Question 1

In order to build programs suited to their needs,organizations should conduct an annual information security evaluation,the results of which the CISO should review with staff and then report to the board of directors.

Accepted Answer

False

Question 2

A clearly directed strategy flows from top to bottom.

Accepted Answer

A clearly directed strategy should be established at the top-level management and then communicated down to ensure that all employees are aligned with the overarching goals and objectives of the organization.

Question 3

Benefits of Information Security Governance include optimization of the allocation of limited security safeguards.

Accepted Answer

False

Question 4

Because it sets out general business intentions,a mission statement does not need to be concise.

Accepted Answer

A mission statement should be concise and clear, communicating the organization's purpose and goals in a few sentences or paragraphs. It should be easy for stakeholders and employees to understand and remember.

Question 5

A good general governance framework based on the IDEAL model includes initiating,developing,evaluating,acting and leading.

Accepted Answer

The IDEAL model stands for Initiating, Diagnosing, Establishing, Acting, and Learning, not developing, evaluating, acting, and leading.

Question 6

Penetration testing is often conducted by consultants or outsourced contractors,who are commonly referred to as hackers,ninja teams or black teams.

Accepted Answer

Penetration testing is conducted by ethical hackers or security professionals, often referred to as white hat hackers, not black teams, which implies malicious intent.

Question 7

Strategic planning has a more short-term focus than tactical planning.

Accepted Answer

Strategic planning has a more long-term focus, while tactical planning focuses on short-term details and actions to achieve the strategic plan.

Question 8

The primary goal of internal monitoring is to maintain an informed awareness of the state of all of the organization's networks,information systems,and information security defenses.

Accepted Answer

The primary goal of internal monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses, making the statement true.

Question 9

The security governance responsibilities of mid-level managers in the organization includes implementing,auditing,enforcing and assessing compliance.

Accepted Answer

Mid-level managers are responsible for implementing security policies and procedures, auditing security controls and enforcing security compliance within their respective departments, and assessing compliance with security standards and regulations. This is crucial in maintaining an effective security program across the organization.

Question 10

A vision statement is meant to be a factual depiction of the current state of the organization.

Accepted Answer

A vision statement is not a factual depiction of the current state of the organization, but a statement of where the organization wants to be in the future.

Question 11

According to the Information Technology Governance Institute (ITGI),information security governance includes all of the accountabilities and methods undertaken by the board of directors and executive management to provide strategic direction and establishment of objectives.

Accepted Answer

The answer of According to the Information Technology Governance Institute...

Question 12

The success of information security plans can be enhanced by using a formal methodology like that of the systems development life cycle.

Accepted Answer

The answer of The success of information security plans can...

Question 13

Vision statements should be ambitious.

Accepted Answer

The answer of Vision statements should be ambitious....

Question 14

Boards of Directors for Information Security Governance should follow essential practices including identifying information security leaders,holding them accountable and ensuring support for them.

Accepted Answer

The answer of Boards of Directors for Information Security Governance...

Question 15

The CISO plays a more active role in the development of the planning details than does the CIO.

Accepted Answer

The answer of The CISO plays a more active role...

Question 16

Information security governance consists of the leadership,organizational structures,and processes that safeguard information.Critical to the success of these structures and processes is effective interoperability between all parties,which requires constructive relationships,a common language,and shared commitment to addressing the issues.

Accepted Answer

The answer of Information security governance consists of the leadership,organizational...

Question 17

CISOs use the operational plan to organize,prioritize,and acquire resources for major projects.

Accepted Answer

The answer of CISOs use the operational plan to organize,prioritize,and...

Question 18

The champion in a top-down approach to security implementation is usually a network administrator.

Accepted Answer

The answer of The champion in a top-down approach to...

Question 19

Implementation of information security can be accomplished only with a top-down approach.

Accepted Answer

The answer of Implementation of information security can be accomplished...

Question 20

The basic outcomes of information security governance should include strategic alignment of information security with business strategy to support strategic planning.

Accepted Answer

The answer of The basic outcomes of information security governance...

Question 21

A bottom-up approach to information security implementation begins with $\text {\underline{ security managers} }$&#10;&#10; who see to improve the security of their systems._________________________

Accepted Answer

The answer of A bottom-up approach to information security implementation...

Question 22

According to Information Security Roles and Responsibilities Made Easy,the Chief Information Security Officer must understand the fundamental

\text {\underline{ information technology } }

activities performed by the company and,based on this understanding,suggest appropriate information security solutions that uniquely protect these activities._________________________

Accepted Answer

The answer of According to Information Security Roles and Responsibilities...

Question 23

In order to build security programs suited to their needs,the CGTF recommends organizations conduct periodic testing and evaluation of the

\text {\underline{legality } }

of information security policies and procedures._________________________

Accepted Answer

The answer of In order to build security programs suited...

Question 24

Information security governance benefits include increased predictability and reduced uncertainty of

\text {\underline{business operations } }

by lowering information-security-related risks to definable and acceptable levels _________________________

Accepted Answer

The answer of Information security governance benefits include increased predictability...

Question 25

Some companies refer to $\text {\underline{ operationa} }$&#10;&#10; planning as intermediate planning._________________________

Accepted Answer

The answer of Some companies refer to \(\text {\underline{ operationa}...

Question 26

$\text {\underline{Tactical } }$&#10;&#10;planning is the basis for the long-term direction taken by the organization._________________________

Accepted Answer

The answer of $\text {\underline{Tactical } }$&#10;&#10;planning is the basis...

Question 27

Organizations following the IDEAL Governance framework would determine where you are relative to where you want to be in the $\text {\underline{ evaluation} }$&#10;&#10;phase._________________________

Accepted Answer

The answer of Organizations following the IDEAL Governance framework would...

Question 28

$\text {\underline{ Strategic} }$&#10;&#10; plans are used to create tactical plans._________________________

Accepted Answer

The answer of $\text {\underline{ Strategic} }$&#10;&#10; plans are used...

Question 29

Information security governance includes all of the accountabilities and methods undertaken by the board of directors and executive management to provide strategic direction,verification that

\text {\underline{ risk management} }

practices are appropriate,and validation that the organization's assets are used properly._________________________

Accepted Answer

The answer of Information security governance includes all of the...

Question 30

In a(n)$\text {\underline{methodology } }$&#10;&#10;,a problem is solved based on a structured sequence of procedures._________________________

Accepted Answer

The answer of In a(n)$\text {\underline{methodology } }$&#10;&#10;,a problem is...

Question 31

The $\text {\underline{ top-down} }$&#10;&#10; approach to security implementation might begin as a grass-roots effort in which systems administrators attempt to improve the security of their systems._________________________

Accepted Answer

The answer of The $\text {\underline{ top-down} }$&#10;&#10; approach to...

Question 32

The information security governance framework generally includes a comprehensive security strategy explicitly linked with business and IT

\text {\underline{ risks } }

._________________________

Accepted Answer

The answer of The information security governance framework generally includes...

Question 33

A(n)$\text {\underline{ vulnerability} }$&#10;&#10; is an identified weakness of a controlled information asset and is the result of absent or inadequate controls._________________________

Accepted Answer

The answer of A(n)$\text {\underline{ vulnerability} }$&#10;&#10; is an identified...

Question 34

Boards of directors should supervise strategic information security objectives by verifying that management's investment in information security is properly aligned with organizational strategies and the organization's

\text {\underline{competitive } }

environment._________________________

Accepted Answer

The answer of Boards of directors should supervise strategic information...

Question 35

The impetus to begin a SDLC-based project may be either event-driven or $\text {\underline{personnel-driven } }$&#10;&#10;._________________________

Accepted Answer

The answer of The impetus to begin a SDLC-based project...

Question 36

According to NACD,boards of directors should identify information security $\text {\underline{risks } }$&#10;&#10;,hold them accountable,and ensure support for them._________________________

Accepted Answer

The answer of According to NACD,boards of directors should identify...

Question 37

The primary role of the chief

\text {\underline{information } }

officer is to oversee overall "corporate security posture" for which he/she is accountable to the board._________________________

Accepted Answer

The answer of The primary role of the chief \(\text...

Question 38

The basic outcomes of information security governance should include risk management by executing appropriate measures to manage and mitigate

\text {\underline{threats } }

to information resources._________________________

Accepted Answer

The answer of The basic outcomes of information security governance...

Question 39

The $\text {\underline{values statement } }$&#10;&#10; of a business is like its identity card._________________________

Accepted Answer

The answer of The $\text {\underline{values statement } }$&#10;&#10; of...

Question 40

The CISO is also known as the chief security officer,director of information $\text {\underline{security } }$&#10;&#10; or information security manager._________________________

Accepted Answer

The answer of The CISO is also known as the...

Question 41

According to the Corporate Governance Task Force (CGTF),in order to build programs suited to their needs,organizations should do all but which of the following?&#10;A) Create and execute a plan for punitive action for employees who fail to resolve information security deficiencies&#10;B) Use security best practices guidance, such as ISO 17799, to measure information security performance&#10;C) Establish plans, procedures, and tests to provide continuity of operations&#10;D) Develop plans and initiate actions to provide adequate information security for networks, facilities, systems, and information

Accepted Answer

The answer of According to the Corporate Governance Task Force...

Question 42

Operational plans are used by ____.&#10;A) managers&#10;B) security managers&#10;C) the CISO&#10;D) the CIO

Accepted Answer

The answer of Operational plans are used by ____.&#10;A) managers&#10;B)...

Question 43

The basic outcomes of information security governance should include all but which of the following?&#10;A) Value delivery by optimizing information security investments in support of organizational objectives&#10;B) Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved&#10;C) Resource management by executing appropriate measures to manage and mitigate risks to information technologies&#10;D) Resource management by utilizing information security knowledge and infrastructure efficiently and effectively

Accepted Answer

The answer of The basic outcomes of information security governance...

Question 44

The National Association of Corporate Directors (NACD)recommends four essential practices for boards of directors.Which of the following is NOT one of these recommended practices?&#10;A) Place information security at the top of the board's agenda&#10;B) Assign information security to a key committee and ensure adequate support for that committee&#10;C) Ensure the effectiveness of the corporation's information security policy through review and approval&#10;D) Identify information security leaders, hold them accountable, and ensure support for them

Accepted Answer

The answer of The National Association of Corporate Directors (NACD)recommends...

Question 45

The ____ statement contains a formal set of organizational principles,standards,and qualities.&#10;A) vision&#10;B) mission&#10;C) values&#10;D) business

Accepted Answer

The answer of The ____ statement contains a formal set...

Question 46

The long-term direction taken by the organization is based on ____ planning.&#10;A) strategic&#10;B) tactical&#10;C) operational&#10;D) managerial

Accepted Answer

The answer of The long-term direction taken by the organization...

Question 47

The information security governance framework generally consists of which of the following?&#10;A) Security policies that address each aspect of strategy, control, and regulation&#10;B) A security strategy that talks about the value of information technologies protected&#10;C) Institutionalized monitoring processes to ensure compliance and provide feedback on effectiveness and mitigation of risk&#10;D) All of these are components of the information security governance framework

Accepted Answer

The answer of The information security governance framework generally consists...

Question 48

Which of the following is NOT a significant benefit of information security governance?&#10;A) Optimization of the allocation of limited security resources&#10;B) A level of assurance that critical decisions are not based on faulty information&#10;C) Increased predictability and reduced uncertainty of business operations by lowering information security-related risks to definable and acceptable levels&#10;D) All of these are benefits of information security governance

Accepted Answer

The answer of Which of the following is NOT a...

Question 49

The ____ explicitly declares the business of the organization and its intended areas of operations.&#10;A) vision statement&#10;B) values statement&#10;C) mission statement&#10;D) business statement

Accepted Answer

The answer of The ____ explicitly declares the business of...

Question 50

Budgeting,resource allocation,and manpower are critical components of the ____ plan.&#10;A) strategic&#10;B) operational&#10;C) organizational&#10;D) tactical

Accepted Answer

The answer of Budgeting,resource allocation,and manpower are critical components of...

Question 51

According to the Corporate Governance Task Force (CGTF),in order to build programs suited to their needs,organizations should do all but which of the following?&#10;A) Conduct periodic testing and evaluation of the effectiveness of information security policies and procedures&#10;B) Establish a security management structure to assign explicit individual roles, responsibilities, authority, and accountability&#10;C) Conduct an annual information security evaluation, the results of which the CISO should review with security staff and then report to the board of directors&#10;D) Implement policies and procedures based on risk assessments to secure information assets

Accepted Answer

The answer of According to the Corporate Governance Task Force...

Question 52

Information security ____ must be addressed at the highest levels of an organization's management team in order to be effective and offer a sustainable approach.&#10;A) objectives&#10;B) plans&#10;C) governance&#10;D) practices

Accepted Answer

The answer of Information security ____ must be addressed at...

Question 53

Which of the following is true about mission statements?&#10;A) They should be ambitious&#10;B) They express what the organization is&#10;C) They express the aspirations of the organization&#10;D) They are not meant to be probable

Accepted Answer

The answer of Which of the following is true about...

Question 54

____ statements are meant to express the aspirations of the organization.&#10;A) Mission&#10;B) Vision&#10;C) Values&#10;D) Business

Accepted Answer

The answer of ____ statements are meant to express the...

Question 55

Vision statements are meant to be ____.&#10;A) probable&#10;B) realistic&#10;C) factual&#10;D) ambitious

Accepted Answer

The answer of Vision statements are meant to be ____.&#10;A)...

Question 56

According to the IGTI,Boards of directors should supervise strategic information security objectives by all but which of the following?&#10;A) Inculcating a culture that recognizes the criticality of information and information security to the organization&#10;B) Verifying that management's investment in information security is properly aligned with organizational budgets and the organization's financial environment&#10;C) Assuring that a comprehensive information security program is developed and implemented&#10;D) Demanding reports from the various layers of management on the information security program's effectiveness and adequacy

Accepted Answer

The answer of According to the IGTI,Boards of directors should...

Question 57

____ plans are used to organize the ongoing,day-to-day performance of tasks.&#10;A) Strategic&#10;B) Tactical&#10;C) Organizational&#10;D) Operational

Accepted Answer

The answer of ____ plans are used to organize the...

Question 58

Tactical planning is also referred to as ____.&#10;A) strategic planning&#10;B) project planning&#10;C) organizational planning&#10;D) operational planning

Accepted Answer

The answer of Tactical planning is also referred to as...

Question 59

Which of the following is true?&#10;A) Strategic plans are used to create tactical plans&#10;B) Tactical plans are used to create strategic plans&#10;C) Operational plans are used to create tactical plans&#10;D) Operational plans are used to create strategic plans

Accepted Answer

The answer of Which of the following is true?&#10;A) Strategic...

Question 60

Tactical planning usually has a focus of ____.&#10;A) one to five days&#10;B) one to three months&#10;C) one to three years&#10;D) five or more years

Accepted Answer

The answer of Tactical planning usually has a focus of...

Question 61

According to the Corporate Governance Task Force (CGTF),which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?&#10;A) Initiating&#10;B) Establishing&#10;C) Acting&#10;D) Learning

Accepted Answer

The answer of According to the Corporate Governance Task Force...

Question 62

Which of the following is an information security governance responsibility of the organization's employees?&#10;A) Communicate policies and the program&#10;B) Set security policy, procedures, programs and training for the organization&#10;C) Brief the board, customers and the public&#10;D) Implement policy, report security vulnerabilities and breaches

Accepted Answer

The answer of Which of the following is an information...

Question 63

A ____ is a formal approach to solving a problem based on a structured sequence of procedures.&#10;A) plan&#10;B) methodology&#10;C) program&#10;D) control

Accepted Answer

The answer of A ____ is a formal approach to...

Question 64

Which of the following is a characteristic of the bottom-up approach to security implementation?&#10;A) Strong upper-management support&#10;B) A clear planning and implementation process&#10;C) Systems administrators attempting to improve the security of their systems&#10;D) Ability to influence organizational culture

Accepted Answer

The answer of Which of the following is a characteristic...

Deck 2: Planning for Security