Premium Practice Questions
Question 1 of 20
A mid-sized investment firm in New York recently underwent a compliance audit against the NIST Cybersecurity Framework (CSF) to satisfy SEC regulatory expectations. The audit identified several high-risk deficiencies in the firm’s Identity and Access Management (IAM) processes. The Compliance Officer is now drafting a Remediation Plan Report to present to the Board of Directors and regulatory examiners. Which of the following components is most essential to include in this report to demonstrate a robust commitment to risk mitigation?
Correct: In the context of US regulatory compliance, such as SEC or FINRA oversight, a remediation plan must establish clear accountability and a measurable path to resolution. Including specific actions, assigned owners, and firm deadlines ensures that the deficiencies are addressed systematically. Furthermore, assessing the residual risk allows the Board and regulators to understand the remaining exposure after the plan is executed, which is a core principle of the NIST CSF and risk-based auditing.
Incorrect: Relying on system alert logs provides raw data but fails to outline a strategic path for fixing the underlying compliance gaps identified by the auditors. Simply comparing the firm to peers might provide industry context but does not address the specific deficiencies or provide a roadmap for internal improvement. Choosing to provide only a high-level summary lacks the necessary detail for examiners to verify that the remediation is effective, tracked, and sufficiently resourced.
Takeaway: Effective remediation plans must define clear accountability, specific timelines, and the impact on the organization’s overall risk profile to satisfy regulators.
Question 2 of 20
A US-based financial institution is updating its risk management framework to align with the NIST Cybersecurity Framework. The security team is debating two approaches for their quarterly threat landscape analysis. Approach 1 utilizes a bottom-up method, focusing on the most frequent alerts from the Security Operations Center and high-severity vulnerabilities. Approach 2 utilizes a threat-led method, integrating data from the Financial Services Information Sharing and Analysis Center and mapping behaviors to the MITRE ATT&CK framework. Which approach is more effective for long-term resilience?
Correct: The threat-led approach is superior because it incorporates Cyber Threat Intelligence to understand the broader environment. By using industry-specific data from organizations like the FS-ISAC, the firm can anticipate emerging tactics. Mapping these to the MITRE ATT&CK framework allows the security team to build proactive defenses. This methodology helps identify gaps in controls before an adversary exploits them.
Question 3 of 20
A financial services firm in New York is updating its customer portal to comply with NIST SP 800-53 security controls. During a vulnerability assessment, the team discovers that the application does not properly handle special characters in the search field, leading to potential SQL injection. Which implementation strategy provides the most effective defense-in-depth for this vulnerability?
Correct: Parameterized queries ensure that the database treats input as data rather than executable code, effectively neutralizing SQL injection. Combining this with an allowlist ensures that only expected, well-formed data enters the system, providing a strong first line of defense.
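The defense the explanation above describes, as an added example that is not part of the quiz: the concatenated search query the question calls out, beside a hardened version that first applies an allowlist to the search term and then binds it as a query parameter. The SQLite schema, the sample customer rows and the allowlist regex are constructed for this demonstration and are assumptions, not anything from the quiz.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not a real customer portal).
SAMPLE_ROWS = [
    ("Alice Example", "alice@example.com"),
    ("Bob Example", "bob@example.com"),
    ("Carol Example", "carol@example.com"),
]

# Allowlist for the search field: letters, digits, spaces, apostrophes and
# hyphens, 1 to 50 characters. Wildcards (% _) and operators are rejected
# before the term reaches the database. Assumed policy for this example.
SEARCH_TERM_RE = re.compile(r"^[A-Za-z0-9 '\-]{1,50}$")


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    """The flawed pattern the question describes: the search term is pasted
    into the SQL text, so special characters change the query's structure."""
    sql = "SELECT name, email FROM customers WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def validate_search_term(term):
    """First line of defense: only well-formed terms pass the allowlist."""
    if not SEARCH_TERM_RE.fullmatch(term):
        raise ValueError("search term contains characters outside the allowlist")
    return term


def search_hardened(conn, term):
    """Defense in depth: allowlist validation, then a parameterized query.
    The database receives the term as a bound value, never as SQL text."""
    term = validate_search_term(term)
    sql = "SELECT name, email FROM customers WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def demo():
    """Run both search paths against a normal term, a legitimate name with an
    apostrophe, and a tautology string; return a summary of what happened."""
    conn = make_db()
    results = {"hardened_ali": search_hardened(conn, "ali")}
    # A real name containing an apostrophe is safe for the bound parameter...
    results["hardened_obrien"] = search_hardened(conn, "O'Brien")
    # ...but breaks the concatenated query, because the quote ends the string.
    try:
        search_vulnerable(conn, "O'Brien")
        results["vulnerable_obrien"] = "ran"
    except sqlite3.Error:
        results["vulnerable_obrien"] = "syntax error"
    tautology = "%' OR '1'='1"
    # The concatenated query returns every row; the allowlist rejects the term.
    results["vulnerable_tautology_rows"] = len(search_vulnerable(conn, tautology))
    try:
        search_hardened(conn, tautology)
        results["hardened_tautology"] = "ran"
    except ValueError:
        results["hardened_tautology"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The allowlist deliberately admits an apostrophe, since names like O'Brien are legitimate input; that is exactly the character that breaks the concatenated query, which shows why the bound parameter, not the allowlist, is what neutralizes the injection. The allowlist's job is the other layer: keeping LIKE wildcards and operators, which have no place in a name search, out of the query entirely.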
Question 4 of 20
A mid-sized investment firm based in the United States discovers that an unauthorized external actor has gained access to a server containing sensitive client financial records. The Security Operations Center (SOC) confirms the intrusion is active and data exfiltration is currently in progress. Following the NIST Computer Security Incident Handling Guide (SP 800-61), which action should the incident response team prioritize to address the immediate threat while maintaining regulatory readiness?
Correct: According to NIST SP 800-61, once an incident is detected, the immediate priority is containment to limit the damage and prevent further exfiltration. In the United States financial sector, this must be balanced with the preservation of forensic evidence, such as volatile memory and logs. This ensures that the firm can later determine the scope of the breach and fulfill legal obligations, including materiality assessments required for SEC reporting.
Incorrect: Relying solely on immediate SEC filings is premature because the four-day reporting window typically begins after a firm determines an incident is material, not at the moment of discovery. The strategy of wiping systems immediately is flawed as it destroys critical forensic evidence needed for attribution and understanding the extent of the data compromise. Opting to delay containment for a root cause analysis is dangerous because it allows the attacker to continue exfiltrating data while the team investigates.
Takeaway: Effective incident response requires immediate containment and evidence preservation to support both operational recovery and United States regulatory compliance requirements.
Question 5 of 20
A financial services firm in the United States is updating its vendor management policy following a series of supply chain attacks. The compliance team must enhance the risk mitigation strategy for a critical SaaS provider handling sensitive customer data. To align with the NIST Cybersecurity Framework and SEC guidelines on oversight, which approach should the firm prioritize to manage long-term third-party risk?
Correct: A continuous monitoring framework provides persistent visibility into the vendor’s security posture. Integrating independent audits and specific Service Level Agreements ensures accountability and timely response to threats. This approach aligns with NIST and SEC expectations for active, risk-based oversight of critical service providers.
Question 6 of 20
A US-based broker-dealer is migrating its trade execution reporting system to a serverless architecture to improve scalability during high market volatility. To comply with SEC Rule 17a-4 regarding data integrity and NIST Cybersecurity Framework standards for access control, the security team must address the unique risks associated with event-driven execution. Which strategy most effectively mitigates the risk of unauthorized lateral movement within the serverless environment?
Correct: Assigning unique, minimal-scope IAM roles ensures that each function only has the permissions necessary for its specific task. This follows the principle of least privilege, which is a core component of the NIST Cybersecurity Framework (PR.AC-6) and helps satisfy SEC requirements for protecting sensitive financial records by limiting the potential impact of a compromised function.
Incorrect: The strategy of implementing network security groups at the subnet level provides some protection but fails to address the identity-based permissions that govern how serverless functions interact with other cloud services. Choosing to use a global administrative policy significantly increases the risk of lateral movement because any compromised function would have full access to the database. Focusing only on standardized execution timeouts addresses operational performance and logging consistency but does not provide any meaningful security controls against unauthorized access or privilege escalation.
Takeaway: Effective serverless security requires granular, function-level identity management to enforce the principle of least privilege and limit the blast radius.
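The contrast the explanation above draws, as an added example that is not part of the quiz and not taken from any cloud provider's documentation: the weak setting (one global administrative policy shared by every function) beside the corrected setting (a minimal-scope role for a single function), with a small checker that flags the wildcards that defeat least privilege and a helper that reports roles shared between functions. The policy documents, the account id, the table name and the function names are constructed placeholders.

```python
# Constructed example policies in IAM policy-document shape (placeholders only).

# 1. The weak setting: one global administrative policy attached to every function.
GLOBAL_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# 2. The corrected setting: a role for one function whose only job is to write
# trade reports to one table. Account id and table name are placeholders.
TRADE_REPORT_WRITER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/TradeReports-PLACEHOLDER",
        }
    ],
}


def _as_list(value):
    """Action and Resource may be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return least-privilege findings for a policy document.

    Each Allow statement is checked for a wildcard action, a service-wide
    action such as 'dynamodb:*', a wildcard resource, and NotAction/NotResource,
    which grant everything not listed. An empty list means nothing was flagged."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"statement {i}: action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: action '{action}' grants a whole service")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: resource '*' applies to every resource")
    return findings


def is_least_privilege(policy):
    """True when the checker has no findings for the policy."""
    return not policy_findings(policy)


def shared_roles(assignments):
    """Given {function_name: role_name}, return the roles attached to more than
    one function. A shared role means a compromised function inherits every
    permission the other functions on that role need: the lateral-movement
    path the question is about."""
    owners = {}
    for func, role in assignments.items():
        owners.setdefault(role, []).append(func)
    return {role: funcs for role, funcs in owners.items() if len(funcs) > 1}


if __name__ == "__main__":
    # Constructed function-to-role mapping for a trade reporting pipeline.
    assignments = {
        "ingest-trades": "admin-role",
        "write-trade-report": "admin-role",
        "archive-reports": "archive-role",
    }
    print("global admin findings:", policy_findings(GLOBAL_ADMIN_POLICY))
    print("writer role least privilege:", is_least_privilege(TRADE_REPORT_WRITER_POLICY))
    print("roles shared between functions:", shared_roles(assignments))
```

A check like this belongs in the deployment pipeline, so that a function cannot be deployed with a role that fails it; the account-wide blast radius of the first policy is what the question's "unauthorized lateral movement" refers to.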
Question 7 of 20
A financial institution in the United States is reviewing its personnel security protocols following a recent audit by the Office of the Comptroller of the Currency (OCC). The audit highlighted concerns regarding the offboarding process for system administrators with elevated privileges. To align with NIST Cybersecurity Framework recommendations, which risk-based strategy should the institution prioritize to prevent unauthorized post-employment access?
Correct: This approach ensures that the window of opportunity for an insider threat is closed immediately upon termination. By reviewing recent activity logs, the organization can identify if the departing employee attempted to exfiltrate sensitive data or plant logic bombs before their departure. This aligns with the NIST SP 800-53 Personnel Security (PS) controls and ISO 27001 requirements for the removal of access rights.
Question 8 of 20
A Chief Information Security Officer at a financial services firm in Chicago is refining the organization’s Data Loss Prevention (DLP) strategy to better align with SEC Regulation S-P requirements. During a recent risk assessment, the security team identified that sensitive non-public personal information (NPI) is frequently shared across various departments via cloud-based collaboration tools. The CISO must now decide on a deployment strategy that balances regulatory compliance with operational efficiency.
Correct: Classifying data and mapping it to egress points ensures that the most sensitive information, such as NPI, receives the highest level of protection. This risk-based approach aligns with SEC expectations for safeguarding customer records and information while maintaining business continuity. By focusing on high-risk data flows, the organization can implement automated blocking that prevents data loss before it occurs, rather than just detecting it after the fact.
Incorrect: Applying uniform encryption to all traffic without content analysis fails to prevent the unauthorized transfer of data to unapproved recipients or external personal accounts. Relying on reactive monthly reviews is insufficient for preventing data loss in real-time and does not meet the proactive standards expected under modern cybersecurity frameworks like the NIST Cybersecurity Framework. Choosing to use only default vendor templates often leads to significant gaps in protection because the filters are not tuned to the specific regulatory or operational context of the firm, resulting in high false-positive rates.
Takeaway: A risk-based DLP strategy must prioritize data classification and targeted technical controls to effectively protect sensitive information and meet regulatory obligations.
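The risk-based DLP logic the explanation above describes, as an added example that is not part of the quiz: content is classified by NPI indicators, each egress point is mapped to the highest classification it may carry, and a transfer is blocked when the content exceeds that ceiling. The detection patterns, the egress-point names and their ceilings, and the sample messages are constructed for this demonstration; a real deployment tunes its patterns to its own data, which is the point the explanation makes about untuned vendor templates.

```python
import re

# Constructed NPI indicators (Regulation S-P non-public personal information):
# a US SSN and a simplified account-number format. Assumptions for the example.
NPI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account_number": re.compile(r"\bACCT-\d{8}\b"),
}

# Classification levels, lowest to highest.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "NPI": 2}

# Egress points mapped to the highest classification allowed through them.
# Names and ceilings are constructed for the example.
EGRESS_CEILING = {
    "internal_collab": "NPI",       # approved, encrypted collaboration tenant
    "external_email": "INTERNAL",   # outside recipients: no NPI
    "personal_cloud": "PUBLIC",     # unapproved personal accounts
}


def classify(text):
    """Return (level, matched indicator names). Content with any NPI indicator
    is NPI; everything else defaults to INTERNAL, never to PUBLIC."""
    hits = [name for name, rx in NPI_PATTERNS.items() if rx.search(text)]
    return ("NPI", hits) if hits else ("INTERNAL", hits)


def egress_decision(text, egress_point):
    """Block when the content's classification exceeds the egress ceiling."""
    level, hits = classify(text)
    ceiling = EGRESS_CEILING[egress_point]
    blocked = LEVELS[level] > LEVELS[ceiling]
    return {
        "classification": level,
        "indicators": hits,
        "egress": egress_point,
        "ceiling": ceiling,
        "action": "block" if blocked else "allow",
    }


def run_dlp(events):
    """Evaluate a list of (text, egress_point) transfers; return the decisions."""
    return [egress_decision(text, egress) for text, egress in events]


# Constructed sample transfers: the same onboarding file sent to an approved
# channel and to an outside recipient, plus an ordinary internal document.
SAMPLE_EVENTS = [
    ("Client onboarding file: SSN 123-45-6789, ACCT-00012345", "internal_collab"),
    ("Client onboarding file: SSN 123-45-6789, ACCT-00012345", "external_email"),
    ("Q3 marketing calendar attached", "personal_cloud"),
]

if __name__ == "__main__":
    for decision in run_dlp(SAMPLE_EVENTS):
        print(decision)
```

The decision is made on the data flow, not on the channel alone: the same NPI file is allowed into the approved tenant and blocked at the external mail gateway, which is what "mapping classified data to egress points" buys over the alternatives the explanation rejects (encrypting everything without inspection, or reviewing transfers a month later).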
Question 9 of 20
A security manager at a US-based healthcare provider is reviewing the organization’s vulnerability management program to comply with the HIPAA Security Rule and NIST guidelines. The manager is concerned that while they are patching known vulnerabilities, they are not testing the effectiveness of their intrusion detection systems against lateral movement. Which testing technique should be implemented to specifically address this concern?
Correct: Internal penetration testing is the most effective technique for simulating an adversary who has bypassed perimeter defenses. It allows the organization to evaluate how well their internal controls and monitoring systems detect and prevent lateral movement, which is a critical requirement for protecting sensitive data under NIST and HIPAA frameworks.
Question 10 of 20
You are the Lead Security Architect for a United States financial institution. You must validate the Incident Response Plan (IRP) regarding executive roles during a data breach. Which approach best validates communication protocols and escalation paths without interrupting critical business operations?
Correct: Tabletop exercises are a key component of the NIST Cybersecurity Framework for testing response capabilities. They allow stakeholders to practice decision-making and communication in a low-risk environment. This method ensures that legal, technical, and management teams understand their specific obligations under United States regulatory requirements during a crisis.
Incorrect: The strategy of parallel recovery testing focuses primarily on technical redundancy and system availability rather than the procedural response to a security threat. Simply conducting administrative sign-offs on policy documents confirms awareness of the text but fails to test the actual execution of the plan under pressure. Opting for penetration testing evaluates the effectiveness of technical defenses and detection alerts but does not sufficiently exercise the management-level communication and escalation procedures required during a major incident.
Takeaway: Tabletop exercises validate communication and decision-making frameworks by simulating realistic scenarios without impacting live production environments.
Question 11 of 20
A Chief Information Security Officer at a US-based investment firm is updating the organization’s information security program to comply with the NIST Cybersecurity Framework. During the initial phase of asset identification, the team finds that data is scattered across various on-premises servers and cloud-based SaaS applications. To ensure that security controls are applied consistently and appropriately, what is the most critical first step in the classification process?
Correct: Developing a standardized policy is the foundational step because it establishes the criteria for how data should be handled, protected, and retained. This alignment with NIST CSF (ID.AM-2) ensures that the organization can prioritize its security efforts based on the actual risk and value of the information assets, which is essential for meeting SEC and other regulatory data protection expectations.
Incorrect: Relying solely on automated DLP solutions is premature without first defining the data categories the system is meant to protect. Focusing only on physical hardware inventory fails to address the logical data assets which often carry higher regulatory risk in financial services. The strategy of reviewing third-party SLAs is a component of vendor management but does not establish the internal framework needed for data classification.
Takeaway: A formal classification policy is the essential foundation for prioritizing security controls and ensuring regulatory compliance for sensitive data assets.
Question 12 of 20
A project manager at a United States financial services firm is leading a security initiative to implement a new data loss prevention solution. To ensure the project aligns with the NIST Cybersecurity Framework and meets the requirements of the Gramm-Leach-Bliley Act, which approach is most appropriate?
Correct: Integrating security throughout the project lifecycle, known as Security by Design, aligns with NIST standards and ensures that regulatory requirements for protecting consumer financial information are met efficiently. This proactive approach allows for the identification and mitigation of risks early, reducing the cost of remediation and ensuring that the final product is compliant with U.S. Securities and Exchange Commission (SEC) and FINRA expectations for data protection.
Question 13 of 20
A Chief Information Security Officer (CISO) at a mid-sized brokerage firm in the United States is conducting an annual review of the organization’s security posture following a NIST Cybersecurity Framework (CSF) implementation. While the firm met its initial compliance targets, a recent internal audit identified several recurring misconfigurations in cloud storage buckets over the last six months. To ensure the security program adheres to the principle of continuous improvement as defined in professional governance standards, which action should the CISO prioritize?
Correct: Establishing a feedback loop is a core component of continuous improvement frameworks like the NIST CSF. By integrating audit findings back into the risk assessment process, the organization ensures that the root causes of recurring issues are addressed through systemic updates to controls and educational programs, fostering a proactive security culture rather than just reactive patching.
Incorrect: Increasing the frequency of penetration tests focuses on vulnerability detection rather than improving the management processes that allowed the vulnerabilities to exist. The strategy of implementing strict disciplinary measures is often counterproductive as it ignores potential process flaws or resource gaps that contribute to human error. Opting for automated tools provides a technical solution for monitoring but does not address the underlying governance and feedback mechanisms necessary for a mature continuous improvement program.
Takeaway: Continuous improvement requires a structured feedback loop where audit results inform risk management and control updates.
Question 14 of 20
A wealth management firm in the United States is conducting a tabletop exercise to test its Security Incident Response Plan against a simulated ransomware threat. The CISO has invited representatives from Legal, Compliance, and Corporate Communications to participate alongside the IT Security team. The scenario involves the potential exfiltration of sensitive client data protected under SEC Regulation S-P. What is the primary objective of including these non-technical stakeholders in the exercise?
Correct: In the United States regulatory environment, incident response involves strict timelines for reporting breaches to the SEC and notifying affected clients. Including diverse stakeholders ensures that the organization can effectively coordinate legal, regulatory, and public relations responses while the technical team manages the threat. This validates that the Incident Response Plan correctly identifies who has the authority to trigger external notifications.
Incorrect: Relying solely on technical training for non-IT staff is inappropriate for a tabletop exercise, which is intended to be a discussion-based simulation of policy and procedure. Simply conducting a live-fire test of failover systems describes a functional exercise or disaster recovery test rather than a tabletop discussion. Opting to treat the session as a generic HR training requirement misses the strategic goal of identifying gaps in the specialized incident response framework.
Takeaway: Tabletop exercises evaluate the effectiveness of non-technical coordination and decision-making processes during a simulated security incident.
Question 15 of 20
A financial services firm in the United States is updating its contingency planning to align with NIST SP 800-34 Rev. 1. The CISO needs to determine recovery priorities for the organization’s business units. Which process should the CISO prioritize to identify mission-critical functions and establish the Maximum Tolerable Downtime (MTD)?
Correct: A Business Impact Analysis (BIA) is the foundational step in NIST SP 800-34 for identifying mission-critical systems and quantifying the impact of disruptions. This process allows the organization to set Recovery Time Objectives (RTO) based on the Maximum Tolerable Downtime (MTD) to meet US regulatory expectations.
Question 16 of 20
A Chief Information Security Officer (CISO) at a mid-sized financial services firm in the United States is preparing a report for the Board of Directors. The firm currently aligns with the NIST Cybersecurity Framework (CSF) but lacks a formal method to measure progress over time. To comply with evolving SEC cybersecurity disclosure rules, the CISO needs to establish a benchmarking process that demonstrates the maturity of the security program relative to industry peers. Which approach provides the most defensible maturity assessment for regulatory and stakeholder reporting?
Correct
Correct: The NIST CSF Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive) describe the rigor of an organization's cybersecurity risk governance and management practices and are intended to be communicated to executives and external stakeholders. NIST cautions that the Tiers are not maturity levels in themselves, which is why pairing them with a sector-specific benchmark such as the Financial Services Sector Coordinating Council (FSSCC) Cybersecurity Profile matters: the profile supplies the peer context and regulatory mapping a US financial institution needs. Together they give the Board a repeatable, defensible view of program maturity that supports the risk management and strategy disclosures the SEC rules require.
-
Question 17 of 20
17. Question
A financial institution in the United States is undergoing an internal audit to evaluate the enforcement of its information security policies. The organization recently updated its risk register to reflect new threats to its cloud-hosted customer data. To ensure the audit provides the most value to the board of directors, the lead auditor must determine the scope of the enforcement testing. Which of the following approaches represents the most effective risk-based auditing procedure?
Correct
Correct: Prioritizing controls for systems handling material non-public information (MNPI) and personally identifiable information (PII) focuses the audit on the assets with the highest risk and regulatory exposure. This approach follows NIST guidance on risk-based assessment and US financial regulations that demand rigorous protection of customer data and market-moving information. By testing enforcement on the high-value assets named in the updated risk register, the auditor can give the board assurance that the most critical security policies are being enforced where they matter most, rather than sampling uniformly across low-risk systems.
-
Question 18 of 20
18. Question
Following a recent cybersecurity assessment at an SEC-registered investment adviser in Chicago, the IT audit team noted that the firm’s internal network lacks sufficient isolation between administrative functions and the client account management system. To comply with the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA), which the SEC applies to registered advisers through Regulation S-P, and to follow NIST Cybersecurity Framework best practices, the firm must restructure its network to prevent unauthorized lateral movement. Which of the following strategies provides the most robust protection against an attacker moving from a compromised employee laptop to the sensitive client database?
Correct
Correct: Implementing a Zero Trust architecture with micro-segmentation is the most effective way to prevent lateral movement. Zero Trust (described in NIST SP 800-207) assumes that no user, device or workload is trusted because of its network location, so being ‘inside’ the perimeter grants nothing by itself. By breaking the network into small, isolated segments and enforcing granular, default-deny access policies at the workload level, the firm ensures that a compromise of a single workstation does not give an attacker a path to the client database: only the identities explicitly allowed can reach it, and every other attempt is dropped and logged. This aligns with the SEC’s emphasis on protecting non-public personal information and with the NIST Cybersecurity Framework’s ‘Protect’ function, while the logged denials feed the ‘Detect’ function.
Incorrect: Relying solely on a demilitarized zone (DMZ) protects external-facing assets but fails to address the lack of isolation between internal segments where the primary risk of lateral movement exists. Simply deploying a signature-based IPS at the gateway is an ineffective strategy for stopping internal threats that have already bypassed the perimeter or are using encrypted channels. Opting for a VPN with multi-factor authentication secures the entry point for remote users but does not restrict the movement of a threat actor once they have successfully authenticated to the internal network environment.
Takeaway: Zero Trust micro-segmentation is essential for preventing lateral movement by enforcing granular access controls within the internal network environment.
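The simplest enforcement point for the segmentation described above is the database host's own firewall. The example below is added here and is not from the quiz or any vendor product: it models a default-deny allow list for a hypothetical client database host, renders it as an nftables ruleset, and evaluates connection attempts the same way the ruleset would. All hostnames, addresses and ports are invented. Production micro-segmentation tools usually key policies on workload identity or labels rather than addresses, but the default-deny shape is the same.

```python
"""Host-level micro-segmentation for a client database server.

Added example, not from the quiz or any product. The policy model, hostnames,
addresses and ports are invented; the nftables syntax is real and the rendered
ruleset can be loaded with `nft -f`.
"""
from ipaddress import ip_address, ip_network

# Default-deny allow list for the database host. Anything not listed is
# dropped and logged, including connections from elsewhere on the corporate
# LAN, which is what stops a compromised laptop reaching the database.
CLIENT_DB_POLICY = {
    "host": "clientdb01",
    "allow": [
        # (source network, destination TCP port, purpose)
        ("10.20.1.0/28", 5432, "app tier -> postgres"),
        ("10.30.0.5/32", 22, "admin jump host -> ssh"),
    ],
}


def permits(policy, src_ip, dport):
    """Evaluate a new TCP connection the way the rendered ruleset will."""
    src = ip_address(src_ip)
    for net, port, _purpose in policy["allow"]:
        if src in ip_network(net) and port == dport:
            return True
    return False  # policy drop: no implicit trust for "internal" sources


def render_nftables(policy):
    """Emit the host firewall that enforces the policy."""
    table = f'{policy["host"]}_segment'
    lines = [
        f"table inet {table} {{",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        '    iif "lo" accept',
    ]
    for net, port, purpose in policy["allow"]:
        lines.append(f"    ip saddr {net} tcp dport {port} accept  # {purpose}")
    # Log the drops: denied lateral-movement attempts become detection signal.
    lines.append(f'    log prefix "{table}-drop: " counter drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables(CLIENT_DB_POLICY))
    # Constructed attempts: a compromised employee laptop on the office LAN,
    # an application server, and the jump host trying a port it is not allowed.
    attempts = [
        ("10.20.5.17", 5432),  # laptop -> database: dropped
        ("10.20.1.3", 5432),   # app server -> database: allowed
        ("10.30.0.5", 5432),   # jump host -> database port: dropped
        ("10.30.0.5", 22),     # jump host -> ssh: allowed
    ]
    for src, port in attempts:
        verdict = "ALLOW" if permits(CLIENT_DB_POLICY, src, port) else "DROP"
        print(f"{src} -> tcp/{port}: {verdict}")
```

The laptop at 10.20.5.17 is on the same internal network as the database and is still dropped, which is the property the question is testing for; a flat network with only a perimeter DMZ or gateway IPS would have admitted it.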
-
Question 19 of 20
19. Question
A Chief Information Security Officer (CISO) at a financial services firm in the United States is preparing the annual security budget. A recent assessment against the NIST Cybersecurity Framework (CSF) revealed significant gaps in the Respond and Recover functions. The CISO must now justify a substantial increase in funding for an external Incident Response (IR) retainer and enhanced immutable backup systems to the Board of Directors.
Correct
Correct: This approach ensures that resource allocation is driven by a formal risk management process. US regulatory bodies, including the SEC, expect firms to use recognized frameworks like the NIST CSF to identify and remediate risks. By connecting the budget to the Board’s risk appetite, the CISO fulfills governance requirements for oversight and strategic alignment, ensuring that the most critical deficiencies are addressed first.
Incorrect: Relying solely on industry benchmarks fails to address the unique threat landscape and internal vulnerabilities specific to the organization. Simply using historical firewall data as a primary driver is a reactive method that ignores qualitative risks and potential high-impact, low-frequency events. The strategy of prioritizing compliance automation tools over identified security gaps may satisfy reporting requirements but leaves the actual infrastructure vulnerable to the gaps found in the assessment. Choosing to follow peer spending patterns does not guarantee that the firm’s specific critical assets are adequately protected.
Takeaway: Security budgeting should be a risk-based exercise that prioritizes closing framework-identified gaps to meet the organization’s established risk tolerance.
-
Question 20 of 20
20. Question
A mid-sized investment firm in New York is upgrading its security surveillance capabilities to align with the NIST Cybersecurity Framework and SEC compliance requirements. The firm needs to implement a system that not only detects known signature-based threats but also identifies anomalous behavior that could indicate a zero-day exploit or an insider threat. Which approach provides the most comprehensive surveillance and response capability according to industry best practices?
Correct
Correct: A behavior-based (anomaly-based) IDPS detects deviations from established baselines of normal user and system activity, which is essential for catching zero-day exploitation and insider misuse for which no signature exists. Feeding its alerts and the underlying logs into a SIEM lets events from many sources be correlated in near real time, giving the visibility that NIST guidance and SEC expectations call for in continuous monitoring and rapid incident response. The trade-off is tuning: anomaly detection produces false positives until baselines are well established, so it complements rather than replaces signature-based detection.
Incorrect: Relying on standalone signature-based firewalls with manual weekly reviews is insufficient because it fails to detect novel threats and introduces a significant delay in response time that violates modern compliance expectations. Simply using packet-filtering routers and antivirus software is inadequate for modern surveillance as it lacks the depth of analysis needed to identify sophisticated lateral movement within a network. The strategy of using internal ACLs and employee self-reporting is reactive and fails to provide the automated, continuous monitoring necessary to meet professional security governance standards.
Takeaway: Effective surveillance requires combining behavior-based detection with centralized log correlation to identify and respond to both known and unknown security threats.
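To make the baseline-and-correlate idea concrete, the example below is added here and is not from the quiz or any SIEM product. It builds a per-user baseline (rows returned per query, active hours, source addresses) from constructed database audit lines, scores a review day against it, and correlates each finding with the VPN session that handed out the source address. The log formats, hostnames, usernames and addresses are all invented for the illustration.

```python
"""Behaviour-baseline detection with SIEM-style correlation.

Added example, not from the quiz or any product. Log formats, users,
hosts and addresses are constructed for the illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed baseline period: normal activity for two analysts (abridged).
BASELINE_DB_LOG = """\
2024-03-04T09:12:01Z db01 user=jsmith src=10.20.5.17 action=SELECT table=client_accounts rows=40
2024-03-04T10:47:33Z db01 user=jsmith src=10.20.5.17 action=SELECT table=client_accounts rows=55
2024-03-05T09:30:10Z db01 user=jsmith src=10.20.5.17 action=SELECT table=client_accounts rows=48
2024-03-05T14:02:45Z db01 user=jsmith src=10.20.5.17 action=SELECT table=client_accounts rows=35
2024-03-06T11:15:09Z db01 user=jsmith src=10.20.5.17 action=SELECT table=client_accounts rows=60
2024-03-04T09:05:00Z db01 user=rlee src=10.20.5.22 action=SELECT table=trades rows=120
2024-03-05T09:40:00Z db01 user=rlee src=10.20.5.22 action=SELECT table=trades rows=95
2024-03-06T10:20:00Z db01 user=rlee src=10.20.5.22 action=SELECT table=trades rows=110
"""

# Constructed review day: one bulk pull at night from an unusual address.
REVIEW_DB_LOG = """\
2024-03-11T09:20:00Z db01 user=jsmith src=10.20.5.17 action=SELECT table=client_accounts rows=52
2024-03-11T23:41:18Z db01 user=jsmith src=10.20.9.4 action=SELECT table=client_accounts rows=18400
2024-03-11T10:05:00Z db01 user=rlee src=10.20.5.22 action=SELECT table=trades rows=101
"""

# Constructed VPN concentrator log for the same day (second source for correlation).
REVIEW_VPN_LOG = """\
2024-03-11T08:55:02Z vpn01 event=login user=jsmith peer=198.51.100.23 assigned=10.20.5.17
2024-03-11T23:39:50Z vpn01 event=login user=jsmith peer=203.0.113.77 assigned=10.20.9.4
2024-03-11T09:58:11Z vpn01 event=login user=rlee peer=198.51.100.40 assigned=10.20.5.22
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn 'timestamp host key=value ...' lines into dicts with a datetime."""
    events = []
    for line in log.splitlines():
        ts, host, rest = line.split(" ", 2)
        fields = dict(KV_RE.findall(rest))
        fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        fields["host"] = host
        events.append(fields)
    return events


def build_baseline(events):
    """Per-user profile: rows-per-query mean/stdev, active hours, known sources."""
    per_user = defaultdict(lambda: {"rows": [], "hours": set(), "srcs": set()})
    for e in events:
        p = per_user[e["user"]]
        p["rows"].append(int(e["rows"]))
        p["hours"].add(e["ts"].hour)
        p["srcs"].add(e["src"])
    return {
        user: {
            "mean": statistics.mean(p["rows"]),
            "stdev": statistics.pstdev(p["rows"]) if len(p["rows"]) > 1 else 0.0,
            "hours": p["hours"],
            "srcs": p["srcs"],
        }
        for user, p in per_user.items()
    }


def detect(profile, review_events, vpn_events, k=3.0):
    """Flag deviations from the baseline and attach the VPN session behind them."""
    findings = []
    for e in review_events:
        p = profile.get(e["user"])
        reasons = []
        if p is None:
            reasons.append("no baseline for user")
        else:
            rows = int(e["rows"])
            if rows > p["mean"] + k * max(p["stdev"], 1.0):
                reasons.append(f"rows={rows} exceeds baseline {p['mean']:.0f} + {k}*sd")
            if e["ts"].hour not in p["hours"]:
                reasons.append(f"hour {e['ts'].hour:02d} outside baseline hours")
            if e["src"] not in p["srcs"]:
                reasons.append(f"src {e['src']} not in baseline sources")
        if not reasons:
            continue
        # Correlation: which VPN login assigned the address used for this query?
        session = next(
            (v for v in vpn_events
             if v["user"] == e["user"] and v["assigned"] == e["src"] and v["ts"] <= e["ts"]),
            None,
        )
        findings.append({
            "user": e["user"], "ts": e["ts"].isoformat(), "table": e["table"],
            "reasons": reasons, "vpn_peer": session["peer"] if session else None,
        })
    return findings


def run():
    profile = build_baseline(parse(BASELINE_DB_LOG))
    return detect(profile, parse(REVIEW_DB_LOG), parse(REVIEW_VPN_LOG))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Only the 23:41 query is flagged, on three independent grounds (volume, hour, source address), and the correlation step names the external VPN peer behind it, which is the context an analyst needs to decide between a compromised credential and a legitimate late-night job. A weekly manual review of firewall logs, the first distractor, would surface none of this for days.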