Quiz: Building a Complete Security Program
A 26-question self-check synthesizing the capstone and the book. Because Chapter 38 integrates everything, several questions reach back into earlier material. Questions tagged [Sec+] map to CompTIA Security+ domains and [CISSP] to (ISC)² CISSP domains (especially Security & Risk Management and Security Architecture). Answers and one-line explanations are at the end — try the whole quiz first.
Section 1 — Multiple choice (1 pt each)
1. [CISSP] What primarily distinguishes a security program from a collection of security controls? A. the number of tools B. coherence — a spine, structure, and strategy tying the parts together C. the size of the budget D. having a CISO
2. [Sec+] Meridian organizes its program around the six functions Govern, Identify, Protect, Detect, Respond, Recover. This structure comes from: A. ISO 27001 B. the NIST Cybersecurity Framework (CSF) 2.0 C. PCI-DSS D. MITRE ATT&CK
3. The "spine" of Meridian's security program — the organizing logic everything hangs from — is: A. the firewall ruleset B. compliance C. risk D. the org chart
4. [CISSP] A roadmap should sequence initiatives primarily by: A. raw risk score, highest first B. lowest cost first C. risk-reduction per cost, adjusted for dependencies and obligations D. vendor recommendation
5. Which can legitimately override the risk-per-cost ranking when prioritizing a roadmap? A. a hard dependency or a non-negotiable compliance obligation B. a louder stakeholder C. a newer technology D. nothing — the ratio is absolute
6. [Sec+] ALE, the engine of the business case, is computed as: A. likelihood × impact B. SLE × ARO C. CVSS × EPSS D. MTTD × MTTR
7. A board presentation should lead with: A. the network architecture B. the threat-intelligence feed C. the ask (the decision requested) D. a list of tools deployed
8. [CISSP] A board of directors provides __, not management, of the security program. A. funding only B. oversight C. engineering D. incident response
9. Presenting the program's gaps and residual risk to the board tends to: A. erode confidence and should be avoided B. build confidence by proving clear sight and honest management C. trigger an audit D. violate policy
10. [Sec+] Which metric belongs on a board (executive) slide rather than an operational SOC dashboard? A. alerts per analyst per day B. SIEM rule false-positive rate C. mean time to detect (MTTD) trend D. raw count of brute-force alerts
11. The capstone's program_dashboard(state) integrates outputs from which modules? A. only riskcalc B. riskcalc (risk/ALE) and metrics (MTTD/MTTR/coverage) C. netfilter and siem D. none — it is standalone
12. [CISSP] "The board wants to know if the plane will land, not how the engine works" is a principle about: A. encryption B. translating technical work into executive risk language C. aircraft security D. availability
13. The original Meridian phishing attack is now met by defense in depth. Which set best illustrates the independent layers involved? A. one firewall B. email auth + awareness + phishing-resistant MFA + least privilege + segmentation + detection/response C. antivirus only D. a longer password policy
14. [Sec+] A compliance obligation such as PCI-DSS CDE segmentation is best described in the business case as: A. optional risk reduction B. the non-negotiable floor the organization is legally required to meet C. a vanity metric D. a Phase 3 nice-to-have
Section 2 — True / False with justification (1 pt each)
For each, mark T or F and give a one-sentence reason.
15. "A program that has every control in this book is, by definition, a mature security program."
16. [Sec+] "The scariest, highest-impact risk should always be the first item on the roadmap."
17. "Inflating risk numbers to win a budget is a reasonable tactic if the program genuinely needs the money."
18. [CISSP] "Owning the program's gaps in front of the board undermines the CISO's credibility."
19. "Operational SOC metrics, such as alert volume and tuning rates, are important and therefore belong in the board deck."
20. "Every roadmap item should trace to a specific risk-register entry."
Section 3 — Fill in the blank (1 pt each)
21. A multi-year, sequenced, costed plan from current state to target state is the security __.
22. [Sec+] The four parts of a business case are: the cost of the _ _, the investment and the risk it buys down, the compliance _, and the alternatives ending in a specific _.
23. The three capstone tracks are SOC (Detect–Respond–Recover), Engineer (_ architecture and sequencing), and _ (Govern–Identify and the full synthesis).
Section 4 — Short answer (2 pts each)
24. [CISSP] Explain why "always do the highest-risk item next" is a flawed prioritization rule, and name the ranking that fixes it.
25. A board asks, "Are we spending the right amount on security?" Describe, in two or three sentences, how the Govern layer (risk appetite + risk assessment) answers this question.
Section 5 — Applied scenario (5 pts)
26. [Sec+] Meridian carries roughly $6M in annualized cyber risk (from its top three untreated risks). A proposed $1.7M investment in Phases 1–2 is projected to reduce this to ~$0.9M; the board's risk appetite is $1.0M. (a) State the business case in one sentence in the board's language. (b) Is the projected residual within appetite, and what does that let the CISO tell the board? (c) Name two of the four things a board cares about that this case addresses, and the deck slide that carries each.