Which of the following is the MOST suitable integration platform to provide event-driven and standards-based s
A large organization has gone through several mergers, acquisitions, and de-mergers over the
past decade. As a result, the internal networks have been integrated but have complex
dependencies and interactions between systems. Better integration is needed in order to simplify
the underlying complexity. Which of the following is the MOST suitable integration platform to
provide event-driven and standards-based secure software architecture?
Which of the following is the BEST recommendation for the CIO to make?
The Chief Information Officer (CIO) of a technology company is likely to move away from a de-perimeterized model for employee-owned devices. This is because there were too many issues
with lack of patching, malware incidents, and data leakage due to lost/stolen devices which did not
have full-disk encryption. The ‘bring your own computing’ approach was originally introduced
because different business units preferred different operating systems and application stacks.
Based on the issues and user needs, which of the following is the BEST recommendation for the
CIO to make?
Which of the following BEST describes a repeatable process that can be used for establishing the security arch
An architect has been engaged to write the security viewpoint of a new initiative. Which of the
following BEST describes a repeatable process that can be used for establishing the security
architecture?
Which of the following options BEST balances the needs between marketing and risk management?
Within the company, there is executive management pressure to start advertising to a new target
market. Due to the perceived schedule and budget inefficiencies of engaging a technology
business unit to commission a new micro-site, the marketing department is engaging third parties
to develop the site in order to meet time-to-market demands. From a security perspective, which of
the following options BEST balances the needs between marketing and risk management?
Which of the following controls is BEST suited to this situation?
Several business units have requested the ability to use collaborative web-based meeting places
with third party vendors. Generally these require user registration, installation of client-based
ActiveX or Java applets, and also the ability for the user to share their desktop in read-only or
read-write mode. In order to ensure that information security is not compromised, which of the
following controls is BEST suited to this situation?
The security issue should be reported to:
A new web application system was purchased from a vendor and configured by the internal
development team. Before the web application system was moved into production, a vulnerability
assessment was conducted. A review of the vulnerability assessment report indicated that the
testing team discovered a minor security issue with the configuration of the web application. The
security issue should be reported to:
Which of the following statements BEST reflects the security status of the application?
A security consultant is hired by a company to determine if an internally developed web application
is vulnerable to attacks. The consultant spent two weeks testing the application, and determines
that no vulnerabilities are present. Based on the results of the tools and tests available, which of
the following statements BEST reflects the security status of the application?
Which of the following BEST addresses risks associated with disclosure of intellectual property?
In an effort to reduce internal email administration costs, a company is determining whether to
outsource its email to a managed service provider that provides email, spam, and malware
protection. The security manager is asked to provide input regarding any security implications of
this change.
Which of the following BEST addresses risks associated with disclosure of intellectual property?
Which of the following methods should be used to select the BEST platform?
A company is preparing to upgrade its NIPS at five locations around the world. The three platforms
the team plans to test claim to have the most advanced features and lucrative pricing.
Assuming all platforms meet the functionality requirements, which of the following methods should
be used to select the BEST platform?
Which of the following will MOST likely reduce the likelihood of similar incidents?
An organization has had component integration-related vulnerabilities exploited in consecutive
releases of the software it hosts. The only reason the company was able to identify the
compromises was because of a correlation of slow server performance and an attentive security
analyst noticing unusual outbound network activity from the application servers. End-to-end
management of the development process is the responsibility of the applications development
manager and testing is done by various teams of programmers. Which of the following will MOST
likely reduce the likelihood of similar incidents?