a. Centralized governance
b. Decentralized governance
c. Hybrid governance
d. Virtual governance
219. a. The information security governance model should be aligned with the IT governance model and the corporate governance model. A centralized approach to governance requires strong, well-informed central leadership and provides consistency throughout the organization. Centralized governance structures also provide less autonomy for subordinate (sector) organizations that are part of the parent organization. To achieve centralized governance, interorganizational and intra-organizational communication mechanisms are created.
Decentralized governance is the opposite of centralized governance, hybrid governance is a combination of centralized and decentralized governance, and virtual governance does not and should not exist.
220. Which of the following outcomes of information security governance, a part of information technology (IT) governance, relates to investments in risk management?
a. Strategic alignment
b. Risk management processes
c. Risk management resources
d. Delivered value
220. d. The information security governance model should be aligned with the IT governance model and the corporate governance model. Delivered value means optimizing risk management investments in support of organizational objectives (i.e., demanding value from the investments).
Strategic alignment means risk management decisions made in business functions should be consistent with organizational goals and objectives. Risk management processes frame, assess, respond to, and monitor risk to organizational operations and assets, individuals, and other organizations. Risk management resources deal with effective and efficient allocation of given resources.
221. Which of the following information security governance structures establish the appropriate policies, procedures, and processes dealing with risk management and information security strategies at the cost of consistency throughout the organization as a whole?
a. Centralized governance
b. Decentralized governance
c. Hybrid governance
d. Virtual governance
221. b. The information security governance model should be aligned with the IT governance model and the corporate governance model. A decentralized approach accommodates subordinate (sector) organizations with divergent business needs and operating unit environments at the cost of consistency throughout the organization as a whole. The effectiveness of this approach is greatly increased by the sharing of risk-related information among subordinate units so that no subordinate sector is able to transfer risk to another without the latter's informed consent. Each sector also shares risk-related information with the parent organization to determine its impact on the organization as a whole.
Centralized governance is the opposite of decentralized governance, hybrid governance is a combination of centralized and decentralized governance, and virtual governance does not and should not exist.
222. Which of the following is not an example of issue-specific policies?
a. Use of unauthorized software
b. Operational security rules
c. Acquisition of software
d. Doing computer work at home
222. b. Operational security rules are part of system-specific security policy, whereas the other three choices are part of issue-specific policies.
223. Which of the following IT security metrics focuses on effectiveness?
a. Average frequency of audit records reviewed and analyzed for inappropriate activity
b. Percentage of security incidents caused by improperly configured access controls
c. Percentage of audit log findings reported to appropriate officials
d. Percentage of systems using automated mechanisms to conduct analysis and reporting of inappropriate activities
223. b. “Percentage of security incidents caused by improperly configured access controls” is an example of effectiveness metrics.
The other three choices deal with efficiency and implementation metrics. "Audit records reviewed" is an efficiency metric, whereas "audit log findings" and "automated mechanisms" are implementation metrics.
Effectiveness or efficiency metrics measure the results of security services delivery (i.e., they monitor the results of security controls implementation).
Implementation metrics measure the results of implementing security policies, procedures, and controls (i.e., they demonstrate progress in implementation efforts).
224. Which of the following IT security metrics focuses on impact?
a. Percentage of information system security personnel that have received security training
b. Percentage of systems compliant with the baseline configuration
c. Sum of costs of each incident within the reporting period
d. Percentage of configuration changes documented in the latest baseline configuration
224. c. “Sum of costs of each incident within the reporting period” is an example of impact metrics. The other three choices are examples of implementation metrics.
Impact metrics measure the business or mission impact of security activities and events (i.e., they provide the most direct insight into the value of security to the firm). Implementation metrics measure the results of implementing security policies, procedures, and controls (i.e., they demonstrate progress in implementation efforts).
225. IT security training provides which of the following levels?
a. Data
b. Information
c. Knowledge
d. Insight
225. c. IT security training provides knowledge levels, awareness provides data and information levels, and education provides insight levels.
Scenario-Based Questions, Answers, and Explanations
Use the following information to answer questions 1 through 9.
Risk management is a major priority of the SPK Company. The following data has been collected for one asset in the company: Natural threats are realized once every five years. The total asset value is $1,000,000. Every time a threat causes damage, it costs the company an average of $100,000. The company has the choice of getting insurance for $10,000 per year or moving to a new location at a one-time cost of $35,000. The SPK priorities in the risk management strategy are accuracy and long-term repeatability of process.
1. What can be done with the residual risk?
a. It can be either assigned or accepted.
b. It can be either identified or evaluated.
c. It can be either reduced or calculated.
d. It can be either exposed or assessed.
1. a. Residual risk is the remaining risk after countermeasures (controls) cover the risk population. The residual risk is either assigned to a third party (e.g., insurance company) or accepted by management as part of doing business. It may not be cost-effective to further reduce residual risk.