Quiz Security Governance and Compliance

Uploaded by sushainkapoorsk


1. Joe is authoring a document that explains to system administrators one way in which they might comply with the organization's requirement to encrypt all laptops. What type of document is Joe writing?
A. Policy
B. Guideline
C. Procedure
D. Standard

2. Which one of the following statements is not true about compensating controls under PCI DSS?
A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement.
B. Controls must meet the intent of the original requirement.
C. Controls must meet the rigor of the original requirement.
D. Compensating controls must provide a similar level of defense as the original requirement.

3. What law creates privacy obligations for those who handle the personal information of European Union residents?
A. HIPAA
B. FERPA
C. GDPR
D. PCI DSS

4. Which one of the following is not one of the five core security functions defined by the NIST Cybersecurity Framework?
A. Identify
B. Contain
C. Respond
D. Recover

5. What ISO standard provides guidance on privacy controls?
A. 27002
B. 27001
C. 27701
D. 31000

6. Which one of the following documents must normally be approved by the CEO or similarly high-level executive?
A. Standard
B. Procedure
C. Guideline
D. Policy

7. Greg would like to create an umbrella agreement that provides the security terms and conditions for all future work that his organization does with a vendor. What type of agreement should Greg use?
A. BPA
B. MOU
C. MSA
D. SLA

8. What organization is known for creating independent security benchmarks covering hardware and software platforms from many different vendors?
A. Microsoft
B. Center for Internet Security
C. Cloud Security Alliance
D. Cisco

9. What do many organizations use to schedule and coordinate changes for information systems?
A. Impact analysis
B. Backout plans
C. Maintenance windows
D. Version control

10. Which one of the following would not normally be found in an organization's information security policy?
A. Statement of the importance of cybersecurity
B. Requirement to use AES-256 encryption
C. Delegation of authority
D. Designation of responsible executive

11. Alice, an IT security manager at Acme Corporation, decides to conduct an exercise to test the employees' ability to recognize phishing emails. She creates fake phishing messages and sends them to the employees. When employees click on the links in the fake messages, they are redirected to a training program. What is the primary purpose of the exercise that Alice is conducting?
A. To penalize the employees who click on the phishing links
B. To reward employees who identify the fake phishing messages
C. To test employees' ability to recognize phishing messages and help them improve
D. To gather data for a report on the most gullible departments

12. Tonya discovers that an employee is running a side business from his office, using company technology resources. What policy would most likely contain information relevant to this situation?
A. NDA
B. AUP
C. Data ownership
D. Data classification

13. What compliance obligation applies to merchants and service providers who work with credit card information?
A. FERPA
B. SOX
C. HIPAA
D. PCI DSS

14. Mike is an information security manager at TechRise Solutions. The company has been experiencing an increase in security incidents, and senior management is concerned about the security posture of the organization. They have asked Mike to take proactive measures to strengthen the company's security culture. What should be Mike's primary role in enhancing the security awareness and training at TechRise Solutions?
A. To delegate all security responsibilities to the HR department
B. To establish, promote, and maintain security training and awareness programs
C. To create and distribute security awareness posters
D. To personally conduct security training sessions for all employees

15. Colin would like to implement a security control in his accounting department that is specifically designed to detect cases of fraud that are able to occur despite the presence of other security controls. Which one of the following controls is best suited to meet Colin's need?
A. Separation of duties
B. Least privilege
C. Dual control
D. Mandatory vacations

16. Which one of the following security policy framework components does not contain mandatory guidance for individuals in the organization?
A. Policy
B. Standard
C. Procedure
D. Guideline

17. Rachel is the Head of Security at WebCraft Inc. She wants to create both security training and awareness programs. Which statement best captures the difference between these programs?
A. Security training requires time to learn new material, whereas awareness efforts use techniques like posters and emails to remind employees of security lessons.
B. Security training involves giving rewards to employees, whereas awareness efforts involve punishments.
C. There is no difference; both terms can be used interchangeably.
D. Security training is for security team members only, whereas security awareness is for all employees.

18. Allan is developing a document that lists the acceptable mechanisms for securely obtaining remote administrative access to servers in his organization. What type of document is Allan writing?
A. Policy
B. Standard
C. Guideline
D. Procedure

19. Which one of the following is not a common use of the NIST Cybersecurity Framework?
A. Describe the current cybersecurity posture of an organization.
B. Describe the target future cybersecurity posture of an organization.
C. Communicate with stakeholders about cybersecurity risk.
D. Create specific technology requirements for an organization.

20. Which one of the following items is not normally included in a request for an exception to security policy?
A. Description of a compensating control
B. Description of the risks associated with the exception
C. Proposed revision to the security policy
D. Business justification for the exception

Answers

1. B.
2. A.
3. C.
4. B.
6. D.
7. C.
8. B.
9. C.
10. B.
11. C.
12. B.
13. D.
14. B.
15. D.
16. D.
17. A.
18. B.
19. D.
20. C.
