Information Systems Security Management Professional(ISSMP)

Exam Code: ISSMP
Exam Name: Information Systems Security Management Professional
Questions: 600 questions and answers with explanations
Update Date: May 2, 2025
Sample Questions

question: 1
What is the primary purpose of a security governance framework?
A. To define the operational tasks for IT security professionals
B. To outline organizational responsibilities for managing security risks
C. To reduce the number of security incidents
D. To implement technical security measures

correct answer: B
explanation: A security governance framework provides a structure to align security efforts with business goals and ensure proper management of security risks at all levels of the organization.


question: 2
Which of the following risk management strategies involves transferring the risk to a third party?
A. Risk avoidance
B. Risk reduction
C. Risk acceptance
D. Risk transfer

correct answer: D
explanation: Risk transfer involves shifting the responsibility for the risk to a third party, such as through insurance or outsourcing certain operations.


question: 3
Which of the following security program components is critical for ensuring business continuity during a disaster?
A. Incident response plan
B. Business impact analysis
C. Security awareness training
D. Data loss prevention strategy

correct answer: B
explanation: A business impact analysis (BIA) identifies the most critical business functions and the resources required for recovery, helping to ensure continuity during a disaster.


question: 4
Which of the following is a key characteristic of a successful security awareness training program?
A. It is a one-time event for all employees.
B. It focuses only on technical security measures.
C. It is regularly updated and tailored to specific job roles.
D. It is optional for employees.

correct answer: C
explanation: A successful security awareness training program is regularly updated and tailored to specific roles to address the evolving threats employees may encounter in their specific functions.


question: 5
Which of the following is an example of a preventive control?
A. Firewalls
B. Security audits
C. Incident response procedures
D. Security patches

correct answer: A
explanation: Firewalls are a preventive control as they are designed to block unauthorized access before it occurs.


question: 6
Which of the following standards is typically used to ensure an organization is in compliance with privacy laws?
A. ISO/IEC 27001
B. NIST Cybersecurity Framework
C. General Data Protection Regulation (GDPR)
D. ITIL

correct answer: C
explanation: The General Data Protection Regulation (GDPR) is a regulation that ensures companies comply with privacy and data protection laws regarding personal data processing.


question: 7
Which of the following security frameworks is used primarily to assess the effectiveness of an organization’s information security management system?
A. ISO/IEC 27001
B. NIST Cybersecurity Framework
C. COBIT
D. PCI-DSS

correct answer: A
explanation: ISO/IEC 27001 is an international standard for managing and securing information, and it is commonly used to assess the effectiveness of an organization’s information security management system.


question: 8
What is the main purpose of separation of duties in security management?
A. To ensure that no individual can single-handedly cause a security breach
B. To streamline security processes
C. To reduce operational overhead
D. To prevent unauthorized personnel from accessing security logs

correct answer: A
explanation: Separation of duties ensures that critical tasks are split among multiple individuals, reducing the risk of fraud or malicious activities by a single person.


question: 9
Which of the following is an important aspect of security monitoring?
A. Continuously auditing system logs for signs of malicious activity
B. Limiting monitoring to high-risk systems only
C. Performing vulnerability assessments annually
D. Implementing encryption on all communications

correct answer: A
explanation: Security monitoring involves actively auditing system logs for signs of malicious activity to detect incidents early and take corrective actions.


question: 10
Which type of control is used to identify and mitigate risks that have already occurred?
A. Preventive control
B. Corrective control
C. Detective control
D. Compensating control

correct answer: B
explanation: Corrective controls are used to fix issues and mitigate risks after they have occurred, such as restoring systems after an attack.

question: 11
What is the primary objective of incident response?
A. To minimize system downtime
B. To improve system performance
C. To detect and prevent future attacks
D. To contain and mitigate the impact of security incidents

correct answer: D
explanation: The primary objective of incident response is to contain, mitigate, and resolve the impact of security incidents as quickly as possible.


question: 12
Which of the following is the best approach to reduce the risk of insider threats in an organization?
A. Implement strong encryption on all sensitive data
B. Conduct regular audits and reviews of employee activities
C. Increase network security measures only
D. Increase employee access to sensitive data for operational efficiency

correct answer: B
explanation: Regular audits and reviews of employee activities help identify and reduce the risk of insider threats by detecting suspicious behavior early.


question: 13
Which of the following security principles ensures that an individual or system can only access information that they are authorized to view?
A. Integrity
B. Confidentiality
C. Availability
D. Accountability

correct answer: B
explanation: Confidentiality ensures that sensitive information is only accessible to authorized individuals, protecting it from unauthorized access.


question: 14
Which of the following is a key benefit of encryption for data at rest?
A. It increases system performance
B. It ensures data integrity during transmission
C. It protects data from unauthorized access
D. It ensures compliance with privacy regulations

correct answer: C
explanation: Encryption protects data at rest by making it unreadable to unauthorized users, ensuring that even if the data is compromised, it cannot be accessed or used.


question: 15
What does the security control of least privilege refer to?
A. Granting users the minimum permissions required to perform their job functions
B. Enforcing a multi-factor authentication system
C. Auditing the permissions of all users regularly
D. Providing access to all resources to a select group of users

correct answer: A
explanation: Least privilege ensures users are given only the minimum access necessary to perform their specific tasks, reducing the potential for misuse of privileges.


question: 16
Which of the following policies addresses the appropriate usage of organizational resources such as computers, networks, and information?
A. Data classification policy
B. Acceptable use policy
C. Information retention policy
D. Incident response policy

correct answer: B
explanation: An Acceptable Use Policy (AUP) defines the acceptable usage of an organization’s resources and sets the boundaries for employees’ actions related to IT systems and data.


question: 17
Which of the following metrics is most commonly used to measure the effectiveness of an incident response plan?
A. Incident detection time
B. Number of successful attacks
C. Total number of security policies in place
D. Cost of implementing security measures

correct answer: A
explanation: Incident detection time measures how quickly an organization identifies a security incident, which is crucial for minimizing damage and improving response times.


question: 18
What is the primary purpose of security audits in an organization?
A. To assess the operational efficiency of IT systems
B. To evaluate compliance with security standards and policies
C. To identify software bugs in the system
D. To ensure employees are using systems effectively

correct answer: B
explanation: Security audits evaluate compliance with internal security policies, regulatory requirements, and industry standards, helping to identify vulnerabilities and ensure security controls are working as intended.


question: 19
Which network security measure is used to monitor and control incoming and outgoing network traffic based on predetermined security rules?
A. Intrusion Detection System (IDS)
B. Firewall
C. Security Information and Event Management (SIEM)
D. Data Loss Prevention (DLP)

correct answer: B
explanation: A firewall is a network security measure that monitors and controls incoming and outgoing network traffic based on security rules, helping to prevent unauthorized access.


question: 20
Which of the following is an example of a corrective control?
A. Implementing firewalls
B. Conducting a security audit
C. Restoring data from backup after a breach
D. Encrypting sensitive data in transit

correct answer: C
explanation: Restoring data from backup is a corrective control, as it involves taking actions to recover from a security incident, like a data breach.

question: 21
Which of the following security management frameworks is specifically focused on integrating security with business processes and aligning security goals with organizational objectives?
A. ISO/IEC 27001
B. COBIT
C. NIST Cybersecurity Framework
D. ITIL

correct answer: B
explanation: COBIT (Control Objectives for Information and Related Technologies) is a framework that integrates security with business processes, helping organizations align their security goals with overall business objectives.


question: 22
Which of the following standards is specifically focused on ensuring the confidentiality, integrity, and availability of information systems?
A. ISO/IEC 27001
B. NIST 800-53
C. PCI DSS
D. HIPAA

correct answer: A
explanation: ISO/IEC 27001 is an international standard for establishing, implementing, and maintaining an Information Security Management System (ISMS) to ensure the confidentiality, integrity, and availability of information.


question: 23
Which risk management approach involves transferring the financial impact of a risk to a third party, such as through purchasing insurance?
A. Risk avoidance
B. Risk acceptance
C. Risk mitigation
D. Risk transfer

correct answer: D
explanation: Risk transfer involves shifting the financial consequences of risk to a third party, often through mechanisms like insurance or outsourcing certain activities.


question: 24
What is the primary function of a Security Information and Event Management (SIEM) system?
A. Encrypting sensitive data
B. Managing incident response teams
C. Collecting and analyzing security event data from multiple sources
D. Providing firewall protection

correct answer: C
explanation: A SIEM system collects and analyzes security event data from various sources in real-time to detect and respond to potential threats.


question: 25
Which of the following access control models is based on classification labels such as security clearances?
A. Role-Based Access Control (RBAC)
B. Mandatory Access Control (MAC)
C. Discretionary Access Control (DAC)
D. Attribute-Based Access Control (ABAC)

correct answer: B
explanation: Mandatory Access Control (MAC) enforces access policies based on classification labels or security clearances, restricting access based on the classification of information.


question: 26
What is the primary role of an access control policy in an organization’s security framework?
A. To define the security requirements for firewalls
B. To define which users or systems can access specific resources
C. To determine encryption standards for data storage
D. To set guidelines for patch management

correct answer: B
explanation: An access control policy defines which users, devices, or systems can access specific resources within an organization and under what conditions.


question: 27
Which of the following is an example of data classification?
A. Encrypting sensitive customer information
B. Assigning different levels of sensitivity to documents such as “confidential” or “public”
C. Applying firewall rules to specific data sets
D. Setting up access control lists (ACLs) for users

correct answer: B
explanation: Data classification involves categorizing data based on its sensitivity, such as labeling documents as “confidential” or “public” to ensure appropriate protection and handling.


question: 28
Which of the following components of a security program is responsible for establishing protocols to restore business operations after a disaster?
A. Incident response plan
B. Business continuity plan
C. Vulnerability management plan
D. Disaster recovery plan

correct answer: D
explanation: A disaster recovery plan outlines the steps to restore IT systems and data after a disaster, ensuring that business operations can resume as quickly as possible.


question: 29
Which of the following best defines confidentiality in the context of information security?
A. Ensuring data is accurate and complete
B. Ensuring data is available when needed
C. Ensuring data is accessible only by authorized individuals
D. Ensuring data is protected from unauthorized modification

correct answer: C
explanation: Confidentiality ensures that information is only accessible to authorized individuals, preventing unauthorized access.


question: 30
Which of the following best describes the role of a CISO (Chief Information Security Officer) in an organization?
A. Implementing IT infrastructure solutions
B. Overseeing all aspects of cybersecurity and information risk management
C. Ensuring compliance with financial regulations
D. Managing day-to-day IT operations

correct answer: B
explanation: A CISO is responsible for overseeing the organization’s cybersecurity efforts and managing information risk, including the development and implementation of security policies, incident response, and compliance programs.

question: 31
Which of the following security management processes ensures that the organization’s information security program is continuously improving over time?
A. Risk assessment
B. Security audit
C. Security monitoring
D. Continuous improvement

correct answer: D
explanation: Continuous improvement ensures that an organization’s information security program is regularly reviewed and enhanced based on lessons learned from incidents, audits, and new security challenges.


question: 32
Which of the following is the best strategy for mitigating the risk of a denial-of-service (DoS) attack?
A. Encrypt sensitive data
B. Implement network redundancy
C. Employ intrusion detection systems
D. Use anti-malware software

correct answer: B
explanation: Network redundancy can help mitigate the risk of a denial-of-service (DoS) attack by ensuring that alternative network paths or systems are available in case of attack-induced outages.


question: 33
Which of the following types of encryption is most commonly used to protect data during transmission?
A. Symmetric encryption
B. Asymmetric encryption
C. Hashing
D. Digital signatures

correct answer: B
explanation: Asymmetric encryption (e.g., RSA) is commonly used to protect data during transmission, as it uses public and private keys to secure communications, ensuring confidentiality and integrity.


question: 34
Which policy is most appropriate to guide an organization in implementing access restrictions based on the user’s role within the organization?
A. Data retention policy
B. Acceptable use policy
C. Role-based access control (RBAC) policy
D. Incident response policy

correct answer: C
explanation: A role-based access control (RBAC) policy governs access permissions based on the user’s role within the organization, ensuring that users only have access to the resources they need to perform their job.


question: 35
Which of the following is the primary purpose of a business continuity plan (BCP)?
A. To define security measures for protecting data
B. To minimize operational disruptions during and after an incident
C. To evaluate security vulnerabilities in systems
D. To conduct post-incident reviews and improve security measures

correct answer: B
explanation: A business continuity plan (BCP) aims to minimize operational disruptions and ensure that essential business functions can continue during and after an incident or disaster.


question: 36
Which of the following access control models uses labels (such as security clearances) to determine the level of access granted to a user?
A. Role-Based Access Control (RBAC)
B. Discretionary Access Control (DAC)
C. Mandatory Access Control (MAC)
D. Attribute-Based Access Control (ABAC)

correct answer: C
explanation: Mandatory Access Control (MAC) uses labels, such as security clearances, to determine the level of access a user has to information, often enforced by the system.


question: 37
Which of the following best describes a security risk assessment?
A. A process of identifying and quantifying risks to organizational assets
B. A process of setting security controls based on regulatory compliance
C. A method for responding to incidents after they occur
D. A procedure for defining organizational roles and responsibilities

correct answer: A
explanation: A security risk assessment involves identifying and quantifying risks to the organization’s assets, enabling the organization to make informed decisions on how to mitigate those risks.


question: 38
Which of the following is the best practice for managing security patches in an organization’s IT systems?
A. Apply patches immediately after they are released without testing
B. Prioritize patches based on the criticality of the system and the vulnerability addressed
C. Only apply patches when system performance issues occur
D. Wait for patches to be automatically applied by vendors

correct answer: B
explanation: Prioritizing patches based on criticality ensures that the most vulnerable systems are updated first, reducing the risk of security breaches while maintaining system performance.


question: 39
What is the purpose of a Security Operations Center (SOC) in an organization?
A. To enforce physical security in the data center
B. To monitor and respond to security incidents in real-time
C. To conduct regular employee training on security threats
D. To implement compliance audits and ensure regulatory adherence

correct answer: B
explanation: A Security Operations Center (SOC) is responsible for monitoring, detecting, and responding to security incidents in real-time, ensuring the organization’s security posture is maintained.


question: 40
Which of the following best describes the concept of least privilege?
A. Users have access to all resources necessary for their job
B. Users are granted access to all resources based on their department
C. Users are granted the minimum level of access required to perform their tasks
D. Users can access all systems after authentication

correct answer: C
explanation: Least privilege ensures that users are granted the minimum level of access required to perform their tasks, reducing the risk of unauthorized access and limiting damage from security breaches.

question: 41
Which of the following is a key benefit of implementing a security governance framework in an organization?
A. Ensures technical security measures are effective
B. Aligns security strategies with business objectives
C. Provides detailed configurations for security devices
D. Automates incident response processes

correct answer: B
explanation: A security governance framework aligns security strategies with the organization’s business objectives, ensuring that security initiatives support overall business goals.


question: 42
Which of the following is the primary focus of the ISO/IEC 27001 standard in information security management?
A. To define a disaster recovery plan
B. To ensure compliance with financial regulations
C. To establish an information security management system (ISMS)
D. To monitor network traffic for potential threats

correct answer: C
explanation: ISO/IEC 27001 focuses on establishing, implementing, and maintaining an Information Security Management System (ISMS) to protect sensitive information and manage security risks.


question: 43
In which phase of the security management lifecycle would you typically conduct a business impact analysis (BIA)?
A. Risk identification
B. Risk assessment
C. Risk treatment
D. Risk monitoring

correct answer: B
explanation: The business impact analysis (BIA) is typically conducted during the risk assessment phase to identify the potential impacts of various risks on business operations and resources.


question: 44
Which security management activity involves monitoring and evaluating the performance of security controls to ensure they are working as intended?
A. Risk treatment
B. Continuous monitoring
C. Security auditing
D. Incident response

correct answer: B
explanation: Continuous monitoring is the process of continuously evaluating the performance and effectiveness of security controls to ensure that they are functioning as intended and to detect potential issues early.


question: 45
What is the primary purpose of a security policy in an organization?
A. To describe technical solutions for protecting information
B. To define high-level security goals and rules
C. To list detailed steps for incident response
D. To implement encryption methods for all data

correct answer: B
explanation: A security policy defines high-level security goals, rules, and guidelines that govern the organization’s approach to securing its information and systems.


question: 46
Which of the following is the best way to prioritize risks when developing a security management strategy?
A. Focus on risks with the highest financial impact only
B. Consider both the likelihood of the risk and its potential impact
C. Address risks based on how recent they were detected
D. Focus only on technical vulnerabilities identified in the system

correct answer: B
explanation: Risk prioritization involves assessing both the likelihood of a risk occurring and the potential impact it may have, helping to allocate resources effectively and address the most critical risks first.


question: 47
Which of the following best describes a security audit in an organization?
A. A process to identify new vulnerabilities
B. A process of reviewing security policies and controls for effectiveness
C. A method for training employees on security best practices
D. A process for responding to ongoing security incidents

correct answer: B
explanation: A security audit involves reviewing security policies, procedures, and controls to assess their effectiveness and ensure compliance with regulations and security best practices.


question: 48
Which of the following is NOT typically part of a security awareness training program?
A. Teaching employees about phishing and social engineering attacks
B. Educating employees about secure password practices
C. Training employees on how to configure firewalls
D. Explaining the importance of reporting security incidents

correct answer: C
explanation: Security awareness training focuses on educating employees about recognizing threats like phishing, using secure passwords, and reporting incidents, but it does not typically cover technical tasks like configuring firewalls.


question: 49
What is the primary objective of a business continuity plan (BCP)?
A. To recover systems after an incident
B. To protect the organization’s information from external threats
C. To ensure the organization can continue critical operations during disruptions
D. To prevent all types of security incidents from occurring

correct answer: C
explanation: The primary goal of a business continuity plan (BCP) is to ensure that critical business operations can continue or quickly resume in the event of a disruption, such as a natural disaster or cyberattack.


question: 50
Which of the following is a key component of an incident response plan?
A. Defining acceptable use of organizational resources
B. Identifying and categorizing potential threats and vulnerabilities
C. Performing a detailed audit of network traffic
D. Identifying roles and responsibilities during a security incident

correct answer: D
explanation: A key component of an incident response plan is defining roles and responsibilities so that during a security incident, everyone involved understands their tasks and how to effectively respond to the situation.

question: 51
Which of the following governance frameworks is primarily used for managing IT services and ensuring continuous improvement?
A. COBIT
B. ISO/IEC 27001
C. ITIL
D. NIST 800-53

correct answer: C
explanation: ITIL (Information Technology Infrastructure Library) is a framework for managing IT services and ensuring continuous improvement in service delivery, focusing on aligning IT services with business needs.


question: 52
Which of the following risk treatment options involves completely eliminating a risk by removing the associated activity or asset?
A. Risk acceptance
B. Risk avoidance
C. Risk transfer
D. Risk mitigation

correct answer: B
explanation: Risk avoidance involves eliminating the risk by removing the activity or asset that poses the risk, effectively eliminating the potential for harm.


question: 53
Which of the following is a key focus of security governance in an organization?
A. Establishing the security configuration of individual devices
B. Aligning security strategy with business objectives and managing risk
C. Conducting vulnerability assessments for all systems
D. Implementing technical measures to secure network traffic

correct answer: B
explanation: Security governance focuses on aligning the organization’s security strategy with its business objectives, managing risk, and ensuring compliance with legal and regulatory requirements.


question: 54
Which of the following control frameworks is specifically focused on data privacy and protecting personal information?
A. COBIT
B. NIST 800-53
C. GDPR
D. ISO/IEC 27001

correct answer: C
explanation: GDPR (General Data Protection Regulation) is a regulation that focuses on protecting personal data and privacy within the European Union, with an emphasis on individuals’ rights over their data.


question: 55
What is the primary goal of a security metrics program in an organization?
A. To determine compliance with industry regulations
B. To measure the effectiveness of security controls and identify areas for improvement
C. To create awareness among employees about security threats
D. To prevent security incidents from occurring

correct answer: B
explanation: The goal of a security metrics program is to measure the effectiveness of security controls, monitor performance, and identify areas where security measures can be improved.


question: 56
Which of the following security policies outlines the acceptable use of technology and defines behaviors that are allowed or prohibited on the organization’s network?
A. Acceptable Use Policy (AUP)
B. Data Classification Policy
C. Incident Response Policy
D. Access Control Policy

correct answer: A
explanation: An Acceptable Use Policy (AUP) outlines the acceptable use of the organization’s technology resources and defines behaviors that are allowed or prohibited on the organization’s network.


question: 57
Which of the following is a key principle of security risk management?
A. Never apply patches to production systems
B. Always use a one-size-fits-all approach for risk mitigation
C. Continuously assess and adjust security strategies based on evolving risks
D. Focus solely on preventing all security incidents from occurring

correct answer: C
explanation: A key principle of security risk management is to continuously assess and adjust security strategies based on emerging threats and evolving risks, ensuring that the organization remains protected over time.


question: 58
Which of the following is the primary objective of a disaster recovery plan (DRP)?
A. To identify and fix vulnerabilities in the system
B. To recover critical IT systems and data after a disaster
C. To prevent unauthorized access to systems
D. To reduce the risk of data loss during normal operations

correct answer: B
explanation: A disaster recovery plan (DRP) focuses on recovering critical IT systems, applications, and data after a disaster or major disruption to ensure minimal downtime and business continuity.


question: 59
Which of the following is an example of data classification?
A. Encrypting all files on an organization’s server
B. Categorizing documents as “confidential,” “internal use,” or “public”
C. Setting firewall rules based on IP address
D. Using strong passwords to secure user accounts

correct answer: B
explanation: Data classification involves categorizing data according to its sensitivity and handling requirements, such as labeling documents as “confidential,” “internal use,” or “public.”


question: 60
Which of the following is the best method for ensuring that security incidents are detected and responded to in a timely manner?
A. Implementing automated patch management
B. Establishing a well-defined incident response plan and team
C. Conducting regular vulnerability assessments
D. Training employees on basic security measures

correct answer: B
explanation: The best method for ensuring timely detection and response to security incidents is by establishing a well-defined incident response plan and having a trained incident response team in place.

question: 61
Which of the following security controls is most effective at preventing insider threats?
A. Access control lists
B. Monitoring and logging
C. Firewalls
D. Antivirus software

correct answer: B
explanation: Monitoring and logging are crucial for detecting insider threats, as they allow for the identification of suspicious or unauthorized activities by individuals with access to internal systems.


question: 62
Which of the following best describes business continuity management (BCM)?
A. A plan to ensure that employees follow company security policies
B. A strategy to protect against data breaches and hacking attempts
C. A process for ensuring that critical business functions can continue during a disruption
D. A framework for responding to compliance audits

correct answer: C
explanation: Business continuity management (BCM) focuses on ensuring that critical business functions continue or can quickly resume in the event of a disruption or disaster.


question: 63
Which of the following best describes a security incident?
A. Any activity that is considered a potential threat
B. An event that negatively impacts the organization’s data security
C. A security breach detected by automated systems
D. A failure of a system that causes downtime

correct answer: B
explanation: A security incident is any event that negatively affects the organization’s data security, whether it’s an attack, breach, or other compromise of information security.


question: 64
Which of the following standards provides a framework for managing and protecting information security risks?
A. ISO/IEC 27001
B. HIPAA
C. NIST 800-53
D. COBIT

correct answer: A
explanation: ISO/IEC 27001 provides a framework for establishing, implementing, and maintaining an information security management system (ISMS) to protect organizational information and manage security risks.


question: 65
Which of the following should be the first step in establishing a security management program?
A. Implementing technical security controls
B. Conducting a risk assessment
C. Defining incident response procedures
D. Educating employees about security

correct answer: B
explanation: The first step in a security management program is conducting a risk assessment to identify potential threats, vulnerabilities, and the organization’s risk tolerance, which helps prioritize subsequent actions.


question: 66
Which of the following is the most appropriate method for managing vendor risk?
A. Granting vendors access to sensitive systems with no restrictions
B. Evaluating vendors based on compliance with security standards and monitoring their activities
C. Allowing vendors to self-manage their security policies
D. Ignoring vendor risk as it is outside the organization’s scope

correct answer: B
explanation: Managing vendor risk involves evaluating vendors based on their adherence to security standards and continuously monitoring their activities to ensure compliance and mitigate potential risks.


question: 67
Which of the following is the primary objective of information security governance?
A. To ensure systems are always available
B. To protect sensitive data from unauthorized access
C. To align security with organizational goals and manage risks
D. To implement technical controls and monitor security incidents

correct answer: C
explanation: The primary objective of information security governance is to align the organization’s security initiatives with business objectives and ensure that risks are properly managed.


question: 68
Which of the following best practice guidelines is aimed at maintaining effective security awareness training programs?
A. Regularly update and review training content based on emerging threats
B. Provide training only during onboarding and then ignore updates
C. Train only the IT team on security protocols
D. Avoid testing employees on their knowledge of security topics

correct answer: A
explanation: Regularly updating and reviewing training content is essential to maintain an effective security awareness training program, ensuring employees are aware of current threats and practices.


question: 69
What is the most effective way to ensure that security policies are consistently enforced across an organization?
A. Automate policy enforcement with technical controls
B. Allow employees to manage their own security
C. Regularly update the security policies and let employees read them
D. Only apply security policies to IT systems

correct answer: A
explanation: Automating policy enforcement with technical controls ensures that security policies are consistently applied and monitored across all systems and activities.


question: 70
Which of the following would be considered a preventative control?
A. Intrusion detection systems
B. Encryption
C. Access control systems
D. Security audits

correct answer: C
explanation: Access control systems are considered preventative controls because they limit access to sensitive information or systems before an incident occurs.


question: 71
Which of the following principles is critical for ensuring a successful security management strategy?
A. Top-down commitment and involvement
B. Focusing only on external threats
C. Using a one-size-fits-all approach for risk management
D. Delegating security decisions to third parties

correct answer: A
explanation: Top-down commitment is crucial for a successful security management strategy, as leadership involvement ensures that security initiatives are properly prioritized, resourced, and integrated across the organization.


question: 72
Which of the following is the primary purpose of a data retention policy?
A. To ensure that data is available for business operations
B. To protect sensitive data from unauthorized access
C. To manage the storage and disposal of data according to legal and regulatory requirements
D. To implement backup procedures for critical systems

correct answer: C
explanation: The primary purpose of a data retention policy is to manage how long data is stored and when it should be archived or deleted, ensuring compliance with legal, regulatory, and organizational requirements.


question: 73
What is the main objective of an organization’s security audit?
A. To detect and respond to security incidents in real-time
B. To evaluate the effectiveness of security controls and identify vulnerabilities
C. To train employees on security best practices
D. To determine if systems meet compliance requirements

correct answer: B
explanation: The main objective of a security audit is to evaluate the effectiveness of existing security controls and identify vulnerabilities to improve the overall security posture.


question: 74
Which of the following is an important benefit of conducting a risk assessment as part of security management?
A. It helps to create awareness among employees about security threats
B. It helps to identify critical assets, threats, and vulnerabilities
C. It ensures all systems are patched and up-to-date
D. It prevents security breaches from happening

correct answer: B
explanation: A risk assessment helps to identify critical assets, potential threats, and vulnerabilities in order to prioritize resources and implement appropriate security measures.


question: 75
Which of the following control objectives is achieved by implementing role-based access control (RBAC)?
A. Ensuring that data is encrypted
B. Minimizing the risk of insider threats
C. Automating incident response
D. Ensuring compliance with security regulations

correct answer: B
explanation: Role-based access control (RBAC) helps to minimize the risk of insider threats by ensuring that users are granted only the minimum necessary access based on their roles, reducing unauthorized access to sensitive information.


question: 76
Which of the following would be an example of a corrective control in security management?
A. Intrusion prevention systems
B. Security incident response plans
C. Firewalls
D. Employee security awareness training

correct answer: B
explanation: Security incident response plans are considered corrective controls because they are designed to respond to security incidents, mitigate damage, and restore normal operations after an event occurs.


question: 77
Which of the following laws is aimed at securing financial data and requires businesses to implement strict security controls over their financial records?
A. Sarbanes-Oxley Act (SOX)
B. Federal Information Security Management Act (FISMA)
C. Payment Card Industry Data Security Standard (PCI DSS)
D. General Data Protection Regulation (GDPR)

correct answer: A
explanation: The Sarbanes-Oxley Act (SOX) is a U.S. law that mandates strict security controls over financial reporting and auditing, aiming to improve the accuracy and reliability of financial disclosures.


question: 78
Which of the following compliance standards is specifically designed for ensuring the security of credit card transactions?
A. HIPAA
B. PCI DSS
C. ISO/IEC 27001
D. NIST 800-53

correct answer: B
explanation: PCI DSS (Payment Card Industry Data Security Standard) is a compliance standard designed to secure credit card transactions and protect cardholder data during processing, transmission, and storage.


question: 79
What is the primary goal of GDPR (General Data Protection Regulation)?
A. To protect personal data and privacy in the European Union
B. To standardize cybersecurity practices for all industries
C. To regulate data sharing between EU and non-EU countries
D. To establish penalties for cybersecurity breaches

correct answer: A
explanation: The primary goal of GDPR is to protect personal data and privacy of individuals within the European Union and to give EU citizens more control over their personal data.


question: 80
Which of the following is required by the FISMA (Federal Information Security Management Act)?
A. Implementation of encryption for all data in transit
B. Implementation of security controls for federal information systems
C. Regular audits of credit card transactions
D. Establishment of a data retention policy for all organizations

correct answer: B
explanation: FISMA requires federal agencies and contractors to implement security controls for information systems, ensuring that these systems meet specific security requirements to protect sensitive information.


question: 81
Which of the following standards outlines the requirements for managing information security risks in the context of a business continuity management (BCM) system?
A. ISO/IEC 27001
B. ISO 22301
C. NIST 800-53
D. COBIT

correct answer: B
explanation: ISO 22301 is the standard that focuses on business continuity management, helping organizations design and implement systems to ensure the continuity of operations during disruptions.


question: 82
Which of the following best describes the role of a Data Protection Officer (DPO) under GDPR?
A. Ensures that the organization is compliant with all regulatory requirements
B. Manages encryption and key management for personal data
C. Monitors data processing activities and ensures compliance with data protection laws
D. Ensures that all data storage solutions are adequately backed up

correct answer: C
explanation: Under GDPR, the Data Protection Officer (DPO) is responsible for monitoring the organization’s data processing activities and ensuring compliance with data protection laws.


question: 83
Which of the following compliance requirements is typically focused on protecting personally identifiable information (PII)?
A. ISO/IEC 27001
B. PCI DSS
C. GDPR
D. SOX

correct answer: C
explanation: GDPR is specifically focused on the protection of personally identifiable information (PII) and the privacy of individuals within the EU.


question: 84
Which of the following compliance regulations requires organizations to secure sensitive government data and implement specific controls based on risk management frameworks?
A. NIST 800-53
B. SOX
C. HIPAA
D. FISMA

correct answer: D
explanation: FISMA requires organizations working with U.S. federal agencies to secure sensitive government data and apply security controls based on established frameworks such as NIST 800-53.


question: 85
Which of the following would be considered a breach of compliance under the GDPR?
A. Encrypting data in transit without notifying users
B. Failing to notify authorities within 72 hours of a personal data breach
C. Providing data access only to authorized personnel
D. Regularly updating security patches on systems

correct answer: B
explanation: Under GDPR, organizations are required to notify authorities within 72 hours of a personal data breach. Failure to do so constitutes a breach of compliance.


question: 86
Which of the following is a requirement of the Health Insurance Portability and Accountability Act (HIPAA) for securing health-related data?
A. Data must be encrypted both at rest and in transit
B. Data must be stored in a centralized location for easier access
C. Access to health data must be unrestricted for healthcare professionals
D. A Data Protection Officer must be appointed

correct answer: A
explanation: HIPAA requires health-related data to be encrypted both at rest and in transit to ensure its security and privacy, protecting sensitive patient information.


question: 87
Which of the following best practices would ensure compliance with the PCI DSS?
A. Encrypting only credit card numbers on the payment gateway
B. Conducting annual vulnerability scans and applying patches regularly
C. Storing credit card data without encryption for convenience
D. Allowing all personnel to access cardholder data for troubleshooting purposes

correct answer: B
explanation: PCI DSS compliance requires conducting annual vulnerability scans, applying patches regularly, and ensuring that access to sensitive payment data is restricted and properly protected.


question: 88
Which of the following compliance frameworks is specifically used for managing security of federal information systems in the United States?
A. FISMA
B. ISO/IEC 27001
C. NIST 800-53
D. SOC 2

correct answer: A
explanation: FISMA (Federal Information Security Management Act) applies to U.S. federal agencies and contractors, requiring them to secure federal information systems and implement required security controls.


question: 89
Which of the following is a key principle of compliance management?
A. Focus on external audits alone to ensure compliance
B. Implement a reactive approach to compliance enforcement
C. Continuously monitor and adjust policies to align with changing regulations
D. Ignore regulatory changes unless directly impacting business operations

correct answer: C
explanation: A key principle of compliance management is to continuously monitor and adjust policies to align with evolving regulations and ensure ongoing compliance.


question: 90
Which of the following best practices is essential for ensuring compliance with SOX (Sarbanes-Oxley Act)?
A. Securing access to financial records and ensuring only authorized personnel have access
B. Using unencrypted storage for financial data
C. Only focusing on compliance for the financial reporting process
D. Allowing employees unrestricted access to sensitive financial information for audit purposes

correct answer: A
explanation: To ensure SOX compliance, access control is essential, and only authorized personnel should have access to financial records to protect the integrity and security of financial data.


question: 91
Which of the following compliance frameworks is designed to help organizations secure the confidentiality and integrity of electronic healthcare data?
A. SOX
B. HIPAA
C. ISO/IEC 27001
D. NIST 800-53

correct answer: B
explanation: HIPAA is designed to ensure the confidentiality, integrity, and security of electronic healthcare data by setting standards for how healthcare organizations handle sensitive patient information.


question: 92
Which of the following is the primary focus of the General Data Protection Regulation (GDPR)?
A. Preventing financial fraud
B. Ensuring fair and transparent processing of personal data
C. Securing government networks
D. Protecting organizational intellectual property

correct answer: B
explanation: GDPR focuses on ensuring that personal data is processed fairly and transparently while providing individuals with greater control over their personal information.


question: 93
Which of the following privacy laws is aimed at protecting personal data across international borders, particularly in the EU and beyond?
A. GDPR
B. CCPA
C. HIPAA
D. FISMA

correct answer: A
explanation: GDPR is a privacy law that protects personal data of individuals in the European Union and governs the handling of that data by organizations worldwide, regardless of location.


question: 94
Which of the following regulatory requirements would require a company to regularly review and update its security policies and controls?
A. NIST 800-53
B. PCI DSS
C. FISMA
D. All of the above

correct answer: D
explanation: All of these regulations require organizations to regularly review and update their security policies and controls to ensure they remain effective and aligned with regulatory requirements.


question: 95
Under GDPR, which of the following is required for organizations that handle personal data?
A. Implementing security measures based on risk assessments
B. Appointing a Data Protection Officer (DPO) only if they handle sensitive data
C. Encrypting data in transit and at rest by default
D. Keeping all data for an unlimited period for business purposes

correct answer: A
explanation: Under GDPR, organizations must implement appropriate security measures to protect personal data based on the results of regular risk assessments.


question: 97
Which of the following compliance regulations focuses on protecting the confidentiality, integrity, and availability of federal information systems in the United States?
A. PCI DSS
B. FISMA
C. ISO/IEC 27001
D. HIPAA

correct answer: B
explanation: FISMA (Federal Information Security Management Act) focuses on protecting the confidentiality, integrity, and availability of federal information systems in the U.S. and requires federal agencies and contractors to adhere to specific security standards.


question: 98
Which of the following regulations is aimed at securing personally identifiable information (PII) for California residents?
A. GDPR
B. CCPA
C. HIPAA
D. SOX

correct answer: B
explanation: The California Consumer Privacy Act (CCPA) aims to protect the privacy of personally identifiable information (PII) of California residents by giving them greater control over their personal data.


question: 99
Which of the following regulations outlines specific requirements for securing payment card data and preventing fraud in organizations that store, process, or transmit payment card information?
A. PCI DSS
B. GDPR
C. HIPAA
D. NIST 800-53

correct answer: A
explanation: PCI DSS (Payment Card Industry Data Security Standard) is the set of standards designed to protect payment card data by securing cardholder information and preventing fraud in organizations that store, process, or transmit credit card data.


question: 100
Which of the following compliance requirements under GDPR mandates that data subjects have the right to erasure of their personal data, often referred to as the “right to be forgotten”?
A. Data Minimization
B. Right to Rectification
C. Right to Data Portability
D. Right to Erasure

correct answer: D
explanation: Under GDPR, the Right to Erasure (or “right to be forgotten”) gives data subjects the right to request the deletion of their personal data under specific circumstances, such as when the data is no longer necessary for its original purpose.


question: 101
Which of the following regulatory frameworks provides a set of security controls for the federal government and is widely adopted by non-governmental entities for managing cybersecurity risk?
A. NIST Cybersecurity Framework (CSF)
B. ISO/IEC 27001
C. SOC 2
D. PCI DSS

correct answer: A
explanation: The NIST Cybersecurity Framework (CSF) provides a set of security controls for managing cybersecurity risk and is widely adopted by both federal and non-governmental entities for securing their systems and data.

Why is Pass4Certs the best choice for certification exam preparation?

Pass4Certs is dedicated to providing practice test questions with answers, free of charge, unlike other web-based platforms. To see the whole review material you need to register for a free account on Pass4Certs. Many clients around the world are getting high grades by using our dumps. You get a 100 percent passing and unconditional guarantee on the test. PDF files are accessible immediately after purchase.

A Central Tool to Help You Prepare for the Exam

Pass4Certs.com is the last stop you need for taking the test. We meticulously adhere to the exact exam questions and answers, which are regularly updated and verified by experts. Our exam dumps experts, who come from a variety of well-known organizations, are intelligent and qualified individuals who have reviewed a very important set of exam questions and answers to help you understand the concepts and pass the certification exam with good marks. Our braindumps are the most effective way to prepare for your test in only 1 day.

User Friendly & Easily Accessible on Mobile Devices

Easy to Use and Accessible from Mobile Devices. Our exam platform is very easy to use. The fundamental aim of our platform is to provide the most recent, accurate, refreshed and truly helpful review material. Students can use this material to study and successfully navigate the implementation and support of systems. Students can access authentic test questions and answers, which will be available for download in PDF format immediately after purchase. As long as your mobile device has an internet connection, you can study on this website, which is mobile-friendly for testers.

Dumps Are Verified by Industry Experts

Get Access to the Most Recent and Accurate Questions and Answers Right Away:
Our exam database is frequently updated throughout the year to include the most recent exam questions and answers. Each test page shows the update date at the top of the page along with the refreshed list of test questions and answers. You will pass the test on your first attempt due to the authenticity of the current exam questions.

Dumps for the exam have been checked by industry professionals who are dedicated to providing the right test questions and answers with brief descriptions. Each question and answer is checked by experts: highly qualified individuals with extensive professional experience in the vendor examination.

Pass4Certs.com delivers the best exam questions with detailed explanations in contrast with a number of other exam web portals.

Money Back Guarantee

Pass4Certs.com is committed to providing quality braindumps that will help you pass the test and get certified. In order to provide you with the best method of preparation for the exam, we provide the most recent and realistic test questions from current examinations. If you purchase the entire PDF file but fail the vendor exam, you can get your money back or get your exam replaced. Visit our guarantee page for more information on our straightforward money-back guarantee.

Customer Reviews

James: "This course helped me pass my exam on the first try! The practice tests and explanations were spot on. Highly recommended!" ⭐⭐⭐⭐⭐

Julie: "The content was very helpful and concise. Some topics were a little deeper, but overall it was excellent and I recommend it; it definitely helped me pass my certification." ⭐⭐⭐⭐⭐

Amenda: "Passed my exam with 92%! The flashcards and timed quizzes were a game-changer. Perfect for last-minute revision." ⭐⭐⭐⭐⭐

Charles: "Pass4certs is the real MVP. I crammed for 3 days using their dumps and walked out of the exam like a boss. Passed with 89%!" ⭐⭐⭐⭐⭐

Juliet: "Shoutout to Pass4certs for helping me level up my career. I’ve passed two certifications back-to-back with their help. Super reliable and updated content!" ⭐⭐⭐⭐⭐