CCNA Information Security Governance Questions

75 of 85 questions · Page 1/2 · Information Security Governance · Answers revealed

1
MCQ · medium

Which capability maturity model (CMM) level indicates that security processes are proactively measured and optimized?

A. Level 4 (Managed)
B. Level 2 (Repeatable)
C. Level 5 (Optimizing)
D. Level 3 (Defined)
Answer: C

Level 5 focuses on continuous improvement and optimization based on metrics.

Why this answer

Level 5 (Optimizing) focuses on continuous improvement through quantitative measurement.

2
MCQ · hard

A CISO is building a business case for a new security tool. Which approach BEST quantifies the value of the investment?

A. Industry analyst recommendations
B. Number of features compared to competitors
C. Total cost of ownership (TCO) analysis
D. Risk reduction value and breach cost avoidance
Answer: D

This directly links investment to avoided losses.

Why this answer

Comparing the cost of the tool against the average cost of a data breach (e.g., $4.35M) provides a clear financial justification.

3
Multi-Select · hard

An organization is updating its security governance framework. Which three elements are essential for ensuring board-level oversight?

Select 3 answers
A. Security awareness training for board members
B. CISO reporting directly to the CEO
C. Board-level risk committee review of security posture
D. Approval of the information security strategy by the board
E. Regular security incident reports to the board
Answers: C, D, E

Committee provides dedicated oversight.

Why this answer

These three elements ensure the board can fulfill its oversight role effectively.

4
MCQ · medium

During a security policy development lifecycle, which step should occur immediately after 'drafting' the policy?

A. Gap analysis
B. Legal review
C. Training
D. Stakeholder consultation
Answer: B

Legal review follows drafting to ensure legal validity.

Why this answer

After drafting, legal review ensures compliance with laws and regulations.

5
MCQ · medium

A security manager wants to measure the effectiveness of the security awareness program. Which metric is most relevant?

A. Security budget variance
B. Mean time to detect incidents
C. Phishing simulation click rate
D. Number of security policies updated
Answer: C

Correct: Direct measure of user behavior.

Why this answer

Phishing simulation click rate directly measures user behavior change, a key indicator of awareness effectiveness.

6
MCQ · hard

A CISO reports to the CIO and provides regular security updates to the board audit committee. The CEO has delegated security accountability to the CFO. Which governance structure does this reflect?

A. Decentralized with business unit CISO
B. Outsourced security management
C. Centralized with CISO reporting to CEO
D. Hybrid with executive accountability
Answer: D

Correct: CISO to CIO, board updates, CFO accountable.

Why this answer

This structure shows the CISO reporting to CIO (dotted line to board), with executive accountability assigned to CFO, typical of a tiered governance model.

7
MCQ · easy

Which of the following is the PRIMARY responsibility of the CISO in an organization?

A. Managing the IT infrastructure
B. Auditing security controls
C. Performing day-to-day security operations
D. Owning the information security strategy and programme
Answer: D

The CISO leads the security strategy and programme.

Why this answer

The CISO is accountable for developing and maintaining the information security strategy and programme.

8
MCQ · easy

What is the primary purpose of a security incident near-miss reporting culture?

A. To increase the security budget
B. To reduce the number of security policies
C. To assign blame for potential incidents
D. To identify and address security gaps proactively
Answer: D

Correct: Proactive improvement.

Why this answer

Encouraging reporting of near misses helps identify weaknesses and prevent future incidents.

9
MCQ · medium

Which of the following is the correct order in the security policy hierarchy, from highest to lowest level?

A. Standards, Enterprise Policy, Procedures, Guidelines
B. Procedures, Standards, Enterprise Policy, Guidelines
C. Guidelines, Procedures, Standards, Enterprise Policy
D. Enterprise Policy, Standards, Procedures, Guidelines
Answer: D

This is the correct hierarchical order.

Why this answer

Enterprise policy sets the tone, followed by standards, then procedures, then guidelines.

10
Multi-Select · medium

Which TWO factors are most important when prioritizing security investments? (Select TWO.)

Select 2 answers
A. The ease of implementation
B. The level of risk reduction achieved
C. Alignment with business objectives and strategy
D. The cost of the security solution
E. The popularity of the solution in the industry
Answers: B, C

Risk reduction directly impacts security posture.

Why this answer

Risk reduction and alignment with business strategy ensure investments address the most critical needs and support organizational goals.

11
MCQ · hard

A CISO is preparing a multi-year security roadmap. Which of the following is the MOST critical factor for ensuring the roadmap aligns with business strategy?

A. Benchmarking against industry peers
B. Assessing current security maturity level
C. Reviewing recent security incidents and lessons learned
D. Understanding the organization's strategic business objectives and risk appetite
Answer: D

Directly linking roadmap to business objectives ensures relevance and executive support.

Why this answer

Understanding business objectives first ensures that security initiatives support the organization's goals and are prioritized accordingly.

12
MCQ · easy

Which component is essential for building a strong security culture within an organization?

A. Mandatory annual password changes
B. Increasing the security budget
C. Executive sponsorship and visible leadership
D. Implementing the latest technology
Answer: C

Leadership commitment drives culture.

Why this answer

Executive sponsorship demonstrates leadership commitment and sets the tone at the top.

13
MCQ · easy

Which metric best indicates the effectiveness of a security awareness program in changing employee behavior?

A. Phishing simulation click rates
B. Percentage of employees who completed training
C. Number of security posters displayed
D. Number of training sessions delivered
Answer: A

Directly measures employee behavior.

Why this answer

Phishing simulation click rates directly measure how employees respond to a common threat.

14
MCQ · hard

A CISO is reporting to the board of directors. Which metric would BEST demonstrate the effectiveness of the security program in reducing business impact?

A. Security investment vs. loss avoidance
B. Number of security incidents
C. Patch compliance percentage
D. Mean time to detect (MTTD)
Answer: A

This metric quantifies the financial benefit of security spending.

Why this answer

Security investment vs. loss avoidance directly links spending to prevented losses, demonstrating ROI and program effectiveness to the board.

15
MCQ · medium

An organization is updating its security policy framework. The current enterprise security policy has not been reviewed in three years. What is the FIRST step in the policy development lifecycle?

A. Obtaining legal review
B. Training employees on the updated policy
C. Drafting the revised policy language
D. Conducting a gap analysis
Answer: D

A gap analysis identifies what needs to change based on new regulations, business changes, or incident lessons.

Why this answer

The policy lifecycle begins with a gap analysis to identify deficiencies between current policies and business/regulatory requirements.

16
Multi-Select · medium

A security manager is conducting a regulatory compliance review. Which THREE regulations are most likely to apply to a financial services company operating in the United States?

Select 3 answers
A. HIPAA (Health Insurance Portability and Accountability Act)
B. SOX (Sarbanes-Oxley Act)
C. PCI DSS (Payment Card Industry Data Security Standard)
D. Sector-specific regulations (e.g., SEC cybersecurity rules)
E. GDPR (General Data Protection Regulation)
Answers: B, C, D

Applies to financial reporting controls.

Why this answer

SOX applies to financial reporting, PCI DSS to payment cards, and sector-specific regulations may apply; GDPR is EU-specific.

17
MCQ · easy

An organization has a decentralized governance model where each business unit manages its own security. What is a key challenge of this model?

A. Lower cost due to elimination of central security team
B. Rapid decision-making due to fewer layers
C. Increased central control and uniformity
D. Inconsistent security policies and controls across units
Answer: D

Without central oversight, policies can vary widely.

Why this answer

Decentralized models often lead to inconsistent security practices and lack of standardization across the organization.

18
MCQ · medium

An organization is implementing a hybrid governance model for information security. Which statement best describes this approach?

A. All security decisions are made by a central security team
B. Each business unit has full autonomy over security without central coordination
C. Security is outsourced to a third-party provider
D. A central security team sets policies and provides oversight, while business units execute security operations
Answer: D

Hybrid combines central direction with local execution.

Why this answer

Hybrid combines centralized oversight with decentralized execution within business units.

19
MCQ · easy

Which capability maturity model (CMM) level indicates that security processes are managed and measured using quantitative metrics?

A. Level 4: Managed
B. Level 3: Defined
C. Level 2: Repeatable
D. Level 5: Optimizing
Answer: A

Managed uses quantitative measures.

Why this answer

Level 4 (Managed) is characterized by quantitative management of processes.

20
MCQ · easy

Which capability maturity model (CMM) level indicates that security processes are measured and controlled?

A. Level 3: Defined
B. Level 5: Optimizing
C. Level 4: Managed
D. Level 2: Repeatable
Answer: C

Correct: Quantitative measurement and control.

Why this answer

Level 4 (Managed) involves quantitative measurement and control of processes.

21
MCQ · hard

A company is considering a policy exception that would allow temporary non-compliance with a data encryption standard due to a legacy system. What is the most important element of the exception management process?

A. Notification to all employees
B. Annual renewal without further review
C. Approval by the CISO only
D. A documented remediation plan with timelines and risk acceptance
Answer: D

This ensures the exception is temporary and risks are accepted.

Why this answer

Exceptions must include a documented remediation plan and risk acceptance to ensure accountability.

22
MCQ · easy

Which governance structure is characterized by a single security team that serves the entire organization?

A. Matrix
B. Hybrid
C. Centralized
D. Decentralized
Answer: C

Centralized uses a single security team for the whole organization.

Why this answer

A centralized governance model consolidates security responsibilities under one team, ensuring consistent policy enforcement and resource allocation.

23
MCQ · medium

Which regulatory requirement mandates that organizations implement data protection measures for personal data of EU citizens?

A. SOX
B. GDPR
C. PCI DSS
D. HIPAA
Answer: B

Correct: General Data Protection Regulation.

Why this answer

GDPR is the primary regulation for personal data protection in the EU.

24
MCQ · easy

Which of the following is the PRIMARY reason for aligning the information security program with business objectives?

A. To reduce the cost of security operations
B. To comply with regulatory requirements
C. To ensure security initiatives receive adequate funding
D. To demonstrate the value of security to the business and gain executive support
Answer: D

Demonstrating value and gaining support is essential for long-term sustainability.

Why this answer

Aligning security with business objectives ensures that security investments support business goals and demonstrate value to stakeholders.

25
MCQ · hard

A multinational organization must comply with GDPR, CCPA, and PCI DSS. The security manager is designing a compliance monitoring program. Which approach is MOST efficient?

A. Create separate monitoring programs for each regulation
B. Outsource compliance to a third-party
C. Focus only on the strictest regulation
D. Map common controls to multiple regulations
Answer: D

Control mapping leverages overlaps for efficiency.

Why this answer

Mapping controls to multiple regulations reduces duplication and ensures comprehensive coverage across requirements.

26
MCQ · medium

Which of the following is the PRIMARY benefit of having a formal policy exception management process?

A. Eliminating all security risks
B. Reducing the number of security policies
C. Ensuring consistent treatment of exceptions with proper risk acceptance
D. Automating policy enforcement
Answer: C

Formal process ensures exceptions are managed consistently and risks are accepted by appropriate authority.

Why this answer

A formal process ensures that exceptions are documented, reviewed, and approved, reducing uncontrolled risk.

27
Multi-Select · medium

A CISO is reporting to the board on the effectiveness of the security programme. Which TWO metrics are MOST appropriate for board-level reporting? (Select TWO)

Select 2 answers
A. Number of firewall rules changed
B. Mean time to detect (MTTD) and mean time to respond (MTTR)
C. Number of employees who completed security training
D. Security investment vs. loss avoidance
E. Patch compliance percentage
Answers: B, D

These reflect the effectiveness of detection and response capabilities.

Why this answer

Board-level metrics should focus on strategic impact, such as overall risk posture and financial implications.

28
MCQ · hard

An organization's security strategy includes a goal to achieve CMM Level 3. What capability does the organization need to demonstrate?

A. Standardized and documented security processes
B. Ad-hoc security processes
C. Quantitative measurement of process effectiveness
D. Continuous process optimization
Answer: A

Correct: Level 3 requires standardization.

Why this answer

Level 3 (Defined) requires standardized, documented processes across the organization.

29
MCQ · medium

An organization is developing a security policy for remote access. According to the policy hierarchy, where should this policy fit?

A. Procedure
B. Guideline
C. Enterprise security policy
D. Domain-specific standard
Answer: D

Standards define mandatory requirements for specific domains.

Why this answer

Enterprise security policy is high-level; domain-specific standards provide mandatory requirements for specific areas like remote access.

30
Multi-Select · medium

A CISO is preparing a business case for a new security investment. Which TWO elements are most important to include to justify the investment?

Select 2 answers
A. Breach cost avoidance based on industry benchmarks
B. Vendor reputation
C. Ease of implementation
D. Risk reduction value
E. Number of security team members
Answers: A, D

Quantifies potential savings by avoiding breaches.

Why this answer

Risk reduction value and breach cost avoidance directly quantify the benefits.

31
MCQ · hard

A multinational organization handles personal data of EU residents. Which regulatory requirement must the information security program address?

A. SOX
B. PCI DSS
C. HIPAA
D. GDPR
Answer: D

GDPR protects personal data of EU residents.

Why this answer

GDPR applies to any organization processing personal data of EU residents, regardless of location.

32
MCQ · easy

A policy exception management process allows a business unit to temporarily deviate from a security policy. What is the MOST important requirement for such an exception?

A. Documentation of the exception
B. Implementation of compensating controls
C. Approval by the CISO only
D. A fixed expiration date
Answer: B

Compensating controls reduce risk to an acceptable level.

Why this answer

Compensating controls are essential to mitigate the risk of the exception, ensuring the organization's risk posture is acceptable.

33
Multi-Select · medium

A CISO is presenting a security investment proposal to the board. Which two metrics are most effective for articulating the business value of the investment?

Select 2 answers
A. Breach cost avoidance
B. Mean time to patch
C. Number of security staff
D. Number of security tools deployed
E. Compliance cost avoidance
Answers: A, E

Measures financial benefit of preventing breaches.

Why this answer

Breach cost avoidance directly quantifies risk reduction, and compliance cost avoidance shows regulatory value.

34
MCQ · hard

A CISO is building a business case for a new security tool. Which approach BEST articulates the return on investment (ROI) to the board?

A. Total cost of ownership (TCO) compared to competitors
B. Risk reduction value minus total cost of ownership
C. Compliance with industry standards
D. Number of alerts the tool will generate
Answer: B

This shows net benefit (ROI) by comparing risk reduction to cost.

Why this answer

Risk reduction value quantifies the expected reduction in loss, which directly ties to business value.

35
MCQ · medium

An organization's board of directors wants to improve security culture. Which initiative would have the GREATEST impact?

A. Increasing the security awareness training budget
B. Implementing a near-miss reporting system
C. Establishing executive sponsorship of security
D. Conducting monthly phishing simulations
Answer: C

Executive sponsorship signals priority and accountability.

Why this answer

Executive sponsorship from the board demonstrates top-down commitment, which is critical for driving cultural change.

36
Multi-Select · hard

An organization is implementing a policy exception management process. Which THREE elements are essential for effective exception handling? (Select THREE.)

Select 3 answers
A. Periodic review and renewal of exceptions
B. Publicizing the exception to all employees
C. Automatic expiration of the exception after a defined period
D. Approval by the CISO or designated authority
E. Documentation of the business justification
Answers: A, D, E

Periodic review ensures exceptions remain valid.

Why this answer

Effective exception management requires documentation, approval, and periodic review to prevent exceptions from becoming permanent risks.

37
MCQ · hard

A CISO is developing a multi-year security roadmap aligned with business strategy. The organization is in a highly regulated industry with frequent regulatory changes. Which of the following should be the PRIMARY driver for prioritizing security initiatives?

A. Reduction of the mean time to detect (MTTD) security incidents
B. Cost savings from consolidating security tools
C. Achieving a target capability maturity model (CMM) level
D. Alignment with current and upcoming regulatory requirements
Answer: D

Regulatory compliance is a critical business requirement; non-compliance can result in fines, legal action, and reputational damage.

Why this answer

While risk reduction is important, in a highly regulated environment with frequent changes, compliance alignment ensures the organization avoids legal penalties and maintains business continuity.

38
Multi-Select · hard

An organization is implementing a security culture measurement program. Which THREE metrics would BEST indicate a positive security culture?

Select 3 answers
A. Percentage of employees completing security training
B. Incidents caused by human error
C. Time since last security audit
D. Near-miss reporting rate
E. Number of security incidents reported to management
Answers: A, B, D

High completion shows engagement and commitment to security.

Why this answer

A positive culture is reflected in proactive reporting, low error rates, and high engagement. Near-miss reporting, training completion, and a low number of human-error incidents are key indicators.

39
MCQ · hard

A CISO is building a business case for a new security tool. Which of the following approaches is MOST effective for justifying the investment?

A. Highlighting that competitors are using the same tool
B. Comparing the tool's cost to industry averages for similar tools
C. Demonstrating how the tool reduces the likelihood and impact of a potential breach, translating to expected loss avoidance
D. Emphasizing the tool's advanced features and technical capabilities
Answer: C

This approach quantifies risk reduction and shows financial benefit.

Why this answer

Quantifying risk reduction in monetary terms directly links security investment to business value and risk management.

40
MCQ · medium

Which of the following is the PRIMARY role of the board of directors in information security governance?

A. Conducting daily security operations
B. Developing detailed security policies
C. Approving specific security technologies
D. Providing oversight and ensuring security is aligned with business strategy
Answer: D

Board oversight is a key governance responsibility.

Why this answer

The board sets the tone from the top and ensures security is integrated into organizational strategy and risk management.

41
MCQ · easy

Which of the following is the primary responsibility of the board of directors in information security governance?

A. Implementing day-to-day security operations
B. Conducting vulnerability assessments
C. Setting risk appetite and overseeing security governance
D. Writing security policies
Answer: C

Board sets risk appetite and provides oversight.

Why this answer

The board is responsible for oversight, ensuring security aligns with business strategy and risk appetite.

42
MCQ · medium

An organization is deciding whether to adopt a centralized or hybrid security governance model. Which factor MOST strongly favors a hybrid model?

A. High degree of autonomy needed by business units with diverse needs
B. Minimal security budget
C. Low regulatory requirements
D. Uniform security across all business units
Answer: A

Hybrid balances central control with unit flexibility.

Why this answer

A hybrid model allows business units to maintain some autonomy while benefiting from central standards and oversight.

43
MCQ · hard

A multinational organization must comply with GDPR, CCPA, and PCI DSS. Which approach is MOST effective for managing these overlapping requirements?

A. Outsource compliance management to a third-party consultant
B. Develop a unified compliance framework that maps controls to multiple regulations
C. Prioritize compliance based on the most stringent regulation
D. Assign separate teams to manage each regulation
Answer: B

A unified framework streamlines compliance and reduces redundancy.

Why this answer

A unified compliance framework reduces duplication and ensures consistent control application across regulations.

44
MCQ · medium

An organization's board of directors wants to ensure that security activities align with business objectives. Which governance practice best supports this alignment?

A. Conducting annual security awareness training
B. Implementing a decentralized security model
C. Developing a multi-year security roadmap tied to business strategy
D. Hiring a CISO with a technical background
Answer: C

Correct: Roadmap explicitly aligns with business objectives.

Why this answer

A security strategy that directly references business goals ensures that security investments and initiatives support organizational priorities.

45
MCQ · easy

Which of the following is the PRIMARY responsibility of the board of directors regarding information security governance?

A. Performing technical vulnerability assessments
B. Approving specific security tools and technologies
C. Conducting daily security monitoring activities
D. Setting the strategic direction and oversight of the security programme
Answer: D

The board provides strategic direction and oversight, ensuring alignment with business goals.

Why this answer

The board is responsible for ensuring that information security is aligned with business objectives and that adequate resources are allocated.

46
MCQ · easy

Which of the following best describes a key benefit of a centralized information security governance model?

A. Greater autonomy for business units
B. Reduced need for executive oversight
C. Consistent enforcement of security policies and standards
D. Faster adaptation to local business needs
Answer: C

Centralization ensures uniformity.

Why this answer

Centralized models provide consistent application of controls and policies across the organization.

47
MCQ · easy

Which of the following is the BEST example of a board-level security metric?

A. Security investment versus loss avoidance
B. Vulnerability scan completion rate
C. Number of firewall rules implemented
D. Percentage of employees who completed security training
Answer: A

This metric helps the board understand the return on security investments and the value of preventing losses.

Why this answer

Board-level metrics should reflect impact on business objectives and financial performance. Investment vs. loss avoidance directly ties security spending to business value.

48
MCQ · easy

Which of the following is the FIRST step in the security policy development lifecycle?

A. Legal review
B. Stakeholder consultation
C. Drafting the policy
D. Gap analysis
Answer: D

Gap analysis determines what policies are needed.

Why this answer

A gap analysis identifies current state vs. desired state, which is necessary before drafting policy.

49
Multi-Select · easy

Which TWO elements are key components of a security culture measurement program?

Select 2 answers
A. Number of security policies
B. Vulnerability scan frequency
C. Phishing simulation click rates
D. Firewall log size
E. Training completion rates
Answers: C, E

Indicates user awareness and behavior.

Why this answer

Phishing simulation click rates and training completion rates are common quantitative measures of security culture.

50
Multi-Select · medium

A CISO is presenting a security metrics dashboard to the board. Which TWO metrics are most appropriate for board-level reporting? (Select TWO.)

Select 2 answers
A. Number of security staff per business unit
B. Security investment vs. loss avoidance
C. Number of firewall rules changed
D. Mean time to detect (MTTD)
E. Average patch deployment time
Answers: B, D

Demonstrates ROI and is strategic.

Why this answer

Board-level metrics should focus on strategic outcomes such as incident response and financial impact.

51
MCQ · easy

A security metrics program should include key performance indicators (KPIs) for board reporting. Which metric is most appropriate for executive oversight?

A. Number of firewall rules configured
B. Daily log volume
C. Patch management tool version
D. Mean time to detect (MTTD) incidents
Answer: D

MTTD is a strategic metric for board visibility.

Why this answer

Mean time to detect is a high-level metric that reflects security effectiveness.

52
MCQ · medium

An organization is developing an information security strategy aligned with business objectives. Which of the following is the BEST approach to prioritize security investments?

A. Follow industry benchmarks without adjustment
B. Use a risk-based approach aligned to business impact
C. Prioritize based on the cost of security controls
D. Allocate budget equally across all security domains
Answer: B

Risk-based prioritization ensures investments address the highest risks.

Why this answer

A risk-based approach aligns security investments with the organization's risk appetite, ensuring resources are directed to the most critical areas.

53
MCQ · medium

An organization is updating its security policies. After drafting the policy, which step should occur NEXT?

A. Stakeholder consultation
B. Training and awareness
C. Approval by management
D. Legal review
Answer: D

Legal review is the next logical step.

Why this answer

Legal review ensures the policy complies with applicable laws and regulations before seeking approval.

54
MCQ · hard

A security awareness programme is being evaluated. Which metric BEST indicates a positive security culture?

A. Number of policy violations
B. Percentage of employees who completed training
C. Number of security incidents reported
D. Phishing simulation click rate
Answer: D

Lower click rates indicate better security awareness and culture.

Why this answer

A low click rate on simulated phishing emails indicates that employees are cautious and apply training.

55
MCQ · medium

Which board-level metric is MOST useful for measuring the effectiveness of the incident response process?

A. Mean time to respond (MTTR)
B. Patch compliance percentage
C. Mean time to detect (MTTD)
D. Number of security incidents
Answer: A

MTTR indicates how quickly the organization responds to incidents.

Why this answer

Mean time to respond (MTTR) directly measures how quickly incidents are contained and remediated.

56
Multi-Select · medium

A CISO is building a business case for a new security tool. Which TWO metrics would BEST justify the investment to senior leadership?

Select 2 answers
A. Compliance cost avoidance
B. Breach cost avoidance
C. Mean time to respond (MTTR) improvements
D. Phishing simulation click rate
E. Number of vulnerabilities discovered
Answers: A, B

Shows how the tool reduces costs related to regulatory compliance (e.g., fines, audits).

Why this answer

Senior leadership cares about financial impact. Breach cost avoidance and compliance cost avoidance directly demonstrate value by reducing potential losses.

57
MCQ · easy

What is the first step in the security policy development lifecycle?

A. Gap analysis
B. Legal review
C. Drafting the policy
D. Stakeholder consultation
Answer: A

Correct: Identifies needs first.

Why this answer

Gap analysis identifies missing or inadequate controls before drafting new policies.

58
MCQ · easy

Which governance model is characterized by a single, centralized security team that serves the entire organization?

A. Centralized
B. Federated
C. Decentralized
D. Hybrid
Answer: A

Correct: Single team serves entire organization.

Why this answer

Centralized governance consolidates security resources and authority under one team, ensuring consistent policy enforcement and streamlined management.

59
Multi-Select · hard

A financial services firm is subject to SOX, PCI DSS, and GDPR. The CISO needs to implement a regulatory change management process. Which THREE steps are essential?

Select 3 answers
A. Assess impact on existing controls
B. Immediately enforce all changes regardless of cost
C. Outsource compliance to a single vendor
D. Monitor regulatory updates from authorities
E. Update policies and controls accordingly
Answers: A, D, E

Determines required adjustments.

Why this answer

Monitoring regulatory changes, assessing impact, and updating controls are critical to maintaining compliance.

60
Multi-Select · medium

A CISO is designing a security metrics program for the board. Which TWO metrics are MOST appropriate for board-level reporting?

Select 2 answers
A. Phishing simulation click rate
B. Average patch deployment time
C. Number of firewall rules
D. Security investment vs. loss avoidance
E. Mean time to respond (MTTR)
Answers: D, E

Demonstrates financial ROI.

Why this answer

Mean time to respond (MTTR) and security investment vs. loss avoidance are strategic metrics that inform risk management and resource allocation.

61
Multi-Select · easy

Which TWO components are essential for an effective information security governance framework?

Select 2 answers
A. Implementation of an intrusion detection system
B. Detailed technical configuration guides
C. Board-level oversight of security programs
D. Alignment of security program with business objectives
E. Daily threat intelligence feeds
Answers: C, D

Governance requires board accountability and oversight to ensure security is prioritized.

Why this answer

Board-level oversight and alignment with business objectives are foundational to governance, ensuring security is integrated into organizational strategy.

62
MCQ · medium

Which of the following is the FIRST step in the security policy development lifecycle?

A. Gap analysis
B. Legal review
C. Approval
D. Stakeholder consultation
Answer: A

Gap analysis identifies what policies are needed.

Why this answer

The lifecycle begins with gap analysis to identify missing or outdated policies before drafting or approval.

63
MCQ · hard

A CISO is developing a multi-year security roadmap. Which approach best ensures the roadmap aligns with business strategy?

A. Prioritize initiatives based on security team capacity
B. Align security initiatives with the organization's strategic business objectives
C. Base the roadmap on the latest industry threat intelligence
D. Create the roadmap based on compliance requirements only
Answer: B

Directly aligning ensures security supports business.

Why this answer

Roadmaps should be derived from business objectives to ensure relevance and executive support.

64
MCQ · medium

An organization has a decentralized governance model where each business unit manages its own security team. The CISO reports to the CIO. Which of the following is the GREATEST risk associated with this structure?

A. Difficulty in achieving economies of scale for security operations
B. Lack of skilled security personnel in some business units
C. Increased cost due to duplication of security tools
D. Inconsistent enforcement of security policies across business units
Answer: D

Decentralized structures often lead to varying levels of security maturity and policy adherence, creating gaps that attackers can exploit.

Why this answer

In a decentralized model, inconsistent security practices across business units can lead to gaps in protection and difficulty in enforcing enterprise-wide standards.

65
MCQ · hard

During a policy exception review, the CISO identifies that multiple exceptions have been granted for the same control due to business constraints. What is the best course of action?

A. Revise the policy to accommodate the business need
B. Escalate to the board for approval
C. Increase monitoring of excepted systems
D. Reject all future exceptions for that control
Answer: A

Revising the policy addresses the root cause of the repeated exceptions.

Why this answer

Addressing root causes reduces reliance on exceptions and strengthens the security posture.

66
MCQ · medium

Which of the following is the BEST metric for the board to assess the security program's effectiveness in detecting threats?

A. Patch compliance percentage
B. Number of security incidents
C. Phishing simulation click rate
D. Mean time to detect (MTTD)
Answer: D

MTTD is a standard detection metric.

Why this answer

Mean time to detect (MTTD) directly measures the speed of threat detection, a key indicator of detection capability.

67
MCQ · medium

Which board-level committee typically receives security reports to provide oversight?

A. Nominating committee
B. Compensation committee
C. Audit/risk committee
D. Finance committee
Answer: C

The audit/risk committee oversees risk and controls.

Why this answer

The audit/risk committee is responsible for oversight of risk management and control, including security.

68
MCQ · medium

In a Capability Maturity Model (CMM) for information security processes, which level is characterized by processes being measured and controlled?

A. Level 5 (Optimizing)
B. Level 2 (Repeatable)
C. Level 4 (Managed)
D. Level 3 (Defined)
Answer: C

Level 4 uses metrics and statistical control to manage processes.

Why this answer

Level 4 (Managed) involves quantitative measurement and control of processes.

69
MCQ · medium

A CISO is developing a multi-year security roadmap. Which of the following should be the PRIMARY driver for prioritizing initiatives?

A. Ease of implementation
B. Availability of new technology
C. Alignment with business strategy and risk appetite
D. Cost of the initiative
Answer: C

Security must support business goals and risk tolerance.

Why this answer

The roadmap must align security initiatives with the organization's strategic business objectives to ensure relevance and support.

70
MCQ · medium

Which of the following best describes the role of the chief information security officer (CISO) in a governance context?

A. The CISO delegates all strategic decisions to the CIO
B. The CISO is a peer to the board with voting rights
C. The CISO oversees the security program and reports to executive leadership
D. The CISO is primarily a technical role focused on firewall management
Answer: C

The CISO is accountable for the security program and reports to executives.

Why this answer

The CISO is responsible for developing and implementing the security program, reporting to executive leadership.

71
Multi-Select · medium

A security manager is measuring the security culture of the organization. Which three metrics are most appropriate?

Select 3 answers
A. Phishing simulation click rate
B. Training completion rate
C. Security budget as percentage of IT budget
D. Number of security policies published
E. Percentage of incidents due to human error
Answers: A, B, E

Measures user susceptibility to phishing.

Why this answer

These metrics directly reflect employee behavior and the effectiveness of the security culture program.

72
MCQ · easy

The board of directors has requested a security metrics dashboard. Which metric would BEST demonstrate the effectiveness of the incident response process?

A. Percentage of users trained
B. Mean Time to Respond (MTTR)
C. Number of security incidents
D. Patch compliance percentage
Answer: B

MTTR indicates how quickly incidents are contained and remediated.

Why this answer

Mean Time to Respond (MTTR) directly measures the speed and effectiveness of incident response.

73
MCQ · medium

An organization is implementing a security awareness program. Which metric is MOST indicative of a positive security culture?

A. Low number of incidents caused by human error
B. Low phishing simulation click rate
C. High near-miss reporting rate
D. High training completion percentage
Answer: C

Indicates proactive security behavior and trust in reporting channels.

Why this answer

A high near-miss reporting rate indicates that employees are vigilant and willing to report potential issues without fear of blame.

74
MCQ · medium

In which reporting model does the CISO have a direct reporting line to the CEO while also reporting to the CIO on operational matters?

A. Solid line to CEO, dotted line to CIO
B. Solid line to CIO, dotted line to CEO
C. Dotted line to both CEO and CIO
D. Solid line to both CEO and CIO
Answer: A

This structure balances strategic and operational reporting.

Why this answer

A dotted line reporting to the CIO and solid line to the CEO gives the CISO strategic authority while maintaining operational alignment.

75
MCQ · medium

A company is developing a business case for a new security tool. Which metric best demonstrates the value of the investment?

A. Number of security incidents
B. Percentage of budget spent on security
C. Security investment vs. loss avoidance
D. Time to implement the tool
Answer: C

This is a direct ROI comparison.

Why this answer

Comparing security investment to potential loss avoidance quantifies ROI in business terms.
