CCNA Information Security Governance Questions

17 of 92 questions · Page 2/2 · Information Security Governance · Answers revealed

76 · MCQ · hard

A company is considering outsourcing its security operations center (SOC). Which governance consideration is MOST critical before finalizing the decision?

A. The vendor's service level agreements (SLAs) for incident response times.
B. The vendor's technical expertise and certifications.
C. The cost savings compared to in-house operations.
D. The ability to maintain oversight and accountability for security outcomes.
Answer: D

Governance requires clear accountability even when services are outsourced.

Why this answer

Option D is correct because governance requires that the organization retains ultimate responsibility for security outcomes, even when functions are outsourced. Without the ability to maintain oversight and accountability, the company cannot ensure that its security posture aligns with business risk tolerance and regulatory compliance requirements. This is a fundamental principle of information security governance, as the board and senior management cannot delegate accountability.

Exam trap

The trap here is that candidates often mistake operational metrics (like SLAs or certifications) for governance considerations, but CISM emphasizes that governance is about ensuring the organization retains ultimate accountability and oversight, not just delegating tasks to a vendor.

How to eliminate wrong answers

Option A is wrong because while SLAs for incident response times are important operational metrics, they are not the most critical governance consideration; governance focuses on strategic oversight and accountability, not just contractual performance targets. Option B is wrong because technical expertise and certifications, while valuable for vendor selection, are operational or tactical concerns that do not address the governance requirement for the organization to retain control over security outcomes. Option C is wrong because cost savings, though a common business driver, are a financial consideration that must be balanced against risk; prioritizing cost over governance can lead to loss of control and increased residual risk, which is a governance failure.

77 · MCQ · medium

A multinational corporation is implementing an information security governance framework. The board has requested a mechanism to ensure that security investments align with business objectives. Which of the following is the BEST approach to achieve this alignment?

A. Minimize security spending to maximize ROI.
B. Adopt a best-practice framework such as NIST CSF and implement all controls.
C. Focus on regulatory compliance to ensure legal requirements are met.
D. Develop a risk-based prioritization framework linking security initiatives to business risk appetite.
Answer: D

Directly aligns security investments with business objectives through risk management.

Why this answer

Option D is correct because a risk-based prioritization framework directly maps security initiatives to the organization's risk appetite, ensuring that investments target the most critical business risks. This aligns with the CISM principle that governance must link security activities to business objectives through risk management, not through arbitrary cost-cutting or blanket compliance.

Exam trap

The trap here is that candidates often confuse 'adopting a best-practice framework' (Option B) with proper governance, but CISM emphasizes that frameworks must be tailored to the organization's risk appetite, not implemented wholesale.

How to eliminate wrong answers

Option A is wrong because minimizing security spending to maximize ROI ignores the need to address actual risks; it assumes all spending is waste, which can leave critical assets unprotected and misalign with business objectives that require risk mitigation. Option B is wrong because adopting a best-practice framework like NIST CSF and implementing all controls without tailoring to the organization's specific risk profile leads to inefficient resource allocation and may over-invest in low-priority areas, failing to align with business goals. Option C is wrong because focusing solely on regulatory compliance ensures only legal minimums are met, which may not address the unique risk landscape or strategic business objectives, leaving the organization exposed to non-compliance-related threats.

78 · Multi-Select · medium

Which TWO of the following are essential components of an effective information security governance framework? (Select exactly two.)

Select 2 answers
A. Implementation of a SIEM system
B. Automated patch management system
C. Process for aligning security strategy with business strategy
D. Intrusion prevention system (IPS)
E. Defined roles and responsibilities for security decisions
Answers: C, E

Ensures security supports business.

Why this answer

Options C and E are correct. A governance framework must include a process to align security with business objectives (C) and defined roles and responsibilities for security decisions (E). B (automated patch management) is operational, not governance.

D (IPS) is tactical. A (SIEM) is a control, not a governance component.

79 · MCQ · hard

A global company is establishing an information security governance committee. Which membership composition BEST ensures alignment between security and business strategy?

A. IT operations managers and the CISO
B. Chief Information Security Officer (CISO) and IT directors only
C. Senior leaders from each business unit, the CISO, and the Chief Risk Officer
D. Chief Financial Officer (CFO), General Counsel, and CISO
Answer: C

Ensures business alignment and risk integration.

Why this answer

Option C is correct because cross-functional representation from business units ensures diverse perspectives and stakeholder buy-in. Option B is wrong due to lack of business input. Option D is wrong as finance and legal alone are insufficient.

Option A is wrong as IT operations lacks governance authority.

80 · Multi-Select · hard

Which THREE of the following are essential roles in an effective information security governance structure? (Choose three.)

Select 3 answers
A. Help desk manager.
B. Board of directors.
C. Network administrator.
D. Security steering committee.
E. Chief information security officer (CISO).
Answers: B, D, E

Provides strategic oversight and direction.

Why this answer

The board of directors is essential because it holds ultimate accountability for the organization's risk posture and must approve the information security strategy, policies, and resource allocation. Without board-level oversight, security governance lacks the authority to enforce compliance and align security objectives with business goals. This aligns with the CISM framework's emphasis on top-down governance, where the board provides strategic direction and ensures adequate funding for security initiatives.

Exam trap

The trap here is that candidates confuse operational or technical roles (help desk manager, network administrator) with governance roles, failing to recognize that governance requires strategic oversight and accountability, not hands-on technical execution.

81 · MCQ · medium

A company has recently adopted COBIT 2019 as its governance framework. The board is requesting a concise report on the effectiveness of the security program. Which reporting structure best aligns with COBIT's guidance?

A. List of all security incidents and their impacts
B. Dashboard showing alignment of security goals with enterprise goals, using KRIs and KPIs
C. Compliance status with all applicable regulations
D. Detailed technical vulnerabilities discovered during penetration tests
Answer: B

This directly addresses COBIT's governance objectives.

Why this answer

Option B is correct because COBIT emphasizes linking security goals to enterprise goals and using KRIs and KPIs. Option A lists incidents but does not show alignment. Option D is too technical.

Option C is compliance-focused, not governance.

82 · MCQ · medium

A company's security steering committee includes representatives from Human Resources, Legal, and Risk Management, but not from Business Operations. What is the most likely consequence of this membership gap?

A. Data breaches will occur more frequently
B. Security policies may not align with operational processes
C. Security spending will increase unexpectedly
D. The company will face regulatory fines
Answer: B

Operations provides insight into how security controls affect business workflows.

Why this answer

Without operations, security policies may not align with day-to-day business processes, leading to inefficiencies or resistance. Option C (increased costs) could occur but is not the most direct consequence. Option A (data breaches) is less likely.

Option D (regulatory non-compliance) is possible but secondary.

83 · Multi-Select · hard

Which THREE of the following are key indicators of a mature information security governance process? (Select exactly three.)

Select 3 answers
A. Security risk appetite is defined and reported to the board
B. Mean time to patch critical vulnerabilities is under 48 hours
C. Security performance metrics are linked to business outcomes
D. Security strategy is reviewed and updated annually based on business changes
E. Number of security incidents decreased by 20% year-over-year
Answers: A, C, D

Key governance element.

Why this answer

Options A, C, and D are correct. A mature governance process includes board-level risk reporting (A), business-aligned metrics (C), and regular strategy review (D). B is an operational metric.

E is a reactive metric.

84 · Multi-Select · hard

Which TWO of the following are key indicators that an organization's information security governance is inadequate?

Select 2 answers
A. Low budget for security awareness
B. Frequent changes to security policies without approval
C. High number of security incidents
D. Use of multiple antivirus solutions
E. Absence of a risk appetite statement
Answers: B, E

Indicates lack of governance process over policy changes.

Why this answer

Frequent policy changes without approval (B) and absence of a risk appetite statement (E) directly indicate governance failures. High incident count (C) and low budget (A) may be symptoms but are not definitive; multiple antivirus solutions (D) is operational.

85 · Multi-Select · medium

Which TWO of the following are key indicators that an organization's information security governance is effective?

Select 2 answers
A. Low variance between the approved security budget and actual spending.
B. The number of security policies that have been published.
C. High percentage of risk treatment plans implemented on time.
D. Regular reporting of security performance metrics to the board.
E. High completion rate for security awareness training.
Answers: C, D

This shows that governance decisions are being executed.

Why this answer

Options C and D are correct. A high percentage of risk treatment plans implemented on time (C) shows governance execution, and regular board-level reporting of security metrics (D) indicates oversight. Option B is wrong because the number of policies is not a measure of effectiveness.

Option A is wrong because low budget variance does not equal good governance. Option E is wrong because awareness training completion is operational.

86 · MCQ · easy

A company's information security manager is tasked with ensuring that security initiatives align with business goals. Which of the following best demonstrates this alignment?

A. Prioritizing security projects based solely on technical risk assessment.
B. Implementing all security controls required by regulatory standards.
C. Creating a security budget that allocates funds equally across departments.
D. Establishing security metrics that are linked to key business performance indicators.
Answer: D

This directly ties security outcomes to business success, demonstrating alignment.

Why this answer

Option D is correct because linking security metrics to business KPIs directly shows how security supports business objectives. Option B is wrong because compliance alone does not guarantee alignment with business goals. Option A is wrong because focusing only on technical risks ignores business context.

Option C is wrong because budget allocation should be based on risk and business value, not equal distribution.

87 · MCQ · hard

A global financial services firm with 15,000 employees has recently experienced a significant data breach due to inadequate oversight of third-party vendors. The breach originated from a cloud service provider that had been granted elevated access without a formal risk assessment or contract review. The board has directed the CISO to overhaul the information security governance framework to prevent recurrence. Currently, the organization has a decentralized security model where each business unit manages its own vendor relationships. The CISO proposes a centralized governance body. Which of the following is the BEST course of action to establish effective governance over third-party risk?

A. Establish a central third-party risk management program with a defined policy and vendor assessment process
B. Conduct quarterly penetration tests on all third-party systems
C. Provide annual security awareness training for employees managing vendors
D. Mandate that all vendor contracts include data protection clauses
Answer: A

Centralized program ensures consistent governance and oversight of all vendor relationships.

Why this answer

Option A is correct because it directly addresses the root cause: lack of oversight. A formal third-party risk management (TPRM) program with centralized policies and vendor assessments provides consistent governance. Option D (contract clauses) is reactive and not comprehensive; Option C (training) addresses awareness but not process; Option B (penetration testing) is a technical control, not governance.

88 · MCQ · medium

An organization has decided to adopt a risk-based approach to information security. What is the FIRST step the information security manager should take to implement this approach?

A. Identify and assess information assets and their associated threats and vulnerabilities.
B. Define the organization's risk appetite and risk tolerance levels.
C. Implement security controls based on industry best practices.
D. Select a risk management framework such as ISO 31000 or NIST RMF.
Answer: A

Risk identification and assessment form the foundation.

Why this answer

The first step in implementing a risk-based approach is to identify and assess information assets along with their associated threats and vulnerabilities. This foundational activity provides the necessary context for all subsequent risk management decisions, including defining risk appetite, selecting a framework, and implementing controls. Without a clear understanding of what assets exist and what risks they face, any further steps would be based on assumptions rather than evidence.

Exam trap

The trap here is that candidates often confuse the sequence of risk management activities, mistakenly believing that defining risk appetite or selecting a framework should come first, when in fact asset identification and risk assessment are the prerequisite steps that inform all other decisions.

How to eliminate wrong answers

Option B is wrong because defining risk appetite and risk tolerance levels requires prior knowledge of the assets and risks; without asset identification, risk appetite cannot be meaningfully set. Option C is wrong because implementing controls based on industry best practices without first understanding the specific risks can lead to misallocated resources and ineffective security, violating the core principle of a risk-based approach. Option D is wrong because selecting a risk management framework (e.g., ISO 31000 or NIST RMF) is a tactical decision that should follow the initial identification and assessment of assets and risks to ensure the framework is applied to the correct scope.

89 · MCQ · hard

An organization's governance framework requires regular reporting to the board. Which reporting frequency and format is MOST effective for a board with limited security expertise?

A. Monthly dashboard of technical control effectiveness metrics
B. Quarterly report summarizing key risk indicators and business impact
C. Annual presentation of the overall security risk register
D. Weekly technical briefings on incidents and vulnerabilities
Answer: B

Balanced frequency and business context.

Why this answer

Option B is correct because quarterly reports with business impact language and risk trends are tailored for board understanding. Option D is wrong because weekly is too frequent and too technical. Option C is wrong because annual is too infrequent.

Option A is wrong because its technical depth is inappropriate for the board.

90 · MCQ · medium

After a security incident, the board holds the CISO accountable. The CISO argues that the incident was caused by a failure in the third-party risk management process. Which of the following governance deficiencies is most likely the root cause?

A. There was no board-approved policy for assessing and monitoring third-party risk.
B. The third-party contract did not specify security requirements.
C. The organization did not implement technical controls to monitor third-party access.
D. The incident response plan did not cover third-party related incidents.
Answer: A

Governance requires board-level policies to define expectations and oversight.

Why this answer

Option A is correct because without board-level oversight of third-party risk, governance cannot ensure proper management. Option C is wrong because technical failures are not governance deficiencies. Option B is wrong because vendor selection and contracting are operational, not governance.

Option D is wrong because incident response is post-event; the root cause is lack of governance oversight.

91 · MCQ · easy

An information security manager is asked to report on the effectiveness of the security program. Which metric would BEST indicate governance effectiveness?

A. Percentage of security initiatives directly linked to business strategy
B. Number of critical vulnerabilities identified
C. Number of audit findings per quarter
D. Mean time to detect and respond to incidents
Answer: A

Directly measures governance alignment.

Why this answer

Option A is correct because governance effectiveness is best measured by the percentage of security initiatives aligned with business strategy. Option D is wrong as mean time to detect and respond is operational. Option B is wrong as vulnerability count is technical.

Option C is wrong as audit findings are compliance focused.

92 · MCQ · easy

Which of the following is the PRIMARY role of the board of directors in information security governance?

A. Managing the day-to-day security operations.
B. Implementing security controls and technologies.
C. Providing strategic direction and oversight of the security program.
D. Developing detailed security policies and procedures.
Answer: C

The board ensures security aligns with business strategy.

Why this answer

The board of directors holds the ultimate fiduciary responsibility for the organization, including its information security posture. Their primary role is to provide strategic direction and oversight, ensuring that the security program aligns with business objectives, risk appetite, and regulatory requirements. This includes approving the overall security strategy, reviewing key risk indicators, and holding management accountable for security performance, not executing tactical tasks.

Exam trap

ISACA often tests the distinction between governance (board) and management (CISO/IT) roles, and the trap here is that candidates mistakenly assign tactical implementation duties to the board because they confuse oversight with execution.

How to eliminate wrong answers

Option A is wrong because managing day-to-day security operations is the responsibility of the security operations center (SOC) and operational staff, not the board. Option B is wrong because implementing security controls and technologies is a tactical function performed by security engineers and IT teams, not the board. Option D is wrong because developing detailed security policies and procedures is a management-level task typically handled by the CISO and security team, while the board provides high-level approval and oversight of the policy framework.
