Which of the following tools is MOST appropriate for determining how long a security project will take to implement? -Answer- Critical path When speaking to an organization's human resources department about information security, an information security manager should focus on the need for: -Answersecurity awareness training for employees. Good information security standards should: -Answer- define precise and unambiguous allowable limits. Which of the following should be the FIRST step in developing an information security plan? -Answer- Analyze the current business strategy Senior management commitment and support for information security can BEST be obtained through presentations that: -Answer- tie security risks to key business objectives The MOST appropriate role for senior management in supporting information security is the: -Answer- approval of policy statements and funding Which of the following would BEST ensure the success of information security governance within an organization? -Answer- Steering committees approve security projects Information security governance is PRIMARILY driven by: -Answer- business strategy Which of the following represents the MAJOR focus of privacy regulations? -AnswerIdentifiable personal data Investments in information security technologies should be based on: -Answer- value analysis Retention of business records should PRIMARILY be based on -Answer- regulatory and legal requirements Which of the following is characteristic of centralized information security management? -Answer- Better adherence to policies Successful implementation of information security governance will FIRST require: - Answer- updated security policies Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group? -Answer- Chief operating officer (COO) The MOST important component of a privacy policy is: -Answer- notifications The cost of implementing a security control should not exceed the: -Answer- asset value When a security standard conflicts with a business objective, the situation should be resolved by: -Answer- performing a risk analysis Minimum standards for securing the technical infrastructure should be defined in a security: -Answer- architecture Which of the following is MOST appropriate for inclusion in an information security strategy? -Answer- Security processes, methods, tools and techniques Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing: -Answer- organizational risk Which of the following roles would represent a conflict of interest for an information security manager? -Answer- Final approval of information security policies Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization? -Answer- The data center manager has final signoff on all security projects Which of the following requirements would have the lowest level of priority in information security? -Answer- Technical When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST? -Answer- Establish good communication with steering committee members It is MOST important that information security architecture be aligned with which of the following? -Answer- Business goals and objectives Which of the following is MOST likely to be discretionary? -Answer- Guidelines Security technologies should be selected PRIMARILY on the basis of their: -Answerability to mitigate business risks Which of the following are seldom changed in response to technological changes? - Answer- Policies The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in: -Answerapplication systems and media