ISSAP - Information Systems Security Architecture Professional Governance, Risk, and Compliance Questions and Answers

Question 1

A security architect is designing a system for a financial institution that must comply with the Sarbanes-Oxley Act (SOX).
A primary objective is to align IT processes with business goals and ensure robust internal controls over financial reporting.
Which of the following governance frameworks is MOST suitable for achieving this objective?

Accepted Answer

COBIT (Control Objectives for Information and Related Technologies)

Answer

ISO/IEC 27001

Answer

NIST Cybersecurity Framework (CSF)

Answer

ITIL (Information Technology Infrastructure Library)

Question 2

As part of the NIST Risk Management Framework (RMF), a security architect is responsible for defining the initial set of security controls for a new information system. This selection is based on the system's security categorization. Which step of the RMF is being performed?

Accepted Answer

Select Controls

Answer

Categorize System

Answer

Assess Controls

Answer

Authorize System

Question 3

A global e-commerce company is developing a comprehensive risk management strategy. They want to adopt a set of high-level principles to guide the integration of risk management into all organizational activities, ensuring it is dynamic, customized, and structured. Which international standard provides such principles for risk management?

Accepted Answer

ISO 31000

Answer

ISO 9001

Answer

ISO/IEC 27005

Answer

SABSA

Question 4

A security architect is embedding compliance requirements into the technology infrastructure from the initial design phase. This proactive approach ensures that controls for data protection, access management, and privacy are built-in rather than added later, significantly reducing the cost and effort of retrofitting. This practice is best described as which of the following?

Accepted Answer

Security by Design

Answer

Compliance as Code

Answer

Risk Transference

Answer

Defense in Depth

Question 5

Which of the following is a primary role of a security architect in the context of Governance, Risk, and Compliance (GRC)?

Accepted Answer

Designing and developing security solutions that align with business strategy, policies, and regulatory requirements.

Answer

Performing daily security operations and incident response.

Answer

Configuring and managing firewall rules and intrusion detection systems.

Answer

Conducting forensic analysis of compromised systems after a security breach.

Question 6

A security architect at a multinational corporation is tasked with designing a security architecture that can adapt to a complex and constantly changing regulatory landscape. The architecture must provide a consistent set of reusable security services, such as identity management and network segmentation, across all business units. What is the main benefit of this architectural approach?

Accepted Answer

It provides standardization that simplifies demonstrating compliance across multiple regulations.

Answer

It eliminates the need for all future security testing.

Answer

It completely outsources all security risks to third-party vendors.

Answer

It reduces the initial cost of security implementation to near zero.