CISO-Topic-1
Question #: 25
Topic #: 1
From an information security perspective, information that no longer supports the main purpose of the business should be:
A. protected under the information classification policy
B. analyzed under the data ownership policy
C. assessed by a business impact analysis
D. analyzed under the retention policy
Selected Answer: A
Question #: 457
Topic #: 1
From the CISO’s perspective in looking at financial statements, the statement of retained earnings of an organization:
A. Has a direct correlation with the CISO’s budget
B. Represents, in part, the savings generated by the proper acquisition and implementation of security controls
C. Represents the sum of all capital expenditures
D. Represents the percentage of earnings that could in part be used to finance future security controls
Selected Answer: D
Question #: 449
Topic #: 1
You have been hired as the CISO for a hospital. The hospital currently deploys a hybrid cloud model using a Software as a Service (SaaS) product for healthcare clearinghouse services. The Health Insurance Portability and Accountability Act (HIPAA) requires an agreement between Cloud Service Providers (CSP) and the covered entity. Based on HIPAA, once the agreement between the covered entity and the CSP is signed, the CSP is ____________?
A. Partially liable for compliance with the applicable requirements of the HIPAA Rules
B. Directly liable for compliance with the applicable requirements of the HIPAA Rules
C. Not liable for compliance with the applicable requirements of the HIPAA Rules
D. Indirectly liable for compliance with the applicable requirements of the HIPAA Rules
Selected Answer: B
Question #: 440
Topic #: 1
As the CISO, you are the project sponsor for a highly visible log management project. The objective of the project is to centralize all the enterprise logs into a security information and event management (SIEM) system. You requested the results of the performance quality audits activity.
The performance quality audit activity is done in what project management process group?
A. Executing
B. Controlling
C. Planning
D. Closing
Selected Answer: B
Question #: 417
Topic #: 1
Making sure that the actions of all employees, applications, and systems follow the organization’s rules and regulations can BEST be described as which of the following?
A. Compliance management
B. Asset management
C. Risk management
D. Security management
Selected Answer: A
Question #: 415
Topic #: 1
A key cybersecurity feature of a Personal Identification Verification (PIV) Card is:
A. Inability to export the private certificate/key
B. It can double as physical identification at the DMV
C. It has the user’s photograph to help ID them
D. It can be used as a secure flash drive
Selected Answer: A
Question #: 384
Topic #: 1
Michael starts a new job and discovers that he has unnecessary access to a variety of systems. Which of the following best describes the problem he has encountered?
A. Rights collision
B. Excessive privileges
C. Privilege creep
D. Least privileges
Selected Answer: C
Question #: 373
Topic #: 1
Which of the following defines the boundaries and scope of a risk assessment?
A. The risk assessment schedule
B. The risk assessment framework
C. The risk assessment charter
D. The assessment context
Selected Answer: D
Question #: 371
Topic #: 1
A newly-hired CISO needs to understand the organization’s financial management standards for business units and operations. Which of the following would be the best source of this information?
A. The internal accounting department
B. The Chief Financial Officer (CFO)
C. The external financial audit service
D. The managers of the accounts payables and accounts receivables teams
Selected Answer: B
Question #: 370
Topic #: 1
Which of the following is an accurate statement regarding capital expenses?
A. They are easily reduced through the elimination of usage, such as reducing power for lighting of work areas during off-hours
B. Capital expenses can never be replaced by operational expenses
C. Capital expenses are typically long-term investments with value being realized through their use
D. The organization is typically able to regain the initial cost by selling this type of asset
Selected Answer: C
Question #: 367
Topic #: 1
What is meant by password aging?
A. An expiration date set for passwords
B. A Single Sign-On requirement
C. Time in seconds a user is allocated to change a password
D. The amount of time it takes for a password to activate
Selected Answer: A
Question #: 363
Topic #: 1
During the 3rd quarter of a budget cycle, the CISO noticed she spent more than was originally planned in her annual budget. What is the condition of her current budgetary posture?
A. The budget is in a temporary state of imbalance
B. The budget is operating at a deficit
C. She can realign the budget through moderate capital expense (CAPEX) allocation
D. She has a surplus of operational expenses (OPEX)
Selected Answer: B
Question #: 360
Topic #: 1
Which of the following best describes revenue?
A. Non-operating financial liabilities minus expenses
B. The true profit-making potential of an organization
C. The sum value of all assets and cash flow into the business
D. The economic benefit derived by operating a business
Selected Answer: D
Question #: 359
Topic #: 1
Where does bottom-up financial planning primarily gain information for creating budgets?
A. By adding all capital and operational costs from the prior budgetary cycle, and determining potential financial shortages
B. By reviewing last year’s program-level costs and adding a percentage of expected additional portfolio costs
C. By adding the cost of all known individual tasks and projects that are planned for the next budgetary cycle
D. By adding all planned operational expenses per quarter then summarizing them in a budget request
Selected Answer: C
Question #: 357
Topic #: 1
Which of the following is the MOST logical method of deploying security controls within an organization?
A. Obtain funding for all desired controls and then create project plans for implementation
B. Apply the simpler controls as quickly as possible and use a risk-based approach for the more difficult and costly controls
C. Apply the least costly controls to demonstrate positive program activity
D. Obtain business unit buy-in through close communication and coordination
Selected Answer: D
Question #: 356
Topic #: 1
The network administrator wants to strengthen physical security in the organization. Specifically, they want to implement a solution that stops people from entering certain restricted zones without proper credentials. Which of the following physical security measures should the administrator use?
A. Video surveillance
B. Mantrap
C. Bollards
D. Fence
Selected Answer: B
Question #: 376
Topic #: 1
At what level of governance are individual projects monitored and managed?
A. Program
B. Milestone
C. Enterprise
D. Portfolio
Selected Answer: D
Question #: 326
Topic #: 1
Scenario: Most industries require compliance with multiple government regulations and/or industry standards to meet data protection and privacy mandates.
When multiple regulations or standards apply to your industry you should set controls to meet the ___________________________.
A. Most complex standard
B. Recommendations of your Legal Staff
C. Easiest regulation or standard to implement
D. Stricter regulation or standard
Selected Answer: D
Question #: 322
Topic #: 1
Scenario: The new CISO was informed of all the Information Security projects that the section has in progress. Two projects are over a year behind schedule and way over budget. Using the best business practices for project management, you determine that the project correctly aligns with the organization’s goals.
What should be verified next?
A. Scope
B. Constraints
C. Resources
D. Budget
Selected Answer: A
Question #: 305
Topic #: 1
Scenario: Your program is developed around minimizing risk to information by focusing on people, technology, and operations. You have decided to deal with risk to information from people first.
How can you minimize risk to your most sensitive information before granting access?
A. Set your firewall permissions aggressively and monitor logs regularly
B. Develop an Information Security Awareness program
C. Conduct background checks on individuals before hiring them
D. Monitor employee browsing and surfing habits
Selected Answer: C
Question #: 304
Topic #: 1
Scenario: Most industries require compliance with multiple government regulations and/or industry standards to meet data protection and privacy mandates.
What is one proven method to account for common elements found within separate regulations and/or standards?
A. Design your program to meet the strictest government standards
B. Develop a crosswalk
C. Hire a GRC expert
D. Use the Find function of your word processor
Selected Answer: B
Question #: 297
Topic #: 1
What is the FIRST step in developing the vulnerability management program?
A. Baseline the Environment
B. Define policy
C. Maintain and Monitor
D. Organization Vulnerability
Selected Answer: B
Question #: 264
Topic #: 1
The process for identifying, collecting, and producing digital information in support of legal proceedings is called _____________________________.
A. chain of custody
B. electronic review
C. evidence tampering
D. electronic discovery
Selected Answer: D
Question #: 262
Topic #: 1
A system is designed to dynamically block offending Internet IP-addresses from requesting services from a secure website.
This type of control is considered ______________________.
A. Preventive detection control
B. Corrective security control
C. Zero-day attack mitigation
D. Dynamic blocking control
Selected Answer: B
Question #: 261
Topic #: 1
Your incident handling manager detects a virus attack in the network of your company. You develop a signature based on the characteristics of the detected virus.
Which of the following phases in the incident handling process will utilize the signature to resolve this incident?
A. Eradication
B. Containment
C. Recovery
D. Identification
Selected Answer: A
Question #: 255
Topic #: 1
Acceptable levels of information security risk tolerance in an organization should be determined by?
A. Corporate compliance committee
B. CEO and board of directors
C. CISO with reference to the company goals
D. Corporate legal counsel
Selected Answer: B
Question #: 251
Topic #: 1
What is the BEST reason for having a formal request for proposal process?
A. Creates a timeline for purchasing and budgeting
B. Informs suppliers a company is going to make a purchase
C. Clearly identifies risks and benefits before funding is spent
D. Allows small companies to compete with larger companies
Selected Answer: C
Question #: 246
Topic #: 1
One of your executives needs to send an important and confidential email. You want to ensure that the message cannot be read by anyone but the recipient.
Which of the following keys should be used to encrypt the message?
A. Certificate authority key
B. The recipient’s private key
C. The recipient’s public key
D. Your public key
Selected Answer: C
Question #: 238
Topic #: 1
Which of the following functions evaluates patches used to close software vulnerabilities and perform validation of new systems to assure compliance with security?
A. Incident response
B. Risk management
C. System security administration
D. System testing
Selected Answer: C
Question #: 236
Topic #: 1
Which of the following methods are used to define contractual obligations that force a vendor to meet customer expectations?
A. Terms and Conditions
B. Statements of Work
C. Service Level Agreements (SLA)
D. Key Performance Indicators (KPI)
Selected Answer: C
Question #: 234
Topic #: 1
Which of the following can the company implement in order to avoid this type of security issue in the future?
A. Network based intrusion detection systems
B. An audit management process
C. A security training program for developers
D. A risk management process
Selected Answer: C
Question #: 232
Topic #: 1
A CISO implements smart cards for credential management, and as a result has reduced costs associated with help desk operations supporting password resets.
This demonstrates which of the following principles?
A. Increased security program presence
B. Regulatory compliance effectiveness
C. Security organizational policy enforcement
D. Proper organizational policy enforcement
Selected Answer: D
Question #: 211
Topic #: 1
Risk appetite is typically determined by which of the following organizational functions?
A. Business units
B. Board of Directors
C. Audit and compliance
D. Security
Selected Answer: B
Question #: 403
Topic #: 1
An organization recently acquired a Data Loss Prevention (DLP) solution, and two months after the implementation, it was found that sensitive data was posted to numerous Dark Web sites. The DLP application was checked, and there are no apparent malfunctions and no errors.
What is the MOST likely reason why the sensitive data was posted?
A. The DLP Solution was not integrated with mobile device anti-malware
B. Data classification was not properly performed on the assets
C. The sensitive data was not encrypted while at rest
D. A risk assessment was not performed after purchasing the DLP solution
Selected Answer: D
Question #: 382
Topic #: 1
Which of the following best describes an access control process that confirms the identity of the entity seeking access to a logical or physical area?
A. Identification
B. Authorization
C. Authentication
D. Accountability
Selected Answer: C
Question #: 204
Topic #: 1
Which of the following is the MOST important component of any change management process?
A. Outage planning
B. Scheduling
C. Approval tracking
D. Back-out procedures
Selected Answer: C
Question #: 195
Topic #: 1
Which business stakeholder is accountable for the integrity of a new information system?
A. Compliance Officer
B. CISO
C. Project manager
D. Board of directors
Selected Answer: B
Question #: 123
Topic #: 1
Creating a secondary authentication process for network access would be an example of?
A. Defense in depth cost enumerated costs
B. Nonlinearities in physical security performance metrics
C. System hardening and patching requirements
D. Anti-virus for mobile devices
Selected Answer: A
Question #: 312
Topic #: 1
Scenario: Your corporate systems have been under constant probing and attack from foreign IP addresses for more than a week. Your security team and security infrastructure have performed well under the stress. You are confident that your defenses have held up under the test, but rumors are spreading that sensitive customer data has been stolen and is now being sold on the Internet by criminal elements.
During your investigation of the rumored compromise, you discover that data has been breached and that the repository of stolen data is on a server located in a foreign country. Your team now has full access to the data on the foreign server.
What action should you take FIRST?
A. Consult with other executives to develop an action plan
B. Contract with a credit reporting company for paid monitoring services for affected customers
C. Contact your local law enforcement agency
D. Destroy the repository of stolen data
Selected Answer: C
Question #: 157
Topic #: 1
An information security department is required to remediate system vulnerabilities when they are discovered. Please select the three primary remediation methods that can be used on an affected system.
A. Install software patch, configuration adjustment, software removal
B. Install software patch, operate system, maintain system
C. Discover software, remove affected software, apply software patch
D. Software removal, install software patch, maintain system
Selected Answer: A
Question #: 325
Topic #: 1
The new CISO was informed of all the Information Security projects that the organization has in progress. Two projects are over a year behind schedule and over budget. Using best business practices for project management, you determine that the project correctly aligns with the company goals.
Which of the following needs to be performed NEXT?
A. Verify technical resources
B. Verify capacity constraints
C. Verify the scope of the project
D. Verify the regulatory requirements
Selected Answer: C
Question #: 11
Topic #: 1
The PRIMARY objective of security awareness is to:
A. Encourage security-conscious employee behavior
B. Put employees on notice in case follow-up action for noncompliance is necessary
C. Ensure that security policies are read
D. Meet legal and regulatory requirements
Selected Answer: A
Question #: 400
Topic #: 1
Which of the following statements regarding Key Performance Indicators (KPIs) is true?
A. Development of KPIs is most useful when done independently
B. They are a strictly quantitative measure of success
C. They should be standard throughout the organization versus domain-specific so they are more easily correlated
D. They are a strictly qualitative measure of success
Selected Answer: B
Question #: 26
Topic #: 1
A global retail company is creating a new compliance management process.
Which of the following regulations is of MOST importance to be tracked and managed by this process?
A. Information Technology Infrastructure Library (ITIL)
B. National Institute for Standards and Technology (NIST) standards
C. International Organization for Standardization (ISO) standards
D. Payment Card Industry Data Security Standards (PCI-DSS)
Selected Answer: D
Question #: 309
Topic #: 1
Scenario: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.
Which of the following is the FIRST action the CISO will perform after receiving the audit report?
A. Inform peer executives of the audit results
B. Validate gaps and accept or dispute the audit findings
C. Create remediation plans to address program gaps
D. Determine if security policies and procedures are adequate
Selected Answer: A
Question #: 31
Topic #: 1
An organization has defined a set of standard security controls. This organization has also defined the circumstances and conditions in which they must be applied.
What is the NEXT logical step in applying the controls in the organization?
A. Determine the risk tolerance
B. Perform an asset classification
C. Analyze existing controls on systems
D. Create an architecture gap analysis
Selected Answer: C
Question #: 441
Topic #: 1
A CISO must conduct risk assessments using a method where the Chief Financial Officer (CFO) receives impact data in financial terms to use as input to select the proper level of coverage in a new cybersecurity insurance policy.
What is the MOST effective method of risk analysis to provide the CFO with the information required?
A. Conduct a quantitative risk assessment
B. Conduct a hybrid risk assessment
C. Conduct a subjective risk assessment
D. Conduct a qualitative risk assessment
Selected Answer: A
Question #: 166
Topic #: 1
An employee successfully avoids becoming a victim of a sophisticated spear phishing attack due to knowledge gained through the corporate information security awareness program.
What type of control has been effectively utilized?
A. Technical Control
B. Management Control
C. Operational Control
D. Training Control
Selected Answer: C