Domain 5 Flashcards

1
Q

Scenario: Your corporate systems have been under constant probing and attack from foreign IP addresses for more than a week. Your security team and security infrastructure have performed well under the stress. You are confident that your defenses have held up under the test, but rumors are spreading that sensitive customer data has been stolen and is now being sold on the Internet by criminal elements. During your investigation of the rumored compromise you discover that data has been breached and you have discovered the repository of stolen data on a server located in a foreign country. Your team now has full access to the data on the foreign server.

Your defenses did not hold up to the test as originally thought. As you investigate how the data was compromised through log analysis you discover that a hardworking, but misguided business intelligence analyst posted the data to an obfuscated URL on a popular cloud storage service so they could work on it from home during their off-time. Which technology or solution could you deploy to prevent employees from removing corporate data from your network? Choose the BEST answer.
A. Security Guards posted outside the Data Center
B. Data Loss Prevention (DLP)
C. Rigorous syslog reviews
D. Intrusion Detection Systems (IDS)

A

Data Loss Prevention (DLP)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years.

Which of the following would be the FIRST step when addressing Information Security formally and consistently in this organization?
A. Contract a third party to perform a security risk assessment
B. Define formal roles and responsibilities for Internal audit functions
C. Define formal roles and responsibilities for Information Security
D. Create an executive security steering committee

A

Define formal roles and responsibilities for Information Security

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

The rate of change in technology increases the importance of:
A. Outsourcing the IT functions.
B. Understanding user requirements.
C. Hiring personnel with leading edge skills.
D. Implementing and enforcing good processes.

A

Implementing and enforcing good processes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

When analyzing and forecasting a capital expense budget what are not included?
A. Network connectivity costs
B. New datacenter to operate from
C. Upgrade of mainframe
D. Purchase of new mobile devices to improve operations

A

Network connectivity costs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.

You have identified potential solutions for all of your risks that do not have security controls. What is the NEXT step?
A. Get approval from the board of directors
B. Screen potential vendor solutions
C. Verify that the cost of mitigation is less than the risk
D. Create a risk metrics for all unmitigated risks

A

Verify that the cost of mitigation is less than the risk

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.

The CISO has implemented remediation activities. Which of the following is the MOST logical next step?
A. Validate the effectiveness of applied controls
B. Validate security program resource requirements
C. Report the audit findings and remediation status to business stake holders
D. Review security procedures to determine if they need modified according to findings

A

Validate the effectiveness of applied controls

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.

When adjusting the controls to mitigate the risks, how often should the CISO perform an audit to verify the controls?
A. Annually
B. Semi-annually
C. Quarterly
D. Never

A

Never

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

SCENARIO: Critical servers show signs of erratic behavior within your organizations intranet. Initial information indicates the systems are under attack from an outside entity. As the Chief Information Security Officer (CISO), you decide to deploy the Incident Response Team (IRT) to determine the details of this incident and take action according to the information available to the team.

What phase of the response provides measures to reduce the likelihood of an incident from recurring?
A. Response
B. Investigation
C. Recovery
D. Follow-up

A

Follow Up

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years.

The organization has already been subject to a significant amount of credit card fraud. Which of the following is the MOST likely reason for this fraud?
A. Lack of compliance to the Payment Card Industry (PCI) standards
B. Ineffective security awareness program
C. Security practices not in alignment with ISO 27000 frameworks
D. Lack of technical controls when dealing with credit card data

A

Lack of compliance to the Payment Card Industry (PCI) standards

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

When analyzing and forecasting an operating expense budget what are not included?
A. Software and hardware license fees
B. Utilities and power costs
C. Network connectivity costs
D. New datacenter to operate from

A

New datacenter to operate from

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the
organizational VPN.

Once supervisors and data owners have approved requests, information system administrators will implement
A. Technical control(s)
B. Management control(s)
C. Policy control(s)
D. Operational control(s)

A

Technical control(s)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

When updating the security strategic planning document what two items must be included?
A. Alignment with the business goals and the vision of the CIO
B. The risk tolerance of the company and the company mission statement
C. The executive summary and vision of the board of directors
D. The alignment with the business goals and the risk tolerance

A

The alignment with the business goals and the risk tolerance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Scenario: You are the CISO and are required to brief the C-level executive team on your information security audit for the year. During your review of the audit findings you discover that many of the controls that were put in place the previous year to correct some of the findings are not performing as needed. You have thirty days until the briefing. To formulate a remediation plan for the non-performing controls what other document do you need to review before adjusting the controls?
A. Business Impact Analysis
B. Business Continuity plan
C. Security roadmap
D. Annual report to shareholders

A

Business Impact Analysis

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

The ability to demand the implementation and management of security controls on third parties providing services to an organization is
A. Security Governance
B. Compliance management
C. Vendor management
D. Disaster recovery

A

Vendor management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

John is the project manager for a large project in his organization. A new change request has been proposed that will affect several areas of the project. One area of the project change impact is on work that a vendor has already completed. The vendor is refusing to make the changes as theyve already completed the project work they were contracted to do. What can John do in this instance?
A. Refer the vendor to the Service Level Agreement (SLA) and insist that they make the changes.
B. Review the Request for Proposal (RFP) for guidance.
C. Withhold the vendor’s payments until the issue is resolved.
D. Refer to the contract agreement for direction.

A

Refer to the contract agreement for direction.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

The process to evaluate the technical and non-technical security controls of an IT system to validate that a given design and implementation meet a specific set of security requirements is called
A. Security certification
B. Security system analysis
C. Security accreditation
D. Alignment with business practices and goals.

A

Security certification

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

The total cost of security controls should:
A. Be equal to the value of the information resource being protected
B. Be greater than the value of the information resource being protected
C. Be less than the value of the information resource being protected
D. Should not matter, as long as the information resource is protected

A

Be less than the value of the information resource being protected

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

When creating contractual agreements and procurement processes why should security requirements be included?
A. To make sure they are added on after the process is completed
B. To make sure the costs of security is included and understood
C. To make sure the security process aligns with the vendor’s security process
D. To make sure the patching process is included with the costs

A

To make sure the costs of security is included and understood

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

A system is designed to dynamically block offending Internet IP-addresses from requesting services from a secure website. This type of control is considered
A. Zero-day attack mitigation
B. Preventive detection control
C. Corrective security control
D. Dynamic blocking control

A

Corrective security control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Your company has limited resources to spend on security initiatives. The Chief Financial Officer asks you to prioritize the protection of information resources based on their value to the company. It is essential that you be able to communicate in language that your fellow executives will understand. You should:
A. Create timelines for mitigation
B. Develop a cost-benefit analysis
C. Calculate annual loss expectancy
D. Create a detailed technical executive summary

A

Develop a cost-benefit analysis

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years.

This global retail company is expected to accept credit card payments. Which of the following is of MOST concern when defining a security program for this organization?
A. International encryption restrictions
B. Compliance to Payment Card Industry (PCI) data security standards
C. Compliance with local government privacy laws
D. Adherence to local data breach notification laws

A

Compliance to Payment Card Industry (PCI) data security standards

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Annual Loss Expectancy is derived from the function of which two factors?
A. Annual Rate of Occurrence and Asset Value
B. Single Loss Expectancy and Exposure Factor
C. Safeguard Value and Annual Rate of Occurrence
D. Annual Rate of Occurrence and Single Loss Expectancy

A

Annual Rate of Occurrence and Single Loss Expectancy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What is the primary reason for performing vendor management?
A. To understand the risk coverage that are being mitigated by the vendor
B. To establish a vendor selection process
C. To document the relationship between the company and the vendor
D. To define the partnership for long-term success

A

To understand the risk coverage that are being mitigated by the vendor

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Scenario: An organization has recently appointed a CISO. This is a new role in the organization and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security centric agenda. Which of the following is the reason the CISO has not been able to advance the security agenda in this organization?
A. Lack of identification of technology stake holders
B. Lack of business continuity process
C. Lack of influence with leaders outside IT
D. Lack of a security awareness program

A

Lack of influence with leaders outside IT

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.

The CISO has validated audit findings, determined if compensating controls exist, and started initial remediation planning. Which of the following is the MOST logical next step?
A. Validate the effectiveness of current controls
B. Create detailed remediation funding and staffing plans
C. Report the audit findings and remediation status to business stake holders
D. Review security procedures to determine if they need modified according to findings

A

Report the audit findings and remediation status to business stake holders

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Scenario: As you begin to develop the program for your organization, you assess the
corporate culture and determine that there is a pervasive opinion that the security program
only slows things down and limits the performance of the real workers.
What must you do first in order to shift the prevailing opinion and reshape corporate culture
to understand the value of information security to the organization?
A. Cite compliance with laws, statutes, and regulations explaining the financial implications for the company for non-compliance
B. Understand the business and focus your efforts on enabling operations securely
C. Draw from your experience and recount stories of how other companies have been compromised
D. Cite corporate policy and insist on compliance with audit findings

A

Understand the business and focus your efforts on enabling operations securely

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

The newly appointed CISO of an organization is reviewing the IT security strategic plan.
Which of the following is the MOST important component of the strategic plan?
A. There is integration between IT security and business staffing.
B. There is a clear definition of the IT security mission and vision.
C. There is an auditing methodology in place.
D. The plan requires return on investment for all security projects.

A

There is a clear definition of the IT security mission and vision.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

The new CISO was informed of all the Information Security projects that the organization
has in progress. Two projects are over a year behind schedule and over budget. Using best
business practices for project management you determine that the project correctly aligns
with the company goals.

Which of the following needs to be performed NEXT?
A. Verify the scope of the project
B. Verify the regulatory requirements
C. Verify technical resources
D. Verify capacity constraints

A

Verify technical resources

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Scenario: An organization has recently appointed a CISO. This is a new role in the
organization and it signals the increasing need to address security consistently at the
enterprise level. This new CISO, while confident with skills and experience, is constantly on
the defensive and is unable to advance the IT security centric agenda.
From an Information Security Leadership perspective, which of the following is a MAJOR
concern about the CISOs approach to security?
A. Lack of risk management process
B. Lack of sponsorship from executive management
C. IT security centric agenda
D. Compliance centric agenda

A

IT security centric agenda

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

You are just hired as the new CISO and are being briefed on all the Information Security projects that your section has on going. You discover that most projects are behind schedule and over budget.

Using the best business practices for project management you determine that the project correctly aligns with the company goals and the scope of the project is correct. What is the NEXT step?
A. Review time schedules
B. Verify budget
C. Verify resources
D. Verify constraints

A

Verify resources

30
Q

You are just hired as the new CISO and are being briefed on all the Information Security projects that your section has on going. You discover that most projects are behind schedule and over budget.

Using the best business practices for project management you determine that the project correct aligns with the company goals. What needs to be verified FIRST?
A. Scope of the project
B. Training of the personnel on the project
C. Timeline of the project milestones
D. Vendor for the project

A

Scope of the project

31
Q

Which of the following conditions would be the MOST probable reason for a security project to be rejected by the executive board of an organization?
A. The Net Present Value (NPV) of the project is positive
B. The NPV of the project is negative
C. The Return on Investment (ROI) is larger than 10 months
D. The ROI is lower than 10 months

A

The NPV of the project is negative

32
Q

SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.

After determining the audit findings are accurate, which of the following is the MOST logical next activity?
A. Begin initial gap remediation analyses
B. Review the security organization’s charter
C. Validate gaps with the Information Technology team
D. Create a briefing of the findings for executive management

A

Begin initial gap remediation analyses

33
Q

Scenario: The new CISO was informed of all the Information Security projects that the section has in progress. Two projects are over a year behind schedule and way over budget.
Using the best business practices for project management, you determine that the project correctly aligns with the organization goals. What should be verified next?
A. Scope
B. Budget
C. Resources
D. Constraints

A

Scope

34
Q

SCENARIO: A CISO has several two-factor authentication systems under review and selects the one that is most sufficient and least costly. The implementation project planning is completed and the teams are ready to implement the solution. The CISO then discovers that the product it is not as scalable as originally thought and will not fit the organizations needs.
The CISO is unsure of the information provided and orders a vendor proof of concept to validate the systems scalability. This demonstrates which of the following?
A. An approach that allows for minimum budget impact if the solution is unsuitable
B. A methodology-based approach to ensure authentication mechanism functions
C. An approach providing minimum time impact to the implementation schedules
D. A risk-based approach to determine if the solution is suitable for investment

A

A risk-based approach to determine if the solution is suitable for investment

35
Q

SCENARIO: A CISO has several two-factor authentication systems under review and selects the one that is most sufficient and least costly. The implementation project planning is completed and the teams are ready to implement the solution. The CISO then discovers
that the product it is not as scalable as originally thought and will not fit the organizations
needs.

What is the MOST logical course of action the CISO should take?
A. Review the original solution set to determine if another system would fit the organizations risk appetite and budget regulatory compliance requirements
B. Continue with the implementation and submit change requests to the vendor in order to ensure required functionality will be provided when needed
C. Continue with the project until the scalability issue is validated by others, such as an auditor or third party assessor
D. Cancel the project if the business need was based on internal requirements versus regulatory compliance requirements

A

Review the original solution set to determine if another system would fit the organizations risk appetite and budget regulatory compliance requirements

36
Q

Involvement of senior management is MOST important in the development of:
A. IT security implementation plans.
B. Standards and guidelines.
C. IT security policies.
D. IT security procedures.

A

IT security policies.

37
Q

Scenario: Your organization employs single sign-on (user name and password only) as a
convenience to your employees to access organizational systems and data. Permission to
individual systems and databases is vetted and approved through supervisors and data
owners to ensure that only approved personnel can use particular applications or retrieve
information. All employees have access to their own human resource information, including
the ability to change their bank routing and account information and other personal details
through the Employee Self-Service application. All employees have access to the
organizational VPN.
The organization wants a more permanent solution to the threat to user credential
compromise through phishing. What technical solution would BEST address this issue?
A. Professional user education on phishing conducted by a reputable vendor
B. Multi-factor authentication employing hard tokens
C. Forcing password changes every 90 days
D. Decreasing the number of employees with administrator privileges

A

Multi-factor authentication employing hard tokens

38
Q

Access Control lists (ACLs), Firewalls, and Intrusion Prevention Systems are examples of
A. Network based security preventative controls
B. Software segmentation controls
C. Network based security detective controls
D. User segmentation controls

A

Network based security preventative controls

39
Q

What is the BEST reason for having a formal request for proposal process?
A. Creates a timeline for purchasing and budgeting
B. Allows small companies to compete with larger companies
C. Clearly identifies risks and benefits before funding is spent
D. Informs suppliers a company is going to make a purchase

A

Clearly identifies risks and benefits before funding is spent

40
Q

Which of the following is MOST useful when developing a business case for security initiatives?
A. Budget forecasts
B. Request for proposals
C. Cost/benefit analysis
D. Vendor management

A

Cost/benefit analysis

41
Q

Scenario: You are the newly hired Chief Information Security Officer for a company that has not previously had a senior level security practitioner. The company lacks a defined security policy and framework for their Information Security Program. Your new boss, the Chief Financial Officer, has asked you to draft an outline of a security policy and recommend an industry/sector neutral information security control framework for implementation.
Which of the following industry / sector neutral information security control frameworks should you recommend for implementation?
A. National Institute of Standards and Technology (NIST) Special Publication 800-53
B. Payment Card Industry Digital Security Standard (PCI DSS)
C. International Organization for Standardization – ISO 27001/2
D. British Standard 7799 (BS7799)

A

International Organization for Standardization – ISO 27001/2

42
Q

Scenario: Your organization employs single sign-on (user name and password only) as a
convenience to your employees to access organizational systems and data. Permission to
individual systems and databases is vetted and approved through supervisors and data
owners to ensure that only approved personnel can use particular applications or retrieve

information. All employees have access to their own human resource information, including
the ability to change their bank routing and account information and other personal details
through the Employee Self-Service application. All employees have access to the
organizational VPN.
What type of control is being implemented by supervisors and data owners?
A. Management
B. Operational
C. Technical
D. Administrative

A

Operational

43
Q

Acceptable levels of information security risk tolerance in an organization should be
determined by?
A. Corporate legal counsel
B. CISO with reference to the company goals
C. CEO and board of director
D. Corporate compliance committee

A

CEO and board of director

44
Q

What is the primary reason for performing a return on investment analysis?
A. To decide between multiple vendors
B. To decide is the solution costs less than the risk it is mitigating
C. To determine the current present value of a project
D. To determine the annual rate of loss

A

To decide is the solution costs less than the risk it is mitigating

45
Q

Which of the following provides an independent assessment of a vendors internal security
controls and overall posture?
A. Alignment with business goals
B. ISO27000 accreditation
C. PCI attestation of compliance
D. Financial statements

A

ISO27000 accreditation

46
Q

Scenario: You are the CISO and have just completed your first risk assessment for your
organization. You find many risks with no security controls, and some risks with inadequate
controls. You assign work to your staff to create or adjust existing security controls to
ensure they are adequate for risk mitigation needs.
When formulating the remediation plan, what is a required input?
A. Board of directors
B. Risk assessment
C. Patching history
D. Latest virus definitions file

A

Risk assessment

47
Q

Which of the following is considered the foundation for the Enterprise Information Security
Architecture (EISA)?
A. Security regulations
B. Asset classification
C. Information security policy
D. Data classification

A

Information security policy

48
Q

Scenario: Your company has many encrypted telecommunications links for their world-wide
operations. Physically distributing symmetric keys to all locations has proven to be
administratively burdensome, but symmetric keys are preferred to other alternatives.
Symmetric encryption in general is preferable to asymmetric encryption when:
A. The number of unique communication links is large
B. The volume of data being transmitted is small
C. The speed of the encryption / deciphering process is essential
D. The distance to the end node is farthest away

A

The speed of the encryption / deciphering process is essential

49
Q

The Annualized Loss Expectancy (Before) minus Annualized Loss Expectancy (After)
minus Annual Safeguard Cost is the formula for determining:
A. Safeguard Value
B. Cost Benefit Analysis
C. Single Loss Expectancy
D. Life Cycle Loss Expectancy

A

Cost Benefit Analysis

50
Q

Scenario: As you begin to develop the program for your organization, you assess the
corporate culture and determine that there is a pervasive opinion that the security program
only slows things down and limits the performance of the real workers.
Which group of people should be consulted when developing your security program?
A. Peers
B. End Users
C. Executive Management
D. All of the above

A

All of the above

51
Q

Scenario: Most industries require compliance with multiple government regulations and/or
industry standards to meet data protection and privacy mandates.
What is one proven method to account for common elements found within separate
regulations and/or standards?
A. Hire a GRC expert
B. Use the Find function of your word processor
C. Design your program to meet the strictest government standards
D. Develop a crosswalk

A

Develop a crosswalk

52
Q

SCENARIO: A CISO has several two-factor authentication systems under review and
selects the one that is most sufficient and least costly. The implementation project planning
is completed and the teams are ready to implement the solution. The CISO then discovers
that the product it is not as scalable as originally thought and will not fit the organizations
needs.

The CISO discovers the scalability issue will only impact a small number of network
segments. What is the next logical step to ensure the proper application of risk
management methodology within the two-facto implementation project?
A. Create new use cases for operational use of the solution
B. Determine if sufficient mitigating controls can be applied
C. Decide to accept the risk on behalf of the impacted business units
D. Report the deficiency to the audit team and create process exceptions

A

Determine if sufficient mitigating controls can be applied

53
Q

Scenario: Your program is developed around minimizing risk to information by focusing on
people, technology, and operations.
You have decided to deal with risk to information from people first. How can you minimize
risk to your most sensitive information before granting access?
A. Conduct background checks on individuals before hiring them
B. Develop an Information Security Awareness program
C. Monitor employee browsing and surfing habits
D. Set your firewall permissions aggressively and monitor logs regularly.

A

Conduct background checks on individuals before hiring them

54
Q

SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct
an audit of the security program. Internal policies and international standards were used as
audit baselines. The audit report was presented to the CISO and a variety of high, medium
and low rated gaps were identified.
Which of the following is the FIRST action the CISO will perform after receiving the audit
report?
A. Inform peer executives of the audit results
B. Validate gaps and accept or dispute the audit findings
C. Create remediation plans to address program gaps
D. Determine if security policies and procedures are adequate

A

Validate gaps and accept or dispute the audit findings

55
Q

Scenario: Most industries require compliance with multiple government regulations and/or
industry standards to meet data protection and privacy mandates.
When multiple regulations or standards apply to your industry you should set controls to
meet the:
A. Easiest regulation or standard to implement
B. Stricter regulation or standard
C. Most complex standard to implement
D. Recommendations of your Legal Staff

A

Easiest regulation or standard to implement

56
Q

File Integrity Monitoring (FIM) is considered a
A. Network based security preventative control
B. Software segmentation control
C. Security detective control
D. User segmentation control

A

Security detective control

57
Q

Human resource planning for security professionals in your organization is a:
A. Simple and easy task because the threats are getting easier to find and correct.
B. Training requirement that is met through once every year user training.
C. Training requirement that is on-going and always changing.
D. Not needed because automation and anti-virus software has eliminated the threats.

A

Training requirement that is on-going and always changing.

58
Q

The formal certification and accreditation process has four primary steps, what are they?
A. Evaluating, describing, testing and authorizing
B. Evaluating, purchasing, testing, authorizing
C. Auditing, documenting, verifying, certifying
D. Discovery, testing, authorizing, certifying

A

Evaluating, describing, testing and authorizing

59
Q

SCENARIO: Critical servers show signs of erratic behavior within your organizations
intranet. Initial information indicates the systems are under attack from an outside entity. As
the Chief Information Security Officer (CISO), you decide to deploy the Incident Response
Team (IRT) to determine the details of this incident and take action according to the
information available to the team.
In what phase of the response will the team extract information from the affected systems
without altering original data?
A. Response
B. Investigation
C. Recovery
D. Follow-up

A

Investigation

60
Q

SCENARIO: Critical servers show signs of erratic behavior within your organizations
intranet. Initial information indicates the systems are under attack from an outside entity. As
the Chief Information Security Officer (CISO), you decide to deploy the Incident Response
Team (IRT) to determine the details of this incident and take action according to the
information available to the team.

During initial investigation, the team suspects criminal activity but cannot initially prove or
disprove illegal actions. What is the MOST critical aspect of the teams activities?
A. Regular communication of incident status to executives
B. Eradication of malware and system restoration
C. Determination of the attack source
D. Preservation of information

A

Preservation of information

61
Q

Scenario: Your corporate systems have been under constant probing and attack from
foreign IP addresses for more than a week. Your security team and security infrastructure
have performed well under the stress. You are confident that your defenses have held up
under the test, but rumors are spreading that sensitive customer data has been stolen and
is now being sold on the Internet by criminal elements. During your investigation of the
rumored compromise you discover that data has been breached and you have discovered
the repository of stolen data on a server located in a foreign country. Your team now has
full access to the data on the foreign server.
What action should you take FIRST?
A. Destroy the repository of stolen data
B. Contact your local law enforcement agency
C. Consult with other C-Level executives to develop an action plan
D. Contract with a credit reporting company for paid monitoring services for affected customers

A

Consult with other C-Level executives to develop an action plan

62
Q

When dealing with risk, the information security practitioner may choose to:
A. assign
B. transfer
C. acknowledge
D. defer

A

acknowledge

63
Q

Scenario: An organization has recently appointed a CISO. This is a new role in the
organization and it signals the increasing need to address security consistently at the
enterprise level. This new CISO, while confident with skills and experience, is constantly on
the defensive and is unable to advance the IT security centric agenda.
The CISO has been able to implement a number of technical controls and is able to
influence the Information Technology teams but has not been able to influence the rest of
the organization. From an organizational perspective, which of the following is the LIKELY
reason for this?
A. The CISO does not report directly to the CEO of the organization
B. The CISO reports to the IT organization
C. The CISO has not implemented a policy management framework
D. The CISO has not implemented a security awareness program

A

The CISO reports to the IT organization

64
Q

As the CISO you need to write the IT security strategic plan. Which of the following is the
MOST important to review before you start writing the plan?
A. The existing IT environment.
B. The company business plan.
C. The present IT budget.
D. Other corporate technology trends.

A

The company business plan.

65
Q

Scenario: The new CISO was informed of all the Information Security projects that the
section has in progress. Two projects are over a year behind schedule and way over
budget.
Which of the following will be most helpful for getting an Information Security project that is
behind schedule back on schedule?
A. Upper management support
B. More frequent project milestone meetings
C. More training of staff members
D. Involve internal audit

A

Upper management support

66
Q

Scenario: Your company has many encrypted telecommunications links for their world-wide
operations. Physically distributing symmetric keys to all locations has proven to be
administratively burdensome, but symmetric keys are preferred to other alternatives.
How can you reduce the administrative burden of distributing symmetric keys for your
employer?
A. Use asymmetric encryption for the automated distribution of the symmetric key
B. Use a self-generated key on both ends to eliminate the need for distribution
C. Use certificate authority to distribute private keys
D. Symmetrically encrypt the key and then use asymmetric encryption to unencrypt it

A

Use asymmetric encryption for the automated distribution of the symmetric key

67
Q

Scenario: An organization has made a decision to address Information Security formally
and consistently by adopting established best practices and industry standards. The
organization is a small retail merchant but it is expected to grow to a global customer base
of many millions of customers in just a few years.
Which of the following frameworks and standards will BEST fit the organization as a
baseline for their security program?
A. NIST and Privacy Regulations
B. ISO 27000 and Payment Card Industry Data Security Standards
C. NIST and data breach notification laws
D. ISO 27000 and Human resources best practices

A

ISO 27000 and Payment Card Industry Data Security Standards

68
Q

The process for management approval of the security certification process which states the
risks and mitigation of such risks of a given IT system is called
A. Security certification
B. Security system analysis
C. Security accreditation
D. Alignment with business practices and goals.

A

Security accreditation

69
Q

What are the primary reasons for the development of a business case for a security
project?
A. To estimate risk and negate liability to the company
B. To understand the attack vectors and attack sources
C. To communicate risk and forecast resource needs
D. To forecast usage and cost per software licensing

A

To communicate risk and forecast resource needs

70
Q

Scenario: Your organization employs single sign-on (user name and password only) as a
convenience to your employees to access organizational systems and data. Permission to
individual systems and databases is vetted and approved through supervisors and data
owners to ensure that only approved personnel can use particular applications or retrieve
information. All employees have access to their own human resource information, including
the ability to change their bank routing and account information and other personal details
through the Employee Self-Service application. All employees have access to the
organizational VPN.

Recently, members of your organization have been targeted through a number of
sophisticated phishing attempts and have compromised their system credentials. What
action can you take to prevent the misuse of compromised credentials to change bank
account information from outside your organization while still allowing employees to
manage their bank information?
A. Turn off VPN access for users originating from outside the country
B. Enable monitoring on the VPN for suspicious activity
C. Force a change of all passwords
D. Block access to the Employee-Self Service application via VPN

A

Block access to the Employee-Self Service application via VPN

71
Q

Scenario: Your program is developed around minimizing risk to information by focusing on
people, technology, and operations.
An effective way to evaluate the effectiveness of an information security awareness
program for end users, especially senior executives, is to conduct periodic:
A. Controlled spear phishing campaigns
B. Password changes
C. Baselining of computer systems
D. Scanning for viruses

A

Controlled spear phishing campaigns

72
Q

Scenario: You are the newly hired Chief Information Security Officer for a company that
has not previously had a senior level security practitioner. The company lacks a defined
security policy and framework for their Information Security Program. Your new boss, the
Chief Financial Officer, has asked you to draft an outline of a security policy and
recommend an industry/sector neutral information security control framework for
implementation.
Your Corporate Information Security Policy should include which of the following?
A. Information security theory
B. Roles and responsibilities
C. Incident response contacts
D. Desktop configuration standards

A

Roles and responsibilities