712-50 Practice Test Questions

445 Questions


Topic 1: Governance (Policy, Legal & Compliance)

The Information Security Governance program MUST:

A. integrate with other organizational governance processes
B. support user choice for Bring Your Own Device (BYOD)
C. integrate with other organizational governance processes
D. show a return on investment for the organization

Answer: A. integrate with other organizational governance processes



When managing the security architecture for your company you must consider:

A. Security and IT staff size
B. Company values
C. Budget
D. All of the above

Answer: D. All of the above



Which of the following is a difference between quantitative and qualitative risk assessment?

A. Quantitative risk assessments result in an exact number (in monetary terms)
B. Qualitative risk assessments result in a quantitative assessment (high, medium, low, red, yellow, green)
C. Qualitative risk assessments map to business objectives
D. Quantitative risk assessments result in a quantitative assessment (high, medium, low, red, yellow, green)

Answer: A. Quantitative risk assessments result in an exact number (in monetary terms)



One of the MAIN goals of a Business Continuity Plan is to:

A. Ensure all infrastructure and applications are available in the event of a disaster
B. Allow all technical first responders to understand their roles in the event of a disaster
C. Provide step-by-step plans to recover business processes in the event of a disaster
D. Assign responsibilities to the technical teams responsible for the recovery of all data

Answer: C. Provide step-by-step plans to recover business processes in the event of a disaster



The purpose of NIST SP 800-53 as part of the NIST System Certification and Accreditation Project is to establish a set of standardized, minimum security controls for IT systems addressing low, moderate, and high levels of concern for:

A. Confidentiality, Integrity and Availability
B. Assurance, Compliance and Availability
C. International Compliance
D. Integrity and Availability

Answer: A. Confidentiality, Integrity and Availability



Which of the following is the MOST important for a CISO to understand when identifying threats?

A. How vulnerabilities can potentially be exploited in systems that impact the organization
B. How the security operations team will respond to reported incidents
C. How the firewall and other security devices are configured to prevent attacks
D. How the incident management team prepares to handle an attack

Answer: A. How vulnerabilities can potentially be exploited in systems that impact the organization



What is the MAIN reason for conflicts between Information Technology and Information Security programs?

A. Technology governance defines technology policies and standards while security governance does not.
B. Security governance defines technology best practices and Information Technology governance does not.
C. Technology governance is focused on process risks whereas security governance is focused on business risk.
D. The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology implementations.

Answer: D. The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology implementations.



Which of the following represents the HIGHEST negative impact resulting from an ineffective security governance program?

A. Reduction of budget
B. Decreased security awareness
C. Improper use of information resources
D. Fines for regulatory non-compliance

Answer: D. Fines for regulatory non-compliance



When would it be more desirable to develop a set of decentralized security policies and procedures within an enterprise environment?

A. When there is a need to develop a more unified incident response capability.
B. When the enterprise is made up of many business units with diverse business activities, risk profiles and regulatory requirements.
C. When there is a variety of technologies deployed in the infrastructure.
D. When it results in an overall lower cost of operating the security program.

Answer: B. When the enterprise is made up of many business units with diverse business activities, risk profiles and regulatory requirements.



A company wants to fill a Chief Information Security Officer position in the organization. They need to define and implement a more holistic security program. Which of the following qualifications and experience would be MOST desirable to find in a candidate?

A. Multiple certifications, strong technical capabilities and lengthy resume
B. Industry certifications, technical knowledge and program management skills
C. College degree, audit capabilities and complex project management
D. Multiple references, strong background check and industry certifications

Answer: B. Industry certifications, technical knowledge and program management skills



Risk is defined as:

A. Threat times vulnerability divided by control
B. Advisory plus capability plus vulnerability
C. Asset loss times likelihood of event
D. Quantitative plus qualitative impact

Answer: A. Threat times vulnerability divided by control



Which of the following is a benefit of information security governance?

A. Questioning the trust in vendor relationships.
B. Increasing the risk of decisions based on incomplete management information.
C. Direct involvement of senior management in developing control processes.
D. Reduction of the potential for civil and legal liability.

Answer: D. Reduction of the potential for civil and legal liability.


