512-50 Practice Exam Questions and Answers

A.  

Providing a risk program governance structure

B.  

Ensuring developers include risk control comments in code

C.  

Creating risk assessment templates based on specific threats

D.  

Allowing for the acceptance of risk for regulatory compliance requirements

A.  

Need to comply with breach disclosure laws

B.  

Need to transfer the risk associated with hosting PII data

C.  

Need to better understand the risk associated with using PII data

D.  

Fiduciary responsibility to safeguard credit card information

A.  

Risk management

B.  

Security management

C.  

Mitigation management

D.  

Compliance management

A.  

Control Objectives for IT (COBIT)

B.  

Payment Card Industry-Data Security Standard (PCI-DSS)

C.  

International Organization Standard (ISO) 27002

D.  

National Institute of Standards and Technology (NIST) SP 800-30

A.  

Risk Avoidance

B.  

Risk Acceptance

C.  

Risk Transfer

D.  

Risk Mitigation

A.  

Subscribe to vendor mailing list to get notification of system vulnerabilities

B.  

Deploy Intrusion Detection System (IDS) and install anti-virus on systems

C.  

Configure firewall, perimeter router and Intrusion Prevention System (IPS)

D.  

Conduct security testing, vulnerability scanning, and penetration testing

A.  

International Organization for Standardizations – 27004 (ISO-27004)

B.  

Payment Card Industry Data Security Standards (PCI-DSS)

C.  

Control Objectives for Information Technology (COBIT)

D.  

International Organization for Standardizations – 27005 (ISO-27005)

A.  

Multiple certifications, strong technical capabilities and lengthy resume

B.  

Industry certifications, technical knowledge and program management skills

C.  

College degree, audit capabilities and complex project management

D.  

Multiple references, strong background check and industry certifications

A.  

Risk Avoidance

B.  

Risk Acceptance

C.  

Risk Transfer

D.  

Risk Mitigation

A.  

Conduct a risk assessment.

B.  

Obtain senior level sponsorship.

C.  

Conduct a workshop for all end users.

D.  

Prepare a security budget.

A.  

Scan a representative sample of systems

B.  

Perform the scans only during off-business hours

C.  

Decrease the vulnerabilities within the scan tool settings

D.  

Filter the scan output so only pertinent data is analyzed

A.  

Staff

B.  

Scope

C.  

Schedule

D.  

Scan tools

A.  

Easiest regulation or standard to implement

B.  

Stricter regulation or standard

C.  

Most complex standard to implement

D.  

Recommendations of your Legal Staff

A.  

Software and hardware license fees

B.  

Utilities and power costs

C.  

Network connectivity costs

D.  

New datacenter to operate from

A.  

Audits

B.  

Administration

C.  

Patching

D.  

Templates

A.  

Lack of risk management process

B.  

Lack of sponsorship from executive management

C.  

IT security centric agenda

D.  

Compliance centric agenda

A.  

Rights collision

B.  

Excessive privileges

C.  

Privilege creep

D.  

Least privileges

A.  

Internal Audit

B.  

Corporate governance

C.  

Risk Oversight

D.  

Key Performance Indicators

A.  

Tokenization combined with hashing is always better than encryption

B.  

Encryption can be mathematically reversed to provide the original information

C.  

The token contains the all original information

D.  

Tokenization can be mathematically reversed to provide the original information

A.  

Data is more portable due to the increased use of smartphones and tablets

B.  

The move from centralized computing to decentralized computing

C.  

Camera systems have become more economical and expanded in their use

D.  

The internet of Things allows easy compromise of cloud-based systems

A.  

Refer the vendor to the Service Level Agreement (SLA) and insist that they make the changes.

B.  

Review the Request for Proposal (RFP) for guidance.

C.  

Withhold the vendor’s payments until the issue is resolved.

D.  

Refer to the contract agreement for direction.

A.  

An approach that allows for minimum budget impact if the solution is unsuitable

B.  

A methodology-based approach to ensure authentication mechanism functions

C.  

An approach providing minimum time impact to the implementation schedules

D.  

A risk-based approach to determine if the solution is suitable for investment

A.  

International encryption restrictions

B.  

Compliance to Payment Card Industry (PCI) data security standards

C.  

Compliance with local government privacy laws

D.  

Adherence to local data breach notification laws

A.  

Reviewing system administrator logs

B.  

Auditing configuration templates

C.  

Checking vendor product releases

D.  

Performing system scans

A.  

Confidentiality, Availability, Integrity

B.  

Compliance, Effectiveness, Efficiency

C.  

Communication, Reliability, Cost

D.  

Confidentiality, Compliance, Cost

A.  

Have internal audit conduct another audit to see what has changed.

B.  

Contract with an external audit company to conduct an unbiased audit

C.  

Review the recommendations and follow up to see if audit implemented the changes

D.  

Meet with audit team to determine a timeline for corrections

A.  

Preventive actions

B.  

Inspection

C.  

Defect repair

D.  

Corrective actions

A.  

All vulnerabilities found on servers and desktops

B.  

Only critical and high vulnerabilities on servers and desktops

C.  

Only critical and high vulnerabilities that impact important production servers

D.  

All vulnerabilities that impact important production servers

A.  

Determining the likelihood that vulnerable systems will be attacked by specific threats

B.  

Calculating the risks to which assets are exposed in their current setting

C.  

Assigning a value to each information asset

D.  

Assessing the relative risk facing the organization’s information assets

A.  

Single loss expectancy multiplied by the annual rate of occurrence

B.  

Total loss expectancy multiplied by the total loss frequency

C.  

Value of the asset multiplied by the loss expectancy

D.  

Replacement cost multiplied by the single loss expectancy

A.  

Local privacy laws

B.  

Industry best practices

C.  

Risk Management frameworks

D.  

Audit best practices

A.  

Lack of notification to the public of disclosure of confidential information.

B.  

Lack of periodic examination of access rights

C.  

Failure to notify police of an attempted intrusion

D.  

Lack of reporting of a successful denial of service attack on the network.

A.  

Management Control

B.  

Technical Control

C.  

Training Control

D.  

Operational Control

A.  

Meet regulatory compliance requirements

B.  

Better understand the threats and vulnerabilities affecting the environment

C.  

Better understand strengths and weaknesses of the program

D.  

Meet legal requirements

A.  

A substantive test of program library controls

B.  

A compliance test of program library controls

C.  

A compliance test of the program compiler controls

D.  

A substantive test of the program compiler controls

A.  

Order data hierarchically.

B.  

Highlight high-level data definitions.

C.  

Graphically summarize data paths and storage processes.

D.  

Portray step-by-step details of data generation.

A.  

Cost benefit

B.  

Risk appetite

C.  

Business continuity

D.  

Likelihood of impact

A.  

Security alignment to business goals

B.  

Regulatory compliance effectiveness

C.  

Increased security program presence

D.  

Proper organizational policy enforcement

A.  

At the time the security services are being performed and the vendor needs access to the network

B.  

Once the agreement has been signed and the security vendor states that they will need access to the network

C.  

Once the vendor is on premise and before they perform security services

D.  

Prior to signing the agreement and before any security services are being performed

A.  

Define the risk appetite

B.  

Determine budget constraints

C.  

Review project charters

D.  

Collaborate security projects

A.  

Time zone differences

B.  

Compliance to local hiring laws

C.  

Encryption import/export regulations

D.  

Local customer privacy laws

A.  

Quarterly

B.  

Semi-annually

C.  

Annually

D.  

Bi-annually

A.  

Information security should be informed of changes to applications only

B.  

Development team should tell the information security team about any application security flaws

C.  

Information security should be aware of any significant application security changes and work with developer to test for vulnerabilities before changes are deployed in production

D.  

Information security should be aware of all application changes and work with developers before changes are deployed in production

A.  

Upper management support

B.  

More frequent project milestone meetings

C.  

Stakeholder support

D.  

Extend work hours

A.  

Knowing who all the stakeholders are.

B.  

Knowing the people on the data center team.

C.  

Knowing the threats to the organization.

D.  

Knowing the milestones and timelines of deliverables.

A.  

Scheduling

B.  

Back-out procedures

C.  

Outage planning

D.  

Management approval

A.  

Time, quality, and scope

B.  

Cost, quality, and time

C.  

Scope, time, and cost

D.  

Quality, scope, and cost

A.  

Vendor’s client list of reputable organizations currently using their solution

B.  

Vendor provided attestation of the detailed security controls from a reputable accounting firm

C.  

Vendor provided reference from an existing reputable client detailing their implementation

D.  

Vendor provided internal risk assessment and security control documentation

A.  

Physical, Technical, Operational

B.  

Technical, Strong Password, Operational

C.  

Operational, Biometric, Physical

D.  

Strong password, Biometric, Common Access Card

A.  

The IT support team.

B.  

A forensic analysis.

C.  

Incident response

D.  

Physical security team.

A.  

Enterprise Risk Assessment

B.  

Disaster recovery strategic plan

C.  

Business continuity plan

D.  

Application mapping document

A.  

Unable to control physical access to the servers

B.  

Unable to track log on activity

C.  

Unable to run anti-virus scans

D.  

Unable to patch systems as needed

A.  

Wireless Application Protocol (WAP)

B.  

Wifi Protected Access version 2 (WPA2)

C.  

Wireless Equivalence Protocol (WEP)

D.  

Extensible Authentication Protocol (EAP)

A.  

Real-time off-site replication

B.  

Daily incremental backup

C.  

Daily full backup

D.  

Daily differential backup

A.  

Cold site

B.  

Hot site

C.  

Warm site

D.  

Mobile backup site

A.  

War driving

B.  

Operating system attacks

C.  

Social engineering

D.  

Shrink wrap attack

A.  

4, 2, 5, 3, 1

B.  

2, 5, 3, 1, 4

C.  

4, 5, 2, 3, 1

D.  

4, 3, 5, 2, 1

A.  

It is an IPSec protocol.

B.  

It is a text-based communication protocol.

C.  

It uses TCP port 22 as the default port and operates at the application layer.

D.  

It uses UDP port 22

A.  

3DES

B.  

MD5

C.  

ECC

D.  

RSA

A.  

Session encryption

B.  

Removing all stored procedures

C.  

Input sanitization

D.  

Library control