CISM QUESTION AND ANSWERS GRADE A+ SOLUTIONS

Rating: -
Sold: -
Pages: 6
Grade: A+
Uploaded on: 26-05-2024
Written in: 2023/2024

Document information

Type: Exam
Contains: Questions and answers

Content preview

The foundation of an information security program is:
Alignment with the goals and objectives of the organization
The core principles of an information security program are:
Confidentiality, Integrity and Availability
The key factor in a successful information security program is:
Senior Management support
A threat can be described as:
Any event or action that could cause harm to the organization
True/False: Threats can be either intentional or accidental
True
Personnel Security requires trained personnel to manage systems and
networks. When does personnel security begin?
Through pre-employment checks
Who plays the most important role in information security?
Upper management
The advantage of an IPS (intrusion prevention system) over an IDS
(intrusion detection system) is that:
The IPS can block suspicious activity in real time
True/False: Physical security is an important part of an Information
Security program
True
The Sherwood Applied Business Security Architecture (SABSA) is
primarily concerned with:
An enterprise-wide approach to security architecture
A centralized approach to security has the primary advantage of:
Uniform enforcement of security policies
The greatest advantage to a decentralized approach to security is:
More adjustable to local laws and requirements
A primary objective of an information security strategy is to:
Identify and protect information assets
The first step in an information security strategy is to:
Determine the desired state of security
Effective information security governance is based on:
Implementing security policies and procedures
The use of a standard such as ISO27001 is useful to:
Ensure that all relevant security needs have been addressed
Three main factors in a business case are resource usage, regulatory
compliance and:
Return on investment
What is a primary method for justifying investments in information
security?
Development of a business case
Relationships with third parties may:
Require the organization to comply with the security standards of the
third party
True or False? The organization does not have to worry about the
impact of third party relationships on the security program
False
The role of an Information Systems Security Steering Committee is to:
Provide feedback from all areas of the organization
The most effective tool a security department has is:
A security awareness program
The role of Audit in relation to Information Security is:
To validate the effectiveness of the security program against
established metrics
Who should be responsible for development of a risk management
strategy?
The Security Manager
The security requirements of each member of the organization should
be documented in:
Their job descriptions
What could be the greatest challenge to implementing a new security
strategy?
Obtaining buy-in from employees
A disgruntled former employee is a:
Threat
A bug or software flaw is a:
Vulnerability
An audit log is an example of a:
Detective control
A compensating control is used:
When normal controls are not sufficient to mitigate the risk
Encryption is an example of a:
Countermeasure
The examination of risk factors would be an example of:
Risk analysis
True/False: The only real risk mitigation technique is based on
effective implementation of technical controls.
False
Should a risk assessment consider controls that are planned but not
yet implemented?
Seller: munyuabeatrice92
