Last Updated on July 23, 2021 by InfraExam
712-50 : EC-Council Certified CISO : Part 04
-
Your IT auditor is reviewing significant events from the previous year and has identified some procedural oversights.
Which of the following would be the MOST concerning?
- Failure to notify police of an attempted intrusion
- Lack of reporting of a successful denial of service attack on the network.
- Lack of periodic examination of access rights
- Lack of notification to the public of disclosure of confidential information
-
Which of the following best represents a calculation for Annual Loss Expectancy (ALE)?
- Value of the asset multiplied by the loss expectancy
- Replacement cost multiplied by the single loss expectancy
- Single loss expectancy multiplied by the annual rate of occurrence
- Total loss expectancy multiplied by the total loss frequency
-
The Information Security Management program MUST protect:
- Audit schedules and findings
- Intellectual property released into the public domain
- all organizational assets
- critical business processes and revenue streams
-
Dataflow diagrams are used by IT auditors to:
- Graphically summarize data paths and storage processes.
- Order data hierarchically
- Highlight high-level data definitions
- Portray step-by-step details of data generation.
-
When measuring the effectiveness of an Information Security Management System, which one of the following would be MOST LIKELY used as a metric framework?
- ISO 27001
- ISO 27004
- PRINCE2
- ITILv3
-
The purpose of NIST SP 800-53 as part of the NIST System Certification and Accreditation Project is to establish a set of standardized, minimum security controls for IT systems addressing low, moderate, and high levels of concern for:
- Integrity and Availability
- Assurance, Compliance and Availability
- International Compliance
- Confidentiality, Integrity and Availability
-
An organization is required to implement background checks on all employees with access to databases containing credit card information. This is considered a security___________.
- Technical control
- Management control
- Procedural control
- Administrative control
-
Information security policies should be reviewed _____________________.
- by the internal audit semiannually
- by the CISO when new systems are brought online
- by the Incident Response team after an audit
- by stakeholders at least annually
-
Risk is defined as:
- Quantitative plus qualitative impact
- Asset loss times likelihood of event
- Advisory plus capability plus vulnerability
- Threat times vulnerability divided by control
-
In which of the following cases would an organization be more prone to risk acceptance vs. risk mitigation?
- The organization uses exclusively a qualitative process to measure risk
- The organization’s risk tolerance is low
- The organization uses exclusively a quantitative process to measure risk
- The organization’s risk tolerance is high
-
The regular review of a firewall ruleset is considered a _______________________.
- Procedural control
- Organization control
- Management control
- Technical control
-
The exposure factor of a threat to your organization is defined as:
- Annual loss expectancy minus current cost of controls
- Percentage of loss experienced due to a realized threat event
- Asset value times exposure factor
- Annual rate of occurrence
-
The Information Security Governance program MUST:
- integrate with other organizational governance processes
- show a return on investment for the organization
- integrate with other organizational governance processes
- support user choice for Bring Your Own Device (BYOD)
-
You have recently drafted a revised information security policy. From whom should you seek endorsement in order to have the GREATEST chance for adoption and implementation throughout the entire organization?
- Chief Executive Officer
- Chief Information Officer
- Chief Information Security Officer
- Chief Information Officer
-
Which of the following is a benefit of a risk-based approach to audit planning?
- Resources are allocated to the areas of the highest concern
- Scheduling may be performed months in advance
- Budgets are more likely to be met by the IT audit staff
- Staff will be exposed to a variety of technologies
-
Which of the following are the MOST important factors for proactively determining system vulnerabilities?
- Subscribe to vendor mailing lists and distribute notifications of system requirements
- Configure firewall, perimeter router and Intrusion Prevention System (IPS)
- Conduct security testing, vulnerability scanning, and penetration testing
- Deploy Intrusion Detection System (IDS) and install anti-virus on systems
-
When choosing a risk mitigation method, what is the MOST important factor?
- Approval from the board of directors
- Metrics of mitigation method success
- Cost of the mitigation is less than a risk
- Mitigation method complies with PCI regulations
-
Payment Card Industry (PCI) compliance requirements are based on what criteria?
- The size of the organization processing credit card data
- The types of cardholder data retained
- The duration cardholder data is retained
- The number of transactions performed per year by an organization
-
What role should the CISO play in properly scoping a PCI environment?
- Complete the self-assessment questionnaire and work with an Approved Scanning Vendor (ASV) to determine scope
- Work with a Qualified Security Assessor (QSA) to determine the scope of the PCI environment
- Validate the business units’ suggestions as to what should be included in the scoping process
- Ensure internal scope validation is completed and that an assessment has been done to discover all credit card data
-
Which of the following reports should you as an IT auditor use to check on compliance with a Service Level Agreement (SLA) requirement for uptime?
- System logs
- Hardware error reports
- Availability reports
- Utilization reports