5.5

Question 1

internal security audit

Answer 1

operates by
attesting that all organizational information
systems are adhering to a set of internal or
external criteria regulating data security,
network security, and infrastructure security

Question 2

Internal criteria include:

Answer 2

the company’s IT
policies, procedures, and security controls

Question 3

Internal audit should objectively assess what?

Answer 3

the organization’s overall strategy for handling emerging threats from a governance,
architectural, operational, and technology standpoint

Question 4

audit committee

Answer 4

is responsible for assisting
independent auditors to examine the organization’s
security reporting system

Question 5

how does the audit committee examine?

Answer 5

• Offering critical oversight of the corporation’s reporting
  processes, internal controls, and independent auditing
• Providing checks and balances
• Allowing a forum for discussing security concerns candidly
  and objectively

Question 6

self-assessment with independent validation
(SAIV)

Answer 6

approach is a more cost-effective
assessment solution

Question 7

self-assessment with independent validation
(SAIV) goal?

Answer 7

to deliver an independent validation of the internal audit activity’s self-assessment

Question 8

assessment

Answer 8

An assessment could be seen as an “audit
plus”
* Assessments compare with both standards
and industry practices, the auditor’s
knowledge and experience, etc.

Question 9

external audit

Answer 9

an organization compares itself to an
established standard

*ISO 27001 is an example of a compliance audit with a
certification as the result

Question 10

assessment example

Answer 10

Payment Card Industry Data
Security Standard (PCI DSS) is an audit, but
organizations are required to go through a penetration test as well, which is an
assessment
* Therefore, PCI DSS can also be called an assessment

Question 11

Security examinations

Answer 11

used to certify security
professionals at various experience levels to
participate in auditing and assessments

Question 12

Common examples of security examinations are:

Answer 12

• CompTIA Security+
• CompTIA Advanced Security Practitioner (CASP+)
• Certified Information Systems Security Professional (CISSP)
  from ISC2
• Certified Information Security Manager (CISM) from ISACA

Question 13

Independent third-party audit

Answer 13

The audit of information security is a comprehensive assessment that evaluates, often
with gap analysis, the current state of security
controls in the organization

Question 14

When applied to DevSecOps, a third-party security
audit is:

Answer 14

an exhaustive assessment of all code,
documentation, and processes related to a software
system by an independent security firm

Question 15

The goal of an audit is:

Answer 15

to uncover potential security
risks which can then be patched by the software’s
developer

Question 16

Penetration testing

Answer 16

a process used to collect
information and actively expose vulnerabilities in a
system or application by conducting actual exploits
and red team attacks

Question 17

Penetration testing is conducted as a:

Answer 17

known
environment, partially known environment, or
unknown environment, where the tester assumes
the attacker role to discover vulnerabilities and
weaknesses

Question 18

Penetration testing can also be useful for determining:

Answer 18

• How well the system tolerates real world-style attack
  patterns
• The likely level of sophistication an attacker needs to
  successfully compromise the system
• Additional countermeasures that could mitigate
  threats against the system
• The defenders’ ability to detect attacks and respond
  appropriately

Question 19

SSAF

Answer 19

framework provided by Open Information Systems
Security Group (OISSG); a not-for-profit organization based
in London

Question 20

OSSTMM

Answer 20

open-source security testing created by
Institute for Security and Open Methodologies (ISECOM)

Question 21

OWASP

Answer 21

– popular methodology used widely by security
professionals, created by a non-profit organization focused
on advancing software security

Question 22

PTES

Answer 22

Penetration Testing Execution Standard
methodology was developed to cover the key parts of a
penetration test

Question 23

NIST

Answer 23

National Institute of Standards and Technology
provides a manual that is best suited to improve the
overall cybersecurity of an organization

Question 24

phishing campaign

Answer 24

an email hoax designed to replicate a real attack against employees as part of security awareness training

Question 25

The phishing campaign goal is not to:

Answer 25

entrap and punish employees but
rather raise awareness and instruct

Question 26

Security training monitoring and reporting must be
scoped to the specific audience to deliver different types of security training:

Answer 26

• Basic security awareness training
• Technical security training
• Security management training
• Compliance training

Question 27

The Net Promoter Score (NPS)

Answer 27

gold standard customer experience metric

NPS score measures participant loyalty by looking at their probability of
recommending a given security training experience