Deck 3 Flashcards
An information security manager learns of a new standard related to an emerging technology the organization wants to implement. Which of the following should the information security manager recommend be done first?
A. Perform a risk assessment of the new technology
B. Obtain legal counsel's opinion on the standard's applicability to regulations
C. Determine whether the organization can benefit from adopting the new standard
D. Review industry specialists' analyses of the new standard
A
Which of the following should an information security manager do first when a legacy application is not compliant with a regulatory requirement, but the business unit does not have the budget for remediation?
A. Develop a business case for funding remediation efforts
B. Advise senior management to accept the risk of noncompliance
C. Notify legal and internal audit of the noncompliant legacy application
D. Assess the consequences of noncompliance against the cost of remediation
D
An information security manager has been tasked with developing materials to update the board, regulatory agencies, and the media about a security incident. Which of the following should the information security manager do first?
A. Invoke the organization’s incident response plan
B. Set up communication channels for the target audience
C. Create a comprehensive singular communication
D. Determine the needs and requirements of each audience
D
Which of the following is the most important reason for an organization to develop an information security governance program?
A. Establishment of accountability
B. Compliance with audit requirements
C. Creation of tactical solutions
D. Monitoring of security incidents
A
When establishing metrics for an information security program, the BEST approach is to identify indicators that:
A. Support major information security initiatives
B. Reflect the corporate risk culture
C. Reduce information security program spending
D. Demonstrate the effectiveness of the security program
D
Which of the following provides the MOST comprehensive information related to an organization's current risk profile?
A. Gap analysis results
B. Risk register
C. Heat map
D. Risk assessment results
D
Which type of recovery site is MOST reliable and can support stringent recovery requirements?
A. Cold site
B. Warm site
C. Mobile site
D. Hot site
D
Which of the following is the PRIMARY reason that an information security manager should restrict the use of generic administrator accounts in a multi-user environment?
A. To prevent accountability issues
B. To ensure segregation of duties is maintained
C. To ensure system audit trails are not bypassed
D. To prevent unauthorized user access
A
Which of the following backup methods requires the MOST time to restore data for an application?
A. Disk mirroring
B. Differential
C. Incremental
D. Full backup
C
Which of the following is MOST important to do after a security incident has been verified?
A. Notify the appropriate law enforcement authorities of the incident
B. Follow the escalation process to inform key stakeholders
C. Prevent the incident from creating further damage to the organization
D. Contact forensic investigators to determine the root cause
B
Which of the following is MOST important to review following a security incident?
A. Incident response procedures
B. Response tools and techniques
C. Incident response plan
D. Lessons learned
D
An organization has experienced multiple instances of privileged users misusing their access. Which of the following processes would be MOST helpful in identifying such violations?
A. Policy exception review
B. Review of access controls
C. Security assessment
D. Log review
D
An IT department plans to migrate to the public cloud. Which of the following is the information security manager’s MOST important action in support of this initiative?
A. Review cloud provider independent assessment reports
B. Provide cloud security requirements
C. Evaluate service level agreements (SLAs)
D. Calculate security implementation costs
A
Which of the following is the MOST important reason to implement information security governance?
A. To align the security strategy with the organization’s strategy
B. To monitor the performance of business goals and objectives
C. To monitor the achievement of business goals and objectives
D. To provide adequate resources to achieve business goals
A
Which of the following is the PRIMARY reason for an information security manager to present the business case for an information security initiative to senior management?
A. To aid management in the decision-making process for purchasing the solution
B. To represent stakeholders who will benefit from enhancements in information security
C. To provide management with the status of the information security program
D. To demonstrate to management the due diligence involved with selecting the solution
D
IT projects have gone over budget with too many security controls being added post-production. Which of the following would MOST help to ensure that security controls are relevant to a project?
A. Involving information security at each stage of project management
B. Creating a data classification framework and providing it to stakeholders
C. Identifying responsibilities during the project business case analysis
D. Providing stakeholders with minimum information security requirements
A
An information security manager has been asked to provide contract guidance from a security perspective for outsourcing the organization’s payroll processing. Which of the following is MOST important to address?
A. Vendor compliance with the most stringent data security regulations
B. Vendor compliance with the organization’s information security policies
C. Vendor compliance with organizational service level agreement (SLA) requirements
D. Vendor compliance with recognized industry standards
B
A cloud application used by an organization is found to have a serious vulnerability. After assessing the risk, which of the following would be the information security manager’s BEST course of action?
A. Instruct the vendor to conduct penetration testing
B. Suspend the connection to the application in the firewall
C. Initiate the organization’s incident response process
D. Report the situation to the business owner of the application
D
Which of the following is the MOST important element in the evaluation of inherent security risks?
A. Impact to the organization
B. Control effectiveness
C. Residual risk
D. Cost of countermeasures
A
Which of the following is the PRIMARY purpose of implementing information security standards?
A. To provide a basis for developing information security policies
B. To provide step-by-step instructions for performing security-related tasks
C. To provide management direction with a specific security objective
D. To establish a minimum acceptable security baseline
D
Company A, a cloud service provider, is in the process of acquiring Company B to gain new benefits by incorporating its technologies into Company A's cloud services. Which of the following should be the PRIMARY focus of Company A's information security manager?
A. The cost to align to Company A’s security policies
B. The organizational structure of Company B
C. Company B’s security policies
D. Company A’s security architecture
C
Which of the following metrics provides the BEST measurement of the effectiveness of a security awareness program?
A. Variance of program cost to allocated budget
B. The number of security breaches
C. Mean time between incident detection and remediation
D. The number of reported security incidents
C
A risk owner has accepted a large amount of risk due to the high cost of controls. Which of the following should be the information security manager's PRIMARY focus in this situation?
A. Conducting an independent review of risk responses
B. Establishing a strong ongoing risk monitoring process
C. Presenting the risk profile for approval by the risk owner
D. Updating the information security standards to include the accepted risk
D
Which of the following should be the PRIMARY driver for selecting and implementing appropriate controls to address the risk associated with weak user passwords?
A. The organization’s risk tolerance
B. The organization’s culture
C. The cost of risk mitigation controls
D. Direction from senior management
B