Domain 1 Flashcards
Who in the organization determines access to information?
A. Legal department
B. Compliance officer
C. Data Owner
D. Information security officer
Data Owner
What is the BEST way to achieve on-going compliance monitoring in an organization?
A. Only check compliance right before the auditors are scheduled to arrive onsite.
B. Outsource compliance to a 3rd party vendor and let them manage the program.
C. Have Compliance and Information Security partner to correct issues as they arise.
D. Have Compliance direct Information Security to fix issues after the auditors report.
Have Compliance and Information Security partner to correct issues as they arise.
When dealing with a risk management process, asset classification is important because it will impact the overall:
A. Threat identification
B. Risk monitoring
C. Risk treatment
D. Risk tolerance
Risk treatment
Ensuring that the actions of a set of people, applications and systems follow the organization’s rules is BEST described as:
A. Risk management
B. Security management
C. Mitigation management
D. Compliance management
Compliance management
Which of the following is a MAJOR consideration when an organization retains sensitive customer data and uses this data to better target the organization's products and services?
A. Strong authentication technologies
B. Financial reporting regulations
C. Credit card compliance and regulations
D. Local privacy laws
Local privacy laws
Which of the following is a benefit of information security governance?
A. Questioning the trust in vendor relationships.
B. Increasing the risk of decisions based on incomplete management information.
C. Direct involvement of senior management in developing control processes
D. Reduction of the potential for civil and legal liability
Reduction of the potential for civil and legal liability
In accordance with best practices and international standards, how often is security awareness training provided to employees of an organization?
A. High risk environments 6 months, low risk environments 12 months
B. Every 12 months
C. Every 18 months
D. Every six months
Every 12 months
Which of the following is of MOST importance when security leaders of an organization are required to align security to influence the culture of an organization?
A. Possess a strong technical background
B. Understand all regulations affecting the organization
C. Understand the business goals of the organization
D. Possess a strong auditing background
Understand the business goals of the organization
Which of the following is used to establish and maintain a framework to provide assurance that information security strategies are aligned with organizational objectives?
A. Awareness
B. Compliance
C. Governance
D. Management
Governance
Which of the following provides an audit framework?
A. Control Objectives for IT (COBIT)
B. Payment Card Industry-Data Security Standard (PCI-DSS)
C. International Organization Standard (ISO) 27002
D. National Institute of Standards and Technology (NIST) SP 800-30
Control Objectives for IT (COBIT)
The PRIMARY objective of security awareness is to:
A. Ensure that security policies are read.
B. Encourage security-conscious employee behavior.
C. Meet legal and regulatory requirements.
D. Put employees on notice in case follow-up action for noncompliance is necessary
Encourage security-conscious employee behavior.
When deploying an Intrusion Prevention System (IPS) the BEST way to get maximum protection from the system is to deploy it
A. In promiscuous mode and only detect malicious traffic.
B. In-line and turn on blocking mode to stop malicious traffic.
C. In promiscuous mode and block malicious traffic.
D. In-line and turn on alert mode to stop malicious traffic.
In-line and turn on blocking mode to stop malicious traffic.
Risk is defined as:
A. Threat times vulnerability divided by control
B. Advisory plus capability plus vulnerability
C. Asset loss times likelihood of event
D. Quantitative plus qualitative impact
Threat times vulnerability divided by control
Which of the following are the MOST important factors for proactively determining system vulnerabilities?
A. Subscribe to vendor mailing list to get notification of system vulnerabilities
B. Deploy Intrusion Detection System (IDS) and install anti-virus on systems
C. Configure firewall, perimeter router and Intrusion Prevention System (IPS)
D. Conduct security testing, vulnerability scanning, and penetration testing
Conduct security testing, vulnerability scanning, and penetration testing
What is the first thing that needs to be completed in order to create a security program for your organization?
A. Risk assessment
B. Security program budget
C. Business continuity plan
D. Compliance and regulatory analysis
Risk assessment
According to ISO 27001, of the steps for establishing an Information Security Governance program listed below, which comes first?
A. Identify threats, risks, impacts and vulnerabilities
B. Decide how to manage risk
C. Define the budget of the Information Security Management System
D. Define Information Security Policy
Define Information Security Policy
The framework that helps to define a minimum standard of protection that business stakeholders must attempt to achieve is referred to as a standard of:
A. Due Protection
B. Due Care
C. Due Compromise
D. Due process
Due Care
Developing effective security controls is a balance between:
A. Risk Management and Operations
B. Corporate Culture and Job Expectations
C. Operations and Regulations
D. Technology and Vendor Management
Risk Management and Operations
According to the National Institute of Standards and Technology (NIST) SP 800-40, which of the following considerations are MOST important when creating a vulnerability management program?
A. Susceptibility to attack, mitigation response time, and cost
B. Attack vectors, controls cost, and investigation staffing needs
C. Vulnerability exploitation, attack recovery, and mean time to repair
D. Susceptibility to attack, expected duration of attack, and mitigation availability
Susceptibility to attack, mitigation response time, and cost
The Information Security Management program MUST protect:
A. all organizational assets
B. critical business processes and/or revenue streams
C. intellectual property released into the public domain
D. against distributed denial of service attacks
critical business processes and/or revenue streams
A company wants to fill a Chief Information Security Officer position in the organization. They need to define and implement a more holistic security program. Which of the following qualifications and experience would be MOST desirable to find in a candidate?
A. Multiple certifications, strong technical capabilities and lengthy resume
B. Industry certifications, technical knowledge and program management skills
C. College degree, audit capabilities and complex project management
D. Multiple references, strong background check and industry certifications
Industry certifications, technical knowledge and program management skills
In which of the following cases, would an organization be more prone to risk acceptance vs. risk mitigation?
A. The organization uses exclusively a quantitative process to measure risk
B. The organization uses exclusively a qualitative process to measure risk
C. The organization’s risk tolerance is high
D. The organization’s risk tolerance is low
The organization’s risk tolerance is high
Within an organization's vulnerability management program, who has the responsibility to implement remediation actions?
A. Security officer
B. Data owner
C. Vulnerability engineer
D. System administrator
System administrator
An organization's information security policy serves to
A. establish budgetary input in order to meet compliance requirements
B. establish acceptable systems and user behavior
C. define security configurations for systems
D. define relationships with external law enforcement agencies
establish acceptable systems and user behavior
You have recently drafted a revised information security policy. From whom should you seek endorsement in order to have the GREATEST chance for adoption and implementation throughout the entire organization?
A. Chief Information Security Officer
B. Chief Executive Officer
C. Chief Information Officer
D. Chief Legal Counsel
Chief Executive Officer
What is the relationship between information protection and regulatory compliance?
A. That all information in an organization must be protected equally.
B. The information required to be protected by regulatory mandate does not have to be identified in the organization's data classification policy.
C. That the protection of some information such as National ID information is mandated by regulation and other information such as trade secrets are protected based on business need.
D. There is no relationship between the two.
That the protection of some information such as National ID information is mandated by regulation and other information such as trade secrets are protected based on business need.
Which of the following is the MAIN reason to follow a formal risk management process in an organization that hosts and uses personally identifiable information (PII) as part of its business models and processes?
A. Need to comply with breach disclosure laws
B. Need to transfer the risk associated with hosting PII data
C. Need to better understand the risk associated with using PII data
D. Fiduciary responsibility to safeguard credit card information
Need to better understand the risk associated with using PII data
What should an organization do to ensure that it has a sound Business Continuity (BC) Plan?
A. Test every three years to ensure that things work as planned
B. Conduct periodic tabletop exercises to refine the BC plan
C. Outsource the creation and execution of the BC plan to a third party vendor
D. Conduct a Disaster Recovery (DR) exercise every year to test the plan
Conduct periodic tabletop exercises to refine the BC plan
What is the MAIN reason for conflicts between Information Technology and Information Security programs?
A. Technology governance defines technology policies and standards while security governance does not.
B. Security governance defines technology best practices and Information Technology governance does not.
C. Technology Governance is focused on process risks whereas Security Governance is focused on business risk.
D. The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology implementations.
The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology implementations.
If your organization operates under a model of “assumption of breach”, you should:
A. Protect all information resource assets equally
B. Establish active firewall monitoring protocols
C. Purchase insurance for your compliance liability
D. Focus your security efforts on high value assets
Purchase insurance for your compliance liability
A global retail company is creating a new compliance management process. Which of the following regulations is of MOST importance to be tracked and managed by this process?
A. Information Technology Infrastructure Library (ITIL)
B. International Organization for Standardization (ISO) standards
C. Payment Card Industry Data Security Standards (PCI-DSS)
D. National Institute for Standards and Technology (NIST) standard
Payment Card Industry Data Security Standards (PCI-DSS)
When an organization claims it is secure because it is PCI-DSS certified, what is a good first question to ask towards assessing the effectiveness of their security program?
A. How many credit card records are stored?
B. How many servers do you have?
C. What is the scope of the certification?
D. What is the value of the assets at risk?
What is the scope of the certification?
When managing the security architecture for your company you must consider:
A. Security and IT Staff size
B. Company Values
C. Budget
D. All of the above
All of the above
A method to transfer risk is to:
A. Implement redundancy
B. Move operations to another region
C. Purchase breach insurance
D. Alignment with business operations
Purchase breach insurance
Why is it vitally important that senior management endorse a security policy?
A. So that they will accept ownership for security within the organization.
B. So that employees will follow the policy directives.
C. So that external bodies will recognize the organization's commitment to security.
D. So that they can be held legally accountable.
So that they will accept ownership for security within the organization.
Risk that remains after risk mitigation is known as
A. Persistent risk
B. Residual risk
C. Accepted risk
D. Non-tolerated risk
Residual risk
A Security Operations Centre (SOC) manager is informed that a database containing highly sensitive corporate strategy information is under attack. Information has been stolen and the database server was disconnected. Who must be informed of this incident?
A. Internal audit
B. The data owner
C. All executive staff
D. Government regulators
The data owner
What two methods are used to assess risk impact?
A. Cost and annual rate of expectance
B. Subjective and Objective
C. Qualitative and percent of loss realized
D. Quantitative and qualitative
Quantitative and qualitative
Which of the following is a critical operational component of an Incident Response Program (IRP)?
A. Weekly program budget reviews to ensure the percentage of program funding remains constant.
B. Annual review of program charters, policies, procedures and organizational agreements.
C. Daily monitoring of vulnerability advisories relating to your organization's deployed technologies.
D. Monthly program tests to ensure resource allocation is sufficient for supporting the needs of the organization
Daily monitoring of vulnerability advisories relating to your organization's deployed technologies.