Domain 2 Flashcards

Question 1

Q

Which of the following is considered to be an IT governance framework and a supporting toolset that allows for managers to bridge the gap between control requirements, technical issues, and business risks?
A. Control Objective for Information Technology (COBIT)
B. Committee of Sponsoring Organizations (COSO)
C. Payment Card Industry (PCI)
D. Information Technology Infrastructure Library (ITIL)

Answer

A

Control Objective for Information Technology (COBIT)

Question 2

Q

Which of the following are primary concerns for management with regard to assessing internal control objectives?
A. Confidentiality, Availability, Integrity
B. Compliance, Effectiveness, Efficiency
C. Communication, Reliability, Cost
D. Confidentiality, Compliance, Cost

Answer

A

Compliance, Effectiveness, Efficiency

Question 3

Q

Which of the following activities must be completed BEFORE you can calculate risk?
A. Determining the likelihood that vulnerable systems will be attacked by specific threats
B. Calculating the risks to which assets are exposed in their current setting
C. Assigning a value to each information asset
D. Assessing the relative risk facing the organization’s information assets

Answer

A

Assigning a value to each information asset

Question 4

Q

Which of the following set of processes is considered to be one of the cornerstone cycles of the International Organization for Standardization (ISO) 27001 standard?
A. Plan-Check-Do-Act
B. Plan-Do-Check-Act
C. Plan-Select-Implement-Evaluate
D. SCORE (Security Consensus Operational Readiness Evaluation)

Answer

A

Plan-Do-Check-Act

Question 5

Q

Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?
A. A substantive test of program library controls
B. A compliance test of program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls

Answer

A

A compliance test of program library controls

Question 6

Q

The effectiveness of an audit is measured by?
A. The number of actionable items in the recommendations
B. How it exposes the risk tolerance of the company
C. How the recommendations directly support the goals of the company
D. The number of security controls the company has in use

Answer

A

How the recommendations directly support the goals of the company

Question 7

Q

Which of the following is the MOST effective way to measure the effectiveness of security controls on a perimeter network?
A. Perform a vulnerability scan of the network
B. External penetration testing by a qualified third party
C. Internal Firewall ruleset reviews
D. Implement network intrusion prevention systems

Answer

A

External penetration testing by a qualified third party

Question 8

Q

Which of the following best describes the purpose of the International Organization for
Standardization (ISO) 27002 standard?
A. To give information security management recommendations to those who are responsible for initiating, implementing, or maintaining security in their organization.
B. To provide a common basis for developing organizational security standards
C. To provide effective security management practice and to provide confidence in inter- organizational dealings
D. To established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization

Answer

A

To established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization

Question 9

Q

In MOST organizations which group periodically reviews network intrusion detection system logs for all systems as part of their daily tasks?
A. Internal Audit
B. Database Administration
C. Information Security
D. Compliance

Answer

A

Information Security

Question 10

Q

When measuring the effectiveness of an Information Security Management System which
one of the following would be MOST LIKELY used as a metric framework?
A. ISO 27001
B. PRINCE2
C. ISO 27004
D. ITILv3

Answer

A

ISO 27004

Question 11

Q

The MOST common method to get an unbiased measurement of the effectiveness of an Information Security Management System (ISMS) is to
A. assign the responsibility to the information security team.
B. assign the responsibility to the team responsible for the management of the controls.
C. create operational reports on the effectiveness of the controls.
D. perform an independent audit of the security controls.

Answer

A

perform an independent audit of the security controls.

Question 12

Q

Which of the following organizations is typically in charge of validating the implementation and effectiveness of security controls?
A. Security Administrators
B. Internal/External Audit
C. Risk Management
D. Security Operations

Answer

A

Internal/External Audit

Question 13

Q

The mean time to patch, number of virus outbreaks prevented, and number of vulnerabilities mitigated are examples of what type of performance metrics?
A. Risk metrics
B. Management metrics
C. Operational metrics
D. Compliance metrics

Answer

A

Operational metrics

Question 14

Q

You have implemented the new controls. What is the next step?
A. Document the process for the stakeholders
B. Monitor the effectiveness of the controls
C. Update the audit findings report
D. Perform a risk assessment

Answer

A

Monitor the effectiveness of the controls

Question 15

Q

Creating a secondary authentication process for network access would be an example of?
A. Nonlinearities in physical security performance metrics
B. Defense in depth cost enumerated costs
C. System hardening and patching requirements
D. Anti-virus for mobile devices

Answer

A

Nonlinearities in physical security performance metrics

Question 16

Q

A missing/ineffective security control is identified. Which of the following should be the NEXT step?
A. Perform an audit to measure the control formally
B. Escalate the issue to the IT organization
C. Perform a risk assessment to measure risk
D. Establish Key Risk Indicators

Answer

A

Perform a risk assessment to measure risk

Question 17

Q

An organization has implemented a change management process for all changes to the IT production environment. This change management process follows best practices and is expected to help stabilize the availability and integrity of the organizations IT environment. Which of the following can be used to measure the effectiveness of this newly implemented process:
A. Number of change orders rejected
B. Number and length of planned outages
C. Number of unplanned outages
D. Number of change orders processed

Answer

A

Number of unplanned outages

Question 18

Q

When working in the Payment Card Industry (PCI), how often should security logs be review to comply with the standards?
A. Daily
B. Hourly
C. Weekly
D. Monthly

Question 19

Q

Which of the following is a benefit of a risk-based approach to audit planning?
A. Resources are allocated to the areas of the highest concern
B. Scheduling may be performed months in advance
C. Budgets are more likely to be met by the IT audit staff
D. Staff will be exposed to a variety of technologies

Answer

A

Resources are allocated to the areas of the highest concern

Question 20

Q

The executive board has requested that the CISO of an organization define and Key Performance Indicators (KPI) to measure the effectiveness of the security awareness program provided to call center employees. Which of the following can be used as a KPI?
A. Number of callers who report security issues.
B. Number of callers who report a lack of customer service from the call center
C. Number of successful social engineering attempts on the call center
D. Number of callers who abandon the call before speaking with a representative

Answer

A

Number of successful social engineering attempts on the call center

Question 21

Q

When a CISO considers delaying or not remediating system vulnerabilities, which of the following are MOST important to take into account?
A. Threat Level, Risk of Compromise, and Consequences of Compromise
B. Risk Avoidance, Threat Level, and Consequences of Compromise
C. Risk Transfer, Reputational Impact, and Consequences of Compromise
D. Reputational Impact, Financial Impact, and Risk of Compromise

Answer

A

Threat Level, Risk of Compromise, and Consequences of Compromise

Question 22

Q

During the course of a risk analysis your IT auditor identified threats and potential impacts. Next, your IT auditor should:
A. Identify and evaluate the existing controls.
B. Disclose the threats and impacts to management.
C. Identify information assets and the underlying systems.
D. Identify and assess the risk assessment process used by management.

Answer

A

Identify and evaluate the existing controls.

Question 23

Q

When you develop your audit remediation plan what is the MOST important criteria?
A. To remediate half of the findings before the next audit.
B. To remediate all of the findings before the next audit.
C. To validate that the cost of the remediation is less than the risk of the finding.
D. To validate the remediation process with the auditor.

Answer

A

To validate that the cost of the remediation is less than the risk of the finding.

Question 24

Q

The implementation of anti-malware and anti-phishing controls on centralized email servers is an example of what type of security control?
A. Organization control
B. Procedural control
C. Management control
D. Technical control

Answer

A

Technical control

Question 25

Q

The effectiveness of social engineering penetration testing using phishing can be used as a Key Performance Indicator (KPI) for the effectiveness of an organizations
A. Risk Management Program.
B. Anti-Spam controls.
C. Security Awareness Program.
D. Identity and Access Management Program.

Answer

A

Security Awareness Program.

Question 26

Q

When a critical vulnerability has been discovered on production systems and needs to be fixed immediately, what is the BEST approach for a CISO to mitigate the vulnerability under tight budget constraints?
A. Transfer financial resources from other critical programs
B. Take the system off line until the budget is available
C. Deploy countermeasures and compensating controls until the budget is available
D. Schedule an emergency meeting and request the funding to fix the issue

Answer

A

Deploy countermeasures and compensating controls until the budget is available

Question 27

Q

Which of the following activities is the MAIN purpose of the risk assessment process?
A. Creating an inventory of information assets
B. Classifying and organizing information assets into meaningful groups
C. Assigning value to each information asset
D. Calculating the risks to which assets are exposed in their current setting

Answer

A

Calculating the risks to which assets are exposed in their current setting

Question 28

Q

Which of the following best represents a calculation for Annual Loss Expectancy (ALE)?
A. Single loss expectancy multiplied by the annual rate of occurrence
B. Total loss expectancy multiplied by the total loss frequency
C. Value of the asset multiplied by the loss expectancy
D. Replacement cost multiplied by the single loss expectancy

Answer

A

Single loss expectancy multiplied by the annual rate of occurrence

Question 29

Q

You are the Chief Information Security Officer of a large, multinational bank and you suspect there is a flaw in a two factor authentication token management process. Which of the following represents your BEST course of action?
A. Validate that security awareness program content includes information about the potential vulnerability
B. Conduct a thorough risk assessment against the current implementation to determine system functions
C. Determine program ownership to implement compensating controls
D. Send a report to executive peers and business unit owners detailing your suspicions

Answer

A

Conduct a thorough risk assessment against the current implementation to determine system functions

Question 30

Q

Which is the BEST solution to monitor, measure, and report changes to critical data in a system?
A. Application logs
B. File integrity monitoring
C. SNMP traps
D. Syslog

Answer

A

File integrity monitoring

Question 31

Q

An IT auditor has recently discovered that because of a shortage of skilled operations personnel, the security administrator has agreed to work one late night shift a week as the senior computer operator. The most appropriate course of action for the IT auditor is to:
A. Inform senior management of the risk involved.
B. Agree to work with the security officer on these shifts as a form of preventative control.
C. Develop a computer assisted audit technique to detect instances of abuses of the arrangement.
D. Review the system log for each of the late night shifts to determine whether any irregular actions occurred

Answer

A

Inform senior management of the risk involved.

Question 32

Q

You work as a project manager for TYU project. You are planning for risk mitigation. You need to quickly identify high-level risks that will need a more in-depth analysis. Which of the following activities will help you in this?
A. Qualitative analysis
B. Quantitative analysis
C. Risk mitigation
D. Estimate activity duration

Answer

A

Qualitative analysis

Question 33

Q

An information security department is required to remediate system vulnerabilities when they are discovered. Please select the three primary remediation methods that can be used on an affected system.
A. Install software patch, Operate system, Maintain system
B. Discover software, Remove affected software, Apply software patch
C. Install software patch, configuration adjustment, Software Removal
D. Software removal, install software patch, maintain system

Answer

A

Install software patch, configuration adjustment, Software Removal

Question 34

Q

With respect to the audit management process, management response serves what function?
A. placing underperforming units on notice for failing to meet standards
B. determining whether or not resources will be allocated to remediate a finding
C. adding controls to ensure that proper oversight is achieved by management
D. revealing the root cause of the process failure and mitigating for all internal and external units

Answer

A

determining whether or not resources will be allocated to remediate a finding

Question 35

Q

Which of the following reports should you as an IT auditor use to check on compliance with a service level agreements requirement for uptime?
A. Systems logs
B. Hardware error reports
C. Utilization reports
D. Availability reports

Answer

A

Availability reports

Question 36

Q

The remediation of a specific audit finding is deemed too expensive and will not be implemented. Which of the following is a TRUE statement?
A. The asset is more expensive than the remediation
B. The audit finding is incorrect
C. The asset being protected is less valuable than the remediation costs
D. The remediation costs are irrelevant; it must be implemented regardless of cost.

Answer

A

The asset being protected is less valuable than the remediation costs

Question 37

Q

As the new CISO at the company you are reviewing the audit reporting process and notice that it includes only detailed technical diagrams. What else should be in the reporting process?
A. Executive summary
B. Penetration test agreement
C. Names and phone numbers of those who conducted the audit
D. Business charter

Answer

A

Executive summary

Question 38

Q

Control Objectives for Information and Related Technology (COBIT) is which of the following?
A. An Information Security audit standard
B. An audit guideline for certifying secure systems and controls
C. A framework for Information Technology management and governance
D. A set of international regulations for Information Technology governance

Answer

A

A framework for Information Technology management and governance

Question 39

Q

An audit was conducted and many critical applications were found to have no disaster recovery plans in place. You conduct a Business Impact Analysis (BIA) to determine impact to the company for each application. What should be the NEXT step?
A. Determine the annual loss expectancy (ALE)
B. Create a crisis management plan
C. Create technology recovery plans
D. Build a secondary hot site

Answer

A

Create technology recovery plans

Question 40

Q

Which of the following is a term related to risk management that represents the estimated frequency at which a threat is expected to transpire?
A. Single Loss Expectancy (SLE)
B. Exposure Factor (EF)
C. Annualized Rate of Occurrence (ARO)
D. Temporal Probability (TP)

Answer

A

Annualized Rate of Occurrence (ARO)

Question 41

Q

Which represents PROPER separation of duties in the corporate environment?
A. Information Security and Identity Access Management teams perform two distinct functions B. Developers and Network teams both have admin rights on servers
C. Finance has access to Human Resources data
D. Information Security and Network teams perform two distinct functions

Answer

A

Information Security and Network teams perform two distinct functions

Question 42

Q

Many times a CISO may have to speak to the Board of Directors (BOD) about their cyber security posture. What would be the BEST choice of security metrics to present to the BOD?
A. All vulnerabilities found on servers and desktops
B. Only critical and high vulnerabilities on servers and desktops
C. Only critical and high vulnerabilities that impact important production servers
D. All vulnerabilities that impact important production servers

Answer

A

Only critical and high vulnerabilities that impact important production servers

Question 43

Q

A new CISO just started with a company and on the CISO’s desk is the last complete Information Security Management audit report. The audit report is over two years old. After reading it, what should be the CISO’s FIRST priority?
A. Have internal audit conduct another audit to see what has changed.
B. Contract with an external audit company to conduct an unbiased audit
C. Review the recommendations and follow up to see if audit implemented the changes
D. Meet with audit team to determine a timeline for corrections

Answer

A

Review the recommendations and follow up to see if audit implemented the changes

Question 44

Q

IT control objectives are useful to IT auditors as they provide the basis for understanding the:
A. Desired results or purpose of implementing specific control procedures.
B. The audit control checklist.
C. Techniques for securing information.
D. Security policy

Answer

A

Desired results or purpose of implementing specific control procedures.

Question 45

Q

The regular review of a firewall ruleset is considered a
A. Procedural control
B. Organization control
C. Technical control
D. Management control

Answer

A

Procedural control

Question 46

Q

Which of the following is the PRIMARY purpose of International Organization for Standardization (ISO) 27001?
A. Use within an organization to formulate security requirements and objectives
B. Implementation of business-enabling information security
C. Use within an organization to ensure compliance with laws and regulations
D. To enable organizations that adopt it to obtain certifications

Answer

A

Implementation of business-enabling information security

Question 47

Q

An organization is required to implement background checks on all employees with access to databases containing credit card information. This is considered a security
A. Procedural control
B. Management control
C. Technical control
D. Administrative control

Answer

A

Management control

Question 48

Q

Dataflow diagrams are used by IT auditors to:
A. Order data hierarchically.
B. Highlight high-level data definitions.
C. Graphically summarize data paths and storage processes.
D. Portray step-by-step details of data generation.

Answer

A

Graphically summarize data paths and storage processes.

Question 49

Q

The BEST organization to provide a comprehensive, independent and certifiable perspective on established security controls in an environment is
A. Penetration testers
B. External Audit
C. Internal Audit
D. Forensic experts

Answer

A

External Audit

Question 50

Q

An employee successfully avoids becoming a victim of a sophisticated spear phishing attack due to knowledge gained through the corporate information security awareness program. What type of control has been effectively utilized?
A. Management Control
B. Technical Control
C. Training Control
D. Operational Control

Answer

A

Operational Control

Question 51

Q

Assigning the role and responsibility of Information Assurance to a dedicated and independent security group is an example of:
A. Detective Controls
B. Proactive Controls
C. Preemptive Controls
D. Organizational Controls

Answer

A

Organizational Controls

Question 52

Q

Which of the following is a fundamental component of an audit record?
A. Date and time of the event
B. Failure of the event
C. Originating IP-Address
D. Authentication type

Answer

A

Date and time of the event

Question 53

Q

As a new CISO at a large healthcare company you are told that everyone has to badge in
to get in the building. Below your office window you notice a door that is normally propped
open during the day for groups of people to take breaks outside. Upon looking closer you
see there is no badge reader. What should you do?
A. Nothing, this falls outside your area of influence.
B. Close and chain the door shut and send a company-wide memo banning the practice.
C. Have a risk assessment performed.
D. Post a guard at the door to maintain physical security

Answer

A

Have a risk assessment performed.

Question 54

Q

The amount of risk an organization is willing to accept in pursuit of its mission is known as
A. Risk mitigation
B. Risk transfer
C. Risk tolerance
D. Risk acceptance

Answer

A

Risk tolerance

Question 55

Q

A Chief Information Security Officer received a list of high, medium, and low impact audit
findings. Which of the following represents the BEST course of action?
A. If the findings impact regulatory compliance, try to apply remediation that will address the most findings for the least cost.
B. If the findings do not impact regulatory compliance, remediate only the high and medium risk findings.
C. If the findings impact regulatory compliance, remediate the high findings as quickly as possible.
D. If the findings do not impact regulatory compliance, review current security controls.

Answer

A

If the findings impact regulatory compliance, remediate the high findings as quickly as possible.

Question 56

Q

At which point should the identity access management team be notified of the termination of an employee?
A. At the end of the day once the employee is off site
B. During the monthly review cycle
C. Immediately so the employee account(s) can be disabled
D. Before an audit

Answer

A

Immediately so the employee account(s) can be disabled

Question 57

Q

Which of the following is the MOST important reason to measure the effectiveness of an Information Security Management System (ISMS)?
A. Meet regulatory compliance requirements
B. Better understand the threats and vulnerabilities affecting the environment
C. Better understand strengths and weaknesses of the program
D. Meet legal requirements

Answer

A

Better understand strengths and weaknesses of the program

Question 58

Q

Your IT auditor is reviewing significant events from the previous year and has identified some procedural oversights. Which of the following would be the MOST concerning?
A. Lack of notification to the public of disclosure of confidential information.
B. Lack of periodic examination of access rights
C. Failure to notify police of an attempted intrusion
D. Lack of reporting of a successful denial of service attack on the network.

Answer

A

Lack of notification to the public of disclosure of confidential information.

Question 59

Q

Which of the following are necessary to formulate responses to external audit findings?
A. Internal Audit, Management, and Technical Staff
B. Internal Audit, Budget Authority, Management
C. Technical Staff, Budget Authority, Management
D. Technical Staff, Internal Audit, Budget Authority

Answer

A

Technical Staff, Budget Authority, Management

Question 60

Q

Step-by-step procedures to regain normalcy in the event of a major earthquake is PRIMARILY covered by which of the following plans?
A. Incident response plan
B. Business Continuity plan
C. Disaster recovery plan
D. Damage control plan

Answer

A

Disaster recovery plan

Question 61

Q

Which International Organization for Standardization (ISO) below BEST describes the performance of risk management, and includes a five-stage risk management methodology.
A. ISO 27001
B. ISO 27002
C. ISO 27004
D. ISO 27005

Answer

A

ISO 27005

Question 62

Q

Which of the following activities results in change requests?
A. Preventive actions
B. Inspection
C. Defect repair
D. Corrective actions

Answer

A

Preventive actions

Question 63

Q

Which of the following is the MOST important goal of risk management?
A. Identifying the risk
B. Finding economic balance between the impact of the risk and the cost of the control
C. Identifying the victim of any potential exploits.
D. Assessing the impact of potential threats

Answer

A

Finding economic balance between the impact of the risk and the cost of the control

Question 64

Q

To have accurate and effective information security policies how often should the CISO review the organization policies?
A. Every 6 months
B. Quarterly
C. Before an audit
D. At least once a year

Answer

A

At least once a year

Answer 64

A

This represents a conflict of interest

Answer 65

A

Risk Management frameworks

Answer 66

A

Firewall, anti-virus console, IDS, syslog

Answer 67

A

Installing an appropriate fire suppression system in the data center

Answer 68

A

Supporting the concept of layered security

Answer 69

A

Senior Executives

Answer 70

A

Implementation of it eases an organization’s auditing and compliance burden

Answer 71

A

Residual Risk

Answer 72

A

The risk tolerance of the organization permits this risk

Answer 73

A

International Organization for Standardization 27001

Answer 74

A

Deploying multi-factor authentication so accounts are better protected.

Answer 75

A

Key risk indicators (KRI)

Answer 76

A

Reset passwords for suspected compromised accounts.

Answer 77

A

International Organization for Standardization (ISO) 27001.

Answer 78

A

Insurance cost

Brainscape's Knowledge GenomeTM

Domain 2 Flashcards

Brainscape's Knowledge Genome^TM