Module 1 - Information Security Governance


What can best align information security objectives to business objectives?

A business balanced scorecard

What is the most appropriate as a means of obtaining commitment from senior management for implementation of the information security strategy?

A formal presentation highlighting the relationship between security and business goals.

Segregation of duties (SoD) has been designed and introduced into an accounts payable system. Which of the following should be in place to BEST maintain the effectiveness of SoD?

Access privilege is reviewed when an operator's role changes

Information security should:

Balance technical and business requirements

The data access requirements for an application should be determined by:

Business owner

Information security governance is PRIMARILY driven by:

Business strategy

Check book

Check book

Information security policy enforcement is the responsibility of the:

Chief information security officer

How can we promote a positive information security governance culture within an organization?

Collaboration across business lines

What will have the HIGHEST impact on standard information security governance models?

Complexity of organizational structure

In order to highlight to management the importance of integrating information security into the business process, a newly hired information security officer should FIRST:

Conduct a risk assessment

What is the best attribute of key risk indicators?

Consistent methodologies and practices

What BEST contributes to the development of an information security governance framework that supports the maturity model concept?

Continuous analysis, monitoring and feedback

Who in an organization has the responsibility for classifying information?

Data Owner

Which of the following is the MOST appropriate to sponsor the design and implementation of a new security infrastructure in a large global enterprise?

Chief Operating Officer

Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?

Chief Operating officer

To justify its ongoing information security budget, which of the following would be of MOST use to the information security department?

Cost-Benefit analysis

The most important characteristic of good security policies is that they:

are aligned with organizational goals

What is the MOST important consideration when developing the security strategy of a company operating in different countries?

compliance with diverse laws and governmental regulations

What should be included in an annual information security budget that is submitted for management approval?

A cost-benefit analysis of budgeted resources

Security technologies should be selected PRIMARILY on the basis of their: 1) Ability to mitigate business risk 2) Evaluations in trade publications 3) Use of new and emerging technologies 4) Benefits in comparison to their costs

Benefits in comparison to their costs

From an information security manager perspective, what is an immediate benefit of clearly defined roles and responsibilities?

Better accountability

Which of the following is characteristic of centralized information security management?

Better adherence to policies

Which of the following is characteristic of decentralized information security management across a geographically dispersed organization? 1) More uniformity in quality of service 2) Better adherence to policies 3) Better alignment to business unit needs 4) More savings in total operating costs

Better alignment to business unit needs

Who is ultimately responsible for an organization's information?

Board of directors

Which of the following roles is responsible for legal and regulatory liability?

Board of directors and senior management

The PRIMARY concern of an information security manager documenting a formal data retention policy is:

Business Requirements

Which of the following should an information security manager PRIMARILY use when proposing the implementation of a security solution?

Business case

Achieving compliance with a particular information security standard selected by management would BEST be described as a: 1) Key goal indicator 2) Critical success factor 3) Key performance indicator 4) Business impact analysis

Key performance indicator. Note: a key performance indicator is a measure that determines how well the process is performing in enabling the goal to be reached, i.e. how well a process is progressing according to expectations.

Which of the following situations would MOST inhibit the effective implementation of security governance?

Lack of high-level sponsorship

To achieve effective strategic alignment of information security initiatives, it is important that:

Major organizational units provide input and reach a consensus

An organization's information security strategy should be based on:

Managing risk relative to business objectives

Which of the following attributes would be MOST essential to developing effective metrics?

Meaningful to the recipient

How should an information security manager balance the potentially conflicting requirements of an international organization's security standards with local regulation?

Negotiate a local version of the organization standards

Which actions would help to change an organization's security culture?

Obtain strong management support

Which of the following activities MOST commonly falls within the scope of an information security governance steering committee? 1) Interviewing candidates for information security specialist positions 2) Developing content for security awareness programs 3) Prioritizing information security initiatives 4) Approving access to critical financial systems

Prioritizing information security initiatives

Business goals define the strategic direction of the organization. Functional goals define the tactical direction of a business function. Security goals define the security direction of the organization. What is the MOST important relationship between these concepts?

Security goals should be derived from business goals

Who is accountable for ensuring that information is categorized and that specific protective measures are taken?

Senior management

Which of the following is the MOST important prerequisite for establishing information security management within an organization?

Senior management commitment

Which of the following is the MOST important factor when designing information security architecture? 1) Technical platform interfaces 2) Scalability of the network 3) Development methodologies 4) Stakeholder requirements

Stakeholder requirements

Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization? 1) The information security department has difficulty filling vacancies 2) The chief operating officer approves security policy changes 3) The information security oversight committee only meets quarterly 4) The data center manager has final sign-off on all security projects.

The data center manager has final sign-off on all security projects.

Which of the following is MOST important in developing a security strategy?

Understanding key business objectives

Successful implementation of information security governance will FIRST require:

Updated security policy

Effective governance of enterprise security is best ensured by:

Using a top-down approach

Investment in information security technology should be based on:

Value Analysis

The MOST basic requirement for an information security governance program is to:

be aligned with the corporate business strategy

Which of the following is the MOST important information to include in strategic plan for information security?

current state and desired future

What is the MOST essential attribute of an effective key risk indicator (KRI)? The KRI:

is predictive of a risk event

Senior management commitment and support for information security can BEST be enhanced through:

periodic review of alignment with business management goals

Senior management is reluctant to budget for the acquisition of an intrusion detection system. The chief information security officer should:

Develop and present a business case for the project

Obtaining senior management support for establishing a warm site can BEST be accomplished by:

Developing a business case

Determining which element of the confidentiality, integrity and availability (CIA) triad is MOST important is a necessary task when:

Developing a controls policy

In implementing information security governance, the information security manager is PRIMARILY responsible for:

Developing the security strategy

Acceptable levels of information security risk should be determined by:

The steering committee

Which of the following is MOST appropriate for inclusion in an information security strategy?

A set of security objectives supported by security processes, methods, tools and techniques; together these are the elements that constitute a security strategy.

When creating an effective data-protection strategy, the information security manager must understand the flow of data and its protection at various stages. This is BEST achieved with: 1) A third-party vulnerability assessment 2) A tailored methodology based on exposure 3) An insurance policy for accidental data losses 4) A ionization system set up in a secure network environment

A tailored methodology based on exposure

An organization that appoints a chief information security officer:

Acknowledges a commitment to legal responsibility for information security

When an information security manager is developing a strategic plan for information security, the time line for the plan should be:

Aligned with the business strategy

What is a necessary attribute of an effective information security governance framework?

An organizational structure with minimal conflicts of interest, with sufficient resources and defined responsibilities

Which of the following steps should be FIRST in developing an information security plan?

Analyze the current business strategy

The MOST appropriate role for senior management in supporting information security is the:

Approval of policy statements and funding

Which of the following is the MOST appropriate task for a chief information security officer to perform?

Develop an information security strategy

A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following items would be of MOST value?

Associating realistic threats to corporate objectives.

The most useful way to describe the objectives in the information security strategy is through:

Attributes and characteristics of the desired state

An information security manager at a global organization has to ensure that the local information security program will initially comply with the:

Data privacy policy where data are collected

While implementing information security governance, an organization should FIRST:

Define the security strategy

Which of the following elements is MOST important when developing an information security strategy?

Defined objectives

What is the primary role of the information security manager related to the data classification and handling process within an organization?

Defining and ratifying the organization's data classification structure

There is a concern that lack of detail in the recovery plan may prevent an organization from meeting its required time objectives when a security incident strikes. Which of the following is MOST likely to ensure the recovery time objectives would be met?

Delegation of authority in recovery execution

When setting up an information classification scheme, the role of the information owner is to:

Determine the classification of information across his/her scope of responsibilities

The FIRST step in developing an information security management program is to:

Establish the need for creating the program

An information security manager receives a report showing an increase in the number of security events. The MOST likely explanation is:

Exploitation of vulnerabilities in the information system

The MOST important element to consider when developing a business case for a project is the:

Feasibility and value proposition

Which of the following roles would represent a conflict of interest for an information security manager? 1) Evaluation of third parties requesting connectivity 2) Assessment of the adequacy of disaster recovery plans 3) Final approval of information security policies 4) Monitoring adherence to physical security controls

Final approval of information security policies

The first step to create an internal culture that embraces information security is to:

Gain endorsement from executive management

The enactment of policies and procedures for preventing hacker intrusions is an example of an activity that belongs to:

Governance

Which of the following is MOST likely to be discretionary? 1) Policies 2) Procedures 3) Guidelines 4) Standards

Guidelines

Information security projects should be prioritized on the basis of:

Impact on the organization

Which of the following choices is the most likely cause of significant inconsistencies in system configuration?

Inadequate governance

The most complete business case for security solutions is one that: 1) Includes appropriate justification 2) Explains the current risk profile 3) Details regulatory requirements 4) Identifies incidents and losses

Includes appropriate justification

Which of the following is the BEST justification to convince management to invest in an information security program? 1) Cost Reduction 2) Compliance with company policies 3) Protection of business assets 4) Increased business value

Increased business value

Which of the following are seldom changed in response to technological changes? 1) Standards 2) Procedures 3) Policies 4) Guidelines

Policies

What is the main risk when there is no user management representation on the information security steering committee?

Information security plans are not aligned with business requirements

An information security manager can BEST attain senior management commitment and support by emphasizing:

Organizational Risk

What would influence the content of the information security strategy to the greatest extent?

Organizational goal

The director of auditing has recommended a specific information security monitoring solution to the information security manager. What should the information security manager do first?

Perform an assessment to determine correlation with business goals and objectives

Which of the following would BEST prepare an information security manager for regulatory reviews?

Perform self-assessment using regulatory guidelines and reports

An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?

Proportionality. Information security controls, including access, should be proportionate to the criticality and/or sensitivity of the asset.

What is the primary purpose of an information security program?

Provide protection to information assets consistent with business strategy and objectives

Information security frameworks can be MOST useful for the information security manager because they:

Provide structure and guidance

Read book about executive manager

Read book about executive manager

The most effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:

Refer the issues to senior management along with any security recommendations

An information security manager must understand the relationship between information security and business operations in order to:

Support organizational objectives

The PRIMARY goal of developing an information security strategy is to:

Support the business objectives of the organization

Which of the following requirements would have the LOWEST level of priority in information security? 1) Technical 2) Regulatory 3) Privacy 4) Business

Technical

Which metrics will provide the best indication of organizational risk?

The extent of unplanned business interruptions (read book for notes)

Which of the following is the MOST significant in determining an organization's risk appetite?

The organizational culture

Which of the following would be the BEST indicator of effective information security governance within an organization?

The steering committee approves security projects.

Senior management commitment and support for information security can BEST be obtained through a presentation that:

Ties security risk to key business objectives
