Exam Misses

Question 1

An organization experienced a breach of credit card data, how should it respond?

Answer 1

notify affected card brands immediately. They are required to notify all affected credit card brands

Question 2

An organization experienced a breach of credit card data, how should it respond?

Answer 2

Notify affected credit card brands immediately (it’s a requirement)

Question 3

When should executives be made aware of changes in applicable cybersecurity laws?

Answer 3

during a routine monthly risk update

Question 4

The classification of an incident is an indication of what 3 things?

Answer 4

data, application or system involved (incident classification can also be tied to the location)

Question 5

A CISO noticed that dwell time metrics aren’t improving, what should be done?

Answer 5

improve incident detection capabilities

Question 6

Does an executive level security council include allocating security budgets to business units?

Answer 6

no.

It’s a good way to get executives talking about cyber risk and business risk, and making risk decisions

Question 7

In a quantitative risk analysis, how is risk expressed in terms of the partial loss of functionality of an asset?

Answer 7

Exposure Factor (EF)

Question 8

A risk assessment of an organization’s SDLC might compel the organization to do what?

Answer 8

Introduce secure coding standards

not update coding standards, because that may not address security specifically

Question 9

The purpose of a security incident tabletop exercise includes all of the following except which one?

Maintain familiarity with incident response procedures

Ensure that procedures are still correct and relevant

Ensure that internal and external communications are established

Ensure that an organization will be able to detect an incident

Answer 9

D. Ensure that an organization will be able to detect an incident

Question 10

What elements should be included in a business case document template?

Answer 10

Current State
Desired End State
Requirements
Approach
Plan

Question 11

A basic security incident response has how many steps, and what are they?

Answer 11

8

detect
initiate
evaluate
eradicate
recovery
remediate
closure
review

Question 12

True or False?
In addition to documenting roles and responsibilities, an incident response program should include detailed procedures for responding to common incidents

Answer 12

True

Question 13

What activity helps ensure a security program is aligned with a security strategy?

Answer 13

Periodic Management Review

Question 14

What is the best indicator of effectiveness?

Answer 14

The trend line for the number of critical and high vulnerabilities found in application penetration tests

Question 15

How does the percentage of effective controls show value (how is it a value delivery metric?)

Answer 15

By illustrating how well the security program is ensuring control effectiveness

Question 16

Who is included in a directory of parties to notify in an emergency?

Answer 16

regulators
offsite media storage companies 
contract personnel services
suppliers
law enforcement
insurance company agents

Question 17

What is the problem with the following control statement, “Endpoints are protected from malware with McAfee Antivirus”

Answer 17

It’s overly specific. If they switched to Symantec, they would technically be out of compliance

Note that it is also unambiguous, but that’s not the best answer.

Question 18

How will a security manager determine the actions needed to achieve the desired end state for a new security program?

Answer 18

Perform a gap analysis

That will help understand the present state and the actions needed to move from the present to the desired state

Question 19

How can a CISO best understand the organization’s risk tolerance?

Answer 19

Interview board members and senior executives.

Examining the risk ledger or other artifacts or capabilities may not accurately reflect the organization’s current risk tolerance.

Question 20

A control’s effectiveness can be tested with a review. True or False?

Answer 20

False.

A self-assessment, internal or external audit are all ok but a review is less rigorous

Question 21

What does this describe?

A document describing the need for a mobile device management program that describes required resources, benefits, and a high-level plan

Answer 21

Business case

not a proposal

Question 22

If an organization has a nonstandard IT governance framework, should the security governance framework be built to resemble it?

Answer 22

Yes

An organization’s security governance framework should be similar to other frameworks, especially that of IT

(don’t build it around industry standards)

Question 23

If an auditor examines a business activity for which there is no control and scores the control as ineffective, what’s the best response?

Answer 23

To treat the activity as though a control should exist - develop a control and ensure it’s effective

Question 24

Can organizations ever opt out of PCI DSS controls?

Answer 24

no

Question 25

Compare leading vs trailing indicators

Answer 25

trailing indicators show past events

leading indicators show future risks

Question 26

Is it common to require project managers to earn security certifications?

Answer 26

no

Security related improvements to project management would not include getting the PM certified in security

Question 27

Is a control self-assessment the most effective way to determine compliance with internal policies?

Answer 27

yes

Question 28

What does a qualified opinion mean?

Answer 28

That the audit has failed in one or more of its high-level control objectives. This is cause for concern and further inquiry

Question 29

What’s the next step after a security policy has been reviewed and update?

Answer 29

Publish it and inform workers where to find it

not require them to sign it
not include changes in security awareness training
not simply publishing it

Question 30

What’s the purpose of a security addendum in a legal contract?

Answer 30

To specific security-related terms and conditions

Question 31

Is PCI-DSS an example of:

data privacy regulation
data protection regulation
a security standard
a security protocol

Answer 31

A security standard

Question 32

Which is the most effective technique to determine compliance with internal policies?

control self-assessment
vulnerability assessment
risk assessment
threat assessment

Answer 32

control self-assessment

Question 33

Requirements classified as “addressable” in HIPAA are?

Answer 33

optional if the organization has performed a risk assessment

Question 34

document marking

Answer 34

“Restricted. For Limited Distribution”

Question 35

procedure

Answer 35

describes step by step instructions to perform a task

it can be part of a process

Question 36

one disadvantage of preventive controls compared to detective controls?

preventive take longer to certify
preventive requires more training
detective are easier to implement
preventive sometimes prevent desired outcomes

Answer 36

preventive controls sometimes prevent desired outcomes.

for example, blocking legitimate email as spam, or an IPS that prevents legitimate downloads

Question 37

business record consisting of identified security issues is a?

risk assessment
risk ledger
vulnerability assessment
penetration test

Answer 37

Risk Ledger

not a risk assessment because that only identifies some but not all issues

Question 38

What information will an external pen tester need to plan a pen test of an organization’s externally facing applications?

Answer 38

URL’s (not IP ranges)
time of day to test
emergency contact information

Question 39

An auditor examines an activity for which no control exists and scores it as ineffective. What is the best response?

Answer 39

Develop a written control and ensure it’s effective

not perform a risk analysis to determine if a control should be developed

Question 40

A developer informs the CISO that the organization is out of compliance with PCI-DSS. How should the CISO proceed?

Answer 40

Create an entry in the risk ledger and look into the matter.

not conduct an investigation, it’s good but not the best initial reaction

Question 41

Document that describes the need for a business capability, including costs and benefits is a what?

Answer 41

business case

Question 42

file integrity monitoring

Answer 42

Periodically scan file systems and report on any changes that occur.

Changes may be due to maintenance but also indicate compromise

Question 43

file activity monitoring

Answer 43

Monitor directories and files to detect unusual activities that may indicate compromise.

do not use this for help with making sure servers are consistently configured

Question 44

RACI Chart

Answer 44

Responsible
Accountable
Consulted
Informed

Assigns levels of responsibility to individuals and groups.

Helps personnel determine roles for various business activities

Question 45

How often should incident escalation procedures be updated?

Answer 45

Once per year, or when executive personnel changes

Question 46

If a risk register has grown too large, what is the best remedy?

Answer 46

Implement a GRC (Governance, Risk, Compliance) platform with management module.

Automating through a risk management module in a GRC platform is best.

Question 47

After a security policy has been reviewed and updated, what are the next steps?

Answer 47

Publish and inform workers

Question 48

What’s the best way to introduce security into the hiring process?

Answer 48

perform background checks, use NDA’s, verify licenses and certifications, verify prior employment

Not require candidates to complete security awareness training

Question 49

What’s special about leading indicators?

Answer 49

they’re potential indicators of future attacks / events

ie a percentage of critical servers that are not patched in 30 days

Question 50

An auditor examines a business activity for which no written control exists and scores it as ineffective. What’s the best response?

Answer 50

Develop a written control and ensure it is effective. Generally, if an auditor examines a business activity as though a control exists, but does not, the organization should formally develop the control.

Not - perform risk analysis to determine whether a control should be developed

Question 51

Process (Process Document)

Answer 51

Document that describes the overall activities to take place on a particular activity

Question 52

Process (Process Document)

Answer 52

Document that describes the overall activities to take place on a particular activity

Describes all of the actions to take place regarding vulnerability management

Question 53

Minimum standards for securing the technical infrastructure should be defined in:

security strategy
security architecture
security guidelines
security model

Answer 53

architecture

The security architecture defines how components are secured and the security services that should be in place.

Question 54

When developing an information security program, what’s the most useful source of information for determining available resources?

organization chart
skills inventory
job descriptions

Answer 54

skills inventory

Question 55

Who should drive risk analysis for an organization?

senior management
security manager

Answer 55

security manager

senior management should support and sponsor it, but the security manager will have the know-how and management of it.

Question 56

The most complete business case for security solutions is one that…

Answer 56

includes appropriate justification

Question 57

When implementing effective security governance within the requirements of the company’s security strategy, which is the most important factor to consider?

preserving confidentiality of sensitive data
adhering to corporate privacy standards
establishing system manager responsibility for information security

Answer 57

preserving confidentiality of sensitive data

The goal of information security is to protect the organization’s information assets.

Question 58

Information security policy enforcement is the responsibility of the:

security steering committee
CIO
CISO

Answer 58

CISO

Question 59

The primary concern of an information security manager documenting a formal data retention policy would be

business requirements
legislative and regulatory requirements

Answer 59

business requirements

The primary concern will be to comply with legislation and regulation but only if they are genuine business requirments

Question 60

What should be fixed first to ensure successful infosec governance in an organization?

CIO approves security policy changes

infosec oversight committee only meets quarterly

data center manager has final signify on all security projects

Answer 60

data center manager has final signify on all security projects

The fact that the data center manager has final signoff for all security projects indicates that a steering committee is not being used and that information security is relegated to a subordinate place in the organization

It is not inappropriate for an oversight or steering committee to meet quarterly. Similarly, it may be desirable to have the chief information officer (CIO) approve the security policy due to the size of the organization and frequency of updates

Question 61

Which is the best reason to perform a BIA?

to help determine current state of risk
to analyze the effect on the business

Answer 61

to help determine current state of risk

Question 62

Which is the best method to improve accountability for a system administrator who has security functions?

include security responsibilities in the job description

require them to obtain security certifications

train them on pen testing and vulnerability assessment

Answer 62

include security responsibilities in the job description

Question 63

What is the primary role of the information security manager in the process of information classification within an organization?

Answer 63

defining and ratifying the classification structure of information assets

Question 64

A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the Information security program?

composition of the board

cultures of the different countries

Answer 64

cultures of the different countries

Question 65

The impact of an incident is an indication of:

Answer 65

Incident severity

The severity of an incident is directly tied to its effect on the organization, whether a single person, group, department, or entire organization

Question 66

An organization experiencing a malware-related incident is unable to isolate the malware. What should they do next?

get help from trained personnel with forensics analysis tools

wipe hard drives of affected systems and reinstall the OS

Obtain advanced anti-malware tools to identify malware

shut down affected systems and rebuild them on alternate hardware or VMs

Answer 66

get help from trained personnel with forensics analysis tools

Question 67

What metric would be an indicator of improving discipline among control owners?

Trend line in the number of control self assessments completed

Trend line in the number of process documents not reviewed within 13 months of prior review

Trend line in the number of control exceptions in external audits

Trend line in the number of external control tests completed

Answer 67

Trend line in the number of control exceptions in external audits

Question 68

Which document defines specific configuration details for compliance?

policy

procedure

standard

guideline

Answer 68

Standard

A standard is a detailed document that defines configurations, protocols or products to be used in the organization

Question 69

An executive has delegated responsibility for granting access requests to the IT department. The IT department in this role is functioning as the:

owner
custodian

Answer 69

custodian

Question 70

Types of controls

Answer 70

preventive - prevent unwanted event. ie keycards, login screens

detective - records good and bad events. ie cctv, event logs

deterrent - convinces people to avoid an activity. ie dogs, warning signs, cctv

corrective - activated after unwanted event happens. ie improving a process that didn’t work as well as desired

compensating - used if other direct control can’t be used. ie a sign-in register if you can’t use video surveillance.

recovery - restores state of a system. ie backup software

Question 71

acceptable risk is achieved when:

residual risk is minimized
control risk is minimized

Answer 71

residual risk is minimized