712-50 Practice Test Questions

445 Questions


Topic 2: IS Management Controls and Auditing Management

Assigning the role and responsibility of Information Assurance to a dedicated and independent security group is an example of:

A. Detective Controls
B. Proactive Controls
C. Preemptive Controls
D. Organizational Controls

Answer: D. Organizational Controls



Which of the following set of processes is considered to be one of the cornerstone cycles of the International Organization for Standardization (ISO) 27001 standard?

A. Plan-Check-Do-Act
B. Plan-Do-Check-Act
C. Plan-Select-Implement-Evaluate
D. SCORE (Security Consensus Operational Readiness Evaluation)

Answer: B. Plan-Do-Check-Act



To have accurate and effective information security policies, how often should the CISO review the organization's policies?

A. Every 6 months
B. Quarterly
C. Before an audit
D. At least once a year

Answer: D. At least once a year



As a new CISO at a large healthcare company, you are told that everyone has to badge in to get into the building. Below your office window you notice a door that is normally propped open during the day for groups of people to take breaks outside. Upon looking closer, you see there is no badge reader. What should you do?

A. Nothing, this falls outside your area of influence.
B. Close and chain the door shut and send a company-wide memo banning the practice.
C. Have a risk assessment performed.
D. Post a guard at the door to maintain physical security.

Answer: C. Have a risk assessment performed.



The implementation of anti-malware and anti-phishing controls on centralized email servers is an example of what type of security control?

A. Organization control
B. Procedural control
C. Management control
D. Technical control

Answer: D. Technical control



An information security department is required to remediate system vulnerabilities when they are discovered. Please select the three primary remediation methods that can be used on an affected system.

A. Install software patch, Operate system, Maintain system
B. Discover software, Remove affected software, Apply software patch
C. Install software patch, configuration adjustment, Software Removal
D. Software removal, install software patch, maintain system

Answer: C. Install software patch, configuration adjustment, Software Removal



The CIO of an organization has decided to assign the responsibility of internal IT audit to the IT team. This is considered a bad practice MAINLY because:

A. The IT team is not familiar with IT audit practices
B. This represents a bad implementation of the Least Privilege principle
C. This represents a conflict of interest
D. The IT team is not certified to perform audits

Answer: C. This represents a conflict of interest



When measuring the effectiveness of an Information Security Management System, which one of the following would be MOST LIKELY used as a metric framework?

A. ISO 27001
B. PRINCE2
C. ISO 27004
D. ITILv3

Answer: C. ISO 27004



Which of the following activities must be completed BEFORE you can calculate risk?

A. Determining the likelihood that vulnerable systems will be attacked by specific threats
B. Calculating the risks to which assets are exposed in their current setting
C. Assigning a value to each information asset
D. Assessing the relative risk facing the organization's information assets

Answer: C. Assigning a value to each information asset



A recent audit has identified a few control exceptions and is recommending the implementation of technology and processes to address the finding. Which of the following is the MOST likely reason for the organization to reject the implementation of the recommended technology and processes?

A. The auditors have not followed proper auditing processes
B. The CIO of the organization disagrees with the finding
C. The risk tolerance of the organization permits this risk
D. The organization has purchased cyber insurance

Answer: C. The risk tolerance of the organization permits this risk



Which of the following are primary concerns for management with regard to assessing internal control objectives?

A. Confidentiality, Availability, Integrity
B. Compliance, Effectiveness, Efficiency
C. Communication, Reliability, Cost
D. Confidentiality, Compliance, Cost

Answer: B. Compliance, Effectiveness, Efficiency



Which of the following is the PRIMARY purpose of International Organization for Standardization (ISO) 27001?

A. Use within an organization to formulate security requirements and objectives
B. Implementation of business-enabling information security
C. Use within an organization to ensure compliance with laws and regulations
D. To enable organizations that adopt it to obtain certifications

Answer: B. Implementation of business-enabling information security



