Set 2

A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value? A. Examples of genuine incidents at similar organizations B. Statement of generally accepted best practices C. Associating realistic threats to corporate objectives D. Analysis of current technological exposures

Associating realistic threats to corporate objectives

At what stage of the applications development process should the security department initially become involved? A. When requested B. At testing C. At programming D. At detail requirements

At detail requirements

From an information security manager perspective, what is the immediate benefit of clearly defined roles and responsibilities? A. Enhanced policy compliance B. Improved procedure flows C. Segregation of duties D. Better accountability

Better accountability

Which of the following is responsible for legal and regulatory liability? A. Chief security officer (CSO) B. Chief legal counsel (CLC) C. Board and senior management D. Information security steering group

Board and senior management

Who is ultimately responsible for the organization's information? A. Data custodian B. Chief information security officer (CISO) C. Board of directors D. Chief information officer (CIO)

Board of directors

What would a security manager PRIMARILY utilize when proposing the implementation of a security solution? A. Risk assessment report B. Technical evaluation report C. Business case D. Budgetary requirements

Business case

What will have the HIGHEST impact on standard information security governance models? A. Number of employees B. Distance between physical locations C. Complexity of organizational structure D. Organizational budget

Complexity of organizational structure

When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint? A. Compliance with international security standards. B. Use of a two-factor authentication system. C. Existence of an alternate hot site in case of business disruption. D. Compliance with the organization's information security requirements.

Compliance with the organization's information security requirements.

To justify its ongoing security budget, which of the following would be of MOST use to the information security' department? A. Security breach frequency B. Annualized loss expectancy (ALE) C. Cost-benefit analysis D. Peer group comparison

Cost-benefit analysis

Who in an organization has the responsibility for classifying information? A. Data custodian B. Database administrator C. Information security officer D. Data owner

Data owner

What is the PRIMARY role of the information security manager in the process of information classification within an organization? A. Defining and ratifying the classification structure of information assets B. Deciding the classification levels applied to the organization's information assets C. Securing information assets in accordance with their classification D. Checking if information assets have been classified properly

Defining and ratifying the classification structure of information assets

Logging is an example of which type of defense against systems compromise? A. Containment B. Detection C. Reaction D. Recovery

Detection

Which of the following situations would MOST inhibit the effective implementation of security governance: A. The complexity of technology B. Budgetary constraints C. Conflicting business priorities D. High-level sponsorship

High-level sponsorship

When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified? A. Business management B. Operations manager C. Information security manager D. System users

Information security manager

To achieve effective strategic alignment of security initiatives, it is important that: A. Steering committee leadership be selected by rotation. B. Inputs be obtained and consensus achieved between the major organizational units. C. The business strategy be updated periodically. D. Procedures and standards be approved by all departmental heads.

Inputs be obtained and consensus achieved between the major organizational units.

How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation? A. Give organization standards preference over local regulations B. Follow local regulations only C. Make the organization aware of those standards where local regulations causes conflicts D. Negotiate a local version of the organization standards

Negotiate a local version of the organization standards

An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles? A. Ethics B. Proportionality C. Integration D. Accountability

Proportionality

Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification? A. Alignment with industry best practices B. Business continuity investment C. Business benefits D. Regulatory compliance

Regulatory compliance

An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management? A. Security metrics reports B. Risk assessment reports C. Business impact analysis (BIA) D. Return on security investment report

Risk assessment reports

What would be the MOST significant security risks when using wireless local area network (LAN) technology? A. Man-in-the-middle attack B. Spoofing of data packets C. Rogue access point D. Session hijacking

Rogue access point

Which of the following would be MOST effective in successfully implementing restrictive password policies? A. Regular password audits B. Single sign-on system C. Security awareness program D. Penalties for noncompliance

Security awareness program

Who should drive the risk analysis for an organization? A. Senior management B. Security manager C. Quality manager D. Legal department

Security manager

Reviewing which of the following would BEST ensure that security controls are effective? A. Risk assessment policies B. Return on security investment C. Security metrics D. User access rights

Security metrics

Which of the following is the MOST important prerequisite for establishing information security management within an organization? A. Senior management commitment B. Information security framework C. Information security organizational structure D. Information security policy

Senior management commitment

When developing an information security program, what is the MOST useful source of information for determining available resources? A. Proficiency test B. Job descriptions C. Organization chart D. Skills inventory

Skills inventory

Which of the following is the MOST important to keep in mind when assessing the value of information? A. The potential financial loss B. The cost of recreating the information C. The cost of insurance coverage D. Regulatory requirement

The potential financial loss

Which of the following is MOST important in developing a security strategy? A. Creating a positive business security environment B. Understanding key business objectives C. Having a reporting line to senior management D. Allocating sufficient resources to information security

Understanding key business objectives

An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of: A. performance measurement. B. integration. C. alignment. D. value delivery.

alignment.

The MOST important characteristic of good security policies is that they: A. state expectations of IT management. B. state only one general security mandate. C. are aligned with organizational goals. D. govern the creation of procedures and guidelines.

are aligned with organizational goals.

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST: A. meet with stakeholders to decide how to comply. B. analyze key risks in the compliance process. C. assess whether existing controls meet the regulation. D. update the existing security/privacy policy.

assess whether existing controls meet the regulation.

The MOST useful way to describe the objectives in the information security strategy is through: A. attributes and characteristics of the "desired state." B. overall control objectives of the security program. C. mapping the IT systems to key business processes. D. calculation of annual loss expectations.

attributes and characteristics of the "desired state."

The MOST basic requirement for an information security governance program is to: A. be aligned with the corporate business strategy. B. be based on a sound risk management approach. C. provide adequate regulatory compliance. D. provide best practices for security- initiatives.

be aligned with the corporate business strategy.

The PRIMARY concern of an information security manager documenting a formal data retention policy would be: A. generally accepted industry best practices. B. business requirements. C. legislative and regulatory requirements. D. storage availability.

business requirements.

Information security policy enforcement is the responsibility of the: A. security steering committee. B. chief information officer (CIO). C. chief information security officer (CISO). D. chief compliance officer (CCO).

chief information security officer (CISO).

The FIRST step in developing an information security management program is to: A. identify business risks that affect the organization. B. clarify organizational purpose for creating the program. C. assign responsibility for the program. D. assess adequacy of controls to mitigate business risks.

clarify organizational purpose for creating the program.

In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST: A. prepare a security budget. B. conduct a risk assessment. C. develop an information security policy. D. obtain benchmarking information.

conduct a risk assessment.

In order to highlight to management the importance of network security, the security manager should FIRST: A. develop a security architecture. B. install a network intrusion detection system (NIDS) and prepare a list of attacks. C. develop a network security policy. D. conduct a risk assessment.

conduct a risk assessment.

An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the: A. corporate data privacy policy. B. data privacy policy where data are collected. C. data privacy policy of the headquarters' country. D. data privacy directive applicable globally.

data privacy policy where data are collected.

While implementing information security governance an organization should FIRST: A. adopt security standards. B. determine security baselines. C. define the security strategy. D. establish security policies.

define the security strategy.

In implementing information security governance, the information security manager is PRIMARILY responsible for: A. developing the security strategy. B. reviewing the security strategy. C. communicating the security strategy. D. approving the security strategy

developing the security strategy.

The PRIMARY objective of a security steering group is to: A. ensure information security covers all business functions. B. ensure information security aligns with business goals. C. raise information security awareness across the organization. D. implement all decisions on security management across the organization.

ensure information security aligns with business goals.

An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to: A. ensure that security processes are consistent across the organization. B. enforce baseline security levels across the organization. C. ensure that security processes are fully documented. D. implement monitoring of key performance indicators for security processes.

ensure that security processes are consistent across the organization.

Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if: A. it implies compliance risks. B. short-term impact cannot be determined. C. it violates industry security practices. D. changes in the roles matrix cannot be detected.

it implies compliance risks.

When designing an information security quarterly report to management, the MOST important element to be considered should be the: A. information security metrics. B. knowledge required to analyze each issue. C. linkage to business area objectives. D. baseline against which metrics are evaluated.

linkage to business area objectives.

Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security: A. baseline. B. strategy. C. procedure. D. policy.

policy.

When personal information is transmitted across networks, there MUST be adequate controls over: A. change management. B. privacy protection. C. consent to data transfer. D. encryption devices.

privacy protection.

An outcome of effective security governance is: A. business dependency assessment B. strategic alignment. C. risk assessment. D. planning.

strategic alignment.

To justify the need to invest in a forensic analysis tool, an information security manager should FIRST: A. review the functionalities and implementation requirements of the solution. B. review comparison reports of tool implementation in peer companies. C. provide examples of situations where such a tool would be useful. D. substantiate the investment in meeting organizational needs.

substantiate the investment in meeting organizational needs.

A security manager meeting the requirements for the international flow of personal data will need to ensure: A. a data processing agreement. B. a data protection registration. C. the agreement of the data subjects. D. subject access procedures.

the agreement of the data subjects.

A good privacy statement should include: A. notification of liability on accuracy of information. B. notification that information will be encrypted. C. what the company will do with information it collects. D. a description of the information classification process.

what the company will do with information it collects.