Which of the following is a PRIMARY responsibility of the information security governance function

An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:

• A. corporate data privacy policy.
• B. data privacy policy where data are collected.
• C. data privacy policy of the headquarters' country.
• D. data privacy directive applicable globally.

Answer : B

Explanation:
As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from the country in which the organization is headquartered, it is improbable that a group wide policy will address all the local legal requirements. In case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. The data privacy laws are country-specific.

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:

• A. meet with stakeholders to decide how to comply.
• B. analyze key risks in the compliance process.
• C. assess whether existing controls meet the regulation.
• D. update the existing security/privacy policy.

Answer : C

Explanation:
If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap.

The PRIMARY objective of a security steering group is to:

• A. ensure information security covers all business functions.
• B. ensure information security aligns with business goals.
• C. raise information security awareness across the organization.
• D. implement all decisions on security management across the organization.

Answer : B

Explanation:
The security steering group comprises senior management of key business functions and has the primary objective to align the security strategy with the business direction. Option A is incorrect because all business areas may not be required to be covered by information security; but, if they do, the main purpose of the steering committee would be alignment more so than coverage. While raising awareness is important, this goal would not be carried out by the committee itself. The steering committee may delegate part of the decision making to the information security manager; however, if it retains this authority, it is not the primary' goal.

Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:

• A. baseline.
• B. strategy.
• C. procedure.
• D. policy.

Answer : D

Explanation:
A policy is a high-level statement of an organization's beliefs, goals, roles and objectives. Baselines assume a minimum security level throughout an organization. The information security strategy aligns the information security program with business objectives rather than making control statements. A procedure is a step-by- step process of how policy and standards will be implemented.

At what stage of the applications development process should the security department initially become involved?

• A. When requested
• B. At testing
• C. At programming
• D. At detail requirements

Answer : D

Explanation:
Information security has to be integrated into the requirements of the application's design. It should also be part of the information security governance of the organization. The application owner may not make a timely request for security involvement. It is too late during systems testing, since the requirements have already been agreed upon. Code reviews are part of the final quality assurance process.

A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?

• A. Examples of genuine incidents at similar organizations
• B. Statement of generally accepted best practices
• C. Associating realistic threats to corporate objectives
• D. Analysis of current technological exposures

Answer : C

Explanation:
Linking realistic threats to key business objectives will direct executive attention to them. All other options are supportive but not of as great a value as choice C when trying to obtain the funds for a new program.

The PRIMARY concern of an information security manager documenting a formal data retention policy would be:

• A. generally accepted industry best practices.
• B. business requirements.
• C. legislative and regulatory requirements.
• D. storage availability.

Answer : B

Explanation:
The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement. Best practices may be a useful guide but not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant since whatever is needed must be provided

When personal information is transmitted across networks, there MUST be adequate controls over:

• A. change management.
• B. privacy protection.
• C. consent to data transfer.
• D. encryption devices.

Answer : B

Explanation:
Privacy protection is necessary to ensure that the receiving party has the appropriate level of protection of personal data. Change management primarily protects only the information, not the privacy of the individuals.
Consent is one of the protections that is frequently, but not always, required. Encryption is a method of achieving the actual control, but controls over the devices may not ensure adequate privacy protection and, therefore, is a partial answer.

An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:

• A. ensure that security processes are consistent across the organization.
• B. enforce baseline security levels across the organization.
• C. ensure that security processes are fully documented.
• D. implement monitoring of key performance indicators for security processes.

Answer : A

Explanation:
The organization first needs to move from ad hoc to repeatable processes. The organization then needs to document the processes and implement process monitoring and measurement. Baselining security levels will not necessarily assist in process improvement since baselining focuses primarily on control improvement. The organization needs to standardize processes both before documentation, and before monitoring and measurement.

Who in an organization has the responsibility for classifying information?

• A. Data custodian
• B. Database administrator
• C. Information security officer
• D. Data owner

Answer : D

Explanation:
The data owner has full responsibility over data. The data custodian is responsible for securing the information. The database administrator carries out the technical administration. The information security officer oversees the overall classification management of the information.

What is the PRIMARY role of the information security manager in the process of information classification within an organization?

• A. Defining and ratifying the classification structure of information assets
• B. Deciding the classification levels applied to the organization's information assets
• C. Securing information assets in accordance with their classification
• D. Checking if information assets have been classified properly

Answer : A

Explanation:
Defining and ratifying the classification structure of information assets is the primary role of the information security manager in the process of information classification within the organization. Choice B is incorrect because the final responsibility for deciding the classification levels rests with the data owners. Choice C is incorrect because the job of securing information assets is the responsibility of the data custodians. Choice D may be a role of an information security manager but is not the key role in this context.

Logging is an example of which type of defense against systems compromise?

• A. Containment
• B. Detection
• C. Reaction
• D. Recovery

Answer : B

Explanation:
Detection defenses include logging as well as monitoring, measuring, auditing, detecting viruses and intrusion.
Examples of containment defenses are awareness, training and physical security defenses. Examples of reaction defenses are incident response, policy and procedure change, and control enhancement. Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans.

Which of the following is MOST important in developing a security strategy?

• A. Creating a positive business security environment
• B. Understanding key business objectives
• C. Having a reporting line to senior management
• D. Allocating sufficient resources to information security

Answer : B

Explanation:
Alignment with business strategy is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.

Who is ultimately responsible for the organization's information?

• A. Data custodian
• B. Chief information security officer (CISO)
• C. Board of directors
• D. Chief information officer (CIO)

Answer : C

Explanation:
The board of directors is ultimately responsible for the organization's information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management's directives. The chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization's information.

Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?

• A. Alignment with industry best practices
• B. Business continuity investment
• C. Business benefits
• D. Regulatory compliance

Answer : D

Explanation:
Regulatory compliance can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements. Buy-in from business managers must be obtained by the information security manager when an information security governance measure is sought based on its alignment with industry best practices. Business continuity investment needs to be justified by business impact analysis. When an information security governance measure is sought based on qualitative business benefits, further analysis is required to determine whether the benefits outweigh the cost of the information security governance measure in question.

What is the primary purpose of information security governance?

What are the five goals of information security governance?

What is information security governance who in the organization should plan for it?

Which of the following would be the best indicator of effective information security governance within an organization?