Company XYZ has purchased and is now deploying a new HTML5 application. The company wants to hire a
penetration tester to evaluate the security of the client and server components of the proprietary web
application before launch. Which of the following is the penetration tester MOST likely to use while performing
black box testing of the security of the company’s purchased application? (Select TWO).

A security firm is writing a response to an RFP from a customer that is building a new network-based software
product. The firm’s expertise is in penetration testing corporate networks. The RFP explicitly calls for all
possible behaviors of the product to be tested; however, it does not specify any particular method to achieve
this goal. Which of the following should be used to ensure the security and functionality of the product? (Select
TWO).

There have been some failures of the company’s internal facing website. A security engineer has found the
WAF to be the root cause of the failures. System logs show that the WAF has been unavailable for 14 hours
over the past month, in four separate situations. One of these situations was a two hour scheduled
maintenance time, aimed at improving the stability of the WAF. Using the MTTR based on the last month’s
performance figures, which of the following calculations is the percentage of uptime assuming there were 722
hours in the month?

A company is facing penalties for failing to effectively comply with e-discovery requests. Which of the following
could reduce the overall risk to the company from this issue?

The technology steering committee is struggling with increased requirements stemming from an increase in
telecommuting. The organization has not addressed telecommuting in the past. The implementation of a new
SSL-VPN and a VoIP phone solution enables personnel to work from remote locations with corporate assets.
Which of the following steps must the committee take FIRST to outline senior management’s directives?

A software project manager has been provided with a requirement from the customer to place limits on the
types of transactions a given user can initiate without external interaction from another user with elevated
privileges. This requirement is BEST described as an implementation of:

The source workstation image for new accounting PCs has begun blue-screening. A technician notices that the
date/time stamp of the image source appears to have changed. The desktop support director has asked the
Information Security department to determine if any changes were made to the source image. Which of the
following methods would BEST help with this process? (Select TWO).

An assessor identifies automated methods for identifying security control compliance through validating sensors
at the endpoint and at Tier 2. Which of the following practices satisfy continuous monitoring of authorized
information systems?

A security officer is leading a lessons learned meeting. Which of the following should be components of that
meeting? (Select TWO).

The Chief Executive Officer (CEO) of a company that allows telecommuting has challenged the Chief Security
Officer’s (CSO) request to harden the corporate network’s perimeter. The CEO argues that the company
cannot protect its employees at home, so the risk at work is no different. Which of the following BEST explains
why this company should proceed with protecting its corporate network boundary?