Question 1

To inform a risk treatment decision, which of the following should the information security manager compare with the organization's risk appetite?

Options :

A : Gap analysis results

B : Level of risk treatment

C : Configuration parameters

D : Level of residual risk

Answer: D

Question 2

Which of the following is the MOST essential element of an information security program?

Options :

A : Prioritizing program deliverables based on available resources

B : Benchmarking the program with global standards for relevance

C : Involving functional managers in program development

D : Applying project management practices used by the business

Answer: B

Question 3

Which of the following is the MOST important consideration when developing incident classification methods?

Options :

A : Data classification

B : Data owner input

C : Service level agreements (SLAs)

D : Business impact

Answer: D

Question 4

Which of the following is MOST helpful for aligning security operations with the IT governance framework?

Options :

A : Business impact analysis (BIA)

B : Security operations program

C : Information security policy

D : Security risk assessment

Answer: C

Question 5

A CISO learns that a third-party service provider did not notify the organization of a data breach that affected the service provider's data center. Which of the following should the CISO do FIRST?

Options :

A : Determine the extent of the impact to the organization.

B : Request an independent review of the provider-s data center.

C : Notify affected customers of the data breach.

D : Recommend canceling the outsourcing contract.

Answer: A