712-50 EC-Council Certified CISO (CCISO) Questions and Answers

Procedural control

Management control

Technical control

Administrative control

Nonlinearities in physical security performance metrics

Defense in depth cost enumerated costs

System hardening and patching requirements

Anti-virus for mobile devices

Control Objective for Information Technology (COBIT)

Committee of Sponsoring Organizations (COSO)

Payment Card Industry (PCI)

Information Technology Infrastructure Library (ITIL)

Daily

Hourly

Weekly

Monthly

Have internal audit conduct another audit to see what has changed.

Contract with an external audit company to conduct an unbiased audit

Review the recommendations and follow up to see if audit implemented the changes

Meet with audit team to determine a timeline for corrections

assign the responsibility to the information security team.

assign the responsibility to the team responsible for the management of the controls.

create operational reports on the effectiveness of the controls.

perform an independent audit of the security controls.

Number of change orders rejected

Number and length of planned outages

Number of unplanned outages

Number of change orders processed

Determining the likelihood that vulnerable systems will be attacked by specific threats

Calculating the risks to which assets are exposed in their current setting

Assigning a value to each information asset

Assessing the relative risk facing the organization’s information assets

Servers, routers, switches, modem

Firewall, exchange, web server, intrusion detection system (IDS)

Firewall, anti-virus console, IDS, syslog

IDS, syslog, router, switches

The IT team is not familiar in IT audit practices

This represents a bad implementation of the Least Privilege principle

This represents a conflict of interest

The IT team is not certified to perform audits

Nothing, this falls outside your area of influence.

Close and chain the door shut and send a company-wide memo banning the practice.

Have a risk assessment performed.

Post a guard at the door to maintain physical security

Gigamon

Intrusion Prevention System

Port Security

Anti-virus

1) Information technology strategic planning, 2) Enterprise strategic planning, 3) Cybersecurity or

information security strategic planning

1) Cybersecurity or information security strategic planning, 2) Enterprise strategic planning, 3) Information

technology strategic planning

1) Enterprise strategic planning, 2) Information technology strategic planning, 3) Cybersecurity or

information security strategic planning

1) Enterprise strategic planning, 2) Cybersecurity or information security strategic planning, 3) Information

technology strategic planning

Lack of compliance to the Payment Card Industry (PCI) standards

Ineffective security awareness program

Security practices not in alignment with ISO 27000 frameworks

Lack of technical controls when dealing with credit card data

Security frameworks

Security policies

Security awareness

Security controls

The risk assessment schedule

The risk assessment framework

The risk assessment charter

The assessment context

Internal Audit

Corporate governance

Risk Oversight

Key Performance Indicators

Maintain a log of discovered risks

Track individual risk assessments

Develop plans for mitigating identified risks

Coordinate the timing of scheduled risk assessments

Facial recognition scan

Iris scan

Signature kinetics scan

Retinal scan

Peers

End Users

Executive Management

All of the above

Board of directors

Risk assessment

Patching history

Latest virus definitions file

Alignment with business goals

ISO27000 accreditation

PCI attestation of compliance

Financial statements

Begin initial gap remediation analyses

Review the security organization’s charter

Validate gaps with the Information Technology team

Create a briefing of the findings for executive management

Program

Milestone

Enterprise

Portfolio

ITIL

Privacy Act

Sarbanes Oxley

PCI-DSS

The existing IT environment.

The company business plan.

The present IT budget.

Other corporate technology trends.

Inform peer executives of the audit results

Validate gaps and accept or dispute the audit findings

Create remediation plans to address program gaps

Determine if security policies and procedures are adequate

They need to use Nessus.

They can implement Wireshark.

Snort is the best tool for their situation.

They could use Tripwire.

Operating expense cannot be written off while Capital expense can

Operating expenses can be depreciated over time and Capital expenses cannot

Capital expenses cannot include salaries and Operating expenses can

Capital expenditures allow for the cost to be depreciated over time and Operating does not

Cost/benefit adjustments

Scope creep

Prototype issues

Expectations management

Evaluating, describing, testing and authorizing

Evaluating, purchasing, testing, authorizing

Auditing, documenting, verifying, certifying

Discovery, testing, authorizing, certifying

Software and hardware license fees

Utilities and power costs

Network connectivity costs

New datacenter to operate from

Segmentation controls.

Shadow applications.

Deception technology.

Vulnerability management.

Outsourcing the IT functions.

Understanding user requirements.

Hiring personnel with leading edge skills.

Implementing and enforcing good processes.

Glaucoma or cataracts

Two different colored eyes (heterochromia iridium)

Contact lens

Malaria

Chief Financial Officer (CFO)

Chief Software Architect (CIO)

CISO

Chief Executive Officer (CEO)

The project is over budget

The project budget has reserves

The project cost is in alignment with the budget

The project is under budget

Reach out to a business similar to yours and ask for their plan

Set goals that are difficult to attain to drive more productivity

Review business acquisitions for the past 3 years

Analyze the broader organizational strategic plan

Compliance management

Asset management

Risk management

Security management

An organization which provides Tier 1 support for technology issues and provides escalation when needed

A distributed organization which provides intelligence to governments and private sectors on cyber-criminal activities

The coordination of personnel, processes and technology to identify information security events and provide timely response and remediation

A device which consolidates event logs and provides real-time analysis of security alerts generated by applications and network hardware

Virtual

Dedicated

Fusion

Command

Conduct a quantitative risk assessment

Conduct a hybrid risk assessment

Conduct a subjective risk assessment

Conduct a qualitative risk assessment

Metrics tracking security milestones, understanding criticality of information and information security, visibility into the types of information and how it is used, endorsement by the board of directors

Annual security training for all employees, continual budget reviews, endorsement of the development and implementation of a security program, metrics to track the program

Understanding criticality of information and information security, review investment in information security, endorse development and implementation of a security program, and require regular reports on adequacy and effectiveness

Endorsement by the board of directors for security program, metrics of security program milestones, annual budget review, report on integration and acceptance of program

Performing

Norming

Storming

Forming

To force stakeholders to commit ample resources to support the project

To facilitate proper communication regarding outcomes

To assure stakeholders commit to the project start and end dates in writing

To finalize detailed scope of the project at project initiation

Business Impact Analysis

Economic Impact analysis

Return on Investment

Cost-benefit analysis

Business unit leaders, CIO, CEO

Business Unite Leaders, CISO, CIO and CEO

All employees

CFO, CEO, CIO

CISO

Data owner

Chief Information Officer (CIO)

Security system administrator

Patch management

Network monitoring

Ability to provide security services tailored to the business’ needs

24/7 tollfree number

Business Impact Analysis

Cost-benefit analysis

Economic impact analysis

Return on Investment

User awareness and training

Host based Intrusion Detection System (IPS)

Acceptable use guide signed by all system users

Antispam solution

Development of KPI’s are most useful when done independently

They are a strictly quantitative measure of success

They should be standard throughout the organization versus domain-specific so they are more easily correlated

They are a strictly qualitative measure of success

A section of a contract that defines tasks to be performed under said contract

An outline of what the military will do during war

A document that outlines specific desired outcomes as part of a request for proposal

Business guidance provided by the CEO

This makes sure the files you exchange aren’t unnecessarily flagged by the Data Loss Prevention (DLP) system

Contracting rules typically require you to have conversations with two or more groups

Discussing decisions with a very large group of people always provides a better outcome

It helps to avoid regulatory or internal compliance issues

Phishing Attacks

Misconfigurations

Social engineering

All of these

RAM and unallocated space

Unallocated space and RAM

Slack space and browser cache

Persistent and volatile data

Phishing exercises

Use immutable data storage

Blocking use of wireless networks

Application of multiple endpoint anti-malware solutions

Security Administrators

Internal/External Audit

Risk Management

Security Operations

Penetration testers

External Audit

Internal Audit

Forensic experts

placing underperforming units on notice for failing to meet standards

determining whether or not resources will be allocated to remediate a finding

adding controls to ensure that proper oversight is achieved by management

revealing the “root cause” of the process failure and mitigating for all internal and external units

Resources are allocated to the areas of the highest concern

Scheduling may be performed months in advance

Budgets are more likely to be met by the IT audit staff

Staff will be exposed to a variety of technologies

Perform a vulnerability scan of the network

External penetration testing by a qualified third party

Internal Firewall ruleset reviews

Implement network intrusion prevention systems

Weekly

Monthly

Quarterly

Daily

An Information Security audit standard

An audit guideline for certifying secure systems and controls

A framework for Information Technology management and governance

A set of international regulations for Information Technology governance

Preventive actions

Inspection

Defect repair

Corrective actions

Risk Management Program.

Anti-Spam controls.

Security Awareness Program.

Identity and Access Management Program.

Secure the area and shut-down the computer until investigators arrive

Secure the area and attempt to maintain power until investigators arrive

Immediately place hard drive and other components in an anti-static bag

Secure the area.

War driving

Operating system attacks

Social engineering

Shrink wrap attack

4, 2, 5, 3, 1

2, 5, 3, 1, 4

4, 5, 2, 3, 1

4, 3, 5, 2, 1

Covert government networks

War driving maps

Government networks in Tora

Virtual network tunnels

In-line hardware keyloggers don’t require physical access

In-line hardware keyloggers don’t comply to industry regulations

In-line hardware keyloggers are undetectable by software

In-line hardware keyloggers are relatively inexpensive

non-repudiation

conflict resolution

strong authentication

digital rights management

The IT support team.

A forensic analysis.

Incident response

Physical security team.

Configure logging on each access point

Install a firewall software on each wireless access point.

Provide IP and MAC address

Disable SSID Broadcast and enable MAC address filtering on all wireless access points.

Session encryption

Removing all stored procedures

Input sanitization

Library control

Baseline the Environment

Maintain and Monitor

Organization Vulnerability

Define Policy

‘ o 1=1 - -

/../../../../

“DROPTABLE USERNAME”

NOPS

Execute

Read

Administrator

Public

Unable to control physical access to the servers

Unable to track log on activity

Unable to run anti-virus scans

Unable to patch systems as needed

Containment

Recovery

Identification

Eradication

chain of custody.

electronic discovery.

evidence tampering.

electronic review.

Physical, Technical, Operational

Technical, Strong Password, Operational

Operational, Biometric, Physical

Strong password, Biometric, Common Access Card

Traffic Analysis

Deep-Packet inspection

Packet sampling

Heuristic analysis

The need to change accounting periods on a regular basis.

The requirement to post entries for a closed accounting period.

The need to create and modify the chart of accounts and its allocations.

The lack of policies and procedures for the proper segregation of duties.

Your public key

The recipient's private key

The recipient's public key

Certificate authority key

Threat analysis process

Asset configuration management process

Business Impact Analysis

Disaster Recovery plan

Trusted and untrusted networks

Type of authentication

Storage encryption

Log retention

security coding

data security system

data classification

privacy protection

3DES

MD5

ECC

RSA

Allow the business units to decide which controls apply to their systems, such as the encryption of sensitive data

Create separate controls for the business units based on the types of business and functions they perform

Ensure business units are involved in the creation of controls and defining conditions under which they must be applied

Provide the business units with control mandates and schedules of audits for compliance validation

Provide clear communication of security requirements throughout the organization

Demonstrate executive support with written mandates for security policy adherence

Create collaborative risk management approaches within the organization

Perform increased audits of security processes and procedures

Procedures for litigation

Procedures for reclamation

Procedures for classification

Procedures for charge-back

Gaining access to an affiliated employee’s work email account as part of an officially sanctioned internal investigation

Sharing copyrighted material with other members of a professional organization where all members have legitimate access to the material

Copying documents from an employer’s server which you assert that you have an intellectual property claim to possess, but the company disputes

Storing client lists and other sensitive corporate internal documents on a removable thumb drive

Upper management support

More frequent project milestone meetings

More training of staff members

Involve internal audit

Ensure security budgets enable technical acquisition and resource allocation based on internal compliance requirements

Develop a culture in which users, managers and IT professionals all make good decisions about information risk

Provide clear communication of security program support requirements and audit schedules

Create security awareness programs that include clear definition of security program goals and charters

Overly restrictive management

Excessive personnel on project

Failure to meet project deadlines

Insufficient resources

Risk Assessment

Incident Response

Risk Management

Network Security administration

When organizational resources are limited

When the benefits of outsourcing outweigh the inherent risks of outsourcing

On new, enterprise-wide security initiatives

On projects not forecasted in the yearly budget

Provide developer security training

Deploy Intrusion Detection Systems

Provide security testing tools

Implement Compensating Controls

it is completed on time or early as compared to the baseline project plan

it meets most of the specifications as outlined in the approved project definition

it comes in at or below the expenditures planned for in the baseline budget

the deliverables are accepted by the key stakeholders

Alignment with the business

Effective use of existing technologies

Leveraging existing implementations

Proper budget management

Quarterly

Semi-annually

Bi-annually

Annually

Upper management support

More frequent project milestone meetings

Stakeholder support

Extend work hours

Increase stock value

Complete security

Support business requirements

Implement information security policies

Customer demand

Cost and time to replace

Insurability tables

Risk of exposure

Define the risk appetite

Determine budget constraints

Review project charters

Collaborate security projects

The Security Systems Development Life Cycle

The Security Project And Management Methodology

Project Management System Methodology

Project Management Body of Knowledge

The CISO

Audit and Compliance

The CFO

The business owner

Change management

Business continuity planning

Security Incident Response

Thought leadership

Terms and Conditions

Service Level Agreements (SLA)

Statement of Work

Key Performance Indicators (KPI)

Time zone differences

Compliance to local hiring laws

Encryption import/export regulations

Local customer privacy laws

At the time the security services are being performed and the vendor needs access to the network

Once the agreement has been signed and the security vendor states that they will need access to the network

Once the vendor is on premise and before they perform security services

Prior to signing the agreement and before any security services are being performed

Threat

Vulnerability

Attack vector

Exploitation

So that they will accept ownership for security within the organization.

So that employees will follow the policy directives.

So that external bodies will recognize the organizations commitment to security.

So that they can be held legally accountable.

Escalation

Recovery

Eradication

Containment

The organization uses exclusively a quantitative process to measure risk

The organization uses exclusively a qualitative process to measure risk

The organization’s risk tolerance is high

The organization’s risk tolerance is lo

Risk Tolerance

Qualitative risk analysis

Risk Appetite

Quantitative risk analysis

They are objective and can express risk / cost in real numbers

They are subjective and can be completed more quickly

They are objective and express risk / cost in approximates

They are subjective and can express risk /cost in real numbers

Identify threats, risks, impacts and vulnerabilities

Decide how to manage risk

Define the budget of the Information Security Management System

Define Information Security Policy

Protect all information resource assets equally

Establish active firewall monitoring protocols

Purchase insurance for your compliance liability

Focus your security efforts on high value assets

integrate with other organizational governance processes

support user choice for Bring Your Own Device (BYOD)

integrate with other organizational governance processes

show a return on investment for the organization

Threat identification

Risk monitoring

Risk treatment

Risk tolerance

Risk assessment

Security program budget

Business continuity plan

Compliance and regulatory analysis

Only check compliance right before the auditors are scheduled to arrive onsite.

Outsource compliance to a 3rd party vendor and let them manage the program.

Have Compliance and Information Security partner to correct issues as they arise.

Have Compliance direct Information Security to fix issues after the auditors report.

Data breach disclosure

Consumer right disclosure

Security incident disclosure

Special circumstance disclosure

Enforce the existing security standards and do not allow the deployment of the new technology.

Amend the standard to permit the deployment.

If the risks associated with that technology are not already identified, perform a risk analysis to quantify the risk, and allow the business unit to proceed based on the identified risk level.

Permit a 90-day window to see if an issue occurs and then amend the standard if there are no issues.

Risk Avoidance

Risk Acceptance

Risk Transfer

Risk Mitigation

Organizational budget

Distance between physical locations

Number of employees

Complexity of organizational structure

Cost and annual rate of expectance

Subjective and Objective

Qualitative and percent of loss realized

Quantitative and qualitative

Include a mix of members from different departments and staff levels.

Ensure that security policies and procedures have been vetted and approved.

Review all past audit and compliance reports.

Be briefed about new trends and products at each meeting by a vendor.

Need to comply with breach disclosure laws

Need to transfer the risk associated with hosting PII data

Need to better understand the risk associated with using PII data

Fiduciary responsibility to safeguard credit card information

National Institute for Standards and Technology 800-50 (NIST 800-50)

International Organization for Standardizations – 27005 (ISO-27005)

Payment Card Industry Data Security Standards (PCI-DSS)

International Organization for Standardizations – 27004 (ISO-27004)

Risk Management and Operations

Corporate Culture and Job Expectations

Operations and Regulations

Technology and Vendor Management

Audit and Legal

Budget and Compliance

Human Resources and Budget

Legal and Human Resources

Quantitative risk assessments result in an exact number (in monetary terms)

Qualitative risk assessments result in a quantitative assessment (high, medium, low, red, yellow, green)

Qualitative risk assessments map to business objectives

Quantitative risk assessments result in a quantitative assessment (high, medium, low, red, yellow, green)