According to the National Institute of Standards and Technology (NIST) SP 800-40, which of the following considerations are MOST important when creating a vulnerability management program?

• A.Susceptibility to attack, mitigation response time, and cost
• B.Vulnerability exploitation, attack recovery, and mean time to repair
• C.Attack vectors, controls cost, and investigation staffing needs
• D.Susceptibility to attack, expected duration of attack, and mitigation availability

Comment: *

Name: *

Email: *

Verification: *

The amount of risk an organization is willing to accept in pursuit of its mission is known as

• A.Risk acceptance
• B.Risk tolerance
• C.Risk mitigation
• D.Risk transfer

Comment: *

Name: *

Email: *

Verification: *

An organization licenses and uses personal information for business operations, and a server containing that information has been compromised.
What kind of law would require notifying the owner or licensee of this incident?

• A.Consumer right disclosure
• B.Data breach disclosure
• C.Security incident disclosure
• D.Special circumstance disclosure

Comment: *

Name: *

Email: *

Verification: *

When a critical vulnerability has been discovered on production systems and needs to be fixed immediately, what is the BEST approach for a CISO to mitigate the vulnerability under tight budget constraints?

• A.Schedule an emergency meeting and request the funding to fix the issue
• B.Take the system off line until the budget is available
• C.Transfer financial resources from other critical programs
• D.Deploy countermeasures and compensating controls until the budget is available

Comment: *

Name: *

Email: *

Verification: *

The Security Operations Center (SOC) just purchased a new intrusion prevention system (IPS) that needs to be deployed in-line for best defense. The IT group is concerned about putting the new IPS in-line because it might negatively impact network availability.
What would be the BEST approach for the CISO to reassure the IT group?

• A.Work with the IT group and tell them to put IPS in-line and say it won't cause any network impact
• B.Explain to the IT group that the IPS will fail open once in-line however it will be deployed in monitor mode for a set period of time to ensure that it doesn't block any legitimate traffic
• C.Explain to the IT group that this is a business need and the IPS will fail open however, if there is a network failure the CISO will accept responsibility
• D.Explain to the IT group that the IPS won't cause any network impact because it will fail open

Comment: *

Name: *

Email: *

Verification: *