which of the following?
A newly appointed risk management director for the IT department at Company XYZ, a major
pharmaceutical manufacturer, needs to conduct a risk analysis regarding a new system which the
developers plan to bring on-line in three weeks. The director begins by reviewing the thorough and
well-written report from the independent contractor who performed a security assessment of the
system. The report details what seems to be a manageable volume of infrequently exploited
security vulnerabilities. The likelihood of a malicious attacker exploiting one of the vulnerabilities is
low; however, the director still has some reservations about approving the system because of
which of the following?
Which of the following is a problem with the security posture of this company?
A small company has a network with 37 workstations, 3 printers, a 48-port switch, an
enterprise-class router, and a firewall at the boundary to the ISP. The workstations have the latest patches
and all have up-to-date anti-virus software. User authentication is a two-factor system with
fingerprint scanners and passwords. Sensitive data on each workstation is encrypted. The network
is configured to use IPv4 and is a standard Ethernet network. The network also has a
captive-portal-based wireless hotspot to accommodate visitors. Which of the following is a problem with
the security posture of this company?
Which of the following BEST restates the above statement to allow it to be implemented by a team of software
Statement: “The system shall implement measures to notify system administrators prior to a
security incident occurring.”
Which of the following BEST restates the above statement to allow it to be implemented by a team
of software developers?
which of the following is the BEST course of action?
A corporate executive lost their smartphone while on an overseas business trip. The phone was
equipped with file encryption and secured with a strong passphrase. The phone contained over
60GB of proprietary data. Given this scenario, which of the following is the BEST course of action?
Which of the following is being described?
A user logs into domain A using a PKI certificate on a smartcard protected by an 8-digit PIN. The
credential is cached by the authenticating server in domain A. Later, the user attempts to access a
resource in domain B. This initiates a request to the original authenticating server to somehow
attest to the resource server in the second domain that the user is in fact who they claim to be.
Which of the following is being described?
Which of the following describes the process of ensuring that the script being used was not altered by anyone
A certain script was recently altered by the author to meet certain security requirements, and
needs to be executed on several critical servers. Which of the following describes the process of
ensuring that the script being used was not altered by anyone other than the author?
Which of the following would MOST likely be selected?
A company has asked their network engineer to list the major advantages for implementing a
virtual environment with regard to cost. Which of the following would MOST likely be selected?
Which of the following would the security manager MOST likely implement?
The security administrator has been tasked with providing a solution that would not only eliminate
the need for physical desktops, but would also centralize the location of all desktop applications,
without losing physical control of any network devices. Which of the following would the security
manager MOST likely implement?
Which of the following would MOST likely be implemented to meet the above requirements and provide a secure so
A company has decided to relocate and the security manager has been tasked to perform a site
survey of the new location to help in the design of the physical infrastructure. The current location
has video surveillance throughout the building and entryways.
The following requirements must be met:
Able to log entry of all employees in and out of specific areas
Access control into and out of all sensitive areas
Tailgating prevention
Which of the following would MOST likely be implemented to meet the above requirements and
provide a secure solution? (Select TWO).
Which of the following needs to be put in place to make certain both organizational requirements are met?
The company is about to upgrade a financial system through a third party, but wants to legally
ensure that no sensitive information is compromised throughout the project. The project manager
must also make sure that internal controls are set to mitigate the potential damage that one
individual’s actions may cause. Which of the following needs to be put in place to make certain
both organizational requirements are met? (Select TWO).