Last Updated on July 23, 2021 by InfraExam
712-50 : EC-Council Certified CISO : Part 02
Ensuring that the actions of a set of people, applications and systems follow the organization’s rules is BEST described as:
- Compliance management
- Security management
- Risk management
- Mitigation management
Which of the following international standards can be BEST used to define a Risk Management process in an organization?
- International Organization for Standardizations – 27005 (ISO-27005)
- National Institute for Standards and Technology 800-50 (NIST 800-50)
- Payment Card Industry Data Security Standards (PCI-DSS)
- International Organization for Standardizations – 27004 (ISO-27004)
A security professional has been promoted to be the CISO of an organization. The first task is to create a security policy for this organization. The CISO creates and publishes the security policy.
This policy, however, is ignored and not enforced consistently. Which of the following is the MOST likely reason for the policy shortcomings?
- Lack of a formal risk management policy
- Lack of a formal security policy governance process
- Lack of formal definition of roles and responsibilities
- Lack of a formal security awareness program
Regulatory requirements typically force organizations to implement ____________.
- Financial controls
- Mandatory controls
- Discretionary controls
- Optional controls
From an information security perspective, information that no longer supports the main purpose of the business should be:
- protected under the information classification policy
- analyzed under the data ownership policy
- assessed by a business impact analysis.
- analyzed under the retention policy.
A global retail company is creating a new compliance management process.
Which of the following regulations is of MOST importance to be tracked and managed by this process?
- Information Technology Infrastructure Library (ITIL)
- National Institute for Standards and technology (NIST) standard
- International Organization for Standardization (ISO) standards
- Payment Card Industry Data Security Standards (PCI-DSS)
One of the MAIN goals of a Business Continuity Plan is to_______________.
- Ensure all infrastructure and applications are available in the event of a disaster
- Assign responsibilities to the technical teams responsible for the recovery of all data
- Provide step by step plans to recover business processes in the event of a disaster
- Allow all technical first-responders to understand their roles in the event of a disaster.
An organization’s Information Security Policy is of MOST importance because_____________.
- It defines a process to meet compliance requirements
- It establishes a framework to protect confidential information
- It communicates management’s commitment to protecting information resources
- It is formally acknowledged by all employees and vendors
The alerting, monitoring and life-cycle management of security related events is typically handled by the_________________.
- risk management process
- risk assessment process
- governance, risk, and compliance tools
- security threat and vulnerability management process
A Security Operations Centre (SOC) manager is informed that a database containing highly sensitive corporate strategy information is under attack. Information has been stolen, and the database server was disconnected.
Who must be informed of this incident?
- Internal audit
- The data owner
- All executive staff
- Government regulators
An organization has defined a set of standard security controls. This organization has also defined the circumstances and conditions in which they must be applied.
What is the NEXT logical step in applying the controls in the organization?
- Determine the risk tolerance
- Perform an asset classification
- Analyze existing controls on systems
- Create an architecture gap analysis
The single most important consideration to make when developing your security program, policies, and processes is:
- Alignment with the business
- Budgeting for unforeseen data compromises
- Establishing your authority as the Security Executive
- Streaming for efficiency
In accordance with best practices and international standards, how often is security awareness training provided to employees of an organization?
- Every 18 months
- Every 12 months
- High risk environments 6 months, low-risk environments 12 months
- Every 6 months
Which of the following is a MAJOR consideration when an organization retains sensitive customer data and uses this data to better target the organization’s products and services?
- Strong authentication technologies
- Financial reporting regulations
- Credit card compliance and regulations
- Local privacy laws
If your organization operates under a model of “assumption of breach”, you should:
- Establish active firewall monitoring protocols
- Purchase insurance for your compliance liability
- Focus your security efforts on high value assets
- Protect all information resource assets equally
When dealing with a risk management process, asset classification is important because it will impact the overall:
- Threat identification
- Risk treatment
- Risk monitoring
- Risk tolerance
You have a system with 2 identified risks. You determine the probability of one risk occurring is higher than the
- Relative likelihood of event
- Controlled mitigation effort
- Risk impact comparison
- Comparative threat analysis
Which of the following is a benefit of information security governance?
- Direct involvement of senior management in developing control processes
- Reduction of the potential for civil and legal liability
- Questioning the trust in vendor relationships
- Increasing the risk of decisions based on incomplete management information
Developing effective security controls is a balance between:
- Technology and Vendor Management
- Operations and Regulations
- Risk Management and Operations
- Corporate Culture and Job Expectations
The framework that helps to define a minimum standard of protection that business stakeholders must attempt to achieve is referred to as a standard of:
- Due Compromise
- Due process
- Due Care
- Due Protection