CISM Certified Information Security Manager – Question1479

Organization XYZ, a lucrative, Internet-only business, recently suffered a power outage that lasted two hours. The organization's data center was unavailable in the interim. In order to mitigate risk in the MOST cost-efficient manner, the organization should:

A. plan to operate at a reduced capacity from the primary place of business.
B. create an IT hot site with immediate fail-over capability.
C. install an uninterruptible power supply (UPS) and generator.
D. set up a duplicate business center in a geographically separate area.

Correct Answer: C

CISM Certified Information Security Manager – Question1478

Which of the following is the BEST method to ensure that data owners take responsibility for implementing information security processes?

A. Include security tasks into employee job descriptions.
B. Include membership on project teams.
C. Provide job rotation into the security organization.
D. Increase security awareness training.

Correct Answer: D

CISM Certified Information Security Manager – Question1477

Which of the following is the MOST effective way to address an organization's security concerns during contract negotiations with a third party?

A. Ensure security is involved in the procurement process.
B. Communicate security policy with the third-party vendor.
C. Review the third-party contract with the organization's legal department.
D. Conduct an information security audit on the third-party vendor.

Correct Answer: A

CISM Certified Information Security Manager – Question1475

Executive leadership has decided to engage a consulting firm to develop and implement a comprehensive security framework for the organization to allow senior management to remain focused on business priorities. Which of the following poses the GREATEST challenge to the successful implementation of a new security governance framework?

A. Information security management does not fully accept the responsibility for information security governance.
B. Executive leadership views information security governance primarily as a concern of the information security management team.
C. Information security staff has little or no experience with the practice of information security governance.
D. Executive leadership becomes involved in decisions about information security governance.

Correct Answer: A

CISM Certified Information Security Manager – Question1470

With limited resources in the information security department, which of the following is the BEST approach for managing security risk?

A. Implement technical solutions to automate security management activities.
B. Prioritize security activities and report to management.
C. Hire additional information security staff.
D. Engage a third-party company to provide security support.

Correct Answer: B