Your company initiated a business continuity program (BCP) to implement the business continuity management system (BCMS) compliant with ISO 22301. The BCP team is planning for business continuity. Which of the following is the most feasible requirement? (Wentz QOTD)
A. The BCP team shall also consider the incident response.
B. Risk assessment shall be completed before business impact analysis.
C. Risk assessment shall be completed during business impact analysis.
D. The scope of BCP shall be enterprise-wide to cover the enterprise as a whole.

Your company is developing a web site for E-Commerce. As an architect, you have just finished the architectural design. Which of the following best supports the identification of security issues? (Wentz QOTD)
A. Penetration testing
B. Vulnerability scanning
C. Common Weakness Enumeration (CWE)
D. Common Vulnerabilities and Exposures (CVE)

Your company is a well-known global cloud service provider serving millions of customers. Which of the following best supports the multi-tenancy feature mentioned in ISO/IEC 17888? (Wentz QOTD)
A. EAP over LAN (EAPoL) based on 802.1X
B. Virtual LAN (VLAN) based on IEEE 802.1Q
C. Virtual eXtensible Local Area Network (VXLAN) based on RFC 7348
D. Spanning Tree Protocol based on 802.1D

Your company started an engineering project to develop an E-Commerce website following ISO 15288. Which of the following is least likely to be treated as an organizational project enabler? (Wentz QOTD)
A. Life cycle model management
B. Risk management
C. Knowledge management
D. Infrastructure management

Your company is a cloud service provider. Which of the following provides the highest security assurance to customers? (Wentz QOTD)
A. SOC 2 attestation
B. ISO 27001 certification
C. Security Self-Assessment
D. STAR attestation or certification

Fuzz testing is an automated software testing technique that employs a fuzzer to generate test data as inputs to software under test randomly. Which of the following is correct? (Wentz QOTD)
A. Fuzzing test using a smart fuzzer is white-box testing.
B. A smart fuzzer aware of input structure primarily mutates meaningful test data.
C. A generation-based fuzzer relies on modifying existing test data randomly.
D. A dumb fuzzer doesn’t rely on detecting input structure to generate test data.

There exist many perspectives of Zero Trust. Which of the following is correct? (Wentz QOTD)
A. Zero Trust adoption uses the big bang strategy.
B. Zero Trust networks may coexist with legacy networks isolated by firewalls.
C. Zero Trust prevents lateral movement through the castle-and-moat architecture.
D. Zero Trust, aka perimeterless security, doesn’t define any forms of the perimeter.

Which of the following is not one of the common assessment methods used in a risk-based audit? (Wentz QOTD)
A. Examining
B. Interviewing
C. Testing
D. Delphi method

After suffering from an attack of ransomware, the board of directors is concerned with the effectiveness of security function. If the CEO’s time is tied up, which of the following is the best reporting line of the information security head to enforce security? (Wentz QOTD)
A. Report to the CEO to get full commitment and support
B. Report to the CIO to take advantages of cutting edge technologies
C. Report to the COO to fully integrate security into business processes
D. Report to the CAE (chief audit executive) to eradicate uncompliant findings

An asset owner is authorizing user access to resources. Which of the following is the most crucial element that determines the scope of a user’s privileges? (Wentz QOTD)
A. Job description
B. Access control matrix
C. Acceptable use policy (AUP)
D. Information security strategy