Deck 3: Governance and Strategic Planning for Security
1
Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.
True
2
According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
A) Initiating
B) Establishing
C) Acting
D) Learning
B
3
According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
A) Initiating
B) Establishing
C) Acting
D) Learning
A
4
Which of the following is true about planning?
A) Strategic plans are used to create tactical plans
B) Tactical plans are used to create strategic plans
C) Operational plans are used to create tactical plans
D) Operational plans are used to create strategic plans
5
A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization is a stockbroker.
6
Because it sets out general business intentions, a mission statement does not need to be concise.
7
The ISO 27014:2013 standard promotes five risk management processes, which should be adopted by the organization's executive management and its governing board.
8
Which of the following explicitly declares the business of the organization and its intended areas of operations?
A) vision statement
B) values statement
C) mission statement
D) business statement
9
Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.
A) data owners
B) data custodians
C) data users
D) data generators
10
A clearly directed strategy flows from top to bottom rather than from bottom to top.
11
The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses.
12
Values statements should therefore be ambitious; after all, they are meant to express the aspirations of the organization.
13
The basic outcomes of InfoSec governance should include all but which of the following?
A) Value delivery by optimizing InfoSec investments in support of organizational objectives
B) Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
C) Time management by aligning resources with personnel schedules and organizational objectives
D) Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
14
Penetration testing is often conducted by penetration testers, consultants or outsourced contractors who might be referred to as red teams.
15
Which of the following should be included in an InfoSec governance program?
A) An InfoSec development methodology
B) An InfoSec risk management methodology
C) An InfoSec project management assessment from an outside consultant
D) All of these are components of the InfoSec governance program
16
A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.
17
The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
A) Hold regular meetings with the CIO to discuss tactical InfoSec planning
B) Assign InfoSec to a key committee and ensure adequate support for that committee
C) Ensure the effectiveness of the corporation's InfoSec policy through review and approval
D) Identify InfoSec leaders, hold them accountable, and ensure support for them
18
Which type of planning is the primary tool in determining the long-term direction taken by an organization?
A) strategic
B) tactical
C) operational
D) managerial
19
Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
A) Strategic
B) Tactical
C) Organizational
D) Operational
20
Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?
A) strategic
B) operational
C) organizational
D) tactical
21
Which of the following is an information security governance responsibility of the Chief Security Officer?
A) Communicate policies and the program
B) Set security policy, procedures, programs and training
C) Brief the board, customers and the public
D) Implement policy, report security vulnerabilities and breaches
22
An example of a stakeholder of a company includes all of the following except:
A) employees
B) the general public
C) stockholders
D) management
23
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
A) champion
B) end user
C) team leader
D) policy developer
24
The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a(n) ____________.
A) chief information security officer
B) security technician
C) security manager
D) chief technology officer
25
In which model of the SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?
A) modular continuous
B) elementary cyclical
C) time-boxed circular
D) traditional waterfall
26
When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________.
A) Board Risk Committee
B) Board Finance Committee
C) Board Audit Committee
D) Chairman of the Board
27
A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.
A) champion
B) end user
C) team leader
D) policy developer
28
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.
A) chief information security officer
B) security technician
C) security manager
D) chief technology officer
29
Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success?
A) software engineering
B) joint application design
C) sequence-driven policies
D) event-driven procedures
30
A 2007 Deloitte report found that a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________.
A) enterprise risk management
B) joint application design
C) security policy review
D) disaster recovery planning
31
The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________.
A) vulnerability assessment
B) penetration testing
C) exploit identification
D) safeguard neutralization
32
Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.
A) data owners
B) data custodians
C) data users
D) data generators
33
In which phase of the SecSDLC does the risk management task occur?
A) physical design
B) implementation
C) investigation
D) analysis
34
An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n)____________.
A) penetration tester
B) gray-hat hacker
C) script kiddie
D) zebra team
35
What is the first phase of the SecSDLC?
A) analysis
B) investigation
C) logical design
D) physical design
36
The impetus to begin an SDLC-based project may be ____________________, that is, a response to some activity in the business community, inside the organization, or within the ranks of employees, customers, or other stakeholders.
37
ISO 27014:2013 is the ISO 27000 series standard for ____________.
A) Governance of Information Security
B) Information Security Management
C) Risk Management
D) Policy Management
38
A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.
A) vulnerability assessment
B) penetration testing
C) exploit identification
D) safeguard neutralization
39
Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
A) system controls
B) technical controls
C) operational controls
D) managerial controls
40
Which of the following is a key advantage of the bottom-up approach to security implementation?
A) strong upper-management support
B) a clear planning and implementation process
C) utilizes the technical expertise of the individual administrators
D) coordinated planning from upper management
41
Describe what happens during each phase of the IDEAL General governance framework.
42
Contrast the vision statement with the mission statement.
43
The ______________________ phase is the last phase of the SecSDLC, but perhaps the most important.
44
What is the values statement and what is its importance to an organization?
45
What is necessary for a top-down approach to the implementation of InfoSec to succeed?
46
What is the role of planning in InfoSec management? What are the factors that affect planning?
47
Describe the key approaches organizations are using to achieve unified Enterprise Risk Management.
48
According to the ITGI, what are the four supervisory tasks a board of directors should perform to ensure strategic InfoSec objectives are being met?
49
_________ resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states.
50
In ____________________ testing, security personnel simulate or perform specific and controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities.
51
Information security governance yields significant benefits. List five.
52
How does tactical planning differ from strategic planning?