CISM Certified Information Security Manager – Question1188

Cold sites for disaster recovery events are MOST helpful in situations in which a company:

A. has a limited budget for coverage.
B. uses highly specialized equipment that must be custom manufactured.
C. is located in close proximity to the cold site.
D. does not require any telecommunications connectivity.

Correct Answer: A

CISM Certified Information Security Manager – Question1187

Which of the following will BEST facilitate the understanding of information security responsibilities by users across the organization?

A. Conducting security awareness training with performance incentives
B. Communicating security responsibilities as an acceptable usage policy
C. Warning users that disciplinary action will be taken for violations
D. Incorporating information security into the organization's code of conduct

Correct Answer: A

CISM Certified Information Security Manager – Question1186

Which of the following is the BEST way for an organization that outsources many business processes to gain assurance that services provided are adequately secured?

A. Review the service providers’ information security policies and procedures.
B. Conduct regular vulnerability assessments on the service providers’ IT systems.
C. Perform regular audits on the service providers’ applicable controls.
D. Provide information security awareness training to service provider staff.

Correct Answer: B

CISM Certified Information Security Manager – Question1185

An external security audit has reported multiple instances of control noncompliance. Which of the following is MOST important for the information security manager to communicate to senior management?

A. Control owner responses based on a root cause analysis
B. The impact of noncompliance on the organization's risk profile
C. An accountability report to initiate remediation activities
D. A plan for mitigating the risk due to noncompliance

Correct Answer: B

CISM Certified Information Security Manager – Question1184

Which of the following is the MOST effective method to help ensure information security incidents are reported?

A. Providing information security awareness training to employees
B. Integrating information security language in conditions of employment
C. Integrating information security language in corporate compliance rules
D. Implementing an incident management system

Correct Answer: A

CISM Certified Information Security Manager – Question1183

Which of the following statements indicates that a previously failing security program is becoming successful?

A. The number of threats has been reduced.
B. More employees and stakeholders are attending security awareness programs.
C. The number of vulnerability false positives is decreasing.
D. Management's attention and budget are now focused on risk reduction.

Correct Answer: A

CISM Certified Information Security Manager – Question1182

Which of the following provides the BEST evidence that the information security program is aligned to the business strategy?

A. The information security program manages risk within the business's risk tolerance.
B. The information security team is able to provide key performance indicators (KPIs) to senior management.
C. Business senior management supports the information security policies.
D. Information security initiatives are directly correlated to business processes.

Correct Answer: D

CISM Certified Information Security Manager – Question1181

Which of the following is the BEST way to ensure information security metrics are meaningful?

A. Using a dashboard to present the information security metrics
B. Requiring information security metrics to be approved by senior management
C. Aligning information security metrics with business drivers
D. Correlating information security metrics to industry best practices

Correct Answer: C