PrepAway - Latest Free Exam Questions & Answers

Author: seenagape

Which of the following can the security administrator do to further increase security after having exhausted all the technical controls dictated by the company's security standard?

A security administrator wants to verify and improve the security of a business process which is
tied to proven company workflow. The security administrator was able to improve security by
applying controls that were defined by the newly released company security standard. Such
controls included code improvement, transport encryption, and interface restrictions. Which of the
following can the security administrator do to further increase security after having exhausted all
the technical controls dictated by the company’s security standard?

How many years of data MUST the company legally provide?

A company receives an e-discovery request for the Chief Information Officer's (CIO's) email data.
The storage administrator reports that the data retention policy relevant to their industry only
requires one year of email data. However, the storage administrator also reports that there are
three years of email data on the server and five years of email data on backup tapes. How many
years of data MUST the company legally provide?

Which of the following types of attacks is underway and how can it be remediated?

The VoIP administrator starts receiving reports that users are having problems placing phone
calls. The VoIP administrator cannot determine the issue, and asks the security administrator for
help. The security administrator reviews the switch interfaces and does not see an excessive
amount of network traffic on the voice network. Using a protocol analyzer, the security
administrator does see an excessive number of SIP INVITE packets destined for the SIP proxy.
Based on the information given, which of the following types of attacks is underway and how can it
be remediated?

Which of the following will satisfy the CISO requirements?

The Chief Information Security Officer (CISO) of a small bank wants to embed a monthly testing
regimen into the security management plan specifically for the development area. The CISO's
requirements are that testing must have a low risk of impacting system stability, be scriptable,
and be very thorough. The development team claims that this will lead to a higher degree of test
script maintenance and that it would be preferable if the testing were outsourced to a third party.
The CISO still maintains that third-party testing would not be as thorough, as the third party lacks
the introspection of the development team. Which of the following will satisfy the CISO's
requirements?

Which of the following are the MOST likely risk implications of the CFO’s business decision?

A large corporation that is heavily reliant on IT platforms and systems is in financial difficulty and
needs to drastically reduce costs in the short term to survive. The Chief Financial Officer (CFO)
has mandated that all IT and architectural functions will be outsourced and that a mixture of providers
will be selected. One provider will manage the desktops for five years, another provider will
manage the network for ten years, another provider will be responsible for security for four years,
and an offshore provider will perform day-to-day business processing functions for two years. At
the end of each contract the incumbent may be renewed or a new provider may be selected.
Which of the following are the MOST likely risk implications of the CFO's business decision?

Which of the following BEST addresses the security and risk team’s concerns?

A small customer-focused bank that has implemented least-privilege principles is concerned about the
possibility of branch staff unintentionally aiding fraud in their day-to-day interactions with
customers. Bank staff have been encouraged to build friendships with customers to make the
banking experience feel more personal. The security and risk team have decided that a policy
needs to be implemented across all branches to address the risk. Which of the following BEST
addresses the security and risk team's concerns?