Work Flashcards

1
Q

When analyzing and forecasting a capital expense budget, what is not included?

Network connectivity costs
New datacenter to operate from
Upgrade of mainframe
Purchase of new mobile devices to improve operations

A

Network connectivity costs

2
Q

SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.

The CISO has implemented remediation activities. Which of the following is the MOST logical next step?

Validate the effectiveness of applied controls
Validate security program resource requirements
Report the audit findings and remediation status to business stakeholders
Review security procedures to determine if they need to be modified according to findings

A

Validate the effectiveness of applied controls

3
Q

Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.

When adjusting the controls to mitigate the risks, how often should the CISO perform an audit to verify the controls?

Annually
Semi-annually
Quarterly
Never

A

Never

4
Q

Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the organizational VPN.

Once supervisors and data owners have approved requests, information system administrators will implement

Technical control(s)
Management control(s)
Policy control(s)
Operational control(s)

A

Technical control(s)

5
Q

Scenario: You are the CISO and are required to brief the C-level executive team on your information security audit for the year. During your review of the audit findings you discover that many of the controls that were put in place the previous year to correct some of the findings are not performing as needed. You have thirty days until the briefing. To formulate a remediation plan for the non-performing controls, what other document do you need to review before adjusting the controls?

Business Impact Analysis
Business Continuity plan
Security roadmap
Annual report to shareholders

A

Business Impact Analysis

6
Q

The process to evaluate the technical and non-technical security controls of an IT system to validate that a given design and implementation meet a specific set of security requirements is called

Security certification
Security system analysis
Security accreditation
Alignment with business practices and goals.

A

Security certification

7
Q

When creating contractual agreements and procurement processes, why should security requirements be included?

To make sure they are added on after the process is completed
To make sure the costs of security are included and understood
To make sure the security process aligns with the vendor’s security process
To make sure the patching process is included with the costs

A

To make sure the costs of security are included and understood

8
Q

What is the primary reason for performing vendor management?

To understand the risk coverage that is being mitigated by the vendor
To establish a vendor selection process
To document the relationship between the company and the vendor
To define the partnership for long-term success

A

To understand the risk coverage that is being mitigated by the vendor

9
Q

Scenario: An organization has recently appointed a CISO. This is a new role in the organization and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security centric agenda. Which of the following is the reason the CISO has not been able to advance the security agenda in this organization?

Lack of identification of technology stakeholders
Lack of business continuity process
Lack of influence with leaders outside IT
Lack of a security awareness program

A

Lack of influence with leaders outside IT

10
Q

The new CISO was informed of all the Information Security projects that the organization has in progress. Two projects are over a year behind schedule and over budget. Using best business practices for project management you determine that the project correctly aligns with the company goals.

Which of the following needs to be performed NEXT?

Verify the scope of the project
Verify the regulatory requirements
Verify technical resources
Verify capacity constraints

A

Verify technical resources

11
Q

You have just been hired as the new CISO and are being briefed on all the Information Security projects that your section has ongoing. You discover that most projects are behind schedule and over budget.

Using the best business practices for project management you determine that the project correctly aligns with the company goals and the scope of the project is correct. What is the NEXT step?

Review time schedules
Verify budget
Verify resources
Verify constraints

A

Verify resources

12
Q

SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.

After determining the audit findings are accurate, which of the following is the MOST logical next activity?

Begin initial gap remediation analyses
Review the security organization’s charter
Validate gaps with the Information Technology team
Create a briefing of the findings for executive management

A

Begin initial gap remediation analyses

13
Q

SCENARIO: A CISO has several two-factor authentication systems under review and selects the one that is most sufficient and least costly. The implementation project planning is completed and the teams are ready to implement the solution. The CISO then discovers that the product is not as scalable as originally thought and will not fit the organization's needs.

The CISO is unsure of the information provided and orders a vendor proof of concept to validate the system's scalability. This demonstrates which of the following?

An approach that allows for minimum budget impact if the solution is unsuitable
A methodology-based approach to ensure authentication mechanism functions
An approach providing minimum time impact to the implementation schedules
A risk-based approach to determine if the solution is suitable for investment

A

A risk-based approach to determine if the solution is suitable for investment

14
Q

Involvement of senior management is MOST important in the development of:

IT security implementation plans.
Standards and guidelines.
IT security policies.
IT security procedures.

A

IT security policies.

15
Q

Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the organizational VPN.

What type of control is being implemented by supervisors and data owners?

Management
Operational
Technical
Administrative

A

Operational

16
Q

Which of the following provides an independent assessment of a vendor's internal security controls and overall posture?

Alignment with business goals
ISO27000 accreditation
PCI attestation of compliance
Financial statements

A

ISO27000 accreditation

17
Q

Scenario: Your program is developed around minimizing risk to information by focusing on people, technology, and operations.

You have decided to deal with risk to information from people first. How can you minimize risk to your most sensitive information before granting access?

Conduct background checks on individuals before hiring them
Develop an Information Security Awareness program
Monitor employee browsing and surfing habits
Set your firewall permissions aggressively and monitor logs regularly.

A

Conduct background checks on individuals before hiring them

18
Q

SCENARIO: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.

Which of the following is the FIRST action the CISO will perform after receiving the audit report?

Inform peer executives of the audit results
Validate gaps and accept or dispute the audit findings
Create remediation plans to address program gaps
Determine if security policies and procedures are adequate

A

Validate gaps and accept or dispute the audit findings

19
Q

Scenario: Most industries require compliance with multiple government regulations and/or industry standards to meet data protection and privacy mandates.

When multiple regulations or standards apply to your industry, you should set controls to meet the:

Easiest regulation or standard to implement
Stricter regulation or standard
Most complex standard to implement
Recommendations of your Legal Staff

A

Easiest regulation or standard to implement

20
Q

Human resource planning for security professionals in your organization is a:

Simple and easy task because the threats are getting easier to find and correct.
Training requirement that is met through once every year user training.
Training requirement that is on-going and always changing.
Not needed because automation and anti-virus software has eliminated the threats.

A

Training requirement that is on-going and always changing.

21
Q

Scenario: An organization has recently appointed a CISO. This is a new role in the organization and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security centric agenda. The CISO has been able to implement a number of technical controls and is able to influence the Information Technology teams but has not been able to influence the rest of the organization. From an organizational perspective, which of the following is the LIKELY reason for this?

The CISO does not report directly to the CEO of the organization
The CISO reports to the IT organization
The CISO has not implemented a policy management framework
The CISO has not implemented a security awareness program

A

The CISO reports to the IT organization

22
Q

As the CISO you need to write the IT security strategic plan. Which of the following is the MOST important to review before you start writing the plan?

The existing IT environment.
The company business plan.
The present IT budget.
Other corporate technology trends.

A

The company business plan.

23
Q

SCENARIO: Critical servers show signs of erratic behavior within your organization's intranet. Initial information indicates the systems are under attack from an outside entity. As the Chief Information Security Officer (CISO), you decide to deploy the Incident Response Team (IRT) to determine the details of this incident and take action according to the information available to the team.

In what phase of the response will the team extract information from the affected systems without altering original data?

Response
Investigation
Recovery
Follow-up

A

Investigation

24
Q

Scenario: Your company has many encrypted telecommunications links for their world-wide operations. Physically distributing symmetric keys to all locations has proven to be administratively burdensome, but symmetric keys are preferred to other alternatives.

How can you reduce the administrative burden of distributing symmetric keys for your employer?

Use asymmetric encryption for the automated distribution of the symmetric key
Use a self-generated key on both ends to eliminate the need for distribution
Use certificate authority to distribute private keys
Symmetrically encrypt the key and then use asymmetric encryption to unencrypt it

A

Use asymmetric encryption for the automated distribution of the symmetric key

25
Q

The process for management approval of the security certification process, which states the risks of a given IT system and the mitigation of such risks, is called

Security certification
Security system analysis
Security accreditation
Alignment with business practices and goals.

A

Security accreditation

26
Q

Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the organizational VPN.

Recently, members of your organization have been targeted through a number of sophisticated phishing attempts and have compromised their system credentials. What action can you take to prevent the misuse of compromised credentials to change bank account information from outside your organization while still allowing employees to manage their bank information?

Turn off VPN access for users originating from outside the country
Enable monitoring on the VPN for suspicious activity
Force a change of all passwords
Block access to the Employee-Self Service application via VPN

A

Block access to the Employee-Self Service application via VPN

27
Q

Scenario: You are the newly hired Chief Information Security Officer for a company that has not previously had a senior level security practitioner. The company lacks a defined security policy and framework for their Information Security Program. Your new boss, the Chief Financial Officer, has asked you to draft an outline of a security policy and recommend an industry/sector neutral information security control framework for implementation. Your Corporate Information Security Policy should include which of the following?

Information security theory
Roles and responsibilities
Incident response contacts
Desktop configuration standards

A

Roles and responsibilities

28
Q

Which of the following is MOST important when tuning an Intrusion Detection System (IDS)?

Trusted and untrusted networks
Type of authentication
Storage encryption
Log retention

A

Trusted and untrusted networks

29
Q

What is the term describing the act of inspecting all real-time Internet traffic (i.e., packets) traversing a major Internet backbone without introducing any apparent latency?

Traffic Analysis
Deep-Packet inspection
Packet sampling
Heuristic analysis

A

Deep-Packet inspection

30
Q

When should IT security project management be outsourced?

When organizational resources are limited
When the benefits of outsourcing outweigh the inherent risks of outsourcing
On new, enterprise-wide security initiatives
On projects not forecasted in the yearly budget

A

When the benefits of outsourcing outweigh the inherent risks of outsourcing

31
Q

Which of the following is considered one of the most frequent failures in project management?

Overly restrictive management
Excessive personnel on project
Failure to meet project deadlines
Insufficient resources

A

Failure to meet project deadlines

32
Q

Which of the following represents the best method of ensuring business unit alignment with security program requirements?

Provide clear communication of security requirements throughout the organization
Demonstrate executive support with written mandates for security policy adherence
Create collaborative risk management approaches within the organization
Perform increased audits of security processes and procedures

A

Create collaborative risk management approaches within the organization

33
Q

Risk appetite is typically determined by which of the following organizational functions?

Security
Business units
Board of Directors
Audit and compliance

A

Business units

34
Q

An application vulnerability assessment has identified a security flaw in an application. This is a flaw that was previously identified and remediated on a prior release of the application. Which of the following is MOST likely the reason for this recurring issue?

Ineffective configuration management controls
Lack of change management controls
Lack of version/source controls
High turnover in the application development department

A

Lack of version/source controls

35
Q

When managing the critical path of an IT security project, which of the following is MOST important?

Knowing who all the stakeholders are.
Knowing the people on the data center team.
Knowing the threats to the organization.
Knowing the milestones and timelines of deliverables.

A

Knowing the milestones and timelines of deliverables.

36
Q

You currently cannot provide for 24/7 coverage of your security monitoring and incident response duties and your company is resistant to the idea of adding more full-time employees to the payroll. Which combination of solutions would help to provide the coverage needed without the addition of more dedicated staff? (choose the best answer):

Deploy a SEIM solution and have current staff review incidents first thing in the morning
Contract with a managed security provider and have current staff on recall for incident response
Configure your syslog to send SMS messages to current staff when target events are triggered
Employ an assumption of breach protocol and defend only essential information resources

A

Contract with a managed security provider and have current staff on recall for incident response

37
Q

The ultimate goal of IT security projects is to:

Increase stock value
Complete security
Support business requirements
Implement information security policies

A

Support business requirements

38
Q

A department within your company has proposed a third party vendor solution to address an urgent, critical business need. As the CISO you have been asked to accelerate screening of their security control claims. Which of the following vendor provided documents is BEST to make your decision:

Vendor’s client list of reputable organizations currently using their solution
Vendor provided attestation of the detailed security controls from a reputable accounting firm
Vendor provided reference from an existing reputable client detailing their implementation
Vendor provided internal risk assessment and security control documentation

A

Vendor provided attestation of the detailed security controls from a reputable accounting firm

39
Q

Which of the following represents the BEST reason for an organization to use the Control Objectives for Information and Related Technology (COBIT) as an Information Technology (IT) framework?

It allows executives to more effectively monitor IT implementation costs
Implementation of it eases an organization’s auditing and compliance burden
Information Security (IS) procedures often require augmentation with other standards
It provides for a consistent and repeatable staffing model for technology organizations

A

Implementation of it eases an organization’s auditing and compliance burden

40
Q

Which of the following activities must be completed BEFORE you can calculate risk?

Determining the likelihood that vulnerable systems will be attacked by specific threats
Calculating the risks to which assets are exposed in their current setting
Assigning a value to each information asset
Assessing the relative risk facing the organization’s information assets

A

Assigning a value to each information asset

41
Q

When measuring the effectiveness of an Information Security Management System which one of the following would be MOST LIKELY used as a metric framework?

ISO 27001
PRINCE2
ISO 27004
ITILv3

A

ISO 27004

42
Q

Which of the following organizations is typically in charge of validating the implementation and effectiveness of security controls?

Security Administrators
Internal/External Audit
Risk Management
Security Operations

A

Internal/External Audit

43
Q

The mean time to patch, number of virus outbreaks prevented, and number of vulnerabilities mitigated are examples of what type of performance metrics?

Risk metrics
Management metrics
Operational metrics
Compliance metrics

A

Operational metrics

44
Q

A missing/ineffective security control is identified. Which of the following should be the NEXT step?

Perform an audit to measure the control formally
Escalate the issue to the IT organization
Perform a risk assessment to measure risk
Establish Key Risk Indicators

A

Perform a risk assessment to measure risk

45
Q

During the course of a risk analysis your IT auditor identified threats and potential impacts. Next, your IT auditor should:

Identify and evaluate the existing controls.
Disclose the threats and impacts to management.
Identify information assets and the underlying systems.
Identify and assess the risk assessment process used by management.

A

Identify and evaluate the existing controls.

46
Q

When you develop your audit remediation plan what is the MOST important criteria?

To remediate half of the findings before the next audit.
To remediate all of the findings before the next audit.
To validate that the cost of the remediation is less than the risk of the finding.
To validate the remediation process with the auditor.

A

To validate that the cost of the remediation is less than the risk of the finding.

47
Q

Which of the following best represents a calculation for Annual Loss Expectancy (ALE)?

Single loss expectancy multiplied by the annual rate of occurrence
Total loss expectancy multiplied by the total loss frequency
Value of the asset multiplied by the loss expectancy
Replacement cost multiplied by the single loss expectancy

A

Single loss expectancy multiplied by the annual rate of occurrence

48
Q

An IT auditor has recently discovered that because of a shortage of skilled operations personnel, the security administrator has agreed to work one late night shift a week as the senior computer operator. The most appropriate course of action for the IT auditor is to:

Inform senior management of the risk involved.
Agree to work with the security officer on these shifts as a form of preventative control.
Develop a computer assisted audit technique to detect instances of abuses of the arrangement.
Review the system log for each of the late night shifts to determine whether any irregular actions occurred.

A

Inform senior management of the risk involved.

49
Q

Which of the following reports should you, as an IT auditor, use to check on compliance with a service level agreement's requirement for uptime?

Systems logs
Hardware error reports
Utilization reports
Availability reports

A

Availability reports

50
Q

The remediation of a specific audit finding is deemed too expensive and will not be implemented. Which of the following is a TRUE statement?

The asset is more expensive than the remediation
The audit finding is incorrect
The asset being protected is less valuable than the remediation costs
The remediation costs are irrelevant; it must be implemented regardless of cost.

A

The asset being protected is less valuable than the remediation costs

51
Q

As the new CISO at the company you are reviewing the audit reporting process and notice that it includes only detailed technical diagrams. What else should be in the reporting process?

Executive summary
Penetration test agreement
Names and phone numbers of those who conducted the audit
Business charter

A

Executive summary

52
Q

An audit was conducted and many critical applications were found to have no disaster recovery plans in place. You conduct a Business Impact Analysis (BIA) to determine impact to the company for each application. What should be the NEXT step?

Determine the annual loss expectancy (ALE)
Create a crisis management plan
Create technology recovery plans
Build a secondary hot site

A

Create technology recovery plans

53
Q

The regular review of a firewall ruleset is considered a

Procedural control
Organization control
Technical control
Management control

A

Procedural control

54
Q

Which of the following is the PRIMARY purpose of International Organization for Standardization (ISO) 27001?

Use within an organization to formulate security requirements and objectives
Implementation of business-enabling information security
Use within an organization to ensure compliance with laws and regulations
To enable organizations that adopt it to obtain certifications

A

Implementation of business-enabling information security

55
Q

An organization is required to implement background checks on all employees with access to databases containing credit card information. This is considered a security

Procedural control
Management control
Technical control
Administrative control

A

Management control

56
Q

Assigning the role and responsibility of Information Assurance to a dedicated and independent security group is an example of:

Detective Controls
Proactive Controls
Preemptive Controls
Organizational Controls

A

Organizational Controls

57
Q

The amount of risk an organization is willing to accept in pursuit of its mission is known as

Risk mitigation
Risk transfer
Risk tolerance
Risk acceptance

A

Risk tolerance

58
Q

Which of the following activities results in change requests?

Preventive actions
Inspection
Defect repair
Corrective actions

A

Preventive actions

59
Q

Which of the following is the MOST important goal of risk management?

Identifying the risk
Finding economic balance between the impact of the risk and the cost of the control
Identifying the victim of any potential exploits.
Assessing the impact of potential threats

A

Finding economic balance between the impact of the risk and the cost of the control

60
Q

Creating good security metrics is essential for a CISO. What would be the BEST sources for creating security metrics for baseline defenses coverage?

Servers, routers, switches, modem
Firewall, exchange, web server, intrusion detection system (IDS)
Firewall, anti-virus console, IDS, syslog
IDS, syslog, router, switches

A

Firewall, anti-virus console, IDS, syslog

61
Q

Providing oversight of a comprehensive information security program for the entire organization is the primary responsibility of which group under the InfoSec governance framework?

Senior Executives
Office of the Auditor
Office of the General Counsel
All employees and users

A

Senior Executives

62
Q

When dealing with a risk management process, asset classification is important because it will impact the overall:

A. Threat identification
B. Risk monitoring
C. Risk treatment
D. Risk tolerance

A

C. Risk treatment

63
Q

Which of the following is the MAIN reason to follow a formal risk management process in an organization that hosts and uses personally identifiable information (PII) as part of their business models and processes?

A. Need to comply with breach disclosure laws
B. Need to transfer the risk associated with hosting PII data
C. Need to better understand the risk associated with using PII data
D. Fiduciary responsibility to safeguard credit card information

A

C. Need to better understand the risk associated with using PII data

64
Q

What is the MAIN reason for conflicts between Information Technology and Information Security programs?

A. Technology governance defines technology policies and standards while security governance does not.
B. Security governance defines technology best practices and Information Technology governance does not.
C. Technology Governance is focused on process risks whereas Security Governance is focused on business risk.
D. The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology implementations.

A

D. The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology implementations.

65
Q

The Information Security Governance program MUST:

A. integrate with other organizational governance processes
B. support user choice for Bring Your Own Device (BYOD)
C. integrate with other organizational governance processes
D. show a return on investment for the organization

A

C. integrate with other organizational governance processes

66
Q

The success of the Chief Information Security Officer is MOST dependent upon:

A. favorable audit findings
B. following the recommendations of consultants and contractors
C. development of relationships with organization executives
D. raising awareness of security issues with end users

A

C. development of relationships with organization executives

67
Q

What is the definition of Risk in Information Security?

A. Risk = Probability x Impact
B. Risk = Threat x Probability
C. Risk = Financial Impact x Probability
D. Risk = Impact x Threat

A

A. Risk = Probability x Impact

68
Q

What role should the CISO play in properly scoping a PCI environment?

A. Validate the business units' suggestions as to what should be included in the scoping process
B. Work with a Qualified Security Assessor (QSA) to determine the scope of the PCI environment
C. Ensure internal scope validation is completed and that an assessment has been done to discover all credit card data
D. Complete the self-assessment questionnaire and work with an Approved Scanning Vendor (ASV) to determine scope

A

C. Ensure internal scope validation is completed and that an assessment has been done to discover all credit card data

69
Q

The alerting, monitoring and life-cycle management of security related events is typically handled by the

A. security threat and vulnerability management process
B. risk assessment process
C. risk management process
D. governance, risk, and compliance tool

A

A. security threat and vulnerability management process

70
Q

An organization is looking for a framework to measure the efficiency and effectiveness of their Information Security Management System. Which of the following international standards can BEST assist this organization?

A. International Organization for Standardization – 27004 (ISO-27004)
B. Payment Card Industry Data Security Standard (PCI-DSS)
C. Control Objectives for Information and Related Technologies (COBIT)
D. International Organization for Standardization – 27005 (ISO-27005)

A

A. International Organization for Standardization – 27004 (ISO-27004)

71
Q

Which of the following is the MOST important for a CISO to understand when identifying threats?

How vulnerabilities can potentially be exploited in systems that impact the organization
How the security operations team will behave to reported incidents
How the firewall and other security devices are configured to prevent attacks
How the incident management team prepares to handle an attack

A

How vulnerabilities can potentially be exploited in systems that impact the organization

72
Q

When dealing with Security Incident Response procedures, which of the following steps comes FIRST when reacting to an incident?

Escalation
Recovery
Eradication
Containment

A

Containment

73
Q

The exposure factor of a threat to your organization is defined as?

Asset value times exposure factor
Annual rate of occurrence
Annual loss expectancy minus current cost of controls
Percentage of loss experienced due to a realized threat event

A

Percentage of loss experienced due to a realized threat event
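Worked example (added here; not part of the original deck): the quantitative form of the two risk cards above, carried through to a decision. Risk = Probability x Impact becomes, in money terms, ALE = ARO x SLE, with SLE = AV x EF using the exposure factor just defined; a control is worth buying when the ALE it removes exceeds its annual cost. The asset values, exposure factors, rates of occurrence and control costs are hypothetical figures constructed for this example, not from any real assessment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset. Figures are constructed for the example."""
    asset: str
    asset_value: float      # AV: value of the asset to the business
    exposure_factor: float  # EF: fraction of AV lost per realized event, 0.0 to 1.0
    aro: float              # ARO: expected realized events per year (0.25 = once in four years)


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the residual EF/ARO it leaves in place."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF: the impact of one realized event."""
    return av * ef


def annualized_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE x ARO: impact weighted by yearly likelihood (Risk = Probability x Impact)."""
    return single_loss_expectancy(av, ef) * aro


def evaluate(s: Scenario, c: Control) -> dict:
    """Cost/benefit of a control: ALE before - ALE after - annual cost of the control."""
    before = annualized_loss_expectancy(s.asset_value, s.exposure_factor, s.aro)
    after = annualized_loss_expectancy(s.asset_value, c.residual_ef, c.residual_aro)
    net = before - after - c.annual_cost
    return {
        "asset": s.asset,
        "control": c.name,
        "sle": round(single_loss_expectancy(s.asset_value, s.exposure_factor), 2),
        "ale_before": round(before, 2),
        "ale_after": round(after, 2),
        "net_benefit": round(net, 2),
        "justified": net > 0,   # negative: accept, transfer, or find a cheaper control
    }


def rank_controls(pairs) -> list[dict]:
    """Highest net benefit first: the order in which a fixed budget should be spent."""
    return sorted((evaluate(s, c) for s, c in pairs),
                  key=lambda r: r["net_benefit"], reverse=True)


# Constructed inventory (hypothetical figures).
CANDIDATES = [
    (Scenario("Customer PII database", 2_000_000, 0.40, 0.25),
     Control("Encrypt PII at rest + DLP", 60_000, 0.10, 0.25)),
    (Scenario("Public web server", 150_000, 0.80, 2.0),
     Control("Web application firewall", 30_000, 0.80, 0.5)),
    (Scenario("Laptop fleet", 300_000, 0.05, 4.0),
     Control("Mobile device management", 70_000, 0.02, 4.0)),
]

if __name__ == "__main__":
    for r in rank_controls(CANDIDATES):
        verdict = "JUSTIFIED" if r["justified"] else "not justified"
        print(f"{r['asset']:<22} {r['control']:<28} ALE {r['ale_before']:>9,.0f} -> "
              f"{r['ale_after']:>8,.0f}  net {r['net_benefit']:>9,.0f}  {verdict}")
```

The laptop control comes out negative: its annual cost exceeds the loss it prevents, so by this arithmetic the residual risk is accepted or handled another way. The weak point in practice is the inputs, not the formula; EF and ARO are estimates, and the CISO should record where each one came from.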

74
Q

Which International Organization for Standardization (ISO) standard below BEST describes how to perform risk management and includes a five-stage risk management methodology?

ISO 27001
ISO 27002
ISO 27004
ISO 27005

A

ISO 27005

75
Q

In MOST organizations which group periodically reviews network intrusion detection system logs for all systems as part of their daily tasks?

Internal Audit
Database Administration
Information Security
Compliance

A

Information Security

76
Q

When dealing with risk, the information security practitioner may choose to:

assign
transfer
acknowledge
defer

A

acknowledge

77
Q

File Integrity Monitoring (FIM) is considered a

Network based security preventative control
Software segmentation control
Security detective control
User segmentation control

A

Security detective control

78
Q

Acceptable levels of information security risk tolerance in an organization should be determined by?

Corporate legal counsel
CISO with reference to the company goals
CEO and board of directors
Corporate compliance committee

A

CEO and board of directors

79
Q

A system is designed to dynamically block offending Internet IP-addresses from requesting services from a secure website. This type of control is considered

Zero-day attack mitigation
Preventive detection control
Corrective security control
Dynamic blocking control

A

Corrective security control
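Worked example (added here; not part of the original deck) of the control described in the card: a fail2ban-style blocker that watches web-server access logs, counts authentication failures per source IP in a sliding window, and bans the IP for a fixed period once a threshold is crossed. It is corrective because it reacts to abuse already observed rather than preventing the first request. The log format, the IP addresses, the thresholds and the allowlist are all constructed for this example; a real deployment would hand the "block" action to the firewall or WAF.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx common log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
FAILURE_STATUSES = {401, 403}


class DynamicBlocker:
    """Count auth failures per source IP in a sliding window; ban the IP past the threshold."""

    def __init__(self, threshold=5, window=timedelta(seconds=60),
                 ban_duration=timedelta(minutes=10), allowlist=()):
        self.threshold = threshold
        self.window = window
        self.ban_duration = ban_duration
        self.allowlist = set(allowlist)       # monitors, SOC jump host: never auto-block
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.blocked = {}                     # ip -> ban expiry
        self.events = []                      # (ip, action, timestamp) audit trail

    def observe(self, line: str):
        m = LOG_RE.match(line)
        if not m:
            return None                        # unparseable line: do not act on it
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], TS_FMT)
        status = int(m["status"])

        # Bans expire, so a spoofed or NAT-shared source is not locked out forever.
        if ip in self.blocked and self.blocked[ip] <= ts:
            del self.blocked[ip]
        if ip in self.blocked:
            self.events.append((ip, "already-blocked", ts))
            return "already-blocked"
        if ip in self.allowlist or status not in FAILURE_STATUSES:
            return None

        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = ts + self.ban_duration
            q.clear()
            self.events.append((ip, "block", ts))
            return "block"
        return None


def run(lines, allowlist=()) -> dict:
    """Replay log lines through a fresh blocker; return its block table and audit events."""
    blocker = DynamicBlocker(allowlist=allowlist)
    for line in lines:
        blocker.observe(line)
    return {
        "blocked": {ip: exp.isoformat() for ip, exp in blocker.blocked.items()},
        "events": [(ip, action, ts.isoformat()) for ip, action, ts in blocker.events],
    }


# Constructed sample: one brute-forcer, one allowlisted monitor probing /admin, one normal user.
SAMPLE_LOG = [
    '192.0.2.5 - - [10/Oct/2024:13:55:30 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - - [10/Oct/2024:13:55:31 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.7 - - [10/Oct/2024:13:55:33 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "POST /login HTTP/1.1" 401 512',
    '198.51.100.9 - - [10/Oct/2024:13:55:37 +0000] "GET /admin HTTP/1.1" 403 221',
    '203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.7 - - [10/Oct/2024:13:55:44 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.7 - - [10/Oct/2024:13:55:45 +0000] "POST /login HTTP/1.1" 401 512',
    '192.0.2.5 - - [10/Oct/2024:13:56:02 +0000] "POST /login HTTP/1.1" 401 512',
]

if __name__ == "__main__":
    result = run(SAMPLE_LOG, allowlist={"198.51.100.9"})
    for ip, action, ts in result["events"]:
        print(f"{ts} {ip} {action}")
    print("block table:", result["blocked"])
```

The allowlist and the expiry are the safety rails: an attacker who can make requests appear to come from your own monitoring or from a large NAT gateway can otherwise use the control to deny service to you. The fifth failure in the window triggers the block; the sixth request is simply logged against the existing ban.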

80
Q

Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years.

Which of the following would be the FIRST step when addressing Information Security formally and consistently in this organization?

Contract a third party to perform a security risk assessment
Define formal roles and responsibilities for Internal audit functions
Define formal roles and responsibilities for Information Security
Create an executive security steering committee

A

Define formal roles and responsibilities for Information Security