Domain 5 Flashcards
Scenario: Your corporate systems have been under constant probing and attack from foreign IP addresses for more than a week. Your security team and security infrastructure have performed well under the stress. You are confident that your defenses have held up under the test, but rumors are spreading that sensitive customer data has been stolen and is now being sold on the Internet by criminal elements. During your investigation of the rumored compromise you discover that data has been breached and you have discovered the repository of stolen data on a server located in a foreign country. Your team now has full access to the data on the foreign server.
Your defenses did not hold up to the test as originally thought. As you investigate how the data was compromised through log analysis you discover that a hardworking, but misguided business intelligence analyst posted the data to an obfuscated URL on a popular cloud storage service so they could work on it from home during their off-time. Which technology or solution could you deploy to prevent employees from removing corporate data from your network? Choose the BEST answer.
A. Security Guards posted outside the Data Center
B. Data Loss Prevention (DLP)
C. Rigorous syslog reviews
D. Intrusion Detection Systems (IDS)
Data Loss Prevention (DLP)
Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years.
Which of the following would be the FIRST step when addressing Information Security formally and consistently in this organization?
A. Contract a third party to perform a security risk assessment
B. Define formal roles and responsibilities for Internal audit functions
C. Define formal roles and responsibilities for Information Security
D. Create an executive security steering committee
Define formal roles and responsibilities for Information Security
The rate of change in technology increases the importance of:
A. Outsourcing the IT functions.
B. Understanding user requirements.
C. Hiring personnel with leading edge skills.
D. Implementing and enforcing good processes.
Implementing and enforcing good processes.
When analyzing and forecasting a capital expense budget what are not included?
A. Network connectivity costs
B. New datacenter to operate from
C. Upgrade of mainframe
D. Purchase of new mobile devices to improve operations
Network connectivity costs
Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.
You have identified potential solutions for all of your risks that do not have security controls. What is the NEXT step?
A. Get approval from the board of directors
B. Screen potential vendor solutions
C. Verify that the cost of mitigation is less than the risk
D. Create a risk metrics for all unmitigated risks
Verify that the cost of mitigation is less than the risk
SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.
The CISO has implemented remediation activities. Which of the following is the MOST logical next step?
A. Validate the effectiveness of applied controls
B. Validate security program resource requirements
C. Report the audit findings and remediation status to business stake holders
D. Review security procedures to determine if they need modified according to findings
Validate the effectiveness of applied controls
Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.
When adjusting the controls to mitigate the risks, how often should the CISO perform an audit to verify the controls?
A. Annually
B. Semi-annually
C. Quarterly
D. Never
Never
SCENARIO: Critical servers show signs of erratic behavior within your organizations intranet. Initial information indicates the systems are under attack from an outside entity. As the Chief Information Security Officer (CISO), you decide to deploy the Incident Response Team (IRT) to determine the details of this incident and take action according to the information available to the team.
What phase of the response provides measures to reduce the likelihood of an incident from recurring?
A. Response
B. Investigation
C. Recovery
D. Follow-up
Follow Up
Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years.
The organization has already been subject to a significant amount of credit card fraud. Which of the following is the MOST likely reason for this fraud?
A. Lack of compliance to the Payment Card Industry (PCI) standards
B. Ineffective security awareness program
C. Security practices not in alignment with ISO 27000 frameworks
D. Lack of technical controls when dealing with credit card data
Lack of compliance to the Payment Card Industry (PCI) standards
When analyzing and forecasting an operating expense budget what are not included?
A. Software and hardware license fees
B. Utilities and power costs
C. Network connectivity costs
D. New datacenter to operate from
New datacenter to operate from
Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the
organizational VPN.
Once supervisors and data owners have approved requests, information system administrators will implement
A. Technical control(s)
B. Management control(s)
C. Policy control(s)
D. Operational control(s)
Technical control(s)
When updating the security strategic planning document what two items must be included?
A. Alignment with the business goals and the vision of the CIO
B. The risk tolerance of the company and the company mission statement
C. The executive summary and vision of the board of directors
D. The alignment with the business goals and the risk tolerance
The alignment with the business goals and the risk tolerance
Scenario: You are the CISO and are required to brief the C-level executive team on your information security audit for the year. During your review of the audit findings you discover that many of the controls that were put in place the previous year to correct some of the findings are not performing as needed. You have thirty days until the briefing. To formulate a remediation plan for the non-performing controls what other document do you need to review before adjusting the controls?
A. Business Impact Analysis
B. Business Continuity plan
C. Security roadmap
D. Annual report to shareholders
Business Impact Analysis
The ability to demand the implementation and management of security controls on third parties providing services to an organization is
A. Security Governance
B. Compliance management
C. Vendor management
D. Disaster recovery
Vendor management
John is the project manager for a large project in his organization. A new change request has been proposed that will affect several areas of the project. One area of the project change impact is on work that a vendor has already completed. The vendor is refusing to make the changes as theyve already completed the project work they were contracted to do. What can John do in this instance?
A. Refer the vendor to the Service Level Agreement (SLA) and insist that they make the changes.
B. Review the Request for Proposal (RFP) for guidance.
C. Withhold the vendor’s payments until the issue is resolved.
D. Refer to the contract agreement for direction.
Refer to the contract agreement for direction.
The process to evaluate the technical and non-technical security controls of an IT system to validate that a given design and implementation meet a specific set of security requirements is called
A. Security certification
B. Security system analysis
C. Security accreditation
D. Alignment with business practices and goals.
Security certification
The total cost of security controls should:
A. Be equal to the value of the information resource being protected
B. Be greater than the value of the information resource being protected
C. Be less than the value of the information resource being protected
D. Should not matter, as long as the information resource is protected
Be less than the value of the information resource being protected
When creating contractual agreements and procurement processes why should security requirements be included?
A. To make sure they are added on after the process is completed
B. To make sure the costs of security is included and understood
C. To make sure the security process aligns with the vendor’s security process
D. To make sure the patching process is included with the costs
To make sure the costs of security is included and understood
Your company has limited resources to spend on security initiatives. The Chief Financial Officer asks you to prioritize the protection of information resources based on their value to the company. It is essential that you be able to communicate in language that your fellow executives will understand. You should:
A. Create timelines for mitigation
B. Develop a cost-benefit analysis
C. Calculate annual loss expectancy
D. Create a detailed technical executive summary
Develop a cost-benefit analysis
Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years.
This global retail company is expected to accept credit card payments. Which of the following is of MOST concern when defining a security program for this organization?
A. International encryption restrictions
B. Compliance to Payment Card Industry (PCI) data security standards
C. Compliance with local government privacy laws
D. Adherence to local data breach notification laws
Compliance to Payment Card Industry (PCI) data security standards
Annual Loss Expectancy is derived from the function of which two factors?
A. Annual Rate of Occurrence and Asset Value
B. Single Loss Expectancy and Exposure Factor
C. Safeguard Value and Annual Rate of Occurrence
D. Annual Rate of Occurrence and Single Loss Expectancy
Annual Rate of Occurrence and Single Loss Expectancy
What is the primary reason for performing vendor management?
A. To understand the risk coverage that are being mitigated by the vendor
B. To establish a vendor selection process
C. To document the relationship between the company and the vendor
D. To define the partnership for long-term success
To understand the risk coverage that are being mitigated by the vendor
Scenario: An organization has recently appointed a CISO. This is a new role in the organization and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security centric agenda. Which of the following is the reason the CISO has not been able to advance the security agenda in this organization?
A. Lack of identification of technology stake holders
B. Lack of business continuity process
C. Lack of influence with leaders outside IT
D. Lack of a security awareness program
Lack of influence with leaders outside IT
SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.
The CISO has validated audit findings, determined if compensating controls exist, and started initial remediation planning. Which of the following is the MOST logical next step?
A. Validate the effectiveness of current controls
B. Create detailed remediation funding and staffing plans
C. Report the audit findings and remediation status to business stake holders
D. Review security procedures to determine if they need modified according to findings
Report the audit findings and remediation status to business stake holders
Scenario: As you begin to develop the program for your organization, you assess the
corporate culture and determine that there is a pervasive opinion that the security program
only slows things down and limits the performance of the real workers.
What must you do first in order to shift the prevailing opinion and reshape corporate culture
to understand the value of information security to the organization?
A. Cite compliance with laws, statutes, and regulations explaining the financial implications for the company for non-compliance
B. Understand the business and focus your efforts on enabling operations securely
C. Draw from your experience and recount stories of how other companies have been compromised
D. Cite corporate policy and insist on compliance with audit findings
Understand the business and focus your efforts on enabling operations securely
The newly appointed CISO of an organization is reviewing the IT security strategic plan.
Which of the following is the MOST important component of the strategic plan?
A. There is integration between IT security and business staffing.
B. There is a clear definition of the IT security mission and vision.
C. There is an auditing methodology in place.
D. The plan requires return on investment for all security projects.
There is a clear definition of the IT security mission and vision.
The new CISO was informed of all the Information Security projects that the organization
has in progress. Two projects are over a year behind schedule and over budget. Using best
business practices for project management you determine that the project correctly aligns
with the company goals.
Which of the following needs to be performed NEXT?
A. Verify the scope of the project
B. Verify the regulatory requirements
C. Verify technical resources
D. Verify capacity constraints
Verify technical resources
Scenario: An organization has recently appointed a CISO. This is a new role in the
organization and it signals the increasing need to address security consistently at the
enterprise level. This new CISO, while confident with skills and experience, is constantly on
the defensive and is unable to advance the IT security centric agenda.
From an Information Security Leadership perspective, which of the following is a MAJOR
concern about the CISOs approach to security?
A. Lack of risk management process
B. Lack of sponsorship from executive management
C. IT security centric agenda
D. Compliance centric agenda
IT security centric agenda
You are just hired as the new CISO and are being briefed on all the Information Security projects that your section has on going. You discover that most projects are behind schedule and over budget.
Using the best business practices for project management you determine that the project correctly aligns with the company goals and the scope of the project is correct. What is the NEXT step?
A. Review time schedules
B. Verify budget
C. Verify resources
D. Verify constraints
Verify resources