Which of the following is the MOST important consideration when establishing an information security governance framework?

A. Security steering committee meetings are held at least monthly.
B. Members of the security steering committee are trained in information security.
C. Business unit management acceptance is obtained.
D. Executive management support is obtained.

A penetration test was conducted by an accredited third party. Which of the following should be the information security manager's FIRST course of action?

A. Ensure vulnerabilities found are resolved within acceptable timeframes.
B. Request funding needed to resolve the top vulnerabilities.
C. Report findings to senior management.
D. Ensure a risk assessment is performed to evaluate the findings.

Which of the following is the MOST important component of information security governance?

A. Approved Information security strategy
B. Documented information security policies
C. Comprehensive information security awareness program
D. Appropriate information security metrics

Which of the following would MOST effectively ensure that information security is implemented in a new system?

A. Security baselines
B. Security scanning
C. Secure code reviews
D. Penetration testing

Which of the following would be MOST helpful when justifying the funding required for a compensating control?

A. Business case
B. Risk analysis
C. Business impact analysis
D. Threat assessment

Which of the following should be the MOST important consideration of business continuity management?

A. Ensuring human safety
B. Identifying critical business processes
C. Ensuring the reliability of backup data
D. Securing critical information assets

Information classification is a fundamental step in determining:

A. whether risk analysis objectives are met.
B. who has ownership of information.
C. the type of metrics that should be captured.
D. the security strategy that should be used.

When designing security controls, it is MOST important to:

A. apply a risk-based approach.
B. focus on preventive controls.
C. evaluate the costs associated with the controls.
D. apply controls to confidential information.

Which of the following would BEST help to ensure the alignment between information security and business functions?

A. Establishing an information security governance committee
B. Developing information security policies
C. Providing funding for information security efforts
D. Establishing a security awareness program

Which of the following should be the FIRST step to ensure system updates are applied in a timely manner?

A. Run a patch management scan to discover which patches are missing from each machine.
B. Create a regression test plan to ensure business operation is not interrupted.
C. Cross-reference all missing patches to establish the date each patch was introduced.
D. Establish a risk-based assessment process for prioritizing patch implementation.