An information security team has been tasked with identifying confidential data within the organization to formalize its asset classification scheme. The MOST relevant input would be provided by:

• A.database administrators (DBAs).
• B.business process owners.
• C.the chief information officer (CIO),
• D.the legal department.

Comment: *

Name: *

Email: *

Verification: *

During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?

• A.Feasibility
• B.Design
• C.Development
• D.Testing

Comment: *

Name: *

Email: *

Verification: *

The ability to integrate information security governance into corporate governance is PRIMARILY driven by:

• A.how often information security metrics are presented to senior management.
• B.how well the information security program supports business objectives.
• C.how often the information security steering committee reviews and updates security policies.
• D.the percentage of corporate budget allocated to the information security program.

Comment: *

Name: *

Email: *

Verification: *

An information security manager is assisting in the development of the request for proposal (RFP) for a new outsourced service. This will require the third party to have access to critical business information. The security manager should focus PRIMARILY on defining:

• A.security metrics
• B.risk-reporting methodologies
• C.service level agreements (SLAs)
• D.security requirements for the process being outsourced

Comment: *

Name: *

Email: *

Verification: *

A new system has been developed that does not comply with password-aging rules. This noncompliance can BEST be identified through:

• A.a progressive series of warnings
• B.a business impact analysis
• C.an incident management process
• D.an internal audit assessment

Comment: *

Name: *

Email: *

Verification: *