512-50 EC-Council Information Security Manager (E|ISM) Questions and Answers

Baseline the Environment

Maintain and Monitor

Organization Vulnerability

Define Policy

Real-time off-site replication

Daily incremental backup

Daily full backup

Daily differential backup

Enterprise Risk Assessment

Disaster recovery strategic plan

Business continuity plan

Application mapping document

Execute

Read

Administrator

Public

Shared key

Asynchronous

Open

None

3DES

MD5

ECC

RSA

Session encryption

Removing all stored procedures

Input sanitization

Library control

Secure the area and shut-down the computer until investigators arrive

Secure the area and attempt to maintain power until investigators arrive

Immediately place hard drive and other components in an anti-static bag

Secure the area.

It is an IPSec protocol.

It is a text-based communication protocol.

It uses TCP port 22 as the default port and operates at the application layer.

It uses UDP port 22

Systems logs

Hardware error reports

Utilization reports

Availability reports

Determine the annual loss expectancy (ALE)

Create a crisis management plan

Create technology recovery plans

Build a secondary hot site

Number of change orders rejected

Number and length of planned outages

Number of unplanned outages

Number of change orders processed

Internal Audit, Management, and Technical Staff

Internal Audit, Budget Authority, Management

Technical Staff, Budget Authority, Management

Technical Staff, Internal Audit, Budget Authority

All vulnerabilities found on servers and desktops

Only critical and high vulnerabilities on servers and desktops

Only critical and high vulnerabilities that impact important production servers

All vulnerabilities that impact important production servers

The number of actionable items in the recommendations

How it exposes the risk tolerance of the company

How the recommendations directly support the goals of the company

The number of security controls the company has in use

International Organization for Standardization 27001

National Institute of Standards and Technology Special Publication SP 800-12

Request For Comment 2196

National Institute of Standards and Technology Special Publication SP 800-26

Order data hierarchically.

Highlight high-level data definitions.

Graphically summarize data paths and storage processes.

Portray step-by-step details of data generation.

Resources are allocated to the areas of the highest concern

Scheduling may be performed months in advance

Budgets are more likely to be met by the IT audit staff

Staff will be exposed to a variety of technologies

At the end of the day once the employee is off site

During the monthly review cycle

Immediately so the employee account(s) can be disabled

Before an audit

A substantive test of program library controls

A compliance test of program library controls

A compliance test of the program compiler controls

A substantive test of the program compiler controls

Risk metrics

Management metrics

Operational metrics

Compliance metrics

Only check compliance right before the auditors are scheduled to arrive onsite.

Outsource compliance to a 3rd party vendor and let them manage the program.

Have Compliance and Information Security partner to correct issues as they arise.

Have Compliance direct Information Security to fix issues after the auditors report.

Weekly program budget reviews to ensure the percentage of program funding remains constant.

Annual review of program charters, policies, procedures and organizational agreements.

Daily monitoring of vulnerability advisories relating to your organization’s deployed technologies.

Monthly program tests to ensure resource allocation is sufficient for supporting the needs of the organization

Compliance to the Payment Card Industry (PCI) regulations.

Alignment with financial reporting regulations for each country where they operate.

Alignment with International Organization for Standardization (ISO) standards.

Compliance with patient data protection regulations for each country where they operate.

Multiple certifications, strong technical capabilities and lengthy resume

Industry certifications, technical knowledge and program management skills

College degree, audit capabilities and complex project management

Multiple references, strong background check and industry certifications

They are objective and can express risk / cost in real numbers

They are subjective and can be completed more quickly

They are objective and express risk / cost in approximates

They are subjective and can express risk /cost in real numbers

How many credit card records are stored?

How many servers do you have?

What is the scope of the certification?

What is the value of the assets at risk?

Staff

Scope

Schedule

Scan tools

Subscribe to vendor mailing list to get notification of system vulnerabilities

Deploy Intrusion Detection System (IDS) and install anti-virus on systems

Configure firewall, perimeter router and Intrusion Prevention System (IPS)

Conduct security testing, vulnerability scanning, and penetration testing

When there is a need to develop a more unified incident response capability.

When the enterprise is made up of many business units with diverse business activities, risks profiles and regulatory requirements.

When there is a variety of technologies deployed in the infrastructure.

When it results in an overall lower cost of operating the security program.

Information Technology Infrastructure Library (ITIL)

International Organization for Standardization (ISO) standards

Payment Card Industry Data Security Standards (PCI-DSS)

National Institute for Standards and Technology (NIST) standard

Questioning the trust in vendor relationships.

Increasing the risk of decisions based on incomplete management information.

Direct involvement of senior management in developing control processes

Reduction of the potential for civil and legal liability

Compliance Risk

Reputation Risk

Operational Risk

Strategic Risk

Provide developer security training

Deploy Intrusion Detection Systems

Provide security testing tools

Implement Compensating Controls

Ensure security budgets enable technical acquisition and resource allocation based on internal compliance requirements

Develop a culture in which users, managers and IT professionals all make good decisions about information risk

Provide clear communication of security program support requirements and audit schedules

Create security awareness programs that include clear definition of security program goals and charters

Change management

Business continuity planning

Security Incident Response

Thought leadership

The software license expiration is probably out of synchronization with other software licenses

The project was initiated without an effort to get support from impacted business units in the organization

The software is out of date and does not provide for a scalable solution across the enterprise

The security officer should allow time for the organization to get accustomed to her presence before initiating security projects

When organizational resources are limited

When the benefits of outsourcing outweigh the inherent risks of outsourcing

On new, enterprise-wide security initiatives

On projects not forecasted in the yearly budget

The CISO

Audit and Compliance

The CFO

The business owner

Risk averse

Risk tolerant

Risk conditional

Risk minimal

Alignment with the business

Effective use of existing technologies

Leveraging existing implementations

Proper budget management

Overly restrictive management

Excessive personnel on project

Failure to meet project deadlines

Insufficient resources

Lack of asset management processes

Lack of change management processes

Lack of hardening standards

Lack of proper access controls

Develop a detailed internal organization chart

Develop a telephone call tree for emergency response

Develop an isolinear response matrix with cost benefit analysis projections

Develop a Responsible, Accountable, Consulted, Informed (RACI) chart

Scheduling

Back-out procedures

Outage planning

Management approval

Conduct thorough background checks before you engage them

Hire the people through third-party job agencies who will vet them for you

Investigate their social networking profiles

It is impossible to block these attacks

Tokenization combined with hashing is always better than encryption

Encryption can be mathematically reversed to provide the original information

The token contains the all original information

Tokenization can be mathematically reversed to provide the original information

To decide between multiple vendors

To decide is the solution costs less than the risk it is mitigating

To determine the current present value of a project

To determine the annual rate of loss

The Net Present Value (NPV) of the project is positive

The NPV of the project is negative

The Return on Investment (ROI) is larger than 10 months

The ROI is lower than 10 months

ITIL

Privacy Act

Sarbanes Oxley

PCI-DSS

An expiration date set for passwords

A Single Sign-On requirement

Time in seconds a user is allocated to change a password

The amount of time it takes for a password to activate

Mainframe server

Virtual Desktop

Thin client

Virtual Local Area Network

Rights collision

Excessive privileges

Privilege creep

Least privileges

Lack of identification of technology stake holders

Lack of business continuity process

Lack of influence with leaders outside IT

Lack of a security awareness program

Message alteration

Message copying

Message theft

Unauthorized reading

Safeguard Value

Cost Benefit Analysis

Single Loss Expectancy

Life Cycle Loss Expectancy

Security frameworks

Security policies

Security awareness

Security controls