Question 1

In the context of the CIS Controls version 8, which Implementation Group (IG) is defined as the set of 'Essential Cyber Hygiene' safeguards that all organizations should implement regardless of their size or resource level?

Accepted Answer

Implementation Group 1 (IG1)

Answer

Implementation Group 0 (IG0)

Answer

Implementation Group 2 (IG2)

Answer

Implementation Group 3 (IG3)

Question 2

Which of the following describes the fundamental shift in organization from CIS Controls v7.1 to CIS Controls v8?

Accepted Answer

The controls were reorganized from 20 controls to 18 controls, focused on task-based Safeguards rather than individual tools.

Answer

The controls removed the focus on cloud assets to prioritize on-premises industrial control systems.

Answer

The controls were renamed to the NIST Cybersecurity Framework to ensure global standardization.

Answer

The controls were expanded from 15 to 25 to cover new Internet of Things (IoT) vulnerabilities.

Question 3

Which CIS Control focuses on the processes and tools used to track, log, and correct configuration changes to network devices, servers, and client devices?

Accepted Answer

Control 4: Secure Configuration of Enterprise Assets and Software

Answer

Control 1: Inventory and Control of Enterprise Assets

Answer

Control 10: Malware Defenses

Answer

Control 17: Incident Response Management

Question 4

Under the CIS Controls v8 framework, what is the primary purpose of 'Control 1: Inventory and Control of Enterprise Assets'?

Accepted Answer

To actively manage all enterprise assets so that only authorized devices are given access and unauthorized assets are identified and disconnected.

Answer

To perform monthly penetration tests on all external-facing web applications.

Answer

To provide security awareness training to all employees and contractors.

Answer

To encrypt all data at rest on mobile devices to prevent data breaches.

Question 5

Which CIS Control involves the process of using automated tools to continuously monitor workstations, servers, and software for new vulnerabilities and to verify that patches are applied within a timely manner?

Accepted Answer

Control 7: Continuous Vulnerability Management

Answer

Control 3: Data Protection

Answer

Control 12: Network Infrastructure Management

Answer

Control 16: Application Software Security

Question 6

In CIS Controls v8, which control replaces the previous versions' separate focuses on administrative privileges by requiring the centralized management of account lifecycle and the use of multi-factor authentication?

Accepted Answer

Control 6: Access Control Management

Answer

Control 9: Email and Web Browser Protections

Answer

Control 5: Account Management

Answer

Control 13: Network Monitoring and Defense

Question 7

Which of the following describes the purpose of CIS Control 11: Data Recovery?

Accepted Answer

To establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

Answer

To ensure that all sensitive data is encrypted using AES-256 before it is transmitted over a public network.

Answer

To perform deep packet inspection on all outgoing traffic to prevent data exfiltration by malicious actors.

Answer

To identify and categorize data based on its sensitivity and regulatory requirements like GDPR or HIPAA.

Question 8

Which CIS Control focuses on the collection, analysis, and retention of audit logs that could help detect, understand, or recover from an attack?

Accepted Answer

Control 8: Audit Log Management

Answer

Control 2: Inventory and Control of Software Assets

Answer

Control 13: Network Monitoring and Defense

Answer

Control 14: Security Awareness and Skills Training

Question 9

Which CIS Control focuses on preventing the execution of unauthorized software and ensuring that only authorized software is installed and can execute on enterprise assets?

Accepted Answer

Control 2: Inventory and Control of Software Assets

Answer

Control 13: Network Monitoring and Defense

Answer

Control 18: Penetration Testing

Answer

Control 9: Email and Web Browser Protections

Question 10

Which CIS Control addresses the protection of the organization's intellectual property and sensitive information through processes such as data classification, encryption, and data loss prevention (DLP)?

Accepted Answer

Control 3: Data Protection

Answer

Control 8: Audit Log Management

Answer

Control 15: Service Provider Management

Answer

Control 11: Data Recovery

Question 11

When comparing security frameworks, which international standard specifically focuses on a 'Plan-Do-Check-Act' (PDCA) model for the establishment and continuous improvement of an Information Security Management System (ISMS)?

Accepted Answer

ISO/IEC 27001

Answer

NIST SP 800-53

Answer

SOC 2 Type II

Answer

PCI DSS

Question 12

In the context of understanding related security standards, which framework is specifically designed to provide a common language for describing the security posture of an organization's internal controls based on the five trust service principles of Security, Availability, Processing Integrity, Confidentiality, and Privacy?

Accepted Answer

SOC 2

Answer

ISO/IEC 27002

Answer

COBIT 2019

Answer

NIST Cybersecurity Framework (CSF)

Question 13

Which security framework is primarily focused on protecting federal information systems in the United States and categorizes security controls into three distinct impact levels: Low, Moderate, and High?

Accepted Answer

NIST SP 800-53

Answer

GDPR

Answer

COSO

Answer

ISO/IEC 27005

Question 14

Which industry-specific standard is mandatory for any organization that handles, processes, or stores branded credit cards from the major card schemes, focusing specifically on protecting cardholder data?

Accepted Answer

PCI DSS

Answer

ISO/IEC 27001

Answer

NIST SP 800-37

Answer

HIPAA

Question 15

Which framework provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes via five core functions: Identify, Protect, Detect, Respond, and Recover?

Accepted Answer

NIST Cybersecurity Framework (CSF)

Answer

ITIL

Answer

COBIT

Answer

ISO/IEC 31000

Question 16

Which of the following describes the primary difference between ISO/IEC 27001 and ISO/IEC 27002 within the context of security standards?

Accepted Answer

ISO/IEC 27001 provides the requirements for an ISMS, while ISO/IEC 27002 provides a code of practice for implementing security controls.

Answer

ISO/IEC 27001 is focused on cloud security, while ISO/IEC 27002 is focused on physical security.

Answer

ISO/IEC 27001 is used for risk assessment, while ISO/IEC 27002 is used for financial auditing.

Answer

ISO/IEC 27001 is a mandatory law, while ISO/IEC 27002 is a voluntary industry guideline.

Question 17

When establishing a governance foundation using the CIS Controls framework, which underlying principle is essential for ensuring that the security program remains effective and accountable over time?

Accepted Answer

Establishing a formal policy and procedure for regular security program review and improvement.

Answer

Implementing high-end encryption across all data storage systems immediately.

Answer

Ensuring that the IT department operates independently of the organization's legal and compliance team.

Answer

Purchasing the most expensive automated firewall solutions available on the market.

Question 18

According to CIS Control 1, which action is considered a fundamental step in establishing the governance foundation to ensure visibility across the enterprise?

Accepted Answer

Maintaining a detailed and up-to-date inventory of all enterprise assets.

Answer

Conducting annual physical security drills for all staff members.

Answer

Developing custom proprietary encryption algorithms for internal communications.

Answer

Outsourcing all security operations to a third-party managed service provider.

Question 19

In the context of the CIS Controls framework, how does the assignment of specific roles and responsibilities contribute to the governance foundation of a security program?

Accepted Answer

It ensures clear accountability and resource allocation for the implementation and maintenance of security safeguards.

Answer

It allows the organization to bypass legal requirements for data privacy by delegating authority.

Answer

It eliminates the need for automated technical controls by relying on manual oversight.

Answer

It guarantees that no data breaches will occur as long as every role is filled.

Question 20

Which of the following describes the role of Implementation Groups (IGs) in the CIS Controls, and how they assist in establishing a governance foundation?

Accepted Answer

They provide a prioritized path for organizations to implement security sub-controls based on their risk profile and available resources.

Answer

They are a set of hardware specifications required for data center ventilation.

Answer

They serve as a strictly legal document used to prosecute internal policy violations.

Answer

They represent the final step of a security program that only applies after a breach has occurred.

Question 21

In the context of the CIS Controls, why is the establishment of a data management process (CIS Control 3) considered a critical pillar of a security governance foundation?

Accepted Answer

Because it allows the organization to align protection efforts with the sensitivity and business value of its information assets.

Answer

Because it focuses solely on the physical destruction of old hard drives and external media.

Answer

Because it mandates that all data, regardless of importance, be treated with the highest level of security.

Answer

Because it replaces the need for network-level access controls and perimeter firewalls.

Question 22

Which component of the CIS Controls framework is most vital for establishing a governance foundation that ensures security policies remain aligned with evolving business objectives and external regulatory requirements?

Accepted Answer

The establishment of a continuous vulnerability management and policy review cycle.

Answer

The restriction of all internet access for non-management employees.

Answer

The use of a single vendor for all hardware and software components to ensure compatibility.

Answer

The deployment of biometric scanners at every physical entry point of the facility.

Question 23

When leveraging the CIS Controls to build a security governance foundation, what is the primary purpose of aligning controls with a recognized Risk Assessment process?

Accepted Answer

To provide a rational basis for decision-making and to prioritize the implementation of safeguards based on actual organizational threats.

Answer

To eliminate the need for technical staff to communicate with the board of directors regarding security posture.

Answer

To ensure the organization can pass any government audit without having to provide evidence of technical controls.

Answer

To delegate all legal responsibility for data breaches to third-party insurance providers.

Question 24

In the CIS Controls framework, which governance-focused activity is essential to ensure that technical controls are actually achieving the organization's security objectives?

Accepted Answer

Establishing a routine for independent or internal audits and assessments to measure control effectiveness.

Answer

Replacing all open-source software with proprietary versions to simplify legal liability.

Answer

Disabling all system logging to maximize processing speed for business applications.

Answer

Ensuring that the Chief Executive Officer personally reviews every firewall log entry daily.

Question 25

Which specific CIS Governance-based control involves the development and maintenance of a security awareness program to build a foundation of human-centric defense?

Accepted Answer

CIS Control 14: Security Awareness and Skills Training

Answer

CIS Control 1: Inventory and Control of Enterprise Assets

Answer

CIS Control 11: Data Recovery

Answer

CIS Control 4: Secure Configuration of Enterprise Assets and Software

Question 26

Which organizational practice is a key element of 'Establish and Maintain a Security Awareness Program' within the CIS Controls to support governance at the leadership level?

Accepted Answer

Ensuring that senior management consistently reviews and approves the security program's strategic objectives.

Answer

Automatically terminating any employee who fails a single simulated social engineering test.

Answer

Replacing all employee workstations with localized, non-networked machines to avoid phishing.

Answer

Encrypting all public-facing marketing documents to prevent competitors from reading them.

Question 27

According to CIS Control 1: Inventory and Control of Enterprise Assets, which of the following is considered a primary 'Safeguard' for achieving a comprehensive inventory?

Accepted Answer

Utilize an active discovery tool to identify assets connected to the enterprise's network.

Answer

Ensure all software patches are applied within 30 days of release.

Answer

Implement multi-factor authentication for all remote administrative access.

Answer

Conduct quarterly physical audits of all paper records and filing cabinets.

Question 28

When implementing CIS Control 1, why is it critical to identify and document 'unauthorized' assets discovered on the network?

Accepted Answer

To minimize the attack surface by removing or remediating assets that are not managed and secured.

Answer

To prioritize the installation of high-bandwidth streaming services on those specific devices.

Answer

To ensure that all personal devices of employees are granted automatic access to the production environment.

Answer

To increase the complexity of the network architecture for better security by obscurity.

Question 29

Which specific CIS Safeguard within Control 1 requires the use of DHCP logging on all applicable servers to update the enterprise asset inventory?

Accepted Answer

Use DHCP logging to update asset inventory

Answer

Assign a unique identifier to every asset

Answer

Address unauthorized assets periodically

Answer

Maintain an inventory of authorized software

Question 30

Which of the following describes the 'Passive Asset Discovery' technique as recommended in CIS Control 1?

Accepted Answer

Identifying assets by monitoring network traffic for known device communications without actively probing the devices.

Answer

Running a port scan against all internal IP address ranges to find open services.

Answer

Restricting access to the network based on the physical MAC address of the device.

Answer

Manually entering serial numbers into a centralized database from a physical inspection.

Question 31

Under CIS Control 1, specifically Safeguard 1.4, what type of inventory is required to ensure that all assets are properly managed and accounted for throughout their lifecycle?

Accepted Answer

Maintain a detailed inventory of all enterprise assets, including both physical and virtual devices.

Answer

Store a list of all historical passwords used by administrative accounts for auditing.

Answer

Maintain a database of all physical keys and biometric access control logs only.

Answer

Keep a log of all employee social media accounts used for business purposes.

Question 32

In the context of CIS Control 1: Inventory and Control of Enterprise Assets, which of the following best describes the requirement for 'Address Unauthorized Assets' (Safeguard 1.5)?

Accepted Answer

The organization must have a process to deny access to, or quarantine, any asset that is not identified in the inventory.

Answer

The organization must automatically enroll any unknown device into the domain controller with full administrative rights.

Answer

The organization must only conduct manual audits of unauthorized assets during an annual compliance review.

Answer

The organization must charge employees a fee for connecting personal devices to the guest network.

Question 33

Which of the following attributes is required to be recorded in the inventory for every enterprise asset according to the CIS Control 1 guidelines?

Accepted Answer

The asset's hardware address, network address, and asset owner.

Answer

The physical weight, dimensions, and power consumption metrics.

Answer

The purchase price, depreciation schedule, and tax identification number.

Answer

The last user to log in and their social media handles.

Question 34

Which of the following describes the 'Active Asset Discovery' safeguard (CIS Safeguard 1.2) as defined in the CIS Critical Security Controls?

Accepted Answer

Utilizing toolsets to 'scan' or 'poll' the network's address space to identify assets and gather information from them.

Answer

Manually reviewing purchase orders and matching them against physical stickers on hardware.

Answer

Only checking the Active Directory 'Computers' container for joined workstation names.

Answer

Reviewing firewall logs to see which external IP addresses attempted to connect to the DMZ.

Question 35

Which of the following describes the difference between 'Passive' and 'Active' asset discovery as defined in CIS Critical Security Control 1?

Accepted Answer

Active discovery probes the network to identify devices, while passive discovery monitors network traffic to identify devices already communicating.

Answer

Active discovery monitors network performance, while passive discovery focuses on hardware repair logs.

Answer

Active discovery requires manual data entry, while passive discovery uses automated barcode scanners.

Answer

Active discovery is only for cloud-based virtual machines, while passive discovery is for physical servers.

Question 36

Which of the following describes the 'Passive Asset Discovery' technique as recommended in CIS Control 1: Inventory and Control of Enterprise Assets?

Accepted Answer

Utilizing network traffic monitoring tools to identify assets based on the data packets they transmit.

Answer

Running an automated port scan across all internal IP ranges to identify responsive hosts.

Answer

Requiring all employees to register their MAC addresses on a web portal before gaining network access.

Answer

Manually verifying hardware serial numbers against a spreadsheet during a physical walk-through.

Related quizzes

Related quizzes