Which of the following is the best way to obtain senior management commitment and support for information security through presentation?

Last Updated on December 19, 2021 by Admin 2

  • CISM : Part 1 - 40
  • CISA : Part 41 - 80

A. use illustrative examples of successful attacks.

B. explain the technical risks to the organization.

C. evaluate the organization against best security practices.

D. tie security risks to key business objectives.

Explanation:

Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives. Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the impact on the business environment and objectives. Industry best practices are important to senior management, but, again, senior management will give them the right level of importance only when they are presented in terms of key business objectives.


C.

A. A risk assessment should be included in the business case but by itself will not be as effective in gaining management support.

B. Informing management of regulatory requirements may help gain support for initiatives, but given that many organizations are not in compliance with regulations, it is unlikely to be sufficient.

C. A complete business case, including a cost-benefit analysis, will be most persuasive to management.

D. Good metrics that provide assurance that initiatives are meeting organizational goals will also be useful but are likely to be insufficient in gaining management support.

Obtaining senior management support for establishing a warm site can BEST be accomplished by:

A. establishing a periodic risk assessment.

B. promoting regulatory requirements.

C. developing a business case.

D. developing effective metrics.

B.

A. Preparing a security budget follows risk assessment to determine areas of concern.

B. Risk assessment, analysis, evaluation and impact analysis will be the starting point for driving management's attention to information security.

C. Developing an information security policy is based on and follows risk assessment.

D. Benchmarking information will only be relevant after a risk assessment has been performed for comparison purposes.

In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:

A. prepare a security budget.

B. conduct a risk assessment.

C. develop an information security policy.

D. obtain benchmarking information.

D.

A. Monitoring and metrics can determine progress but are effective only if there is management support.

B. Strategy is only one building block of information security governance and cannot work without management support.

C. A steering committee cannot exist without management support.

D. Senior management must champion the process and information security spokespersons to create an effective information security governance framework.

Which of the following is the MOST important component of information security governance?

A. Appropriate monitoring and metrics

B. An established strategy for moving forward

C. An information security steering committee

D. Senior management involvement

C.

A. While examples of incidents to other organizations may help obtain senior management buy-in, buy-in should be based on realistic threats to the organization's corporate objectives.

B. Good practices are rarely useful, although they may enhance senior management buy-in. But this is not as substantial as realistic threats to the organization's corporate objectives.

C. Linking realistic threats to key business objectives will direct executive attention to them.

D. Analysis of current technological exposures may enhance senior management buy-in but is not as substantial as realistic threats to the organization's corporate objectives.

A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following items would be of MOST value?

A. Examples of genuine incidents at similar organizations

B. Statement of generally accepted good practices

C. Associating realistic threats to corporate objectives

D. Analysis of current technological exposures

D.

A. Cost reduction by itself is rarely the motivator for implementing an information security program.

B. Compliance is secondary to business value.

C. Increasing business value may include protection of business assets.

D. Investing in an information security program should increase business value as a result of fewer business disruptions, fewer losses and increased productivity.

Which of the following is the BEST justification to convince management to invest in an information security program?

A. Cost reduction

B. Compliance with company policies

C. Protection of business assets

D. Increased business value

D.

A. Senior management will not be as interested in examples of successful attacks if they are not tied to the impact on business environment and objectives.

B. Senior management will not be as interested in technical risk to the organization if it is not tied to the impact on business environment and objectives.

C. Industry good practices may be important to senior management to the extent they are relevant to the organization and its business objectives.

D. Senior management wants to understand the business justification for investing in security in relation to achieving key business objectives.

Senior management commitment and support for information security can BEST be obtained through presentations that:

A. use illustrative examples of successful attacks.

B. explain the technical risks to the organization.

C. evaluate the organization against best security practices.

D. tie security risks to key business objectives.

B.

A. Procedures will support an information security policy, but this is not likely to have much impact on the culture of the organization.

B. Because culture in an organization is a reflection of senior management whether intentional or accidental, only management support and pressure will help to change an organization's culture.

C. Technical controls will provide more security to an information system and staff; however, this does not mean the culture will be changed.

D. Auditing will help to ensure the effectiveness of the information security policy; however, auditing is not effective in changing the culture of the company.

Which of the following would help to change an organization's security culture?

A. Develop procedures to enforce the information security policy.

B. Obtain strong management support.

C. Implement strict technical security controls.

D. Periodically audit compliance with the information security policy.

D.

A. While benchmarking similar organizations can be helpful in some instances to make a case for management support of the information security program, benchmarking by itself is not likely to be sufficient.

B. Management often considers security to be a financial drain and overreactive. Showing probable outcomes can help build a case, but demonstrating how the program will materially assist in achieving the desired business outcomes will be more effective.

C. Legal requirements are best presented by the legal department and are just another risk.

D. The most effective approach to gain support from management for the information security program is to persuasively demonstrate how the program will help achieve the desired outcomes. This can be done by providing specific business support in areas of operational predictability and regulatory compliance, and by improving resource allocation and meaningful performance metrics.

The MOST important requirement for gaining management commitment to the information security program is to:

A. benchmark a number of successful organizations.

B. demonstrate potential losses and other impacts that can result from a lack of support.

C. inform management of the legal requirements of due care.

D. demonstrate support for desired outcomes.

A.

A. Information security exists to address risk to the organization that may impede achieving its objectives. Organizational risk will be the most persuasive argument for management commitment and support.

B. Establishing metrics to measure security status will be viewed favorably by senior management after the overall organizational risk is identified.

C. The information security manager should identify information security needs based on organizational needs. Organizational or business risk should always take precedence.

D. Identifying organizational responsibilities will be most effective if related directly to addressing organizational risk.

An information security manager can BEST attain senior management commitment and support by emphasizing:

A. organizational risk.

B. organization-wide metrics.

C. security needs.

D. the responsibilities of organizational units.

D.

A. The implementation of stronger controls may lead to circumvention.

B. Awareness training is important but must be based on policies and supported by management.

C. Actively monitoring operations will not directly affect culture.

D. Endorsement from executive management in the form of policy approval provides intent, direction and support.

The FIRST step to create an internal culture that embraces information security is to:

A. implement stronger controls.

B. conduct periodic awareness training.

C. actively monitor operations.

D. gain endorsement from executive management.

A.

A. Senior management commitment is necessary in order for each of the other elements to succeed. Without senior management commitment, the other elements will likely be ignored within the organization.

B. Without senior management commitment, an information security framework is not likely to be implemented.

C. Without senior management commitment, it is not likely that there is support for developing an information security organizational structure.

D. The development of effective policies as a statement of management intent and direction is likely to be inadequate without senior management commitment to information security.

Which of the following is the MOST important prerequisite for establishing information security management within an organization?

A. Senior management commitment

B. Information security framework

C. Information security organizational structure

D. Information security policy

A.

A. Close integration of information security governance with overall organization governance is likely to provide better long-term security by institutionalizing its activities and increasing visibility in all organization activities.

B. Increased budgets and staff may improve security, but they will not have the same beneficial impact as incorporating security into the strategic levels of the organization's operations.

C. Control strength and compliance efforts must be balanced against business requirements, culture and other organization factors that are best accomplished at governance levels.

D. While technical security controls may improve some aspects of security, they will not address management issues nor provide enduring changes that are needed for an overall improvement of the enterprise security posture.

Serious security incidents typically lead to renewed focus on information security by management. To BEST utilize this attention, the information security manager should make the case for:

A. improving integration of business and information security processes.

B. increasing information security budgets and staffing levels.

C. developing tighter controls and stronger compliance efforts.

D. acquiring better supplemental technical security controls.

C.

A. The business manager is likely to be focused on getting the business done as opposed to the risk posed to the organization.

B. The typical information security manager is focused on risk and on average will overestimate risk by about 100 percent, usually considering worst-case scenarios rather than the most probable events.

C. Executive management will be in the best position to consider the big picture and the trade-offs between security and functionality in the entire organization.

D. There is no indication that the assessments are inadequate or defective in some way; therefore, repeating the exercise is not warranted.

A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager?

A. Acceptance of the business manager's decision on the risk to the corporation

B. Acceptance of the information security manager's decision on the risk to the corporation

C. Review of the assessment with executive management for final input

D. A new risk assessment and BIA are needed to resolve the disagreement

A.

A. Senior management support is critical to the implementation of any security program.

B. An appropriate budget for security activities is not likely without the support of senior management.

C. Vulnerability assessments are an important element of a successful security program but will be of little use without management support for addressing issues that arise.

D. Knowledgeable security administrators are important for a successful security program, but they are not likely to be effective without management support.

Which of the following factors is MOST important for the successful implementation of an organization's information security program?

A. Senior management support

B. Budget for security activities

C. Regular vulnerability assessments

D. Knowledgeable security administrators

C.

A. Although having the chief executive officer (CEO) sign off on the security policy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior management.

B. Security awareness training for employees will not have as much effect on senior management commitment as alignment with business goals.

C. Ensuring that security activities continue to be aligned and support business goals is critical to obtaining management support.

D. Although having senior management sign off on the security strategy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior management.

Senior management commitment and support for information security can BEST be enhanced through:

A. a formal security policy sponsored by the chief executive officer (CEO).

B. regular security awareness training for employees.

C. periodic review of alignment with business management goals.

D. senior management sign-off on the information security strategy.

D.

A. A defined information security architecture is helpful but by itself is not a strong indicator of effective governance.

B. Compliance with international standards is not an indication of the use of effective governance.

C. Periodic external audits may serve to provide an opinion on effective governance.

D. A risk management program is a key component of effective governance.

Which of the following BEST indicates senior management commitment toward supporting information security?

A. Assessment of risk to the assets

B. Approval of risk management methodology

C. Review of inherent risk to information assets

D. Review of residual risk for information assets

Which of the following is the best approach to obtain senior management commitment to the information security program?

Other notes: the program should seek to reduce risk, but risk reduction must be balanced against the cost and the impact on the business. The aim is to mitigate threats while supporting the ultimate business goal.

Which of the following is the most appropriate means of obtaining commitment from senior management for implementation of the information security strategy?

A formal presentation highlighting the relationship between security and business goals.

Which of the following would BEST ensure the success of information security governance within an organization?

The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program.

Which of the following steps should be first in developing an information security plan?

Steps to create an information security plan:

Step 1: Perform a regulatory review and landscape assessment. Your firm must first perform a regulatory review, as all businesses have requirements coming from oversight bodies. ...

Step 2: Specify governance, oversight and responsibility. ...

Step 3: Take inventory of assets.