Exam 2: Certified Network Defender

A) Alignment with the business
B) Budgeting for unforeseen data compromises
C) Establishing your authority as the Security Executive
D) Streaming for efficiency

A) Obtain senior level sponsorship
B) Conduct a workshop for all end users.
C) Conduct a risk assessment.
D) Prepare a security budget.

A) It defines a process to meet compliance requirements
B) It establishes a framework to protect confidential information
C) It communicates management's commitment to protecting information resources
D) It is formally acknowledged by all employees and vendors

A) Compliance management
B) Audit validation
C) Physical control testing
D) Security awareness training

A) Consumer right disclosure
B) Data breach disclosure
C) Special circumstance disclosure
D) Security incident disclosure

A) Eradication
B) Escalation
C) Containment
D) Recovery

A) knowledge required to analyze each issue
B) information security metrics
C) linkage to business area objectives
D) baseline against which metrics are evaluated

A) Compliance with local privacy regulations
B) An independent Governance, Risk and Compliance organization
C) Support Legal and HR teams
D) Alignment of security goals with business goals

A) Need to comply with breach disclosure laws
B) Fiduciary responsibility to safeguard credit information
C) Need to transfer the risk associated with hosting PII data
D) Need to better understand the risk associated with using PII data

A) That all information in an organization must be protected equally.
B) The information required to be protected by regulatory mandate does not have to be identified in the organizations data classification policy.
C) There is no relationship between the two.
D) That the protection of some information such as National ID information is mandated by regulation and other information such as trade secrets are protected based on business need.

A) Every 18 months
B) Every 12 months
C) High risk environments 6 months, low risk environments 12 months
D) Every 6 months

A) Threat identification
B) Risk treatment
C) Risk monitoring
D) Risk tolerance

A) Direct involvement of senior management in developing control processes
B) Reduction of the potential for civil and legal liability
C) Questioning the trust in vendor relationships
D) Increasing the risk of decisions based on incomplete management information

A) Ensure all infrastructure and applications are available in the event of a disaster
B) Assign responsibilities to the technical teams responsible for the recovery of all data
C) Provide step by step plans to recover business processes in the event of a disaster
D) Allow all technical first-responders to understand their roles in the event of a disaster.

A) Compliance officer
B) Legal department
C) Data Owner
D) Information security officer

A) Determine the risk tolerance
B) Perform an asset classification
C) Analyze existing controls on systems
D) Create an architecture gap analysis

A) Organizational objectives and risk tolerance
B) Enterprise disaster recovery plans
C) Risk assessment criteria
D) IT architecture complexity

A) Implement redundancy
B) Move operations to another region
C) Alignment with business operations
D) Purchase breach insurance

A) Encourage security-conscious behavior
B) Put employees on notice in case follow-up action for noncompliance is necessary
C) Ensure that security policies are read.

A) Getting authority to operate the system from executive management
B) Contacting the Internet Service Provider for an IP scope
C) Changing the default passwords
D) Conducting a final scan of the live system and mitigating all high and medium level vulnerabilities

A) Effective Security Vulnerability Management Program
B) Anti-malware tools
C) Effective Security awareness program
D) Anti-phishing tools

A) Risk Transfer
B) Risk Mitigation
C) Risk Avoidance
D) Risk Acceptance

A) A high threat environment
B) I low vulnerability environment
C) A high risk tolerance environment
D) A low risk tolerance environment

A) Industry certifications, technical knowledge and program management skills
B) Multiple references, strong background check and industry certifications
C) Multiple certifications, strong technical capabilities and lengthy resume
D) College degree, audit capabilities and complex project management

A) Vetting information security policies
B) Approving access to critical financial systems
C) Interviewing candidates for information security specialist positions
D) Developing content for security awareness programs

A) Subscribe to vendor mailing list to get notification of system vulnerabilities
B) Configure firewall, perimeter router and Intrusion Prevention System (IPS)
C) Conduct security testing, vulnerability scanning, and penetration testing
D) Deploy Intrusion Detection System (IDS) and install anti-virus on systems

A) Risk Mitigation
B) Risk Acceptance
C) Risk Avoidance
D) Risk Transfer

A) Quantitative plus qualitative impact
B) Asset loss times likelihood of event
C) Advisory plus capability plus vulnerability
D) Threat times vulnerability divided by control

A) Value of the asset multiplied by the loss expectancy
B) Replacement cost multiplied by the single loss expectancy
C) Single loss expectancy multiplied by the annual rate of occurrence
D) Total loss expectancy multiplied by the total loss frequency

A) Trademark
B) Research Logs
C) Copyright
D) Patent

A) Against distributed denial of service attacks
B) Intellectual property released into the public domain
C) all organizational assets
D) critical business processes and/or revenue streams

A) Accepted risk
B) Residual risk
C) Non-tolerated risk
D) Persistent risk

A) The organization uses exclusively a qualitative process to measure risk
B) The organization's risk tolerance is low
C) The organization uses exclusively a quantitative process to measure risk
D) The organization's risk tolerance is high

A) Due Compromise
B) Due process
C) Due Care
D) Due Protection

A) Graphically summarize data paths and storage processes.
B) Order data hierarchically
C) Highlight high-level data definitions
D) Portray step-by-step details of data generation.

A) Budget
B) Security and IT Staff size
C) Company values
D) All of the above

A) Technology and Vendor Management
B) Operations and Regulations
C) Risk Management and Operations
D) Corporate Culture and Job Expectations

A) Resources are allocated to the areas of the highest concern
B) Scheduling may be performed months in advance
C) Budgets are more likely to be met by the IT audit staff
D) Staff will be exposed to a variety of technologies

A) ISO 27001
B) ISO 27004
C) PRINCE2
D) ITILv3

A) Governance
B) Compliance
C) Awareness
D) Management

A) Scope
B) Schedule
C) Staff
D) Scan tools

A) Communicate details of information security incidents
B) Create effective policies detailing program activities
C) Ensure efficient recovery and reinstate repaired systems
D) Provide current employee awareness programs

A) Risk mitigation
B) Estimate activity duration
C) Quantitative analysis
D) Qualitative analysis

A) Approval from the board of directors
B) Metrics of mitigation method success
C) Cost of the mitigation is less than a risk
D) Mitigation method complies with PCI regulations

A) Control Objectives for IT (COBIT)
B) International Organization Standard (ISO) 27002
C) Payment Card Industry -Data Security Standard (PCI-DSS)
D) National Institute of Standards and technology (NIST) SP 800-30

A) Post a guard at the door to maintain physical security
B) Close and chain the door shut and send a company-wide memo banning the practice
C) Have a risk assessment performed
D) Nothing, this falls outside your area of influence

A) Finding economic balance between the impact of the risk and the cost of the control
B) Identifying the victim of any potential exploits
C) Identifying the risk
D) Assessing the impact of potential threats

A) Identify and assess the risk assessment process used by management.
B) Identify and evaluate existing controls.
C) Identify information assets and the underlying systems.
D) Disclose the threats and impacts to management.

A) Mitigate risk
B) Perform a risk assessment
C) Determine appetite
D) Evaluate risk avoidance criteria

A) The size of the organization processing credit card data
B) The types of cardholder data retained
C) The duration card holder data is retained
D) The number of transactions performed per year by an organization

A) Names and phone numbers of those who conducted the audit
B) Executive summary
C) Penetration test agreement
D) Business charter

A) The asset manager
B) The project manager
C) The asset owner
D) The data custodian

A) The audit control checklist
B) Technique for securing information
C) Desired results or purpose of implementing specific control procedures.
D) Security policy

A) risk transfer
B) risk mitigation
C) risk acceptance
D) risk tolerance

A) The effective implementation of security controls can be viewed as an inhibitor to rapid Information technology implementations.
B) Technology Governance is focused on process risks whereas Security Governance is focused on business risk.
C) Technology governance defines technology policies and standards while security governance does not.
D) Security governance defines technology best practices and Information Technology governance does not.

A) Substantive test of program library controls
B) A compliance test of the program compiler controls
C) A compliance test of program library controls
D) A substantive test of the program compiler controls

A) Improper use of information resources
B) Reduction of budget
C) Decreased security awareness
D) Fines for regulatory non-compliance

A) define security configurations for systems
B) establish budgetary input in order to meet compliance requirements
C) establish acceptable systems and user behavior
D) define relationship with external law enforcement agencies

A) Monthly program tests to ensure resource allocation is sufficient for supporting the needs of the organization.
B) Weekly program budget reviews to ensure the percentage of program funding remains constant.
C) Annual review of program charters, policies, procedures and organizational agreements.
D) Daily monitoring of vulnerability advisories relating to your organization's deployed technologies.

A) Decrease the vulnerabilities within the scan tool settings
B) Scan a representative sample of systems
C) Filter the scan output so only pertinent data is analyzed
D) Perform the scans only during off-business hours

A) Schedule an emergency meeting and request the finding to fix the issue
B) Take the system off line until budget is available
C) Transfer financial resources from other critical programs
D) Deploy countermeasures and compensation controls until the budget is available

A) Internal Audit
B) Information Security
C) Compliance
D) Database Administration

A) Review the recommendations and follow up to see if audit implemented the changes
B) Meet with audit team to determine a timeline for corrections
C) Have internal audit conduct another audit to see what has changed.
D) Contract with an external audit company to conduct an unbiased audit

A) In-lie and turn on alert mode to stop malicious traffic.
B) In promiscuous mode and block malicious traffic.
C) In promiscuous mode and only detect malicious traffic.
D) In-line and turn on blocking mode to stop malicious traffic.

A) Vulnerability
B) Threat
C) Exploitation
D) Attack vector

A) On projects not forecasted in the yearly budget
B) When organizational resources are limited
C) When the benefits of outsourcing outweigh the inherent risks of outsourcing
D) On new, enterprise-wide security initiatives

A) Detective Controls
B) Proactive Controls
C) Organizational Controls
D) Preemptive Controls

A) Decide how to manage risk
B) Define Information Security Policy
C) Identify threats, risks, impacts and vulnerabilities
D) Define the budget of the Information Security Management System

A) Compliance to local hiring laws
B) Encryption import/export regulations
C) Local customer privacy laws
D) Time zone differences

A) Creating an inventory of information assets
B) Calculating the risks to which assets are exposed in their current setting
C) Classifying and organizing information assets into meaningful groups
D) Assigning value to each information asset

A) Conduct a Disaster Recovery (RD) exercise every year to test the plan
B) Conduct periodic tabletop exercises to refine the BC plan
C) Test every three years to ensure that things work as planned
D) Outsource the creation and execution of the BC plan to a third party vendor

A) Total Risk
B) Transferred Risk
C) Residual Risk
D) Post Implementation Risk

A) Defense in depth cost enumerated costs
B) Nonlinearities in physical security performance metrics
C) System hardening and patching requirements
D) Anti-virus for mobile devices

A) Number of successful social engineering attempts on the call center
B) Number of callers who abandon the call before speaking with a representative
C) Number of callers who report a lack of customer service from the call center
D) Number of callers who report security issues.

A) Perform a vulnerability scan of the network
B) Internal Firewall ruleset reviews
C) Implement network intrusion prevention systems
D) External penetration testing by a qualified third party

A) Risk Management Program
B) Anti-Spam controls
C) Identity and Access Management Program
D) Security Awareness Program

A) Determine program ownership to implement compensating controls
B) Send a report to executive peers and business unit owners detailing your suspicions
C) Validate that security awareness program content includes information about the potential vulnerability
D) Conduct a throughout risk assessment against the current implementation to determine system functions

A) Information Security (IS) procedures often require augmentation with other standards
B) Implementation of it eases an organization's auditing and compliance burden
C) It provides for a consistent and repeatable staffing model for technology organizations
D) It allows executives to more effectively monitor IT implementation costs

A) National Institute of Standards and technology Special Publication SP 800-12
B) Request for Comment 2196
C) International Organization for Standardization 27001
D) National Institute of Standards and technology Special Publication SP 800-26