Q1. To achieve an effective ____ focus, the governance process should document the requisite day-to-day actions of the everyday information security function down to whatever level of detail is necessary to ensure consistent performance.
    a. tactical
    b. strategic
    c. operational
    d. practical
Q2. The role of ____ is to establish and maintain coordination and coherence in the overall information security scheme.
    a. enterprise management
    b. tactical management
    c. strategic management
    d. risk management
Q3. ____ must be standard, because they are used for causal analysis and comparative purposes across the organization.
    a. Security metrics
    b. Security controls
    c. Security objectives
    d. Security records
Q4. The ____ are an explicit statement of the expected outcome of each information security activity.
    a. controls
    b. control objectives
    c. control structures
    d. control blocks
Q5. In order to ensure that the strategic management plan is composed of tangible activities, it is documented using a ____ process.
    a. bottom-up
    b. top-down
    c. middle-out
    d. sides-in
Q6. ____ is the principle that without continuous upkeep, a well-organized process will tend to fall apart over time.
    a. Process entropy
    b. System entropy
    c. Collective entropy
    d. Practical entropy
Q7. ____ is created when the satisfaction of one constraint causes problems with another.
    a. Negative problem space
    b. Negative utility space
    c. Positive problem space
    d. Positive utility space
Q8. Much of modern technical work is done through a ____.
    a. chain of suppliers
    b. chain of trust
    c. chain of consumption
    d. chain of value
Q9. A ____ lets the customer determine whether an individual supplier is carrying out the practices that the customer considers necessary to ensure security.
    a. baseline profile
    b. custom profile
    c. standard profile
    d. reference profile
Q10. In order for the procurement process to be secure, the activities of both sides of that transaction have to be properly coordinated.
    a. True
    b. False
Q11. The primary purpose of ____ is to help the developing organization build a product that reflects the security aims of the business.
    a. individual review
    b. hybrid review
    c. directed review
    d. joint review
Q12. Because of its purpose, the ____ stage of the lifecycle is the appropriate place for cybersecurity professionals to be involved in software assurance.
    a. review
    b. specification
    c. design
    d. testing
Q13. ____ are defects in application and system software that can be exploited by a threat.
    a. Threats
    b. Vulnerabilities
    c. Risks
    d. Patches
Q14. In conventional practice, applications and systems pass through five general stages of development that constitute a ______.
    a. tide
    b. framework
    c. specification
    d. lifecycle
Q15. From an application and system security standpoint, it is vitally important to ensure that every activity and task within the assurance process can be related to an ____.
    a. established policy
    b. expected result
    c. indirect result
    d. observed result
Q16. Compliance is a minor consideration in the information security universe.
    a. True
    b. False
Q17. ____ simply designates a condition or state in which the organization can be assured to satisfy relevant legal and regulatory requirements.
    a. Certification
    b. Confirmation
    c. Compliance
    d. Completion
Q18. Critical ____ factors are the basis for determining whether the compliance process has achieved its goals.
    a. success
    b. work
    c. control
    d. design
Q19. Formal ____ are the most effective means to ensure general assurance of the compliance process.
    a. management of controls
    b. infrastructures of controls
    c. certification of controls
    d. compliance of controls
Q20. In the case of ____, the response requires an outside party to assume the consequences of the risk.
    a. risk mitigation
    b. risk transference
    c. risk acceptance
    d. risk avoidance
Q21. A(n) ____ is one that occurs at regular intervals, ranging typically from one to three years between reviews.
    a. risk-based review
    b. cost-based review
    c. asset-based review
    d. time-based review
Q22. The ____ process gathers and uses information from all available sources in order to decrease the possibility of overall risks to information assets.
    a. risk mitigation
    b. risk management
    c. risk evaluation
    d. risk improvement
Q23. ____ would be those risks that might not compromise critical information but where the losses would still have business impacts.
    a. Critical risks
    b. Minor risks
    c. Avoidable risks
    d. Moderate risks
Q24. Risk response is organized and managed by a(n) ____.
    a. all-hazards plan
    b. all-risk plan
    c. risk management plan
    d. risk mitigation plan
Q25. Operational risk assessment typically entails the sort of strategic focus that was involved in the formulation of the security strategy.
    a. True
    b. False