A.  

Risk levels may be elevated beyond acceptable limits.

B.  

Security audits may report more high-risk findings.

C.  

The compensating controls may not be cost efficient.

D.  

Noncompliance with industry best practices may result.

A.  

Prevent the user from using personal mobile devices.

B.  

Report the incident to the police.

C.  

Wipe the device remotely.

D.  

Remove user's access to corporate data.

A.  

re-evaluate the impact of incidents.

B.  

identify vulnerabilities.

C.  

identify control improvements.

D.  

identify the root cause.

A.  

Information security training is mandatory for all staff.

B.  

The organization's information security policy is documented and communicated.

C.  

The chief information security officer (CISO) regularly interacts with the board.

D.  

Staff consistently consider risk in making decisions.

A.  

Security key performance indicators (KPIs)

B.  

Project resource optimization

C.  

Regular security policy reviews

D.  

Senior management sponsorship

A.  

Patch management files

B.  

Network system logs

C.  

Configuration management files

D.  

Intrusion detection system (IDS) logs

A.  

isolate the affected network segment.

B.  

report the root cause to the board of directors.

C.  

assess whether personally identifiable information (Pll) is compromised.

D.  

shut down the entire network.

A.  

Regulatory requirements

B.  

Compliance acceptance

C.  

Management support

D.  

Budgetary approval

A.  

boot the original hard disk on a clean system.

B.  

create an image of the original data on new media.

C.  

duplicate data from the backup media.

D.  

shut down and relocate the server.

A.  

Periodic updates to risk register

B.  

Risk management dashboards

C.  

Security information and event management (SIEM) systems

D.  

Vulnerability assessment results

A.  

Establish regular information security status reporting.

B.  

Establish an information security steering committee.

C.  

Establish business unit security working groups.

D.  

Establish periodic senior management meetings.

A.  

Documenting actions taken in sufficient detail

B.  

Updating key risk indicators (KRIs)

C.  

Evaluating the performance of incident response team members

D.  

Evaluating incident response effectiveness

A.  

project management

B.  

governance.

C.  

performance.

D.  

risk management.

A.  

Host patching

B.  

Penetration testing

C.  

Infrastructure hardening

D.  

Data classification

A.  

Helping to determine the recovery point objective (RPO)

B.  

Providing a basis for implementing a need-to-know policy

C.  

Supporting segregation of duties

D.  

Defining resource ownership

A.  

business managers

B.  

business continuity officers

C.  

executive management

D.  

database administrators (DBAs).

A.  

Reduction in residual risk

B.  

Security framework alignment

C.  

Speed of implementation

D.  

Industry peer benchmarking

A.  

The benefit is greater than the potential risk.

B.  

USB storage devices are enabled based on user roles.

C.  

Users accept the risk of noncompliance.

D.  

Access is restricted to read-only.

A.  

rely on senior management to enforce security.

B.  

promote the relevance and contribution of security.

C.  

focus on compliance.

D.  

reiterate the necessity of security.

A.  

Cost of the attack to the organization

B.  

Location of the attacker

C.  

Method of operation used by the attacker

D.  

Details from intrusion detection system (IDS) logs

A.  

Alive demonstration of the third-party supplier's security capabilities

B.  

The ability to i third-party supplier's IT systems and processes

C.  

Third-party security control self-assessment (CSA) results

D.  

An independent review report indicating compliance with industry standards

A.  

Provide employee training on secure mobile device practices

B.  

Implement a mobile device management (MDM) solution.

C.  

Require employees to install an effective anti-malware app.

D.  

Implement a mobile device policy and standard.

A.  

Wipe and reset the endpoint device.

B.  

Isolate the endpoint device.

C.  

Power off the endpoint device.

D.  

Run a virus scan on the endpoint device.

A.  

Communicate disciplinary processes for policy violations.

B.  

Require staff to participate in information security awareness training.

C.  

Require staff to sign confidentiality agreements.

D.  

Include information security responsibilities in job descriptions.

A.  

cause fewer potential production issues.

B.  

require less IT staff preparation.

C.  

simulate real-world attacks.

D.  

identify more threats.

A.  

Metrics to drive the information security program

B.  

Information security policies

C.  

A defined security organizational structure

D.  

An information security strategy

A.  

used to establish security investments

B.  

the basis for setting control objectives.

C.  

elements of the organization's security posture.

D.  

needed to estimate risk.

A.  

Database analyst

B.  

Database administrator (DBA)

C.  

Information security analyst

D.  

Data owner

A.  

External consultant

B.  

Information owners

C.  

Information security manager

D.  

Business continuity coordinator

A.  

consultants review the information security governance framework.

B.  

a culture of legal and regulatory compliance is promoted by management.

C.  

risk management is built into operational and strategic activities.

D.  

IS auditors are empowered to evaluate governance activities

A.  

Conduct user awareness training within the IT function.

B.  

Propose that IT update information security policies and procedures.

C.  

Determine the risk related to noncompliance with the policy.

D.  

Request that internal audit conduct a review of the policy development process,

A.  

security metrics are included in the service level agreement (SLA).

B.  

contract clauses comply with the organization's information security policy.

C.  

the information security policy of the third-party service provider is reviewed.

D.  

right to audit is included in the service level agreement (SLA).

A.  

Instruct the vendor to conduct penetration testing.

B.  

Suspend the connection to the application in the firewall

C.  

Report the situation to the business owner of the application.

D.  

Initiate the organization's incident response process.

A.  

enhances the likelihood of people handling information securely.

B.  

reduces the number and type of countermeasures required.

C.  

reduces the need to identify baseline controls for each classification.

D.  

affects the consequences if information is handled insecurely.

A.  

change activities are documented.

B.  

the rationale for acceptance is periodically reviewed.

C.  

the acceptance is aligned with business strategy.

D.  

compliance with the risk acceptance framework.

A.  

Establishing risk metrics

B.  

Training on risk management procedures

C.  

Reporting on documented deficiencies

D.  

Assigning a risk owner

A.  

Revise the policy.

B.  

Perform a root cause analysis.

C.  

Conduct a risk assessment,

D.  

Communicate the acceptable use policy.

A.  

The information security strategy

B.  

Losses due to security incidents

C.  

The results of a risk assessment

D.  

Security investment trends in the industry

A.  

The information security manager

B.  

The data owner

C.  

The application owner

D.  

The security engineer

A.  

security configuration controls.

B.  

assurance that security requirements are met.

C.  

guidance for security strategy.

D.  

a repository for security systems documentation.

A.  

Members have knowledge of information security controls.

B.  

Members are business risk owners.

C.  

Members are rotated periodically.

D.  

Members represent functions across the organization.

A.  

Security policy

B.  

Risk management framework

C.  

Risk appetite

D.  

Security standards

A.  

The definition of an incident

B.  

Compliance with regulations

C.  

Management support

D.  

Previously reported incidents

A.  

To enhance awareness for secure software design

B.  

To assess and approve the security application architecture

C.  

To identify noncompliance in the early design stage

D.  

To identify software security weaknesses

A.  

Including service level agreements (SLAs) in vendor contracts

B.  

Establishing communication paths with vendors

C.  

Requiring security awareness training for vendor staff

D.  

Performing integration testing with vendor systems

A.  

Follow the escalation process.

B.  

Identify the indicators of compromise.

C.  

Notify law enforcement.

D.  

Contact forensic investigators.

A.  

Information security is considered the responsibility of the entire information security team.

B.  

Information security controls are assigned to risk owners.

C.  

Information security is integrated into corporate governance.

D.  

Information security governance is based on an external security framework.

A.  

Inform senior management

B.  

Re-evaluate the risk

C.  

Implement compensating controls

D.  

Ask the business owner for the new remediation plan