Domain 1 - Information Security Governance Flashcards

1
Q

what does governance do

A

ensures that stakeholders' needs, conditions and options are evaluated to determine balanced, agreed-upon enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-upon direction and objectives

2
Q

what must you primarily think about when suggesting security changes
1. Risk
2. user security
3. value
4. stakeholder concerns

A

Value

3
Q

4 things about corporate governance

A
  1. providing strategic vision and direction
  2. reaching security and business objectives
  3. ensuring that risks are managed appropriately and proactively
  4. verifying that the enterprise's resources are used responsibly
4
Q
  • governance answers 4 questions (what are they)
  • What do we do if any of the questions are no?
A
  1. are we doing the right things
  2. are we doing them the right way
  3. are we getting them done well
  4. are we getting the benefits
  • we find a way to close the gap (between current state and desired state)
5
Q

Principles of Corporate Governance

A
  • Fairness: Act without partiality or prejudice
  • Accountability: The right to hold people to a set of standards and to
    judge whether they have fulfilled their responsibilities in light of these
    standards
  • Transparency: Provide timely reporting of potential issues faced by the enterprise. Shareholders should have a transparent view of the
    organization on a regular basis to understand the risk posed to their
    investments.
  • Responsibility: The actions to be performed by stakeholders as part of the corporate governance structure. Failing to fulfill the assigned
    responsibilities could result in risk.
6
Q

which of the following is the most effective way to ensure that noncompliance to information security standards is resolved

  1. periodic audits of noncompliant areas
  2. an ongoing vulnerability scanning program
  3. annual security awareness training
  4. regular reports to the audit committee
A
  regular reports to the audit committee
7
Q

the most appropriate role for senior management in supporting information security is the:
a. evaluation of vendors offering security products
b. assessment of risk to the enterprise
c. approval of policy statements and funding
d. developing standards sufficient to achieve acceptable risk

A

c. approval of policy statements and funding

reason:
C. Policies are a statement of senior management intent and direction that should be approved by senior management. Senior management should also provide sufficient funding to achieve the enterprise's information security objectives. This is the most appropriate role for senior management in supporting information security.

d. Developing standards that meet the policy is typically a function of the information security manager.

8
Q

Senior management commitment and support for information security can BEST be obtained through
presentations that:
A. use illustrative examples of successful attacks.
B. explain the technical risk to the enterprise.
C. evaluate the enterprise against good security practices.
D. tie security risk to key business objectives.

A

D. Tying security risk to key business objectives is the best option to obtain senior managers’
commitment and support as they want to understand the justification for investing in security in
relation to achieving key business objectives.

9
Q

The MOST appropriate role for senior management in supporting information security is the:
A. evaluation of vendors offering security products.
B. assessment of risk to the enterprise.
C. approval of policy statements and funding.
D. developing standards sufficient to achieve acceptable risk.

A

C. Policies are a statement of senior management intent and direction that should be approved by
senior management. It should also provide sufficient funding to achieve the enterprise's information
security objectives. This is the most appropriate role for senior management in supporting
information security.

10
Q

Which of the following would be the BEST indicator of effective information security governance within an enterprise?
A. The steering committee approves security projects.
B. Security policy training is provided to all managers.
C. Security training is available to all employees on the intranet.
D. IT personnel are trained in testing and applying required patches.

A

A. The existence of a steering committee that approves all security projects is the best indicator of an effective governance program. To ensure that all stakeholders impacted by security considerations
are involved, many enterprises use a steering committee comprised of senior representatives of
affected groups. This composition helps to achieve consensus on priorities and trade-offs and serves
as an effective communication channel for ensuring the alignment of the security program with
business objectives.

11
Q

Information security governance is PRIMARILY driven by:
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.

A

D. Business strategy is the primary driver of information security governance because security must
align with the business objectives of the enterprise, as set forth in the business strategy.

12
Q

What is the BEST evidence of a mature information security program?
A. A comprehensive risk assessment and analysis exists.
B. Development of a physical security architecture exists.
C. A controls statement of applicability exists.
D. An effective information security strategy exists.

A

D. The process of developing information security governance structures, achieving organizational
adoption and developing a strategy to implement will define the scope and responsibilities of the
security program.

13
Q

which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
A. Information security manager
B. Chief operating officer
C. Internal auditor
D. Legal counsel

A

B. The chief operating officer (COO) represents senior management, which is responsible for providing support for information security initiatives with a positive tone at the top. The information security steering group should be sponsored by the COO (senior management), as that individual would have the authority (and responsibility) to direct the participation of business unit heads and authorize the mandate or charter.

14
Q

Which of the following factors is the MOST significant in determining an enterprise’s risk appetite?
A. The nature and extent of threats
B. Organizational policies
C. The overall security strategy
D. The organizational culture

A

D. The extent to which the culture is risk-averse or risk-aggressive, in the context of the objective
ability of the enterprise to recover from loss, is the main factor in determining risk appetite.

C. Risk appetite is an input to the security strategy because the strategy is partly focused on mitigating risk to
acceptable levels.

15
Q

when should a request for proposal be issued?
A. At the project feasibility stage
B. Upon management project approval
C. Prior to developing a project budget
D. developing the business case

A

C. Development of a project budget depends on the responses to an RFP.

16
Q

which of the following is MOST appropriate for inclusion in an information security strategy?
A. Business controls designated as key controls
B. Security processes, methods, tools and techniques
C. Firewall rule sets, network defaults and intrusion detection system settings
D. Budget estimates to acquire specific security tools

A

B. A set of security objectives supported by processes, methods, tools and techniques constitutes a
security strategy.

17
Q

list the 5 phases in NIST CSF

A
  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover