Topic 1: Governance (Policy, Legal & Compliance)
According to ISO 27001, of the steps for establishing an Information Security Governance program listed below, which comes first?
A. Identify threats, risks, impacts and vulnerabilities
B. Decide how to manage risk
C. Define the budget of the Information Security Management System
D. Define Information Security Policy
Answer: Define Information Security Policy
What role should the CISO play in properly scoping a PCI environment?
A. Validate the business units' suggestions as to what should be included in the scoping process
B. Work with a Qualified Security Assessor (QSA) to determine the scope of the PCI environment
C. Ensure internal scope validation is completed and that an assessment has been done to discover all credit card data
D. Complete the self-assessment questionnaire and work with an Approved Scanning Vendor (ASV) to determine scope
Answer: Ensure internal scope validation is completed and that an assessment has been done to discover all credit card data
Risk appetite directly affects what part of a vulnerability management program?
A. Staff
B. Scope
C. Schedule
D. Scan tools
Answer: Scope
In which of the following cases would an organization be more prone to risk acceptance vs. risk mitigation?
A. The organization uses exclusively a quantitative process to measure risk
B. The organization uses exclusively a qualitative process to measure risk
C. The organization's risk tolerance is high
D. The organization's risk tolerance is low
Answer: The organization's risk tolerance is high
You have a system with 2 identified risks. You determine the probability of one risk occurring is higher than the
A. Controlled mitigation effort
B. Risk impact comparison
C. Relative likelihood of event
D. Comparative threat analysis
Answer: Relative likelihood of event
What two methods are used to assess risk impact?
A. Cost and annual rate of expectance
B. Subjective and Objective
C. Qualitative and percent of loss realized
D. Quantitative and qualitative
Answer: Quantitative and qualitative
What is the definition of Risk in Information Security?
A. Risk = Probability x Impact
B. Risk = Threat x Probability
C. Risk = Financial Impact x Probability
D. Risk = Impact x Threat
Answer: Risk = Probability x Impact
The framework that helps to define a minimum standard of protection that business stakeholders must attempt to achieve is referred to as a standard of:
A. Due Protection
B. Due Care
C. Due Compromise
D. Due Process
Answer: Due Care
A security officer wants to implement a vulnerability scanning program. The officer is uncertain of the state of vulnerability resiliency within the organization’s large IT infrastructure. What would be the BEST approach to minimize scan data output while retaining a realistic view of system vulnerability?
A. Scan a representative sample of systems
B. Perform the scans only during off-business hours
C. Decrease the vulnerabilities within the scan tool settings
D. Filter the scan output so only pertinent data is analyzed
Answer: Scan a representative sample of systems
Who is responsible for securing networks during a security incident?
A. Chief Information Security Officer (CISO)
B. Security Operations Center (SOC)
C. Disaster Recovery (DR) manager
D. Incident Response Team (IRT)
Answer: Incident Response Team (IRT)
Which of the following is the MOST important benefit of an effective security governance process?
A. Reduction of liability and overall risk to the organization
B. Better vendor management
C. Reduction of security breaches
D. Senior management participation in the incident response process
Answer: Reduction of liability and overall risk to the organization
Which of the following international standards can be BEST used to define a Risk Management process in an organization?
A. National Institute of Standards and Technology 800-50 (NIST 800-50)
B. International Organization for Standardization 27005 (ISO 27005)
C. Payment Card Industry Data Security Standard (PCI-DSS)
D. International Organization for Standardization 27004 (ISO 27004)
Answer: International Organization for Standardization 27005 (ISO 27005)