712-50 Practice Test Questions

445 Questions


Topic 3: Management – Projects and Operations (Projects, Technology & Operations)

A CISO sees abnormally high volumes of exceptions to security requirements and constant pressure from business units to change security processes. Which of the following represents the MOST LIKELY cause of this situation?

A. Poor audit support for the security program
B. A lack of executive presence within the security program
C. Poor alignment of the security program to business needs
D. This is normal since business units typically resist security requirements

Answer: C. Poor alignment of the security program to business needs



A stakeholder is a person or group:

A. Vested in the success and/or failure of a project or initiative regardless of budget implications.
B. Vested in the success and/or failure of a project or initiative and is tied to the project budget.
C. That has budget authority.
D. That will ultimately use the system.

Answer: A. Vested in the success and/or failure of a project or initiative regardless of budget implications.



A person in your security team calls you at night and informs you that one of your web applications is potentially under attack from a cross-site scripting vulnerability. What do you do?

A. Tell him to shut down the server
B. Tell him to call the police
C. Tell him to invoke the incident response process
D. Tell him to analyze the problem, preserve the evidence and provide a full analysis and report

Answer: C. Tell him to invoke the incident response process



Which of the following represents the best method of ensuring business unit alignment with security program requirements?

A. Provide clear communication of security requirements throughout the organization
B. Demonstrate executive support with written mandates for security policy adherence
C. Create collaborative risk management approaches within the organization
D. Perform increased audits of security processes and procedures

Answer: C. Create collaborative risk management approaches within the organization



A department within your company has proposed a third-party vendor solution to address an urgent, critical business need. As the CISO you have been asked to accelerate screening of their security control claims. Which of the following vendor-provided documents is BEST for making your decision?

A. Vendor’s client list of reputable organizations currently using their solution
B. Vendor-provided attestation of the detailed security controls from a reputable accounting firm
C. Vendor-provided reference from an existing reputable client detailing their implementation
D. Vendor-provided internal risk assessment and security control documentation

Answer: B. Vendor-provided attestation of the detailed security controls from a reputable accounting firm



Risk appetite is typically determined by which of the following organizational functions?

A. Security
B. Business units
C. Board of Directors
D. Audit and compliance

Answer: C. Board of Directors



To get an Information Security project back on schedule, which of the following will provide the MOST help?

A. Upper management support
B. More frequent project milestone meetings
C. Stakeholder support
D. Extend work hours

Answer: A. Upper management support



Your incident response plan should include which of the following?

A. Procedures for litigation
B. Procedures for reclamation
C. Procedures for classification
D. Procedures for charge-back

Answer: C. Procedures for classification



Which of the following will be MOST helpful for getting an Information Security project that is behind schedule back on schedule?

A. Upper management support
B. More frequent project milestone meetings
C. More training of staff members
D. Involve internal audit

Answer: A. Upper management support



Which of the following is critical in creating a security program aligned with an organization’s goals?

A. Ensure security budgets enable technical acquisition and resource allocation based on internal compliance requirements
B. Develop a culture in which users, managers and IT professionals all make good decisions about information risk
C. Provide clear communication of security program support requirements and audit schedules
D. Create security awareness programs that include clear definition of security program goals and charters

Answer: B. Develop a culture in which users, managers and IT professionals all make good decisions about information risk



Which of the following information may be found in tabletop exercises for incident response?

A. Security budget augmentation
B. Process improvements
C. Real-time to remediate
D. Security control selection

Answer: B. Process improvements



A CISO decides to analyze the IT infrastructure to ensure security solutions adhere to the concepts of how hardware and software are implemented and managed within the organization. Which of the following principles does this best demonstrate?

A. Alignment with the business
B. Effective use of existing technologies
C. Leveraging existing implementations
D. Proper budget management

Answer: A. Alignment with the business



