712-50 Practice Questions
EC-Council Certified CISO (CCISO)
https://killexams.com/pass4sure/exam-detail/712-50
QUESTION: 330
Scenario: You are the newly hired Chief Information Security Officer for a company that has not previously had a senior-level security practitioner. The company lacks a defined security policy and framework for its Information Security Program. Your new boss, the Chief Financial Officer, has asked you to draft an outline of a security policy and recommend an industry/sector-neutral information security control framework for implementation. Which of the following industry/sector-neutral information security control frameworks should you recommend for implementation?
A. National Institute of Standards and Technology (NIST) Special Publication 800-53
B. Payment Card Industry Data Security Standard (PCI DSS)
C. International Organization for Standardization (ISO) 27001/27002
D. British Standard 7799 (BS 7799)
Answer: C
QUESTION: 331
Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs. You have identified potential solutions for all of your risks that do not have security controls. What is the NEXT step?
A. Get approval from the board of directors
B. Screen potential vendor solutions
C. Verify that the cost of mitigation is less than the risk
D. Create risk metrics for all unmitigated risks
Answer: C
QUESTION: 332
Access Control Lists (ACLs), firewalls, and Intrusion Prevention Systems are examples of
A. Network-based security preventive controls
B. Software segmentation controls
C. Network-based security detective controls
D. User segmentation controls
Answer: A
QUESTION: 333
Scenario: You are the newly hired Chief Information Security Officer for a company that has not previously had a senior-level security practitioner. The company lacks a defined security policy and framework for its Information Security Program. Your new boss, the Chief Financial Officer, has asked you to draft an outline of a security policy and recommend an industry/sector-neutral information security control framework for implementation. Your Corporate Information Security Policy should include which of the following?
A. Information security theory
B. Roles and responsibilities
C. Incident response contacts
D. Desktop configuration standards
Answer: B
QUESTION: 334
Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs. When adjusting the controls to mitigate the risks, how often should the CISO perform an audit to verify the controls?
A. Annually
B. Semi-annually
C. Quarterly
D. Never
Answer: D
QUESTION: 335
The formal management approval that follows security certification, accepting the documented risks and their mitigations for a given IT system, is called
A. Security certification
B. Security system analysis
C. Security accreditation
D. Alignment with business practices and goals
Answer: C
QUESTION: 336
Scenario: Your program is developed around minimizing risk to information by focusing on people, technology, and operations. You have decided to deal with risk to information from people first. How can you minimize risk to your most sensitive information before granting access?
A. Conduct background checks on individuals before hiring them
B. Develop an Information Security Awareness program
C. Monitor employee browsing and surfing habits
D. Set your firewall permissions aggressively and monitor logs regularly
Answer: A
QUESTION: 337
Scenario: The new CISO was informed of all the Information Security projects that the section has in progress. Two projects are over a year behind schedule and well over budget. Using best business practices for project management, you determine that the projects correctly align with the organization's goals. What should be verified next?
A. Scope
B. Budget
C. Resources
D. Constraints
Answer: A
QUESTION: 338
What are the primary reasons for the development of a business case for a security project?
A. To estimate risk and negate liability to the company
B. To understand the attack vectors and attack sources
C. To communicate risk and forecast resource needs
D. To forecast usage and cost per software license
Answer: C
QUESTION: 339
File Integrity Monitoring (FIM) is considered a
A. Network-based security preventive control
B. Software segmentation control
C. Security detective control
D. User segmentation control
Answer: C
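The question above classifies FIM as a detective control. The following example, added here and not part of the original page, makes the distinction concrete: a FIM records a hashed baseline, then later compares the current state against it and reports files that were modified, added or removed. It can only report a change that has already happened, which is exactly why it is detective rather than preventive (contrast the ACLs, firewalls and IPS of question 332, which block the action). All sample file contents are constructed for the demo, and the baseline-in-memory helper is an assumption for testability; a real deployment would use the directory walker and keep the baseline somewhere the monitored host cannot rewrite.

```python
"""Minimal file integrity monitor: hash a baseline, then detect drift.

Added illustration for the FIM question; not code from the page.
Assumption: SHA-256 over file contents is an adequate change indicator
for this demo. A production FIM would also record mode, owner and mtime,
and store the baseline on a separate read-only or signed medium so an
attacker who modifies a file cannot also modify the reference hash.
"""
import hashlib
import os
from typing import Dict, List, Mapping


def hash_bytes(data: bytes) -> str:
    """Content hash used for both baseline and re-check."""
    return hashlib.sha256(data).hexdigest()


def snapshot_bytes(files: Mapping[str, bytes]) -> Dict[str, str]:
    """Baseline from an in-memory {path: content} map (constructed sample input)."""
    return {path: hash_bytes(content) for path, content in files.items()}


def snapshot_dir(root: str) -> Dict[str, str]:
    """Baseline from a real directory tree; keys are paths relative to root."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = hash_bytes(fh.read())
    return result


def diff_snapshots(baseline: Mapping[str, str],
                   current: Mapping[str, str]) -> Dict[str, List[str]]:
    """Detective step: report what already changed. Nothing here blocks a change."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


if __name__ == "__main__":
    # Constructed sample: a host before and after a hypothetical compromise.
    before = snapshot_bytes({
        "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        "etc/hosts": b"127.0.0.1 localhost\n",
        "bin/ls": b"\x7fELF...original...",
    })
    after = snapshot_bytes({
        "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n",
        "etc/hosts": b"127.0.0.1 localhost\n",
        "bin/ls": b"\x7fELF...trojaned...",
        "etc/rc.local": b"/tmp/.x &\n",
    })
    print(diff_snapshots(before, after))
```

Run on a live system by calling snapshot_dir once to establish the baseline and again at check time; the output of diff_snapshots is what an analyst or SIEM rule would alert on, after the fact.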
QUESTION: 340
Scenario: As you begin to develop the program for your organization, you assess the corporate culture and determine that there is a pervasive opinion that the security program only slows things down and limits the performance of the "real workers." What must you do first in order to shift the prevailing opinion and reshape corporate culture to understand the value of information security to the organization?
A. Cite compliance with laws, statutes, and regulations, explaining the financial implications for the company of non-compliance
B. Understand the business and focus your efforts on enabling operations securely
C. Draw from your experience and recount stories of how other companies have been compromised
D. Cite corporate policy and insist on compliance with audit findings
Answer: B
QUESTION: 341
Acceptable levels of information security risk tolerance in an organization should be determined by whom?
A. Corporate legal counsel
B. CISO, with reference to the company goals
C. CEO and board of directors
D. Corporate compliance committee
Answer: C
QUESTION: 342
When dealing with risk, the information security practitioner may choose to:
A. assign
B. transfer
C. acknowledge
D. defer
Answer: B
QUESTION: 343
Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information. All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the organizational VPN. What type of control is being implemented by supervisors and data owners?
A. Management
B. Operational
C. Technical
D. Administrative
Answer: B
SAMPLE QUESTIONS
These questions are for demo purposes only. The full version is up to date and contains actual questions and answers.