# Topic 1, Governance (Policy, Legal & Compliance)
A security professional has been promoted to CISO of an organization. The first task is to create a security policy for this organization. The CISO creates and publishes the security policy. This policy, however, is ignored and not enforced consistently. Which of the following is the MOST likely reason for the policy shortcomings?
A. Lack of a formal security awareness program
B. Lack of a formal security policy governance process
C. Lack of formal definition of roles and responsibilities
D. Lack of a formal risk management policy

A global retail company is creating a new compliance management process. Which of the following regulations is of MOST importance to be tracked and managed by this process?
A. Information Technology Infrastructure Library (ITIL)
B. International Organization for Standardization (ISO) standards
C. Payment Card Industry Data Security Standard (PCI-DSS)
D. National Institute of Standards and Technology (NIST) standards

Which of the following is a difference between quantitative and qualitative risk assessment?
A. Quantitative risk assessments result in an exact number (in monetary terms)
B. Qualitative risk assessments result in a quantitative assessment (high, medium, low, red,
C. Qualitative risk assessments map to business objectives
D. Quantitative risk assessments result in a quantitative assessment (high, medium, low, red,

An organization is looking for a framework to measure the efficiency and effectiveness of its Information Security Management System. Which of the following international standards can BEST assist this organization?
A. International Organization for Standardization - 27004 (ISO-27004)
B. Payment Card Industry Data Security Standard (PCI-DSS)
C. Control Objectives for Information Technology (COBIT)
D. International Organization for Standardization - 27005 (ISO-27005)