Domain 1- Information Security Governance questions
S1-82 Which of the following should be included in the annual information security budget that is submitted for management approval? Select one: a. A cost-benefit analysis of budgeted resources b. All of the resources that are recommended by the business c. Total cost of ownership d. Baseline comparisons
a. A cost-benefit analysis of budgeted resources
S1-112 Which of the following choices is the BEST indicator of the state of information security governance? Select one: a. A defined maturity level b. A developed security stage c. Complete policies and standards d. Low numbers of incidents
a. A defined maturity level
S1-144 Which of the following factors is MOST important for the successful implementation of an organization's information security program? Select one: a. Senior management support b. Budget for security activities c. Regular vulnerability assessment d. Knowledgeable security administrators
a. Senior management support
S1-79 The enactment of policies and procedures for preventing hacker intrusion is an example of an activity that belongs to: Select one: a. risk management b. compliance c. IT management d. governance
a. risk management
S1-66 An information security manager must understand the relationship between information security and business operations in order to: Select one: a. support organizational objectives b. determine likely areas of noncompliance c. assess the possible impacts of compromise d. understand the threats to the business
a. support organizational objectives
S1-70 There is a concern that lack of detail in the recovery plan may prevent an organization from meeting its required time objectives when a security incident strikes. Which of the following is MOST likely to ensure the recovery time objectives would be met? Select one: a. Establishment of distributed operation centers b. Delegation of authority in recovery execution c. Outsourcing of the business restoration process d. Incremental backup of voluminous databases
b. Delegation of authority in recovery execution
S1-193 Requirements for an information security program should be based PRIMARILY on which of the following choices? Select one: a. Governance policies b. Desired outcomes c. Specific objectives d. The security strategy
b. Desired outcomes
S1-64 Which of the following choices is the MOST likely cause of significant inconsistencies in system configuration? Select one: a. A lack of procedures b. Inadequate governance c. Poor standards d. Insufficient training
b. Inadequate governance
S1-14 Which of the following is MOST appropriate for inclusion in an information security strategy? Select one: a. Business controls designated as key controls b. Security processes, methods, tools and techniques c. Firewall rule sets, network defaults and intrusion detection system settings d. Budget estimates to acquire specific security tools
b. Security processes, methods, tools and techniques
S1-174 An organization has decided to implement governance, risk and compliance processes into several critical areas of the enterprise. Which of the following objectives is the MAIN one? Select one: a. To reduce governance cost b. To improve risk management c. To harmonize security activities d. To meet or maintain regulatory compliance
b. To improve risk management
S1-189 Which of the following reasons is the MOST important to develop a strategy before implementing an information security program? Select one: a. To justify program development costs b. To integrate development activities c. To gain management support for an information security program d. To comply with international standards
b. To integrate development activities
S1-139 An organization has consolidated global operations. The chief information officer has asked the chief information security officer to develop a new organizational information security strategy. Which of the following actions should be taken FIRST? Select one: a. Identify the assets b. Conduct a risk assessment c. Define the scope d. Perform a business impact analysis
c. Define the scope
S1-102 Which of the following would be the FIRST step when developing a business case for an information security investment? Select one: a. Defining the objectives b. Calculating the cost c. Defining the need d. Analyzing the cost-effectiveness
c. Defining the need
S1-16 Which of the following roles would represent a conflict of interest for an information security manager? Select one: a. Evaluation of third parties requesting connectivity b. Assessment of the adequacy of disaster recovery plans c. Final approval of information security policies d. Monitoring adherence to physical security controls
c. Final approval of information security policies
S1-68 Obtaining senior management support for establishing a warm site can BEST be accomplished by: Select one: a. establishing a periodic risk assessment b. promoting regulatory requirements c. developing a business case d. developing effective metrics
c. developing a business case
S1-72 Achieving compliance with a particular information security standard selected by management would BEST be described as a: Select one: a. key goal indicator b. critical success factor c. key performance indicator d. business impact analysis
c. key performance indicator
S1-156 The MOST important outcome of aligning information security governance with corporate governance is to: Select one: a. show that information security understands the rules b. provide regulatory compliance c. maximize the cost-effectiveness of controls d. minimize the number of rules and regulations required
c. maximize the cost-effectiveness of controls
S1-28 Senior management commitment and support for information security can BEST be enhanced through: Select one: a. a formal security policy sponsored by the chief executive officer b. regular security awareness training for employees c. periodic review of alignment with business management goals d. senior management sign-off on the information security strategy
c. periodic review of alignment with business management goals
S1-86 Effective governance of enterprise security is BEST ensured by: Select one: a. using a bottom-up approach b. management by IT department c. using a top-down approach
c. using a top-down approach
S1-184 What should be the PRIMARY basis of a road map for implementing information security governance? Select one: a. Policies b. Architecture c. Legal requirements d. Strategy
d. Strategy
S1-101 The formal declaration of organizational information security goals and objectives should be found in the: Select one: a. information security procedures b. information security principles c. employee code of conduct d. information security policy
d. information security policy
1-27 The PRIMARY goal of developing an information security strategy is to: Select one: a. establish security metrics and performance monitoring b. educate business process owners regarding their duties c. ensure that legal and regulatory requirements are met d. support the business objectives of the organization
Note: it is NOT d. support the business objectives of the organization
S1-137 Which one of the following groups has final responsibility for the effectiveness of security controls? Select one: a. The security administrator who implemented the controls b. The information systems auditor who recommended the controls
b. The information systems auditor who recommended the controls
S1-43 Segregation of duties (SoD) has been designed and introduced into an accounts payable system. Which of the following should be in place to BEST maintain the effectiveness of SoD? Select one: a. A strong password rule is assigned to disbursement staff b. Security awareness is publicized by the compliance department c. An operational role matrix is aligned with the organizational chart
Not sure of the right answer; it isn't c.
S1-191 Which of the following tasks should information security management undertake FIRST while creating the information security strategy of the organization? Select one: a. Understand the IT service portfolio b. Investigate the business security level c. Define the information security policy d. Assess the risk associated with IT
a. Understand the IT service portfolio
S1-118 In an organization, information systems security is the responsibility of: Select one: a. all personnel b. information systems personnel c. information systems security personnel d. functional personnel
a. all personnel
S1-31 An information security manager receives a report showing an increase in the number of security events. The MOST likely explanation is: Select one: a. exploitation of vulnerability in the information system b. threat actors targeting the organization in greater numbers c. failure of a previously deployed detective control d. approval of a new exception for noncompliance by management
a. exploitation of vulnerability in the information system
S1-183 The purpose of an information security strategy is to: Select one: a. express the goals of an information security program and the plan to achieve them b. outline the intended configuration of information security controls c. mandate the behavior and acceptable actions of all information system users d. authorize the steps and procedures necessary to protect critical information systems
a. express the goals of an information security program and the plan to achieve them
S1-25 The MOST important element(s) to consider when developing a business case for a project is the: Select one: a. feasibility and value proposition b. resource and time requirements c. financial analysis of benefits d. alignment with organizational objectives
a. feasibility and value proposition
S1-135 Serious security incidents typically lead to a renewed focus on information security by management. To BEST use this attention, the information security manager should make the case for: Select one: a. improving integration of business and information security processes b. increasing information security budgets and staffing levels c. developing tighter controls and stronger compliance efforts d. acquiring better supplemental technical security controls
a. improving integration of business and information security processes
S1-197 An information security manager is PRIMARILY responsible for: Select one: a. managing the risk to the information infrastructure b. implementing a standard configuration for IT assets c. conducting a business impact analysis (BIA) d. closing identified technical vulnerabilities
a. managing the risk to the information infrastructure
S1-15 An information security manager can BEST attain senior management commitment and support by emphasizing: Select one: a. organizational risk b. performance metrics c. security needs d. the responsibilities of organizational units
a. organizational risk
S1-171 The FIRST action for an information security manager to take when presented with news that new regulations are being applied to how organizations handle sensitive data is to determine: Select one: a. processes and activities that may be affected b. how senior management would prefer to respond c. whether the organization qualifies for an exemption d. the approximate cost of compliance
a. processes and activities that may be affected
S1-85 The PRIMARY purpose of an information security program is to: Select one: a. provide protection to information assets consistent with business strategy and objectives b. express the results of an organizational risk assessment in terms of business impact c. protect the confidentiality of business information and technology resources d. develop information security policy and procedures in line with business objectives
a. provide protection to information assets consistent with business strategy and objectives
S1-103 Effective information security requires a combination of management, administrative and technical controls because: Select one: a. technical controls alone are unable to adequately compensate for faulty processes b. senior management is unlikely to adequately fund deployment of technical controls c. the approach to addressing or treating specific risk has a significant impact on costs d. development of the right strategy needs to be iterative to achieve the desired state
a. technical controls alone are unable to adequately compensate for faulty processes.
S1-11 Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group? Select one: a. Information security manager b. Chief operating officer c. Internal auditor d. Legal counsel
b. Chief operating officer
S1-34 Which of the following is the MOST important information to include in a strategic plan for information security? Select one: a. Information security setting requirements b. Current state and desired future state c. IT capital investment requirements d. Information security mission statement
b. Current state and desired future state
S1-157 Which of the following is the MOST important consideration for a control policy? Select one: a. Data protection b. Life safety c. Security strategy d. Regulatory factors
b. Life safety
S1-179 Which of the following would be the BEST indicator that an organization has good governance? Select one: a. Risk assessments b. Maturity level c. Audit reports d. Loss history
b. Maturity level
S1-96 An organization that appoints a chief information security officer: Select one: a. improves collaboration among the ranks of senior management b. acknowledges a commitment to legal responsibility for information security c. infringes on the governance role of the board of directors d. enhances the financial accountability of technology projects
b. acknowledges a commitment to legal responsibility for information security
S1-92 Information security should: Select one: a. focus on eliminating all risk b. balance technical and business requirements c. be driven by regulatory requirements d. be defined by the board of directors
b. balance technical and business requirements
S1-47 The PRIMARY concern of an information security manager documenting a formal data retention policy is: Select one: a. generally accepted industry good practices b. business requirements c. legislative and regulatory requirements d. storage availability
b. business requirements
S1-55 In order to highlight to management the importance of integrating information security in the business process, a newly hired information security officer should FIRST: Select one: a. prepare a security budget b. conduct a risk assessment c. develop an information security policy d. obtain benchmarking information
b. conduct a risk assessment
S1-42 An information security manager at a global organization has to ensure that the local information security program will initially be in compliance with the: Select one: a. corporate data privacy policy b. data privacy policy where data are collected c. data privacy directive applicable globally
b. data privacy policy where data are collected
S1-78 An enterprise has been recently subject to a series of denial-of-service attacks due to a weakness in security. The information security manager needs to present a business case for increasing the investment in security. The MOST significant challenge in obtaining approval from senior management for the proposal is: Select one: a. explaining technology issues of security b. demonstrating value and benefits c. simulating various risk scenarios d. obtaining benchmarking data for comparison
b. demonstrating value and benefits
S1-98 When setting up an information classification scheme, the role of the information owner is to: Select one: a. ensure that data on an information system are protected according to the classification policy b. determine the classification of information across his/her scope of responsibility c. identify all information that requires backup according to its criticality and classification d. delegate the classification of information to responsible information custodians
b. determine the classification of information across his/her scope of responsibility
S1-130 The BEST approach to developing an information security program is to use a: Select one: a. process b. framework c. model d. guideline
b. framework
S1-178 It is essential for the board of directors to be involved with information security activities primarily because of concerns regarding: Select one: a. technology b. liability c. compliance d. strategy
b. liability
S1-61 To achieve effective strategic alignment of information security initiatives, it is important that: Select one: a. steering committee leadership rotates among members b. major organizational units provide input and reach a consensus c. the business strategy is updated periodically d. procedures and standards are approved by all departmental heads
b. major organizational units provide input and reach a consensus
S1-107 Maturity levels are an approach to determine the extent to which sound practices have been implemented in an organization based on outcomes. Another approach that has been developed to achieve essentially the same result is: Select one: a. controls applicability statements b. process performance and capabilities c. probabilistic risk assessment d. factor analysis of information risk
b. process performance and capabilities
S1-10 Successful implementation of information security governance will FIRST require: Select one: a. security awareness training b. updated security policies c. a computer incident management team d. security architecture
b. updated security policies
S1-7 Investments in information security technologies should be based on: Select one: a. vulnerability assessments b. value analysis c. business climate d. audit recommendations
b. value analysis
S1-182 Which of the following choices is MOST likely to ensure that responsibilities are carried out? Select one: a. Signed contracts b. Severe penalties c. Assigned accountability d. Clear policies
c. Assigned accountability
1-46 A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following items would be of MOST value? Select one: a. Examples of genuine incidents at similar organizations b. Statement of generally accepted good practices c. Associating realistic threats to corporate objectives d. Analysis of current technological exposures
c. Associating realistic threats to corporate objectives
S1-23 Which of the following is a characteristic of decentralized information security management across a geographically dispersed organization? Select one: a. More uniformity in quality of service b. Better adherence to policies c. Better alignment to business unit needs d. More savings in total operating costs
c. Better alignment to business unit needs
S1-38 Which of the following roles is responsible for legal and regulatory liability? Select one: a. Chief security officer b. Chief legal counsel c. Board of directors and senior management d. Information security steering group
c. Board of directors and senior management
S1-58 Which of the following should an information security manager PRIMARILY use when proposing the implementation of a security solution? Select one: a. Risk assessment report b. Technical evaluation report c. Business case d. Budgetary requirements
c. Business case
S1-88 Which of the following recommendations is the BEST one to promote a positive information security governance culture within an organization? Select one: a. Strong oversight by the audit committee b. Organizational governance transparency c. Collaboration across business lines d. Positive governance ratings by stock analysts
c. Collaboration across business lines
S1-54 What will have the HIGHEST impact on standard information security governance models? Select one: a. Number of employees b. Distance between physical locations c. Complexity of organizational structure d. Organizational budget
c. Complexity of organizational structure
S1-59 To justify its ongoing information security budget, which of the following would be of MOST use to the information security department? Select one: a. Security breach frequency b. Annual loss expectancy c. Cost-benefit analysis d. Peer group comparison
c. Cost-benefit analysis
S1-158 Senior management has expressed some concern about the effectiveness of the information security program. What can the information security manager do to gain the support of senior management for the program? Select one: a. Rebuild the program on the basis of a reorganized, auditable standard b. Calculate the cost-benefit analysis of the existing controls that are in place c. Interview senior management to address their concerns with the program d. Present a report from the steering committee supporting the program
c. Interview senior management to address their concerns with the program
S1-136 Which person or group should have final approval of an organization's information technology (IT) security policies? Select one: a. Business unit managers b. Chief information security officer c. Senior management d. Chief information officer
c. Senior management
S1-173 What is the MOST important consideration when developing a business case for an information security investment? Select one: a. The impact on the risk profile of the organization b. The acceptability to the board of directors c. The implementation benefits d. The affordability to the organization
c. The implementation benefits
S1-117 What is the MOST important item to be included in an information security policy? Select one: a. The definition of roles and responsibilities b. The scope of the security program c. The key objectives of the security program d. Reference to procedures and standards of the security program
c. The key objectives of the security program
S1-142 Which of the following is the PRIMARY reason to change policies during program development? Select one: a. The policies must comply with new regulatory and legal mandates b. Appropriate security baselines are no longer set in the policies c. The policies no longer reflect management intent and direction d. Employees consistently ignore the policies
c. The policies no longer reflect management intent and direction
S1-163 Which of the following BEST supports continuous improvement of the risk management process? Select one: a. Regular review of risk treatment options b. Classification of assets in order of criticality c. Adoption of a maturity model d. Integration of assurance functions
c. Adoption of a maturity model
S1-3 The MOST appropriate role for senior management in supporting information security is the: Select one: a. evaluation of vendors offering security products b. assessment of risk to the organization c. approval of policy statements and funding d. developing standards sufficient to achieve acceptable risk
c. approval of policy statements and funding
S1-65 The MOST important characteristic of good security policies is that they: Select one: a. state expectations of IT management b. state only a general security mandate c. are aligned with organizational goals d. govern the creation of procedures and guidelines
c. are aligned with organizational goals
S1-41 Information security policy enforcement is the responsibility of the: Select one: a. security steering committee b. chief information officer c. chief information security officer d. chief compliance officer
c. chief information security officer
S1-44 Information security frameworks can be MOST useful for the information security manager because they: Select one: a. provide detailed processes and methods b. are designed to achieve specific outcomes c. provide structure and guidance d. provide policy and procedure
c. provide structure and guidance
S1-91 Which of the following is the MOST appropriate as a means of obtaining commitment from senior management for implementation of the information security strategy? Select one: a. Educational material discussing the importance of good information security practices b. Regular group meetings to review the challenges and requirements of daily operations c. A cost-benefit analysis detailing how the requested implementation budget will be used d. A formal presentation highlighting the relationship between security and business goals
d. A formal presentation highlighting the relationship between security and business goals
S1-172 Which of the following is the MOST important when developing information security governance? Select one: a. Complying with applicable corporate standards b. Achieving cost-effectiveness of the risk mitigation c. Obtaining consensus of business units d. Aligning with organizational goals
d. Aligning with organizational goals
S1-37 From an information security manager perspective, what is an immediate benefit of clearly defined roles and responsibilities? Select one: a. Enhanced policy compliance b. Improved procedure flows c. Segregation of duties d. Better accountability
d. Better accountability
S1-73 Which of the following choices is the MOST important consideration when developing the security strategy of a company operating in different countries? Select one: a. Diverse attitudes toward security by employees and management b. Time differences and the ability to reach security officers c. A coherent implementation of security policies and procedures in all countries d. Compliance with diverse laws and governmental regulations
d. Compliance with diverse laws and governmental regulations
S1-181 An organization has decided to implement bring your own device (BYOD) for laptops and mobile phones. What should the information security manager focus on FIRST? Select one: a. Advising against implementing BYOD because of security risk b. Preparing a business case for new security tools for BYOD c. Updating the security awareness program to include BYOD d. Determining an information security strategy for BYOD
d. Determining an information security strategy for BYOD
S1-32 Which of the following is the MOST appropriate task for a chief information security officer to perform? Select one: a. Update platform-level security settings b. Conduct disaster recovery test exercises c. Approve access to critical financial systems d. Develop an information security strategy
d. Develop an information security strategy
S1-94 What is the MAIN risk when there is no user management representation on the information security steering committee? Select one: a. Functional requirements are not adequately considered b. User training programs may be inadequate c. Budgets allocated to business units are not appropriate d. Information security plans are not aligned with business requirements
d. Information security plans are not aligned with business requirements
S1-99 Which of the following choices would influence the content of the information security strategy to the GREATEST extent? Select one: a. Emerging technology b. System compromises c. Network architecture d. Organizational goals
d. Organizational goals
S1-150 Which of the following is the MOST important component of information security governance? Select one: a. Appropriate monitoring and metrics b. An established strategy for moving forward c. An information security steering committee d. Senior management involvement
d. Senior management involvement
S1-132 Which of the following choices would provide the BEST measure of the effectiveness of the security strategy? Select one: a. Minimizing risk across the enterprise b. Countermeasures existing for all known threats c. Losses consistent with annual loss expectations d. The extent to which control objectives are met
d. The extent to which control objectives are met
S1-12 Which of the following factors is the MOST significant in determining an organization's risk appetite? Select one: a. The nature and extent of threats b. Organizational policies c. The overall security strategy d. The organizational culture
d. The organizational culture
S1-111 Information security governance must be integrated into all business functions and activities PRIMARILY to: Select one: a. maximize security efficiency b. standardize operational activities c. achieve strategic alignment d. address operational risk
d. address operational risk
S1-33 When an information security manager is developing a strategic plan for information security, the time line for the plan should be: Select one: a. aligned with IT strategic plan b. based on the current rate of technological change c. three to five years for both hardware and software d. aligned with the business strategy
d. aligned with the business strategy
S1-134 The MOST important requirement for gaining management commitment to the information security program is to: Select one: a. benchmark a number of successful organizations b. demonstrate potential losses and other impacts that can result from a lack of support c. inform management of the legal requirements of due care d. demonstrate support for desired outcomes
d. demonstrate support for desired outcomes
S1-190 Decisions regarding information security are BEST supported by: Select one: a. statistical analysis b. expert advice c. benchmarking d. effective metrics
d. effective metrics
S1-154 The MOST important basis for developing a business case is the: Select one: a. risk that will be addressed b. financial analysis of benefits c. alignment with organizational objectives d. feasibility and value proposition
d. feasibility and value proposition
S1-87 The FIRST step to create an internal culture that embraces information security is to: Select one: a. implement strong controls b. conduct periodic awareness training c. actively monitor operations d. gain endorsement from executive management
d. gain endorsement from executive management
S1-164 Which of the following is MOST important in the development of information security policies? Select one: a. Adopting an established framework b. Using modular design for easier maintenance c. Using prevailing industry standards d. Gathering stakeholder requirements
d. Gathering stakeholder requirements
S1-153 The PRIMARY focus of information security governance is to: Select one: a. adequately protect the information and knowledge base of the organization b. provide assurance to senior management that the security posture is adequate c. safeguard the IT systems that store and process business information d. optimize the information security strategy to achieve business objectives
d. optimize the information security strategy to achieve business objectives
S1-108 The PRIMARY objective for information security program development should be: Select one: a. creating an information security strategy b. establishing incident response procedures c. implementing cost-effective security solutions d. reducing the impact of risk on the business
d. reducing the impact of risk on the business
S1-2 Senior management commitment and support for information security can BEST be obtained through presentations that: Select one: a. use illustrative examples of successful attacks b. explain the technical risk to the organization c. evaluate the organization d. tie security risk to key business objectives
d. tie security risk to key business objectives
S1-18 Which of the following requirements would have the LOWEST level of priority in information security? Select one: a. Technical b. Regulatory c. Privacy d. Business
a. Technical
S1-165 An organization has recently developed and approved an access control policy. Which of the following will be MOST effective in communicating the access control policy to the employees? Select one: a. Requiring employees to formally acknowledge receipt of the policy b. Integrating security requirements into job descriptions c. Making the policy available on the intranet d. Implementing an annual retreat for employees on information security
a. Requiring employees to formally acknowledge receipt of the policy
S1-53 Which of the following is the MOST important prerequisite for establishing information security management within an organization? Select one: a. Senior management commitment b. Information security framework c. Information security organizational structure d. Information security policy
a. Senior management commitment
S1-149 Which of the following is a risk that would MOST likely be overlooked by an information security review during an onsite inspection of an offshore provider? Select one: a. Cultural differences b. Technical skills c. Defense in depth d. Adequate policies
a. Cultural differences
S1-160 Which of the following is the MOST cost-effective approach to achieve strategic alignment? Select one: a. Periodically survey management b. Implement a governance framework c. Ensure that controls meet objectives d. Develop enterprise architecture
a. Periodically survey management
S1-155 Which of the following is the MOST important consideration when developing an information security strategy? Select one: a. Supporting business objectives b. Maximizing the effectiveness of available resources c. Ensuring that legal and regulatory constraints are addressed d. Determining the effect on the organizational roles and responsibilities
a. Supporting business objectives
S1-129 Which of the following choices would be the MOST significant key risk indicator? Select one: a. A deviation in employee turnover b. The number of packets dropped by the firewall c. The number of viruses detected d. The reporting relationship of IT
a. A deviation in employee turnover
S1-76 Which of the following choices is a necessary attribute of an effective information security governance framework? Select one: a. An organizational structure with minimal conflicts of interest, with sufficient resources and defined responsibilities b. Organizational policies and guidelines in line with predefined procedures c. Business objectives aligned with a predefined security strategy d. Security guidelines that address multiple facets of security such as strategy, regulatory compliance and controls
a. An organizational structure with minimal conflicts of interest, with sufficient resources and defined responsibilities
S1-74 Which of the following BEST contributes to the development of an information security governance framework that supports the maturity model concept? Select one: a. Continuous analysis, monitoring and feedback b. Continuous monitoring of the return on security investment c. Continuous risk reduction d. Key risk indicator setup to security management processes
a. Continuous analysis, monitoring and feedback