- (Exam Topic 1)
A security professional has been promoted to be the CISO of an organization. The first task is to create a security policy for this organization. The CISO creates and publishes the security policy. This policy however, is ignored and not enforced consistently. Which of the following is the MOST likely reason for the policy shortcomings?

1. A. Lack of a formal security awareness program
2. B. Lack of a formal security policy governance process
3. C. Lack of formal definition of roles and responsibilities
4. D. Lack of a formal risk management policy

Correct Answer: B

- (Exam Topic 1)
A security manager has created a risk program. Which of the following is a critical part of ensuring the program is successful?

1. A. Providing a risk program governance structure
2. B. Ensuring developers include risk control comments in code
3. C. Creating risk assessment templates based on specific threats
4. D. Allowing for the acceptance of risk for regulatory compliance requirements

Correct Answer: A

- (Exam Topic 5)
Which of the following is an accurate description of a balance sheet?

1. A. The percentage of earnings that are retained by the organization for reinvestment in the business
2. B. The details of expenses and revenue over a long period of time
3. C. A summarized statement of all assets and liabilities at a specific point in time
4. D. A review of regulations and requirements impacting the business from a financial perspective

Correct Answer: C

- (Exam Topic 2)
To have accurate and effective information security policies how often should the CISO review the organization policies?

1. A. Every 6 months
2. B. Quarterly
3. C. Before an audit
4. D. At least once a year

Correct Answer: D