CIS 425 Domain 1
S1-93 Which of the following choices would BEST align information security objectives to business objectives?
A business balanced scorecard
S1-125 It is MOST important that information security architecture be aligned with which of the following?
Business goals and objectives
S1-24 Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?
Chief operating officer
S1-74 Which of the following BEST contributes to the development of an information security governance framework that supports the maturity model concept?
Continuous analysis monitoring and feedback
S1-192 Which of the following elements are the MOST essential to develop an information security strategy?
Current state and objectives
S1-146 Which of the following will require the MOST effort when supporting an operational information security program?
Reviewing and modifying procedures
S1-144 Which of the following factors is MOST important for the successful implementation of an organization's information security program?
Senior management support
S1-59 To justify its ongoing information security budget, which of the following would be of MOST use to the information security department?
Cost-benefit analysis
S1-22 When creating an effective data-protection strategy, the information security manager must understand the flow of data and its protection at various stages. This is BEST achieved with:
a tailored methodology based on exposure
S1-41 Information security policy enforcement is the responsibility of the:
chief information security officer
S1-55 In order to highlight to management the importance of integrating information security in the business process, a newly hired information security officer should FIRST:
conduct a risk assessment
S1-42 An information security manager at a global organization has to ensure that the local information security program will initially be in compliance with the:
data privacy policy where data are collected
S1-135 Serious security incidents typically lead to renewed focus on information security by management. To BEST use this attention, the information security manager should make the case for:
improving integration of business and information security processes
S1-75 The MOST complete business case for a security solution is one that:
includes appropriate justification
S1-6 What is the MOST essential attribute of an effective key risk indicator (KRI)? The KRI:
is predictive of a risk event
S1-37 From an information security manager's perspective, what is an immediate benefit of clearly defined roles and responsibilities?
Better accountability
S1-9 Which of the following is characteristic of centralized information security management?
Better adherence to policies
S1-38 Which of the following roles is responsible for legal and regulatory liability?
Board of directors and senior management
S1-58 Which of the following should an information security manager PRIMARILY use when proposing the implementation of a security solution?
Business case
S1-157 Which of the following is the MOST important consideration for a control policy?
Life safety
S1-179 Which of the following would be the BEST indicator that an organization has good governance?
Maturity level
S1-89 A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will be responsible for evaluating the results and identified risk. Which of the following would be the BEST approach for the information security manager?
Review of the risk assessment with executive management for final input
S1-45 Business goals define the strategic direction of the organization. Functional goals define the tactical direction of a business function. Security goals define the security direction of the organization. What is the MOST important relationship between these concepts?
Security goals should be derived from business goals
S1-14 Which of the following is MOST appropriate for inclusion in an information security strategy?
Security processes, methods, tools and techniques
S1-30 Which of the following is the MOST important factor when designing information security architecture?
Stakeholder requirements
S1-196 Which of the following challenges associated with information security documentation is MOST likely to affect a large established organization?
Standards change more slowly than the environment
S1-116 Who can BEST approve plans to implement an information security governance framework?
Steering committee
S1-184 What should be the PRIMARY basis of a road map for implementing information security governance?
Strategy
S1-17 Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?
The data center manager has final sign-off on all security projects
S1-174 An organization has decided to implement governance, risk and compliance processes into several critical areas of the enterprise. Which of the following objectives is the MAIN one?
To improve risk management
S1-187 Responsibility for information security and related activities involves multiple departments.
To mitigate the tendency for security gaps to exist between assurance functions
S1-159 Which of the following indicators is MOST likely to be of strategic value?
Trends in incident frequency
S1-191 Which of the following tasks should information security management undertake FIRST while creating the information security strategy of the organization?
Understand the IT service portfolio
S1-96 An organization that appoints a chief information security officer:
acknowledges a commitment to legal responsibility for information security
S1-163 Which of the following BEST supports continuous improvement of the risk management process?
adoption of a maturity model
S1-128 New regulatory and legal compliance requirements that will have an effect on information security will MOST likely come from the:
affected department
S1-33 When an information security manager is developing a strategic plan for information security, the time line for the plan should be:
aligned with the business strategy
S1-3 The MOST appropriate role for senior management in supporting information security is the:
approval of policy statements and funding
S1-92 Information security should:
balance technical and business requirements
S1-119 The corporate information security policy should:
be straightforward and easy to understand
S1-84 The data access requirements for an application should be determined by the:
business owner
S1-47 The PRIMARY concern of an information security manager documenting a formal data retention policy is:
business requirements
S1-5 Information security governance is PRIMARILY driven by:
business strategy
S1-131 The FIRST step in developing a business case is to:
define the issues to be addressed
S1-134 The MOST important requirement for gaining management commitment to the information security program is to:
demonstrate support for desired outcomes
S1-78 An enterprise has been recently subject to a series of denial-of-service attacks due to a weakness in security. The information security manager needs to present a business case for increasing the investment in security. The MOST significant challenge in obtaining approval from senior management for the proposal is:
demonstrating value and benefits
S1-68 Obtaining senior management support for establishing a warm site can BEST be accomplished by:
developing a business case
S1-8 Determining which element of the confidentiality, integrity and availability (CIA) triad is MOST important is a necessary task when:
developing a controls policy
S1-57 The FIRST step in developing an information security management program is to:
establish the need for creating the program
S1-31 An information security manager receives a report showing an increase in the number of security events. The MOST likely explanation is:
exploitation of vulnerability in the information system
S1-183 The purpose of an information security strategy is to:
express the goals of an information security program and the plan to achieve them
S1-154 The MOST important basis for developing a business case is the:
feasibility and value proposition
S1-25 The MOST important element(s) to consider when developing a business case for a project is the:
feasibility and value proposition
S1-164 Which of the following is MOST important in the development of information security policies?
gathering stakeholder requirements
S1-133 A regulatory authority has just introduced a new regulation pertaining to the release of quarterly financial results. The FIRST task that the security officer should perform is to:
identify whether current controls are adequate
S1-101 The formal declaration of organizational information security goals and objectives should be found in the:
information security policy
S1-72 Achieving compliance with a particular information security standard selected by management would BEST be described as a:
key performance indicator
S1-197 An information security manager is PRIMARILY responsible for:
managing the risk to the information infrastructure
S1-28 Senior management commitment and support for information security can BEST be enhanced through:
periodic review of alignment with business management goals
S1-107 Maturity levels are an approach to determine the extent to which sound practices have been implemented in an organization based on outcomes. Another approach that has been developed to achieve essentially the same result is:
process performance and capabilities
S1-85 The PRIMARY purpose of an information security program is to:
provide protection to information assets consistent with business strategy and objectives
S1-108 The PRIMARY objective for information security program development should be:
reducing the impact of risk on the business
S1-114 Strategic alignment is PRIMARILY achieved when services provided by the information security department:
reflect the requirements of key business stakeholders
S1-147 A newly hired information security manager notes that existing information security practices and procedures appear ad hoc. Based on this observation, the next action should be to:
review the corporate standards
S1-175 The acceptable limits defined by organizational standards are PRIMARILY determined by:
risk appetite
S1-26 Acceptable levels of information security risk are determined by:
the steering committee
S1-10 Successful implementation of information security governance will FIRST require:
updated security policies
S1-86 Effective governance of enterprise security is BEST ensured by:
using a top-down approach
S1-106 Which of the following is the MOST effective approach to identify events that may affect information security across a large multinational enterprise?
Develop communication channels throughout the enterprise
S1-188 An information security manager wants to implement a security information and event management (SIEM) system not funded in the current budget. Which of the following choices is MOST likely to persuade management of this need?
A well-developed business case
S1-76 Which of the following choices is a necessary attribute of an effective information security governance framework?
An organizational structure with minimal conflicts of interest, with sufficient resources and defined responsibilities
S1-32 Which of the following is the MOST appropriate task for a chief information security officer to perform?
Develop an information security strategy
S1-182 Which of the following choices is MOST likely to ensure that responsibilities are carried out?
Assigned accountability
S1-70 There is a concern that lack of detail in the recovery plan may prevent an organization from meeting its required time objectives when a security incident strikes. Which of the following is MOST likely to ensure the recovery time objectives would be met?
Delegation of authority in recovery execution
S1-193 Requirements for an information security program should be based PRIMARILY on which of the following choices?
Desired outcomes
S1-181 An organization has decided to implement bring your own device (BYOD) for laptops and mobile phones. What should the information security manager focus on FIRST?
Determining an information security strategy for BYOD
S1-122 Which of the following is the MOST important consideration when developing an information security strategy?
Effectiveness of risk mitigation
S1-151 Which of the following is the MOST important outcome of an information security strategy?
Ensuring that residual risk is at an acceptable level
S1-110 Which of the following is the MOST important objective of an information security strategy review?
Ensuring the information security strategy is aligned with organizational goals
S1-16 Which of the following roles would represent a conflict of interest for an information security manager?
Final approval of information security policies
S1-19 Which of the following is MOST likely to be discretionary?
Guidelines
S1-194 Which of the following choices is the BEST indication that the information security manager is achieving the objective of value delivery?
Having a high resource utilization
S1-160 Which of the following is the MOST cost-effective approach to achieve strategic alignment?
Periodically survey management
S1-64 Which of the following choices is the MOST likely cause of significant inconsistencies in system configuration?
Inadequate governance
S1-71 Which of the following is the BEST justification to convince management to invest in an information security program?
Increased business value
S1-21 Which of the following are seldom changed in response to technological changes?
Policies
S1-94 What is the MAIN risk when there is no user management representation on the information security steering committee?
Information security plans are not aligned with business requirements
S1-158 Senior management has expressed some concern about the effectiveness of the information security program. What can the information security manager do to gain the support of senior management for the program?
Interview senior management to address their concerns with the program
S1-97 The director of auditing has recommended a specific information security monitoring solution to the information security manager. What should the information security manager do FIRST?
Perform an assessment to determine correlation with business goals and objectives
S1-36 Which of the following would BEST prepare an information security manager for regulatory reviews?
Perform self-assessments using regulatory guidelines and reports
S1-123 Which of the following is the MOST effective way to measure strategic alignment of an information security program?
Survey business stakeholders
S1-142 Which of the following is the PRIMARY reason to change policies during program development?
The policies no longer reflect management intent and direction
S1-100 Which of the following metrics will provide the BEST indication of organizational risk?
The extent of unplanned business interruptions
S1-173 What is the MOST important consideration when developing a business case for an information security investment?
The implementation benefits
S1-161 Which of the following is PRIMARILY related to the emergence of governance, risk and compliance?
The integration of assurance-related activities
S1-12 Which of the following factors is the MOST significant in determining an organization's risk appetite?
The organizational culture
S1-176 What is the MOST likely reason that an organizational policy can be eliminated?
There is no credible threat
S1-195 Which of the following internal or external influences on an organization is the MOST difficult to estimate?
Threat landscape