PrepAway - Latest Free Exam Questions & Answers

Category: CAS-001 (v.1)

Exam CAS-001: CompTIA Advanced Security Practitioner (update May 17th, 2015)

Which of the following should Ann suggest to BEST secure this environment?

Ann, a Physical Security Manager, is ready to replace all 50 analog surveillance cameras with IP
cameras with built-in web management. Ann has several security guard desks on different
networks that must be able to view the cameras without unauthorized people viewing the video as
well. The selected IP camera vendor does not have the ability to authenticate users at the camera
level. Which of the following should Ann suggest to BEST secure this environment?

Which of the following security components will BEST meet the above requirements and fit into the solution arc

A general insurance company wants to set up a new online business. The requirements are that
the solution needs to be:
- Extendable for new products to be developed and added
- Externally facing for customers and business partners to log in
- Usable and manageable
- Be able to integrate seamlessly with third parties for non-core functions such as document printing
- Secure to protect customer’s personal information and credit card information during transport and at rest
The conceptual solution architecture has specified that the application will consist of a traditional
three-tiered architecture for the front-end components, an ESB to provide services, data
transformation capability and legacy system integration, and a web services gateway.
Which of the following security components will BEST meet the above requirements and fit into the
solution architecture? (Select TWO).

Which of the following security solutions will BEST meet the above requirements?

A retail bank has had a number of issues with regard to the integrity of sensitive information across
all of its customer databases. This has resulted in the bank’s share price decreasing in value by
50% and regulatory intervention and monitoring.
The new Chief Information Security Officer (CISO) as a result has initiated a program of work to
solve the issues.
The business has specified that the solution needs to be enterprise grade and meet the following
requirements:
- Be across all major platforms, applications and infrastructure.
- Be able to track user and administrator activity.
- Does not significantly degrade the performance of production platforms, applications, and infrastructures.
- Real time incident reporting.
- Manageable and has meaningful information.
- Business units are able to generate reports in a timely manner of the unit’s system assets.
In order to solve this problem, which of the following security solutions will BEST meet the above
requirements? (Select THREE).

Which of the following recommendations is BEST for the CISO to put forward to the product manager?

Company XYZ has had repeated vulnerability exploits of a critical nature released to the
company’s flagship product. The product is used by a number of large customers. At the Chief
Information Security Officer’s (CISO’s) request, the product manager now has to budget for a team
of security consultants to introduce major product security improvements.
Here is a list of improvements in order of priority:

1. A noticeable improvement in security posture immediately.
2. Fundamental changes to resolve systemic issues as an ongoing process.
3. Improvements should be strategic as opposed to tactical.
4. Customer impact should be minimized.
Which of the following recommendations is BEST for the CISO to put forward to the product
manager?

Which of the following scenarios BEST accomplishes this goal?

A system administrator has installed a new Internet facing secure web application that consists of
a Linux web server and Windows SQL server into a new corporate site. The administrator wants to
place the servers in the most logical network security zones and implement the appropriate
security controls. Which of the following scenarios BEST accomplishes this goal?

Which of the following is the BEST course of action for the network engineer to take?

The lead systems architect on a software development project developed a design which is
optimized for a distributed computing environment. The security architect assigned to the project
has concerns about the integrity of the system, if it is deployed in a commercial cloud. Due to poor
communication within the team, the security risks of the proposed design are not being given any
attention. A network engineer on the project has a security background and is concerned about
the overall success of the project. Which of the following is the BEST course of action for the
network engineer to take?

Which of the following is the BEST course of action for the security administrator to take?

Company XYZ plans to donate 1,000 used computers to a local school. The company has a large
research and development section and some of the computers were previously used to store
proprietary research.
The security administrator is concerned about data remnants on the donated machines, but the
company does not have a device sanitization section in the data handling policy.
Which of the following is the BEST course of action for the security administrator to take?

Which of the following is the BEST course of action for the junior security administrator to take?

The Chief Information Security Officer (CISO) regularly receives reports of a single department
repeatedly violating the corporate security policy. The head of the department in question informs
the CISO that the offending behaviors are a result of necessary business activities. The CISO
assigns a junior security administrator to solve the issue. Which of the following is the BEST
course of action for the junior security administrator to take?

