DOMAIN 1—INFORMATION SECURITY GOVERNANCE (24%) Flashcards

1
Q

Which of the following steps should be FIRST in developing an information security plan?

A. Perform a technical vulnerabilities assessment.
B. Analyze the current business strategy.
C. Perform a business impact analysis.
D. Assess the current levels of security awareness.

A

B. Analyze the current business strategy.

B is the correct answer.
Justification:

A. Technical vulnerabilities as a component of risk will be most relevant in the context of threats to achieving the business objectives defined in the business strategy.

B. An information security manager needs to gain an understanding of the current business strategy and direction to understand the organization’s objectives and the impact of the other answers on achieving those objectives.

C. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security plan because it focuses on availability, which is also primarily relevant in terms of the business objectives that are the basis of the strategy.

D. Without understanding the business strategy, it will not be possible to determine the current level of awareness because to be effective, awareness must include understanding the context and threats to the organization’s business objectives.

2
Q

Senior management commitment and support for information security can BEST be obtained through presentations that:

A. use illustrative examples of successful attacks.
B. explain the technical risk to the organization.
C. evaluate the organization against good security practices.
D. tie security risk to key business objectives.

A

D. tie security risk to key business objectives.

D is the correct answer.
Justification:

A. Senior management will not be as interested in examples of successful attacks if they are not tied to the impact on business environment and objectives.

B. Senior management will not be as interested in technical risk to the organization if it is not tied to the impact on business environment and objectives.

C. Industry good practices may be important to senior management to the extent they are relevant to the organization and its business objectives.

D. Senior management wants to understand the business justification for investing in security in relation to achieving key business objectives.

3
Q

The MOST appropriate role for senior management in supporting information security is the:

A. evaluation of vendors offering security products.
B. assessment of risk to the organization.
C. approval of policy statements and funding.
D. developing standards sufficient to achieve acceptable risk.

A

C. approval of policy statements and funding.

C is the correct answer.
Justification:

A. Evaluation of vendors is a day-to-day responsibility of the information security manager. In some organizations, business management may be involved in vendor evaluation, but their primary role is setting the organization’s direction, oversight and governance.

B. Assessment of risk is a day-to-day responsibility of the information security manager.

C. Policies are a statement of senior management intent and direction. Therefore, senior management must approve them in addition to providing sufficient funding to achieve the organization’s risk management objectives.

D. The development of standards that meet the policy intent is typically a function of the information security manager.

4
Q

Which of the following would be the BEST indicator of effective information security governance within an organization?

A. The steering committee approves security projects.
B. Security policy training is provided to all managers.
C. Security training is available to all employees on the intranet.
D. IT personnel are trained in testing and applying required patches.

A

A. The steering committee approves security projects.

A is the correct answer.
Justification:

A. The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program. To ensure that all stakeholders impacted by security considerations are involved, many organizations use a steering committee comprised of senior representatives of affected groups. This composition helps to achieve consensus on priorities and trade-offs and serves as an effective communication channel for ensuring the alignment of the security program with business objectives.
B. Security policy training is important at all levels of the organization and also an indicator of good governance. However, it must be guided and approved as a security project by the steering committee to ensure all parts of the organization are aware of the policies.
C. The availability of security training, while beneficial to the overall security program, does not ensure that employees are following the program and have the required level of awareness without a process to enforce awareness and compliance.
D. Even organizations with little overall governance may be effective in patching systems in a timely manner; this is not an indication of effective governance.

5
Q

Information security governance is PRIMARILY driven by:

A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.

A

D. business strategy.

D is the correct answer.
Justification:

A. Strategy is the plan to achieve the business objectives of the organization that must be supported by governance. While technology constraints must be considered in developing governance and planning the strategy, it is not the driver.
B. Regulatory requirements must be addressed by governance and may affect how the strategy develops. However, regulatory requirements are not the driver of information security governance.
C. Litigation potential is usually an aspect of liability and is also a consideration for governance and when designing the strategy, but it may be a constraint, not a driver.
D. Business strategy is the main determinant of information security governance because security must align with the business objectives set forth in the business strategy.

6
Q

What is the MOST essential attribute of an effective key risk indicator (KRI)? The KRI:

A. is accurate and reliable.
B. provides quantitative metrics.
C. indicates required action.
D. is predictive of a risk event.

A

D. is predictive of a risk event.

D is the correct answer.
Justification:

A. Key risk indicators (KRIs) usually signal developing risk but do not indicate what the actual risk is. In that context, they are neither accurate nor reliable.
B. KRIs typically do not provide quantitative metrics about risk.
C. KRIs will not indicate that any particular action is required other than to investigate further.
D. A KRI should indicate that a risk is developing or changing to show that investigation is needed to determine the nature and extent of a risk.

7
Q

Investments in information security technologies should be based on:

A. vulnerability assessments.
B. value analysis.
C. business climate.
D. audit recommendations.

A

B. value analysis.

B is the correct answer.
Justification:

A. Vulnerability assessments are useful, but they do not determine whether the cost of the technology is justified.
B. Investments in security technologies should be based on a value analysis and a sound business case.
C. Demonstrated value takes precedence over the current business climate because the climate is continually changing.
D. Basing decisions on audit recommendations alone would be reactive in nature and might not address the key business needs comprehensively.

8
Q

Determining which element of the confidentiality, integrity and availability (CIA) triad is MOST important is a necessary task when:

A. assessing overall system risk.
B. developing a controls policy.
C. determining treatment options.
D. developing a classification scheme.

A

B. developing a controls policy.

B is the correct answer.
Justification:

A. Overall risk is not affected by determining which element of the triad is of greatest importance because overall risk is constructed from all known risk, regardless of the components of the triad to which each risk applies.
B. Because preventive controls necessarily must fail in either an open or closed state (i.e., fail safe or fail secure), and failing open favors availability while failing closed favors confidentiality—each at the expense of the other—a clear prioritization of the triad components is needed to develop a controls policy.
C. Although it is feasible that establishing a control that bolsters one component of the triad may diminish another, treatment options may be determined without a clear prioritization of the triad.
D. Classification is based on the potential impact of compromise and is not a function of prioritization within the confidentiality, integrity and availability (CIA) triad.

9
Q

Which of the following is characteristic of centralized information security management?

A. More expensive to administer
B. Better adherence to policies
C. More responsive to business unit needs
D. Faster turnaround of requests

A

B. Better adherence to policies

B is the correct answer.
Justification:

A. Centralized information security management is generally less expensive to administer due to the economies of scale.
B. Centralization of information security management results in greater uniformity and better adherence to security policies.
C. With centralized information security management, information security is typically less responsive to specific business unit needs.
D. With centralized information security management, turnaround can be slower due to greater separation and more bureaucracy between the information security department and end users.

10
Q

Successful implementation of information security governance will FIRST require:

A. security awareness training.
B. updated security policies.
C. a computer incident management team.
D. a security architecture.

A

B. updated security policies.

B is the correct answer.
Justification:

A. Security awareness training will promote the security policies, procedures and appropriate use of the security mechanisms but will not precede information security governance implementation.
B. Updated security policies are required to align management business objectives with security processes and procedures. Management objectives translate into policy; policy translates into standards and procedures.
C. An incident management team will not be the first requirement for the implementation of information security governance and can exist even if formal governance is minimal.
D. Information security governance provides the basis for architecture and must be implemented before a security architecture is developed.

11
Q

Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?

A. Information security manager
B. Chief operating officer
C. Internal auditor
D. Legal counsel

A

B. Chief operating officer

B is the correct answer.
Justification:

A. Sponsoring the creation of the steering committee should be initiated by someone versed in the strategy and direction of the business. Because a security manager is looking to this group for direction, he/she is not in the best position to oversee the formation of this group.
B. The chief operating officer (COO) is highly placed within an organization and has the most knowledge of business operations and objectives. Sponsoring the creation of the steering committee should be initiated by someone versed in the strategy and direction of the business, such as the COO.
C. The internal auditor is an appropriate member of a steering group but would not oversee the formation of the committee.
D. Legal counsel is an appropriate member of a steering group but would not oversee the formation of the committee.

12
Q

Which of the following factors is the MOST significant in determining an organization’s risk appetite?

A. The nature and extent of threats
B. Organizational policies
C. The overall security strategy
D. The organizational culture

A

D. The organizational culture

D is the correct answer.
Justification:

A. Knowledge of the threat environment is constantly changing.
B. Policies are written in support of business objectives and parameters, including risk appetite.
C. Risk appetite is an input to the security strategy because the strategy is partly focused on mitigating risk to acceptable levels.
D. The extent to which the culture is risk averse or risk aggressive, along with the objective ability of the organization to recover from loss, is the main factor in risk appetite.

13
Q

Which of the following attributes would be MOST essential to developing effective metrics?

A. Easily implemented
B. Meaningful to the recipient
C. Quantifiably represented
D. Meets regulatory requirements

A

B. Meaningful to the recipient

B is the correct answer.
Justification:
A. Ease of implementation is valuable when developing metrics, but not essential. Metrics are most effective when they are meaningful to the person receiving the information.
B. Metrics will only be effective if the recipient can take appropriate action based upon the results.
C. Quantifiable representations can be useful, but qualitative measures are often just as useful.
D. Meeting legal and regulatory requirements may be important, but this is not always essential when developing metrics for meeting business goals.

14
Q

Which of the following is MOST appropriate for inclusion in an information security strategy?

A. Business controls designated as key controls
B. Security processes, methods, tools and techniques
C. Firewall rule sets, network defaults and intrusion detection system settings
D. Budget estimates to acquire specific security tools

A

B. Security processes, methods, tools and techniques

B is the correct answer.
Justification:

A. Key business controls are only one part of a security strategy and must be related to business objectives.
B. A set of security objectives supported by processes, methods, tools and techniques together are the elements that constitute a security strategy.
C. Firewall rule sets, network defaults and intrusion detection system settings are technical details subject to periodic change and are not appropriate content for a strategy document.
D. Budgets will generally not be included in an information security strategy. Additionally, until the information security strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available.

15
Q

An information security manager can BEST attain senior management commitment and support by emphasizing:

A. organizational risk.
B. performance metrics.
C. security needs.
D. the responsibilities of organizational units.

A

A. organizational risk.

A is the correct answer.
Justification:
A. Information security exists to address risk to the organization that may impede achieving its objectives. Organizational risk will be the most persuasive argument for management commitment and support.
B. Establishing metrics to measure security status will be viewed favorably by senior management after the overall organizational risk is identified.
C. The information security manager should identify information security needs based on organizational needs. Organizational or business risk should always take precedence.
D. Identifying organizational responsibilities will be most effective if related directly to addressing organizational risk.

16
Q

Which of the following roles would represent a conflict of interest for an information security manager?

A. Evaluation of third parties requesting connectivity
B. Assessment of the adequacy of disaster recovery plans
C. Final approval of information security policies
D. Monitoring adherence to physical security controls

A

C. Final approval of information security policies

C is the correct answer.
Justification:
A. Evaluation of third parties requesting connectivity is an acceptable practice and does not present any conflict of interest.
B. Assessment of disaster recovery plans is an acceptable practice and does not present any conflict of interest.
C. Because senior management is ultimately responsible for information security, it should approve information security policy statements; the information security manager should not have final approval.
D. Monitoring of adherence to physical security controls is an acceptable practice and does not present any conflicts of interest.

17
Q

Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?

A. The information security department has difficulty filling vacancies.
B. The chief operating officer approves security policy changes.
C. The information security oversight committee only meets quarterly.
D. The data center manager has final sign-off on all security projects.

A

D. The data center manager has final sign-off on all security projects.

D is the correct answer.
Justification:
A. Difficulty in filling vacancies is not uncommon due to the shortage of qualified information security professionals.
B. It is important to have senior management, such as the chief operating officer, approve security policies to ensure they meet management intent and direction.
C. It is not inappropriate for an oversight or steering committee to meet quarterly.
D. A steering committee should be in place to approve all security projects. The fact that the data center manager has final sign-off for all security projects indicates that a steering committee is not being used and that information security is relegated to a subordinate place in the organization. This would indicate a failure of information security governance.

18
Q

Which of the following requirements would have the LOWEST level of priority in information security?

A. Technical
B. Regulatory
C. Privacy
D. Business

A

A. Technical

A is the correct answer.
Justification:
A. Information security priorities may, at times, override technical specifications, which then must be rewritten to conform to minimum security standards.
B. Regulatory requirements are government-mandated and, therefore, not subject to override.
C. Privacy requirements are usually government-mandated and, therefore, not subject to override.
D. The needs of the business should always take precedence in deciding information security priorities.

19
Q

Which of the following is MOST likely to be discretionary?

A. Policies
B. Procedures
C. Guidelines
D. Standards

A

C. Guidelines

C is the correct answer.
Justification:

A. Policies define management’s security goals and expectations for an organization. These are defined in more specific terms within standards and procedures.
B. Procedures describe how work is to be done.
C. Guidelines provide recommendations that business management must consider in developing practices within their areas of control; as such, they are discretionary.
D. Standards establish the allowable operational boundaries for people, processes and technology.

20
Q

Security technologies should be selected PRIMARILY on the basis of their:

A. ability to mitigate business risk.
B. evaluations in trade publications.
C. use of new and emerging technologies.
D. benefits in comparison to their costs.

A

D. benefits in comparison to their costs.

D is the correct answer.
Justification:

A. The most fundamental evaluation criterion for the appropriate selection of any security technology is its ability to reduce or eliminate business risk but only if the cost is acceptable.
B. The technology’s ability to cost-effectively mitigate risk for a particular organization takes precedence over how it is evaluated in trade publications.
C. While new or emerging technologies may offer potential benefits, the lack of being time tested reduces their acceptability in critical areas and by itself will not be the primary selection basis.
D. Investments in security technologies should be based on their overall value in relation to their cost; the value can be demonstrated in terms of risk mitigation.

21
Q

Which of the following are seldom changed in response to technological changes?

A. Standards
B. Procedures
C. Policies
D. Guidelines

A

C. Policies

C is the correct answer.
Justification:
A. Security standards must be revised and updated based on the impact of technology changes.
B. Procedures must be revised and updated based on the impact of technology or standards changes.
C. Policies are high-level statements of management intent and direction, which is not likely to be affected by technology changes.
D. Guidelines must be revised and updated based on the impact of technology changes.

22
Q

When creating an effective data-protection strategy, the information security manager must understand the flow of data and its protection at various stages. This is BEST achieved with:

A. a third-party vulnerability assessment.
B. a tailored methodology based on exposure.
C. an insurance policy for accidental data losses.
D. a tokenization system set up in a secure network environment.

A

B. a tailored methodology based on exposure.

B is the correct answer.
Justification:
A. Vulnerability assessments, third-party or otherwise, do not take into account threat and other factors that influence risk treatment.
B. Organizations classify data according to their value and exposure. The organization can then develop a sensible plan to invest budget and effort where they matter most.
C. An insurance policy is a risk treatment option for the transfer/sharing of risk. Whether it is an appropriate action requires a cost-benefit analysis and a more complete understanding of the risk involved.
D. Tokenization is a technique used to protect data, but whether it is appropriate cannot be known without an understanding of the various exposures to which the data are subject.

23
Q

Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?

A. More uniformity in quality of service
B. Better adherence to policies
C. Better alignment to business unit needs
D. More savings in total operating costs

A

C. Better alignment to business unit needs

C is the correct answer.
Justification:
A. Uniformity in quality of service tends to vary from unit to unit.
B. Adherence to policies is likely to vary considerably between various business units.
C. Decentralization of information security management generally results in better alignment to business unit needs because security management is closer to the end user.
D. Decentralization of information security management is generally more expensive to administer due to the lack of economies of scale.

24
Q

Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?

A. Chief security officer
B. Chief operating officer
C. Chief privacy officer
D. Chief legal counsel

A

B. Chief operating officer

B is the correct answer.
Justification:

A. Although the chief security officer knows what is needed, the sponsor for this task should be someone with far-reaching influence across the organization.
B. The chief operating officer is most knowledgeable of business operations and objectives.
C. The chief privacy officer may not have the knowledge of the day-to-day business operations and overall security requirements to ensure proper guidance.
D. The chief legal counsel will typically have a narrow legal focus on contracts and stock and other regulatory requirements and have little knowledge of overall organizational security requirements.

25
Q

The MOST important element(s) to consider when developing a business case for a project is the:

A. feasibility and value proposition.
B. resource and time requirements.
C. financial analysis of benefits.
D. alignment with organizational objectives.

A

A. feasibility and value proposition.

A is the correct answer.
Justification:
A. Feasibility and whether the value proposition makes sense will be major considerations of whether a project will proceed.
B. Resources and time needed are important but will be a component of the value proposition in terms of costs.
C. Financial analysis of benefits is a component of the value proposition, but there would typically be other benefits that should be proposed.
D. The value proposition would, as a matter of course, have to include alignment with the organization’s objectives.

26
Q

Acceptable levels of information security risk should be determined by:

A. legal counsel.
B. security management.
C. external auditors.
D. the steering committee.

A

D. the steering committee.

D is the correct answer.
Justification:
A. Legal counsel is not in a position to determine what levels of business risk the organization is willing to assume.
B. An acceptable level of risk in an organization is a business decision, not a security decision.
C. External auditors can point out areas of risk but are not in a position to determine what levels of risk the organization is willing to assume.
D. Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume.

27
Q

The PRIMARY goal of developing an information security strategy is to:

A. establish security metrics and performance monitoring.
B. educate business process owners regarding their duties.
C. ensure that legal and regulatory requirements are met.
D. support the business objectives of the organization.

A

D. support the business objectives of the organization.

D is the correct answer.
Justification:

A. Establishing metrics and performance monitoring is very important to the extent they indicate the achievement of business objectives, but this is only one aspect of the primary requirement to support business objectives.
B. Educating business process owners is subordinate to supporting the business objectives and is only incidental to developing an information security strategy.
C. Meeting legal and regulatory requirements is just one of the objectives of the strategy needed to support business objectives.
D. The purpose of information security in an organization is to assist the organization in achieving its objectives, and it is the primary goal of an information security strategy.

28
Q

Senior management commitment and support for information security can BEST be enhanced through:

A. a formal security policy sponsored by the chief executive officer.
B. regular security awareness training for employees.
C. periodic review of alignment with business management goals.
D. senior management sign-off on the information security strategy.

A

C. periodic review of alignment with business management goals.

C is the correct answer.
Justification:

A. Although having the chief executive officer sign-off on the security policy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior management.
B. Security awareness training for employees will not have as much effect on senior management commitment as alignment with business goals.
C. Ensuring that security activities continue to be aligned and support business goals is critical to obtaining management support.
D. Although having senior management sign-off on the security strategy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior management.

29
Q

Which of the following activities MOST commonly falls within the scope of an information security governance steering committee?

A. Interviewing candidates for information security specialist positions
B. Developing content for security awareness programs
C. Prioritizing information security initiatives
D. Approving access to critical financial systems

A

C. Prioritizing information security initiatives

C is the correct answer.
Justification:

A. Interviewing specialists should be performed by the information security manager.
B. Development of program content should be performed by the information security staff.
C. Prioritizing information security initiatives falls within the scope of an information security governance committee.
D. Approving access to critical financial systems is the responsibility of individual system data owners.

30
Q

Which of the following is the MOST important factor when designing information security architecture?

A. Technical platform interfaces
B. Scalability of the network
C. Development methodologies
D. Stakeholder requirements

A

D. Stakeholder requirements

D is the correct answer.
Justification:

A. Interoperability is important but without merit if a technologically elegant solution is achieved that does not meet the needs of the business.
B. Scalability is important but only to the extent the architecture meets stakeholder requirements.
C. There are a number of viable developmental methodologies, and the choice of which is used is not particularly important as long as it meets the needs of the organization.
D. The most important factor for information security is that it advances the interests of the business, as defined by stakeholder requirements.

31
Q

An information security manager receives a report showing an increase in the number of security events. The MOST likely explanation is:

A. exploitation of a vulnerability in the information system.
B. threat actors targeting the organization in greater numbers.
C. failure of a previously deployed detective control.
D. approval of a new exception for noncompliance by management.

A

A. exploitation of a vulnerability in the information system.

A is the correct answer.
Justification:

A. Exploitation of a vulnerability is likely to generate security events.
B. Absent a change in vulnerability, an increase in the number of threat actors targeting the organization would not explain an increase in security events.
C. An increase in the number of security events that appear on reports suggests that detective controls are likely working properly.
D. Exceptions approved by management may result in a higher number of security events on reports if notice of the exceptions is not provided to information security to allow updates to monitoring. However, exceptions are typically communicated to the information security manager, so this is an unlikely explanation for the increase.

32
Q

Which of the following is the MOST appropriate task for a chief information security officer to perform?

A. Update platform-level security settings.
B. Conduct disaster recovery test exercises.
C. Approve access to critical financial systems.
D. Develop an information security strategy.

A

D. Develop an information security strategy.

D is the correct answer.
Justification:

A. Updating platform-level security settings would typically be performed by lower-level personnel because this is a basic administrative task.
B. Conducting recovery test exercises would typically be performed by operational personnel.
C. Approving access would be the job of the data owner.
D. Developing a strategy for information security would be the most appropriate task for the chief information security officer.

33
Q

When an information security manager is developing a strategic plan for information security, the time line for the plan should be:

A. aligned with the IT strategic plan.
B. based on the current rate of technological change.
C. three to five years for both hardware and software.
D. aligned with the business strategy.

A

D. aligned with the business strategy.

D is the correct answer.
Justification:
A. Any planning for information security should be properly aligned with the needs of the business, not necessarily the IT strategic plan.
B. Technology needs should not come before the needs of the business.
C. Planning should not be done on an artificial timetable that ignores business needs.
D. Any planning for information security should be properly aligned with the needs of the business.

34
Q

Which of the following is the MOST important information to include in a strategic plan for information security?

A. Information security staffing requirements
B. Current state and desired future state
C. IT capital investment requirements
D. Information security mission statement

A

B. Current state and desired future state

B is the correct answer.
Justification:
A. Staffing requirements stem from the implementation time lines and requirements of the strategic plan.
B. It is most important to present a vision for the future and then create a road map from the current state to the desired future state based on a gap analysis of the requirements to achieve the desired or future state.
C. IT capital investment requirements are generally not determined at the strategic plan level but rather as a result of gap analysis and the options on how to achieve the objectives of the strategic plan.
D. The mission statement is typically a short, high-level aspirational statement of overall organizational objectives and only directly affects the information security strategy in a very limited way.

35
Q

Information security projects should be prioritized on the basis of:

A. time required for implementation.
B. impact on the organization.
C. total cost for implementation.
D. mix of resources required.

A

B. impact on the organization.

B is the correct answer.
Justification:
A. Time required for implementation is potentially one impact on the organization but is subordinate to the overall impact of the project on the organization.
B. Information security projects should be assessed on the basis of the positive impact that they will have on the organization.
C. Total cost for implementation is just one aspect of the impact of the project on the organization.
D. A mix of resources required is not particularly relevant to prioritizing security projects.

36
Q

Which of the following would BEST prepare an information security manager for regulatory reviews?

A. Assign an information security administrator as regulatory liaison.
B. Perform self-assessments using regulatory guidelines and reports.
C. Assess previous regulatory reports with process owners' input.
D. Ensure all regulatory inquiries are sanctioned by the legal department.

A

B. Perform self-assessments using regulatory guidelines and reports.

B is the correct answer.
Justification:
A. Directing regulators to a specific person or department is not as effective as performing self-assessments.
B. Self-assessments provide the best feedback on readiness and permit identification of items requiring remediation.
C. Assessing previous regulatory reports is not as effective as performing self-assessments because conditions may have changed.
D. The legal department should review all formal inquiries, but this does not help prepare for a regulatory review.

37
Q

From an information security manager's perspective, what is an immediate benefit of clearly defined roles and responsibilities?

A. Enhanced policy compliance
B. Improved procedure flows
C. Segregation of duties
D. Better accountability

A

D. Better accountability

D is the correct answer.
Justification:
A. Defining roles and responsibilities does not by itself improve policy compliance without proper monitoring and enforcement of accountability.
B. Procedure flows are not necessarily affected by defining roles and responsibilities.
C. Segregation of duties is more likely to occur as a result of policy compliance enforcement than simply defining roles and responsibilities, although that is a necessary first step.
D. Defining roles and responsibilities makes it clear who is accountable for performance and outcomes.

38
Q

Which of the following roles is responsible for legal and regulatory liability?

A. Chief security officer
B. Chief legal counsel
C. Board of directors and senior management
D. Information security steering group

A

C. Board of directors and senior management

C is the correct answer.
Justification:
A. The chief security officer is not individually liable for failures of security in the organization.
B. The chief legal counsel is not individually liable for failures of security in the organization.
C. The board of directors and senior management are ultimately responsible for ensuring regulations are appropriately addressed.
D. The information security steering group is not individually liable for failures of security in the organization.

39
Q

While implementing information security governance, an organization should FIRST:

A. adopt security standards.
B. determine security baselines.
C. define the security strategy.
D. establish security policies.

A

C. define the security strategy.

C is the correct answer.
Justification:
A. Adopting suitable security standards that implement the intent of the policies follows the development of policies that support the strategy.
B. Security baselines are established as a result of determining acceptable risk, which should be defined as a requirement prior to strategy development.
C. Security governance must be developed to meet and support the objectives of the information security strategy.
D. Policies are a primary instrument of governance and must be developed or modified to support the strategy.

40
Q

The MOST basic requirement for an information security governance program is to:

A. be aligned with the corporate business strategy.
B. be based on a sound risk management approach.
C. provide adequate regulatory compliance.
D. provide good practices for security initiatives.

A

A. be aligned with the corporate business strategy.

A is the correct answer.
Justification:
A. To be effective and receive senior management support, an information security program must be aligned with the corporate business strategy.
B. An otherwise sound risk management approach may be of little benefit to an organization unless it specifically addresses and is consistent with the organization’s business strategy.
C. The governance program must address regulatory requirements that affect that particular organization to an extent determined by management, but this is not the most basic requirement.
D. Good practices are generally a substitute for specific knowledge of the organization’s requirements and may be excessive for some and inadequate for others.

41
Q

Information security policy enforcement is the responsibility of the:

A. security steering committee.
B. chief information officer.
C. chief information security officer.
D. chief compliance officer.

A

C. chief information security officer.

C is the correct answer.
Justification:
A. The security steering committee should ensure that a security policy is in line with corporate objectives but typically is not responsible for enforcement.
B. The chief information officer may to some extent be involved in the enforcement of the policy but is not directly responsible for it.
C. Information security policy enforcement is generally the responsibility of the chief information security officer.
D. The chief compliance officer is usually involved in determining the level of compliance but is usually not directly involved in the enforcement of the policy.

42
Q

An information security manager at a global organization has to ensure that the local information security program will initially be in compliance with the:

A. corporate data privacy policy.
B. data privacy policy where data are collected.
C. data privacy policy of the headquarters’ country.
D. data privacy directive applicable globally.

A

B. data privacy policy where data are collected.

B is the correct answer.
Justification:
A. The corporate data privacy policy, being internal, cannot supersede the local law.
B. As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for compliance.
C. In case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. The data privacy laws are country-specific.
D. With local regulations differing from the country in which the organization is headquartered, it is improbable that a groupwide policy will address all the local legal requirements. The data privacy laws are country-specific.

43
Q

Segregation of duties (SoD) has been designed and introduced into an accounts payable system. Which of the following should be in place to BEST maintain the effectiveness of SoD?

A. A strong password rule is assigned to disbursement staff.
B. Security awareness is publicized by the compliance department.
C. An operational role matrix is aligned with the organizational chart.
D. Access privilege is reviewed when an operator’s role changes.

A

D. Access privilege is reviewed when an operator’s role changes.

D is the correct answer.
Justification:
A. Password strength is important for each staff member, but complexity of passwords does not ensure segregation of duties (SoD).
B. Effective SoD is not based on self-governance, so security awareness is inadequate.
C. It is not uncommon for staff to have ancillary roles beyond what is shown on the organizational chart, so aligning a role matrix with the organizational chart is not sufficiently granular to maintain the effectiveness of SoD.
D. In order to maintain the effectiveness of SoD established in an application system, user access privilege must be reviewed whenever an operator’s role changes. If this effort is neglected, there is a risk that a single staff member could acquire excessive operational capabilities. For instance, if a cash disbursement staff member accidentally acquires a trade input role, this person is technically able to accomplish an illegal payment operation.

44
Q

Information security frameworks can be MOST useful for the information security manager because they:

A. provide detailed processes and methods.
B. are designed to achieve specific outcomes.
C. provide structure and guidance.
D. provide policy and procedure.

A

C. provide structure and guidance.

C is the correct answer.
Justification:
A. Frameworks are general structures rather than detailed processes and methods.
B. Frameworks do not specify particular outcomes but may provide the structure to assess outcomes against requirements.
C. Frameworks are like a skeleton; they provide the outlines and basic structure but not the specifics of process and outcomes.
D. Frameworks do not specify policies and procedures. Their creation is left to the implementer.

45
Q

Business goals define the strategic direction of the organization. Functional goals define the tactical direction of a business function. Security goals define the security direction of the organization. What is the MOST important relationship between these concepts?

A. Functional goals should be derived from security goals.
B. Business goals should be derived from security goals.
C. Security goals should be derived from business goals.
D. Security and business goals should be defined independently from each other.

A

C. Security goals should be derived from business goals.

C is the correct answer.
Justification:
A. Functional goals and security goals need to be aligned at the operational level, but neither is derived from the other.
B. Security is not an end in itself, but it should serve the overall business goals.
C. Security goals should be developed based on the overall business strategy. The business strategy is the most important steering mechanism for directing the business and is defined by the highest management level.
D. If security goals are defined independently from business goals, the security function would not support the overall business strategy or it might even hinder the achievement of overall business objectives.

46
Q

A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following items would be of MOST value?

A. Examples of genuine incidents at similar organizations
B. Statement of generally accepted good practices
C. Associating realistic threats to corporate objectives
D. Analysis of current technological exposures

A

C. Associating realistic threats to corporate objectives

C is the correct answer.
Justification:
A. While examples of incidents to other organizations may help obtain senior management buy-in, it should be based on realistic threats to the organization’s corporate objectives.
B. Good practices are rarely useful, although they may enhance senior management buy-in. However, this is not as substantial as realistic threats to the organization’s corporate objectives.
C. Linking realistic threats to key business objectives will direct executive attention to them.
D. Analysis of current technological exposures may enhance senior management buy-in but is not as substantial as realistic threats to the organization’s corporate objectives.

47
Q

The PRIMARY concern of an information security manager documenting a formal data retention policy is:

A. generally accepted industry good practices.
B. business requirements.
C. legislative and regulatory requirements.
D. storage availability.

A

B. business requirements.

B is the correct answer.
Justification:
A. Good practices are rarely the most effective answer for a particular organization. They may be a useful guide but not a primary concern.
B. The primary concern will be business requirements that may include the regulatory issues management has decided to address.
C. Legislative and regulatory requirements are only relevant if compliance is a business need.
D. Storage is irrelevant because whatever is needed must be provided.

48
Q

Who in an organization has the responsibility for classifying information?

A. Data custodian
B. Database administrator
C. Information security officer
D. Data owner

A

D. Data owner

D is the correct answer.
Justification:
A. The data custodian is responsible for securing the information in alignment with the data classification.
B. The database administrator carries out the technical administration of the database and handling requirements that apply to data in storage and transit in accordance with the protection standards for each classification.
C. The information security officer oversees the overall data classification and handling process to ensure conformance to policy and standards.
D. The data owner has responsibility for data classification consistent with the organization’s classification criteria.

49
Q

What is the PRIMARY role of the information security manager related to the data classification and handling process within an organization?

A. Defining and ratifying the organization’s data classification structure
B. Assigning the classification levels to the information assets
C. Securing information assets in accordance with their data classification
D. Confirming that information assets have been properly classified

A

A. Defining and ratifying the organization’s data classification structure

A is the correct answer.
Justification:
A. Defining and ratifying the data classification structure consistent with the organization’s risk appetite and the business value of information assets is the primary role of the information security manager related to the data classification and handling process within the organization.
B. The final responsibility for assigning the classification levels to information assets rests with the data owners.
C. The job of securing information assets is the responsibility of the data custodians.
D. Confirming proper classification of information assets may be a role of an information security manager performing security reviews or of IS auditors based on the organization’s classification criteria.

50
Q

Which of the following is MOST important in developing a security strategy?

A. Creating a positive security environment
B. Understanding key business objectives
C. Having a reporting line to senior management
D. Allocating sufficient resources to information security

A

B. Understanding key business objectives

B is the correct answer.
Justification:
A. A positive security environment (culture) enables successful implementation of the security strategy but is not as important as alignment with business objectives during the development of the strategy.
B. Alignment with business strategy is essential in determining the security needs of the organization; this can only be achieved if key business objectives driving the strategy are understood.
C. A reporting line to senior management may be helpful in developing a strategy but does not ensure an understanding of business objectives necessary for strategic alignment.
D. Allocation of resources is not likely to be effective if the business objectives are not well understood.

51
Q

Who is ultimately responsible for an organization’s information?

A. Data custodian
B. Chief information security officer
C. Board of directors
D. Chief information officer

A

C. Board of directors

C is the correct answer.
Justification:
A. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department.
B. The chief information security officer is responsible for security and carrying out senior management’s directives.
C. Responsibility for all organizational assets, including information, falls to the board of directors, which is tasked with responding to issues that affect the information’s protection.
D. The chief information officer is responsible for information technology within the organization but is not ultimately legally responsible for an organization’s information.

52
Q

An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?

A. Ethics
B. Proportionality
C. Integration
D. Accountability

A

B. Proportionality

B is the correct answer.
Justification:
A. Ethics have the least to do with mapping a job description to types of data access.
B. Information security controls, including access, should be proportionate to the criticality and/or sensitivity of the asset (i.e., the potential impact of compromise).
C. Principles of integration are not relevant to mapping a job description to types of data access.
D. The principle of accountability would be the second most adhered to principle because people with access to data may not always be accountable.

53
Q

Which of the following is the MOST important prerequisite for establishing information security management within an organization?

A. Senior management commitment
B. Information security framework
C. Information security organizational structure
D. Information security policy

A

A. Senior management commitment

A is the correct answer.
Justification:
A. Senior management commitment is necessary in order for each of the other elements to succeed. Without senior management commitment, the other elements will likely be ignored within the organization.
B. Without senior management commitment, an information security framework is not likely to be implemented.
C. Without senior management commitment, it is not likely that there is support for developing an information security organizational structure.
D. The development of effective policies as a statement of management intent and direction is likely to be inadequate without senior management commitment to information security.

54
Q

What will have the HIGHEST impact on standard information security governance models?

A. Number of employees
B. Distance between physical locations
C. Complexity of organizational structure
D. Organizational budget

A

C. Complexity of organizational structure

C is the correct answer.
Justification:
A. The number of employees has little or no effect on standard information security governance models.
B. The distance between physical locations has little or no effect on standard information security governance models.
C. Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, leadership, and lines of communication.
D. Organizational budget may have some impact on suitable governance models depending on the one chosen because some models will be more costly to implement.

55
Q

In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:

A. prepare a security budget.
B. conduct a risk assessment.
C. develop an information security policy.
D. obtain benchmarking information.

A

B. conduct a risk assessment.

B is the correct answer.
Justification:
A. Preparing a security budget follows risk assessment to determine areas of concern.
B. Risk assessment, analysis, evaluation and impact analysis will be the starting point for driving management’s attention to information security.
C. Developing an information security policy is based on and follows risk assessment.
D. Benchmarking information will only be relevant after a risk assessment has been performed for comparison purposes.

56
Q

How should an information security manager balance the potentially conflicting requirements of an international organization’s security standards with local regulation?

A. Give organizational standards preference over local regulations.
B. Follow local regulations only.
C. Make the organization aware of those standards where local regulations cause conflicts.
D. Negotiate a local version of the organization standards.

A

D. Negotiate a local version of the organization standards.

D is the correct answer.
Justification:
A. Organizational standards must be subordinate to local regulations.
B. It would be incorrect to follow local regulations only because there must be recognition of organizational requirements.
C. Making an organization aware of standards is a sensible step but is not a complete solution.
D. Negotiating a local version of the organization’s standards is the most effective compromise in this situation.

57
Q

The FIRST step in developing an information security management program is to:

A. identify business risk that affects the organization.
B. establish the need for creating the program.
C. assign responsibility for the program.
D. assess adequacy of existing controls.

A

B. establish the need for creating the program.

B is the correct answer.
Justification:
A. The task of identifying business risk that affects the organization is assigned and acted on after establishing the need for creating the program.
B. In developing an information security management program, the first step is to establish the need for creating the program. This is a business decision based more on judgment than on any specific quantitative measures. The other choices are assigned and acted on after establishing the need.
C. The task of assigning responsibility for the program is assigned and acted on after establishing the need for creating the program.
D. The task of assessing the adequacy of existing controls is assigned and acted on after establishing the need for creating the program.

58
Q

Which of the following should an information security manager PRIMARILY use when proposing the implementation of a security solution?

A. Risk assessment report
B. Technical evaluation report
C. Business case
D. Budgetary requirements

A

C. Business case

C is the correct answer.
Justification:
A. The risk assessment report provides the rationale for the business case for implementing a particular security solution.
B. The technical evaluation report provides supplemental information for the business case.
C. The information security manager needs to have knowledge of the development of business cases to illustrate the costs and benefits, or value proposition, of the various security solutions.
D. Budgetary requirements provide part of the information required in the business case.

59
Q

To justify its ongoing information security budget, which of the following would be of MOST use to the information security department?

A. Security breach frequency
B. Annual loss expectancy
C. Cost-benefit analysis
D. Peer group comparison

A

C. Cost-benefit analysis

C is the correct answer.
Justification:
A. The frequency of information security breaches may assist in justifying the budget but is not the key tool because it does not address the benefits from the budget expenditure.
B. Annual loss expectancy does not address the potential benefit of information security investment.
C. Cost-benefit analysis is the best way to justify budget.
D. Peer group comparison would provide support for the necessary information security budget, but it would not take into account the specific needs and activities of the organization.

60
Q

Which of the following situations would MOST inhibit the effective implementation of security governance?

A. The complexity of technology
B. Budgetary constraints
C. Conflicting business priorities
D. Lack of high-level sponsorship

A

D. Lack of high-level sponsorship

D is the correct answer.
Justification:
A. Complexity of technology should be factored into the governance model of the organization but is not likely to have a major effect on security governance.
B. Budget constraints will inhibit effective implementation of security governance but are likely to be a consequence of the lack of high-level sponsorship and, therefore, secondary.
C. Conflicting business priorities must be addressed by senior management in order to implement effective security governance, which will be more likely to be accomplished with high-level sponsorship.
D. The need for senior management involvement and support is a key success factor for the implementation of appropriate security governance.

61
Q

To achieve effective strategic alignment of information security initiatives, it is important that:

A. steering committee leadership rotates among members.
B. major organizational units provide input and reach a consensus.
C. the business strategy is updated periodically.
D. procedures and standards are approved by all departmental heads.

A

B. major organizational units provide input and reach a consensus.

B is the correct answer.
Justification:
A. Rotation of steering committee leadership does not help in achieving strategic alignment.
B. It is important to achieve consensus on risk and controls and obtain inputs from various organizational entities because security must be aligned with the needs of the various parts of the organization.
C. Updating business strategy does not lead to strategic alignment of security initiatives.
D. Procedures and standards do not need to be approved by ALL departmental heads.

62
Q

In implementing information security governance, the information security manager is PRIMARILY responsible for:

A. developing the security strategy.
B. reviewing the security strategy.
C. communicating the security strategy.
D. approving the security strategy.

A

A. developing the security strategy.

A is the correct answer.
Justification:
A. The information security manager is responsible for developing a security strategy based on business objectives with the help of business process owners.
B. Reviewing the security strategy is the responsibility of a steering committee or management.
C. The information security manager is not necessarily responsible for communicating the security strategy.
D. Management must approve and fund the security strategy implementation.

63
Q

The MOST useful way to describe the objectives in the information security strategy is through:

A. attributes and characteristics of the desired state.
B. overall control objectives of the security program.
C. mapping the IT systems to key business processes.
D. calculation of annual loss expectations.

A

A. attributes and characteristics of the desired state.

A is the correct answer.
Justification:
A. Security strategy will typically cover a wide variety of issues, processes, technologies and outcomes that can best be described by a set of characteristics and attributes that are desired.
B. Control objectives are a function of acceptable risk determination and one part of strategy development but at a high level, best described in terms of desired outcomes.
C. Mapping IT to business processes must occur as one part of strategy implementation but is too specific to describe general strategy objectives.
D. Calculation of annual loss expectations would not describe the objectives in the information security strategy.