Information Security Governance Practice Question


You are the new CISO of an international trading company and have just come on board. Which of the following is your first and foremost concern?

A. Salary and benefits package
B. The role and responsibility (R&R) of CISO
C. To develop and implement an information security strategy
D. To elicit business and security requirements, and develop an information security program and supporting policies


This post, Security Function, states the justification.

Business Continuity Practice Question


In an executive meeting, the vice president (VP) of manufacturing, the data owner of the material requirements planning (MRP) system, and the VP of sales, the data owner of the online shopping website, are each justifying the criticality of the information systems that process their data and support their business processes. Both believe their own business processes are more critical and should be recovered first in case of a disaster. As the CISO, what should you do?

A. Facilitate the process for the determination of the maximum tolerable downtime, and invite the VP of information technology to commit to the recovery time objective and recovery point objective.
B. Take importance and urgency into consideration, and implement a hot site for the business processes with higher priority and a cold site for the ones with lower priority.
C. Prepare a disaster recovery plan (DRP) based on the recovery time objective and recovery point objective.
D. Prepare a business continuity plan (BCP) and a business case with alternatives to implement a hot site to support both MRP and the online shopping website.


This post, The Concept of Business Continuity, states the justification.

Common Criteria – Evaluation Assurance Level


  • A Target of Evaluation (TOE) evaluated under the Common Criteria can be assigned different levels of assurance. The most crucial factor is whether it was engineered from a design.
  • If a TOE lacks a design, its Evaluation Assurance Level (EAL) will be below EAL 3, whereas a TOE with a design is methodically reviewed.
  • The EAL of a TOE with a design depends on whether it is semi-formally or formally designed. A formal design is usually based on a mathematical model.

Informed Decisions

This post is the justification of the Business Mindset Sample Question. The recommended answer is D.

Decisions shouldn’t be biased, and they shouldn’t be made without a risk assessment or other appropriate assessment. In other words, managers should conduct a risk assessment or an appropriate analysis and evaluation in order to make informed decisions. Doing so also demonstrates their due diligence.

Policies are documented management intent; they are relatively stable compared with standards or procedures. However, exceptions to policies are not uncommon when they are needed to cope with the business. Policies are subject to change along with the external context (e.g., threats and opportunities). As security is a business enabler, the security policy should adapt to the business context and be aligned with business goals, strategy, and objectives.

Any action or initiative should be justified. Alternatives with a cost/benefit analysis documented in a business case are the most persuasive. The suggested security controls, together with their cost/benefit considerations, are the result of a risk assessment. Doing nothing (an implicit rejection by nature) is one of the alternatives in the business case.

The position and authority of the security function (the role and responsibility of the CISO) depend on the organizational structure and security requirements, which determine the CISO’s reporting line, power, and job description.

The board of directors and senior management (especially the CEO and CFO) are usually held accountable for business and legal results. Since customer privacy is a matter of legal compliance, submitting a business case for the CEO’s final approval is good practice.

CISSP Practice Questions


1. A covert timing channel undermines which of the following security objectives?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation

2. When you are concerned with the issue of data loss and errors during transmission between applications on your industrial control system (ICS) network, you are considering issues in which layer of the ISO Open Systems Interconnection (OSI) Reference Model?

A. Logic Link Control (LLC) Layer
B. Transport Layer
C. Network Layer
D. Internet Layer

3. When you are considering the issue of identifying and numbering networks and hosts, and the transmission path between two hosts, you are considering issues in which layer of the ISO Open Systems Interconnection (OSI) Reference Model?

A. Logic Link Control (LLC) Layer
B. Transport Layer
C. Network Layer
D. Internet Layer

4. When you are considering the issue of identifying and numbering networks and hosts, and the transmission path between two hosts, you are considering issues in which layer of the TCP/IP Model?

A. Logic Link Control (LLC) Layer
B. Transport Layer
C. Network Layer
D. Internet Layer

5. You are the CISO of an IC design house and report directly to the CEO; the confidentiality of customer privacy and of research and development data is the primary concern. Use of any USB device violates the acceptable usage policy (AUP). A customer account manager reports that many key customers are complaining about the inefficiency of uploading files to the company’s file server. He suggests that the data be transferred using a USB flash drive to streamline the collaboration process. As the CISO, what should you do FIRST?

A. Add an exception to the acceptable usage policy (AUP) to allow the use of USB flash drives, as security is a business enabler, and helping the business deliver value is the ultimate responsibility of a CISO.
B. Reject the suggestion because it violates the acceptable usage policy (AUP), and the use of USB flash drives is highly risky.
C. Side with the account manager and submit a proposal in favor of the suggestion to the CEO.
D. Prepare a business case and submit it to the CEO for final approval.

6. You are the CISO of a multinational trading company. Your company operates a large-scale website selling products to consumers worldwide. A network intrusion detection system (IDS) is in place to detect abnormal traffic and potential attacks. Your incident response (IR) team receives a report from users that the website is unavailable and shows HTTP error 404. An IR team member suspects a distributed denial of service (DDoS) attack, but the IDS didn’t trigger any alert. What action should the IR team take FIRST?

A. Document the incident in the incident management system.
B. Inform the contracted internet service provider and ask it to mitigate the DDoS traffic.
C. Analyze the incident report from the end users and notify senior management.
D. Ask the end users for more details to understand the real situation.

7. In an executive meeting, the vice president (VP) of manufacturing, the data owner of the material requirements planning (MRP) system, and the VP of sales, the data owner of the online shopping website, are each justifying the criticality of the information systems that process their data and support their business processes. Both believe their own business processes are more critical and should be recovered first in case of a disaster. As the CISO, what should you do?

A. Facilitate the process for the determination of the maximum tolerable downtime, and invite the VP of information technology to commit to the recovery time objective and recovery point objective.
B. Take importance and urgency into consideration, and implement a hot site for the business processes with higher priority and a cold site for the ones with lower priority.
C. Prepare a disaster recovery plan (DRP) based on the recovery time objective and recovery point objective.
D. Prepare a business continuity plan (BCP) and a business case with alternatives to implement a hot site to support both MRP and the online shopping website.

8. You are the new CISO of an international trading company and have just come on board. Which of the following is your first and foremost concern?

A. Salary and benefits package
B. The role and responsibility (R&R) of CISO
C. To develop and implement an information security strategy
D. To elicit business and security requirements, and develop an information security program and supporting policies

9. Jack logged into an online bookstore, amazz-books.com, using his Google Account. Which of the following is the client in terms of federated identity?

A. Jack
B. amazz-books.com
C. Google
D. The browser Jack is using

10. Which of the following provides the most flexible access control?

A. A subject asserting that they are unmarried
B. A subject with the Top Secret clearance
C. A subject with need-to-know
D. A subject assigned to the Admin role
