Which of the following best describes the relationship between CobiT and ITIL?
A. CobiT is a model for IT governance, whereas ITIL is a model for corporate governance.
B. CobiT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.
C. CobiT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them.
D. CobiT provides a framework for achieving business goals, whereas ITIL defines a framework for achieving IT service-level goals.
Jane has been charged with ensuring that clients' personal health information is adequately protected before it is exchanged with a new European partner. What data security requirements must she adhere to?
B. NIST SP 800-66
C. Safe Harbor
D. European Union Principles on Privacy
Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this?
A. Committee of Sponsoring Organizations of the Treadway Commission
B. The Organisation for Economic Co-operation and Development
C. CobiT
D. International Organization for Standardization
Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining?
A. Security policy committee
B. Audit committee
C. Risk management committee
D. Security steering committee
As head of sales, Jim is the information owner for the sales department. Which of the following is not Jim's responsibility as information owner?
A. Assigning information classifications
B. Dictating how data should be protected
C. Verifying the availability of data
D. Determining how long to retain data
Assigning data classification levels can help with all of the following except:
A. The grouping of classified information with hierarchical and restrictive security
B. Ensuring that nonsensitive data is not being protected by unnecessary controls
C. Extracting data from a database
D. Lowering the costs of protecting data
Which of the following is not included in a risk assessment?
A. Discontinuing activities that introduce risk
B. Identifying assets
C. Identifying threats
D. Analyzing risk in order of cost or criticality
Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company's e-mail system. What type of approach is her company taking to handle the risk posed by the system?
A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk transference
The integrity of data is not related to which of the following?
A. Unauthorized manipulation or changes to data
B. The modification of data without authorization
C. The intentional or accidental substitution of data
D. The extraction of data to share with unauthorized entities
There are several methods an intruder can use to gain access to company assets. Which of the following best describes masquerading?
A. Changing an IP packet's source address
B. Elevating privileges to gain access
C. An attempt to gain unauthorized access as another user
D. Creating a new authorized user with hacking tools
A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset?
A. The asset's value in the external marketplace
B. The level of insurance required to cover the asset
C. The initial and outgoing costs of purchasing, licensing, and supporting the asset
D. The asset's value to the organization's production operations
Jill is establishing a companywide sales program that will require different user groups with different privileges to access information on a centralized database. How should the security manager secure the database?
A. Increase the database's security controls and provide more granularity.
B. Implement access controls that display each user's permissions each time they access the database.
C. Change the database's classification label to a higher security status.
D. Decrease the security so that all users can access the information as needed.
As his company's CISO, George needs to demonstrate to the Board of Directors the necessity of a strong risk management program. Which of the following should George use to calculate the company's residual risk?
A. threats × vulnerability × asset value = residual risk
B. SLE × frequency = ALE, which is equal to residual risk
C. (threats × asset value × vulnerability) × control gap = residual risk
D. (total risk - asset value) × countermeasures = residual risk
Authorization creep is to access controls what scope creep is to software development. Which of the following is not true of authorization creep?
A. Users have a tendency to request additional permissions without asking for others to be taken away.
B. It is a violation of "least privilege."
C. It enforces the "need-to-know" concept.
D. It commonly occurs when users transfer to other departments or change positions.
For what purpose was the COSO framework developed?
A. To address fraudulent financial activities and reporting
B. To help organizations install, implement, and maintain CobiT controls
C. To serve as a guideline for IT security auditors to use when verifying compliance
D. To address regulatory requirements related to protecting private health information
Susan, an attorney, has been hired to fill a new position at Widgets Inc. The position is Chief Privacy Officer (CPO). What is the primary function of her new role?
A. Ensuring the protection of partner data
B. Ensuring the accuracy and protection of company financial information
C. Ensuring that security policies are defined and enforced
D. Ensuring the protection of customer, company, and employee data
Jared plays a role in his company's data classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared's role?
A. Data owner
B. Data custodian
C. Data user
D. Information systems auditor
Risk assessment has several different methodologies. Which of the following official risk methodologies was not created for the purpose of analyzing security risks?
C. ANZ 4360
D. NIST SP 800-30
Which of the following is not a characteristic of a company with a security governance program in place?
A. Board members are updated quarterly on the company's state of security.
B. All security activity takes place within the security department.
C. Security products, services, and consultants are deployed in an informed manner.
D. The organization has established metrics and goals for improving security.
Michael is charged with developing a classification program for his company. Which of the following should he do first?
A. Understand the different levels of protection that must be provided.
B. Specify data classification criteria.
C. Identify the data custodians.
D. Determine protection mechanisms for each classification level.
There are four ways of dealing with risk. In the graphic that follows, which method is missing and what is the purpose of this method?
A. Risk transference. Share the risk with other entities.
B. Risk reduction. Reduce the risk to an acceptable level.
C. Risk rejection. Accept the current risk.
D. Risk assignment. Assign risk to a specific owner.
The following graphic contains a commonly used risk scorecard. Identify the proper quadrant and its description.
A. Top-right quadrant is high impact, low probability.
B. Top-left quadrant is high impact, medium probability.
C. Bottom-left quadrant is low impact, high probability.
D. Bottom-right quadrant is low impact, high probability.
What are the three types of policies that are missing from the following graphic?
A. Regulatory, Informative, Advisory
B. Regulatory, Mandatory, Advisory
C. Regulatory, Informative, Public
D. Regulatory, Informative, Internal Use
List in the proper order from the table on the top of the next page the learning objectives that are missing and their proper definitions.
A. Understanding, recognition and retention, skill
B. Skill, recognition and retention, skill
C. Recognition and retention, skill, understanding
D. Skill, recognition and retention, understanding
What type of risk analysis approach does the following graphic provide?
C. Operationally Correct
D. Operationally Critical