
Which of the following would be the FIRST step when developing a business case for an information security investment?


ans: C
A. Without a clear definition of the needs to be addressed, the objectives cannot be determined.
B. The objectives cannot be determined without a definition of the needs to be addressed; therefore, the costs to achieve the objectives cannot be determined before the needs are defined.
C. Without a clear definition of the needs to be fulfilled, the rest of the components of the business case cannot be determined.
D. Without a need requiring a solution, cost-effectiveness cannot be determined.

Which of the following BEST supports continuous improvement of the risk management process?
ans: C
A. Risk treatment is an element of the risk management process. Other elements such as risk identification, risk communication and acceptance also need to be considered.
B. Classification of assets is important, but is an element of the risk management process and is not sufficient to ensure continuous improvement.
C. A maturity model such as the capability maturity model (CMM) can be used to classify an organization as initial, repeatable, defined, managed or optimized. As a result, an organization can easily know where it falls and then start working to reach the optimized state.
D. There are many benefits from integrating assurance functions. However, this is not a holistic approach because the best of assurance functions will be reactive if risk management does not cascade through the entire organization. Measures must be taken to ensure that the entire staff, rather than only the assurance functions, is risk conscious.

Which of the following is the MOST effective way to measure strategic alignment of an information security program?
ans: A
A. The best indicator of strategic alignment is the opinion of the business stakeholders, and the best way to obtain this information is to periodically ask them.
B. Audits might indicate something is amiss, but audits do not have a direct correlation with the effectiveness of the information security program to support business goals and objectives.
C. Incident losses may indicate the overall effectiveness of the program but may have more to do with inadequate budgets or staffing than with alignment.
D. Business cases for security projects may indicate where alignment went astray. However, business cases are indirect and analysis of them would be too late.
of one element causes a sequence of failures.

A. Aggregated risk can occur in homogeneous systems where one threat vector can compromise many systems, whether integrated or not.
B. Systemic risk is unrelated to the degree of integration.
C. Operational risk is also unrelated to the degree of integration.
D. Tightly integrated systems are more susceptible to cascading risk because the failure of one element causes a sequence of failures.

A. Release management is the specific process to manage risk of production system deployment.
B. Incident management is not directly relevant to life cycle stages.
C. Change management is the overall process to assess and control risk introduced by changes.
D. Configuration management is the specific process to manage risk associated with system configuration.

A. The system analyst would not be as closely involved in testing code changes.
B. System users, specifically the user acceptance testers, would be in the best position to note whether new exposures are introduced during the change management process.
C. The operations manager would not be involved in testing code changes.
D. The data security officer would not be involved in testing code changes.

A. A lack of proper procedures may well be the issue, but that is a failure of governance. Good governance would ensure that procedures are consistent with standards that meet policy intent. Procedures for configuration that meet standards for a particular security domain will be consistent.
B. Governance is the rules the organization operates by and the oversight to ensure compliance, as well as feedback mechanisms that provide assurance that the rules are followed. A failure of one or more of those processes is likely to be the reason that system configurations are inconsistent.
C. Poor standards are also a sign of inadequate governance and likely to result in poor consistency in configurations.
D. Insufficient training indicates that there are no requirements, they are not being met or the trainers are not competent in the subject matter, which is also a lack of effective governance resulting in a lack of oversight, clear requirements for training or a lack of suitable metrics.

A. Firewalls attempt to keep the hacker out.
B. Bastion hosts attempt to keep the hacker out.
C. Decoy files, often referred to as honeypots, are the best choice for diverting a hacker away from critical files and alerting security of the hacker's presence.
D. Screened subnets or demilitarized zones (DMZs) provide a middle ground between the trusted internal network and the external untrusted Internet but do not help detect hacker activities.
