PrepAway - Latest Free Exam Questions & Answers

Tag: Exam CAS-001 (update May 17th, 2015)

Exam CAS-001: CompTIA Advanced Security Practitioner (update May 17th, 2015)

Which of the following controls is the MOST effective in preventing this threat from re-occurring?

An internal employee has sold a copy of the production customer database that was being used
for upgrade testing to outside parties via HTTP file upload. The Chief Information Officer (CIO) has
resigned and the Chief Executive Officer (CEO) has tasked the incoming CIO with putting effective
controls in place to help prevent this from occurring again in the future. Which of the following
controls is the MOST effective in preventing this threat from re-occurring?

which of the following tools would be the BEST tool for the technician to use?

A security manager has provided a Statement of Work (SOW) to an external penetration testing
firm for a web application security test. The web application starts with a very simple HTML survey
form with two components: a country selection dropdown list and a submit button. The penetration
testers are required to provide their test cases for this survey form in advance. In order to
adequately test the input validation of the survey form, which of the following tools would be the
BEST tool for the technician to use?

Which of the following security activities should be performed to provide an appropriate level of security testing coverage? (Select TWO).

An online banking application has had its source code updated and is soon to be re-launched. The
underlying infrastructure has not been changed. In order to ensure that the application has an
appropriate security posture, several security-related activities are required.

Which of the following security activities should be performed to provide an appropriate level of
security testing coverage? (Select TWO).

Which of the following options BEST balances the security and usability requirements of the executive management team?

Within a large organization, the corporate security policy states that personal electronic devices
are not allowed to be placed on the company network. There is considerable pressure from the
company board to allow smartphones to connect and synchronize email and calendar items of
board members and company executives. Which of the following options BEST balances the
security and usability requirements of the executive management team?

Which of the following is the NEXT logical step?

A new project initiative involves replacing a legacy core HR system, and is expected to touch
many major operational systems in the company. A security administrator is engaged in the
project to provide security consulting advice. In addition, there are database, network, application,
HR, and transformation management consultants engaged on the project as well. The
administrator has established the security requirements. Which of the following is the NEXT logical
step?

Which of the following attacks could the secondary DNS server still be susceptible to?

An IT administrator has installed new DNS name servers (Primary and Secondary), which are
used to host the company MX records and resolve the web server’s public address. In order to
secure the zone transfer between the primary and secondary server, the administrator uses only
server ACLs. Which of the following attacks could the secondary DNS server still be susceptible
to?

Which of the following is the BEST tool to achieve this?

The Chief Executive Officer (CEO) has decided to outsource systems which are not core business
functions; however, a recent review by the risk officer has indicated that core business functions
are dependent on the outsourced systems. The risk officer has requested that the IT department
calculates the priority of restoration for all systems and applications under the new business
model. Which of the following is the BEST tool to achieve this?

