CISM

Information Security Program

50 free practice questions with explanations

PassNova has 50 free CISM practice questions on Information Security Program, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Information Security Program: example questions & answers

Here are 6 example questions from this topic. Practise the full set of 50 for free in the browser.

  1. An information security program's objectives should be derived PRIMARILY from which of the following?

    • A The most recent security conference recommendations
    • B The latest security product features available on the market
    • C The information security strategy and business requirements
    • D The preferences of the network administration team

    Answer: C. Program objectives flow from the information security strategy and business requirements, so the program delivers outcomes the organisation actually needs rather than whatever is fashionable, available or locally preferred.

  2. What is the MOST important success factor when implementing a security awareness training program?

    • A Testing employees only once at the time of hiring
    • B Using the most expensive e-learning platform available
    • C Tailoring the content to the audience and reinforcing it regularly
    • D Delivering all training in a single annual session

    Answer: C. Awareness is most effective when content is tailored to the audience and reinforced regularly; this sustains behaviour change, whereas a single session or a one-time test at hiring does not.

  3. When selecting security controls for the information security program, what should be the PRIMARY consideration?

    • A The number of controls that can be deployed quickly
    • B The controls used by the largest competitor
    • C The level of risk the controls are intended to reduce
    • D The vendor offering the largest discount

    Answer: C. Controls should be selected on the basis of the risk they reduce, so that effort and spend are aligned to the organisation's actual exposure rather than to speed of deployment, competitor choices or vendor pricing.

  4. What is the PRIMARY purpose of defining roles and responsibilities within an information security program?

    • A To reduce the number of policies required
    • B To eliminate the need for security training
    • C To increase the size of the organisational chart
    • D To ensure accountability and clear ownership of security tasks

    Answer: D. Clearly defined roles and responsibilities establish accountability and ownership, which are essential if security activities are to be performed reliably and consistently.

  5. An information security manager is integrating security into the system development life cycle (SDLC). At which stage should security requirements FIRST be considered?

    • A During the requirements and design stage
    • B During post-deployment maintenance
    • C Only after the first security incident
    • D During the testing stage

    Answer: A. Building security into the requirements and design stage is the most effective and economical approach; defects found in testing or after deployment are far costlier to remediate.

  6. Which of the following BEST measures the effectiveness of an information security program?

    • A The number of security policies published
    • B The number of vendors engaged by the security team
    • C The total amount of money spent on security tools
    • D The degree to which the program achieves its defined objectives and reduces risk

    Answer: D. Effectiveness is measured by how well the program meets its defined objectives and reduces risk, not by inputs such as spend, vendor count or the number of documents published.

Start practising Information Security Program →