Memberships

CISSP Study Group

1.7k members • Free

15 contributions to CISSP Study Group
CISSP Practice Question – Investigations & Forensics
During an internal investigation of suspected data theft, the incident response team collects a laptop from an employee’s desk. To preserve admissibility of evidence, which of the following is the MOST important step to take FIRST?
A. Create a forensic image of the laptop using a write blocker.
B. Power down the laptop to prevent further tampering.
C. Document the time, date, and individuals involved in seizing the device.
D. Secure the laptop in a locked evidence cabinet.
1 like • Oct 1
c
CISSP Practice Question – Security & Risk Management (Ethics)
While performing a security assessment for a client, you discover confidential information that suggests the client’s employees are engaging in activity that may be illegal but is unrelated to the scope of your engagement. According to the ISC2 Code of Ethics, what is the BEST action for you to take?
A. Report the activity directly to law enforcement.
B. Inform your client’s senior management about the findings.
C. Document the evidence and keep it in case it’s needed later.
D. Ignore the activity since it is outside the scope of your contract.
0 likes • Sep 24
B
Practice Question – Security Models
You are designing a system for a law firm that represents multiple competing corporations. The system must:
- Prevent lawyers from accessing case files of competing clients
- Ensure paralegals can enter data but only senior attorneys can approve filings
- Maintain confidentiality of client records
Which combination of models is most relevant here?
A. Bell–LaPadula and Biba
B. Clark–Wilson and Brewer–Nash
C. Bell–LaPadula and Clark–Wilson
D. Brewer–Nash and Biba
0 likes • Sep 24
B -
Practice Question
An internal audit for an organization recently identified malicious actions by a user account. Upon further investigation, it was determined the offending user account was used by multiple people at multiple locations simultaneously for various services and applications. What is the BEST method to prevent this problem in the future?
A. Ensure the security information and event management (SIEM) is set to alert.
B. Inform users only one user should be using the account at a time.
C. Ensure each user has their own unique account.
D. Allow several users to share a generic account.
0 likes • Sep 22
C - along with this there should be an MFA in place
CISSP Practice Question – Software Development Security
A development team is adopting a secure software development lifecycle (SDLC). The security manager wants to ensure that vulnerabilities are identified before code is executed, but also wants to minimize cost and disruption to developers. Which of the following activities BEST meets this requirement?
A. Static application security testing (SAST)
B. Dynamic application security testing (DAST)
C. Fuzz testing
D. Penetration testing
0 likes • Sep 19
A
Devaraju Namala
@devaraju-namala-9479
ISO 27001 Lead Auditor | 18+ Years of Experience in ISO 27001, ISO 9001, ISO 20000, HIPAA, PCIDSS, NIST, SOC and ITIL.

Joined Jul 25, 2025