Which of the following is MOST critical for an effective information security governance framework?
A. Board members are committed to the information security program.
B. Information security policies are reviewed on a regular basis.
C. The information security program is continually monito...
Which of the following is MOST critical for an effective information security governance
framework?
A. Board members are committed to the information security program.
B. Information security policies are reviewed on a regular basis.
C. The information security program is continually monitored.
D. The CIO is accountable for the information security program. - ANS Board members are
committed to the information security program.
Which of the following is MOST important when establishing a successful information security
governance framework?
A. Selecting information security steering committee members
B. Developing an information security strategy
C. Determining balanced scorecard metrics for information security
D. Identifying information security risk scenarios - ANS Developing an information security
strategy
When creating an information security governance program, which of the following will BEST
enable the organization to address regulatory compliance requirements?
A. Guidelines for processes and procedures
B. A security control framework
C. An approved security strategy plan
D. Input from the security steering committee - ANS Guidelines for processes and
procedures
An organization enacted several information security policies to satisfy regulatory requirements.
Which of the following situations would MOST likely increase the probability of noncompliance
to these requirements?
A. Inadequate buy-in from system owners to support the policies
B. Availability of security policy documents on a public website
C. Lack of training for end users on security policies
,D. Lack of an information security governance framework - ANS Inadequate buy-in from
system owners to support the policies
Which of the following is the BEST evidence that an organization's information security
governance framework is effective?
A. Threats to the organization have diminished.
B. The risk register is reviewed annually.
C. The framework focuses primarily on technical controls.
D. The framework can adapt to organizational changes. - ANS Threats to the organization
have diminished.
In information security governance, the PRIMARY role of the board of directors is to ensure:
A. approval of relevant policies and standards.
B. communication of security posture to stakeholders.
C. compliance with regulations and best practices.
D. alignment with the strategic goals of the organization. - ANS alignment with the strategic
goals of the organization.
Which of the following is the STRONGEST indicator of effective alignment between corporate
governance and information security governance?
A. Senior management sponsors information security efforts.
B. Senior management requests periodic information security updates.
C. Key performance indicators (KPIs) for controls trend positively.
D. Information security initiatives meet scope. schedule, and budget. - ANS Key
performance indicators (KPIs) for controls trend positively.
Which of the following should be the PRIMARY consideration when developing a security
governance framework for an enterprise?
A. Understanding of the current business strategy
B. Assessment of the current security architecture
C. Results of a business impact analysis (BIA)
D. Benchmarking against industry best practice - ANS Understanding of the current
business strategy
Who should decide the extent to which an organization will comply with new cybersecurity
regulatory requirements?
A. Senior management
B. IT steering committee
C. Legal counsel
,D. Information security manager - ANS Senior management
Which of the following would BEST help an information security manager prioritize remediation
activities to meet regulatory requirements?
A. A capability maturity model matrix
B. Annual loss expectancy (ALE) of noncompliance
C. Cost of associated controls
D. Alignment with the IT strategy - ANS Alignment with the IT strategy
Which of the following is the PRIMARY reason an information security strategy should be
deployed across an organization?
A. To ensure that the business complies with security regulations
B. To ensure that management's intent is reflected in security activities
C. To ensure that employees adhere to security standards
D. To ensure that security-related industry best practices are adopted - ANS To ensure that
the business complies with security regulations
Which of the following is the BEST option for addressing regulations that will adversely affect
the allocation of information security program resources?
A. Prioritize compliance efforts based on probability.
B. Determine compliance levels of peer organizations.
C. Delay implementation of compliance activities.
D. Conduct assessments for management decisions - ANS Conduct assessments for
management decisions
Which of the following should an information security manager do FIRST after learning about a
new regulation that affects the organization?
A. Evaluate the changes with legal counsel.
B. Notify the affected business units.
C. Assess the noncompliance risk.
D. Inform senior management of the new regulation - ANS Evaluate the changes with legal
counsel.
Which of the following should be the FIRST step to ensure an information security program
meets the requirements of new regulations?
A. Validate the asset classification schema.
B. Integrate compliance into the risk management process.
C. Assess organizational security controls.
, D. Conduct a gap analysis to determine necessary changes. - ANS Integrate compliance
into the risk management process.
Which of the following is MOST important to consider when handling digital evidence during the
forensics investigation of a cybercrime?
A. Business strategies
B. Industry best practices
C. Global standards
D. Local regulations - ANS Local regulations
A legacy application does not comply with new regulatory requirements to encrypt sensitive data
at rest, and remediating this issue would require significant investment. What should the
information security manager do FIRST?
A. Investigate alternative options to remediate the noncompliance.
B. Assess the business impact to the organization.
C. Present the noncompliance risk to senior management.
D. Determine the cost to remediate the noncompliance. - ANS Assess the business impact
to the organization.
During the establishment of a service level agreement (SLA) with a cloud service provider, it is
MOST important for the information security manager to:
A. update the security policy to reflect the provider's terms of service.
B. ensure security requirements are contractually enforceable.
C. set up proper communication paths with the provider.
D. understand the cloud storage architecture in use to determine security risk. - ANS
ensure security requirements are contractually enforceable
An outsourced vendor handles an organization's business-critical data. Which of the following is
the MOST effective way for the client organization to obtain assurance of the vendor's security
practices?
A. Verifying security certifications held by the vendor
B. Reviewing the vendor's security audit reports
C. Requiring periodic independent third-party reviews
D. Requiring business continuity plans (BCPs) from the vendor - ANS Requiring periodic
independent third-party reviews
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller DocLaura. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $11.39. You're not tied to anything after your purchase.
