Domain 2 Flashcards
Which of the following is considered to be an IT governance framework and a supporting toolset that allows for managers to bridge the gap between control requirements, technical issues, and business risks?
A. Control Objective for Information Technology (COBIT)
B. Committee of Sponsoring Organizations (COSO)
C. Payment Card Industry (PCI)
D. Information Technology Infrastructure Library (ITIL)
Control Objective for Information Technology (COBIT)
Which of the following are primary concerns for management with regard to assessing internal control objectives?
A. Confidentiality, Availability, Integrity
B. Compliance, Effectiveness, Efficiency
C. Communication, Reliability, Cost
D. Confidentiality, Compliance, Cost
Compliance, Effectiveness, Efficiency
Which of the following activities must be completed BEFORE you can calculate risk?
A. Determining the likelihood that vulnerable systems will be attacked by specific threats
B. Calculating the risks to which assets are exposed in their current setting
C. Assigning a value to each information asset
D. Assessing the relative risk facing the organization’s information assets
Assigning a value to each information asset
Which of the following set of processes is considered to be one of the cornerstone cycles of the International Organization for Standardization (ISO) 27001 standard?
A. Plan-Check-Do-Act
B. Plan-Do-Check-Act
C. Plan-Select-Implement-Evaluate
D. SCORE (Security Consensus Operational Readiness Evaluation)
Plan-Do-Check-Act
Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?
A. A substantive test of program library controls
B. A compliance test of program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls
A compliance test of program library controls
The effectiveness of an audit is measured by?
A. The number of actionable items in the recommendations
B. How it exposes the risk tolerance of the company
C. How the recommendations directly support the goals of the company
D. The number of security controls the company has in use
How the recommendations directly support the goals of the company
Which of the following is the MOST effective way to measure the effectiveness of security controls on a perimeter network?
A. Perform a vulnerability scan of the network
B. External penetration testing by a qualified third party
C. Internal Firewall ruleset reviews
D. Implement network intrusion prevention systems
External penetration testing by a qualified third party
Which of the following best describes the purpose of the International Organization for Standardization (ISO) 27002 standard?
A. To give information security management recommendations to those who are responsible for initiating, implementing, or maintaining security in their organization.
B. To provide a common basis for developing organizational security standards
C. To provide effective security management practice and to provide confidence in inter-organizational dealings
D. To establish guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization
To establish guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization
In MOST organizations which group periodically reviews network intrusion detection system logs for all systems as part of their daily tasks?
A. Internal Audit
B. Database Administration
C. Information Security
D. Compliance
Information Security
When measuring the effectiveness of an Information Security Management System, which one of the following would be MOST LIKELY used as a metric framework?
A. ISO 27001
B. PRINCE2
C. ISO 27004
D. ITILv3
ISO 27004
The MOST common method to get an unbiased measurement of the effectiveness of an Information Security Management System (ISMS) is to
A. assign the responsibility to the information security team.
B. assign the responsibility to the team responsible for the management of the controls.
C. create operational reports on the effectiveness of the controls.
D. perform an independent audit of the security controls.
perform an independent audit of the security controls.
Which of the following organizations is typically in charge of validating the implementation and effectiveness of security controls?
A. Security Administrators
B. Internal/External Audit
C. Risk Management
D. Security Operations
Internal/External Audit
The mean time to patch, number of virus outbreaks prevented, and number of vulnerabilities mitigated are examples of what type of performance metrics?
A. Risk metrics
B. Management metrics
C. Operational metrics
D. Compliance metrics
Operational metrics
You have implemented the new controls. What is the next step?
A. Document the process for the stakeholders
B. Monitor the effectiveness of the controls
C. Update the audit findings report
D. Perform a risk assessment
Monitor the effectiveness of the controls
Creating a secondary authentication process for network access would be an example of?
A. Nonlinearities in physical security performance metrics
B. Defense in depth cost enumerated costs
C. System hardening and patching requirements
D. Anti-virus for mobile devices
Nonlinearities in physical security performance metrics
A missing/ineffective security control is identified. Which of the following should be the NEXT step?
A. Perform an audit to measure the control formally
B. Escalate the issue to the IT organization
C. Perform a risk assessment to measure risk
D. Establish Key Risk Indicators
Perform a risk assessment to measure risk
An organization has implemented a change management process for all changes to the IT production environment. This change management process follows best practices and is expected to help stabilize the availability and integrity of the organization's IT environment. Which of the following can be used to measure the effectiveness of this newly implemented process?
A. Number of change orders rejected
B. Number and length of planned outages
C. Number of unplanned outages
D. Number of change orders processed
Number of unplanned outages
When working in the Payment Card Industry (PCI), how often should security logs be reviewed to comply with the standards?
A. Daily
B. Hourly
C. Weekly
D. Monthly
Daily
Which of the following is a benefit of a risk-based approach to audit planning?
A. Resources are allocated to the areas of the highest concern
B. Scheduling may be performed months in advance
C. Budgets are more likely to be met by the IT audit staff
D. Staff will be exposed to a variety of technologies
Resources are allocated to the areas of the highest concern
The executive board has requested that the CISO of an organization define Key Performance Indicators (KPI) to measure the effectiveness of the security awareness program provided to call center employees. Which of the following can be used as a KPI?
A. Number of callers who report security issues.
B. Number of callers who report a lack of customer service from the call center
C. Number of successful social engineering attempts on the call center
D. Number of callers who abandon the call before speaking with a representative
Number of successful social engineering attempts on the call center
When a CISO considers delaying or not remediating system vulnerabilities, which of the following are MOST important to take into account?
A. Threat Level, Risk of Compromise, and Consequences of Compromise
B. Risk Avoidance, Threat Level, and Consequences of Compromise
C. Risk Transfer, Reputational Impact, and Consequences of Compromise
D. Reputational Impact, Financial Impact, and Risk of Compromise
Threat Level, Risk of Compromise, and Consequences of Compromise
During the course of a risk analysis your IT auditor identified threats and potential impacts. Next, your IT auditor should:
A. Identify and evaluate the existing controls.
B. Disclose the threats and impacts to management.
C. Identify information assets and the underlying systems.
D. Identify and assess the risk assessment process used by management.
Identify and evaluate the existing controls.
When you develop your audit remediation plan what is the MOST important criteria?
A. To remediate half of the findings before the next audit.
B. To remediate all of the findings before the next audit.
C. To validate that the cost of the remediation is less than the risk of the finding.
D. To validate the remediation process with the auditor.
To validate that the cost of the remediation is less than the risk of the finding.
The implementation of anti-malware and anti-phishing controls on centralized email servers is an example of what type of security control?
A. Organization control
B. Procedural control
C. Management control
D. Technical control
Technical control
The effectiveness of social engineering penetration testing using phishing can be used as a Key Performance Indicator (KPI) for the effectiveness of an organization's
A. Risk Management Program.
B. Anti-Spam controls.
C. Security Awareness Program.
D. Identity and Access Management Program.
Security Awareness Program.
When a critical vulnerability has been discovered on production systems and needs to be fixed immediately, what is the BEST approach for a CISO to mitigate the vulnerability under tight budget constraints?
A. Transfer financial resources from other critical programs
B. Take the system offline until the budget is available
C. Deploy countermeasures and compensating controls until the budget is available
D. Schedule an emergency meeting and request the funding to fix the issue
Deploy countermeasures and compensating controls until the budget is available
Which of the following activities is the MAIN purpose of the risk assessment process?
A. Creating an inventory of information assets
B. Classifying and organizing information assets into meaningful groups
C. Assigning value to each information asset
D. Calculating the risks to which assets are exposed in their current setting
Calculating the risks to which assets are exposed in their current setting
Which of the following best represents a calculation for Annual Loss Expectancy (ALE)?
A. Single loss expectancy multiplied by the annual rate of occurrence
B. Total loss expectancy multiplied by the total loss frequency
C. Value of the asset multiplied by the loss expectancy
D. Replacement cost multiplied by the single loss expectancy
Single loss expectancy multiplied by the annual rate of occurrence
You are the Chief Information Security Officer of a large, multinational bank and you suspect there is a flaw in a two-factor authentication token management process. Which of the following represents your BEST course of action?
A. Validate that security awareness program content includes information about the potential vulnerability
B. Conduct a thorough risk assessment against the current implementation to determine system functions
C. Determine program ownership to implement compensating controls
D. Send a report to executive peers and business unit owners detailing your suspicions
Conduct a thorough risk assessment against the current implementation to determine system functions
Which is the BEST solution to monitor, measure, and report changes to critical data in a system?
A. Application logs
B. File integrity monitoring
C. SNMP traps
D. Syslog
File integrity monitoring
An IT auditor has recently discovered that because of a shortage of skilled operations personnel, the security administrator has agreed to work one late night shift a week as the senior computer operator. The most appropriate course of action for the IT auditor is to:
A. Inform senior management of the risk involved.
B. Agree to work with the security officer on these shifts as a form of preventative control.
C. Develop a computer assisted audit technique to detect instances of abuses of the arrangement.
D. Review the system log for each of the late night shifts to determine whether any irregular actions occurred.
Inform senior management of the risk involved.
You work as a project manager for TYU project. You are planning for risk mitigation. You need to quickly identify high-level risks that will need a more in-depth analysis. Which of the following activities will help you in this?
A. Qualitative analysis
B. Quantitative analysis
C. Risk mitigation
D. Estimate activity duration
Qualitative analysis