Set 2
A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value? A. Examples of genuine incidents at similar organizations B. Statement of generally accepted best practices C. Associating realistic threats to corporate objectives D. Analysis of current technological exposures
Associating realistic threats to corporate objectives
At what stage of the applications development process should the security department initially become involved? A. When requested B. At testing C. At programming D. At detail requirements
At detail requirements
From an information security manager perspective, what is the immediate benefit of clearly defined roles and responsibilities? A. Enhanced policy compliance B. Improved procedure flows C. Segregation of duties D. Better accountability
Better accountability
Which of the following is responsible for legal and regulatory liability? A. Chief security officer (CSO) B. Chief legal counsel (CLC) C. Board and senior management D. Information security steering group
Board and senior management
Who is ultimately responsible for the organization's information? A. Data custodian B. Chief information security officer (CISO) C. Board of directors D. Chief information officer (CIO)
Board of directors
What would a security manager PRIMARILY utilize when proposing the implementation of a security solution? A. Risk assessment report B. Technical evaluation report C. Business case D. Budgetary requirements
Business case
What will have the HIGHEST impact on standard information security governance models? A. Number of employees B. Distance between physical locations C. Complexity of organizational structure D. Organizational budget
Complexity of organizational structure
When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint? A. Compliance with international security standards. B. Use of a two-factor authentication system. C. Existence of an alternate hot site in case of business disruption. D. Compliance with the organization's information security requirements.
Compliance with the organization's information security requirements.
To justify its ongoing security budget, which of the following would be of MOST use to the information security' department? A. Security breach frequency B. Annualized loss expectancy (ALE) C. Cost-benefit analysis D. Peer group comparison
Cost-benefit analysis
Who in an organization has the responsibility for classifying information? A. Data custodian B. Database administrator C. Information security officer D. Data owner
Data owner
What is the PRIMARY role of the information security manager in the process of information classification within an organization? A. Defining and ratifying the classification structure of information assets B. Deciding the classification levels applied to the organization's information assets C. Securing information assets in accordance with their classification D. Checking if information assets have been classified properly
Defining and ratifying the classification structure of information assets
Logging is an example of which type of defense against systems compromise? A. Containment B. Detection C. Reaction D. Recovery
Detection
Which of the following situations would MOST inhibit the effective implementation of security governance: A. The complexity of technology B. Budgetary constraints C. Conflicting business priorities D. High-level sponsorship
High-level sponsorship
When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified? A. Business management B. Operations manager C. Information security manager D. System users
Information security manager
To achieve effective strategic alignment of security initiatives, it is important that: A. Steering committee leadership be selected by rotation. B. Inputs be obtained and consensus achieved between the major organizational units. C. The business strategy be updated periodically. D. Procedures and standards be approved by all departmental heads.
Inputs be obtained and consensus achieved between the major organizational units.
How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation? A. Give organization standards preference over local regulations B. Follow local regulations only C. Make the organization aware of those standards where local regulations causes conflicts D. Negotiate a local version of the organization standards
Negotiate a local version of the organization standards
An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles? A. Ethics B. Proportionality C. Integration D. Accountability
Proportionality
Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification? A. Alignment with industry best practices B. Business continuity investment C. Business benefits D. Regulatory compliance
Regulatory compliance
An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management? A. Security metrics reports B. Risk assessment reports C. Business impact analysis (BIA) D. Return on security investment report
Risk assessment reports
What would be the MOST significant security risks when using wireless local area network (LAN) technology? A. Man-in-the-middle attack B. Spoofing of data packets C. Rogue access point D. Session hijacking
Rogue access point
Which of the following would be MOST effective in successfully implementing restrictive password policies? A. Regular password audits B. Single sign-on system C. Security awareness program D. Penalties for noncompliance
Security awareness program
Who should drive the risk analysis for an organization? A. Senior management B. Security manager C. Quality manager D. Legal department
Security manager
Reviewing which of the following would BEST ensure that security controls are effective? A. Risk assessment policies B. Return on security investment C. Security metrics D. User access rights
Security metrics
Which of the following is the MOST important prerequisite for establishing information security management within an organization? A. Senior management commitment B. Information security framework C. Information security organizational structure D. Information security policy
Senior management commitment
When developing an information security program, what is the MOST useful source of information for determining available resources? A. Proficiency test B. Job descriptions C. Organization chart D. Skills inventory
Skills inventory
Which of the following is the MOST important to keep in mind when assessing the value of information? A. The potential financial loss B. The cost of recreating the information C. The cost of insurance coverage D. Regulatory requirement
The potential financial loss
Which of the following is MOST important in developing a security strategy? A. Creating a positive business security environment B. Understanding key business objectives C. Having a reporting line to senior management D. Allocating sufficient resources to information security
Understanding key business objectives
An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of: A. performance measurement. B. integration. C. alignment. D. value delivery.
alignment.
The MOST important characteristic of good security policies is that they: A. state expectations of IT management. B. state only one general security mandate. C. are aligned with organizational goals. D. govern the creation of procedures and guidelines.
are aligned with organizational goals.
A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST: A. meet with stakeholders to decide how to comply. B. analyze key risks in the compliance process. C. assess whether existing controls meet the regulation. D. update the existing security/privacy policy.
assess whether existing controls meet the regulation.
The MOST useful way to describe the objectives in the information security strategy is through: A. attributes and characteristics of the "desired state." B. overall control objectives of the security program. C. mapping the IT systems to key business processes. D. calculation of annual loss expectations.
attributes and characteristics of the "desired state."
The MOST basic requirement for an information security governance program is to: A. be aligned with the corporate business strategy. B. be based on a sound risk management approach. C. provide adequate regulatory compliance. D. provide best practices for security- initiatives.
be aligned with the corporate business strategy.
The PRIMARY concern of an information security manager documenting a formal data retention policy would be: A. generally accepted industry best practices. B. business requirements. C. legislative and regulatory requirements. D. storage availability.
business requirements.
Information security policy enforcement is the responsibility of the: A. security steering committee. B. chief information officer (CIO). C. chief information security officer (CISO). D. chief compliance officer (CCO).
chief information security officer (CISO).
The FIRST step in developing an information security management program is to: A. identify business risks that affect the organization. B. clarify organizational purpose for creating the program. C. assign responsibility for the program. D. assess adequacy of controls to mitigate business risks.
clarify organizational purpose for creating the program.
In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST: A. prepare a security budget. B. conduct a risk assessment. C. develop an information security policy. D. obtain benchmarking information.
conduct a risk assessment.
In order to highlight to management the importance of network security, the security manager should FIRST: A. develop a security architecture. B. install a network intrusion detection system (NIDS) and prepare a list of attacks. C. develop a network security policy. D. conduct a risk assessment.
conduct a risk assessment.
An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the: A. corporate data privacy policy. B. data privacy policy where data are collected. C. data privacy policy of the headquarters' country. D. data privacy directive applicable globally.
data privacy policy where data are collected.
While implementing information security governance an organization should FIRST: A. adopt security standards. B. determine security baselines. C. define the security strategy. D. establish security policies.
define the security strategy.
In implementing information security governance, the information security manager is PRIMARILY responsible for: A. developing the security strategy. B. reviewing the security strategy. C. communicating the security strategy. D. approving the security strategy
developing the security strategy.
The PRIMARY objective of a security steering group is to: A. ensure information security covers all business functions. B. ensure information security aligns with business goals. C. raise information security awareness across the organization. D. implement all decisions on security management across the organization.
ensure information security aligns with business goals.
An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to: A. ensure that security processes are consistent across the organization. B. enforce baseline security levels across the organization. C. ensure that security processes are fully documented. D. implement monitoring of key performance indicators for security processes.
ensure that security processes are consistent across the organization.
Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if: A. it implies compliance risks. B. short-term impact cannot be determined. C. it violates industry security practices. D. changes in the roles matrix cannot be detected.
it implies compliance risks.
When designing an information security quarterly report to management, the MOST important element to be considered should be the: A. information security metrics. B. knowledge required to analyze each issue. C. linkage to business area objectives. D. baseline against which metrics are evaluated.
linkage to business area objectives.
Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security: A. baseline. B. strategy. C. procedure. D. policy.
policy.
When personal information is transmitted across networks, there MUST be adequate controls over: A. change management. B. privacy protection. C. consent to data transfer. D. encryption devices.
privacy protection.
An outcome of effective security governance is: A. business dependency assessment B. strategic alignment. C. risk assessment. D. planning.
strategic alignment.
To justify the need to invest in a forensic analysis tool, an information security manager should FIRST: A. review the functionalities and implementation requirements of the solution. B. review comparison reports of tool implementation in peer companies. C. provide examples of situations where such a tool would be useful. D. substantiate the investment in meeting organizational needs.
substantiate the investment in meeting organizational needs.
A security manager meeting the requirements for the international flow of personal data will need to ensure: A. a data processing agreement. B. a data protection registration. C. the agreement of the data subjects. D. subject access procedures.
the agreement of the data subjects.
A good privacy statement should include: A. notification of liability on accuracy of information. B. notification that information will be encrypted. C. what the company will do with information it collects. D. a description of the information classification process.
what the company will do with information it collects.