Who has the primary responsibility of determining the classification level for information?
A. The functional manager
B. Senior management
C. The owner
D. The user
Correct answer: C. A company can have one specific data owner or different data
owners who have been delegated the responsibility of protecting specific sets of data. One of the
responsibilities that goes into protecting this information is properly classifying it.
If different user groups with different security access levels need to access the same information,
which of the following actions should management take?
A. Decrease the security level on the information to ensure accessibility and usability of the
information.
B. Require specific written approval each time an individual needs to access the information.
C. Increase the security controls on the information.
D. Decrease the classification label on the information.
Correct answer: C. If data is going to be available to a wide range of people, more granular
security should be implemented to ensure that only the necessary people access the data and that
the operations they carry out are controlled. The security implemented can come in the form of
authentication and authorization technologies, encryption, and specific access control mechanisms.
What should management consider the most when classifying data?
A. The type of employees, contractors, and customers who will be accessing the data
B. Availability, integrity, and confidentiality
C. Assessing the risk level and disabling countermeasures
D. The access controls that will be protecting the data
Correct answer: B. The best answer to this question is B, because to properly classify data, the
data owner must evaluate the availability, integrity, and confidentiality requirements of the data.
Once this evaluation is done, it will dictate which employees, contractors, and users can access
the data, which is expressed in answer A. This assessment will also help determine the controls
that should be put into place.
Who is ultimately responsible for making sure data is classified and protected?
A. Data owners
B. Users
C. Administrators
D. Management
Correct answer: D. The key to this question is the use of the word "ultimately."
Though management can delegate tasks to others, it is ultimately responsible for everything that
takes place within a company. Therefore, it must continually ensure that data and resources are
being properly protected.
Which factor is the most important item when it comes to ensuring security is successful in an
organization?
A. Senior management support
B. Effective controls and implementation methods
C. Updated and relevant security policies and procedures
D. Security awareness by all employees
Correct answer: A. Without senior management's support, a security program will not receive the
necessary attention, funds, resources, and enforcement capabilities.
When is it acceptable to not take action on an identified risk?
A. Never. Good security addresses and reduces all risks.
B. When political issues prevent this type of risk from being addressed.
C. When the necessary countermeasure is complex.
D. When the cost of the countermeasure outweighs the value of the asset and potential loss.
Correct answer: D. Companies may decide to live with specific risks they are faced with if the