Domain 2 Flashcards
Which of the following is considered to be an IT governance framework and a supporting toolset that allows for managers to bridge the gap between control requirements, technical issues, and business risks?
A. Control Objective for Information Technology (COBIT)
B. Committee of Sponsoring Organizations (COSO)
C. Payment Card Industry (PCI)
D. Information Technology Infrastructure Library (ITIL)
Control Objective for Information Technology (COBIT)
Which of the following are primary concerns for management with regard to assessing internal control objectives?
A. Confidentiality, Availability, Integrity
B. Compliance, Effectiveness, Efficiency
C. Communication, Reliability, Cost
D. Confidentiality, Compliance, Cost
Compliance, Effectiveness, Efficiency
Which of the following activities must be completed BEFORE you can calculate risk?
A. Determining the likelihood that vulnerable systems will be attacked by specific threats
B. Calculating the risks to which assets are exposed in their current setting
C. Assigning a value to each information asset
D. Assessing the relative risk facing the organization’s information assets
Assigning a value to each information asset
Which of the following set of processes is considered to be one of the cornerstone cycles of the International Organization for Standardization (ISO) 27001 standard?
A. Plan-Check-Do-Act
B. Plan-Do-Check-Act
C. Plan-Select-Implement-Evaluate
D. SCORE (Security Consensus Operational Readiness Evaluation)
Plan-Do-Check-Act
Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?
A. A substantive test of program library controls
B. A compliance test of program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls
A compliance test of program library controls
The effectiveness of an audit is measured by?
A. The number of actionable items in the recommendations
B. How it exposes the risk tolerance of the company
C. How the recommendations directly support the goals of the company
D. The number of security controls the company has in use
How the recommendations directly support the goals of the company
Which of the following is the MOST effective way to measure the effectiveness of security controls on a perimeter network?
A. Perform a vulnerability scan of the network
B. External penetration testing by a qualified third party
C. Internal Firewall ruleset reviews
D. Implement network intrusion prevention systems
External penetration testing by a qualified third party
In MOST organizations which group periodically reviews network intrusion detection system logs for all systems as part of their daily tasks?
A. Internal Audit
B. Database Administration
C. Information Security
D. Compliance
Information Security
When measuring the effectiveness of an Information Security Management System which
one of the following would be MOST LIKELY used as a metric framework?
A. ISO 27001
B. PRINCE2
C. ISO 27004
D. ITILv3
ISO 27004
Which of the following organizations is typically in charge of validating the implementation and effectiveness of security controls?
A. Security Administrators
B. Internal/External Audit
C. Risk Management
D. Security Operations
Internal/External Audit
The mean time to patch, number of virus outbreaks prevented, and number of vulnerabilities mitigated are examples of what type of performance metrics?
A. Risk metrics
B. Management metrics
C. Operational metrics
D. Compliance metrics
Operational metrics
You have implemented the new controls. What is the next step?
A. Document the process for the stakeholders
B. Monitor the effectiveness of the controls
C. Update the audit findings report
D. Perform a risk assessment
Monitor the effectiveness of the controls
Creating a secondary authentication process for network access would be an example of?
A. Nonlinearities in physical security performance metrics
B. Defense in depth cost enumerated costs
C. System hardening and patching requirements
D. Anti-virus for mobile devices
Nonlinearities in physical security performance metrics
A missing/ineffective security control is identified. Which of the following should be the NEXT step?
A. Perform an audit to measure the control formally
B. Escalate the issue to the IT organization
C. Perform a risk assessment to measure risk
D. Establish Key Risk Indicators
Perform a risk assessment to measure risk
An organization has implemented a change management process for all changes to the IT production environment. This change management process follows best practices and is expected to help stabilize the availability and integrity of the organizations IT environment. Which of the following can be used to measure the effectiveness of this newly implemented process:
A. Number of change orders rejected
B. Number and length of planned outages
C. Number of unplanned outages
D. Number of change orders processed
Number of unplanned outages
Which of the following is a benefit of a risk-based approach to audit planning?
A. Resources are allocated to the areas of the highest concern
B. Scheduling may be performed months in advance
C. Budgets are more likely to be met by the IT audit staff
D. Staff will be exposed to a variety of technologies
Resources are allocated to the areas of the highest concern
When a CISO considers delaying or not remediating system vulnerabilities, which of the following are MOST important to take into account?
A. Threat Level, Risk of Compromise, and Consequences of Compromise
B. Risk Avoidance, Threat Level, and Consequences of Compromise
C. Risk Transfer, Reputational Impact, and Consequences of Compromise
D. Reputational Impact, Financial Impact, and Risk of Compromise
Threat Level, Risk of Compromise, and Consequences of Compromise
When you develop your audit remediation plan what is the MOST important criteria?
A. To remediate half of the findings before the next audit.
B. To remediate all of the findings before the next audit.
C. To validate that the cost of the remediation is less than the risk of the finding.
D. To validate the remediation process with the auditor.
To validate that the cost of the remediation is less than the risk of the finding.
The implementation of anti-malware and anti-phishing controls on centralized email servers is an example of what type of security control?
A. Organization control
B. Procedural control
C. Management control
D. Technical control
Technical control
The effectiveness of social engineering penetration testing using phishing can be used as a Key Performance Indicator (KPI) for the effectiveness of an organizations
A. Risk Management Program.
B. Anti-Spam controls.
C. Security Awareness Program.
D. Identity and Access Management Program.
Security Awareness Program.
Which of the following activities is the MAIN purpose of the risk assessment process?
A. Creating an inventory of information assets
B. Classifying and organizing information assets into meaningful groups
C. Assigning value to each information asset
D. Calculating the risks to which assets are exposed in their current setting
Calculating the risks to which assets are exposed in their current setting
Which of the following best represents a calculation for Annual Loss Expectancy (ALE)?
A. Single loss expectancy multiplied by the annual rate of occurrence
B. Total loss expectancy multiplied by the total loss frequency
C. Value of the asset multiplied by the loss expectancy
D. Replacement cost multiplied by the single loss expectancy
Single loss expectancy multiplied by the annual rate of occurrence
You are the Chief Information Security Officer of a large, multinational bank and you suspect there is a flaw in a two factor authentication token management process. Which of the following represents your BEST course of action?
A. Validate that security awareness program content includes information about the potential vulnerability
B. Conduct a thorough risk assessment against the current implementation to determine system functions
C. Determine program ownership to implement compensating controls
D. Send a report to executive peers and business unit owners detailing your suspicions
Conduct a thorough risk assessment against the current implementation to determine system functions
Which is the BEST solution to monitor, measure, and report changes to critical data in a system?
A. Application logs
B. File integrity monitoring
C. SNMP traps
D. Syslog
File integrity monitoring
An IT auditor has recently discovered that because of a shortage of skilled operations personnel, the security administrator has agreed to work one late night shift a week as the senior computer operator. The most appropriate course of action for the IT auditor is to:
A. Inform senior management of the risk involved.
B. Agree to work with the security officer on these shifts as a form of preventative control.
C. Develop a computer assisted audit technique to detect instances of abuses of the arrangement.
D. Review the system log for each of the late night shifts to determine whether any irregular actions occurred
Inform senior management of the risk involved.
An information security department is required to remediate system vulnerabilities when they are discovered. Please select the three primary remediation methods that can be used on an affected system.
A. Install software patch, Operate system, Maintain system
B. Discover software, Remove affected software, Apply software patch
C. Install software patch, configuration adjustment, Software Removal
D. Software removal, install software patch, maintain system
Install software patch, configuration adjustment, Software Removal
With respect to the audit management process, management response serves what function?
A. placing underperforming units on notice for failing to meet standards
B. determining whether or not resources will be allocated to remediate a finding
C. adding controls to ensure that proper oversight is achieved by management
D. revealing the root cause of the process failure and mitigating for all internal and external units
determining whether or not resources will be allocated to remediate a finding
Which of the following reports should you as an IT auditor use to check on compliance with a service level agreements requirement for uptime?
A. Systems logs
B. Hardware error reports
C. Utilization reports
D. Availability reports
Availability reports
The remediation of a specific audit finding is deemed too expensive and will not be implemented. Which of the following is a TRUE statement?
A. The asset is more expensive than the remediation
B. The audit finding is incorrect
C. The asset being protected is less valuable than the remediation costs
D. The remediation costs are irrelevant; it must be implemented regardless of cost.
The asset being protected is less valuable than the remediation costs
As the new CISO at the company you are reviewing the audit reporting process and notice that it includes only detailed technical diagrams. What else should be in the reporting process?
A. Executive summary
B. Penetration test agreement
C. Names and phone numbers of those who conducted the audit
D. Business charter
Executive summary
Control Objectives for Information and Related Technology (COBIT) is which of the following?
A. An Information Security audit standard
B. An audit guideline for certifying secure systems and controls
C. A framework for Information Technology management and governance
D. A set of international regulations for Information Technology governance
A framework for Information Technology management and governance
Which represents PROPER separation of duties in the corporate environment?
A. Information Security and Identity Access Management teams perform two distinct functions B. Developers and Network teams both have admin rights on servers
C. Finance has access to Human Resources data
D. Information Security and Network teams perform two distinct functions
Information Security and Network teams perform two distinct functions
Many times a CISO may have to speak to the Board of Directors (BOD) about their cyber security posture. What would be the BEST choice of security metrics to present to the BOD?
A. All vulnerabilities found on servers and desktops
B. Only critical and high vulnerabilities on servers and desktops
C. Only critical and high vulnerabilities that impact important production servers
D. All vulnerabilities that impact important production servers
Only critical and high vulnerabilities that impact important production servers
A new CISO just started with a company and on the CISO’s desk is the last complete Information Security Management audit report. The audit report is over two years old. After reading it, what should be the CISO’s FIRST priority?
A. Have internal audit conduct another audit to see what has changed.
B. Contract with an external audit company to conduct an unbiased audit
C. Review the recommendations and follow up to see if audit implemented the changes
D. Meet with audit team to determine a timeline for corrections
Review the recommendations and follow up to see if audit implemented the changes
IT control objectives are useful to IT auditors as they provide the basis for understanding the:
A. Desired results or purpose of implementing specific control procedures.
B. The audit control checklist.
C. Techniques for securing information.
D. Security policy
Desired results or purpose of implementing specific control procedures.
The regular review of a firewall ruleset is considered a
A. Procedural control
B. Organization control
C. Technical control
D. Management control
Procedural control
Which of the following is the PRIMARY purpose of International Organization for Standardization (ISO) 27001?
A. Use within an organization to formulate security requirements and objectives
B. Implementation of business-enabling information security
C. Use within an organization to ensure compliance with laws and regulations
D. To enable organizations that adopt it to obtain certifications
Implementation of business-enabling information security
An organization is required to implement background checks on all employees with access to databases containing credit card information. This is considered a security
A. Procedural control
B. Management control
C. Technical control
D. Administrative control
Management control
Dataflow diagrams are used by IT auditors to:
A. Order data hierarchically.
B. Highlight high-level data definitions.
C. Graphically summarize data paths and storage processes.
D. Portray step-by-step details of data generation.
Graphically summarize data paths and storage processes.
The BEST organization to provide a comprehensive, independent and certifiable perspective on established security controls in an environment is
A. Penetration testers
B. External Audit
C. Internal Audit
D. Forensic experts
External Audit
An employee successfully avoids becoming a victim of a sophisticated spear phishing attack due to knowledge gained through the corporate information security awareness program. What type of control has been effectively utilized?
A. Management Control
B. Technical Control
C. Training Control
D. Operational Control
Operational Control
Assigning the role and responsibility of Information Assurance to a dedicated and independent security group is an example of:
A. Detective Controls
B. Proactive Controls
C. Preemptive Controls
D. Organizational Controls
Organizational Controls
Which of the following is a fundamental component of an audit record?
A. Date and time of the event
B. Failure of the event
C. Originating IP-Address
D. Authentication type
Date and time of the event
As a new CISO at a large healthcare company you are told that everyone has to badge in
to get in the building. Below your office window you notice a door that is normally propped
open during the day for groups of people to take breaks outside. Upon looking closer you
see there is no badge reader. What should you do?
A. Nothing, this falls outside your area of influence.
B. Close and chain the door shut and send a company-wide memo banning the practice.
C. Have a risk assessment performed.
D. Post a guard at the door to maintain physical security
Have a risk assessment performed.
The amount of risk an organization is willing to accept in pursuit of its mission is known as
A. Risk mitigation
B. Risk transfer
C. Risk tolerance
D. Risk acceptance
Risk tolerance
At which point should the identity access management team be notified of the termination of an employee?
A. At the end of the day once the employee is off site
B. During the monthly review cycle
C. Immediately so the employee account(s) can be disabled
D. Before an audit
Immediately so the employee account(s) can be disabled
Which of the following is the MOST important reason to measure the effectiveness of an Information Security Management System (ISMS)?
A. Meet regulatory compliance requirements
B. Better understand the threats and vulnerabilities affecting the environment
C. Better understand strengths and weaknesses of the program
D. Meet legal requirements
Better understand strengths and weaknesses of the program
Your IT auditor is reviewing significant events from the previous year and has identified some procedural oversights. Which of the following would be the MOST concerning?
A. Lack of notification to the public of disclosure of confidential information.
B. Lack of periodic examination of access rights
C. Failure to notify police of an attempted intrusion
D. Lack of reporting of a successful denial of service attack on the network.
Lack of notification to the public of disclosure of confidential information.
Which of the following are necessary to formulate responses to external audit findings?
A. Internal Audit, Management, and Technical Staff
B. Internal Audit, Budget Authority, Management
C. Technical Staff, Budget Authority, Management
D. Technical Staff, Internal Audit, Budget Authority
Technical Staff, Budget Authority, Management
Step-by-step procedures to regain normalcy in the event of a major earthquake is PRIMARILY covered by which of the following plans?
A. Incident response plan
B. Business Continuity plan
C. Disaster recovery plan
D. Damage control plan
Disaster recovery plan
Which International Organization for Standardization (ISO) below BEST describes the performance of risk management, and includes a five-stage risk management methodology.
A. ISO 27001
B. ISO 27002
C. ISO 27004
D. ISO 27005
ISO 27005
Which of the following activities results in change requests?
A. Preventive actions
B. Inspection
C. Defect repair
D. Corrective actions
Preventive actions
Which of the following is the MOST important goal of risk management?
A. Identifying the risk
B. Finding economic balance between the impact of the risk and the cost of the control
C. Identifying the victim of any potential exploits.
D. Assessing the impact of potential threats
Finding economic balance between the impact of the risk and the cost of the control
The CIO of an organization has decided to assign the responsibility of internal IT audit to the IT team. This is consider a bad practice MAINLY because
A. The IT team is not familiar in IT audit practices
B. This represents a bad implementation of the Least Privilege principle
C. This represents a conflict of interest
D. The IT team is not certified to perform audits
This represents a conflict of interest
The patching and monitoring of systems on a consistent schedule is required by?
A. Local privacy laws
B. Industry best practices
C. Risk Management frameworks
D. Audit best practices
Risk Management frameworks
Creating good security metrics is essential for a CISO. What would be the BEST sources for creating security metrics for baseline defenses coverage?
A. Servers, routers, switches, modem
B. Firewall, exchange, web server, intrusion detection system (IDS)
C. Firewall, anti-virus console, IDS, syslog
D. IDS, syslog, router, switches
Firewall, anti-virus console, IDS, syslog
Creating a secondary authentication process for network access would be an example of?
A. An administrator with too much time on their hands.
B. Putting undue time commitment on the system administrator.
C. Supporting the concept of layered security
D. Network segmentation.
Supporting the concept of layered security
Providing oversight of a comprehensive information security program for the entire organization is the primary responsibility of which group under the InfoSec governance framework?
A. Senior Executives
B. Office of the Auditor
C. Office of the General Counsel
D. All employees and users
Senior Executives
How often should an environment be monitored for cyber threats, risks, and exposures?
A. Weekly
B. Monthly
C. Quarterly
D. Daily
Daily
Which of the following represents the BEST reason for an organization to use the Control Objectives for Information and Related Technology (COBIT) as an Information Technology (IT) framework?
A. It allows executives to more effectively monitor IT implementation costs
B. Implementation of it eases an organization’s auditing and compliance burden
C. Information Security (IS) procedures often require augmentation with other standards
D. It provides for a consistent and repeatable staffing model for technology organizations
Implementation of it eases an organization’s auditing and compliance burden
The risk found after a control has been fully implemented is called:
A. Residual Risk
B. Total Risk
C. Post implementation risk
D. Transferred risk
Residual Risk
A recent audit has identified a few control exceptions and is recommending the implementation of technology and processes to address the finding. Which of the following is the MOST likely reason for the organization to reject the implementation of the recommended technology and processes?
A. The auditors have not followed proper auditing processes
B. The CIO of the organization disagrees with the finding
C. The risk tolerance of the organization permits this risk
D. The organization has purchased cyber insurance
The risk tolerance of the organization permits this risk
Which of the following BEST describes an international standard framework that is based on the security model Information Technology Code of Practice for Information Security Management?
A. International Organization for Standardization 27001
B. National Institute of Standards and Technology Special Publication SP 800-12
C. Request For Comment 2196
D. National Institute of Standards and Technology Special Publication SP 800-26
International Organization for Standardization 27001
An effective method for reducing the impact of credential theft is:
Deploying multi-factor authentication so accounts are better protected.
Metrics capable of demonstrating that an organization is susceptible to, or has a high probability of being susceptible to, a risk that exceeds the acceptable risk appetite are known as:
Key risk indicators (KRI)
A primary consideration when selecting to transfer risk as a risk treatment option is which of the following?
Insurance cost
The Information Technology Infrastructure Library Version 4 (ITIL® 4) Information Security Management Practice is based on which standard?
International Organization for Standardization (ISO) 27001.
Your information-security program is technically well provisioned; however, you observe employee data and financial information exposed through compromised account credentials. From the choices provided, what should you do FIRST to minimize this threat?
Reset passwords for suspected compromised accounts.
Which of the following illustrates an operational control process:
A. Classifying an information system as part of a risk assessment
B. Installing an appropriate fire suppression system in the data center
C. Conducting an audit of the configuration management process
D. Establishing procurement standards for cloud vendors
Installing an appropriate fire suppression system in the data center
To have accurate and effective information security policies how often should the CISO review the organization policies?
A. Every 6 months
B. Quarterly
C. Before an audit
D. At least once a year
At least once a year
A Chief Information Security Officer received a list of high, medium, and low impact audit
findings. Which of the following represents the BEST course of action?
A. If the findings impact regulatory compliance, try to apply remediation that will address the most findings for the least cost.
B. If the findings do not impact regulatory compliance, remediate only the high and medium risk findings.
C. If the findings impact regulatory compliance, remediate the high findings as quickly as possible.
D. If the findings do not impact regulatory compliance, review current security controls.
If the findings impact regulatory compliance, remediate the high findings as quickly as possible.
Which of the following is a term related to risk management that represents the estimated frequency at which a threat is expected to transpire?
A. Single Loss Expectancy (SLE)
B. Exposure Factor (EF)
C. Annualized Rate of Occurrence (ARO)
D. Temporal Probability (TP)
Annualized Rate of Occurrence (ARO)
An audit was conducted and many critical applications were found to have no disaster recovery plans in place. You conduct a Business Impact Analysis (BIA) to determine impact to the company for each application. What should be the NEXT step?
A. Determine the annual loss expectancy (ALE)
B. Create a crisis management plan
C. Create technology recovery plans
D. Build a secondary hot site
Create technology recovery plans
You work as a project manager for TYU project. You are planning for risk mitigation. You need to quickly identify high-level risks that will need a more in-depth analysis. Which of the following activities will help you in this?
A. Qualitative analysis
B. Quantitative analysis
C. Risk mitigation
D. Estimate activity duration
Qualitative analysis
When a critical vulnerability has been discovered on production systems and needs to be fixed immediately, what is the BEST approach for a CISO to mitigate the vulnerability under tight budget constraints?
A. Transfer financial resources from other critical programs
B. Take the system off line until the budget is available
C. Deploy countermeasures and compensating controls until the budget is available
D. Schedule an emergency meeting and request the funding to fix the issue
Deploy countermeasures and compensating controls until the budget is available
During the course of a risk analysis your IT auditor identified threats and potential impacts. Next, your IT auditor should:
A. Identify and evaluate the existing controls.
B. Disclose the threats and impacts to management.
C. Identify information assets and the underlying systems.
D. Identify and assess the risk assessment process used by management.
Identify and evaluate the existing controls.
The executive board has requested that the CISO of an organization define and Key Performance Indicators (KPI) to measure the effectiveness of the security awareness program provided to call center employees. Which of the following can be used as a KPI?
A. Number of callers who report security issues.
B. Number of callers who report a lack of customer service from the call center
C. Number of successful social engineering attempts on the call center
D. Number of callers who abandon the call before speaking with a representative
Number of successful social engineering attempts on the call center
When working in the Payment Card Industry (PCI), how often should security logs be review to comply with the standards?
A. Daily
B. Hourly
C. Weekly
D. Monthly
Daily
The MOST common method to get an unbiased measurement of the effectiveness of an Information Security Management System (ISMS) is to
A. assign the responsibility to the information security team.
B. assign the responsibility to the team responsible for the management of the controls.
C. create operational reports on the effectiveness of the controls.
D. perform an independent audit of the security controls.
perform an independent audit of the security controls.
Which of the following best describes the purpose of the International Organization for
Standardization (ISO) 27002 standard?
A. To give information security management recommendations to those who are responsible for initiating, implementing, or maintaining security in their organization.
B. To provide a common basis for developing organizational security standards
C. To provide effective security management practice and to provide confidence in inter- organizational dealings
D. To established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization
To established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization
