Module 1 - Information Security Governance
What can best align information security objectives to business objectives?
A business balanced scorecard
What is the most appropriate as a means of obtaining commitment from senior management for implementation of the information security strategy?
A formal presentation highlighting the relationship between security and business goals.
Serration of duties (SoD) has been designed and introduced into an account payable system. Which of the following should be in place to BEST maintain the effectiveness of SoD?
Access privilege is reviewed when an operator's role changes
Information security should:
Balance technical and business requirements
The data access requirements for an application should be determined by:
Business owner
Information security governance is PRIMARILY driven by:
Business strategy
Check book
Check book
Information security policy enforcement is the responsibilities of the:
Chief information security officer
How can we promote a positive information security governance culture within an organization?
Collaboration across business lines
What will have the HIGHEST impact on standard information security governance models?
Complexity of organizational structure
In order to highlight to management the importance of integration information security in the business process, a newly hired information security officer should FIRST:
Conduct a risk assessment
What is the best attribute of key risk indicators?
Consistent methodologies and practices
What is BEST contributes to the development of an information security governance framework that supports the maturity model concept?
Continues analysis, monitoring and feedback
Who in an organization hast the responsibilities for classifying information?
Data Owner
Which of the following is the MOST appropriate to sponsor the design and implementation of a new security infrastructure in a large global enterprise?
Chief Operating Officer
Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
Chief Operating officer
To justify its ongoing information security budge, which of the following would be of MOST use to the information security department?
Cost-Benefit analysis
The most important characteristics of good security policies is that they:
are aligned with organizational goals
What is the MOST important consideration when developing the security strategy of a company operating in different countries?
compliance with divers laws and governmental regulations
What should be included in an annual information security budget that is submitted for management approval?
A cost-Benefit analysis of budgeted resources
Security technologies should be selected PRIMARILY on the basis of their: 1) Ability to mitigate business risk 2) Evaluations in trade publications 3) Use of new and emerging technologies 4) Benefits in comparison to their costs
Benefits in comparison to their costs
From an information security manager perspective, what is an immediate benefit of clearly defined roles and responsibilities?
Better accountability
Which of the following is characteristic of centralized information security management?
Better adherence to policies
Which of the following is characteristic of decentralized information security management across a geographically dispersed organization? 1) More uniformity in quality of service 2) Better adherence to policies 3) Better alignment to business unit needs 4) More savings in total operating costs
Better alignment to business unit needs
Who is ultimately responsible for an organization's information?
Board of directors
Which of the following roles is responsible for legal and regulatory liability?
Board of directors and senior management
The PRIMARY concern of an information security manager documenting a formal data retention policy is:
Business Requirements
Which of the following should an information security manager PRIMARILY use when proposing the implementation of a security solution?
Business case
Achieving compliance with a particular information security standard selected by management would BEST be described as a: 1) Key goal indicator 2) Critical success factor 3) Key performance indicator 4) Business impact analysis
Key performance indicator Note: Key performance indicator is a measure that determines how well the process is performing in enabling the goal to be reached. How well a process is progressing according to exceptions.
Which of the following situations would be MOST inhibit (مانع شدن) the effective implementation of security governance?
Lack of high-level sponsorship
To achieve effective strategic alignment of information security initiatives, it is important that:
Major organizational units provide input and reach a consensus (اجماع، وفاق)
An organization's information security strategy should be based on:
Managing risk relative to business objectives
Which of the following attributes would be MOST essential to developing effective metrics?
Meaningful to the recipient
How should an information security manager balance the potentially conflicting requirements of an international organization's security standards with local regulation?
Negotiate a local version of the organization standards
Which actions would help to change an organization's security culture?
Obtain strong management support
Which of the following activities MOST commonly falls within the scope of an information security governance steering committee? 1) Interviewing candidates for information security specialist positions 2) Developing content for security awareness programs 3) Prioritizing information security initiatives (Ebtekarat) 4) Approving access to critical financial systems
Prioritizing information security initiatives
Business goals define the strategic direction of the organization. Functional goals define the tactical direction of a business function. Security goals define the security direction of the organization. What is the MOST important relationship between these concepts?
Security goals should be derived from business goals
Who is accountable for ensuring that information is categorized and that specific protective measures are taken?
Senior management
Which of the following is the MOST important prerequisite for establishing information security management within an organization?
Senior management commitment
Which of the following is the MOST important factor when designing information security architecture? 1) Technical platform interfaces 2) Sc ability of the network 3) Development methodologies 4) Stakeholder requirements
Stakeholder requirements
which of the following situation must be corrected FIRST to ensure successful information security governance within an organization? 1) The information security department has difficulty filling vacancies 2) The chief operating officer approves security policy changes 3) The information security oversight committee only meets quarterly 3) The data center manager has final-off on all security projects.
The data center manager has final-off on all security projects.
Which of the following is MOST important in developing a security strategy?
Understanding key business objectives
Successful implementation of information security governance will FIRST require:
Updated security policy
Effective governance of enterprise security is best ensured by:
Using a top-down approach
Investment in information security technology should be based on:
Value Analysis
The MOST basic requirement for an information security governance program is to:
be aligned with the corporate business strategy
Which of the following is the MOST important information to include in strategic plan for information security?
current state and desired future
What is the MOST essential attributes of an effective key risk indicator (KRI)? The KRI:
is predictive of a risk event
Senior management commitment and support for information security can BEST be enhanced through:
periodic review of alignment with business management goals
Senior management is reluctant to budget for the acquisition of an intrusion detection system. The chief information security officer should do:
Develop and present a business case for the project
Obtaining senior management support for establishing a warm site can BEST be accomplished by:
Developing a business case
Determining which element of the confidentiality, integrity and availability (CIA) triad is MOST important is a necessary task when:
Developing a controls policy
In implementing information security governance, the information security manager is PRIMARILY responsible for:
Developing the security strategy
Acceptable levels of information security risk should be determined by:
The steering committee
Which of the following is MOST appropriate for inclusion in an information security strategy?
A set of security objectives supported by Security process, methods, tools and techniques together are the elements that constitute a security strategy.
When creating an effective data-protection strategy, the information security manager must understand the flow of data and its protection at various stages. This is BEST achieved with: 1) A third-party vulnerability assessment 2) A tailored methodology based in exposure 3) Am insurance policy for accidental data losses 4) A ionization system set up in a secure network environment
A tailored methodology based in exposure
An organization that appoints a chief information security officer:
Acknowledges a commitment to legal responsibility for information security
When an information security manager is developing a strategic plan for information security, the time line for the plan should be:
Aligned with the business strategy
What is necessary attribute of an effective information security governance framework?
An organizational structure with minimal conflicts of interest, with sufficient resources and defined responsibilities
Which of the following steps should be FIRST in developing an information security plan?
Analyze the current business strategy
The MOST appropriate role for senior management in supporting information security is the:
Approval of policy statements and funding
Which of the following is the MOST appropriate task for a chief information security officer to perform?
Develop an information security strategy
A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following items would be of MOST value?
Associating realistic threats to corporate objectives.
The most useful way to describe the objectives in the information security strategy is through:
Attributes and characteristics of the desired state
An information security manager at a global organization has to ensure that the local information security program will initially compliance with the:
Data privacy policy where data are collected
While implementing information security governance, an organization should FIRST:
Define the security strategy
Which of the following elements is MOST important when developing an information security strategy?
Defined objectives
What is the primary role of the information security manager related to the data classification and handling process within an organization?
Defining and ratifying (تصویب) the organization's data classification structure
There is a concern that lack of detail in the recovery plan may prevent an organization from meeting its required time objectives when a security incident strikes. Which of the following is MOST likely to ensure the recovery time objectives would be met?
Delegation of authority in recovery execution
When setting up an information classification scheme (طرح), the role of the information owner is to:
Determine the classification of information across his/her scope of responsibilities
The FIRST step in developing an information security management program is to:
Establish the need for creating the program
An information security managers receives a report showing an increase in the number of security events the MOST likely explanation is:
Exploitation of a vulnerabilities in the information system
The MOST important elements to consider when developing a business case for a project is the:
Feasibility and value proposition (امکان سنجی و گزاره ارزش)
Which of the following roles would represent a conflict of interest for an information security manager? 1) Evaluation of third parties requesting connectivity 2) Assessment of the adequacy of disaster recovery plans 3) Final approval of information security policies 4) Monitoring adherence to physical security controls
Final approval of information security policies
The first step to create an internal culture that embraces information security is to:
Gain endorsement from executive management
The enactment of policies and procedures for preventing hacker intrusions is an example of an activity that belongs to:
Governance
Which of the following MOST likely to be discretionary? (Ekhtiari) 1) Policies 2) Procedures 3) Guidelines 4) Standards
Guidelines
Information security projects should be prioritized on the basis of:
Impact on the organization
Which of the following choices is the most likely cause if significant inconsistencies (ناسازگاری) in system configuration?
Inadequate governance (ناکافی)
The most complete business case for security solutions is one that: 1) Includes appropriate justification 2) Explains the current risk profile 3) Details regulatory requirements 4) Identifies incidents and losses
Includes appropriate justification
Which of the following is the BEST justification to convince management to invest in an information security program? 1) Cost Reduction 2) Compliance with company policies 3) Protection of business assets 4) Increased business value
Increased business value
Which of the following are seldom changed in response to technological changes? 1) Standards 2) Procedures 3) Policies 4) Guidelines
Policies
What is the main risk when there is no user management representation on the information security steering committee?
Information security plans are not aligned with business requirements
An information security manager can BEST attain senior management commitment and support by emphasizing:
Organizational Risk
What would influence the content of the information security strategy to the greatest extent?
Organizational goal
The director of auditing has recommended a specific information security monitoring solution to the information security manager. What should the information security manager do first?
Perform an assessment to determine correlation with business goals and objectives
Which of the following would be BEST prepare an information security manager for regulatory reviews?
Perform self-assessment using regulatory guidelines and reports
An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?
Proportionality (تناسب) Information security controls, including access, should be proportionate to the critically and/or sensitivity of the asset.
What is the primary purpose of an information security program?
Provide protection to information assets consistent with business strategy and objectives
Information security frameworks can be MOST useful for the information security manager because they:
Provide structure and guidance
Read book about executive manager
Read book about executive manager
The most effective approach to address issues that raise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:
Refer the issues to senior management along with any security recommendations
An information security manager must understand the relationship between information security and business operations in order to:
Support organizational Objectives
The PRIMARY goal of developing an information security strategy is to:
Support the business objectives of the organization
Which of the following requirements would have the LOWEST level of priority in information security? 1) Technical 2) Regulatory 3) Privacy 4) Business
Technical
Which metrics will provide the best indication of organizational risk?
The extent of unplanned business interruptions read book for notes
Which of the following is the MOST significant in determining an organization's risk appetite?
The organizational Culture
Which of the following would be the BEST indicator of effective information security governance within an organization?
The steering committee approves security projects.
Senior management commitment and support for information security can BEST be obtained through presentation that:
Tie security risk to key business objectives