ITEC 3500 Exam Questions and Answers (Latest Update 2026)
Which of the following is NOT a required element for threat modelling? - correct answer ✅Data classification standard/policy
As part of the due diligence process for engaging a third-party vendor (entity B), a security assessment was conducted and the findings suggest that the vendor (entity B) does not have a process in place to regularly scan its internal networks for vulnerabilities. If you were the risk assessor representing entity A (purchaser of the service provided by entity B), your recommended action to address this particular finding would be: - correct answer ✅b) Risk to be mitigated by entity B before finalizing the contract with the vendor
When scanning company-owned systems for technical vulnerabilities, which of the following would be a risk-based approach? - correct answer ✅Scan systems on a regular basis and remediate findings with varying timelines based on system criticalities as well as vulnerability ratings
- correct answer ✅It requires assessors to understand the motivations behind various threat agents
Which of the following statements is NOT correct regarding the NIST CSF framework? - correct answer ✅c) NIST framework requires security controls which are fundamentally different than the ones required by ISO 27001
The Information Security department has recently sent a request to IT Operations for conducting an asset discovery scan whose objective is to list all of the active IP addresses used by the company. The asset discovery exercise is related to which of the following NIST CSF Categories? - correct answer ✅c) Identify