Last Updated on July 23, 2021 by InfraExam
712-50 : EC-Council Certified CISO : Part 05
You work as a project manager for the TYU project. You are planning for risk mitigation. You need to quickly identify high-level risks that will need a more in-depth analysis.
Which one of the following approaches would you use?
- Risk mitigation
- Estimate activity duration
- Quantitative analysis
- Qualitative analysis
A global health insurance company is concerned about protecting confidential information.
Which of the following is of MOST concern to this organization?
- Alignment with International Organization for Standardization (ISO) standards.
- Alignment with financial reporting regulations for each country where they operate.
- Compliance with the Payment Card Industry (PCI) regulations.
- Compliance with patient data protection regulations for each country where they operate.
Which of the following represents the MOST negative impact resulting from an ineffective security governance program?
- Improper use of information resources
- Reduction of budget
- Decreased security awareness
- Fines for regulatory non-compliance
Within an organization’s vulnerability management program, who has the responsibility to implement remediation actions?
- Data owner
- Data center manager
- Network architect
- System administrator
The amount of risk an organization is willing to accept in pursuit of its mission is known as ______________.
- risk transfer
- risk mitigation
- risk acceptance
- risk tolerance
Which of the following is a critical operational component of an Incident Response Program (IRP)?
- Monthly program tests to ensure resource allocation is sufficient for supporting the needs of the organization.
- Weekly program budget reviews to ensure the percentage of program funding remains constant.
- Annual review of program charters, policies, procedures and organizational agreements.
- Daily monitoring of vulnerability advisories relating to your organization’s deployed technologies.
What is the first thing that needs to be completed in order to create a security program for your organization?
- Security program budget
- Compliance and regulatory analysis
- Risk assessment
- Business continuity plan
As a new CISO at a large healthcare company you are told that everyone has to badge in to get in the building. Below your office window you notice a door that is normally propped open during the day for groups of people to take breaks outside. Upon looking closer, you see there is no badge reader.
What should you do?
- Post a guard at the door to maintain physical security
- Close and chain the door shut and send a company-wide memo banning the practice
- A physical risk assessment on the facility
- Nothing, this falls outside your area of influence
As the new CISO at the company, you are reviewing the audit reporting process and notice that it includes only detailed technical diagrams.
What else should be in the reporting process?
- Names and phone numbers of those who conducted the audit
- Executive summary
- Penetration test agreement
- Business charter
Which of the following provides an audit framework?
- Control Objectives for IT (COBIT)
- International Organization for Standardization (ISO) 27002
- Payment Card Industry Data Security Standard (PCI-DSS)
- National Institute of Standards and Technology (NIST) SP 800-30
Which of the following is used to establish and maintain a framework to provide assurance that information security strategies are aligned with organizational objectives?
Which of the following is the MOST important goal of risk management?
- Finding economic balance between the impact of the risk and the cost of the control
- Identifying the victim of any potential exploits
- Identifying the risk
- Assessing the impact of potential threats
What is the SECOND step to creating a risk management methodology according to the National Institute of Standards and Technology (NIST) SP 800-30 standard?
- Mitigate risk
- Perform a risk assessment
- Determine appetite
- Evaluate risk avoidance criteria
Which of the following tests is performed by an Information Systems (IS) auditor when a sample of programs is selected to determine if the source and object versions are the same?
- Substantive test of program library controls
- A compliance test of the program compiler controls
- A compliance test of program library controls
- A substantive test of the program compiler controls
When creating a vulnerability scan schedule, who is the MOST critical person to communicate with in order to ensure impact of the scan is minimized?
- The asset manager
- The project manager
- The asset owner
- The data custodian
What two methods are used to assess risk impact?
- Quantitative and qualitative
- Qualitative and percent of loss realized
- Subjective and Objective
- Cost and annual rate of expectance
An organization's information security policy serves to ___________________.
- define security configurations for systems
- establish budgetary input in order to meet compliance requirements
- establish acceptable systems and user behavior
- define relationships with external law enforcement agencies
An IT auditor has recently discovered that because of a shortage of skilled operations personnel, the security administrator has agreed to work one late night shift a week as the senior computer operator.
The most appropriate course of action for the IT auditor is to:
- Review the system log for each of the late night shifts to determine whether any irregular actions occurred.
- Inform senior management of the risk involved.
- Develop a computer-assisted audit technique to detect instances of abuses of the arrangement.
- Agree to work with the security officer on these shifts as a form of preventative control.
The patching and monitoring of systems on a consistent schedule is required by:
- Industry best practices
- Audit best practices
- Risk Management framework
- Local privacy laws
IT control objectives are useful to IT auditors as they provide the basis for understanding the:
- Audit control checklist
- Technique for securing information
- Desired results or purpose of implementing specific control procedures
- Security policy