Which of the following BEST describes an information security manager's role in a multidisciplinary
team that will address a new regulatory requirement regarding operational risk?
A. Ensure that all IT risks are identified
B. Evaluate the impact of information security risks
C. Demonstrate that IT mitigating controls are in place
D. Suggest new IT controls to mitigate operational risk
Answer: B
The job of the information security officer on such a team is to assess the risks to the business
operation. Choice A is incorrect because information security is not limited to IT issues. Choice C is
incorrect because at the time a team is formed to assess risk, it is premature to assume that any
demonstration of IT controls will mitigate business operations risk. Choice D is incorrect because it is
premature at the time of the formation of the team to assume that any suggestion of new IT controls
will mitigate business operational risk.
An internal audit has identified major weaknesses over IT processing. Which of the following should
an information security manager use to BEST convey a sense of urgency to management?
A. Security metrics reports
B. Risk assessment reports
C. Business impact analysis (BIA)
D. Return on security investment report
Answer: B
Performing a risk assessment will allow the information security manager to prioritize the remedial
measures and provide a means to convey a sense of urgency to management. Metrics reports are
normally contained within the methodology of the risk assessment to give it credibility and provide an
ongoing tool. The business impact analysis (BIA) covers continuity risks only. Return on security
investment cannot be determined until a plan is developed based on the BIA.
SS4-4 Which of the following is the MOST important consideration when developing a service level
agreement (SLA) to mitigate the risk that outsourcing will result in a loss to the business?
A. The nature of the indemnity clause
B. Ensuring that the business objectives are defined and met
C. Alignment of information system security objectives with enterprise goals
D. Compliance with legal requirements
Answer: B
An indemnity clause is not the most important consideration and may not be part of the SLA. An SLA should be designed to deliver and protect the business needs. The security objective is what is being sought by implementing the control. While important, compliance with legal requirements is not generally a primary consideration for SLAs and, in many cases, is not a factor.
SS5-2 Which of the following is the MOST important to successfully manage an incident?
A. Clearly documented roles and responsibilities
B. An approved and tested incident management and response plan
C. IT personnel with ready access to hardware and software to restore operations
D. An updated incident response training program
Answer: B
An approved and tested incident management and response plan provides a needed course of action, depending upon the incident, and includes the other options. Clearly documented roles and responsibilities are a part of an approved and tested incident management and response plan. An incident does not necessarily involve hardware or software restoration. While training is important, this is not the most important component.
8. Determining the nature and extent of activities required in developing or improving an
information security program often requires assessing the existing security levels of various program
components. The BEST process to accomplish this task is to perform a(n):
A. impact assessment.
B. vulnerability assessment.
C. gap analysis.
D. threat assessment.
Which of the following constitutes the MAIN project activities undertaken in developing an information security
program?
A. Controls design and deployment
B. Security organization development
C. Logical and conceptual architecture design
D. Development of risk management objectives
Which of the following would be of GREATEST importance to the security manager in determining
whether to accept residual risk?
A. Historical cost of the asset
B. Acceptable level of potential business impacts
C. Cost versus benefit of additional mitigating controls
D. Annualized loss expectancy (ALE)
An information security manager uses security metrics to measure the:
A. performance of the information security program.
B. performance of the security baseline.
C. effectiveness of the security risk analysis.
D. effectiveness of the incident response team.
QUESTION NO: 85
Which would be the BEST recommendation to protect against phishing attacks?
A. Install an anti-spam system
B. Publish security guidance for customers
C. Provide security awareness to the organization's staff
D. Install an application-level firewall
QUESTION NO: 86
What is the BEST way to alleviate security team understaffing while retaining the capability in-house?
A. Hire a contractor that would not be included in the permanent headcount
B. Outsource with a security services provider while retaining the control internally
C. Establish a virtual security team from competent employees across the company
D. Provide cross training to minimize the existing resources gap
QUESTION NO: 87
A desktop computer that was involved in a computer security incident should be secured as evidence
by:
A. disconnecting the computer from all power sources.
B. disabling all local user accounts except for one administrator.
C. encrypting local files and uploading exact copies to a secure server.
D. copying all files using the operating system (OS) to write-once media.
QUESTION NO: 137
To determine the selection of controls required to meet business objectives, an information security
manager should:
A. prioritize the use of role-based access controls.
B. focus on key controls.
C. restrict controls to only critical applications.
D. focus on automated controls.
Which of the following is the MOST important reason why information security objectives should be
defined?
A. Tool for measuring effectiveness
B. General understanding of goals
C. Consistency with applicable standards
D. Management sign-off and support initiatives
QUESTION NO: 161
Which of the following would be the FIRST step in establishing an information security program?
A. Develop the security policy.
B. Develop security operating procedures.
C. Develop the security plan.
D. Conduct a security controls study.
QUESTION NO: 176
The management staff of an organization that does not have a dedicated security function decides to use
its IT manager to perform a security review. The MAIN job requirement in this arrangement is that the IT
manager:
A. report risks in other departments.
B. obtain support from other departments.
C. report significant security risks.
D. have knowledge of security standards.
A new port needs to be opened in a perimeter firewall. Which of the following should be the FIRST step
before initiating any changes?
A. Prepare an impact assessment report.
B. Conduct a penetration test.
C. Obtain approval from senior management.
D. Back up the firewall configuration and policy files.
Question # 528
Which of the following is the MOST likely to change an organization's culture to one that is more
security conscious?
A. Adequate security policies and procedures
B. Periodic compliance reviews
C. Security steering committees
D. Security awareness campaigns
Answer: D
Security awareness campaigns will be more effective at changing an organizational culture than the creation of steering committees and security policies and procedures. Compliance reviews are helpful; however, awareness by all staff is more effective because compliance reviews are focused on certain areas/groups and do not necessarily educate.
Question # 123
Which of the following would help to change an organization's security culture?
A. Develop procedures to enforce the information security policy
B. Obtain strong management support
C. Implement strict technical security controls
D. Periodically audit compliance with the information security policy
Answer: B
Management support and pressure will help to change an organization's culture. Procedures will support an information security policy, but cannot change the culture of the organization. Technical controls will provide more security to an information system and staff; however, this does not mean the culture will be changed. Auditing will help to ensure the effectiveness of the information security policy; however, auditing is not effective in changing the culture of the company.