D2-Information Security Governance Flashcards
What does the acronym GRC denote?
Governance, Risk Management, and Compliance
What does R in a RACI chart denote?
Activity
Responsible
Accountable
Consulted
Informed
Responsible
A goal of the security program is to continue to contribute toward fulfillment of the security strategy, which itself will continue to align to the business and business objectives
True
False
True
The purpose of security governance is to
- Align the organization’s security program with the needs of the business
- Create policies for IT
- Align the organization’s security program with the needs of the business
These are desired capabilities or end states, ideally expressed in achievable, measurable terms.
Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting
Objectives
This is a plan to achieve one or more objectives.
Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting
Strategy
At a minimum, this should directly reflect the mission, objectives, and goals of the overall organization.
Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting
Policy
These in the security program should flow directly from the organization’s mission, objectives, and goals. Whatever is most important to the organization as a whole should be important to information security as well.
Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting
Priorities
The technologies, protocols, and practices used by IT should be a reflection of the organization’s needs. On their own, these help to drive a consistent approach to solving business challenges; the choice of these should facilitate solutions that meet the organization’s needs in a cost-effective and secure manner.
Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting
Standards
These are formalized descriptions of repeated business activities that include instructions to applicable personnel. They include one or more procedures, as well as definitions of business records and other facts that help workers understand how things are supposed to be done.
Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting
Processes
These are formal descriptions of critical activities to ensure desired outcomes.
Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting
Controls
The organization’s IT and security programs and projects should be organized and performed in a consistent manner that reflects business priorities and supports the business.
Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting
Program and project management
This includes the formal measurement of processes and controls so that management understands and can measure them.
Objectives
Strategy
Policy
Priorities
Standards
Processes
Controls
Program and project management
Metrics/reporting
Metrics/reporting
Management will ensure that risk assessments will be performed to identify risks in information systems and supported processes. Follow-up actions will be carried out that will reduce the risk of system failure and compromise.
Risk management
Process improvement
Event identification
Incident response
Business continuity
Metrics Management
Resource management
Improved IT governance
Risk management
Management will ensure that key changes will be made to business processes that will result in security improvements.
Risk management
Process improvement
Event identification
Incident response
Business continuity
Metrics Management
Resource management
Improved IT governance
Process improvement
Management will be sure to put technologies and processes in place to ensure that security events and incidents will be identified as quickly as possible.
Risk management
Process improvement
Event identification
Incident response
Business continuity
Metrics Management
Resource management
Improved IT governance
Event identification
Management will put __________ procedures into place that will help to avoid incidents, reduce the impact and probability of incidents, and improve response to incidents so that their impact on the organization is minimized.
Risk management
Process improvement
Event identification
Incident response
Business continuity
Metrics Management
Resource management
Improved IT governance
Incident response
Management will be sure to identify all applicable laws, regulations, and standards and carry out activities to confirm that the organization is able to attain and maintain compliance.
Risk management
Process improvement
Event identification
Incident response
Business continuity
Improved compliance
Metrics Management
Resource management
Improved IT governance
Improved compliance
Management will define objectives and allocate resources for the development of business continuity and disaster recovery plans.
Risk management
Process improvement
Event identification
Incident response
Business continuity and disaster recovery planning
Metrics Management
Resource management
Improved IT governance
Business continuity and disaster recovery planning
Management will establish processes to measure key security events such as incidents, policy changes and violations, audits, and training.
Risk management
Process improvement
Event identification
Incident response
Business continuity
Metrics Management
Resource management
Improved IT governance
Metrics Management
The allocation of manpower, budget, and other resources to meet security objectives is monitored by management.
Risk management
Process improvement
Event identification
Incident response
Business continuity
Metrics Management
Resource management
Improved IT governance
Resource management
An effective security governance program will result in better strategic decisions in the IT organization that keep risks at an acceptably low level.
Risk management
Process improvement
Event identification
Incident response
Business continuity
Metrics Management
Resource management
Improved IT governance
Improved IT governance
These are two key results of an effective security governance program:
- Increased trust: Customers, suppliers, and partners trust the organization to a greater degree when they see that security is managed effectively.
- Improved reputation: The business community, including customers, investors, and regulators, will hold the organization in higher regard.
True
False
True
An organization’s information security program needs to fit into the rest of the organization. This means that the program needs to understand and align with the organization’s highest-level guiding principles, including the following:
- Mission: Why does the organization exist? Who does it serve, and through what products and services?
- Goals and objectives: What achievements does the organization want to accomplish, and when does it want to accomplish them?
- Strategy: What are the activities that need to take place so that the organization’s goals and objectives can be fulfilled?
To be business aligned, people in the security program should be aware of several characteristics about the organization, including the following:
- Culture: Culture includes how personnel in the organization work, think, and relate to each other.
- Asset value: This includes information the organization uses to operate. This often consists of intellectual property such as designs, source code, production costs, and pricing, as well as sensitive information related to not only its personnel but its customers, its information-processing infrastructure, and its service functions.
- Risk tolerance: Risk tolerance for the organization’s information security program needs to align with the organization’s overall tolerance for risk.
- Legal obligations: What external laws and regulations govern what the organization does and how it operates? These laws and regulations include the Gramm-Leach-Bliley Act (GLBA), Payment Card Industry Data Security Standard (PCI-DSS), European General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and the North American Electric Reliability Corporation (NERC) standard. Also, contractual obligations with other parties often shape the organization’s behaviors and practices.
- Market conditions: How competitive is the marketplace in which the organization operates? What strengths and weaknesses does the organization have in comparison with its competitors? How does the organization want its security differentiated from its competitors?
ISACA defines risk appetite as the
- level of risk that an organization is willing to accept while in pursuit of its mission, strategy, and objectives, and before action is needed to treat the risk.
- level of risk that an organization is NOT willing to accept while in pursuit of its mission, strategy, and objectives, and before action is needed to treat the risk.
- level of risk that an organization is willing to accept while in pursuit of its mission, strategy, and objectives, and before action is needed to treat the risk.
ISACA defines risk capacity
- As the objective amount of loss that an organization can tolerate without its continued existence being called into question.
- As the SUBJECTIVE amount of loss that an organization can tolerate without its continued existence being called into question.
- As the objective amount of loss that an organization can tolerate without its continued existence being called into question.
A ______ is a statement of activities that a person is expected to perform. Like roles, responsibilities are typically documented in position descriptions and job descriptions. Typical responsibilities include the following:
- Perform monthly corporate expense reconciliation
- Troubleshoot network faults and develop solutions
- Audit user account terminations and develop exception reports
Responsibility
A RACI chart assigns
1. Levels of responsibility to individuals and groups.
2. Levels of responsibility to individuals ONLY.
1. Levels of responsibility to individuals and groups.
Development of a RACI chart does not help personnel determine roles for various business activities. A typical RACI chart follows.
True
False
False
What does A in a RACI chart denote?
Activity
Responsible
Accountable
Consulted
Informed
Accountable
What does I in a RACI chart denote?
Activity
Responsible
Accountable
Consulted
Informed
Informed
What does C in a RACI chart denote?
Activity
Responsible
Accountable
Consulted
Informed
Consulted
What are two key results of an effective security governance program?
1. Increased trust: Customers, suppliers, and partners trust the organization to a greater degree when they see that security is managed effectively.
2. Improved reputation: The business community, including customers, investors, and regulators, will hold the organization in higher regard.
3. Meetings will include a discussion of the impact of regulatory changes, alignment with business objectives, effectiveness of measurements, recent incidents, recent audits, and risk assessments.
- 1 and 3
- 1 and 2
- 2 and 3
- 1 and 2
In a RACI chart, this role is carried out by several parties in the user account access request process. This role is the person or group that performs the actual work or task.
- Responsible
- Accountable
- Consulted
- Informed
- Responsible
In a RACI chart, this role is carried out by several parties in the user account access request process. This role is the person who is ultimately answerable for complete, accurate, and timely execution of the work. Often this is a person who manages those in the Responsible role.
- Responsible
- Accountable
- Consulted
- Informed
- Accountable
In a RACI chart, this role is carried out by several parties in the user account access request process. This role is one or more people or groups who are consulted for their opinions, experience, or insight. People in the Consulted role may be a subject-matter expert for the work or task, or they may be an owner, steward, or custodian of an asset associated with the work or task. Communication with the Consulted role is two-way.
- Responsible
- Accountable
- Consulted
- Informed
- Consulted
In a RACI chart, this role is carried out by several parties in the user account access request process. This role is one or more people or groups who are informed by those in other roles. Depending on the process or task, Informed may be told of an activity before, during, or after its completion. Communication with Informed is one-way.
- Responsible
- Accountable
- Consulted
- Informed
- Informed
Several considerations (3) must be taken into account when assigning roles to individuals and groups in a RACI chart. This consideration states that some or all individuals in a team assignment, as well as specific named individuals, need to have the skills, training, and competence to carry out tasks as required.
- Skills
- Segregation of Duties
- Conflict of Interest
- Skills
Several considerations (3) must be taken into account when assigning roles to individuals and groups in a RACI chart. This consideration states that critical tasks must not be assigned to individuals or groups when such assignments will create conflicts of interest. For example, a user who is an approver cannot approve a request for their own access. In this case, a different person must approve the request—while also avoiding a segregation of duties conflict.
- Skills
- Segregation of Duties
- Conflict of Interest
- Conflict of Interest
Several considerations (3) must be taken into account when assigning roles to individuals and groups in a RACI chart. This consideration states that critical tasks such as the user account provisioning RACI chart depicted earlier must be free of duty conflicts. This means that there must be two or more individuals or groups required to carry out a critical task. In this example, the requestor, approver, and provisioner cannot be the same person or group.
- Skills
- Segregation of Duties
- Conflict of Interest
- Segregation of Duties
In an organization, this is a body of people who oversee activities in the organization.
- Security board
- Board of directors
- Board of directors
Activities performed by the board of directors, as well as directors’
authority, are usually defined by a constitution, bylaws, or external
regulation. The board of directors is typically accountable to the
owners of the organization or, in the case of a government body, to
the electorate.
In many cases, board members have fiduciary duty. This means
they are accountable to shareholders or constituents to act in the
best interests of the organization with no appearance of impropriety,
conflict of interest, or ill-gotten profit as a result of their actions.
In Cyber-Risk Oversight, the National Association of Corporate Directors has developed five principles about the importance of information security. This principle states: Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Principle 1
- Principle 2
- Principle 3
- Principle 4
- Principle 5
Principle 1
In Cyber-Risk Oversight, the National Association of Corporate Directors has developed five principles about the importance of information security. This principle states: Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
- Principle 1
- Principle 2
- Principle 3
- Principle 4
- Principle 5
Principle 2
In Cyber-Risk Oversight, the National Association of Corporate Directors has developed five principles about the importance of information security. This principle states: Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
- Principle 1
- Principle 2
- Principle 3
- Principle 4
- Principle 5
Principle 3
In Cyber-Risk Oversight, the National Association of Corporate Directors has developed five principles about the importance of information security. This principle states: Boards should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
- Principle 1
- Principle 2
- Principle 3
- Principle 4
- Principle 5
Principle 4
In Cyber-Risk Oversight, the National Association of Corporate Directors has developed five principles about the importance of information security. This principle states: Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.
- Principle 1
- Principle 2
- Principle 3
- Principle 4
- Principle 5
Principle 5
This team is responsible for carrying out directives issued by the board of directors.
- Board of directors
- Security committee
- Executive management
- Executive management
In the context of information security management, this includes ensuring that there are sufficient resources for the organization to implement a security program and to develop and maintain security controls to protect critical assets.
Executive management must ensure that priorities are balanced. In the case of IT and information security, these functions are usually tightly coupled but sometimes in conflict. IT’s primary mission is the development and operation of business-enabling capabilities through the use of information systems, while information security’s mission includes security and compliance. Executive management must ensure that these two sometimes conflicting missions are successful.
To ensure the success of the organization’s information security program, executive management should be involved in three key areas. In this area, security policies that are developed by the information security function should be visibly ratified or endorsed by executive management. This may take different forms, such as formal minuted ratification in a governance meeting, a statement of the need for compliance along with a signature within the body of the security policy document, a separate memorandum to all personnel, or other visible communication to the organization’s rank and file that stresses the importance of, and need for compliance with, the organization’s information security policy.
- Ratify corporate security policy
- Leadership by example
- Ultimate responsibility
- Ratify corporate security policy
To ensure the success of the organization’s information security program, executive management should be involved in three key areas. In this area, with regard to information security policy, executive management should lead by example and not exhibit behavior suggesting they are “above” security policy—or other policies. Executives should not be seen to enjoy special privileges of the nature that suggest that one or more security policies do not apply to them. Instead, their behavior should visibly support security policies that all personnel are expected to comply with.
- Ratify corporate security policy
- Leadership by example
- Ultimate responsibility
- Leadership by example
To ensure the success of the organization’s information security program, executive management should be involved in three key areas. In this area, executives are ultimately responsible for all actions carried out by the personnel who report to them. Executives are also ultimately responsible for all outcomes related to organizations to which operations have been outsourced.
- Ratify corporate security policy
- Leadership by example
- Ultimate responsibility
- Ultimate responsibility
Who is responsible for overseeing all activities in an organization? This team selects and manages a chief executive officer who is responsible for developing a governance function to manage assets, budgets, personnel, processes, and risk.
- The board of directors
- Executive team
- The security steering committee
- The chief information security officer
- The chief privacy officer
- The board of directors
This team is responsible for security strategic planning. This team will develop and approve security policies and appoint managers to develop and maintain processes, procedures, and standards, all of which should align with each other and with the organization’s overall mission, strategy, goals, and objectives.
- The board of directors
- Executive team
- The security steering committee
- The chief information security officer
- The chief privacy officer
- The security steering committee
This employee in the organization develops business-aligned security strategies that support the organization’s overall mission and goals and is responsible for the organization’s overall security program, including policy development, risk management, and perhaps some operational activities such as vulnerability management, incident management, access management, and security awareness training.
- The board of directors
- Executive team
- The security steering committee
- The chief information security officer
- The chief privacy officer
- The chief information security officer
This officer is responsible for the protection and proper use of sensitive personal information (often referred to as personally identifiable information). This officer’s information protection responsibilities are sometimes shared with the CISO, who has overall information protection responsibilities. Virtually all other roles in IT have security responsibilities, including software development and integration, data management, network management, systems management, operations, service desk, internal audit, and all staff members.
- The board of directors
- Executive team
- The chief information security officer
- The chief privacy officer
- The chief privacy officer
The Business Model for Information Security (BMIS) is a guide for business-aligned, risk-based security governance. BMIS was developed by
- NIST
- ISO
- ISACA
- (ISC)²
- ISACA
BMIS consists of four elements: organization, people, process, and technology. It also has six dynamic interconnections. The interconnection connecting the organization and people elements is
- culture
- governing
- architecture
- emergence
- enabling and support
- human factors
- culture
BMIS consists of four elements: organization, people, process, and technology. It also has six dynamic interconnections. The interconnection connecting the organization and process elements is
- culture
- governing
- architecture
- emergence
- enabling and support
- human factors
- governing
BMIS consists of four elements: organization, people, process, and technology. It also has six dynamic interconnections. The interconnection connecting the organization and technology elements is
- culture
- governing
- architecture
- emergence
- enabling and support
- human factors
- architecture
BMIS consists of four elements: organization, people, process, and technology. It also has six dynamic interconnections. The interconnection connecting the people and process elements is
- culture
- governing
- architecture
- emergence
- enabling and support
- human factors
- emergence
BMIS consists of four elements: organization, people, process, and technology. It also has six dynamic interconnections. The interconnection connecting the process and technology elements is
- culture
- governing
- architecture
- emergence
- enabling and support
- human factors
- enabling and support
BMIS consists of four elements: organization, people, process, and technology. It also has six dynamic interconnections. The interconnection connecting the people and technology elements is
- culture
- governing
- architecture
- emergence
- enabling and support
- human factors
- human factors
- Security governance is most concerned with:
A. Security policy
B. IT policy
C. Security strategy
D. Security executive compensation
- C. Security governance is the mechanism through which
security strategy is established, controlled, and monitored.
Long-term and other strategic decisions are made in the
context of security governance.
- A gaming software startup company does not employ
penetration testing of its software. This is an example of:
A. High tolerance of risk
B. Noncompliance
C. Irresponsibility
D. Outsourcing
- A. A software startup in an industry like gaming is going to
be highly tolerant of risk: time to market and signing up new
customers will be its primary objectives. As the organization
achieves viability, other priorities such as security will be
introduced.
- An organization’s board of directors wants to see quarterly
metrics on risk reduction. What would be the best metric for
this purpose?
A. Number of firewall rules triggered
B. Viruses blocked by antivirus programs
C. Packets dropped by the firewall
D. Time to patch vulnerabilities on critical servers
- D. The metric on time to patch critical servers will be the
most meaningful metric for the board of directors. The other
metrics, while potentially interesting at the operational level,
do not convey business meaning to board members.
- Which of the following metrics is the best example of a
leading indicator?
A. Average time to mitigate security incidents
B. Increase in the number of attacks blocked by the
intrusion prevention system (IPS)
C. Increase in the number of attacks blocked by the firewall
D. Percentage of critical servers being patched within service
level agreements (SLAs)
- D. The metric of percentage of critical servers being
patched within SLAs is the best leading indicator because it is
a rough predictor of the probability of a future security
incident. The other metrics are trailing indicators because
they report on past incidents.
- What are the elements of the business model for information
security (BMIS)?
A. Culture, governing, architecture, emergence, enabling and
support, human factors
B. People, process, technology
C. Organization, people, process, technology
D. Financial, customer, internal processes, innovation, and
learning
- C. The elements of BMIS are organization, people,
process, and technology. The dynamic interconnections (DIs)
are culture, governing, architecture, emergence, enabling and
support, and human factors.
- The best definition of a strategy is:
A. The objective to achieve a plan
B. The plan to achieve an objective
C. The plan to achieve business alignment
D. The plan to reduce risk
- B. A strategy is the plan to achieve an objective. An
objective is the “what” that an organization wants to achieve,
and a strategy is the “how” the objective will be achieved.
- The primary factor related to the selection of a control
framework is:
A. Industry vertical
B. Current process maturity level
C. Size of the organization
D. Compliance level
- A. The most important factor influencing the selection of a control framework is the industry vertical. For example, a healthcare organization would likely select HIPAA as its primary control framework, whereas a retail organization might select PCI-DSS.
- As part of understanding the organization’s current state, a security strategist is examining the organization’s security policy. What does the policy tell the strategist?
A. The level of management commitment to security
B. The compliance level of the organization
C. The maturity level of the organization
D. None of these
- D. By itself, security policy tells someone little about an organization’s security practices. An organization’s policy is
only a collection of statements; without examining business processes, business records, and interviewing personnel, a
security professional cannot develop any conclusions about an organization’s security practices.
- While gathering and examining various security-related business records, the security manager has determined that
the organization has no security incident log. What conclusion can the security manager make from this?
A. The organization does not have security incident detection capabilities.
B. The organization has not yet experienced a security incident.
C. The organization is recording security incidents in its risk register.
D. The organization has effective preventive and detective controls.
- A. An organization that does not have a security incident
log probably lacks the capability to detect and respond to an
incident. It is not reasonable to assume that the organization
has had no security incidents since minor incidents occur with
regularity. Claiming that the organization has effective
controls is unreasonable, as it is understood that incidents
occur even when effective controls are in place (because not
all types of incidents can reasonably be prevented).
- The purpose of a balanced scorecard is to:
A. Measure the efficiency of a security organization
B. Evaluate the performance of individual employees
C. Benchmark a process in the organization against peer
organizations
D. Measure organizational performance and effectiveness
against strategic goals
- D. The balanced scorecard is a tool that is used to quantify
the performance of an organization against strategic
objectives. The focus of a balanced scorecard is financial,
customer, internal processes, and innovation/learning.
- A security strategist has examined a business process and
has determined that personnel who perform the process do
so consistently, but there is no written process document. The
maturity level of this process is:
A. Initial
B. Repeatable
C. Defined
D. Managed
- B. A process that is performed consistently but is
undocumented is generally considered to be Repeatable.
- A security strategist has examined several business
processes and has found that their individual maturity levels
range from Repeatable to Optimizing. What is the best future
state for these business processes?
A. All processes should be changed to Repeatable.
B. All processes should be changed to Optimizing.
C. There is insufficient information to determine the desired
end states of these processes.
D. Processes that are Repeatable should be changed to
Defined.
- C. There are no rules that specify that the maturity levels
of different processes need to be the same or at different
values relative to one another. In this example, each process
may already be at an appropriate level, based on risk
appetite, risk levels, and other considerations.
- In an organization using PCI-DSS as its control framework,
the conclusion of a recent risk assessment stipulates that
additional controls not present in PCI-DSS but present in ISO
27001 should be enacted. What is the best course of action in
this situation?
A. Adopt ISO 27001 as the new control framework.
B. Retain PCI-DSS as the control framework and update
process documentation.
C. Add the required controls to the existing control
framework.
D. Adopt NIST 800-53 as the new control framework.
- C. An organization that needs to implement new controls
should do so within its existing control framework. It is not
necessary to adopt an entirely new control framework when a
few controls need to be added.
- A security strategist is seeking to improve the security
program in an organization with a strong but casual culture.
What is the best approach here?
A. Conduct focus groups to discuss possible avenues of
approach.
B. Enact new detective controls to identify personnel who are
violating policy.
C. Implement security awareness training that emphasizes
new required behavior.
D. Lock users out of their accounts until they agree to be
compliant.
- A. Organizational culture is powerful, as it reflects how
people think and work. In this example, there is no mention
that the strong culture is bad, only that it is casual. Punishing
people for their behavior may cause resentment, a revolt, or
people to leave the organization. The best approach here is to
better understand the culture and to work with people in the
organization to figure out how a culture of security can be
introduced successfully.
- A security strategist recently joined a retail organization that operates with slim profit margins and has discovered that the
organization lacks several important security capabilities.
What is the best strategy here?
A. Insist that management support an aggressive program to quickly improve the program.
B. Develop a risk ledger that highlights all identified risks.
C. Recommend that the biggest risks be avoided.
D. Develop a risk-based strategy that implements changes
slowly over an extended period of time.
- D. A security strategist needs to understand an
organization’s capacity to spend its way to lower risk. In an
organization with slim profit margins, it is unlikely that the
organization is going to agree to an aggressive improvement
plan. Developing a risk ledger that depicts these risks may be
a helpful tool for communicating risk, but by itself there is no
action to change anything. Similarly, recommending risk
avoidance may mean discontinuing the very operations that
bring in revenue.
Which of the following should be the FIRST step in developing an information security plan?
A. Perform a technical vulnerability assessment
B. Analyze the current business strategy
C. Perform a business impact analysis
D. Assess the current levels of security awareness
Answer: B
Explanation:
Prior to assessing technical vulnerabilities or levels of security awareness, an information security manager needs to gain an understanding of the current business strategy and direction. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security strategy because it focuses on availability.
Senior management commitment and support for information security can BEST be obtained
through presentations that:
A. use illustrative examples of successful attacks.
B. explain the technical risks to the organization.
C. evaluate the organization against best security practices.
D. tie security risks to key business objectives.
Answer: D
Explanation:
Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives. Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the
impact on business environment and objectives. Industry best practices are important to senior management but, again, senior management will give them the right level of importance when they are presented in terms of key business objectives.
The MOST appropriate role for senior management in supporting information security is the:
A. evaluation of vendors offering security products.
B. assessment of risks to the organization.
C. approval of policy statements and funding.
D. monitoring adherence to regulatory requirements.
Answer: C
Explanation:
Since the members of senior management are ultimately responsible for information security, they are the ultimate decision makers in terms of governance and direction. They are responsible for approval of major policy statements and requests to fund the information security practice.
Evaluation of vendors, assessment of risks and monitoring compliance with regulatory requirements are day-to-day responsibilities of the information security manager; in some organizations, business management is involved in these other activities, though their primary role
is direction and governance.
Which of the following would BEST ensure the success of information security governance within an organization?
A. Steering committees approve security projects
B. Security policy training provided to all managers
C. Security training available to all employees on the intranet
D. Steering committees enforce compliance with laws and regulations
Answer: A
Explanation:
The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program. Compliance with laws and regulations is part of the responsibility of the steering committee but it is not a full answer. Awareness training is important at all levels in any medium, and also an indicator of good governance. However, it must be guided and approved as a security project by the steering committee.
Information security governance is PRIMARILY driven by:
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.
Answer: D
Explanation:
Governance is directly tied to the strategy and direction of the business. Technology constraints, regulatory requirements and litigation potential are all important factors, but they are addressed within, and are subordinate to, the business strategy.
Which of the following represents the MAJOR focus of privacy regulations?
A. Unrestricted data mining
B. Identity theft
C. Human rights protection
D. Identifiable personal data
Answer: D
Explanation:
Protection of identifiable personal data is the major focus of recent privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA). Data mining is an accepted tool for ad hoc reporting; it could pose a threat to privacy only if it violates regulatory provisions. Identity
theft is a potential consequence of privacy violations but not the main focus of many regulations. Human rights addresses privacy issues but is not the main focus of regulations.
Investments in information security technologies should be based on:
A. vulnerability assessments.
B. value analysis.
C. business climate.
D. audit recommendations.
Answer: B
Explanation:
Investments in security technologies should be based on a value analysis and a sound business case. Demonstrated value takes precedence over the current business climate because it is ever changing. Basing decisions on audit recommendations would be reactive in nature and might not
address the key business needs comprehensively. Vulnerability assessments are useful, but they do not determine whether the cost is justified.
Retention of business records should PRIMARILY be based on:
A. business strategy and direction.
B. regulatory and legal requirements.
C. storage capacity and longevity.
D. business ease and value analysis.
Answer: B
Explanation:
Retention of business records is generally driven by legal and regulatory requirements. Business strategy and direction would not normally apply nor would they override legal and regulatory requirements. Storage capacity and longevity are important but secondary issues. Business case
and value analysis would be secondary to complying with legal and regulatory requirements.
Which of the following is characteristic of centralized information security management?
A. More expensive to administer
B. Better adherence to policies
C. More aligned with business unit needs
D. Faster turnaround of requests
Answer: B
Explanation:
Centralization of information security management results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economics of scale. However, turnaround can be slower due to the lack of alignment with business units.
Successful implementation of information security governance will FIRST require:
A. security awareness training.
B. updated security policies.
C. a computer incident management team.
D. a security architecture.
Answer: B
Explanation:
Updated security policies are required to align management objectives with security procedures; management objectives translate into policy; policy translates into procedures. Security procedures will necessitate specialized teams such as the computer incident response and
management group as well as specialized tools such as the security mechanisms that comprise the security architecture. Security awareness will promote the policies, procedures and appropriate use of the security mechanisms.
Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
A. Information security manager
B. Chief operating officer (COO)
C. Internal auditor
D. Legal counsel
Answer: B
Explanation:
The chief operating officer (COO) is highly-placed within an organization and has the most knowledge of business operations and objectives. The chief internal auditor and chief legal counsel are appropriate members of such a steering group. However, sponsoring the creation of the steering committee should be initiated by someone versed in the strategy and direction of the business. Since a security manager is looking to this group for direction, they are not in the best position to oversee formation of this group.
The MOST important component of a privacy policy is:
A. notifications.
B. warranties.
C. liabilities.
D. geographic coverage.
Answer: A
Explanation:
Privacy policies must contain notifications and opt-out provisions: they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are more specific.
The cost of implementing a security control should not exceed the:
A. annualized loss expectancy.
B. cost of an incident.
C. asset value.
D. implementation opportunity costs.
Answer: C
Explanation:
The cost of implementing security controls should not exceed the worth of the asset. Annualized loss expectancy represents the losses that are expected to happen during a single calendar year. A security mechanism may cost more than this amount (or the cost of a single incident) and still be considered cost effective, because its cost is spread over its service life while the loss reduction recurs every year. Opportunity costs relate to revenue lost by forgoing the acquisition of an item or the making of a business decision.
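A worked cost-justification check, added here as an example and not part of the original flashcards. It uses the standard formula ALE = SLE x ARO and applies the two tests the explanation above implies: the control's total cost must not exceed the asset value, and its annualized cost should not exceed the yearly reduction in ALE it buys. The `Control` and `evaluate` names and all monetary figures are constructed for illustration.

```python
"""Cost-justification check for a security control (added example).

ALE = SLE x ARO is the standard annualized loss expectancy formula.
The figures used in main() are constructed for illustration only.
"""
from dataclasses import dataclass


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: single loss expectancy x annual rate of occurrence."""
    return sle * aro


@dataclass
class Control:
    name: str
    capital_cost: float      # one-time cost to acquire and deploy
    annual_cost: float       # yearly operating and maintenance cost
    lifetime_years: int      # expected service life of the control
    residual_sle: float      # SLE once the control is in place
    residual_aro: float      # ARO once the control is in place

    def total_cost(self) -> float:
        """Everything spent on the control over its whole service life."""
        return self.capital_cost + self.annual_cost * self.lifetime_years

    def annualized_cost(self) -> float:
        """Spread the one-time cost over the lifetime, then add yearly opex."""
        return self.capital_cost / self.lifetime_years + self.annual_cost


def evaluate(asset_value: float, sle: float, aro: float, control: Control) -> dict:
    """Figures a risk analysis would put in front of the steering committee.

    Two independent tests:
      within_asset_value: the control must not cost more than the asset it
                          protects (the cap the flashcard asks about).
      cost_effective:     annualized control cost <= annual reduction in ALE.
    The second test is an annual comparison, which is why a control whose
    capital cost exceeds a single year's ALE can still be justified.
    """
    before = ale(sle, aro)
    after = ale(control.residual_sle, control.residual_aro)
    benefit = before - after
    cost = control.annualized_cost()
    return {
        "control": control.name,
        "ale_before": before,
        "ale_after": after,
        "annual_risk_reduction": benefit,
        "annualized_control_cost": cost,
        "total_control_cost": control.total_cost(),
        "within_asset_value": control.total_cost() <= asset_value,
        "cost_effective": cost <= benefit,
    }


def main() -> None:
    # Constructed scenario: a 500k asset, one expected loss of 100k every two years.
    asset_value, sle, aro = 500_000.0, 100_000.0, 0.5
    candidates = [
        # Capital cost (120k) exceeds this year's ALE (50k), yet it pays for itself.
        Control("dlp-gateway", 120_000.0, 10_000.0, 5, 100_000.0, 0.05),
        # Eliminates the risk entirely, but costs more than the asset is worth.
        Control("gold-plated", 600_000.0, 0.0, 5, 0.0, 0.0),
    ]
    for c in candidates:
        r = evaluate(asset_value, sle, aro, c)
        verdict = "justified" if r["within_asset_value"] and r["cost_effective"] else "rejected"
        print(f"{r['control']:12} ALE {r['ale_before']:>9,.0f} -> {r['ale_after']:>8,.0f}  "
              f"annual cost {r['annualized_control_cost']:>9,.0f}  {verdict}")


if __name__ == "__main__":
    main()
```

The useful output is the pair of booleans: a control can pass the asset-value cap and still fail the cost-effectiveness test, or the reverse, and the steering committee needs both before accepting the spend.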
When a security standard conflicts with a business objective, the situation should be resolved by:
A. changing the security standard.
B. changing the business objective.
C. performing a risk analysis.
D. authorizing a risk acceptance.
Answer: C
Explanation:
Conflicts of this type should be based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance is a process that derives
from the risk analysis.
Minimum standards for securing the technical infrastructure should be defined in a security:
A. strategy.
B. guidelines.
C. model.
D. architecture.
Answer: D
Explanation:
Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place. A strategy is a broad, high-level document. A guideline is advisory in nature, while a security model shows the relationships between components.
Which of the following is MOST appropriate for inclusion in an information security strategy?
A. Business controls designated as key controls
B. Security processes, methods, tools and techniques
C. Firewall rule sets, network defaults and intrusion detection system (IDS) settings
D. Budget estimates to acquire specific security tools
Answer: B
Explanation:
A set of security objectives, processes, methods, tools and techniques together constitute a security strategy. Although IT and business governance are intertwined, business controls may not be included in a security strategy. Budgets will generally not be included in an information security strategy. Additionally, until information security strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available. Firewall rule sets,
network defaults and intrusion detection system (IDS) settings are technical details subject to periodic change, and are not appropriate content for a strategy document.
Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:
A. organizational risk.
B. organization wide metrics.
C. security needs.
D. the responsibilities of organizational units.
Answer: A
Explanation:
Information security exists to help the organization meet its objectives. The information security manager should identify information security needs based on organizational needs. Organizational or business risk should always take precedence. Involving each organizational unit in information security and establishing metrics to measure success will be viewed favorably by senior management after the overall organizational risk is identified.
Which of the following roles would represent a conflict of interest for an information security manager?
A. Evaluation of third parties requesting connectivity
B. Assessment of the adequacy of disaster recovery plans
C. Final approval of information security policies
D. Monitoring adherence to physical security controls
Answer: C
Explanation:
Since management is ultimately responsible for information security, it should approve information security policy statements; the information security manager should not have final approval. Evaluation of third parties requesting access, assessment of disaster recovery plans and
monitoring of compliance with physical security controls are acceptable practices and do not present any conflicts of interest.
Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?
A. The information security department has difficulty filling vacancies.
B. The chief information officer (CIO) approves security policy changes.
C. The information security oversight committee only meets quarterly.
D. The data center manager has final signoff on all security projects.
Answer: D
Explanation:
A steering committee should be in place to approve all security projects. The fact that the data center manager has final signoff for all security projects indicates that a steering committee is not being used and that information security is relegated to a subordinate place in the organization. This would indicate a failure of information security governance. It is not inappropriate for an oversight or steering committee to meet quarterly. Similarly, it may be desirable to have the chief
information officer (CIO) approve the security policy due to the size of the organization and frequency of updates. Difficulty in filling vacancies is not uncommon due to the shortage of good, qualified information security professionals.
Which of the following requirements would have the lowest level of priority in information security?
A. Technical
B. Regulatory
C. Privacy
D. Business
Answer: A
Explanation:
Information security priorities may, at times, override technical specifications, which then must be rewritten to conform to minimum security standards. Regulatory and privacy requirements are
government-mandated and, therefore, not subject to override. The needs of the business should always take precedence in deciding information security priorities.
When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?
A. Develop a security architecture
B. Establish good communication with steering committee members
C. Assemble an experienced staff
D. Benchmark peer organizations
Answer: B
Explanation:
New information security managers should seek to build rapport and establish lines of communication with senior management to enlist their support. Benchmarking peer organizations is beneficial to better understand industry best practices, but it is secondary to obtaining senior
management support. Similarly, developing a security architecture and assembling an experienced staff are objectives that can be obtained later.
It is MOST important that information security architecture be aligned with which of the following?
A. Industry best practices
B. Information technology plans
C. Information security best practices
D. Business objectives and goals
Answer: D
Explanation:
Information security architecture should always be properly aligned with business goals and objectives. Alignment with IT plans or industry and security best practices is secondary by comparison.
Which of the following is MOST likely to be discretionary?
A. Policies
B. Procedures
C. Guidelines
D. Standards
Answer: C
Explanation:
Policies define security goals and expectations for an organization. These are defined in more specific terms within standards and procedures. Standards establish what is to be done, while procedures describe how it is to be done. Guidelines provide recommendations that business management must consider in developing practices within their areas of control; as such, they are discretionary.
Security technologies should be selected PRIMARILY on the basis of their:
A. ability to mitigate business risks.
B. evaluations in trade publications.
C. use of new and emerging technologies.
D. benefits in comparison to their costs.
Answer: A
Explanation:
The most fundamental evaluation criterion for the appropriate selection of any security technology is its ability to reduce or eliminate business risks. Investments in security technologies should be based on their overall value in relation to their cost; the value can be demonstrated in terms of risk mitigation. This should take precedence over whether they use new or exotic technologies or how they are evaluated in trade publications.
Which of the following are seldom changed in response to technological changes?
A. Standards
B. Procedures
C. Policies
D. Guidelines
Answer: C
Explanation:
Policies are high-level statements of objectives. Because of their high-level nature and statement of broad operating principles, they are less subject to periodic change. Security standards and procedures as well as guidelines must be revised and updated based on the impact of technology changes.
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
A. storage capacity and shelf life.
B. regulatory and legal requirements.
C. business strategy and direction.
D. application systems and media.
Answer: D
Explanation:
Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to
recover. Business strategy and direction do not generally apply, nor do legal and regulatory requirements. Storage capacity and shelf life are important but secondary issues.
Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?
A. More uniformity in quality of service
B. Better adherence to policies
C. Better alignment to business unit needs
D. More savings in total operating costs
Answer: C
Explanation:
Decentralization of information security management generally results in better alignment to business unit needs. It is generally more expensive to administer due to the lack of economies of scale, and quality of service tends to vary from unit to unit.
Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?
A. Chief security officer (CSO)
B. Chief operating officer (COO)
C. Chief privacy officer (CPO)
D. Chief legal counsel (CLC)
Answer: B
Explanation:
The chief operating officer (COO) is most knowledgeable of business operations and objectives. The chief privacy officer (CPO) and the chief legal counsel (CLC) may not have the knowledge of the day-to-day business operations to ensure proper guidance, although they have the same influence within the organization as the COO. Although the chief security officer (CSO) is knowledgeable of what is needed, the sponsor for this task should be someone with far-reaching influence across the organization.
Which of the following would be the MOST important goal of an information security governance program?
A. Review of internal control mechanisms
B. Effective involvement in business decision making
C. Total elimination of risk factors
D. Ensuring trust in data
Answer: D
Explanation:
The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance. Review of internal control mechanisms relates more to
auditing, while the total elimination of risk factors is not practical or possible. Proactive involvement in business decision making implies that security needs dictate business needs when, in fact, just
the opposite is true. Involvement in decision making is important only to ensure business data integrity so that data can be trusted.
Relationships among security technologies are BEST defined through which of the following?
A. Security metrics
B. Network topology
C. Security architecture
D. Process improvement models
Answer: C
Explanation:
Security architecture explains the use and relationships of security mechanisms. Security metrics measure improvement within the security practice but do not explain the use and relationships of
security technologies. Process improvement models and network topology diagrams also do not describe the use and relationships of these technologies.
A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?
A. Enforce the existing security standard
B. Change the standard to permit the deployment
C. Perform a risk analysis to quantify the risk
D. Perform research to propose use of a better technology
Answer: C
Explanation:
Resolving conflicts of this type should be based on a sound risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. A blanket decision should never be given without conducting such an analysis. Enforcing existing standards is a good practice; however,
standards need to be continuously examined in light of new technologies and the risks they present. Standards should not be changed without an appropriate risk assessment.
Acceptable levels of information security risk should be determined by:
A. legal counsel.
B. security management.
C. external auditors.
D. steering committee.
Answer: D
Explanation:
Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume. Legal counsel, the external auditors and security management are not in a position to make such a decision.
The PRIMARY goal in developing an information security strategy is to:
A. establish security metrics and performance monitoring.
B. educate business process owners regarding their duties.
C. ensure that legal and regulatory requirements are met.
D. support the business objectives of the organization.
Answer: D
Explanation:
The business objectives of the organization supersede all other factors. Establishing metrics and measuring performance, meeting legal and regulatory requirements and educating business process owners are all subordinate to this overall goal.
Senior management commitment and support for information security can BEST be enhanced through:
A. a formal security policy sponsored by the chief executive officer (CEO).
B. regular security awareness training for employees.
C. periodic review of alignment with business management goals.
D. senior management signoff on the information security strategy.
Answer: C
Explanation:
Ensuring that security activities continue to be aligned and support business goals is critical to obtaining their support. Although having the chief executive officer (CEO) signoff on the security policy and senior management signoff on the security strategy makes for good visibility and
demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior management. Security awareness training for employees will not have as much effect on senior management commitment.
When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?
A. Create separate policies to address each regulation
B. Develop policies that meet all mandated requirements
C. Incorporate policy statements provided by regulators
D. Develop a compliance risk assessment
Answer: B
Explanation:
It will be much more efficient to craft all relevant requirements into policies than to create separate versions. Using statements provided by regulators will not capture all of the requirements mandated by different regulators. A compliance risk assessment is an important tool to verify that procedures ensure compliance once the policies have been established.
Which of the following MOST commonly falls within the scope of an information security governance steering committee?
A. Interviewing candidates for information security specialist positions
B. Developing content for security awareness programs
C. Prioritizing information security initiatives
D. Approving access to critical financial systems
Answer: C
Explanation:
Prioritizing information security initiatives is the only appropriate item. The interviewing of specialists should be performed by the information security manager, while the developing of program content should be performed by the information security staff. Approving access to critical
financial systems is the responsibility of individual system data owners.
Which of the following is the MOST important factor when designing information security architecture?
A. Technical platform interfaces
B. Scalability of the network
C. Development methodologies
D. Stakeholder requirements
Answer: D
Explanation:
The most important factor for information security is that it advances the interests of the business, as defined by stakeholder requirements. Interoperability and scalability, as well as development methodologies, are all important but are without merit if a technologically-elegant solution is achieved that does not meet the needs of the business.
Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?
A. Knowledge of information technology platforms, networks and development methodologies
B. Ability to understand and map organizational needs to security technologies
C. Knowledge of the regulatory environment and project management techniques
D. Ability to manage a diverse group of individuals and resources across an organization
Answer: B
Explanation:
Information security will be properly aligned with the goals of the business only if the CISO can understand organizational needs and map them to enabling security technologies. All of the other choices
are important but secondary to meeting business security needs.
Which of the following are likely to be updated MOST frequently?
A. Procedures for hardening database servers
B. Standards for password length and complexity
C. Policies addressing information security governance
D. Standards for document retention and destruction
Answer: A
Explanation:
Policies and standards should generally be more static and less subject to frequent change. Procedures on the other hand, especially with regard to the hardening of operating systems, will be subject to constant change; as operating systems change and evolve, the procedures for hardening will have to keep pace.
Who should be responsible for enforcing access rights to application data?
A. Data owners
B. Business process owners
C. The security steering committee
D. Security administrators
Answer: D
Explanation:
As custodians, security administrators are responsible for enforcing access rights to data. Data owners are responsible for approving these access rights. Business process owners are sometimes the data owners as well, and would not be responsible for enforcement. The security
steering committee would not be responsible for enforcement.
The chief information security officer (CISO) should ideally have a direct reporting relationship to the:
A. head of internal audit.
B. chief operations officer (COO).
C. chief technology officer (CTO).
D. legal counsel.
Answer: B
Explanation:
The chief information security officer (CISO) should ideally report to as high a level within the organization as possible. Among the choices given, the chief operations officer (COO) would have not only the appropriate level but also the knowledge of day-to-day operations. The head of
internal audit and legal counsel would make good secondary choices, although they would not be as knowledgeable of the operations. Reporting to the chief technology officer (CTO) could become
problematic as the CTO’s goals for the infrastructure might, at times, run counter to the goals of information security.
Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?
A. Update platform-level security settings
B. Conduct disaster recovery test exercises
C. Approve access to critical financial systems
D. Develop an information security strategy paper
Answer: D
Explanation:
Developing a strategy paper on information security would be the most appropriate. Approving
access would be the job of the data owner. Updating platform-level security and conducting
recovery test exercises would be less essential since these are administrative tasks.
Developing a successful business case for the acquisition of information security software products can BEST be assisted by:
A. assessing the frequency of incidents.
B. quantifying the cost of control failures.
C. calculating return on investment (ROI) projections.
D. comparing spending against similar organizations.
Answer: C
Explanation:
Calculating the return on investment (ROI) will most closely align security with the impact on the
bottom line. Frequency and cost of incidents are factors that go into determining the impact on the
business but, by themselves, are insufficient. Comparing spending against similar organizations
can be problematic since similar organizations may have different business goals and appetites for
risk.
When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:
A. aligned with the IT strategic plan.
B. based on the current rate of technological change.
C. three-to-five years for both hardware and software.
D. aligned with the business strategy.
Answer: D
Explanation:
Any planning for information security should be properly aligned with the needs of the business.
Technology should not come before the needs of the business, nor should planning be done on an
artificial timetable that ignores business needs.
Which of the following is the MOST important information to include in a strategic plan for information security?
A. Information security staffing requirements
B. Current state and desired future state
C. IT capital investment requirements
D. Information security mission statement
Answer: B
Explanation:
It is most important to paint a vision for the future and then draw a road map from the starting point to the desired future state. Staffing, capital investment and the mission all stem from this foundation.
Information security projects should be prioritized on the basis of:
A. time required for implementation.
B. impact on the organization.
C. total cost for implementation.
D. mix of resources required.
Answer: B
Explanation:
Information security projects should be assessed on the basis of the positive impact that they will have on the organization. Time, cost and resource issues should be subordinate to this objective.
Which of the following is the MOST important information to include in an information security standard?
A. Creation date
B. Author name
C. Initial draft approval date
D. Last review date
Answer: D
Explanation:
The last review date confirms the currency of the standard, affirming that management has reviewed the standard to assure that nothing in the environment has changed that would necessitate an update to the standard. The name of the author as well as the creation and draft dates are not that important.
Which of the following would BEST prepare an information security manager for regulatory reviews?
A. Assign an information security administrator as regulatory liaison
B. Perform self-assessments using regulatory guidelines and reports
C. Assess previous regulatory reports with process owners input
D. Ensure all regulatory inquiries are sanctioned by the legal department
Answer: B
Explanation:
Self-assessments provide the best feedback on readiness and permit identification of items requiring remediation. Directing regulators to a specific person or department, or assessing previous reports, is not as effective. The legal department should review all formal inquiries but this does not help prepare for a regulatory review.
An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:
A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.
B. establish baseline standards for all locations and add supplemental standards as required.
C. bring all locations into conformity with a generally accepted set of industry best practices.
D. establish a baseline standard incorporating those requirements that all jurisdictions have in common.
Answer: B
Explanation:
It is more efficient to establish a baseline standard and then develop additional standards for locations that must meet specific requirements. Seeking a lowest common denominator or just using industry best practices may cause certain locations to fail regulatory compliance. The opposite approach, forcing all locations into compliance with the aggregate regulations, places an undue burden on those locations.