Information security controls should be designed PRIMARILY based on:

1. A. a business impact analysis (BIA).
2. B. regulatory requirements.
3. C. business risk scenarios,
4. D. a vulnerability assessment.

Correct Answer: C

An information security manager learns of a new standard related to an emerging technology the organization wants to implement. Which of the following should the information security manager recommend be done FIRST?

1. A. Determine whether the organization can benefit from adopting the new standard.
2. B. Obtain legal counsel's opinion on the standard's applicability to regulations,
3. C. Perform a risk assessment on the new technology.
4. D. Review industry specialists’ analyses of the new standard.

Correct Answer: C

In an organization with a rapidly changing environment, business management has accepted an information security risk. It is MOST important for the information security manager to ensure:

1. A. change activities are documented.
2. B. the rationale for acceptance is periodically reviewed.
3. C. the acceptance is aligned with business strategy.
4. D. compliance with the risk acceptance framework.

Correct Answer: B

Which of the following is the BEST way to achieve compliance with new global regulations related to the protection of personal information?

1. A. Execute a risk treatment plan.
2. B. Review contracts and statements of work (SOWs) with vendors.
3. C. Implement data regionalization controls.
4. D. Determine current and desired state of controls.

Correct Answer: D

An incident response team has been assembled from a group of experienced individuals, Which type of exercise would be MOST beneficial for the team at the first drill?

1. A. Red team exercise
2. B. Black box penetration test
3. C. Disaster recovery exercise
4. D. Tabletop exercise

Correct Answer: D