True or False? In the three-lines-of-defense model of risk management, the enterprise risk management program is responsible for controlling risk on a daily basis.
While these two approaches have similarities in terms of the topics they address, __________ covers broad IT management topics and specifies which security controls and management need to be in place, while __________ goes into more detail on how to implement controls but is less specific about the broader IT management over the controls.
Which of the following standards focuses on the secure configuration of a specific system, device, operating system, or application?
In May 2013, a National Security Agency (NSA) contractor named Edward Snowden leaked thousands of documents to a journalist detailing how the United States implements intelligence surveillance across the Internet. In which of the following sectors did this breach occur?
True or False? The charter establishes the information security program and its framework.
Which of the following statements best captures the role of information security teams in ensuring compliance with laws and regulations?
A chief information security officer (CISO) seeks to raise employee awareness of the dangers of malware in the organization. Which of the following is the best approach?
True or False? Disposal of risk demands either adding a control so risk is diffused or accepting the risk.
It is important to create an IT security program structure that aligns with program and organizational goals and describes the operating and risk environment. Which of the following is one of the important issues for the structure of the information security program?
__________ is a term used to indicate any unwanted event that takes place outside normal daily security operations. This type of event relates to a breakdown in controls as identified by the security policies.