3. Information Security Program Development & Management

Question 1

Name the two common Enterprise Architecture Framework

Answer 1

The Open Group Architecture Framework (TOGAF) and the Zachman Framework

Question 2

What are the key elements of TOGAF

Answer 2

Business-driven, life-cycle management framework for enterprise architecture

Multiple phases starting with Preliminary, Vision Business Architecture, Technology Architecture, Oppurtunites and solutions, migration planning, governance, etc.

Question 3

What is unique about Zachman Framwork

Answer 3

Similar to office building architecture. Starts with high-level and then increasingly detail.

Does not convey the relationship between IT Systems. Data Flow diagrams are used instead.

Question 4

What are the components of ISACA’s Risk-IT Framework

Answer 4

Risk Governance - includes integrating with organizations ERM

Risk Evaluation

Risk Response

Question 5

T or F a vulnerability ranking is influenced by probability of that threat will be realized and the asset value

Answer 5

False - a vulnerability ranking should depend on whether the threat will actually bring about harm to the asset.

Question 6

T or F that Asset Value is always the replacement value

Answer 6

False - usually but now always

Question 7

What is the financial loss that results from the realization of a threat expressed in percentage of the assets totals value

Answer 7

Exposure Factor (EF)

Most threats do not completely eliminate the asset value but instead reduce it.

Question 8

SLE represents what?

Answer 8

Single loss expectancy is the value when the threat is realized one time.

AV X EF - SLE

Question 9

What is the term for the estimate of the number of times that a threat will occur per year

Answer 9

Annual Rate of Occurrence

1 in 10 is 10%
1 in 50 is 2%

Question 10

ALE is ?

Answer 10

Annualized loss expectancy

SLE X ARO = ALE

Question 11

What is some Risk Analysis Standards

Answer 11

NIST 800-30
ISO/IEC 27005

Question 12

Who is the best person (s) to make a decision on risk treatment

Answer 12

Security steering commitee

Question 13

T or F being compliant is the same as being secure

Answer 13

False
Compliance is a checkbox starting point

Question 14

What is another name for span port

Answer 14

Network Tap

Question 15

What are the 3 types of controls

Answer 15

Physical
Technical
Administrative

Question 16

What are some examples of Preventative Controls

Answer 16

Login Screens
Keycard screens
Encryption

Question 17

What are some examples of Detective Controls

Answer 17

Video Surveillance
Event Logs

Question 18

What are some examples of Deterrent Controls

Answer 18

Guard Dogs
Warning Signs
Visible Video Surveillance

Note: Deterrent controls only work if they are known by potential vioalator

Question 19

What are some examples of corrective controls

Answer 19

any act of improving an process when found defective

Question 20

An example of a compensating control

Answer 20

Guest Sign in register when there is no stronger detective control such as surveillance

Question 21

An example of a recovery control

Answer 21

use of a tool to remove malware or backup software to recover lost or corrupted files

Question 22

What is the purpose of Security Governance

Answer 22

Provide management with visibility and control of security program

Question 23

What is a key difference between IPS and Firewalls from an inspection standpoint?

Answer 23

IPS inspect full packet while firewalls inspect headers

Question 24

What should be developed first:
Procedures
Standards
Processes
or Policies

Answer 24

Policies since they govern behavior in an organization and should be developed first. Then process and procedures that align with policies can be developed. Standards which specific how policies can be implemented can be developed in conjunction

Question 25

What is CISA Cert recognized for

Answer 25

Certified Information System Auditor

Experience in Information System Audit and information system protection

Question 26

What is CGEIT

Answer 26

Certified in the Governance of Enterprise IT

Question 27

What is CRISC

Answer 27

Certified in Risk and Information System control and focused on Risk Management

Question 28

What is CISSP

Answer 28

Certified Information System Security Professional is a well known general purpose security cert

Question 29

What is the most effective way to confirm overall compliance with security policies

Answer 29

Interview process owners and examine business records

Question 30

What is the primary reason why one-time passwords sent via SMS do not provide physical possession of a trusted device

Answer 30

Not as secure as they used to be with the cellular carrier website, and services such as Google Voice.

Question 31

What is CASB specifically designed for?

Answer 31

Provide visibility and control into the use of cloud-based services

Question 32

Is the ideal VMP based on scanning first and then patching or ?

Answer 32

Best VMP is when system and device patching and hardening are proactively performed according to established SLA’s and security scanning is a QA function

Question 33

What would be a important security related consideration to be included in advance planning for the SSO Portal

Answer 33

SAML Integration with applications

the point of SSO is to make authentication to a large number of application and SAML will be required

Question 34

How often does an organization have to verify status of a service provider for PCI DSS

Answer 34

annually

Status only no need to audit or verify compliance.

Question 35

How many personnel is needed to cover a 24x7x365 shop with vacation and sick time factored in.

Answer 35

12

Question 36

Is it acceptable to allows users to “Test out” of SAT?

Answer 36

Yes

Question 37

What is the best method for keeping a program aligned with long term strategy

Answer 37

Track and report on milestones

Controls Gap or Risk Analysis is too narrow

IT Steering committee is not the body the security leader is accountable to.

Question 38

Is it an option for a third party to send logs to the larger client if they have deficient log storage and even visability.

Answer 38

Yes. known as intrusive monitoring and is an acceptable business practice

Question 39

For PCI-DSS in relation to POS do you need to examine all systems for hardening to be compliant

Answer 39

No. You can perform a reasonable sample

Question 40

What is adaptive MFA

Answer 40

Using specific critical business or not requiring MFA from known locations

Question 41

If an organization is considering an acquisition of a security tool such as a SIEM what parties will provide functional requirements

Answer 41

Security Governance to ensure it meets objective

Security Operation s

IT Operations

Internal Audit

Question 42

Does a SIEM provide any remediation of events

Answer 42

No. Correlates events and produces alerts for personnel to investigate and take action

Question 43

What does the term “Identity is the new perimeter”

Answer 43

Due to IaaS, SaaS, PaaS, etc firewalls are no longer able to protect resources so tech such as MFA and Biometrics are essential

Question 44

What is the best way a CISO estimate the resources required to support security operations

Answer 44

Consult with Industry Analyst and experts to get the best initial estimate.