CISM Certified Information Security Manager – Question1269

When reviewing the security controls of an application service provider, an information security manager discovers the provider's change management controls are insufficient. Changes to the provided application often occur spontaneously with no notification to clients. Which of the following would BEST facilitate a decision to continue or discontinue services with this provider?

A. Comparing the client organization's risk appetite to the disaster recovery plan of the service provider.
B. Comparing the client organization's risk appetite to the criticality of the supplied application.
C. Comparing the client organization's risk appetite to the frequency of application downtimes.
D. Comparing the client organization's risk appetite to the vendor's change control policy.

Correct Answer: D

CISM Certified Information Security Manager – Question1268

Which of the following should occur FIRST in the process of managing security risk associated with the transfer of data from unsupported legacy systems to supported systems?

A. Make backups of the affected systems prior to transfer.
B. Increase cyber insurance coverage.
C. Identify all information assets in the legacy environment.
D. Assign owners to be responsible for the transfer of each asset.

Correct Answer: C

CISM Certified Information Security Manager – Question1267

Which of the following provides the GREATEST assurance that an organization allocates appropriate resources to respond to information security events?

A. Threat analysis and intelligence reports
B. Incident classification procedures
C. Information security policies and standards
D. An approved IT staffing plan

Correct Answer: C

CISM Certified Information Security Manager – Question1266

Which of the following is the FIRST step to perform before outsourcing critical information processing to a third party?

A. Require background checks for third-party employees.
B. Perform a risk assessment.
C. Ensure that risks are formally accepted by third party.
D. Negotiate a service level agreement.

Correct Answer: B

CISM Certified Information Security Manager – Question1264

When conducting a post-incident review, the GREATEST benefit of collecting mean time to resolution (MTTR) data is the ability to:

A. reduce the costs of future preventive controls.
B. provide metrics for reporting to senior management.
C. learn of potential areas of improvement.
D. verify compliance with the service level agreement (SLA).

Correct Answer: C

CISM Certified Information Security Manager – Question1262

An information security manager determines the organization's critical systems may be vulnerable to a new zero-day attack. The FIRST course of action is to:

A. advise management of risk and remediation cost.
B. analyze the probability of compromise.
C. survey peer organizations to see how they have addressed the issue.
D. re-assess the firewall configuration.

Correct Answer: B