Common Technical Interview Questions and Answers Update on May 29, 2021

Question 21: True or false: Mobile devices can require a location as an authentication factor to access certain assets.

A. True
B. False

Correct Answer:
A. True

Question 22: What can an enterprise information security team learn by looking at its previous data breaches or security incidents?

A. Where the organization historically has had “soft spots”
B. Insecure business processes
C. The cost of a security breach at your organization
D. All of the above

Correct Answer:
D. All of the above
Explanation:
An organization should look at its previous data breaches or security incidents to know where to focus its limited time, money and effort. Since every organization is different, addressing past weaknesses and fixing past mistakes is a great place to start.

Question 23: With the right data breach prevention strategy, which kind of data breach can be entirely avoided?

A. Malware infection
B. Lost or stolen laptop
C. Account compromise
D. Weak passwords
E. None of the above

Correct Answer:
E. None of the above
Explanation:
No data breach prevention strategy can totally eliminate the risk of a data breach, but the likelihood of breaches due to any of the above can be greatly reduced with the right mix of policy, process, technology and training.

Question 24: Which is not a method to identify a “soft spot” in your enterprise’s security?

A. Penetration test
B. Vulnerability scan
C. Risk assessment
D. Password changes
E. None of the above

Correct Answer:
D. Password changes
Explanation:
Password changes happen routinely in any organization with a short password-change cycle; they are a hygiene measure, not a method for identifying weaknesses.

Question 25: Where are mistakes most commonly made when an organization is assessing its data breach risk?

A. Assuming all security controls are 100% effective, so it doesn’t plan for failure.
B. Mis-assessing risk by failing to consider how an attacker would approach key systems.
C. Using log data to correlate network activity to high- and low-risk areas.
D. Failing to use modern security metrics to gauge commonly neglected risks.

Correct Answer:
B. Mis-assessing risk by failing to consider how an attacker would approach key systems.
Explanation:
Mistakes can happen in this complex process, causing a potential high-risk finding not to be identified, or to be classified as low risk, so the controls needed to manage that risk would not be implemented.

Question 26: How should you prioritize your organizational response to the recommendations from a risk assessment?

A. Get a consensus of the security team and IT decision makers.
B. Purchase several security products from emerging startups.
C. Do first whatever can be done most quickly and get an easy
D. Implement all missing security controls to reduce the risk to zero.
E. Apply available resources to identified

Correct Answer:
E. Apply available resources to identified
Explanation:
Every organization’s security posture and attack profile will be unique, so breach prevention resources must be applied to address each organization’s specific needs.

Question 27: In its study of the CISO role, Forrester Research found that:

A. unlike CEOs, most CISOs have similar personalities.
B. most cybersecurity pros don’t aspire to the CISO role because it lacks variety.
C. incompatibility between CISOs and the companies they serve — poor CISO-company fit — is a significant driver of high CISO turnover rates.
D. most CISOs have a clear understanding of their strengths and the kinds of companies and situations in which they excel.

Correct Answer:
C. incompatibility between CISOs and the companies they serve — poor CISO-company fit — is a significant driver of high CISO turnover rates.

Question 28: Nemertes Research CEO Johna Till Johnson suggests recruiting and developing in-house cybersecurity talent by:

A. hosting on-the-job training events, such as cybersecurity boot camps.
B. surveying existing employees beyond the security team to identify those with family members and friends who have the missing skills the company is hunting.
C. both.
D. neither.

Correct Answer:
A. hosting on-the-job training events, such as cybersecurity boot camps.

Question 29: In our feature story on the six types of CISO, the post-breach CISO is one who:

A. exhibits a calm and process-oriented leadership style.
B. should expect to stay in a new role for a few years.
C. should consider moving on to a new position once a company has regained its equilibrium, following a breach.
D. all of the above.
E. none of the above.

Correct Answer:
D. all of the above.

Question 30: According to cybersecurity expert Michael Cobb, it’s essential to embed security by design throughout the software development process. But key challenges include:

A. getting senior management to realize their company is a likely target of cybercriminals.
B. making stakeholders understand that disregarding security in any part of the development lifecycle creates far-reaching vulnerabilities.
C. both.
D. neither.

Correct Answer:
C. both.
