need detailed answer for each question

Which of the following provides the BEST assurance that security policies are applied across business operations?

• A. Organizational standards are enforced by technical controls.
• B. Organizational standards are included in awareness training.
• C. Organizational standards are required to be formally accepted.
• D. Organizational standards are documented in operational procedures.

Of the following, who is in the BEST position to evaluate business impacts?

• A. Senior management
• B. Information security manager
• C. Process manager
• D. IT manager

Which of the following is the BEST way to help ensure an organization's risk appetite will be considered as part of the risk treatment process?

• A. Establish key risk indicators (KRIs).
• B. Provide regular reporting on risk treatment to senior management.
• C. Require steering committee approval of risk treatment plans.
• D. Use quantitative risk assessment methods.

Which of the following is the BEST tool to monitor the effectiveness of information security governance?

• A. Balanced scorecard
• B. Risk profile
• C. Business impact analysis (BIA)
• D. Key performance indicators (KPIs)

Which of the following change management procedures is MOST likely to cause concern to the information security manager?

• A. Users are not notified of scheduled system changes.
• B. Fallback processes are tested the weekend before changes are made.
• C. The development manager migrates programs into production.
• D. A manual rather than an automated process is used to compare program versions.

Which of the following sources is MOST useful when planning a business-aligned information security program?

• A. Business impact analysis (BIA)
• B. Information security policy
• C. Security risk register
• D. Enterprise architecture (EA)

Which of the following is MOST important to ensuring information stored by an organization is protected appropriately?

• A. Defining security asset categorization
• B. Assigning information asset ownership
• C. Developing a records retention schedule
• D. Defining information stewardship roles

Which of the following is the FIRST step to establishing an effective information security program?

• A. Assign accountability
• B. Perform a business impact analysis (BIA)
• C. Create a business case
• D. Conduct a compliance review

Which of the following BEST supports the incident management process for attacks on an organization's supply chain?

• A. Requiring security awareness training for vendor staff
• B. Including service level agreements (SLAs) in vendor contracts
• C. Performing integration testing with vendor systems
• D. Establishing communication paths with vendors

When remote access to confidential information is granted to a vendor for analytic purposes, which of the following is the MOST important security consideration?

• A. The vendor must be able to amend data
• B. The vendor must agree to the organization's information security policy
• C. Data is encrypted in transit and at rest at the vendor site
• D. Data is subject to regular access log review

Which of the following is the BEST evidence of alignment between corporate and information security governance?

• A. Security key performance indicators (KPIs)
• B. Senior management sponsorship
• C. Regular security policy reviews
• D. Project resource optimization

Which of the following is the MOST critical factor for information security program success?

• A. A comprehensive risk assessment program for information security
• B. The information security manager's knowledge of the business
• C. Ongoing audits and addressing open items
• D. Security staff with appropriate training and adequate resources

An incident management team is alerted to a suspected security event. Before classifying the suspected event as a security incident it is MOST important for the security manager to:

• A. follow the incident response plan
• B. follow the business continuity plan (BCP)
• C. conduct an incident forensic analysis
• D. notify the business process owner

Which of the following is the BEST way to ensure the capability to restore clean data after a ransomware attack?

• A. Purchase cyber insurance
• B. Encrypt sensitive production data
• C. Maintain multiple offline backups
• D. Perform integrity checks on backups

Which of the following will BEST enable an effective information asset classification process?

• A. Reviewing the recovery time objective (RTO) requirements of the asset
• B. Assigning ownership
• C. Including security requirements in the classification process
• D. Analyzing audit findings

A user reports a stolen personal mobile device that stores sensitive corporate data. Which of the following will BEST minimize the risk of data exposure?

• A. Wipe the device remotely
• B. Remove user's access to corporate data
• C. Prevent the user from using personal mobile devices
• D. Report the incident to the police

Which of the following is a desired outcome of information security governance?

• A. Penetration test
• B. A maturity model
• C. Improved risk management
• D. Business agility

An information security manager is concerned with continued security policy violations in a particular business unit despite recent efforts to rectify the situation. What is the BEST course of action?

• A. Review the business units function against the policy
• B. Revise the policy to accommodate the business unit
• C. Report the business unit for policy noncompliance
• D. Enforce sanctions on the business unit

Which of the following BEST facilitates an information security managers efforts to obtain senior management commitment for an information security program?

• A. Presenting evidence of inherent risk
• B. Reporting the security maturity level
• C. Presenting compliance requirements
• D. Communicating the residual risk

Which of the following is MOST helpful for aligning security operations with the IT governance framework?

• A. Business impact analysis (BIA)
• B. Security operations program
• C. Information security policy
• D. Security risk assessment

Which of the following is BEST suited to provide regular reporting to the board regarding the status of compliance to a global security standard?

• A. Legal counsel
• B. Quality assurance (QA)
• C. Information security
• D. Internal audit

Which of the following is a PRIMARY objective of an information security governance framework?

• A. To provide the basis for action plans to achieve information security objectives organization-wide
• B. To achieve the desired information security state as defined by business unit management
• C. To align the relationships of stakeholders involved in developing and executing an information security strategy
• D. To provide assurance that information assets are provided a level of protection proportionate to their inherent risk

Which of the following is the BEST way to reduce the risk associated with a bring your own device (BYOD) program?

• A. Implement a mobile device policy and standard.
• B. Provide employee training on secure mobile device practices.
• C. Implement a mobile device management (MDM) solution.
• D. Require employees to install an effective anti-malware app.