Eccouncil 712-50 CCISO Exam Practice Test Instant Access

Question 1

An organization information security policy serves to

Aestablish budgetary input in order to meet compliance requirements

Bestablish acceptable systems and user behavior

Cdefine security configurations for systems

Ddefine relationships with external law enforcement agencies

Answer : B

Purpose of Information Security Policies: Security policies provide guidelines for acceptable use of systems and behavior to safeguard organizational assets and ensure compliance with regulations.

Key Objectives of Security Policies:

Establish accountability.

Define expected behaviors and prohibited actions.

Support the organization's risk management and governance frameworks.

Why Other Options Are Incorrect:

A . Establish budgetary input: Budgets are influenced by policies but aren't their primary focus.

C . Define system configurations: Addressed by standards, not policies.

D . Define external relationships: Falls under incident response and external engagement policies, not general policy.

Reference: EC-Council highlights that policies aim to manage user behavior and system use as a cornerstone of organizational security.

Question 2

What is the BEST way to achieve on-going compliance monitoring in an organization?

AOnly check compliance right before the auditors are scheduled to arrive onsite.

BOutsource compliance to a 3rd party vendor and let them manage the program.

CHave Compliance and Information Security partner to correct issues as they arise.

DHave Compliance direct Information Security to fix issues after the auditors report.

Answer : C

Ongoing Compliance Monitoring:

Collaboration between Compliance and Information Security teams ensures continuous monitoring and remediation of compliance gaps as they emerge.

Proactive Partnership:

This partnership aligns compliance efforts with security policies, enabling organizations to maintain compliance without waiting for external audits.

Supporting Reference:

CCISO emphasizes the integration of compliance and security functions to maintain operational alignment and ensure consistent compliance monitoring.

Question 3

You have been hired as the Information System Security Officer (ISSO) for a US federal government agency. Your role is to ensure the security posture of the system is maintained. One of your tasks is to develop and maintain the system security plan (SSP) and supporting documentation.

Which of the following is NOT documented in the SSP?

AThe controls in place to secure the system

BName of the connected system

CThe results of a third-party audits and recommendations

DType of information used in the system

Answer : C

System Security Plan (SSP) Overview:

Documents the controls in place to secure a system, the type of information handled, and system interconnections.

Focuses on describing the system's security posture, not external audit results.

Why Not Other Options:

A: Controls are a core part of the SSP.

B: Connected systems must be documented for interconnection security.

D: The type of information processed is required to determine security requirements.

EC-Council CISO Material on SSP Requirements.

Question 4

How often should the SSAE16 report of your vendors be reviewed?

AQuarterly

BSemi-annually

CAnnually

DBi-annually

Answer : C

SSAE 16 Report Overview: SSAE 16 (Statement on Standards for Attestation Engagements) reports are used to assess a vendor's control environment and its alignment with security and compliance requirements.

Annual Review as Best Practice:

Most vendors update their SSAE 16 reports annually, which reflects a complete cycle of operational and security practices.

Reviewing the report annually ensures that the organization evaluates updated controls and addresses any identified risks.

Why Not Other Options:

Quarterly (A) or semi-annual (B) reviews are excessive unless dictated by a high-risk environment.

Bi-annual (D) review intervals may result in oversight of critical updates.

EC-Council Guidance: Annual review aligns with standard compliance practices and maintains oversight of vendor security controls.

Question 5

What is the definition of Risk in Information Security?

ARisk = Probability x Impact

BRisk = Threat x Probability

CRisk = Financial Impact x Probability

DRisk = Impact x Threat

Answer : A

Definition of Risk in Information Security:

Risk is a measure of the potential loss and the likelihood of that loss occurring. It is typically calculated using the formula: Risk = Probability x Impact

Components Explained:

Probability: The likelihood of a threat materializing.

Impact: The magnitude of the potential harm or loss if the threat materializes.

Supporting Reference:

EC-Council CCISO materials use this formula to guide risk assessments and decision-making processes, aligning with industry standards such as NIST SP 800-30.

Question 6

Which of the following backup sites takes the longest recovery time?

ACold site

BHot site

CWarm site

DMobile backup site

Answer : A

A cold site is a backup facility that provides minimal infrastructure and requires significant time to become operational after a disaster. It typically includes only basic physical space, utilities, and possibly some hardware.

Definition of Backup Sites:

Cold Site: Minimal or no IT infrastructure; requires setting up systems, installing software, and restoring data, leading to the longest recovery time.

Hot Site: Fully equipped with operational IT infrastructure; minimal setup time required for recovery.

Warm Site: Partially equipped with essential systems but requires additional setup and restoration before becoming fully operational.

Mobile Backup Site: Portable and flexible backup sites with quicker setup times but still slower than hot sites.

Recovery Time Comparison:

Cold sites are cost-effective but slowest for recovery.

They are suitable for organizations with lower criticality needs or budget constraints.

Use Cases:

Best for non-critical applications or organizations willing to tolerate extended downtime.

EC-Council CISO Reference:

Disaster Recovery Planning: EC-Council outlines the use of backup sites as part of a comprehensive disaster recovery plan, emphasizing the trade-offs between cost and recovery time.

Risk Management Framework: The importance of selecting backup sites based on organizational risk tolerance and business continuity needs is stressed.

Question 7

Which of the following functions MUST your Information Security Governance program include for formal organizational reporting?

AAudit and Legal

BBudget and Compliance

CHuman Resources and Budget

DLegal and Human Resources

Answer : A

Formal Reporting Requirements:

Information Security Governance programs must report to key organizational functions like Audit and Legal to ensure compliance, accountability, and alignment with regulatory requirements.

Role of Audit and Legal:

Audit ensures program effectiveness, while Legal ensures compliance with applicable laws and manages risks of non-compliance.

Supporting Reference:

CCISO training outlines these roles as critical stakeholders in formal reporting processes within governance frameworks.

Eccouncil EC-Council Certified CISO 712-50 CCISO Exam Practice Test