Exam Misses Flashcards
An organization experienced a breach of credit card data, how should it respond?
Notify affected card brands immediately. The organization is required to notify all affected credit card brands.
An organization experienced a breach of credit card data, how should it respond?
Notify affected credit card brands immediately (it’s a requirement)
When should executives be made aware of changes in applicable cybersecurity laws?
During a routine monthly risk update
The classification of an incident is an indication of what 3 things?
Data, application, or system involved (incident classification can also be tied to the location)
A CISO noticed that dwell time metrics aren’t improving, what should be done?
Improve incident detection capabilities
Does an executive level security council include allocating security budgets to business units?
No.
It’s a good way to get executives talking about cyber risk and business risk, and making risk decisions
In a quantitative risk analysis, how is risk expressed in terms of the partial loss of functionality of an asset?
Exposure Factor (EF)
A risk assessment of an organization’s SDLC might compel the organization to do what?
Introduce secure coding standards
Not: update coding standards, because that may not address security specifically
The purpose of a security incident tabletop exercise includes all of the following except which one?
A. Maintain familiarity with incident response procedures
B. Ensure that procedures are still correct and relevant
C. Ensure that internal and external communications are established
D. Ensure that an organization will be able to detect an incident
D. Ensure that an organization will be able to detect an incident
What elements should be included in a business case document template?
Current state, desired end state, requirements, approach, plan
A basic security incident response has how many steps, and what are they?
8: detect, initiate, evaluate, eradicate, recovery, remediate, closure, review
True or False?
In addition to documenting roles and responsibilities, an incident response program should include detailed procedures for responding to common incidents
True
What activity helps ensure a security program is aligned with a security strategy?
Periodic Management Review
What is the best indicator of effectiveness?
The trend line for the number of critical and high vulnerabilities found in application penetration tests
How does the percentage of effective controls show value (how is it a value delivery metric?)
By illustrating how well the security program is ensuring control effectiveness
Who is included in a directory of parties to notify in an emergency?
Regulators, offsite media storage companies, contract personnel services, suppliers, law enforcement, insurance company agents
What is the problem with the following control statement: “Endpoints are protected from malware with McAfee Antivirus”?
It’s overly specific. If they switched to Symantec, they would technically be out of compliance
Note that it is also unambiguous, but that’s not the best answer.
How will a security manager determine the actions needed to achieve the desired end state for a new security program?
Perform a gap analysis
That will help understand the present state and the actions needed to move from the present to the desired state
How can a CISO best understand the organization’s risk tolerance?
Interview board members and senior executives.
Examining the risk ledger or other artifacts or capabilities may not accurately reflect the organization’s current risk tolerance.
A control’s effectiveness can be tested with a review. True or False?
False.
A self-assessment or an internal or external audit are all OK, but a review is less rigorous.
What does this describe?
A document describing the need for a mobile device management program that describes required resources, benefits, and a high-level plan
Business case
Not a proposal
If an organization has a nonstandard IT governance framework, should the security governance framework be built to resemble it?
Yes
An organization’s security governance framework should be similar to other frameworks, especially that of IT
(don’t build it around industry standards)
If an auditor examines a business activity for which there is no control and scores the control as ineffective, what’s the best response?
To treat the activity as though a control should exist - develop a control and ensure it’s effective
Can organizations ever opt out of PCI DSS controls?
No
Compare leading vs trailing indicators
Trailing indicators show past events
Leading indicators show future risks
Is it common to require project managers to earn security certifications?
No
Security related improvements to project management would not include getting the PM certified in security
Is a control self-assessment the most effective way to determine compliance with internal policies?
Yes
What does a qualified opinion mean?
That the audit has failed in one or more of its high-level control objectives. This is cause for concern and further inquiry
What’s the next step after a security policy has been reviewed and updated?
Publish it and inform workers where to find it
Not: require them to sign it
Not: include changes in security awareness training
Not: simply publish it
What’s the purpose of a security addendum in a legal contract?
To specify security-related terms and conditions
Is PCI-DSS an example of:
data privacy regulation
data protection regulation
a security standard
a security protocol
A security standard
Which is the most effective technique to determine compliance with internal policies?
Control self-assessment
vulnerability assessment
risk assessment
threat assessment
Control self-assessment
Requirements classified as “addressable” in HIPAA are?
optional if the organization has performed a risk assessment
document marking
“Restricted. For Limited Distribution”
procedure
describes step by step instructions to perform a task
it can be part of a process
One disadvantage of preventive controls compared to detective controls?
preventive take longer to certify
preventive requires more training
detective are easier to implement
preventive sometimes prevent desired outcomes
Preventive controls sometimes prevent desired outcomes.
for example, blocking legitimate email as spam, or an IPS that prevents legitimate downloads
A business record consisting of identified security issues is a?
risk assessment
risk ledger
vulnerability assessment
penetration test
Risk Ledger
not a risk assessment because that only identifies some but not all issues
What information will an external pen tester need to plan a pen test of an organization’s externally facing applications?
URLs (not IP ranges)
time of day to test
emergency contact information
An auditor examines an activity for which no control exists and scores it as ineffective. What is the best response?
Develop a written control and ensure it’s effective
Not: perform a risk analysis to determine if a control should be developed
A developer informs the CISO that the organization is out of compliance with PCI-DSS. How should the CISO proceed?
Create an entry in the risk ledger and look into the matter.
Not: conduct an investigation; it’s good but not the best initial reaction
A document that describes the need for a business capability, including costs and benefits, is a what?
business case
File integrity monitoring
Periodically scan file systems and report on any changes that occur.
Changes may be due to maintenance but also indicate compromise
File activity monitoring
Monitor directories and files to detect unusual activities that may indicate compromise.
Do not use this to help ensure servers are consistently configured.
RACI Chart
Responsible
Accountable
Consulted
Informed
Assigns levels of responsibility to individuals and groups.
Helps personnel determine roles for various business activities
How often should incident escalation procedures be updated?
Once per year, or when executive personnel changes
If a risk register has grown too large, what is the best remedy?
Implement a GRC (Governance, Risk, Compliance) platform with a risk management module.
Automating through a risk management module in a GRC platform is best.
After a security policy has been reviewed and updated, what are the next steps?
Publish and inform workers
What’s the best way to introduce security into the hiring process?
Perform background checks, use NDAs, verify licenses and certifications, verify prior employment
Not: require candidates to complete security awareness training
What’s special about leading indicators?
They’re potential indicators of future attacks or events, e.g., the percentage of critical servers not patched within 30 days
An auditor examines a business activity for which no written control exists and scores it as ineffective. What’s the best response?
Develop a written control and ensure it is effective. Generally, if an auditor examines a business activity as though a control exists, but does not, the organization should formally develop the control.
Not: perform a risk analysis to determine whether a control should be developed
Process (Process Document)
Document that describes the overall activities to take place for a particular activity
E.g., describes all of the actions to take place regarding vulnerability management
Minimum standards for securing the technical infrastructure should be defined in:
security strategy
security architecture
security guidelines
security model
architecture
The security architecture defines how components are secured and the security services that should be in place.
When developing an information security program, what’s the most useful source of information for determining available resources?
organization chart
skills inventory
job descriptions
skills inventory
Who should drive risk analysis for an organization?
senior management
security manager
security manager
senior management should support and sponsor it, but the security manager will have the know-how and management of it.
The most complete business case for security solutions is one that…
includes appropriate justification
When implementing effective security governance within the requirements of the company’s security strategy, which is the most important factor to consider?
preserving confidentiality of sensitive data
adhering to corporate privacy standards
establishing system manager responsibility for information security
preserving confidentiality of sensitive data
The goal of information security is to protect the organization’s information assets.
Information security policy enforcement is the responsibility of the:
security steering committee
CIO
CISO
CISO
The primary concern of an information security manager documenting a formal data retention policy would be
business requirements
legislative and regulatory requirements
business requirements
The primary concern will be to comply with legislation and regulation, but only if they are genuine business requirements
What should be fixed first to ensure successful infosec governance in an organization?
CIO approves security policy changes
infosec oversight committee only meets quarterly
data center manager has final signoff on all security projects
data center manager has final signoff on all security projects
The fact that the data center manager has final signoff for all security projects indicates that a steering committee is not being used and that information security is relegated to a subordinate place in the organization.
It is not inappropriate for an oversight or steering committee to meet quarterly. Similarly, it may be desirable to have the chief information officer (CIO) approve the security policy due to the size of the organization and frequency of updates.
Which is the best reason to perform a BIA?
to help determine current state of risk
to analyze the effect on the business
to help determine current state of risk
Which is the best method to improve accountability for a system administrator who has security functions?
include security responsibilities in the job description
require them to obtain security certifications
train them on pen testing and vulnerability assessment
include security responsibilities in the job description
What is the primary role of the information security manager in the process of information classification within an organization?
defining and ratifying the classification structure of information assets
A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the information security program?
composition of the board
cultures of the different countries
cultures of the different countries
The impact of an incident is an indication of:
Incident severity
The severity of an incident is directly tied to its effect on the organization, whether a single person, group, department, or entire organization
An organization experiencing a malware-related incident is unable to isolate the malware. What should they do next?
get help from trained personnel with forensics analysis tools
wipe hard drives of affected systems and reinstall the OS
Obtain advanced anti-malware tools to identify malware
shut down affected systems and rebuild them on alternate hardware or VMs
get help from trained personnel with forensics analysis tools
What metric would be an indicator of improving discipline among control owners?
Trend line in the number of control self-assessments completed
Trend line in the number of process documents not reviewed within 13 months of prior review
Trend line in the number of control exceptions in external audits
Trend line in the number of external control tests completed
Trend line in the number of control exceptions in external audits
Which document defines specific configuration details for compliance?
policy
procedure
standard
guideline
Standard
A standard is a detailed document that defines configurations, protocols or products to be used in the organization
An executive has delegated responsibility for granting access requests to the IT department. The IT department in this role is functioning as the:
owner
custodian
custodian
Types of controls
preventive - prevent unwanted event, e.g., keycards, login screens
detective - records good and bad events, e.g., CCTV, event logs
deterrent - convinces people to avoid an activity, e.g., dogs, warning signs, CCTV
corrective - activated after unwanted event happens, e.g., improving a process that didn’t work as well as desired
compensating - used if other direct control can’t be used, e.g., a sign-in register if you can’t use video surveillance
recovery - restores state of a system, e.g., backup software
Acceptable risk is achieved when:
residual risk is minimized
control risk is minimized
residual risk is minimized