Work Flashcards

1
Q

Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years.

Which of the following would be the FIRST step when addressing Information Security formally and consistently in this organization?

Contract a third party to perform a security risk assessment
Define formal roles and responsibilities for Internal audit functions
Define formal roles and responsibilities for Information Security
Create an executive security steering committee

A

Define formal roles and responsibilities for Information Security

1
Q

When analyzing and forecasting a capital expense budget, which of the following is NOT included?

Network connectivity costs
New datacenter to operate from
Upgrade of mainframe
Purchase of new mobile devices to improve operations

A

Network connectivity costs

2
Q

SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.

The CISO has implemented remediation activities. Which of the following is the MOST logical next step?

Validate the effectiveness of applied controls
Validate security program resource requirements
Report the audit findings and remediation status to business stake holders
Review security procedures to determine if they need to be modified according to findings

A

Validate the effectiveness of applied controls

3
Q

Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.

When adjusting the controls to mitigate the risks, how often should the CISO perform an audit to verify the controls?

Annually
Semi-annually
Quarterly
Never

A

Never

4
Q

Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the organizational VPN.

Once supervisors and data owners have approved requests, information system administrators will implement

Technical control(s)
Management control(s)
Policy control(s)
Operational control(s)

A

Technical control(s)

5
Q

Scenario: You are the CISO and are required to brief the C-level executive team on your information security audit for the year. During your review of the audit findings you discover that many of the controls that were put in place the previous year to correct some of the findings are not performing as needed. You have thirty days until the briefing. To formulate a remediation plan for the non-performing controls, what other document do you need to review before adjusting the controls?

Business Impact Analysis
Business Continuity plan
Security roadmap
Annual report to shareholders

A

Business Impact Analysis

6
Q

The process to evaluate the technical and non-technical security controls of an IT system to validate that a given design and implementation meet a specific set of security requirements is called

Security certification
Security system analysis
Security accreditation
Alignment with business practices and goals.

A

Security certification

7
Q

When creating contractual agreements and procurement processes why should security requirements be included?

To make sure they are added on after the process is completed
To make sure the cost of security is included and understood
To make sure the security process aligns with the vendor’s security process
To make sure the patching process is included with the costs

A

To make sure the cost of security is included and understood

8
Q

A system is designed to dynamically block offending Internet IP-addresses from requesting services from a secure website. This type of control is considered

Zero-day attack mitigation
Preventive detection control
Corrective security control
Dynamic blocking control

A

Corrective security control

8
Q

What is the primary reason for performing vendor management?

To understand the risks that are being mitigated by the vendor
To establish a vendor selection process
To document the relationship between the company and the vendor
To define the partnership for long-term success

A

To understand the risks that are being mitigated by the vendor

9
Q

Scenario: An organization has recently appointed a CISO. This is a new role in the organization and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security-centric agenda. Which of the following is the reason the CISO has not been able to advance the security agenda in this organization?

Lack of identification of technology stake holders
Lack of business continuity process
Lack of influence with leaders outside IT
Lack of a security awareness program

A

Lack of influence with leaders outside IT

10
Q

The new CISO was informed of all the Information Security projects that the organization has in progress. Two projects are over a year behind schedule and over budget. Using best business practices for project management you determine that the projects correctly align with the company goals.

Which of the following needs to be performed NEXT?

Verify the scope of the project
Verify the regulatory requirements
Verify technical resources
Verify capacity constraints

A

Verify technical resources

11
Q

You are just hired as the new CISO and are being briefed on all the Information Security projects that your section has ongoing. You discover that most projects are behind schedule and over budget.

Using the best business practices for project management you determine that the projects correctly align with the company goals and the scope of the projects is correct. What is the NEXT step?

Review time schedules
Verify budget
Verify resources
Verify constraints

A

Verify resources

12
Q

SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.

After determining the audit findings are accurate, which of the following is the MOST logical next activity?

Begin initial gap remediation analyses
Review the security organization’s charter
Validate gaps with the Information Technology team
Create a briefing of the findings for executive management

A

Begin initial gap remediation analyses

13
Q

SCENARIO: A CISO has several two-factor authentication systems under review and selects the one that is most sufficient and least costly. The implementation project planning is completed and the teams are ready to implement the solution. The CISO then discovers that the product is not as scalable as originally thought and will not fit the organization's needs.

The CISO is unsure of the information provided and orders a vendor proof of concept to validate the system's scalability. This demonstrates which of the following?

An approach that allows for minimum budget impact if the solution is unsuitable
A methodology-based approach to ensure authentication mechanism functions
An approach providing minimum time impact to the implementation schedules
A risk-based approach to determine if the solution is suitable for investment

A

A risk-based approach to determine if the solution is suitable for investment

14
Q

Involvement of senior management is MOST important in the development of:

IT security implementation plans.
Standards and guidelines.
IT security policies.
IT security procedures.

A

IT security policies.

15
Q

Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the organizational VPN.

What type of control is being implemented by supervisors and data owners?

Management
Operational
Technical
Administrative

A

Operational

16
Q

Which of the following provides an independent assessment of a vendor's internal security controls and overall posture?

Alignment with business goals
ISO27000 accreditation
PCI attestation of compliance
Financial statements

A

ISO27000 accreditation

17
Q

Acceptable levels of information security risk tolerance in an organization should be determined by:

Corporate legal counsel
CISO with reference to the company goals
CEO and board of directors
Corporate compliance committee

A

CEO and board of directors

17
Q

Scenario: Your program is developed around minimizing risk to information by focusing on people, technology, and operations.

You have decided to deal with risk to information from people first. How can you minimize risk to your most sensitive information before granting access?

Conduct background checks on individuals before hiring them
Develop an Information Security Awareness program
Monitor employee browsing and surfing habits
Set your firewall permissions aggressively and monitor logs regularly.

A

Conduct background checks on individuals before hiring them

18
Q

SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.

Which of the following is the FIRST action the CISO will perform after receiving the audit report?

Inform peer executives of the audit results
Validate gaps and accept or dispute the audit findings
Create remediation plans to address program gaps
Determine if security policies and procedures are adequate

A

Validate gaps and accept or dispute the audit findings

19
Q

Scenario: Most industries require compliance with multiple government regulations and/or industry standards to meet data protection and privacy mandates.

When multiple regulations or standards apply to your industry you should set controls to meet the:

Easiest regulation or standard to implement
Stricter regulation or standard
Most complex standard to implement
Recommendations of your Legal Staff

A

Stricter regulation or standard

20
Q

File Integrity Monitoring (FIM) is considered a

Network based security preventative control
Software segmentation control
Security detective control
User segmentation control

A

Security detective control
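Why FIM is detective and not preventive is easiest to see in code. The following is an added example, not part of the original flashcards: a minimal file integrity monitor that hashes a directory into a SHA-256 baseline, re-hashes it later and reports what was added, removed or modified. The sample files (an sshd_config, passwd and motd, plus a dropped backdoor.sh) are constructed by Demo() in a temporary directory and are the example's own; nothing here is taken from a real system.

```go
// Added example, not part of the original flashcards: a minimal file integrity
// monitor. It hashes a directory into a baseline, re-hashes it later and reports
// what was added, removed or modified. It only reports, it neither blocks nor
// reverts the change, which is what makes FIM a detective control.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps a path relative to the monitored root to the hex SHA-256 of its content.
type Baseline map[string]string

// Snapshot walks root and hashes every regular file.
func Snapshot(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if !info.Mode().IsRegular() {
			return nil
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		b[rel] = hex.EncodeToString(sum[:])
		return nil
	})
	return b, err
}

// Change is one deviation from the baseline.
type Change struct {
	Path string
	Kind string // "added", "removed" or "modified"
}

// Compare returns the deviations of current from baseline, sorted by path.
// Files whose hash is unchanged are not reported.
func Compare(baseline, current Baseline) []Change {
	var out []Change
	for p, h := range baseline {
		if cur, ok := current[p]; !ok {
			out = append(out, Change{p, "removed"})
		} else if cur != h {
			out = append(out, Change{p, "modified"})
		}
	}
	for p := range current {
		if _, ok := baseline[p]; !ok {
			out = append(out, Change{p, "added"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Demo baselines a constructed sample tree (a stand-in for a monitored /etc) in a
// temporary directory, tampers with it the way an intruder might, and returns
// what the monitor detects.
func Demo() []Change {
	root, err := os.MkdirTemp("", "fim-demo")
	must(err)
	defer os.RemoveAll(root)
	write := func(name, content string) {
		must(os.WriteFile(filepath.Join(root, name), []byte(content), 0o600))
	}
	write("sshd_config", "PermitRootLogin no\n")
	write("passwd", "root:x:0:0::/root:/bin/sh\n")
	write("motd", "welcome\n")
	baseline, err := Snapshot(root)
	must(err)
	// Simulated tampering: weakened config, dropped script, deleted file.
	write("sshd_config", "PermitRootLogin yes\n")
	write("backdoor.sh", "#!/bin/sh\nnc -l -p 4444 -e /bin/sh\n")
	must(os.Remove(filepath.Join(root, "motd")))
	current, err := Snapshot(root)
	must(err)
	return Compare(baseline, current)
}

func main() {
	for _, c := range Demo() {
		fmt.Printf("%-9s %s\n", c.Kind, c.Path)
	}
}
```

The monitor has no say in whether the write happens; by the time it runs, PermitRootLogin has already been flipped. That is the detective/preventive distinction the card is testing: a production FIM stores its baseline somewhere the monitored host cannot alter and feeds these findings to whoever owns the corrective response.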

20
Q

Human resource planning for security professionals in your organization is a:

Simple and easy task because the threats are getting easier to find and correct.
Training requirement that is met through once every year user training.
Training requirement that is on-going and always changing.
Not needed because automation and anti-virus software has eliminated the threats.

A

Training requirement that is on-going and always changing.

21
Q

When dealing with risk, the information security practitioner may choose to:

assign
transfer
acknowledge
defer

A

transfer

21
Q

Scenario: An organization has recently appointed a CISO. This is a new role in the organization and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security-centric agenda. The CISO has been able to implement a number of technical controls and is able to influence the Information Technology teams but has not been able to influence the rest of the organization.

From an organizational perspective, which of the following is the LIKELY reason for this?

The CISO does not report directly to the CEO of the organization
The CISO reports to the IT organization
The CISO has not implemented a policy management framework
The CISO has not implemented a security awareness program

A

The CISO reports to the IT organization

22
Q

As the CISO you need to write the IT security strategic plan. Which of the following is the MOST important to review before you start writing the plan?

The existing IT environment.
The company business plan.
The present IT budget.
Other corporate technology trends.

A

The company business plan.

23
Q

SCENARIO: Critical servers show signs of erratic behavior within your organization's intranet. Initial information indicates the systems are under attack from an outside entity. As the Chief Information Security Officer (CISO), you decide to deploy the Incident Response Team (IRT) to determine the details of this incident and take action according to the information available to the team.

In what phase of the response will the team extract information from the affected systems without altering original data?

Response
Investigation
Recovery
Follow-up

A

Investigation

24
Q

Scenario: Your company has many encrypted telecommunications links for its world-wide operations. Physically distributing symmetric keys to all locations has proven to be administratively burdensome, but symmetric keys are preferred to other alternatives.

How can you reduce the administrative burden of distributing symmetric keys for your employer?

Use asymmetric encryption for the automated distribution of the symmetric key
Use a self-generated key on both ends to eliminate the need for distribution
Use a certificate authority to distribute private keys
Symmetrically encrypt the key and then use asymmetric encryption to decrypt it

A

Use asymmetric encryption for the automated distribution of the symmetric key

25
Q

The process for management approval of the security certification process which states the risks and mitigation of such risks of a given IT system is called

Security certification
Security system analysis
Security accreditation
Alignment with business practices and goals.

A

Security accreditation

26
Q

Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the organizational VPN.

Recently, members of your organization have been targeted through a number of sophisticated phishing attempts and have compromised their system credentials. What action can you take to prevent the misuse of compromised credentials to change bank account information from outside your organization while still allowing employees to manage their bank information?

Turn off VPN access for users originating from outside the country
Enable monitoring on the VPN for suspicious activity
Force a change of all passwords
Block access to the Employee Self-Service application via VPN

A

Block access to the Employee Self-Service application via VPN

27
Q

Scenario: You are the newly hired Chief Information Security Officer for a company that has not previously had a senior level security practitioner. The company lacks a defined security policy and framework for their Information Security Program. Your new boss, the Chief Financial Officer, has asked you to draft an outline of a security policy and recommend an industry/sector neutral information security control framework for implementation.

Your Corporate Information Security Policy should include which of the following?

Information security theory
Roles and responsibilities
Incident response contacts
Desktop configuration standards

A

Roles and responsibilities

28
Q

Which of the following is MOST important when tuning an Intrusion Detection System (IDS)?

Trusted and untrusted networks
Type of authentication
Storage encryption
Log retention

A

Trusted and untrusted networks

29
Q

What is the term describing the act of inspecting all real-time Internet traffic (i.e., packets) traversing a major Internet backbone without introducing any apparent latency?

Traffic Analysis
Deep-Packet inspection
Packet sampling
Heuristic analysis

A

Deep-Packet inspection

30
Q

When should IT security project management be outsourced?

When organizational resources are limited
When the benefits of outsourcing outweigh the inherent risks of outsourcing
On new, enterprise-wide security initiatives
On projects not forecasted in the yearly budget

A

When the benefits of outsourcing outweigh the inherent risks of outsourcing

31
Q

Which of the following is considered one of the most frequent failures in project management?

Overly restrictive management
Excessive personnel on project
Failure to meet project deadlines
Insufficient resources

A

Failure to meet project deadlines

32
Q

Which of the following represents the best method of ensuring business unit alignment with security program requirements?

Provide clear communication of security requirements throughout the organization
Demonstrate executive support with written mandates for security policy adherence
Create collaborative risk management approaches within the organization
Perform increased audits of security processes and procedures

A

Create collaborative risk management approaches within the organization

33
Q

Risk appetite is typically determined by which of the following organizational functions?

Security
Business units
Board of Directors
Audit and compliance

A

Board of Directors

34
Q

An application vulnerability assessment has identified a security flaw in an application. This is a flaw that was previously identified and remediated on a prior release of the application. Which of the following is MOST likely the reason for this recurring issue?

Ineffective configuration management controls
Lack of change management controls
Lack of version/source controls
High turnover in the application development department

A

Lack of version/source controls

35
Q

When managing the critical path of an IT security project, which of the following is MOST important?

Knowing who all the stakeholders are.
Knowing the people on the data center team.
Knowing the threats to the organization.
Knowing the milestones and timelines of deliverables.

A

Knowing the milestones and timelines of deliverables.

36
Q

You currently cannot provide for 24/7 coverage of your security monitoring and incident response duties and your company is resistant to the idea of adding more full-time employees to the payroll. Which combination of solutions would help to provide the coverage needed without the addition of more dedicated staff? (choose the best answer)

Deploy a SIEM solution and have current staff review incidents first thing in the morning
Contract with a managed security provider and have current staff on recall for incident response
Configure your syslog to send SMS messages to current staff when target events are triggered
Employ an assumption of breach protocol and defend only essential information resources

A

Contract with a managed security provider and have current staff on recall for incident response

37
Q

The ultimate goal of IT security projects is:

Increase stock value
Complete security
Support business requirements
Implement information security policies

A

Support business requirements

38
Q

A department within your company has proposed a third party vendor solution to address an urgent, critical business need. As the CISO you have been asked to accelerate screening of their security control claims. Which of the following vendor provided documents is BEST to make your decision?

Vendor's client list of reputable organizations currently using their solution
Vendor provided attestation of the detailed security controls from a reputable accounting firm
Vendor provided reference from an existing reputable client detailing their implementation
Vendor provided internal risk assessment and security control documentation

A

Vendor provided attestation of the detailed security controls from a reputable accounting firm

39
Q

Which of the following represents the BEST reason for an organization to use the Control Objectives for Information and Related Technology (COBIT) as an Information Technology (IT) framework?

It allows executives to more effectively monitor IT implementation costs
Implementation of it eases an organization's auditing and compliance burden
Information Security (IS) procedures often require augmentation with other standards
It provides for a consistent and repeatable staffing model for technology organizations

A

Implementation of it eases an organization's auditing and compliance burden

40
Q

Which of the following activities must be completed BEFORE you can calculate risk?

Determining the likelihood that vulnerable systems will be attacked by specific threats
Calculating the risks to which assets are exposed in their current setting
Assigning a value to each information asset
Assessing the relative risk facing the organization's information assets

A

Assigning a value to each information asset

41
Q

When measuring the effectiveness of an Information Security Management System which one of the following would be MOST LIKELY used as a metric framework?

ISO 27001
PRINCE2
ISO 27004
ITILv3

A

ISO 27004

42
Q

In MOST organizations which group periodically reviews network intrusion detection system logs for all systems as part of their daily tasks?

Internal Audit
Database Administration
Information Security
Compliance

A

Information Security

42
Q

Which of the following organizations is typically in charge of validating the implementation and effectiveness of security controls?

Security Administrators
Internal/External Audit
Risk Management
Security Operations

A

Internal/External Audit

43
Q

The mean time to patch, number of virus outbreaks prevented, and number of vulnerabilities mitigated are examples of what type of performance metrics?

Risk metrics
Management metrics
Operational metrics
Compliance metrics

A

Operational metrics

44
Q

A missing/ineffective security control is identified. Which of the following should be the NEXT step?

Perform an audit to measure the control formally
Escalate the issue to the IT organization
Perform a risk assessment to measure risk
Establish Key Risk Indicators

A

Perform a risk assessment to measure risk

45
Q

During the course of a risk analysis your IT auditor identified threats and potential impacts. Next, your IT auditor should:

Identify and evaluate the existing controls.
Disclose the threats and impacts to management.
Identify information assets and the underlying systems.
Identify and assess the risk assessment process used by management.

A

Identify and evaluate the existing controls.

46
Q

When you develop your audit remediation plan what is the MOST important criteria?

To remediate half of the findings before the next audit.
To remediate all of the findings before the next audit.
To validate that the cost of the remediation is less than the risk of the finding.
To validate the remediation process with the auditor.

A

To validate that the cost of the remediation is less than the risk of the finding.

47
Q

Which of the following best represents a calculation for Annual Loss Expectancy (ALE)?

Single loss expectancy multiplied by the annual rate of occurrence
Total loss expectancy multiplied by the total loss frequency
Value of the asset multiplied by the loss expectancy
Replacement cost multiplied by the single loss expectancy

A

Single loss expectancy multiplied by the annual rate of occurrence

48
Q

An IT auditor has recently discovered that because of a shortage of skilled operations personnel, the security administrator has agreed to work one late night shift a week as the senior computer operator. The most appropriate course of action for the IT auditor is to:

Inform senior management of the risk involved.
Agree to work with the security officer on these shifts as a form of preventative control.
Develop a computer assisted audit technique to detect instances of abuses of the arrangement.
Review the system log for each of the late night shifts to determine whether any irregular actions occurred.

A

Inform senior management of the risk involved.

49
Q

Which of the following reports should you as an IT auditor use to check on compliance with a service level agreement's requirement for uptime?

Systems logs
Hardware error reports
Utilization reports
Availability reports

A

Availability reports

50
Q

The remediation of a specific audit finding is deemed too expensive and will not be implemented. Which of the following is a TRUE statement?

The asset is more expensive than the remediation
The audit finding is incorrect
The asset being protected is less valuable than the remediation costs
The remediation costs are irrelevant; it must be implemented regardless of cost.

A

The asset being protected is less valuable than the remediation costs

51
Q

As the new CISO at the company you are reviewing the audit reporting process and notice that it includes only detailed technical diagrams. What else should be in the reporting process?

Executive summary
Penetration test agreement
Names and phone numbers of those who conducted the audit
Business charter

A

Executive summary

52
Q

An audit was conducted and many critical applications were found to have no disaster recovery plans in place. You conduct a Business Impact Analysis (BIA) to determine impact to the company for each application. What should be the NEXT step?

Determine the annual loss expectancy (ALE)
Create a crisis management plan
Create technology recovery plans
Build a secondary hot site

A

Create technology recovery plans

53
Q

The regular review of a firewall ruleset is considered a

Procedural control
Organization control
Technical control
Management control

A

Procedural control

54
Q

Which of the following is the PRIMARY purpose of International Organization for Standardization (ISO) 27001?

Use within an organization to formulate security requirements and objectives
Implementation of business-enabling information security
Use within an organization to ensure compliance with laws and regulations
To enable organizations that adopt it to obtain certifications

A

Implementation of business-enabling information security

55
Q

An organization is required to implement background checks on all employees with access to databases containing credit card information. This is considered a security

Procedural control
Management control
Technical control
Administrative control

A

Management control

56
Q

Assigning the role and responsibility of Information Assurance to a dedicated and independent security group is an example of:

Detective Controls
Proactive Controls
Preemptive Controls
Organizational Controls

A

Organizational Controls

57
Q

The amount of risk an organization is willing to accept in pursuit of its mission is known as

Risk mitigation
Risk transfer
Risk tolerance
Risk acceptance

A

Risk tolerance

58
Q

Which International Organization for Standardization (ISO) standard below BEST describes the performance of risk management, and includes a five-stage risk management methodology?

ISO 27001
ISO 27002
ISO 27004
ISO 27005

A

ISO 27005

58
Q

Which of the following activities results in change requests?

Preventive actions
Inspection
Defect repair
Corrective actions

A

Preventive actions

59
Q

Which of the following is the MOST important goal of risk management?

Identifying the risk
Finding economic balance between the impact of the risk and the cost of the control
Identifying the victim of any potential exploits.
Assessing the impact of potential threats

A

Finding economic balance between the impact of the risk and the cost of the control

60
Q

Creating good security metrics is essential for a CISO. What would be the BEST sources for creating security metrics for baseline defenses coverage?

Servers, routers, switches, modem
Firewall, exchange, web server, intrusion detection system (IDS)
Firewall, anti-virus console, IDS, syslog
IDS, syslog, router, switches

A

Firewall, anti-virus console, IDS, syslog

61
Q

Providing oversight of a comprehensive information security program for the entire organization is the primary responsibility of which group under the InfoSec governance framework?

Senior Executives
Office of the Auditor
Office of the General Counsel
All employees and users

A

Senior Executives

62
Q

When dealing with a risk management process, asset classification is important because it will impact the overall:

A. Threat identification
B. Risk monitoring
C. Risk treatment
D. Risk tolerance

A

C. Risk treatment

63
Q

Which of the following is the MAIN reason to follow a formal risk management process in an organization that hosts and uses personally identifiable information (PII) as part of their business models and processes?

A. Need to comply with breach disclosure laws
B. Need to transfer the risk associated with hosting PII data
C. Need to better understand the risk associated with using PII data
D. Fiduciary responsibility to safeguard credit card information

A

C. Need to better understand the risk associated with using PII data

64
Q

What is the MAIN reason for conflicts between Information Technology and Information Security programs?

A. Technology governance defines technology policies and standards while security governance does not.
B. Security governance defines technology best practices and Information Technology governance does not.
C. Technology Governance is focused on process risks whereas Security Governance is focused on business risk.
D. The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology implementations.

A

D. The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology implementations.

65
Q

The Information Security Governance program MUST:

A. integrate with other organizational governance processes
B. support user choice for Bring Your Own Device (BYOD)
C. integrate with other organizational governance processes
D. show a return on investment for the organization

A

C. integrate with other organizational governance processes

66
Q

The success of the Chief Information Security Officer is MOST dependent upon:

A. favorable audit findings
B. following the recommendations of consultants and contractors
C. development of relationships with organization executives
D. raising awareness of security issues with end users

A

C. development of relationships with organization executives

67
Q

What is the definition of Risk in Information Security?

A. Risk = Probability x Impact
B. Risk = Threat x Probability
C. Risk = Financial Impact x Probability
D. Risk = Impact x Threat

A

A. Risk = Probability x Impact

68
Q

What role should the CISO play in properly scoping a PCI environment?

A. Validate the business units suggestions as to what should be included in the scoping process
B. Work with a Qualified Security Assessor (QSA) to determine the scope of the PCI environment
C. Ensure internal scope validation is completed and that an assessment has been done to discover all credit card data
D. Complete the self-assessment questionnaire and work with an Approved Scanning Vendor (ASV) to determine scope

A

C. Ensure internal scope validation is completed and that an assessment has been done to discover all credit card data

69
Q

The alerting, monitoring and life-cycle management of security related events is typically handled by the

A. security threat and vulnerability management process
B. risk assessment process
C. risk management process
D. governance, risk, and compliance tool

A

A. security threat and vulnerability management process

70
Q

An organization is looking for a framework to measure the efficiency and effectiveness of their Information Security Management System. Which of the following international standards can BEST assist this organization?

A. International Organization for Standardization 27004 (ISO 27004)
B. Payment Card Industry Data Security Standard (PCI DSS)
C. Control Objectives for Information and Related Technology (COBIT)
D. International Organization for Standardization 27005 (ISO 27005)

A

A. International Organization for Standardization 27004 (ISO 27004)

71
Q

Which of the following is the MOST important for a CISO to understand when identifying threats?

How vulnerabilities can potentially be exploited in systems that impact the organization
How the security operations team will respond to reported incidents
How the firewall and other security devices are configured to prevent attacks
How the incident management team prepares to handle an attack

A

How vulnerabilities can potentially be exploited in systems that impact the organization

72
Q

When dealing with Security Incident Response procedures, which of the following steps comes FIRST when reacting to an incident?

Escalation
Recovery
Eradication
Containment

A

Containment

73
Q

The exposure factor (EF) of a threat to your organization is defined as:

Asset value times exposure factor
Annual rate of occurrence
Annual loss expectancy minus current cost of controls
Percentage of loss experienced due to a realized threat event

A

Percentage of loss experienced due to a realized threat event
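Several cards above lean on the same quantitative risk arithmetic: exposure factor (this card), single loss expectancy and ALE = SLE x ARO (the ALE card), "cost of the remediation is less than the risk of the finding" (the audit remediation card), "the asset being protected is less valuable than the remediation costs" (the too-expensive finding), and "economic balance between the impact of the risk and the cost of the control" (the risk management goal). The following is an added example, not part of the original flashcards, that carries those definitions through to the funding decision for three candidate controls. Every figure (the asset value, the ransomware threat's EF and ARO, the control costs and their effect) is constructed for the example.

```go
// Added example, not from the original flashcards: the quantitative risk
// arithmetic the cards use. SLE = AV x EF, ALE = SLE x ARO, and a control is
// worth funding when the ALE it removes exceeds its annual cost, while a
// remediation that costs more than the asset it protects is rejected outright.
// All figures are constructed for the example.
package main

import "fmt"

// Threat is one threat against an asset, using the cards' symbols.
type Threat struct {
	Name string
	EF   float64 // exposure factor: fraction of asset value lost per realized event
	ARO  float64 // annual rate of occurrence
}

// Control is a candidate safeguard and its effect on the threat.
type Control struct {
	Name       string
	AnnualCost float64 // purchase amortised per year plus operation
	NewEF      float64 // exposure factor once the control is in place
	NewARO     float64 // annual rate of occurrence once the control is in place
}

// SLE is the single loss expectancy: asset value times exposure factor.
func SLE(assetValue, ef float64) float64 { return assetValue * ef }

// ALE is the annual loss expectancy: SLE times annual rate of occurrence.
func ALE(assetValue, ef, aro float64) float64 { return SLE(assetValue, ef) * aro }

// ControlValue is the annual benefit of a control:
// ALE(before) - ALE(after) - annual cost. Positive means the control pays for itself.
func ControlValue(assetValue float64, t Threat, c Control) float64 {
	before := ALE(assetValue, t.EF, t.ARO)
	after := ALE(assetValue, c.NewEF, c.NewARO)
	return before - after - c.AnnualCost
}

// Decide returns the funding decision as the cards phrase it.
func Decide(assetValue float64, t Threat, c Control) string {
	switch {
	case c.AnnualCost > assetValue:
		return "reject: asset worth less than remediation"
	case ControlValue(assetValue, t, c) > 0:
		return "fund"
	default:
		return "reject: control costs more than the risk it removes"
	}
}

// Approx compares two monetary figures within a rounding tolerance.
func Approx(a, b float64) bool { return a-b < 1e-6 && b-a < 1e-6 }

func main() {
	// Constructed figures: a 2,000,000 customer database and ransomware that
	// destroys 40% of its value roughly once every four years.
	asset := 2_000_000.0
	ransomware := Threat{"ransomware", 0.40, 0.25}
	fmt.Printf("SLE %.0f  ALE %.0f\n", SLE(asset, ransomware.EF), ALE(asset, ransomware.EF, ransomware.ARO))
	for _, c := range []Control{
		{"offline backups", 30_000, 0.05, 0.25},    // cuts loss per event
		{"EDR + 24x7 MSSP", 250_000, 0.40, 0.05},   // cuts frequency
		{"air-gapped replica DC", 2_500_000, 0, 0}, // costs more than the asset
	} {
		fmt.Printf("%-24s value %+.0f  -> %s\n", c.Name, ControlValue(asset, ransomware, c), Decide(asset, ransomware, c))
	}
}
```

With these figures SLE is 800,000 and ALE is 200,000 a year. Offline backups remove 175,000 of ALE for 30,000 and are funded; the EDR/MSSP option removes 160,000 but costs 250,000 and fails the economic-balance test; the replica data centre costs more than the asset and is rejected before its risk reduction is even considered, which is exactly the situation the "too expensive to remediate" card describes.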