An organization has a process in place that involves the use of a vendor. A risk assessment was completed during the development of the process. A year after the implementation a monetary decision has been made to use a different vendor. What, if anything, should occur?

• A.Nothing, since a risk assessment was completed during development.
• B.A vulnerability assessment should be conducted.
• C.A new risk assessment should be performed.
• D.The new vendor's SAS 70 type II report should be reviewed.

Comment: *

Name: *

Email: *

Verification: *

During an information security audit, it was determined that IT staff did not follow the established standard when configuring and managing IT systems. Which of the following is the BEST way to prevent future occurrences?

• A.Updating configuration baselines to allow exceptions
• B.Conducting periodic vulnerability scanning
• C.Providing annual information security awareness training
• D.Implementing a strict change control process

Comment: *

Name: *

Email: *

Verification: *

The PRIMARY focus of the change control process is to ensure that changes are:

• A.authorized.
• B.applied.
• C.documented.
• D.tested.

Comment: *

Name: *

Email: *

Verification: *

Which of the following provides a sound basis for effective security change management?

• A.Version management
• B.Incident management
• C.Configuration management
• D.Password management

Comment: *

Name: *

Email: *

Verification: *

Which of the following would BEST help to ensure an organization's information security strategy is aligned with business objectives?

• A.Establishing metrics to measure the effectiveness of the information security program
• B.Establishing a change control process for continued updating of security policies
• C.Implementing an automated solution for monitoring information security processes
• D.Requesting senior management to periodically review security incidents

Comment: *

Name: *

Email: *

Verification: *