When briefing senior management on the creation of a governance process, the MOST important aspect should be:
A. knowledge required to analyze each issue
B. information security metrics
C. linkage to business area objectives
D. baseline against which metrics are evaluated
An organization licenses and uses personal information for business operations, and a server containing that information has been compromised.
What kind of law would require notifying the owner or licensee of this incident?
A. Consumer right disclosure
B. Data breach disclosure
C. Special circumstance disclosure
D. Security incident disclosure
Which of the following is a benefit of information security governance?
A. Direct involvement of senior management in developing control processes
B. Reduction of the potential for civil and legal liability
C. Questioning the trust in vendor relationships
D. Increasing the risk of decisions based on incomplete management information
Which of the following most commonly falls within the scope of an information security governance steering committee?
A. Vetting information security policies
B. Approving access to critical financial systems
C. Interviewing candidates for information security specialist positions
D. Developing content for security awareness programs
You have purchased a new insurance policy as part of your risk strategy. Which of the following risk strategy options have you engaged in?
A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk Transfer
In order for a CISO to have true situational awareness, there is a need to deploy technology that can give a real-time view of security events across the enterprise. Which of the following tools represents the BEST choice to achieve this awareness?
A. Intrusion Detection System (IDS), firewall, switch, syslog
B. Security Incident Event Management (SIEM), IDS, router, syslog
C. VMware, router, switch, firewall, syslog, vulnerability management system (VMS)
D. SIEM, IDS, firewall, VMS
You are the Chief Information Security Officer of a large, multinational bank and you suspect there is a flaw in a two-factor authentication token management process.
Which of the following represents your BEST course of action?
A. Determine program ownership to implement compensating controls
B. Send a report to executive peers and business unit owners detailing your suspicions
C. Validate that security awareness program content includes information about the potential vulnerability
D. Conduct a thorough risk assessment against the current implementation to determine system functions
When managing the critical path of an IT security project, which of the following is MOST important?
A. Knowing all the stakeholders
B. Knowing the milestones and timelines of deliverables
C. Knowing the people on the data center team
D. Knowing the threats to the organization
You have implemented the new controls. What is the next step?
A. Perform a risk assessment
B. Monitor the effectiveness of the controls
C. Document the process for the stakeholders
D. Update the audit findings report
What does RACI stand for?
A. Reasonable, Actionable, Controlled, and Implemented
B. Responsible, Actors, Consult, and Instigate
C. Responsible, Accountable, Consulted, and Informed
D. Review, Act, Communicate, and Inform