Question 1
- A board of directors uses _____________ to set forth its information security plans.
policies
financial statements
standards
goals
4 points
- A formal ______________ is executive management's high-level statement of information security direction and goals.
standard
policy
guidelines
procedures
4 points
- A risk assessment ____________________.
should be as broad as possible in scope
should be narrowly scoped
does not need to address conflicts of interest when selecting team members
needs only the approval of information security managers and subject matter experts
4 points
- According to NIST, the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level is ___________.
incident response management
security response management
breach response management
risk management
4 points
- An organization responds to risk according to its:
monitoring plan
operation plan
business strategy
tactical plan
4 points
- An organization's senior IT official is generally referred to as its:
A. Chief Information Officer
B. Chief Technology Officer
C. Chief Information Security Officer
D. Information Security Manager
E. Chief Financial Officer
4 points
- Any organization's risk management plan includes:
risk assessment, risk response, training employees, and continuous monitoring
risk assessment, ISO compliance, tactical planning, and continuous monitoring
risk assessment, risk response, ISO compliance, FISMA compliance
risk assessment, risk response, tactical planning, FISMA compliance
4 points
- The party in an organization responsible for functional management of the organization's information security program. This person manages the operational activities and implements controls specified by higher-level management.
A. Board of Directors
B. Chief Information Officer
C. Chief Technology Officer
D. Chief Information Security Officer
E. Information Security Manager
4 points
- One of the main goals of _______________ is to protect an organization's bottom line.
tactical planning
risk management
an incident response plan
IT management
4 points
- Of the following information security assurance documents, which is the most flexible?
policy
standard
guideline
procedure
4 points
- Most flexible type of Information Security Governance Document.
A. Guidelines
B. Procedures
C. Standards
D. Policies
E. None of the above
4 points
- Members of the risk assessment team should include:
information security managers only
information security managers and financial planners
representatives from business, IT, human resources, executive management, and information security managers
information security managers, financial planners, and representatives from business lines
4 points
- Group responsible for information security governance.
A. Information Security Management
B. Executive Management
C. Chief Information Security Officer
D. Chief Information Officer
E. None of the above
4 points
- Following a disaster, what is the best kind of site if you need to resume operations in the shortest possible time?
hot
cold
warm
nearby
4 points
- Executive Management's high-level statement of information security directions and goals.
A. Guidelines
B. Procedures
C. Standards
D. Policies
E. All of the above
4 points
- Data destruction policies do not include which of the following?
identification of data ready for destruction
proper destruction methods for different kinds of data or storage media
consequences for improper destruction
how long the data should be retained
4 points
- Data __________________ policies state how data is controlled throughout its life cycle.
retention
privacy
detention
use
4 points
- When testing a disaster recovery plan, which test involves hypothetical role-playing of a disaster?
full interruption
walk-through
scenario
parallel
4 points
- What type of standard states a minimum level of behavior or actions that must be met to comply with a policy?
baseline
minimal
safeguard
procedural
4 points
- What type of risk assessment uses monetary values to assess a risk?
ongoing
quantitative
probability-based
qualitative
4 points
- What type of risk assessment uses descriptive categories to express asset criticality, risk exposure (likelihood), and risk impact?
ongoing
quantitative
probability-based
qualitative
4 points
- What kind of policy would contain a No Retaliation element?
acceptable use
anti-harassment
intellectual property
authentication
4 points
- What is the primary function of an organization's information security goals?
A. To support the business objectives
B. To ensure information is not shared
C. To support industry guidelines
D. To support mid-level decision making
E. None of the above
4 points
- What do you compare in a risk-level matrix when evaluating the elements of a risk?
threat and available controls
threat likelihood and impact
impact and severity
cost and impact
4 points
- Types or categories of business planning:
A. Information Planning
B. Strategic Planning
C. Strategic Planning and Tactical Planning
D. Strategic Planning, Tactical Planning and Operational Planning
E. Information Planning, Strategic Planning and Operational Planning