16 contributions to CISSP Study Group
CISSP Practice Question – Security & Risk Management (Ethics)
While performing a security assessment for a client, you discover confidential information that suggests the client’s employees are engaging in activity that may be illegal but is unrelated to the scope of your engagement. According to the ISC2 Code of Ethics, what is the BEST action for you to take?
A. Report the activity directly to law enforcement.
B. Inform your client’s senior management about the findings.
C. Document the evidence and keep it in case it’s needed later.
D. Ignore the activity since it is outside the scope of your contract.
B - we should escalate to the client’s authorized decision-makers. This respects confidentiality & fulfills Code of Ethics.
CISSP Practice Question – Asset Security
An organization is classifying its data to ensure proper handling. A security manager notices that some employees are sending sensitive financial reports through unsecured email because the classification label is not clearly understood. What is the BEST action the organization should take to address this issue?
A. Enforce encryption on all outbound email by default.
B. Provide mandatory training on data classification and handling requirements.
C. Revise the classification scheme to use simpler and clearer labels.
D. Implement a data loss prevention (DLP) solution to block unencrypted sensitive emails.
C – Revise the classification scheme to use simpler and clearer labels, which directly solves the problem by removing confusion and helps in building clear processes and procedures for proper data handling.
CISSP Practice Question – Software Development Security
A development team is adopting a secure software development lifecycle (SDLC). The security manager wants to ensure that vulnerabilities are identified before code is executed, but also wants to minimize cost and disruption to developers. Which of the following activities BEST meets this requirement?
A. Static application security testing (SAST)
B. Dynamic application security testing (DAST)
C. Fuzz testing
D. Penetration testing
A - Analyzes source code or binaries before execution
Practice Question
An internal audit for an organization recently identified malicious actions by a user account. Upon further investigation, it was determined the offending user account was used by multiple people at multiple locations simultaneously for various services and applications. What is the BEST method to prevent this problem in the future?
A. Ensure the security information and event management (SIEM) is set to alert.
B. Inform users only one user should be using the account at a time.
C. Ensure each user has their own unique account.
D. Allow several users to share a generic account.
C – Each user should have their own unique account to ensure compliance and accountability.
CISSP Practice Question – Cryptography
An organization wants to implement digital signatures to ensure integrity and non-repudiation of sensitive documents exchanged between business partners. Which of the following BEST describes how a digital signature is created?
A. The sender encrypts the message with their private key, and the recipient decrypts it with the sender’s public key.
B. The sender hashes the message and encrypts the hash with their private key; the recipient verifies it with the sender’s public key.
C. The sender encrypts the message with the recipient’s public key, and the recipient decrypts it with their private key.
D. The sender hashes the message and encrypts the hash with the recipient’s public key; the recipient decrypts it with their private key.
B
Hany Eisa
@hany-eisa-9623
Advancing in security through CISSP learning

Joined Apr 30, 2024
Egyp