Topic 1: Governance (Policy, Legal & Compliance)
Which of the following functions MUST your Information Security Governance program include for formal organizational reporting?
A. Audit and Legal
B. Budget and Compliance
C. Human Resources and Budget
D. Legal and Human Resources
Answer: Audit and Legal
What is the first thing that needs to be completed in order to create a security program for your organization?
A. Risk assessment
B. Security program budget
C. Business continuity plan
D. Compliance and regulatory analysis
Answer: Risk assessment
A. The types of cardholder data retained
B. The duration cardholder data is retained
C. The size of the organization processing credit card data
D. The number of transactions performed per year by an organization
Answer: The number of transactions performed per year by an organization
You have purchased a new insurance policy as part of your risk strategy. Which of the following risk strategy options have you engaged in?
A. Risk Avoidance
B. Risk Acceptance
C. Risk Transfer
D. Risk Mitigation
Answer: Risk Transfer
If your organization operates under a model of "assumption of breach", you should:
A. Protect all information resource assets equally
B. Establish active firewall monitoring protocols
C. Purchase insurance for your compliance liability
D. Focus your security efforts on high value assets
Answer: Purchase insurance for your compliance liability
What should an organization do to ensure that they have a sound Business Continuity (BC) Plan?
A. Test every three years to ensure that things work as planned
B. Conduct periodic tabletop exercises to refine the BC plan
C. Outsource the creation and execution of the BC plan to a third party vendor
D. Conduct a Disaster Recovery (DR) exercise every year to test the plan
Answer: Conduct periodic tabletop exercises to refine the BC plan
After a risk assessment is performed, a particular risk is considered to have the potential of costing the organization 1.2 million USD. This is an example of:
A. Risk Tolerance
B. Qualitative risk analysis
C. Risk Appetite
D. Quantitative risk analysis
Answer: Quantitative risk analysis
An organization has defined a set of standard security controls. This organization has also defined the circumstances and conditions in which they must be applied. What is the NEXT logical step in applying the controls in the organization?
A. Determine the risk tolerance
B. Perform an asset classification
C. Create an architecture gap analysis
D. Analyze existing controls on systems
Answer: Perform an asset classification
A global retail company is creating a new compliance management process. Which of the following regulations is of MOST importance to be tracked and managed by this process?
A. Information Technology Infrastructure Library (ITIL)
B. International Organization for Standardization (ISO) standards
C. Payment Card Industry Data Security Standards (PCI-DSS)
D. National Institute of Standards and Technology (NIST) standard
Answer: Payment Card Industry Data Security Standards (PCI-DSS)
Which of the following provides an audit framework?
A. Control Objectives for IT (COBIT)
B. Payment Card Industry Data Security Standard (PCI-DSS)
C. International Organization for Standardization (ISO) 27002
D. National Institute of Standards and Technology (NIST) SP 800-30
Answer: Control Objectives for IT (COBIT)