CISM Practice B Topic 1 Flashcards
Which of the following should be the FIRST step in developing an information security plan?
Perform a technical vulnerabilities assessment
Analyze the current business strategy
Perform a business impact analysis
Assess the current levels of security awareness
Analyze the current business strategy
Senior management commitment and support for information security can BEST be obtained through presentations that:
use illustrative examples of successful attacks.
explain the technical risks to the organization.
evaluate the organization against best security practices.
tie security risks to key business objectives.
tie security risks to key business objectives.
The MOST appropriate role for senior management in supporting information security is the:
evaluation of vendors offering security products.
assessment of risks to the organization.
approval of policy statements and funding.
monitoring adherence to regulatory requirements.
approval of policy statements and funding.
Which of the following would BEST ensure the success of information security governance within an organization?
Steering committees approve security projects
Security policy training provided to all managers
Security training available to all employees on the intranet
Steering committees enforce compliance with laws and regulations
Steering committees approve security projects
Information security governance is PRIMARILY driven by:
technology constraints.
regulatory requirements.
litigation potential.
business strategy.
business strategy.
Which of the following represents the MAJOR focus of privacy regulations?
Unrestricted data mining
Identity theft
Human rights protection
Identifiable personal data
Identifiable personal data
Investments in information security technologies should be based on:
vulnerability assessments.
value analysis.
business climate.
audit recommendations.
value analysis.
Retention of business records should PRIMARILY be based on:
business strategy and direction.
regulatory and legal requirements.
storage capacity and longevity.
business case and value analysis.
regulatory and legal requirements.
Which of the following is characteristic of centralized information security management?
More expensive to administer
Better adherence to policies
More aligned with business unit needs
Faster turnaround of requests
Better adherence to policies
Successful implementation of information security governance will FIRST require:
security awareness training.
updated security policies.
a computer incident management team.
a security architecture.
updated security policies.
Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
Information security manager
Chief operating officer (COO)
Internal auditor
Legal counsel
Chief operating officer (COO)
The MOST important component of a privacy policy is:
notifications.
warranties.
liabilities.
geographic coverage.
notifications.
The cost of implementing a security control should not exceed the:
annualized loss expectancy.
cost of an incident.
asset value.
implementation opportunity costs.
asset value.
When a security standard conflicts with a business objective, the situation should be resolved by:
changing the security standard.
changing the business objective.
performing a risk analysis.
authorizing a risk acceptance.
performing a risk analysis.
Minimum standards for securing the technical infrastructure should be defined in a security:
strategy.
guidelines.
model.
architecture.
architecture.
Which of the following is MOST appropriate for inclusion in an information security strategy?
Business controls designated as key controls
Security processes, methods, tools and techniques
Firewall rule sets, network defaults and intrusion detection system (IDS) settings
Budget estimates to acquire specific security tools
Security processes, methods, tools and techniques
Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:
organizational risk.
organization wide metrics.
security needs.
the responsibilities of organizational units.
organizational risk.
Which of the following roles would represent a conflict of interest for an information security manager?
Evaluation of third parties requesting connectivity
Assessment of the adequacy of disaster recovery plans
Final approval of information security policies
Monitoring adherence to physical security controls
Final approval of information security policies
Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?
The information security department has difficulty filling vacancies.
The chief information officer (CIO) approves security policy changes.
The information security oversight committee only meets quarterly.
The data center manager has final signoff on all security projects.
The data center manager has final signoff on all security projects.
Which of the following requirements would have the lowest level of priority in information security?
Technical
Regulatory
Privacy
Business
Technical
When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?
Develop a security architecture
Establish good communication with steering committee members
Assemble an experienced staff
Benchmark peer organizations
Establish good communication with steering committee members
It is MOST important that information security architecture be aligned with which of the following?
Industry best practices
Information technology plans
Information security best practices
Business objectives and goals
Business objectives and goals
Which of the following is MOST likely to be discretionary?
Policies
Procedures
Guidelines
Standards
Guidelines
Security technologies should be selected PRIMARILY on the basis of their:
ability to mitigate business risks.
evaluations in trade publications.
use of new and emerging technologies.
benefits in comparison to their costs.
ability to mitigate business risks.
Which of the following are seldom changed in response to technological changes?
Standards
Procedures
Policies
Guidelines
Policies
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
storage capacity and shelf life.
regulatory and legal requirements.
business strategy and direction.
application systems and media.
application systems and media.
Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?
More uniformity in quality of service
Better adherence to policies
Better alignment to business unit needs
More savings in total operating costs
Better alignment to business unit needs
Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?
Chief security officer (CSO)
Chief operating officer (COO)
Chief privacy officer (CPO)
Chief legal counsel (CLC)
Chief operating officer (COO)
Which of the following would be the MOST important goal of an information security governance program?
Review of internal control mechanisms
Effective involvement in business decision making
Total elimination of risk factors
Ensuring trust in data
Ensuring trust in data
Relationships among security technologies are BEST defined through which of the following?
Security metrics
Network topology
Security architecture
Process improvement models
Security architecture
A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?
Enforce the existing security standard
Change the standard to permit the deployment
Perform a risk analysis to quantify the risk
Perform research to propose use of a better technology
Perform a risk analysis to quantify the risk
Acceptable levels of information security risk should be determined by:
legal counsel.
security management.
external auditors.
the steering committee.
the steering committee.
The PRIMARY goal in developing an information security strategy is to:
establish security metrics and performance monitoring.
educate business process owners regarding their duties.
ensure that legal and regulatory requirements are met.
support the business objectives of the organization.
support the business objectives of the organization.
Senior management commitment and support for information security can BEST be enhanced through:
a formal security policy sponsored by the chief executive officer (CEO).
regular security awareness training for employees.
periodic review of alignment with business management goals.
senior management signoff on the information security strategy.
periodic review of alignment with business management goals.
When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?
Create separate policies to address each regulation
Develop policies that meet all mandated requirements
Incorporate policy statements provided by regulators
Develop a compliance risk assessment
Develop policies that meet all mandated requirements
Which of the following MOST commonly falls within the scope of an information security governance steering committee?
Interviewing candidates for information security specialist positions
Developing content for security awareness programs
Prioritizing information security initiatives
Approving access to critical financial systems
Prioritizing information security initiatives
Which of the following is the MOST important factor when designing information security architecture?
Technical platform interfaces
Scalability of the network
Development methodologies
Stakeholder requirements
Stakeholder requirements
Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?
Knowledge of information technology platforms, networks and development methodologies
Ability to understand and map organizational needs to security technologies
Knowledge of the regulatory environment and project management techniques
Ability to manage a diverse group of individuals and resources across an organization
Ability to understand and map organizational needs to security technologies
Which of the following are likely to be updated MOST frequently?
Procedures for hardening database servers
Standards for password length and complexity
Policies addressing information security governance
Standards for document retention and destruction
Procedures for hardening database servers
Who should be responsible for enforcing access rights to application data?
Data owners
Business process owners
The security steering committee
Security administrators
Security administrators
The chief information security officer (CISO) should ideally have a direct reporting relationship to the:
head of internal audit.
chief operations officer (COO).
chief technology officer (CTO).
legal counsel.
chief operations officer (COO).
Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?
Update platform-level security settings
Conduct disaster recovery test exercises
Approve access to critical financial systems
Develop an information security strategy paper
Develop an information security strategy paper
Developing a successful business case for the acquisition of information security software products can BEST be assisted by:
assessing the frequency of incidents.
quantifying the cost of control failures.
calculating return on investment (ROI) projections.
comparing spending against similar organizations.
calculating return on investment (ROI) projections.
When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:
aligned with the IT strategic plan.
based on the current rate of technological change.
three-to-five years for both hardware and software.
aligned with the business strategy.
aligned with the business strategy.
Which of the following is the MOST important information to include in a strategic plan for information security?
Information security staffing requirements
Current state and desired future state
IT capital investment requirements
Information security mission statement
Current state and desired future state
Information security projects should be prioritized on the basis of:
time required for implementation.
impact on the organization.
total cost for implementation.
mix of resources required.
impact on the organization.
Which of the following is the MOST important information to include in an information security standard?
Creation date
Author name
Initial draft approval date
Last review date
Last review date
Which of the following would BEST prepare an information security manager for regulatory reviews?
Assign an information security administrator as regulatory liaison
Perform self-assessments using regulatory guidelines and reports
Assess previous regulatory reports with process owners input
Ensure all regulatory inquiries are sanctioned by the legal department
Perform self-assessments using regulatory guidelines and reports
An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:
bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.
establish baseline standards for all locations and add supplemental standards as required.
bring all locations into conformity with a generally accepted set of industry best practices.
establish a baseline standard incorporating those requirements that all jurisdictions have in common.
establish baseline standards for all locations and add supplemental standards as required.
Which of the following BEST describes an information security manager’s role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?
Ensure that all IT risks are identified
Evaluate the impact of information security risks
Demonstrate that IT mitigating controls are in place
Suggest new IT controls to mitigate operational risk
Evaluate the impact of information security risks
From an information security manager perspective, what is the immediate benefit of clearly defined roles and responsibilities?
Enhanced policy compliance
Improved procedure flows
Segregation of duties
Better accountability
Better accountability
An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?
Security metrics reports
Risk assessment reports
Business impact analysis (BIA)
Return on security investment report
Risk assessment reports
Reviewing which of the following would BEST ensure that security controls are effective?
Risk assessment policies
Return on security investment
Security metrics
User access rights
Security metrics
Which of the following is responsible for legal and regulatory liability?
Chief security officer (CSO)
Chief legal counsel (CLC)
Board and senior management
Information security steering group
Board and senior management
While implementing information security governance an organization should FIRST:
adopt security standards.
determine security baselines.
define the security strategy.
establish security policies.
define the security strategy.
Information security policy enforcement is the responsibility of the:
security steering committee.
chief information officer (CIO).
chief information security officer (CISO).
chief compliance officer (CCO).
chief information security officer (CISO).
A good privacy statement should include:
notification of liability on accuracy of information.
notification that information will be encrypted.
what the company will do with information it collects.
a description of the information classification process.
what the company will do with information it collects.
Which of the following would be MOST effective in successfully implementing restrictive password policies?
Regular password audits
Single sign-on system
Security awareness program
Penalties for noncompliance
Security awareness program
When designing an information security quarterly report to management, the MOST important element to be considered should be the:
information security metrics.
knowledge required to analyze each issue.
linkage to business area objectives.
baseline against which metrics are evaluated.
linkage to business area objectives.
An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:
corporate data privacy policy.
data privacy policy where data are collected.
data privacy policy of the headquarters’ country.
data privacy directive applicable globally.
data privacy policy where data are collected.
A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
meet with stakeholders to decide how to comply.
analyze key risks in the compliance process.
assess whether existing controls meet the regulation.
update the existing security/privacy policy.
assess whether existing controls meet the regulation.
The PRIMARY objective of a security steering group is to:
ensure information security covers all business functions.
ensure information security aligns with business goals.
raise information security awareness across the organization.
implement all decisions on security management across the organization.
ensure information security aligns with business goals.
Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:
baseline.
strategy.
procedure.
policy.
policy.
At what stage of the applications development process should the security department initially become involved?
When requested
At testing
At programming
At detail requirements
At detail requirements
A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?
Examples of genuine incidents at similar organizations
Statement of generally accepted best practices
Associating realistic threats to corporate objectives
Analysis of current technological exposures
Associating realistic threats to corporate objectives
The PRIMARY concern of an information security manager documenting a formal data retention policy would be:
generally accepted industry best practices.
business requirements.
legislative and regulatory requirements.
storage availability.
business requirements.
When personal information is transmitted across networks, there MUST be adequate controls over:
change management.
privacy protection.
consent to data transfer.
encryption devices.
privacy protection.
An organization’s information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:
ensure that security processes are consistent across the organization.
enforce baseline security levels across the organization.
ensure that security processes are fully documented.
implement monitoring of key performance indicators for security processes.
ensure that security processes are consistent across the organization.
Who in an organization has the responsibility for classifying information?
Data custodian
Database administrator
Information security officer
Data owner
Data owner
What is the PRIMARY role of the information security manager in the process of information classification within an organization?
Defining and ratifying the classification structure of information assets
Deciding the classification levels applied to the organization’s information assets
Securing information assets in accordance with their classification
Checking if information assets have been classified properly
Defining and ratifying the classification structure of information assets
Logging is an example of which type of defense against systems compromise?
Containment
Detection
Reaction
Recovery
Detection
Which of the following is MOST important in developing a security strategy?
Creating a positive business security environment
Understanding key business objectives
Having a reporting line to senior management
Allocating sufficient resources to information security
Understanding key business objectives
Who is ultimately responsible for the organization’s information?
Data custodian
Chief information security officer (CISO)
Board of directors
Chief information officer (CIO)
Board of directors
Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?
Alignment with industry best practices
Business continuity investment
Business benefits
Regulatory compliance
Regulatory compliance
A security manager meeting the requirements for the international flow of personal data will need to ensure:
a data processing agreement.
a data protection registration.
the agreement of the data subjects.
subject access procedures.
the agreement of the data subjects.
An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?
Ethics
Proportionality
Integration
Accountability
Proportionality
Which of the following is the MOST important prerequisite for establishing information security management within an organization?
Senior management commitment
Information security framework
Information security organizational structure
Information security policy
Senior management commitment
What will have the HIGHEST impact on standard information security governance models?
Number of employees
Distance between physical locations
Complexity of organizational structure
Organizational budget
Complexity of organizational structure
In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:
prepare a security budget.
conduct a risk assessment.
develop an information security policy.
obtain benchmarking information.
conduct a risk assessment.
Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:
it implies compliance risks.
short-term impact cannot be determined.
it violates industry security practices.
changes in the roles matrix cannot be detected.
it implies compliance risks.
An outcome of effective security governance is:
business dependency assessment.
strategic alignment.
risk assessment.
planning.
strategic alignment.
How would an information security manager balance the potentially conflicting requirements of an international organization’s security standards and local regulation?
Give organization standards preference over local regulations
Follow local regulations only
Make the organization aware of those standards where local regulations cause conflicts
Negotiate a local version of the organization standards
Negotiate a local version of the organization standards
Who should drive the risk analysis for an organization?
Senior management
Security manager
Quality manager
Legal department
Security manager
The FIRST step in developing an information security management program is to:
identify business risks that affect the organization.
clarify organizational purpose for creating the program.
assign responsibility for the program.
assess adequacy of controls to mitigate business risks.
clarify organizational purpose for creating the program.
Which of the following is the MOST important to keep in mind when assessing the value of information?
The potential financial loss
The cost of recreating the information
The cost of insurance coverage
Regulatory requirement
The potential financial loss
What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?
Risk assessment report
Technical evaluation report
Business case
Budgetary requirements
Business case
To justify its ongoing security budget, which of the following would be of MOST use to the information security department?
Security breach frequency
Annualized loss expectancy (ALE)
Cost-benefit analysis
Peer group comparison
Cost-benefit analysis
Which of the following situations would MOST inhibit the effective implementation of security governance?
The complexity of technology
Budgetary constraints
Conflicting business priorities
High-level sponsorship
High-level sponsorship
To achieve effective strategic alignment of security initiatives, it is important that:
Steering committee leadership be selected by rotation.
Inputs be obtained and consensus achieved between the major organizational units.
The business strategy be updated periodically.
Procedures and standards be approved by all departmental heads.
Inputs be obtained and consensus achieved between the major organizational units.
What would be the MOST significant security risks when using wireless local area network (LAN) technology?
Man-in-the-middle attack
Spoofing of data packets
Rogue access point
Session hijacking
Rogue access point
When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?
Business management
Operations manager
Information security manager
System users
Information security manager
In implementing information security governance, the information security manager is PRIMARILY responsible for:
developing the security strategy.
reviewing the security strategy.
communicating the security strategy.
approving the security strategy.
developing the security strategy.
An information security strategy document that includes specific links to an organization’s business activities is PRIMARILY an indicator of:
performance measurement.
integration.
alignment.
value delivery.
alignment.
When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?
Compliance with international security standards.
Use of a two-factor authentication system.
Existence of an alternate hot site in case of business disruption.
Compliance with the organization’s information security requirements.
Compliance with the organization’s information security requirements
To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:
review the functionalities and implementation requirements of the solution.
review comparison reports of tool implementation in peer companies.
provide examples of situations where such a tool would be useful.
substantiate the investment in meeting organizational needs.
substantiate the investment in meeting organizational needs.
The MOST useful way to describe the objectives in the information security strategy is through:
attributes and characteristics of the “desired state.”
overall control objectives of the security program.
mapping the IT systems to key business processes.
calculation of annual loss expectations.
attributes and characteristics of the “desired state.”
In order to highlight to management the importance of network security, the security manager should FIRST:
develop a security architecture.
install a network intrusion detection system (NIDS) and prepare a list of attacks.
develop a network security policy.
conduct a risk assessment.
conduct a risk assessment.
When developing an information security program, what is the MOST useful source of information for determining available resources?
Proficiency test
Job descriptions
Organization chart
Skills inventory
Skills inventory
The MOST important characteristic of good security policies is that they:
state expectations of IT management.
state only one general security mandate.
are aligned with organizational goals.
govern the creation of procedures and guidelines.
are aligned with organizational goals.
An information security manager must understand the relationship between information security and business operations in order to:
support organizational objectives.
determine likely areas of noncompliance.
assess the possible impacts of compromise.
understand the threats to the business.
support organizational objectives.
The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:
escalate issues to an external third party for resolution.
ensure that senior management provides authority for security to address the issues.
insist that managers or units not in agreement with the security solution accept the risk.
refer the issues to senior management along with any security recommendations.
refer the issues to senior management along with any security recommendations.
Obtaining senior management support for establishing a warm site can BEST be accomplished by:
establishing a periodic risk assessment.
promoting regulatory requirements.
developing a business case.
developing effective metrics.
developing a business case.
Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?
Include security responsibilities in the job description
Require the administrator to obtain security certification
Train the system administrator on penetration testing and vulnerability assessment
Train the system administrator on risk assessment
Include security responsibilities in the job description
Which of the following is the MOST important element of an information security strategy?
Defined objectives
Time frames for delivery
Adoption of a control framework
Complete policies
Defined objectives
A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the information security program?
Representation by regional business leaders
Composition of the board
Cultures of the different countries
IT security skills
Cultures of the different countries
Which of the following is the BEST justification to convince management to invest in an information security program?
Cost reduction
Compliance with company policies
Protection of business assets
Increased business value
Increased business value
On a company’s e-commerce web site, a good legal statement regarding data privacy should include:
a statement regarding what the company will do with the information it collects.
a disclaimer regarding the accuracy of information on its web site.
technical information regarding how information is protected.
a statement regarding where the information is being hosted.
a statement regarding what the company will do with the information it collects.
The MOST important factor in ensuring the success of an information security program is effective:
communication of information security requirements to all users in the organization.
formulation of policies and procedures for information security.
alignment with organizational goals and objectives.
monitoring compliance with information security policies and procedures.
alignment with organizational goals and objectives.
Which of the following would be MOST helpful to achieve alignment between information security and organization objectives?
Key control monitoring
A robust security awareness program
A security program that enables business activities
An effective security architecture
A security program that enables business activities
Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?
Continuous analysis, monitoring and feedback
Continuous monitoring of the return on security investment (ROI)
Continuous risk reduction
Key risk indicator (KRI) setup to security management processes
Continuous analysis, monitoring and feedback
The MOST complete business case for security solutions is one that:
includes appropriate justification.
explains the current risk profile.
details regulatory requirements.
identifies incidents and losses.
includes appropriate justification.
Which of the following is MOST important to understand when developing a meaningful information security strategy?
Regulatory environment
International security standards
Organizational risks
Organizational goals
Organizational goals
Which of the following is an advantage of a centralized information security organizational structure?
It is easier to promote security awareness.
It is easier to manage and control.
It is more responsive to business unit needs.
It provides a faster turnaround for security requests.
It is easier to manage and control.
Which of the following would help to change an organization’s security culture?
Develop procedures to enforce the information security policy
Obtain strong management support
Implement strict technical security controls
Periodically audit compliance with the information security policy
Obtain strong management support
The BEST way to justify the implementation of a single sign-on (SSO) product is to use:
return on investment (ROI).
a vulnerability assessment.
annual loss expectancy (ALE).
a business case.
a business case.
The FIRST step in establishing a security governance program is to:
conduct a risk assessment.
conduct a workshop for all end users.
prepare a security budget.
obtain high-level sponsorship.
obtain high-level sponsorship.
An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:
conflicting security controls with organizational needs.
strong protection of information resources.
implementing appropriate controls to reduce risk.
proving information security’s protective abilities.
conflicting security controls with organizational needs.
An organization’s information security strategy should be based on:
- managing risk relative to business objectives.
- managing risk to a zero level and minimizing insurance premiums.
- avoiding occurrence of risks so that insurance is not required.
- transferring most risks to insurers and saving on control costs.
managing risk relative to business objectives.
Which of the following should be included in an annual information security budget that is submitted for management approval?
A cost-benefit analysis of budgeted resources
All of the resources that are recommended by the business
Total cost of ownership (TCO)
Baseline comparisons
A cost-benefit analysis of budgeted resources
Which of the following is a benefit of information security governance?
Reduction of the potential for civil or legal liability
Questioning trust in vendor relationships
Increasing the risk of decisions based on incomplete management information
Direct involvement of senior management in developing control processes
Reduction of the potential for civil or legal liability
Investment in security technology and processes should be based on:
- clear alignment with the goals and objectives of the organization.
- success cases that have been experienced in previous projects.
- best business practices.
- safeguards that are inherent in existing technology.
clear alignment with the goals and objectives of the organization.
The data access requirements for an application should be determined by the:
legal department.
compliance officer.
information security manager.
business owner.
business owner.
From an information security perspective, information that no longer supports the main purpose of the business should be:
analyzed under the retention policy.
protected under the information classification policy.
analyzed under the backup policy.
protected under the business impact analysis (BIA).
analyzed under the retention policy.
The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?
Laws and regulations of the country of origin may not be enforceable in the foreign country.
A security breach notification might get delayed due to the time difference.
Additional network intrusion detection sensors should be installed, resulting in an additional cost.
The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.
Laws and regulations of the country of origin may not be enforceable in the foreign country.
Effective IT governance is BEST ensured by:
- utilizing a bottom-up approach.
- management by the IT department.
- referring the matter to the organization’s legal department.
- utilizing a top-down approach.
utilizing a top-down approach.
The FIRST step to create an internal culture that focuses on information security is to:
implement stronger controls.
conduct periodic awareness training.
actively monitor operations.
gain the endorsement of executive management.
gain the endorsement of executive management.
Which of the following is the BEST method or technique to ensure the effective implementation of an information security program?
Obtain the support of the board of directors.
Improve the content of the information security awareness program.
Improve the employees’ knowledge of security policies.
Implement logical access controls to the information systems.
Obtain the support of the board of directors.
When an organization is implementing an information security governance program, its board of directors should be responsible for:
drafting information security policies.
reviewing training and awareness programs.
setting the strategic direction of the program.
auditing for compliance.
setting the strategic direction of the program.
A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager?
Acceptance of the business manager’s decision on the risk to the corporation
Acceptance of the information security manager’s decision on the risk to the corporation
Review of the assessment with executive management for final input
A new risk assessment and BIA are needed to resolve the disagreement
Review of the assessment with executive management for final input
Who is responsible for ensuring that information is categorized and that specific protective measures are taken?
The security officer
Senior management
The end user
The custodian
Senior management
An organization’s board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next?
Direct information security on what they need to do
Research solutions to determine the proper solutions
Require management to report on compliance
Nothing; information security does not report to the board
Require management to report on compliance
Information security should be:
focused on eliminating all risks.
a balance between technical and business requirements.
driven by regulatory requirements.
defined by the board of directors.
a balance between technical and business requirements.
What is the MOST important factor in the successful implementation of an enterprise-wide information security program?
Realistic budget estimates
Security awareness
Support of senior management
Recalculation of the work factor
Support of senior management
What is the MAIN risk when there is no user management representation on the Information Security Steering Committee?
Functional requirements are not adequately considered.
User training programs may be inadequate.
Budgets allocated to business units are not appropriate.
Information security plans are not aligned with business requirements.
Information security plans are not aligned with business requirements.
The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:
- the plan aligns with the organization’s business plan.
- departmental budgets are allocated appropriately to pay for the plan.
- regulatory oversight requirements are met.
- the impact of the plan on the business units is reduced.
the plan aligns with the organization’s business plan.
Which of the following should be determined while defining risk management strategies?
Risk assessment criteria
Organizational objectives and risk appetite
IT architecture complexity
Enterprise disaster recovery plans
Organizational objectives and risk appetite
When implementing effective security governance within the requirements of the company’s security strategy, which of the following is the MOST important factor to consider?
Preserving the confidentiality of sensitive data
Establishing international security standards for data sharing
Adhering to corporate privacy standards
Establishing system manager responsibility for information security
Preserving the confidentiality of sensitive data
Which of the following is the BEST reason to perform a business impact analysis (BIA)?
To help determine the current state of risk
To budget appropriately for needed controls
To satisfy regulatory requirements
To analyze the effect on the business
To help determine the current state of risk