712-50 Exam Questions

Total 445 Questions

Last Updated Exam : 9-Jun-2025

Topic 2: IS Management Controls and Auditing Management

Which of the following is the MOST effective way to measure the effectiveness of security controls on a perimeter network?

A. Perform a vulnerability scan of the network
B. External penetration testing by a qualified third party
C. Internal Firewall ruleset reviews
D. Implement network intrusion prevention systems

Answer: B. External penetration testing by a qualified third party



An organization has implemented a change management process for all changes to the IT production environment. This change management process follows best practices and is expected to help stabilize the availability and integrity of the organization's IT environment. Which of the following can be used to measure the effectiveness of this newly implemented process?

A. Number of change orders rejected
B. Number and length of planned outages
C. Number of unplanned outages
D. Number of change orders processed

Answer: C. Number of unplanned outages



Which of the following represents the BEST reason for an organization to use the Control Objectives for Information and Related Technology (COBIT) as an Information Technology (IT) framework?

A. It allows executives to more effectively monitor IT implementation costs
B. Implementation of it eases an organization's auditing and compliance burden
C. Information Security (IS) procedures often require augmentation with other standards
D. It provides for a consistent and repeatable staffing model for technology organizations

Answer: B. Implementation of it eases an organization's auditing and compliance burden



The risk found after a control has been fully implemented is called:

A. Residual Risk
B. Total Risk
C. Post implementation risk
D. Transferred risk

Answer: A. Residual Risk



In MOST organizations, which group periodically reviews network intrusion detection system logs for all systems as part of their daily tasks?

A. Internal Audit
B. Database Administration
C. Information Security
D. Compliance

Answer: C. Information Security



Dataflow diagrams are used by IT auditors to:

A. Order data hierarchically
B. Highlight high-level data definitions
C. Graphically summarize data paths and storage processes
D. Portray step-by-step details of data generation

Answer: C. Graphically summarize data paths and storage processes



When you develop your audit remediation plan, what is the MOST important criterion?

A. To remediate half of the findings before the next audit
B. To remediate all of the findings before the next audit
C. To validate that the cost of the remediation is less than the risk of the finding
D. To validate the remediation process with the auditor

Answer: C. To validate that the cost of the remediation is less than the risk of the finding



A new CISO just started with a company and on the CISO's desk is the last complete Information Security Management audit report. The audit report is over two years old. After reading it, what should be the CISO's FIRST priority?

A. Have internal audit conduct another audit to see what has changed
B. Contract with an external audit company to conduct an unbiased audit
C. Review the recommendations and follow up to see if audit implemented the changes
D. Meet with audit team to determine a timeline for corrections

Answer: C. Review the recommendations and follow up to see if audit implemented the changes



The patching and monitoring of systems on a consistent schedule is required by?

A. Local privacy laws
B. Industry best practices
C. Risk Management frameworks
D. Audit best practices

Answer: C. Risk Management frameworks



As the new CISO at the company you are reviewing the audit reporting process and notice that it includes only detailed technical diagrams. What else should be in the reporting process?

A. Executive summary
B. Penetration test agreement
C. Names and phone numbers of those who conducted the audit
D. Business charter

Answer: A. Executive summary



