Which would be one of the BEST metrics an information security manager can employ to
effectively evaluate the results of a security program?

Which of the following types of information would the information security manager expect to have
the LOWEST level of security protection in a large, multinational enterprise?

The PRIMARY purpose of using risk analysis within a security program is to:

Which of the following is the PRIMARY prerequisite to implementing data classification within an
organization?

An online banking institution is concerned that the breach of customer personal information will
have a significant financial impact due to the need to notify and compensate customers whose
personal information may have been compromised. The institution determines that residual risk
will always be too high and decides to:

What mechanisms are used to identify deficiencies that would provide attackers with an
opportunity to compromise a computer system?

A common concern with poorly written web applications is that they can allow an attacker to:

Which of the following would be of GREATEST importance to the security manager in determining
whether to accept residual risk?

A project manager is developing a developer portal and requests that the security manager assign
a public IP address so that it can be accessed by in-house staff and by external consultants
outside the organization’s local area network (LAN). What should the security manager do FIRST?

A mission-critical system has been identified as having an administrative system account with
attributes that prevent locking and change of privileges and name. Which would be the BEST
approach to prevent successful brute forcing of the account?