Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?
A. More uniformity in quality of service
B. Better adherence to policies
C. Better alignment to business unit needs
D. More savings in total operating costs
Answer: C
Explanation:
Decentralization of information security management generally results in better alignment to business unit needs. It is generally more expensive to administer due to the lack of economies of scale. Uniformity in quality of service tends to vary from unit to unit.
Q2. Senior management commitment and support for information security can BEST be enhanced through:
A. a formal security policy sponsored by the chief executive officer (CEO).
B. regular security awareness training for employees.
C. periodic review of alignment with business management goals.
D. senior management signoff on the information security strategy.
Answer: C
Explanation:
Ensuring that security activities continue to be aligned and support business goals is critical to obtaining their support. Although having the chief executive officer (CEO) signoff on the security policy and senior management signoff on the security strategy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior management. Security awareness training for employees will not have as much effect on senior management commitment.
Q3. When implementing security controls, an information security manager must PRIMARILY focus on:
A. minimizing operational impacts.
B. eliminating all vulnerabilities.
C. usage by similar organizations.
D. certification from a third party.
Answer: A
Explanation:
Security controls must be compatible with business needs. It is not feasible to eliminate all vulnerabilities. Usage by similar organizations does not guarantee that controls are adequate. Certification by a third party is important, but not a primary concern.
Q4. Which of the following steps should be performed FIRST in the risk assessment process?
A. Staff interviews
B. Threat identification
C. Asset identification and valuation
D. Determination of the likelihood of identified risks
Answer: C
Explanation:
The first step in the risk assessment methodology is a system characterization, or identification and valuation, of all of the enterprise's assets to define the boundaries of the assessment. Interviewing is a valuable tool to determine qualitative information about an organization's objectives and tolerance for risk. Interviews are used in subsequent steps. Identification of threats comes later in the process and should not be performed prior to an inventory since many possible threats will not be applicable if there is no asset at risk. Determination of likelihood comes later in the risk assessment process.
Q5. A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
A. meet with stakeholders to decide how to comply.
B. analyze key risks in the compliance process.
C. assess whether existing controls meet the regulation.
D. update the existing security/privacy policy.
Answer: C
Explanation:
If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap.
Q6. Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
A. Information security manager
B. Chief operating officer (COO)
C. Internal auditor
D. Legal counsel
Answer: B
Explanation:
The chief operating officer (COO) is highly-placed within an organization and has the most knowledge of business operations and objectives. The chief internal auditor and chief legal counsel are appropriate members of such a steering group. However, sponsoring the creation of the steering committee should be initiated by someone versed in the strategy and direction of the business. Since a security manager is looking to this group for direction, they are not in the best position to oversee formation of this group.
Q7. Security technologies should be selected PRIMARILY on the basis of their:
A. ability to mitigate business risks.
B. evaluations in trade publications.
C. use of new and emerging technologies.
D. benefits in comparison to their costs.
Answer: A
Explanation:
The most fundamental evaluation criterion for the appropriate selection of any security technology is its ability to reduce or eliminate business risks. Investments in security technologies should be based on their overall value in relation to their cost; the value can be demonstrated in terms of risk mitigation. This should take precedence over whether they use new or exotic technologies or how they are evaluated in trade publications.
Q8. Which of the following BEST indicates a successful risk management practice?
A. Overall risk is quantified
B. Inherent risk is eliminated
C. Residual risk is minimized
D. Control risk is tied to business units
Answer: C
Explanation:
A successful risk management practice minimizes the residual risk to the organization. Choice A is incorrect because the fact that overall risk has been quantified does not necessarily indicate the existence of a successful risk management practice. Choice B is incorrect since it is virtually impossible to eliminate inherent risk. Choice D is incorrect because, although the tying of control risks to business may improve accountability, this is not as desirable as minimizing residual risk.
Q9. Which of the following is MOST essential for a risk management program to be effective?
A. Flexible security budget
B. Sound risk baseline
C. New risks detection
D. Accurate risk reporting
Answer: C
Explanation:
All of these procedures are essential for implementing risk management. However, without identifying new risks, other procedures will only be useful for a limited period.
Q10. In implementing information security governance, the information security manager is PRIMARILY responsible for:
A. developing the security strategy.
B. reviewing the security strategy.
C. communicating the security strategy.
D. approving the security strategy
Answer: A
Explanation:
The information security manager is responsible for developing a security strategy based on business objectives with the help of business process owners. Reviewing the security strategy is the responsibility of a steering committee. The information security manager is not necessarily responsible for communicating or approving the security strategy.
Q11. To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:
A. review the functionalities and implementation requirements of the solution.
B. review comparison reports of tool implementation in peer companies.
C. provide examples of situations where such a tool would be useful.
D. substantiate the investment in meeting organizational needs.
Answer: D
Explanation:
Any investment must be reviewed to determine whether it is cost effective and supports the organizational strategy. It is important to review the features and functionalities provided by such a tool, and to provide examples of situations where the tool would be useful, but that comes after substantiating the investment and return on investment to the organization.
Q12. Quantitative risk analysis is MOST appropriate when assessment data:
A. include customer perceptions.
B. contain percentage estimates.
C. do not contain specific details.
D. contain subjective information.
Answer: B
Explanation:
Percentage estimates are characteristic of quantitative risk analysis. Customer perceptions, lack of specific details or subjective information lend themselves more to qualitative risk analysis.
Q13. When developing an information security program, what is the MOST useful source of information for determining available resources?
A. Proficiency test
B. Job descriptions
C. Organization chart
D. Skills inventory
Answer: D
Explanation:
A skills inventory would help identify- the available resources, any gaps and the training requirements for developing resources. Proficiency testing is useful but only with regard to specific technical skills. Job descriptions would not be as useful since they may be out of date or not sufficiently detailed. An organization chart would not provide the details necessary to determine the resources required for this activity.
Q14. What is the MOST important factor in the successful implementation of an enterprise wide information security program?
A. Realistic budget estimates
B. Security awareness
C. Support of senior management
D. Recalculation of the work factor
Answer: C
Explanation:
Without the support of senior management, an information security program has little chance of survival. A company's leadership group, more than any other group, will more successfully drive the program. Their authoritative position in the company is a key factor. Budget approval, resource commitments, and companywide participation also require the buy-in from senior management. Senior management is responsible for providing an adequate budget and the necessary resources. Security awareness is important, but not the most important factor. Recalculation of the work factor is a part of risk management.
Q15. Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:
A. organizational risk.
B. organization wide metrics.
C. security needs.
D. the responsibilities of organizational units.
Answer: A
Explanation:
Information security exists to help the organization meet its objectives. The information security manager should identify information security needs based on organizational needs. Organizational or business risk should always take precedence. Involving each organizational unit in information security and establishing metrics to measure success will be viewed favorably by senior management after the overall organizational risk is identified.