When would it be more desirable to develop a set of decentralized security policies and procedures within an enterprise environment?

A. When there is a need to develop a more unified incident response capability.
B. When the enterprise is made up of many business units with diverse business activities, risks...

June 19, 2021

Risk is defined as:

A. Threat times vulnerability divided by control
B. Advisory plus capability plus vulnerability
C. Asset loss times likelihood of event
D. Quantitative plus qualitative impact

Answer: A

June 19, 2021

What is the NEXT logical step in applying the controls in the organization?

An organization has defined a set of standard security controls. This organization has also defined the circumstances and conditions in which they must be applied. What is the NEXT logical step in applying the controls in the organization?

A. Determine the risk tolerance
B. Perform an asset classification
C. Create...

June 18, 2021

Which of the following best represents a calculation for Annual Loss Expectancy (ALE)?

A. Single loss expectancy multiplied by the annual rate of occurrence
B. Total loss expectancy multiplied by the total loss frequency
C. Value of the asset multiplied by the loss expectancy
D. Replacement cost multiplied by the...

June 18, 2021

The success of the Chief Information Security Officer is MOST dependent upon:

A. favorable audit findings
B. following the recommendations of consultants and contractors
C. development of relationships with organization executives
D. raising awareness of security issues with end users

Answer: C

June 18, 2021

What kind of law would require notifying the owner or licensee of this incident?

An organization licenses and uses personal information for business operations, and a server containing that information has been compromised. What kind of law would require notifying the owner or licensee of this incident?

A. Data breach disclosure
B. Consumer right disclosure
C. Security incident disclosure
D. Special circumstance disclosure

Answer:...

June 18, 2021

Topic 1, Governance (Policy, Legal & Compliance)

The framework that helps to define a minimum standard of protection that business stakeholders must attempt to achieve is referred to as a standard of:

A. Due Protection
B. Due Care
C. Due Compromise
D. Due process

Answer: B

June 18, 2021

When briefing senior management on the creation of a governance process, the MOST important aspect should be:

A. information security metrics.
B. knowledge required to analyze each issue.
C. baseline against which metrics are evaluated.
D. linkage to business area objectives.

Answer: D

June 17, 2021

Which of the following provides an audit framework?

A. Control Objectives for IT (COBIT)
B. Payment Card Industry-Data Security Standard (PCI-DSS)
C. International Organization Standard (ISO) 27002
D. National Institute of Standards and Technology (NIST) SP 800-30

Answer: A

June 17, 2021

Quantitative Risk Assessments have the following advantages over qualitative risk assessments:

A. They are objective and can express risk / cost in real numbers
B. They are subjective and can be completed more quickly
C. They are objective and express risk / cost in approximates
D. They are subjective and...

June 17, 2021