The board of directors and senior management are always ultimately responsible (and liable). The steering committee would be the ones who chose which Information Security measures we implement, the CISO and CLC may also responsible, but the board/senior management is MORE correct.

Our control objectives relate to our business objectives, making then the best metric. Everything we do should tie back to our business vision, mission and objectives.

How many controls we have implemented, the percentage of our policy compliance and reduction in incidences are all indicators, but control objectives achieved is the better answer.

=> C is correct.

Our security policies should be clear and easy to understand, they should be available to our entire staff. We would NOT have network vulnerabilities in our policies, and we do NOT want our entire organization to know about them.

The process for communication would be in our DRP (Disaster Recovery Plan) or CCP (Crisis Communication Plan). The security policies are high level and vague, we would never want to have tailored versions for each business unit. The security policies are built from the vision and mission of the business, they should be consistent across the organization.

If we move our BCP to an automated solution it is critical we are able to access it during a disaster. If we place it on our intranet it may not be available during a disaster.

The other options are important, but not as critical as the availability of the plans during a disaster. We would want the correct versioning, if we do not have correct versioning staff may use old information making the disaster even worse.

If the plan has web links, they should be accessible through alternative means, but again if we can't access the plan at all the web links are less important. Integrating the plan with an user authentication system with content-based access control is smart, users gets access to exactly what they need and no more, and we would want the system to give user access when new users join and remove access when employees leave our organization; all this is still secondary to the availability of the plan.

When our risk management process is successful, we are able to align our risk reduction with the cost of the countermeasure. We can never eliminate or transfer all organizational risks or man-made risks. We can also not budget with risk losses with any degree of certainty.

We need our Information Security objectives to be clearly defined, so we can measure how effective they are. If our objectives are vague, we will have no clue how good or bad we are doing. We do need to clearly understand the objectives but measuring the effectiveness of them is more important. The objectives being clearly defined will help with getting the buy-in from our staff, but again those are secondary objectives.

Information Security should always be aligned to the organizational needs, a clear understanding of what those needs are is critical for a new CISO. They should also know the technologies, the regulatory requirements and be able to effective lead their team, but MOST important is understanding our mission, vision and goals.

The BEST option would be to limit the number of drives on the workstations. Users can insert the USB drives, but they would not be registered as a drive. We would not want to disable all USB ports; they are also used for mice and keyboards. Training should be conducted, but it is more efficient to lock down the workstations. Mandatory Access Control would do nothing in this scenario.

The best protection against data loss on a stolen laptop would be if we had the drives encrypted. Strong passwords can be bypassed if a skilled hacker, and multifactor authentication can often be bypassed if we remove the drives and add them to another computer. Backups would do nothing to protect the data, it would just give us a copy of it.

The PRIMARY goal of our risk management program is to ensure the business objectives are achievable. We are there to make sure the business is successful and reaches its objectives, by having an efficient and effective risk management program. Part of that could be protecting our critical IT assets, having IT systems always available and us having preventative controls for the business risks we face. They are however not the PRIMARY goal.