01. After an incident has been fully resolved and systems restored, the response team holds a structured review meeting to analyze what happened, how well the response worked, and what should improve.
What is the primary purpose of this final phase?
a) To remove the attacker's tools and malware from the affected systems
b) To detect whether an incident has occurred
c) To capture lessons learned and improve future preparedness and processes
d) To reconnect isolated systems so the business can resume operations
02. An operations analyst distinguishes two related activities: one identifies missing fixes and weaknesses across systems, and the other applies the vendor-released fixes to close them.
Which statement correctly describes patch management?
a) It intercepts network traffic to detect intrusions in real time
b) It simulates attacks to prove which vulnerabilities are exploitable
c) It classifies data by sensitivity so access can be restricted
d) It is the process of acquiring, testing, and deploying vendor-released updates to remediate known weaknesses
03. Two documents are being written: one describes how the whole organization will keep essential functions such as customer service and payroll operating during a major disruption, and the other focuses specifically on restoring IT systems and data after an outage.
How are these two documents best characterized?
a) The first is the business continuity plan and the second is the disaster recovery plan
b) The first is the disaster recovery plan and the second is the business continuity plan
c) Both are incident response playbooks with no meaningful difference
d) Both are vulnerability management procedures
04. A security tool sends malformed inputs to a web application while it is running in a test environment and observes how the application responds, without access to the source code.
Which testing approach is being used?
a) Static Application Security Testing (SAST)
b) Manual secure code review
c) Threat modeling
d) Dynamic Application Security Testing
05. A development team has finished writing a module but has not yet built or deployed it. They want the earliest possible feedback on insecure coding patterns and have full access to the source code.
Which security testing technique best fits this situation?
a) DAST, because it can be run against the module while it executes in production
b) Penetration testing, because it provides the earliest possible feedback on code quality
c) SAST, because it can analyze the source code before the application is built or deployed
d) A post-incident review, because it identifies coding flaws before release
06. A team is using the STRIDE model during threat modeling to categorize potential threats to a login service. The threat of an attacker pretending to be a legitimate user maps to which STRIDE category?
a) Tampering
b) Spoofing
c) Repudiation
d) Elevation of privilege
07. Which principle should be followed when gathering access control requirements?
a) Principle of Least Privilege.
b) Principle of Defense in Depth.
c) Principle of Thinking Evil.
d) Principle of Simplicity.
08. The amount of risk an organization requires to meet their goals is called:
a) vulnerability impact.
b) risk management.
c) risk appetite.
d) risk capacity.
09. What type of access is granted for groups of employees based on job classification and function?
a) Information Classification.
b) Role Based Access.
c) Preferred Access.
d) Shared Account.
10. In Security Engineering, the Business Analyst's role is to represent the enterprise-level security requirements, to ensure that:
a) the architecture and designs align with the organization's core goals and strategic direction.
b) employees are trained to recognize phishing attacks.
c) a control framework is in place.
d) an organizational risk assessment includes assets used by engineering teams.