
512-50 Online Practice Questions and Answers

Questions 4

The exposure factor of a threat to your organization is defined by?

A. Asset value times exposure factor

B. Annual rate of occurrence

C. Annual loss expectancy minus current cost of controls

D. Percentage of loss experienced due to a realized threat event

Questions 5

A company wants to fill a Chief Information Security Officer position in the organization. They need to define and implement a more holistic security program. Which of the following qualifications and experience would be MOST desirable to find in a candidate?

A. Multiple certifications, strong technical capabilities and lengthy resume

B. Industry certifications, technical knowledge and program management skills

C. College degree, audit capabilities and complex project management

D. Multiple references, strong background check and industry certifications

Questions 6

The Information Security Governance program MUST:

A. integrate with other organizational governance processes

B. support user choice for Bring Your Own Device (BYOD)

C. integrate with other organizational governance processes

D. show a return on investment for the organization

Questions 7

When entering into a third-party vendor agreement for security services, at what point in the process is it BEST to understand and validate the security posture and compliance level of the vendor?

A. At the time the security services are being performed and the vendor needs access to the network

B. Once the agreement has been signed and the security vendor states that they will need access to the network

C. Once the vendor is on premise and before they perform security services

D. Prior to signing the agreement and before any security services are being performed

Questions 8

How often should the SSAE16 report of your vendors be reviewed?

A. Quarterly

B. Semi-annually

C. Annually

D. Bi-annually

Questions 9

SCENARIO: Critical servers show signs of erratic behavior within your organization's intranet. Initial information indicates the systems are under attack from an outside entity. As the Chief Information Security Officer (CISO), you decide to deploy the Incident Response Team (IRT) to determine the details of this incident and take action according to the information available to the team.

What phase of the response provides measures to reduce the likelihood of an incident recurring?

A. Response

B. Investigation

C. Recovery

D. Follow-up

Questions 10

A CISO wants to change the defense strategy to ward off attackers. To accomplish this the CISO is looking to a strategy where attackers are lured into a zone of a safe network where attackers can be monitored, controlled, quarantined, or eradicated.

A. Moderate investment

B. Passive monitoring

C. Integrated security controls

D. Dynamic deception

Questions 11

If the result of an NPV is positive, then the project should be selected. The net present value shows the present value of the project, based on the decisions taken for its selection. What is the net present value equal to?

A. Net profit - per capita income

B. Total investment - Discounted cash

C. Average profit - Annual investment

D. Initial investment - Future value

Questions 12

Scenario: Most industries require compliance with multiple government regulations and/or industry standards to meet data protection and privacy mandates.

What is one proven method to account for common elements found within separate regulations and/or standards?

A. Hire a GRC expert

B. Use the Find function of your word processor

C. Design your program to meet the strictest government standards

D. Develop a crosswalk

Questions 13

Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years.

The organization has already been subject to a significant amount of credit card fraud. Which of the following is the MOST likely reason for this fraud?

A. Lack of compliance to the Payment Card Industry (PCI) standards

B. Ineffective security awareness program

C. Security practices not in alignment with ISO 27000 frameworks

D. Lack of technical controls when dealing with credit card data

Exam Code: 512-50
Exam Name: EC-Council Information Security Manager (E|ISM)
Last Update: Jun 19, 2026
Questions: 404