D2-Information Security Governance Flashcards

Question 1

Q

What does the acronym GRC denote?

Answer

A

Governance, Risk Mgmt and compliance

Question 2

Q

What does R in a RACI chart demote?

Activity
Responsible
Accountable
Consulted
Informed

Answer

A

Responsible

Question 3

Q

A goal of the security program is to continue to contribute toward fulfillment of the security strategy, which itself will continue to align to the business and business objectives

True
False

Question 4

Q

The purpose of security governance is to

Align the organization’s security program with the needs of the business
Create policies for IT

Answer

A

Align the organization’s security program with the needs of the business

Question 5

Q

These are desired capabilities or end states, ideally expressed in achievable, measurable terms.

Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting

Answer

A

Objectives

Question 6

Q

This is a plan to achieve one or more objectives.

Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting

Question 7

Q

At its minimum, security policy should directly reflect the mission, objectives, and goals of the overall organization.

Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting

Question 8

Q

These in the security program should flow directly from the organization’s mission, objectives, and goals. Whatever is most important to the organization as a whole should be important to information security as well.

Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting

Answer

A

Priorities

Question 9

Q

The technologies, protocols, and practices used
by IT should be a reflection of the organization’s needs. On
their own, these help to drive a consistent approach to
solving business challenges; the choice of these should
facilitate solutions that meet the organization’s needs in a
cost effective and secure manner.

Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting

Answer

A

Standards

Question 10

Q

These are formalized descriptions of repeated
business activities that include instructions to applicable
personnel. Processes include one or more procedures, as well
as definitions of business records and other facts that help
workers understand how things are supposed to be done.

Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting

Answer

A

Processes

Question 11

Q

These are formal descriptions of critical activities
to ensure desired outcomes.

Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting

Question 12

Q

The organization’s IT and security programs and projects should be organized and performed in a consistent manner that reflects business priorities and supports the business.

Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting

Answer

A

Program and project management

Question 13

Q

This includes the formal measurement of processes and controls so that management understands and can measure them.

Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Improved compliance
Metrics Reporting

Answer

A

Metrics/reporting

Question 14

Q

Management will ensure that risk assessments will be performed to identify risks in information systems and supported processes. Follow-up actions will be carried out that will reduce the risk of system failure and
compromise.

Risk management
Process improvement
Event identification
Incident response
Business continuity
Metrics Management
Resource management
Improved IT governance

Answer

A

Risk management

Question 15

Q

Management will ensure that key changes will be made to business processes that will result in security improvements.

Risk management
Process improvement
Event identification
Incident response
Business continuity
Metrics Management
Resource management
Improved IT governance

Answer

A

Process improvement

Question 16

Q

Management will be sure to put technologies and processes in place to ensure that security events and incidents will be identified as quickly as possible.

Risk management
Process improvement
Event identification
Incident response
Business continuity
Metrics Management
Resource management
Improved IT governance

Answer

A

Event identification

Question 17

Q

Management will put __________ procedures into place that will help to avoid incidents, reduce the impact and probability of incidents, and improve response to incidents so that their impact on the organization is minimized.

Risk management
Process improvement
Event identification
Incident response
Business continuity
Metrics Management
Resource management
Improved IT governance

Answer

A

Incident response

Question 18

Q

Management will be sure to identify all applicable laws, regulations, and standards and carry out activities to confirm that the organization is able to attain and maintain compliance.

Risk management
Process improvement
Event identification
Incident response
Business continuity
Improved compliance
Metrics Management
Resource management
Improved IT governance

Answer

A

Improved compliance

Question 19

Q

Management will define objectives and allocate resources for
the development of business continuity and disaster recovery
plans.

Risk management
Process improvement
Event identification
Incident response
Business continuity and disaster recovery planning
Metrics Management
Resource management
Improved IT governance

Answer

A

Business continuity and disaster recovery planning

Question 20

Q

Management will establish processes to measure key security events such as incidents, policy changes and violations, audits, and training.

Risk management
Process improvement
Event identification
Incident response
Business continuity
Metrics Management
Resource management
Improved IT governance

Answer

A

Metrics Management

Question 21

Q

The allocation of manpower, budget, and other resources to meet security objectives is monitored by management.

Risk management
Process improvement
Event identification
Incident response
Business continuity
Metrics Management
Resource management
Improved IT governance

Answer

A

Resource management

Question 22

Q

An effective security governance program will result in better strategic decisions in the IT organization that keep risks at an acceptably low level.

Risk management
Process improvement
Event identification
Incident response
Business continuity
Metrics Management
Resource management
Improved IT governance

Answer

A

Improved IT governance

Question 23

Q

These are two key results of an effective security governance
program:

Increased trust Customers, suppliers, and partners trust
the organization to a greater degree when they see that
security is managed effectively.
Improved reputation The business community, including
customers, investors, and regulators, will hold the
organization in higher regard.

True
False

Question 24

Q

An organization’s information security program needs to fit into the
rest of the organization. This means that the program needs to
understand and align with the organization’s highest-level guiding
principles including the following:

Mission Why does the organization exist? Who does it
serve, and through what products and services?
Goals and objectives What achievements does the
organization want to accomplish, and when does it want to
accomplish them?
Strategy What are the activities that need to take place so
that the organization’s goals and objectives can be fulfilled?

Question 25

Q

To be business aligned, people in the security program should be
aware of several characteristics about the organization, including the
following:

Culture Culture includes how personnel in the organization
work, think, and relate to each other.
Asset value This includes information the organization uses
to operate. This often consists of intellectual property such as
designs, source code, production costs, and pricing, as well as
sensitive information related to not only its personnel but its
customers, its information-processing infrastructure, and its
service functions.
Risk tolerance Risk tolerance for the organization’s
information security program needs to align with the
organization’s overall tolerance for risk.
Legal obligations What external laws and regulations
govern what the organization does and how it operates?
These laws and regulations include the Gramm-Leach-Bliley
Act (GLBA), Payment Card Industry Data Security Standard
(PCI-DSS), European General Data Protection Regulation
(GDPR), Health Insurance Portability and Accountability Act
(HIPAA), and the North American Electric Reliability
Corporation (NERC) standard. Also, contractual obligations
with other parties often shape the organization’s behaviors
and practices.
Market conditions How competitive is the marketplace in
which the organization operates? What strengths and
weaknesses does the organization have in comparison with its
competitors? How does the organization want its security
differentiated from its competitors?

Question 26

Q

ISACA defines risk appetite as the

level of risk that an organization is willing to accept while in pursuit
of its mission, strategy, and objectives, and before action is needed
to treat the risk.
level of risk that an organization is NOT willing to accept while in pursuit
of its mission, strategy, and objectives, and before action is needed
to treat the risk.

Answer

A

level of risk that an organization is willing to accept while in pursuit
of its mission, strategy, and objectives, and before action is needed
to treat the risk.

Question 27

Q

ISACA defines risk capacity

As the objective amount of loss that an organization can tolerate without its continued existence being called into question.
As the SUBJECTIVE amount of loss that an organization can tolerate without its continued existence being called into question.

Answer

A

As the objective amount of loss that an organization can toleratewithout its continued existence being called into question.

Question 28

Q

A ______ is a statement of activities that a person is expected to perform. Like roles, responsibilities are typically documented in position descriptions and job descriptions. Typical responsibilities include the following:

Perform monthly corporate expense reconciliation
Troubleshoot network faults and develop solutions
Audit user account terminations and develop exception
reports

Answer

A

Responsibility

Question 29

Q

A RACI chart assigns

1.Levels of responsibility to individuals and groups.
2.Levels of responsibility to individuals ONLY.

Answer

A

1.Levels of responsibility to individuals and groups.

Question 30

Q

Development of a RACI chart does not helps personnel determine roles for various business activities. A typical RACI chart follows.

True
False

Question 31

Q

What does A in a RACI chart demote?

Activity
Responsible
Accountable
Consulted
Informed

Answer

A

Accountable

Question 32

Q

What does I in a RACI chart demote?

Activity
Responsible
Accountable
Consulted
Informed

Question 33

Q

What does C in a RACI chart demote?
Activity
Responsible
Accountable
Consulted
Informed

Answer

A

Consulted

Question 34

Q

What are two key results of an effective security governance
program:

Increased trust Customers, suppliers, and partners trust
the organization to a greater degree when they see that
security is managed effectively.
Improved reputation The business community, including
customers, investors, and regulators, will hold the
organization in higher regard.
Meetings will include a discussion of the impact of
regulatory changes, alignment with business objectives,
effectiveness of measurements, recent incidents, recent audits, and
risk assessments.
1 and 3
1 and 2
2 and 3

Question 35

Q

In a RACI chart the role carry out by several parties in the user account access request process. This role is The person or group that performs the actual work or task.

Responsible
Accountable
Consulted
Informed

Answer

A

Responsible

Question 36

Q

In a RACI chart the role carry out by several parties in the user account access request process. This role is The person who is ultimately answerable for complete, accurate, and timely execution of the work. Often this is a person who manages those in the Responsible role.

Responsible
Accountable
Consulted
Informed

Answer

A

Accountable

Question 37

Q

In a RACI chart the role carry out by several parties in the user account access request process. This role is One or more people or groups who are consulted for their opinions, experience, or insight. People in
the Consulted role may be a subject-matter expert for the work or task, or they may be an owner, steward, or custodian of an asset associated with the work or task. Communication with the Consulted role is two-way.

Responsible
Accountable
Consulted
Informed

Answer

A

Consulted

Question 38

Q

In a RACI chart the role carry out by several parties in the user account access request process. This role is One or more people or groups who are informed by those in other roles. Depending on the process or task,
Informed may be told of an activity before, during, or after its
completion. Communication with Informed is one-way.

Responsible
Accountable
Consulted
Informed

Question 39

Q

Several considerations (3) must be taken into account when assigning
roles to individuals and groups in a RACI chart. This consideration depicts Some or all individuals in a team assignment, as well as specific named individuals, need to have the skills, training, and competence to carry out tasks as required

Skills
Segregation of Duties
Conflict of Interest

Question 40

Q

Several considerations (3) must be taken into account when assigning
roles to individuals and groups in a RACI chart. This consideration depicts Critical tasks must not be assigned to individuals or groups when such assignments will create conflicts of interest. For example, a user who is an approver cannot approve a request for their own access. In this case, a
different person must approve the request—while also avoid a
segregation of duties conflict.

Skills
Segregation of Duties
Conflict of Interest

Answer

A

Conflict of Interest

Question 41

Q

Several considerations (3) must be taken into account when assigning
roles to individuals and groups in a RACI chart. This consideration depicts Critical tasks such as the user account provisioning RACI chart depicted earlier must be free of duty conflicts. This means that there must be two or more individuals or groups required to carry out a critical task. In this example, the requestor, approver, and provisioner cannot be the same person or group.

Skills
Segregation of Duties
Conflict of Interest

Answer

A

Segregation of Duties

Question 42

Q

In an organization is a body of people who oversee activities in an organization

Security board
Board of directors

Answer

A

Board of directors

Activities performed by the board of directors, as well as directors’
authority, are usually defined by a constitution, bylaws, or external
regulation. The board of directors is typically accountable to the
owners of the organization or, in the case of a government body, to
the electorate.
In many cases, board members have fiduciary duty. This means
they are accountable to shareholders or constituents to act in the
best interests of the organization with no appearance of impropriety,
conflict of interest, or ill-gotten profit as a result of their actions.

Question 43

Q

Cyber-Risk Oversight, the National Association of Corporate Directors has developed five principles about the importance of information security:
This principle states Directors need to understand and approach
cybersecurity as an enterprise-wide risk management issue,
not just an IT issue.

Principle 1
Principle 2
Principle 3
Principle 4
Principle 5

Answer

A

Principle 1

Question 44

Q

Cyber-Risk Oversight, the National Association of Corporate Directors has developed five principles about the importance of information security:
This principle states Directors should understand the legal
implications of cyber risks as they relate to their company’s
specific circumstances.

Principle 1
Principle 2
Principle 3
Principle 4
Principle 5

Answer

A

Principle 2

Question 45

Q

Cyber-Risk Oversight, the National Association of Corporate Directors has developed five principles about the importance of information security:
This principle states Boards should have adequate access to
cybersecurity expertise, and discussions about cyber-risk
management should be given regular and adequate time on
board meeting agendas.

Principle 1
Principle 2
Principle 3
Principle 4
Principle 5

Answer

A

Principle 3

Question 46

Q

Cyber-Risk Oversight, the National Association of Corporate Directors has developed five principles about the importance of information security:
This principle states Boards should set the expectation that
management will establish an enterprise-wide cyber-risk
management framework with adequate staffing and budget.

Principle 1
Principle 2
Principle 3
Principle 4
Principle 5

Answer

A

Principle 4

Question 47

Q

Cyber-Risk Oversight, the National Association of Corporate Directors has developed five principles about the importance of information security:
This principle states Board management discussions about cyber risk
should include identification of which risks to avoid, which to
accept, and which to mitigate or transfer through insurance,
as well as specific plans associated with each approach.

Principle 1
Principle 2
Principle 3
Principle 4
Principle 5

Answer

A

Principle 5

Question 48

Q

This team is responsible for carrying out directives issued by the board of directors.

Board of directors
Security committee
Executive management

Answer

A

Executive management

In the context of information security management, this includes ensuring that there are sufficient resources for the organization to implement a security program and to develop and maintain security controls to protect critical assets.

Executive management must ensure that priorities are balanced.
In the case of IT and information security, these functions are
usually tightly coupled but sometimes in conflict. IT’s primary
mission is the development and operation of business-enabling
capabilities through the use of information systems, while
information security’s mission includes security and compliance.

Executive management must ensure that these two sometimes conflicting
missions are successful.

Question 49

Q

To ensure the success of the organization’s information security
program, executive management should be involved in three key
areas: This area is where Security policies that are
developed by the information security function should be
visibly ratified or endorsed by executive management. This
may take different forms, such as formal minuted ratification
in a governance meeting, a statement for the need for
compliance along with a signature within the body of the
security policy document, a separate memorandum to all
personnel, or other visible communication to the
organization’s rank and file that stresses the importance of,
and need for compliance to, the organization’s information
security policy.

Ratify corporate security policy
Leadership by example
Ultimate responsibility

Answer

A

Ratify corporate security policy

Question 50

Q

To ensure the success of the organization’s information security
program, executive management should be involved in three key
areas: This area is where With regard to information security policy, executive management should lead by example and not exhibit behavior suggesting they are “above” security policy—or other policies. Executives should not be seen to enjoy special privileges of the nature that suggest
that one or more security policies do not apply to them. Instead, their behavior should visibly support security policies that all personnel are expected to comply with.

Ratify corporate security policy
Leadership by example
Ultimate responsibility

Answer

A

Leadership by example

Question 51

Q

To ensure the success of the organization’s information security
program, executive management should be involved in three key
areas: This area is where Executives are ultimately responsible for all actions carried out by the personnel who report to them. Executives are also ultimately responsible for all outcomes related to organizations to which operations have been outsourced.

Ratify corporate security policy
Leadership by example
Ultimate responsibility

Answer

A

Ultimate responsibility

Question 52

Q

Who is responsible for overseeing all activities in an organization. This team selects and manage a chief executive officer who is responsible for developing a governance function to manage assets, budgets, personnel,
processes, and risk.

The board of director
Executive Team
The security steering committee
The chief information security officer
5.The chief privacy officer

Answer

A

The board of director

Question 53

Q

This team is responsible for security strategic planning. This team will develop and approve security policies and appoint managers to develop and maintain processes, procedures, and standards, all of which should align with each other and with the organization’s overall mission, strategy, goals, and objectives.

The board of director
Executive Team
The security steering committee
The chief information security officer
5.The chief privacy officer

Answer

A

3.The security steering committee

Question 54

Q

This employee in the organization develops business-aligned security strategies that support the organization’s overall mission and goals and is responsible for the organization’s overall security program, including policy development, risk management, and perhaps some operational activities such as vulnerability
management, incident management, access management, and security awareness training.

The board of director
Executive Team
The security steering committee
The chief information security officer
The chief privacy officer

Answer

A

The chief information security officer

Question 55

Q

This officer is responsible for the protection andproper use of sensitive personal information (often referred to as
personally identifiable information). This officers information protection
responsibilities are sometimes shared with the CISO who has overall information protection responsibilities. Virtually all other roles in IT have security responsibilities, including software development and integration, data management,network management, systems management, operations, service
desk, internal audit, and all staff members.

The board of director
Executive Team
The chief information security officer
4.The chief privacy officer

Answer

A

4.The chief privacy officer

Question 56

Q

The business model for information security, is a guide for business-aligned, risk-based security governance. BMIS was developed by

NIST
2.ISO
ISACA
IC2

Question 57

Q

BMIS consists of four elements: organization, people, process, and
technology. It consists of six dynamic interconnections: This interconnection connecting organization and people elements is

culture
governing
architecture
emergence
enabling and support
human factors

Question 58

Q

BMIS consists of four elements: organization, people, process, and
technology. It consists of six dynamic interconnections: This interconnection connecting organization and process elements is

culture
governing
architecture
emergence
enabling and support
human factors

Answer

A

governing

Question 59

Q

BMIS consists of four elements: organization, people, process, and
technology. It consists of six dynamic interconnections: This interconnection connecting organization and technology elements

culture
governing
architecture
emergence
enabling and support
human factors

Answer

A

architecture

Question 60

Q

BMIS consists of four elements: organization, people, process, and
technology. It consists of six dynamic interconnections: This interconnection connecting people and process elements

culture
governing
architecture
emergence
enabling and support
human factors

Answer

A

emergence

Question 61

Q

BMIS consists of four elements: organization, people, process, and
technology. It consists of six dynamic interconnections: This interconnection connecting process and technology elements

culture
governing
architecture
emergence
enabling and support
human factors

Answer

A

enabling and support

Question 62

Q

BMIS consists of four elements: organization, people, process, and
technology. It consists of six dynamic interconnections: This interconnection connecting people and technology elements

culture
governing
architecture
emergence
enabling and support
human factors

Question 63

Q

Security governance is most concerned with:
A. Security policy
B. IT policy
C. Security strategy
D. Security executive compensation

Answer

A

C. Security governance is the mechanism through which
security strategy is established, controlled, and monitored.
Long-term and other strategic decisions are made in the
context of security governance.

Question 64

Q

A gaming software startup company does not employ
penetration testing of its software. This is an example of:
A. High tolerance of risk
B. Noncompliance
C. Irresponsibility
D. Outsourcing

Answer

A

A. A software startup in an industry like gaming is going to
be highly tolerant of risk: time to market and signing up new
customers will be its primary objectives. As the organization
achieves viability, other priorities such as security will be
introduced.

Answer 50

A

D. The metric on time to patch critical servers will be the
most meaningful metric for the board of directors. The other
metrics, while potentially interesting at the operational level,
do not convey business meaning to board members.

Answer 51

A

D. The metric of percentage of critical servers being
patched within SLAs is the best leading indicator because it is
a rough predictor of the probability of a future security
incident. The other metrics are trailing indicators because
they report on past incidents.

Answer 52

A

C. The elements of BMIS are organization, people,
process, and technology. The dynamic interconnections (DIs)
are culture, governing, architecture, emergence, enabling and
support, and human factors.

Answer 53

A

B. A strategy is the plan to achieve an objective. An
objective is the “what” that an organization wants to achieve,
and a strategy is the “how” the objective will be achieved.

Answer 54

A

A. The most important factor influencing a decision of selecting a control framework are the industry vertical. For example, a healthcare organization would likely select HIPAA as its primary control framework, whereas a retail organization might select PCI-DSS.

Answer 55

A

D. By itself, security policy tells someone little about an organization’s security practices. An organization’s policy is
only a collection of statements; without examining business processes, business records, and interviewing personnel, a
security professional cannot develop any conclusions about an organization’s security practices.

Answer 56

A

A. An organization that does not have a security incident
log probably lacks the capability to detect and respond to an
incident. It is not reasonable to assume that the organization
has had no security incidents since minor incidents occur with
regularity. Claiming that the organization has effective
controls is unreasonable, as it is understood that incidents
occur even when effective controls are in place (because not
all types of incidents can reasonably be prevented).

Answer 57

A

D. The balanced scorecard is a tool that is used to quantify
the performance of an organization against strategic
objectives. The focus of a balanced scorecard is financial,
customer, internal processes, and innovation/learning.

Answer 58

A

B. A process that is performed consistently but is
undocumented is generally considered to be Repeatable.

Answer 59

A

C. There are no rules that specify that the maturity levels
of different processes need to be the same or at different
values relative to one another. In this example, each process
may already be at an appropriate level, based on risk
appetite, risk levels, and other considerations.

Answer 60

A

C. An organization that needs to implement new controls
should do so within its existing control framework. It is not
necessary to adopt an entirely new control framework when a
few controls need to be added.

Answer 61

A

A. Organizational culture is powerful, as it reflects how
people think and work. In this example, there is no mention
that the strong culture is bad, only that it is casual. Punishing
people for their behavior may cause resentment, a revolt, or
people to leave the organization. The best approach here is to
better understand the culture and to work with people in the
organization to figure out how a culture of security can be
introduced successfully.

Answer 62

A

D. A security strategist needs to understand an
organization’s capacity to spend its way to lower risk. In an
organization with profit margins, it is unlikely that the
organization is going to agree to an aggressive improvement
plan. Developing a risk ledger that depicts these risks may be
a helpful tool for communicating risk, but by itself there is no
action to change anything. Similarly, recommending risk
avoidance may mean discontinuing the very operations that
bring in revenue.

Answer 63

A

Answer: B
Explanation:
Prior to assessing technical vulnerabilities or levels of security awareness, an information security manager needs to gain an understanding of the current business strategy and direction. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security strategy because it focuses on availability.

Answer 64

A

Answer: D
Explanation:
Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives. Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the
impact on business environment and objectives. Industry best practices are important to senior management but, again, senior management will give them the right level of importance when they are presented in terms of key business objectives.

Answer 65

A

Answer: C
Explanation:
Since the members of senior management are ultimately responsible for information security, they are the ultimate decision makers in terms of governance and direction. They are responsible for approval of major policy statements and requests to fund the information security practice.
Evaluation of vendors, assessment of risks and monitoring compliance with regulatory requirements are day-to-day responsibilities of the information security manager; in some organizations, business management is involved in these other activities, though their primary role
is direction and governance.

Answer 66

A

Answer: A
Explanation:
The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program. Compliance with laws and regulations is part of the responsibility of the steering committee but it is not a full answer. Awareness training is important at all levels in any medium, and also an indicator of good governance. However, it must be guided and approved as a security project by the steering committee.

Answer 67

A

Answer: D
Explanation:
Governance is directly tied to the strategy and direction of the business. Technology constraints, regulatory requirements and litigation potential are all important factors, but they are necessarily in line with the business strategy.

Answer 68

A

Answer: D
Explanation:
Protection of identifiable personal data is the major focus of recent privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA). Data mining is an accepted tool for ad hoc reporting; it could pose a threat to privacy only if it violates regulatory provisions. Identity
theft is a potential consequence of privacy violations but not the main focus of many regulations. Human rights addresses privacy issues but is not the main focus of regulations.

Answer 69

A

Answer: B
Explanation:
Investments in security technologies should be based on a value analysis and a sound business case. Demonstrated value takes precedence over the current business climate because it is ever changing. Basing decisions on audit recommendations would be reactive in nature and might not
address the key business needs comprehensively. Vulnerability assessments are useful, but they do not determine whether the cost is justified.

Answer 70

A

Answer: B
Explanation:
Retention of business records is generally driven by legal and regulatory requirements. Business strategy and direction would not normally apply nor would they override legal and regulatory requirements. Storage capacity and longevity are important but secondary issues. Business case
and value analysis would be secondary to complying with legal and regulatory requirements.

Answer 71

A

Answer: B
Explanation:
Centralization of information security management results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economics of scale. However, turnaround can be slower due to the lack of alignment with business units.

Answer 72

A

Answer: B
Explanation:
Updated security policies are required to align management objectives with security procedures; management objectives translate into policy; policy translates into procedures. Security procedures will necessitate specialized teams such as the computer incident response and
management group as well as specialized tools such as the security mechanisms that comprise the security architecture. Security awareness will promote the policies, procedures and appropriate use of the security mechanisms.

Answer 73

A

Answer: B
Explanation:
The chief operating officer (COO) is highly-placed within an organization and has the most knowledge of business operations and objectives. The chief internal auditor and chief legal counsel are appropriate members of such a steering group. However, sponsoring the creation of the steering committee should be initiated by someone versed in the strategy and direction of the business. Since a security manager is looking to this group for direction, they are not in the best position to oversee formation of this group.

Answer 74

A

Answer: A
Explanation:
Privacy policies must contain notifications and opt-out provisions: they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are more specific.

Answer 75

A

Answer: C
Explanation:
The cost of implementing security controls should not exceed the worth of the asset. Annualized loss expectancy represents the losses drat are expected to happen during a single calendar year. A security mechanism may cost more than this amount (or the cost of a single incident) and still be considered cost effective. Opportunity costs relate to revenue lost by forgoing the acquisition of an item or the making of a business decision.

Answer 76

A

Answer: C
Explanation:
Conflicts of this type should be based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance is a process that derives
from the risk analysis.

Answer 77

A

Answer: D
Explanation:
Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place. A strategy is a broad, high-level document. A guideline is advisory in nature, while a security model shows the relationships between components.

Answer 78

A

Answer: B
Explanation:
A set of security objectives, processes, methods, tools and techniques together constitute a security strategy. Although IT and business governance are intertwined, business controls may not be included in a security strategy. Budgets will generally not be included in an information security strategy. Additionally, until information security strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available. Firewall rule sets,
network defaults and intrusion detection system (IDS) settings are technical details subject to periodic change, and are not appropriate content for a strategy document.

Answer 79

A

Answer: A
Explanation:
Information security exists to help the organization meet its objectives. The information security manager should identify information security needs based on organizational needs. Organizational or business risk should always take precedence. Involving each organizational unit in information security and establishing metrics to measure success will be viewed favorably by senior management after the overall organizational risk is identified.

Answer 80

A

Answer: C
Explanation:
Since management is ultimately responsible for information security, it should approve information security policy statements; the information security manager should not have final approval. Evaluation of third parties requesting access, assessment of disaster recovery plans and
monitoring of compliance with physical security controls are acceptable practices and do not present any conflicts of interest.

Answer 81

A

Answer: D
Explanation:
A steering committee should be in place to approve all security projects. The fact that the data center manager has final signoff for all security projects indicates that a steering committee is not being used and that information security is relegated to a subordinate place in the organization. This would indicate a failure of information security governance. It is not inappropriate for an oversight or steering committee to meet quarterly. Similarly, it may be desirable to have the chief
information officer (CIO) approve the security policy due to the size of the organization and frequency of updates. Difficulty in filling vacancies is not uncommon due to the shortage of good, qualified information security professionals.

Answer 82

A

Answer: A
Explanation:
Information security priorities may, at times, override technical specifications, which then must be rewritten to conform to minimum security standards. Regulatory and privacy requirements are
government-mandated and, therefore, not subject to override. The needs of the business should always take precedence in deciding information security priorities.

Answer 83

A

Answer: B
Explanation:
New information security managers should seek to build rapport and establish lines of communication with senior management to enlist their support. Benchmarking peer organizations is beneficial to better understand industry best practices, but it is secondary to obtaining senior
management support. Similarly, developing a security architecture and assembling an experienced staff are objectives that can be obtained later.

Answer 84

A

Answer: D
Explanation:
Information security architecture should always be properly aligned with business goals and objectives. Alignment with IT plans or industry and security best practices is secondary by comparison.

Answer 85

A

Answer: C
Explanation:
Policies define security goals and expectations for an organization. These are defined in more specific terms within standards and procedures. Standards establish what is to be done while procedures describe how it is to be done. Guidelines provide recommendations that business management must consider in developing practices within their areas of control, as such, they are discretionary.

Answer 86

A

Answer: A
Explanation:
The most fundamental evaluation criterion for the appropriate selection of any security technology is its ability to reduce or eliminate business risks. Investments in security technologies should be based on their overall value in relation to their cost; the value can be demonstrated in terms of risk mitigation. This should take precedence over whether they use new or exotic technologies or how they are evaluated in trade publications.

Answer 87

A

Answer: C
Explanation:
Policies are high-level statements of objectives. Because of their high-level nature and statement of broad operating principles, they are less subject to periodic change. Security standards and procedures as well as guidelines must be revised and updated based on the impact of technology changes.

Answer 88

A

Answer: D
Explanation:
Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to
recover. Business strategy and direction do not generally apply, nor do legal and regulatory requirements. Storage capacity and shelf life are important but secondary issues.

Answer 89

A

Answer: C
Explanation:
Decentralization of information security management generally results in better alignment to business unit needs. It is generally more expensive to administer due to the lack of economies of scale. Uniformity in quality of service tends to vary from unit to unit.

Answer 90

A

Answer: B
Explanation:
The chief operating officer (COO) is most knowledgeable of business operations and objectives. The chief privacy officer (CPO) and the chief legal counsel (CLC) may not have the knowledge of the day- to-day business operations to ensure proper guidance, although they have the same influence within the organization as the COO. Although the chief security officer (CSO) is knowledgeable of what is needed, the sponsor for this task should be someone with far-reaching influence across the organization.

Answer 91

A

Answer: D
Explanation:
The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance. Review of internal control mechanisms relates more to
auditing, while the total elimination of risk factors is not practical or possible. Proactive involvement in business decision making implies that security needs dictate business needs when, in fact, just
the opposite is true. Involvement in decision making is important only to ensure business data integrity so that data can be trusted.

Answer 92

A

Answer: C
Explanation:
Security architecture explains the use and relationships of security mechanisms. Security metrics measure improvement within the security practice but do not explain the use and relationships of
security technologies. Process improvement models and network topology diagrams also do not describe the use and relationships of these technologies

Answer 93

A

Answer: C
Explanation:
Resolving conflicts of this type should be based on a sound risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. A blanket decision should never be given without conducting such an analysis. Enforcing existing standards is a good practice; however,
standards need to be continuously examined in light of new technologies and the risks they present. Standards should not be changed without an appropriate risk assessment.

Answer 94

A

Answer: D
Explanation:
Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume. Legal counsel, the external auditors and security management are not in a position to make such a decision.

Answer 95

A

Answer: D
Explanation:
The business objectives of the organization supersede all other factors. Establishing metrics and measuring performance, meeting legal and regulatory requirements and educating business process owners are all subordinate to this overall goal.

Answer 96

A

Answer: C
Explanation:
Ensuring that security activities continue to be aligned and support business goals is critical to obtaining their support. Although having the chief executive officer (CEO) signoff on the security policy and senior management signoff on the security strategy makes for good visibility and
demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior management. Security awareness training for employees will not have as much effect on senior management commitment.

Answer 97

A

Answer: B
Explanation:
It will be much more efficient to craft all relevant requirements into policies than to create separate versions. Using statements provided by regulators will not capture all of the requirements mandated by different regulators. A compliance risk assessment is an important tool to verify that procedures ensure compliance once the policies have been established.

Answer 98

A

Answer: C
Explanation:
Prioritizing information security initiatives is the only appropriate item. The interviewing of specialists should be performed by the information security manager, while the developing of program content should be performed by the information security staff. Approving access to critical
financial systems is the responsibility of individual system data owners.

Answer 99

A

Answer: D
Explanation:
The most important factor for information security is that it advances the interests of the business, as defined by stakeholder requirements. Interoperability and scalability, as well as development methodologies, are all important but are without merit if a technologically-elegant solution is achieved that does not meet the needs of the business.

Answer 100

A

Answer: B
Explanation:
Information security will be properly aligned with the goals of the business only with the ability to understand and map organizational needs to enable security technologies. All of the other choices
are important but secondary to meeting business security needs.

Answer 101

A

Answer: A
Explanation:
Policies and standards should generally be more static and less subject to frequent change. Procedures on the other hand, especially with regard to the hardening of operating systems, will be subject to constant change; as operating systems change and evolve, the procedures for hardening will have to keep pace.

Answer 102

A

Answer: D
Explanation:
As custodians, security administrators are responsible for enforcing access rights to data. Data owners are responsible for approving these access rights. Business process owners are sometimes the data owners as well, and would not be responsible for enforcement. The security
steering committee would not be responsible for enforcement.

Answer 103

A

Answer: B
Explanation:
The chief information security officer (CISO) should ideally report to as high a level within the organization as possible. Among the choices given, the chief operations officer (COO) would have not only the appropriate level but also the knowledge of day-to-day operations. The head of
internal audit and legal counsel would make good secondary choices, although they would not be as knowledgeable of the operations. Reporting to the chief technology officer (CTO) could become
problematic as the CTO’s goals for the infrastructure might, at times, run counter to the goals of information security.

Answer 104

A

Answer: D
Explanation:
Developing a strategy paper on information security would be the most appropriate. Approving
access would be the job of the data owner. Updating platform-level security and conducting
recovery test exercises would be less essential since these are administrative tasks.

Answer 105

A

Answer: C
Explanation:
Calculating the return on investment (ROI) will most closely align security with the impact on the
bottom line. Frequency and cost of incidents are factors that go into determining the impact on the
business but, by themselves, are insufficient. Comparing spending against similar organizations
can be problematic since similar organizations may have different business goals and appetites for
risk.

Answer 106

A

Answer: D
Explanation:
Any planning for information security should be properly aligned with the needs of the business.
Technology should not come before the needs of the business, nor should planning be done on an
artificial timetable that ignores business needs.

Answer 107

A

Answer: B
Explanation:
It is most important to paint a vision for the future and then draw a road map from the stalling point to the desired future state. Staffing, capital investment and the mission all stem from this foundation.

Answer 108

A

Answer: B
Explanation:
Information security projects should be assessed on the basis of the positive impact that they will have on the organization. Time, cost and resource issues should be subordinate to this objective.

Answer 109

A

Answer: D
Explanation:
The last review date confirms the currency of the standard, affirming that management has reviewed the standard to assure that nothing in the environment has changed that would necessitate an update to the standard. The name of the author as well as the creation and draft
dates are not that important.

Answer 110

A

Answer: B
Explanation:
Self-assessments provide the best feedback on readiness and permit identification of items requiring remediation. Directing regulators to a specific person or department, or assessing previous reports, is not as effective. The legal department should review all formal inquiries but
this does not help prepare for a regulatory review.

Answer 111

A

Answer: B
Explanation:
It is more efficient to establish a baseline standard and then develop additional standards for locations that must meet specific requirements. Seeking a lowest common denominator or just using industry best practices may cause certain locations to fail regulatory compliance. The
opposite approach—forcing all locations to be in compliance with the regulations places an undue
burden on those locations.

Answer 112

A

Answer: B
Explanation:
The job of the information security officer on such a team is to assess the risks to the business
operation. Choice A is incorrect because information security is not limited to IT issues. Choice C
is incorrect because at the time a team is formed to assess risk, it is premature to assume that any
demonstration of IT controls will mitigate business operations risk. Choice D is incorrect because it
is premature at the time of the formation of the team to assume that any suggestion of new IT
controls will mitigate business operational risk.

Answer 113

A

Answer: D
Explanation:
Without well-defined roles and responsibilities, there cannot be accountability.
Choice A is incorrect because policy compliance requires adequately defined accountability first and therefore is a byproduct.
Choice B is incorrect because people can be assigned to execute procedures that are not well designed.
Choice C is incorrect because segregation of duties is not automatic, and
roles may still include conflicting duties.

Answer 114

A

Answer: B
Explanation:
Performing a risk assessment will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management. Metrics reports are normally contained within the methodology of the risk assessment to give it credibility and provide an ongoing tool. The business impact analysis (BIA) covers continuity risks only. Return on security investment cannot be determined until a plan is developed based on the BIA.

Answer 115

A

Answer: C
Explanation:
Reviewing security metrics provides senior management a snapshot view and trends of an organization’s security posture.

Choice A is incorrect because reviewing risk assessment policies
would not ensure that the controls are actually working.
Choice B is incorrect because reviewing returns on security investments provides business justifications in implementing controls, but does
not measure effectiveness of the control itself.
Choice D is incorrect because reviewing user access rights is a joint responsibility of the data custodian and the data owner, and does not
measure control effectiveness.

Answer 116

A

Answer: C
Explanation:
The board of directors and senior management are ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.

Answer 117

A

Answer: C
Explanation:
The first step in implementing information security governance is to define the security strategy based on which security baselines are determined. Adopting suitable security- standards, performing risk assessment and implementing security policy are steps that follow the definition of
the security strategy.

Answer 118

A

Answer: A
Explanation:
To receive senior management support, an information security program should be aligned with the corporate business strategy. Risk management is a requirement of an information security program which should take into consideration the business strategy. Security governance is much
broader than just regulatory compliance. Best practice is an operational concern and does not have a direct impact on a governance program.

Answer 119

A

Answer: C
Explanation:
Information security policy enforcement is the responsibility of the chief information security officer (CISO), first and foremost. The board of directors and executive management should ensure that a security policy is in line with corporate objectives. The chief information officer (CIO) and the chief compliance officer (CCO) are involved in the enforcement of the policy but are not directly responsible for it.

Answer 120

A

Answer: C
Explanation:
Most privacy laws and regulations require disclosure on how information will be used.
Choice A is incorrect because that information should be located in the web site’s disclaimer.
Choice B is incorrect because, although encryption may be applied, this is not generally disclosed.
Choice D is incorrect because information classification would be contained in a separate policy.

Answer 121

A

Answer: C
Explanation:
To be successful in implementing restrictive password policies, it is necessary to obtain the buy-in of the end users. The best way to accomplish this is through a security awareness program.
Regular password audits and penalties for noncompliance would not be as effective on their own; people would go around them unless forced by the system. Single sign-on is a technology solution that would enforce password complexity but would not promote user compliance. For the effort to be more effective, user buy-in is important.

Answer 122

A

Answer: C
Explanation:
The link to business objectives is the most important clement that would be considered by
management. Information security metrics should be put in the context of impact to management
objectives. Although important, the security knowledge required would not be the first element to
be considered. Baselining against the information security metrics will be considered later in the
process.

Answer 123

A

Answer: B
Explanation:
As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from the
country in which the organization is headquartered, it is improbable that a group wide policy will address all the local legal requirements. In case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law
applicable to the head office. The data privacy laws are country-specific.

Answer 124

A

Answer: C
Explanation:
If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing
control gap.

Answer 125

A

Answer: B
Explanation:
The security steering group comprises senior management of key business functions and has the primary objective to align the security strategy with the business direction. Option A is incorrect
because all business areas may not be required to be covered by information security; but, if they do, the main purpose of the steering committee would be alignment more so than coverage. While
raising awareness is important, this goal would not be carried out by the committee itself. The steering committee may delegate part of the decision making to the information security manager; however, if it retains this authority, it is not the primary’ goal.

Answer 126

A

Answer: D
Explanation:
A policy is a high-level statement of an organization’s beliefs, goals, roles and objectives. Baselines assume a minimum security level throughout an organization. The information security strategy aligns the information security program with business objectives rather than making
control statements. A procedure is a step-by-step process of how policy and standards will be implemented.

Answer 127

A

Answer: D
Explanation:
Information security has to be integrated into the requirements of the application’s design. It should also be part of the information security governance of the organization. The application owner may not make a timely request for security involvement. It is too late during systems testing, since the requirements have already been agreed upon. Code reviews are part of the final quality assurance process.

Answer 128

A

Answer: C
Explanation:
Linking realistic threats to key business objectives will direct executive attention to them. All other options are supportive but not of as great a value as choice C when trying to obtain the funds for a new program.

Answer 129

A

Answer: B
Explanation:
The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement. Best practices may be a useful guide but not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant since whatever is needed must be provided

Answer 130

A

Answer: B
Explanation:
Privacy protection is necessary to ensure that the receiving party has the appropriate level of protection of personal data. Change management primarily protects only the information, not the privacy of the individuals. Consent is one of the protections that is frequently, but not always, required. Encryption is a method of achieving the actual control, but controls over the devices may not ensure adequate privacy protection and, therefore, is a partial answer.

Answer 131

A

Answer: A
Explanation:
The organization first needs to move from ad hoc to repeatable processes. The organization then needs to document the processes and implement process monitoring and measurement.
Baselining security levels will not necessarily assist in process improvement since baselining focuses primarily on control improvement. The organization needs to standardize processes both
before documentation, and before monitoring and measurement.

Answer 132

A

Answer: D
Explanation:
The data owner has full responsibility over data. The data custodian is responsible for securing the information. The database administrator carries out the technical administration. The information security officer oversees the overall classification management of the information.

Answer 133

A

Answer: A
Explanation:
Defining and ratifying the classification structure of information assets is the primary role of the information security manager in the process of information classification within the organization. Choice B is incorrect because the final responsibility for deciding the classification levels rests with the data owners. Choice C is incorrect because the job of securing information assets is the responsibility of the data custodians. Choice D may be a role of an information security manager
but is not the key role in this context.

Answer 134

A

Answer: B
Explanation:
Detection defenses include logging as well as monitoring, measuring, auditing, detecting viruses and intrusion. Examples of containment defenses are awareness, training and physical security defenses. Examples of reaction defenses are incident response, policy and procedure change, and control enhancement. Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans.

Answer 135

A

Answer: B
Explanation:
Alignment with business strategy is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.

Answer 136

A

Answer: C
Explanation:
The board of directors is ultimately responsible for the organization’s information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management’s directives. The chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization’s
information.

Answer 137

A

Answer: D
Explanation:
Regulatory compliance can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements. Buy-in from business managers must be obtained by the information
security manager when an information security governance measure is sought based on its alignment with industry best practices. Business continuity investment needs to be justified by business impact analysis. When an information security governance measure is sought based on
qualitative business benefits, further analysis is required to determine whether the benefits outweigh the cost of the information security governance measure in question.

Answer 138

A

Answer: B
Explanation:
Information security controls should be proportionate to the risks of modification, denial of use or disclosure of the information. It is advisable to learn if the job description is apportioning more data
than are necessary for that position to execute the business rules (types of data access). Principles of ethics and integration have the least to do with mapping job description to types of data access. The principle of accountability would be the second most adhered to principle since
people with access to data may not always be accountable but may be required to perform an
operation.

Answer 139

A

Answer: A
Explanation:
Senior management commitment is necessary in order for each of the other elements to succeed. Without senior management commitment, the other elements will likely be ignored within the organization.

Answer 140

A

Answer: C
Explanation:
Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, leadership and lines of communication. Number of employees and distance between physical locations have less impact on information security governance models since well-defined process, technology and people components intermingle to provide the
proper governance. Organizational budget is not a major impact once good governance models are in place; hence governance will help in effective management of the organization’s budget.

Answer 141

A

Answer: C
Explanation:
Whenever personal data are transferred across national boundaries, the awareness and agreement of the data subjects are required. Choices A, B and D are supplementary data protection requirements that are not key for international data transfer.

Answer 142

A

Answer: B
Explanation:
Risk assessment, evaluation and impact analysis will be the starting point for driving management’s attention to information security. All other choices will follow the risk assessment.

Answer 143

A

Answer: A
Explanation:
Monitoring processes are also required to guarantee fulfillment of laws and regulations of the organization and, therefore, the information security manager will be obligated to comply with the law.

Choices B and C are evaluated as part of the operational risk.
Choice D is unlikely to be as critical a breach of regulatory legislation. The acceptance of operational risks overrides choices B,
C and D.

Answer 144

A

Answer: B
Explanation:
Business dependency assessment is a process of determining the dependency of a business on certain information resources. It is not an outcome or a product of effective security management.
Strategic alignment is an outcome of effective security governance. Where there is good governance, there is likely to be strategic alignment. Risk assessment is not an outcome of effective security governance; it is a process. Planning comes at the beginning of effective security governance, and is not an outcome but a process.

Answer 145

A

Answer: D
Explanation:
Adherence to local regulations must always be the priority. Not following local regulations can prove detrimental to the group organization. Following local regulations only is incorrect since
there needs to be some recognition of organization requirements. Making an organization aware of standards is a sensible step, but is not a total solution. Negotiating a local version of the organization standards is the most effective compromise in this situation.

Answer 146

A

Answer: B
Explanation:
Although senior management should support and sponsor a risk analysis, the know-how and the management of the project will be with the security department. Quality management and the legal department will contribute to the project.

Answer 147

A

Answer: B
Explanation:
In developing an information security management program, the first step is to clarify the organization’s purpose for creating the program. This is a business decision based more on judgment than on any specific quantitative measures. After clarifying the purpose, the other choices are assigned and acted upon.

Answer 148

A

Answer: A
Explanation:
The potential for financial loss is always a key factor when assessing the value of information.
Choices B, C and D may be contributors, but not the key factor.

Answer 149

A

Answer: C
Explanation:
The information security manager needs to prioritize the controls based on risk management and
the requirements of the organization. The information security manager must look at the costs of
the various controls and compare them against the benefit the organization will receive from the
security solution. The information security manager needs to have knowledge of the development
of business cases to illustrate the costs and benefits of the various controls. All other choices are
supplemental.

Answer 150

A

Answer: C
Explanation:
Cost-benefit analysis is the legitimate way to justify budget. The frequency of security breaches may assist the argument for budget but is not the key tool; it does not address the impact.
Annualized loss expectancy (ALE) does not address the potential benefit of security investment. Peer group comparison would provide a good estimate for the necessary security budget but it would not take into account the specific needs of the organization.

Answer 151

A

Answer: D
Explanation:
The need for senior management involvement and support is a key success factor for the implementation of appropriate security governance. Complexity of technology, budgetary
constraints and conflicting business priorities are realities that should be factored into the governance model of the organization, and should not be regarded as inhibitors.

Answer 152

A

Answer: B
Explanation:
It is important to achieve consensus on risks and controls, and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization. Rotation
of steering committee leadership does not help in achieving strategic alignment. Updating business strategy does not lead to strategic alignment of security initiatives. Procedures and standards need not be approved by all departmental heads

Answer 153

A

Answer: C
Explanation:
A rogue access point masquerades as a legitimate access point. The risk is that legitimate users may connect through this access point and have their traffic monitored. All other choices are not dependent on the use of a wireless local area network (LAN) technology.

Answer 154

A

Answer: C
Explanation:
The escalation process in critical situations should involve the information security manager as the first contact so that appropriate escalation steps are invoked as necessary. Choices A, B and D
would be notified accordingly.

Answer 155

A

Answer: A
Explanation:
The information security manager is responsible for developing a security strategy based on
business objectives with the help of business process owners. Reviewing the security strategy is
the responsibility of a steering committee. The information security manager is not necessarily
responsible for communicating or approving the security strategy.

Answer 156

A

Answer: C
Explanation:
Strategic alignment of security with business objectives is a key indicator of performance
measurement. In guiding a security program, a meaningful performance measurement will also
rely on an understanding of business objectives, which will be an outcome of alignment. Business
linkages do not by themselves indicate integration or value delivery. While alignment is an
important precondition, it is not as important an indicator.

Answer 157

A

Answer: D
Explanation:
From a security standpoint, compliance with the organization’s information security requirements
is one of the most important topics that should be included in the contract with third-party service
provider. The scope of implemented controls in any ISO 27001-compliant organization depends on
the security requirements established by each organization. Requiring compliance only with this
security standard does not guarantee that a service provider complies with the organization’s
security requirements. The requirement to use a specific kind of control methodology is not usually
stated in the contract with third- party service providers.

Answer 158

A

Answer: D
Explanation:
Any investment must be reviewed to determine whether it is cost effective and supports the
organizational strategy. It is important to review the features and functionalities provided by such a
tool, and to provide examples of situations where the tool would be useful, but that comes after
substantiating the investment and return on investment to the organization.

Answer 159

A

Answer: A
Explanation:
Security strategy will typically cover a wide variety of issues, processes, technologies and outcomes that can best be described by a set of characteristics and attributes that are desired. Control objectives are developed after strategy and policy development. Mapping IT systems to key business processes does not address strategy issues. Calculation of annual loss expectations would not describe the objectives in the information security strategy.

Answer 160

A

Answer: D
Explanation:
A risk assessment would be most helpful to management in understanding at a very high level the
threats, probabilities and existing controls. Developing a security architecture, installing a network
intrusion detection system (NIDS) and preparing a list of attacks on the network and developing a
network security policy would not be as effective in highlighting the importance to management
and would follow only after performing a risk assessment.

Answer 161

A

Answer: D
Explanation:
A skills inventory would help identify- the available resources, any gaps and the training
requirements for developing resources. Proficiency testing is useful but only with regard to specific
technical skills. Job descriptions would not be as useful since they may be out of date or not
sufficiently detailed. An organization chart would not provide the details necessary to determine
the resources required for this activity.

Answer 162

A

Answer: C
Explanation:
The most important characteristic of good security policies is that they be aligned with
organizational goals. Failure to align policies and goals significantly reduces the value provided by
the policies. Stating expectations of IT management omits addressing overall organizational goals
and objectives. Stating only one general security mandate is the next best option since policies
should be clear; otherwise, policies may be confusing and difficult to understand. Governing the
creation of procedures and guidelines is most relevant to information security standards.

Answer 163

A

Answer: A
Explanation:
Security exists to provide a level of predictability for operations, support for the activities of the organization and to ensure preservation of the organization. Business operations must be the driver for security activities in order to set meaningful objectives, determine and manage the risks to those activities, and provide a basis to measure the effectiveness of and provide guidance to the security program. Regulatory compliance may or may not be an organizational requirement. If compliance is a requirement, some level of compliance must be supported but compliance is only one aspect. It is necessary to understand the business goals in order to assess potential impacts
and evaluate threats. These are some of the ways in which security supports organizational objectives, but they are not the only ways.

Answer 164

A

Answer: D
Explanation:
Senior management is in the best position to arbitrate since they will look at the overall needs of the business in reaching a decision. The authority may be delegated to others by senior management after their review of the issues and security recommendations. Units should not be
asked to accept the risk without first receiving input from senior management.

Answer 165

A

Answer: C
Explanation:
Business case development, including a cost-benefit analysis, will be most persuasive to
management. A risk assessment may be included in the business ease, but by itself will not be as
effective in gaining management support. Informing management of regulatory requirements may
help gain support for initiatives, but given that more than half of all organizations are not in
compliance with regulations, it is unlikely to be sufficient in many cases. Good metrics which
provide assurance that initiatives are meeting organizational goals will also be useful, but are
insufficient in gaining management support.

Answer 166

A

Answer: A
Explanation:
The first step to improve accountability is to include security responsibilities in a job description.
This documents what is expected and approved by the organization. The other choices are
methods to ensure that the system administrator has the training to fulfill the responsibilities
included in the job description.

Answer 167

A

Answer: A
Explanation:
Without defined objectives, a strategy — the plan to achieve objectives — cannot be developed.
Time frames for delivery are important but not critical for inclusion in the strategy document.
Similarly, the adoption of a control framework is not critical to having a successful information
security strategy. Policies are developed subsequent to, and as a part of, implementing a strategy.

Answer 168

A

Answer: C
Explanation:
Culture has a significant impact on how information security will be implemented. Representation
by regional business leaders may not have a major influence unless it concerns cultural issues.
Composition of the board may not have a significant impact compared to cultural issues. IT
security skills are not as key or high impact in designing a multinational information security
program as would be cultural issues.

Answer 169

A

Answer: D
Explanation:
Investing in an information security program should increase business value and confidence. Cost
reduction by itself is rarely the motivator for implementing an information security program.
Compliance is secondary to business value. Increasing business value may include protection of
business assets.

Answer 170

A

Answer: A
Explanation:
Most privacy laws and regulations require disclosure on how information will be used. A disclaimer
is not necessary since it does not refer to data privacy. Technical details regarding how
information is protected are not mandatory to publish on the web site and in fact would not be
desirable. It is not mandatory to say where information is being hosted.

Answer 171

A

Answer: C
Explanation:
A security program enabling business activities would be most helpful to achieve alignmentbetween information security and organization objectives. All of the other choices are part of thesecurity program and would not individually and directly help as much as the security program.

Answer 172

A

Answer: A
Explanation:
To improve the governance framework and achieve a higher level of maturity, an organization
needs to conduct continuous analysis, monitoring and feedback compared to the current state of
maturity. Return on security investment (ROSD may show the performance result of the security related
activities; however, the result is interpreted in terms of money and extends to multiple
facets of security initiatives. Thus, it may not be an adequate option. Continuous risk reduction
would demonstrate the effectiveness of the security governance framework, but does not indicate
a higher level of maturity. Key risk indicator (KRD setup is a tool to be used in internal control
assessment. KRI setup presents a threshold to alert management when controls are being
compromised in business processes. This is a control tool rather than a maturity model support
tool.

Answer 173

A

Answer: A
Explanation:
Management is primarily interested in security solutions that can address risks in the most cost effective
way. To address the needs of an organization, a business case should address
appropriate security solutions in line with the organizational strategy.

Answer 174

A

Answer: D
Explanation:
Alignment of security with business objectives requires an understanding of what an organization
is trying to accomplish. The other choices are all elements that must be considered, but their
importance is secondary and will vary depending on organizational goals.

Answer 175

A

Answer: B
Explanation:
It is easier to manage and control a centralized structure. Promoting security awareness is an
advantage of decentralization. Decentralization allows you to use field security personnel as
security missionaries or ambassadors to spread the security awareness message. Decentralized
operations allow security administrators to be more responsive. Being close to the business allows
decentralized security administrators to achieve a faster turnaround than that achieved in a
centralized operation.

Answer 176

A

Answer: B
Explanation:
Management support and pressure will help to change an organization’s culture. Procedures will
support an information security policy, but cannot change the culture of the organization. Technical
controls will provide more security to an information system and staff; however, this does not
mean the culture will be changed. Auditing will help to ensure the effectiveness of the information
security policy; however, auditing is not effective in changing the culture of the company.

Answer 177

A

Answer: D
Explanation:
A business case shows both direct and indirect benefits, along with the investment required and
the expected returns, thus making it useful to present to senior management. Return on
investment (ROD would only provide the costs needed to preclude specific risks, and would not
provide other indirect benefits such as process improvement and learning. A vulnerability
assessment is more technical in nature and would only identify and assess the vulnerabilities. This
would also not provide insights on indirect benefits. Annual loss expectancy (ALE) would not
weigh the advantages of implementing single sign-on (SSO) in comparison to the cost of
implementation

Answer 178

A

Answer: D
Explanation:
The establishment of a security governance program is possible only with the support and
sponsorship of top management since security governance projects are enterprise wide and
integrated into business processes. Conducting a risk assessment, conducting a workshop for all
end users and preparing a security budget all follow once high-level sponsorship is obtained.

Answer 179

A

Answer: A
Explanation:
The needs of the organization were not taken into account, so there is a conflict. This example is
not strong protection; it is poorly configured. Implementing appropriate controls to reduce risk is
not an appropriate control as it is being used. This does not prove the ability to protect, but proves
the ability to interfere with business.

Answer 180

A

Answer: A
Explanation:
Organizations must manage risks to a level that is acceptable for their business model, goals and
objectives. A zero-level approach may be costly and not provide the effective benefit of additional
revenue to the organization. Long-term maintenance of this approach may not be cost effective.
Risks vary as business models, geography, and regulatory- and operational processes change.
Insurance covers only a small portion of risks and requires that the organization have certain
operational controls in place.

Answer 181

A

Answer: A
Explanation:
A brief explanation of the benefit of expenditures in the budget helps to convey the context of how
the purchases that are being requested meet goals and objectives, which in turn helps build
credibility for the information security function or program. Explanations of benefits also help
engage senior management in the support of the information security program. While the budget
should consider all inputs and recommendations that are received from the business, the budget
that is ultimately submitted to management for approval should include only those elements that
are intended for purchase. TCO may be requested by management and may be provided in an
addendum to a given purchase request, but is not usually included in an annual budget. Baseline
comparisons (cost comparisons with other companies or industries) may be useful in developing a
budget or providing justification in an internal review for an individual purchase, but would not be
included with a request for budget approval.

Answer 182

A

Answer: A

Explanation:
Information security governance decreases the risk of civil or legal liability. The remaining answers
are incorrect. Option D appears to be correct, but senior management would provide oversight and
approval as opposed to direct involvement in developing control processes.

Answer 183

A

Answer: A
Explanation:
Organization maturity level for the protection of information is a clear alignment with goals and
objectives of the organization. Experience in previous projects is dependent upon other business
models which may not be applicable to the current model. Best business practices may not be
applicable to the organization’s business needs. Safeguards inherent to existing technology are
low cost but may not address all business needs and/or goals of the organization.

Answer 184

A

Answer: D
Explanation:
Business owners are ultimately responsible for their applications. The legal department,
compliance officer and information security manager all can advise, but do not have final
responsibility.

Answer 185

A

Answer: A
Explanation:
Option A is the type of analysis that will determine whether the organization is required to maintain
the data for business, legal or regulatory reasons. Keeping data that are no longer required
unnecessarily consumes resources, and, in the case of sensitive personal information, can
increase the risk of data compromise. Options B. C and D are attributes that should be considered
in the destruction and retention policy. A BIA could help determine that this information does not
support the main objective of the business, but does not indicate the action to take.

Answer 186

A

Answer: A
Explanation:
A company is held to the local laws and regulations of the country in which the company resides,
even if the company decides to place servers with a vendor that hosts the servers in a foreign
country. A potential violation of local laws applicable to the company might not be recognized or
rectified (i.e., prosecuted) due to the lack of knowledge of the local laws that are applicable and
the inability to enforce the laws. Option B is not a problem. Time difference does not play a role in
a 24/7 environment. Pagers, cellular phones, telephones, etc. are usually available to
communicate notifications. Option C is a manageable problem that requires additional funding, but
can be addressed. Option D is a problem that can be addressed. Most hosting providers have
standardized the level of physical security that is in place. Regular physical audits or a SAS 70
report can address such concerns.

Answer 187

A

Answer: D
Explanation:
Effective IT governance needs to be a top-down initiative, with the board and executive
management setting clear policies, goals and objectives and providing for ongoing monitoring of
the same. Focus on the regulatory issues and management priorities may not be reflected
effectively by a bottom-up approach. IT governance affects the entire organization and is not a
matter concerning only the management of IT. The legal department is part of the overall
governance process, but cannot take full responsibility.

Answer 188

A

Answer: D
Explanation:
Endorsement of executive management in the form of policies provides direction and awareness.
The implementation of stronger controls may lead to circumvention. Awareness training is
important, but must be based on policies. Actively monitoring operations will not affect culture at all
levels.

Answer 189

A

Answer: A
Explanation:
It is extremely difficult to implement an information security program without the aid and support of
the board of directors. If they do not understand the importance of security to the achievement of
the business objectives, other measures will not be sufficient. Options B and (‘ are measures
proposed to ensure the efficiency of the information security program implementation, but are of
less significance than obtaining the aid and support of the board of directors. Option D is a
measure to secure the enterprise information, but by itself is not a measure to ensure the broader
effectiveness of an information security program.

Answer 190

A

Answer: C
Explanation:
A board of directors should establish the strategic direction of the program to ensure that it is in
sync with the company’s vision and business goals. The board must incorporate the governance
program into the overall corporate business strategy. Drafting information security policies is best
fulfilled by someone such as a security manager with the expertise to bring balance, scope and
focus to the policies. Reviewing training and awareness programs may best be handled by
security management and training staff to ensure that the training is on point and follows best
practices. Auditing for compliance is best left to the internal and external auditors to provide an
objective review of the program and how it meets regulatory and statutory compliance.

Answer 191

A

Answer: C
Explanation:
Executive management must be supportive of the process and fully understand and agree with the
results since risk management decisions can often have a large financial impact and require major
changes. Risk management means different things to different people, depending upon their role
in the organization, so the input of executive management is important to the process.

Answer 192

A

Answer: B
Explanation:
Routine administration of all aspects of security is delegated, but top management must retain
overall responsibility. The security officer supports and implements information security for senior
management. The end user does not perform categorization. The custodian supports and
implements information security measures as directed.

Answer 193

A

Answer: C
Explanation:
Information security governance is the responsibility of the board of directors and executive
management. In this instance, the appropriate action is to ensure that a plan is in place for
implementation of needed safeguards and to require updates on that implementation.

Answer 194

A

Answer: B
Explanation:
Information security should ensure that business objectives are met given available technical
capabilities, resource constraints and compliance requirements. It is not practical or feasible to
eliminate all risks. Regulatory requirements must be considered, but are inputs to the business
considerations. The board of directors does not define information security, but provides direction
in support of the business goals and objectives.

Answer 195

A

Answer: C
Explanation:
Without the support of senior management, an information security program has little chance of
survival. A company’s leadership group, more than any other group, will more successfully drive
the program. Their authoritative position in the company is a key factor. Budget approval, resource
commitments, and companywide participation also require the buy-in from senior management.
Senior management is responsible for providing an adequate budget and the necessary
resources. Security awareness is important, but not the most important factor. Recalculation of the
work factor is a part of risk management.

Answer 196

A

Answer: D
Explanation:
The steering committee controls the execution of the information security strategy, according to
the needs of the organization, and decides on the project prioritization and the execution plan.
User management is an important group that should be represented to ensure that the information
security plans are aligned with the business needs. Functional requirements and user training
programs are considered to be part of the projects but are not the main risks. The steering
committee does not approve budgets for business units.

Answer 197

A

Answer: A
Explanation:
The steering committee controls the execution of the information security strategy according to the
needs of the organization and decides on the project prioritization and the execution plan. The
steering committee does not allocate department budgets for business units. While ensuring that
regulatory oversight requirements are met could be a consideration, it is not the main reason for
the review. Reducing the impact on the business units is a secondary concern but not the main
reason for the review.

Answer 198

A

Answer: B
Explanation:
While defining risk management strategies, one needs to analyze the organization’s objectives and risk appetite and define a risk management framework based on this analysis. Some
organizations may accept known risks, while others may invest in and apply mitigation controls to reduce risks. Risk assessment criteria would become part of this framework, but only after proper analysis. IT architecture complexity and enterprise disaster recovery plans are more directly related to assessing risks than defining strategies.

Answer 199

A

Answer: A
Explanation:
The goal of information security is to protect the organization’s information assets. International security standards are situational, depending upon the company and its business. Adhering to corporate privacy standards is important, but those standards must be appropriate and adequate and are not the most important factor to consider. All employees are responsible for information security, but it is not the most important factor to consider.

Answer 200

A

Answer: A
Explanation:
The BIA is included as part of the process to determine the current state of risk and helps
determine the acceptable levels of response from impacts and the current level of response,
leading to a gap analysis. Budgeting appropriately may come as a result, but is not the reason to
perform the analysis. Performing an analysis may satisfy regulatory requirements, bill is not the
reason to perform one. Analyzing the effect on the business is part of the process, but one must
also determine the needs or acceptable effect or response.

Answer 201

A

Answer: D

Answer 202

A

Answer: C
One of the most important aspects of the action plan to execute the strategy is to create or modify,
as needed, policies and standards. Policies are one of the primary elements of governance and
each policy should state only one general security mandate. The road map should show the steps
and the sequence, dependencies, and milestones.

Answer 203

A

Answer: D

Answer 204

A

Answer: B

Answer 205

A

Answer: A

Answer 206

A

Answer: B

Answer 207

A

Answer: A

Answer 208

A

Answer: A

Answer 209

A

Answer: D

Answer 210

A

Answer: C

Answer 211

A

Answer: B

Answer 212

A

Answer: A

Answer 213

A

Answer: A

Answer 214

A

Answer: C

Answer 215

A

Answer: B

Answer 216

A

Answer: A

Answer 217

A

Answer: A

Answer 218

A

Answer: B

Answer 219

A

Answer: C

Answer 220

A

Answer: B

Answer 221

A

Answer: B

Answer 222

A

Answer: B

Answer 223

A

Answer: C

Answer 224

A

Answer: B

Answer 225

A

Answer: B

Answer 226

A

Answer: C

Answer 227

A

Answer: B

Answer 228

A

Answer: A

Answer 229

A

Answer: B

Answer 230

A

Answer: A

Answer 231

A

Answer: A

Answer 232

A

Answer: C

Answer 233

A

Answer: A

Answer 234

A

Answer: C

Answer 235

A

Answer: C

Answer 236

A

Answer: A

Answer 237

A

Answer: D

Answer 238

A

Answer: C

Answer 239

A

Answer: B

Answer 240

A

Answer: D

Answer 241

A

Answer: D

Answer 242

A

Answer: B

Answer 243

A

Answer: D

Answer 244

A

Answer: D

Answer 245

A

Answer: D

Answer 246

A

Answer: B

Answer 247

A

Answer: C

Answer 248

A

Answer: D

Answer 249

A

Answer: A

Answer 250

A

Answer: A

Answer 251

A

Answer: A

Answer 252

A

Answer: B

Answer 253

A

Answer: A

Answer 254

A

Answer: C

Answer 255

A

Answer: C

Answer 256

A

Answer: D

Answer 257

A

Answer: C

Answer 258

A

Answer: C

Answer 259

A

Answer: D

Answer 260

A

Answer: D

Answer 261

A

Answer: B

Answer 262

A

Answer: A

Answer 263

A

Answer: D

Answer 264

A

Answer: D

Answer 265

A

Answer: A

Answer 266

A

Answer: A

Answer 267

A

Answer: D

Answer 268

A

Answer: B

Answer 269

A

Answer: A

Answer 270

A

Answer: A

Answer 271

A

Answer: D

Answer 272

A

Answer: A

Answer 273

A

Answer: D

Answer 274

A

Answer: A

Answer 275

A

Answer: B

Answer 276

A

Answer: D

Answer 277

A

Answer: B

Answer 278

A

Answer: B

Answer 279

A

Answer: C

Answer 280

A

Answer: D

Answer 281

A

Answer: A

Answer 282

A

Answer: D

Answer 283

A

Answer: C

Answer 284

A

Answer: D

Answer 285

A

Answer: D

Answer 286

A

Answer: C
Explanation:
The success of security programs is dependent upon alignment with organizational goals and
objectives. Communication is a secondary step. Effective communication and education of users
is a critical determinant of success but alignment with organizational goals and objectives is the
most important factor for success. Mere formulation of policies without effective communication to
users will not ensure success. Monitoring compliance with information security policies and
procedures can be, at best, a detective mechanism that will not lead to success in the midst of
uninformed users.

Answer 287

A

C. Monitoring key risk indicators (KRIs)

Answer 288

A

A. affected stakeholders.

Answer 289

A

A. Value to the business

Answer 290

A

A. the incident response process is updated based on lessons learned

Answer 291

A

D. define key performance indicators (KPIs).

Answer 292

A

C. Deploying a security information and event management system (SIEM)

Answer 293

A

D. demonstrate the effectiveness of the security program.

Answer 294

A

A. Anti-malware alerts on several employeesג€™ workstations

Answer 295

A

C. Establish an acceptable use policy.

Answer 296

A

B. Access logs

Answer 297

A

D. Integrate organizationג€™s security requirements into project management.

Answer 298

A

D. Balanced scorecard

Answer 299

A

D. Removing local administrator rights

Answer 300

A

B. provide participants with situations to ensure understanding of their roles.

Brainscape's Knowledge GenomeTM

D2-Information Security Governance Flashcards

Brainscape's Knowledge Genome^TM