DOMAIN 1 English
Title of test: DOMAIN 1 English
Description: Exam Test English



Information security governance is PRIMARILY driven by:
- Technological constraints.
- Regulatory requirements.
- Litigation potential.
- Business strategy.

What is the BEST evidence of a mature information security program?
- A comprehensive risk assessment and analysis exists.
- Development of a physical security architecture exists.
- A controls statement of applicability exists.
- An effective information security strategy exists.

Investments in information security technologies should be based on:
- Vulnerability assessments.
- Value analysis.
- Business climate.
- Audit recommendations.

Which of the following is the GREATEST success factor for effectively managing information security?
- An adequate budget.
- Senior level authority.
- Robust technology.
- Effective business relationships.

Which of the following is characteristic of centralized information security management?
- More expensive to administer.
- Better adherence to policies.
- More responsive to business unit needs.
- Faster turnaround of requests.

Successful implementation of information security governance will FIRST require:
- Security awareness training.
- Updated security policies.
- A computer incident management team.
- A security architecture.

Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
- Information security manager.
- Chief operating officer.
- Internal auditor.
- Legal counsel.

Which of the following factors is the MOST significant in determining an enterprise's risk appetite?
- The nature and extent of threats.
- Organizational policies.
- The overall security strategy.
- The organizational culture.

An information security manager can BEST attain senior management commitment and support by emphasizing:
- Organizational risk.
- Performance metrics.
- Security needs.
- The responsibilities of organizational units.

Which of the following roles would represent a conflict of interest for an information security manager?
- Assessment of the adequacy of disaster recovery plans.
- Final approval of information security policies.
- Monitoring adherence to physical security controls.

When should a request for proposal be issued?
- At the project feasibility stage.
- Upon management project approval.
- Prior to developing a project budget.
- When developing the business case.

Which of the following is MOST appropriate for inclusion in an information security strategy?
- Business controls designated as key controls.
- Security processes, methods, tools and techniques.
- Firewall rule sets, network defaults and intrusion detection system settings.
- Budget estimates to acquire specific security tools.

Which of the following situations must be corrected FIRST to ensure successful information security governance within an enterprise?
- The information security department has difficulty filling vacancies.
- The chief operating officer approves security policy changes.
- The information security oversight committee only meets quarterly.
- The data center manager has final sign-off on all security projects.

Which of the following requirements would have the LOWEST level of priority in information security?
- Technical.
- Regulatory.
- Privacy.
- Business.

Where should resource requirements for information security initially be identified?
- In policies.
- In architecture.
- In strategy.
- In procedures.

Security technologies should be selected PRIMARILY on the basis of their:
- Ability to mitigate business risk.
- Evaluations in trade publications.
- Use of new and emerging technologies.
- Benefits in comparison to their costs.

What activity should the information security manager perform FIRST after finding that compliance with a set of standards is weak?
- Initiate the exception process.
- Modify policy to address the risk.
- Increase compliance enforcement.
- Perform a risk assessment.

What must change management achieve from a risk management perspective?
- It must be approved by information security to ensure that security is maintained.
- It must be overseen by the steering committee because of its importance.
- It must be endorsed by release and configuration management.
- It must ensure changes will not involve any major risk that exceeds acceptable levels.

Which of the following is characteristic of decentralized information security management across a geographically dispersed enterprise?
- More uniformity in quality of service.
- Better adherence to policies.
- Better alignment with business unit needs.
- More savings in total operating costs.

Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?
- Chief security officer.
- Chief operating officer.
- Chief privacy officer.
- Chief legal counsel.

The MOST important element to consider when developing a business case for a project is the:
- Feasibility and value proposition.
- Resource and time commitment.
- Financial analysis of benefits.
- Alignment with organizational objectives.

A newly appointed information security manager has been asked to redefine information security requirements because senior management is unhappy with the current state of information security. Which of the following choices would the information security manager consider MOST critical?
- An industry framework.
- The business strategy.
- The technology infrastructure.
- User competencies.

The PRIMARY goal of developing an information security strategy is to:
- Establish security metrics and performance monitoring.
- Educate business process owners regarding their duties.
- Ensure that legal and regulatory requirements are met.
- Support the business objectives of the enterprise.

Senior management commitment and support for information security can BEST be enhanced through:
- A formal security policy sponsored by the chief executive officer.
- Regular security awareness training for employees.
- Periodic review of alignment with business management goals.
- Senior management sign-off on the information security strategy.

Which of the following activities MOST commonly falls within the scope of an information security steering committee?
- Developing content for security awareness programs.
- Approving access to critical financial systems.

Which of the following is the MOST important factor when designing information security architecture?
- Technical platform interfaces.
- Scalability of the network.
- Development methodologies.
- Stakeholder requirements.

The action by which senior management supports the implementation strategy for risk management activities in an information security program will FIRST determine:
- The charter.
- The budget.
- Policy.
- The reporting structure.

Which of the following is the MOST appropriate task for a chief information security officer to perform?
- Update platform-level security settings.
- Conduct disaster recovery test exercises.
- Approve access to critical financial systems.
- Develop an information security strategy.

When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:
- Aligned with the IT strategic plan.
- Based on the current rate of technological change.
- Three to five years for both hardware and software.
- Aligned with business strategy.

Which of the following is the MOST important information to include in a strategic plan for information security?
- Information security staffing requirements.
- Current state and desired future state.
- IT capital investment requirements.
- Information security mission statement.

Information security projects should be prioritized on the basis of:
- Time required for implementation.
- Impact on the enterprise.
- Total cost of implementation.
- Mix of resources required.

Which of the following would BEST prepare an information security manager for regulatory reviews?
- Assign an information security administrator as regulatory liaison.
- Perform self-assessments using regulatory guidelines and report.
- Assess previous regulatory reports with process owners' input.
- Ensure all regulatory inquiries are sanctioned by the legal department.

From an information security manager's perspective, what is an immediate benefit of clearly defined roles and responsibilities?
- Enhanced policy compliance.
- Improved procedure flows.
- Segregation of duties.
- Better accountability.

Which of the following roles is responsible for legal and regulatory liability for failures of security in the enterprise?
- Chief security officer.
- Chief legal counsel.
- Board of directors and senior management.

To implement information security governance, an enterprise should FIRST:
- Adopt security standards.
- Determine security baselines.
- Define the security strategy.
- Establish security policies.

The MOST basic requirement for an information security governance program is to:
- Be aligned with the corporate business strategy.
- Be based on a sound risk management approach.
- Provide good practices for security initiatives.

Information security policy enforcement is the responsibility of the:
- Security steering committee.
- Chief information officer.
- Chief information security officer.
- Chief compliance officer.

An information security manager at a global enterprise has to ensure that the local information security program will initially be in compliance with the:
- Corporate data privacy policy.
- Data privacy policy where data are collected.
- Data privacy policy of the headquarters' country.
- Data privacy directive applicable globally.

Effective strategic alignment of an information security program requires:
- Active participation by a steering committee.
- Creation of a strategic planning business unit.
- Regular interaction with business owners.
- Acceptance of cultural and technical limitations.

It is MOST important that a privacy statement on a company's e-commerce website include:
- A statement regarding what the company will do with the information it collects.
- A disclaimer regarding the accuracy of information on its website.
- Technical information regarding how information is protected.
- A statement regarding where the information is being hosted.

Business goals define the strategic direction of the enterprise. Functional goals define the tactical direction of a business function. Security goals define the security direction of the enterprise. What is the MOST important relationship between these concepts?
- Functional goals should be derived from security goals.
- Business goals should be derived from security goals.
- Security goals should be derived from business goals.
- Security and business goals should be defined independently of each other.

A security manager is preparing a report to obtain commitment from executive management for a program. Inclusion of which of the following items would be of MOST value?
- Examples of genuine incidents in similar enterprises.
- Statement of generally accepted good practices.
- Association of realistic threats with corporate objectives.
- Analysis of current technological exposures.

The PRIMARY concern of an information security manager documenting a formal data retention policy is:
- Generally accepted industry good practices.
- Business requirements.
- Legislative and regulatory requirements.
- Storage availability.

Who in an enterprise has the responsibility for classifying information?
- Data custodian.
- Database administrator.
- Information security officer.
- Data owner.

What is the PRIMARY role of the information security manager related to the data classification and handling process within an enterprise?
- Defining and ratifying the enterprise's data classification structure.
- Assigning the classification levels to the information assets.
- Securing information assets in accordance with their data classification.
- Confirming that information assets have been properly classified.

Which of the following is MOST important in developing a security strategy?
- Creating a positive security environment.
- Understanding key business objectives.
- Allocating sufficient resources to information security.

Who is ultimately responsible for an enterprise's information?
- Data custodian.
- Chief information security officer.
- Board of directors.
- Chief information officer.

An enterprise's board of directors has learned of recent legislation requiring enterprises within the industry to enact specific safeguards to protect confidential customer information. What action should the board take next?
- Direct Information Security on what actions to take.
- Research solutions to determine proper safeguards.
- Require management to report on compliance.
- Do nothing; Information Security does not report to the board.

Which of the following is the MOST important prerequisite for establishing information security management within an enterprise?
- Senior management commitment.
- Information security framework.
- Information security organizational structure.
- Information security policy.

What will have the HIGHEST impact on standard information security governance models?
- Number of employees.
- Distance between physical locations.
- Complexity of organizational structure.
- Organizational budget.

Management requests that an information security manager determine which regulations regarding disclosure, reporting and privacy are the most important for the enterprise to address. The recommendations for addressing these legal and regulatory requirements will be MOST useful if based on which of the following choices?
- The extent of enforcement actions.
- The probability and consequences.
- The sanctions for noncompliance.
- The amount of personal liability.

How should an information security manager balance potentially conflicting requirements between an international enterprise's security standards and local regulation?
- Give organizational standards preference over local regulations.
- Follow local regulations only.
- Make the enterprise aware of those standards where local regulations cause conflicts.
- Negotiate a local version of enterprise standards.

The FIRST step in developing an information security management program is to:
- Identify business risk that affects the enterprise.
- Establish the need for creating the program.
- Assign responsibility for the program.
- Assess adequacy of existing controls.

Which of the following should an information security manager PRIMARILY use when proposing implementation of a security solution?
- Risk assessment report.
- Technical evaluation report.
- Business case.
- Budgetary requirements.

To justify its ongoing information security budget, which of the following would be MOST useful to the information security department?
- Security breach frequency.
- Annual loss expectancy.
- Cost-benefit analysis.
- Peer group comparison.

Which of the following situations would MOST inhibit the effective implementation of security governance?
- The complexity of technology.
- Budgetary constraints.
- Conflicting business priorities.
- Lack of high-level sponsorship.

To achieve effective strategic alignment of information security initiatives, it is important that:
- Steering committee leadership rotates among members.
- Major organizational units provide input and reach a consensus.
- The business strategy is updated periodically.
- Procedures and standards are approved by all departmental heads.

In implementing information security governance, the information security manager is PRIMARILY responsible for:
- Developing the security strategy.
- Reviewing the security strategy.
- Communicating the security strategy.
- Approving the security strategy.

The MOST useful way to describe objectives in an information security strategy is through:
- Attributes and characteristics of the desired state.
- Overall control objectives of a program.
- Mapping IT systems to key business processes.
- Calculation of annual loss expectancies.

Which of the following choices is the MOST likely cause of significant inconsistencies in system configurations?
- A lack of procedures.
- Inadequate governance.
- Poor standards.
- Insufficient training.

Compliance with legal and regulatory requirements is:
- A security decision.
- A business decision.
- An absolute requirement.
- Conditional and based on cost.

An information security manager must understand the relationship between information security and business operations in order to:
- Support organizational objectives.
- Determine likely areas of noncompliance.
- Assess the possible impacts of compromise.
- Understand the threats to the business.

The MOST effective approach to address issues that arise between IT management, business units, and security management when implementing a new security strategy is for the information security manager to:
- Escalate issues to an external third party for resolution.
- Ensure that senior management provides authority for security to address issues.
- Insist that managers or units not in agreement with the security solution accept the risk.
- Refer these issues to senior management along with recommendations.

Obtaining senior management support for establishing a warm site can BEST be accomplished by:
- Establishing a periodic risk assessment.
- Promoting regulatory requirements.
- Developing a business case.
- Developing effective metrics.

Which of the following elements is MOST important when developing an information security strategy?
- Defined objectives.
- Time frames for delivery.
- Adoption of a control framework.
- Complete policies.

Laws and regulations should be addressed by the information security manager:
- To the extent that they impact the enterprise.
- By implementing international standards.
- By developing policies that address requirements.
- To ensure that guidelines meet requirements.

Who can BEST advocate the development of and ensure the success of an information security program?
- Internal auditor.
- Chief operating officer.
- Steering committee.
- IT management.

Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met?
- SWOT analysis.
- Waterfall chart.
- Gap analysis.
- Balanced scorecard.

Which of the following choices is the MOST important consideration when developing the security strategy of a company operating in different countries?
- Diverse attitudes toward security by employees and management.
- Time differences and ability to reach security officers.
- Coherent implementation of security policies and procedures in all countries.
- Compliance with diverse laws and governmental regulations.

Which of the following BEST contributes to the development of an information security governance framework that supports the maturity model concept?
- Continuous analysis, monitoring and feedback.
- Continuous monitoring of the return on security investment.
- Continuous risk reduction.
- Key risk indicator setup to monitor security management processes.

The MOST complete business case for security solutions is one that:
- Includes appropriate justification.
- Explains the current risk profile.
- Details regulatory requirements.
- Identifies incidents and losses.

Which of the following is MOST important to the success of an information security program?
- Security awareness training.
- Achievable goals and objectives.
- Senior management sponsorship.
- Adequate startup budget and staffing.

Which of the following actions would help to change an enterprise's security culture?
- Develop procedures to enforce the information security policy.
- Obtain strong management support.
- Implement strict technical security controls.
- Periodically audit compliance with the information security policy.

An enterprise has recently been subject to a series of denial-of-service attacks due to a weakness in security. The information security manager needs to present a business case for increasing investment in security. The MOST significant challenge in obtaining approval from senior management for the proposal is:
- Explaining technology issues of security.
- Demonstrating value and benefits.
- Simulating various risk scenarios.
- Obtaining benchmarking data for comparison.

Which of the following is the BEST source for determining the value of information assets?
- Individual business managers.
- Business systems analysts.
- Information security management.
- Industry benchmarking results.

In which of the following areas are data owners PRIMARILY responsible for establishing risk mitigation?
- Platform security.
- Entitlement changes.
- Intrusion detection.
- Antivirus controls.

An enterprise's information security strategy should be based on:
- Managing risk relative to business objectives.
- Managing risk to a zero level and minimizing insurance premiums.
- Avoiding occurrence of risk so that insurance is not required.
- Transferring most risk to insurers and saving on control costs.

Which of the following should be included in an annual information security budget that is submitted for management approval?
- A cost-benefit analysis of budgeted resources.
- All the resources that are recommended by the business.
- Total cost of ownership.
- Baseline comparisons.

The PRIMARY goal of a corporate risk management program is to ensure that an enterprise's:
- IT assets in key business functions are protected.
- Business risk is addressed by preventive controls.
- Stated objectives are achieved.
- IT facilities and systems are always available.

The data access requirements for an application should be determined by the:
- Legal department.
- Compliance officer.
- Information security manager.
- Business owner.

The PRIMARY purpose of an information security program is to:
- Provide protection to information assets consistent with business strategy and objectives.
- Express the results of an operational risk assessment in terms of business impact.
- Protect the confidentiality of business information and technology resources.
- Develop information security policy and procedures in line with business objectives.

Effective governance of enterprise security is BEST ensured by:
- Using a bottom-up approach.
- Management by the IT department.
- Referring the matter to the enterprise's legal department.
- Using a top-down approach.

The FIRST step to create an internal culture that embraces information security is to:
- Implement stronger controls.
- Conduct periodic awareness training.
- Actively monitor operations.
- Gain endorsement from executive management.

Which of the following recommendations is the BEST one to promote a positive information security governance culture within an enterprise?
- Strong oversight by the audit committee.
- Organizational governance transparency.
- Collaboration across business lines.
- Positive governance ratings by stock analysts.

After completing a full IT risk assessment, who is in the BEST position to decide which mitigating controls should be implemented?
- Senior management.
- The business manager.
- The IT audit manager.
- The information security officer.

Of the following, which is the MOST effective way to measure enterprise alignment of an information security program?
- Track audits over time.
- Evaluate incident losses.
- Analyze business cases.
- Interview business owners.

Which of the following is the MOST appropriate as a means of obtaining commitment from senior management for implementation of the information security strategy?
- Educational material discussing the importance of good information security practices.
- Regular group meetings to review the challenges and requirements of daily operations.
- A cost-benefit analysis detailing how the requested implementation budget will be used.
- A formal presentation highlighting the relationship between security and business goals.

Which of the following BEST describes the key objective of an information security program?
- Achieve strategic business goals and objectives.
- Establish accountability for information risk.
- Establish ownership of risk.
- Eliminate threats to the enterprise.

Which of the following choices would BEST align information security objectives with business objectives?
- A capability maturity model.
- A process assessment model.
- A risk assessment and analysis.
- A business balanced scorecard.

What is the MAIN risk when there is no user management representation on the information security steering committee?
- Functional requirements are not adequately considered.
- User training programs may be inadequate.
- Budgets allocated to business units are not appropriate.
- Information security plans are not aligned with business requirements.

Which of the following should be responsible for final approval of security patch implementation?
- The application development manager.
- The IT asset owner.
- The information security officer.
- The business continuity coordinator.

An enterprise that appoints a chief information security officer (CISO):
- Improves collaboration among the ranks of senior management.
- Acknowledges a commitment to legal responsibility for information security.
- Infringes on the governance role of the board of directors.
- Enhances the financial accountability of technology projects.

Which of the following is the BEST approach to dealing with inadequate funding for a security program?
- Eliminate low-priority activities.
- Require management to accept increased risk.
- Prioritize risk mitigation and educate management.
- Increase monitoring and compliance enforcement activities.

When developing an information security program, what is the MOST useful source of information for determining available human resources?
- Proficiency test.
- Job descriptions.
- Organization chart.
- Skills inventory.

Which of the following choices would influence the content of the information security strategy to the GREATEST extent?
- Emerging technology.
- System compromises.
- Network architecture.
- Organizational goals.

The enterprise has decided to outsource the majority of the IT department to a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?
- Laws and regulations of the country of origin may not be enforceable in the foreign country.
- A security breach notification might get delayed due to the time difference.
- Additional network intrusion detection sensors should be installed, resulting in an additional cost.
- The company could lose physical control over the servers and be unable to monitor their physical security posture.

After obtaining commitment from senior management, which should be completed NEXT when establishing an information security program?
- Define security metrics.
- Conduct a risk assessment.
- Perform a gap analysis.
- Procure security tools.

Which of the following would be the FIRST step when developing a business case for an information security investment?
- Defining the objectives.
- Calculating the cost.
- Defining the need.
- Analyzing the cost-effectiveness.

What is the BEST technique to determine which security controls to implement with a limited budget?
- Risk analysis.
- Annual loss expectancy calculations.
- Cost-benefit analysis.
- Impact analysis.

An enterprise has to comply with recently published industry regulatory requirements that potentially have high implementation costs. What should the information security manager do FIRST?
- Consult the security committee.
- Perform a gap analysis.
- Implement compensating controls.
- Demand immediate compliance.

Which of the following BEST indicates senior management commitment toward supporting information security?
- Assessment of risk to the assets.
- Approval of risk management methodology.
- Review of inherent risk to information assets.
- Review of residual risk for information assets.

Which of the following roles is responsible for ensuring that information is classified?
- Senior management.
- The security manager.
- The data owner.
- The data custodian.

Maturity levels are an approach to determine the extent to which sound practices have been implemented in an enterprise, based on outcomes. Another approach that has been developed to achieve essentially the same result is:
- Controls applicability statements.
- Process performance and capabilities.
- Probabilistic risk assessment.
- Factor analysis of information risk.

The PRIMARY objective for information security program development should be:
- Creating an information security strategy.
- Establishing incident response procedures.
- Implementing cost-effective security solutions.
- Reducing the impact of risk on the business.

During a stakeholder meeting, a question was asked regarding who is ultimately accountable for the protection of sensitive data. Assuming all the following roles exist in the enterprise, which would be the MOST appropriate answer?
- Security administrators.
- The IT steering committee.
- The board of directors.
- The information security manager.

Which of the following choices is the BEST indicator of the state of information security governance?
- A defined maturity level.
- A developed security strategy.
- Complete policies and standards.
- Low numbers of incidents.

From an information security perspective, which of the following will have the GREATEST impact on a financial enterprise with offices in various countries and involved in transborder transactions?
- Current and future technologies.
- Evolving data protection regulations.
- Economizing the costs of network bandwidth.
- Centralization of information security.

Strategic alignment is PRIMARILY achieved when services provided by the information security department:
- Reflect the requirements of key business stakeholders.
- Reflect the desires of the IT executive team.
- Reflect the requirements of industry good practices.
- Are reliable and cost-effective.

Who should be assigned as data owner for sensitive customer data that are used only by the sales department and stored in a central database?
- The sales department.
- The database administrator.
- The chief information officer.
- The head of the sales department.

Who can BEST approve plans to implement an information security governance framework?
- Internal auditor.
- Information security management.
- Steering committee.
- Infrastructure management.

Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?
- Manager.
- Custodian.
- User.
- Owner.

In an enterprise, information systems security is the responsibility of:
- All personnel.
- Information systems personnel.
- Information systems security personnel.
- Functional personnel.

IT-related risk management activities are MOST effective when they are:
- Treated as a distinct process.
- Conducted by the IT department.
- Integrated within business processes.
- Communicated to all employees.

Who should generally determine classification for an information asset?
- The asset custodian.
- The security manager.
- Senior management.
- The asset owner.

Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:
- It implies compliance risk.
- Short-term impact cannot be determined.
- It violates industry security practices.
- Changes in the roles matrix cannot be detected.

Which of the following is the MOST important consideration when developing an information security strategy?
- Resources available to implement the program.
- Compliance with legal and regulatory constraints.
- Effectiveness of risk mitigation.
- Resources required to implement the strategy.

Which of the following is the MOST effective way to measure strategic alignment of an information security program?
- Survey business stakeholders.
- Track audits over time.
- Evaluate incident losses.
- Analyze business cases.

Business objectives should be evident in the security strategy by:
- Inferred connections.
- Standardized controls.
- Managed constraints.
- Direct traceability.

It is MOST important that information security architecture be aligned with which of the following?
- Industry good practices.
- Business goals and objectives.
- Information technology plans.
- International information security frameworks.

Which of the following is MOST likely to remain constant over time? An information security:
- Policy.
- Standard.
- Strategy.
- Procedure.

An enterprise's board of directors is concerned about recent fraud attempts that originated over the Internet. What action should the board take to address this concern?
- Direct information security operations regarding specific solutions that are needed to address the risk.
- Research solutions to determine appropriate actions for the enterprise.
- Take no action; information security does not report to the board.
- Direct executive management to assess the risk and to report the results to the board.

New regulatory and legal compliance requirements that will have an effect on information security will MOST likely come from the:
- Corporate legal officer.
- Internal audit department.
- Affected departments.
- Compliance officer.

Who should PRIMARILY provide direction on the impact of new regulatory requirements that may lead to major application system changes?
- The internal audit department.
- System developers/analysts.
- Key business process owners.
- Corporate legal counsel.

The BEST approach to developing an information security program is to use a:
- Process.
- Framework.
- Reference model.
- Guideline.

The FIRST step in developing a business case is to:
- Determine the probability of success.
- Calculate the return on investment.
- Analyze the cost-effectiveness.
- Define the issues to be addressed.

The IT function has declared that it is not necessary to update the business impact analysis when putting a new application into production because it does not produce modifications in business processes. The information security manager should:
- Verify this decision with business units.
- Check the system's risk analysis.
- Recommend an update after the post-implementation review.
- Request an audit review.

Which of the following represents the MAJOR focus of privacy regulations?
- Unrestricted data mining.
- Identity theft.
- Human rights protection.
- Identifiable personal data.

The MOST important requirement for gaining management commitment to the information security program is to:
- Benchmark a number of successful enterprises.
- Demonstrate potential losses and other impacts that can result from a lack of support.
- Inform management of the legal requirements of due care.
- Demonstrate support for desired outcomes.

Which of the following is the MOST important objective of an information security strategy review?
- Ensuring that risk is identified, analyzed and mitigated to acceptable levels.
- Ensuring the information security strategy is aligned with organizational goals.
- Ensuring the best return on information security investments.
- Ensuring the efficient utilization of information security resources.

Information security governance must be integrated into all business functions and activities PRIMARILY to:
- Maximize security efficiency.
- Standardize operational activities.
- Achieve strategic alignment.
- Address operational risk.

Serious security incidents typically lead to renewed focus on information security by management. To BEST use this attention, the information security manager should make the case for:
- Improving integration of business and information security processes.
- Increasing information security budgets and staffing levels.
- Developing tighter controls and stronger compliance efforts.
- Acquiring better supplemental technical security controls.

Which person or group should have final approval of an enterprise's IT security policies?
- Business unit managers.
- Chief information security officer.
- Senior management.
- Chief information officer.

Which one of the following groups has final responsibility for the effectiveness of security controls?
- The security administrator who implemented the controls.
- The enterprise's chief information security officer.
- The enterprise's senior management.
- The information systems auditor who recommended the controls.

For an enterprise's information security program to be highly effective, who should have final responsibility for authorizing information system access?
- Information owner.
- Security manager.
- Chief information officer.
- System administrator.

An enterprise has consolidated global operations. The chief information officer has asked the chief information security officer to develop a new enterprise information security strategy. Which of the following actions should be taken FIRST?
- Identify assets.
- Conduct a risk assessment.
- Define scope.
- Perform a business impact analysis.

The aspect of governance that is MOST relevant to setting security baselines is:
- Policies.
- Acceptable risk.
- Impacts.
- Standards.

When assessing the maturity of the risk management process, which of the following findings raises the GREATEST concern?
- Organizational processes are not adequately documented.
- Multiple frameworks are used to define the desired state.
- Required security objectives are not well-defined.
- The desired state is not based on business objectives.

Retention of business records should PRIMARILY be based on:
- Business strategy and direction.
- Regulatory and legal requirements.
- Storage capacity and longevity.
- Business case and value analysis.

The concept of governance, risk and compliance serves PRIMARILY to:
- Align enterprise assurance functions.
- Ensure that all three activities are addressed by policy.
- Present the correct sequence of security activities.
Define the responsibilities of information security. Which of the following factors is MOST important for the successful implementation of an enterprise's information security program?. Senior management support. Budget for security activities. Regular vulnerability assessments. Knowledgeable security administrators. An information strategy presented to senior management for approval MUST incorporate: Specific technologies. Compliance mechanisms. Business priorities. Detailed procedures. The MOST important component of a privacy policy is: Notifications. Warranties. Liabilities. Standards. Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale cash register?. Authentication. Hardening. Encryption. Non-repudiation. Compliance with security policies and standards is the responsibility of: The information security manager. Executive management. The compliance officer. All organizational units. What is the PRIMARY driver for obtaining external resources to execute the information security program?. External resources can contribute cost-effective expertise not available internally. External resources can be made responsible for meeting the security program requirements. External resources can replace the dependence on internal resources. External resources can deliver more effectively on account of their knowledge. Which of the following is the MOST important component of information security governance?. Appropriate monitoring and metrics. An established strategy for moving forward. An information security steering committee. Senior management involvement. Which of the following is the MOST important outcome of an information strategy?. Consistent policies and standards. Ensuring that residual risk is at an acceptable level. An improvement in the threat landscape. Controls consistent with international standards. 
Obtaining senior management support for an information security initiative can BEST be accomplished by: Developing and presenting a business case. Defining the risk that will be addressed. Presenting a financial analysis of benefits. Aligning the initiative with organizational objectives. The PRIMARY focus of information security governance is to: Adequately protect the information and knowledge base of the enterprise. Provide assurance to senior management that the security posture is adequate. Safeguard the IT systems that store and process business information. Optimize the information security strategy to achieve business objectives. The MOST important basis for developing a business case is: Risk that will be addressed. Financial analysis of benefits. Alignment with organizational objectives. Feasibility and value proposition. Which of the following is the MOST important consideration when developing an information security strategy?. Supporting business objectives. Maximizing the effectiveness of available resources. Ensuring that legal and regulatory constraints are addressed. Determining the effect on the organizational roles and responsibilities. The MOST important outcome of aligning information security governance with corporate governance is to: Show that information security understands the rules. Provide regulatory compliance. Maximize the cost-effectiveness of controls. Maximize the cost-effectiveness of controls. Which of the following is the MOST important consideration in a control policy?. Data protection. Life safety. Security strategy. Regulatory factors. An enterprise has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage cross-training. Which type of authorization policy would BEST address this practice?. Multilevel. Role-based. Discretionary. Mandatory. An enterprise's information security manager is planning the structure of the information security steering committee. 
Which of the following groups should the manager invite?. External audit and network penetration testers. Board of directors and the enterprise's regulators. External trade union representatives and key security vendors. Leadership from IT, human resources, and sales department. Which of the following is the MOST cost-effective approach to achieve strategic alignment?. Periodically survey management. Implement a governance framework. Ensure that controls meet objectives. Develop an enterprise architecture. Which of the following is PRIMARILY related to the emergence of governance, risk and compliance?. The increasing need for controls. The policy development process. The integration of assurance-related activities. A model for information security program development. Which of the following is MOST likely to be responsible for establishing the information security requirements over an application?. IT steering committee. Data owner. System owner. IT auditor. Which of the following is MOST useful in managing increasingly complex security deployments?. A standards-based approach. A security architecture. Policy development. Senior management support. Who is in the BEST position to determine the level of information security needed for a specific business application?. The system developer. The information security manager. The system custodian. The data owner. Which of the following is the MOST likely to change an enterprise's culture to one that is more security conscious?. Adequate security policies and procedures. Periodic compliance reviews. Security steering committees. Security awareness campaigns. Which of the following is the MOST important step in developing a cost-effective information security strategy that is aligned with business requirements?. Identification of information assets and resource ownership. Valuation of information assets. Determination of clearly defined objectives. Classification of assets as to criticality and sensitivity. 
Determining the nature and extent of activities required to develop an information security program requires assessing existing program components. The BEST way to accomplish this is to perform: A security review. An impact assessment. A vulnerability assessment. A threat analysis. Systems thinking as it relates to information security is: A prescriptive methodology for designing the systems architecture. An understanding that the whole is greater than the sum of its parts. A process that ensures alignment with business objectives. A framework for information security governance. Which of the following choices BEST justifies an information security program?. The impact on critical IT assets. A detailed business case. Steering committee approval. User acceptance. The FIRST action for an information security manager to take when presented with news that new regulations are being applied to how enterprises handle sensitive data is to determine: Processes and activities that may be affected. How senior management would prefer to respond. Whether the enterprise qualifies for an exemption. The approximate cost of compliance. Which of the following requirements is the MOST important when developing information security governance?. Complying with applicable corporate standards. Achieving cost-effectiveness of risk mitigation. Obtaining consensus of business units. Aligning with organizational goals. What is the MOST important consideration when developing a business case for an information security investment?. The impact on the risk profile of the enterprise. The acceptability to the board of directors. The implementation benefits. The affordability to the enterprise. An enterprise has decided to implement governance, risk and compliance processes into several critical areas of the enterprise. Which of the following objectives is the MAIN one?. To reduce governance costs. To improve risk management. To harmonize security activities. To harmonize security activities. 
The acceptable limits defined by organizational standards are PRIMARILY determined by: Likelihood and impact. Risk appetite. Relevant policies. The defined strategy. Which of the following will BEST ensure that management takes ownership of the decision-making process for information security?. Security policies and procedures. Annual self-assessment by management. Security steering committees. Security awareness campaigns. |




