Reference no: EM133478210
Question
1. Successful policies establish what must be done and why it must be done, but not how to do it. Good policy has several characteristics that help to drive success of the policy. Which one of the following is NOT one of those characteristics?
a. Adaptable: The policy can accommodate change.
b. The policy can be codified.
c. Realistic: The policy makes sense.
d. Inclusive: The policy scope includes all relevant parties.
2. What is a necessary preliminary step to the development of security controls and policies for protecting information?
a. Information assets of the organization must be classified according to their importance and according to the impact of security breaches involving the information.
b. Information assets of the organization must be classified according to their availability cost and the likelihood that the assets will be compromised or lost.
c. Information assets of the organization must be grouped by their data source and according to the impact of security breaches involving the information.
d. Information assets of the organization must be categorized according to the business need and importance of data in the event of data loss.
3. What is the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk?
a. Information security governance
b. Data governance
c. Information Security Policy Framework
d. Information strategy
4. The IT Governance Institute defines five basic outcomes of information security governance that lead to successful integration of information security with the organization's mission [ITGI06]. Which of the following is not one of them?
a. Performance measurement
b. Value Delivery
c. Threat detection
d. Risk management
5. Reporting enables stakeholders to ensure that information security is being managed effectively, and it should include the following:
- Information security policy
- Risk evaluation
- Risk measures and response
- Management systems
Why is reporting to stakeholders an important part of the Information Security Governance Framework?
a. Creates organizational synergy
b. Details performance
c. Fosters innovation
d. Provides Accountability
6. What provides people who deal with information with a concise indication of how to handle and protect that information?
a. Classification
b. Risk management
c. Security controls
d. Threat intelligence
7. When defining Security Direction, the SGP recommends that the governing body include which C-level executive in order to support their activities as well as the activities that are under their direction. Which C-level exec is the SGP referring to?
a. CTO
b. CISO
c. CDO
d. CIO
8. Cybersecurity programs and policies recognize that organizations must be vigilant, resilient, and ready to protect and defend every ingress and egress connection as well as organizational data wherever it is stored, transmitted, or processed.
a. True
b. False
9. Regardless of whether a policy is based on guiding principles or regulatory requirements, its success depends in large part upon how the organization approaches the policy lifecycle. What are the components of the lifecycle?
a. Ideate, Publish, Execute, Adopt
b. Plan, Publish, Revise, Review
c. Develop, Publish, Execute, Revise
d. Develop, Publish, Adopt, Review
10. The first step in this process, according to SP 800-60, is to identify the information types to be classified. The result of this step should be an information taxonomy or catalog of information types. The level of detail, or granularity, must be decided by those involved in security governance. The determination may be based on factors such as the size of the organization, its range of activities, and the perceived overall level of risk.
a. security categorization process
b. data definition process
c. master data management process
d. data governance process