Who in the organization determines access to information?
A. Legal department
B. Compliance officer
C. Data Owner
D. Information security officer
Which of the following is a weakness of an asset or group of assets that can be exploited by one or more threats?
A. Threat
B. Vulnerability
C. Attack vector
D. Exploitation
The PRIMARY objective for information security program development should be:
A. Reducing the impact of the risk to the business
B. Establishing strategic alignment with business continuity requirements
C. Establishing incident response programs
D. Identifying and implementing the best security solutions
Information Security is often considered an excessive, after-the-fact cost when a project or initiative is completed. What can be done to ensure that security is addressed cost effectively?
A. User awareness training for all employees
B. Installation of new firewalls and intrusion detection systems
C. Launch an internal awareness campaign
D. Integrate security requirements into project inception
An international organization is planning a project to implement encryption technologies to protect company confidential information. This organization has data centers on three continents. Which of the following would be considered a MAJOR constraint for the project?
A. Time zone differences
B. Compliance with local hiring laws
C. Encryption import/export regulations
D. Local customer privacy laws
Scenario: You are the newly hired Chief Information Security Officer for a company that has not previously had a senior level security practitioner. The company lacks a defined security policy and framework for their Information Security Program. Your new boss, the Chief Financial Officer, has asked you to draft an outline of a security policy and recommend an industry/sector neutral information security control framework for implementation.
Your Corporate Information Security Policy should include which of the following?
A. Information security theory
B. Roles and responsibilities
C. Incident response contacts
D. Desktop configuration standards
Which technology can provide a computing environment without requiring a dedicated hardware backend?
A. Mainframe server
B. Virtual Desktop
C. Thin client
D. Virtual Local Area Network
Which of the following provides an independent assessment of a vendor's internal security controls and overall posture?
A. Alignment with business goals
B. ISO27000 accreditation
C. PCI attestation of compliance
D. Financial statements
Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.
When formulating the remediation plan, what is a required input?
A. Board of directors
B. Risk assessment
C. Patching history
D. Latest virus definitions file
Scenario: Your corporate systems have been under constant probing and attack from foreign IP addresses for more than a week. Your security team and security infrastructure have performed well under the stress. You are confident that your defenses have held up under the test, but rumors are spreading that sensitive customer data has been stolen and is now being sold on the Internet by criminal elements. During your investigation of the rumored compromise you confirm that data has been breached and locate the repository of stolen data on a server in a foreign country. Your team now has full access to the data on the foreign server.
Your defenses did not hold up as originally thought. As you investigate through log analysis how the data was compromised, you discover that a hardworking but misguided business intelligence analyst posted the data to an obfuscated URL on a popular cloud storage service so they could work on it from home in their off-time.
Which technology or solution could you deploy to prevent employees from removing corporate data from your network? Choose the BEST answer.
A. Security Guards posted outside the Data Center
B. Data Loss Prevention (DLP)
C. Rigorous syslog reviews
D. Intrusion Detection Systems (IDS)
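The scenario above shows why an obfuscated URL defeats nothing: the analyst's upload is still an outbound request to a cloud-storage host carrying sensitive content. The following is an added example, not part of the original question set, of the two checks a DLP control performs on the way out: flagging upload-style requests to non-approved cloud-storage domains in an egress proxy log, and inspecting the payload itself for payment card numbers (regex match plus Luhn validation) so that an arbitrary run of digits is not misreported. The log format, user names, domains and payload are all constructed for illustration; the blocked-domain list and the size threshold are assumed policy values.

```python
"""Added example: DLP-style egress and content checks for the scenario above.
All log lines, users, domains and payload data below are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed egress proxy log. Assumed format: timestamp user method url bytes_out
SAMPLE_LOG = """\
2024-05-01T09:02:11Z mjones GET https://intranet.corp.example/reports 2048
2024-05-01T22:14:03Z janalyst POST https://files.example-cloud.com/u/9f3a1c7e0b2d 4812391
2024-05-01T22:15:40Z janalyst PUT https://files.example-cloud.com/u/9f3a1c7e0b2d/part2 910233
2024-05-01T13:45:00Z rlee POST https://mail.corp.example/send 15200
"""

# Assumed policy: consumer cloud-storage services not approved for corporate data.
BLOCKED_STORAGE_DOMAINS = {"files.example-cloud.com", "drive.example-share.net"}
UPLOAD_METHODS = {"POST", "PUT"}
LARGE_UPLOAD_BYTES = 1_000_000  # assumed threshold marking a single upload as "large"


@dataclass
class EgressEvent:
    ts: str
    user: str
    method: str
    url: str
    bytes_out: int


def parse_log(text):
    """Parse the constructed log format; skip malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, user, method, url, size = parts
        events.append(EgressEvent(ts, user, method.upper(), url, int(size)))
    return events


def flag_cloud_uploads(text):
    """Return (user, host, bytes_out, is_large) for uploads to blocked storage hosts.

    The decision is made on hostname and HTTP method only, so the obfuscated
    path in the URL gives the uploader no cover.
    """
    hits = []
    for ev in parse_log(text):
        host = (urlparse(ev.url).hostname or "").lower()
        if ev.method in UPLOAD_METHODS and host in BLOCKED_STORAGE_DOMAINS:
            hits.append((ev.user, host, ev.bytes_out, ev.bytes_out >= LARGE_UPLOAD_BYTES))
    return hits


# ---- content inspection: payment card numbers ----
# 13 to 19 digits, optionally separated by spaces or hyphens, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit strings that both look like a card number and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def classify_payload(text):
    """Summarise what the content scan found and whether the transfer should be blocked."""
    cards = find_card_numbers(text)
    return {"card_numbers": len(cards), "block": bool(cards)}


# Constructed payload: one valid test card number, one digit run that fails Luhn.
SAMPLE_PAYLOAD = (
    "customer_id,name,card\n"
    "1001,A. Example,4111 1111 1111 1111\n"
    "1002,B. Example,1234567890123\n"
)

if __name__ == "__main__":
    for user, host, size, large in flag_cloud_uploads(SAMPLE_LOG):
        print(f"upload to {host} by {user}: {size} bytes{' (large)' if large else ''}")
    print(classify_payload(SAMPLE_PAYLOAD))
```

Both checks are complementary: the egress rule catches the destination regardless of what is in the file, while the content rule catches sensitive data even when it is sent to an approved service. Neither needs to know the "secret" URL, which is the point against the obfuscation in the scenario.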