The reason that would MOST inhibit the effective implementation of security governance is:

lack of high-level sponsorship.

Which of the following is the MOST important factor on which to rely to successfully assign
cross-organizational responsibility to integrate an information security program?

The roles of different job functions

The PRIMARY focus of information security governance is to:

optimize the information security strategy to achieve business objectives.

An organization that has decided to implement a formal information security program should
FIRST: define high-level business security requirements.

Network Security is: an ever-evolving process

A security manager from XYZ, Inc. suggests that the company needs to employ a more
threat-centered security program. What is implied by this approach?

The organization will focus on understanding adversaries' motivations and capabilities

Successful implementation of information security governance will FIRST require: updated
security policies.

Which resource should you protect first when designing continuity plan provisions and
processes? People

The minimum and customary practice of responsible protection of information assets is defined
by which of the following terms? Due Care

The MOST important characteristic of good security policies is that they: are
aligned with organizational goals.

Which of the following would generally not be considered an asset in a risk analysis? Users’
personal files

A company has a network of branch offices with local file/print and mail servers; each branch
individually contracts a hot site. Which of the following would be the GREATEST weakness in
recovery capability? The provider services all major companies in the area

Policies, standards, guidelines, and security awareness training fall under which of the following
control categories? Directive controls

Which of the following is the MOST effective way to measure strategic alignment of an
information security program? Survey business stakeholders

Which of the following would be the first step in establishing an information security program?
Adoption of a corporate information security policy statement

An organization's board of directors is concerned about recent fraud attempts that originated
over the Internet. What action should the board take to address this concern? Direct
management to assess the risk and to report the results to the board.

Who is in the BEST position to implement and monitor a balanced scorecard (BSC) for the
information systems (IS) security program? The chief information security officer (CISO)

XYZ, Inc. is concerned about an unpatchable vulnerability on an internal critical system. External
threats are aware of the vulnerability, but are unable to exploit the flaw. The risk for this
particular threat vulnerability pair is calculated to be zero. How is this possible given the
standard risk formula? A threat vector is not available for remote exploitation

Which of the following is MOST likely to be discretionary? Guidelines

Which of the following embodies all the detailed actions that personnel are required to follow?
Procedures

When personal information is transmitted across networks, there MUST be adequate controls
over: privacy protection.

In implementing information security governance, the information security manager is
PRIMARILY responsible for: developing the security strategy.

Reducing exposure of a critical asset is an effective mitigation measure because it reduces:

The likelihood of being exploited

Management requests that an information security manager determine which regulations
regarding disclosure, reporting and privacy are the most important for the organization to
address. The recommendations for addressing these legal and regulatory requirements will be
MOST useful if based on which of the following choices? The probability and consequences

If risks were categorized as either critical or normal, which risk assessment method is being
used: The Qualitative approach

Which of the following is the BEST justification to convince management to invest in an
information security program? Increased business value

Which of the following is the MOST important factor when designing information security
architecture? Stakeholder requirements

Retention of business records should PRIMARILY be based on: regulatory and legal requirements.

Which one of the following types of licensing agreements does not require that the user
acknowledge that they have read the agreement prior to executing it? Shrink-wrap agreement

When a safeguard or a countermeasure is not present or is not sufficient, what remains?
Vulnerability

Which of the following BEST contributes to the development of a security governance
framework that supports the maturity model concept? Continuous analysis, monitoring and
feedback

Mary is the co-founder of Acme Widgets, a manufacturing firm. Together with her partner, Joe,
she has developed a special oil that will dramatically improve the widget manufacturing process.
To keep the formula secret, Mary and Joe plan to make large quantities of the oil by themselves
in the plant after the other workers have left. They want to protect this formula for as long as
possible. What type of intellectual property protection best suits their needs?

Trade secret

Which of the following is not an element of the risk analysis process? Selecting appropriate
safeguards and implementing them

If two people are working together and we are concerned about collusion, what should be
performed? Rotation of duties

Which task of BCP bridges the gap between the business impact assessment and the continuity
planning phases? Strategy development

Data owners are PRIMARILY responsible for: approving access to systems.

Which of the following is the MOST important information to include in a strategic plan for
information security? Current state and desired future state

How would an information security manager balance the potentially conflicting requirements of
an international organization's security standards and local regulation? Negotiate a local version
of the organization standards

What is the first step that individuals responsible for the development of a business continuity
plan should perform? Business organization analysis

Which of the following is the MOST important reason for aligning information security
governance with corporate governance? To maximize the cost-effectiveness of controls

An organization's board of directors has learned of recent legislation requiring organizations
within the industry to enact specific safeguards to protect confidential customer information.
What actions should the board take next? Require management to report on compliance

Which of the following would help to change an organization's security culture? Obtain strong
management support

Which of the following is not a valid definition for risk? Anything that removes a vulnerability or
protects against one or more specific threats

Which one of the following is an important characteristic of an information security policy?
Identifies major functional areas of information.

What type of mitigation provision is utilized when redundant communications links are installed?
Alternative systems

It is MOST important that information security architecture be aligned with which of the
following? Business goals and objectives

“Sensitive data must be protected to prevent loss, theft, unauthorized access and/or
unauthorized disclosure” is a statement that would MOST likely be found in a: policy.

Which of the following is MOST important to understand when developing a meaningful
information security strategy? Organizational goals

Which of the following is the MOST important consideration for a control policy? Life safety

The MOST important reason for aligning information security governance with corporate
governance is to: maximize the cost-effectiveness of controls.

How is single loss expectancy (SLE) calculated? Asset value ($) * exposure factor

Which of the following department managers would be best suited to oversee the development
of an information security policy? Business operations

Which of the following would BEST prepare an information security manager for regulatory
reviews? Perform self-assessments using regulatory guidelines and reports.

Acceptable levels of information security risk should be determined by: the steering committee

Which of the following is MOST important in developing a security strategy? Understanding key
business objectives

Once you understand risk, you can decide to not become involved in the risk situation. Which of
the choices below describes this decision? Risk avoidance

What is the MOST important item to be included in an information security policy? The key
objectives of the security program

Obtaining senior management support for establishing a warm site can BEST be accomplished
by: developing a business case.

Why should the analysis of risk include consideration of potential impact?

Potential impact affects the extent of mitigation

Who should be responsible for enforcing access rights to application data? Security
administrators

While performing a risk analysis, you identify a threat of fire and a vulnerability because there
are no fire extinguishers. Based on this information, which of the following is a possible risk?
Damage to equipment

Information security projects should be prioritized on the basis of: impact on the organization.

The cost of implementing a security control should not exceed the: asset value.

The BEST way to justify the implementation of a single sign-on (SSO) product is to use: a business
case.

Serious security incidents typically lead to renewed focus on information security by
management. To BEST utilize this attention, the information security manager should make the
case for: improving integration of business and information security processes

Which of the following should be included in an annual information security budget that is
submitted for management approval? A cost-benefit analysis of budgeted resources

During a stakeholder meeting, a question was asked regarding who is ultimately accountable for
the protection and security of sensitive data. Assuming that all of the choices below exist in the
enterprise, which would be the MOST appropriate? The board of directors

You've performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation.
You select a possible countermeasure. When performing the calculations again, which of the
following factors will change? Annualized rate of occurrence

Of the following, which is the MOST effective way to measure strategic alignment of an
information security program? Interview business owners.

Investments in information security technologies should be based on: value analysis

Which of the following is the MOST cost-effective approach to achieve strategic alignment?

Periodically survey management

Which of the following is the BEST method or technique to ensure the effective implementation
of an information security program? Obtain the support of the board of directors.

When calculating the cost of a risk, you need to look at two factors. Which of the following
choices is one of those factors? Single Loss Expectancy

Requiring all employees and contractors to meet personnel security/suitability requirements
commensurate with their position sensitivity level and subject to personnel screening is an
example of a security: policy

What is the formula used to compute the single loss expectancy for a risk scenario? SLE = AV × EF

Which of the following represents accidental or intentional exploitation of vulnerabilities? Threat
events

A risk management process is MOST effective in achieving organizational objectives if: Risk
activities are embedded in business processes

The formal declaration of organizational security goals and objectives should be found in which
of the following documents? An information security policy

Which of the following should be determined while defining risk management strategies?
Organizational objectives and risk appetite

A newly hired information security manager notes that existing information security practices
and procedures appear ad hoc. Based on this observation, the next action should be to: review
the corporate standards.

To achieve effective strategic alignment of security initiatives, it is important that: inputs be
obtained and consensus achieved between the major organizational units

Which of the following individuals would be in the BEST position to sponsor the creation of an
information security steering group? Chief operating officer (COO)

Priority should be given to which of the following to ensure effective implementation of
information security governance? Planning

Compliance with security policies and standards is the responsibility of: all organizational units.

Which one of the following concerns is not suitable for quantitative measurement during the
business impact assessment? Negative publicity

Which of the following choices defines the strategic goals for the organizations? Policy

What process customizes a standard for an organization, beginning with scoping, and then
adding compensating controls and parameters (security configuration settings)? Tailoring

On a company's e-commerce web site, a good legal statement regarding data privacy should
include: a statement regarding what the company will do with the information it collects.

Once you understand risk, you can decide if you want to shift the responsibility to someone else.
Which of the choices below describes this decision? Risk transfer

Which of the following should be the FIRST step in developing an information security plan?
Analyze the current business strategy

Data owners must provide a safe and secure environment to ensure confidentiality, integrity and
availability of the transaction. This is an example of an information security: policy.

In the formula displayed below, what does the "Exposure Factor" represent?
Single Loss Expectancy = Asset Value X Exposure Factor
The percentage of loss a threat event would have on the asset

The MOST important aspect in establishing good information security policies is to ensure that
they: capture the intent of management and align with business goals.

The concept of governance, risk and compliance (GRC) serves PRIMARILY to: align organization
assurance functions.

Business objectives should be evident in the security strategy by: direct traceability.

What security control is directly focused on preventing collusion? Separation of duties

Which of the following is a key area of the ISO 27001 framework? Business continuity
management

Which of the following choices would be the MOST significant key risk indicator? A deviation in
employee turnover

From an information security manager perspective, what is the immediate benefit of
clearly-defined roles and responsibilities? Better accountability

Which of the following is characteristic of centralized information security management? Better
adherence to policies

Information security policies should: be straightforward and easy to understand.

Which of the following is a risk that would MOST likely be overlooked by an information security
review during an onsite inspection of an offshore provider? Cultural differences

An information security strategy document that includes specific links to an organization's
business activities is PRIMARILY an indicator of: alignment.

Of the following, which best describes the 'insurance model' of Risk Management? Pass the risk
over to a third-party

What is the PRIMARY role of the information security manager in the process of information
classification within an organization? Defining and ratifying the classification structure of
information assets

A developer comes by your desk with a document that details all the entry points through which
an attacker could attempt to introduce code into the application environment. What does the
document represent? Attack Surface

Which of the following roles would represent a conflict of interest for an information security
manager? Final approval of information security policies

The PRIMARY objective for information security program development should be: reducing the
impact of the risk in the business.

Laws and regulations should be addressed by the information security manager: to the extent
that they impact the enterprise.

Which one of the following factors of a risk assessment typically involves the GREATEST amount
of speculation? Likelihood

The chief information security officer (CISO) has recommended several information security
controls (such as antivirus) to protect the organization's information systems. Which one of the
following risk treatment options is the CISO recommending? Risk mitigation

The PRIMARY goal of developing an information security strategy is to: support the business
objectives of the organization.

In a business impact analysis, the value of an information system should be based on the overall:
opportunity cost.

Maturity levels are an approach to determine the extent that sound practices have been
implemented in an organization based on outcomes. Another approach that has been developed
to achieve essentially the same result is: process performance and capabilities.

Which of the following is MOST likely to be responsible for establishing the information security
requirements over an application? Data owner

An enterprise is transferring its IT operations to an offshore location. An information security
manager should PRIMARILY focus on: conducting a risk assessment.

Tightly integrated IT systems are MOST likely to be affected by: cascading risk.

Strategic alignment is PRIMARILY achieved when services provided by the information security
department: closely reflect the requirements of key business stakeholders.

What is the PRIMARY deficiency in utilizing annual loss expectancy (ALE) to predict the annual
extent of losses? It is based on at least some subjective information.

Considering financial matters beyond just acquisition costs is most closely associated with what?
TCO

Which of the following techniques MOST clearly indicates whether specific risk-reduction
controls should be implemented? Cost-benefit analysis

Which of the following authentication methods prevents authentication replay?
Challenge/response mechanism

What is a reasonable approach to determine control effectiveness? Confirm the control's ability
to meet intended objectives.

Which of the following is the MOST important factor to be considered in the loss of mobile
equipment with unencrypted data? Potential impact of the data loss

Which of the following is the MOST important component of information security governance?
Senior management involvement

Which of the following is the MOST supportable basis for prioritizing risk for treatment?
Frequency and impact

An organization's information security manager is planning the structure of the Information
Security Steering Committee. Which of the following groups should the manager invite?
Leadership from IT, human resources and the sales department

An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and
encourage cross-training. Which type of authorization policy would BEST address this practice?
Role-based

The MOST complete business case for security solutions is one that: includes appropriate
justification.

When performing a qualitative risk analysis, which of the following will BEST produce reliable
results? Possible scenarios with threats and impacts

Which of the following are seldom changed in response to technological changes? Policies

A control for protecting an information technology (IT) asset, such as a laptop computer, is BEST
selected if the cost of the control is less than the: impact on the business if the asset is lost or
stolen.

The classification level of an asset must be PRIMARILY based on which of the following choices?
Criticality and sensitivity

Which of the following would be MOST effective in successfully implementing restrictive
password policies? Security awareness program

Which of the following is an advantage of a centralized information security organizational
structure? It is easier to manage and control.

After a risk assessment study, a bank with global operations decided to continue conducting
business in certain regions of the world where identity theft is rampant. The information security
manager should encourage the business to: implement monitoring techniques to detect and
react to potential fraud.

What is the BEST strategy for risk management? Reduce risk to an acceptable level.

Which of the following is the BEST source for determining the value of information assets?
Individual business managers

Which of the following is the MOST effective approach to identify events that may affect
information security across a large multinational enterprise? Develop communication channels
throughout the enterprise.

After obtaining commitment from senior management, which of the following should be
completed NEXT when establishing an information security program? Conduct a risk assessment

There is a delay between the time when a security vulnerability is first published, and the time
when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk
during this time period? Identify the vulnerable systems and apply compensating controls.

An information security manager is working with a business manager to develop risk
management strategies for an application. The business manager believes that using an external
application service provider (ASP) will eliminate all of its risk. Which of the following should the
security manager explain to the business manager? Outsourcing will only transfer some of the
risk.

Which one of the following groups has final responsibility for the effectiveness of security
controls? The organization's senior management

Control objectives are MOST closely aligned with: risk appetite.

Which of the following is the PRIMARY reason for implementing a risk management program? A
risk management program: is a necessary part of management's due diligence.

Of the following, retention of business records should be PRIMARILY based on: regulatory and
legal requirements.

Security risk assessments are MOST cost-effective to a software development organization when
they are performed: at each stage of the software development life cycle.

Why might an organization rationally choose to mitigate a risk that is estimated to be at a level
higher than its stated risk appetite but within its stated risk tolerance? Senior management may
have concern that the stated impact is underestimated.

An organization that appoints a chief information security officer (CISO): acknowledges a
commitment to legal responsibility for information security.

Which of the following would be the BEST indicator of the readiness of the incident response
team in the context of the overall incident management program? Time between detection and
response

Which of the following is the MOST useful indicator of control effectiveness? The extent to which
control objectives are achieved

From an information security perspective, which of the following will have the GREATEST impact
on a financial enterprise with offices in various countries and involved in transborder
transactions? Evolving data protection regulations

Systems thinking as it relates to information security is: an understanding that the whole is
greater than the sum of its parts.

Which of the following measures would be MOST effective against insider threats to confidential
information? Role-based access control

The MOST appropriate owner of customer data stored in a central database, used only by an
organization's sales department, would be the: head of the sales department.

The acquisition of new information technology (IT) systems that are critical to an organization's
core business can create significant risk. To effectively manage the risk, the information security
manager should FIRST: ensure that appropriate procurement processes are employed.

At what interval should a risk assessment TYPICALLY be conducted? On a continuous basis

XYZ, Inc. is considering the purchase of a data breach insurance policy. What risk management
principle are they considering? Risk Transfer

Which is the BEST way to assess aggregate risk derived from a chain of linked system
vulnerabilities? Penetration tests

Which of the following are the MOST important individuals to include as members of an
information security steering committee? IT management and key business process owners

When a user employs a client-side digital certificate to authenticate to a web server through
Secure Socket Layer (SSL), confidentiality is MOST vulnerable to which of the following? Trojan

Which of the following BEST indicates senior management commitment toward supporting
information security? Approval of risk management methodology

The aspect of governance that is MOST relevant to setting security baselines is: standards.

Objectives for preventive controls should be developed PRIMARILY on the basis of: risk levels
aligned with the enterprise risk appetite.

If a defined threat needs to be addressed and a preventive control is not feasible, the next BEST
option is to do which of the following activities? Reduce exposure.

Effective information security requires a combination of management, administrative and
technical controls because: Technical controls alone are unable to adequately compensate for
faulty processes.

A project manager is developing a developer portal and requests that the security manager
assign a public IP address so that it can be accessed by in-house staff and by external consultants
outside the organization's local area network. What should the security manager do FIRST?
Understand the business requirements of the developer portal

When corporate standards change due to new technology, which of the following choices is
MOST likely to be impacted? Systems security baselines

Which of the following activities MOST commonly falls within the scope of an information
security governance steering committee? Prioritizing information security initiatives

When should risk assessments be performed for optimum effectiveness? On a continuous basis

The PRIMARY reason to consider information security during the first stage of a project life cycle
is: information security may affect project feasibility.

Which of the following is the MOST important reason to include an effective threat and
vulnerability assessment in the change management process? To reduce the need for periodic
full risk assessments.

Which of the following security activities should be implemented in the change management
process to identify key vulnerabilities introduced by changes? Penetration testing

The MOST important aspect in establishing good information security policies is to ensure that
they: capture the intent of management.

When performing a review of risk treatment options, the MOST important benefit to consider is:
achieving control objectives

Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked
system vulnerabilities? Penetration tests

What is the MAIN risk when there is no user management representation on the Information
Security Steering Committee? Information security plans are not aligned with business
requirements.

What should be the PRIMARY basis of a road map for implementing information security
governance? Strategy

Who is responsible for ensuring that information is classified? The data owner

The PRIMARY objective of asset classification is to: determine protection level.

Who is responsible for ensuring that information is categorized and that specific protective
measures are taken? Senior management

An information security manager's MOST effective efforts to manage the inherent risk related to
a third-party service provider will be the result of: limiting organizational exposure.

The impact of losing frame relay network connectivity for 18–24 hours should be calculated
using the: financial losses incurred by affected business units.

The FIRST action for an information security manager to take when presented with news that
new regulations are being applied to how organizations handle sensitive data is to determine:
Processes and activities that may be affected

An effective risk management program should reduce risk to: an acceptable level.

The information security policies of an organization require that all confidential information must
be encrypted while communicating to external entities. A regulatory agency insisted that a
compliance report must be sent without encryption. The information security manager should:
Initiate an exception process for sending the report without encryption

Which of the following would govern which information assets need more protection than other
information assets? Data classification

Who in an organization has the responsibility for classifying information? Data owner

Which of the following risk scenarios would BEST be assessed using qualitative risk assessment
techniques? Permanent decline in customer confidence

When performing a quantitative risk analysis, which of the following is MOST important to
estimate the potential loss? Calculate the value of the information or asset

When calculating an annual loss expectancy (ALE), which variable MOST requires the information
systems (IS) manager to form an opinion based on the uncertainty of the future? Annual rate of
occurrence

The MOST direct way to accurately determine the control baseline in an IT system is to do which
of the following activities? Review standards and system compliance.

Which of the following is the MOST important step in developing a cost-effective information
security strategy that is aligned with business requirements? Determination of clearly defined
objectives

The PRIMARY reason for initiating a policy exception process is when: the risk is justified by the
benefit.

When setting up an information classification scheme, the role of the information owner is to:
determine the classification of information across his/her scope of responsibility.

What is the TYPICAL output of a risk assessment? An inventory of risk that may impact the
organization

Of the following, retention of business records should be PRIMARILY based on: business
requirements.

Obtaining senior management support for an information security initiative can BEST be
accomplished by: developing and presenting a business case.

Due to limited storage media, an IT operations employee has requested permission to overwrite
data stored on a magnetic tape. The decision of the authorizing manager will MOST likely be
influenced by the data: retention policy.

When creating an effective data-protection strategy, the information security manager must
understand the flow of data and its protection at various stages. This is BEST achieved with: A
tailored methodology based on exposure
