Scenario: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified. The CISO has validated audit findings, determined if compensating controls exist, and started initial remediation planning.
Which of the following is the MOST logical next step?

• A.Validate the effectiveness of current controls
• B.Review security procedures to determine if they need modified according to findings
• C.Create detailed remediation funding and staffing plans
• D.Report the audit findings and remediation status to business stake holders

Comment: *

Name: *

Email: *

Verification: *

Scenario: Your program is developed around minimizing risk to information by focusing on people, technology, and operations.
An effective way to evaluate the effectiveness of an information security awareness program for end users, especially senior executives, is to conduct periodic:

• A.Password changes
• B.Baselining of computer systems
• C.Scanning for viruses
• D.Controlled spear phishing campaigns

Comment: *

Name: *

Email: *

Verification: *

What are the three hierarchically related aspects of strategic planning and in which order should they be done?

• A.1) Enterprise strategic planning, 2) Cybersecurity or information security strategic planning, 3) Information technology strategic planning
• B.1) Enterprise strategic planning, 2) Information technology strategic planning, 3) Cybersecurity or information security strategic planning
• C.1) Cybersecurity or information security strategic planning, 2) Enterprise strategic planning, 3) Information technology strategic planning
• D.1) Information technology strategic planning, 2) Enterprise strategic planning, 3) Cybersecurity or information security strategic planning

Comment: *

Name: *

Email: *

Verification: *

A business unit within your organization intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should the information security manager take?

• A.Enforce the existing security standards and do not allow the deployment of the new technology.
• B.Amend the standard to permit the deployment.
• C.Permit a 90-day window to see if an issue occurs and then amend the standard if there are no issues.
• D.If the risks associated with that technology are not already identified, perform a risk analysis to quantify the risk, and allow the business unit to proceed based on the identified risk level.

Comment: *

Name: *

Email: *

Verification: *

Which of the following international standards can be BEST used to define a Risk Management process in an organization?

• A.National Institute for Standards and Technology 800-50 (NIST 800-50)
• B.International Organization for Standardizations - 27005 (ISO-27005)
• C.Payment Card Industry Data Security Standards (PCI-DSS)
• D.International Organization for Standardizations - 27004 (ISO-27004)

Comment: *

Name: *

Email: *

Verification: *