Domain 3 Flashcards

1
Q

Which of the following methods are used to define contractual obligations that force a vendor to meet customer expectations?
A. Terms and Conditions
B. Service Level Agreements (SLA)
C. Statement of Work
D. Key Performance Indicators (KPI)

A

Answer : Service Level Agreements (SLA)

2
Q

Which of the following represents the best method of ensuring business unit alignment with security program requirements?
A. Provide clear communication of security requirements throughout the organization
B. Demonstrate executive support with written mandates for security policy adherence
C. Create collaborative risk management approaches within the organization
D. Perform increased audits of security processes and procedures

A

Answer : Create collaborative risk management approaches within the organization

3
Q

Which of the following is MOST beneficial in determining an appropriate balance between uncontrolled innovation and excessive caution in an organization?
A. Define the risk appetite
B. Determine budget constraints
C. Review project charters
D. Collaborate security projects

A

Answer : Define the risk appetite

4
Q

A CISO has recently joined an organization with a poorly implemented security program.
The desire is to base the security program on a risk management approach. Which of the
following is a foundational requirement in order to initiate this type of program?
A. A security organization that is adequately staffed to apply required mitigation strategies and regulatory compliance solutions
B. A clear set of security policies and procedures that are more concept-based than controls-based
C. A complete inventory of Information Technology assets including infrastructure, networks, applications and data
D. A clearly identified executive sponsor who will champion the effort to ensure organizational buy-in

A

Answer : A clearly identified executive sponsor who will champion the effort to ensure organizational buy-in

5
Q

When selecting a security solution with recurring maintenance costs after the first year
(choose the BEST answer):
A. The CISO should cut other essential programs to ensure the new solution's continued use
B. Communicate future operating costs to the CIO/CFO and seek commitment from them to ensure the new solution's continued use
C. Defer selection until the market improves and cash flow is positive
D. Implement the solution and ask for the increased operating cost budget when it is time

A

Answer : Communicate future operating costs to the CIO/CFO and seek commitment from them to ensure the new solution's continued use

6
Q

An organization has a stated requirement to block certain traffic on networks. The
implementation of controls will disrupt a manufacturing process and cause unacceptable
delays, resulting in severe revenue disruptions. Which of the following is MOST likely to be
responsible for accepting the risk until mitigating controls can be implemented?
A. The CISO
B. Audit and Compliance
C. The CFO
D. The business owner

A

Answer : The business owner

7
Q

A CISO implements smart cards for credential management, and as a result has reduced
costs associated with help desk operations supporting password resets. This demonstrates
which of the following principles?
A. Security alignment to business goals
B. Regulatory compliance effectiveness
C. Increased security program presence
D. Proper organizational policy enforcement

A

Answer : Security alignment to business goals

8
Q

Knowing the potential financial loss an organization is willing to suffer if a system fails is a determination of which of the following?
A. Cost benefit
B. Risk appetite
C. Business continuity
D. Likelihood of impact

A

Answer : Risk appetite

9
Q

Risk appetite is typically determined by which of the following organizational functions?
A. Security
B. Business units
C. Board of Directors
D. Audit and compliance

A

Answer : Business units

10
Q

Which of the following can the company implement in order to avoid this type of security issue in the future?
A. Network based intrusion detection systems
B. A security training program for developers
C. A risk management process
D. An audit management process

A

Answer : A security training program for developers

11
Q

To get an Information Security project back on schedule, which of the following will provide the MOST help?
A. Upper management support
B. More frequent project milestone meetings
C. Stakeholder support
D. Extend work hours

A

Answer : Upper management support

12
Q

An application vulnerability assessment has identified a security flaw in an application. This is a flaw that was previously identified and remediated on a prior release of the application. Which of the following is MOST likely the reason for this recurring issue?
A. Ineffective configuration management controls
B. Lack of change management controls
C. Lack of version/source controls
D. High turnover in the application development department

A

Answer : Lack of version/source controls

13
Q

Which of the following best summarizes the primary goal of a security program?
A. Provide security reporting to all levels of an organization
B. Create effective security awareness to employees
C. Manage risk within the organization
D. Assure regulatory compliance

A

Answer : Manage risk within the organization

14
Q

An international organization is planning a project to implement encryption technologies to protect company confidential information. This organization has data centers on three continents. Which of the following would be considered a MAJOR constraint for the project?
A. Time zone differences
B. Compliance to local hiring laws
C. Encryption import/export regulations
D. Local customer privacy laws

A

Answer : Encryption import/export regulations

15
Q

When considering using a vendor to help support your security devices remotely, what is
the BEST choice for allowing access?
A. Vendor uses their own laptop and logs in with the same admin credentials your security team uses
B. Vendor uses a company supplied laptop and logs in using two factor authentication with the same admin credentials your security team uses
C. Vendor uses a company supplied laptop and logs in using two factor authentication with their own unique credentials
D. Vendor uses their own laptop and logs in using two factor authentication with their own unique credentials

A

Answer : Vendor uses a company supplied laptop and logs in using two factor authentication with their own unique credentials

16
Q

Your incident response plan should include which of the following?
A. Procedures for litigation
B. Procedures for reclamation
C. Procedures for classification
D. Procedures for charge-back

A

Answer : Procedures for classification

17
Q

Which one of the following BEST describes which member of the management team is
accountable for the day-to-day operation of the information security program?
A. Security administrators
B. Security managers
C. Security technicians
D. Security analysts

A

Answer : Security managers

18
Q

How often should the Statements of Standards for Attestation Engagements-16
(SSAE16)/International Standard on Assurance Engagements 3402 (ISAE3402) report of
your vendors be reviewed?
A. Quarterly
B. Semi-annually
C. Bi-annually
D. Annually

A

Answer : Annually

19
Q

A newly appointed security officer finds data leakage software licenses that had never been used. The officer decides to implement a project to ensure it gets installed, but the project gets a great deal of resistance across the organization. Which of the following represents the MOST likely reason for this situation?
A. The software license expiration is probably out of synchronization with other software licenses
B. The project was initiated without an effort to get support from impacted business units in the organization
C. The software is out of date and does not provide for a scalable solution across the enterprise
D. The security officer should allow time for the organization to get accustomed to her presence before initiating security projects

A

Answer : The project was initiated without an effort to get support from impacted business units in the organization

20
Q

A stakeholder is a person or group:
A. Vested in the success and/or failure of a project or initiative regardless of budget implications.
B. Vested in the success and/or failure of a project or initiative and is tied to the project budget.
C. That has budget authority.
D. That will ultimately use the system.

A

Answer : Vested in the success and/or failure of a project or initiative regardless of budget implications.

21
Q

As the CISO for your company you are accountable for the protection of information resources commensurate with:
A. Customer demand
B. Cost and time to replace
C. Insurability tables
D. Risk of exposure

A

Answer : Risk of exposure

22
Q

In an effort to save your company money, which of the following methods of training results in the lowest cost for the organization?
A. Distance learning/Web seminars
B. Formal Class
C. One-on-One Training
D. Self-Study (non computerized)

A

Answer : Self-Study (non computerized)

23
Q

A system was hardened at the Operating System level and placed into the production environment. Months later an audit was performed and it identified insecure configuration different from the original hardened state. Which of the following security issues is the MOST likely reason leading to the audit findings?
A. Lack of asset management processes
B. Lack of change management processes
C. Lack of hardening standards
D. Lack of proper access controls

A

Answer : Lack of change management processes

24
Q

Which of the following is a major benefit of applying risk levels?
A. Risk management governance becomes easier since most risks remain low once mitigated
B. Resources are not wasted on risks that are already managed to an acceptable level
C. Risk budgets are more easily managed due to fewer identified risks as a result of using a methodology
D. Risk appetite can increase within the organization once the levels are understood

A

Answer : Resources are not wasted on risks that are already managed to an acceptable level

25
Q

When entering into a third party vendor agreement for security services, at what point in the process is it BEST to understand and validate the security posture and compliance level of the vendor?
A. At the time the security services are being performed and the vendor needs access to the network
B. Once the agreement has been signed and the security vendor states that they will need access to the network
C. Once the vendor is on premise and before they perform security services
D. Prior to signing the agreement and before any security services are being performed

A

Answer : Prior to signing the agreement and before any security services are being performed

26
Q

Which of the following is considered a project versus a managed process?
A. monitoring external and internal environment during incident response
B. ongoing risk assessments of routine operations
C. continuous vulnerability assessment and vulnerability repair
D. installation of a new firewall system

A

Answer : installation of a new firewall system

27
Q

When should IT security project management be outsourced?
A. When organizational resources are limited
B. When the benefits of outsourcing outweigh the inherent risks of outsourcing
C. On new, enterprise-wide security initiatives
D. On projects not forecasted in the yearly budget

A

Answer : When the benefits of outsourcing outweigh the inherent risks of outsourcing

28
Q

Which of the following is considered one of the most frequent failures in project management?
A. Overly restrictive management
B. Excessive personnel on project
C. Failure to meet project deadlines
D. Insufficient resources

A

Answer : Failure to meet project deadlines

29
Q

You currently cannot provide for 24/7 coverage of your security monitoring and incident response duties and your company is resistant to the idea of adding more full-time employees to the payroll. Which combination of solutions would help to provide the coverage needed without the addition of more dedicated staff? (choose the best answer):
A. Deploy a SIEM solution and have current staff review incidents first thing in the morning
B. Contract with a managed security provider and have current staff on recall for incident response
C. Configure your syslog to send SMS messages to current staff when target events are triggered
D. Employ an assumption of breach protocol and defend only essential information resources

A

Answer : Contract with a managed security provider and have current staff on recall for incident response

30
Q

When managing the critical path of an IT security project, which of the following is MOST important?
A. Knowing who all the stakeholders are.
B. Knowing the people on the data center team.
C. Knowing the threats to the organization.
D. Knowing the milestones and timelines of deliverables.

A

Answer : Knowing the milestones and timelines of deliverables.

31
Q

The ultimate goal of an IT security project is:
A. Increase stock value
B. Complete security
C. Support business requirements
D. Implement information security policies

A

Answer : Support business requirements

32
Q

Information Security is often considered an excessive, after-the-fact cost when a project or initiative is completed. What can be done to ensure that security is addressed cost effectively?
A. User awareness training for all employees
B. Installation of new firewalls and intrusion detection systems
C. Launch an internal awareness campaign
D. Integrate security requirements into project inception

A

Answer : Integrate security requirements into project inception

33
Q

A severe security threat has been detected on your corporate network. As CISO you
quickly assemble key members of the Information Technology team and business
operations to determine a modification to security controls in response to the threat. This is
an example of:
A. Change management
B. Business continuity planning
C. Security Incident Response
D. Thought leadership

A

Answer : Security Incident Response

34
Q

Which of the following represents the BEST method of ensuring security program
alignment to business needs?
A. Create a comprehensive security awareness program and provide success metrics to business units
B. Create security consortiums, such as strategic security planning groups, that include business unit participation
C. Ensure security implementations include business unit testing and functional validation prior to production rollout
D. Ensure the organization has strong executive-level security representation through clear sponsorship or the creation of a CISO role

A

Answer : Create security consortiums, such as strategic security planning groups, that include business unit participation

35
Q

The company decides to release the application without remediating the high-risk
vulnerabilities. Which of the following is the MOST likely reason for the company to release
the application?
A. The company lacks a risk management process
B. The company does not believe the security vulnerabilities to be real
C. The company has a high risk tolerance
D. The company lacks the tools to perform a vulnerability assessment

A

Answer : The company has a high risk tolerance

36
Q

When operating under severe budget constraints a CISO will have to be creative to maintain a strong security organization. Which example below is the MOST creative way to maintain a strong security posture during these difficult times?
A. Download open source security tools and deploy them on your production network
B. Download trial versions of commercially available security tools and deploy on your production network
C. Download open source security tools from a trusted site, test, and then deploy on production network
D. Download security tools from a trusted source and deploy to production network

A

Answer : Download open source security tools from a trusted site, test, and then deploy on production network

37
Q

A department within your company has proposed a third party vendor solution to address an urgent, critical business need. As the CISO you have been asked to accelerate
screening of their security control claims. Which of the following vendor provided documents is BEST to make your decision:
A. Vendor’s client list of reputable organizations currently using their solution
B. Vendor provided attestation of the detailed security controls from a reputable accounting firm
C. Vendor provided reference from an existing reputable client detailing their implementation
D. Vendor provided internal risk assessment and security control documentation

A

Answer : Vendor provided attestation of the detailed security controls from a reputable accounting firm

38
Q

Which of the following functions implements and oversees the use of controls to reduce risk when creating an information security program?
A. Risk Assessment
B. Incident Response
C. Risk Management
D. Network Security administration

A

Answer : Risk Management

39
Q

A CISO decides to analyze the IT infrastructure to ensure security solutions adhere to the concepts of how hardware and software is implemented and managed within the organization. Which of the following principles does this best demonstrate?
A. Alignment with the business
B. Effective use of existing technologies
C. Leveraging existing implementations
D. Proper budget management

A

Answer : Alignment with the business

40
Q

Which of the following will be MOST helpful for getting an Information Security project that
is behind schedule back on schedule?
A. Upper management support
B. More frequent project milestone meetings
C. More training of staff members
D. Involve internal audit

A

Answer : Upper management support

41
Q

When gathering security requirements for an automated business process improvement
program, which of the following is MOST important?
A. Type of data contained in the process/system
B. Type of connection/protocol used to transfer the data
C. Type of encryption required for the data once it is at rest
D. Type of computer the data is processed on

A

Answer : Type of data contained in the process/system

42
Q

The Security Operations Center (SOC) just purchased a new intrusion prevention system
(IPS) that needs to be deployed in-line for best defense. The IT group is concerned about
putting the new IPS in-line because it might negatively impact network availability. What
would be the BEST approach for the CISO to reassure the IT group?
A. Work with the IT group and tell them to put the IPS in-line and say it won't cause any network impact
B. Explain to the IT group that the IPS won't cause any network impact because it will fail open
C. Explain to the IT group that this is a business need and the IPS will fail open; however, if there is a network failure the CISO will accept responsibility
D. Explain to the IT group that the IPS will fail open once in-line; however, it will be deployed in monitor mode for a set period of time to ensure that it doesn't block any legitimate traffic

A

Answer : Explain to the IT group that the IPS will fail open once in-line; however, it will be deployed in monitor mode for a set period of time to ensure that it doesn't block any legitimate traffic

43
Q

Which of the following information may be found in tabletop exercises for incident
response?
A. Security budget augmentation
B. Process improvements
C. Real-time to remediate
D. Security control selection

A

Answer : Process improvements

44
Q

A CISO decides to analyze the IT infrastructure to ensure security solutions adhere to the
concepts of how hardware and software is implemented and managed within the
organization. Which of the following principles does this best demonstrate?
A. Alignment with the business
B. Effective use of existing technologies
C. Leveraging existing implementations
D. Proper budget management

A

Answer : Alignment with the business

45
Q

A person in your security team calls you at night and informs you that one of your web
applications is potentially under attack from a cross-site scripting vulnerability. What do you do?
A. tell him to shut down the server
B. tell him to call the police
C. tell him to invoke the incident response process
D. tell him to analyze the problem, preserve the evidence and provide a full analysis and report

A

Answer : tell him to invoke the incident response process

46
Q

When is an application security development project complete?
A. When the application is retired.
B. When the application is turned over to production.
C. When the application reaches the maintenance phase.
D. After one year.

A

Answer : When the application is retired.

47
Q

Which of the following functions evaluates patches used to close software vulnerabilities of new systems to assure compliance with policy when implementing an information security program?
A. System testing
B. Risk assessment
C. Incident response
D. Planning

A

Answer : System testing

48
Q

Which of the following is the MOST important component of any change management process?
A. Scheduling
B. Back-out procedures
C. Outage planning
D. Management approval

A

Answer : Management approval

49
Q

The security team has investigated the theft/loss of several unencrypted laptop computers containing sensitive corporate information. To prevent the loss of any additional corporate data it is unilaterally decided by the CISO that all existing and future laptop computers will
be encrypted. Soon, the help desk is flooded with complaints about the slow performance of the laptops and users are upset. What did the CISO do wrong? (choose the BEST answer):
A. Failed to identify all stakeholders and their needs
B. Deployed the encryption solution in an inadequate manner
C. Used 1024 bit encryption when 256 bit would have sufficed
D. Used hardware encryption instead of software encryption

A

Answer : Failed to identify all stakeholders and their needs

50
Q

You are the CISO of a commercial social media organization. The leadership wants to rapidly create new methods of sharing customer data through creative linkages with mobile devices. You have voiced concern about privacy regulations but the velocity of the business is given priority. Which of the following BEST describes this organization?
A. Risk averse
B. Risk tolerant
C. Risk conditional
D. Risk minimal

A

Answer : Risk tolerant

51
Q

An example of professional unethical behavior is:
A. Gaining access to an affiliated employee's work email account as part of an officially sanctioned internal investigation
B. Sharing copyrighted material with other members of a professional organization where all members have legitimate access to the material
C. Copying documents from an employer's server which you assert that you have an intellectual property claim to possess, but the company disputes
D. Storing client lists and other sensitive corporate internal documents on a removable thumb drive

A

Answer : Copying documents from an employer's server which you assert that you have an intellectual property claim to possess, but the company disputes

52
Q

Which of the following represents the BEST method for obtaining business unit acceptance
of security controls within an organization?
A. Allow the business units to decide which controls apply to their systems, such as the encryption of sensitive data
B. Create separate controls for the business units based on the types of business and functions they perform
C. Ensure business units are involved in the creation of controls and defining conditions under which they must be applied
D. Provide the business units with control mandates and schedules of audits for compliance validation

A

Answer : Ensure business units are involved in the creation of controls and defining conditions under which they must be applied

53
Q

You manage a newly created Security Operations Center (SOC); your team is being
inundated with security alerts and doesn't know what to do. What is the BEST approach to
handle this situation?
A. Tell the team to do their best and respond to each alert
B. Tune the sensors to help reduce false positives so the team can react better
C. Request additional resources to handle the workload
D. Tell the team to only respond to the critical and high alerts

A

Answer : Tune the sensors to help reduce false positives so the team can react better

54
Q

The organization does not have the time to remediate the vulnerability; however it is critical to release the application. Which of the following needs to be further evaluated to help mitigate the risks?
A. Provide developer security training
B. Deploy Intrusion Detection Systems
C. Provide security testing tools
D. Implement Compensating Controls

A

Answer : Implement Compensating Controls

55
Q

Which business stakeholder is accountable for the integrity of a new information system?
A. CISO
B. Compliance Officer
C. Project manager
D. Board of directors

A

Answer : CISO

56
Q

In order for a CISO to have true situational awareness there is a need to deploy technology that can give a real-time view of security events across the enterprise. Which tool selection represents the BEST choice to achieve situational awareness?
A. VMware, router, switch, firewall, syslog, vulnerability management system (VMS)
B. Intrusion Detection System (IDS), firewall, switch, syslog
C. Security Incident Event Management (SIEM), IDS, router, syslog
D. SIEM, IDS, firewall, VMS

A

Answer : SIEM, IDS, firewall, VMS

57
Q

How often should the SSAE16 report of your vendors be reviewed?
A. Quarterly
B. Semi-annually
C. Annually
D. Bi-annually

A

Answer : Annually

58
Q

Which of the following are not stakeholders of IT security projects?
A. Board of directors
B. Third party vendors
C. CISO
D. Help Desk

A

Answer : Third party vendors

59
Q

Which of the following is the BEST indicator of a successful project?
A. it is completed on time or early as compared to the baseline project plan
B. it meets most of the specifications as outlined in the approved project definition
C. it comes in at or below the expenditures planned for in the baseline budget
D. the deliverables are accepted by the key stakeholders

A

Answer : the deliverables are accepted by the key stakeholders

60
Q

A recommended method to document the respective roles of groups and individuals for a
given process is to:
A. Develop a detailed internal organization chart
B. Develop a telephone call tree for emergency response
C. Develop an isolinear response matrix with cost benefit analysis projections
D. Develop a Responsible, Accountable, Consulted, Informed (RACI) chart

A

Answer : Develop a Responsible, Accountable, Consulted, Informed (RACI) chart

61
Q

What oversight should the information security team have in the change management
process for application security?
A. Information security should be informed of changes to applications only
B. Development team should tell the information security team about any application security flaws
C. Information security should be aware of any significant application security changes and work with developer to test for vulnerabilities before changes are deployed in production
D. Information security should be aware of all application changes and work with developers before changes are deployed in production

A

Answer : Information security should be aware of any significant application security changes and work with developer to test for vulnerabilities before changes are deployed in production

62
Q

A CISO sees abnormally high volumes of exceptions to security requirements and constant pressure from business units to change security processes. Which of the following represents the MOST LIKELY cause of this situation?
A. Poor audit support for the security program
B. A lack of executive presence within the security program
C. Poor alignment of the security program to business needs
D. This is normal since business units typically resist security requirements

A

Answer : Poor alignment of the security program to business needs

63
Q

Which of the following is critical in creating a security program aligned with an
organization's goals?
A. Ensure security budgets enable technical acquisition and resource allocation based on internal compliance requirements
B. Develop a culture in which users, managers and IT professionals all make good decisions about information risk
C. Provide clear communication of security program support requirements and audit schedules
D. Create security awareness programs that include clear definition of security program goals and charters

A

Answer : Develop a culture in which users, managers and IT professionals all make good decisions about information risk

64
Q

Your company has a "no right to privacy" notice on all logon screens for your information systems, and users sign an Acceptable Use Policy informing them of this condition. A peer group member and friend comes to you and requests access to one of her employees' email accounts. What should you do? (choose the BEST answer):
A. Grant her access, the employee has been adequately warned through the AUP.
B. Assist her with the request, but only after her supervisor signs off on the action.
C. Reset the employee’s password and give it to the supervisor.
D. Deny the request citing national privacy laws.

A

Answer : Assist her with the request, but only after her supervisor signs off on the action.

65
Q

Which of the following methodologies references the recommended industry standard that Information security project managers should follow?
A. The Security Systems Development Life Cycle
B. The Security Project And Management Methodology
C. Project Management System Methodology
D. Project Management Body of Knowledge

A

Answer : Project Management Body of Knowledge

66
Q

This occurs when the quantity or quality of project deliverables is expanded from the
original project plan.
A. Scope creep
B. Deadline extension
C. Scope modification
D. Deliverable expansion

A

Answer : Scope creep

67
Q

Acme Inc. has engaged a third party vendor to provide 99.999% up-time for their online
web presence and had them contractually agree to this service level agreement. What type
of risk tolerance is Acme exhibiting? (choose the BEST answer):
A. low risk-tolerance
B. high risk-tolerance
C. moderate risk-tolerance
D. medium-high risk-tolerance

A

Answer : low risk-tolerance

68
Q

Which of the following functions evaluates risk present in IT initiatives and/or systems when implementing an information security program?
A. Risk Management
B. Risk Assessment
C. System Testing
D. Vulnerability Assessment

A

Answer : Risk Assessment