- (Exam Topic 15)
The Chief Executive Officer (CEO) wants to implement an internal audit of the company's information security posture. The CEO wants to avoid any bias in the audit process; therefore, has assigned the Sales Director to conduct the audit. After significant interaction over a period of weeks the audit concludes that the company's policies and procedures are sufficient, robust and well established. The CEO then moves on to engage an external penetration testing company in order to showcase the organization's robust information security stance. This exercise reveals significant failings in several critical security controls and shows that the incident response processes remain undocumented. What is the MOST likely reason for this disparity in the results of the audit and the external penetration test?

1. A. The external penetration testing company used custom zero-day attacks that could not have been predicted.
2. B. The information technology (IT) and governance teams have failed to disclose relevant information to the internal audit team leading to an incomplete assessment being formulated.
3. C. The scope of the penetration test exercise and the internal audit were significantly different.
4. D. The audit team lacked the technical experience and training to make insightful and objective assessments of the data provided to them.

Correct Answer: C

- (Exam Topic 15)
What is the FIRST step in developing a patch management plan?

1. A. Subscribe to a vulnerability subscription service.
2. B. Develop a patch testing procedure.
3. C. Inventory the hardware and software used.
4. D. Identify unnecessary services installed on systems.

Correct Answer: B

- (Exam Topic 14)
Which of the following is a characteristic of convert security testing?

1. A. Induces less risk than over testing
2. B. Tests staff knowledge and Implementation of the organization's security policy
3. C. Focuses an Identifying vulnerabilities
4. D. Tests and validates all security controls in the organization

Correct Answer: B

- (Exam Topic 15)
What is considered a compensating control for not having electrical surge protectors installed?

1. A. Having dual lines to network service providers built to the site
2. B. Having backup diesel generators installed to the site
3. C. Having a hot disaster recovery (DR) environment for the site
4. D. Having network equipment in active-active clusters at the site

Correct Answer: D

- (Exam Topic 13)
Digital certificates used in Transport Layer Security (TLS) support which of the following?

1. A. Information input validation
2. B. Non-repudiation controls and data encryption
3. C. Multi-Factor Authentication (MFA)
4. D. Server identity and data confidentially

Correct Answer: D