Last Updated on July 23, 2021 by InfraExam
712-50 : EC-Council Certified CISO : Part 01
-
When briefing senior management on the creation of a governance process, the MOST important aspect should be:
- knowledge required to analyze each issue
- information security metrics
- linkage to business area objectives
- baseline against which metrics are evaluated
-
Which of the following should be determined while defining risk management strategies?
- Organizational objectives and risk tolerance
- Enterprise disaster recovery plans
- Risk assessment criteria
- IT architecture complexity
-
Which of the following is the MOST important benefit of an effective security governance process?
- Senior management participation in the incident response process
- Better vendor management
- Reduction of security breaches
- Reduction of liability and overall risk to the organization
-
A global retail organization is looking to implement a consistent Disaster Recovery and Business Continuity Process across all of its business units.
Which of the following standards and guidelines can BEST address this organization’s need?
- International Organization for Standardization – 22301 (ISO-22301)
- Information Technology Infrastructure Library (ITIL)
- Payment Card Industry Data Security Standards (PCI-DSS)
- International Organization for Standardization – 27005 (ISO-27005)
-
A security manager regularly checks work areas after business hours for security violations, such as unsecured files or unattended computers with active sessions.
This activity BEST demonstrates what part of a security program?
- Compliance management
- Audit validation
- Physical control testing
- Security awareness training
-
Which of the following is the MAIN reason to follow a formal risk management process in an organization that hosts and uses personally identifiable information (PII) as part of its business models and processes?
- Need to comply with breach disclosure laws
- Fiduciary responsibility to safeguard credit information
- Need to transfer the risk associated with hosting PII data
- Need to better understand the risk associated with using PII data
-
A method to transfer risk is to ______________.
- Implement redundancy
- Move operations to another region
- Align to business operations
- Purchase breach insurance
-
An organization licenses and uses personal information for business operations, and a server containing that information has been compromised.
What kind of law would require notifying the owner or licensee of this incident?
- Consumer right disclosure
- Data breach disclosure
- Special circumstance disclosure
- Security incident disclosure
-
Why is it vitally important that senior management endorse a security policy?
- So that employees will follow the policy directives.
- So that they can be held legally accountable.
- So that external bodies will recognize the organization's commitment to security.
- So that they will accept ownership for security within the organization.
-
Which of the following is of MOST importance when security leaders of an organization are required to align security to influence the culture of an organization?
- Understand the business goals of the organization
- Possess a strong technical background
- Possess a strong auditing background
- Understand all regulations affecting the organization
-
The PRIMARY objective of security awareness is to:
- Encourage security-conscious employee behavior
- Put employees on notice in case follow-up action for noncompliance is necessary
- Ensure that security policies are read
- Meet legal and regulatory requirements
-
Which of the following is MOST likely to be discretionary?
- Policies
- Procedures
- Guidelines
- Standards
-
Which of the following has the GREATEST impact on the implementation of an information security governance model?
- Complexity of organizational structure
- Distance between physical locations
- Organizational budget
- Number of employees
-
When dealing with Security Incident Response procedures, which of the following steps comes FIRST when reacting to an incident?
- Eradication
- Escalation
- Containment
- Recovery
-
What is the relationship between information protection and regulatory compliance?
- That all information in an organization must be protected equally.
- The information required to be protected by regulatory mandate does not have to be identified in the organization's data classification policy.
- There is no relationship between the two.
- That the protection of some information, such as National ID information, is mandated by regulation, and other information, such as trade secrets, is protected based on business need.
-
Who in the organization determines access to information?
- Compliance officer
- Legal department
- Data Owner
- Information security officer
-
When managing an Information Security Program, which of the following is of MOST importance in order to influence the culture of an organization?
- Compliance with local privacy regulations
- An independent Governance, Risk and Compliance organization
- Support Legal and HR teams
- Alignment of security goals with business goals
-
The FIRST step in establishing a security governance program is to:
- Obtain senior level sponsorship
- Conduct a workshop for all end users
- Conduct a risk assessment
- Prepare a security budget
-
When an organization claims it is secure because it is PCI-DSS certified, what is a good first question to ask towards assessing the effectiveness of their security program?
- How many credit records are stored?
- What is the value of the assets at risk?
- What is the scope of the certification?
- How many servers do you have?
-
A security manager has created a risk program. Which of the following is a critical part of ensuring the program is successful?
- Ensuring developers include risk control comments in code
- Creating risk assessment templates based on specific threats
- Providing a risk program governance structure
- Allowing for the acceptance of risk for regulatory compliance requirements