O o o O: Review The Residual Risk Level

Uploaded by Fares Salman

1. When the inherent risk of a business activity is lower than the acceptable risk level, the BEST course of action would be to:

o implement controls to mitigate the risk.
o report compliance to management.
o review the residual risk level.
o monitor for business changes.

2. Over the last year, an information security manager has performed risk assessments on multiple third-party vendors. Which of the following criteria would be MOST helpful in determining the associated level of risk applied to each vendor?

o Compensating controls in place to protect information security
o Corresponding breaches associated with each vendor
o Criticality of the service to the organization
o Compliance requirements associated with the regulation

3. An information security manager is concerned that executive management does not support information security initiatives. Which of the following is the BEST way to address this situation?

o Demonstrate alignment of the information security function with business needs.
o Escalate noncompliance concerns to the internal audit manager.
o Report the risk and status of the information security program to the board.
o Revise the information security strategy to meet executive management’s expectations.

4. The MOST important reason that security risk assessment should be conducted frequently throughout an organization is because:

o threats to the organization may change.
o controls should be regularly tested.
o compliance with legal and regulatory standards should be reassessed.
o control effectiveness may weaken.

5. Which of the following is the MOST important factor to consider when establishing a severity hierarchy for information security incidents?

o Management support
o Business impact
o Regulatory compliance
o Residual risk

6. The PRIMARY reason an organization would require that users sign an acknowledgment of their system access responsibilities is to:

o maintain compliance with industry best practices.
o serve as evidence of security awareness training.
o assign accountability for transactions made with the user’s ID.
o maintain an accurate record of users’ access rights.

7. Which of the following would provide the MOST reliable evidence to indicate whether employee access has been deactivated in a timely manner following termination?

o Comparing termination forms with dates in the HR system
o Reviewing hardware return-of-asset forms
o Interviewing supervisors to verify employee data is being updated immediately
o Comparing termination forms with system transaction log entries

8. To effectively classify data, which of the following MUST be determined?

o Data controls
o Data ownership
o Data users
o Data volume

9. Which of the following is the MOST effective way to ensure security policies are relevant to organizational business practices?

o Leverage security steering committee contribution.
o Obtain senior management sign-off.
o Integrate industry best practices.
o Conduct an organization-wide security audit.

10. To integrate security into system development life cycle (SDLC) processes, an organization MUST ensure that security:

o is a prerequisite for completion of major phases.
o performance metrics have been met.
o roles and responsibilities have been defined.
o is represented on the configuration control board.

11. Which of the following is the PRIMARY role of a data custodian?

o Processing information
o Securing information
o Classifying information
o Validating information

12. The PRIMARY focus of a training curriculum for members of an incident response team should be:

o technology training.
o security awareness.
o external corporate communication.
o specific role training.

13. Which of the following should be the PRIMARY objective of the information security incident response process?

o Minimizing negative impact to critical operations
o Communicating with internal and external parties
o Classifying incidents
o Conducting incident triage

14. Which of the following is MOST important to include in a contract with a critical service provider to help ensure alignment with the organization’s information security program?

o Escalation paths
o Right-to-audit clause
o Termination language
o Key performance indicators (KPIs)

15. Which of the following is MOST important when selecting an information security metric?

o Defining the metric in quantitative terms
o Aligning the metric to the IT strategy
o Defining the metric in qualitative terms
o Ensuring the metric is repeatable

16. The PRIMARY purpose of asset valuation for the management of information security is to:

o eliminate the least significant assets.
o provide a basis for asset classification.
o determine the value of each asset.
o prioritize risk management activities.

17. Which of the following is MOST effective in the strategic alignment of security initiatives?

o A security steering committee is set up within the IT department.
o Key information security policies are updated on a regular basis.
o Business leaders participate in information security decision making.
o Policies are created with input from business unit managers.

18. Which of the following is the BEST approach for determining the maturity level of an information security program?

o Review internal audit results.
o Engage a third-party review.
o Perform a self-assessment.
o Evaluate key performance indicators (KPIs).

19. An organization with a maturing incident response program conducts post-incident reviews for all major information security incidents. The PRIMARY goal of these reviews should be to:

o identify security program gaps or systemic weaknesses that need correction.
o prepare properly vetted notifications regarding the incidents to external parties.
o identify who should be held accountable for the security incidents.
o document and report the root cause of the incidents for senior management.

20. To gain a clear understanding of the impact that a new regulatory requirement will have on an organization’s information security controls, an information security manager should FIRST:

o conduct a risk assessment.
o perform a gap analysis.
o conduct a cost-benefit analysis.
o interview senior management.