Читаем CISSP Practice полностью

219. Which of the following information security governance structures provides the creation of interorganizational and intra-organizational communication mechanisms in establishing the appropriate policies, procedures, and processes dealing with risk management and information security strategies?

a. Centralized governance

b. Decentralized governance

c. Hybrid governance

d. Virtual governance

219. a. The information security governance model should be aligned with the IT governance model and the corporate governance model. A centralized approach to governance requires strong, well-informed central leadership and provides consistency throughout the organization. Centralized governance structures also provide less autonomy for subordinate (sector) organizations that are part of the parent organization. To achieve the centralized governance, interorganizational and intra-organizational communication mechanisms are created.

Decentralized governance is the opposite of the centralized governance, hybrid governance is a combination of centralized and decentralized governance, and virtual governance does not and should not exist.

220. Which of the following outcomes of information security governance, a part of information technology (IT) governance, relates to investments in risk management?

a. Strategic alignment

b. Risk management processes

c. Risk management resources

d. Delivered value

220. d. The information security governance model should be aligned with the IT governance model and the corporate governance model. Delivered value means optimizing risk management investments in support of organizational objectives (i.e., demanding value from the investments).

Strategic alignment means risk management decisions made in business functions should be consistent with organizational goals and objectives. Risk management processes frame, assess, respond to, and monitor risk to organizational operations and assets, individuals, and other organizations. Risk management resources deal with effective and efficient allocation of given resources.

221. Which of the following information security governance structures establish the appropriate policies, procedures, and processes dealing with risk management and information security strategies at the cost of consistency throughout the organization as a whole?

a. Centralized governance

b. Decentralized governance

c. Hybrid governance

d. Virtual governance

221. b. The information security governance model should be aligned with the IT governance model and the corporate governance model. A decentralized approach accommodates subordinate (sector) organizations with divergent business needs and operating unit environments at the cost of consistency throughout the organization as a whole. The effectiveness of this approach is greatly increased by the sharing of risk-related information among subordinate units so that no subordinate sector is able to transfer risk to another without the latter’s informed consent. The sector also shares risk-related information with parent organization to determine its impact on the organization as a whole.

Centralized governance is the opposite of the decentralized governance, hybrid governance is a combination of centralized and decentralized governance, and virtual governance does not and should not exist.

222. Which of the following is not an example of issue-specific policies?

a. Use of unauthorized software

b. Operational security rules

c. Acquisition of software

d. Doing computer work at home

222. b. Operational security rules are part of system-specific security policy, whereas the other three choices are part of issue-specific policies.

223. Which of the following IT security metrics focuses on effectiveness?

a. Average frequency of audit records reviewed and analyzed for inappropriate activity

b. Percentage of security incidents caused by improperly configured access controls

c. Percentage of audit log findings reported to appropriate officials

d. Percentage of systems using automated mechanisms to conduct analysis and reporting of inappropriate activities