ISACA questions Flashcards

1
Q

Which of the following would be the BEST indicator of effective infosec governance within an org?
A. The steering committee approves security projects
B. Security policy training is provided to all managers
C. Security training is available to all employees on the intranet
D. IT personnel are trained in testing and applying required patches

A

A
A. The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program. To ensure that all stakeholders impacted by security considerations are involved, many orgs use a steering committee comprised of senior representatives of affected groups. This composition helps to achieve consensus on priorities and trade-offs and serves as an effective communication channel for ensuring the alignment of the security program with business objectives.
B. Security policy training is important at all levels of the org and also an indicator of good governance. However, it must be guided and approved as a security project by the steering committee to ensure all parts of the org are aware of the policies.
XC. The availability of security training, while beneficial to the overall security program, does not ensure that employees are following the program and have the required level of awareness without a process to enforce awareness and compliance.
D. Even orgs with little overall governance may be effective in patching systems in a timely manner; this is not an indication of effective governance.

2
Q
What is the MOST essential attribute of an effective key risk indicator (KRI)? It:
A. Is accurate and reliable
B. Provides quantitative metrics
C. Indicates required action
D. Is predictive of a risk event.
A

D
XA. KRIs usually signal developing risk but do not indicate what the actual risk is. In that context, they are neither accurate nor reliable.
B. KRIs typically do not provide quantitative metrics about risk.
C. KRIs will not indicate that any particular action is required other than to investigate further.
D. A KRI should indicate that a risk is developing or changing to show that investigation is needed to determine the nature and extent of a risk.

3
Q

Determining which element of the confidentiality, integrity and availability (CIA) triad is MOST important is a necessary task when:

a. assessing overall system risk
b. developing a controls policy
c. determining treatment options
d. developing a classification scheme

A

B
Xa. Overall risk is not affected by determining which element of the triad is of greatest importance because overall risk is constructed from all known risk, regardless of the components of the triad to which each risk applies.
b. Because preventive controls necessarily must fail in either an open or closed state (fail safe or fail secure), and failing open favors availability while failing closed favors confidentiality - each at the expense of the other - a clear prioritization of the triad components is needed to develop a controls policy.
c. Although it is possible that establishing a control that bolsters one component of the triad may diminish another, treatment options may be determined without a clear prioritization of the triad.
d. Classification is based on the potential impact of compromise and is not a function of prioritization within the triad.

4
Q

Which of the following is MOST appropriate for inclusion in an infosec strategy?

a. Business controls designated as key controls
b. security processes, methods, tools and techniques
c. firewall rule sets, network defaults and intrusion detection system settings
d. budget estimates to acquire specific security tools

A

B
Xa. Key business controls are only one part of a security strategy and must be related to biz objectives.
b. A set of security objectives supported by processes, methods, tools and techniques together are the elements that constitute a security strategy.
c. Firewall rule sets, network defaults and intrusion detection system settings are technical details subject to periodic change and are not appropriate content for a strategy document.
d. Budgets will generally not be included in an infosec strategy. Until the strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available.

5
Q

Which of the following situations must be corrected FIRST to ensure successful infosec governance w/in an org?

a. The infosec department has difficulty filling vacancies
b. the COO approved security policy changes
c. the infosec oversight committee only meets quarterly
d. the data center manager has final sign-off on all security projects.

A

D
Xa. Difficulty in filling vacancies is not uncommon due to the shortage of qualified infosec professionals.
b. It is important to have senior mgmt approve security policies to ensure that they meet mgmt. intent and direction.
c. It is not inappropriate for an oversight or steering committee to meet quarterly.
d. A steering committee should be in place to approve all security projects. The fact that the data center mgr. has final sign-off indicates that a steering committee is not being used and that infosec is relegated to a subordinate place in the org. This would indicate a failure of infosec governance.

6
Q

Which of the following is MOST likely to be discretionary?

a. policies
b. procedures
c. guidelines
d. standards

A

C
a. Policies define management’s security goals and expectations for an org. These are defined in more specific terms within standards and procedures.
Xb. Procedures describe how work is to be done.
c. Guidelines provide recommendations that business mgmt. must consider in developing practices within their areas of control; as such, they are discretionary.
d. Standards establish the allowable operational boundaries for people, processes and technology.

7
Q

Which of the following seldom change in response to technological changes?

a. standards
b. procedures
c. policies
d. guidelines

A

C
a. Security standards must be revised and updated based on the impact of technology changes.
b. Procedures must be revised and updated based on the impact of technology changes.
c. Policies are high-level statements of mgmt. intent and direction, which is not likely to be affected by tech changes.
Xd. Guidelines must be revised and updated based on the impact of technology changes.

8
Q

When creating an effective data-protection strategy, the infosec mgr. must understand the flow of data and its protection at various stages. This is BEST achieved with:
a. a third-party vulnerability assessment
b. a tailored methodology based on exposure
c. an insurance policy for accidental data losses
d. a tokenization system set up in a secure network environment

A

B
Xa. Vulnerability assessments, third-party or otherwise, do not take into account threat and other factors that influence risk treatment.
b. Orgs classify data according to their value and exposure. The org can then develop a sensible plan to invest budget and effort where they matter most.
c. An insurance policy is a risk treatment option for the transfer/sharing of risk. Whether it is an appropriate action requires a cost-benefit analysis and a more complete understanding of the risk involved.
d. Tokenization is a technique used to protect data, but whether it is appropriate cannot be known w/out an understanding of the various exposures to which the data are subject.

9
Q

Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global org?

a. Chief security officer
b. Chief operating officer
c. Chief privacy officer
d. Chief legal counsel

A

B
Xa. Although the chief security officer knows what is needed, the sponsor for this task should be someone with far-reaching influence across the org.
b. The COO is the most knowledgeable about biz ops and objectives.
c. The chief privacy officer may not have the knowledge of the day-to-day biz ops and overall security requirements to ensure proper guidance.
d. The chief legal counsel will typically have a narrow legal focus on contracts and stock and other regulatory requirements and have little knowledge of overall org security requirements.

10
Q

The MOST important element(s) to consider when developing a biz case for a project is the:

a. feasibility and value proposition
b. resource and time requirements
c. financial analysis of benefits
d. alignment with org objectives

A

A
a. Feasibility and whether the value proposition makes sense will be major considerations of whether a project will proceed.
b. Resources and time needed are important but will be a component of the value proposition in terms of costs.
c. Financial analysis of benefits is a component of the value proposition but there would typically be other benefits that should be proposed.
Xd. The value proposition would, as a matter of course, have to include alignment with the org’s objectives.

11
Q

Senior mgmt. commitment and support for infosec can BEST be enhanced through:

a. a formal security policy sponsored by the CEO
b. regular security awareness training for employees
c. periodic review of alignment with biz mgmt. goals
d. senior mgmt. signoff on the infosec strategy

A

C
a. Although having the CEO sign off on the security policy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior mgmt.
b. Security awareness training for employees will not have as much effect on senior mgmt. commitment as alignment with biz goals.
c. Ensuring that security activities continue to be aligned with and support biz goals is critical to obtaining mgmt. support.
Xd. Although having senior mgmt. sign off on the security policy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior mgmt.

12
Q

The infosec mgr. receives a report showing an increase in the number of security events. The MOST likely explanation is:

a. exploitation of a vulnerability in the information system
b. threat actors targeting the org in greater numbers
c. failure of a previously deployed detective control
d. approval of a new exception for noncompliance by mgmt.

A

A

a. Exploitation of a vulnerability is likely to generate security events.
b. Absent a change in vulnerability, an increase in the number of threat actors targeting the org would not explain an increase in security events.
c. An increase in the number of security events that appear on reports suggests that detective controls are likely working properly.
xd. Exceptions approved by mgmt. may result in a higher number of security events on reports if notice of the exceptions is not provided to infosec to allow updates to monitoring. However, exceptions are typically communicated to the infosec mgr., so this is an unlikely explanation for the increase.

13
Q

Which of the following is the MOST important info to include in a strategic plan for infosec?

a. Infosec staffing requirements
b. current state and desired future state
c. IT capital investment requirements
d. infosec mission statement

A

B

a. Staffing requirements stem from the implementation time lines and requirements of the strategic plan.
b. It is most important to present a vision for the future and then create a road map from the current state to the desired future state based on a gap analysis of the requirements to achieve the desired future state.
c. IT capital investment requirements are generally not determined at the strategic plan level but rather as a result of gap analysis and the options on how to achieve the objectives of the strategic plan.
xd. The mission statement is typically a short, high-level aspirational statement of overall organizational objective and only directly affects the infosec strategy in a very limited way.

14
Q

An infosec mgr. mapping a job description to types of data access is MOST likely to adhere to which of the following infosec principles?

a. ethics
b. proportionality
c. integration
d. accountability

A

B

a. Ethics have the least to do with mapping a job description to types of data access.
b. Information security controls, including access, should be proportionate to the criticality and/or sensitivity of the asset (i.e. the potential impact of compromise).
c. Principles of integration are not relevant to this task.
xd. The principle of accountability would be the second most adhered-to principle because people with access to data may not always be accountable.

15
Q

Which of the following is the MOST important prerequisite for establishing infosec mgmt. w/in an org?

a. senior mgmt. commitment
b. Infosec framework
c. infosec org structure
d. infosec policy

A

A
a. Senior mgmt. commitment is necessary in order for each of the other elements to succeed. W/out senior mgmt. commitment, the other elements will likely be ignored w/in the org.
Xb. W/out senior mgmt. commitment, an infosec framework is not likely to be implemented.
c. W/out senior mgmt. commitment, it isn’t likely that there is support for developing an infosec org structure.
d. The development of effective policies as a statement of mgmt. intent and direction is likely to be inadequate w/out senior mgmt. commitment to infosec.

16
Q

The FIRST step in developing an infosec mgmt. program is to:

a. identify biz risk that affects the org
b. establish the need for creating the program
c. assign responsibility for the program
d. assess adequacy of existing controls

A

B

xa. The task of identifying biz risk that affects the org is assigned and acted on after establishing the need for creating the program.
b. In developing an infosec mgmt. program, the first step is to establish the need for creating the program. This is a biz decision based more on judgment than on any specific quantitative measures. The other choices are assigned and acted on after establishing the need.

17
Q

There is a concern that lack of detail in the recovery plan may prevent an org from meeting its required time objectives when a security incident strikes. Which of the following is MOST likely to ensure the RTOs would be met?

a. establishment of distributed operation centers
b. delegation of authority in recovery execution
c. outsourcing of the biz restoration process
d. incremental backups of voluminous dbs

A

B

a. This doesn’t compensate for a lack of detail in the recovery plan.
b. When recovery is underway in response to an incident, there are many cases where decisions need to be made at each mgmt. level. This may take up considerable time due to escalation procedures. Therefore, it is desirable that delegation of authority becomes effective during the recovery process. The scope of delegation of authority in recovery execution may be assessed beforehand and documented in BC policies and procedures.
c. Outsourcing will not resolve any failure to meet RTOs unless the recovery strategy includes a clear line of authority and adequate detail in the plan.
xd. Incremental backup of voluminous dbs may be recommended to expedite the data backup process. However, it generally increases the time needed to recover.

18
Q

Which of the following is the BEST justification to convince mgmt. to invest in an infosec program?

a. cost reduction
b. compliance with company policies
c. protection of biz assets
d. increased biz value

A

D

a. This is rarely the motivator by itself.
b. Compliance is secondary to biz value.
xc. Increasing biz value may include protection of biz assets.
d. Investing in an infosec program should increase biz value as a result of fewer biz disruptions, fewer losses and increased productivity.

19
Q

Which of the following is the MOST important consideration when developing the security strategy of a company operating in different countries?

a. diverse attitudes toward security by employees and mgmt.
b. time differences and the ability to reach security officers
c. a coherent implementation of security policies and procedures in all countries
d. Compliance with diverse laws and governmental regulation

A

D

a. Attitudes among employees and mgrs. may vary by country and this will impact implementation of a security policy. However the impact is not nearly as significant as the variance in national laws.
xd. In addition to laws varying from one country to another, they can also conflict, making it difficult for an org to create an overarching enterprise security policy that adequately addresses the requirements in each nation. The repercussions of failing to adhere to multiple legal frameworks at the same time go well beyond the impacts of the other considerations listed.

20
Q

The enactment of policies and procedures for preventing hacker intrusions is an example of an activity that belongs to:

a. risk mgmt.
b. compliance
c. IT mgmt.
d. governance

A

D

xa. Risk mgmt. is about identifying risk and adequate counter measures and would be concerned if such policies and procedures are necessary based on a risk analysis. However the enactment would not fall into the area of risk mgmt.
b. Compliance would be concerned with the adequacy of the policies and procedures to achieve the control objectives and whether employees act according to the policies and procedures.
c. IT mgmt. would be concerned about setting the policies into operation (e.g. by providing training and resources).
d. Governance is concerned with implementing adequate mechanisms for ensuring that org'al goals and objectives can be achieved. Policies and procedures are common governance mechanisms.

21
Q

Which of the following recommendations is the BEST one to promote a positive infosec governance culture w/in an org?

a. strong oversight by the audit committee
b. organizational governance transparency
c. collaboration across biz lines
d. positive governance ratings by stock analysts

A

C

a. Supervision by the audit committee is unlikely to occur and would be of little help.
xb. Governance transparency may contribute to the security mgmt. practice but is not directly linked to the establishment of a positive governance culture.
c. To promote a positive governance culture, it is essential to establish collaboration across biz lines. In this way, line mgmt. will speak a common language and share the same goals.

22
Q

What is the MAIN risk when there is no user mgmt. representation on the infosec steering committee?

a. Functional reqmts. are not adequately considered
b. User training programs may be inadequate
c. budgets allocated to biz units are not appropriate
d. infosec plans are not aligned with biz reqmts.

A

D

xa. Functional reqmts. and user training programs are considered to be part of project devmt but are not the main risk.
d. The steering committee usually controls the execution of the infosec strategy, and lacking representation of user mgmt., the committee may fail to consider impact on productivity and adequate user controls.

23
Q

Which of the following metrics will provide the BEST indication of org'al risk?

a. annual loss expectancy
b. the number of infosec incidents
c. the extent of unplanned biz interruptions
d. the number of high-impact vulnerabilities

A

C

xa. Annual loss expectancy is the quantification of loss exposure based on probability and frequency of outages with a known or estimated cost. It is part of a BIA and may be calculated at the org and/or system level, but it is based on projections rather than on observed data.
b. The number of recorded or recognized incidents does not reveal impact.
c. An unplanned biz interruption is a standard measure b/c it provides a quantifiable measure of how much biz may be lost due to the inability to acquire, process and produce results that affect the customer(s).
d. The number of high-impact vulnerabilities provides an indication of weakness w/in the info network and/or systems but is not by itself an indicator of risk.

24
Q

Which of the following would be the FIRST step when developing a biz case of an infosec investment?

a. defining the objectives
b. calculating the cost
c. defining the need
d. analyzing the cost-effectiveness

A

C

xa. W/o a clear definition of the needs to be addressed, the objective cannot be determined.
c. W/o a clear definition of the needs to be addressed, the rest of the components of the biz case cannot be determined.

25
Q

Effective infosec requires a combination of mgmt., admin, and technical controls b/c:

a. technical controls alone are unable to adequately compensate for faulty processes
b. senior mgmt. is unlikely to fund adequate deployment of technical controls
c. the approach to addressing or treating specific risk has a significant impact on costs
d. development of the right strategy needs to be iterative to achieve the desired state.

A

A

a. In addition to typically being less costly, processes are considerably more effective when flaws in a process are a cause of risk. Attempting to counteract process flaws using technical controls will generally impose substantial restrictions on biz ops and burden the org with disproportionate cost w/o addressing the root cause of the problem.
b. Cost is always a consideration and technical controls tend to be more costly than other types of controls. However, even with unlimited funding, the infosec mgr. is unlikely to be able to adequately compensate for faulty processes solely by deploying technical controls.
xc. While the approach to addressing or treating specific risk has a significant impact on cost, it does not explain why deploying technical controls alone cannot create and maintain info security.

26
Q

Which of the following is an indicator of effective governance?

a. a defined infosec architecture
b. compliance with internatl. security standards
c. periodic external audits
d. an established risk mgmt. program

A

D
xb. This is not an indication of the use of effective governance.
d. A risk mgmt. program is a key component of effective governance.

27
Q

Which of the following is the MOST effective approach to identify events that may affect infosec across a large multinatl. enterprise?

a. review internal and external audits to indicate anomalies
b. ensure that intrusion detection sensors are widely deployed
c. develop comm channels throughout the enterprise
d. conduct regular enterprise-wide security reviews

A

C

xa. Events can occur between audits that might not be detected and responded to in a timely manner.
c. Good comm channels can provide timely reporting of events across a large enterprise as well as providing channels for dissemination of security info.

28
Q

Infosec governance must be integrated into all biz fxns and activities PRIMARILY to:

a. maximize security efficiency
b. standardize operational activities
c. achieve strategic alignment
d. address operational risk

A

D

a. Efficiency is not necessarily an attribute of the integration of governance throughout the org, but the effectiveness of the governance program to address and reduce biz risk is such an attribute.
b. Standardization will help create a more efficient program, but it will not necessarily establish a risk mitigation process that will address operational risk to assist biz in better managing risk fxns and processes.
xc. While good governance may help promote strategic alignment, the main reason to ensure integration of governance in all org fxns is to prevent gaps in the mgmt. of risk and maintain acceptable risk levels throughout the org.
d. All aspects of organizational activities pose risk that is mitigated through effective infosec governance and the devmt and implementation of policies, standards and procedures.

29
Q

Which of the following is the BEST indicator of the state of infosec governance?

a. a defined maturity level
b. a developed security strategy
c. complete policies and standards
d. low numbers of incidents

A

A

a. A defined maturity level is the best overall indicator of the state of infosec governance. The maturity level indicates how mature a process is on a scale from 0 (incomplete process) to 5 (optimizing process).
b. This is an important first step, but it must be implemented properly to be effective and by itself is not an indication of the state of governance.
xc. Complete policies and standards are required for effective governance but are only one part of the reqmt. By themselves they are not an indicator of the effectiveness of governance.

30
Q

Which of the following is the MOST important consideration when developing an infosec strategy?

a. resources avail to implement the program
b. compliance with legal and regulatory constraints
c. effectiveness of risk mitigation
d. resources required to implement the strategy

A

C

xb. Legal and regulatory reqmts. must be considered in the strategy to the extent that mgmt. has determined the appropriate level of compliance.
c. Effectively managing info risk to acceptable levels (in alignment with the biz objectives) is the most important overall consideration of an infosec strategy.

31
Q

The MOST important reqmt. for gaining mgmt. commitment to the infosec program is to:

a. benchmark a number of successful orgs
b. demonstrate potential losses and other impacts that can result from a lack of support
c. inform mgmt. of the legal requirements of due care
d. demonstrate support for desired outcomes

A

D

xb. Mgmt. often considers security to be a financial drain and overreactive. Showing probable outcomes can help build a case, but demonstrating how the program will materially assist in achieving the desired biz outcomes will be more effective.
d. The most effective approach to gain support from mgmt. for the infosec program is to persuasively demonstrate how the program will help achieve the desired outcomes. This can be done by providing specific biz support in areas of operational predictability and regulatory compliance and by improving resource allocation and meaningful performance metrics.

32
Q

An org has consolidated global ops. The CIO has asked the CISO to develop a new org infosec strategy. Which of the following actions should be taken FIRST?

a. identify the assets
b. conduct a risk assessment
c. define the scope
d. perform a BIA

A

C

c. The scope of the program must be determined before any of the other steps can be performed.

33
Q

To improve the security of an org's HR system, an infosec mgr. was presented with a choice to either implement an additional packet filtering firewall OR a heuristics-based intrusion detection system. How would a security mgr. with a limited budget choose between the two technologies?

a. risk analysis
b. BIA
c. ROI analysis
d. cost-benefit analysis

A

D

xc. ROI analysis compares the magnitude and timing of investment gains directly with the magnitude and timing of investment costs.
d. Cost-benefit analysis measures the cost of a safeguard vs. the benefit it provides and includes risk assessment. The cost of a control should not exceed the benefit to be derived from it. The degree of control employed is a matter of good biz judgment.

34
Q

The concept of governance, risk and compliance serves PRIMARILY to:

a. align org assurance fxns
b. ensure that all 3 activities are addressed by policy
c. present the correct sequence of security activities
d. define the responsibilities of infosec

A

A

a. GRC is an effort to integrate assurance activities across an org to achieve greater efficiency and effectiveness.
xd. GRC is about integration of these activities, not specific responsibilities of various groups.

35
Q

A newly hired infosec mgr. notes that existing infosec practices and procedures appear ad hoc. Based on this observation, the next action should be to:

a. assess the commitment of senior mgmt. to the program
b. assess the maturity level of the org
c. review corp. stds.
d. review corp. risk mgmt. practices

A

C

xb. It is evident from the initial review that maturity is very low and efforts required for a complete assessment are not warranted. It may be better to address the immediate problem of ad hoc practices and procedures.
c. The absence of current, effective standards is a concern that must be addressed promptly.

36
Q

Which of the following is the MOST important outcome of an infosec strategy?

a. consistent policies and standards
b. ensuring that residual risk is at an acceptable level
c. an improvement in the threat landscape
d. controls consistent with internatl. stds.

A

B

xa. Consistency of document design facilitates maintenance, while consistency of document content across units and entities ensures that documents are applied uniformly; consistency does not ensure alignment with biz objectives.
b. Residual risk is the remaining risk after mgmt. has implemented a risk response or treatment. An important objective of a security strategy is to implement cost-effective controls that ensure that residual risk remains w/in the org’s acceptable risk and tolerance levels.

37
Q

Obtaining senior mgmt. support for an infosec initiative can BEST be accomplished by:

a. developing and presenting a biz case
b. defining the risk that will be addressed
c. presenting a financial analysis of benefits
d. aligning the initiative w/org objectives

A

A

a. A biz case is inclusive of the other options and specifically addresses them.

38
Q

The MOST important basis for developing a biz case is the:

a. risk that will be addressed
b. financial analysis of benefits
c. alignment with org’al objectives
d. feasibility and value proposition

A

D

xc. Alignment with org'al objectives is part of what determines feasibility and whether the benefits are sufficient for the cost.
d. The feasibility and value proposition are the primary factors in determining whether a project will proceed.

39
Q

Which of the following is the MOST important consideration for a control policy?

a. data protection
b. life safety
c. security strategy
d. regulatory factors

A

B

xa. Protecting data is not as important as protecting life.
b. For physical controls, such as electrically controlled doors with swipe card access, the most important consideration is safety, such as ensuring that the doors fail open in case of fire.

40
Q

Senior mgmt. has expressed some concern about the effectiveness of the infosec program. What can the infosec mgr. do to gain the support of senior mgmt. for the program?

a. rebuild the program on the basis of a recognized, auditable std.
b. calculate the cost-benefit analysis of the existing controls that are in place
c. interview senior mgrs. to address their concerns with the program
d. present a report from the steering committee supporting the program

A

C

xb. A cost-benefit analysis of controls demonstrates that they were preferable to alternative methods of risk treatment, but this doesn’t address the overall program effectiveness.
c. It is not uncommon for senior mgrs. to have concerns. An effective infosec mgr. will discuss these concerns and make changes as needed to address them.

41
Q
Which of the following indicators is MOST likely to be of strategic value?
a. # of users w/privileged access
b. trends in incident frequency
c. annual network downtime
d. vulnerability scan results
A

B

b. Trends in incident frequency will show whether the infosec program is improving and heading in the right direction.
d. Vulnerability scans are an operational metric.

42
Q

Which of the following is MOST important in the development of infosec policies?

a. adopting an established framework
b. using modular design for easier maintenance
c. using prevailing industry stds.
d. gathering stakeholder reqmts.

A

D

xa. A framework will not be effective w/o including the mgmt. intent and direction provided by policies.
d. The primary stakeholders in policies are mgmt., and policies are the primary governance tool employed in an org; therefore, the policies must reflect mgmt. intent and direction.

43
Q

An org has recently developed and approved an access control policy. Which of the following will be MOST effective in communicating it to employees?

a. requiring employees to formally acknowledge receipt of the policy
b. integrating security reqmts. into job descriptions
c. making the policy avail. on the intranet
d. implementing an annual retreat for employees on infosec.

A

A

a. Requiring employees to formally acknowledge receipt of the policy does not guarantee that it has been read or understood, but it establishes employee acknowledgment of the existence of the new policy. Each communication should identify a point of contact for follow-up questions.
xb. Current employees don’t necessarily reread job descriptions that would contain the new policy.

44
Q

In a mature org, it would be expected that the security baseline could be approximated by which of the following?

a. organizational policies are in place
b. enterprise architecture is documented
c. control objectives are being met
d. compliance reqmts. are addressed

A

C

xa. Policies, as a statement of mgmt. intent and direction, will only indicate the security baseline in a general sense.
c. The control objectives, when achieved, set the security baselines.

45
Q

Infosec policy development should PRIMARILY be based on:

a. vulnerabilities
b. exposures
c. threats
d. impacts

A

C

c. Policies are developed in response to perceived threats. If there is no perceived threat, there is no need for a policy. A threat is defined as anything that is capable of acting against an asset in a manner that can result in harm.
xd. Impact is not an issue if no threat exists. The impact is generally quantified as a direct financial loss in the short term or an ultimate (indirect) financial loss in the long term.

46
Q

The FIRST action for an infosec mgr. to take when presented with news that new regulations are being applied to how orgs handle sensitive data is to determine:

a. processes and activities that may be affected
b. how senior mgmt. would prefer to respond
c. whether the org qualifies for an exemption
d. the approximate cost of compliance

A

A

a. Changes to infosec are best made on the basis of risk. To determine the risk associated with the new regs, the infosec mgr. must first know what processes and activities may be affected.
xb. Senior mgmt. will not have a basis for preference until potential effects are determined and compliance reqmts. identified.

47
Q

What is the MOST important consideration when developing a biz case for an infosec investment?

a. the impact on the risk profile of the org
b. the acceptability to the board of directors
c. the implementation benefits
d. the affordability to the org

A

C

xa. The impact on the risk profile can be one component of the biz case but does not include all the areas the biz case would cover.
c. A biz case is defined as documentation of the rationale for making a biz investment, used both to support a biz decision on whether to proceed with the investment and as an operational tool to support mgmt. of the investment through its full economic life cycle. A biz case covers not only long-term benefits but short-term ones as well, along with the costs.

48
Q

Which of the following choices will MOST influence how the infosec program will be designed and implemented?

a. type and nature of risk
b. organizational culture
c. overall biz objectives
d. lines of biz

A

B

b. The organizational culture generally influences risk appetite and risk tolerance, in addition to how issues are perceived and dealt with and many other aspects, which has significant influence over how an infosec program should be designed and implemented.
xc. Business objectives will determine the specific kinds of risk to be addressed but will not greatly influence the actual program development and implementation.

49
Q

Which of the following reasons is the MOST important to develop a strategy before implementing an infosec program?

a. to justify program devmt. costs
b. to integrate devmt. activities
c. to gain mgmt. support for it
d. to comply w/internatl. stds.

A

B

b. A strategy is a plan to achieve an objective that serves to align and integrate program activities to achieve the defined outcomes.
xc. Mgmt. support will need to be achieved prior to developing the strategy and is more likely based on a biz case than on the strategy.

50
Q

Which of the following elements are the MOST essential to develop an infosec strategy?

a. complete policies and standards
b. an appropriate governance framework
c. current state and objectives
d. mgmt. intent and direction

A

C

c. Because a strategy is essentially a plan to achieve an objective, it is essential to know the current state of infosec and the desired future state or objectives.
xd. Mgmt. intent and direction is essential to developing objectives; the current state is also required.

51
Q

Reqmts. for an infosec program should be based PRIMARILY on which of the following choices?

a. governance policies
b. desired outcomes
c. specific objectives
d. the security strategy

A

B
b. The desired outcomes for the security program will be high-level achievements related to acceptable risk across the enterprise and will determine the reqmts. that must be met to achieve those outcomes.
xc. Objectives are the steps required to achieve the desired outcomes.

52
Q

Which of the following challenges associated with infosec documentation is MOST likely to affect a large, established org?

a. standards change more slowly than the environment
b. policies change faster than they can be distributed
c. procedures are ignored to meet operational reqmts.
d. policies remain unchanged for long periods of time

A

A

a. Large, established orgs tend to have numerous layers of review and approval associated with changes to stds. These review mechanisms are likely to be outpaced by changes in tech and the risk environment.
xc. Large, established orgs typically have formal training programs and internal controls that keep activities substantially in line with published procedures.

53
Q

In a BIA, the value of an information system should be based on the overall:

a. cost of recovery
b. cost to recreate
c. opportunity cost
d. cost of emergency operations

A

C

xa. The cost of recovering the system is not the basis for determining the value of the system to the org; rather, the loss of revenues and/or other costs is the primary basis.
c. Opportunity cost reflects the cost to the org resulting from the loss of a fxn.

54
Q

Which of the following situations presents the GREATEST infosec risk for an org with multiple, but small, domestic processing locations?

a. systems operation guidelines are not enforced
b. change mgmt. procedures are poor
c. systems devmt. is outsourced
d. system capacity mgmt. is not performed

A

B

xa. Because guidelines are generally not mandatory, their lack of enforcement is not a primary concern.
b. The lack of effective oversight is likely to result in inconsistent change mgmt. activities which can present a serious security risk.

55
Q

Which of the following types of risk is BEST assessed using quantitative risk assessment techniques?

a. stolen customer data
b. an electrical power outage
c. a defaced web site
d. loss of the sw devmt. team

A

B

xa. The effect of the theft of customer data could lead to a permanent decline in customer confidence, which does not lend itself to measurement by quantitative techniques.
b. The loss of electrical power for a short duration is more easily measurable than the other choices and can be quantified into monetary amounts that can be assessed with quantitative techniques.

56
Q

Infosec mgrs. should use risk assessment techniques to:

a. justify selection of risk mitigation strategies
b. maximize the ROI
c. provide documentation for auditors and regulators
d. quantify risk that would otherwise be subjective

A

A

a. Infosec mgrs. should use risk assessment techniques as one of the main bases to justify and implement a risk mitigation strategy as efficiently as possible.
xd. If the assessed risk is subjective, risk assessment techniques will not meaningfully quantify it.

57
Q

After completing a full IT risk assessment, who is in the BEST position to decide which mitigating controls should be implemented?

a. senior mgmt.
b. the biz mgr.
c. the IT audit mgr.
d. the infosec officer

A

B

xa. Senior mgmt. will have to ensure that the biz mgr. has a clear understanding of the risk assessed, but it will not be in a position to decide on specific controls.
b. The biz mgr. will be in the best