CCNA Information Security Programme Questions

15 of 165 questions · Page 3/3 · Information Security Programme · Answers revealed

151 · MCQ · medium

Which of the following best describes the role of a security architect in a security program?

A. Designs security controls and integrates them into IT systems
B. Performs penetration testing to identify vulnerabilities
C. Develops and delivers security awareness training
D. Monitors security alerts and responds to incidents

Answer: A

The security architect focuses on designing secure systems and architectures.

Why this answer

The security architect designs and oversees the implementation of security solutions and ensures they align with the overall architecture.

152 · MCQ · medium

A security awareness program includes phishing simulations. After six months, the click rate has decreased from 15% to 8%, but the number of reported phishing emails has also dropped. The CISO wants to measure the effectiveness of the program. Which metric would best indicate sustained improvement in security behavior?

A. Pass rate on post-training knowledge assessments
B. Number of security incidents caused by phishing
C. Number of employees who completed training
D. Phishing click rate trend over the last 12 months

Answer: D

A sustained downward trend in click rate indicates improved recognition and behavior.

Why this answer

A sustained low click rate over time, with increasing or stable reporting rates, is a leading indicator of improved security awareness. A decreasing click rate alone may be confounded by other factors, but combined with reporting trends it shows behavioral change.

153 · MCQ · hard

A CISO is planning the security programme budget and wants to justify the investment to the CFO. The organization has a moderate risk appetite and an IT budget of $10 million. What is the most appropriate budget range for the security programme based on industry benchmarks?

A. $500,000 to $1,000,000
B. $1,500,000 to $2,000,000
C. $1,000,000 to $1,500,000
D. $200,000 to $500,000

Answer: C

$1,000,000 to $1,500,000 is 10-15% of the $10 million IT budget, the typical range for a mature programme.

Why this answer

For a mature security programme, industry benchmarks suggest 10-15% of IT budget. For a $10M IT budget, that is $1M to $1.5M. 0.2-0.5% of revenue is another benchmark but not directly applicable here without revenue data.

154 · MCQ · hard

A security manager needs to justify an increase in the security budget. Which approach provides the strongest quantitative justification?

A. Comparing the budget to industry benchmarks
B. Presenting the number of vulnerabilities discovered
C. Showing the return on investment using avoided breach costs
D. Listing all pending compliance requirements

Answer: C

ROI based on avoided losses is a strong financial argument.

Why this answer

Quantifying the financial impact of risks avoided (e.g., using annualized loss expectancy) provides a compelling business case.

155 · MCQ · hard

An information security manager is developing a security scorecard for the board. Which combination of metrics BEST provides a balanced view of security program effectiveness?

A. Number of security incidents and percentage of systems with critical patches applied within SLA
B. Percentage of employees who completed security awareness training and number of reported phishing emails
C. Number of security incidents and mean time to detect (MTTD)
D. Phishing click rate and percentage of systems with critical patches applied within SLA

Answer: A

Incident count is a lagging indicator; patch compliance within SLA is a leading indicator, so together they provide a balanced view.

Why this answer

Leading indicators (patch compliance) predict future performance, while lagging indicators (incident count) measure past outcomes. Both are needed for balance.

156 · MCQ · hard

A mature security program allocates 12% of IT budget to security. Which combination of budget components is most balanced for a program seeking to improve detection and response capabilities?

A. Personnel 40%, Technology 30%, Services 20%, Training 10%
B. Personnel 20%, Technology 50%, Services 20%, Training 10%
C. Personnel 50%, Technology 20%, Services 20%, Training 10%
D. Personnel 30%, Technology 30%, Services 30%, Training 10%

Answer: A

This allocation prioritizes skilled staff and tools for detection/response.

Why this answer

For improving detection and response, investment in technology (SIEM, SOAR) and personnel (SOC analysts) is most critical, with services for assessments and training for skills.

157 · MCQ · medium

An organization's security budget is 8% of the IT budget. Industry benchmarks suggest 10-15% for mature programs. Which of the following should the CISO do FIRST to justify an increase?

A. Reduce other IT expenses to free up funds
B. Present a cost-benefit analysis showing breach avoidance value
C. Request additional budget for emerging threats
D. Highlight the percentage gap compared to peers

Answer: B

ROI justification demonstrates business value.

Why this answer

Linking budget requests to specific risk reductions and potential breach costs provides a business case for investment.

158 · MCQ · medium

An organization wants to implement a defense-in-depth strategy for its web application. Which set of controls best exemplifies this approach?

A. Single sign-on and multi-factor authentication
B. Web application firewall (WAF), input validation, and security awareness training
C. Encryption at rest and in transit
D. Intrusion detection system and vulnerability scanner

Answer: B

A WAF (network layer), input validation (application layer), and awareness training (human layer) together provide layered defense.

Why this answer

Defense-in-depth uses multiple layers: network, host, application, and monitoring controls.

159 · MCQ · medium

When selecting security controls based on NIST SP 800-53, which control family is MOST directly related to protecting the confidentiality of data?

A. Identification and Authentication (IA)
B. System and Communications Protection (SC)
C. Audit and Accountability (AU)
D. Access Control (AC)

Answer: D

Access control enforces permissions, protecting confidentiality.

Why this answer

The Access Control (AC) family includes controls that restrict who can access data, directly protecting confidentiality.

160 · MCQ · medium

Which control family from NIST SP 800-53 is MOST directly associated with ensuring that users have appropriate access rights?

A. System and Communications Protection (SC)
B. Identification and Authentication (IA)
C. Personnel Security (PS)
D. Access Control (AC)

Answer: D

AC covers policies and procedures for assigning and managing access.

Why this answer

The Access Control (AC) family specifically addresses user access management.

161 · MCQ · hard

A company has implemented a security awareness program with quarterly phishing simulations. The click rate has remained at 15% for the past two quarters. What is the most effective next step?

A. Increase the frequency of simulations to monthly
B. Implement mandatory remediation training for users who click
C. Discontinue simulations as they are not effective
D. Reduce the difficulty of simulations to lower the click rate

Answer: B

Targeted training addresses behavior and reinforces learning.

Why this answer

Since the click rate is stagnating, the program needs to be adjusted. Remediation training targeted at those who click, combined with increased simulation complexity, can drive improvement.

162 · MCQ · medium

Which of the following metrics would be MOST useful for measuring the effectiveness of a phishing simulation program?

A. Percentage of employees who failed the simulation
B. Phishing click rate over time
C. Time taken to complete the simulation
D. Number of phishing emails reported

Answer: B

Trend analysis shows improvement or decline in user awareness.

Why this answer

Trending click rates over time show whether user behavior is improving, directly measuring program effectiveness.

163 · MCQ · hard

An organization's third-party risk management program has been in place for two years. Which of the following is the MOST critical action to ensure the program remains effective?

A. Conducting a one-time risk assessment before contract signing
B. Performing annual reassessments for all vendors
C. Maintaining a list of all vendors and their criticality
D. Implementing continuous monitoring of high-risk vendors

Answer: D

Continuous monitoring detects changes promptly, reducing risk exposure.

Why this answer

Continuous monitoring of high-risk vendors is the most critical action because it provides real-time or near-real-time visibility into security posture changes, such as new vulnerabilities, configuration drifts, or breach indicators, which static annual assessments cannot catch. This aligns with the NIST SP 800-137 framework for continuous monitoring and is essential for adapting to evolving threats in a third-party ecosystem.

Exam trap

The trap here is that candidates confuse 'maintaining a list' (a static, necessary but insufficient step) with the active, risk-driven monitoring required to keep the program effective over time.

How to eliminate wrong answers

Option A is wrong because a one-time risk assessment before contract signing is a point-in-time snapshot that fails to account for changes in the vendor's security posture, threat landscape, or regulatory requirements over the two-year program lifespan.

Option B is wrong because performing annual reassessments for all vendors is resource-intensive and inefficient; it treats low-risk vendors the same as high-risk ones, missing the need for risk-based prioritization and more frequent checks on critical vendors.

Option C is wrong because maintaining a list of all vendors and their criticality is a foundational inventory task, but it is a passive administrative activity that does not actively monitor or verify the ongoing effectiveness of security controls.

164 · MCQ · medium

An organization wants to measure the effectiveness of its security awareness programme. Which metric is a leading indicator of improved security culture?

A. Number of security incidents attributed to human error
B. Number of phishing emails reported by employees
C. Percentage of employees who completed annual training
D. Average score on knowledge assessment tests

Answer: B

Increased reporting indicates better recognition and engagement.

Why this answer

An increase in the number of phishing emails reported by employees indicates that they are actively recognizing and reporting suspicious activity, which is a leading indicator of improved security awareness and culture.

165 · MCQ · hard

An organization is implementing a security controls framework and must decide on prioritization. According to defense-in-depth principles, which approach should be taken first?

A. Select all controls from NIST SP 800-53 without prioritization
B. Deploy business-enabling controls that support operations
C. Implement compensating controls to address gaps in existing controls
D. Prioritize critical controls that address the most significant risks

Answer: D

Critical controls form the foundation of defense-in-depth.

Why this answer

Defense-in-depth starts with critical controls that protect against the most likely threats, often following frameworks like CIS Critical Controls, which prioritize foundational controls.
