Information Security Management Quiz

Questions and Answers

When deciding the level of protection for an information asset, which factor provides the MOST guidance?

• Impact on information security program
• Cost of controls
• Cost to replace
• Impact to business function (correct)

What is the BEST indication of information security strategy alignment with the business?

• Percentage of information security incidents resolved within defined service level agreements (SLAs)
• Percentage of corporate budget allocated to information security initiatives
• Number of business objectives directly supported by information security initiatives (correct)
• Number of business executives who have attended information security awareness sessions

Which analysis will BEST identify the external influences to an organization's information security?

• Gap analysis
• Threat analysis (correct)
• Vulnerability analysis
• Business impact analysis (BIA)

What is the MOST important detail to capture in an organization's risk register?

Risk ownership (C)

Who is the most appropriate role to determine access rights for specific users of an application?

Information security manager (D)

What is the best evidence to senior management that security control performance has improved?

Review of security metrics trends (B)

What is the best course of action when an online company discovers a network attack in progress?

Isolate the affected network segment (D)

What is the best tool to monitor the effectiveness of information security governance?

Balanced scorecard (A)

Who is most appropriate to own the risk associated with the failure of a privileged access control?

Business owner (D)

During the initiation phase of the system development life cycle (SDLC) for a software project, what should information security activities address?

Baseline security controls (D)

What is the most important element in achieving executive commitment to an information security governance program?

Identified business drivers (D)

To minimize the risk of data exposure from a stolen personal mobile device, what is the best course of action?

Wipe the device remotely (D)

For aligning security operations with the IT governance framework, what is most helpful?

Security operations program (B)

What are the recovery time objectives (RTOs) an output of?

Business impact analysis (BIA) (B)

What is the primary objective of performing a post-incident review?

Identify the root cause (D)

What is the best approach for managing user access permissions to ensure alignment with data classification?

Reviewing access permissions annually or whenever job responsibilities change (A)

What is the primary reason to monitor key risk indicators (KRIs) related to information security?

To benchmark control performance (D)

What enhances the likelihood of secure handling of information?

Labeling information according to security classification (B)

What should the information security manager first determine when updating about a security incident?

The needs and requirements of each audience (D)

What is the best method to evaluate the effectiveness of an alternate processing site when continuous uptime is required?

A parallel test (A)

What is the most common legal issue associated with a transborder flow of technology-related items?

Encryption tools and personal data (A)

What should be the first step in establishing a new data protection program that must comply with applicable data privacy regulations?

Creating an inventory of systems where personal data is stored (A)

What should the content of the most effective information security training program be based on?

Employees' roles (C)

What should information security controls primarily be based on?

Business risk scenarios (A)

What should effective management decisions concerning information security investments be based on?

Consistent and periodic risk assessments (A)

What is indicated by the information security steering committee being composed of business leaders?

Integration of information security governance and corporate governance (B)

What did regular vulnerability scanning identify on user workstations?

Unpatched software (D)

When should the security manager update details in the risk register?

When senior management accepts risk of noncompliance (C)

What is the strongest justification for granting an exception to the policy of disabling access to USB storage devices?

The benefit is greater than the potential risk (B)

What is the primary goal of the eradication phase in an incident response process?

To remove the threat and restore affected systems (B)

What should the information security manager primarily focus on when developing an RFP for a new outsourced service?

Defining security requirements for the process being outsourced (C)

What has the greatest influence on the successful implementation of information security strategy goals?

Management support (A)

What is the best action to mitigate the risk of theft of tablets containing critical business data?

Conduct a mobile device risk assessment (D)

How should the security awareness program be aligned with the organization's business strategy?

Consideration of people and culture (C)

What should the primary basis for information security strategy be?

Organization's vision and mission (D)

What is the most effective way to demonstrate alignment of information security strategy with business objectives?

Use a balanced scorecard (C)

What should the incident response team document during the eradication phase?

Actions required to remove the threat (A)

What should the organization's information security be aligned with to optimize security risk management?

Organization's strategy (D)

What should the organization's plans to use social networks for promotion prompt the security manager to do?

Assess security risks (A)

What is the main purpose of senior management review and approval of an information security strategic plan?

To ensure the plan aligns with corporate governance (A)

What is the most important consideration when confirming a third-party provider's compliance with an organization's information security requirements?

Ensure the right to audit is included in the service level agreement (SLA) (B)

How can an organization best communicate the effectiveness of an information security governance framework to stakeholders?

Establish metrics for each milestone (A)

What is the most effective way to help ensure procurement decisions consider information security concerns when an organization increasingly uses Software as a Service (SaaS)?

Integrating information security risk assessments into the procurement process (B)

What provides the most comprehensive insight into ongoing threats facing an organization?

The risk register (A)

What is essential when developing a categorization method for security incidents?

The categories must have agreed-upon definitions (D)

Who would find key performance indicators (KPIs) most useful to understand the status of information security compliance?

Senior management (A)

What is the contribution of recovery point objective (RPO) to disaster recovery?

To define backup strategy (C)

What are cybersecurity policies considered to be for an organization's management of emerging cyber risk?

The best enablers (B)

What represents a risk treatment option to limit the risk exposure to the business when a legacy application cannot be patched?

Implementing a firewall in front of the legacy application (D)

What should be the first action when notified of a new vulnerability affecting key data processing systems?

Re-evaluating the risk (A)

What is the best way to ensure the capability to restore clean data after a ransomware attack?

Maintain multiple offline backups (C)

What should the security manager do if the organization plans to use social networks for promotion?

Assess security risks (B)

What should be the primary basis for the information security strategy?

Organization's vision and mission (B)

When should the information security manager update details in the risk register?

When senior management accepts risk of noncompliance (C)

What is the most important consideration to align a security awareness program with the organization's business strategy?

People and culture (D)

What is the best action to mitigate the risk of theft of tablets containing critical business data?

Conduct a mobile device risk assessment (C)

What should information security be aligned with to optimize security risk management?

Organization's strategy (C)

How can the alignment of information security strategy with business objectives be effectively demonstrated?

Use a balanced scorecard (C)

What is the strongest justification for granting an exception to the policy of disabling access to USB storage devices?

The benefit is greater than the potential risk (D)

What should the incident response team document during the eradication phase?

Actions required to remove the threat (C)

What is the primary goal of the eradication phase in an incident response process?

Remove the threat and restore affected systems (D)

What should the information security manager primarily focus on when developing an RFP for a new outsourced service?

Defining security requirements for the process being outsourced (A)

What has the greatest influence on the successful implementation of information security strategy goals?

Management support (C)

What is the main purpose of senior management review and approval of an information security strategic plan?

To ensure the plan aligns with corporate governance (D)

What is the most effective way to help ensure procurement decisions consider information security concerns when an organization increasingly uses Software as a Service (SaaS)?

Integrating information security risk assessments into the procurement process (D)

What is the best way to ensure the capability to restore clean data after a ransomware attack?

Maintain multiple offline backups (C)

What is the main contribution of recovery point objective (RPO) to disaster recovery?

Defining backup strategy (A)

What is essential when developing a categorization method for security incidents?

The categories must have agreed-upon definitions (C)

What would be most useful to help senior management understand the status of information security compliance?

Key performance indicators (KPIs) (C)

What represents a risk treatment option to limit the risk exposure to the business when a legacy application cannot be patched?

Implementing a firewall in front of the legacy application (B)

When notified of a new vulnerability affecting key data processing systems, what should be the first action?

Re-evaluating the risk (B)

What is the best enabler for an organization to effectively manage emerging cyber risk?

Cybersecurity policies (B)

What is the most comprehensive insight into ongoing threats facing an organization?

The risk register (D)

What is the most important element to communicate the effectiveness of an information security governance framework to stakeholders?

Establish metrics for each milestone (B)

What is the best action to take to confirm a third-party provider's compliance with an organization's information security requirements?

Ensure the right to audit is included in the service level agreement (SLA) (C)

Flashcards are hidden until you start studying

Study Notes

Information Security Management Summary

• Organization plans to use social networks for promotion, security manager's best course of action is to assess security risks.
• Primary basis for information security strategy should be the organization's vision and mission.
• When senior management accepts risk of noncompliance, the information security manager should update details in the risk register.
• To align a security awareness program with the organization's business strategy, the most important consideration is people and culture.
• To mitigate the risk of theft of tablets containing critical business data, the best action is to conduct a mobile device risk assessment.
• Information security should be aligned with the organization's strategy to optimize security risk management.
• To demonstrate alignment of information security strategy with business objectives, the most effective way is to use a balanced scorecard.
• Strongest justification for granting an exception to the policy of disabling access to USB storage devices is that the benefit is greater than the potential risk.
• Incident response team should document actions required to remove the threat during the eradication phase.
• The primary goal of the eradication phase in an incident response process is to remove the threat and restore affected systems.
• Information security manager developing an RFP for a new outsourced service should focus primarily on defining security requirements for the process being outsourced.
• Management support has the greatest influence on the successful implementation of information security strategy goals.

Information Security Management Questions and Answers Summary

• Senior management review and approval of an information security strategic plan is mainly to ensure the plan aligns with corporate governance.
• To confirm a third-party provider's compliance with an organization's information security requirements, it is most important to ensure the right to audit is included in the service level agreement (SLA).
• To communicate the effectiveness of an information security governance framework to stakeholders, it is most important to establish metrics for each milestone.
• When an organization increasingly uses Software as a Service (SaaS), integrating information security risk assessments into the procurement process is the most effective way to help ensure procurement decisions consider information security concerns.
• The most comprehensive insight into ongoing threats facing an organization is provided by the risk register.
• When developing a categorization method for security incidents, the categories must have agreed-upon definitions.
• Key performance indicators (KPIs) would be most useful to help senior management understand the status of information security compliance.
• The contribution of recovery point objective (RPO) to disaster recovery is to define backup strategy.
• Cybersecurity policies are the best enablers for an organization to effectively manage emerging cyber risk.
• To limit the risk exposure to the business when a legacy application cannot be patched, a firewall is implemented in front of the legacy application, representing a risk treatment option of mitigate.
• When notified of a new vulnerability affecting key data processing systems, re-evaluating the risk should be the first action.
• The best way to ensure the capability to restore clean data after a ransomware attack is to maintain multiple offline backups.