QUESTIONS AND CORRECT ANSWERS
⫸ Management wants to ensure that IT is successful in delivering
against business requirements. Which of the following BEST supports
that effort? Answer: An internal control system or framework.
For IT to be successful in delivering against business requirements,
management should develop an internal control system that supports its
business requirements.
⫸ Which of the following risk assessment outputs is MOST suitable to
help justify an enterprise information security program? Answer: A list
of appropriate controls for addressing risk.
A list of information security controls corresponding to risk scenarios
identified during risk assessment is one of the primary deliverables of
the risk assessment exercise. The list demonstrates due consideration of
risk and applicable controls to address the risk and therefore helps justify
a program predicated on risk mitigation.
⫸ Whether a risk has been reduced to an acceptable level should be
determined by: Answer: Enterprise requirements.
Enterprise requirements as dictated by enterprise goals and objectives
should determine when a risk has been reduced to an acceptable level.
Information systems and security requirements and standards may help
,inform enterprise requirements, but in themselves lack the critical
context of enterprise business goals.
⫸ Commitment and support of senior management for information
security investment can BEST be accomplished by a business case that:
Answer: Ties security risk to enterprise business objectives.
Senior management seeks to understand the business justification for
investing in security. This can best be accomplished by tying security to
key business objectives.
⫸ The PRIMARY reason for developing an enterprise security
architecture is to: Answer: Align security strategies among the
functional areas of an enterprise and external entities.
The enterprise security architecture must align strategies and objectives
of diverse functional areas within the enterprise, optimize the flow of
information within an enterprise, and support all required
communication with external partners, customers and suppliers.
⫸ Which of the following signifies the need to review an enterprise's
risk practices? Answer: Business owners regularly challenge risk
assessment findings.
An enterprise's risk management practices must be clearly understood
and supported by business stakeholders. This principle must be
documented in the enterprise's risk management policy/framework/plan
, with senior management approval and direction. Business owners who
challenge the risk assessment findings either do not support the findings
or do not understand them clearly.
⫸ Which of the following choices should drive the IT plan? Answer:
Strategic planning and business requirements.
IT exists to support business objectives. Management of enterprise IT
should align the IT plan closely with the business.
⫸ The GREATEST risk posed by an absence of strategic planning is:
Answer: Improper oversight of IT investment.
Improper oversight of IT investment is the greatest risk. Without proper
oversight from management, IT investment may fail to align with
business strategy, and IT expenditures may not support business
objectives.
⫸ When assessing strategic IT risk, the FIRST step is: Answer:
Understanding enterprise strategy from senior executives.
Strategic IT risk is related to the strategy and objectives of the
enterprise. Senior executives provide the enterprise view of
dependencies and expectations for IT, which aids understanding of
potential risk.