According to the ISACA's Information Security Governance Guidance for Boards of Directors and Executive Management, the highest level of maturity of an information security program is Level 5: Optimized, which means that the program is aligned with the business objectives and strategy, and continuously monitors and improves its performance and effectiveness. A framework is in place to measure risks and track effectiveness, and the program is proactive, adaptive, and innovative.
The other options represent lower levels of maturity:
* A training program is in place to promote information security awareness. This is Level 2: Repeatable, which means that the program has some basic policies and procedures, and provides awareness training to employees.
* Information security policies and procedures are established. This is Level 3: Defined, which means that the program has formalized policies and procedures, and assigns roles and responsibilities for information security.
* The program meets regulatory and compliance requirements. This is Level 4: Managed, which means that the program has established metrics and reporting mechanisms, and complies with relevant laws and regulations.
References: : ISACA. (2001). Information Security Governance Guidance for B

Explanation/Reference:
Explanation:
Trojan horses are malicious or damaging code hidden within an authorized computer program. Hackers use Trojans to mastermind DDOS attacks that affect computers that access the same Internet site at the same moment, resulting in overloaded site servers that may no longer be able to process legitimate requests. Logic bombs are programs designed to destroy or modify data at a specific time in the future.
Phishing is an attack, normally via e-mail, pretending to be an authorized person or organization requesting information. Spyware is a program that picks up information from PC drives by making copies of their contents.

Section: Protection of Information Assets
Explanation/Reference:https://www.computerweekly.com/tip/Segregation-of-duties-Small-business-best-practices

Explanation/Reference:
Explanation:
Information Leakage Detection and Prevention (ILD&P) is a computer security term referring to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders. Network ILD&P are gateway-based systems installed on the organization's internet network connection and analyze network traffic to search for unauthorized information transmissions. Host Based ILD&P systems run on end-user workstations to monitor and control access to physical devices and access information before it has been encrypted.

Section: Protection of Information Assets
Explanation:
When implementing continuous-monitoring systems, an IS auditor's first step is to identify high-risk areas
within the organization.