1. Which of the following should be an information security manager's PRIMARY role when an organization initiates a data classification process?

• A. Verify that assets have been appropriately classified.
• B. Apply security in accordance with specific classification.
• C. Define the classification structure to be implemented.
• D. Assign the asset classification level.

2. Which of the following is BEST to include in a business case when the return on investment (ROI) for an information security initiative is difficult to calculate?

• A. Estimated reduction in risk
• B. Estimated increase in efficiency
• C. Projected costs over time
• D. Projected increase in maturity level

3. Which of the following should be an information security manager's FIRST course of action following a decision to implement a new technology?

• A. Determine security controls needed to support the new technology.
• B. Perform a business impact analysis (BIA) on the new technology.
• C. Perform a return-on-investment (ROI) analysis for the new technology.
• D. Determine whether the new technology will comply with regulatory requirements.