Last Updated on July 23, 2021 by InfraExam
712-50 : EC-Council Certified CISO : Part 09
The MOST common method to get an unbiased measurement of the effectiveness of an Information Security Management System (ISMS) is to_________________________.
- assign the responsibility to the information security team
- assign the responsibility to the team responsible for the management of the controls
- perform an independent audit of the security controls
- create operational reports on the effectiveness of the controls.
The ultimate goal of an IT security projects is:
- Support business requirements
- Implement information security policies
- Increase stock value
- Complete security
An organization has implemented a change management process for all changes to the IT production environment. This change management process follows best practices and is expected to help stabilize the availability and integrity of the organization’s IT environment.
Which of the following can be used to measure the effectiveness of this newly implemented process?
- Number and length of planned outages
- Number of change orders processed
- Number of change orders rejected
- Number of unplanned outages
You have implemented the new controls. What is the next step?
- Perform a risk assessment
- Monitor the effectiveness of the controls
- Document the process for the stakeholders
- Update the audit findings report
Step-by-step procedures to regain normalcy in the event of a major earthquake is PRIMARILY covered by which of the following plans?
- Damage control plan
- Disaster recovery plan
- Business Continuity plan
- Incident response plan
An employee successfully avoids becoming a victim of a sophisticated spear phishing attack due to knowledge gained through the corporate information security awareness program.
What type of control has been effectively utilized?
- Technical Control
- Management Control
- Operational Control
- Training Control
A system was hardened at the Operating System level and placed into the production environment. Months later an audit was performed and it identified insecure configuration different from the original hardened state.
Which of the following security issues is the MOST likely reason leading to the audit findings?
- Lack of asset management processes
- Lack of hardening standards
- Lack of proper access controls
- Lack of change management processes
When is an application security development project complete?
- When the application turned over to production.
- After one year
- When the application reaches the maintenance phase.
- When the application is retired.
An audit was conducted and many critical applications were found to have no disaster recovery plans in place. You conduct a Business Impact Analysis (BIA) to determine impact to the company for each application.
What should be the NEXT step?
- Create technology recovery plans
- Determine the annual loss expectancy (ALE)
- Build a secondary hot site
- Create a crisis management plan
Which of the following activities must be completed BEFORE you can calculate risk?
- Assigning a value to each information asset
- Assessing the relative risk facing the organization’s information assets
- Determining the likelihood that vulnerable systems will be attacked by specific threats
- Calculating the risks to which assets are exposed in their current setting
Which of the following are primary concerns for management with regard to assessing internal control objectives?
- Confidentiality, Availability, Integrity
- Compliance, Effectiveness, Efficiency
- Communication, Reliability, Cost
- Confidentiality, Compliance, Cost
The effectiveness of an audit is measured by?
- The number of security controls the company has in use
- How it exposes the risk tolerance of the company
- The number of actionable items in the recommendations
- How the recommendations directly support the goals of the company
Which of the following is the MOST important reason to measure the effectiveness of an Information Security Management System (ISMS)?
- Better understand the threats and vulnerabilities affecting the environment
- Better understand strengths and weakness of the program
- Meet regulatory compliance requirements
- Meet legal requirements
Control Objectives for Information and Related Technology (COBIT) is which of the following?
- An audit guideline for certifying secure systems and controls
- An information Security audit standard
- A framework for Information Technology management and governance
- A set of international regulations for Information Technology governance
Which of the following are not stakeholders of IT security projects?
- Board of directors
- Help Desk
- Third party vendors
Which of the following illustrates an operational control process:
- Classifying an information system as part of a risk assessment
- Conducting an audit of the configuration management process
- Installing an appropriate fire suppression system in the data center
- Establishing procurement standards for cloud vendors
A person in your security team calls you at night and informs you that one of your web applications is potentially under attack from a cross-site scripting vulnerability.
What do you do?
- tell him to shut down the server
- tell him to call the police
- tell him to invoke the incident response process
- tell him to analyze the problem, preserve the evidence and provide a full analysis and report.
Which of the following are necessary to formulate responses to external audit findings?
- Technical Staff, Budget Authority, Management
- Technical Staff, Internal Audit, Budget Authority
- Internal Audit, Budget Authority, Management
- Internal Audit, management, and Technical Staff
Which of the following is the PRIMARY purpose of International Organization for Standardization (ISO) 27001?
- Implementation of business-enabling information security
- Use within an organization to ensure compliance with laws and regulations
- To enable organizations that adopt it to obtain certifications
- Use within an organization to formulate security requirements and objectives
A missing/ineffective security control is identified.
Which of the following should be the NEXT step?
- Perform an audit to measure the control formally
- Escalate the issue to the IT organization
- Perform a risk assessment to measure risk
- Establish Key Risk Indicators