Topic 1: Governance (Policy, Legal & Compliance)
When an organization claims it is secure because it is PCI-DSS certified, what is a good first question to ask when assessing the effectiveness of its security program?
A. How many credit card records are stored?
B. How many servers do you have?
C. What is the scope of the certification?
D. What is the value of the assets at risk?
Answer: C. What is the scope of the certification?
Which of the following intellectual property components is focused on maintaining brand recognition?
A. Trademark
B. Patent
C. Research logs
D. Copyright
Answer: A. Trademark
Quantitative risk assessments have which of the following advantages over qualitative risk assessments?
A. They are objective and can express risk / cost in real numbers
B. They are subjective and can be completed more quickly
C. They are objective and express risk / cost in approximates
D. They are subjective and can express risk / cost in real numbers
Answer: A. They are objective and can express risk / cost in real numbers
Developing effective security controls is a balance between:
A. Risk management and operations
B. Corporate culture and job expectations
C. Operations and regulations
D. Technology and vendor management
Answer: A. Risk management and operations
The alerting, monitoring and life-cycle management of security-related events is typically handled by the:
A. security threat and vulnerability management process
B. risk assessment process
C. risk management process
D. governance, risk, and compliance tools
Answer: A. security threat and vulnerability management process
Which of the following are the MOST important factors for proactively determining system vulnerabilities?
A. Subscribe to vendor mailing lists to get notification of system vulnerabilities
B. Deploy an Intrusion Detection System (IDS) and install anti-virus on systems
C. Configure the firewall, perimeter router and Intrusion Prevention System (IPS)
D. Conduct security testing, vulnerability scanning, and penetration testing
Answer: D. Conduct security testing, vulnerability scanning, and penetration testing
An organization's firewall technology needs to be replaced. A specific technology has been selected that is less costly than the others but lacks some important capabilities. The security officer has voiced concerns about sensitive data breaches, but the decision is made to purchase it. What does this selection indicate?
A. A high threat environment
B. A low risk tolerance environment
C. A low vulnerability environment
D. A high risk tolerance environment
Answer: D. A high risk tolerance environment
When managing an Information Security Program, which of the following is of MOST importance in order to influence the culture of an organization?
A. An independent Governance, Risk and Compliance organization
B. Alignment of security goals with business goals
C. Compliance with local privacy regulations
D. Support from Legal and HR teams
Answer: B. Alignment of security goals with business goals
Which of the following is MOST important when dealing with an Information Security Steering Committee?
A. Include a mix of members from different departments and staff levels.
B. Ensure that security policies and procedures have been vetted and approved.
C. Review all past audit and compliance reports.
D. Be briefed about new trends and products at each meeting by a vendor.
Answer: C. Review all past audit and compliance reports.
Which of the following is the MAIN reason to follow a formal risk management process in an organization that hosts and uses personally identifiable information (PII) as part of its business models and processes?
A. Need to comply with breach disclosure laws
B. Need to transfer the risk associated with hosting PII data
C. Need to better understand the risk associated with using PII data
D. Fiduciary responsibility to safeguard credit card information
Answer: C. Need to better understand the risk associated with using PII data
The Information Security Management program MUST protect:
A. all organizational assets
B. critical business processes and/or revenue streams
C. intellectual property released into the public domain
D. against distributed denial of service attacks
Answer: B. critical business processes and/or revenue streams
Why is it vitally important that senior management endorse a security policy?
A. So that they will accept ownership for security within the organization.
B. So that employees will follow the policy directives.
C. So that external bodies will recognize the organization's commitment to security.
D. So that they can be held legally accountable.
Answer: A. So that they will accept ownership for security within the organization.