Eccouncil 712-50 practice test

Exam Title: EC-Council Certified CISO

Last update: Dec 25, 2025

Question 1

The FIRST step in establishing a security governance program is to?

  • A. Conduct a risk assessment.
  • B. Obtain senior level sponsorship.
  • C. Conduct a workshop for all end users.
  • D. Prepare a security budget.
Answer: B

Explanation:
First Step - Senior Management Buy-In:
CCISO guidance stresses that obtaining sponsorship from senior management is critical to the success of a security governance program. This sponsorship ensures adequate resources, authority, and prioritization of security initiatives.
Foundation for Governance:
Without leadership support, it is challenging to enforce policies, allocate budgets, and foster an organizational culture that values security.
Supporting Reference:
The CCISO framework positions senior-level sponsorship as the cornerstone of any governance program, enabling alignment with organizational strategy and goals.

Question 2

Which of the following has the GREATEST impact on the implementation of an information security
governance model?

  • A. Organizational budget
  • B. Distance between physical locations
  • C. Number of employees
  • D. Complexity of organizational structure
Answer: D

Explanation:
Impact of Organizational Complexity:
The complexity of an organization’s structure directly affects how governance models are implemented and managed. Complex structures often require more tailored and decentralized governance approaches.
Governance Challenges in Complex Structures:
CCISO materials highlight that factors such as interdepartmental coordination, diverse regulatory requirements, and multiple stakeholders can complicate governance implementation.
Supporting Reference:
CCISO emphasizes understanding organizational intricacies as a key factor for tailoring governance models to ensure effective control and oversight mechanisms.

Question 3

From an information security perspective, information that no longer supports the main purpose of
the business should be:

  • A. assessed by a business impact analysis.
  • B. protected under the information classification policy.
  • C. analyzed under the data ownership policy.
  • D. analyzed under the retention policy
Answer: D

Explanation:
Retention Policy Importance:
Information that no longer serves a business purpose should be managed according to the organization’s data retention policy. This ensures that obsolete data is appropriately archived or disposed of while maintaining compliance with legal and regulatory requirements.
Key Considerations:
  • Legal Compliance: Retention policies often stipulate the minimum and maximum durations for retaining various data types.
  • Cost Efficiency: Managing outdated data can become a cost burden if retention policies are not enforced.
  • Risk Mitigation: Retention policies help prevent unnecessary data exposure or breaches.
Why Other Options Are Incorrect:
  • A. Business Impact Analysis: This is for assessing the impact of disruptions, not managing outdated information.
  • B. Classification Policy: Only ensures data protection according to its sensitivity, not relevance.
  • C. Data Ownership Policy: Focuses on accountability for data, not its lifecycle.
Reference:
EC-Council emphasizes the role of data retention policies in managing the lifecycle of information effectively within an information security framework.

Question 4

When briefing senior management on the creation of a governance process, the MOST important
aspect should be:

  • A. information security metrics.
  • B. knowledge required to analyze each issue.
  • C. baseline against which metrics are evaluated.
  • D. linkage to business area objectives.
Answer: D

Explanation:
Governance Process Creation:
Senior management prioritizes governance processes that align with organizational goals. Demonstrating how governance supports business objectives ensures buy-in and relevance.
Linkage to Business Objectives:
Governance frameworks must demonstrate their value in enabling operational efficiency, risk reduction, and compliance. Aligning these with business goals fosters a shared understanding of the importance of governance.
Why Other Options Are Incorrect:
  • A. Information Security Metrics: Metrics are important but secondary to alignment with business goals.
  • B. Knowledge to Analyze Issues: Relevant but insufficient without a strategic connection to objectives.
  • C. Baseline Metrics: Critical for measurement but less impactful without linkage to business priorities.
Reference:
EC-Council emphasizes that effective governance processes should reflect and support the organization’s mission and objectives.

Question 5

Which of the following most commonly falls within the scope of an information security governance
steering committee?

  • A. Approving access to critical financial systems
  • B. Developing content for security awareness programs
  • C. Interviewing candidates for information security specialist positions
  • D. Vetting information security policies
Answer: D

Explanation:
Role of Governance Steering Committees:
Information security governance steering committees oversee the creation, approval, and maintenance of security policies. They ensure that policies align with organizational objectives and regulatory requirements.
Policy Vetting as a Core Function:
  • Ensures policies are comprehensive, relevant, and enforceable.
  • Addresses the balance between security and operational efficiency.
Why Other Options Are Incorrect:
  • A. Approving Access: This is typically handled by access control processes or data owners.
  • B. Security Awareness Programs: Content development is operational, not governance.
  • C. Interviewing Candidates: Staffing decisions are usually outside the committee's scope.
Reference:
EC-Council underscores policy governance as a fundamental responsibility of information security steering committees.

Question 6

A security professional has been promoted to be the CISO of an organization. The first task is to
create a security policy for this organization. The CISO creates and publishes the security policy. This
policy however, is ignored and not enforced consistently. Which of the following is the MOST likely
reason for the policy shortcomings?

  • A. Lack of a formal security awareness program
  • B. Lack of a formal security policy governance process
  • C. Lack of formal definition of roles and responsibilities
  • D. Lack of a formal risk management policy
Answer: B

Explanation:
Policy Governance Framework:
A formal governance process ensures that security policies are reviewed, approved, communicated, and enforced consistently across the organization.
Key Factors in Policy Effectiveness:
  • Oversight: Ensuring policies are maintained and updated.
  • Accountability: Assigning responsibility for implementation and enforcement.
  • Adoption: Integrating policies into daily operations through awareness and training.
Why Other Options Are Incorrect:
  • A. Security Awareness Program: Necessary but does not address governance shortcomings.
  • C. Roles and Responsibilities: Important but not the root cause of policy inconsistencies here.
  • D. Risk Management Policy: Related but focuses on risk, not governance of the policy lifecycle.
Reference:
EC-Council highlights governance processes as essential for ensuring the successful implementation and enforcement of security policies.

Question 7

Which of the following is the MAIN reason to follow a formal risk management process in an
organization that hosts and uses privately identifiable information (PII) as part of their business
models and processes?

  • A. Need to comply with breach disclosure laws
  • B. Need to transfer the risk associated with hosting PII data
  • C. Need to better understand the risk associated with using PII data
  • D. Fiduciary responsibility to safeguard credit card information
Answer: C

Explanation:
Importance of Risk Management with PII:
Privately Identifiable Information (PII) is sensitive data that, if mishandled, could lead to legal, financial, and reputational harm. The formal risk management process is critical to identifying, evaluating, and mitigating risks associated with storing and processing PII.
Purpose of Risk Understanding:
CCISO materials emphasize that understanding risks helps organizations implement effective controls, comply with legal requirements, and safeguard PII.
Supporting Reference:
The CCISO framework highlights risk assessment as the foundation for managing sensitive data securely, enabling informed decision-making and compliance with standards like GDPR and CCPA.

Question 8

The alerting, monitoring and life-cycle management of security related events is typically handled by
the

  • A. security threat and vulnerability management process
  • B. risk assessment process
  • C. risk management process
  • D. governance, risk, and compliance tools
Answer: A

Explanation:
Role of Threat and Vulnerability Management:
This process focuses on detecting, assessing, and addressing threats and vulnerabilities in real time, ensuring timely response to security events. It includes continuous monitoring, alerting, and incident lifecycle management.
Alerting and Monitoring:
The CCISO program outlines how threat and vulnerability management tools integrate with security monitoring systems to provide situational awareness and proactive defense mechanisms.
Supporting Reference:
CCISO materials explain the lifecycle approach to security event management, where threat management processes play a pivotal role in incident detection and remediation.

Question 9

One of the MAIN goals of a Business Continuity Plan is to

  • A. Ensure all infrastructure and applications are available in the event of a disaster
  • B. Allow all technical first-responders to understand their roles in the event of a disaster
  • C. Provide step by step plans to recover business processes in the event of a disaster
  • D. Assign responsibilities to the technical teams responsible for the recovery of all data.
Answer: C

Explanation:
Purpose of a Business Continuity Plan (BCP):
The primary goal of a BCP is to ensure the continuity of critical business operations during and after a disaster. CCISO materials emphasize the importance of documented, actionable recovery plans that outline procedures for maintaining essential services.
Focus on Process Recovery:
While infrastructure and applications are important, BCPs prioritize restoring business processes to maintain operational resilience.
Supporting Reference:
CCISO highlights step-by-step recovery plans as a core component of a BCP, ensuring all stakeholders understand their roles and responsibilities.

Question 10

When managing an Information Security Program, which of the following is of MOST importance in
order to influence the culture of an organization?

  • A. An independent Governance, Risk and Compliance organization
  • B. Alignment of security goals with business goals
  • C. Compliance with local privacy regulations
  • D. Support from Legal and HR teams
Answer: B

Explanation:
Influence on Organizational Culture:
Aligning security objectives with business goals ensures that security is perceived as an enabler rather than a barrier. CCISO emphasizes that this alignment fosters collaboration and integrates security into the organization's culture.
Cultural Impact of Alignment:
A security program that supports business objectives gains leadership support and employee buy-in, creating a culture of shared responsibility.
Supporting Reference:
According to the CCISO framework, influencing organizational culture is a key outcome of aligning security and business strategies, driving adoption and compliance across all levels.

Page 1 out of 49
Viewing questions 1-10 out of 494