Pool of 300, 200 Random

A security manager regularly checks work areas after business hours for security violations; for example unsecured documents or unattended computers with active sessions. This activity BEST demonstrates what part of a security program?
Compliance management
Audit validation
Physical control testing
Security awareness training
Which of the following is the MAIN reason to follow a formal risk management process in an organization that hosts and uses personally identifiable information (PII) as part of its business models and processes?
Need to comply with breach disclosure laws
Fiduciary responsibility to safeguard credit information
Need to transfer the risk associated with hosting PII data
Need to better understand the risk associated with using PII data
A method to transfer risk is to ___________
Implement redundancy
Move operations to another region
Alignment with business operations
Purchase breach insurance
Why is it vitally important that senior management endorse a security policy?
So that employees will follow the policy directives.
So that they can be held legally accountable.
So that external bodies will recognize the organization's commitment to security.
So that they will accept ownership for security within the organization.
Which of the following is MOST important when security leaders of an organization are required to align security to influence the culture of the organization?
Understand the business goals of the organization
Possess a strong technical background
Possess a strong auditing background
Understand all regulations affecting the organization
The PRIMARY objective of security awareness is to:
Encourage security-conscious employee behavior
Put employees on notice in case follow-up action for noncompliance is necessary
Ensure that security policies are read
Meet legal and regulatory requirements
Which of the following is MOST likely to be discretionary?
Policies
Procedures
Guidelines
Standards
Which of the following has the GREATEST impact on the implementation of an information security governance model?
Complexity of organizational structure
Distance between physical locations
Organizational budget
Number of employees
When dealing with Security Incident Response procedures, which of the following steps comes FIRST when responding to an incident?
Eradication
Escalation
Containment
Recovery
The FIRST step in establishing a security governance program is to:
Obtain senior level sponsorship
Conduct a workshop for all end users
Conduct a risk assessment.
Prepare a security budget.
When an organization claims it is secure because it is PCI-DSS certified, what is a good first question to ask toward assessing the effectiveness of its security program?
How many credit card records are stored?
What is the value of the assets at risk?
What is the scope of the certification?
How many servers do you have?
Ensuring that the actions of a set of people, applications and systems follow the organization's rules is BEST described as:
Compliance management
Security management
Risk management
Mitigation management
Which of the following international standards can be BEST used to define a Risk Management process in an organization?
International Organization for Standardization 27005 (ISO 27005)
National Institute of Standards and Technology 800-50 (NIST SP 800-50)
Payment Card Industry Data Security Standard (PCI-DSS)
International Organization for Standardization 27004 (ISO 27004)
A global retail company is creating a new compliance management process.

Which of the following regulations is MOST important to be tracked and managed by this process?
Information Technology Infrastructure Library (ITIL)
National Institute of Standards and Technology (NIST) standards
International Organization for Standardization (ISO) standards
Payment Card Industry Data Security Standard (PCI-DSS)
One of the MAIN goals of a Business Continuity Plan is to ___________
Ensure all infrastructure and applications are available in the event of a disaster
Assign responsibilities to the technical teams responsible for the recovery of all data
Provide step-by-step plans to recover business processes in the event of a disaster
Allow all technical first-responders to understand their roles in the event of a disaster.
The alerting, monitoring and life-cycle management of security-related events is typically handled by the __________
risk management process
risk assessment process
governance, risk, and compliance tools
security threat and vulnerability management process
An organization has defined a set of standard security controls. This organization has also defined the conditions and circumstances in which they should be implemented. What is the NEXT logical step in implementing the controls in the organization?
Determine the risk tolerance
Perform an asset classification
Analyze existing controls on systems
Create an architecture gap analysis
Which of the following is a MAJOR concern when an organization retains sensitive customer data and uses this data to better target the organization's products and services?
Strong authentication technologies
Financial reporting regulations
Credit card compliance and regulations
Local privacy laws
If your organization operates under a model of "assumption of breach", you should:
Establish active firewall monitoring protocols
Purchase insurance for your compliance liability
Focus your security efforts on high value assets
Protect all information resource assets equally
Which of the following is a benefit of information security governance?
Direct involvement of senior management in developing control processes
Reduction of the potential for civil and legal liability
Questioning the trust in vendor relationships
Increasing the risk of decisions based on incomplete management information
The framework that helps to define a minimum standard of protection that business stakeholders must attempt to achieve is referred to as a standard of:
Due Compromise
Due Process
Due Care
Due Security
Which of the following is considered the MOST effective tool against social engineering?
Effective Security Vulnerability Management Program
Anti-malware tools
Effective Security Awareness Program
Anti-phishing tools
After a risk assessment is performed, a particular risk is considered to have the potential of costing the organization 1.2 million USD. This is an example of:
Qualitative risk analysis
Risk Appetite
Quantitative risk analysis
Risk Tolerance
A company wants to fill a Chief Information Security Officer position in the organization. They want to define and implement a more holistic security program. Which of the following qualifications and experience would be MOST desirable to find in a candidate?
Industry certifications, technical knowledge and program management skills
Multiple references, strong background check and industry certifications
Multiple certifications, strong technical capabilities and lengthy resume
College degree, audit capabilities and complex project management
Credit card data, medical information, and government records are all examples of:
None
Communications Information
Bodily Information
Confidential/Protected Information
Territorial Information
You have purchased a new insurance policy as part of your risk strategy. Which of the following risk strategy options have you engaged in?
Risk Mitigation
Risk Acceptance
Risk Avoidance
Risk Transfer
What is the definition of Risk in Information Security?
Risk = Probability x Impact
Risk = Impact x Threat
Risk = Threat x Probability
Risk = Financial Impact x Probability
The establishment of a formal risk management framework and system authorization program is essential. The FINAL step of the system authorization process is:
Getting authority to operate the system from executive management
Contacting the Internet Service Provider for an IP scope
Changing the default passwords
Conducting a final scan of the live system and mitigating all high and medium level vulnerabilities
An organization's firewall technology needs to be changed. A specific technology has been selected that is less expensive than others and lacking in some essential capabilities. The security officer has expressed concerns regarding sensitive data breaches, but the decision is made to purchase. This decision indicates:
A high threat environment
A low vulnerability environment
A high risk tolerance environment
A low risk tolerance environment
Which of the following is MOST important when dealing with an Information Security Steering Committee?
Ensure that security policies and procedures have been vetted and approved.
Review all past audit and compliance reports.
Include a mix of members from different departments and staff levels.
Review all past audit and compliance reports.
An organization is looking for a framework to measure the efficiency and effectiveness of their Information Security Management System. Which of the following international standards can BEST assist this organization?
Payment Card Industry Data Security Standard (PCI-DSS)
International Organization for Standardization 27005 (ISO 27005)
International Organization for Standardization 27004 (ISO 27004)
Control Objectives for Information and Related Technology (COBIT)
Which of the following BEST represents a calculation for Annual Loss Expectancy (ALE)?
Value of the asset multiplied by the loss expectancy
Replacement cost multiplied by the single loss expectancy
Single loss expectancy multiplied by the annual rate of occurrence
Total loss expectancy multiplied by the total loss frequency
The Information Security Management program MUST protect:
against distributed denial of service attacks
Intellectual property released into the public domain
all organizational assets
critical business processes and/or revenue streams
Data flow diagrams are used by IT auditors to:
Graphically summarize data paths and storage processes.
Order data hierarchically
Highlight high-level data definitions
Portray step-by-step details of data generation.
The purpose of NIST SP 800-53 as part of the NIST System Certification and Accreditation Project is to establish a set of standardized, minimum security controls for IT systems addressing low, moderate, and high levels of concern for:
Integrity and Availability
Assurance, Compliance and Availability
International Compliance
Confidentiality, Integrity and Availability
An organization is required to implement background checks on all employees with access to databases containing credit card information. This is considered a security _________
Technical control
Management control
Procedural control
Administrative control
Information security policies should be reviewed __________
By the internal audit semiannually
By the CISO when new systems are brought online
By the Incident Response team after an audit
By stakeholders at least annually
The exposure factor of a threat to your organization is defined by?
Annual loss expectancy minus current cost of controls
Percentage of loss experienced due to a realized threat event
Asset value times exposure factor
Annual rate of occurrence
You have recently drafted a revised information security policy. From whom should you seek endorsement in order to have the GREATEST chance for adoption and implementation throughout the entire organization?
Chief Executive Officer
Chief Information Officer
Chief Information Security Officer
Chief Information Officer
Which of the following are the MOST important elements for proactively determining system vulnerabilities?
Subscribe to vendor mailing lists to get notification of system vulnerabilities
Configure firewall, perimeter router and Intrusion Prevention System (IPS)
Conduct security testing, vulnerability scanning, and penetration testing
Deploy Intrusion Detection System (IDS) and install anti-virus on systems
When selecting a risk mitigation method, what is the MOST important factor?
Approval from the board of directors
Metrics of mitigation method success
Cost of the mitigation is less than the risk
Mitigation method complies with PCI regulations
What role should the CISO play in properly scoping a PCI environment?
Complete the self-assessment questionnaire and work with an Approved Scanning Vendor (ASV) to determine scope
Work with a Qualified Security Assessor (QSA) to determine the scope of the PCI environment
Validate the business units' suggestions as to what should be included in the scoping process
Ensure internal scope validation is completed and that an assessment has been done to discover all credit card data
Which of the following reports should you, as an IT auditor, use to check on compliance with a service level agreement's requirement for uptime?
System logs
Hardware error reports
Availability reports
Utilization reports
You work as a project manager for the TYU project. You are planning for risk mitigation. You need to quickly identify high-level risks that will need further in-depth analysis.

Which of the following activities will help you in this?
Risk mitigation
Estimate activity duration
Quantitative analysis
Qualitative analysis
A global health insurance company is concerned about protecting personal information. Which of the following is of MOST concern to this organization?
Alignment with International Organization for Standardization (ISO) standards.
Alignment with financial reporting regulations for each country where they operate.
Compliance with Payment Card Industry (PCI) regulations.
Compliance with patient information security regulations for each country where they operate.
Which of the following represents the GREATEST negative impact resulting from an ineffective security governance program?
Improper use of information resources
Reduction of budget
Decreased security awareness
Fines for regulatory non-compliance
Which of the following provides an audit framework?
Control Objectives for IT (COBIT)
International Organization for Standardization (ISO) 27002
Payment Card Industry Data Security Standard (PCI-DSS)
National Institute of Standards and Technology (NIST) SP 800-30
What is the NEXT step in developing a risk management process according to the National Institute of Standards and Technology (NIST) SP 800-30 standard?
Mitigate risk
Perform a risk assessment
Determine appetite
Evaluate risk avoidance criteria
Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?
Substantive test of program library controls
A compliance test of the program compiler controls
A compliance test of program library controls
A substantive test of the program compiler controls
When creating a vulnerability scan program, who is the MOST critical person to communicate with in order to ensure the impact of the scan is minimized?
The asset manager
The project manager
The asset owner
The information custodian
What two approaches are used to evaluate risk impact?
Quantitative and qualitative
Qualitative and percent of loss realized
Subjective and Objective
Cost and annual rate of expectance
The patching and monitoring of systems on a consistent schedule is required by?
Industry best practices
Audit best practices
Risk Management framework
Local privacy laws
IT control objectives are useful to IT auditors as they provide the basis for understanding the:
The audit control checklist
Technique for securing information
Desired results or purpose of implementing specific control procedures.
Security policy
Which of the following activities results in change requests?
Corrective actions
Defect repair
Preventive actions
Inspection
What is the MAIN reason for conflicts between Information Technology and Information Security programs?
The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology implementations.
Technology Governance is focused on process risks whereas Security Governance is focused on business risk.
Technology governance defines technology policies and standards while security governance does not.
Security governance defines technology best practices and Information Technology governance does not.
The success of the Chief Information Security Officer is MOST dependent upon:
following the recommendations of consultants and contractors
raising awareness of security issues with end users
favorable audit findings
development of relationships with organization executives
During the course of a risk analysis your IT auditor identified threats and potential impacts. Next, your IT auditor should:
Identify and assess the risk assessment process used by management.
Identify and evaluate existing controls.
Identify information assets and the underlying systems.
Disclose the threats and impacts to management.
What is the primary purpose of the Incident Response Team?
Communicate details of information security incidents
Create effective policies detailing program activities
Ensure efficient recovery and reinstate repaired systems
Provide current employee awareness programs
Creating a secondary authentication process for network access would be an example of?
An administrator with too much time on their hands
Supporting the concept of layered security
Network segmentation
Putting undue time commitment on the system administrator
According to ISO 27001, of the steps for establishing an Information Security Governance program listed below, which comes first?
Decide how to manage risk
Define Information Security Policy
Identify threats, risks, impacts and vulnerabilities
Define the budget of the Information Security Management System
Which of the following functions MUST your Information Security Governance program include for formal organizational reporting?
Human Resources and Budget
Audit and Legal
Budget and Compliance
Legal and Human Resources
Which of the following is a term associated with risk management that represents the estimated frequency at which a threat is expected to occur?
Temporal Probability (TP)
Annualized Rate of Occurrence (ARO)
Single Loss Expectancy (SLE)
Exposure Factor (EF)
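The questions above on quantitative risk analysis, the Risk = Probability x Impact definition, the ALE calculation, exposure factor, the cost of a mitigation versus the risk it addresses, and ARO all rest on the same handful of formulas (SLE = AV x EF, ALE = SLE x ARO). The following is an added worked example in Python, not part of the question pool, that ties them together and carries the arithmetic one step further to a control cost-benefit decision. The asset value, exposure factor, occurrence rates and control cost are constructed numbers, and `safeguard_value`, `recommend` and `rank_by_ale` are helper names chosen here, not terms from the questions.

```python
"""Quantitative risk analysis using the terms from the question pool (AV, EF, SLE, ARO, ALE).

Added worked example; the figures below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of the asset lost when the threat is realized (0.0 - 1.0)
    aro: float              # ARO: expected number of occurrences per year (the "probability" term)

    def __post_init__(self) -> None:
        # EF is a percentage of loss, so anything outside 0..1 is a data-entry error, not a risk.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: AV x EF, the impact of one realized threat event."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: SLE x ARO, i.e. impact x probability on a yearly basis."""
        return self.sle() * self.aro


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_control_cost: float) -> float:
    """Net annual value of a control: the ALE it removes minus what it costs per year.

    Positive means the mitigation costs less than the risk it reduces; negative means the
    organization would pay more for the control than it expects to lose, so acceptance or
    transfer (for example insurance) deserves a second look.
    """
    return before.ale() - after.ale() - annual_control_cost


def recommend(before: RiskScenario, after: RiskScenario, annual_control_cost: float) -> str:
    """Decision rule for the 'cost of the mitigation is less than the risk' criterion."""
    return "implement" if safeguard_value(before, after, annual_control_cost) > 0 else "reject"


def rank_by_ale(scenarios: dict[str, RiskScenario]) -> list[str]:
    """Order named risks by ALE, highest first, so resources go to the largest expected loss."""
    return sorted(scenarios, key=lambda name: scenarios[name].ale(), reverse=True)


if __name__ == "__main__":
    # Constructed example: a customer database worth 2,000,000, a breach destroys 60% of that
    # value, and a breach is expected once every ten years.
    unpatched = RiskScenario(asset_value=2_000_000, exposure_factor=0.6, aro=0.1)
    print(f"SLE = {unpatched.sle():,.0f} per event")    # 1,200,000
    print(f"ALE = {unpatched.ale():,.0f} per year")     # 120,000

    # A control costing 50,000 per year is expected to cut the occurrence rate to once in 50 years.
    patched = RiskScenario(asset_value=2_000_000, exposure_factor=0.6, aro=0.02)
    print(f"safeguard value = {safeguard_value(unpatched, patched, 50_000):,.0f}")  # 46,000
    print(recommend(unpatched, patched, 50_000))         # implement

    web = RiskScenario(asset_value=500_000, exposure_factor=0.2, aro=2.0)  # cheaper asset, hit twice a year
    print(rank_by_ale({"customer_db": unpatched, "web_front_end": web}))   # web first: ALE 200,000
```

Note that the 1.2 million figure in the quantitative-analysis question is a single-event loss (an SLE); turning it into a yearly number, which is what budgets and control costs are compared against, needs the ARO as well.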

A security officer wants to implement a vulnerability scanning program. The officer is uncertain of the state of vulnerability resiliency within the organization's large IT infrastructure.

What would be the BEST approach to minimize scan data output while retaining a realistic view of system vulnerability?

Decrease the vulnerabilities within the scan tool settings
Scan a representative sample of systems
Filter the scan output so only pertinent data is analyzed
Perform the scans only during off-business hours
According to the National Institute of Standards and Technology (NIST) SP 800-40, which of the following considerations are MOST important when creating a vulnerability management program?
Susceptibility to attack, expected duration of attack, and mitigation availability
Attack vectors, controls cost, and investigation staffing needs
Susceptibility to attack, mitigation response time, and cost
Vulnerability exploitation, attack recovery, and mean time to repair
When deploying an Intrusion Prevention System (IPS), the BEST way to get maximum protection from the system is to deploy it
In-line and turn on alert mode to stop malicious traffic
In promiscuous mode and block malicious traffic
In promiscuous mode and only detect malicious traffic
In-line and turn on blocking mode to stop malicious traffic
Which of the following is a weakness of an asset or group of assets that can be exploited by one or more threats?
Vulnerability
Threat
Exploitation
Attack vector

Many times a CISO may have to speak to the Board of Directors (BOD) about their cyber security posture.

What would be the BEST choice of security metrics to present to the BOD?

All vulnerabilities found on servers and desktops
Only critical and high vulnerabilities on servers
Only critical and high vulnerabilities on servers and desktops
All vulnerabilities that impact critical production servers
Which of the following BEST describes an international standard framework that is based on the security model Information Technology - Code of Practice for Information Security Management?
National Institute of Standards and Technology Special Publication SP 800-12
Request for Comments 2196
International Organization for Standardization 27001
National Institute of Standards and Technology Special Publication SP 800-26
When a critical vulnerability has been discovered on production systems and needs to be fixed immediately, what is the BEST approach for a CISO to mitigate the vulnerability under tight budget constraints?
Schedule an emergency meeting and request the funding to fix the issue
Take the system offline until budget is available
Transfer financial resources from other critical programs
Deploy countermeasures and compensating controls until the budget is available
Which of the following is the MOST effective way to measure the effectiveness of security controls on a perimeter network?
Perform a vulnerability scan of the network
Internal firewall ruleset reviews
Implement network intrusion prevention systems
External penetration testing by a qualified third party
The CIO of an organization has decided to assign the responsibility of internal IT audit to the IT team. This is considered a bad practice MAINLY because ___________
The IT team is not familiar with IT audit practices
This represents a bad implementation of the Least Privilege principle
The IT team is not certified to perform audits
This represents a conflict of interest
Which is the BEST solution to monitor, measure, and report changes to critical data in a system?
SNMP traps
Syslog
File integrity monitoring
Application logs
When should IT security project management be outsourced?
On projects not forecasted in the yearly budget
When organizational resources are limited
When the benefits of outsourcing outweigh the inherent risks of outsourcing
On new, enterprise-wide security initiatives
A new CISO just started with a company, and on the CISO's desk is the last complete Information Security Management audit report. The audit report is over two years old.

After reviewing it, what should be the CISO's FIRST priority?

Review the recommendations and follow up to see if audit implemented the changes
Meet with the audit team to determine a timeline for corrections
Have internal audit conduct another audit to see what has changed
Contract with an external audit company to conduct an unbiased audit
When you develop your audit remediation plan, what is the MOST important criterion?
To validate the remediation process with the auditor.
To validate that the cost of the remediation is less than the risk of the finding.
To remediate half of the findings before the next audit.
To remediate all of the findings before the next audit.
To have accurate and effective information security policies, how often should the CISO review the organization's policies?
Before an audit
At least once a year
Quarterly
Every 6 months
When a CISO considers delaying or not remediating system vulnerabilities, which of the following are MOST important to take into account?
Threat Level, Risk of Compromise, and Consequences of Compromise
Risk Avoidance, Threat Level, and Consequences of Compromise
Reputational Impact, Financial Impact, and Risk of Compromise
Risk Transfer, Reputational Impact, and Consequences of Compromise
At which point should the identity access management team be notified of the termination of an employee?
Immediately so the employee account(s) can be disabled
During the monthly review cycle
At the end of the day once the employee is off site
Before an audit
Providing oversight of a comprehensive information security program for the entire organization is the primary responsibility of which group under the InfoSec governance framework?
Office of the General Counsel
Office of the Auditor
Senior Executives
All employees and users
With respect to the audit management process, management response serves what function?
revealing the "root cause" of the process failure and mitigating for all internal and external units
adding controls to ensure that proper oversight is achieved by management
determining whether or not resources will be allocated to remediate a finding
placing underperforming units on notice for failing to meet standards
The remediation of a specific audit finding is deemed too expensive and will not be implemented. Which of the following is a TRUE statement?
The audit finding is incorrect
The asset is more expensive than the remediation
The asset being protected is less valuable than the remediation costs
The remediation costs are irrelevant; it must be implemented regardless of cost
Which of the following organizations is typically in charge of validating the implementation and effectiveness of security controls?
Security Operations
Internal/External Audit
Risk Management
Security Administrators
Which represents PROPER separation of duties in the corporate environment?
Information Security and Network teams perform two distinct functions
Information Security and Identity Access Management teams perform two distinct functions
Finance has access to Human Resources information
Developers and Network teams both have admin rights on servers
An organization has implemented a change management process for all changes to the IT production environment. This change management process follows best practices and is expected to help stabilize the availability and integrity of the organization's IT environment.

Which of the following can be used to measure the effectiveness of this newly implemented process?

Number and length of planned outages
Number of change orders processed
Number of change orders rejected
Number of unplanned outages
You have implemented the new controls. What is the next step?
Perform a risk assessment
Monitor the effectiveness of the controls
Document the process for the stakeholders
Update the audit findings report

A system was hardened at the Operating System level and placed into the production environment. Months later an audit was performed and it identified insecure configuration different from the original hardened state.

Which of the following security issues is the MOST likely cause leading to the audit findings?

Lack of asset management processes
Lack of hardening standards
Lack of proper access controls
Lack of change management processes
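The file integrity monitoring question above and the hardened-system drift question just above describe the same mechanism from two sides: record a baseline of critical files when the system is in its approved state, then compare the live system against it and report what was added, removed or modified, including permission changes that a content hash alone would miss. The following is an added example in Python, not part of the question pool or of any particular FIM product; it builds a throwaway directory tree with constructed sshd_config, shadow and motd files standing in for a hardened host, and assumes a POSIX filesystem so that mode bits are meaningful.

```python
"""Minimal file integrity monitor: baseline a tree, then report drift from the baseline.

Added example. The file names and contents in run_demo() are constructed stand-ins for
a hardened host; they are created in a temporary directory and never touch the real /etc.
"""
from __future__ import annotations

import hashlib
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Content hash plus the metadata a hardening baseline cares about (mode bits, size)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.lstat()
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def build_baseline(root: Path) -> dict[str, dict]:
    """Map every regular file under root (relative POSIX path) to its fingerprint."""
    baseline: dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list]:
    """Classify drift as added, removed, or modified; modified entries carry the reasons."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for name in sorted(set(baseline) & set(current)):
        before, after = baseline[name], current[name]
        reasons = [k for k in ("sha256", "mode", "size") if before[k] != after[k]]
        if reasons:
            modified.append((name, reasons))
    return {"added": added, "removed": removed, "modified": modified}


def run_demo() -> dict[str, list]:
    """Harden, baseline, drift, compare. Returns the drift report for the constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        sshd = etc / "sshd_config"
        sshd.write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        shadow = etc / "shadow"
        shadow.write_text("root:*:19000:0:99999:7:::\n")  # constructed, not a real hash
        shadow.chmod(0o600)
        (etc / "motd").write_text("authorized use only\n")
        baseline = build_baseline(Path(tmp))  # taken at the approved hardened state

        # Unmanaged changes months later: password auth re-enabled, shadow made world-readable,
        # a stray key dropped in, and the login banner deleted. None went through change control.
        sshd.write_text("PermitRootLogin no\nPasswordAuthentication yes\n")
        shadow.chmod(0o644)
        (etc / "extra.key").write_text("-----BEGIN PRIVATE KEY-----\n")
        (etc / "motd").unlink()

        return compare(baseline, build_baseline(Path(tmp)))


if __name__ == "__main__":
    for kind, entries in run_demo().items():
        print(kind, entries)
```

In a real deployment the baseline would be stored off-host (or signed) so that whoever drifts the system cannot also rewrite the reference, and the report would be re-generated on a schedule and fed to the SIEM; the comparison logic itself does not change.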

An audit was conducted and many critical applications were found to have no disaster recovery plans in place. You conduct a Business Impact Analysis (BIA) to determine the impact to the company for each application.

What should be the NEXT step?

Create technology recovery plans
Determine the annual loss expectancy (ALE)
Build a secondary hot site
Create a crisis management plan
Which of the following are primary concerns for management with respect to assessing internal control objectives?
Confidentiality, Availability, Integrity
Compliance, Effectiveness, Efficiency
Communication, Reliability, Cost
Confidentiality, Compliance, Cost
The effectiveness of an audit is measured by?
The number of security controls the company has in use
How it exposes the risk tolerance of the company
The number of actionable items in the recommendations
How the recommendations directly support the goals of the company
Which of the following is the MOST important reason to measure the effectiveness of an Information Security Management System (ISMS)?
Better understand the threats and vulnerabilities affecting the environment
Better understand strengths and weaknesses of the program
Meet regulatory compliance requirements
Meet legal requirements
Control Objectives for Information and Related Technology (COBIT) is which of the following?
An audit guideline for certifying secure systems and controls
An Information Security audit standard
A framework for Information Technology management and governance
A set of international regulations for Information Technology governance
Which of the following are necessary to prepare responses to external audit findings?
Technical Staff, Budget Authority, Management
Technical Staff, Internal Audit, Budget Authority
Internal Audit, Budget Authority, Management
Internal Audit, Management, and Technical Staff

Acme Inc. has engaged a third party vendor to provide 99.999% up-time for their online web presence and had them contractually agree to this service level agreement.

What type of risk tolerance is Acme exhibiting?

medium-high risk tolerance
low risk tolerance
high risk tolerance
moderate risk tolerance

You currently cannot provide 24/7 coverage of your security monitoring and incident response duties, and your company is resistant to the idea of adding more full-time employees to the payroll.

Which combination of solutions would help to provide the coverage needed without the addition of more dedicated staff?

Employ an assumption of breach protocol and defend only essential information resources.
Deploy a SIEM solution and have current staff review incidents first thing in the morning
Configure your syslog to send SMS messages to current staff when critical events are triggered.
Contract with a managed security provider and have current staff on recall for incident response

A department within your company has proposed a third party vendor solution to address a pressing, critical business need. As the CISO you have been asked to accelerate screening of their security control claims.

Which of the following vendor-provided documents is BEST to base your decision on?

Vendor-provided reference from an existing reputable client detailing their implementation
Vendor's client list of reputable organizations currently using their solution
Vendor-provided internal risk assessment and security control documentation
Vendor-provided attestation of the detailed security controls from a reputable accounting firm

A critical security threat has been identified on your corporate network. As CISO you quickly assemble key members of the Information Technology team and business operations to determine a modification to security controls in response to the threat.

This is an example of:

Change management
Thought leadership
Business continuity planning
Security Incident Response
When operating under severe budget constraints a CISO will have to be creative to maintain a strong security organization. Which example below is the MOST creative way to maintain a strong security posture during these difficult times?
Download security tools from a trusted source and deploy to production network
Download open source security tools from a trusted site, test, and then deploy on production network
Download trial versions of commercially available security tools and deploy on your production network
Download open source security tools and deploy them on your production network
Which of the following will be MOST helpful for getting an Information Security project that is behind schedule back on schedule?
More frequent project milestone meetings
Involve internal audit
Upper management support
More training of staff members
The organization does not have the time to remediate the vulnerability; however, it is critical to release the application. Which of the following needs to be further assessed to help mitigate the risks?
Provide security testing tools
Provide developer security training
Deploy Intrusion Detection Systems
Implement Compensating Controls
Which of the following is a major benefit of using risk levels?
Resources are not wasted on risks that are already managed to an acceptable level
Risk appetite increases within the organization once the levels are understood
Risk budgets are more easily managed due to fewer identified risks as a result of using a methodology
Risk management governance becomes easier since most risks remain low once mitigated
Which business stakeholder is responsible for the integrity of a new information system?
Compliance Officer
CISO
Project manager
Board of directors

A CISO chooses to examine the IT infrastructure to guarantee security solutions adhere to the concepts of how hardware and software is implemented and managed within the corporation.

Which of the given values does this most appropriately demonstrate?

Proper budget management
Operative use of existing technologies
Alignment with the business
Leveraging existing applications
When collecting security requirements for an automated business process improvement program, which of the given is MOST important?
Type of information contained in the process/system
Type of encryption needed for the information once it is at rest
Type of computer the information is processed on
Type of connection/protocol used to transmit the information

You manage a newly formed Security Operations Center (SOC); your team is being flooded with security alerts and doesn't know what to do.

What is the MOST SUITABLE method to control this situation?

Tune the sensors to help reduce false positives so the team can react better
Request additional resources to handle the workload
Tell the team to do their best and respond to each alert
Tell the team to only respond to the critical and high alerts
Information Security is frequently considered an excessive, after-the-fact cost when a project or initiative is completed. What can be done to guarantee that security is addressed cost effectively?
Launch an internal awareness campaign
Installation of new firewalls and intrusion detection systems
Integrate security requirements into project inception
User awareness training for all employees
Which of the given is the MOST SUITABLE indicator of a successful project?
It comes in at or below the expenditures planned for in the baseline budget
It meets most of the specifications as outlined in the approved project description
It is completed on time or early as compared to the baseline project plan
The deliverables are accepted by the key stakeholders
Which of the given is the MOST important element of any change management procedure?
Outage planning
Scheduling
Management approval
Back-out methods
When choosing a security solution with recurring maintenance costs after the first year:
Implement the solution and ask for the increased operating cost budget when it is time
Communicate future operating costs to the CIO/CFO and seek commitment from them to ensure the new solution's continued use
Defer selection until the market improves and cash flow is positive
The CISO should cut other essential programs to ensure the new solution's continued use
What oversight should the information security team have in the change management process for application security?
Information security should be aware of any significant application security changes and work with developers to test for vulnerabilities before changes are deployed in production
Information security should be aware of all application changes and work with developers before changes are deployed in production
Information security should be informed of changes to applications only
Development team should tell the information security team about any application security flaws

An application vulnerability assessment has identified a security flaw in an application. This is a flaw that was previously identified and remediated on a previous release of the application.

Which of the given is MOST likely the reason for this recurring issue?

Lack of version/source controls
Lack of change management controls
Ineffective configuration management controls
High turnover in the application development department
In an effort to save your company money, which of the given training approaches results in the lowest cost for the corporation?
One-One Training
Self-Study (non computerized)
Distance learning/Web seminars
Formal Class
Which of the given represents the MOST SUITABLE way of attaining business unit approval of security controls within a corporation?
Allow the business units to decide which controls apply to their systems, for instance the encryption of sensitive information
Ensure business units are involved in the creation of controls and defining circumstances under which they must be implemented
Provide the business units with control mandates and schedules of audits for compliance validation
Create separate controls for the business based on the types of business and functions they perform
Risk appetite is normally determined by which of the given organizational functions?
Business units
Board of Directors
Audit and compliance
Security
How frequently should the Statements of Standards for Attestation Engagements-16 (SSAE16)/International Standard on Assurance Engagements 3402 (ISAE3402) reports of your vendors be reviewed?
Annually
Quarterly
Bi-annually
Semi-annually
Which of the given represents the MOST SUITABLE way of ensuring security program alignment to business needs?
Ensure the corporation has strong executive-level security representation through clear sponsorship or the creation of a CISO role
Create a comprehensive security awareness program and provide success metrics to business units
Create security consortiums, for instance strategic security planning groups, that include business unit participation
Ensure security implementations include business unit testing and functional validation prior to production rollout
A suggested way to document the individual roles of groups and individuals for a given process is to:
Develop a detailed internal corporation chart
Develop an isolinear response matrix with cost benefit analysis projections
Develop a Responsible, Accountable, Consulted, Informed (RACI) chart
Develop a telephone call tree for emergency response
This happens when the quantity or quality of project deliverables is extended from the original project plan.
Scope creep
Deadline extension
Deliverable expansion
Scope modification

The security team has investigated the theft/loss of numerous unencrypted laptop computers containing sensitive corporate information. To avert the loss of any additional corporate information it is unilaterally decided by the CISO that all present and future laptop computers will be encrypted. Soon, the help desk is flooded with complaints about the slow performance of the laptops and users are upset.

What did the CISO do wrong?

Failed to identify all stakeholders and their needs
Deployed the encryption solution in an inadequate manner
Used 1024 bit encryption when 256 bit would have sufficed
Used hardware encryption instead of software encryption
An instance of professional unethical behavior is:
Sharing copyrighted material with other members of a professional organization where all members have legitimate access to the material
Copying documents from an employer's server which you assert that you have an intellectual property claim to possess, but the company disputes
Storing client lists and other sensitive corporate internal documents on a removable thumb drive
Gaining access to an affiliated employee's work email account as part of an officially sanctioned internal investigation
When considering using a vendor to help support your security devices remotely, what is the MOST SUITABLE option for permitting access?
Vendor uses their own laptop and logs in using two factor authentication with their own unique credentials
Vendor uses a company supplied laptop and logs in using two factor authentication with the same admin credentials your security team uses
Vendor uses a company supplied laptop and logs in using two factor authentication with their own unique credentials
Vendor uses their own laptop and logs in with the same admin credentials your security team uses
Which of the given is critical in making a security program aligned with a corporation's purposes?
Develop a culture in which users, managers and IT professionals all make good decisions about information risk
Provide clear communication of security program support requirements and audit schedules
Create security awareness programs that include clear explanation of security program aims and charters
Ensure security budgets enable technical acquisition and resource allocation based on internal compliance requirements
The company chooses to release the application without remediating the high-risk vulnerabilities. Which of the given is the MOST likely reason for the company to release the application?
The company does not believe the security vulnerabilities to be real
The company lacks the tools to perform a vulnerability assessment
The company lacks a risk management procedure
The company has a high risk tolerance
Which of the given is a strong post designed to stop a car?
Fence
Bollard
Reinforced rebar
Gate
Which of the given components of a computer system will an anti-virus program scan for viruses?
Boot Sector
Password Protected Documents
Windows Process List
Deleted Documents

A CISO has just joined a corporation with a poorly implemented security program. The need is to base the security program on a risk management approach.

Which of the given is an initial requirement in order to start this sort of program?

A complete inventory of Information technology assets including infrastructure, networks, applications and information
A security organization that is adequately staffed to apply needed mitigation strategies and regulatory compliance solutions
A clear set of security policies and procedures that are more concept-based than controls-based
A clearly identified executive sponsor who will champion the effort to ensure organizational buy-in
Which of the given methodologies references the suggested industry standard that Information security project managers should follow?
The Security Systems Development Life Cycle
Project Management System Methodology
Project Management Body of Knowledge
The Security Project and Management Methodology
Knowing the potential financial loss a corporation is willing to suffer if a system fails is a determination of which of the given?
Cost benefit
Risk appetite
Business continuity
Likelihood of impact
Which of the given methods are used to describe predetermined obligations that force a vendor to meet customer expectations?
Terms and Conditions
Statements of Work
Service Level Agreements (SLA)
Key Performance Indicators (KPI)
Which of the given functions assesses patches used to close software vulnerabilities of new systems to guarantee compliance with policy when implementing an information security program?
Incident response
Risk assessment
Planning
System testing
Which of the given functions implements and oversees the use of controls to decrease risk when making an information security program?
Risk Assessment
Risk Management
Incident Response
Network Security administration
The process of identifying and classifying assets is typically included in the:
Threat analysis process
Business Impact Analysis
Asset configuration management process
Disaster Recovery plan
What are the principal reasons for the development of a business case for a security project?
To forecast usage and cost per software licensing
To understand the attack vectors and attack sources
To communicate risk and forecast resource needs
To estimate risk and negate liability to the company
John is the project manager for a large project in his corporation. A new change request has been proposed that will affect numerous parts of the project. One part of the project change impact is on work that a vendor has already finished. The vendor is declining to make the changes as they've already finished the project work they were contracted to do. What can John do in this case?
Withhold the vendor's payments until the issue is resolved.
Refer to the contract agreement for direction.
Refer the vendor to the Service Level Agreement (SLA) and insist that they make the changes.
Review the Request for proposal (RFP) for guidance.
One of your administrators needs to send an important and private email. You want to make certain that the message cannot be read by anyone but the recipient. Which of the given keys should be used to encrypt the message?
Certificate authority key
The recipient's private key
The recipient's public key
Your public key
When dealing with risk, the information security practitioner may choose to:
acknowledge
transfer
assign
defer
The Annualized Loss Expectancy (Before) minus Annualized Loss Expectancy (After) minus Annual Safeguard Cost is the formula for determining:
Single Loss Expectancy
Life Cycle Loss Expectancy
Safeguard Value
Cost Benefit Analysis
Human resource planning for security professionals in your corporation is a:
Training requirement that is on-going and always changing.
Simple and easy task since the threats are getting easier to find and correct.
Training requirement that is met through once every year user training.
Not needed since automation and anti-virus software has eliminated the threats.

Your company has limited resources to spend on security initiatives. The Chief Financial Officer asks you to prioritize the security of information resources based on their value to the company. It is important that you be able to communicate in language that your fellow executives will understand.

You should:

Create a detailed technical executive summary
Create timelines for mitigation
Calculate annual loss expectancy
Develop a cost-benefit analysis
What is the MOST SUITABLE reason for having a formal request for proposal process?
Creates a timeline for purchasing and budgeting
Informs suppliers a company is going to make a purchase
Allows small companies to compete with larger companies

You are having a penetration test done on your company network and the leader of the team says they discovered all the network devices since no one had changed the Simple Network Management Protocol (SNMP) community strings from the defaults.

Which of the given is a default community string?

Public
Administrator
Execute
Read

As the CISO you need to write the IT security strategic plan.

Which of the given is the MOST important to review before you start writing the plan?

The existing IT environment
Other corporate technology trends
The company business plan
The current IT budget
The rate of change in technology raises the significance of:
Hiring personnel with leading edge skills.
Understanding user requirements.
Outsourcing the IT functions.
Implementing and enforcing good processes.
Your corporation offers open guest wireless access with no captive portals. What can you do to assist with law enforcement investigations if one of your guests is suspected of committing an illegal act using your network?
Provide IP and MAC address
Disable SSID Broadcast and enable MAC address filtering on all wireless access points.
Install a firewall software on each wireless access point.
Configure logging on each access point
The total cost of security controls should:
Be equal to the value of the information resource being protected
Not matter, as long as the information resource is protected
Be greater than the value of the information resource being protected
Be less than the value of the information resource being protected
Which of the given is considered the foundation for the Enterprise Information Security Architecture (EISA)?
Information classification
Security regulations
Information security policy
Asset classification
Which of the given is the PRIMARY security concern for public cloud computing?
Unable to control physical access to the servers
Unable to patch systems as needed
Unable to run anti-virus scans
Unable to track log on action
When updating the security strategic planning document, what two items must be included?
Alignment with the business aims and the vision of the CIO
The risk tolerance of the company and the company mission statement
The alignment with the business aims and the risk tolerance
The executive summary and vision of the board of directors

Your incident handling manager detects a virus attack in the network of your company.

You create a signature based on the characteristics of the identified virus.

Which of the given stages in the incident handling process will utilize the signature to resolve this incident?

Eradication
Containment
Recovery
Identification

A system is designed to dynamically block offending Internet IP addresses from requesting services from a secure website.

This kind of control is considered:

A. Preventive detection control
B. Corrective security control
C. Zero-day attack mitigation
D. Dynamic blocking control
Which of the given is a countermeasure to avert unauthorized database access from web applications?
A. Removing all stored procedures
B. Library control
C. Input sanitization
D. Session encryption
The process of identifying, collecting, and producing digital information in support of legal proceedings is called:
chain of custody
electronic review
evidence tampering
electronic discovery
An anonymity network is a series of:
A. Covert government networks
B. Virtual network tunnels
C. Government networks in Tora
D. War driving maps
The newly hired CISO of a corporation is reviewing the IT security strategic plan. Which of the given is the MOST important element of the strategic plan?
There is a clear explanation of the IT security mission and vision.
The plan requires return on investment for all security projects.
There is integration between IT security and business staffing
There is an auditing methodology in place.
Access Control lists (ACLs), Firewalls, and Intrusion Prevention Systems are instances of __________
User segmentation controls
Software segmentation controls
Network based security detective controls
Network based security preventative controls
While designing a secondary data center for your company, what document needs to be analyzed to determine how much should be spent on building the data center?
Business continuity plan
Application mapping document
Disaster recovery strategic plan
Enterprise Risk Assessment
What is the primary reason for performing a return on investment analysis?
To determine the current present value of a project
To determine the annual rate of loss
To decide between multiple vendors
To decide if the solution costs less than the risk it is mitigating
Physical security measures normally contain which of the given components?
A. Strong password, Biometric, Common Access Card
B. Technical, Strong Password, Operational
C. Operational, Biometric, Physical
D. Physical, Technical, Operational
Which of the given is MOST important when tuning an Intrusion Detection System (IDS)?
Log retention
Storage encryption
Type of authentication
Trusted and untrusted networks
Which of the given situations would be the MOST likely reason for a security project to be rejected by the executive board of a corporation?
The NPV of the project is negative
The return on Investment (ROI) is larger than 10 months
The Net Present value (NPV) of the project is positive
The ROI is lower than 10 months

A customer of a bank has placed a dispute on a payment for a credit card account. The banking system uses digital signatures to safeguard the integrity of their transactions.

The bank claims that the system shows proof that the customer in fact made the payment.

What is this system capability generally identified as?

conflict resolution
strong authentication
non-repudiation
digital rights management
What is the term describing the act of inspecting all real-time Internet traffic (i.e., packets) traversing a major Internet backbone without presenting any apparent latency?
Deep-Packet inspection
Traffic Analysis
Heuristic analysis
Packet sampling
Which wireless encryption technology makes use of temporal keys?
Wi-Fi Protected Access version 2 (WPA2)
Wireless Equivalence Protocol (WEP)
Wireless Application Protocol (WAP)
Extensible Authentication Protocol (EAP)
The ability to demand the application and management of security controls on third parties providing services to a corporation is:
Disaster recovery
Security Governance
Vendor management
Compliance management
Security related breaches are assessed and controlled through which of the given?
The IT support team
A forensic analysis
Physical security team
Incident response
Involvement of senior management is MOST important in the development of:
IT security methods
IT security application plans
Standards and guidelines
IT security policies

The general ledger setup function in an enterprise resource package allows for setting accounting periods. Access to this function has been granted to users in finance, the shipping department, and production scheduling.

What is the most likely reason for such wide access?

The need to change accounting periods on a regular basis.
The need to create and modify the chart of accounts and its allocations.
The requirement to post entries for closed accounting periods.
The lack of policies and methods for the proper segregation of duties
In terms of supporting a forensic investigation, it is imperative that managers, first responders, etc., take the following action with the computer under investigation:
Immediately place hard drive and other components in an anti-static bag
Secure the area and try to maintain power until investigators arrive
Secure the area and shut down the computer until investigators arrive
Secure the area
What sort of attack involves the least amount of technical equipment and has the highest success rate?
Social engineering
Shrink wrap attacks
Operating system attacks
War driving
The process of establishing a system which distributes documents based on their security level to manage access to private information is known as:
security coding
Privacy security
information security system
information classification
What is the FIRST step in developing the vulnerability management program?
Baseline the Environment
Define policy
Maintain and Monitor
Organization Vulnerability
Which of the given statements about Encapsulating Security Payload (ESP) is correct?
It is an IPSec protocol
It is a text-based communication protocol
It uses UDP port 22
It uses TCP port 22 as the default port and functions at the application layer
Which of the given is a symmetric encryption algorithm?
3DES
RSA
ECC
MD5
When analyzing and predicting an operating expenditure budget, what is not included?
New information center to operate from
Network connectivity costs
Software and hardware license fees
Utilities and power costs

Situation: You are the CISO and have just completed your first risk assessment for your corporation. You find many risks with no security controls, and a few risks with insufficient controls. You assign work to your staff to create or adjust existing security controls to guarantee they are satisfactory for risk mitigation needs.

When formulating the remediation plan, what is a required input?

Board of directors
Latest virus definitions file
Patching history
Risk assessment

Situation: You are the newly appointed Chief Information Security Officer for a company that has not previously had a senior level security practitioner. The company lacks a defined security policy and framework for their Information Security Program. Your new boss, the Chief Financial Officer, has asked you to draft an outline of a security policy and suggest an industry/sector neutral information security control framework for implementation.

Your Corporate Information Security Policy should contain which of the given?

Roles and responsibilities
Information security theory
Incident response contacts
Desktop configuration standards

Situation: Most industries involve compliance with multiple government regulations and/or industry standards to meet information security and privacy mandates. What is one recognized way to account for common elements found within separate regulations and/or standards?

Design your program to meet the strictest government standards
Develop a crosswalk
Hire a GRC expert
Use the Find function of your word processor

Situation: Your program is developed around minimizing risk to information by focusing on people, technology, and operations. You have decided to deal with risk to information from people first.

How can you diminish risk to your most sensitive information before allowing access?

Set your firewall permissions aggressively and monitor logs frequently.
Develop an Information Security Awareness program
Conduct background checks on individuals before hiring them
Monitor employee browsing and surfing habits

Situation: A Chief Information Security Officer (CISO) just had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified. The CISO has validated audit findings, determined if compensating controls exist, and started initial remediation planning.

Which of the given is the MOST logical next step?

Create detailed remediation funding and staffing plans
Report the audit findings and remediation status to business stakeholders
Validate the efficiency of current controls
Review security procedures to determine if they need to be modified according to findings

Situation: A corporation has made a decision to address Information Security properly and consistently by adopting established best practices and industry standards. The corporation is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years.

Which of the given frameworks and standards will BEST fit the corporation as a baseline for their security program?

NIST and Privacy Regulations
NIST and information breach notification laws
ISO 27000 and Payment Card Industry Information Security Standards
ISO 27000 and Human resources best practices

Situation: A CISO has numerous two-factor authentication systems under review and chooses the one that is most adequate and least costly. The implementation project planning is finalized and the teams are ready to implement the solution. The CISO then determines that the product is not as scalable as initially thought and will not fit the corporation's requirements.

What is the MOST logical course of action the CISO should take?

Cancel the project if the business need was based on internal requirements versus regulatory compliance requirements
Review the original solution set to determine if another system would fit the corporation's risk appetite and budget regulatory compliance requirements
Continue with the project until the scalability issue is validated by others, for instance an auditor or third party assessor.
Continue with the implementation and submit change requests to the vendor in order to ensure needed functionality will be provided when needed

Situation: Your corporate systems have been under constant probing and attack from foreign IP addresses for more than a week. Your security team and security infrastructure have done well under the stress. You are confident that your defenses have held up under the test, but rumors are spreading that sensitive customer information has been stolen and is now being sold on the Internet by criminal elements.

During your investigation of the suspected compromise you determine that information has been breached and you have discovered the repository of stolen information on a server located in a foreign country. Your team now has full access to the information on the foreign server.

What action should you take FIRST?

Consult with other C-Level executives to develop an action plan
Contract with a credit reporting company for paid monitoring services for affected customers
Contact your local law enforcement agency
Destroy the repository of stolen information

Situation: Your corporation employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and information. Permission to individual systems and databases is vetted and permitted through supervisors and information owners to ensure that only permitted personnel can use certain applications or retrieve information.

All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the corporate VPN. The corporation wants a more permanent solution to the threat of user credential compromise through phishing.

What technical solution would BEST address this matter?

Multi-factor authentication employing hard tokens
Forcing password changes every 90 days
Decreasing the number of employees with administrator privileges
Professional user education on phishing conducted by a reputable vendor

Situation: You are the newly appointed Chief Information Security Officer for a company that has not previously had a senior level security practitioner. The company lacks a defined security policy and framework for their Information Security Program. Your new boss, the Chief Financial Officer, has asked you to draft an outline of a security policy and recommend an industry/sector neutral information security control framework for implementation.

Which of the given industry/sector neutral information security control frameworks should you recommend for implementation?

Payment Card Industry Digital Security Standard (PCI DSS)
National Institute of Standards and Technology (NIST) Special Publication 800-53
International Organization for Standardization - ISO 27001/2
British Standard 7799 (BS7799)

Situation: You are the CISO and are required to brief the C-level executive team on your information security audit for the year. During your review of the audit findings you determine that many of the controls that were put in place the preceding year to correct some of the findings are not performing as required. You have thirty days until the briefing.

To formulate a remediation plan for the non-performing controls what other document do you need to review before adjusting the controls?

Business Continuity plan
Security roadmap
Business Impact Analysis
Annual report to shareholders

Situation: A corporation has only just appointed a CISO. This is a new role in the corporation and it signals the growing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to progress the IT security centric agenda.

From an Information Security Leadership perspective, which of the given is a MAJOR concern about the CISO's methodology to security?

IT security centric agenda
Lack of risk management procedure
Compliance centric agenda

Situation: Your corporation employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and information. Permission to individual systems and databases is vetted and permitted through supervisors and information owners to ensure that only permitted personnel can use certain applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the corporate VPN.

Once supervisors and information owners have permitted requests, information system administrators will implement:

Management control(s)
Technical control(s)
Operational control(s)
Policy controls(s)

Situation: Critical servers show signs of erratic behavior within your corporation's Intranet. Preliminary information shows the systems are under attack from an outside entity. As the Chief Information Security Officer (CISO), you decide to organize the Incident Response Team (IRT) to determine the particulars of this incident and take action according to the information available to the team. During early investigation, the team suspects criminal action but cannot initially prove or disprove illegal actions.

What is the MOST critical aspect of the team's activities?

Regular communication of incident status to executives
Preservation of information
Eradication of malware and system restoration
Determination of the attack source
Situation: As you begin to progress the set-up for your corporation, you assess the corporate culture and determine that there is a persistent opinion that the security set-up only slows things down and confines the performance of the "real workers." Which group of people should be consulted when developing your security set-up?
Peers
End Users
Executive Management
All of the above

Situation: Numerous industries entail compliance with multiple government regulations and/or industry standards to meet information security and privacy mandates. When multiple regulations or standards apply to your industry, you should set controls to meet the ______________.

Most complex standard
Recommendations of your Legal Staff
Easiest regulation or standard to implement
Stricter regulation or standard

Situation: You are the CISO and have just completed your first risk assessment for your corporation. You find many risks with no security controls, and a few risks with insufficient controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs. You have identified potential solutions for all of your risks that do not have security controls.

What is the NEXT move?

Create risk metrics for all unmitigated risks
Get approval from the board of directors
Verify that the cost of mitigation is less than the risk
Screen potential vendor solutions

You have just been appointed as the new CISO and are being briefed on all the Information Security projects that your section has ongoing. You discover that most projects are behind schedule and over budget. Using best practices for project management, you determine that the project correctly aligns with the company aims and that the scope of the project is correct.

What is the NEXT move?

Verify resources
Review time schedules
Verify budget
Verify constraints

Situation: Critical servers show signs of erratic performance within your corporation's intranet. Primary information shows the systems are under attack from an outside entity. As the Chief Information Security Officer (CISO), you choose to organize the Incident Response Team (IRT) to determine the particulars of this incident and take action according to the information accessible to the team.

What phase of the response provides measures to reduce the likelihood of an incident from recurring?

Recovery
Follow-up
Response
Investigation

Situation: A Chief Information Security Officer (CISO) in recent times had a third party conduct an audit of the security set-up. Internal policies and international standards were used as audit baselines. The audit report was offered to the CISO and a variety of high, medium and low rated gaps were identified. The CISO has implemented remediation activities.

Which of the given is the MOST rational next move?

Validate the efficiency of operated controls
Report the audit findings and remediation status to business stake holders
Validate security set-up resource requirements
Review security methods to determine if they need to be modified according to the findings

Situation: Your corporation employs single sign-on (user name and password only) as a convenience to your employees to access corporate systems and information. Access to individual systems and information bases is vetted and accepted through supervisors and information owners to guarantee that only appropriate personnel can use certain applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the corporate VPN. Recently, members of your corporation have been targeted by a number of sophisticated phishing attempts and have compromised their system credentials.

What action can you take to prevent the misuse of compromised credentials to change bank account information from outside your corporation while still allowing employees to manage their bank information?

Turn off VPN access for users originating from outside the country
Force a change of all passwords
Enable monitoring on the VPN for suspicious action
Block access to the Employee Self-Service application via VPN

Situation: A CISO has several two-factor authentication systems under review and selects the one that is most sufficient and least costly. The implementation project planning is completed and the teams are ready to implement the solution. The CISO then discovers that the product is not as scalable as originally thought and will not fit the corporation's needs. The CISO is unsure of the information provided and orders a vendor proof of concept to validate the system's scalability.

This exhibits which of the given?

A methodology-based approach to ensure authentication mechanism functions
An approach providing minimum time impact to the application schedules
An approach that allows for minimum budget impact if the solution is unsuitable
A risk-based approach to determine if the solution is suitable for investment

Situation: Your corporation employs single sign-on (user name and password only) as a convenience to your employees to access corporate systems and information. Access to individual systems and information bases is vetted and permitted through supervisors and information owners to ensure that only permitted personnel can use certain applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the corporate VPN.

What type of control is being implemented by supervisors and information owners?

Management
Technical
Operational
Administrative

Situation: A corporation has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The corporation is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years. This global retail company is expected to accept credit card payments.

Which of the given is of MOST concern when defining a security set-up for this corporation?

Adherence to local information breach notification laws
Compliance to Payment Card Industry (PCI) information security standards
Compliance with local government privacy laws
International encryption restrictions

Situation: A corporation has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The corporation is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years.

Which of the given would be the FIRST move when addressing Information Security properly and reliably in this corporation?

Describe formal roles and responsibilities for Information Security
Describe formal roles and responsibilities for Internal audit functions
Create an executive security steering committee
Contract a third party to perform a security risk assessment

Situation: A corporation has just employed a CISO. This is a new role in the corporation and it signals the growing need to address security consistently at the enterprise level. This new CISO, though confident in skills and experience, is continually on the defensive and is unable to advance the IT security centric agenda.

Which of the following is the reason the CISO has not been able to advance the security agenda in this corporation?

Lack of business continuity procedure
Lack of identification of technology stake holders
Lack of a security awareness set-up
Lack of impact with leaders outside IT

Situation: Your company has numerous encrypted telecommunications links for its world-wide operations. Physically distributing symmetric keys to all locations has proven to be administratively burdensome, but symmetric keys are preferred over other alternatives.

Symmetric encryption in general is preferable to asymmetric encryption when:

The number of unique communication links is large
The distance to the end node is farthest away
The volume of information being transmitted is small
The speed of the encryption/decryption procedure is essential

Situation: A CISO has quite a few two-factor authentication systems under review and chooses the one that is most adequate and least costly. The implementation project planning is completed and the teams are ready to implement the solution. The CISO then determines that the product is not as scalable as formerly thought and will not fit the corporation's requirements. The CISO discovers the scalability issue will only impact a small number of network segments.

What is the NEXT balanced move to ensure the correct application of risk management methodology within the two-factor implementation project?

Decide to accept the risk on behalf of the impacted business units
Create new use cases for operational use of the solution
Report the deficiency to the audit team and create procedure exceptions
Determine if sufficient mitigating controls can be operated

Situation: Your company has many encrypted telecommunications links for its world-wide operations. Physically distributing symmetric keys to all locations has proven to be administratively burdensome, but symmetric keys are preferred over other alternatives.

How can you decrease the administrative burden of distributing symmetric keys for your employer?

Use certificate authority to distribute private keys
Symmetrically encrypt the key and then use asymmetric encryption to decrypt it
Use a self-generated key on both ends to eliminate the need for distribution
Use asymmetric encryption for the automated distribution of symmetric key

Situation: Critical servers show signs of erratic behavior within your corporation's intranet. Initial information shows the systems are under attack from an outside entity. As the Chief Information Security Officer (CISO), you decide to deploy the Incident Response Team (IRT) to determine the details of this incident and take action according to the information available to the team.

In what phase of the response will the team extract information from the affected systems without altering original information?

Follow-up
Recovery
Response
Investigation

When establishing contractual agreements and procurement processes, why should security requirements be included?
To make sure the security procedure aligns with the vendor's security procedure
To make sure they are added on after the procedure is completed
To make sure the costs of security are included and understood
To make sure the patching procedure is included in the costs

Bob waits near a secure door, holding a box. He waits until an employee walks up to the secure door and uses an access card in order to enter the restricted area of the company. Just as the employee opens the door, Bob walks up to the employee (still holding the box) and asks the employee to hold the door open so that he can enter. What is the most appropriate manner to counter the social engineering action of tailgating?

Post a sign that states, "no tailgating" next to the special card reader adjacent to the protected door
Issue special cards to access protected doors at the company and provide a one-time only brief description of use of the special card
Educate and enforce physical security policies of the company to all the employees on a regular basis
Setup a mock video camera next to the special card reader adjacent to the protected door
Which sort of scan is used on the eye to measure the layer of blood vessels?
Facial recognition scan
Iris scan
Signature kinetics scan
Retinal scan

A consultant is appointed to do physical penetration testing at a large financial company. On the first day of his assessment, the consultant goes to the company's building dressed like an electrician and waits in the lobby for an employee to pass through the main access gate, then the consultant follows behind the employee to get into the restricted area. Which kind of attack did the consultant perform?

Shoulder surfing
Tailgating
Social engineering
Mantrap
If the result of an NPV is positive, then the project should be picked. The net present value shows the present value of the project, based on the decisions taken for its selection. What is the net present value equal to?
Net profit - per capita income
Total Investment - Discounted cash
Average profit - Annual investment
Initial investment - Future value
If a competitor wants to cause damage to your corporation, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the corporation. How would you prevent this type of attack?
Conduct thorough background checks before you engage them
Hire people through third-party job agencies who will vet them for you
Investigate their social networking profiles
It is impossible to block these attacks

A CISO chooses to analyze the IT infrastructure to guarantee that security solutions adhere to the concepts of how hardware and software are implemented and managed within the corporation. Which of the following values does this most appropriately determine?

Operative use of existing technologies
Create a comprehensive security awareness set-up and provide success metrics to business units
Proper budget management
Leveraging existing applications
A virus that hides both its presence and its nefarious actions is called what kind of virus?
Compression
Macro
Stealth
Obscure
The host identifier and the network identifier are two parts of which of the following?
MAC address
House address
IP address
Subnet
Quid pro quo, baiting, and pretexting are all examples of what type of information security attack?
Social security
Social networking
Social engineering
Social economics
An organization has elected to build out a cloud environment in its datacenter for exclusive use by its employees. Which of the following cloud deployment models is this an example of?
Public
Private
Community
Hybrid
Which of the following types of data backups backs up all files on the system?
Full
Incremental
Differential
DRaaS
When planning a software development project, of the choices listed, which is the best source for the organization to find guidance on secure coding practices?
US-CERT
CIS
OWASP
None of the above
The BCP coordinator is reviewing alternate site options. The organization's primary concern is the quickest recovery time, regardless of the cost. Which of the following alternate site options would best satisfy the organization's requirements?
Cold site
Warm site
Hot site
Slow site
In which of the following types of DRP tests is the original processing site shut down and all processing moved to the offsite alternate facility?
Parallel test
Tabletop exercise
Simulation test
Full interruption test
Which of the following cannot be detected through a vulnerability scan?
Open ports
Vulnerable software
Misconfigurations
Susceptibility to phishing
CIDR notation is used for what purpose?
To route classified data
To define firewall rulesets
To enable devices to be used on both IPv4 and IPv6 networks
To indicate the network and the host portion of an IP address
A department within a large organization regularly handles sensitive data. Who is responsible for the classification of the data?
CISO
Data custodian
Data user
Data owner
What is the cryptographic operation called that transforms ciphertext to plaintext?
Hashing
Encryption
Decryption
Steganography
Which of the following is a symmetric algorithm?
AES
RSA
ECC
Diffie-Hellman
A door lock that has a PIN keypad and a fingerprint reader is an example of what type of access control?
Overly complicated
The right balance of function and complexity
Dual-factor authentication
Single-factor authentication
An organization is utilizing a third-party hosted customer relationship management (CRM) tool. Which of the following types of cloud service models is being utilized?
IaaS
SaaS
PaaS
On-prem
Which of the following access control models provides the owner, usually the creator, full control of the object (resource) to determine which subjects (users and groups) can access and share that object?
MAC
DAC
ABAC
RBAC
Which of the following is a characteristic of hash algorithms?
One-way function
Provide confidentiality
Require keys
Do not provide integrity
User behavior analytics tools are most often used to detect what types of threats?
Insider threats
Malware
Conditional threats
Natural threats
Which of the following would not typically be included as part of a physical vulnerability assessment?
Simulated phishing
Reviewing facility and perimeter security
Reviewing server room security
Evaluating the risk of dumpster diving
What is the most common root cause of security not being properly addressed as part of a software development effort?
The people planning and scoping the project lack security awareness.
It is a common risk management decision.
Addressing security increases development costs.
Compensating controls can easily be used to offset poor security engineering.
Sarah runs the IT department in her organization. The IT department manages access control for critical resources such as Active Directory, while systems belonging to individual departments, such as the sales team CRM, are managed by individual departments. What type of access control administration is being deployed?
Centralized
Decentralized
Hybrid
RBAC
A department within a large organization regularly handles sensitive data. Who is responsible for implementing security controls to protect the data?
CISO
Data Custodian
Data User
Data Owner
Upon inspecting the datacenter's fire suppression system, the CISO discovers that the pipes that deploy water to put out a fire are empty until a fire is detected. Once a fire is detected, the pipes fill with water and then deploy. This is an example of what type of fire suppression system?
Wet pipe
Pre-Action
Gaseous
Ineffective. The pipes should always have water in them, ready to be deployed.
An organization selects a cloud service model where the cloud service provider manages the underlying infrastructure and the organization manages the platforms and software such as OS, development tools, and applications. Which of the following cloud service models is being utilized?
IaaS
SaaS
PaaS
On-Premises
Which protocol is used by computers to learn which MAC address corresponds to which IP address, enabling proper delivery of traffic on the network?
ARP
NAT
PPP
IGMP
When designing a datacenter, a CISO should choose which location for the datacenter's HVAC system?
The datacenter HVAC system should be located separately from the rest of the facility.
The datacenter HVAC system should be part of the HVAC system of the rest of the facility.
The datacenter does not need an HVAC system.
The datacenter should use a shared HVAC system.
The application security team performs regular source code scanning to identify vulnerabilities before the code is compiled. What type of testing is being performed?
SAST
DAST
Fuzz Testing
Black box testing
Which of the following actions is not usually included in planning a response to a ransomware attack?
Deciding when and under what conditions to contact a law enforcement agency
Business continuity planning
Asset valuation
CMMI
Which of the following does not contribute to an employee's susceptibility to social engineering attacks?
Technical controls
Human nature
Workplace culture
Job priority
Which of the following techniques is used to protect data at rest?
IPSec
TLS
Disk Encryption
VPN Encryption
How is data routed from the Internet to hosts in a private network?
By using subnets
By using NAT
By using point-to-point protocols
By using a DMZ with a proxy
Which of the following is a reason that short training modules tend to be better than longer ones for employee security training?
It's easier to integrate short courses into an employee's work schedule.
Short modules are easier to write.
Good pedagogy requires short training modules.
Short training modules require less trainee attention.
The CISO of a large organization is coordinating an external penetration test. Which of the following is the most critical consideration when planning a penetration test?
Comprehensive testing
Minimizing business disruption
Notifying the entire organization ahead of time
Allowing the penetration testing company through the firewall
A CISO is working with the software development team to integrate security into the development life cycle. Which of the following would be the best resource to use to begin this effort?
OWASP
SOX
PCIDSS
NERC CIP
An organization is structuring its identity and access management program such that users will be assigned permissions based on the department they belong to. Specific permission sets will be developed for each department (such as IT, Sales, HR, etc.) and users will be assigned to those corresponding groups. Which of the following access control models is being implemented?
MAC
DAC
RBAC
ABAC
An organization is utilizing a public cloud service provider's offering that allows the organization to use the CSP's platform to build and deploy custom applications while the CSP manages the underlying infrastructure. Which of the following cloud service models is being utilized?
IaaS
SaaS
PaaS
On-Premises
What is it called when a hash algorithm produces the same output for two different messages?
Salt
Collision
Rainbow Table
Digital Signature
An organization utilizes Active Directory for managing access to systems and resources. What type of access control administration is being employed?
Centralized
Decentralized
Hybrid
RBAC
Which of the following is not a characteristic of cloud computing?
On demand
Resource pooling
Measured service
Limited network access
Which of the following is an asymmetric algorithm?
DES
3DES
AES
RSA
John is an IT administrator at a small company. He started out as the Windows admin, was later promoted to DBA, and is now the network administrator. Because the organization lacks a comprehensive identity and access management program, John has retained the permissions and credentials for all of his old roles, including those that are no longer relevant to his job as a network administrator. Which of the following describes the issue that this company is facing?
Scope creep
Privilege creep
Requirements creep
Least privilege
Which of the following types of assessments would best be able to detect an XSS vulnerability?
Physical vulnerability assessment
Application vulnerability assessment
Network architecture assessment
Human-based vulnerability assessment
Which of the following technologies is the most expensive but provides the best redundancy and flexibility for load balancing and performance optimization?
Point-to-point
Hub and spoke
Full mesh
Single homed
An organization is hosting applications in a cloud environment built in its own datacenter. In addition, the organization also makes use of Amazon Web Services (AWS) to load balance the traffic for the applications. Which of the following cloud deployment models is this an example of?
Public
Private
Community
Hybrid
Which of the following best describes the category or categories of physical security controls applicable to an 8-foot-high fence installed at the perimeter of a facility?
Deterrent
Delaying
Deterrent and/or delaying
Neither deterrent nor delaying
Which of the following best describes a proxy firewall?
Processes ACLs
Enables network address translation
Makes it harder for cybercriminals to discover information about what is on the other side of the firewall
Keeps track of the state of each conversation
The CISO of a large organization wants a penetration test performed of the organization's network. To simulate an external adversary, the assessors are being given no prior information about the target network. Which of the following methodologies is being utilized for this assessment?
Black box testing
Gray box testing
White box testing
Pink box testing
What action should always be taken before performing social engineering tests that target employees?
Obtain law enforcement approval
Obtain employee approval
Obtain management approval
Obtain employee PHI
In a large organization, the software development team is not able to publish code to production. This task is handled by the DevOps team to ensure that no one person is writing and publishing their own code, the purpose of which is to reduce the risk of fraudulent or malicious code or data being promoted. Which of the security principles is being employed?
Separation of duties
Need to know
Least privilege
Scope creep
The CISO of a large organization is looking to have a security assessment/test conducted for a new system to see if an unauthorized user can successfully access sensitive information. Which of the following types of assessments would be most appropriate?
Penetration test
Vulnerability scan
System scan
Log review
An attacker has compromised a system's hashed password database. To identify the plaintext passwords, the attacker is using a precomputed list of plaintext input and corresponding hashed values and comparing them to the hash values in the password database. What type of password attack is being performed?
Dictionary attack
Rainbow table attack
Brute-force attack
Brute-text attack
Two kinds of cross-site scripting attacks are______________and______________.
Forward and backward
Persistent and nonpersistent
Client and server
Verification and validation
The BCP coordinator is reviewing alternate site options for the organization. The organization's leadership has requested that the alternate site provide a balance of recovery time and price. The BCP coordinator plans to select a partially equipped alternate site to provide quicker recovery while minimizing cost. Which of the following alternate site options would be most appropriate?
Cold site
Warm site
Hot site
Mirrored site
What is the impact of ARP poisoning?
Slow death.
Data is misrouted on the network.
Access controls are rendered useless.
Access controls are difficult to implement.
To increase the security of the datacenter, an entry area is being built with two doors so the first door must be closed before the second door can be opened. This will require the visitor to go through two doors and open two locks in order to gain access to the secure area. What is the name for this type of door system?
Secure door
Mantrap
Holding area
Man-in-the-middle
A security analyst calls the CISO to notify her that there is a suspected SQL injection attack being launched against one of the critical organization systems. How should the CISO direct the security analyst to respond?
Unplug the server
Invoke the incident handling plan
Call the COO
Contact the police
Which of the following will best ensure that the BCP is effective?
Regularly conduct tabletop exercises
Regularly update the date on the BCP
Ensure all staff have read the BCP
Ensure the BCP is secured
Which of the following human resource activities is not necessary to perform upon termination of an employee?
Disable the terminated employee's user accounts
Collect the terminated employee's ID badges, keys, and company assets
Get the terminated employee to sign a nondisclosure agreement
Escort the terminated employee out of the office/facility
An organization uses a web server to make information about its products available to users on the Internet. In which portion of the network architecture should such a server be installed?
Directly at the connection to the Internet service provider
At the wireless access point
In the DMZ
Behind a firewall that is connected to the Internet service provider
The CISO of an organization must decide on the implementation of physical security controls in the organization's datacenter. One such decision is whether to program the doors to stay locked in the event of fire to maintain security or to program the doors to unlock to prevent people from being trapped inside. Which is the best approach to use?
The doors should be locked to prevent unauthorized access until the fire is extinguished.
The doors should be unlocked to prevent people from being trapped inside.
There is not enough information provided to make a decision regarding whether the doors should be locked or unlocked.
The doors should be unlocked so the individual employees in the datacenter can decide whether they should be locked or unlocked.
Of the choices listed, which type of malware is most likely to make its presence difficult to detect?
Ransomware
Multipartite
Rootkit
Worm
What is the cryptographic operation called that transforms plaintext to ciphertext?
Hashing
Encryption
Decryption
Steganography
Which of the following cryptographic services prevents a sender from legitimately denying that they sent a message?
Confidentiality
Integrity
Availability
Nonrepudiation
Which of the following techniques is used to mitigate the risk of rainbow table attacks?
Salting
Hash algorithm
Digital signature
Collision
Security awareness training should focus more on __________than on _____________ .
knowledge, skills
skills, knowledge
audio, video
video, audio
__________________is a term that refers to a group of infected systems that are remotely controlled and work together to perform an attack.
Trojan
Botnet
Worm
Malnet
Mike is using a tool to hide a secret message inside an image file. What type of technique is he using?
Steganography
Hashing
Cryptography
Digital signature
Which of the following is the best approach to defending against social engineering attacks?
Training
Punishment
A comprehensive program including training, practice, drills, exercises, and operational monitoring
Security controls
What is the name of a network device that routes data between network segments?
An Internet
A router
A network interface card
A 10baseT
The datacenter manager needs to securely dispose of several hard drives for decommissioned systems. The manager consults the security team to determine the recommended method of disposition. Which of the following techniques is not sufficient to ensure that the data is unrecoverable?
Shredding
Zeroization
Erasure
Purging
During an audit of the production environment, the auditor discovered that a server was patched without an approved request, in violation of company policy. What is this an example of?
Not following patch management procedures
Lack of testing
Lack of asset inventory
Infrequent auditing
What are the basic categories of physical security controls?
Confidentiality, integrity, availability
Centralized, decentralized, hybrid
Deterrent, delaying, detective
Mantraps, fences, lighting
Which of the following access control models uses a central authority that regulates access based on the clearance of subjects and classification of objects where a subject's clearance must be greater than or equal to the object's clearance?
MAC
DAC
ABAC
RBAC
The CISO of a large organization wants a penetration test performed on the organization's network. To simulate a real attack, the operations staff, including the IT and security teams, is not aware of the test so that the incident response process may be tested. Which of the following methodologies is being utilized for this assessment?
Black box testing
Gray box testing
White box testing
Double blind testing
As part of continuity planning, an organization is determining how far back data must be recoverable after an outage or disruption to ensure critical organization functions and processes can be recovered. Which of the following is being identified?
MTD
RPO
RTO
BIA
The CISO of a large organization wants a penetration test performed on the organization's network. To get the most out of the test, it has been decided that the assessors will be given complete knowledge of the target environment, including network maps, asset inventory, system names, IP addresses, and so on. Which of the following methodologies is being utilized for this assessment?
Black box testing
Gray box testing
White box testing
Double blind testing
Which of the following best describes the general phases of the data life cycle?
Classification and marking -> Acquisition -> Use and archival -> Destruction
Acquisition -> Classification and marking -> Use and archival -> Destruction
Acquisition -> Use and archival -> Classification and marking -> Destruction
Use and archival -> Acquisition -> Classification and marking -> Destruction
A virus that changes itself each time it is run is called what type of virus?
Morphic virus
Polymorphic virus
Stealth virus
Multipartite virus
Which of the following protocols is considered a secure protocol?
Telnet
FTP
SSH
HTTP
Which of the following terms describes a method whereby an unauthorized user can bypass security controls to gain access to a system or program?
Secret access
Dis-authorization
Cross-site scripting
Backdoor
The application security team performs regular scans and assessments of running applications in the development environment to identify vulnerabilities before the applications are moved into production. What type of testing is being performed?
SAST
DAST
White box testing
Source code review
When a buffer overflow occurs, what happens to the data that exceeds the size of the buffer?
The data flows into adjacent memory.
The data is routed into the system's data drain.
The data forces the buffer to expand.
The data is recycled for future use.
Which of the following models correctly describes the general identity and access management life cycle?
Provisioning -> Review -> Revocation
Revocation -> Provisioning -> Review
Review -> Provisioning -> Revocation
Provisioning -> Revocation -> Review
Which of the following statements is the most accurate?
A LAN enables communication between devices within an office or campus, and a WAN enables communication between LANs.
A LAN is usually provided by an external service provider.
A LAN uses networking protocols such as TCP/IP, whereas a WAN does not.
The most popular LAN technology used today is X.25.
Which of the following is an example of dual-factor authentication?
Fingerprint scan and palm scan
Password and PIN
Smart card and token
Fingerprint scan and PIN
Which of the following is the correct formula used to calculate the number of keys needed for symmetric encryption based on the number of users (denoted as N)?
N(N-1)/2
N(N)/2
N(N-1)
N x 2
For evidence to be admissible, what characteristic or characteristics must it have?
Relevant and reliable
Proper chain of custody
Relevant, reliable, and retrievable (RRR)
Relevant, reliable, and recoverable (RRR)
Which of the following is an example of a hash algorithm?
MD5
AES
RSA
ECC
Which of the following is the best definition of malware?
Software designed to infiltrate and gain unauthorized access to computer systems
Software that contains errors in the code
Software that replicates itself and infects other systems
Which of the following types of data backups backs up all files that have changed since the last backup?
Full
Incremental
Differential
DRaaS