1. The PRIMARY purpose of implementing information security governance metrics is to:

• A. measure alignment with best practices.
• B. assess operational and program metrics.
• C. refine control operations,
• D. guide security towards the desired state.

4. Which of the following is the information security manager's PRIMARY role in the information assets classification process?

• A. Assigning asset ownership
• B. Assigning the asset classification level
• C. Securing assets in accordance with their classification
• D. Developing an asset classification model

2. Which of the following is the BEST control to minimize the risk associated with loss of information as a result of ransomware exploiting a zero-day vulnerability?

• A. A security operation center
• B. A patch management process
• C. A public key infrastructure
• D. A data recovery process

3. The MOST likely reason to use qualitative security risk assessments instead of quantitative methods is when:

• A. an organization provides services instead of hard goods.
• B. a security program requires independent expression of risks.
• C. available data is too subjective.
• D. a mature security program is in place.