Memberships

CyberMAYnia Club

41 members • Free

GovTech Community (Free)

14.1k members • Free

The Cyber Community

5.8k members • Free

CISSP Study Group

1.5k members • Free

38 contributions to CISSP Study Group
CISSP Practice Question – Security Architecture & Engineering
An organization is selecting a system that must provide strong assurance that all access control decisions are enforced correctly and cannot be bypassed. The evaluation team is considering systems certified under the Common Criteria (ISO/IEC 15408) framework. Which of the following Common Criteria assurance levels BEST meets this requirement?
A. EAL2 – Structurally Tested
B. EAL4 – Methodically Designed, Tested, and Reviewed
C. EAL5 – Semiformally Designed and Tested
D. EAL7 – Formally Verified, Designed, and Tested
0 likes • 1d
D
CISSP Practice Question – Security & Risk Management (Ethics)
While performing a security assessment for a client, you discover confidential information that suggests the client’s employees are engaging in activity that may be illegal but is unrelated to the scope of your engagement. According to the ISC2 Code of Ethics, what is the BEST action for you to take?
A. Report the activity directly to law enforcement.
B. Inform your client’s senior management about the findings.
C. Document the evidence and keep it in case it’s needed later.
D. Ignore the activity since it is outside the scope of your contract.
0 likes • 4d
B.
CISSP Practice Question – Software Development Security
A development team is adopting a secure software development lifecycle (SDLC). The security manager wants to ensure that vulnerabilities are identified before code is executed, but also wants to minimize cost and disruption to developers. Which of the following activities BEST meets this requirement?
A. Static application security testing (SAST)
B. Dynamic application security testing (DAST)
C. Fuzz testing
D. Penetration testing
0 likes • 4d
A.
CISSP Practice Question – Asset Security
An organization is classifying its data to ensure proper handling. A security manager notices that some employees are sending sensitive financial reports through unsecured email because the classification label is not clearly understood. What is the BEST action the organization should take to address this issue?
A. Enforce encryption on all outbound email by default.
B. Provide mandatory training on data classification and handling requirements.
C. Revise the classification scheme to use simpler and clearer labels.
D. Implement a data loss prevention (DLP) solution to block unencrypted sensitive emails.
0 likes • 4d
C.
CISSP Practice Question – Cryptography
An organization wants to implement digital signatures to ensure integrity and non-repudiation of sensitive documents exchanged between business partners. Which of the following BEST describes how a digital signature is created?
A. The sender encrypts the message with their private key, and the recipient decrypts it with the sender’s public key.
B. The sender hashes the message and encrypts the hash with their private key; the recipient verifies it with the sender’s public key.
C. The sender encrypts the message with the recipient’s public key, and the recipient decrypts it with their private key.
D. The sender hashes the message and encrypts the hash with the recipient’s public key; the recipient decrypts it with their private key.
0 likes • 9d
B
Alton Butler
3
38 points to level up
@alton-butler-7209
Just wanting to learn and pass the CISSP.

Active 1d ago
Joined Jul 7, 2024