DOMAIN 1
Title of test: DOMAIN 1. Description: Exam Test.

1. Which of the following is the most effective way to ensure that noncompliance to information security standards is resolved?
   A. Periodic audits of noncompliant areas.
   B. An ongoing vulnerability scanning program.
   C. Annual security awareness training.
   D. Regular reports to the audit committee.

2. Senior management commitment and support for information security can BEST be obtained through presentations that:
   A. Use illustrative examples of successful attacks.
   B. Explain the technical risk to the enterprise.
   C. Evaluate the enterprise against good security practices.
   D. Tie security risk to key business objectives.

3. The MOST appropriate role for senior management in supporting information security is the:
   A. Evaluation of vendors offering security products.
   B. Assessment of risk to the enterprise.
   C. Approval of policy statements and funding.
   D. Developing standards sufficient to achieve acceptable risk.

4. Which of the following would be the BEST indicator of effective information security governance within an enterprise?
   A. The steering committee approves security projects.
   B. Security policy training is provided to all managers.
   C. Security training is available to all employees on the intranet.
   D. IT personnel are trained in testing and applying required patches.

5. Information security governance is PRIMARILY driven by:
   A. technology constraints.
   B. regulatory requirements.
   C. litigation potential.
   D. business strategy.

6. What is the BEST evidence of a mature information security program?
   A. A comprehensive risk assessment and analysis exists.
   B. Development of a physical security architecture exists.
   C. A controls statement of applicability exists.
   D. An effective information security strategy exists.

7. Investments in information security technologies should be based on:
   A. Vulnerability assessments.
   B. Value analysis.
   C. Business climate.
   D. Audit recommendations.

8. Which of the following is the GREATEST success factor for effectively managing information security?
   A. An adequate budget.
   B. Senior level authority.
   C. Robust technology.
   D. Effective business relationships.

9. Which of the following is characteristic of centralized information security management?
   A. More expensive to administer.
   B. Better adherence to policies.
   C. More responsive to business unit needs.
   D. Faster turnaround of requests.

10. Successful implementation of information security governance will FIRST require:
   A. Security awareness training.
   B. Updated security policies.
   C. A computer incident management team.
   D. A security architecture.

11. Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
   A. Information security manager.
   B. Chief operating officer.
   C. Internal auditor.
   D. Legal counsel.

12. Which of the following factors is the MOST significant in determining an enterprise's risk appetite?
   A. The nature and extent of threats.
   B. Organizational policies.
   C. The overall security strategy.
   D. The organizational culture.

13. An information security manager can BEST attain senior management commitment and support by emphasizing:
   A. Organizational risk.
   B. Performance metrics.
   C. Security needs.
   D. The responsibilities of organizational units.

14. Which of the following roles would represent a conflict of interest for an information security manager?
   A. Assessment of the adequacy of disaster recovery plans.
   B. Final approval of information security policies.
   C. Monitoring adherence to physical security controls.

15. When should a request for proposal be issued?
   A. At the project feasibility stage.
   B. Upon management project approval.
   C. Prior to developing a project budget.
   D. When developing the business case.

16. Which of the following is MOST appropriate for inclusion in an information security strategy?
   A. Business controls designated as key controls.
   B. Security processes, methods, tools and techniques.
   C. Firewall rule sets, network defaults and intrusion detection system settings.
   D. Budget estimates to acquire specific security tools.

17. Which of the following situations must be corrected FIRST to ensure successful information security governance within an enterprise?
   A. The information security department has difficulty filling vacancies.
   B. The chief operating officer approves security policy changes.
   C. The information security oversight committee only meets quarterly.
   D. The data center manager has final sign-off on all security projects.

18. Which of the following requirements would have the LOWEST level of priority in information security?
   A. Technical.
   B. Regulatory.
   C. Privacy.
   D. Business.

19. Where should resource requirements for information security initially be identified?
   A. In policies.
   B. In architecture.
   C. In strategy.
   D. In procedures.

20. Security technologies should be selected PRIMARILY on the basis of their:
   A. Ability to mitigate business risk.
   B. Evaluations in trade publications.
   C. Use of new and emerging technologies.
   D. Benefits in comparison to their costs.

21. What activity should the information security manager perform FIRST after finding that compliance with a set of standards is weak?
   A. Initiate the exception process.
   B. Modify policy to address the risk.
   C. Increase compliance enforcement.
   D. Perform a risk assessment.

22. What must change management achieve from a risk management perspective?
   A. It must be approved by information security to ensure that security is maintained.
   B. It must be overseen by the steering committee because of its importance.
   C. It must be endorsed by release and configuration management.
   D. It must ensure changes will not involve any major risk that exceeds acceptable levels.

23. Which of the following is characteristic of decentralized information security management across a geographically dispersed enterprise?
   A. More uniformity in quality of service.
   B. Better adherence to policies.
   C. Better alignment with business unit needs.
   D. More savings in total operating costs.

24. Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?
   A. Chief security officer.
   B. Chief operating officer.
   C. Chief privacy officer.
   D. Chief legal counsel.

25. The MOST important element to consider when developing a business case for a project is the:
   A. Feasibility and value proposition.
   B. Resource and time commitment.
   C. Financial analysis of benefits.
   D. Alignment with organizational objectives.

26. A newly appointed information security manager has been asked to redefine information security requirements because senior management is unhappy with the current state of information security. Which of the following choices would the information security manager consider MOST critical?
   A. An industry framework.
   B. The business strategy.
   C. The technology infrastructure.
   D. User competencies.

27. The PRIMARY goal of developing an information security strategy is to:
   A. Establish security metrics and performance monitoring.
   B. Educate business process owners regarding their duties.
   C. Ensure that legal and regulatory requirements are met.
   D. Support the business objectives of the enterprise.

28. Senior management commitment and support for information security can BEST be enhanced through:
   A. A formal security policy sponsored by the chief executive officer.
   B. Regular security awareness training for employees.
   C. Periodic review of alignment with business management goals.
   D. Senior management sign-off on the information security strategy.

29. Which of the following activities MOST commonly falls within the scope of an information security steering committee?
   A. Developing content for security awareness programs.
   B. Approving access to critical financial systems.

30. Which of the following is the MOST important factor when designing information security architecture?
   A. Technical platform interfaces.
   B. Scalability of the network.
   C. Development methodologies.
   D. Stakeholder requirements.

31. The action by which senior management supports the implementation strategy for risk management activities in an information security program will FIRST determine:
   A. The charter.
   B. The budget.
   C. Policy.
   D. The reporting structure.

32. Which of the following is the MOST appropriate task for a chief information security officer to perform?
   A. Update platform-level security settings.
   B. Conduct disaster recovery test exercises.
   C. Approve access to critical financial systems.
   D. Develop an information security strategy.

33. When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:
   A. Aligned with the IT strategic plan.
   B. Based on the current rate of technological change.
   C. Three to five years for both hardware and software.
   D. Aligned with business strategy.

34. Which of the following is the MOST important information to include in a strategic plan for information security?
   A. Information security staffing requirements.
   B. Current state and desired future state.
   C. IT capital investment requirements.
   D. Information security mission statement.

35. Information security projects should be prioritized on the basis of:
   A. Time required for implementation.
   B. Impact on the enterprise.
   C. Total cost of implementation.
   D. Mix of resources required.

36. Which of the following would BEST prepare an information security manager for regulatory reviews?
   A. Assign an information security administrator as regulatory liaison.
   B. Perform self-assessments using regulatory guidelines and report.
   C. Assess previous regulatory reports with process owner's input.
   D. Ensure all regulatory inquiries are sanctioned by the legal department.

37. From an information security manager perspective, what is an immediate benefit of clearly defined roles and responsibilities?
   A. Enhanced policy compliance.
   B. Improved procedure flows.
   C. Segregation of duties.
   D. Better accountability.

38. Which of the following roles is responsible for legal and regulatory liability for failures of security in the enterprise?
   A. Chief security officer.
   B. Chief legal counsel.
   C. Board of directors and senior management.

39. To implement information security governance, an enterprise should FIRST:
   A. Adopt security standards.
   B. Determine security baselines.
   C. Define the security strategy.
   D. Establish security policies.

40. The MOST basic requirement for an information security governance program is to:
   A. Be aligned with the corporate business strategy.
   B. Be based on a sound risk management approach.
   C. Provide good practices for security initiatives.

41. Information security policy enforcement is the responsibility of the:
   A. Security steering committee.
   B. Chief information officer.
   C. Chief information security officer.
   D. Chief compliance officer.

42. An information security manager at a global enterprise has to ensure that the local information security program will initially be in compliance with the:
   A. corporate data privacy policy.
   B. data privacy policy where data are collected.
   C. data privacy policy of the headquarters' country.
   D. data privacy directive applicable globally.

43. Effective strategic alignment of an information security program requires:
   A. active participation by a steering committee.
   B. creation of a strategic planning business unit.
   C. regular interaction with business owners.
   D. acceptance of cultural and technical limitations.

44. It is MOST important that a privacy statement on a company's e-commerce website include:
   A. a statement regarding what the company will do with the information it collects.
   B. a disclaimer regarding the accuracy of information on its website.
   C. technical information regarding how information is protected.
   D. a statement regarding where the information is being hosted.

45. Business goals define the strategic direction of the enterprise. Functional goals define the tactical direction of a business function. Security goals define the security direction of the enterprise. What is the MOST important relationship between these concepts?
   A. Functional goals should be derived from security goals.
   B. Business goals should be derived from security goals.
   C. Security goals should be derived from business goals.
   D. Security and business goals should be defined independently of each other.

46. A security manager is preparing a report to obtain commitment from executive management for a program. Inclusion of which of the following items would be of MOST value?
   A. Examples of genuine incidents in similar enterprises.
   B. Statement of generally accepted good practices.
   C. Association of realistic threats with corporate objectives.
   D. Analysis of current technological exposures.

47. The PRIMARY concern of an information security manager documenting a formal data retention policy is:
   A. generally accepted industry good practices.
   B. business requirements.
   C. legislative and regulatory requirements.
   D. storage availability.

48. Who in an enterprise has the responsibility for classifying information?
   A. Data custodian.
   B. Database administrator.
   C. Information security officer.
   D. Data owner.

49. What is the PRIMARY role of the information security manager related to the data classification and handling process within an enterprise?
   A. Defining and ratifying the enterprise's data classification structure.
   B. Assigning the classification levels to the information assets.
   C. Securing information assets in accordance with their data classification.
   D. Confirming that information assets have been properly classified.

50. Which of the following is MOST important in developing a security strategy?
   A. Creating a positive security environment.
   B. Understanding key business objectives.
   C. Allocating sufficient resources to information security.

51. Who is ultimately responsible for an enterprise's information?
   A. Data custodian.
   B. Chief information security officer.
   C. Board of directors.
   D. Chief information officer.

52. An enterprise's board of directors has learned of recent legislation requiring enterprises within the industry to enact specific safeguards to protect confidential customer information. What action should the board take next?
   A. Direct Information Security on what actions to take.
   B. Research solutions to determine proper safeguards.
   C. Require management to report on compliance.
   D. Do nothing; Information Security does not report to the board.

53. Which of the following is the MOST important prerequisite for establishing information security management within an enterprise?
   A. Senior management commitment.
   B. Information security framework.
   C. Information security organizational structure.
   D. Information security policy.

54. What will have the HIGHEST impact on standard information security governance models?
   A. Number of employees.
   B. Distance between physical locations.
   C. Complexity of organizational structure.
   D. Organizational budget.

55. Management requests that an information security manager determine which regulations regarding disclosure, reporting and privacy are the most important for the enterprise to address. The recommendations for addressing these legal and regulatory requirements will be MOST useful if based on which of the following choices?
   A. The extent of enforcement actions.
   B. The probability and consequences.
   C. The sanctions for noncompliance.
   D. The amount of personal liability.

56. How should an information security manager balance potentially conflicting requirements between an international enterprise's security standards and local regulation?
   A. Give organizational standards preference over local regulations.
   B. Follow local regulations only.
   C. Make enterprise aware of those standards where local regulations cause conflicts.
   D. Negotiate a local version of enterprise standards.

57. The FIRST step in developing an information security management program is to:
   A. identify business risk that affects the enterprise.
   B. establish the need for creating the program.
   C. assign responsibility for the program.
   D. assess adequacy of existing controls.

58. Which of the following should an information security manager PRIMARILY use when proposing implementation of a security solution?
   A. Risk assessment report.
   B. Technical evaluation report.
   C. Business case.
   D. Budgetary requirements.

59. To justify its ongoing information security budget, which of the following would be MOST useful to the information security department?
   A. Security breach frequency.
   B. Annual loss expectancy.
   C. Cost-benefit analysis.
   D. Peer group comparison.

60. Which of the following situations would MOST inhibit the effective implementation of security governance?
   A. The complexity of technology.
   B. Budgetary constraints.
   C. Conflicting business priorities.
   D. Lack of high-level sponsorship.

61. To achieve effective strategic alignment of information security initiatives, it is important that:
   A. Steering committee leadership rotates among members.
   B. Major organizational units provide input and reach a consensus.
   C. The business strategy is updated periodically.
   D. Procedures and standards are approved by all departmental heads.

62. In implementing information security governance, the information security manager is PRIMARILY responsible for:
   A. developing the security strategy.
   B. reviewing the security strategy.
   C. communicating the security strategy.
   D. approving the security strategy.

63. The MOST useful way to describe objectives in an information security strategy is through:
   A. attributes and characteristics of desired state.
   B. overall control objectives of a program.
   C. mapping IT systems to key business processes.
   D. calculation of annual loss expectations.

64. Which of the following choices is the MOST likely cause of significant inconsistencies in system configurations?
   A. A lack of procedures.
   B. Inadequate governance.
   C. Poor standards.
   D. Insufficient training.

65. Compliance with legal and regulatory requirements is:
   A. a security decision.
   B. a business decision.
   C. an absolute requirement.
   D. conditional and based on cost.

66. An information security manager must understand the relationship between information security and business operations in order to:
   A. support organizational objectives.
   B. determine likely areas of noncompliance.
   C. assess the possible impacts of compromise.
   D. understand the threats to the business.

67. The MOST effective approach to address issues that arise between IT management, business units, and security management when implementing a new security strategy is for the information security manager to:
   A. escalate issues to an external third party for resolution.
   B. ensure that senior management provide authority for security to address issues.
   C. insist that managers or units not in agreement with the security solution accept risk.
   D. refer these issues to senior management along with recommendations.

68. Obtaining senior management support for establishing a warm site can BEST be accomplished by:
   A. establishing a periodic risk assessment.
   B. promoting regulatory requirements.
   C. developing a business case.
   D. developing effective metrics.

69. Which of the following elements is MOST important when developing an information security strategy?
   A. Defined objectives.
   B. Time frames for delivery.
   C. Adoption of a control framework.
   D. Complete policies.

70. Laws and regulations should be addressed by the information security manager:
   A. to the extent that they impact the enterprise.
   B. by implementing international standards.
   C. by developing policies that address requirements.
   D. to ensure that guidelines meet requirements.

71. Who can BEST advocate the development of and ensure the success of an information security program?
   A. Internal auditor.
   B. Chief operating officer.
   C. Steering committee.
   D. IT management.

72. Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met?
   A. SWOT analysis.
   B. Waterfall chart.
   C. Gap analysis.
   D. Balanced scorecard.

73. Which of the following choices is the MOST important consideration when developing the security strategy of a company operating in different countries?
   A. Diverse attitudes toward security by employees and management.
   B. Time differences and ability to reach security officers.
   C. Coherent implementation of security policies and procedures in all countries.
   D. Compliance with diverse laws and governmental regulations.

74. Which of the following BEST contributes to the development of an information security governance framework that supports the maturity model concept?
   A. Continuous analysis, monitoring and feedback.
   B. Continuous monitoring of the return on security investment.
   C. Continuous risk reduction.
   D. Key risk indicator setup to monitor security management processes.

75. The MOST complete business case for security solutions is one that:
   A. includes appropriate justification.
   B. explains the current risk profile.
   C. details regulatory requirements.
   D. identifies incidents and losses.

76. Which of the following is MOST important to the success of an information security program?
   A. Security awareness training.
   B. Achievable goals and objectives.
   C. Senior management sponsorship.
   D. Adequate startup budget and staffing.

77. Which of the following actions would help to change an enterprise's security culture?
   A. Develop procedures to enforce the information security policy.
   B. Obtain strong management support.
   C. Implement strict technical security controls.
   D. Periodically audit compliance with the information security policy.

78. An enterprise has been recently subject to a series of denial-of-service attacks due to a weakness in security. The information security manager needs to present a business case for increasing investment in security. The MOST significant challenge in obtaining approval from senior management for the proposal is:
   A. Explaining technology issues of security.
   B. Demonstrating value and benefits.
   C. Simulating various risk scenarios.
   D. Obtaining benchmarking data for comparison.

79. Which of the following is the BEST source for determining the value of information assets?
   A. Individual business managers.
   B. Business systems analysts.
   C. Information security management.
   D. Industry benchmarking results.

80. In which of the following areas are data owners PRIMARILY responsible for establishing risk mitigation?
   A. Platform security.
   B. Entitlement changes.
   C. Intrusion detection.
   D. Antivirus controls.

81. An enterprise's information security strategy should be based on:
   A. Managing risk relative to business objectives.
   B. Managing risk to a zero level and minimizing insurance premiums.
   C. Avoiding occurrence of risk so that insurance is not required.
   D. Transferring most risk to insurers and saving on control costs.

82. Which of the following should be included in an annual information security budget that is submitted for management approval?
   A. A cost-benefit analysis of budgeted resources.
   B. All the resources that are recommended by the business.
   C. Total cost of ownership.
   D. Baseline comparisons.

83. The PRIMARY goal of a corporate risk management program is to ensure that an enterprise's:
   A. IT assets in key business functions are protected.
   B. Business risk is addressed by preventive controls.
   C. Stated objectives are achieved.
   D. IT facilities and systems are always available.

84. The data access requirements for an application should be determined by the:
   A. Legal department.
   B. Compliance officer.
   C. Information security manager.
   D. Business owner.

85. The PRIMARY purpose of an information security program is to:
   A. Provide protection to information assets consistent with business strategy and objectives.
   B. Express the results of an operational risk assessment in terms of business impact.
   C. Protect the confidentiality of business information and technology resources.
   D. Develop information security policy and procedures in line with business objectives.

86. Effective governance of enterprise security is BEST ensured by:
   A. Using a bottom-up approach.
   B. Management by the IT department.
   C. Referring the matter to the enterprise's legal department.
   D. Using a top-down approach.

87. The FIRST step to create an internal culture that embraces information security is to:
   A. Implement stronger controls.
   B. Conduct periodic awareness training.
   C. Actively monitor operations.
   D. Gain endorsement from executive management.

88. Which of the following recommendations is the BEST one to promote a positive information security governance culture within an enterprise?
   A. Strong oversight by audit committee.
   B. Organizational governance transparency.
   C. Collaboration across business lines.
   D. Positive governance ratings by stock analysts.

89. After completing a full IT risk assessment, who is in the BEST position to decide which mitigating controls should be implemented?
   A. Senior management.
   B. The business manager.
   C. The IT audit manager.
   D. The information security officer.

90. Of the following, which is the MOST effective way to measure enterprise alignment of an information security program?
   A. Track audits over time.
   B. Evaluate incident losses.
   C. Analyze business cases.
   D. Interview business owners.

91. Which of the following is the MOST appropriate as a means of obtaining commitment from senior management for implementation of the information security strategy?
   A. Educational material discussing the importance of good information security practices.
   B. Regular group meetings to review the challenges and requirements of daily operations.
   C. A cost-benefit analysis detailing how the requested implementation budget will be used.
   D. A formal presentation highlighting the relationship between security and business goals.

92. Which of the following BEST describes the key objective of an information security program?
   A. Achieve strategic business goals and objectives.
   B. Establish accountability for information risk.
   C. Establish ownership of risk.
   D. Eliminate threats to the enterprise.

93. Which of the following choices would BEST align information security objectives with business objectives?
   A. A capability maturity model.
   B. A process assessment model.
   C. A risk assessment and analysis.
   D. A business balanced scorecard.

94. What is the MAIN risk when there is no user management representation on the information security steering committee?
   A. Functional requirements are not adequately considered.
   B. User training programs may be inadequate.
   C. Budgets allocated to business units are not appropriate.
   D. Information security plans are not aligned with business requirements.

95. Which of the following should be responsible for final approval of security patch implementation?
   A. The application development manager.
   B. The IT asset owner.
   C. The information security officer.
   D. The business continuity coordinator.

96. An enterprise that appoints a chief information security officer (CISO):
   A. Improves collaboration among the ranks of senior management.
   B. Acknowledges a commitment to legal responsibility for information security.
   C. Infringes on the governance role of the board of directors.
   D. Enhances the financial accountability of technology projects.

97. Which of the following is the BEST approach to dealing with inadequate funding for a security program?
   A. Eliminate low-priority activities.
   B. Require management to accept increased risk.
   C. Prioritize risk mitigation and educate management.
   D. Increase monitoring and compliance enforcement activities.

98. When developing an information security program, what is the MOST useful source of information for determining available human resources?
   A. Proficiency test.
   B. Job descriptions.
   C. Organization chart.
   D. Skills inventory.

99. Which of the following choices would influence the content of the information security strategy to the GREATEST extent?
   A. Emerging technology.
   B. System compromises.
   C. Network architecture.
   D. Organizational goals.

100. The enterprise has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?
   A. Laws and regulations of the country of origin may not be enforceable in the foreign country.
   B. A security breach notification might get delayed due to the time difference.
   C. Additional network intrusion detection sensors should be installed, resulting in an additional cost.
   D. The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.

101. After obtaining commitment from senior management, which should be completed NEXT when establishing an information security program?
   A. Define security metrics.
   B. Conduct a risk assessment.
   C. Perform a gap analysis.
   D. Procure security tools.