Practice Free 512-50 EC-Council Information Security Manager (E|ISM) Exam Questions Answers With Explanation

assign the responsibility to the information security team.

assign the responsibility to the team responsible for the management of the controls.

create operational reports on the effectiveness of the controls.

perform an independent audit of the security controls.

Asset value times exposure factor

Annual rate of occurrence

Annual loss expectancy minus current cost of controls

Percentage of loss experienced due to a realized threat event

Enforce the existing security standards and do not allow the deployment of the new technology.

Amend the standard to permit the deployment.

If the risks associated with that technology are not already identified, perform a risk analysis to quantify the risk, and allow the business unit to proceed based on the identified risk level.

Permit a 90-day window to see if an issue occurs and then amend the standard if there are no issues.

Document the process for the stakeholders

Monitor the effectiveness of the controls

Update the audit findings report

Perform a risk assessment

Detective Controls

Proactive Controls

Preemptive Controls

Organizational Controls

Residual Risk

Total Risk

Post implementation risk

Transferred risk

Subscribe to vendor mailing list to get notification of system vulnerabilities

Deploy Intrusion Detection System (IDS) and install anti-virus on systems

Configure firewall, perimeter router and Intrusion Prevention System (IPS)

Conduct security testing, vulnerability scanning, and penetration testing

Legal department

Compliance officer

Data Owner

Information security officer

Internal Audit, Management, and Technical Staff

Internal Audit, Budget Authority, Management

Technical Staff, Budget Authority, Management

Technical Staff, Internal Audit, Budget Authority

A substantive test of program library controls

A compliance test of program library controls

A compliance test of the program compiler controls

A substantive test of the program compiler controls

Security Administrators

Internal/External Audit

Risk Management

Security Operations

Plan-Check-Do-Act

Plan-Do-Check-Act

Plan-Select-Implement-Evaluate

SCORE (Security Consensus Operational Readiness Evaluation)

information security metrics.

knowledge required to analyze each issue.

baseline against which metrics are evaluated.

linkage to business area objectives.

Control Objectives for IT (COBIT)

Payment Card Industry-Data Security Standard (PCI-DSS)

International Organization Standard (ISO) 27002

National Institute of Standards and Technology (NIST) SP 800-30

National Institute of Standards and Technology (NIST) Special Publication 800-53

Payment Card Industry Digital Security Standard (PCI DSS)

International Organization for Standardization – ISO 27001/2

British Standard 7799 (BS7799)

Annual Rate of Occurrence and Asset Value

Single Loss Expectancy and Exposure Factor

Safeguard Value and Annual Rate of Occurrence

Annual Rate of Occurrence and Single Loss Expectancy

Corporate legal counsel

CISO with reference to the company goals

CEO and board of director

Corporate compliance committee

Business Impact Analysis

Business Continuity plan

Security roadmap

Annual report to shareholders

Response

Investigation

Recovery

Follow-up

IT security implementation plans.

Standards and guidelines.

IT security policies.

IT security procedures.

Post a sign that states, “no tailgating” next to the special card reader adjacent to the secure door

Issue special cards to access secure doors at the company and provide a one-time only brief description of

use of the special card

Educate and enforce physical security policies of the company to all the employees on a regular basis

Setup a mock video camera next to the special card reader adjacent to the secure door

Network based security preventative control

Software segmentation control

Security detective control

User segmentation control

Rights collision

Excessive privileges

Privilege creep

Least privileges

Shoulder surfing

Tailgating

Social engineering

Mantrap

Creates a timeline for purchasing and budgeting

Allows small companies to compete with larger companies

Clearly identifies risks and benefits before funding is spent

Informs suppliers a company is going to make a purchase

Alignment with the business goals and the vision of the CIO

The risk tolerance of the company and the company mission statement

The executive summary and vision of the board of directors

The alignment with the business goals and the risk tolerance

Smoke

Thermal

Air-aspirating

Photo electric

Centralized log management

Encrypted log files in transit

Each node set to local time

Log aggregation agent each node

Capital expenditures are never taxable

Operating expenditures are for acquiring assets, capital expenditures are for support costs of that asset

Capital expenditures are used to define depreciation tables of intangible assets

Capital expenditures are for acquiring assets, whereas operating expenditures are for support costs of that

asset

Security certification

Security system analysis

Security accreditation

Alignment with business practices and goals.

Susceptibility to attack, mitigation response time, and cost

Attack vectors, controls cost, and investigation staffing needs

Vulnerability exploitation, attack recovery, and mean time to repair

Susceptibility to attack, expected duration of attack, and mitigation availability

Daily

Hourly

Weekly

Monthly

Organization control

Procedural control

Management control

Technical control

ISO 27001

PRINCE2

ISO 27004

ITILv3

Desired results or purpose of implementing specific control procedures.

The audit control checklist.

Techniques for securing information.

Security policy

To give information security management recommendations to those who are responsible for initiating, implementing, or maintaining security in their organization.

To provide a common basis for developing organizational security standards

To provide effective security management practice and to provide confidence in inter-organizational dealings

To established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization

All vulnerabilities found on servers and desktops

Only critical and high vulnerabilities on servers and desktops

Only critical and high vulnerabilities that impact important production servers

All vulnerabilities that impact important production servers

Weekly

Monthly

Quarterly

Daily

Transfer financial resources from other critical programs

Take the system off line until the budget is available

Deploy countermeasures and compensating controls until the budget is available

Schedule an emergency meeting and request the funding to fix the issue

Determining the likelihood that vulnerable systems will be attacked by specific threats

Calculating the risks to which assets are exposed in their current setting

Assigning a value to each information asset

Assessing the relative risk facing the organization’s information assets

International Organization for Standardization 27001

National Institute of Standards and Technology Special Publication SP 800-12

Request For Comment 2196

National Institute of Standards and Technology Special Publication SP 800-26

Incident response plan

Business Continuity plan

Disaster recovery plan

Damage control plan

Install software patch, Operate system, Maintain system

Discover software, Remove affected software, Apply software patch

Install software patch, configuration adjustment, Software Removal

Software removal, install software patch, maintain system

Nonlinearities in physical security performance metrics

Defense in depth cost enumerated costs

System hardening and patching requirements

Anti-virus for mobile devices

Lack of a formal security awareness program

Lack of a formal security policy governance process

Lack of formal definition of roles and responsibilities

Lack of a formal risk management policy

Providing a risk program governance structure

Ensuring developers include risk control comments in code

Creating risk assessment templates based on specific threats

Allowing for the acceptance of risk for regulatory compliance requirements

Escalation

Recovery

Eradication

Containment

Compliance to the Payment Card Industry (PCI) regulations.

Alignment with financial reporting regulations for each country where they operate.

Alignment with International Organization for Standardization (ISO) standards.

Compliance with patient data protection regulations for each country where they operate.

Mandatory controls

Discretionary controls

Optional controls

Financial controls

Technology governance defines technology policies and standards while security governance does not.

Security governance defines technology best practices and Information Technology governance does not.

Technology Governance is focused on process risks whereas Security Governance is focused on business risk.

The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology implementations.

Metrics tracking security milestones, understanding criticality of information and information security, visibility into the types of information and how it is used, endorsement by the board of directors

Annual security training for all employees, continual budget reviews, endorsement of the development and implementation of a security program, metrics to track the program

Understanding criticality of information and information security, review investment in information security, endorse development and implementation of a security program, and require regular reports on adequacy and effectiveness

Endorsement by the board of directors for security program, metrics of security program milestones, annual budget review, report on integration and acceptance of program

High risk environments 6 months, low risk environments 12 months

Every 12 months

Every 18 months

Every six months

They are objective and can express risk / cost in real numbers

They are subjective and can be completed more quickly

They are objective and express risk / cost in approximates

They are subjective and can express risk /cost in real numbers

Reducing the impact of the risk to the business.

Establishing strategic alignment with business continuity requirements

Establishing incident response programs.

Identifying and implementing the best security solutions.

Quantitative risk assessments result in an exact number (in monetary terms)

Qualitative risk assessments result in a quantitative assessment (high, medium, low, red, yellow, green)

Qualitative risk assessments map to business objectives

Quantitative risk assessments result in a quantitative assessment (high, medium, low, red, yellow, green)

Only check compliance right before the auditors are scheduled to arrive onsite.

Outsource compliance to a 3rd party vendor and let them manage the program.

Have Compliance and Information Security partner to correct issues as they arise.

Have Compliance direct Information Security to fix issues after the auditors report.

it communicates management’s commitment to protecting information resources

it is formally acknowledged by all employees and vendors

it defines a process to meet compliance requirements

it establishes a framework to protect confidential information

Risk Avoidance

Risk Acceptance

Risk Transfer

Risk Mitigation

Determine the risk tolerance

Perform an asset classification

Create an architecture gap analysis

Analyze existing controls on systems

How many credit card records are stored?

How many servers do you have?

What is the scope of the certification?

What is the value of the assets at risk?

Implement redundancy

move operations to another region

purchase breach insurance

Alignment with business operations

all organizational assets

critical business processes and /or revenue streams

intellectual property released into the public domain

against distributed denial of service attacks

Physical, Technical, Operational

Technical, Strong Password, Operational

Operational, Biometric, Physical

Strong password, Biometric, Common Access Card

Session encryption

Removing all stored procedures

Input sanitization

Library control

Wireless Application Protocol (WAP)

Wifi Protected Access version 2 (WPA2)

Wireless Equivalence Protocol (WEP)

Extensible Authentication Protocol (EAP)

Well established and defined digital forensics process

Establishing Enterprise-owned Botnets for preemptive attacks

Be able to retaliate under the framework of Active Defense

Collaboration with law enforcement

Traffic Analysis

Deep-Packet inspection

Packet sampling

Heuristic analysis

non-repudiation

conflict resolution

strong authentication

digital rights management

chain of custody.

electronic discovery.

evidence tampering.

electronic review.

In-line hardware keyloggers don’t require physical access

In-line hardware keyloggers don’t comply to industry regulations

In-line hardware keyloggers are undetectable by software

In-line hardware keyloggers are relatively inexpensive

Shared key

Asynchronous

Open

None

security coding

data security system

data classification

privacy protection

Covert government networks

War driving maps

Government networks in Tora

Virtual network tunnels

Execute

Read

Administrator

Public

Configure logging on each access point

Install a firewall software on each wireless access point.

Provide IP and MAC address

Disable SSID Broadcast and enable MAC address filtering on all wireless access points.

4, 2, 5, 3, 1

2, 5, 3, 1, 4

4, 5, 2, 3, 1

4, 3, 5, 2, 1

3DES

MD5

ECC

RSA

Baseline the Environment

Maintain and Monitor

Organization Vulnerability

Define Policy

War driving

Operating system attacks

Social engineering

Shrink wrap attack

The need to change accounting periods on a regular basis.

The requirement to post entries for a closed accounting period.

The need to create and modify the chart of accounts and its allocations.

The lack of policies and procedures for the proper segregation of duties.

Secure the area and shut-down the computer until investigators arrive

Secure the area and attempt to maintain power until investigators arrive

Immediately place hard drive and other components in an anti-static bag

Secure the area.

Threat analysis process

Asset configuration management process

Business Impact Analysis

Disaster Recovery plan

Enterprise Risk Assessment

Disaster recovery strategic plan

Business continuity plan

Application mapping document

Your public key

The recipient's private key

The recipient's public key

Certificate authority key

Containment

Recovery

Identification

Eradication

Real-time off-site replication

Daily incremental backup

Daily full backup

Daily differential backup

Comprehensive Log-Files from all servers and network devices affected during the attack

Fully trained network forensic experts to analyze all data right after the attack

Uninterrupted Chain of Custody

Expert forensics witness

Information security should be informed of changes to applications only

Development team should tell the information security team about any application security flaws

Information security should be aware of any significant application security changes and work with developer to test for vulnerabilities before changes are deployed in production

Information security should be aware of all application changes and work with developers before changes are deployed in production

tell him to shut down the server

tell him to call the police

tell him to invoke the incident response process

tell him to analyze the problem, preserve the evidence and provide a full analysis and report

Provide clear communication of security requirements throughout the organization

Demonstrate executive support with written mandates for security policy adherence

Create collaborative risk management approaches within the organization

Perform increased audits of security processes and procedures

Vested in the success and/or failure of a project or initiative regardless of budget implications.

Vested in the success and/or failure of a project or initiative and is tied to the project budget.

That has budget authority.

That will ultimately use the system.

The software license expiration is probably out of synchronization with other software licenses

The project was initiated without an effort to get support from impacted business units in the organization

The software is out of date and does not provide for a scalable solution across the enterprise

The security officer should allow time for the organization to get accustomed to her presence before initiating security projects

When the application is retired.

When the application turned over to production.

When the application reaches the maintenance phase.

After one year.

Risk averse

Risk tolerant

Risk conditional

Risk minimal

Security

Business units

Board of Directors

Audit and compliance

Deploy a SEIM solution and have current staff review incidents first thing in the morning

Contract with a managed security provider and have current staff on recall for incident response

Configure your syslog to send SMS messages to current staff when target events are triggered

Employ an assumption of breach protocol and defend only essential information resources

Work with the IT group and tell them to put IPS in-line and say it won’t cause any network impact

Explain to the IT group that the IPS won’t cause any network impact because it will fail open

Explain to the IT group that this is a business need and the IPS will fail open however, if there is a network failure the CISO will accept responsibility

Explain to the IT group that the IPS will fail open once in-line however it will be deployed in monitor mode for a set period of time to ensure that it doesn’t block any legitimate traffic

Change management

Business continuity planning

Security Incident Response

Thought leadership

Time zone differences

Compliance to local hiring laws

Encryption import/export regulations

Local customer privacy laws

Allow the business units to decide which controls apply to their systems, such as the encryption of sensitive data

Create separate controls for the business units based on the types of business and functions they perform

Ensure business units are involved in the creation of controls and defining conditions under which they must be applied

Provide the business units with control mandates and schedules of audits for compliance validation

Terms and Conditions

Service Level Agreements (SLA)

Statement of Work

Key Performance Indicators (KPI)

it is completed on time or early as compared to the baseline project plan

it meets most of the specifications as outlined in the approved project definition

it comes in at or below the expenditures planned for in the baseline budget

the deliverables are accepted by the key stakeholders

Network based intrusion detection systems

A security training program for developers

A risk management process

A audit management process

System testing

Risk assessment

Incident response

Planning

Failed to identify all stakeholders and their needs

Deployed the encryption solution in an inadequate manner

Used 1024 bit encryption when 256 bit would have sufficed

Used hardware encryption instead of software encryption

Ensure security budgets enable technical acquisition and resource allocation based on internal compliance requirements

Develop a culture in which users, managers and IT professionals all make good decisions about information risk

Provide clear communication of security program support requirements and audit schedules

Create security awareness programs that include clear definition of security program goals and charters

Increase stock value

Complete security

Support business requirements

Implement information security policies

Gaining access to an affiliated employee’s work email account as part of an officially sanctioned internal investigation

Sharing copyrighted material with other members of a professional organization where all members have legitimate access to the material

Copying documents from an employer’s server which you assert that you have an intellectual property claim to possess, but the company disputes

Storing client lists and other sensitive corporate internal documents on a removable thumb drive

Create a comprehensive security awareness program and provide success metrics to business units

Create security consortiums, such as strategic security planning groups, that include business unit participation

Ensure security implementations include business unit testing and functional validation prior to production rollout

Ensure the organization has strong executive-level security representation through clear sponsorship or the creation of a CISO role

At the time the security services are being performed and the vendor needs access to the network

Once the agreement has been signed and the security vendor states that they will need access to the network

Once the vendor is on premise and before they perform security services

Prior to signing the agreement and before any security services are being performed

Tell the team to do their best and respond to each alert

Tune the sensors to help reduce false positives so the team can react better

Request additional resources to handle the workload

Tell the team to only respond to the critical and high alerts

Upper management support

More frequent project milestone meetings

Stakeholder support

Extend work hours

Review time schedules

Verify budget

Verify resources

Verify constraints

Lack of risk management process

Lack of sponsorship from executive management

IT security centric agenda

Compliance centric agenda

Safeguard Value

Cost Benefit Analysis

Single Loss Expectancy

Life Cycle Loss Expectancy

Compliance centric agenda

IT security centric agenda

Lack of risk management process

Lack of sponsorship from executive management