Topic 1: Governance (Policy, Legal & Compliance)
When would it be more desirable to develop a set of decentralized security policies and procedures within an enterprise environment?
A. When there is a need to develop a more unified incident response capability.
B. When the enterprise is made up of many business units with diverse business activities, risk profiles and regulatory requirements.
C. When there is a variety of technologies deployed in the infrastructure.
D. When it results in an overall lower cost of operating the security program.
When the enterprise is made up of many business units with diverse business activities, risk profiles and regulatory requirements.
A company wants to fill a Chief Information Security Officer position in the organization. They need to define and implement a more holistic security program. Which of the following qualifications and experience would be MOST desirable to find in a candidate?
A. Multiple certifications, strong technical capabilities and lengthy resume
B. Industry certifications, technical knowledge and program management skills
C. College degree, audit capabilities and complex project management
D. Multiple references, strong background check and industry certifications
Industry certifications, technical knowledge and program management skills
Risk is defined as:
A. Threat times vulnerability divided by control
B. Advisory plus capability plus vulnerability
C. Asset loss times likelihood of event
D. Quantitative plus qualitative impact
Threat times vulnerability divided by control
Which of the following is a benefit of information security governance?
A. Questioning the trust in vendor relationships.
B. Increasing the risk of decisions based on incomplete management information.
C. Direct involvement of senior management in developing control processes
D. Reduction of the potential for civil and legal liability
Reduction of the potential for civil and legal liability
According to ISO 27001, of the steps for establishing an Information Security Governance program listed below, which comes first?
A. Identify threats, risks, impacts and vulnerabilities
B. Decide how to manage risk
C. Define the budget of the Information Security Management System
D. Define Information Security Policy
Define Information Security Policy
What role should the CISO play in properly scoping a PCI environment?
A. Validate the business units’ suggestions as to what should be included in the scoping process
B. Work with a Qualified Security Assessor (QSA) to determine the scope of the PCI environment
C. Ensure internal scope validation is completed and that an assessment has been done to discover all credit card data
D. Complete the self-assessment questionnaire and work with an Approved Scanning Vendor (ASV) to determine scope
Ensure internal scope validation is completed and that an assessment has been done to discover all credit card data
Risk appetite directly affects what part of a vulnerability management program?
A. Staff
B. Scope
C. Schedule
D. Scan tools
Scope
In which of the following cases would an organization be more prone to risk acceptance vs. risk mitigation?
A. The organization uses exclusively a quantitative process to measure risk
B. The organization uses exclusively a qualitative process to measure risk
C. The organization’s risk tolerance is high
D. The organization’s risk tolerance is low
The organization’s risk tolerance is high
You have a system with 2 identified risks. You determine the probability of one risk occurring is higher than the
A. Controlled mitigation effort
B. Risk impact comparison
C. Relative likelihood of event
D. Comparative threat analysis
Relative likelihood of event
What two methods are used to assess risk impact?
A. Cost and annual rate of expectance
B. Subjective and Objective
C. Qualitative and percent of loss realized
D. Quantitative and qualitative
Quantitative and qualitative