Domain 3 Flashcards
Which of the following methods are used to define contractual obligations that force a vendor to meet customer expectations?
A. Terms and Conditions
B. Service Level Agreements (SLA)
C. Statement of Work
D. Key Performance Indicators (KPI)
Answer : Service Level Agreements (SLA)
Which of the following represents the best method of ensuring business unit alignment with security program requirements?
A. Provide clear communication of security requirements throughout the organization
B. Demonstrate executive support with written mandates for security policy adherence
C. Create collaborative risk management approaches within the organization
D. Perform increased audits of security processes and procedures
Answer : Create collaborative risk management approaches within the organization
Which of the following is MOST beneficial in determining an appropriate balance between uncontrolled innovation and excessive caution in an organization?
A. Define the risk appetite
B. Determine budget constraints
C. Review project charters
D. Collaborate security projects
Answer : Define the risk appetite
A CISO has recently joined an organization with a poorly implemented security program. The desire is to base the security program on a risk management approach. Which of the following is a foundational requirement in order to initiate this type of program?
A. A security organization that is adequately staffed to apply required mitigation strategies and regulatory compliance solutions
B. A clear set of security policies and procedures that are more concept-based than controls-based
C. A complete inventory of Information Technology assets including infrastructure, networks, applications and data
D. A clearly identified executive sponsor who will champion the effort to ensure organizational buy-in
Answer : A clearly identified executive sponsor who will champion the effort to ensure organizational buy-in
When selecting a security solution with recurring maintenance costs after the first year (choose the BEST answer):
A. The CISO should cut other essential programs to ensure the new solution's continued use
B. Communicate future operating costs to the CIO/CFO and seek commitment from them to ensure the new solution's continued use
C. Defer selection until the market improves and cash flow is positive
D. Implement the solution and ask for the increased operating cost budget when it is time
Answer : Communicate future operating costs to the CIO/CFO and seek commitment from them to ensure the new solution's continued use
An organization has a stated requirement to block certain traffic on networks. The implementation of controls will disrupt a manufacturing process and cause unacceptable delays, resulting in severe revenue disruptions. Which of the following is MOST likely to be responsible for accepting the risk until mitigating controls can be implemented?
A. The CISO
B. Audit and Compliance
C. The CFO
D. The business owner
Answer : The business owner
A CISO implements smart cards for credential management, and as a result has reduced costs associated with help desk operations supporting password resets. This demonstrates which of the following principles?
A. Security alignment to business goals
B. Regulatory compliance effectiveness
C. Increased security program presence
D. Proper organizational policy enforcement
Answer : Security alignment to business goals
Knowing the potential financial loss an organization is willing to suffer if a system fails is a determination of which of the following?
A. Cost benefit
B. Risk appetite
C. Business continuity
D. Likelihood of impact
Answer : Risk appetite
Risk appetite is typically determined by which of the following organizational functions?
A. Security
B. Business units
C. Board of Directors
D. Audit and compliance
Answer : Business units
Which of the following can the company implement in order to avoid this type of security issue in the future?
A. Network based intrusion detection systems
B. A security training program for developers
C. A risk management process
D. An audit management process
Answer : A security training program for developers
To get an Information Security project back on schedule, which of the following will provide the MOST help?
A. Upper management support
B. More frequent project milestone meetings
C. Stakeholder support
D. Extend work hours
Answer : Upper management support
An application vulnerability assessment has identified a security flaw in an application. This is a flaw that was previously identified and remediated on a prior release of the application. Which of the following is MOST likely the reason for this recurring issue?
A. Ineffective configuration management controls
B. Lack of change management controls
C. Lack of version/source controls
D. High turnover in the application development department
Answer : Lack of version/source controls
Which of the following best summarizes the primary goal of a security program?
A. Provide security reporting to all levels of an organization
B. Create effective security awareness to employees
C. Manage risk within the organization
D. Assure regulatory compliance
Answer : Manage risk within the organization
An international organization is planning a project to implement encryption technologies to protect company confidential information. This organization has data centers on three continents. Which of the following would be considered a MAJOR constraint for the project?
A. Time zone differences
B. Compliance to local hiring laws
C. Encryption import/export regulations
D. Local customer privacy laws
Answer : Encryption import/export regulations
When considering using a vendor to help support your security devices remotely, what is the BEST choice for allowing access?
A. Vendor uses their own laptop and logs in with the same admin credentials your security team uses
B. Vendor uses a company-supplied laptop and logs in using two-factor authentication with the same admin credentials your security team uses
C. Vendor uses a company-supplied laptop and logs in using two-factor authentication with their own unique credentials
D. Vendor uses their own laptop and logs in using two-factor authentication with their own unique credentials
Answer : Vendor uses a company-supplied laptop and logs in using two-factor authentication with their own unique credentials
Your incident response plan should include which of the following?
A. Procedures for litigation
B. Procedures for reclamation
C. Procedures for classification
D. Procedures for charge-back
Answer : Procedures for classification
Which one of the following BEST describes which member of the management team is accountable for the day-to-day operation of the information security program?
A. Security administrators
B. Security managers
C. Security technicians
D. Security analysts
Answer : Security managers
How often should the Statements of Standards for Attestation Engagements-16 (SSAE16)/International Standard on Assurance Engagements 3402 (ISAE3402) report of your vendors be reviewed?
A. Quarterly
B. Semi-annually
C. Bi-annually
D. Annually
Answer : Annually
A newly appointed security officer finds data leakage software licenses that had never been used. The officer decides to implement a project to ensure it gets installed, but the project gets a great deal of resistance across the organization. Which of the following represents the MOST likely reason for this situation?
A. The software license expiration is probably out of synchronization with other software licenses
B. The project was initiated without an effort to get support from impacted business units in the organization
C. The software is out of date and does not provide for a scalable solution across the enterprise
D. The security officer should allow time for the organization to get accustomed to her presence before initiating security projects
Answer : The project was initiated without an effort to get support from impacted business units in the organization
A stakeholder is a person or group:
A. Vested in the success and/or failure of a project or initiative regardless of budget implications.
B. Vested in the success and/or failure of a project or initiative and is tied to the project budget.
C. That has budget authority.
D. That will ultimately use the system.
Answer : Vested in the success and/or failure of a project or initiative regardless of budget implications.
As the CISO for your company you are accountable for the protection of information resources commensurate with:
A. Customer demand
B. Cost and time to replace
C. Insurability tables
D. Risk of exposure
Answer : Risk of exposure
In an effort to save your company money, which of the following methods of training results in the lowest cost for the organization?
A. Distance learning/Web seminars
B. Formal Class
C. One-on-One Training
D. Self-Study (non-computerized)
Answer : Self-Study (non-computerized)
A system was hardened at the Operating System level and placed into the production environment. Months later an audit was performed and it identified insecure configuration different from the original hardened state. Which of the following security issues is the MOST likely reason leading to the audit findings?
A. Lack of asset management processes
B. Lack of change management processes
C. Lack of hardening standards
D. Lack of proper access controls
Answer : Lack of change management processes
Which of the following is a major benefit of applying risk levels?
A. Risk management governance becomes easier since most risks remain low once mitigated
B. Resources are not wasted on risks that are already managed to an acceptable level
C. Risk budgets are more easily managed due to fewer identified risks as a result of using a methodology
D. Risk appetite can increase within the organization once the levels are understood
Answer : Resources are not wasted on risks that are already managed to an acceptable level
When entering into a third party vendor agreement for security services, at what point in the process is it BEST to understand and validate the security posture and compliance level of the vendor?
A. At the time the security services are being performed and the vendor needs access to the network
B. Once the agreement has been signed and the security vendor states that they will need access to the network
C. Once the vendor is on premise and before they perform security services
D. Prior to signing the agreement and before any security services are being performed
Answer : Prior to signing the agreement and before any security services are being performed
Which of the following is considered a project versus a managed process?
A. monitoring external and internal environment during incident response
B. ongoing risk assessments of routine operations
C. continuous vulnerability assessment and vulnerability repair
D. installation of a new firewall system
Answer : installation of a new firewall system
When should IT security project management be outsourced?
A. When organizational resources are limited
B. When the benefits of outsourcing outweigh the inherent risks of outsourcing
C. On new, enterprise-wide security initiatives
D. On projects not forecasted in the yearly budget
Answer : When the benefits of outsourcing outweigh the inherent risks of outsourcing