services that should be in place. A strategy is a broad, high-level document. A guideline is
advisory in nature, while a security model shows the relationships between components.
Which of the following is MOST appropriate for inclusion in an information security strategy?
A. Business controls designated as key controls
B. Security processes, methods, tools and techniques
C. Firewall rule sets, network defaults and intrusion detection system (IDS) settings
D. Budget estimates to acquire specific security tools
A set of security objectives, processes, methods, tools and techniques together constitute a
security strategy. Although IT and business governance are intertwined, business controls may
not be included in a security strategy. Budgets will generally not be included in an information
security strategy. Additionally, until the information security strategy is formulated and implemented,
specific tools will not be identified and specific cost estimates will not be available. Firewall rule
sets, network defaults and intrusion detection system (IDS) settings are technical details subject
to periodic change, and are not appropriate content for a strategy document.
Senior management commitment and support for information security will BEST be attained by
an information security manager by emphasizing:
A. organizational risk.
B. organization-wide metrics.
C. security needs.
D. the responsibilities of organizational units.
Information security exists to help the organization meet its objectives. The information security
manager should identify information security needs based on organizational needs.
Organizational or business risk should always take precedence. Involving each organizational
unit in information security and establishing metrics to measure success will be viewed
favorably by senior management after the overall organizational risk is identified.
Which of the following roles would represent a conflict of interest for an information security
A. Evaluation of third parties requesting connectivity
B. Assessment of the adequacy of disaster recovery plans
C. Final approval of information security policies
D. Monitoring adherence to physical security controls