Which of the following is the BEST course of action if the business activity residual risk is lower than the acceptable risk level?

• A.Monitor the effectiveness of controls
• B.Update the risk assessment framework
• C.Review the inherent risk level
• D.Review the risk probability and impact

Comment: *

Name: *

Email: *

Verification: *

When a new key business application goes into production, the PRIMARY reason to update relevant business impact analysis (BIA) and business continuity/disaster recovery plans is because:

• A.this is a requirement of the security policy.
• B.software licenses may expire in the future without warning.
• C.the asset inventory must be maintained.
• D.service level agreements may not otherwise be met.

Comment: *

Name: *

Email: *

Verification: *

Which of the following BEST enables an organization to enhance its incident response plan processes and procedures?

• A.Security risk assessments
• B.Lessons learned analysis
• C.Information security audits
• D.Key performance indicators (KPIs)

Comment: *

Name: *

Email: *

Verification: *

The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for:

• A.determining the scope for inclusion in an information security program.
• B.defining the level of access controls.
• C.justifying costs for information resources.
• D.determining the overall budget of an information security program.

Comment: *

Name: *

Email: *

Verification: *

How would an organization know if its new information security program is accomplishing its goals?

• A.Key metrics indicate a reduction in incident impacts.
• B.Senior management has approved the program and is supportive of it.
• C.Employees are receptive to changes that were implemented.
• D.There is an immediate reduction in reported incidents.

Comment: *

Name: *

Email: *

Verification: *