Topic 1: Governance (Policy, Legal & Compliance)
Which of the following is a MAJOR consideration when an organization retains sensitive customer data and uses this data to better target the organization's products and services?
A. Strong authentication technologies
B. Financial reporting regulations
C. Credit card compliance and regulations
D. Local privacy laws
Answer: D. Local privacy laws

When dealing with a risk management process, asset classification is important because it will impact the overall:
A. Threat identification
B. Risk monitoring
C. Risk treatment
D. Risk tolerance
Answer: C. Risk treatment

According to the National Institute of Standards and Technology (NIST) SP 800-40, which of the following considerations are MOST important when creating a vulnerability management program?
A. Susceptibility to attack, mitigation response time, and cost
B. Attack vectors, controls cost, and investigation staffing needs
C. Vulnerability exploitation, attack recovery, and mean time to repair
D. Susceptibility to attack, expected duration of attack, and mitigation availability
Answer: A. Susceptibility to attack, mitigation response time, and cost

A global retail organization is looking to implement a consistent Disaster Recovery and Business Continuity Process across all of its business units. Which of the following standards and guidelines can BEST address this organization's need?
A. International Organization for Standardization 22301 (ISO 22301)
B. Information Technology Infrastructure Library (ITIL)
C. Payment Card Industry Data Security Standard (PCI DSS)
D. International Organization for Standardization 27005 (ISO 27005)
Answer: A. International Organization for Standardization 22301 (ISO 22301)

Who in the organization determines access to information?
A. Legal department
B. Compliance officer
C. Data Owner
D. Information security officer
Answer: C. Data Owner

The FIRST step in establishing a security governance program is to:
A. Conduct a risk assessment
B. Obtain senior level sponsorship
C. Conduct a workshop for all end users
D. Prepare a security budget
Answer: B. Obtain senior level sponsorship

Within an organization's vulnerability management program, who has the responsibility to implement remediation actions?
A. Security officer
B. Data owner
C. Vulnerability engineer
D. System administrator
Answer: D. System administrator

The establishment of a formal risk management framework and system authorization program is essential. The LAST step of the system authorization process is:
A. Contacting the Internet Service Provider for an IP scope
B. Getting authority to operate the system from executive management
C. Changing the default passwords
D. Conducting a final scan of the live system and mitigating all high and medium level vulnerabilities
Answer: B. Getting authority to operate the system from executive management

Information security policies should be reviewed:
A. by stakeholders at least annually
B. by the CISO when new systems are brought online
C. by the Incident Response team after an audit
D. by internal audit semiannually
Answer: A. by stakeholders at least annually

What is the relationship between information protection and regulatory compliance?
A. That all information in an organization must be protected equally
B. The information required to be protected by regulatory mandate does not have to be identified in the organization's data classification policy.
C. That the protection of some information, such as National ID information, is mandated by regulation, and other information, such as trade secrets, is protected based on business need.
D. There is no relationship between the two.
Answer: C. That the protection of some information, such as National ID information, is mandated by regulation, and other information, such as trade secrets, is protected based on business need.