Information Security Management Quiz

Questions and Answers

When deciding the level of protection for an information asset, which factor provides the MOST guidance?

Impact on information security program

Cost of controls

Cost to replace

Impact to business function (correct)

What is the BEST indication of information security strategy alignment with the business?

Percentage of information security incidents resolved within defined service level agreements (SLAs)

Percentage of corporate budget allocated to information security initiatives

Number of business objectives directly supported by information security initiatives (correct)

Number of business executives who have attended information security awareness sessions

Which analysis will BEST identify the external influences to an organization's information security?

Gap analysis

Threat analysis (correct)

Vulnerability analysis

Business impact analysis (BIA)

What is the MOST important detail to capture in an organization's risk register?

Risk ownership

Who is the most appropriate role to determine access rights for specific users of an application?

Information security manager

What is the best evidence to senior management that security control performance has improved?

Review of security metrics trends

What is the best course of action when an online company discovers a network attack in progress?

Isolate the affected network segment

What is the best tool to monitor the effectiveness of information security governance?

Balanced scorecard

Who is most appropriate to own the risk associated with the failure of a privileged access control?

Business owner

During the initiation phase of the system development life cycle (SDLC) for a software project, what should information security activities address?

Baseline security controls

What is the most important element in achieving executive commitment to an information security governance program?

Identified business drivers

To minimize the risk of data exposure from a stolen personal mobile device, what is the best course of action?

Wipe the device remotely

For aligning security operations with the IT governance framework, what is most helpful?

Security operations program

What are the recovery time objectives (RTOs) an output of?

Business impact analysis (BIA)

What is the primary objective of performing a post-incident review?

Identify the root cause

What is the best approach for managing user access permissions to ensure alignment with data classification?

Reviewing access permissions annually or whenever job responsibilities change

What is the primary reason to monitor key risk indicators (KRIs) related to information security?

To benchmark control performance

What enhances the likelihood of secure handling of information?

Labeling information according to security classification

What should the information security manager first determine when updating about a security incident?

The needs and requirements of each audience

What is the best method to evaluate the effectiveness of an alternate processing site when continuous uptime is required?

A parallel test

What is the most common legal issue associated with a transborder flow of technology-related items?

Encryption tools and personal data

What should be the first step in establishing a new data protection program that must comply with applicable data privacy regulations?

Creating an inventory of systems where personal data is stored

What should the content of the most effective information security training program be based on?

Employees' roles

What should information security controls primarily be based on?

Business risk scenarios

What should effective management decisions concerning information security investments be based on?

Consistent and periodic risk assessments

What is indicated by the information security steering committee being composed of business leaders?

Integration of information security governance and corporate governance

What did regular vulnerability scanning identify on user workstations?

Unpatched software

When should the security manager update details in the risk register?

When senior management accepts risk of noncompliance

What is the strongest justification for granting an exception to the policy of disabling access to USB storage devices?

The benefit is greater than the potential risk

What is the primary goal of the eradication phase in an incident response process?

To remove the threat and restore affected systems

What should the information security manager primarily focus on when developing an RFP for a new outsourced service?

Defining security requirements for the process being outsourced

What has the greatest influence on the successful implementation of information security strategy goals?

Management support

What is the best action to mitigate the risk of theft of tablets containing critical business data?

Conduct a mobile device risk assessment

How should the security awareness program be aligned with the organization's business strategy?

Consideration of people and culture

What should the primary basis for information security strategy be?

Organization's vision and mission

What is the most effective way to demonstrate alignment of information security strategy with business objectives?

Use a balanced scorecard

What should the incident response team document during the eradication phase?

Actions required to remove the threat

What should the organization's information security be aligned with to optimize security risk management?

Organization's strategy

What should the organization's plans to use social networks for promotion prompt the security manager to do?

Assess security risks

What is the main purpose of senior management review and approval of an information security strategic plan?

To ensure the plan aligns with corporate governance

What is the most important consideration when confirming a third-party provider's compliance with an organization's information security requirements?

Ensure the right to audit is included in the service level agreement (SLA)

How can an organization best communicate the effectiveness of an information security governance framework to stakeholders?

Establish metrics for each milestone

What is the most effective way to help ensure procurement decisions consider information security concerns when an organization increasingly uses Software as a Service (SaaS)?

Integrating information security risk assessments into the procurement process

What provides the most comprehensive insight into ongoing threats facing an organization?

The risk register

What is essential when developing a categorization method for security incidents?

The categories must have agreed-upon definitions

Who would find key performance indicators (KPIs) most useful to understand the status of information security compliance?

Senior management

What is the contribution of recovery point objective (RPO) to disaster recovery?

To define backup strategy

What are cybersecurity policies considered to be for an organization's management of emerging cyber risk?

The best enablers

What represents a risk treatment option to limit the risk exposure to the business when a legacy application cannot be patched?

Implementing a firewall in front of the legacy application

What should be the first action when notified of a new vulnerability affecting key data processing systems?

Re-evaluating the risk

What is the best way to ensure the capability to restore clean data after a ransomware attack?

Maintain multiple offline backups

What should the security manager do if the organization plans to use social networks for promotion?

Assess security risks

What should be the primary basis for the information security strategy?

Organization's vision and mission

When should the information security manager update details in the risk register?

When senior management accepts risk of noncompliance

What is the most important consideration to align a security awareness program with the organization's business strategy?

People and culture

What is the best action to mitigate the risk of theft of tablets containing critical business data?

Conduct a mobile device risk assessment

What should information security be aligned with to optimize security risk management?

Organization's strategy

How can the alignment of information security strategy with business objectives be effectively demonstrated?

Use a balanced scorecard

What is the strongest justification for granting an exception to the policy of disabling access to USB storage devices?

The benefit is greater than the potential risk

What should the incident response team document during the eradication phase?

Actions required to remove the threat

What is the primary goal of the eradication phase in an incident response process?

Remove the threat and restore affected systems

What should the information security manager primarily focus on when developing an RFP for a new outsourced service?

Defining security requirements for the process being outsourced

What has the greatest influence on the successful implementation of information security strategy goals?

Management support

What is the main purpose of senior management review and approval of an information security strategic plan?

To ensure the plan aligns with corporate governance

What is the most effective way to help ensure procurement decisions consider information security concerns when an organization increasingly uses Software as a Service (SaaS)?

Integrating information security risk assessments into the procurement process

What is the best way to ensure the capability to restore clean data after a ransomware attack?

Maintain multiple offline backups

What is the main contribution of recovery point objective (RPO) to disaster recovery?

Defining backup strategy

What is essential when developing a categorization method for security incidents?

The categories must have agreed-upon definitions

What would be most useful to help senior management understand the status of information security compliance?

Key performance indicators (KPIs)

What represents a risk treatment option to limit the risk exposure to the business when a legacy application cannot be patched?

Implementing a firewall in front of the legacy application

When notified of a new vulnerability affecting key data processing systems, what should be the first action?

Re-evaluating the risk

What is the best enabler for an organization to effectively manage emerging cyber risk?

Cybersecurity policies

What is the most comprehensive insight into ongoing threats facing an organization?

The risk register

What is the most important element to communicate the effectiveness of an information security governance framework to stakeholders?

Establish metrics for each milestone

What is the best action to take to confirm a third-party provider's compliance with an organization's information security requirements?

Ensure the right to audit is included in the service level agreement (SLA)

Study Notes

Information Security Management Summary

• Organization plans to use social networks for promotion, security manager's best course of action is to assess security risks.
• Primary basis for information security strategy should be the organization's vision and mission.
• When senior management accepts risk of noncompliance, the information security manager should update details in the risk register.
• To align a security awareness program with the organization's business strategy, the most important consideration is people and culture.
• To mitigate the risk of theft of tablets containing critical business data, the best action is to conduct a mobile device risk assessment.
• Information security should be aligned with the organization's strategy to optimize security risk management.
• To demonstrate alignment of information security strategy with business objectives, the most effective way is to use a balanced scorecard.
• Strongest justification for granting an exception to the policy of disabling access to USB storage devices is that the benefit is greater than the potential risk.
• Incident response team should document actions required to remove the threat during the eradication phase.
• The primary goal of the eradication phase in an incident response process is to remove the threat and restore affected systems.
• Information security manager developing an RFP for a new outsourced service should focus primarily on defining security requirements for the process being outsourced.
• Management support has the greatest influence on the successful implementation of information security strategy goals.

Information Security Management Questions and Answers Summary

• Senior management review and approval of an information security strategic plan is mainly to ensure the plan aligns with corporate governance.
• To confirm a third-party provider's compliance with an organization's information security requirements, it is most important to ensure the right to audit is included in the service level agreement (SLA).
• To communicate the effectiveness of an information security governance framework to stakeholders, it is most important to establish metrics for each milestone.
• When an organization increasingly uses Software as a Service (SaaS), integrating information security risk assessments into the procurement process is the most effective way to help ensure procurement decisions consider information security concerns.
• The most comprehensive insight into ongoing threats facing an organization is provided by the risk register.
• When developing a categorization method for security incidents, the categories must have agreed-upon definitions.
• Key performance indicators (KPIs) would be most useful to help senior management understand the status of information security compliance.
• The contribution of recovery point objective (RPO) to disaster recovery is to define backup strategy.
• Cybersecurity policies are the best enablers for an organization to effectively manage emerging cyber risk.
• To limit the risk exposure to the business when a legacy application cannot be patched, a firewall is implemented in front of the legacy application, representing a risk treatment option of mitigate.
• When notified of a new vulnerability affecting key data processing systems, re-evaluating the risk should be the first action.
• The best way to ensure the capability to restore clean data after a ransomware attack is to maintain multiple offline backups.

Description

Test your knowledge of information security management with this quiz covering topics such as vulnerability scanning, security controls, governance integration, risk assessments, data protection, and more. Assess your understanding of important concepts and best practices in information security management through these questions and answers.