Topic 2: IS Management Controls and Auditing Management
When a CISO considers delaying or not remediating system vulnerabilities, which of the following are MOST important to take into account?
A. Threat Level, Risk of Compromise, and Consequences of Compromise
B. Risk Avoidance, Threat Level, and Consequences of Compromise
C. Risk Transfer, Reputational Impact, and Consequences of Compromise
D. Reputational Impact, Financial Impact, and Risk of Compromise
Answer: Threat Level, Risk of Compromise, and Consequences of Compromise
The mean time to patch, number of virus outbreaks prevented, and number of vulnerabilities mitigated are examples of what type of performance metrics?
A. Risk metrics
B. Management metrics
C. Operational metrics
D. Compliance metrics
Answer: Operational metrics
An audit was conducted and many critical applications were found to have no disaster recovery plans in place. You conduct a Business Impact Analysis (BIA) to determine the impact to the company for each application. What should be the NEXT step?
A. Determine the annual loss expectancy (ALE)
B. Create a crisis management plan
Which of the following is the MOST important reason to measure the effectiveness of an Information Security Management System (ISMS)?
A. Meet regulatory compliance requirements
B. Better understand the threats and vulnerabilities affecting the environment
C. Better understand strengths and weaknesses of the program
D. Meet legal requirements
Answer: Better understand strengths and weaknesses of the program
Your IT auditor is reviewing significant events from the previous year and has identified some procedural oversights. Which of the following would be the MOST concerning?
A. Lack of notification to the public of disclosure of confidential information
B. Lack of periodic examination of access rights
C. Failure to notify police of an attempted intrusion
D. Lack of reporting of a successful denial of service attack on the network
Answer: Lack of notification to the public of disclosure of confidential information
How often should an environment be monitored for cyber threats, risks, and exposures?
A. Weekly
B. Monthly
C. Quarterly
D. Daily
Answer: Daily
Many times a CISO may have to speak to the Board of Directors (BOD) about their cyber security posture. What would be the BEST choice of security metrics to present to the BOD?
A. All vulnerabilities found on servers and desktops
B. Only critical and high vulnerabilities on servers and desktops
C. Only critical and high vulnerabilities that impact important production servers
D. All vulnerabilities that impact important production servers
Answer: Only critical and high vulnerabilities that impact important production servers
Control Objectives for Information and Related Technology (COBIT) is which of the following?
A. An Information Security audit standard
B. An audit guideline for certifying secure systems and controls
C. A framework for Information Technology management and governance
D. A set of international regulations for Information Technology governance
Answer: A framework for Information Technology management and governance
You work as a project manager for the TYU project. You are planning for risk mitigation. You need to quickly identify high-level risks that will need a more in-depth analysis. Which of the following activities will help you in this?
A. Qualitative analysis
B. Quantitative analysis
C. Risk mitigation
D. Estimate activity duration
Answer: Qualitative analysis
When a critical vulnerability has been discovered on production systems and needs to be fixed immediately, what is the BEST approach for a CISO to mitigate the vulnerability under tight budget constraints?
A. Transfer financial resources from other critical programs
B. Take the system offline until the budget is available
C. Deploy countermeasures and compensating controls until the budget is available
D. Schedule an emergency meeting and request the funding to fix the issue
Answer: Deploy countermeasures and compensating controls until the budget is available
An organization is required to implement background checks on all employees with access to databases containing credit card information. This is considered a security:
A. Procedural control
B. Management control
C. Technical control
D. Administrative control
Answer: Management control
Step-by-step procedures to regain normalcy in the event of a major earthquake are PRIMARILY covered by which of the following plans?
A. Incident response plan
B. Business Continuity plan
C. Disaster recovery plan
D. Damage control plan
Answer: Disaster recovery plan