Domain 5: Program Management & Oversight
15 questions · Instant feedback · 20% of the exam
Which of the following techniques can be used to sanitize a hard drive while allowing it to be repurposed?
A wipe tool overwrites existing data on the hard drive, ensuring old information cannot be recovered while keeping the hardware usable. Unlike degaussing or shredding, this method preserves the drive for future use.
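To make the difference between deleting and wiping concrete, here is an added example (not part of the quiz or its source material) using a constructed toy block device: an ordinary delete only drops the directory entry, so a raw scan of the medium still finds the data; an overwrite removes it while leaving the device writable. The class, block size and sample payroll string are all assumptions made for the demonstration.

```python
import secrets

BLOCK_SIZE = 16  # toy block size in bytes; real sectors are 512 or 4096


class ToyDisk:
    """Constructed toy block device: raw storage plus a directory of name -> block indices.

    It stands in for a real drive so that delete-versus-overwrite can be shown offline.
    """

    def __init__(self, n_blocks: int) -> None:
        self.n_blocks = n_blocks
        self.storage = bytearray(n_blocks * BLOCK_SIZE)
        self.directory: dict[str, list[int]] = {}
        self.free_blocks = list(range(n_blocks))

    def write_file(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(self.free_blocks):
            raise OSError("toy disk full")
        blocks = [self.free_blocks.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
            self.storage[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk
        self.directory[name] = blocks

    def delete_file(self, name: str) -> None:
        """Ordinary delete: the directory entry goes away and the blocks are marked free,
        but nothing is written to the blocks themselves, so the bytes stay on the medium."""
        self.free_blocks.extend(self.directory.pop(name))

    def wipe(self, passes: int = 1) -> None:
        """Overwrite every block with random bytes, finish with zeros, and reset the directory.
        The medium is then empty but still fully usable, unlike degaussing or shredding."""
        for _ in range(passes):
            self.storage[:] = secrets.token_bytes(len(self.storage))
        self.storage[:] = bytes(len(self.storage))
        self.directory.clear()
        self.free_blocks = list(range(self.n_blocks))


def carve(disk: ToyDisk, marker: bytes) -> bool:
    """Scan the raw medium for a known string, ignoring the directory entirely.
    This is what file-recovery and forensic carving tools do."""
    return bytes(disk.storage).find(marker) != -1


def demo() -> dict:
    """Run the delete-versus-wipe comparison and return what each step leaves behind."""
    secret = b"PAYROLL 2024: employee salaries (constructed sample data)"
    disk = ToyDisk(n_blocks=8)
    disk.write_file("payroll.txt", secret)

    disk.delete_file("payroll.txt")
    recoverable_after_delete = carve(disk, b"PAYROLL")  # True: delete is not sanitization

    disk.wipe(passes=1)
    recoverable_after_wipe = carve(disk, b"PAYROLL")  # False: blocks were overwritten

    # The wiped disk can be repurposed: write new data and find it again through the directory.
    disk.write_file("notes.txt", b"new owner data")
    reusable = "notes.txt" in disk.directory and carve(disk, b"new owner data")

    return {
        "recoverable_after_delete": recoverable_after_delete,
        "recoverable_after_wipe": recoverable_after_wipe,
        "reusable_after_wipe": reusable,
    }


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner adds: on SSDs, wear levelling and over-provisioned cells mean a host-side overwrite may not reach every physical block, so the sanitization should use the drive's own secure-erase or sanitize command and be verified afterwards, as NIST SP 800-88 describes for media sanitization.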
Which of the following explains how to determine the global regulations that data is subject to regardless of the country where the data is stored?
Data sovereignty is the principle that data remains subject to the laws and regulations of the jurisdiction where it was collected or originated, even when it is stored or accessed in another country. Working out which of those legal regimes applies is the first step in deciding where the data may be hosted.
A security analyst is evaluating a SaaS application that the human resources department would like to implement. The analyst requests a SOC 2 report from the SaaS vendor. Which of the following processes is the analyst most likely conducting?
Due diligence involves evaluating the security practices of vendors to ensure they meet the organization's standards.
For an upcoming product launch, a company hires a marketing agency whose owner is a close relative of the CEO. Which of the following did the company violate?
Hiring a vendor owned by a close relative of the CEO violates the conflict of interest policy because personal relationships can bias business decisions. Such conflicts undermine transparency, fairness, and trust in the company’s governance.
Which of the following should an analyst consider when performing a business impact analysis? (Select two).
RPO (Recovery Point Objective) and RTO (Recovery Time Objective) are key factors to consider when assessing business impact.
A company has yearly engagements with a service provider. The general terms and conditions are the same for all engagements. The company wants to simplify the process and revisit the general terms every three years. Which of the following documents would provide the best way to set the general terms?
An MSA (Master Service Agreement) outlines the general terms for ongoing relationships and can be updated periodically to reflect changes.
Which of the following best describes the concept of information being stored outside of its country of origin while still being subject to the laws and requirements of the country of origin?
Data sovereignty is the concept that data stored outside its country of origin remains subject to the laws and requirements of the country of origin. Moving the data to another physical location does not release it from those obligations, so storage locations and vendors must be chosen with that in mind.
A new employee accessed an unauthorized website. An investigation found that the employee violated the company’s rules. Which of the following did the employee violate?
Visiting blocked or non-business websites violates the Acceptable Use Policy, which outlines permissible internet activities. The AUP helps enforce acceptable behavior on corporate networks.
The security department is remediating vulnerabilities that were found during an audit of newly deployed systems. Which of the following must be done to ensure compliance?
Conducting a rescan verifies that vulnerabilities were successfully remediated and provides evidence of compliance.
An organization is required to provide assurance that its controls are properly designed and operating effectively. Which of the following reports will best achieve the objective?
An independent audit evaluates controls against recognized standards using a third-party assessor. It produces formal findings on both design effectiveness (are the controls suitable for their objective?) and operating effectiveness (did they actually work over the review period?). This level of assurance is often required by regulators and stakeholders.
Which of the following factors are the most important to address when formulating a training curriculum plan for a security awareness program? (Select two).
When creating a security awareness training plan, the cadence and duration of training events and threat vectors based on the industry are most important. The cadence and duration ensure effective learning, while considering industry-specific threats tailors the training to relevant risks.
Which of the following should an internal auditor check for first when conducting an audit of the organization's risk management program?
The internal auditor should first review the policies and procedures as they form the foundation of the risk management program, outlining the organization's approach to risk management.
Which of the following objectives is best achieved by a tabletop exercise?
A tabletop exercise is a discussion-based simulation of an incident response scenario. It familiarizes stakeholders with their roles, communication paths, and decision points without touching live systems. By walking through the steps in a controlled environment, teams build confidence and identify procedural gaps.
An administrator has configured a quarantine subnet for all guest devices that connect to the network. Which of the following would be best for the security team to configure on the MDM before allowing access to corporate resources?
Compliance attestation ensures that a device meets the organization's security policies (e.g., antivirus, encryption, OS version) before it's granted access to corporate resources. It is typically enforced through MDM solutions.
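The posture check behind such an attestation can be expressed as a small policy evaluator. The following is an added example, not the quiz's content or any MDM vendor's code: the policy thresholds, report field names and device records are assumptions constructed for the demonstration. The design point worth noting is that a missing or malformed attribute counts as a failure, so a device that cannot prove a control is never treated as if it had it.

```python
from datetime import date

# Constructed policy; the thresholds are assumptions for this example, not any product's defaults.
POLICY = {
    "min_os_version": "14.2",
    "require_disk_encryption": True,
    "require_antivirus_running": True,
    "max_signature_age_days": 7,
}

# Constructed sample posture reports, as an MDM agent might submit them.
COMPLIANT_DEVICE = {
    "device_id": "laptop-0042",
    "os_version": "14.3.1",
    "disk_encrypted": True,
    "antivirus_running": True,
    "signature_date": "2024-05-18",
}

NONCOMPLIANT_DEVICE = {
    "device_id": "guest-phone-7",
    "os_version": "13.6",
    "disk_encrypted": False,
    "antivirus_running": True,
    "signature_date": "2024-04-01",
}

TODAY = date(2024, 5, 20)  # fixed so the example is deterministic


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '14.2.1' into (14, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate_posture(report: dict, policy: dict, today: date) -> list[str]:
    """Return the list of failed checks for a posture report; an empty list means compliant.

    Every check fails closed: a missing or unparseable field is reported as a failure.
    """
    failures: list[str] = []

    os_version = report.get("os_version")
    try:
        if parse_version(os_version) < parse_version(policy["min_os_version"]):
            failures.append(f"os_version {os_version} below minimum {policy['min_os_version']}")
    except (AttributeError, ValueError):  # None, or a value like 'unknown'
        failures.append("os_version missing or unparseable")

    # 'is not True' rejects None and non-boolean junk, not just False.
    if policy["require_disk_encryption"] and report.get("disk_encrypted") is not True:
        failures.append("disk encryption not enabled")

    if policy["require_antivirus_running"] and report.get("antivirus_running") is not True:
        failures.append("antivirus not running")

    signature_date = report.get("signature_date")
    try:
        age_days = (today - date.fromisoformat(signature_date)).days
        if age_days > policy["max_signature_age_days"]:
            failures.append(f"antivirus signatures {age_days} days old")
    except (TypeError, ValueError):  # None, or a non-ISO date string
        failures.append("signature_date missing or invalid")

    return failures


def grant_access(report: dict, policy: dict, today: date) -> bool:
    """Admit the device to corporate resources only when no check failed."""
    return not evaluate_posture(report, policy, today)


if __name__ == "__main__":
    for device in (COMPLIANT_DEVICE, NONCOMPLIANT_DEVICE):
        print(device["device_id"], grant_access(device, POLICY, TODAY),
              evaluate_posture(device, POLICY, TODAY))
```

In a real deployment the report would come signed from the MDM agent and the decision would be enforced at the network or identity layer (the quarantine subnet stays in place until the check passes); the evaluator above is only the policy logic.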
Which of the following would a service provider supply as an assurance for a disposal service as part of a disposal process?
A certification (e.g., NAID AAA) demonstrates that the disposal vendor follows industry best practices and standards for data destruction. It provides documented assurance on methods used, chain of custody, and compliance. Clients rely on these certifications to validate secure disposal.