Question 1

Which of the following methodologies references the recommended industry standard that Information security project managers should follow?

Accepted Answer

The Project Management Body of Knowledge (PMBOK) is a recognized standard for project management, including information security projects, providing guidelines and best practices.

Question 2

This occurs when the quantity or quality of project deliverables is expanded from the original project plan.

Accepted Answer

Scope creep refers to the gradual expansion of project deliverables beyond the original plan, often without formal approval, leading to potential project delays and increased costs.

Question 3

How often should the Statements of Standards for Attestation Engagements-16 (SSAE16)/International Standard on Assurance Engagements 3402 (ISAE3402) report of your vendors be reviewed?

Accepted Answer

The SSAE16/ISAE3402 report should be reviewed annually to ensure that the vendor's controls are effective and up-to-date.

Question 4

When gathering security requirements for an automated business process improvement program, which of the following is MOST important?

Accepted Answer

Understanding the type of data contained in the process/system is crucial as it determines the sensitivity and classification of the data, which in turn influences the security requirements needed to protect it.

Question 5

Acme Inc. has engaged a third party vendor to provide 99.999% up-time for their online web presence and had them contractually agree to this service level agreement. What type of risk tolerance is Acme exhibiting? (choose the BEST answer):

Accepted Answer

Acme Inc. is exhibiting low risk-tolerance by requiring a very high level of uptime (99.999%) from a third-party vendor, indicating they are not willing to accept much risk of downtime.

Question 6

The company decides to release the application without remediating the high-risk vulnerabilities.  Which of the following is the MOST likely reason for the company to release the application?

Accepted Answer

The company has a high risk tolerance, meaning they are willing to accept the potential risks associated with the vulnerabilities in order to meet other business objectives, such as time-to-market.

Question 7

Information Security is often considered an excessive, after-the-fact cost when a project or initiative is completed. What can be done to ensure that security is addressed cost effectively?

Accepted Answer

Integrating security requirements into project inception ensures that security is considered from the beginning, reducing the need for costly retrofits and ensuring a more comprehensive security posture.

Question 8

Which of the following methods are used to define contractual obligations that force a vendor to meet customer expectations?

Accepted Answer

Service Level Agreements (SLA) are specifically designed to define the level of service expected from a vendor, including metrics and obligations, ensuring they meet customer expectations.

Question 9

Which of the following can the company implement in order to avoid this type of security issue in the future?

Accepted Answer

Implementing a security training program for developers can help prevent security issues by educating them on best practices and common vulnerabilities, enabling them to write more secure code.

Question 10

Your incident response plan should include which of the following?

Accepted Answer

An incident response plan should include procedures for classification to properly identify and categorize incidents for appropriate handling and response.

Question 11

To get an Information Security project back on schedule, which of the following will provide the MOST help?

Accepted Answer

Upper management support is the most important factor in getting an Information Security project back on schedule. They can provide the resources and authority needed to make changes and get the project back on track.

Question 12

The organization does not have the time to remediate the vulnerability; however it is critical to release the application.  Which of the following needs to be further evaluated to help mitigate the risks?

Accepted Answer

Implementing compensating controls can help mitigate the risks associated with the vulnerability by providing alternative measures to protect the application when it cannot be remediated immediately.

Question 13

Which of the following information may be found in table top exercises for incident response?

Accepted Answer

Tabletop exercises for incident response often focus on identifying process improvements to enhance the effectiveness of the response plan.

Question 14

When selecting a security solution with reoccurring maintenance costs after the first year (choose the BEST answer):

Accepted Answer

Communicating future operating costs to the CIO/CFO and seeking their commitment ensures that the organization is prepared for ongoing expenses, aligning with strategic financial planning and avoiding future budgetary issues.

Question 15

Which of the following is considered a project versus a managed process?

Accepted Answer

A project is a temporary endeavor with a specific start and end, such as installing a new firewall system, whereas the other options are ongoing processes.

Question 16

Which of the following is the BEST indicator of a successful project?

Accepted Answer

The best indicator of a successful project is that the deliverables are accepted by the key stakeholders, as this means the project has met the expectations and requirements of those who have a vested interest in its outcome.

Question 17

An application vulnerability assessment has identified a security flaw in an application.  This is a flaw that was previously identified and remediated on a prior release of the application.  Which of the following is MOST likely the reason for this recurring issue?

Accepted Answer

The recurring issue is most likely due to a lack of version/source controls, which would ensure that changes and fixes are properly tracked and maintained across different versions of the application.

Question 18

You currently cannot provide for 24/7 coverage of your security monitoring and incident response duties and your company is resistant to the idea of adding more full-time employees to the payroll. Which combination of solutions would help to provide the coverage needed without the addition of more dedicated staff? (choose the best answer):

Accepted Answer

Contracting with a managed security provider can offer 24/7 monitoring and incident response capabilities without needing to hire additional full-time employees.

Question 19

Which of the following is the MOST important component of any change management process?

Accepted Answer

Management approval is crucial as it ensures that the change aligns with organizational goals and has the necessary support and resources.

Question 20

Your company has a "no right to privacy" notice on all logon screens for your information systems and users sign an Acceptable Use Policy informing them of this condition. A peer group member and friend comes to you and requests access to one of her employee's email account. What should you do? (choose the BEST answer):

Accepted Answer

Assist her with the request, but only after her supervisor signs off on the action.The Acceptable Use Policy (AUP) informs users that they have no right to privacy, but it does not give other employees the right to access their accounts. The supervisor should be the one to approve such a request.

Exam 3: EC-Council Information Security Manager (E|ISM)

Which of the following methodologies references the recommended industry standard that Information security project managers should follow?

This occurs when the quantity or quality of project deliverables is expanded from the original project plan.

How often should the Statements of Standards for Attestation Engagements-16 (SSAE16) /International Standard on Assurance Engagements 3402 (ISAE3402) report of your vendors be reviewed?

When gathering security requirements for an automated business process improvement program, which of the following is MOST important?

Acme Inc. has engaged a third party vendor to provide 99.999% up-time for their online web presence and had them contractually agree to this service level agreement. What type of risk tolerance is Acme exhibiting? (choose the BEST answer) :

The company decides to release the application without remediating the high-risk vulnerabilities. Which of the following is the MOST likely reason for the company to release the application?