An organization is close to going live with the implementation of a cloud-based application. Independent penetration test results have been received that show a high-rated vulnerability. Which of the following would be the BEST way to proceed?

1. A. Implement the application and request the cloud service provider to fix the vulnerability.
2. B. Assess whether the vulnerability is within the organization's risk tolerance levels.
3. C. Commission further penetration tests to validate initial test results,
4. D. Postpone the implementation until the vulnerability has been fixed.

Correct Answer: D

During which of the following phases should an incident response team document actions required to remove the threat that caused the incident?

1. A. Post-incident review
2. B. Eradication
3. C. Containment
4. D. Identification

Correct Answer: B

Which of the following is MOST important to include in a report to key stakeholders regarding the effectiveness of an information security program?

1. A. Security metrics
2. B. Security baselines
3. C. Security incident details
4. D. Security risk exposure

Correct Answer: A
Security metrics are the most important to include in a report to key stakeholders regarding the effectiveness of an information security program because they provide objective and measurable evidence of security performance and progress. Security metrics can include measures such as the number and severity of security incidents, the level of compliance with security policies and standards, the effectiveness of security controls, and the return on investment (ROI) of security initiatives. The other choices may also be included in a security report, but security metrics are the most important.
An information security program is a set of policies, procedures, standards, guidelines, and tools that aim to protect an organization’s information assets from threats and ensure compliance with laws and regulations. The effectiveness of an information security program depends on various factors, such as the organization’s risk appetite, business objectives, resources, culture, and external environment. Regular reporting to key stakeholders, such as senior management, the board of directors, and business partners, is critical to maintaining their support and buy-in for the program. The report should provide clear and concise information on the program’s status, achievements, challenges, and future plans, and it should be tailored to the audience’s needs and expectations.

Which of the following provides an information security manager with the MOST accurate indication of the organization's ability to respond to a cyber attack?

1. A. Walk-through of the incident response plan
2. B. Black box penetration test
3. C. Simulated phishing exercise
4. D. Red team exercise

Correct Answer: D

Which of the following is the PRIMARY benefit of implementing a vulnerability assessment process?

1. A. Threat management is enhanced.
2. B. Compliance status is improved.
3. C. Security metrics are enhanced.
4. D. Proactive risk management is facilitated.

Correct Answer: A