Which of the following should he do first?
Michael is charged with developing a classification program for his company. Which of the following should he do first?
Which of the following is not a characteristic of a company with a security governance program in place?
Which of the following official risk methodologies was not created for the purpose of analyzing security risks?
Risk assessment has several different methodologies. Which of the following official risk methodologies was not created for the purpose of analyzing security risks?
He does not determine, maintain, or evaluate controls, so what is Jared’s role?
Jared plays a role in his company’s data classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared’s role?
What is the primary function of her new role?
Susan, an attorney, has been hired to fill a new position at Widgets Inc. The position is Chief Privacy Officer (CPO). What is the primary function of her new role?
For what purpose was the COSO framework developed?
Which of the following is not true of authorization creep?
Authorization creep is to access controls what scope creep is to software development. Which of the following is not true of authorization creep?
Which of the following should George use to calculate the company’s residual risk?
As his company’s CISO, George needs to demonstrate to the Board of Directors the necessity of a strong risk management program. Which of the following should George use to calculate the company’s residual risk?
How should the security manager secure the database?
Jill is establishing a companywide sales program that will require different user groups with different privileges to access information on a centralized database. How should the security manager secure the database?
Which of the following is not used to determine the value of an asset?
A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset?