712-50 EC-Council Certified CISO (CCISO) Questions and Answers

Management

Operational

Technical

Administrative

Reviewing system administrator logs

Auditing configuration templates

Checking vendor product releases

Performing system scans

The internal accounting department

The Chief Financial Officer (CFO)

The external financial audit service

The managers of the accounts payables and accounts receivables teams

Use asymmetric encryption for the automated distribution of the symmetric key

Use a self-generated key on both ends to eliminate the need for distribution

Use certificate authority to distribute private keys

Symmetrically encrypt the key and then use asymmetric encryption to unencrypt it

Virtual

Dedicated

Fusion

Command

Traditional

Composite

Project

Matrix

Inside the DMZ

In-line with the data center firewall

Beyond the outer perimeter firewall

As the gatekeeper to the organization’s honeynet

SaaS provider’s website certifications and representations (certs and reps)

SOC-2 Report

Metasploit Audit Report

Statement from SaaS provider attesting their ability to secure your data

Improve discovery of valid detected events

Enhance tuning of automated tools to detect and prevent attacks

Replace existing threat detection strategies

Validate patterns of behavior related to an attack

RAM and unallocated space

Unallocated space and RAM

Slack space and browser cache

Persistent and volatile data

Business unit leaders, CIO, CEO

Business Unite Leaders, CISO, CIO and CEO

All employees

CFO, CEO, CIO

Time, quality, and scope

Cost, quality, and time

Scope, time, and cost

Quality, scope, and cost

Unallocated space and masking

Website defacement and log manipulation

Disabled Logging and admin elevation

Encryption, Steganography, and Changing Metadata/Timestamps

Reasonable, Actionable, Controlled, and Implemented

Responsible, Actors, Consult, and Instigate

Responsible, Accountable, Consulted, and Informed

Review, Act, Communicate, and Inform

Oversees the organization’s day-to-day operations, creating the policies and strategies that govern operations

Enlisting support from key executives the information security program budget and policies

Charged with developing and implementing policies designed to protect employees and customers’ data from unauthorized access

Responsible for the success or failure of the IT organization and setting strategic direction

Account management policy

Training policy

Acceptable Use policy

Remote Access policy

Your public key

The recipient's private key

The recipient's public key

Certificate authority key

Configure logging on each access point

Install a firewall software on each wireless access point.

Provide IP and MAC address

Disable SSID Broadcast and enable MAC address filtering on all wireless access points.

Physical, Technical, Operational

Technical, Strong Password, Operational

Operational, Biometric, Physical

Strong password, Biometric, Common Access Card

In-line hardware keyloggers don’t require physical access

In-line hardware keyloggers don’t comply to industry regulations

In-line hardware keyloggers are undetectable by software

In-line hardware keyloggers are relatively inexpensive

security coding

data security system

data classification

privacy protection

Enterprise Risk Assessment

Disaster recovery strategic plan

Business continuity plan

Application mapping document

Threat analysis process

Asset configuration management process

Business Impact Analysis

Disaster Recovery plan

chain of custody.

electronic discovery.

evidence tampering.

electronic review.

Cold site

Hot site

Warm site

Mobile backup site

‘ o 1=1 - -

/../../../../

“DROPTABLE USERNAME”

NOPS

Execute

Read

Administrator

Public

The need to change accounting periods on a regular basis.

The requirement to post entries for a closed accounting period.

The need to create and modify the chart of accounts and its allocations.

The lack of policies and procedures for the proper segregation of duties.

Vested in the success and/or failure of a project or initiative regardless of budget implications.

Vested in the success and/or failure of a project or initiative and is tied to the project budget.

That has budget authority.

That will ultimately use the system.

The Security Systems Development Life Cycle

The Security Project And Management Methodology

Project Management System Methodology

Project Management Body of Knowledge

Risk management governance becomes easier since most risks remain low once mitigated

Resources are not wasted on risks that are already managed to an acceptable level

Risk budgets are more easily managed due to fewer identified risks as a result of using a methodology

Risk appetite can increase within the organization once the levels are understood

Upper management support

More frequent project milestone meetings

More training of staff members

Involve internal audit

The CISO

Audit and Compliance

The CFO

The business owner

Deploy a SEIM solution and have current staff review incidents first thing in the morning

Contract with a managed security provider and have current staff on recall for incident response

Configure your syslog to send SMS messages to current staff when target events are triggered

Employ an assumption of breach protocol and defend only essential information resources

Cost benefit

Risk appetite

Business continuity

Likelihood of impact

The software license expiration is probably out of synchronization with other software licenses

The project was initiated without an effort to get support from impacted business units in the organization

The software is out of date and does not provide for a scalable solution across the enterprise

The security officer should allow time for the organization to get accustomed to her presence before initiating security projects

Upper management support

More frequent project milestone meetings

Stakeholder support

Extend work hours

tell him to shut down the server

tell him to call the police

tell him to invoke the incident response process

tell him to analyze the problem, preserve the evidence and provide a full analysis and report

Scope creep

Deadline extension

Scope modification

Deliverable expansion

System testing

Risk assessment

Incident response

Planning

Ensure efficient recovery and reinstate repaired systems

Create effective policies detailing program activities

Communicate details of information security incidents

Provide current employee awareness programs

Quantitative risk assessments result in an exact number (in monetary terms)

Qualitative risk assessments result in a quantitative assessment (high, medium, low, red, yellow, green)

Qualitative risk assessments map to business objectives

Quantitative risk assessments result in a quantitative assessment (high, medium, low, red, yellow, green)

Threat times vulnerability divided by control

Advisory plus capability plus vulnerability

Asset loss times likelihood of event

Quantitative plus qualitative impact

Audit and Legal

Budget and Compliance

Human Resources and Budget

Legal and Human Resources

Lack of a formal security awareness program

Lack of a formal security policy governance process

Lack of formal definition of roles and responsibilities

Lack of a formal risk management policy

Questioning the trust in vendor relationships.

Increasing the risk of decisions based on incomplete management information.

Direct involvement of senior management in developing control processes

Reduction of the potential for civil and legal liability

Risk = Probability x Impact

Risk = Threat x Probability

Risk = Financial Impact x Probability

Risk = Impact x Threat

Organizational budget

Distance between physical locations

Number of employees

Complexity of organizational structure

Test every three years to ensure that things work as planned

Conduct periodic tabletop exercises to refine the BC plan

Outsource the creation and execution of the BC plan to a third party vendor

Conduct a Disaster Recovery (DR) exercise every year to test the plan

The asset owner

The asset manager

The data custodian

The project manager

Security officer

Data owner

Vulnerability engineer

System administrator

Ensure all infrastructure and applications are available in the event of a disaster

Allow all technical first-responders to understand their roles in the event of a disaster

Provide step by step plans to recover business processes in the event of a disaster

Assign responsibilities to the technical teams responsible for the recovery of all data.

Provided with a digital signature

Assured of the server’s identity

Identified by a network

Registered by the server

Network based security preventative control

Software segmentation control

Security detective control

User segmentation control

Program

Milestone

Enterprise

Portfolio

By adding all capital and operational costs from the prior budgetary cycle, and determining potential

financial shortages

By reviewing last year’s program-level costs and adding a percentage of expected additional portfolio costs

By adding the cost of all known individual tasks and projects that are planned for the next budgetary cycle

By adding all planned operational expenses per quarter then summarizing them in a budget request

Poorly configured firewalls

Malware

Advanced Persistent Threat (APT)

An insider

Single loss expectancy multiplied by the annual rate of occurrence

Total loss expectancy multiplied by the total loss frequency

Value of the asset multiplied by the loss expectancy

Replacement cost multiplied by the single loss expectancy

Validate that security awareness program content includes information about the potential vulnerability

Conduct a thorough risk assessment against the current implementation to determine system functions

Determine program ownership to implement compensating controls

Send a report to executive peers and business unit owners detailing your suspicions

The auditors have not followed proper auditing processes

The CIO of the organization disagrees with the finding

The risk tolerance of the organization permits this risk

The organization has purchased cyber insurance

Single Loss Expectancy (SLE)

Exposure Factor (EF)

Annualized Rate of Occurrence (ARO)

Temporal Probability (TP)

Meet regulatory compliance requirements

Better understand the threats and vulnerabilities affecting the environment

Better understand strengths and weaknesses of the program

Meet legal requirements

An administrator with too much time on their hands.

Putting undue time commitment on the system administrator.

Supporting the concept of layered security

Network segmentation.

The IT team is not familiar in IT audit practices

This represents a bad implementation of the Least Privilege principle

This represents a conflict of interest

The IT team is not certified to perform audits