CISM Flashcards

(246 cards)

2
Q

Which is the MOST effective way to resolve noncompliance with information security standards?

A

Report noncompliance to the audit committee. This creates accountability at the highest governance level and compels corrective action.

3
Q

Senior management commitment to information security is BEST obtained by presentations that:

A

Tie security risk directly to key business objectives so leadership understands business impact.

4
Q

The MOST appropriate role for senior management in supporting information security is:

A

Approval of policy statements and funding, as policies express management intent and direction.

5
Q

The BEST indicator of effective information security governance is:

A

A steering committee that approves security projects, ensuring alignment with business objectives.

6
Q

Information security governance is PRIMARILY driven by:

A

Business strategy, because security must align with enterprise objectives.

7
Q

The BEST evidence of a mature information security program is:

A

An effective information security strategy defining scope, responsibilities, and implementation.

8
Q

Investments in information security technologies should be based on:

A

Value analysis supported by a sound business case showing risk mitigation vs cost.

9
Q

The GREATEST success factor for effectively managing information security is:

A

Effective business relationships that secure executive and stakeholder support.

10
Q

Centralized information security management is characterized by:

A

Better adherence to security policies due to consistency and centralized control.

11
Q

Successful implementation of information security governance FIRST requires:

A

Updated security policies aligned with business objectives.

13
Q

The PRIMARY objective of information risk management is to:

A

Ensure that information-related risks are identified, assessed, and managed within the enterprise’s risk appetite.

14
Q

Risk appetite is BEST defined as:

A

The amount and type of risk an enterprise is willing to accept in pursuit of its objectives.

15
Q

Which activity should occur FIRST in the risk management process?

A

Identification of information assets and associated risks.

16
Q

The MOST important factor in determining risk treatment options is:

A

Alignment with business objectives and the enterprise risk appetite.

17
Q

Which risk response option transfers risk to another party?

A

Risk transfer, typically achieved through insurance or outsourcing.

18
Q

Residual risk is BEST described as:

A

The remaining level of risk after controls have been implemented.

19
Q

Which metric BEST helps management understand information security risk?

A

Metrics that express risk in business impact terms such as financial loss or service disruption.

20
Q

Threat modeling is MOST useful for:

A

Identifying potential threat scenarios and attack paths against critical assets.

21
Q

Which scenario requires a formal risk reassessment?

A

Major changes to systems, business processes, or the threat environment.

22
Q

The BEST way to communicate risk to senior management is by:

A

Presenting risk in terms of likelihood and impact on business objectives.

34
What is an information security incident?
An event that compromises confidentiality
35
What is incident response?
Structured approach to managing incidents.
36
What is the FIRST step in incident handling?
Detection and reporting.
37
What is containment?
Limiting incident impact.
38
What is eradication?
Removing root cause of incident.
39
What is recovery?
Restoring systems to normal operations.
40
What is post-incident review?
Lessons learned analysis.
41
What is an incident response plan?
Documented procedures for handling incidents.
42
Who approves incident response plans?
Senior management.
43
What is forensic readiness?
Preparedness to collect admissible evidence.
44
What is chain of custody?
Documented control of evidence.
45
What is root cause analysis?
Identifying underlying cause of incident.
46
What is escalation?
Notifying appropriate management levels.
47
What is a Computer Security Incident Response Team (CSIRT)?
Dedicated team managing incidents.
48
What is crisis communication?
Coordinated stakeholder messaging during incidents.
49
What is breach notification?
Legal requirement to inform affected parties.
50
What is a tabletop exercise?
Simulated incident scenario discussion.
51
What is business impact assessment in incidents?
Evaluating operational disruption.
52
What is threat intelligence?
Information about potential threats.
53
What is monitoring?
Continuous surveillance of systems.
54
What is SIEM?
Security Information and Event Management system.
55
What is incident severity rating?
Classification based on impact and urgency.
56
What is disaster recovery?
Restoration of IT infrastructure after disruption.
57
What is business continuity?
Maintaining critical operations during disruption.
58
What is cyber insurance?
Financial risk transfer for cyber events.
59
What is evidence preservation?
Protecting data for legal use.
60
What is mean time to detect (MTTD)?
Average time to identify incident.
61
What is mean time to respond (MTTR)?
Average time to contain and remediate.
62
What is threat hunting?
Proactive search for hidden threats.
63
What is a playbook?
Predefined steps for specific incident types.
64
What is the purpose of a security program?
Implement the security strategy effectively.
65
What is a security framework?
Structured approach to managing security controls.
66
What is a control objective?
Desired outcome of a control activity.
67
What is defense in depth?
Layered security controls across systems.
68
What is segregation of duties?
Dividing responsibilities to reduce fraud risk.
69
What is least privilege?
Granting minimum access required.
70
What is need-to-know?
Access limited to necessary information.
71
What is a baseline configuration?
Standard secure system configuration.
72
What is change management?
Controlled process for system changes.
73
Why is patch management important?
Remediates known vulnerabilities.
74
What is configuration management?
Maintaining system integrity over time.
75
What is capacity planning?
Ensuring systems meet performance demands.
76
What is security awareness training?
Educating employees about security responsibilities.
77
What is a KPI?
Key Performance Indicator measuring effectiveness.
78
What is a KRI?
Key Risk Indicator measuring exposure.
79
What is logging?
Recording system activity events.
80
Why are logs important?
Support monitoring and incident investigation.
81
What is encryption?
Protecting data confidentiality via cryptography.
82
What is data classification?
Categorizing data based on sensitivity.
83
What is data owner responsibility?
Classify and approve access.
84
What is data custodian responsibility?
Protect data per classification.
85
What is vendor risk management?
Managing security risks from suppliers.
86
What is cloud security governance?
Ensuring cloud aligns with policy and compliance.
87
What is business continuity integration?
Aligning security with resilience planning.
88
What is security architecture?
Structured design of security controls.
89
What is secure SDLC?
Integrating security into system development.
90
What is vulnerability management?
Identifying and remediating weaknesses.
91
What is policy exception management?
Formal approval of deviations.
92
What is continuous improvement?
Ongoing enhancement of controls.
93
What is risk?
The combination of likelihood and impact of a threat exploiting a vulnerability.
94
What is inherent risk?
Risk before controls are applied.
95
What is residual risk?
Risk remaining after controls are implemented.
96
What is risk appetite?
The amount of risk an enterprise is willing to accept.
97
What is risk tolerance?
Acceptable deviation from risk objectives.
98
What is risk treatment?
Selecting and implementing measures to modify risk.
99
What are the four primary risk responses?
Avoid
100
What is risk avoidance?
Eliminating activities that create risk.
101
What is risk mitigation?
Reducing likelihood or impact through controls.
102
What is risk transfer?
Shifting risk to a third party (e.g.
103
What is risk acceptance?
Acknowledging risk without additional action.
104
What is a key output of a risk assessment?
Prioritized risk register.
105
What is qualitative risk analysis?
Subjective evaluation using categories (High/Medium/Low).
106
What is quantitative risk analysis?
Numeric estimation of loss (e.g.
107
What is Single Loss Expectancy (SLE)?
Asset Value × Exposure Factor.
108
What is Annualized Rate of Occurrence (ARO)?
Estimated frequency of a threat per year.
109
What is Annualized Loss Expectancy (ALE)?
SLE × ARO.
110
What is a vulnerability?
A weakness that can be exploited.
111
What is a threat?
Anything capable of exploiting a vulnerability.
112
What is control effectiveness?
Degree to which a control reduces risk.
113
What is risk ownership?
Accountability for managing a specific risk.
114
Who owns business risk?
Business management.
115
What is third-party risk?
Risk arising from vendors or external partners.
116
What should trigger a risk reassessment?
Major business or technology change.
117
What is control gap analysis?
Identifying missing or ineffective controls.
118
What is due diligence?
Reasonable steps taken to identify and manage risk.
119
What is due care?
Maintaining established controls responsibly.
120
What is the primary purpose of risk reporting?
Support informed business decisions.
121
What is risk aggregation?
Combining risks to assess overall exposure.
122
What is scenario analysis?
Evaluating potential future events and impacts.
123
What is the MOST effective way to resolve noncompliance with information security standards?
Regular reporting of noncompliance to the audit committee.
124
How can senior management commitment to information security BEST be obtained?
Tie security risk to key business objectives.
125
What is senior management’s MOST appropriate role in information security?
Approve policy statements and provide funding.
126
What BEST indicates effective information security governance?
A steering committee that approves security projects.
127
What PRIMARILY drives information security governance?
Business strategy.
128
What is the BEST evidence of a mature information security program?
An effective information security strategy.
129
Security technology investments should be based on what?
Value analysis and sound business case.
130
What is the GREATEST success factor for managing information security effectively?
Effective business relationships and senior management support.
131
What is a key characteristic of centralized information security management?
Better adherence to policies.
132
What is required FIRST for successful implementation of security governance?
Updated security policies aligned to business objectives.
133
Who is BEST positioned to sponsor an information security steering group?
Chief Operating Officer (COO).
134
What MOST determines an enterprise’s risk appetite?
Organizational culture.
135
When should a Request for Proposal (RFP) be issued?
Prior to developing a project budget.
136
What is MOST appropriate in an information security strategy?
Security processes
137
How can an information security manager BEST gain senior management support?
Emphasize organizational risk.
138
What would represent a conflict of interest for an information security manager?
Final approval of information security policies.
139
What governance issue must be corrected FIRST?
Data center manager having final sign-off on all security projects.
140
Which requirement typically has the LOWEST priority in security?
Technical requirements.
141
Where should security resource requirements FIRST be identified?
In the security strategy.
142
Security technologies should be selected PRIMARILY based on what?
Overall value relative to cost (risk mitigation).
143
After discovering weak compliance, what should be done FIRST?
144
What must change management ensure from a risk perspective?
Changes do not exceed acceptable risk levels.
145
What is characteristic of decentralized security management?
Better alignment with business unit needs.
146
Who should sponsor a new global security infrastructure?
Chief Operating Officer.
147
What is MOST important in a business case?
Feasibility and value proposition.
148
What is MOST critical when redefining security requirements?
Business strategy.
149
What is the PRIMARY goal of an information security strategy?
Support enterprise business objectives.
150
How can senior management support be enhanced long term?
Periodic review of security alignment with business goals.
151
What is the steering committee’s primary role?
Prioritize information security initiatives.
152
What is MOST important in security architecture design?
Stakeholder requirements.
153
What does senior management support FIRST determine?
The security program charter.
154
What is the MOST appropriate task for a CISO?
Develop the information security strategy.
155
Security strategic plan timelines should align with what?
Business strategy.
156
What is MOST important in a strategic security plan?
Current state vs desired future state (gap analysis).
157
Security projects should be prioritized based on what?
Impact on the enterprise.
158
How should an organization prepare for regulatory reviews?
Perform self-assessments using regulatory guidelines.
159
What is the immediate benefit of defined roles and responsibilities?
Better accountability.
160
Who holds ultimate legal/regulatory liability for security failures?
Board of Directors and Senior Management.
161
What should be implemented FIRST in security governance?
Information security strategy.
162
What is the MOST basic requirement of security governance?
Alignment with corporate business strategy.
163
Who is responsible for enforcing security policy?
Chief Information Security Officer (CISO).
164
A global enterprise must comply FIRST with what data privacy law?
Local country data privacy law where data is collected.
165
What is required for effective strategic alignment?
Regular interaction with business owners.
166
What must a website privacy statement include?
How collected information will be used.
167
Security goals should be derived from what?
Business goals.
168
To gain executive commitment, link security threats to what?
169
What is PRIMARY when developing a data retention policy?
Legislative and regulatory requirements.
170
Who is responsible for classifying information?
Data owner.
171
What is the primary role of the security manager in classification?
Define and ratify classification structure.
172
What is MOST important when developing a security strategy?
Understanding key business objectives.
173
Who is ultimately responsible for enterprise information?
Board of Directors.
174
What should the board do when new legislation requires safeguards?
Require management compliance reporting.
175
What is the MOST important prerequisite for security management?
Senior management commitment.
176
What has the HIGHEST impact on security governance models?
Organizational structure complexity.
177
What is inherent risk?
Risk before controls.
178
What is residual risk?
Risk after controls.
179
What is risk appetite?
Amount of risk willing to accept.
180
What is risk tolerance?
Acceptable deviation from objectives.
181
What are four risk responses?
Avoid
182
What is ALE?
SLE × ARO.
183
What is SLE?
Asset Value × Exposure Factor.
184
What is ARO?
Estimated annual frequency of loss.
185
Who owns business risk?
Business management.
186
When should risk be reassessed?
After major change.
187
What is qualitative risk?
Subjective High/Medium/Low.
188
What is quantitative risk?
Numeric loss estimation.
189
What is due diligence?
Identify and assess risk.
190
What is due care?
Maintain proper controls.
191
What is control gap analysis?
Identify missing/weak controls.
192
What is third-party risk?
Risk from vendors.
193
Primary purpose of risk reporting?
Support business decisions.
194
What is a risk register?
Documented list of risks.
195
What drives security requirements?
Business strategy.
196
What is defense in depth?
Layered security controls.
197
What is least privilege?
Minimum necessary access.
198
What is segregation of duties?
Split responsibilities to reduce fraud.
199
What is a baseline configuration?
Secure standard system setup.
200
Purpose of change management?
Control system modifications.
201
Why is patch management important?
Fix known vulnerabilities.
202
What is data classification?
Categorize by sensitivity.
203
Who classifies data?
Data owner.
204
Who protects data operationally?
Data custodian.
205
What is secure SDLC?
Security integrated in development.
206
What is a KPI?
Performance measurement.
207
What is a KRI?
Risk exposure indicator.
208
What is logging?
Recording system activity.
209
Purpose of logs?
Monitoring and investigation.
210
What is encryption?
Protect data confidentiality.
211
What is vulnerability management?
Identify and fix weaknesses.
212
What is a policy exception?
Formal deviation approval.
213
What is continuous improvement?
Ongoing security enhancement.
214
What is an incident?
Event harming CIA.
215
First step in incident response?
Detection.
216
What is containment?
Limit impact.
217
What is eradication?
Remove root cause.
218
What is recovery?
Restore operations.
219
What is lessons learned?
Post-incident review.
220
What is a CSIRT?
Incident response team.
221
What is chain of custody?
Evidence tracking documentation.
222
What is breach notification?
Inform affected parties legally.
223
What is a severity rating?
Incident impact classification.
224
What is SIEM?
Centralized log analysis tool.
225
What is MTTD?
Mean time to detect.
226
What is MTTR?
Mean time to respond.
227
What is threat intelligence?
Information on potential threats.
228
What is a tabletop exercise?
Simulated response discussion.
229
What is disaster recovery?
Restore IT systems.
230
What is business continuity?
Maintain critical operations.
231
What is risk aggregation?
Combined risk exposure view.
232
What is scenario analysis?
Evaluate hypothetical events.
233
What ensures governance success?
Senior management commitment.
234
What defines risk appetite most?
Organizational culture.
235
What is the primary governance goal?
Align with business strategy.
236
Who is ultimately accountable for security?
Board of Directors.
237
What is the steering committee's role?
Prioritize security initiatives.
238
What is the purpose of a security strategy?
Support business objectives.
239
What determines security architecture?
Stakeholder requirements.
240
What is root cause analysis?
Identify underlying issue.
241
What is escalation?
Notify higher authority.
242
What is forensic readiness?
Prepared for evidence collection.
243
What is crisis communication?
Structured incident messaging.
244
What is cyber insurance?
Financial risk transfer.
245
What is threat hunting?
Proactive threat search.
246
What is a playbook?
Predefined incident steps.