A Chief Information Security Officer (CISO) is establishing a new cybersecurity program. Which of the following should be developed FIRST to provide the overall direction, scope, and tone for the organization's security efforts?

An organization has identified a vulnerability in a legacy system. The cost to fix the vulnerability is estimated to be 150,000$. The cybersecurity team′s analysis shows the maximum potential loss from this vulnerability is only 5,000$ , with a low probability of occurrence. The leadership team decides not to apply a patch or implement any new controls. What risk management strategy is being applied?

A security manager installs a firewall to block unauthorized network traffic from entering the company's internal network. What type of control is a firewall?

To reduce the potential for successful cyberattacks, a security team is tasked with identifying and eliminating all non-essential services, open ports, and unnecessary user accounts on its public-facing servers. This practice is a core component of:

A software vendor has just released a critical security update for a zero-day vulnerability that is being actively exploited. Which of the following is the MOST appropriate immediate action for a cybersecurity leader to direct?

A system administrator is hardening a new server before it is deployed to the production environment. The administrator uses a standardized checklist to ensure all security settings are configured to a specific, secure state. This standardized state is known as a:

A company has a policy that all employees must complete mandatory security awareness training annually. From a governance perspective, what type of control is this training?