A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?
Answer : C
Explanation:
Resolving conflicts of this type should be based on a sound risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. A blanket decision should never be given without conducting such an analysis. Enforcing existing standards is a good practice; however, standards need to be continuously examined in light of new technologies and the risks they present. Standards should not be changed without an appropriate risk assessment.
Acceptable levels of information security risk should be determined by:
Answer : D
Explanation:
Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume.
Legal counsel, the external auditors and security management are not in a position to make such a decision.
The PRIMARY goal in developing an information security strategy is to:
Answer : D
Explanation:
The business objectives of the organization supersede all other factors. Establishing metrics and measuring performance, meeting legal and regulatory requirements, and educating business process owners are all subordinate to this overall goal.
Senior management commitment and support for information security can BEST be enhanced through:
Answer : C
Explanation:
Ensuring that security activities continue to be aligned and support business goals is critical to obtaining their support. Although having the chief executive officer
(CEO) signoff on the security policy and senior management signoff on the security strategy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior management. Security awareness training for employees will not have as much effect on senior management commitment.
When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?
Answer : B
Explanation:
It will be much more efficient to craft all relevant requirements into policies than to create separate versions. Using statements provided by regulators will not capture all of the requirements mandated by different regulators. A compliance risk assessment is an important tool to verify that procedures ensure compliance once the policies have been established.
Which of the following MOST commonly falls within the scope of an information security governance steering committee?
Answer : C
Explanation:
Prioritizing information security initiatives is the only appropriate item. The interviewing of specialists should be performed by the information security manager, while the developing of program content should be performed by the information security staff. Approving access to critical financial systems is the responsibility of individual system data owners.
Which of the following is the MOST important factor when designing information security architecture?
Answer : D
Explanation:
The most important factor for information security is that it advances the interests of the business, as defined by stakeholder requirements. Interoperability and scalability, as well as development methodologies, are all important but are without merit if a technologically-elegant solution is achieved that does not meet the needs of the business.
Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?
Answer : B
Explanation:
Information security will be properly aligned with the goals of the business only with the ability to understand and map organizational needs to enable security technologies. All of the other choices are important but secondary to meeting business security needs.
Which of the following are likely to be updated MOST frequently?
Answer : A
Explanation:
Policies and standards should generally be more static and less subject to frequent change. Procedures on the other hand, especially with regard to the hardening of operating systems, will be subject to constant change; as operating systems change and evolve, the procedures for hardening will have to keep pace.
Who should be responsible for enforcing access rights to application data?
Answer : D
Explanation:
As custodians, security administrators are responsible for enforcing access rights to data. Data owners are responsible for approving these access rights.
Business process owners are sometimes the data owners as well, and would not be responsible for enforcement. The security steering committee would not be responsible for enforcement.
The chief information security officer (CISO) should ideally have a direct reporting relationship to the:
Answer : B
Explanation:
The chief information security officer (CISO) should ideally report to as high a level within the organization as possible. Among the choices given, the chief operations officer (COO) would have not only the appropriate level but also the knowledge of day-to-day operations. The head of internal audit and legal counsel would make good secondary choices, although they would not be as knowledgeable of the operations. Reporting to the chief technology officer (CTO) could become problematic as the CTO's goals for the infrastructure might, at times, run counter to the goals of information security.
Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?
Answer : D
Explanation:
Developing a strategy paper on information security would be the most appropriate. Approving access would be the job of the data owner. Updating platform-level security and conducting recovery test exercises would be less essential since these are administrative tasks.
Developing a successful business case for the acquisition of information security software products can BEST be assisted by:
Answer : C
Explanation:
Calculating the return on investment (ROI) will most closely align security with the impact on the bottom line. Frequency and cost of incidents are factors that go into determining the impact on the business but, by themselves, are insufficient. Comparing spending against similar organizations can be problematic since similar organizations may have different business goals and appetites for risk.
When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:
Answer : D
Explanation:
Any planning for information security should be properly aligned with the needs of the business. Technology should not come before the needs of the business, nor should planning be done on an artificial timetable that ignores business needs.
Which of the following is the MOST important information to include in a strategic plan for information security?
Answer : B
Explanation:
It is most important to paint a vision for the future and then draw a road map from the stalling point to the desired future state. Staffing, capital investment and the mission all stem from this foundation.
Have any questions or issues ? Please dont hesitate to contact us