Information Security Governance Flashcards
Which of the following will BEST ensure that management takes ownership of the decision-making process for information security?
A. Security policies and procedures
B. Annual self-assessment by management
C. Security steering committees
D. Security awareness campaigns
C is the correct answer.
Justification
Security policies and procedures are good but do not necessarily result in the taking of ownership by management.
Self-assessment exercises do not necessarily indicate management has taken ownership of the security decision-making process.
Security steering committees provide a forum for management to express its opinion and take ownership in the decision-making process.
Awareness campaigns are not an indication that management has taken ownership of the security decision-making process.
Which of the following is the MOST likely to change an enterprise’s culture to one that is more security conscious?
A. Adequate security policies and procedures
B. Periodic compliance reviews
C. Security steering committees
D. Security awareness campaigns
D is the correct answer.
Justification
Adequate policies and procedures will have little effect on changing security culture.
Compliance reviews can have a minor impact on an enterprise’s security culture.
Steering committees that have high-level management representation can affect the security culture.
Of these options, security awareness campaigns are likely to be the most effective at improving security consciousness.
Which of the following BEST describes the key objective of an information security program?
A. Achieve strategic business goals and objectives.
B. Establish accountability for information security risk.
C. Establish ownership of information security risk.
D. Eliminate threats to the enterprise.
A is the correct answer.
Justification
While the activities of the security program are primarily concerned with protection of the enterprise’s assets, the key objective is to support the achievement of the strategic business goals and objectives.
An information security program focuses on protecting information assets using manual and automated controls with the objective of supporting the achievement of strategic business goals.
Information security is achieved by implementing any type of control; it is achieved not just by using IT controls, but also by using manual controls.
Threats cannot be eliminated; information security controls help reduce risk to an acceptable level.
Which of the following factors is the MOST significant in determining an enterprise’s risk appetite?
A. The nature and extent of threats
B. Organizational policies
C. The overall security strategy
D. The organizational culture
D is the correct answer.
Justification
The threat environment is constantly changing and identification of risk against the enterprise does not determine its tolerable limits or appetite.
Policies are written in support of business objectives and parameters and may refer to risk appetite, but because it is not a constant value, risk appetite must be determined during the course of a risk assessment.
Risk appetite is an input to the security strategy because the strategy is partly focused on mitigating risk to acceptable levels.
The extent to which the culture is risk-averse or risk-aggressive, in the context of the objective ability of the enterprise to recover from loss, is the main factor in determining risk appetite.
A bank is implementing a new digital banking platform to enhance customer experience and streamline operations. However, employees are resistant to change due to concerns about job security and technological competence. Which of the following would BEST help the information security manager navigate this change?
A. Create a policy mandating the adoption of the new platform and enforce compliance.
B. Offer financial incentives to employees who embrace the new digital banking platform.
C. Provide comprehensive training and support to help employees transition to the new platform.
D. Offer a severance package to those who do not have the new skills required and hire new talent.
C is the correct answer.
Justification
This approach ignores the valid concerns of employees and may lead to resentment, decreased morale, and potentially lower productivity. It disregards the importance of addressing cultural barriers and risks undermining the success of the implementation.
While financial incentives may motivate some employees in the short term, they may not address the underlying cultural barriers to change. Additionally, reliance solely on financial incentives may create a transactional rather than a supportive work environment, potentially leading to disengagement once incentives are removed.
This option recognizes the challenges posed by cultural barriers to change, such as concerns about job security and technological competence. By offering training and support, employees can develop the necessary skills and confidence to embrace the new platform, leading to smoother adoption and reduced resistance.
Letting go of employees rather than listening to their concerns and investing in their training is a destructive way to navigate change and creates a negative culture that will harm the organization.
Which of the following choices will MOST influence how the information security program will be designed and implemented?
A. Type and nature of risk
B. Organizational culture
C. Overall business objectives
D. Lines of business
B is the correct answer.
Justification
The specific risk faced by the enterprise will affect the security program, but how this risk is perceived and dealt with depends on the organizational culture.
The organizational culture generally influences risk appetite and risk tolerance in addition to how issues are perceived and dealt with and many other aspects that have significant influence over how an information security program should be designed and implemented.
Business objectives will determine the specific kinds of risk to be addressed but will not greatly influence the actual program development and implementation.
The lines of business will affect the specific kinds of risk to be addressed but will not greatly influence the actual program development and implementation.
What is the BEST strategy to ensure success when expanding business in a new country or region?
A. Maintain a uniform organizational culture across all regions to ensure consistency.
B. Adopt the best practices of a neighboring country where the bank already has an established presence.
C. Focus on the culture and practices of the country where the headquarters are located.
D. Tailor organizational practices to accommodate local norms and values.
D is the correct answer.
Justification
While consistency across regions may seem desirable for control purposes, it can overlook the importance of local context and cultural differences. Maintaining a uniform organizational culture may lead to resistance and lack of alignment with local needs and preferences, potentially hindering the organization’s success in diverse markets.
While a neighboring country may have a similar culture, it is necessary to tailor practices to the target country’s culture to ensure that all nuances and unique aspects are addressed.
While alignment with headquarters is important, imposing the culture of a different country, without considering the local one, can create tensions and conflicts. It may hinder collaboration, diminish employee morale, and limit the subsidiary’s ability to adapt to local markets and conditions, ultimately impacting its performance.
In a globalized business environment, organizations should recognize and respect cultural diversity. By embracing different cultural perspectives and adapting organizational practices to accommodate local norms and values, organizations can foster inclusivity, enhance employee engagement, and effectively navigate cultural differences to thrive in diverse markets.
The MOST basic requirement for an information security governance program is to:
A. be aligned with the corporate business strategy.
B. be based on a sound risk management approach.
C. provide adequate regulatory compliance.
D. provide good practices for security initiatives.
A is the correct answer.
Justification
To be effective and receive senior management support, an information security program must be aligned with the corporate business strategy.
An otherwise sound risk management approach may be of little benefit to an enterprise unless it specifically addresses and is consistent with the enterprise’s business strategy.
The governance program must address regulatory requirements that affect that particular enterprise to an extent determined by management, but this is not the most basic requirement.
Good practices are the foundation of the governance program but do not have precedence over business strategy as the most basic requirement.
An information security strategy presented to senior management for approval MUST incorporate:
A. specific technologies.
B. compliance mechanisms.
C. business priorities.
D. detailed procedures.
C is the correct answer.
Justification
The strategy is a forward-looking document that reflects awareness of technological baselines and developments in general, but specific technologies are typically addressed at lower levels based on the strategy.
Mechanisms for compliance with legal and regulatory requirements are generally controls implemented at the tactical level based on direction from the strategy.
Strategy is the high-level approach by which priorities and goals can be met. The information security strategy must incorporate the priorities of the business to be meaningful.
Detailed procedures are inappropriate at the strategic level.
Which of the following recommendations is the BEST one to promote a positive information security governance culture within an enterprise?
A. Strong oversight by the audit committee
B. Organizational governance transparency
C. Collaboration across business lines
D. Positive governance ratings by stock analysts
C is the correct answer.
Justification
Supervision by the audit committee would provide inputs and recommendations but would be of little help to promote a positive culture.
Governance transparency may contribute to the security management practice but is not directly linked to the establishment of a positive governance culture.
To promote a positive governance culture, it is essential to establish collaboration across business lines. This will enable line management to speak a common language and share the same goals.
Positive governance ratings by stock analysts may be useful for investors but will have little or no effect on internal organizational culture.
A multinational enterprise operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the information security program?
A. Representation by regional business leaders
B. Composition of the board
C. Cultures of the different countries
D. IT security skills
C is the correct answer.
Justification
Representation by regional business leaders may not have a major influence unless it concerns cultural issues.
Composition of the board may not have a significant impact compared to cultural issues.
Culture has a significant impact on how information security will be implemented.
IT security skills are not as key or high impact in designing a multinational information security program as cultural issues.
Which of the following choices is the MOST likely cause of significant inconsistencies in system configurations?
A. A lack of procedures
B. Inadequate governance
C. Poor standards
D. Insufficient training
B is the correct answer.
Justification
A lack of proper procedures is a failure of governance and may be a cause of significant inconsistencies in system configurations; however, it is not the most likely one. Governance takes precedence, as it has to be in place to ensure proper procedures.
Governance includes the set of rules the enterprise operates by, oversight to ensure compliance, and feedback mechanisms that provide assurance the rules are followed. A failure of one or more of these processes is most likely to be the reason for inconsistencies in system configurations.
Poor standards are a sign of inadequate governance and may result in inconsistencies in system configurations; however, this is not the most likely reason, as governance takes precedence.
Insufficient training indicates that there are no requirements, or that the requirements are not being met, or that the trainers are not competent in the subject matter, all of which reflect ineffective governance that can result in a lack of oversight, a lack of clear requirements for training, or a lack of suitable metrics.
A large software organization is experiencing high turnover rates among its employees, particularly on the software development team. The turnover is attributed to dissatisfaction with the leadership style of the department head, who has an authoritative approach. What action should the information security manager recommend to address this issue?
A. Terminate the department head to minimize further turnover.
B. Offer financial incentives to the members of the department to reduce the turnover rate.
C. Conduct an organizational restructuring to remove hierarchical leadership structures.
D. Implement leadership training to help the department head to adapt their leadership style.
D is the correct answer.
Justification
This option suggests a drastic measure of terminating the department head. While it might address the immediate turnover issue, it does not address the underlying problem of leadership style mismatch and may create further disruption and instability within the organization.
While financial incentives may motivate some employees in the short term, they do not address the underlying problem of leadership style and can even worsen the situation.
This option proposes a significant organizational change to eliminate hierarchical leadership structures entirely. While it aims to address the issue of authoritarian leadership, it may not be practical or necessary, and such a restructuring could introduce new challenges and disruptions to the company’s operations.
This option acknowledges the issue of dissatisfaction with the leadership style and proposes a proactive solution by providing training to the department head. It aims to address the root cause of the turnover by helping the department head develop a leadership style that aligns better with the preferences of the employees.
Which of the following actions would help to change an enterprise’s security culture?
A. Develop procedures to enforce the information security policy.
B. Obtain strong management support.
C. Implement strict technical security controls.
D. Periodically audit compliance with the information security policy.
B is the correct answer.
Justification
Procedures will support an information security policy, but this is not likely to have much impact on the security culture of the enterprise.
Culture in an enterprise is a reflection of senior management vision and guidance, and only management support and pressure will help to change an enterprise’s security culture.
Technical controls will provide more security to an information system and staff; however, this will not help change the security culture.
Auditing will help to ensure the effectiveness of the information security policy; however, auditing is not effective in changing the culture of the company.
Which of the following is the GREATEST success factor for effectively managing information security?
A. An adequate budget
B. Senior level authority
C. Robust technology
D. Effective business relationships
D is the correct answer.
Justification
An adequate budget is important, but without cooperation and support from senior managers, it is unlikely that the security program will be effective.
Senior level authority can be helpful in communicating at the right organizational levels, but effective security requires persuasion, cooperation and operating collaboratively.
Good technology and a robust network will certainly help security be effective, but they are only part of what is required.
Support for information security from senior managers is essential for an effective security program. This requires developing good relationships throughout the enterprise and particularly with influential managers.
Effective governance of enterprise security is BEST ensured by:
A. using a bottom-up approach.
B. management by the IT department.
C. referring the matter to the enterprise’s legal department.
D. using a top-down approach.
D is the correct answer.
Justification
Enterprise security governance may not be reflected effectively by a bottom-up approach, as it will not bring focus to management priorities.
Governance of enterprise security affects the entire enterprise, not just the management of IT.
The legal department is part of the overall governance process and may provide useful input but cannot take full responsibility.
Effective governance of enterprise security needs to be a top-down initiative, with the board and executive management setting clear policies, goals and objectives and providing for their ongoing monitoring.
An enterprise’s board of directors has learned of recent legislation requiring enterprises within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next?
A. Direct information security on what actions to take.
B. Research solutions to determine the proper solutions.
C. Require management to report on compliance.
D. Do nothing; information security does not report to the board.
C is the correct answer.
Justification
The board would not direct information security activities; this would be the function of executive management.
The board would not undertake research but might direct the executive to see that it was completed.
Information security governance is the responsibility of the board of directors and executive management. In this instance, the appropriate action would be to ensure that a plan was in place for implementation of needed safeguards and to require updates on that implementation.
The board has oversight responsibilities and doing nothing would not be a prudent course of action.
Which of the following choices is the BEST indicator of the state of information security governance?
A. A defined maturity level
B. A developed security strategy
C. Complete policies and standards
D. Low numbers of incidents
A is the correct answer.
Justification
A defined maturity level is the best overall indicator of the state of information security governance. The maturity level indicates how mature a process is on a scale from 0 (incomplete process) to 5 (optimized process).
A developed security strategy is an important first step, but it must be implemented properly to be effective; by itself, it is not an indication of the state of information security governance.
Complete policies and standards are required for effective governance but are only one part of the requirement. By themselves, they are not an indicator of the effectiveness of information security governance.
The number of incidents is relatively unconnected to the effectiveness of information security governance. Trends in incidents would be a better indicator.
The FIRST step to create an internal culture that embraces information security is to:
A. implement stronger controls.
B. conduct periodic awareness training.
C. actively monitor operations.
D. gain endorsement from executive management.
D is the correct answer.
Justification
The implementation of stronger controls may lead to circumvention.
Awareness training is important but must be based on policies and supported by management.
Actively monitoring operations will not directly affect culture.
Endorsement from executive management in the form of policy approval provides intent, direction and support.
The enterprise has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?
A. Laws and regulations of the country of origin may not be enforceable in the foreign country.
B. A security breach notification might get delayed due to the time difference.
C. Additional network intrusion detection sensors should be installed, resulting in an additional cost.
D. The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.
A is the correct answer.
Justification
A company is held to the local laws and regulations of the country in which the company resides, even if the company decides to place servers with a vendor that hosts the servers in a foreign country. A potential violation of local laws applicable to the company might not be recognized or rectified (i.e., prosecuted) due to the lack of knowledge of the local laws that are applicable and the inability to enforce the laws.
Time difference does not play a role in a 24/7 environment. Pagers, cellular phones, telephones, etc., are usually available to communicate notifications.
Installation of additional network intrusion detection sensors is a manageable problem that requires additional funding but it can be addressed.
Most hosting providers have standardized the level of physical security in place. Regular physical audits can address such concerns.
How should an information security manager balance the potentially conflicting requirements of an international enterprise’s security standards with local regulation?
A. Give organizational standards preference over local regulations.
B. Follow local regulations only.
C. Make the enterprise aware of those standards where local regulations cause conflicts.
D. Negotiate a local version of the enterprise standards.
D is the correct answer.
Justification
Organizational standards must be subordinate to local regulations.
It would be incorrect to follow local regulations only, because there must be recognition of organizational requirements.
Making an enterprise aware of standards is a sensible step but is not a complete solution.
Negotiating a local version of the enterprise’s standards is the most effective compromise in this situation. Regulations cannot be changed by the enterprise, and it must achieve compliance, making it necessary to develop a local version of its standards in consultation with the principal office.
What must change management achieve from a risk management perspective?
A. It must be operated by information security to ensure that security is maintained.
B. It must be overseen by the steering committee because of its importance.
C. It must be secondary to release and configuration management.
D. It must assure that any changes will not involve any risk that exceeds the acceptable risk level.
D is the correct answer.
Justification
It is not important who oversees the change management process provided notification occurs and a consistent process is in place.
Change management oversight may or may not be the responsibility of the steering committee.
Change management is just as essential as release and configuration management to properly manage risk. Release and configuration management may be included as part of the change management process.
It is very important for change management to assure that any new changes or modifications will not affect the existing risk level or exceed the risk appetite. In general, risk reassessment should be conducted in case of any major changes, in order to conform with the acceptable level of security.
Laws and regulations should be addressed by the information security manager:
A. to the extent that they impact the enterprise.
B. by implementing international standards.
C. by developing policies that address the requirements.
D. to ensure that guidelines meet the requirements.
A is the correct answer.
Justification
Legal and regulatory requirements should be assessed based on the extent and nature of enforcement, the probability of enforcement action and sanctions, and the impact of noncompliance or partial compliance balanced against the costs of compliance.
International standards may not address the legal requirements in question.
Policies should not address particular regulations because regulations are subject to change. Policies should only address the need to assess regulatory requirements and deal with them appropriately based on risk and impact.
Guidelines would normally not address regulations, although standards may address regulations based on management’s determination of the appropriate level of compliance.
Which of the following choices is the MOST important consideration when developing the security strategy of a company operating in different countries?
A. Diverse attitudes toward security by employees and management
B. Time differences and the ability to reach security officers
C. A coherent implementation of security policies and procedures in all countries
D. Compliance with diverse laws and governmental regulations
D is the correct answer.
Justification
Attitudes among employees and managers may vary by country, and this will impact implementation of a security policy. However, the impact is not nearly as significant as the variance in national laws.
Time differences and reachability are not significant considerations when developing a security strategy.
Implementation occurs after a security strategy has been developed, so this cannot be a consideration in its development.
Laws vary from one country to another, and they can also be in conflict, making it difficult for an enterprise to create an overarching enterprise security policy that adequately addresses the requirements in each nation. The repercussions of failing to adhere to multiple legal frameworks at the same time are the most important among the considerations listed.
The FIRST action for an information security manager to take when presented with news that new regulations are being applied to how enterprises handle sensitive data is to determine:
A. processes and activities that may be affected.
B. how senior management would prefer to respond.
C. whether the enterprise qualifies for an exemption.
D. the approximate cost of compliance.
A is the correct answer.
Justification
Changes to information security are best made on the basis of risk. To determine the risk associated with the new regulations, the information security manager must first know what processes and activities may be affected.
Senior management will not have a basis for preference until potential effects are determined and compliance requirements are identified.
Requesting exemptions comes at a cost, at least in terms of time and potentially with reputational consequences. Also, if there is little or no effect on the enterprise, there will be no need to request an exemption even if one is available.
Until the scope of potential effects and the changes that may be needed to comply are understood, the cost of compliance cannot be reasonably approximated.
An enterprise has to comply with recently published industry regulatory requirements that potentially have high implementation costs. What should the information security manager do FIRST?
A. Consult the security committee.
B. Perform a gap analysis.
C. Implement compensating controls.
D. Demand immediate compliance.
B is the correct answer.
Justification
Consulting the steering committee before knowing the extent of the issues would not be the first step.
Because they are regulatory requirements, a gap analysis would be the first step to determine the level of compliance already in place.
Implementing compensating controls would not be the first step.
Demanding immediate compliance without knowing the extent of possible noncompliance would not be a prudent first step.
Which of the following is the MOST effective way to ensure that noncompliance to information security standards is resolved?
A. Periodic audits of noncompliant areas
B. An ongoing vulnerability scanning program
C. Annual security awareness training
D. Regular reports to the audit committee
D is the correct answer.
Justification
Periodic audits can be effective but only when combined with reporting.
Vulnerability scanning has little to do with noncompliance with standards.
Training can increase management’s awareness regarding information security, but awareness training is generally not as compelling to management as having individual names highlighted on a compliance report.
Reporting noncompliance to the audit committee is the most effective way to have enforcement for concerned parties to take the proper action in order to comply.
New regulatory and legal compliance requirements that will have an effect on information security will MOST likely come from the:
A. corporate legal officer.
B. internal audit department.
C. affected departments.
D. compliance officer.
C is the correct answer.
Justification
Corporate legal officers are often focused on contractual matters and disclosure requirements for reporting to the agencies regulating publicly held corporations.
Internal auditors would typically be concerned with review of existing compliance requirements rather than with new legal or regulatory requirements.
The departments affected by legal and regulatory requirements (such as the human resources department) are typically advised by their respective associations of new or changing regulations and the probable impacts on various enterprises.
Compliance officers are typically charged with determining compliance with internal policies and standards.
Retention of business records should PRIMARILY be based on:
A. business strategy and direction.
B. regulatory and legal requirements.
C. storage capacity and longevity.
D. business case and value analysis.
B is the correct answer.
Justification
Business strategy and direction would address the issue of business record retention among numerous others but would typically not be the primary focus.
Retention of business records is primarily driven by legal and regulatory requirements.
Storage capacity and longevity are important but secondary issues.
Business case and value analysis would be secondary to complying with legal and regulatory requirements.
Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:
A. it implies compliance risk.
B. short-term impact cannot be determined.
C. it violates industry security practices.
D. changes in the roles matrix cannot be detected.
A is the correct answer.
Justification
Monitoring processes are required to guarantee compliance with laws and enterprise regulations; therefore, the information security manager will be obligated to advise compliance with the law.
Even if short-term impact cannot be determined, it is a business decision to accept the risk.
Industry security practices do not override the business decision to accept the risk.
Changes in the roles matrix do not override the business decision to accept the risk.
Which of the following roles is responsible for legal and regulatory liability for failures of security in the enterprise?
A. Chief security officer
B. Chief legal counsel
C. Board of directors and senior management
D. Information security steering group
C is the correct answer.
Justification
The chief security officer is not responsible for the legal and regulatory liability of the enterprise arising from failures of security.
The chief legal counsel is not individually responsible for the legal and regulatory liability for failures of security in the enterprise.
The board of directors and senior management are ultimately responsible for ensuring regulations are appropriately addressed and will be responsible for the legal and regulatory liability for failures of security in the enterprise.
The information security steering group is not responsible for the legal and regulatory liability arising from failures of security in the enterprise.
Management requests that an information security manager determine which regulations regarding disclosure, reporting and privacy are the most important for the enterprise to address. The recommendations for addressing these legal and regulatory requirements will be MOST useful if based on which of the following choices?
A.The extent of enforcement actions
B.The probability and consequences
C.The sanctions for noncompliance
D.The amount of personal liability
B is the correct answer.
Justification
The extent of enforcement is a measure of probability. Without knowing the scope of consequences, probability cannot be viewed in context.
Legal and regulatory requirements should be treated as any other risk to the enterprise, calculated as the probability of enforcement and the magnitude of possible sanctions (impact or consequences).
Sanctions or impact must be considered in the context of the enforcement mechanisms. If sanctions have less probability of being implemented due to lax enforcement, their severity poses lower risk to the enterprise than if they are widely enforced.
Except in extreme cases of fraud or other criminal activity, liability for regulatory sanctions generally lies with senior management and the board of directors. It is not a driving factor in the evaluation of regulatory requirements.
Compliance with legal and regulatory requirements is:
A.a security decision.
B.a business decision.
C.an absolute requirement.
D.conditional and based on cost.
B is the correct answer.
Justification
Information security can advise management on the risk and possible impact of compliance failure, but the business decision must be made by senior management.
The extent of compliance with legal and regulatory requirements is a business decision that must be made by senior management.
Legal and regulatory requirements are no different from other requirements for purposes of risk assessment and decision-making. Each legal or regulatory requirement is evaluated in the context of the risk posed by failure to comply.
Cost is only one aspect of the overall business decision to comply with legal and regulatory requirements.
It is MOST important that a privacy statement on a company’s e-commerce website include:
A.a statement regarding what the company will do with the information it collects.
B.a disclaimer regarding the accuracy of information on its website.
C.technical information regarding how information is protected.
D.a statement regarding where the information is being hosted.
A is the correct answer.
Justification
Most privacy laws and regulations require disclosure on how information will be used.
A disclaimer may be prudent but is not necessary because it does not refer to data privacy.
Technical details regarding how information is protected are not mandatory to publish on the website and would not be desirable.
It is not mandatory to say where information is being hosted.
Which of the following represents the MAJOR focus of privacy regulations?
A.Unrestricted data mining
B.Identity theft
C.Human rights protection
D.Identifiable personal data
D is the correct answer.
Justification
Data mining is an accepted tool for ad hoc reporting; it could pose a threat to privacy only if it should violate regulatory provisions.
Identity theft is a potential consequence of privacy violations but not the main focus of many regulations.
Human rights protection addresses privacy issues but is not the main focus of regulations.
Protection of identifiable personal data is the major focus of privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA).
Which of the following would BEST prepare an information security manager for regulatory reviews?
A.Assign an information security administrator as regulatory liaison.
B.Perform self-assessments using regulatory guidelines and reports.
C.Assess previous regulatory reports with process owner’s input.
D.Ensure all regulatory inquiries are sanctioned by the legal department.
B is the correct answer.
Justification
Directing regulators to a specific person or department is not a method of preparing for a regulatory review; it only facilitates the conduct of the review.
Self-assessments provide the best feedback on level of compliance or readiness and permit identification of items requiring remediation.
Assessing previous regulatory reports is not as effective as performing self-assessments because conditions may have changed.
The legal department should review all formal inquiries, but that would not help prepare for a regulatory review.
What activity should the information security manager perform FIRST after finding that compliance with a set of standards is weak?
A.Initiate the exception process.
B.Modify policy to address the risk.
C.Increase compliance enforcement.
D.Perform a risk assessment.
D is the correct answer.
Justification
The exception process can be used after assessing the noncompliance risk and determining whether compensating controls are required.
Modifying policy is not necessary unless there is no applicable standard and policy.
It is not appropriate to increase compliance enforcement until the information security manager has determined the extent of the risk posed by weak compliance.
The first action after finding noncompliance with particular standards should be to determine the risk to the enterprise and the potential impact (for both compliance and security risk).
An information security manager at a global enterprise has to ensure that the local information security program will initially be in compliance with the:
A.corporate data privacy policy.
B.data privacy policy where data are collected.
C.data privacy policy of the headquarters’ country.
D.data privacy directive applicable globally.
B is the correct answer.
Justification
The corporate data privacy policy cannot direct that the information security policy be in compliance with it, as it addresses a different function and may be a subset itself.
As a subsidiary, the local entity will have to ensure that the information security program complies with the local law of the land for data protection, privacy and security. Senior management may be held accountable in the event of noncompliance.
Data privacy policy directives of the headquarters country may not be applicable, since the enterprise policies should be in compliance with requirements of the local law that applies and not the law applicable to the head office under which the privacy policy would have been made. Data privacy laws are country-specific.
With local regulations differing from the country in which the enterprise is headquartered, it is improbable that a group-wide policy would address all the local legal requirements. Data privacy laws are country-specific.
The PRIMARY concern of an information security manager documenting a formal data retention policy is:
A.generally accepted industry good practices.
B.business requirements.
C.legislative and regulatory requirements.
D.storage availability.
C is the correct answer.
Justification
Good practices are rarely the most effective answer for a particular enterprise. They may be a useful guide but typically are not a primary concern.
Business requirements are a concern for formulating data retention policies and will have to be compliant with the requirements of the law of the land.
The primary concern for development of the data retention policy is alignment with the local legislative and regulatory requirements. Compliance is a business need, and internal policies or procedures cannot take precedence over the law of the land.
Storage is an irrelevant consideration when developing the data retention policy, as necessary provisions must be made as needed.
The MOST important component of a privacy policy is:
A.notifications.
B.warranties.
C.liabilities.
D.standards.
A is the correct answer.
Justification
Privacy policies must contain notification requirements in the event of unauthorized disclosure and opt-out provisions.
Privacy policies do not address warranties, which are generally unrelated to a privacy policy.
Privacy policies may address liabilities as a consequence of unauthorized disclosure, but that is not the most important component.
Standards regarding privacy would be separate and not a part of the policy.
Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale cash register?
A.Authentication
B.Hardening
C.Encryption
D.Non-repudiation
C is the correct answer.
Justification
Authentication of the point-of-sale terminal will not prevent unauthorized reading of the data.
Hardening will protect the point-of-sale but will not prevent unauthorized reading of the data.
Cardholder data should be encrypted using strong encryption techniques.
Non-repudiation is not relevant to credit card data protection.
From an information security perspective, which of the following will have the GREATEST impact on a financial enterprise with offices in various countries and involved in transborder transactions?
A.Current and future technologies
B.Evolving data protection regulations
C.Economizing the costs of network bandwidth
D.Centralization of information security
B is the correct answer.
Justification
Current and future technologies would be considered but will not generally be affected by operational regions or countries.
Information security laws vary from country to country. An enterprise must be aware of and comply with the applicable laws from each country, as noncompliance may have a great impact on local operations.
Economizing the costs of network bandwidth is a part of business costs; however, this is not a relevant consideration for information security.
Centralization of information security is a business decision and is not a factor significant enough in multinational operations to impact security operations.
Which one of the following groups has final responsibility for the effectiveness of security controls?
A.The security administrator who implemented the controls
B.The enterprise’s chief information security officer
C.The enterprise’s senior management
D.The information systems auditor who recommended the controls
C is the correct answer.
Justification
Senior management, not the security administrator, holds ultimate responsibility for the effectiveness of security controls. Although the authority to implement is delegated, responsibility cannot be delegated.
The chief information security officer may have been delegated the authority to verify the effectiveness of security controls, but final responsibility still rests with senior management.
Senior management holds ultimate responsibility for the effectiveness of security controls.
The information systems auditor may be assigned testing of the effectiveness of security controls but is not responsible for their effectiveness.
The PRIMARY purpose of an information security program is to:
A.provide protection to information assets consistent with business strategy and objectives.
B.express the results of an operational risk assessment in terms of business impact.
C.protect the confidentiality of business information and technology resources.
D.develop information security policy and procedures in line with business objectives.
A is the correct answer.
Justification
The primary purpose of the information security program is to provide protection to information assets and it must be aligned with the business’s strategy and objectives.
The risk assessment program is focused on identifying risk scenarios based on the business’s strategy and objectives. It is a part of the information security program and one of its key activities but not its primary purpose.
The information security program needs to address confidentiality, integrity and availability. Confidentiality alone cannot be considered the primary purpose of the information security program.
Security policy and procedures are developed as part of the security program to achieve protection for information assets consistent with business strategy and objectives.
While governance, risk and compliance (GRC) can be applied to any area of an enterprise, it is MOST often focused on which of the following areas?
A.Operations and marketing
B.IT, finance and legal
C.Audit, risk and regulations
D.Information security and risk
B is the correct answer.
Justification
Governance, risk and compliance (GRC) is generally not used in support of operations and marketing.
GRC is largely concerned with ensuring that processes in IT, finance and legal are in compliance with regulatory requirements; that proper rules are in place; and that risk is appropriately addressed.
Audit, risk and regulations are functions to support IT, finance and legal.
Information security and risk can be a part of GRC and interrelate to audit, risk and regulations, but are primarily in support of IT, finance and legal.
What is the PRIMARY role of the information security manager related to the data classification and handling process within an enterprise?
A.Defining and ratifying the enterprise’s data classification structure
B.Assigning the classification levels to the information assets
C.Securing information assets in accordance with their data classification
D.Confirming that information assets have been properly classified
A is the correct answer.
Justification
Defining and ratifying the data classification structure and handling procedures, consistent with the enterprise’s risk appetite and the business value of information assets, is the primary role of the information security manager in relation to the data classification and handling process within the enterprise.
The responsibility for assigning the classification levels to information assets rests with the data owners and not the information security manager.
The job of securing information assets is the responsibility of the data custodians and not the information security manager.
Confirming proper classification of information assets may be a role of the information security auditor performing compliance reviews.
During a stakeholder meeting, a question was asked regarding who is ultimately accountable for the protection of sensitive data. Assuming all the following roles exist in the enterprise, which would be the MOST appropriate answer?
A.Security administrators
B.The IT steering committee
C.The board of directors
D.The information security manager
C is the correct answer.
Justification
Security administrators are responsible for implementing, monitoring and enforcing security rules established and authorized by management, but they are not ultimately accountable for the protection of sensitive data.
The IT steering committee assists in the delivery of the IT strategy, oversees management of IT service delivery and IT projects, and focuses on implementation aspects, but it is not ultimately accountable for the protection of sensitive data.
The board of directors is ultimately accountable for information security, just as it is for all organizational assets.
The information security manager is responsible for identifying and explaining to stakeholders the risk to the enterprise’s information, presenting alternatives for mitigation, and then implementing an approach supported by the enterprise.
Which of the following activities MOST commonly falls within the scope of an information security steering committee?
A.Interviewing candidates for information security specialist positions
B.Developing content for security awareness programs
C.Prioritizing information security initiatives
D.Approving access to critical financial systems
C is the correct answer.
Justification
Interviewing specialists should be performed by the information security manager.
Development of program content should be performed by the information security staff.
Prioritizing information security initiatives falls within the scope of an information security steering committee.
Approving access to critical financial systems is the responsibility of individual system data owners.
Which of the following is MOST useful in managing increasingly complex security deployments?
A.A standards-based approach
B.A security architecture
C.Policy development
D.Senior management support
B is the correct answer.
Justification
Standards may provide metrics for deployment but would not provide significant management tools.
Deploying complex security initiatives and integrating a range of diverse projects and activities would be more easily managed with the overview and relationships provided by a security architecture.
Policies would guide direction but would not provide significant management tools.
Management support is always helpful and may assist in providing resources, but it would be of little direct benefit in managing complex security deployments.
What responsibility do data owners normally have?
A.Applying emergency changes to application data
B.Administering security over database records
C.Migrating application code changes to production
D.Determining the level of application security required
D is the correct answer.
Justification
Making emergency changes to data is an infrastructure task performed by custodians of the data.
Administering database security is an infrastructure task performed by custodians of the data.
Migrating code to production is an infrastructure task performed by custodians of the data.
Data owners approve access to data and determine the degree of protection that should be applied (data classification).
Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
A.Information security manager
B.Chief operating officer
C.Internal auditor
D.Legal counsel
B is the correct answer.
Justification
Sponsoring the creation of the steering committee should be initiated by someone versed in the strategy and direction of the business. A security manager would be looking to this group for direction and is therefore not in the best position to oversee the formation of this group.
The chief operating officer (COO) represents senior management, which is responsible for providing support for information security initiatives with a positive tone at the top. The information security steering group should be sponsored by the COO (senior management), as that individual would have the authority (and responsibility) to direct the participation of business unit heads and authorize the mandate or charter.
The internal auditor may be a member of the steering group but would not have the authority to make decisions or take actions to oversee the formation of the committee.
Legal counsel may be a member of a steering group but would not have the authority to make decisions or take actions to oversee the formation of the committee.
Which of the following should be responsible for final approval of security patch implementation?
A.The application development manager
B.The IT asset owner
C.The information security officer
D.The business continuity coordinator
B is the correct answer.
Justification
When business logic has been modified, the application development team may be involved in testing; however, the team’s involvement will be less necessary when a security patch is being released.
In order to ensure that no serious business interruption takes place due to any unexpected problems, it is important to bring IT asset owners into the final sign-off loop when a security patch is being released.
The information security officer is informed of security patches currently being released; however, the information security officer’s approval may not always be required for patch release.
A business continuity coordinator would not be involved in approving security patches in normal day-to-day operations.
The PRIMARY goal of a corporate risk management program is to ensure that an enterprise’s:
A.IT assets in key business functions are protected.
B.business risk is addressed by preventive controls.
C.stated objectives are achieved.
D.IT facilities and systems are always available.
C is the correct answer.
Justification
Protecting IT assets is one goal among many others included in the stated objectives. However, it should be viewed from the perspective of achieving an enterprise’s objectives.
Preventive controls are not always possible or necessary; risk management will address issues with an appropriate mix of preventive and corrective controls to achieve the stated objectives.
Risk management’s primary goal is to ensure an enterprise maintains the ability to achieve its objectives.
Ensuring infrastructure and systems availability is one typical goal included in the stated objectives.
The IT function has declared that it is not necessary to update the business impact analysis when putting a new application into production because it does not produce modifications in the business processes. The information security manager should:
A.verify the decision with the business units.
B.check the system’s risk analysis.
C.recommend update after post-implementation review.
D.request an audit review.
A is the correct answer.
Justification
Verifying the decision with the business units is the correct answer because it is not the IT function’s responsibility to decide whether a new application modifies business processes.
Checking the system’s risk analysis does not consider the change in the applications.
Recommending the update after post-implementation review delays the update.
Requesting an audit review delays the update.
For an enterprise’s information security program to be highly effective, who should have final responsibility for authorizing information system access?
A.Information owner
B.Security manager
C.Chief information officer
D.System administrator
A is the correct answer.
Justification
Because the information owner best understands the nature of the information in the system and who needs access to the information, the information owner should provide authorization for users to access the information systems under their control.
The security manager will be responsible for ensuring that access controls are functioning properly and for assessing the risk of unauthorized access but is not responsible for granting access rights.
The chief information officer will only have responsibility for authorizing access to information related to systems and networks within the CIO’s domain.
System administrators are primarily custodians and should only have access to their required operational systems information.
To achieve effective strategic alignment of information security initiatives, it is important that:
A.steering committee leadership rotates among members.
B.major organizational units provide input and reach a consensus.
C.the business strategy is updated periodically.
D.procedures and standards are approved by all departmental heads.
B is the correct answer.
Justification
Rotation of steering committee leadership does not help in achieving strategic alignment of information security initiatives.
It is important to achieve consensus on risk and controls and obtain inputs from various organizational entities because security must be aligned with the needs of all business units in the enterprise.
Updating business strategy does not lead to achieving strategic alignment of information security initiatives.
Procedures and standards do not need to be approved by all departmental heads, and this activity would not lead to achieving strategic alignment of information security initiatives.
Which of the following choices is MOST likely to ensure that responsibilities are carried out?
A.Signed contracts
B.Severe penalties
C.Assigned accountability
D.Clear policies
C is the correct answer.
Justification
Contracts can define responsibilities, but it is essential that individuals are accountable.
Penalties can reinforce accountability and are a deterrent control but will not ensure that responsibilities are always discharged properly.
Assigning accountability to individuals is most likely to ensure that duties are properly carried out.
Policies generally record a high-level principle or course of action that has been decided on; they are advantageous, but it is more effective to establish direct accountability to ensure that responsibilities are performed.
An information security manager is PRIMARILY responsible for:
A.managing the risk to the information infrastructure.
B.implementing a standard configuration for IT assets.
C.conducting a business impact analysis.
D.closing identified technical vulnerabilities.
A is the correct answer.
Justification
An information security manager is primarily responsible and accountable for managing the information security risk management plan by involving various asset and risk owners to identify and implement appropriate responses.
An information security manager may help in standardizing the baseline configuration for IT assets, but implementing the configuration is the responsibility of the asset owners.
The information security manager may facilitate a business impact analysis (BIA) conducted by business process owners.
The information security manager monitors closure of vulnerabilities by asset owners.
Information security policy enforcement is the responsibility of the:
A.security steering committee.
B.chief information officer.
C.chief information security officer.
D.chief compliance officer.
C is the correct answer.
Justification
The security steering committee will guide and ensure that a security policy is aligned with business objectives but is not responsible for enforcement.
The chief information officer may to some extent be involved in the enforcement of the policy but is not directly responsible for it.
Information security policy enforcement is the responsibility of the chief information security officer.
The chief compliance officer is usually involved in determining the level of compliance but is usually not directly involved in the enforcement of the policy.
Which of the following would be the FIRST step when developing a business case for an information security investment?
A.Defining the objectives
B.Calculating the cost
C.Defining the need
D.Analyzing the cost-effectiveness
C is the correct answer.
Justification
Without a clear definition of the needs to be addressed, the objectives cannot be determined.
Costs cannot be determined without a definition of the needs to be addressed.
The first step is to have a clear definition of the needs to be fulfilled when developing a business case for an information security investment.
Without a defined need requiring a solution, cost-effectiveness cannot be determined.
Which of the following should be included in an annual information security budget that is submitted for management approval?
A.A cost–benefit analysis of budgeted resources
B.All the resources that are recommended by the business
C.Total cost of ownership
D.Baseline comparisons
A is the correct answer.
Justification
A brief explanation of the benefit of expenditures in the budget helps to convey the context of how the purchases that are being requested will meet business goals and objectives. This helps build credibility for the information security function or program. Explanations of benefits will make it easy for senior management to understand the requirements and support the information security program.
While the budget should consider all inputs and recommendations that are received from the business, the budget that is ultimately submitted to management for approval should include only those elements that are intended for purchase.
Total cost of ownership may be requested by management and may be provided in an addendum to a given purchase request, but it is not usually included in an annual budget.
Baseline comparisons (cost comparisons with other companies or industries) may be useful in developing a budget or providing justification in an internal review for an individual purchase but usually do not need to be included in the request for budget approval.
Information security governance must be integrated into all business functions and activities PRIMARILY to:
A.maximize security efficiency.
B.standardize operational activities.
C.achieve strategic alignment.
D.address operational risk.
D is the correct answer.
Justification
Efficiency is not the primary desired outcome of the integration of governance throughout enterprise business functions.
Standardization will help create a more efficient program, but it is not the primary objective for integration of information security governance into all business functions.
While good governance may help promote strategic alignment, it is not the primary reason to ensure integration of governance in all organizational functions.
The primary objective for integration of information security governance into all business functions and activities is to address operational risk. All aspects of organizational activities pose risk that is mitigated through effective information security governance and the development and implementation of policies, standards and procedures.
Who should be assigned as data owner for sensitive customer data that are used only by the sales department and stored in a central database?
A.The sales department
B.The database administrator
C.The chief information officer
D.The head of the sales department
D is the correct answer.
Justification
The sales department cannot be the owner of the asset because that removes personal responsibility.
The database administrator is a custodian.
The chief information officer (CIO) is not an owner of this database because the CIO is less likely to be knowledgeable about the specific needs of sales operations and security concerns.
The owner of the information asset should be the individual with the decision-making power in the department deriving the most benefit from the asset. In this case, it is the head of the sales department.
Who should generally determine the classification of an information asset?
A.The asset custodian
B.The security manager
C.Senior management
D.The asset owner
D is the correct answer.
Justification
The custodian enforces protection of assets, depending on their classification.
The security manager develops the structure and standards for classification and may classify the information under the role’s ownership.
Senior management generally does not determine classification levels unless it is also the information owner.
Classifying an information asset is the responsibility of the asset owner.
Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?
A.Manager
B.Custodian
C.User
D.Owner
D is the correct answer.
Justification
Management is responsible for higher-level issues such as providing and approving budget, supporting activities, etc.
The information custodian is responsible for day-to-day security tasks such as protecting information, backing up information, etc.
Users are the lowest level. They use the data but do not classify the data. The owner classifies the data.
Although the information owner may be in a management position and is also considered a user, the information owner role has the responsibility for determining information classification levels.
Which person or group should have final approval of an enterprise’s IT security policies?
A.Business unit managers
B.Chief information security officer
C.Senior management
D.Chief information officer
C is the correct answer.
Justification
Business unit managers should have input into IT security policies, but they should not have authority to give final approval.
The chief information security officer would more than likely be the primary author of the policies and, therefore, would not be the appropriate individual to approve the policies.
Senior management should have final approval of all enterprise policies, including IT security policies.
The chief information officer should provide input into IT security policies but should not have the authority to give final approval.
Who in an enterprise has the responsibility for classifying information?
A.Data custodian
B.Database administrator
C.Information security officer
D.Data owner
D is the correct answer.
Justification
The data custodian is responsible for handling and operational management of information in alignment with the data classification.
The database administrator is responsible not for data classification but for the technical administration of the database and for handling requirements that apply to data in storage and transit in accordance with the requirements for each classification level.
The information security officer has oversight of the overall data classification and handling process to ensure conformance with enterprise policies and standards.
The data owner has responsibility for data classification and to ensure consistency with the enterprise’s classification criteria.
Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process?
A.System analyst
B.System user
C.Operations manager
D.Data security officer
B is the correct answer.
Justification
The system analyst would not be closely involved in testing code changes.
System users, specifically the user acceptance testers, would be in the best position to note whether new exposures were introduced during the change management process.
The operations manager would not be involved in testing code changes.
The data security officer would not be involved in testing code changes.
Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?
A.Chief security officer
B.Chief operating officer
C.Chief privacy officer
D.Chief legal counsel
B is the correct answer.
Justification
The chief security officer may know what is needed but will not have the authority to sponsor initiatives. A sponsor should have far-reaching influence across the enterprise.
The chief operating officer has the authority and will be responsible to sponsor the design and implementation of new security infrastructure. This is in line with the commitment of top management to support information security.
The chief privacy officer may not have the knowledge of the day-to-day business operations and overall security requirements to ensure proper guidance; nor will this position have the authority to sponsor the initiative.
The chief legal counsel will typically have a narrow legal focus on contracts and stock and other regulatory requirements and have little knowledge of overall organizational security requirements; nor will this position have the authority to sponsor the initiative.
Which of the following is the BEST source for determining the value of information assets?
A.Individual business managers
B.Business systems analysts
C.Information security management
D.Industry benchmarking results
A is the correct answer.
Justification
Individual business managers are in the best position to determine the value of information assets since they are most knowledgeable of the assets’ impact on the business.
Business systems analysts are not as knowledgeable as individual business managers regarding the impact on the business.
Information security managers are not as knowledgeable as individual business managers regarding the impact on the business.
Peer companies’ industry averages do not necessarily provide information that is detailed enough, nor are they as relevant to the unique aspects of the business as information from individual business managers.
Which of the following situations would MOST inhibit the effective implementation of security governance?
A.The complexity of technology
B.Budgetary constraints
C.Conflicting business priorities
D.Lack of high-level sponsorship
D is the correct answer.
Justification
Complexity of technology would be factored into the security governance model of the enterprise, so it would not have a major effect on implementation.
Budgetary constraints would inhibit effective implementation of security governance but likely would be a consequence of the lack of high-level sponsorship and, therefore, a secondary situation.
Conflicting business priorities must be addressed by senior management in order to facilitate implementation of effective security governance, which would more likely be accomplished with high-level sponsorship.
The need for senior management involvement and support is a key success factor for the implementation of effective security governance.
Which of the following roles would represent a conflict of interest for an information security manager?
A.Evaluation of third parties requesting connectivity
B.Assessment of the adequacy of disaster recovery plans
C.Final approval of information security policies
D.Monitoring adherence to physical security controls
C is the correct answer.
Justification
Evaluation of third parties requesting connectivity is an acceptable practice and does not present any conflict of interest.
Assessment of disaster recovery plans is an acceptable practice and does not present any conflict of interest.
Because senior management is ultimately responsible for information security, it should approve information security policy statements; the information security manager should not have final approval as it would represent a conflict of interest.
Monitoring of adherence to physical security controls is an acceptable practice and does not present any conflicts of interest.
Compliance with security policies and standards is the responsibility of:
A.the information security manager.
B.executive management.
C.the compliance officer.
D.all organizational units.
D is the correct answer.
Justification
The information security manager usually has some responsibility for monitoring and assessing security compliance, but enforcement is typically the responsibility of the unit management or human resources.
Executive management normally monitors compliance.
Compliance officers are usually concerned with legal and regulatory compliance issues such as privacy.
Compliance responsibilities are usually shared across organizational units and the results shared with executive management and the board of directors’ audit or compliance committee.
Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken?
A.Information security officer
B.Security steering committee
C.Data owner
D.Data custodian
B is the correct answer.
Justification
The information security officer supports and implements information security for senior management.
Routine administration of all aspects of security is delegated, but the security steering committee must retain overall responsibility.
The data owner is responsible for categorizing data security requirements.
The data custodian supports and implements information security as directed.
Serious security incidents typically lead to renewed focus on information security by management. To BEST use this attention, the information security manager should make the case for:
A.improving integration of business and information security processes.
B.increasing information security budgets and staffing levels.
C.developing tighter controls and stronger compliance efforts.
D.acquiring better supplemental technical security controls.
A is the correct answer.
Justification
Close integration of information security governance with overall enterprise governance is likely to provide better long-term security by institutionalizing its activities and increasing visibility in all enterprise activities.
Increased budgets and staff may improve security, but they will not have the same beneficial impact as incorporating security into the strategic levels of the enterprise’s operations.
Control strength and compliance efforts must be balanced against business requirements, culture and other enterprise factors that are best accomplished at governance levels.
While technical security controls may improve some aspects of security, they will not address management issues nor provide enduring changes that are needed for an overall improvement of the enterprise security posture.
From an information security manager perspective, what is an immediate benefit of clearly defined roles and responsibilities?
A.Enhanced policy compliance
B.Improved procedure flows
C.Segregation of duties
D.Better accountability
D is the correct answer.
Justification
Defining roles and responsibilities does not by itself improve policy compliance without proper monitoring and enforcement of accountability.
Procedure flows are not necessarily affected by defining roles and responsibilities.
Segregation of duties is more likely to occur as a result of policy compliance enforcement than simply defining roles and responsibilities, although that is a necessary first step.
Defining roles and responsibilities makes it clear who is accountable for performance and outcomes.
To justify its ongoing information security budget, which of the following would be of MOST use to the information security department?
A.Security breach frequency
B.Annual loss expectancy
C.Cost-benefit analysis
D.Peer group comparison
C is the correct answer.
Justification
The frequency of information security breaches may assist in justifying the budget but is not of much use because it only illustrates the volume of incidents and does not provide information about the benefits from the expenditure.
Annual loss expectancy does not address the potential benefit of information security investment.
Cost-benefit analysis is the best way to justify the information security budget.
Peer group comparison would provide support for the necessary information security budget, but it would not take into account the specific needs and activities of the enterprise.
Which of the following roles is responsible for ensuring that information is classified?
A.Senior management
B.The security manager
C.The data owner
D.The data custodian
C is the correct answer.
Justification
Senior management is ultimately responsible for the enterprise.
The security manager is responsible for applying security protection relative to the level of classification specified by the owner.
The data owner is responsible for applying the proper classification to the data.
The technology group is delegated the custody of the data by the data owner, but the group does not classify the information.
Which of the following situations must be corrected FIRST to ensure successful information security governance within an enterprise?
A.The information security department has difficulty filling vacancies.
B.The chief operating officer approves security policy changes.
C.The information security oversight committee only meets quarterly.
D.The data center manager has final sign-off on all security projects.
D is the correct answer.
Justification
Difficulty in filling vacancies is not uncommon due to the shortage of qualified information security professionals.
It is important to have senior management, such as the chief operating officer, approve security policies to ensure they meet management intent and direction.
It is not inappropriate for an oversight or steering committee to meet quarterly.
A steering committee should be in place to approve all security projects. The fact that the data center manager has final sign-off for all security projects indicates that a steering committee is not being used and that information security is relegated to a subordinate place in the enterprise. This would indicate a failure of information security governance and would need to be corrected first.
An enterprise’s board of directors is concerned about recent fraud attempts that originated over the Internet. What action should the board take to address this concern?
A.Direct information security operations regarding specific solutions that are needed to address the risk.
B.Research solutions to determine appropriate actions for the enterprise.
C.Take no action; information security does not report to the board.
D.Direct executive management to assess the risk and to report the results to the board.
D is the correct answer.
Justification
The board does not direct security operations, which are delegated to executive management.
The board would not research solutions but might direct executive management to do so.
Taking no action would not be a responsible course of action.
The board would typically direct executive management to assess the risk and report results to enable informed decision-making.
Which of the following BEST indicates senior management commitment toward supporting information security?
A.Assessment of risk to the assets
B.Approval of risk management methodology
C.Review of inherent risk to information assets
D.Review of residual risk for information assets
B is the correct answer.
Justification
An assessment of risk to assets by itself does not indicate senior management commitment and support for information security.
Management sign-off on risk management methodology is the best indicator of support and commitment to information security, as it demonstrates management involvement in control design.
A review of inherent risk to information assets is not an indication of senior management commitment and support for information security.
Reviewing residual risk may be a step in gaining commitment and support for information security but by itself is not sufficient.
What is the MAIN risk when there is no user management representation on the information security steering committee?
A.Functional requirements are not adequately considered.
B.User training programs may be inadequate.
C.Budgets allocated to business units are not appropriate.
D.Information security plans are not aligned with business requirements.
D is the correct answer.
Justification
Functional requirements and user training programs are parts of project development and are not the main risk.
Specifics of training programs are usually not under the purview of the steering committee; training is an operational/delivery issue to be managed by the team or person responsible for the program.
The information security steering committee does not have the mandate to approve budgets for business units.
The steering committee is responsible for the execution of the information security strategy; lacking representation of user management, the committee may miss consideration of the impact on productivity and the need for adequate user controls.
In which of the following areas are data owners PRIMARILY responsible for establishing risk mitigation?
A.Platform security
B.Entitlement changes
C.Intrusion detection
D.Antivirus controls
B is the correct answer.
Justification
Platform security is usually the responsibility of the information security manager.
Data owners are responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Intrusion detection is the responsibility of the information security manager.
Antivirus controls are the responsibility of the information security manager.
Which of the following is characteristic of decentralized information security management across a geographically dispersed enterprise?
A.More uniformity in quality of service
B.Better adherence to policies
C.Better alignment with business unit needs
D.More savings in total operating costs
C is the correct answer.
Justification
Uniformity in quality of service tends to vary from unit to unit.
Adherence to policies is likely to vary considerably between various business units.
Decentralization of information security management generally results in better alignment with business unit needs because security management is closer to the end user and can be cognizant of the local risk and threat scenario.
Decentralization of information security management is generally more expensive to administer due to the lack of economies of scale.
An enterprise’s information security manager is planning the structure of the information security steering committee. Which of the following groups should the manager invite?
A.External audit and network penetration testers
B.Board of directors and the enterprise’s regulators
C.External trade union representatives and key security vendors
D.Leadership from IT, human resources and the sales department
D is the correct answer.
Justification
External audit may assess and advise on the program, and testers may be used by the program; however, they are not appropriate steering committee members.
The steering committee needs to have practitioner-level executive representation. It may report to the board, but board members would not generally be part of the steering committee, except for its executive sponsor. Regulators would not participate in this committee.
External trade union representatives and key security vendors are entities that may need to be consulted as part of program activities, but they would not be members of the steering committee.
Leaders from IT, human resources and sales are some key individuals who must support an information security program.
Senior management commitment and support for information security can BEST be enhanced through:
A.a formal security policy sponsored by the chief executive officer.
B.regular security awareness training for employees.
C.periodic review of alignment with business management goals.
D.senior management sign-off on the information security strategy.
C is the correct answer.
Justification
Although having the chief executive officer sign-off on the security policy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior management.
Security awareness training for employees will not have as much effect on senior management commitment as alignment with business goals.
Ensuring that security activities continue to be aligned and support business goals is critical to obtaining enhanced management support. Periodic review of security activities will provide regular visibility to senior management.
Although having senior management sign-off on the security strategy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior management.
Which of the following is characteristic of centralized information security management?
A.More expensive to administer
B.Better adherence to policies
C.More responsive to business unit needs
D.Faster turnaround of requests
B is the correct answer.
Justification
Centralized information security management is generally less expensive to administer due to the economies of scale.
Centralization of information security management results in greater uniformity and better adherence to security policies.
With centralized information security management, information security is typically less responsive to specific business unit needs due to greater separation and more bureaucracy between the information security department and end users.
With centralized information security management, turnaround can be slower due to greater separation and more bureaucracy between the information security department and end users.
In an enterprise, information systems security is the responsibility of:
A.all personnel.
B.information systems personnel.
C.information systems security personnel.
D.functional personnel.
A is the correct answer.
Justification
All personnel of the enterprise have the responsibility of ensuring information system security—including those with indirect responsibility, such as those dealing with physical security.
Information systems security cannot be the sole responsibility of information systems personnel because they cannot ensure security across the entire enterprise.
Information systems security cannot be the sole responsibility of information systems security personnel because they must rely on numerous other departments to ensure security and must have the buy-in and cooperation of all personnel.
Information systems security cannot be the responsibility of functional personnel alone because they have limited authority and must count on other personnel to collectively ensure security.
Which of the following would be the BEST indicator of effective information security governance within an enterprise?
A.The steering committee approves security projects.
B.Security policy training is provided to all managers.
C.Security training is available to all employees on the intranet.
D.IT personnel are trained in testing and applying required patches.
A is the correct answer.
Justification
The existence of a steering committee that approves all security projects is the best indicator of an effective governance program. To ensure that all stakeholders impacted by security considerations are involved, many enterprises use a steering committee comprised of senior representatives of affected groups. This composition helps to achieve consensus on priorities and trade-offs and serves as an effective communication channel for ensuring the alignment of the security program with business objectives.
Security policy training for all managers is important at all levels of the enterprise but it is not the best indicator of effective governance. The training program should be guided and approved as a security project by the steering committee.
The availability of security training to all over the intranet, while beneficial to the overall security program, is not the best indicator of effective governance, as it is an operational activity in information security. Security training should be guided and approved as a security project by the steering committee.
Even enterprises with little overall governance may be effective in patching systems in a timely manner; this is not the best indicator of effective governance. Testing and applying patches is an operational activity in information security and not part of governance.
The data access requirements for an application should be determined by the:
A.legal department.
B.compliance officer.
C.information security manager.
D.business owner.
D is the correct answer.
Justification
The legal department can advise but does not have final responsibility, as it may not be familiar with the roles and responsibilities within the department.
The compliance officer can advise but does not have final responsibility, as the compliance officer may not be familiar with the roles and responsibilities within the department.
The information security manager can advise but does not have final responsibility, as the information security manager may not be familiar with the roles and responsibilities within the department.
Since business owners are ultimately responsible for their applications and data, they should determine data access requirements.
What will have the HIGHEST impact on standard information security governance models?
A.Number of employees
B.Distance between physical locations
C.Complexity of organizational structure
D.Organizational budget
C is the correct answer.
Justification
The number of employees has little or no effect on standard information security governance models.
The distance between physical locations has little or no effect on standard information security governance models.
Information security governance modeling is highly dependent on the overall organizational structure. Some elements of organizational structure that impact information security governance are multiple missions and functions across the enterprise, leadership and lines of communication.
The organizational budget may have some impact on suitable governance models depending on the one chosen because implementation of some models might not be economically viable.
An enterprise that appoints a chief information security officer:
A.improves collaboration among the ranks of senior management.
B.acknowledges a commitment to legal responsibility for information security.
C.infringes on the governance role of the board of directors.
D.enhances the financial accountability of technology projects.
B is the correct answer.
Justification
Whether senior managers collaborate is not substantially influenced by the presence or absence of a chief information security officer (CISO).
Appointing a CISO creates a clear line of responsibility for information security. Due to the scope and breadth of information security, the required authority and responsibility should be assigned to a chief officer in recognition of the enterprise’s commitment.
The board of directors retains its governance role regardless of whether a CISO is formally designated.
The CISO is typically not associated with financial accountability for technology projects.
Who should PRIMARILY provide direction on the impact of new regulatory requirements that may lead to major application system changes?
A.The internal audit department
B.System developers/analysts
C.Key business process owners
D.Corporate legal counsel
C is the correct answer.
Justification
Internal auditors would not be in a good position to fully understand all the business ramifications.
System developers would not be aware of the impact on business operations.
Business process owners are in the best position to understand how new regulatory requirements may affect their systems.
Legal counsel would not be in a position to understand the ramifications.
The MOST important outcome of aligning information security governance with corporate governance is to:
A.show that information security understands the rules.
B.provide regulatory compliance.
C.maximize the cost-effectiveness of controls.
D.minimize the number of rules and regulations required.
C is the correct answer.
Justification
While it is important that information security understands the corporate rules, that is not the main reason for alignment.
Regulatory compliance is not a primary driver in governance alignment.
Corporate governance includes a structure and rules that in most cases are related to managing various types of risk. A lack of alignment can result in duplicate or contradictory controls, which negatively impact cost-effectiveness.
Minimizing the number of rules is helpful; however, it is just one element of achieving cost-effectiveness.
Responsibility for information security and related activities involves multiple departments. What is the PRIMARY reason the information security manager should develop processes that integrate these roles and responsibilities?
A.To mitigate the tendency for security gaps to exist between assurance functions
B.To reduce manpower requirements for providing effective information security
C.To ensure effective business continuity and disaster recovery
D.To simplify specification development and acquisition processes
A is the correct answer.
Justification
Wherever multiple departments have shared responsibility for related activities, gaps tend to emerge or there can be unneeded duplication of activities. Integrating the roles and responsibilities is the best way to mitigate these gaps, minimize duplication and ensure consistent risk management.
Integrating roles and responsibilities may allow for reductions in manpower, but this is not the driving consideration of integration.
Integrating roles and responsibilities may allow for more effective business continuity and disaster recovery, but this is just one of the considerations for integration.
Specifications and acquisition may not be affected, depending on the particular needs of each department involved.
Who is in the BEST position to determine the level of information security needed for a specific business application?
A.The system developer
B.The information security manager
C.The system custodian
D.The data owner
D is the correct answer.
Justification
The system developer will have specific knowledge in limited areas but will not have full knowledge of the business issues that affect the level of security required.
The security manager’s responsibility is to ensure that the level of protection required by the data owner is provided.
The custodian provides the level of protection required by the owner.
Data owners are the most knowledgeable of the security needs of the business application for which they are responsible.
Who is ultimately responsible for an enterprise’s information?
A.Data custodian
B.Chief information security officer
C.Board of directors
D.Chief information officer
C is the correct answer.
Justification
The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department.
The chief information security officer is responsible for security operations and management and for carrying out senior management’s directives.
Responsibility for all organizational assets, including information, falls to the board of directors, which is tasked with responding to issues that affect information protection.
The chief information officer is responsible for information technology within the enterprise but is not ultimately legally responsible for an enterprise’s information.
An enterprise has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage cross-training. Which type of authorization policy would BEST address this practice?
A.Multilevel
B.Role-based
C.Discretionary
D.Mandatory
B is the correct answer.
Justification
Multilevel policies are based on classifications and clearances.
A role-based policy will associate data access with the role performed by an individual, thus restricting access to data required to perform the individual’s tasks.
Discretionary policies leave access decisions to be made by the information resource managers.
Mandatory access control requires a clearance equal to or greater than the classification level of the asset. It generally also includes the need to know.
Who should approve user access in business-critical applications?
A.The information security manager
B.The data owner
C.The data custodian
D.Business management
B is the correct answer.
Justification
An information security manager will coordinate and execute the implementation of the role-based access control.
Data owners are in the best position to validate access rights to users due to their deep understanding of business requirements and of functional implementation within the application. This responsibility should be enforced by the policy.
A data custodian will ensure that proper safeguards are in place to protect the data from unauthorized access; it is not the data custodian’s responsibility to assign access rights.
Business management is not, in all cases, the owner of the data.
It is essential for the board of directors to be involved with information security activities primarily because of concerns regarding:
A.technology.
B.liability.
C.compliance.
D.strategy.
B is the correct answer.
Justification
The board is typically not essential in selecting particular technical solutions.
The insurance policies that enterprises typically obtain to shield owners and key stakeholders from liability frequently require a good-faith effort on the part of the board to exercise due care as a precondition for coverage. If the board is not involved, this liability protection may be lost.
Compliance is addressed as part of the risk management program.
The board sets goals, for which strategies are then developed by senior management or subordinate steering committees.
After completing a full IT risk assessment, who is in the BEST position to decide which mitigating controls should be implemented?
A.Senior management
B.The business manager
C.The IT audit manager
D.The information security officer
B is the correct answer.
Justification
Senior management will have to ensure that the business manager has a clear understanding of the risk assessed, but it will not be in a position to decide on specific controls.
The business manager will be in the best position, based on the risk assessment and mitigation proposals, to decide which controls to implement, in line with the business strategy and budget.
The IT audit manager will take part in the process of identifying threats and vulnerabilities and make recommendations for mitigation.
The information security officer could make some decisions regarding implementation of controls. However, the business manager will have a broader business view and better understanding of control impact on the business goals and, therefore, will be in a better position to make strategic decisions.
The MOST appropriate role for senior management in supporting information security is the:
A.evaluation of vendors offering security products.
B.assessment of risk to the enterprise.
C.approval of policy statements and funding.
D.development of standards sufficient to achieve acceptable risk.
C is the correct answer.
Justification
Evaluation of vendors is the responsibility of the information security manager, not a role for senior management in supporting information security. Senior management may be involved in vendor evaluation in some enterprises, but its primary role is in setting the enterprise’s business direction, oversight and governance.
Assessment of risk is the responsibility of the information security manager and this is not a role for senior management in supporting information security.
Policies are a statement of senior management intent and direction that should be approved by senior management. It should also provide sufficient funding to achieve the enterprise’s information security objectives. This is the most appropriate role for senior management in supporting information security.
The development of standards that meet the policy intent is typically a function of the information security manager and this is not a role for senior management in supporting information security.
Which of the following is MOST likely to be responsible for establishing the information security requirements over an application?
A.IT steering committee
B.Data owner
C.System owner
D.IT auditor
B is the correct answer.
Justification
The IT steering committee is an executive management–level committee that assists in the delivery of the IT strategy, oversees day-to-day management of IT service delivery and IT projects, and focuses on implementation aspects.
Data owners determine the level of controls deemed necessary to secure data and the applications that store or process the data.
System owners are responsible for platforms, rather than for applications or data.
The IT auditor evaluates the adequacy, efficiency and effectiveness of controls.
Which of the following is the MOST appropriate task for a chief information security officer to perform?
A.Update platform-level security settings.
B.Conduct disaster recovery test exercises.
C.Approve access to critical financial systems.
D.Develop an information security strategy.
D is the correct answer.
Justification
Updating platform-level security settings would typically be performed by lower-level personnel because this is a basic task for IT administrators.
Conducting disaster recovery test exercises would typically be performed by operational personnel belonging to the BCP/DR teams and various functions.
Approving access to critical financial systems would be the responsibility of the data owner.
Developing a strategy for information security would be the most appropriate task for the chief information security officer.
After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program?
A.Define security metrics.
B.Conduct a risk assessment.
C.Perform a gap analysis.
D.Procure security tools.
B is the correct answer.
Justification
Defining security metrics should take place after control objectives are determined and a strategy is developed.
When establishing an information security program, conducting a risk assessment is key to identifying the needs of the enterprise and developing a security strategy.
A gap analysis would be used after the desired state of security and the current state are determined to assess what needs to be done to fill the gap.
Procuring security tools is a subsequent consideration.
Business objectives should be evident in the security strategy by:
A.inferred connections.
B.standardized controls.
C.managed constraints.
D.direct traceability.
D is the correct answer.
Justification
Inferred connections to business objectives are not as good as traceable connections.
Standardized controls may or may not be relevant to a particular business objective.
Managing constraints on its own is less useful than managing constraints while also defining the explicit business benefits.
The security strategy is most useful if there is a direct traceable connection with business objectives.
Effective strategic alignment of the information security program requires:
A.active participation by a steering committee.
B.creation of a strategic planning business unit.
C.regular interaction with business owners.
D.acceptance of cultural and technical limitations.
C is the correct answer.
Justification
Active participation by a steering committee made up of business owners or their delegates is one way to accomplish strategic alignment, but a steering committee is not the only way to achieve this goal.
If an enterprise has a strategic planning business unit, active participation in its activities may provide insight into future business directions and ensure that security considerations are included in the planning process, but strategic alignment of the information security program does not require creation of such a unit.
Alignment of the information security program requires an understanding of business plans and objectives as determined by business owners. Although the method of achieving regular interaction with business owners can vary based on the size and structure of an enterprise, the interaction itself is a requirement.
Alignment of an information security program must take into account culture and existing technology, but information security supports the business objectives of the enterprise, which may include changes to the culture and technology currently in place. These aspects of the enterprise should not be accepted as foundations for program alignment when they are misaligned with business objectives.
Systems thinking as it relates to information security is:
A.a prescriptive methodology for designing the systems architecture.
B.an understanding that the whole is greater than the sum of its parts.
C.a process that ensures alignment with business objectives.
D.a framework for information security governance.
B is the correct answer.
Justification
While systems thinking is essential to developing a sound systems architecture, it is not a prescriptive approach.
A systems approach for developing information security includes the understanding that the whole is more than the sum of its parts, and that changes in any one part affect the rest.
Alignment with business objectives is one of the desired outcomes, but systems thinking does not ensure it.
Systems thinking is not a framework for information security governance, although the systems approach can be helpful in implementing an effective information security governance framework and information security management program.
The MOST useful way to describe the objectives in the information security strategy is through:
A.attributes and characteristics of the desired state.
B.overall control objectives of the security program.
C.mapping the IT systems to key business processes.
D.calculation of annual loss expectations.
A is the correct answer.
Justification
The security strategy will typically cover a wide variety of issues, processes, technologies and outcomes that can best be described by a set of desired characteristics and attributes.
Control objectives are a function of acceptable risk determination and one part of strategy development, but the desired state of the information security function is a better tool.
Mapping IT to key business processes must occur as one part of strategy implementation but it is an operational activity and not a way to describe strategy objectives.
Calculation of annual loss expectations is not a way to describe the objectives in the information security strategy.
The PRIMARY goal of developing an information security strategy is to:
A.establish security metrics and performance monitoring.
B.educate business process owners regarding their duties.
C.ensure that legal and regulatory requirements are met.
D.support the business objectives of the enterprise.
D is the correct answer.
Justification
Establishing security metrics and performance monitoring is very important to the extent that they indicate the achievement of security objectives, but this is only one aspect of the primary requirement to support business objectives.
Educating business process owners is subordinate to supporting the business objectives and is only incidental to developing an information security strategy.
Meeting legal and regulatory requirements is just one of the objectives of the strategy needed to support business objectives.
The purpose of information security in an enterprise is to assist the enterprise in achieving its objectives; supporting those objectives is therefore the primary goal of an information security strategy.
The purpose of an information security strategy is to:
A.express the goals of an information security program and the plan to achieve them.
B.outline the intended configuration of information system security controls.
C.mandate the behavior and acceptable actions of all information system users.
D.authorize the steps and procedures necessary to protect critical information systems.
A is the correct answer.
Justification
The purpose of the strategy is to set out the goals of the information security program and the plan to achieve those objectives.
A strategy is usually too high level to deal specifically with control configuration.
Some elements of strategy may deal with required behaviors and actions, but it will not be a mandate; rather, it will be part of a process to achieve a particular objective.
Strategy will not deal with authorizing specific actions.
To ensure effective information security governance, the FIRST activity that an enterprise would perform is:
A.establishing and maintaining an IT governance framework.
B.implementing policies and procedures that address the security strategy.
C.gaining a clear understanding of its organizational objectives.
D.developing a well-rounded security strategy.
C is the correct answer.
Justification
An IT governance framework guides the development and management of a comprehensive information security program that supports clear and identified organizational objectives.
Policies and procedures should be implemented after defining information security governance objectives.
Information security governance aligns all security initiatives, plans and activities with the enterprise’s strategic goals. Governance assures resources are optimized for achieving the enterprise’s objectives. Therefore, understanding the organizational objectives would be the first step in effective information security governance.
A security strategy is developed after the establishment of clear organizational objectives.
To implement information security governance, an enterprise should FIRST:
A.adopt security standards.
B.determine security baselines.
C.define the security strategy.
D.establish security policies.
C is the correct answer.
Justification
Adopting suitable security standards implements the intent of the policies and is not the first step; it follows the development of policies that support the strategy.
Security baselines are established as a result of determining acceptable risk. Determining them is not the first step in implementing information security governance; acceptable risk is a requirement that is taken up before strategy development.
Security governance is based on the information security strategy, which is the first step in the implementation. An information security strategy that meets and supports business objectives must be developed first.
Policies are an instrument for governance and are developed to support the strategy; policies are not the first among activities undertaken to implement information security governance.
Where should resource requirements for information security initially be identified?
A.In policies
B.In the architecture
C.In the strategy
D.In procedures
C is the correct answer.
Justification
Policies may specify some requirements, but policies are developed during implementation of the strategy.
The architecture must implement the policies and standards.
The strategy must initially define the requirements for the resources necessary to implement the program. This is different from the tactical detail level necessary to identify specific resources.
Procedures will define resource acquisition processes but will not specify requirements.
Which of the following factors is the MOST important for determining the success of an information security strategy?
A.It is approved by the chief technology officer.
B.It is aligned with the long-term IT plan.
C.It is aligned with goals set by the board of directors.
D.It is supported by key performance indicators.
C is the correct answer.
Justification
The chief technology officer will support the strategy but is not the person who would generally approve it.
The long-term IT plan in part implements the information security strategy.
The strategy is the plan to achieve objectives. The board of directors sets the objectives.
Key performance indicators are used to measure the milestones necessary to achieve goals.
Which of the following is MOST appropriate for inclusion in an information security strategy?
A.Business controls designated as key controls
B.Security processes, methods, tools and techniques
C.Firewall rule sets, network defaults and intrusion detection system settings
D.Budget estimates to acquire specific security tools
B is the correct answer.
Justification
Key business controls are only one part of a security strategy and must be related to business objectives.
A set of security objectives supported by processes, methods, tools and techniques constitutes a security strategy.
Firewall rule sets, network defaults and intrusion detection system settings are technical details subject to periodic change and are not appropriate content for a strategy document.
Budgets will generally not be included in an information security strategy. Additionally, until the information security strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available.
Which of the following is MOST likely to remain constant over time? An information security:
A.policy.
B.standard.
C.strategy.
D.procedure.
C is the correct answer.
Justification
Policies do not change as frequently as procedures and standards; however, security policies do change to adjust to new regulations or laws, to respond to organizational changes, or to address emerging technology trends. These changes do not typically require adjustments to the information security strategy.
Standards change more frequently because they must often be adjusted to allow for changes in technology and business processes.
Of the choices provided, the information security strategy is the least likely to change. An information security strategy is a reflection of high-level objectives and the direction of the security program, as dictated by business leadership. Information security policies, standards and procedures are derived from the information security strategy.
Procedures change more frequently because they must often be adjusted to allow for changes in technology and business processes.
Which of the following is the MOST important consideration when developing an information security strategy?
A.Supporting business objectives
B.Maximizing the effectiveness of available resources
C.Ensuring that legal and regulatory constraints are addressed
D.Determining the effect on the organizational roles and responsibilities
A is the correct answer.
Justification
The overall objective of an information security strategy is to support business objectives and activities and minimize disruptions.
Maximizing the effectiveness of resources is one of the factors in developing a strategy but is secondary to supporting organizational activities.
The strategy must consider legal and regulatory requirements, but they are just one category of potential impact considerations.
Organizational structure affects the approaches to developing a strategy but is just one of the considerations.
Which of the following is the MOST important information to include in a strategic plan for information security?
A.Information security staffing requirements
B.Current state and desired future state
C.IT capital investment requirements
D.Information security mission statement
B is the correct answer.
Justification
Staffing requirements stem from the implementation time lines and requirements of the strategic plan.
It is most important to present a vision for the future and then create a road map from the current state to the desired future state based on a gap analysis that will identify the requirements to achieve the future state.
IT capital investment requirements are generally not determined at the strategic plan level but rather from a financial assessment and operational evaluation of the capital assets required to achieve the objectives of the strategic plan.
The mission statement is typically a short, high-level aspirational statement of overall organizational objectives and only directly affects the information security strategy by setting the context.
Which of the following reasons is the MOST important to develop a strategy before implementing an information security program?
A.To justify program development costs
B.To integrate development activities
C.To gain management support for an information security program
D.To comply with international standards
B is the correct answer.
Justification
Justification for program costs will need to be established prior to developing the strategy and is more likely based on a business case than on the strategy.
A strategy is a plan to achieve an objective that serves to align and integrate program activities to achieve the defined outcomes.
Management support will need to be achieved prior to developing the strategy and is more likely based on a business case than on the strategy.
Compliance with international standards, such as International Organization for Standardization (ISO) 27001, does not necessarily require a cohesive plan of action or strategy and can be done piecemeal. If meeting the standard is one of the objectives, a strategy should encompass the actions needed to meet those requirements.
Who can BEST advocate the development of and ensure the success of an information security program?
A.Internal auditor
B.Chief operating officer
C.Steering committee
D.IT management
C is the correct answer.
Justification
An internal auditor is a good advocate but is secondary to the influence of senior management.
The chief operating officer will be a member of the steering committee.
Senior management represented in the security steering committee is in the best position to advocate the establishment of, and continued support for, an information security program.
IT management has a lesser degree of influence and would also be part of the steering committee.
Business goals define the strategic direction of the enterprise. Functional goals define the tactical direction of a business function. Security goals define the security direction of the enterprise. What is the MOST important relationship between these concepts?
A.Functional goals should be derived from security goals.
B.Business goals should be derived from security goals.
C.Security goals should be derived from business goals.
D.Security and business goals should be defined independently of each other.
C is the correct answer.
Justification
Functional goals and security goals need to be aligned at the operational level, but neither is derived from the other.
Security is not an end in itself and should serve the overall business goals. As such, business goals are not derived from security goals.
Security goals should be derived from business goals, which are developed based on the overall business strategy. This is the most important relationship, as it depends on business strategy defined by top management.
If security goals are defined independently of business goals, the security function would not support the overall business strategy, or it might hinder the achievement of overall business objectives.
In implementing information security governance, the information security manager is PRIMARILY responsible for:
A.developing the security strategy.
B.reviewing the security strategy.
C.communicating the security strategy.
D.approving the security strategy.
A is the correct answer.
Justification
The information security manager is responsible for developing a security strategy based on business objectives with the inputs from business process owners.
Reviewing the security strategy is the responsibility of a steering committee or top management.
The information security manager is not necessarily responsible for communicating the security strategy.
Management or the security steering committee has the responsibility to approve and fund the security strategy implementation.
Strategic alignment is PRIMARILY achieved when services provided by the information security department:
A.reflect the requirements of key business stakeholders.
B.reflect the desires of the IT executive team.
C.reflect the requirements of industry good practices.
D.are reliable and cost-effective.
A is the correct answer.
Justification
Information security exists to minimize business disruptions and support the achievement of organizational objectives. When the services provided reflect the requirements of key business stakeholders, alignment is primarily achieved.
The IT executive team is just one of the stakeholders, and its desires may not reflect the requirements of the rest of the enterprise.
Good practices may be excessive or insufficient for a particular enterprise and do not ensure alignment of information security with business.
Services should be reliable and cost-effective but that would not ensure alignment with business objectives.
The PRIMARY objective for information security program development should be:
A.creating an information security strategy.
B.establishing incident response procedures.
C.implementing cost-effective security solutions.
D.reducing the impact of risk on the business.
D is the correct answer.
Justification
An information security strategy is important for creating the information security program and cannot be its objective.
Establishing incident response procedures is important, and it is a component of an information security program but not its primary objective.
Cost-effective security solutions are essential but are not the objective of security program development.
Reducing risk to and impact on the business is the most important objective of an information security program.
When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:
A.aligned with the IT strategic plan.
B.based on the current rate of technological change.
C.three to five years for both hardware and software.
D.aligned with the business strategy.
D is the correct answer.
Justification
Any planning for information security should be properly aligned with the needs of the business, not necessarily the IT strategic plan.
Technology needs should not come before the needs of the business, and one cannot base the information security strategy on the current rate of technological change without ascertaining whether it aligns with business needs.
Planning should not be done on an artificial timetable that ignores business needs—a timeline of three to five years needs to be justified and seems to be arbitrary.
Any plans for information security should be aligned with the business strategy.
Which of the following elements is MOST important when developing an information security strategy?
A.Defined objectives
B.Time frames for delivery
C.Adoption of a control framework
D.Complete policies
A is the correct answer.
Justification
Without defined objectives, the information security strategy and plan to achieve objectives cannot be developed, so defined objectives are the most important element.
Time frames for delivery are important but not critical in the strategy document development process.
The adoption of a control framework is not critical prior to developing an information security strategy.
Policies are developed during and after strategy implementation; they are not prerequisites for developing the information security strategy.
Which of the following is MOST important in developing a security strategy?
A.Creating a positive security environment
B.Understanding key business objectives
C.Having a reporting line to senior management
D.Allocating sufficient resources to information security
B is the correct answer.
Justification
A positive security environment (culture) enables successful management of the security implementation but is not important in developing a security strategy.
Understanding key business objectives is most important in developing a security strategy because the business strategy drives security.
A reporting line to senior management is not important in developing a security strategy. It is needed to ensure senior management is informed about security initiatives and to ensure its commitment.
Allocation of resources is a factor of high importance in the development of a security strategy.
Which of the following is the MOST important consideration when developing an information security strategy?
A.Resources available to implement the program
B.Compliance with legal and regulatory constraints
C.Effectiveness of risk mitigation
D.Resources required to implement the strategy
C is the correct answer.
Justification
The availability of resources is a factor in developing and implementing the program but is not a consideration for developing an information security strategy.
Legal and regulatory requirements should be considered in the strategy to the extent management determines the appropriate level of compliance, but it is not the most important consideration.
Effectively managing information risk to acceptable levels (in alignment with the business objectives) is the most important overall consideration of an information security strategy.
The resource requirements to implement the strategy are a consideration, but a secondary one.
Which of the following is the MOST important outcome of an information security strategy?
A.Consistent policies and standards
B.Ensuring that residual risk is at an acceptable level
C.An improvement in the threat landscape
D.Controls consistent with international standards
B is the correct answer.
Justification
Consistency of document design facilitates maintenance, while consistency of document content across units and entities ensures that documents are applied uniformly; consistency does not ensure alignment with business objectives.
Residual risk is the remaining risk after management has implemented a risk response or treatment. An important objective of a security strategy is to implement cost-effective controls that ensure that residual risk remains within the enterprise’s acceptable risk and tolerance levels.
Most threats cannot be affected by policy; however, risk likelihood and impact can be affected.
Standard controls may or may not be relevant to a particular business objective.
Which of the following is the MOST important step in developing a cost-effective information security strategy that is aligned with business requirements?
A.Identification of information assets and resource ownership
B.Valuation of information assets
C.Determination of clearly defined objectives
D.Classification of assets as to criticality and sensitivity
C is the correct answer.
Justification
Identification of information assets and asset ownership is a good starting point for implementing an information security strategy. However, having a clear objective is essential.
Valuation of information assets is best performed after the asset inventory has been compiled and the asset owners are assigned. Asset owners generally classify assets according to the enterprise’s asset classification scheme, so valuation depends on steps that follow the definition of objectives.
Determining the objectives of information security provides the basis for a plan to achieve those objectives, which is the definition of a strategy.
Asset classification represents the business value of the asset to the enterprise and is the basis for the required protection levels.
Which of the following would be the FIRST step in launching an information security governance program?
A.Documenting information security policy
B.Defining organizational objectives
C.Inventorying business applications
D.Establishing security awareness
B is the correct answer.
Justification
Policy is an executive mandate on strategy to achieve objectives, so the objectives must be established first.
Just as any organizational support program exists to achieve organizational objectives, an information security program must begin with a complete and accurate description of those objectives.
While an inventory of business applications may be useful in establishing a security program, enumerating organizational objectives should be completed at an earlier stage in order to define the critical business functions.
Security awareness should be customized to organizational requirements and roles and responsibilities, so it relies on prerequisite strategy and policy based on organizational objectives.
A newly appointed information security manager has been asked to redefine information security requirements because senior management is unhappy with the current state of information security. Which of the following choices would the information security manager consider MOST critical?
A.An industry framework
B.The business strategy
C.The technology infrastructure
D.User competencies
B is the correct answer.
Justification
Industry frameworks are useful in improving security implementation to the extent that they align with and support business objectives.
The most critical factor to be considered in defining information security requirements is the business strategy because everything that the business does—including information security—is only done for the sake of pursuing the business strategy.
The technology infrastructure does not drive security requirements. It needs to be considered while implementing security, but if the current infrastructure cannot support information security requirements that are aligned with the business strategy, then the infrastructure itself will need to be reevaluated.
User competencies reflect a current state and may be useful in mapping a path forward for the lowest cost, but competencies can be enhanced by providing training to bring users to the required level. The business strategy is the driver of information security requirements (and all other activities).
Information security governance is PRIMARILY driven by:
A.technology constraints.
B.regulatory requirements.
C.litigation potential.
D.business strategy.
D is the correct answer.
Justification
Technology constraints are not the primary drivers for information security governance, though they may be considered in developing governance and planning the strategy.
Regulatory requirements are not the primary drivers of information security governance, though these requirements are addressed by governance and may affect how the governance strategy develops.
Litigation potential is usually an aspect of liability risk and a consideration for information security governance but it is not a primary driver.
Business strategy is the primary driver of information security governance because security must align with the business objectives of the enterprise, as set forth in the business strategy.
The FIRST step in developing an information security management program is to:
A.identify business risk that affects the enterprise.
B.establish the need for creating the program.
C.assign responsibility for the program.
D.assess adequacy of existing controls.
B is the correct answer.
Justification
The task of identifying business risk that affects the enterprise is assigned and acted on after establishing the need for creating the program.
In developing an information security management program, the first step is to establish the need for creating the program. This is a business decision based more on judgment than on any specific quantitative measures. The other choices are assigned and acted on after the need is established.
The task of assigning responsibility for the program follows establishing the need for creating the program.
The task of assessing the adequacy of existing controls follows establishing the need for creating the program.
Business goals define the strategic direction of the enterprise. Functional goals define the tactical direction of a business function. Security goals define the security direction of the enterprise. What is the MOST important relationship between these concepts?
A.Functional goals should be derived from security goals.
B.Business goals should be derived from security goals.
C.Security goals should be derived from business goals.
D.Security and business goals should be defined independently of each other.
C is the correct answer.
Justification
Functional goals and security goals need to be aligned at the operational level, but neither is derived from the other.
Security is not an end in itself and should serve the overall business goals. As such, business goals are not derived from security goals.
Security goals should be derived from business goals, which are developed based on the overall business strategy. This is the most important relationship, as it depends on business strategy defined by top management.
If security goals are defined independently of business goals, the security function would not support the overall business strategy, or it might hinder the achievement of overall business objectives.
An enterprise’s information security strategy should be based on:
A.managing risk relative to business objectives.
B.managing risk to a zero level and minimizing insurance premiums.
C.avoiding occurrence of risk so that insurance is not required.
D.transferring most risk to insurers and saving on control costs.
A is the correct answer.
Justification
Enterprises must manage risk to a level that is relative to, and acceptable for, their business model, goals and objectives.
Attempting to reduce risk to zero is costly, does not generate offsetting benefit such as additional revenue, and is not cost-effective to maintain over the long term. Further, risk can never actually be reduced to zero.
Risk varies as business models, geography, regulatory requirements and operational processes change. Not all risk can be avoided, so appropriate controls will have to be implemented as part of the information security strategy.
Insurance is generally used to protect against low-probability high-impact events and requires that the enterprise have certain operational controls in place to mitigate risk in addition to generally high deductibles. Therefore, transferring most risk is not cost-effective.
Which of the following is the MOST important information to include in a strategic plan for information security?
A.Information security staffing requirements
B.Current state and desired future state
C.IT capital investment requirements
D.Information security mission statement
B is the correct answer.
Justification
Staffing requirements stem from the implementation time lines and requirements of the strategic plan.
It is most important to present a vision for the future and then create a road map from the current state to the desired future state based on a gap analysis that will identify the requirements to achieve the future state.
IT capital investment requirements are generally not determined at the strategic plan level but rather from a financial assessment and operational evaluation of the capital assets required to achieve the objectives of the strategic plan.
The mission statement is typically a short, high-level aspirational statement of overall organizational objectives and only directly affects the information security strategy by setting the context.
The PRIMARY goal of developing an information security strategy is to:
A.establish security metrics and performance monitoring.
B.educate business process owners regarding their duties.
C.ensure that legal and regulatory requirements are met.
D.support the business objectives of the enterprise.
D is the correct answer.
Justification
Establishing security metrics and performance monitoring is very important to the extent that they indicate the achievement of security objectives, but this is only one aspect of the primary requirement to support business objectives.
Educating business process owners is subordinate to supporting the business objectives and is only incidental to developing an information security strategy.
Meeting legal and regulatory requirements is just one of the objectives of the strategy needed to support business objectives.
The purpose of information security in an enterprise is to assist the enterprise in achieving its objectives, and it is the primary goal of an information security strategy.
To implement information security governance, an enterprise should FIRST:
A.adopt security standards.
B.determine security baselines.
C.define the security strategy.
D.establish security policies.
C is the correct answer.
Justification
Security standards implement the intent of the policies, so adopting them follows the development of policies that support the strategy; it is not the first step.
Security baselines are established as a result of determining acceptable risk, which itself follows strategy development; their determination is not the first step in implementing information security governance.
Security governance is based on the information security strategy, which is the first step in the implementation. An information security strategy that meets and supports business objectives must be developed first.
Policies are an instrument for governance and are developed to support the strategy; policies are not the first among activities undertaken to implement information security governance.
The MOST useful way to describe the objectives in the information security strategy is through:
A.attributes and characteristics of the desired state.
B.overall control objectives of the security program.
C.mapping the IT systems to key business processes.
D.calculation of annual loss expectations.
A is the correct answer.
Justification
The security strategy will typically cover a wide variety of issues, processes, technologies and outcomes that can best be described by a set of desired characteristics and attributes.
Control objectives are a function of acceptable risk determination and one part of strategy development, but the desired state of the information security function is a better tool.
Mapping IT to key business processes must occur as one part of strategy implementation but it is an operational activity and not a way to describe strategy objectives.
Calculation of annual loss expectations is not a way to describe the objectives in the information security strategy.
Which of the following tasks should information security management undertake FIRST while creating the information security strategy of the enterprise?
A.Understand the IT service portfolio.
B.Investigate the baseline security level.
C.Define the information security policy.
D.Assess the risk associated with IT.
A is the correct answer.
Justification
While defining the information security strategy, it is essential to align it with the business and the IT strategy. The security manager must first focus on understanding the business and the IT strategy.
Investigating baseline security is a task associated with strategy implementation.
Defining the information security policy is performed after defining security strategy.
Risk assessment is performed to determine the control objectives. It is generally performed after the security strategy is defined.
Which of the following choices would influence the content of the information security strategy to the GREATEST extent?
A.Emerging technology
B.System compromises
C.Network architecture
D.Organizational goals
D is the correct answer.
Justification
Emerging technology may help bring an enterprise up to current standards, but it may not be part of the enterprise’s goals or mission.
Handling or preventing system compromises is important, but it affects control design and implementation rather than the content of the information security strategy.
The network architecture does not shape the content of the information security strategy; it is an operational design that must support the strategy.
The information security strategy will be influenced by organizational goals, as objectives should be aligned with business.
Of the following, which is the MOST effective way to measure enterprise alignment of an information security program?
A.Track audits over time.
B.Evaluate incident losses.
C.Analyze business cases.
D.Interview business owners.
D is the correct answer.
Justification
Audit reports may indicate areas of security activity that do not optimally support the enterprise objectives, but they will not be as good an indicator as insight from business owners.
Losses may or may not be considered acceptable by the enterprise but will not be well correlated with the perception of business support.
To the extent that business cases have been developed for particular security activities, they will be a good indication of how well business requirements were considered; however, the perception of business owners will ultimately be the most important factor.
It is essential that business owners understand and support the security program and fully understand how its controls impact their activities. This can be most readily accomplished through direct interaction with business leadership.
Which of the following is MOST important to the success of an information security program?
A.Security awareness training
B.Achievable goals and objectives
C.Senior management sponsorship
D.Adequate startup budget and staffing
C is the correct answer.
Justification
Security awareness training, although important, is secondary.
Achievable goals and objectives are important but will not ensure success if senior management support is not present.
Sufficient senior management support is the most important factor for the success of an information security program.
Having adequate budget and staffing is important, but in the unlikely event they existed without senior management support, they would not by themselves ensure success.
Which of the following requirements would have the LOWEST level of priority in information security?
A.Technical
B.Regulatory
C.Privacy
D.Business
A is the correct answer.
Justification
Information security priorities may sometimes override technical specifications, which then must be rewritten to conform to minimum security standards.
Regulatory requirements are government-mandated and, therefore, not subject to override.
Privacy requirements are usually government-mandated and, therefore, not subject to override.
The needs of the business should always take precedence in deciding information security priorities.
Which of the following is fundamental for scoping an information security program?
A.Alignment with business objectives
B.An asset inventory
C.A risk matrix
D.Risk assessment
B is the correct answer.
Justification
Alignment with business objectives will help prioritize information security program objectives and what the program will focus on as it is developed.
Building an asset inventory will help determine what the enterprise needs to protect and sets the scope for the information security program.
A risk matrix cannot be accurate if the assets it is meant to cover are unknown.
A risk assessment relies on the identification of assets in an enterprise.
An enterprise has consolidated global operations. The chief information officer has asked the chief information security officer to develop a new enterprise information security strategy. Which of the following actions should be taken FIRST?
A.Identify the assets.
B.Conduct a risk assessment.
C.Define the scope.
D.Perform a business impact analysis.
C is the correct answer.
Justification
The scope of the program must be determined before asset identification can be performed.
The scope of the program must be determined before a risk assessment can be performed.
The scope of the program must be determined before any of the other steps can be performed.
The scope of the program must be determined before a business impact analysis can be performed.
Determining the nature and extent of activities required in developing an information security program often requires assessing the existing program components. The BEST way to accomplish this is to perform:
A.a security review.
B.an impact assessment.
C.a vulnerability assessment.
D.a threat analysis.
A is the correct answer.
Justification
A security review is used to determine the current state of security for various program components.
An impact assessment is used to determine potential impact in the event of the loss of a resource.
A vulnerability assessment covers only one specific aspect of what a security review considers.
A threat analysis would not normally be a part of a security review.
It is MOST important that information security architecture be aligned with which of the following?
A.Industry good practices
B.Business goals and objectives
C.Information technology plans
D.International information security frameworks
B is the correct answer.
Justification
Industry good practices may serve as a guideline but may be excessive or insufficient for a particular enterprise.
The security architecture, most importantly, must be aligned with business goals and objectives.
Information technology plans are created once the architecture and strategy are in place and are aligned with business goals and objectives by default.
International frameworks can serve as a general guide to the extent they support business goals and objectives.
Which of the following elements are the MOST essential to develop an information security strategy?
A.Complete policies and standards
B.An appropriate governance framework
C.Current state and objectives
D.Management intent and direction
C is the correct answer.
Justification
Policies and standards are among the primary tools to implement a strategy and are subsequent steps in the process.
Implementing the information security strategy is the activity that populates or develops the governance framework.
Because a strategy is essentially a plan to achieve an objective, it is essential to know the current state of information security and the desired future state or objectives.
Management intent and direction are essential to developing objectives; the current state is also required.
In implementing information security governance, the information security manager is PRIMARILY responsible for:
A.developing the security strategy.
B.reviewing the security strategy.
C.communicating the security strategy.
D.approving the security strategy.
A is the correct answer.
Justification
The information security manager is responsible for developing a security strategy based on business objectives with the inputs from business process owners.
Reviewing the security strategy is the responsibility of a steering committee or top management.
The information security manager is not necessarily responsible for communicating the security strategy.
Management or the security steering committee has the responsibility to approve and fund the security strategy implementation.
The maturity of an information security program is PRIMARILY the result of:
A.a comprehensive risk assessment and analysis.
B.an effective information security strategy.
C.the development of a security architecture.
D.completing a controls statement of applicability.
B is the correct answer.
Justification
Assessing and analyzing risk is required to develop a strategy and will provide some of the information needed to develop it, but will not define the scope and charter of the security program. Also, how the enterprise chooses to approach identified risk is a business decision that must be made by senior management and identified in a strategy.
An effective information security strategy provides clear direction on how the enterprise will attain security outcomes desired and directed by senior management.
A security architecture is ideally a part of implementation after developing the strategy. It is possible to adopt an architecture without a strategy, but its implementation will not necessarily help the enterprise to attain the security outcomes desired by senior management.
The applicability statement is a part of strategy implementation using International Organization for Standardization (ISO) 27001 or 27002 after determining the scope and responsibilities of the program. Like a security architecture, an applicability statement can be adopted without a strategy, but will not necessarily help the enterprise to attain the security outcomes desired by senior management.
Which of the following is the MOST cost-effective approach to achieve strategic alignment?
A.Periodically survey management
B.Implement a governance framework
C.Ensure that controls meet objectives
D.Develop an enterprise architecture
A is the correct answer.
Justification
Achieving and maintaining strategic alignment means that business process owners and managers believe that information security is effectively supporting their organizational activities. This can most easily and inexpensively be determined by periodic surveys, which will also indicate improvement or degradation over time.
Implementing an appropriate governance framework may improve strategic alignment in addition to a number of other benefits, but it is exceedingly complex, time-consuming and expensive and may not directly capture business owners’ perceptions or show changes over time.
While important, controls meeting objectives may not be perceived by managers as helpful to the business and may, in fact, be seen as an impediment to their activities.
An enterprise architecture should consider business objectives during design and development, but in an effort to balance many other requirements, such as security and functionality, it may or may not be perceived as supporting business activities.
The aspect of governance that is MOST relevant to setting security baselines is:
A.policies.
B.acceptable risk.
C.impacts.
D.standards.
D is the correct answer.
Justification
Policies may require that baselines be defined, but the specifics will be in the standards.
Acceptable risk will define the control objectives, which are then expressed in the standards.
Potential impacts will help determine acceptable risk expressed in the standards, which collectively set the baseline.
Standards taken together define the lowest limits of security, thereby defining the baseline.
Which of the following requirements is the MOST important when developing information security governance?
A.Complying with applicable corporate standards
B.Achieving cost-effectiveness of risk mitigation
C.Obtaining consensus of business units
D.Aligning with organizational goals
D is the correct answer.
Justification
Corporate standards are established on the basis of policies that support organizational strategy. Complying with corporate standards is only one aspect of developing governance.
While the cost-effectiveness of risk mitigation approaches is an important consideration, aspects of information security governance cannot be implemented if they are contrary to organizational goals.
Consensus is valuable, but not required.
Information security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately, and verifying that the enterprise’s resources are used responsibly. It should support and reflect the goals of the enterprise.
Which of the following is the MOST important component of information security governance?
A.Appropriate monitoring and metrics
B.An established strategy for moving forward
C.An information security steering committee
D.Senior management involvement
D is the correct answer.
Justification
Monitoring and metrics can determine progress but are effective only if there is management support.
Strategy is only one building block of information security governance and cannot work without management support.
A steering committee cannot exist without management support.
Senior management must champion the process and act as information security spokespersons to create an effective information security governance framework.
Which of the following choices would BEST align information security objectives with business objectives?
A.A capability maturity model
B.A process assessment model
C.A risk assessment and analysis
D.A business balanced scorecard
D is the correct answer.
Justification
A capability maturity model may not include business objectives; in that case, it would not provide a complete perspective, being more focused on security objectives.
While providing greater detail into processes and capabilities, a process assessment model only provides a process-focused view rather than a multidimensional one covering business and security.
A risk assessment is used to identify vulnerabilities and controls and does not address alignment of security with business objectives.
A business balanced scorecard will align information security goals with business goals and provide a multidimensional view of both quantitative and qualitative factors.
Successful implementation of information security governance will FIRST require:
A.security awareness training.
B.updated security policies.
C.a computer incident management team.
D.a security architecture.
B is the correct answer.
Justification
Security awareness training will promote the security policies, procedures and appropriate use of the security mechanisms but will not precede information security governance implementation.
Updated security policies are required to align management business objectives with security processes and procedures. Management objectives translate into policy; policy translates into standards and procedures.
An incident management team will not be the first requirement for the implementation of information security governance and can exist even if formal governance is minimal.
Information security governance provides the basis for architecture and must be implemented before a security architecture is developed.
The PRIMARY focus of information security governance is to:
A.adequately protect the information and knowledge base of the enterprise.
B.provide assurance to senior management that the security posture is adequate.
C.safeguard the IT systems that store and process business information.
D.optimize the information security strategy to achieve business objectives.
D is the correct answer.
Justification
While adequately protecting information and the knowledge base is important, governance is ultimately about achieving business objectives.
Unless information security strategy is aligned with business objectives, there is no basis to determine the adequacy of the security posture.
Information security governance is more than IT systems.
Governance ensures that business objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision-making; and monitoring performance, compliance and progress against plans.
Which of the following ways is the BEST to establish a basis on which to build an information security governance program?
A.Align the business with an information security framework.
B.Understand the objectives of the various business units.
C.Direct compliance with regulatory and legal requirements.
D.Meet with representatives of the various security functions.
B is the correct answer.
Justification
Frameworks are beneficial as a means of tracking what functions should be performed by effective governance, but the establishment of governance is primarily a matter of understanding business objectives.
The governance program needs to be a comprehensive security strategy intrinsically linked with business objectives. It is impossible to build an effective program for governance without understanding the objectives of the business units, and the objectives of the business units can best be understood by examining their processes and functions.
Meeting regulatory and legal requirements may be included among the objectives of the business, but compliance with laws and regulations is not the primary function of information security governance. Depending on the cost associated with doing so, businesses may, in some cases, even opt to accept the risk of noncompliance.
Governance reflects the approach to achieving the objectives of the business. Meeting with the security functions can only provide insight with regard to the technical posture and goals as they currently exist; it does not provide a basis on which to build a program.
When assessing the maturity of the risk management process, which of the following findings raises the GREATEST concern?
A.Organizational processes are not adequately documented.
B.Multiple frameworks are used to define the desired state.
C.Required security objectives are not well-defined.
D.The desired state is not based on the business objectives.
D is the correct answer.
Justification
Inadequate documentation of organizational processes places the enterprise at the base of the maturity model, which is not wrong in itself; it is expected that the enterprise will work to improve beyond this level.
Using multiple frameworks to define the desired state could be unnecessarily expensive if not well planned and may result in conflicts between the frameworks, but it does not invalidate the effort.
It is very important that qualitative and quantitative objectives be well-defined for a gap analysis to be effective. However, defining a desired state without input from the business strategy invalidates the entire process.
Risk management is about the business. Defining a desired state without consideration of business objectives implies that the stated desired outcome may not be effective, even if attained.
Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met?
A.SWOT analysis
B.Waterfall chart
C.Gap analysis
D.Balanced scorecard
D is the correct answer.
Justification
A SWOT analysis addresses strengths, weaknesses, opportunities and threats. Although useful, a SWOT analysis is not as effective a tool as a balanced scorecard (BSC).
A waterfall chart is used to understand the flow of one process into another.
A gap analysis, while useful for identifying differences between the current state and the desired future state, is not the most appropriate tool.
A BSC is most effective for evaluating the degree to which information security objectives are being met.
What is the BEST evidence of a mature information security program?
A.A comprehensive risk assessment and analysis exists.
B.Development of a physical security architecture exists.
C.A controls statement of applicability exists.
D.An effective information security strategy exists.
D is the correct answer.
Justification
Assessing and analyzing risk is required to develop a strategy and will provide some information needed to develop it but will not define the scope and charter of the security program.
A physical security architecture is a part of an implementation.
The applicability statement is a part of the strategy implementation using International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 or 27002 after determining the scope and responsibilities of the program.
The process of developing information security governance structures, achieving organizational adoption and developing a strategy to implement will define the scope and responsibilities of the security program.
The acceptable limits defined by organizational standards are PRIMARILY determined by:
A.likelihood and impact.
B.risk appetite.
C.relevant policies.
D.the defined strategy.
B is the correct answer.
Justification
The likelihood of an adverse event and the consequences of such an event will define the risk, but only the risk appetite will indicate if the risk is acceptable.
Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission. The risk appetite sets the acceptable limits for organizational standards.
Standards interpret policy, but boundaries are set based on risk.
Standards are a part of implementing strategy, but boundaries are set based on risk.
Which of the following is the MOST important factor when designing information security architecture?
A.Technical platform interfaces
B.Scalability of the network
C.Development methodologies
D.Stakeholder requirements
D is the correct answer.
Justification
Interoperability is important but without merit if a technologically elegant solution is achieved that does not meet the needs of the business.
Scalability is important but only to the extent the architecture meets stakeholder requirements.
There are a number of viable development methodologies, and the choice of which is used is not particularly important as long as it meets the needs of the enterprise.
The most important factor in designing information security architecture is that it safeguards stakeholder requirements as defined by business needs.
Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application?
A.User security procedures
B.Business process flow
C.IT security standards
D.Regulatory requirements
C is the correct answer.
Justification
Procedures will not indicate the appropriateness of control mechanisms.
The business process flow is not relevant to the access control mechanism.
IT management should ensure that mechanisms are implemented in line with IT security standards.
The enterprise’s own policies, standards and procedures should take into account regulatory requirements.
An enterprise has decided to implement governance, risk and compliance processes into several critical areas of the enterprise. Which of the following objectives is the MAIN one?
A.To reduce governance costs
B.To improve risk management
C.To harmonize security activities
D.To meet or maintain regulatory compliance
B is the correct answer.
Justification
Governance costs may or may not be reduced, but that is not the primary objective.
The overarching objective of governance, risk and compliance (GRC) is improved risk management achieved by integrating interrelated activities across the enterprise, primarily focused on finance, legal and IT domains.
Convergence of security activities would be just one element of GRC.
Achieving an appropriate level of regulatory compliance is likely to be one of the goals, but with the overall objective of more effective and efficient management of risk.
The BEST approach to developing an information security program is to use a:
A.process.
B.framework.
C.reference model.
D.guideline.
B is the correct answer.
Justification
Processes support an information security program’s implementation and management but by themselves are not as useful as a framework.
Adoption of a framework, such as the International Organization for Standardization (ISO) 27001 or COBIT, is the best and most widely recognized approach to information security program development.
A reference model is one approach to developing an information security program, but it is less flexible than a framework.
Guidelines assist an information security program’s implementation and management but by themselves are not as useful as a framework.
Which of the following BEST contributes to the development of an information security governance framework that supports the maturity model concept?
A.Continuous analysis, monitoring and feedback
B.Continuous monitoring of the return on security investment
C.Continuous risk reduction
D.Key risk indicator setup to monitor security management processes
A is the correct answer.
Justification
To improve the governance framework and achieve a higher level of maturity, an enterprise needs to conduct continuous analysis, monitoring and feedback, comparing the desired state of maturity to the current state.
Return on security investment may show the performance result of the security-related activities in terms of cost-effectiveness; however, this is not an indication or consideration for the maturity model concept.
Continuous risk reduction demonstrates the effectiveness of the security governance framework but is not an indication or consideration for the maturity model concept.
A key risk indicator setup is a tool to be used in internal control assessment, and it presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a consideration to support maturity models.
IT-related risk management activities are MOST effective when they are:
A.treated as a distinct process.
B.conducted by the IT department.
C.integrated within business processes.
D.communicated to all employees.
C is the correct answer.
Justification
IT risk is part of the broader risk landscape and must be integrated into overall risk management activities.
To ensure an objective, holistic approach, IT risk management must be addressed on an enterprise-wide basis, separate from the IT department.
IT is an enabler of business activities; to be effective, it must be integrated into business processes.
Communication alone does not necessarily correlate with successful execution of a process.
Which of the following is PRIMARILY related to the emergence of governance, risk and compliance?
A.The increasing need for controls
B.The policy development process
C.The integration of assurance-related activities
D.A model for information security program development
C is the correct answer.
Justification
One of the outcomes of governance, risk and compliance (GRC) is the increased attention on general controls, because they are more pervasive and cost-effective than application-level controls. However, the primary driver for GRC is the increased complexity and diversity of assurance requirements and the need to address them through one integrated process.
As with most information security activities, appropriate policy support is needed for effective GRC implementation, but that is only one aspect of achieving integration.
GRC is a process to integrate multiple disparate but related activities to improve effectiveness, reduce or eliminate conflicting approaches, and reduce costs.
GRC is not a model, but an approach to achieving greater assurance process integration.
Which of the following is the MOST important consideration for a control policy?
A.Data protection
B.Life safety
C.Security strategy
D.Regulatory factors
B is the correct answer.
Justification
Protecting data is not as important as protecting life.
For physical controls, such as electrically controlled doors with swipe card access, the most important consideration is safety, such as ensuring that the doors will not fail to open in case of fire.
The control policy is part of the information security strategy.
Compliance with regulatory requirements, where relevant, is important, but ultimately, the safety of people has the highest priority.
Which of the following provides the linkage to ensure that procedures are correctly aligned with information security policy requirements?
A.Standards
B.Guidelines
C.Security metrics
D.Gap analysis
A is the correct answer.
Justification
Standards set the allowable boundaries for procedures to ensure they comply with the intent of policies.
Guidelines are a description of a particular way of accomplishing something that is less prescriptive than a procedure.
Security metrics will detect but not necessarily ensure alignment between policies and procedures.
Gap analysis is used to determine what is required to move from an existing state to a desired state but is not useful in determining the alignment of procedures and policy.
Who can BEST approve plans to implement an information security governance framework?
A.Internal auditor
B.Information security management
C.Steering committee
D.Infrastructure management
C is the correct answer.
Justification
An internal auditor is responsible for the audit function and does not have the authority to approve plans to implement the information security governance framework.
Information security management is responsible for security operations and should not have the authority to approve the security governance framework.
Senior management that is part of the security steering committee is the best authority to approve plans to implement an information security governance framework.
Infrastructure management is not in the best position because it focuses more on the technologies than on the business.
The concept of governance, risk and compliance serves PRIMARILY to:
A.align enterprise assurance functions.
B.ensure that all three activities are addressed by policy.
C.present the correct sequence of security activities.
D.define the responsibilities of information security.
A is the correct answer.
Justification
Governance, risk and compliance (GRC) is an effort to integrate assurance activities across an enterprise to achieve greater efficiency and effectiveness.
It is unlikely that all three activities would not be covered by policies, but GRC may unify existing policies to reduce complexity and any differences that exist.
GRC does not deal directly with the sequence of security activities, and all three may occur concurrently.
GRC is about integration of security activities, not specific responsibilities of various groups.
Obtaining senior management support for establishing a warm site can BEST be accomplished by:
A.establishing a periodic risk assessment.
B.promoting regulatory requirements.
C.developing a business case.
D.developing effective metrics.
C is the correct answer.
Justification
A risk assessment should be carried out for making a business case to obtain management support, but the risk assessment by itself will not be effective.
Informing management of regulatory requirements may help gain support for initiatives, but given that many enterprises are not in compliance with regulations, it is unlikely to be sufficient.
A complete business case, including a cost-benefit analysis, will be most persuasive to management.
Good metrics that provide assurance that initiatives are meeting organizational goals will be useful but are not likely to be sufficient for gaining management support.
Investments in information security technologies should be based on:
A.vulnerability assessments.
B.value analysis.
C.business climate.
D.audit recommendations.
B is the correct answer.
Justification
Vulnerability assessments are useful, but they do not provide information that can help determine whether the cost of the technology is justified.
Investments in security technologies should be based on a value analysis and a sound business case. Value analysis provides an assessment that the product features help address the business case and that the cost is no greater than the impact of the security risk being mitigated.
Demonstrated value takes precedence over the current business climate because the climate is continually changing.
Basing decisions on audit recommendations alone would be reactive in nature and might not address the key business needs comprehensively.
An enterprise has been recently subject to a series of denial-of-service attacks due to a weakness in security. The information security manager needs to present a business case for increasing the investment in security. The MOST significant challenge in obtaining approval from senior management for the proposal is:
A.explaining technology issues of security.
B.demonstrating value and benefits.
C.simulating various risk scenarios.
D.obtaining benchmarking data for comparison.
B is the correct answer.
Justification
In a business case, there is no need to explain technology issues of security.
Business cases are prepared on the basis of business value and benefits to the enterprise. This is usually difficult for security managers to identify and present effectively.
Simulating various risk scenarios must be done as part of risk assessment, but these are not usually included in a business case.
Benchmarking data is an approach to value demonstration and does not present a significant challenge to support the business case.
Which of the following is the BEST approach to dealing with inadequate funding of the security program?
A.Eliminate low-priority security services.
B.Require management to accept the increased risk.
C.Prioritize risk mitigation and educate management.
D.Reduce monitoring and compliance enforcement activities.
C is the correct answer.
Justification
Prioritizing security activities is always useful but eliminating any security services, even low-priority, should be a last resort.
If budgets are seriously constrained, management is already addressing increases in other risks and is likely to be aware of the issue; a proactive approach to doing more with less will be well received.
Allocating resources to the areas of highest risk and benefit and educating management on the potential consequences of underfunding is the best approach.
Reducing monitoring activities may unnecessarily increase risk when lower-cost options to perform those functions may be available.
What is the MOST important consideration when developing a business case for an information security investment?
A.The impact on the risk profile of the enterprise
B.The acceptability to the board of directors
C.The implementation benefits
D.The affordability to the enterprise
C is the correct answer.
Justification
The impact on the risk profile can be one component of the business case but does not include all the areas the business case would cover.
The basis for acceptance among the directors should be the impact on the risk profile.
A business case is defined as documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle. A business case covers not only long-term benefits, but also short-term ones, along with costs.
While cost is important to consider, if the benefits outweigh the costs, it will be in the best interests of the enterprise to go ahead with the investment.
Security technologies should be selected PRIMARILY on the basis of their:
A.ability to mitigate business risk.
B.evaluations in trade publications.
C.use of new and emerging technologies.
D.benefits in comparison to their costs.
D is the correct answer.
Justification
One regular evaluation criterion for the appropriate selection of any security technology is its ability to cost-effectively reduce or eliminate business risk.
Trade publication evaluations may not provide all information on the technology’s abilities and may be written by sponsors or influencers.
While new or emerging technologies may offer potential benefits, they are not time-tested, which reduces their acceptability as the primary selection basis.
Investments in security technologies should be based on their overall value in relation to their cost; the value can be demonstrated in terms of risk mitigation.
The PRIMARY purpose of a business case for an information security investment is to provide the:
A.support needed for senior management to approve the security program’s proposed budget.
B.support needed for senior management to approve the security program’s projected return on investment.
C.rationale that the proposed security program aligns with organizational goals and objectives.
D.rationale that the proposed security program aligns with regulatory and compliance requirements.
C is the correct answer.
Justification
Budget justification is not a primary purpose of the investment decision; it acts as an input to the decision-making process.
Return on investment is not a primary purpose of the investment decision; it acts as an input to the decision-making process.
Providing explanations on how the proposed information security investment supports the achievement of organizational objectives provides senior management with an understanding of how the investment will add value to the enterprise and increase its chances of success.
Regulatory and compliance requirements are an input, but the business goals are the primary driver of the decision-making process.
The MOST complete business case for security solutions is one that:
A.includes appropriate justification.
B.explains the current risk profile.
C.details regulatory requirements.
D.identifies incidents and losses.
A is the correct answer.
Justification
There are many possible justifications for implementing a security solution; however, the key is to choose the most appropriate justification for the business case.
The current risk profile may be one of a number of possible justifications and cannot, by itself, be the input for a complete business case.
Regulatory requirements may be one of many possible justifications and cannot be the sole input for a complete business case.
Incidents and losses are possible justifications for implementing security solutions and cannot be the sole input for a complete business case.
A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following items would be of MOST value?
A.Examples of genuine incidents at similar enterprises
B.Statement of generally accepted good practices
C.Association of realistic threats to corporate objectives
D.Analysis of current technological exposures
C is the correct answer.
Justification
While examples of incidents at other enterprises may help obtain senior management buy-in, the security program should be based on realistic threats to the enterprise’s corporate objectives.
Good practices are useful, and they may be the foundation for the security program, which may enhance senior management buy-in. However, this may not be a substantial argument to obtain executive management commitment.
Linking realistic threats to key business objectives will direct executive attention and provide the necessary understanding of the risk scenario for executive management to ensure their commitment to the security program.
Analysis of current technological exposures may enhance senior management buy-in but the argument may not be as substantial as realistic threats to the enterprise’s corporate objectives.
What is the BEST technique to determine which security controls to implement with a limited budget?
A.Risk analysis
B.Annual loss expectancy calculations
C.Cost-benefit analysis
D.Impact analysis
C is the correct answer.
Justification
Risk analysis quantifies risk to prioritize risk responses.
The annual loss expectancy is the monetary loss that can be expected for an asset due to a risk over a one-year period but does nothing to prioritize controls.
Cost-benefit analysis is performed to ensure that the cost of a safeguard does not outweigh its benefit and that the best safeguard is provided for the cost of implementation.
An impact analysis is a study to prioritize the criticality of information resources for the enterprise based on costs (or consequences) of adverse events. In an impact analysis, threats to assets are identified and potential business losses determined for different time periods. This assessment is used to justify the extent of safeguards that are required and determine recovery time frames. This analysis is the basis for establishing the recovery strategy.
The MOST important requirement for gaining management commitment to the information security program is to:
A.benchmark a number of successful enterprises.
B.demonstrate potential losses and other impacts that can result from a lack of support.
C.inform management of the legal requirements of due care.
D.demonstrate support for desired outcomes.
D is the correct answer.
Justification
While benchmarking similar enterprises can be helpful in some instances to make a case for management support of the information security program, benchmarking by itself is not likely to be sufficient.
Management often considers security to be a financial drain and over-reactive. Showing probable outcomes can help build a case, but demonstrating how the program will materially assist in achieving the desired business outcomes will be more effective.
Due care is a legal requirement and best presented by the legal department. By itself, the due care requirement is not enough to translate the value of an information security program to management.
The most effective approach to gain support from management for the information security program is to persuasively demonstrate how the program will help achieve the desired outcomes. This can be done by providing specific business support in areas of operational predictability and regulatory compliance, and by improving resource allocation and meaningful performance metrics.
Information security projects should be prioritized on the basis of:
A.time required for implementation.
B.impact on the enterprise.
C.total cost for implementation.
D.mix of resources required.
B is the correct answer.
Justification
Time required for implementation is potentially one impact on the enterprise but is subordinate to the overall impact of the project on the enterprise.
Prioritization of information security projects should be assessed on the basis of the positive impact that they will have on the enterprise.
Total cost for implementation is one aspect of the information security project but is not the factor on which prioritization can be assessed.
A mix of resources required may be a factor in delivery but it is not particularly relevant to prioritizing security projects.
Obtaining senior management support for an information security initiative can BEST be accomplished by:
A.developing and presenting a business case.
B.defining the risk that will be addressed.
C.presenting a financial analysis of benefits.
D.aligning the initiative with organizational objectives.
A is the correct answer.
Justification
A business case is inclusive of the other options and specifically addresses them.
A business case must enumerate the risk that the initiative will address.
The value proposition is an essential part of the business case that addresses the financial aspects of the initiative.
The business case must show how the initiative will align with and support organizational objectives.
When should a request for proposal be issued?
A.At the project feasibility stage
B.Upon management project approval
C.Prior to developing a project budget
D.When developing the business case
C is the correct answer.
Justification
Assessing project feasibility involves a variety of factors that must be determined prior to issuing a request for proposal (RFP).
An RFP is a document distributed to vendors asking them to submit a proposal to develop or provide a solution. Final management approval is likely to occur after receiving responses to an RFP.
Development of a project budget depends on the responses to an RFP.
The business case will be developed as a part of determining feasibility, which occurs prior to issuing an RFP.
Which of the following choices BEST justifies an information security program?
A.The impact on critical IT assets
B.A detailed business case
C.Steering committee approval
D.User acceptance
B is the correct answer.
Justification
The impact on IT assets is an important component but by itself is insufficient to justify the information security program.
A business case contains documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle. A business case will provide the justification for the information security program by demonstrating the benefits of implementation.
Approval by the steering committee validates the justification contained in the business case.
User acceptance is highly relevant during the system development life cycle; however, it is ill-advised to rely on user acceptance as justification for a security program, particularly because security and performance often clash.
Which of the following is the MOST important objective of an information security strategy review?
A.Ensuring that risk is identified, analyzed and mitigated to acceptable levels
B.Ensuring the information security strategy is aligned with organizational goals
C.Ensuring the best return on information security investments
D.Ensuring the efficient utilization of information security resources
B is the correct answer.
Justification
Ensuring that risk is identified and mitigated is not sufficient to qualify as the most important objective of the information security strategy, as one needs to consider all controls and business issues.
The most important part of an information security strategy is that it supports the business objectives and goals of the enterprise.
Maximizing return on information security investment can only be achieved if the information security strategy is aligned with the business strategy.
Efficient utilization of resources at the enterprise level can only be achieved if the information security strategy is aligned with the business strategy.
Which of the following should an information security manager PRIMARILY use when proposing the implementation of a security solution?
A.Risk assessment report
B.Technical evaluation report
C.Business case
D.Budgetary requirements
C is the correct answer.
Justification
The risk assessment report provides the rationale for the business case for implementing a particular security solution.
The technical evaluation report provides supplemental information for the business case.
The information security manager needs to have knowledge of the development of business cases to illustrate the costs and benefits, or value proposition, of the security solution.
Budgetary requirements provide part of the information required in the business case.
The extent to which senior management supports the implementation of the strategy and risk management activities of an information security program will FIRST determine:
A.the charter.
B.the budget.
C.policy.
D.the reporting structure.
A is the correct answer.
Justification
Without management support, the program will never be able to establish a charter that will allow it to function within the environment. All the other choices follow the charter.
Without a charter for the program, there will be no budget because the program will not exist.
A charter is needed to establish the program before policy can be developed.
The reporting structure will not be established until the program is chartered.
What is the PRIMARY driver for obtaining external resources to execute the information security program?
A.External resources can contribute cost-effective expertise not available internally.
B.External resources can be made responsible for meeting the security program requirements.
C.External resources can replace the dependence on internal resources.
D.External resources can deliver more effectively on account of their knowledge.
A is the correct answer.
Justification
External resources that can contribute cost-effective expertise not available internally represent the primary driver for the information security manager to make use of external resources.
The information security manager will continue to be responsible for meeting the security program requirements despite using the services of external resources.
The external resources should never completely replace the role of internal resources from a strategic perspective.
The external resources cannot have a better knowledge of the business of the information security manager’s enterprise than do the internal resources.
Which of the following is the MOST effective way to measure strategic alignment of an information security program?
A.Survey business stakeholders
B.Track audits over time
C.Evaluate incident losses
D.Analyze business cases
A is the correct answer.
Justification
The best indicator of strategic alignment is the opinion of the business stakeholders—and the best way to obtain this information is to periodically obtain their feedback.
Audits may indicate something is amiss, but audits do not have a direct correlation with the effectiveness of the information security program to support business goals and objectives.
Incident losses may indicate the overall effectiveness of the program but may have more to do with inadequate budgets or staffing than with alignment.
Business cases for security projects may indicate where alignment went astray. However, business cases are indirect, and an analysis would be too late to be useful as an indicator of alignment.
The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:
A.escalate issues to an external third party for resolution.
B.ensure that senior management provide authority for security to address the issues.
C.insist that managers or units not in agreement with the security solution accept the risk.
D.refer the issues to senior management along with security recommendations.
D is the correct answer.
Justification
Senior management would be responsible for escalating issues to relevant external third parties.
Security is only one aspect of issues that may arise between parts of the enterprise, and authority to address issues must be at a higher level to arbitrate between conflicting requirements.
It is unlikely that the security manager is in a position of authority to insist that business unit managers should accept the risk, and the matter should be escalated to senior management to issue such directives.
Senior management is in the best position to arbitrate issues between organizational units because it will consider the overall needs of the business in reaching a decision.
Which of the following is the MOST important prerequisite for establishing information security management within an enterprise?
A.Senior management commitment
B.Information security framework
C.Information security organizational structure
D.Information security policy
A is the correct answer.
Justification
Senior management commitment is the most important prerequisite for establishing security management within the enterprise. Without senior management commitment, the seriousness of the security initiative is likely to be ignored within the enterprise.
Without senior management commitment, an information security framework is not likely to be implemented.
Without senior management commitment, it is not likely that there is support for developing an information security organizational structure.
The development of effective policies as a statement of management intent and direction is likely to be inadequate without senior management commitment to information security.
Which of the following factors is MOST important for the successful implementation of an enterprise’s information security program?
A.Senior management support
B.Budget for security activities
C.Regular vulnerability assessments
D.Knowledgeable security administrators
A is the correct answer.
Justification
Senior management support is critical to the implementation of any security program.
An appropriate budget for security activities is not likely without the support of senior management.
Vulnerability assessments are an important element of a successful security program but will be of little use without management support for addressing issues that arise.
Knowledgeable security administrators are important for a successful security program, but they are not likely to be effective without management support.
What should be the PRIMARY basis of a road map for implementing information security governance?
A.Policies
B.Architecture
C.Legal requirements
D.Strategy
D is the correct answer.
Justification
Policies are developed or modified after a strategy is defined and are one of the controls to implement it.
Logical security architecture will be a reflection of the road map and may serve as the road map after a strategy has been developed.
While legal and regulatory requirements must be considered, the road map is based on the strategy, which in turn is based on the enterprise’s objectives.
The road map detailing the steps, resources and timelines for implementing the strategy is developed after the strategy is determined, so it cannot itself be the basis of that strategy.
The FIRST step in developing a business case is to:
A.determine the probability of success.
B.calculate the return on investment.
C.analyze the cost-effectiveness.
D.define the issues to be addressed.
D is the correct answer.
Justification
Without a clear definition of the issues to be addressed, the probability of success is low.
Without a clear definition of the issues to be addressed, the solutions proposed and the results expected, return on investment cannot be calculated.
Without a clear definition of the issues to be addressed, the solutions proposed and the results expected, cost-effectiveness cannot be analyzed.
Without a clear definition of the issues to be addressed, a business case is not complete and cannot demonstrate the benefits of the new business vision.
An information security manager can BEST attain senior management commitment and support by emphasizing:
A.organizational risk.
B.performance metrics.
C.security needs.
D.the responsibilities of organizational units.
A is the correct answer.
Justification
Information security exists to address risk to the enterprise that may impede achievement of its objectives. Organizational risk will be the most persuasive argument for management commitment and support.
Performance metrics provide operational information and insight about the information security function but do not convey business value; it is business value that demonstrates the need on which senior management support is based.
The information security manager should identify information security needs based on organizational needs; however, security needs alone are not the factor to emphasize to attain senior management commitment.
Identifying organizational responsibilities is a task for management and is not related to the objective of attainment of senior management commitment for information security.
Which of the following are the MOST important individuals to include as members of an information security steering committee?
A.Direct reports to the chief information officer
B.IT management and key business process owners
C.Cross-section of end users and IT professionals
D.Internal audit and corporate legal departments
B is the correct answer.
Justification
Direct reports to the chief information officer do not include business process owners, and their input is necessary.
Security steering committees provide a forum for management to express its opinion and take some ownership in the decision-making process. It is imperative that business process owners be included in this process.
End users and IT professionals would not be part of the steering committee.
Internal audit would not be on the steering committee, although legal representation might.
When developing an information security program, what is the MOST useful source of information for determining available human resources?
A.Proficiency test
B.Job descriptions
C.Organization chart
D.Skills inventory
D is the correct answer.
Justification
Proficiency testing is useful but only with regard to specific technical skills.
Job descriptions would not be as useful because they may be out of date or not sufficiently detailed.
An organization chart shows reporting lines and head count but not the skills individuals hold, so it does not provide the detail necessary to determine the human resources available for this activity.
A skills inventory would help identify the available human resources, any gaps, and the training requirements for developing resources.
Maturity levels are an approach to determine the extent that sound practices have been implemented in an enterprise based on outcomes. Another approach that has been developed to achieve essentially the same result is:
A.controls applicability statements.
B.process performance and capabilities.
C.probabilistic risk assessment.
D.factor analysis of information risk.
B is the correct answer.
Justification
A controls applicability statement identifies which risk controls are applied but is not directly related to performance or maturity assessments.
The process performance and capabilities approach provides a more detailed perspective of maturity levels and serves essentially the same purpose.
Probabilistic risk assessment provides quantitative results of probability and magnitude of risk; it is not related to assessment of performance or capabilities.
Factor analysis of information risk is an approach to assessing risk that does not address performance.
Which of the following is the MOST appropriate as a means of obtaining commitment from senior management for implementation of the information security strategy?
A.Educational material discussing the importance of good information security practices
B.Regular group meetings to review the challenges and requirements of daily operations
C.A cost-benefit analysis detailing how the requested implementation budget will be used
D.A formal presentation highlighting the relationship between security and business goals
D is the correct answer.
Justification
Education regarding good information security practices is a part of implementing an effective information security program and is best distributed across the workforce.
Senior managers are unlikely to be able to accommodate regular group meetings, and daily operations are better addressed at the level of business process owners.
A detailed cost-benefit analysis of the implementation budget is a supporting document that can be referenced to answer questions and establish credibility. However, as a stand-alone document it is not the means by which an information security manager obtains commitment from senior management to implement the information security strategy.
A formal presentation to senior management is most appropriate to obtain management commitment when used as a means to educate and communicate key aspects of the overall security program and how security is enabling the achievement of business goals.
The MOST important element to consider when developing a business case for a project is the:
A.feasibility and value proposition.
B.resource and time commitment.
C.financial analysis of benefits.
D.alignment with organizational objectives.
A is the correct answer.
Justification
Feasibility and whether the value proposition makes sense will be major considerations for whether a project will proceed.
Resources and time needed are important but will be a component of the value proposition in terms of costs.
Financial analysis of benefits is a component of the value proposition, but other, nonfinancial benefits such as risk reduction and regulatory compliance typically should be proposed as well.
The value proposition would have to include alignment with the enterprise’s objectives.
The MOST important basis for developing a business case is the:
A.risk that will be addressed.
B.financial analysis of benefits.
C.alignment with organizational objectives.
D.feasibility and value proposition.
D is the correct answer.
Justification
Risk that will be addressed is a part of what determines feasibility and whether the benefits are sufficient for the cost.
Benefits analysis is a part of what determines feasibility and whether the benefits are sufficient for the cost.
Alignment with organizational objectives is a part of what determines feasibility and whether the benefits are sufficient for the cost.
The feasibility and value proposition are the primary factors in determining whether a project will proceed.
An information security manager wants to implement a security information and event management (SIEM) system not funded in the current budget. Which of the following choices is MOST likely to persuade management of this need?
A.A comprehensive risk assessment
B.An enterprise-wide impact assessment
C.A well-developed business case
D.Computing the net present value of future savings
C is the correct answer.
Justification
A risk assessment is a process used to identify and evaluate risk and its potential effects. This may be part of a business case but alone is less likely to persuade management.
An enterprise-wide impact assessment would review the possible consequences of a risk. This may be part of a business case but alone is less likely to persuade management.
A business case demonstrating the need and the value proposition is most likely to be persuasive to management. All the other options could be part of a well-developed business case.
The net present value would be calculated by using an after-tax discount rate of an investment and a series of expected incremental cash outflows (the initial investment and operational costs) and cash inflows (cost savings or revenues) that occur at regular periods during the life cycle of the investment. This may be part of a business case but alone is less likely to persuade management.
Senior management commitment and support for information security can BEST be obtained through presentations that:
A.use illustrative examples of successful attacks.
B.explain the technical risk to the enterprise.
C.evaluate the enterprise against good security practices.
D.tie security risk to key business objectives.
D is the correct answer.
Justification
Senior management may not be as interested in examples of successful attacks if they are not tied to the impact on business environment and objectives.
Senior management will not be as interested in technical risk to the enterprise if it is not tied to the impact on business environment and objectives.
Industry good practices may be important to senior management to the extent they are relevant to the enterprise and its business objectives; however, this is not the best method of gaining commitment and support for information security.
Tying security risk to key business objectives is the best option to obtain senior managers’ commitment and support as they want to understand the justification for investing in security in relation to achieving key business objectives.