CISM Certified Information Security Manager – Question1019

In the absence of technical controls, what would be the BEST way to reduce unauthorized text messaging on company-supplied mobile devices?

A. Conduct a business impact analysis (BIA) and provide the report to management.
B. Update the corporate mobile usage policy to prohibit texting.
C. Stop providing mobile devices until the organization is able to implement controls.
D. Include the topic of prohibited texting in security awareness training.

Correct Answer: D

CISM Certified Information Security Manager – Question1018

Which of the following is the MOST effective way to ensure security policies are relevant to organizational business practices?

A. Integrate industry best practices
B. Obtain senior management sign-off
C. Conduct an organization-wide security audit
D. Leverage security steering committee contribution

Correct Answer: D

CISM Certified Information Security Manager – Question1015

Which of the following is MOST useful to include in a report to senior management on a regular basis to demonstrate the effectiveness of the information security program?

A. Key risk indicators (KRIs)
B. Capability maturity models
C. Critical success factors (CSFs)
D. Key performance indicators (KPIs)

Correct Answer: A

CISM Certified Information Security Manager – Question1013

An information security manager learns users of an application are frequently using emergency elevated access privileges to process transactions. Which of the following should be done FIRST?

A. Request justification from the users' managers for emergency access.
B. Request the application administrator block all emergency access profiles.
C. Update the frequency and usage of the emergency access profile in the policy.
D. Review the security architecture of the application and recommend changes.

Correct Answer: D

CISM Certified Information Security Manager – Question1011

Which of the following is the MOST important step when establishing guidelines for the use of social networking sites in an organization?

A. Establish disciplinary actions for noncompliance.
B. Define acceptable information for posting.
C. Identify secure social networking sites.
D. Perform a vulnerability assessment.

Correct Answer: D

CISM Certified Information Security Manager – Question1010

An internal control audit has revealed a control deficiency related to a legacy system where the compensating controls no longer appear to be effective. Which of the following would BEST help the information security manager determine the security requirements to resolve the control deficiency?

A. Risk assessment
B. Gap analysis
C. Cost-benefit analysis
D. Business case

Correct Answer: B