712-50 : EC-Council Certified CISO : Part 03

Which of the following is considered the MOST effective tool against social engineering?
- Effective Security Vulnerability Management Program
- Anti-malware tools
- Effective Security awareness program
- Anti-phishing tools
When managing the security architecture for your company you must consider:
- Budget
- Security and IT Staff size
- Company values
- All of the above
The PRIMARY objective for information security program development should be:
- Reducing the impact of the risk to the business.
- Establishing incident response programs.
- Establishing strategic alignment with business continuity requirements.
- Identifying and implementing the best security solutions.
After a risk assessment is performed, a particular risk is considered to have the potential of costing the organization 1.2 Million USD.

This is an example of____________.
- Qualitative risk analysis
- Risk Appetite
- Quantitative risk analysis
- Risk Tolerance
Quantitative Risk Assessments have the following advantages over qualitative risk assessments:
- They are subjective and can be completed more quickly
- They are objective and express risk / cost in approximates
- They are subjective and can express risk / cost in real numbers
- They are objective and can express risk / cost in real numbers
Which of the following most commonly falls within the scope of an information security governance steering committee?
- Vetting information security policies
- Approving access to critical financial systems
- Interviewing candidates for information security specialist positions
- Developing content for security awareness programs
A company wants to fill a Chief Information Security Officer position in the organization. They need to define and implement a more holistic security program.

Which of the following qualifications and experience would be MOST desirable to find in a candidate?
- Industry certifications, technical knowledge and program management skills
- Multiple references, strong background check and industry certifications
- Multiple certifications, strong technical capabilities and lengthy resume
- College degree, audit capabilities and complex project management
Which of the following intellectual Property components is focused on maintaining brand recognition?
- Trademark
- Research Logs
- Copyright
- Patent
Credit card information, medical data, and government records are all examples of:
- None
- Communications Information
- Bodily Information
- Confidential/Protected Information
- Territorial Information
You have implemented a new security control. Which of the following risk strategy options have you engaged in?
- Risk Transfer
- Risk Mitigation
- Risk Avoidance
- Risk Acceptance
What is a difference from the list below between quantitative and qualitative Risk Assessment?
- Quantitative risk assessments result in an exact number (in monetary terms)
- Quantitative risk assessments result in a quantitative assessment (high, medium, low, red, yellow, green)
- Qualitative risk assessments map to business objectives
- Qualitative risk assessments result in a quantitative assessment (high, medium, low, red, yellow, green)
You have purchased a new insurance policy as part of your risk strategy. Which of the following risk strategy options have you engaged in?
- Risk Mitigation
- Risk Acceptance
- Risk Avoidance
- Risk Transfer
What is the definition of Risk in Information Security?
- Risk = Probability x Impact
- Risk = Impact x Threat
- Risk = Threat x Probability
- Risk = Financial Impact x Probability
A business unit within your organization intends to deploy a new technology in a manner that places it in violation of existing information security standards.

What immediate action should the information security manager take?
- Enforce the existing security standards and do not allow the deployment of the new technology.
- If the risks associated with that technology are not already identified, perform a risk analysis to quantify the risk, and allow the business unit to proceed based on the identified risk level.
- Amend the standard to permit the deployment.
- Permit a 90-day window to see if an issue occurs and then amend the standard if there are no issues.
The establishment of a formal risk management framework and system authorization program is essential.

The LAST step of the system authorization process is:
- Getting authority to operate the system from executive management
- Contacting the Internet Service Provider for an IP scope
- Changing the default passwords
- Conducting a final scan of the live system and mitigating all high and medium level vulnerabilities
An organization’s firewall technology needs replaced. A specific technology has been selected that is less costly than others and lacking in some important capabilities. The security officer has voiced concerns about sensitive data breaches but the decision is made to purchase.

What does this selection indicate?
- A high threat environment
- A low vulnerability environment
- A high risk tolerance environment
- A low risk tolerance environment
Which of the following is MOST important when dealing with an Information Security Steering committee?
- Ensure that security policies and procedures have been vetted and approved.
- Review all past audit and compliance reports.
- Include a mix of members from different departments and staff levels.
- Be briefed about new trends and products at each meeting by a vendor.
Risk that remains after risk mitigation is known as_____________.
- Accepted risk
- Residual risk
- Non-tolerated risk
- Persistent risk
An organization is looking for a framework to measure the efficiency and effectiveness of their Information Security Management System.

Which of the following international standards can BEST assist this organization?
- Payment Card Industry Data Security Standards (PCI-DSS)
- International Organization for Standardizations – 27005 (ISO-27005)
- International Organization for Standardizations – 27004 (ISO-27004)
- Control Objectives for Information Technology (COBIT)
When would it be more desirable to develop a set of decentralized security policies and procedures within an enterprise environment?
- When there is a variety of technologies deployed in the infrastructure.
- When it results in an overall lower cost of operating the security program.
- When there is a need to develop a more unified incident response capability.
- When the enterprise is made up of many business units with diverse business activities, risks profiles and regulatory requirements.

712-50 : EC-Council Certified CISO : All Parts
712-50 Part 01	712-50 Part 06	712-50 Part 11	712-50 Part 16
712-50 Part 02	712-50 Part 07	712-50 Part 12	712-50 Part 17
712-50 Part 03	712-50 Part 08	712-50 Part 13	712-50 Part 18
712-50 Part 04	712-50 Part 09	712-50 Part 14	712-50 Part 19
712-50 Part 05	712-50 Part 10	712-50 Part 15	712-50 Part 20

712-50 : EC-Council Certified CISO : All Parts
712-50 Part 01	712-50 Part 06	712-50 Part 11	712-50 Part 16
712-50 Part 02	712-50 Part 07	712-50 Part 12	712-50 Part 17
712-50 Part 03	712-50 Part 08	712-50 Part 13	712-50 Part 18
712-50 Part 04	712-50 Part 09	712-50 Part 14	712-50 Part 19
712-50 Part 05	712-50 Part 10	712-50 Part 15	712-50 Part 20

712-50 : EC-Council Certified CISO : Part 03

Which of the following is considered the MOST effective tool against social engineering?

When managing the security architecture for your company you must consider:

The PRIMARY objective for information security program development should be:

After a risk assessment is performed, a particular risk is considered to have the potential of costing the organization 1.2 Million USD.

This is an example of____________.

Quantitative Risk Assessments have the following advantages over qualitative risk assessments:

Which of the following most commonly falls within the scope of an information security governance steering committee?

A company wants to fill a Chief Information Security Officer position in the organization. They need to define and implement a more holistic security program.

Which of the following qualifications and experience would be MOST desirable to find in a candidate?

Which of the following intellectual Property components is focused on maintaining brand recognition?

Credit card information, medical data, and government records are all examples of:

You have implemented a new security control. Which of the following risk strategy options have you engaged in?

What is a difference from the list below between quantitative and qualitative Risk Assessment?

You have purchased a new insurance policy as part of your risk strategy. Which of the following risk strategy options have you engaged in?

What is the definition of Risk in Information Security?

A business unit within your organization intends to deploy a new technology in a manner that places it in violation of existing information security standards.

What immediate action should the information security manager take?

The establishment of a formal risk management framework and system authorization program is essential.

The LAST step of the system authorization process is:

An organization’s firewall technology needs replaced. A specific technology has been selected that is less costly than others and lacking in some important capabilities. The security officer has voiced concerns about sensitive data breaches but the decision is made to purchase.

What does this selection indicate?

Which of the following is MOST important when dealing with an Information Security Steering committee?

Risk that remains after risk mitigation is known as_____________.

An organization is looking for a framework to measure the efficiency and effectiveness of their Information Security Management System.

Which of the following international standards can BEST assist this organization?

When would it be more desirable to develop a set of decentralized security policies and procedures within an enterprise environment?