Last Updated on July 23, 2021 by InfraExam

712-50 : EC-Council Certified CISO : Part 03

  1. Which of the following is considered the MOST effective tool against social engineering?

    • Effective Security Vulnerability Management Program
    • Anti-malware tools
    • Effective Security awareness program
    • Anti-phishing tools
  2. When managing the security architecture for your company, you must consider:

    • Budget
    • Security and IT Staff size
    • Company values
    • All of the above
  3. The PRIMARY objective for information security program development should be:

    • Reducing the impact of the risk to the business.
    • Establishing incident response programs.
    • Establishing strategic alignment with business continuity requirements.
    • Identifying and implementing the best security solutions.
  4. After a risk assessment is performed, a particular risk is considered to have the potential of costing the organization 1.2 Million USD.

    This is an example of ____________.

    • Qualitative risk analysis
    • Risk Appetite
    • Quantitative risk analysis
    • Risk Tolerance
  5. Quantitative Risk Assessments have the following advantages over qualitative risk assessments:

    • They are subjective and can be completed more quickly
    • They are objective and express risk / cost in approximates
    • They are subjective and can express risk / cost in real numbers
    • They are objective and can express risk / cost in real numbers
  6. Which of the following most commonly falls within the scope of an information security governance steering committee?

    • Vetting information security policies
    • Approving access to critical financial systems
    • Interviewing candidates for information security specialist positions
    • Developing content for security awareness programs
  7. A company wants to fill a Chief Information Security Officer position in the organization. They need to define and implement a more holistic security program.

    Which of the following qualifications and experience would be MOST desirable to find in a candidate?

    • Industry certifications, technical knowledge and program management skills
    • Multiple references, strong background check and industry certifications
    • Multiple certifications, strong technical capabilities and lengthy resume
    • College degree, audit capabilities and complex project management
  8. Which of the following Intellectual Property components is focused on maintaining brand recognition?

    • Trademark
    • Research Logs
    • Copyright
    • Patent
  9. Credit card information, medical data, and government records are all examples of:

    • None
    • Communications Information
    • Bodily Information
    • Confidential/Protected Information
    • Territorial Information
  10. You have implemented a new security control. Which of the following risk strategy options have you engaged in?

    • Risk Transfer
    • Risk Mitigation
    • Risk Avoidance
    • Risk Acceptance
  11. Which of the following is a difference between quantitative and qualitative risk assessment?

    • Quantitative risk assessments result in an exact number (in monetary terms)
    • Quantitative risk assessments result in a quantitative assessment (high, medium, low, red, yellow, green)
    • Qualitative risk assessments map to business objectives
    • Qualitative risk assessments result in a quantitative assessment (high, medium, low, red, yellow, green)
  12. You have purchased a new insurance policy as part of your risk strategy. Which of the following risk strategy options have you engaged in?

    • Risk Mitigation
    • Risk Acceptance
    • Risk Avoidance
    • Risk Transfer
  13. What is the definition of Risk in Information Security?

    • Risk = Probability x Impact
    • Risk = Impact x Threat
    • Risk = Threat x Probability
    • Risk = Financial Impact x Probability
  14. A business unit within your organization intends to deploy a new technology in a manner that places it in violation of existing information security standards.

    What immediate action should the information security manager take?

    • Enforce the existing security standards and do not allow the deployment of the new technology.
    • If the risks associated with that technology are not already identified, perform a risk analysis to quantify the risk, and allow the business unit to proceed based on the identified risk level.
    • Amend the standard to permit the deployment.
    • Permit a 90-day window to see if an issue occurs and then amend the standard if there are no issues.
  15. The establishment of a formal risk management framework and system authorization program is essential.

    The LAST step of the system authorization process is:

    • Getting authority to operate the system from executive management
    • Contacting the Internet Service Provider for an IP scope
    • Changing the default passwords
    • Conducting a final scan of the live system and mitigating all high and medium level vulnerabilities
  16. An organization’s firewall technology needs to be replaced. A specific technology has been selected that is less costly than the others but lacks some important capabilities. The security officer has voiced concerns about sensitive data breaches, but the decision is made to purchase it.

    What does this selection indicate?

    • A high threat environment
    • A low vulnerability environment
    • A high risk tolerance environment
    • A low risk tolerance environment
  17. Which of the following is MOST important when dealing with an Information Security Steering committee?

    • Ensure that security policies and procedures have been vetted and approved.
    • Review all past audit and compliance reports.
    • Include a mix of members from different departments and staff levels.
    • Be briefed about new trends and products at each meeting by a vendor.
  18. Risk that remains after risk mitigation is known as _____________.

    • Accepted risk
    • Residual risk
    • Non-tolerated risk
    • Persistent risk
  19. An organization is looking for a framework to measure the efficiency and effectiveness of their Information Security Management System.

    Which of the following international standards can BEST assist this organization?

    • Payment Card Industry Data Security Standards (PCI-DSS)
    • International Organization for Standardization – 27005 (ISO-27005)
    • International Organization for Standardization – 27004 (ISO-27004)
    • Control Objectives for Information Technology (COBIT)
  20. When would it be more desirable to develop a set of decentralized security policies and procedures within an enterprise environment?

    • When there is a variety of technologies deployed in the infrastructure.
    • When it results in an overall lower cost of operating the security program.
    • When there is a need to develop a more unified incident response capability.
    • When the enterprise is made up of many business units with diverse business activities, risk profiles and regulatory requirements.