01. You have implemented the new controls. What is the next step?
a) Document the process for the stakeholders
b) Monitor the effectiveness of the controls
c) Update the audit findings report
d) Perform a risk assessment
02. In which of the following cases would an organization be more prone to risk acceptance than to risk mitigation?
a) The organization uses an exclusively quantitative process to measure risk
b) The organization uses an exclusively qualitative process to measure risk
c) The organization’s risk tolerance is high
d) The organization’s risk tolerance is low
03. Risk appetite directly affects what part of a vulnerability management program?
a) Staff
b) Scope
c) Schedule
d) Scan tools
04. When creating an information security budget, which of the following is the least important factor to consider?
a) Ensuring the budget grows each year so the security department can continue to grow
b) What your boss’s perception is about security
c) The costs of labor to staff all the streams of work
d) How much the organization spent on security last year
05. A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO, and a variety of high-, medium- and low-rated gaps were identified.
After determining that the audit findings are accurate, which of the following is the MOST logical next activity?
a) Create a briefing of the findings for executive management
b) Review the security organization’s charter
c) Begin initial gap remediation analyses
d) Validate gaps with the Information Technology team
06. You are the newly hired Chief Information Security Officer for a company that has not previously had a senior level security practitioner. The company lacks a defined security policy and framework for their Information Security Program.
Your new boss, the Chief Financial Officer, has asked you to draft an outline of a security policy and recommend an industry- and sector-neutral information security control framework for implementation.
Your Corporate Information Security Policy should include which of the following?
a) Roles and responsibilities
b) Incident response contacts
c) Desktop configuration standards
d) Information security theory
07. The exposure factor (EF) of a threat to your organization is defined as:
a) Asset value times exposure factor
b) Annual rate of occurrence
c) Annual loss expectancy minus current cost of controls
d) Percentage of loss experienced due to a realized threat event
08. Your company has many encrypted telecommunications links for their world-wide operations. Physically distributing symmetric keys to all locations has proven to be administratively burdensome, but symmetric keys are preferred to other alternatives.
How can you reduce the administrative burden of distributing symmetric keys for your employer?
a) Use a certificate authority to distribute private keys
b) Symmetrically encrypt the key and then use asymmetric encryption to decrypt it
c) Use asymmetric encryption for the automated distribution of the symmetric key
d) Use a self-generated key on both ends to eliminate the need for distribution
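The hybrid key-distribution approach that question 08 alludes to, shown as an added worked example (this code is not part of the exam page): each site generates its own RSA key pair once and publishes only the public half; headquarters wraps a fresh symmetric link key with the site's public key (RSA-OAEP), signs the wrapped blob so a substituted key is rejected, and the site unwraps it and uses it for AES-GCM link traffic. It assumes the `cryptography` package is installed; the function names, the "HQ"/"site" roles and the sample message are illustrative constructions.

```python
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Padding parameters shared by both ends (assumed policy choices for this example).
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)


def generate_site_keypair():
    """Each site generates its own RSA key pair once; only the public key travels."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return priv, priv.public_key()


def wrap_link_key(link_key: bytes, recipient_pub, sender_priv):
    """HQ wraps a symmetric link key for one site and signs the wrapped blob.

    The signature is what stops an attacker on the distribution channel from
    substituting a key of their own; OAEP alone only provides confidentiality.
    """
    wrapped = recipient_pub.encrypt(link_key, OAEP)
    sig = sender_priv.sign(wrapped, PSS, hashes.SHA256())
    return wrapped, sig


def unwrap_link_key(wrapped: bytes, sig: bytes, recipient_priv, sender_pub) -> bytes:
    """Site verifies HQ's signature first, then recovers the link key."""
    sender_pub.verify(sig, wrapped, PSS, hashes.SHA256())  # raises InvalidSignature
    return recipient_priv.decrypt(wrapped, OAEP)


def encrypt_link_traffic(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """AES-256-GCM with a random 96-bit nonce prepended to the ciphertext."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def decrypt_link_traffic(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad)


def rollout_example() -> dict:
    """One HQ-to-site key rollout, plus a tampered blob that must be rejected."""
    hq_priv, hq_pub = generate_site_keypair()
    site_priv, site_pub = generate_site_keypair()

    link_key = AESGCM.generate_key(bit_length=256)   # fresh symmetric key at HQ
    wrapped, sig = wrap_link_key(link_key, site_pub, hq_priv)
    recovered = unwrap_link_key(wrapped, sig, site_priv, hq_pub)

    msg = b"constructed sample message: nightly ledger sync"  # constructed input
    blob = encrypt_link_traffic(recovered, msg)

    # An attacker flips one byte of the wrapped key in transit.
    bad = bytearray(wrapped)
    bad[0] ^= 0x01
    try:
        unwrap_link_key(bytes(bad), sig, site_priv, hq_pub)
        tamper_detected = False
    except InvalidSignature:
        tamper_detected = True

    return {
        "key_recovered": recovered == link_key,
        "traffic_roundtrip": decrypt_link_traffic(link_key, blob) == msg,
        "tamper_detected": tamper_detected,
        "wrapped_len": len(wrapped),   # 256 bytes for a 2048-bit RSA modulus
    }


if __name__ == "__main__":
    print(rollout_example())
```

Only a public key per site has to be exchanged (once, and it can be published openly), so the administrative burden of shipping secret material to every location disappears; rotating the link key later is just another signed, wrapped blob over the existing channel. The signature check is deliberate: without it, anyone who can write to the distribution channel can wrap their own key for the site.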
09. An organization has recently appointed a CISO. This is a new role in the organization, and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident in their skills and experience, is constantly on the defensive and is unable to advance the IT-security-centric agenda.
Which of the following is the MAIN reason the CISO has not been able to advance the security agenda in this organization?
a) Lack of a security awareness program
b) Lack of identification of technology stakeholders
c) Lack of business continuity process
d) Lack of influence with leaders outside IT
10. NIST SP 800-53 outlines management, operational, and technical classes. Which of the following NIST control families is an example of a management control class?
a) Risk Assessment
b) Awareness and Training
c) Physical and Environmental Protection
d) Personnel Security