Your company decides to invest in solutions, in the coming year, to support salespeople as road warriors and boost sales. Laptops, mobile phones, VPN, wireless networks, and customer relationship management (CRM) systems are parts of the selected solution. As a CISO, which of the following is the least concern when developing a risk management strategy?
A. Foreign ownership, control, or influence over suppliers
B. Investment strategies
C. The impact of the solution upon business processes
D. Laws and regulations
You are considering solutions to connect multiple branches to the headquarters. In the end, you select MPLS and RIP. Between which layers of the ISO OSI model do these two protocols operate?
A. Data Link, Network
B. Transport, Physical
C. Data Link, Internet
D. Network, Transport
Today is the first workday after the Chinese lunar new year. One of the certificates for private use expired on the customer's web server. Because Chrome (since version 58) matches the host name against the Subject Alternative Name (SAN) extension and ignores the Common Name, the certificate request file needs additional attributes. Without them, Chrome shows an insecure-site warning like the following:
This server could not prove that it is elux.crm.tw; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.
Use the Certificates (Local Computer) snap-in in Microsoft Management Console (MMC)
Create a custom request (PKCS #10 request file with the Subject Alternative Name extension, type DNS)
Request an X.509 certificate from Microsoft Certificate Services and install the issued certificate in the Local Computer store
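The same three steps can be driven from the command line with certreq, which is what the Certificates snap-in uses underneath, and the result can be checked for the SAN extension before the certificate is bound to the web server. This is an added example, not part of the original post: the extra host name www.elux.crm.tw, the organization name, the "WebServer" template and the CA configuration string "ca01.corp.example\Corp-Issuing-CA" are placeholders that must be replaced with the customer's own values.

```powershell
# Added example (not from the original post): build a PKCS #10 request that
# carries a Subject Alternative Name (SAN) extension, submit it to an AD CS
# (Microsoft Certificate Services) CA, install the issued certificate in the
# Local Computer store, and verify that the SAN is really present.
# ASSUMPTIONS: www.elux.crm.tw, "O=Example Corp", the "WebServer" template and
# the CA string "ca01.corp.example\Corp-Issuing-CA" are placeholders.

$workDir = "C:\certs"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Request policy file (single-quoted here-string, so nothing is interpolated).
# Chrome matches the host name against OID 2.5.29.17 (SAN) only, so every
# name the server answers to must be listed there; the CN alone is not enough.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=elux.crm.tw, O=Example Corp, C=TW"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
; MachineKeySet puts the key in the Local Computer store, like the MMC snap-in
MachineKeySet = TRUE
; the private key stays non-exportable
Exportable = FALSE
; KeySpec 1 = AT_KEYEXCHANGE, needed for a TLS server key
KeySpec = 1
; KeyUsage 0xA0 = Digital Signature + Key Encipherment
KeyUsage = 0xA0
RequestType = PKCS10

[Extensions]
; Subject Alternative Name: one dns= entry per host name, each ending in &
2.5.29.17 = "{text}"
_continue_ = "dns=elux.crm.tw&"
_continue_ = "dns=www.elux.crm.tw&"
'@
Set-Content -Path "$workDir\elux.inf" -Value $inf -Encoding ASCII

# 1. Create the PKCS #10 request; the private key is generated in the Local Computer store.
certreq -new "$workDir\elux.inf" "$workDir\elux.req"

# 2. Submit the request to the enterprise CA with a template that lets the
#    requester supply the subject and SAN, and receive the issued certificate.
certreq -submit -config "ca01.corp.example\Corp-Issuing-CA" `
    -attrib "CertificateTemplate:WebServer" "$workDir\elux.req" "$workDir\elux.cer"

# 3. Bind the issued certificate to its private key in the Local Computer store.
certreq -accept "$workDir\elux.cer"

# 4. Verify the SAN before binding the certificate to the web server. This is
#    the check that would have caught the missing extension before Chrome did.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=elux.crm.tw*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No certificate for elux.crm.tw with a private key was found in Cert:\LocalMachine\My."
}

$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if (-not $san) {
    throw "Certificate $($cert.Thumbprint) has no Subject Alternative Name extension; Chrome will reject it."
}

"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"
"SAN        : $($san.Format($true))"
```

Step 4 is worth keeping as a standing check in the renewal runbook: a certificate whose SAN list is empty or does not contain every host name the server is reached by (the bare name and the www name here) will pass installation in the store and IIS binding without any error, and only fail in the browser.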
As a security professional, you are attending the risk management meeting. A member points out that the maintenance service provider for the ERP system is suffering financial problems that might degrade the service level. Which of the following should be conducted first?
A. Escalate this problem to the management and suggest sourcing a backup provider
B. Activate the information system contingency plan (ISCP)
C. Train in-house team members to support the system as a backup solution
D. Identify affected business processes and related resources
Wentz's Governance Model is a generic governance model derived from the concept of GRC (Governance, Risk Management, and Compliance). It highlights the philosophy of governance for values and introduces seven risk-aware governance practices, reorganized per the definition of governance by the IT Governance Institute.
Sound governance achieves the ultimate goals of creating and delivering values while considering risk and compliance. That relies on three crucial factors: risk-aware governance practices, a well-crafted strategy, and a well-structured organization, which can be examined from the perspectives of the static organizational structure, the dynamic organizational processes, and the holistic view of enterprise architecture.
The seven risk-aware governance practices derived from the definition of governance by the IT Governance Institute and the discipline of GRC are listed as follows:
Institute the organization to support the mission
Communicate the vision to guide the strategic direction for value delivery
Derive goals and intended outcomes to align strategies
Allocate and optimize resources to maximize values
Measure and monitor performance to achieve objectives
Manage risks to respond to changes and ensure success
Behave responsibly to maintain integrity and compliance
You are the manager authorized to make decisions on the acceptance of risk. After risk treatment, you are considering a case in which the cost of handling the residual risk is much higher than the risk acceptance criteria allow. Even though quantitative economic benefits cannot justify it, you deeply believe that the risk, while low in likelihood and not urgent, brings a significant impact on the organization and should be handled. Which of the following decisions best meets the risk acceptance principles?
A. No further treatment because it doesn't meet the risk acceptance criteria
B. No further treatment because subjective judgment is not reliable
C. Revise the risk acceptance criteria if possible, and implement risk treatment
D. Implement exception risk treatment but comment on and justify your decision
To address security concerns, you align the software development life cycle to ISO 15288, which consists of four families or groups of system life cycle processes: agreement, organizational project-enabling, technical management, and technical processes. Which of the following belongs to the Technical Processes family?
A. Configuration Management
B. Life Cycle Model Management
C. Quality Assurance
D. Business or Mission Analysis
Your organization adopts the NIST FARM risk management approach to frame, assess, respond to, and monitor risks that arise from a variety of sources or tiers such as information systems, business processes, or the organization. As a CISO, you are considering the governance structures from the organizational perspective to address risk. Which of the following is not your primary concern?
A. Strategies for internal development and external acquisition of IT products
B. Risk management strategy
C. Approaches to replacing legacy information systems
D. Enterprise Architecture
According to NIST SP 800-30 R1, risk assessment is the process of identifying, estimating, and prioritizing information security risks. This definition matches the one in ISO 31000; estimating refers to the analysis, while prioritizing refers to evaluation.
However, the guideline uses two terms in the risk assessment process that may confuse people: assessment approach and analysis approach.
Assessment approach: e.g., quantitative, qualitative, or semi-qualitative
Analysis approach: e.g., threat-oriented, asset/impact-oriented, or vulnerability-oriented
Risk Framing Components
The assessment approach, defined in the Frame step, applies to the risk assessment process as a whole, while the analysis approach refers only to the way risk is estimated within that process.
You learned from the news that the World Health Organization (WHO) is closely monitoring a novel deadly coronavirus that is spreading. As a CISO, which of the following will you do first?
A. Implement an emergency update of the latest antivirus signatures
B. Conduct the exercise of the Occupant Emergency Plan (OEP)
C. Activate the incident response plan and the security incident response team
D. Review and test the business continuity plan (BCP)