Which of the following is the best approach to obtain senior management commitment?

Answer :

  • Meet with data owners to understand business needs

Answer :

  • Developing the security strategy

Answer :

  • Manage risk to an acceptable level

Answer :

  • Addressing the potential size and likelihood of loss

Answer :

  • Criticality and sensitivity

Answer :

  • Compliance with the organization’s information security requirements

Answer :

  • Security awareness program

Answer :

  • Conflicting security controls with organizational needs

Answer :

  • Associating realistic threats to corporate objectives

Answer :

  • The steering committee approves security projects

What is the BEST method to verify that all security patches applied to servers were properly documented?

Trace OS patch logs to change control requests

Who is responsible for raising awareness of the need for adequate funding to support risk mitigation plans?

Information security manager

An information security manager must understand the relationship between information security and business operations in order to:

A. support organizational objectives.
B. determine likely areas of noncompliance.
C. assess the possible impacts of compromise.
D. understand the threats to the business.

A. support organizational objectives.

Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?

Encrypting with the sender's private key ensures authentication. By being able to decrypt with the sender's public key, the receiver knows that the message was sent by that sender only, and the sender cannot deny (repudiate) the message.

The PRIMARY goal of developing an information security program is to:

The development of an information security program is usually seen as a manifestation of the information security strategy. Thus, the goal of developing the information security program is to implement the strategy.

An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. The vulnerability identified is:

The authentication process is broken because, although the session is valid, the application should reauthenticate when the input parameters are changed. The review provided valid employee IDs, and valid input was processed. The problem here is the lack of reauthentication when the input parameters are changed.

Which of the following BEST indicates senior management commitment toward supporting information security?

Management sign-off on risk management methodology helps in performing the entire risk cycle.

Minimum standards for securing the technical infrastructure should be defined in a security:

Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place.

The PRIMARY focus of information security governance is to:

Optimize the information security strategy to achieve business objectives.

Governance ensures that business objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans.

When performing an information risk analysis, an information security manager should FIRST:

Assets must be inventoried before any of the other choices can be performed.

Which of the following roles is MOST appropriately responsible for ensuring that security awareness and training material is effectively deployed to reach the intended audience?

The information security department oversees the information security program. This includes ensuring that training reaches the intended audience.

When should a request for proposal (RFP) be issued?

Prior to developing a project budget

Senior management commitment and support for information security can BEST be enhanced through:

Periodic review of alignment with business management goals.

Ensuring that security activities continue to be aligned and support business goals is critical to obtaining their support.

Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process?

System users, specifically the user acceptance testers, would be in the best position to note whether new exposures are introduced during the change management process. The system designer or system analyst, data security officer and operations manager would not be as closely involved in testing code changes.

Which of the following is an indicator of effective governance?

A risk management program is a key component of effective governance.

The development of an information security program begins with:

an effective information security strategy.

Which of the following is the MOST usable deliverable of an information security risk analysis?

Assignment of risks to process owners

Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?

A. Defining job roles
B. Performing a risk assessment
C. Identifying data owners
D. Establishing data retention policies

Identifying the data owners is the first step, and is essential to implementing data classification. Defining job roles is not relevant. Performing a risk assessment is important, but will require the participation of data owners (who must first be identified).

Which of the following is the BEST tool to maintain the currency and coverage of an information security program within an organization?

A. The program's governance oversight mechanisms
B. Information security periodicals and manuals
C. The program's security architecture and design
D. Training and certification of the information security team

A. The program's governance oversight mechanisms

Relationships among security technologies are BEST defined through which of the following?

A. Security metrics
B. Network topology
C. Security architecture
D. Process improvement models

Security architecture explains the use and relationships of security mechanisms. Security metrics measure improvement within the security practice but do not explain the use and relationships of security technologies. Process improvement models and network topology diagrams also do not describe the use and relationships of these technologies.

The BEST strategy for risk management is to:

A. achieve a balance between risk and organizational goals.
B. reduce risk to an acceptable level.
C. ensure that policy development properly considers organizational risks.
D. ensure that all unmitigated risks are accepted by management.

B. reduce risk to an acceptable level.

An information security manager reviewing firewall rules will be MOST concerned if the firewall allows:

A. source routing.
B. broadcast propagation.
C. unregistered ports.
D. nonstandard protocols.

Obtaining senior management support for an information security initiative can BEST be accomplished by:

A. developing and presenting a business case.
B. defining the risk that will be addressed.
C. presenting a financial analysis of benefits.
D. aligning the initiative with organizational objectives.

A. developing and presenting a business case.

A business case is inclusive of the other options and specifically addresses each of them.

The MOST important requirement for gaining management commitment to the information security program is to:

A. benchmark a number of successful organizations.
B. demonstrate potential losses and other impacts that can result from a lack of support.
C. inform management of the legal requirements of due care.
D. demonstrate support for desired outcomes.

D. demonstrate support for desired outcomes.

Which of the following would be the BEST indicator of effective information security governance within an organization?

The steering committee approves security projects.

Which of the following elements is MOST important when developing an information security strategy?

Information security policy development should PRIMARILY be based on: threats.

Which of the following is the PRIMARY reason to change policies during program development?

The policies must comply with new regulatory and legal mandates.

How does knowledge of risk appetite help to increase security control effectiveness?

It shows senior management that you understand their needs. It provides a basis for redistributing resources to mitigate risk outside the risk tolerance.