712-50 Questions and Answers

Provide developer security training

Deploy Intrusion Detection Systems

Provide security testing tools

Implement Compensating Controls

Change management

Business continuity planning

Security Incident Response

Thought leadership

Failed to identify all stakeholders and their needs

Deployed the encryption solution in an inadequate manner

Used 1024 bit encryption when 256 bit would have sufficed

Used hardware encryption instead of software encryption

The CISO should cut other essential programs to ensure the new solution’s continued use

Communicate future operating costs to the CIO/CFO and seek commitment from them to ensure the new solution’s continued use

Defer selection until the market improves and cash flow is positive

Implement the solution and ask for the increased operating cost budget when it is time

Vendors uses their own laptop and logins with same admin credentials your security team uses

Vendor uses a company supplied laptop and logins using two factor authentication with same admin credentials your security team uses

Vendor uses a company supplied laptop and logins using two factor authentication with their own unique credentials

Vendor uses their own laptop and logins using two factor authentication with their own unique credentials

The software license expiration is probably out of synchronization with other software licenses

The project was initiated without an effort to get support from impacted business units in the organization

The software is out of date and does not provide for a scalable solution across the enterprise

The security officer should allow time for the organization to get accustomed to her presence before initiating security projects

Provide security reporting to all levels of an organization

Create effective security awareness to employees

Manage risk within the organization

Assure regulatory compliance

Alignment with the business

Effective use of existing technologies

Leveraging existing implementations

Proper budget management

Provide clear communication of security requirements throughout the organization

Demonstrate executive support with written mandates for security policy adherence

Create collaborative risk management approaches within the organization

Perform increased audits of security processes and procedures

Vendor’s client list of reputable organizations currently using their solution

Vendor provided attestation of the detailed security controls from a reputable accounting firm

Vendor provided reference from an existing reputable client detailing their implementation

Vendor provided internal risk assessment and security control documentation

it is completed on time or early as compared to the baseline project plan

it meets most of the specifications as outlined in the approved project definition

it comes in at or below the expenditures planned for in the baseline budget

the deliverables are accepted by the key stakeholders

Procedures for litigation

Procedures for reclamation

Procedures for classification

Procedures for charge-back

Define the risk appetite

Determine budget constraints

Review project charters

Collaborate security projects

Grant her access, the employee has been adequately warned through the AUP.

Assist her with the request, but only after her supervisor signs off on the action.

Reset the employee’s password and give it to the supervisor.

Deny the request citing national privacy laws.

Lack of asset management processes

Lack of change management processes

Lack of hardening standards

Lack of proper access controls

Type of data contained in the process/system

Type of connection/protocol used to transfer the data

Type of encryption required for the data once it is at rest

Type of computer the data is processed on

Security

Business units

Board of Directors

Audit and compliance

CISO

Compliance Officer

Project manager

Board of directors

low risk-tolerance

high risk-tolerance

moderate risk-tolerance

medium-high risk-tolerance

Cost benefit

Risk appetite

Business continuity

Likelihood of impact

Deploy a SEIM solution and have current staff review incidents first thing in the morning

Contract with a managed security provider and have current staff on recall for incident response

Configure your syslog to send SMS messages to current staff when target events are triggered

Employ an assumption of breach protocol and defend only essential information resources

Anti-phishing tools

Anti-malware tools

Effective Security Vulnerability Management Program

Effective Security awareness program

Determine appetite

Evaluate risk avoidance criteria

Perform a risk assessment

Mitigate risk

Confidential/Protected Information

Bodily Information

Territorial Information

Communications Information

Cost and annual rate of expectance

Subjective and Objective

Qualitative and percent of loss realized

Quantitative and qualitative

Approval from the board of directors

Cost of the mitigation is less than the risk

Metrics of mitigation method success

Mitigation method complies with PCI regulations

favorable audit findings

following the recommendations of consultants and contractors

development of relationships with organization executives

raising awareness of security issues with end users

Control Objectives for IT (COBIT)

Payment Card Industry-Data Security Standard (PCI-DSS)

International Organization Standard (ISO) 27002

National Institute of Standards and Technology (NIST) SP 800-30

Mandatory controls

Discretionary controls

Optional controls

Financial controls

establish budgetary input in order to meet compliance requirements

establish acceptable systems and user behavior

define security configurations for systems

define relationships with external law enforcement agencies

Risk Avoidance

Risk Acceptance

Risk Transfer

Risk Mitigation

security threat and vulnerability management process

risk assessment process

risk management process

governance, risk, and compliance tools

The organization uses exclusively a quantitative process to measure risk

The organization uses exclusively a qualitative process to measure risk

The organization’s risk tolerance is high

The organization’s risk tolerance is lo

Threat identification

Risk monitoring

Risk treatment

Risk tolerance

The asset owner

The asset manager

The data custodian

The project manager

They are objective and can express risk / cost in real numbers

They are subjective and can be completed more quickly

They are objective and express risk / cost in approximates

They are subjective and can express risk /cost in real numbers

Technology governance defines technology policies and standards while security governance does not.

Security governance defines technology best practices and Information Technology governance does not.

Technology Governance is focused on process risks whereas Security Governance is focused on business risk.

The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology implementations.

Risk Management and Operations

Corporate Culture and Job Expectations

Operations and Regulations

Technology and Vendor Management

Lack of a formal security awareness program

Lack of a formal security policy governance process

Lack of formal definition of roles and responsibilities

Lack of a formal risk management policy

Compliance to the Payment Card Industry (PCI) regulations.

Alignment with financial reporting regulations for each country where they operate.

Alignment with International Organization for Standardization (ISO) standards.

Compliance with patient data protection regulations for each country where they operate.

The types of cardholder data retained

The duration card holder data is retained

The size of the organization processing credit card data

The number of transactions performed per year by an organization

Risk Tolerance

Qualitative risk analysis

Risk Appetite

Quantitative risk analysis

Only check compliance right before the auditors are scheduled to arrive onsite.

Outsource compliance to a 3rd party vendor and let them manage the program.

Have Compliance and Information Security partner to correct issues as they arise.

Have Compliance direct Information Security to fix issues after the auditors report.

Trademark

Patent

Research Logs

Copyright

Trusted and untrusted networks

Type of authentication

Storage encryption

Log retention

non-repudiation

conflict resolution

strong authentication

digital rights management

Execute

Read

Administrator

Public

Unable to control physical access to the servers

Unable to track log on activity

Unable to run anti-virus scans

Unable to patch systems as needed

‘ o 1=1 - -

/../../../../

“DROPTABLE USERNAME”

NOPS

Physical, Technical, Operational

Technical, Strong Password, Operational

Operational, Biometric, Physical

Strong password, Biometric, Common Access Card

Configure logging on each access point

Install a firewall software on each wireless access point.

Provide IP and MAC address

Disable SSID Broadcast and enable MAC address filtering on all wireless access points.

In-line hardware keyloggers don’t require physical access

In-line hardware keyloggers don’t comply to industry regulations

In-line hardware keyloggers are undetectable by software

In-line hardware keyloggers are relatively inexpensive

Your public key

The recipient's private key

The recipient's public key

Certificate authority key

Session encryption

Removing all stored procedures

Input sanitization

Library control

The need to change accounting periods on a regular basis.

The requirement to post entries for a closed accounting period.

The need to create and modify the chart of accounts and its allocations.

The lack of policies and procedures for the proper segregation of duties.

Shared key

Asynchronous

Open

None

Wireless Application Protocol (WAP)

Wifi Protected Access version 2 (WPA2)

Wireless Equivalence Protocol (WEP)

Extensible Authentication Protocol (EAP)

Secure the area and shut-down the computer until investigators arrive

Secure the area and attempt to maintain power until investigators arrive

Immediately place hard drive and other components in an anti-static bag

Secure the area.

Well established and defined digital forensics process

Establishing Enterprise-owned Botnets for preemptive attacks

Be able to retaliate under the framework of Active Defense

Collaboration with law enforcement

3DES

MD5

ECC

RSA

Threat analysis process

Asset configuration management process

Business Impact Analysis

Disaster Recovery plan

Covert government networks

War driving maps

Government networks in Tora

Virtual network tunnels

Traffic Analysis

Deep-Packet inspection

Packet sampling

Heuristic analysis

War driving

Operating system attacks

Social engineering

Shrink wrap attack

chain of custody.

electronic discovery.

evidence tampering.

electronic review.

Baseline the Environment

Maintain and Monitor

Organization Vulnerability

Define Policy

It is an IPSec protocol.

It is a text-based communication protocol.

It uses TCP port 22 as the default port and operates at the application layer.

It uses UDP port 22

System scanning trends and results as they pertain to insider and external threat sources

The capabilities of a security program in terms of staffing support

Significant risks and security incidents that have been discovered since the last assembly of the

membership

The numbers and types of cyberattacks experienced by the organization since the last assembly of the

membership

Moderate investment

Passive monitoring

Integrated security controls

Dynamic deception

The CISO does not report directly to the CEO of the organization

The CISO reports to the IT organization

The CISO has not implemented a policy management framework

The CISO has not implemented a security awareness program

To estimate risk and negate liability to the company

To understand the attack vectors and attack sources

To communicate risk and forecast resource needs

To forecast usage and cost per software licensing

Centralized log management

Encrypted log files in transit

Each node set to local time

Log aggregation agent each node

The percentage of earnings that are retained by the organization for reinvestment in the business

The details of expenses and revenue over a long period of time

A summarized statement of all assets and liabilities at a specific point in time

A review of regulations and requirements impacting the business from a financial perspective

Easiest regulation or standard to implement

Stricter regulation or standard

Most complex standard to implement

Recommendations of your Legal Staff

To understand the risk coverage that are being mitigated by the vendor

To establish a vendor selection process

To document the relationship between the company and the vendor

To define the partnership for long-term success

Response

Investigation

Recovery

Follow-up

File Transfer Protocol (FTP)

Virtual Local Area Network (VLAN)

Simple Mail Transfer Protocol

Virtual Private Network (VPN)

Lack of compliance to the Payment Card Industry (PCI) standards

Ineffective security awareness program

Security practices not in alignment with ISO 27000 frameworks

Lack of technical controls when dealing with credit card data

Segmentation controls.

Shadow applications.

Deception technology.

Vulnerability management.

The portfolio is used to manage and track individual projects

The portfolio is used to manage incidents and events

A portfolio typically consists of several programs

A portfolio delivers one specific service or program to the business

Reviewing system administrator logs

Auditing configuration templates

Checking vendor product releases

Performing system scans

Outsourcing the IT functions.

Understanding user requirements.

Hiring personnel with leading edge skills.

Implementing and enforcing good processes.

By adding all capital and operational costs from the prior budgetary cycle, and determining potential

financial shortages

By reviewing last year’s program-level costs and adding a percentage of expected additional portfolio costs

By adding the cost of all known individual tasks and projects that are planned for the next budgetary cycle

By adding all planned operational expenses per quarter then summarizing them in a budget request

Technical control(s)

Management control(s)

Policy control(s)

Operational control(s)

National Institute of Standards and Technology (NIST) Special Publication 800-53

Payment Card Industry Digital Security Standard (PCI DSS)

International Organization for Standardization – ISO 27001/2

British Standard 7799 (BS7799)

Regular communication of incident status to executives

Eradication of malware and system restoration

Determination of the attack source

Preservation of information

Alignment with the business goals and the vision of the CIO

The risk tolerance of the company and the company mission statement

The executive summary and vision of the board of directors

The alignment with the business goals and the risk tolerance

To give information security management recommendations to those who are responsible for initiating, implementing, or maintaining security in their organization.

To provide a common basis for developing organizational security standards

To provide effective security management practice and to provide confidence in inter-organizational dealings

To established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization

Validate that security awareness program content includes information about the potential vulnerability

Conduct a thorough risk assessment against the current implementation to determine system functions

Determine program ownership to implement compensating controls

Send a report to executive peers and business unit owners detailing your suspicions

Risk metrics

Management metrics

Operational metrics

Compliance metrics

Procedural control

Organization control

Technical control

Management control

Control Objective for Information Technology (COBIT)

Committee of Sponsoring Organizations (COSO)

Payment Card Industry (PCI)

Information Technology Infrastructure Library (ITIL)

Determine the annual loss expectancy (ALE)

Create a crisis management plan

Create technology recovery plans

Build a secondary hot site

Internal Audit

Database Administration

Information Security

Compliance

Classifying an information system as part of a risk assessment

Installing an appropriate fire suppression system in the data center

Conducting an audit of the configuration management process

Establishing procurement standards for cloud vendors

Penetration testers

External Audit

Internal Audit

Forensic experts

Resources are allocated to the areas of the highest concern

Scheduling may be performed months in advance

Budgets are more likely to be met by the IT audit staff

Staff will be exposed to a variety of technologies

assign the responsibility to the information security team.

assign the responsibility to the team responsible for the management of the controls.

create operational reports on the effectiveness of the controls.

perform an independent audit of the security controls.

Single loss expectancy multiplied by the annual rate of occurrence

Total loss expectancy multiplied by the total loss frequency

Value of the asset multiplied by the loss expectancy

Replacement cost multiplied by the single loss expectancy

Management Control

Technical Control

Training Control

Operational Control

Every 6 months

Quarterly

Before an audit

At least once a year

Nonlinearities in physical security performance metrics

Defense in depth cost enumerated costs

System hardening and patching requirements

Anti-virus for mobile devices

To remediate half of the findings before the next audit.

To remediate all of the findings before the next audit.

To validate that the cost of the remediation is less than the risk of the finding.

To validate the remediation process with the auditor.

Document the process for the stakeholders

Monitor the effectiveness of the controls

Update the audit findings report

Perform a risk assessment

It allows executives to more effectively monitor IT implementation costs

Implementation of it eases an organization’s auditing and compliance burden

Information Security (IS) procedures often require augmentation with other standards

It provides for a consistent and repeatable staffing model for technology organizations

Number of change orders rejected

Number and length of planned outages

Number of unplanned outages

Number of change orders processed

Senior Executives

Office of the Auditor

Office of the General Counsel

All employees and users

Servers, routers, switches, modem

Firewall, exchange, web server, intrusion detection system (IDS)

Firewall, anti-virus console, IDS, syslog

IDS, syslog, router, switches

Local privacy laws

Industry best practices

Risk Management frameworks

Audit best practices

Identifying the risk

Finding economic balance between the impact of the risk and the cost of the control

Identifying the victim of any potential exploits.

Assessing the impact of potential threats

Phishing Attacks

Misconfigurations

All of these

Social engineering

Compliance management

Asset management

Risk management

Security management

Inability to export the private certificate/key

It can double as physical identification at the DMV

It has the user’s photograph to help ID them

It can be used as a secure flash drive

Recovery Point Objective (RPO)

Mean Time to Delivery (MTD)

Recovery Time Objective (RTO)

Maximum Tolerable Downtime (MTD)

Account management policy

Training policy

Acceptable Use policy

Remote Access policy

Chief Financial Officer (CFO)

Chief Software Architect (CIO)

CISO

Chief Executive Officer (CEO)

An organization which provides Tier 1 support for technology issues and provides escalation when needed

A distributed organization which provides intelligence to governments and private sectors on cyber-criminal activities

The coordination of personnel, processes and technology to identify information security events and provide timely response and remediation

A device which consolidates event logs and provides real-time analysis of security alerts generated by applications and network hardware

Executing

Controlling

Planning

Closing

Phishing Attacks

Misconfigurations

Social engineering

All of these

Include a mix of members from different departments and staff levels

Review audit and compliance reports

Ensure that security policies and procedures have been vetted and approved

Be briefed about new trends and products at each meeting by a vendor

A section of a contract that defines tasks to be performed under said contract

An outline of what the military will do during war

A document that outlines specific desired outcomes as part of a request for proposal

Business guidance provided by the CEO

Phishing exercises

Use immutable data storage

Blocking use of wireless networks

Application of multiple endpoint anti-malware solutions

Improve discovery of valid detected events

Enhance tuning of automated tools to detect and prevent attacks

Replace existing threat detection strategies

Validate patterns of behavior related to an attack

Unallocated space and masking

Website defacement and log manipulation

Disabled Logging and admin elevation

Encryption, Steganography, and Changing Metadata/Timestamps

CISO

Data owner

Chief Information Officer (CIO)

Security system administrator

Has a direct correlation with the CISO’s budget

Represents, in part, the savings generated by the proper acquisition and implementation of security controls

Represents the sum of all capital expenditures

Represents the percentage of earnings that could in part be used to finance future security controls

The Federal Risk and Authorization Management Program (FedRAMP)

ISO 27002

NIST Cybersecurity Framework

Payment Card Industry (PCI) Data Security Standard (DSS)

This makes sure the files you exchange aren’t unnecessarily flagged by the Data Loss Prevention (DLP) system

Contracting rules typically require you to have conversations with two or more groups

Discussing decisions with a very large group of people always provides a better outcome

It helps to avoid regulatory or internal compliance issues

User awareness and training

Host based Intrusion Detection System (IPS)

Acceptable use guide signed by all system users

Antispam solution

Business unit leaders, CIO, CEO

Business Unite Leaders, CISO, CIO and CEO

All employees

CFO, CEO, CIO

It represents the sum of all capital expenditures

It represents the percentage of earnings that could in part be used to finance future security controls

It represents the savings generated by the proper acquisition and implementation of security controls

It has a direct correlation with the CISO’s budget

SaaS provider’s website certifications and representations (certs and reps)

SOC-2 Report

Metasploit Audit Report

Statement from SaaS provider attesting their ability to secure your data

The project is over budget

The project budget has reserves

The project cost is in alignment with the budget

The project is under budget