1. Information Security Governance - 24%

Question 1

What is a RACI Chart

Answer 1

Responsible
Accountable
Consultable
Informed

Question 2

What are the 5 principles of the National Association of Corporate Directors

Answer 2

Principle 1 - cybersecurity is an enterprise-wide issue

Principle 2 - Understand legal implications of cyber risks

Principle 3 - access to cybersecurity expertise

Principle 4 - boards should set expectations that management will establish an enterprise wide cyber risk management framework

Principle 5 - should discuss cyber risk including avoidance, acceptance, mitigation and transfer.

Question 3

What are different types of metrics used for simple categorization

Answer 3

Key Risk Indicators - metrics associated with risk with measurement of risks

Key Goal Indicators - attainment of strategic goals

Key Performance Indicators - show efficiency and effectiveness of security-related goals

Question 4

What is ROSI

Answer 4

Return on Security Investment.

Question 5

What is the acronym SMART in the effective ness of a metric

Answer 5

Specific
Measurable
Attainable
Relevant
Timely

Question 6

What is BMIS

Answer 6

Developed by ISACA in 2009 the Business Model for Information Security is a guide for business aligned risk-based security governance.

This was derived from the Systemic Security Management Framework developed by USC Marshal School of Business

Question 7

What is the dominant enterprise architecture standard established in the late 80s

Answer 7

The Zachman Framework

starts with a high functional level and then in increasing details.

Question 8

What does the Zachman model do not do for IT Systems

Answer 8

It does not convey the relationships between IT System. Data Flow Diagrams are used to depict that.

Question 9

What is the difference between a leading indicator and trailing indicator

Answer 9

leading indicators are a predictor of the probability of future security incidents. Patch Management Stats, Phishing Sim Results, UEBA, etc.

Trailing indicators are more reactive in nature based on security incidents related to attacks blocked by firewall, viruses stopped, etc.

Question 10

What are the elements of the business model for information security (BMIS)

Answer 10

Organization, people, process and technology.

The dynamic interconnections (DI’s) are culture, governing architecture, emergence, enabling and support, and human factors.

Question 11

the Primary Factor to the selection of a control framework is

Answer 11

Industry Vertical - for example a healthcare organization is going to want to utilize HIPAA Security Rules

Question 12

What is the purpose of a balanced scorecard?

Answer 12

Measure organizational performance and effectiveness against strategic goals.

tool used to quantify the performance of an organization against strategic objectives

Question 13

A process that is performed consistently but it is not documented is generally considered to be

Answer 13

Repeatable

Question 14

T or F all processe should reach the maturity level of optimized

Answer 14

False - there are no rules that the maturity levels of different processed need to be the same or at a different level.

Question 15

What is the primary responsibility of the custodial related to customers

Answer 15

Custodian makes decisions based on customer’s defined interests

Question 16

Compare CISO, CRO, CSO, and CIRO

Answer 16

CISO is responsible for information assets and not physical assets

Chief Risk Officer is responsible for managing risks for multiple type of assets.

Chief Security Officer is responsible for design, deployment, and operation of protective controls.

Chief Information Risk Officer is responsible for risk management and protection of information assets but not property, plant and equipment.

Question 17

A completion % metric is most likely associated with what type of Indicator

Answer 17

Key Goal Indicator (KGI)

Question 18

If two organizations are merging which is the greater risk. Difference in practices or gaps in coverage

Answer 18

Differences in practices.

Question 19

What is the purpose of value delivery metrics

Answer 19

Long-term reduction in costs

Question 20

What is a common term for mechanisms that ensure a desired outcome in a selected business process

Answer 20

Control

Question 21

What are the best explanation for the Implementation Tiers in NIST CSF

Answer 21

CSF states that Implementation Tiers are not strictly maturity levels but are very similar to them.

Question 22

What are 3 factors that a risk manager may consider when developing an Infosec Strategy

Answer 22

Risk Levels
Operating Costs
Compliance Levels

Question 23

If an Infosec Policy is considered aspirational what is the consequence and first step

Answer 23

Org does not appear to be in control of its security practice

Meet with legal counsel to develop a plan of action

Roll back controls to reasonable level

Question 24

An organization is required by PCI to include several policies that are highly technical and not applicable to the majority of its employees. What is the best course of action for implementing these policies?

Answer 24

Have a separate technical security policy containing those required items, with a separate aup for all workers.

Question 25

If an org lacks security architecture function what is most likely a result and what is the main advantage for larger distributed organizations

Answer 25

Inconsistent application of standards

Greater consistency in the use of tools and configurations

Question 26

What value does a BIA for a security leader

Answer 26

Provides a view of the criticality of business processes in an organization

Question 27

What are the levels of Capability Maturity Model

Answer 27

Initial
Repeatable
Defined
Managed
Optimizing

Question 28

What source would be the best to learn about the current state of cybersecurity program

Answer 28

Risk Assessment
Followed by
Risk Register

Question 29

What are the elements of a business case

Answer 29

Current state, desired state, success criteria, requirements, constraints, approach and plan

Question 30

Who would make the decision on cyber-risk treatment decision

Answer 30

Information Security Steering Committee

Question 31

An installation metric is typically associated with what type of metric

Answer 31

Key Goal Indicator (KGI)

Question 32

What best describes ISO 27001

Answer 32

Consists primarily of a body of requirements for running a security management program along with an appendix of security controls.

Question 33

What view does the BIA provide for a security leader in an organization

Answer 33

criticality of BUSINESS Processes

Question 34

What makes BMIS unique

Answer 34

It takes into consideration the Organization and its culture through D1 interconnections