CISM Certified Information Security Manager – Question1028

A cloud service provider is unable to provide an independent assessment of controls. Which of the following is the BEST way to obtain assurance that the provider can adequately protect the organization’s information?

A. Invoke the right to audit per the contract
B. Review the provider’s information security policy
C. Check references supplied by the provider’s other customers
D. Review the provider’s self-assessment

Correct Answer: A

CISM Certified Information Security Manager – Question1027

An internal audit has found that critical patches were not implemented within the timeline established by policy without a valid reason. Which of the following is the BEST course of action to address the audit findings?

A. Perform regular audits on the implementation of critical patches.
B. Evaluate patch management training.
C. Assess the patch management process.
D. Monitor and notify IT staff of critical patches.

Correct Answer: C

CISM Certified Information Security Manager – Question1026

Which of the following will BEST provide an organization with ongoing assurance of the information security services provided by a cloud provider?

A. Requiring periodic self-assessments by the provider
B. Evaluating the provider’s security incident response plan
C. Continuous monitoring of an information security risk profile
D. Ensuring the provider’s roles and responsibilities are established

Correct Answer: C

CISM Certified Information Security Manager – Question1025

An organization implemented a mandatory information security awareness training program a year ago. What is the BEST way to determine its effectiveness?

A. Analyze findings from previous audit reports
B. Analyze results from training completion reports
C. Analyze results of a social engineering test
D. Analyze responses from an employee survey of training satisfaction

Correct Answer: C

CISM Certified Information Security Manager – Question1023

What should the information security manager do FIRST when end users express that new security controls are too restrictive?

A. Conduct a business impact analysis (BIA)
B. Obtain process owner buy-in to remove the controls
C. Perform a risk assessment on modifying the control environment
D. Perform a cost-benefit analysis on modifying the control environment

Correct Answer: C

CISM Certified Information Security Manager – Question1022

An organization’s marketing department has requested access to cloud-based collaboration sites for exchanging media files with external marketing companies. As a result, the information security manager has been asked to perform a risk assessment. Which of the following should be the MOST important consideration?

A. The information to be exchanged
B. Methods for transferring the information
C. Reputations of the external marketing companies
D. The security of the third-party cloud provider

Correct Answer: B

CISM Certified Information Security Manager – Question1021

A message is being sent with a hash. The risk of an attacker changing the message and generating an authentic hash value can be mitigated by:

A. using a secret key in conjunction with the hash algorithm
B. requiring the recipient to use a different hash algorithm
C. using the sender’s public key to encrypt the message
D. generating hash output that is the same size as the original message

Correct Answer: A