712-50 : EC-Council Certified CISO : Part 04

  1. Your IT auditor is reviewing significant events from the previous year and has identified some procedural oversights.

    Which of the following would be the MOST concerning?

    • Failure to notify police of an attempted intrusion
    • Lack of reporting of a successful denial of service attack on the network
    • Lack of periodic examination of access rights
    • Lack of notification to the public of disclosure of confidential information
  2. Which of the following best represents a calculation for Annual Loss Expectancy (ALE)?

    • Value of the asset multiplied by the loss expectancy
    • Replacement cost multiplied by the single loss expectancy
    • Single loss expectancy multiplied by the annual rate of occurrence
    • Total loss expectancy multiplied by the total loss frequency
  3. The Information Security Management program MUST protect:

    • Audit schedules and findings
    • Intellectual property released into the public domain
    • All organizational assets
    • Critical business processes and revenue streams
  4. Dataflow diagrams are used by IT auditors to:

    • Graphically summarize data paths and storage processes
    • Order data hierarchically
    • Highlight high-level data definitions
    • Portray step-by-step details of data generation
  5. When measuring the effectiveness of an Information Security Management System, which one of the following would MOST LIKELY be used as a metric framework?

    • ISO 27001
    • ISO 27004
    • PRINCE2
    • ITILv3
  6. The purpose of NIST SP 800-53 as part of the NIST System Certification and Accreditation Project is to establish a set of standardized, minimum security controls for IT systems addressing low, moderate, and high levels of concern for:

    • Integrity and Availability
    • Assurance, Compliance and Availability
    • International Compliance
    • Confidentiality, Integrity and Availability
  7. An organization is required to implement background checks on all employees with access to databases containing credit card information. This is considered a security ___________.

    • Technical control
    • Management control
    • Procedural control
    • Administrative control
  8. Information security policies should be reviewed _____________________.

    • by the internal audit semiannually
    • by the CISO when new systems are brought online
    • by the Incident Response team after an audit
    • by stakeholders at least annually
  9. Risk is defined as:

    • Quantitative plus qualitative impact
    • Asset loss times likelihood of event
    • Advisory plus capability plus vulnerability
    • Threat times vulnerability divided by control
  10. In which of the following cases would an organization be more prone to risk acceptance vs. risk mitigation?

    • The organization uses exclusively a qualitative process to measure risk
    • The organization’s risk tolerance is low
    • The organization uses exclusively a quantitative process to measure risk
    • The organization’s risk tolerance is high
  11. The regular review of a firewall ruleset is considered a _______________________.

    • Procedural control
    • Organization control
    • Management control
    • Technical control
  12. The exposure factor of a threat to your organization is defined as:

    • Annual loss expectancy minus current cost of controls
    • Percentage of loss experienced due to a realized threat event
    • Asset value times exposure factor
    • Annual rate of occurrence
  13. The Information Security Governance program MUST:

    • integrate with other organizational governance processes
    • show a return on investment for the organization
    • integrate with other organizational governance processes
    • support user choice for Bring Your Own Device (BYOD)
  14. You have recently drafted a revised information security policy. From whom should you seek endorsement in order to have the GREATEST chance for adoption and implementation throughout the entire organization?

    • Chief Executive Officer
    • Chief Information Officer
    • Chief Information Security Officer
    • Chief Information Officer
  15. Which of the following is a benefit of a risk-based approach to audit planning?

    • Resources are allocated to the areas of the highest concern
    • Scheduling may be performed months in advance
    • Budgets are more likely to be met by the IT audit staff
    • Staff will be exposed to a variety of technologies
  16. Which of the following are the MOST important factors for proactively determining system vulnerabilities?

    • Subscribe to vendor mailing lists and distribute notifications of system requirements
    • Configure firewall, perimeter router and Intrusion Prevention System (IPS)
    • Conduct security testing, vulnerability scanning, and penetration testing
    • Deploy Intrusion Detection System (IDS) and install anti-virus on systems
  17. When choosing a risk mitigation method what is the MOST important factor?

    • Approval from the board of directors
    • Metrics of mitigation method success
    • Cost of the mitigation is less than a risk
    • Mitigation method complies with PCI regulations
  18. Payment Card Industry (PCI) compliance requirements are based on what criteria?

    • The size of the organization processing credit card data
    • The types of cardholder data retained
    • The duration card holder data is retained
    • The number of transactions performed per year by an organization
  19. What role should the CISO play in properly scoping a PCI environment?

    • Complete the self-assessment questionnaire and work with an Approved Scanning Vendor (ASV) to determine scope
    • Work with a Qualified Security Assessor (QSA) to determine the scope of the PCI environment
    • Validate the business units’ suggestions as to what should be included in the scoping process
    • Ensure internal scope validation is completed and that an assessment has been done to discover all credit card data
  20. Which of the following reports should you, as an IT auditor, use to check on compliance with a Service Level Agreement (SLA) requirement for uptime?

    • Systems logs
    • Hardware error reports
    • Availability reports
    • Utilization reports