Your company decides to invest in solutions, in the coming year, to support salespeople as road warriors and boost sales. Laptops, mobile phones, VPN, wireless networks, and customer relationship management (CRM) systems are parts of the selected solution. As a CISO, which of the following is the least concern when developing a risk management strategy?
A. Foreign ownership, control, or influence over suppliers
B. Investment strategies
C. The impact of the solution upon business processes
D. Laws and regulations
Continue reading →

You are considering solutions to connect multiple branches to the headquarters. You select MPLS and RIP as the solution in the end. Between which layers are the protocols in terms of the ISO OSI model?
A. Data Link, Network
B. Transport, Physical
C. Data Link, Internet
D. Network, Transport
Continue reading →

As a security professional, you are attending the risk management meeting. A member points out a maintenance service provider for the ERP system is suffering financial problems that might hinder the service level. Which of the following should be conducted first?
A. Escalate this problem to the management and suggest sourcing a backup provider
B. Activate the information system contingency plan (ISCP)
C. Train in-house team members to support the system as a backup solution
D. Identify affected business processes and related resources
Continue reading →

You are the manger authorized to make decisions on the acceptance of risk. After risk treatment, you are considering a case that the cost of handling the residual risk is much higher than the risk acceptance criteria. Even though quantitative economic benefits cannot justify it, you deeply believe the risk with low likelihood is not urgent but brings a significant impact on the organization and should be handled. Which of the following decisions best meets the risk acceptance principles?
A. No further treatment because it doesn’t meet the risk acceptance criteria
B. No further treatment because subjective judgment is not reliable
C. Revise the risk acceptance criteria if possible, and implement risk treatment
D. Implement exception risk treatment but comment and justify your decision.
Continue reading →

To address security concerns, you align the software development life cycle to ISO 15288, which consists of four families or groups of system life cycle processes: agreement, organizational project-enabling, technical management, and technical processes. Which of the following belongs to the process family, Technical Processes?
A. Configuration Management
B. Life Cycle Model Management
C. Quality Assurance
D. Business or Mission Analysis
Continue reading →

Your organization adopts the NIST FARM risk management approach to frame, assess, respond to, and monitor risks that arise from a variety of sources or tiers such as information systems, business processes, or the organization. As a CISO, you are considering the governance structures from the organizational perspective to address risk. Which of the following is not your primary concern?
A. Strategies for internal development and external acquisition of IT products
B. Risk management strategy
C. Approaches to replacing legacy information systems
D. Enterprise Architecture
Continue reading →

You learned from the news that the World Health Organization (WHO) is closely monitoring a novel deadly coronavirus under spreading. As a CISO, which of the following will you do first?
A. Implement emergent update for latest antivirus signatures
B. Conduct the exercise of the Occupant Emergency Plan (OEP)
C. Enable the incident response plan and security incident response team
D. Review and test the business continuity plan (BCP)
Continue reading →