Topic 1: Governance (Policy, Legal & Compliance)
You have recently drafted a revised information security policy. From whom should you seek endorsement in order to have the GREATEST chance for adoption and implementation throughout the entire organization?
A. Chief Information Security Officer
B. Chief Executive Officer
C. Chief Information Officer
D. Chief Legal Counsel
Answer: Chief Executive Officer
A method to transfer risk is to:
A. Implement redundancy
B. Move operations to another region
C. Purchase breach insurance
D. Alignment with business operations
Answer: Purchase breach insurance
The Information Security Governance program MUST:
A. integrate with other organizational governance processes
B. support user choice for Bring Your Own Device (BYOD)
C. integrate with other organizational governance processes
D. show a return on investment for the organization
Answer: integrate with other organizational governance processes
When managing the security architecture for your company you must consider:
A. Security and IT staff size
B. Company values
C. Budget
D. All of the above
Answer: All of the above
Which of the following is a difference between quantitative and qualitative risk assessment?
A. Quantitative risk assessments result in an exact number (in monetary terms)
B. Qualitative risk assessments result in a quantitative assessment (high, medium, low, red, yellow, green)
C. Qualitative risk assessments map to business objectives
D. Quantitative risk assessments result in a quantitative assessment (high, medium, low, red, yellow, green)
Answer: Quantitative risk assessments result in an exact number (in monetary terms)
One of the MAIN goals of a Business Continuity Plan is to:
A. Ensure all infrastructure and applications are available in the event of a disaster
B. Allow all technical first-responders to understand their roles in the event of a disaster
C. Provide step-by-step plans to recover business processes in the event of a disaster
D. Assign responsibilities to the technical teams responsible for the recovery of all data
Answer: Provide step-by-step plans to recover business processes in the event of a disaster
The purpose of NIST SP 800-53 as part of the NIST System Certification and Accreditation Project is to establish a set of standardized, minimum security controls for IT systems addressing low, moderate, and high levels of concern for:
A. Confidentiality, Integrity and Availability
B. Assurance, Compliance and Availability
C. International Compliance
D. Integrity and Availability
Answer: Confidentiality, Integrity and Availability
Which of the following is the MOST important for a CISO to understand when identifying threats?
A. How vulnerabilities can potentially be exploited in systems that impact the organization
B. How the security operations team will respond to reported incidents
C. How the firewall and other security devices are configured to prevent attacks
D. How the incident management team prepares to handle an attack
Answer: How vulnerabilities can potentially be exploited in systems that impact the organization
What is the MAIN reason for conflicts between Information Technology and Information Security programs?
A. Technology governance defines technology policies and standards while security governance does not.
B. Security governance defines technology best practices and Information Technology governance does not.
C. Technology governance is focused on process risks whereas security governance is focused on business risk.
D. The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology implementations.
Answer: The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology implementations.
Which of the following represents the HIGHEST negative impact resulting from an ineffective security governance program?
A. Reduction of budget
B. Decreased security awareness
C. Improper use of information resources
D. Fines for regulatory non-compliance
Answer: Fines for regulatory non-compliance