CCNA Information Security Governance Questions

10 of 85 questions · Page 2/2 · Information Security Governance

76
MCQ · medium

An organization is implementing a new security policy. Which step should occur AFTER the policy is approved?

A. Stakeholder consultation
B. Gap analysis
C. Training and communication
D. Legal review
Answer: C

After approval, the policy must be communicated to staff and training delivered on it.

Why this answer

After approval, training and awareness are essential to ensure employees understand and comply with the policy.

77
Multi-Select · hard

An organization is designing a security metrics dashboard for the board of directors. Which THREE metrics are most appropriate for board-level reporting?

Select 3 answers
A. Average age of security patches in days
B. Patch compliance percentage for critical systems
C. Mean time to respond (MTTR) to incidents
D. Number of intrusion detection alerts per day
E. Security investment as a percentage of IT budget
Answers: B, C, E

Indicates vulnerability management posture.

Why this answer

These metrics provide strategic insight into security effectiveness and compliance.

78
MCQ · medium

An organization has a decentralized governance model with security teams embedded in each business unit. The CISO is concerned about inconsistent security controls across the enterprise. What is the BEST recommendation to address this?

A. Adopt a hybrid governance model with enterprise-wide standards and local execution
B. Conduct a risk assessment to prioritize controls
C. Implement a centralized security operations center (SOC) to monitor all units
D. Move to a fully centralized governance model
Answer: A

A hybrid model enforces enterprise-wide standards while allowing local flexibility.

Why this answer

A hybrid model combines the benefits of centralized oversight with decentralized execution, ensuring consistency while maintaining business unit flexibility.

79
Multi-Select · medium

Which TWO regulations are MOST likely to impact an organization that processes credit card payments and handles personal data of EU residents?

Select 2 answers
A. HIPAA
B. SOX
C. GDPR
D. CCPA
E. PCI DSS
Answers: C, E

GDPR protects personal data of individuals in the EU.

Why this answer

PCI DSS applies to payment card processing, and GDPR applies to personal data of EU residents. These are the two most relevant regulations.

80
Multi-Select · hard

A security policy is being developed. Which THREE steps are part of the policy development lifecycle? (Select THREE)

Select 3 answers
A. Drafting the policy based on input
B. Conducting penetration testing
C. Stakeholder consultation to gather input
D. Implementing the policy in firewalls
E. Gap analysis against existing policies and standards
Answers: A, C, E

Drafting is the core step in policy creation.

Why this answer

The lifecycle includes analysis, consultation, drafting, review, approval, training, and monitoring.

81
Multi-Select · hard

An organization is updating its information security strategy. Which THREE elements should be included to ensure alignment with business objectives? (Select THREE)

Select 3 answers
A. Risk appetite and tolerance levels defined by the board
B. Compliance requirements from applicable regulations
C. Daily monitoring schedule for the security operations center
D. A detailed list of firewall ports to block
E. Multi-year roadmap with key milestones
Answers: A, B, E

Risk appetite guides security investments and priorities.

Why this answer

Strategy must be driven by business needs, risk appetite, and regulatory requirements.

82
Multi-Select · medium

A CISO is developing a security strategy. Which THREE elements should be included in a multi-year security roadmap?

Select 3 answers
A. Milestones for achieving target capability maturity levels
B. Current vulnerability scan results
C. Detailed network architecture diagrams
D. Resource allocation for each initiative
E. Alignment with business strategic goals
Answers: A, D, E

Milestones help track progress and ensure the roadmap is actionable.

Why this answer

A roadmap should include milestones, resource allocation, and alignment with business objectives to guide implementation over time.

83
MCQ · hard

An organization is subject to GDPR, PCI DSS, and SOX. What is the BEST approach to manage compliance with multiple regulations?

A. Assign each regulation to a separate compliance team
B. Develop a control framework that maps to all regulations
C. Implement the most stringent requirements for all
D. Focus only on the regulation with the highest fines
Answer: B

A unified framework streamlines compliance and reduces overlap.

Why this answer

A unified compliance framework that maps common controls to multiple regulations reduces duplication and cost.

84
MCQ · medium

Which capability maturity model (CMM) level is characterized by security processes being standardized and documented across the organization?

A. Level 4 - Managed
B. Level 1 - Initial
C. Level 3 - Defined
D. Level 2 - Repeatable
Answer: C

Level 3 processes are standardized and documented organization-wide.

Why this answer

CMM Level 3 (Defined) involves standardized, documented processes.

85
Multi-Select · hard

An organization is designing a policy exception management process. Which THREE elements are critical for this process to be effective?

Select 3 answers
A. Approval by the CISO or designated authority
B. Automatic approval if no response within 24 hours
C. Formal documentation of the exception request
D. Ability for any employee to request an exception
E. An expiration date for the exception
Answers: A, C, E

Approval by a designated authority ensures consistent decision-making and oversight.

Why this answer

Effective exception management requires formal documentation, time limits, and review by appropriate authority to prevent misuse.
