1. Which of the following is the STRONGEST indication that senior management commitment to information security is lacking within an organization?

• A. A high level of information security risk acceptance
• B. The information security manager reports to the chief risk officer
• C. Inconsistent enforcement of information security policies
• D. A reduction in information security investment

2. Which of the following BEST demonstrates the maturity of an information security monitoring program?

• A. Senior management regularly reviews security standards.
• B. The information security program was introduced with a thorough business case.
• C. Information security key risk indicators (KRIs) are tied to business operations.
• D. Risk scenarios are regularly entered into a risk register.

3. Which of the following statements indicates that a previously failing security program is becoming successful?

• A. The number of threats has been reduced.
• B. More employees and stakeholders are attending security awareness programs.
• C. The number of vulnerability false positives is decreasing.
• D. Management's attention and budget are now focused on risk reduction.