Deck 4 Flashcards
(158 cards)
Which of the following would be an information security manager's primary challenge when deploying a bring your own device (BYOD) mobile program in an enterprise?
A. Configuration management
B. Mobile application control
C. Inconsistent device security
D. End user acceptance
C
Which of the following is most important to ensure when an organization is moving portions of its sensitive database to the cloud?
A. The conversion has been approved by the information security team
B. A right to audit clause is included in the contract
C. Input from data owners is included in the requirements definition
D. Data encryption is used in the cloud hosting solution
C
An information security manager has been made aware of a new data protection regulation that will soon go into effect. Which of the following is the best way to manage the risk of noncompliance?
A. Perform a gap analysis
B. Consult with senior management on the best course of action
C. Implement a program of work to comply with the new legislation
D. Understand the cost of noncompliance
A
Which of the following is the most important function of an information security steering committee?
A. Evaluating the effectiveness of information security controls on a periodic basis
B. Defining the objectives of the information security framework
C. Conducting regular independent reviews of the state of security in the business
D. Approving security awareness content prior to publication
B
A small organization with a limited budget hires a new information security manager who finds that the same IT staff member is assigned the responsibilities of system administrator, security administrator, database administrator, and application administrator. What is the manager's best course of action?
A. Formally document IT administrator activities
B. Automate user provisioning activities
C. Maintain strict control over user provisioning activities
D. Implement monitoring of IT administrator activities
D
A risk assessment exercise has identified the threat of a denial of service (DoS) attack. Executive management has decided to take no further action related to this risk. The most likely reason for this decision is:
A. The cost of implementing controls exceeds the potential financial losses
B. The risk assessment has not defined the likelihood of occurrence
C. Executive management is not aware of the impact potential
D. The reported vulnerability has not been validated
A
Which of the following is the primary responsibility of an information security steering committee composed of management representation from business units?
A. Oversee the execution of the information security strategy
B. Perform business impact analyses (BIAs)
C. Manage the implementation of the information security plan
D. Monitor the treatment of information security risk
A
When implementing a security policy for an organization handling personally identifiable information (PII), the most important objective should be:
A. Strong encryption
B. Regulatory compliance
C. Security awareness training
D. Data availability
B
When drafting the corporate privacy statement for a public website, which of the following must be included?
A. Limited liability clause
B. Access control requirements
C. Explanation of information usage
D. Information encryption requirements
C
After a server has been attacked, which of the following is the best course of action?
A. Isolate the system
B. Initiate incident response
C. Conduct a security audit
D. Review vulnerability assessment
B
Which of the following will provide the most guidance when deciding the level of protection for an information asset?
A. Impact on information security program
B. Cost of controls
C. Impact to business function
D. Cost to replace
C
When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information security controls?
A. Access control management
B. Change management
C. Configuration management
D. Risk management
D
Which of the following is most likely to be impacted when emerging technologies are introduced to an organization?
A. Risk profile
B. Security policies
C. Control effectiveness
D. Risk assessment approach
A
A company has a remote office located in a different country. The company’s chief information security officer (CISO) has just learned of a new regulatory requirement mandated by the country of the remote office. Which of the following should be the next step?
A. Integrate new requirements into the corporate policies
B. Evaluate whether the new regulation impacts information security
C. Create separate security policies and procedures for the new regulation
D. Implement the requirement at the remote office location
B
Which of the following metrics is the best measure of the effectiveness of an information security program?
A. Reduction in the amount of risk exposure in an organization
B. Reduction in the number of threats to an organization
C. Reduction in the cost of risk remediation for an organization
D. Reduction in the number of vulnerabilities in an organization
A
Which of the following provides the most useful information for identifying security control gaps on an application server?
A. Risk assessments
B. Penetration testing
C. Threat models
D. Internal audit report
B
The most important attribute of a security control is that it is:
A. Auditable
B. Measurable
C. Scalable
D. Reliable
D
An event occurred that resulted in the activation of the business continuity plan (BCP). All employees were notified during the event, and they followed the plan. However, two major suppliers missed deadlines because they were not aware of the disruption. What is the best way to prevent a similar situation in the future?
A. Ensure service level agreements (SLAs) with suppliers are enforced
B. Conduct a vulnerability assessment
C. Perform testing of the BCP communication plan
D. Provide suppliers with access to the BCP document
C
Which of the following is most appropriate to add to a dashboard for the purpose of illustrating an organization’s risk level to senior management?
A. Results of risk and control testing
B. Number of reported incidents
C. Budget variance for information security
D. Risk heat map
D
To confirm that a third party provider complies with an organization’s information security requirements, it is most important to ensure:
A. Contract clauses comply with the organization's information security policy
B. Security metrics are included in the service level agreement (SLA)
C. The information security policy of the third-party service provider is reviewed
D. Right to audit is included in the service level agreement (SLA)
C
The primary reason to create and externally store the disk hash value when performing forensic data acquisition from a hard disk is to:
A. Validate the integrity during analysis
B. Provide backup in case of media failure
C. Reinstate original data when accidental changes occur
D. Validate the confidentiality during analysis
A
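Worked illustration of the card above, added here as an example and not part of the original deck: the acquisition hash is computed over the image in chunks, written to a separate sidecar record (on the page's reasoning, kept outside the evidence media), and later recomputed to confirm that the copy analysed is byte-for-byte the copy acquired. The file names, the record format and the 4 KiB sample image are constructed for this example. SHA-256 is used; the same code accepts any hashlib algorithm name, which matters because many existing evidence records still carry MD5 or SHA-1 digests that must be re-checked with the same algorithm.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash large images in 1 MiB chunks instead of loading them into memory


def hash_stream(fp, algorithm="sha256"):
    """Hash a file-like object chunk by chunk and return the hex digest."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: fp.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def hash_image(path, algorithm="sha256"):
    with open(path, "rb") as fp:
        return hash_stream(fp, algorithm)


def write_hash_record(image_path, record_path, algorithm="sha256"):
    """Record the acquisition hash in a sidecar file (assumed format: algo, digest, name).

    In practice record_path lives on separate, write-protected media so that a
    change to the evidence image cannot also change the value it is checked against.
    """
    digest = hash_image(image_path, algorithm)
    with open(record_path, "w") as fp:
        fp.write(f"{algorithm}  {digest}  {os.path.basename(image_path)}\n")
    return digest


def verify_image(image_path, record_path):
    """Recompute the digest with the recorded algorithm; return (matches, expected, actual)."""
    with open(record_path) as fp:
        algorithm, expected, _name = fp.read().split()
    actual = hash_image(image_path, algorithm)
    return actual == expected, expected, actual


def demo():
    """Acquire, record, verify, then detect a single-byte change to the working copy."""
    # Constructed sample standing in for a raw dd image: 4 KiB of a repeating byte pattern.
    image = bytes(range(256)) * 16
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")          # hypothetical image name
        rec = os.path.join(d, "evidence.dd.sha256")   # hypothetical sidecar record
        with open(img, "wb") as fp:
            fp.write(image)
        write_hash_record(img, rec)
        ok_before, _, _ = verify_image(img, rec)
        # Simulate an accidental write to the working copy during analysis.
        with open(img, "r+b") as fp:
            fp.seek(100)
            fp.write(b"\x00")
        ok_after, expected, actual = verify_image(img, rec)
        return ok_before, ok_after, expected != actual


if __name__ == "__main__":
    print(demo())  # (True, False, True): intact copy verifies, altered copy does not
```

Note that the record only proves integrity (option A): it cannot restore altered bytes (option C), it is no substitute for a second image on separate media (option B), and a hash reveals nothing about who has read the data (option D).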
Which of the following should be determined first when preparing a risk communication plan?
A. Reporting content
B. Communication channel
C. Target audience
D. Reporting frequency
C
Which of the following is the major advantage of conducting a post-incident review? The review:
A. Helps develop business cases for security monitoring tools
B. Provides continuous process improvement
C. Facilitates reporting on actions taken during the incident process
D. Helps identify current and desired level of risk
B
A small organization has a contract with a multinational cloud computing vendor. Which of the following would present the greatest concern to an information security manager if omitted from the contract?
A. Escrow of software code with conditions for code release
B. Right of the subscriber to conduct on-site audits of the vendor
C. Authority of the subscriber to approve access to its data
D. Commingling of subscribers' data on the same physical server
C