The correct guideline from OECD for Personally Identifiable Information (PII) protection is: c. Notify users about data collection This aligns with principles of transparency and accountability in data protection.

The ISO standard for Information Security Management is **b. ISO/IEC 27001**.

The correct answer is b. Personally Identifiable Information.

The correct answer is **b. Polymorphic virus**. Polymorphic viruses have the ability to change their code or signature each time they infect a new file or system, which helps them evade detection by antivirus software.

'Discoverability' is generally associated with the **STRIDE** threat modeling framework. STRIDE is used to categorize various types of security threats, including Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Discoverability relates to the ability of an attacker to find and exploit these threats, typically under the category of Information Disclosure. So the correct answer is: **a.

The document type that provides high-level security policy is c. Policy. Policies outline the overall intentions and direction of an organization regarding security, serving as a framework for the establishment of standards and procedures.

In quantitative risk analysis, ARO stands for **Annual Rate of Occurrence**. Therefore, the correct answer is: b. Annual Rate of Occurrence

The correct answer is: c. Residual risk. Residual risk refers to the amount of risk that remains after risk management measures have been applied.

c. Transfer Transferring risk involves shifting the responsibility or impact of the risk to a third party, often through means like insurance or outsourcing.

The organization that provides COBIT 5 standards is **b. ISACA**.

a. Trojan Horse A Trojan Horse is a type of malware that disguises itself as legitimate software to deceive users into executing it. Once activated, it can perform various malicious actions on the infected system.

d. Network Segmentation While network segmentation can be an important aspect of IT infrastructure and security, it is not typically a direct component of a Business Continuity Plan (BCP). The other options (IT Contingency Plan, Risk Assessment, and Vital Records Program) are commonly included in a BCP to ensure that an organization can continue to operate during and after a disruptive event.

In qualitative risk assessment, 'E' typically stands for **Extreme**. This indicates a high level of risk that requires immediate attention and action. So the correct answer is: c. Extreme

The main goal of 'Defense in Depth' is **b. Provide multiple layers of security**. This approach involves implementing various security measures at different levels to protect information and systems more effectively.

c. Online installations A 'Click-through license' is commonly found in online installations, where users must agree to the terms of the license by clicking a button before they can proceed with the installation or use of the software.

The first step in threat modeling is **c. Identify scope**. This involves determining what assets, systems, or applications you are focusing on, which is crucial for identifying potential threats and vulnerabilities later in the process.

The correct answer is: **c. Align security with business objectives**. The Chief Information Security Officer (CISO) is responsible for the overall security strategy and implementation within an organization, ensuring that security measures align with business goals and objectives, managing risks, and leading efforts to protect the company’s information assets.

The correct answer is **c. Shrink-wrap license**. This type of license is associated with software that is packaged in a way that indicates agreement to the license terms is granted when the package is opened.