TEST 6

Title of test:
TEST 6

Description:
CISM Final

Creation Date: 2025/11/07

Category: Others

Number of questions: 50

Content:

Which of the following is the GREATEST benefit of effective information security governance?
- Treatment priorities are based on risk exposure.
- Information security standards are communicated to primary stakeholders.
- The information security budget is aligned to the organization.
- Executive management's strategy is aligned to the information security strategy.

The ability to integrate information security governance into corporate governance is PRIMARILY driven by:
- the percentage of corporate budget allocated to the information security program.
- how often information security metrics are presented to senior management.
- how often the information security steering committee reviews and updates security policies.
- how well the information security program supports business objectives.

Which of the following presents the GREATEST challenge for protecting Internet of Things (IoT) devices?
- IoT vendor reputation.
- IoT architecture diversity.
- IoT-specific training.
- IoT device policies.

Which of the following parameters is MOST helpful when designing a disaster recovery strategy?
- Maximum tolerable downtime (MTD).
- Mean time between failures (MTBF).
- Allowable interruption window (AIW).
- Recovery point objective (RPO).

An IT service desk was not adequately prepared for a recent ransomware attack on user workstations. Which of the following should be given HIGHEST priority by the information security team when creating an action plan to improve service desk readiness?
- Investing in threat intelligence capability.
- Implementing key risk indicators (KRIs) for ransomware attacks.
- Updating the information security incident response manual.
- Strengthening the organization's data backup capability.

After a risk has been identified, analyzed, and evaluated, which of the following should be done NEXT?
- Monitor the risk.
- Prioritize the risk for treatment.
- Identify the risk owner.
- Identify controls for risk mitigation.

Which of the following will BEST facilitate timely and effective incident response?
- Including penetration test results in incident response planning.
- Assessing the risk of compromised assets.
- Notifying stakeholders when invoking the incident response plan.
- Classifying the severity of an incident.

Which of the following MOST effectively communicates the current risk profile to senior management after controls are applied?
- Residual risk.
- Impact of loss events.
- Inherent risk.
- Number of risks avoided.

Which of the following processes should be done NEXT after completing a business impact analysis (BIA)?
- Evaluate the disaster recovery plan (DRP).
- Develop the requirements for the incident response plan.
- Develop a business continuity plan (BCP).
- Identify resources for business recovery.

Which of the following is MOST important to include in an information security policy?
- Maturity levels.
- Baselines.
- Best practices.
- Management objectives.

Which of the following should an information security manager do FIRST when creating an organization's disaster recovery plan (DRP)?
- Develop response and recovery strategies.
- Identify the response and recovery teams.
- Review the communications plan.
- Conduct a business impact analysis (BIA).

Which of the following would be the MOST effective use of findings from a post-incident review?
- Providing input for updates to the incident response plan.
- Developing cost reports regarding the incident.
- Providing justification for an increase in the incident response plan budget.
- Incorporating the results into information security awareness training materials.

During a post-incident review, it was determined that a known vulnerability was exploited in order to gain access to a system. The vulnerability was patched as part of the remediation on the offending system. Which of the following should be done NEXT?
- Scan to determine whether the vulnerability is present on other systems.
- Review the vulnerability management process.
- Install patches on all existing systems.
- Report the root cause of the vulnerability to senior management.

Which of the following is MOST helpful in determining the realization of benefits from an information security program?
- Vulnerability assessments.
- Key risk indicators (KRIs).
- Business impact analysis (BIA).
- Key performance indicators (KPIs).

During an internal compliance review, the review team discovers that a critical legacy application is unable to meet the organization's mandatory security requirements. Which of the following should be done FIRST?
- Update the risk register.
- Recommend taking the application out of service.
- Implement compensating controls.
- Monitor the application until it can be replaced.

Which of the following is the BEST way to improve an organization's ability to detect and respond to incidents?
- Conduct a business impact analysis (BIA).
- Conduct periodic awareness training.
- Perform a security gap analysis.
- Perform network penetration testing.

Of the following, who would provide the MOST relevant input when aligning the information security strategy with organizational goals?
- Data privacy officer (DPO).
- Chief information security officer (CISO).
- Information security steering committee.
- Enterprise risk committee.

Which of the following is the PRIMARY role of the information security manager in application development?
- To ensure control procedures address business risk.
- To ensure enterprise security controls are implemented.
- To ensure compliance with industry best practice.
- To ensure security is integrated into the system development life cycle (SDLC).

Which of the following actions by senior management would BEST enable a successful implementation of an information security governance framework?
- Demonstrating support for the business and information security governance functions.
- Delegating the implementation of the framework to information security management.
- Promoting the use of an internationally recognized governance framework.
- Engaging a consulting firm specializing in information security governance and standards.

Which of the following is the BEST way to reduce the risk of security incidents from targeted email attacks?
- Conduct awareness training across the organization.
- Require acknowledgment of the acceptable use policy.
- Disable all incoming cloud mail services.
- Implement a data loss prevention (DLP) system.

Which of the following is the PRIMARY benefit of an information security awareness training program?
- Evaluating organizational security culture.
- Enforcing security policy.
- Influencing human behavior.
- Defining risk accountability.

Which of the following MOST effectively supports an organization's security culture?
- Business unit security metrics.
- An information governance framework.
- Stakeholder involvement.
- A security mission statement.

A new type of ransomware has infected an organization's network. Which of the following would have BEST enabled the organization to detect this situation?
- Periodic information security training for end users.
- Use of integrated patch deployment tools.
- Regular review of the threat landscape.
- Monitoring of anomalies in system behavior.

Which of the following should an information security manager do FIRST upon notification of a potential security risk associated with a third-party service provider?
- Determine risk treatment options.
- Conduct a vulnerability analysis.
- Escalate to the third-party provider.
- Conduct a risk analysis.

A security incident has been reported within an organization. When should an information security manager contact the information owner?
- After the potential incident has been logged.
- After the incident has been contained.
- After the incident has been confirmed.
- After the incident has been mitigated.

An incident management team leader sends out a notification that the organization has successfully recovered from a cyberattack. Which of the following should be done NEXT?
- Secure and preserve digital evidence for analysis.
- Gather feedback on business impact.
- Conduct a meeting to capture lessons learned.
- Prepare an executive summary for senior management.

Which of the following defines the MOST comprehensive set of security requirements for a newly developed information system?
- Baseline controls.
- Audit findings.
- Risk assessment results.
- Key risk indicators (KRIs).

Which of the following information security practices would BEST prevent a SQL injection attack?
- Adopting agile development.
- Enhancing the patching program.
- Training developers on secure coding practices to reduce vulnerabilities.
- Performing vulnerability testing before each version release.

Which of the following is a viable containment strategy for a distributed denial of service (DDoS) attack?
- Block IP addresses used by the attacker.
- Disable firewall ports exploited by the attacker.
- Power off affected servers.
- Redirect the attacker's traffic.

A data discovery project uncovers an unclassified process document. Of the following, who is BEST suited to determine the classification?
- Creator of the document.
- Data custodian.
- Information security manager.
- Security policy author.

Which of the following is MOST important to include in a post-incident report?
- Forensic analysis results.
- List of potentially compromised assets.
- Root cause analysis.
- Service level agreements (SLAs).

When creating an incident response plan, the triggers for the business continuity plan (BCP) MUST be based on:
- a threat assessment.
- recovery time objectives (RTOs).
- a business impact analysis (BIA).
- a risk assessment.

An organization's information security strategy should be the PRIMARY input to which of the following?
- Security governance framework design.
- Enterprise risk scenario development.
- Security program metrics.
- Organizational risk appetite.

Which of the following BEST enables an organization to enhance its incident response plan processes and procedures?
- Information security audits.
- Security risk assessments.
- Lessons learned analysis.
- Key performance indicators (KPIs).

Which of the following is BEST used to determine the maturity of an information security program?
- Organizational risk appetite.
- Risk assessment results.
- Security metrics.
- Security budget allocation.

Which of the following should be done FIRST when developing an information security strategy that is aligned with organizational goals?
- Establish a security risk framework with key risk indicators (KRIs).
- Determine information security's impact on the achievement of organizational goals.
- Assess information security risk associated with the organizational goals.
- Select information security projects related to the organizational goals.

A business impact analysis (BIA) BEST enables an organization to establish:
- annualized loss expectancy (ALE).
- recovery methods.
- restoration priorities.
- total cost of ownership (TCO).

Which of the following is the PRIMARY objective of developing an information security program that aligns with the information security strategy?
- To define the resources required to achieve information security goals.
- To define a bottom-up approach for implementing information security policies.
- To define standards to be implemented.
- To define risk mitigation plans for security technologies.

Which of the following is MOST important to include in an information security framework?
- Guidance for designing information security controls.
- Information security organizational structure.
- Industry benchmarks of information security metrics.
- Information security risk assessment.

An organization learns that a service provider experienced a breach last month and did not notify the organization. Which of the following should be the information security manager's FIRST course of action?
- Terminate the provider contract.
- Conduct a business impact analysis (BIA).
- Inform senior management.
- Review the provider contract.

Which of the following approaches to communication with senior management BEST enables an information security manager to maximize the effectiveness of the information security program?
- Reporting on industry security threats with potential impact to business objectives.
- Conducting periodic one-on-one meetings to align security with business objectives.
- Participating in operational review meetings to discuss daily operations and dependencies.
- Providing regular status of updates to security policies and standards.

Which of the following control types should be considered FIRST for aligning employee behavior with an organization's information security objectives?
- Administrative security controls.
- Access security controls.
- Technical security controls.
- Physical security controls.

An organization's information security team presented the risk register at a recent information security steering committee meeting. Which of the following should be of MOST concern to the committee?
- No owners were identified for some risks.
- Business applications had the highest number of risks.
- Risk mitigation action plans had no timelines.
- Risk mitigation action plan milestones were delayed.

Which of the following BEST enables an organization to determine what activities and changes have occurred on a system during a cybersecurity incident?
- Penetration testing.
- Root cause analysis.
- Continuous log monitoring.
- Computer forensics.

Which of the following should the information security manager do FIRST upon learning that a business department wants to use blockchain technology for a new payment process?
- Include the new requirements in the system development life cycle (SDLC) pipeline.
- Update the business case to include security budget and resource needs for the new process.
- Perform a risk assessment to identify emerging risks.
- Benchmark blockchain solutions to determine which one is most secure.

Which of the following BEST facilitates the development of information security procedures that effectively support the information security policy?
- Aligning procedures with industry best practices.
- Classifying the information assets to be protected.
- Considering the impact of systemic risk events.
- Conducting an external benchmarking exercise.

Which of the following would provide the BEST input to a business case for a technical solution to address potential system vulnerabilities?
- Business impact analysis (BIA).
- Risk assessment.
- Penetration test results.

Which of the following is MOST helpful for determining priorities when creating a long-term information security roadmap?
- The organization's information security framework.
- Information security steering committee input.
- Enterprise architecture (EA).
- Industry best practices.

A KEY consideration in the use of quantitative risk analysis is that it:
- applies commonly used labels to information assets.
- assigns numeric values to exposures of information assets.
- is based on criticality analysis of information assets.
- aligns with best practice for risk analysis of information assets.

A situation where an organization has unpatched IT systems in violation of the patching policy should be treated as:
- an increased threat profile.
- a vulnerability management failure.
- an increased risk profile.
- a security control failure.
