A Chief Information Security Officer (CISO) of a major consulting firm has significantly increased
the company’s security posture; however, the company is still plagued by data breaches of
misplaced assets. These data breaches as a result have led to the compromise of sensitive
corporate and client data on at least 25 occasions. Each employee in the company is provided a
laptop to perform company business. Which of the following actions can the CISO take to mitigate
the breaches?
The security administrator is responsible for the confidentiality of all corporate data. The
company’s servers are located in a datacenter run by a different vendor. The vendor datacenter
hosts servers for many different clients, all of whom have access to the datacenter. None of the
racks are physically secured. Recently, the company has been the victim of several attacks
involving data injection and exfiltration. The security administrator suspects these attacks are
due to several new network-based attacks facilitated by having physical access to a system.
Which of the following BEST describes how to adapt to the threat?
Which of the following should be used to identify overflow vulnerabilities?
A network administrator notices a security intrusion on the web server. Which of the following is
noticed by http://test.com/modules.php?op=modload&name=XForum&file=[hostilejavascript]&fid=2
in the log file?
The Chief Technology Officer (CTO) has decided that servers in the company datacenter should
be virtualized to conserve physical space. The risk assurance officer is concerned that the project
team in charge of virtualizing servers plans to co-mingle many guest operating systems with
different security requirements to speed up the rollout and reduce the number of host operating
systems or hypervisors required.
Which of the following BEST describes the risk assurance officer’s concerns?
Due to cost and implementation time pressures, a security architect has allowed a NAS to be used
instead of a SAN for a non-critical, low volume database. Which of the following would make a
NAS unsuitable for a business critical, high volume database application that required a high
degree of data confidentiality and data availability? (Select THREE).
An IT administrator wants to restrict DNS zone transfers between two geographically dispersed,
external company DNS name servers, and has decided to use TSIG. Which of the following are
critical when using TSIG? (Select TWO).
As part of the ongoing information security plan in a large software development company, the
Chief Information Officer (CIO) has decided to review and update the company’s privacy policies
and procedures to reflect the changing business environment and business requirements.
Training and awareness of the new policies and procedures has been incorporated into the
security awareness program which should be:
Which of the following is the BEST place to contractually document security priorities,
responsibilities, guarantees, and warranties when dealing with outsourcing providers?
Staff from the sales department have administrator rights to their corporate standard operating
environment, and often connect their work laptop to customer networks when onsite during
meetings and presentations. This increases the risk and likelihood of a security incident when the
sales staff reconnects to the corporate LAN. Which of the following controls would BEST protect
the corporate network?