712-50 EC-Council Certified CISO (CCISO) Questions and Answers

The IT team is not familiar in IT audit practices

This represents a bad implementation of the Least Privilege principle

This represents a conflict of interest

The IT team is not certified to perform audits

Business Impact Analysis

Economic Impact analysis

Return on Investment

Cost-benefit analysis

Reasonable, Actionable, Controlled, and Implemented

Responsible, Actors, Consult, and Instigate

Responsible, Accountable, Consulted, and Informed

Review, Act, Communicate, and Inform

The project is over budget

The project budget has reserves

The project cost is in alignment with the budget

The project is under budget

Development of KPI’s are most useful when done independently

They are a strictly quantitative measure of success

They should be standard throughout the organization versus domain-specific so they are more easily correlated

They are a strictly qualitative measure of success

Compliance management

Asset management

Risk management

Security management

Metrics tracking security milestones, understanding criticality of information and information security, visibility into the types of information and how it is used, endorsement by the board of directors

Annual security training for all employees, continual budget reviews, endorsement of the development and implementation of a security program, metrics to track the program

Understanding criticality of information and information security, review investment in information security, endorse development and implementation of a security program, and require regular reports on adequacy and effectiveness

Endorsement by the board of directors for security program, metrics of security program milestones, annual budget review, report on integration and acceptance of program

A section of a contract that defines tasks to be performed under said contract

An outline of what the military will do during war

A document that outlines specific desired outcomes as part of a request for proposal

Business guidance provided by the CEO

Conduct a quantitative risk assessment

Conduct a hybrid risk assessment

Conduct a subjective risk assessment

Conduct a qualitative risk assessment

Governance and compliance

Auditing and security

Budget and risk tolerance

Threats and vulnerabilities

Determine appetite

Evaluate risk avoidance criteria

Perform a risk assessment

Mitigate risk

Ensure efficient recovery and reinstate repaired systems

Create effective policies detailing program activities

Communicate details of information security incidents

Provide current employee awareness programs

Internal audit

The data owner

All executive staff

Government regulators

Risk = Probability x Impact

Risk = Threat x Probability

Risk = Financial Impact x Probability

Risk = Impact x Threat

Organizational objectives and risk tolerance

Risk assessment criteria

IT architecture complexity

Enterprise disaster recovery plans

The budget is in a temporary state of imbalance

The budget is operating at a deficit

She can realign the budget through moderate capital expense (CAPEX) allocation

She has a surplus of operational expenses (OPEX)

Non-operating financial liabilities minus expenses

The true profit-making potential of an organization

The sum value of all assets and cash flow into the business

The economic benefit derived by operating a business

Closed circuit television

Open circuit television

Blocked video

Local video

System scanning trends and results as they pertain to insider and external threat sources

The capabilities of a security program in terms of staffing support

Significant risks and security incidents that have been discovered since the last assembly of the

membership

The numbers and types of cyberattacks experienced by the organization since the last assembly of the

membership

Peers

End Users

Executive Management

All of the above

Service

Program

Portfolio

Cost center

Controlled mitigation effort

Risk impact comparison

Relative likelihood of event

Comparative threat analysis

Threat

Vulnerability

Attack vector

Exploitation

The types of cardholder data retained

The duration card holder data is retained

The size of the organization processing credit card data

The number of transactions performed per year by an organization

Confidential/Protected Information

Bodily Information

Territorial Information

Communications Information

So that they will accept ownership for security within the organization.

So that employees will follow the policy directives.

So that external bodies will recognize the organizations commitment to security.

So that they can be held legally accountable.

Lack of a formal security awareness program

Lack of a formal security policy governance process

Lack of formal definition of roles and responsibilities

Lack of a formal risk management policy

The asset owner

The asset manager

The data custodian

The project manager

Reach out to a business similar to yours and ask for their plan

Set goals that are difficult to attain to drive more productivity

Review business acquisitions for the past 3 years

Analyze the broader organizational strategic plan

Chief Financial Officer (CFO)

Chief Software Architect (CIO)

CISO

Chief Executive Officer (CEO)

RAM and unallocated space

Unallocated space and RAM

Slack space and browser cache

Persistent and volatile data

International Organization for Standardization 27001

National Institute of Standards and Technology Special Publication SP 800-12

Request For Comment 2196

National Institute of Standards and Technology Special Publication SP 800-26

Confidentiality, Availability, Integrity

Compliance, Effectiveness, Efficiency

Communication, Reliability, Cost

Confidentiality, Compliance, Cost

Incident response plan

Business Continuity plan

Disaster recovery plan

Damage control plan

assign the responsibility to the information security team.

assign the responsibility to the team responsible for the management of the controls.

create operational reports on the effectiveness of the controls.

perform an independent audit of the security controls.

The auditors have not followed proper auditing processes

The CIO of the organization disagrees with the finding

The risk tolerance of the organization permits this risk

The organization has purchased cyber insurance

Information Security and Identity Access Management teams perform two distinct functions

Developers and Network teams both have admin rights on servers

Finance has access to Human Resources data

Information Security and Network teams perform two distinct functions

Procedural control

Management control

Technical control

Administrative control

Senior Executives

Office of the Auditor

Office of the General Counsel

All employees and users

Terms and Conditions

Service Level Agreements (SLA)

Statement of Work

Key Performance Indicators (KPI)

Quarterly

Semi-annually

Bi-annually

Annually

Tell the team to do their best and respond to each alert

Tune the sensors to help reduce false positives so the team can react better

Request additional resources to handle the workload

Tell the team to only respond to the critical and high alerts

Poor audit support for the security program

A lack of executive presence within the security program

Poor alignment of the security program to business needs

This is normal since business units typically resist security requirements

Board of directors

Third party vendors

CISO

Help Desk

System testing

Risk assessment

Incident response

Planning

The company lacks a risk management process

The company does not believe the security vulnerabilities to be real

The company has a high risk tolerance

The company lacks the tools to perform a vulnerability assessment

When organizational resources are limited

When the benefits of outsourcing outweigh the inherent risks of outsourcing

On new, enterprise-wide security initiatives

On projects not forecasted in the yearly budget

A security organization that is adequately staffed to apply required mitigation strategies and regulatory compliance solutions

A clear set of security policies and procedures that are more concept-based than controls-based

A complete inventory of Information Technology assets including infrastructure, networks, applications and data

A clearly identified executive sponsor who will champion the effort to ensure organizational buy-in

Type of data contained in the process/system

Type of connection/protocol used to transfer the data

Type of encryption required for the data once it is at rest

Type of computer the data is processed on

Knowing who all the stakeholders are.

Knowing the people on the data center team.

Knowing the threats to the organization.

Knowing the milestones and timelines of deliverables.

Time zone differences

Compliance to local hiring laws

Encryption import/export regulations

Local customer privacy laws

security coding

data security system

data classification

privacy protection

Wireless Application Protocol (WAP)

Wifi Protected Access version 2 (WPA2)

Wireless Equivalence Protocol (WEP)

Extensible Authentication Protocol (EAP)

‘ o 1=1 - -

/../../../../

“DROPTABLE USERNAME”

NOPS

Well established and defined digital forensics process

Establishing Enterprise-owned Botnets for preemptive attacks

Be able to retaliate under the framework of Active Defense

Collaboration with law enforcement

The need to change accounting periods on a regular basis.

The requirement to post entries for a closed accounting period.

The need to create and modify the chart of accounts and its allocations.

The lack of policies and procedures for the proper segregation of duties.

Comprehensive Log-Files from all servers and network devices affected during the attack

Fully trained network forensic experts to analyze all data right after the attack

Uninterrupted Chain of Custody

Expert forensics witness

Baseline the Environment

Maintain and Monitor

Organization Vulnerability

Define Policy

War driving

Operating system attacks

Social engineering

Shrink wrap attack

Trusted and untrusted networks

Type of authentication

Storage encryption

Log retention

Session encryption

Removing all stored procedures

Input sanitization

Library control

Traffic Analysis

Deep-Packet inspection

Packet sampling

Heuristic analysis

Threat analysis process

Asset configuration management process

Business Impact Analysis

Disaster Recovery plan

Inform peer executives of the audit results

Validate gaps and accept or dispute the audit findings

Create remediation plans to address program gaps

Determine if security policies and procedures are adequate