712-50 : EC-Council Certified CISO : Part 01

  1. When briefing senior management on the creation of a governance process, the MOST important aspect should be:

    • knowledge required to analyze each issue
    • information security metrics
    • linkage to business area objectives
    • baseline against which metrics are evaluated
  2. Which of the following should be determined while defining risk management strategies?

    • Organizational objectives and risk tolerance
    • Enterprise disaster recovery plans
    • Risk assessment criteria
    • IT architecture complexity
  3. Which of the following is the MOST important benefit of an effective security governance process?

    • Senior management participation in the incident response process
    • Better vendor management
    • Reduction of security breaches
    • Reduction of liability and overall risk to the organization
  4. A global retail organization is looking to implement a consistent Disaster Recovery and Business Continuity Process across all of its business units.

    Which of the following standards and guidelines can BEST address this organization’s need?

    • International Organization for Standardizations – 22301 (ISO-22301)
    • Information Technology Infrastructure Library (ITIL)
    • Payment Card Industry Data Security Standards (PCI-DSS)
    • International Organization for Standardizations – 27005 (ISO-27005)
  5. A security manager regularly checks work areas after business hours for security violations; such as unsecured files or unattended computers with active sessions.

    This activity BEST demonstrates what part of a security program?

    • Compliance management
    • Audit validation
    • Physical control testing
    • Security awareness training
  6. Which of the following is the MAIN reason to follow a formal risk management process in an organization that hosts and uses privately identifiable information (PII) as part of their business models and processes?

    • Need to comply with breach disclosure laws
    • Fiduciary responsibility to safeguard credit information
    • Need to transfer the risk associated with hosting PII data
    • Need to better understand the risk associated with using PII data
  7. A method to transfer risk is to______________.

    • Implement redundancy
    • Move operations to another region
    • Align to business operations
    • Purchase breach insurance
  8. An organization licenses and uses personal information for business operations, and a server containing that information has been compromised.

    What kind of law would require notifying the owner or licensee of this incident?

    • Consumer right disclosure
    • Data breach disclosure
    • Special circumstance disclosure
    • Security incident disclosure
  9. Why is it vitally important that senior management endorse a security policy?

    • So that employees will follow the policy directives.
    • So that they can be held legally accountable.
    • So that external bodies will recognize the organizations commitment to security.
    • So that they will accept ownership for security within the organization.
  10. Which of the following is of MOST importance when security leaders of an organization are required to align security to influence the culture of an organization?

    • Understand the business goals of the organization
    • Poses a strong technical background
    • Poses a strong auditing background
    • Understand all regulations affecting the organization
  11. The PRIMARY objective of security awareness is to:

    • Encourage security-conscious employee behavior
    • Put employees on notice in case follow-up action for noncompliance is necessary
    • Ensure that security policies are read
    • Meet legal and regulatory requirements
  12. Which of the following is MOST likely to be discretionary?

    • Policies
    • Procedures
    • Guidelines
    • Standards
  13. Which of the following has the GREATEST impact on the implementation of an information security governance model?

    • Complexity of organizational structure
    • Distance between physical locations
    • Organizational budget
    • Number of employees
  14. When dealing with Security Incident Response procedures, which of the following steps come FIRST when reacting to an incident?

    • Eradication
    • Escalation
    • Containment
    • Recovery
  15. What is the relationship between information protection and regulatory compliance?

    • That all information in an organization must be protected equally.
    • The information required to be protected by regulatory mandate does not have to be identified in the organizations data classification policy.
    • There is no relationship between the two.
    • That the protection of some information such as National ID information is mandated by regulation and other information such as trade secrets are protected based on business need.
  16. Who in the organization determines access to information?

    • Compliance officer
    • Legal department
    • Data Owner
    • Information security officer
  17. When managing an Information Security Program, which of the following is of MOST importance in order to influence the culture of an organization?

    • Compliance with local privacy regulations
    • An independent Governance, Risk and Compliance organization
    • Support Legal and HR teams
    • Alignment of security goals with business goals
  18. The FIRST step in establishing a security governance program is to?

    • Obtain senior level sponsorship
    • Conduct a workshop for all end users.
    • Conduct a risk assessment.
    • Prepare a security budget.
  19. When an organization claims it is secure because it is PCI-DSS certified, what is a good first question to ask towards assessing the effectiveness of their security program?

    • How many credit records are stored?
    • What is the value of the assets at risk?
    • What is the scope of the certification?
    • How many servers do you have?
  20. A security manager has created a risk program. Which of the following is a critical part of ensuring the program is successful?

    • Ensuring developers include risk control comments in code
    • Creating risk assessment templates based on specific threats
    • Providing a risk program governance structure
    • Allowing for the acceptance of risk for regulatory compliance requirements