Revision Questions
- The effectiveness of segregation of duties (SoD) is best ensured by which of the following?
- Implementing strong password rules
- Making available a security awareness poster on the intranet
- Frequent information security training
- Reviewing access privileges when an operator's role changes
- What is the primary responsibility of an information security manager?
- To manage the risk to information assets
- To implement the security configuration for IT assets
- To conduct disaster recovery testing
- To close identified vulnerabilities
- A maturity model is one way to determine how sound an organization's processes are. Which of the following is another approach?
- The Monte Carlo method
- Process performance and capabilities
- Vulnerability assessments
- Risk analysis
- Information system access should be primarily authorized by which of the following?
- The information owner
- The system auditor
- The CISO
- The system administrator
- The information security manager observes that the incident log is stored on a production database server. Which of the following is a major concern?
- The unavailability of log details if the server crashes
- The unauthorized modification of logs by the database administrator
- Log capturing slows down transaction processing
- Critical information may not be captured in the log files
- Appointing a CISO indicates which of the following?
- The organization wants to enhance the role of senior management
- The organization is committed to its responsibility for information security
- The board of directors wants to pass on their accountability
- The organization wants to improve its technology architecture
- The main objective of integrating security-related roles and responsibilities is which of the following?
- To address the security gaps that exist between assurance functions
- To address the unavailability of manpower
- To address the gap in business continuity and disaster recovery
- To address the complications in system development processes
- Which of the following is the best compensating control when the same employee is responsible for updating servers, maintaining access control, and reviewing logs?
- To verify that only approved changes are made
- To conduct penetration tests
- To conduct risk assessments
- Reviews of log files conducted by the manager
- What is the responsibility of the information owner when complying with the information classification scheme?
- To implement security measures to protect their data
- To determine the level of classification for their data
- To arrange backups of their data
- To delegate the processes of information classification to the system administrator
- The effectiveness of the organization's security measures is the final responsibility of which of the following?
- The security administrator
- The CISO
- Senior management
- The information security auditor
- What is the best way to ensure that responsibilities are carried out?
- Signed non-disclosure agreements
- Heavy penalties for non-compliance
- Assigned accountability
- Documented policies
- Who is responsible for complying with the organization's security policies and standards?
- The CISO
- Senior management
- The compliance officer
- All organizational units
- Continuous improvement of the risk management process is most likely ensured by which of the following?
- The regular review of implemented security controls
- Implementing an information classification policy
- The adoption of a maturity model
- Regular audits of risk management processes
- Information security is the responsibility of which of the following?
- All personnel
- IT personnel
- Security personnel
- Operational personnel
- Who should give final approval to security policies?
- Operation managers
- The CISO
- Senior management
- The chief technical officer (CTO)
- Confidentiality of information can be best ensured by which of the following?
- Implementing an information classification policy
- Implementing SoD
- Implementing the principle of least privilege
- Implementing information security audits
- As an information security manager, which of the following would you use to characterize a decentralized information security process?
- Consistency in information security processes
- Better compliance with policy
- Better alignment with decentralized unit requirements
- Optimum utilization of information security resources