PrepAway - Latest Free Exam Questions & Answers

Author: seenagape

which controls to implement?

Company XYZ has invested an increasing amount in security due to the changing threat
landscape. The company is going through a cost-cutting exercise and the Chief Financial Officer
(CFO) has queried the security budget allocated to the Chief Information Security Officer (CISO).
At the same time, the CISO is actively promoting business cases for additional funding to support
new initiatives. These initiatives will mitigate several security incidents that have occurred due to
ineffective controls.
A security advisor is engaged to assess the current controls framework and to provide
recommendations on whether preventative, detective, or corrective controls should be
implemented. How should the security advisor respond when explaining which controls to
implement?

Which of the following should be the primary focus of the privacy compliance training program?

There has been a recent security breach which has led to the release of sensitive customer
information. As part of improving security and reducing the disclosure of customer data, a training
company has been employed to educate staff. Which of the following should be the primary focus
of the privacy compliance training program?

Which of the following actions could a new security administrator take to further mitigate this issue?

A new malware spreads over UDP Port 8320 and several network hosts have been infected. A
new security administrator has determined a possible cause, and the infected machines have
been quarantined. Which of the following actions could a new security administrator take to further
mitigate this issue?

Which of the following issues could be addressed through the use of technical controls specified in the new se

A newly hired Chief Information Security Officer (CISO) is faced with improving security for a
company with low morale and numerous disgruntled employees. After reviewing the situation for
several weeks, the CISO publishes a more comprehensive security policy with associated
standards. Which of the following issues could be addressed through the use of technical controls
specified in the new security policy?