Last Updated on July 24, 2021 by Admin 2

712-50 : EC-Council Certified CISO : Part 17

  1. Scenario: As you begin to develop the program for your organization, you assess the corporate culture and determine that there is a pervasive opinion that the security program only slows things down and limits the performance of the “real workers.”

    Which group of people should be consulted when developing your security program?

    • Peers
    • End Users
    • All of the above
    • Executive Management
  2. Scenario: The new CISO was informed of all the Information Security projects that the section has in progress. Two projects are over a year behind schedule and way over budget. Using the best business practices for project management, you determine that the project correctly aligns with the organization goals.

    What should be verified next?

    • Scope
    • Constraints
    • Resources
    • Budget
  3. Scenario: The new CISO was informed of all the Information Security projects that the section has in progress. Two projects are over a year behind schedule and way over budget.

    Which of the following will be most helpful for getting an Information Security project that is behind schedule back on schedule?

    • Upper management support
    • Involve internal audit
    • More frequent project milestone meetings
    • More training of staff members
  4. You are just hired as the new CISO and are being briefed on all the Information Security projects that your section has ongoing. You discover that most projects are behind schedule and over budget. Using the best business practices for project management, you determine that the project correctly aligns with the company goals.

    What needs to be verified FIRST?

    • Training of the personnel on the project
    • Timeline of the project milestones
    • Vendor for the project
    • Scope of the project
  5. The new CISO was informed of all the Information Security projects that the organization has in progress. Two projects are over a year behind schedule and over budget. Using best business practices for project management, you determine that the project correctly aligns with the company goals.

    Which of the following needs to be performed NEXT?

    • Verify technical resources
    • Verify capacity constraints
    • Verify the scope of the project
    • Verify the regulatory requirements
  6. Scenario: Most industries require compliance with multiple government regulations and/or industry standards to meet data protection and privacy mandates.

    When multiple regulations or standards apply to your industry you should set controls to meet the ___________________________.

    • Most complex standard
    • Recommendations of your Legal Staff
    • Easiest regulation or standard to implement
    • Stricter regulation or standard
  7. Scenario: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified.

    After determining the audit findings are accurate, which of the following is the MOST logical next activity?

    • Validate gaps with the Information Technology team
    • Begin initial gap remediation analyses
    • Review the security organization’s charter
    • Create a briefing of the findings for executive management
  8. Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs. You have identified potential solutions for all of your risks that do not have security controls.

    What is the NEXT step?

    • Create risk metrics for all unmitigated risks
    • Get approval from the board of directors
    • Verify that the cost of mitigation is less than the risk
    • Screen potential vendor solutions
  9. You are just hired as the new CISO and are being briefed on all the Information Security projects that your section has ongoing. You discover that most projects are behind schedule and over budget. Using the best business practices for project management, you determine that the project correctly aligns with the company goals and the scope of the project is correct.

    What is the NEXT step?

    • Verify resources
    • Review time schedules
    • Verify budget
    • Verify constraints
  10. Scenario: Critical servers show signs of erratic behavior within your organization’s intranet. Initial information indicates the systems are under attack from an outside entity. As the Chief Information Security Officer (CISO), you decide to deploy the Incident Response Team (IRT) to determine the details of this incident and take action according to the information available to the team.

    What phase of the response provides measures to reduce the likelihood of an incident from recurring?

    • Recovery
    • Follow-up
    • Response
    • Investigation
  11. Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.

    When adjusting the controls to mitigate the risks, how often should the CISO perform an audit to verify the controls?

    • Never
    • Quarterly
    • Annually
    • Semi-annually
  12. Scenario: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified. The CISO has implemented remediation activities.

    Which of the following is the MOST logical next step?

    • Validate the effectiveness of applied controls
    • Report the audit findings and remediation status to business stakeholders
    • Validate security program resource requirements
    • Review security procedures to determine if they need to be modified according to findings
  13. Scenario: An organization has recently appointed a CISO. This is a new role in the organization and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security-centric agenda. The CISO has been able to implement a number of technical controls and is able to influence the Information Technology teams but has not been able to influence the rest of the organization.

    From an organizational perspective, which of the following is the LIKELY reason for this?

    • The CISO reports to the IT organization
    • The CISO has not implemented a policy management framework
    • The CISO does not report directly to the CEO of the organization
    • The CISO has not implemented a security awareness program
  14. Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the organizational VPN. Recently, members of your organization have been targeted through a number of sophisticated phishing attempts, resulting in compromised credentials.

    What action can you take to prevent external misuse of compromised credentials while still allowing employees to manage their bank information?

    • Turn off VPN access for users originating from outside the country
    • Remove VPN access for all employees except for senior management
    • Enable monitoring on the VPN for suspicious activity
    • Block access to the Employee Self-Service application via VPN
  15. Scenario: A CISO has several two-factor authentication systems under review and selects the one that is most sufficient and least costly. The implementation project planning is completed and the teams are ready to implement the solution. The CISO then discovers that the product is not as scalable as originally thought and will not fit the organization’s needs. The CISO is unsure of the information provided and orders a vendor proof of concept to validate the system’s scalability.

    This demonstrates which of the following?

    • A methodology-based approach to ensure authentication mechanism functions
    • An approach providing minimum time impact to the implementation schedules
    • An approach that allows for minimum budget impact if the solution is unsuitable
    • A risk-based approach to determine if the solution is suitable for investment
  16. Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the organizational VPN.

    What type of control is being implemented by supervisors and data owners?

    • Management
    • Technical
    • Operational
    • Administrative
  17. Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years. This global retail company is expected to accept credit card payments.

    Which of the following is of MOST concern when defining a security program for this organization?

    • Adherence to local data breach notification laws
    • Compliance to Payment Card Industry (PCI) data security standards
    • Compliance with local government privacy laws
    • International encryption restrictions
  18. Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant, but it is expected to grow to a global customer base of many millions of customers in just a few years.

    Which of the following would be the FIRST step when addressing Information Security formally and consistently in this organization?

    • Define formal roles and responsibilities for Information Security
    • Define formal roles and responsibilities for Internal audit functions
    • Create an executive security steering committee
    • Contract a third party to perform a security risk assessment
  19. Scenario: An organization has recently appointed a CISO. This is a new role in the organization and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security-centric agenda.

    Which of the following is the reason the CISO has not been able to advance the security agenda in this organization?

    • Lack of business continuity process
    • Lack of identification of technology stakeholders
    • Lack of a security awareness program
    • Lack of influence with leaders outside IT
  20. Scenario: Your company has many encrypted telecommunications links for its worldwide operations. Physically distributing symmetric keys to all locations has proven to be administratively burdensome, but symmetric keys are preferred to other alternatives.

    Symmetric encryption in general is preferable to asymmetric encryption when:

    • The number of unique communication links is large
    • The distance to the end node is farthest away
    • The volume of data being transmitted is small
    • The speed of the encryption / deciphering process is essential