Exam (elaborations)

CSIA 485 – All Quizzes 1-5: CCISO Domains 1-5 Answers Updated_2025/26.

Rating: -
Sold: -
Pages: 90
Grade: A
Uploaded on: 13-02-2026
Written in: 2024/2025

Quiz #1: CCISO Domain #1 (Attempt 1)

Question 1 (4 / 4 points)
Risk is a confluence of Assets, Vulnerabilities and ____.
Question options:
- Lack of Experience
- Lack of Training
- Threats
- New Equipment

Question 2 (4 / 4 points)
Residual risk is defined as
Question options:
- Risk that remains after controls are implemented
- The total risk that exists
- Risk from a 3rd party vendor
- Risk that is harmless

Question 3 (4 / 4 points)
The risk treatment option of applying controls to reduce risk is known as:
Question options:
- Risk Sharing or Transfer
- Risk Avoidance or Elimination
- Risk Retention or Acceptance
- Risk Modification or Mitigation

Question 4 (4 / 4 points)
How long should a security policy be?
Question options:
- No longer than absolutely necessary
- No longer than 10 pages
- One page
- All policies are 5 pages

Question 5 (4 / 4 points)
Controls are implemented to:
Question options:
- Develop Processes
- Change Policies
- Provide Data
- Mitigate Risks

Question 6 (4 / 4 points)
These are created by various third-party organizations and are designed to provide a framework to assist organizations in building their information security program
Question options:
- Laws
- Standards
- Policies
- Procedures

Question 7 (4 / 4 points)
____ is a central repository where risks and risk treatments are stored and regularly reviewed.
Question options:
- Risk Treatment Plan
- Quantitative Assessment
- Qualitative Assessment
- Risk Registry

Question 8 (4 / 4 points)
These exist to guide the processes of identifying, treating, and monitoring information security risks in an organization.
Question options:
- Threat Intelligence Feeds
- Security Policies
- Risk Management Frameworks
- Security Operations Centers

Question 9 (4 / 4 points)
Compliance is the act of conforming to:
Question options:
- All stated requirements
- Policies
- Laws
- Contracts

Question 10 (4 / 4 points)
Inherent risk is defined as
Question options:
- Risk everyone must assume
- Risk that is normal for an industry
- Risk that exists before controls are implemented
- Risk that cannot be avoided

Question 11 (6 / 6 points)
If a risk would cause $800,000 in damages and $200,000 in clean-up costs and the likelihood of the risk manifesting is 5%, what would be the Annual Loss Expectation?
Question options:
- $800,000
- $1 million
- $200,000
- $50,000

Question 12 (6 / 6 points)
What financial tool would a CISO use to ensure that the cost of security controls cannot exceed the value of the information or assets being protected?
Question options:
- Cost Benefit Analysis (CBA)
- Internal Rate of Return (IRR)
- Return on Investment (ROI)
- Net Present Value (NPV)

Question 13 (6 / 6 points)
Risk managers will need to learn how to balance threats, vulnerabilities and assets to ensure investments in risk treatments do not:
Question options:
- Become obsolete
- None of the listed choices are correct.
- Exceed the budget
- Exceed the value of the assets being protected

Question 14 (6 / 6 points)
Business drivers affect the decisions made in an organization. Which of the following is not a key information security driver?
Question options:
- Privacy
- Alignment with the business
- Compliance
- Training

Question 15 (0 / 6 points)
Which of the following would be considered the greatest business driver for a CISO in the banking industry?
Question options:
- Authentication
- Regulations and Audits?
- Market conditions
- Privacy

Question 16 (10 / 10 points)
In the case of business leadership choosing an alternate risk treatment than what the CISO recommended, what position does the CISO take?
Question options:
- The CISO should conduct another risk analysis to ensure the risk treatment recommended is the most appropriate.
- The CISO should support the decision and ensure the risk treatment is implemented.
- The CISO should refuse to implement the alternate risk treatment
- The CISO should shift from being an advisor to advocate for the recommended risk treatment.

Question 17 (10 / 10 points)
The maturity of an organization influences governance which influences the governance of the information security program. What size company would be more likely to have a higher level of maturity?
Question options:
- None of the listed choices are correct.
- Large
- Medium
- Small

Question 18 (10 / 10 points)
How would you demonstrate an organization's commitment to adhere to legal and regulatory requirements?
Question options:
- Develop appropriate security procedures.
- Implementing controls to mitigate risk.
- Audit findings.
- A properly written security policy.

Attempt Score: 94 / 100 - 94 %
Overall Grade (highest attempt): 100 / 100 - 100 %

Quiz #1: CCISO Domain #1 (Attempt 2)

Question 1 (4 / 4 points)
____ is a set of practices for IT service management that focuses on aligning IT services with the needs of a business.
Question options:
- COSO
- NIST
- ITIL
- FAIR

Question 2 (4 / 4 points)
The risk treatment option of deliberately operating without applying one of the other treatment options available is known as
Question options:
- Risk Avoidance or Elimination
- Risk Modification or Mitigation
- Risk Retention or Acceptance
- Risk Sharing or Transfer

Question 3 (4 / 4 points)
This is the overall strategy for how your company will implement information security principles and technologies.
Question options:
- A Framework
- A Procedure
- A Process
- Security Policies

Question 4 (4 / 4 points)
How often should higher risk-rated applications be reviewed?
Question options:
- Annually
- Every Other Year
- Quarterly
- Every 36 Months

Question 5 (4 / 4 points)
The risk treatment option of making changes to an activity or forgoing the activity to remove the risk and eliminate its effect is known as
Question options:
- Risk Sharing or Transfer
- Risk Avoidance or Elimination
- Risk Retention or Acceptance
- Risk Modification or Mitigation

Question 6 (4 / 4 points)
The risk treatment option of reassigning accountability for a risk to another entity or organization is known as
Question options:
- Risk Sharing or Transfer
- Risk Retention or Acceptance
- Risk Avoidance or Elimination
- Risk Modification or Mitigation

Question 7 (4 / 4 points)
Risk management begins at the ____ level of an organization, but the CISO has significant responsibilities concerning the implementation and execution of an organization's risk management strategy.
Question options:
- CISO
- Corporate Governance
- CIO
- Employee

Question 8 (4 / 4 points)
A security policy must be so written that it can be understood by
Question options:
- The Security Team
- The CISO
- The CEO
- Its Target Audience

Question 9 (4 / 4 points)
Where does the CISO fit within the organizational structure?
Question options:
- Directly under the CIO
- Directly under the CEO
- There is no standard
- Directly under the VP of Operations

Question 10 (4 / 4 points)
Whose job is it to shepherd the organization through the process of understanding the risks and then providing options for appropriate treatment?
Question options:
- CISO
- CEO
- CIO
- The Security Team

Question 11 (6 / 6 points)
If you were CISO of a company that primarily does business with the U.S. government and had to design an information security program which framework would be most appropriate?
Question options:
- PCI DSS
- HITRUST Common Security Framework (CSF)
- ISO 27001
- NIST 800 series

Question 12 (6 / 6 points)
Which of the following articles has the least impact on the development of an organization’s information security policies, standards, and procedures?
Question options:
- Laws
- Regulations
- Standards
- Best practices

Question 13 (6 / 6 points)
Governance, Risk, and ____ are the 3 things that account for nearly half of a CISO's time.
Question options:
- Audits
- Training
- Compliance
- Vendor Management

Question 14 (6 / 6 points)
Risk management requires the identification of all assets that have value including:
Question options:
- Business processes and activities
- Information
- Hardware and software
- All listed choices are correct.

Question 15 (6 / 6 points)
Who has ultimate responsibility for risk treatment and risk ownership?
Question options:
- The information security group
- Senior leadership and possibly even the board of directors
- The CISO
- Project managers

Question 16 (10 / 10 points)
A ____ is a measure that is modifying risk?
Question options:
- Risk Retention
- Security Control
- Risk Modification
- Risk Sharing

Question 17 (10 / 10 points)
How would you demonstrate an organization's commitment to adhere to legal and regulatory requirements?
Question options:
- A properly written security policy.
- Audit findings.
- Develop appropriate security procedures.
- Implementing controls to mitigate risk.

Question 18 (10 / 10 points)
The maturity of an organization influences governance which influences the governance of the information security program. What size company would be more likely to have a higher level of maturity?
Question options:
- Small
- Medium
- None of the listed choices are correct.
- Large

Attempt Score: 100 / 100 - 100 %
Overall Grade (highest attempt): 100 / 100 - 100 %

Quiz #2: CCISO Domain #2 (Attempt 1)

Question 1 (4 / 4 points)
Designing an IS control requires a balance between effectiveness and ____.
Question options:
- Ease of implementation
- Training
- Cost
- Data Collection

Question 2 (4 / 4 points)
Which area of security concerns how an organization identifies legal and regulatory statutes it must adhere to and monitors and reports on the adherence to each applicable law, regulation, or standard?
Question options:
- Audit Management
- Change Management
- Asset Management
- Compliance Management

Question 3 (4 / 4 points)
Hashing algorithms are a key process in providing ____.
Question options:
- Integrity
- Confidentiality
- None of the listed choices are correct
- Availability

Question 4 (4 / 4 points)
What is the emphasis of an external audit?
Question options:
- Review Controls
- Test Controls
- Find Faults and Failures
- Improve Processes

Question 5 (4 / 4 points)
What is the approach of an external audit?
Question options:
- Test Controls
- Improve Processes
- Find Faults and Failures
- Review Controls

Question 6 (4 / 4 points)
The purpose of a ____ is to evaluate the effectiveness of controls used to mitigate risk in an organization or to measure alignment to a framework, internal compliance requirement, or regulatory requirement.
Question options:
- Information Systems Audit
- Security Skills Assessment
- Risk Assessment
- Risk Catalog

Question 7 (4 / 4 points)
What is the emphasis of an internal audit?
Question options:
- Test Controls
- Improve Processes
- Review Controls
- Find Faults and Failures

Question 8 (4 / 4 points)
Which NIST minimum security controls baseline would be used where the loss of confidentiality, integrity, and availability would result in limited adverse effects on an organization?
Question options:
- Moderate-Impact Baseline
- High-Impact Baseline
- No-Impact Baseline
- Low-Impact Baseline

Question 9 (4 / 4 points)
The foundation of an information security program is the ____ used to protect information and assets from cyberattacks.
Question options:
- Policy
- Process
- Guidelines
- Controls

Question 10 (4 / 4 points)
User IDs and passwords, access control lists (ACL), and policy-based security are some of the tools through which ____ is achieved.
Question options:
- Integrity
- None of the listed choices are correct
- Confidentiality
- Availability

Question 11 (6 / 6 points)
After an audit, how long do you have to respond to a finding?
Question options:
- 30 days
- 3 business days
- 10 business days
- 14 business days

Question 12 (6 / 6 points)
A Policy is what control type?
Question options:
- All listed choices are correct.
- Manual Control
- Technical Control
- Compensating Control

Question 13 (6 / 6 points)
Which of the following is not a goal of an Information security audit?
Question options:
- To evaluate the effectiveness of controls used to mitigate risk
- To ensure compliance or regulatory requirements
- To identify new threats and vulnerabilities
- To measure alignment to a framework

Question 14 (6 / 6 points)
In the COSO PDC Defense-in-Depth model an intrusion detection system (IDS) functions as what type of control?
Question options:
- Deterrent control
- Corrective Control
- Detective control
- Preventive control

Question 15 (6 / 6 points)
Awareness and training, Configuration management, and Incident Response are all examples of what NIST class of security control type?
Question options:
- Technical Controls
- None of the listed choices are correct.
- Operational controls
- Management controls

Question 16 (10 / 10 points)
What control type is being used when security patching cannot be performed and the server is air-gapped or otherwise isolated from threat vectors that could introduce an exploit, which would otherwise have been mitigated by a patching control.
Question options:
- Manual Control
- All of the listed choices are correct.
- Compensating Control
- Technical Control

Question 17 (0 / 10 points)
The General Data Protection Regulation (GDPR) is a regulation that applies to:
Question options:
- All nations that collect, process, store, and transmit data about citizens of the European Union.
- European Union, Canada and the United States
- European Union (EU) only
- European Union and the European Economic Area (EEA)

Question 18 (10 / 10 points)
From a shareholder perspective, what confirms that information technology is safeguarded adequately to prevent compromises or interruptions from materially affecting an organization's finances?
Question options:
- CISO Guidance
- Information security audit
- CFO guidance
- CEO Guidance

Attempt Score: 90 / 100 - 90 %
Overall Grade (highest attempt): 100 / 100 - 100 %

Quiz #2: CCISO Domain #2 (Attempt 2)

Question 1 (4 / 4 points)
Which category of controls instructs users of information and assets to behave in a manner that does no harm to an organization via policies and directives?
Question options:
- Manual
- None of the listed choices are correct
- Compensating
- Technical

Question 2 (4 / 4 points)
Which category of controls are products or services that work in an automated fashion to protect information and assets?
Question options:
- Compensating
- Manual
- None of the listed choices are correct
- Technical

Question 3 (4 / 4 points)
Which NIST minimum security controls baseline would be used where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals?
Question options:
- Low-Impact Baseline
- No-Impact Baseline
- High-Impact Baseline
- Moderate-Impact Baseline

Question 4 (4 / 4 points)
A document established by consensus and approved by a recognized body that provides requirements and specifications is known as a:
Question options:
- Regulation
- Guideline
- Standard
- Law

Question 5 (4 / 4 points)
Recommended good or best practices created by consensus, which can be voluntarily followed are known as a:
Question options:
- Regulations
- Frameworks
- Laws
- Guidelines

Question 6 (4 / 4 points)
What is the approach of an internal audit?
Question options:
- Improve Processes
- Review Controls
- Find Faults and Failures
- Test Controls

Question 7 (4 / 4 points)
When an audit reveals control deficiencies what should be the priority for remediation?
Question options:
- The highest risk items
- Those that will be replaced with new controls
- The most easily accomplished
- The category with the most deficiencies

Question 8 (4 / 4 points)
Which NIST minimum security controls baseline would be used where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an organization's operations, assets, or individuals?
Question options:
- Low-Impact Baseline
- High-Impact Baseline
- Moderate-Impact Baseline
- No-Impact Baseline

Question 9 (4 / 4 points)
A general structure of something that represents a result or goal is known as a:
Question options:
- Law
- Guideline
- Framework
- Standard

Question 10 (4 / 4 points)
Hardware maintenance, software patching/upgrading, data backup, and network failover ensure ____.
Question options:
- Availability
- Integrity
- Confidentiality
- None of the listed choices are correct

Question 11 (6 / 6 points)
The purpose of an IS audit is to evaluate the effectiveness of controls used to mitigate risk in an organization or to measure alignment to:
Question options:
- regulatory requirements
- All listed choices are correct.
- A framework
- Internal compliance requirements

Question 12 (0 / 6 points)
In the COSO PDC Defense-in-Depth model an intrusion prevention system (IPS) functions as what type of control?
Question options:
- Detective control
- Corrective Control
- Deterrent control
- Preventive control

Question 13 (6 / 6 points)
To whom does an external auditor owe allegiance?
Question options:
- Business Shareholders
- None of the listed choices are correct.
- State Government
- Senior business management

Question 14 (6 / 6 points)
A ____ is where an auditor notes a condition that is out of the normal boundaries of a standard.
Question options:
- Finding
- Recommendation
- Audit report
- Detailed summary

Question 15 (6 / 6 points)
Which governing authority is tasked with defining industry-wide what are good or best practices?
Question options:
- None of the listed choices are correct.
- Open Web Application Security Project (OWASP)
- National Institute of Standards and Technology (NIST)
- Center for Internet Security's (CIS)

Question 16 (10 / 10 points)
The ____ series of Special Publications are the U.S. National Institute of Standards and Technology's primary mode of publishing security guidelines, recommendations, and reference materials.
Question options:
- 800
- 27000
- 53
- 8000

Question 17 (10 / 10 points)
What control type is being used when security patching cannot be performed and the server is air-gapped or otherwise isolated from threat vectors that could introduce an exploit, which would otherwise have been mitigated by a patching control.
Question options:
- Manual Control
- Technical Control
- All of the listed choices are correct.
- Compensating Control

Question 18 (10 / 10 points)
The General Data Protection Regulation (GDPR) is a regulation that applies to:
Question options:
- European Union and the European Economic Area (EEA)
- European Union (EU) only
- European Union, Canada and the United States
- All nations that collect, process, store, and transmit data about citizens of the European Union.

Attempt Score: 94 / 100 - 94 %
Overall Grade (highest attempt): 100 / 100 - 100 %

Quiz #2: CCISO Domain #2 (Attempt 3)

Question 1 (4 / 4 points)
Which category of controls are alternative safeguards used when business or technical constraints prevent an original control from being used?
Question options:
- Compensating
- Manual
- None of the listed choices are correct
- Technical

Question 2 (4 / 4 points)
What is the emphasis of an internal audit?
Question options:
- Find Faults and Failures
- Improve Processes
- Review Controls
- Test Controls

Question 3 (4 / 4 points)
Which NIST minimum security controls baseline would be used where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals?
Question options:
- Moderate-Impact Baseline
- Low-Impact Baseline
- No-Impact Baseline
- High-Impact Baseline

Question 4 (4 / 4 points)
When an audit reveals control deficiencies what should be the priority for remediation?
Question options:
- The most easily accomplished
- The highest risk items
- The category with the most deficiencies
- Those that will be replaced with new controls

Question 5 (4 / 4 points)
Which NIST minimum security controls baseline would be used where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an organization's operations, assets, or individuals?
Question options:
- High-Impact Baseline
- Moderate-Impact Baseline
- Low-Impact Baseline
- No-Impact Baseline

Question 6 (4 / 4 points)
Designing an IS control requires a balance between effectiveness and ____.
Question options:
- Data Collection
- Cost
- Ease of implementation
- Training

Question 7 (4 / 4 points)
What is the approach of an external audit?
Question options:
- Review Controls
- Test Controls
- Find Faults and Failures
- Improve Processes

Question 8 (4 / 4 points)
A general structure of something that represents a result or goal is known as a:
Question options:
- Law
- Guideline
- Standard
- Framework

Question 9 (4 / 4 points)
Which NIST minimum security controls baseline would be used where the loss of confidentiality, integrity, and availability would result in limited adverse effects on an organization?
Question options:
- Moderate-Impact Baseline
- No-Impact Baseline
- Low-Impact Baseline
- High-Impact Baseline

Question 10 (4 / 4 points)
A document established by consensus and approved by a recognized body that provides requirements and specifications is known as a:
Question options:
- Regulation
- Standard
- Guideline
- Law

Question 11 (6 / 6 points)
Which control type is defined as: products or services that work in an automated fashion to protect information and assets?
Question options:
- All listed choices are correct.
- Manual Control
- Compensating Control
- Technical Control

Question 12 (6 / 6 points)
A Policy is what control type?
Question options:
- Compensating Control
- Technical Control
- Manual Control
- All listed choices are correct.

Question 13 (6 / 6 points)
Awareness and training, Configuration management, and Incident Response are all examples of what NIST class of security control type?
Question options:
- None of the listed choices are correct.
- Technical Controls
- Management controls
- Operational controls

Question 14 (6 / 6 points)
In the COSO PDC Defense-in-Depth model an intrusion detection system (IDS) functions as what type of control?
Question options:
- Preventive control
- Deterrent control
- Detective control
- Corrective Control

Question 15 (6 / 6 points)
Which of the following is not a goal of an Information security audit?
Question options:
- To ensure compliance or regulatory requirements
- To evaluate the effectiveness of controls used to mitigate risk
- To identify new threats and vulnerabilities
- To measure alignment to a framework

Question 16 (10 / 10 points)
The ____ series of Special Publications are the U.S. National Institute of Standards and Technology's primary mode of publishing security guidelines, recommendations, and reference materials.
Question options:
- 27000
- 8000
- 800
- 53

Question 17 (10 / 10 points)
From a shareholder perspective, what confirms that information technology is safeguarded adequately to prevent compromises or interruptions from materially affecting an organization's finances?
Question options:
- CEO Guidance
- CISO Guidance
- CFO guidance
- Information security audit

Question 18 (10 / 10 points)
The General Data Protection Regulation (GDPR) is a regulation that applies to:
Question options:
- European Union, Canada and the United States
- All nations that collect, process, store, and transmit data about citizens of the European Union.
- European Union (EU) only
- European Union and the European Economic Area (EEA)

Attempt Score: 100 / 100 - 100 %
Overall Grade (highest attempt): 100 / 100 - 100 %

Quiz #3: CCISO Domain #3 (Attempt 1)

Question 1 (4 / 4 points)
How often should you update the security program's strategic plan?
Question options:
- When directed by corporate leadership
- Annually
- When all goals are achieved
- Continuously

Question 2 (4 / 4 points)
To determine the value of information and assets if impacted by a breach of security or data loss you would conduct a:
Question options:
- None of the listed choices are correct
- Risk Assessment
- Business Impact Assessment
- Profit/loss Analysis

Question 3 (4 / 4 points)
What is the last phase of the Project Management Life Cycle?
Question options:
- Implement Changes
- Project Execution
- Report Project Performance
- Project Closure

Question 4 (4 / 4 points)
Information security programs are only as strong as their weakest link and that is generally ____.
Question options:
- The User Community
- New Hires from College
- New CISOs
- Junior Security Personnel

Question 5 (4 / 4 points)
During the time that IT operations or the cybersecurity program is in recovery mode, the organization must continue to provide critical business functions, this is known as:
Question options:
- Business Continuity Management
- Recovery Point Objective
- Disaster Recovery Planning
- Supply Chain Continuity

Question 6 (4 / 4 points)
The overall design of an information security program, depicting its structural components, interrelationships, and design principles and guidelines, is ____.
Question options:
- An Architecture
- A Process Map
- A Network Diagram
- A Framework

Question 7 (4 / 4 points)
Which is the most important phase of the digital forensic investigation process?
Question options:
- Evidence Collection
- Investigations Reporting
- Evidence Analysis
- Evidence Examination

Question 8 (4 / 4 points)
Every organization must have a ____ in place to ensure employees are aware of the importance of protecting sensitive information as well as how to identify and avoid social engineering attacks.
Question options:
- security awareness program
- CISO
- Email Security Policy
- Employee Handbook

Question 9 (4 / 4 points)
What defines the response priority for a security incident within the context of other events and incidents the security operations team is managing?
Question options:
- Business Impact
- Regulations
- Security Guidelines
- Security Frameworks

Question 10 (4 / 4 points)
Money for all ongoing costs related to running a product, business, or system is known as:
Question options:
- Capital Expenditure (CapEx)
- Operating Expenditure (OpEx)
- The annual budget
- Liabilities

Question 11 (6 / 6 points)
Which of the following is not a common approach used to support the vulnerability management program?
Question options:
- Penetration Testing
- Threat Intelligence
- Vulnerability Assessment
- Patch Management

Question 12 (6 / 6 points)
What is the purpose of the security program charter?
Question options:
- To allow the CISO to specify the objectives to accomplish
- To identify program requirements that ensure smooth operations
- To identify key stakeholders and allow the CISO to set pragmatic strategies
- To define the security program in such a way as to clearly define success and to determine the program's effectiveness

Question 13 (6 / 6 points)
Incident ____ forms the basis of an organization's ability to respond effectively to computer security incidents.
Question options:
- Analysis
- Recovery
- Containment
- Response

Question 14 (0 / 6 points)
What formally creates a project?
Question options:
- Creating a project charter
- Project planning
- Project Execution
- Project feasibility assessment

Question 15 (6 / 6 points)
Which of the following is not a proactive approach to security?
Question options:
- Threat Hunting
- Event Management
- Vulnerability Scanning
- Penetration Testing

Question 16 (10 / 10 points)
When testing incident response procedures what is not a recommended method?
Question options:
- Ensure members of the incident response team only use procedures documented in the incident response plan.
- Add as much realism as possible to the test.
- Mildly interrupt business processes to add realism and involve non-IT personnel.
- Select a scenario that poses the greatest risk to the organization.

Question 17 (10 / 10 points)
A CISO would use this to extend the capability of a SIEM for a specific purpose or to identify a specific outcome:
Question options:
- Correlation
- Normalization
- DNS logs
- Use case

Question 18 (10 / 10 points)
For the CISO, the security budget measures what?
Question options:
- The degree of controls that can be implemented.
- The effectiveness of the information security program.
- The exchange of financial allocations for the security products and services supporting the organization.
- The maximum amount of money the CISO has to work with.

Attempt Score: 94 / 100 - 94 %
Overall Grade (highest attempt): 100 / 100 - 100 %

Quiz #3: CCISO Domain #3 (Attempt 2)

Question 1 (4 / 4 points)
The ____ should identify people within the organization who have authorization to declare a disaster.
Question options:
- Crisis Management Plan
- Disaster Recovery Plan
- None of the listed choices are correct
- Business Continuity Management Plan

Question 2 (4 / 4 points)
____ is money invested by a company to acquire or upgrade fixed, physical, non-consumable assets such as buildings, equipment, or a new business.
Question options:
- Capital Expenditure (CapEx)
- Liabilities
- The annual budget
- Operating Expenditure (OpEx)

Question 3 (4 / 4 points)
The processes of planning, organizing, directing, and controlling the monetary activities of an organization and the use of its funds is known as:
Question options:
- Financial Management
- Management Accounting
- Budgeting
- None of the listed choices are correct

Question 4 (4 / 4 points)
Alternate processing sites that allow the restoration of systems to an alternate processing site constitute a common strategy that supports ____.
Question options:
- Recovery Point Objective
- Supply Chain Continuity
- Business Continuity Management
- Disaster Recovery Planning

Question 5 (0 / 4 points)
____ describes the efforts of an organization to coordinate related projects and activities to achieve a specific goal or outcome.
Question options:
- None of the listed choices are correct
- Change Management
- Project Management
- Program Management

Question 6 (4 / 4 points)
____ focuses on the sequence of activities required to restore systems to an operational state after a contingency event occurs.
Question options:
- Disaster Recovery Planning
- Business Continuity Management
- Recovery Point Objective
- Supply Chain Continuity

Question 7 (4 / 4 points)
The first step in designing a successful information assurance program is to develop a ____.
Question options:
- Security Policy
- None of the listed choices are correct
- Governance Hierarchy
- Security Program Charter

Question 8 (4 / 4 points)
The documentation of a methodical investigation and preservation of evidence with an appropriate chain of custody is known as:
Question options:
- Incident Response Management
- Internal Response Communications
- Post-Incident Analysis
- Digital Forensics

Question 9 (4 / 4 points)
The measurement of the rate at which the cash flows out of the business is known as:
Question options:
- Burn Rate
- Cost Management
- Budgeting
- Expense Charting

Question 10 (4 / 4 points)
What is the most important activity in stakeholder management?
Question options:
- Communication with stakeholders
- Identification of stakeholders
- Achieving time goals
- Establishing stakeholder needs and concerns

Question 11 (6 / 6 points)
The forensic investigation process must demonstrate that information handling procedures and actions performed did not alter the original data throughout the custody chain. This does not necessarily include:
Question options:
- Sealing the evidence with evidence tape
- Recording the name and contact information of those charged with maintaining a chain of custody
- Traditional forensic processes on media (for example, DNA and latent prints)
- Identification of evidence through recording of serial numbers and other details

Question 12 (6 / 6 points)
When preparing a Disaster Recovery Plan there are several alternate recovery site configurations available for the CISO to select from, which of the following are ranked in order from the fastest to slowest to begin processing data?
Question options:
warm site, redundant site, hot site
Redundant site, hot site, warm site
Hot site, redundant site, warm site
Hot site, warm site, redundant site

Question 13 (6 / 6 points)
During an incident response, how should the CISO, technical personnel, legal counsel, and public relations conduct external communications with the media?
Question options:
Each should speak to his or her specialty by providing input to a single representative of the organization
Each speaks only to his or her specialty
No one should speak to the media
Only the CISO speaks to the media

Question 14 (6 / 6 points)
A CISO would use this to extend the capability of a SIEM for a specific purpose or to identify a specific outcome:
Question options:
Correlation
DNS logs
Normalization
Use case

Question 15 (6 / 6 points)
The most important aspect of internal incident communication is to:
Question options:
Reinforce policies and standards for external communication
Reduce stress related to the incident
None of the listed choices are correct.
Keep personnel informed

Question 16 (10 / 10 points)
Business Impact Analysis (BIA) determines your company has a process with a Recovery Point Objective (RPO) of 10 minutes and has a Recovery Time Objective (RTO) of 2 minutes. This requires a backup schedule of ____?
Question options:
8 minutes
12 minutes
2 minutes
10 minutes

Question 17 (10 / 10 points)
When testing incident response procedures, what is not a recommended method?
Question options:
Add as much realism as possible to the test.
Mildly interrupt business processes to add realism and involve non-IT personnel.
Select a scenario that poses the greatest risk to the organization.
Ensure members of the incident response team only use procedures documented in the incident response plan.

Question 18 (10 / 10 points)
For the CISO, the security budget measures what?
Question options:
The exchange of financial allocations for the security products and services supporting the organization.
The degree of controls that can be implemented.
The effectiveness of the information security program.
The maximum amount of money the CISO has to work with.

Attempt Score: 96 / 100 - 96 %
Overall Grade (highest attempt): 100 / 100 - 100 %

Quiz Submissions - Quiz #3: CCISO Domain #3
Attempt 3
Submission View
Your quiz has been submitted successfully.

Question 1 (4 / 4 points)
____ describes the efforts of an organization to coordinate related projects and activities to achieve a specific goal or outcome.
Question options:
Program Management
Change Management
Project Management
None of the listed choices are correct

Question 2 (4 / 4 points)
Information security programs are only as strong as their weakest link and that is generally ____.
Question options:
The User Community
New CISOs
Junior Security Personnel
New Hires from College

Question 3 (4 / 4 points)
____ is money invested by a company to acquire or upgrade fixed, physical, non-consumable assets such as buildings, equipment, or a new business.
Question options:
The annual budget
Capital Expenditure (CapEx)
Liabilities
Operating Expenditure (OpEx)

Question 4 (4 / 4 points)
To determine the value of information and assets if impacted by a breach of security or data loss you would conduct a:
Question options:
Profit/loss Analysis
Risk Assessment
None of the listed choices are correct
Business Impact Assessment

Question 5 (4 / 4 points)
Which is the most important phase of the digital forensic investigation process?
Question options:
Evidence Analysis
Evidence Examination
Investigations Reporting
Evidence Collection

Question 6 (4 / 4 points)
What is the most important activity in stakeholder management?
Question options:
Establishing stakeholder needs and concerns
Communication with stakeholders
Identification of stakeholders
Achieving time goals

Question 7 (4 / 4 points)
What is the last phase of the Project Management Life Cycle?
Question options:
Project Closure
Implement Changes
Report Project Performance
Project Execution

Question 8 (4 / 4 points)
How often should you update the security program's strategic plan?
Question options:
Annually
When all goals are achieved
When directed by corporate leadership
Continuously

Question 9 (4 / 4 points)
The ____ should identify people within the organization who have authorization to declare a disaster.
Question options:
None of the listed choices are correct
Disaster Recovery Plan
Business Continuity Management Plan
Crisis Management Plan

Question 10 (4 / 4 points)
The first step in designing a successful information assurance program is to develop a ____.
Question options:
Security Program Charter
Governance Hierarchy
Security Policy
None of the listed choices are correct

Question 11 (6 / 6 points)
____ discovers information system flaws that might not be identified by vulnerability scans and assessments.
Question options:
Threat hunting
Penetration tests
Credentialed vulnerability scans
Enterprise patch management

Question 12 (6 / 6 points)
In a forensic investigation why is collection the most important phase?
Question options:
The forensic investigation process requires collection of information as broadly as it makes sense, more is better.
All listed choices are correct.
The data is refined to find what is most relevant while moving through the rest of the process.
The investigation cannot be improved at later phases if there are problems with the collection of evidence.

Question 13 (6 / 6 points)
When preparing a Disaster Recovery Plan there are several alternate recovery site configurations available for the CISO to select from. Which of the following are ranked in order from the fastest to slowest to begin processing data?
Question options:
Hot site, redundant site, warm site
Hot site, warm site, redundant site
warm site, redundant site, hot site
Redundant site, hot site, warm site

Question 14 (6 / 6 points)
The most important aspect of internal incident communication is to:
Question options:
None of the listed choices are correct.
Keep personnel informed
Reduce stress related to the incident
Reinforce policies and standards for external communication

Question 15 (6 / 6 points)
Incident ____ forms the basis of an organization's ability to respond effectively to computer security incidents.
Question options:
Response
Recovery
Containment
Analysis

Question 16 (10 / 10 points)
A CISO would use this to extend the capability of a SIEM for a specific purpose or to identify a specific outcome:
Question options:
Use case
Correlation
Normalization
DNS logs

Question 17 (10 / 10 points)
Business Impact Analysis (BIA) determines your company has a process with a Recovery Point Objective (RPO) of 10 minutes and has a Recovery Time Objective (RTO) of 2 minutes. This requires a backup schedule of ____?
Question options:
12 minutes
8 minutes
10 minutes
2 minutes

Question 18 (10 / 10 points)
When testing incident response procedures, what is not a recommended method?
Question options:
Mildly interrupt business processes to add realism and involve non-IT personnel.
Ensure members of the incident response team only use procedures documented in the incident response plan.
Select a scenario that poses the greatest risk to the organization.
Add as much realism as possible to the test.

Attempt Score: 100 / 100 - 100 %
Overall Grade (highest attempt): 100 / 100 - 100 %

Quiz Submissions - Quiz #4: CCISO Domain #4
Attempt 1
Submission View
Your quiz has been submitted successfully.

Question 1 (4 / 4 points)
What is the most important data security measure you can take for mobile devices?
Question options:
Two factor authentication
Use of a VPN
Data backup
Full hard drive encryption

Question 2 (4 / 4 points)
This strategy combines something you have, something you know, or something you are in the authentication process.
Question options:
Identity Management
Multifactor Authentication
Least Privilege Principle
Authenticator Management

Question 3 (4 / 4 points)
This defines the process of granting permission to a user or object to perform or obtain something?
Question options:
Access Control Restrictions
Auditing
Authentication
Authorization

Question 4 (4 / 4 points)
What is the most difficult aspect of security in a virtualized environment?
Question options:
Lack of visibility into the virtual network
Data confidentiality
Securing the hardware
VM sprawl

Question 5 (4 / 4 points)
This access control model does not permit the user to pass privileges onto other users.
Question options:
Role-based Access Control
Attribute-based Access Control
Discretionary Access Control
Mandatory Access Control

Question 6 (4 / 4 points)
This access control model assigns access privileges based on the allowed actions of the user and is independent of the user's identity.
Question options:
Discretionary Access Control
Mandatory Access Control
Attribute-based Access Control
Role-based Access Control

Question 7 (4 / 4 points)
This is a mechanism to verify that a message came from the sender, providing nonrepudiation.
Question options:
Authentication
Attribute-based Access Control
Digital Signatures and Certificates
Role-based Access Control

Question 8 (4 / 4 points)
This access control model permits the user to decide how to protect the information and level of sharing.
Question options:
Role-based Access Control
Discretionary Access Control
Mandatory Access Control
Attribute-based Access Control

Question 9 (4 / 4 points)
With a ____, all hardware, software, and other supporting infrastructure are owned and managed by the cloud provider.
Question options:
Public Cloud
Community Cloud
Hybrid Cloud
Private Cloud

Question 10 (4 / 4 points)
This defines the process used by a system to verify the identity of a user, process, or service before granting access.
Question options:
None of the listed choices are correct
Authorization
Auditing
Authentication

Question 11 (6 / 6 points)
A cryptosystem is a suite of cryptographic algorithms needed to implement a security service, most commonly for achieving confidentiality (encryption). Typically, a cryptosystem consists of three algorithms: one for decryption, one for encryption and one for:
Question options:
Key generation
Nonrepudiation
Digital Signatures and certificates
Generating ciphertext

Question 12 (6 / 6 points)
Which access control model is the least restrictive model, popular in situations where resource owners need to allow access and privileges on demand?
Question options:
Attribute-based Access Control
Discretionary Access Control
Mandatory Access Control
Role-based Access Control

Question 13 (6 / 6 points)
Which access control model provides access control based on the position or responsibility an individual fills within an organization?
Question options:
Attribute-based Access Control
Mandatory Access Control
Discretionary Access Control
Role-based Access Control

Question 14 (6 / 6 points)
Which of the following is a symmetric encryption algorithm?
Question options:
Diffie-Hellman algorithm
Advanced Encryption Standard (AES)
Message-Digest algorithm version 5 (MD5)
RSA algorithm

Question 15 (6 / 6 points)
At which layer of the OSI model are the topologies of bus, star, ring, and mesh implemented?
Question options:
Layer 1: Physical layer
Layer 4: Transport layer
Layer 3: Network layer
Layer 2: Data-link layer

Question 16 (10 / 10 points)
Of the following, which is least important for a CISO to be knowledgeable in?
Question options:
Network Security Controls
Digital Forensics
Networking Protocols
Security Standards

Question 17 (10 / 10 points)
You are analyzing a packet and see that it was being routed using a media access control (MAC) address. At which layer of the OSI model was the packet captured?
Question options:
Data-link layer
Session layer
Network layer
Transport layer

Question 18 (10 / 10 points)
VPNs operate at which layer of the OSI Model?
Question options:
Layer 4: Transport layer
Layer 5: Session layer
Layer 3: Network layer
Layer 2: Data-link layer

Attempt Score: 100 / 100 - 100 %
Overall Grade (highest attempt): 100 / 100 - 100 %

Quiz Submissions - Quiz #5: CCISO Domain #5
Attempt 1
Submission View
Your quiz has been submitted successfully.

Question 1 (4 / 4 points)
This document shows changes in the interests of the company's shareholders over time.
Question options:
Income Statement
Balance sheet
Cash flow statement
Statement of shareholders' equity

Question 2 (4 / 4 points)
Of the three roles that CISOs must understand and interact with to build support for their information security program, which has the highest level of input?
Question options:
Sponsors
Stakeholders
Influencers
User

Question 3 (4 / 4 points)
This is a process where a select group of companies are invited to bid for products or services.
Question options:
Bid Requirements
Procurement Authority
Formal bidding
Informal bidding

Question 4 (4 / 4 points)
The CISO's primary goal is alignment of the information security strategy with the organization's ____.
Question options:
Security policy
Budget
Business strategy
Security framework

Question 5 (4 / 4 points)
Introduction of new security technologies or control packages is an example of:
Question options:
None of the listed choices are correct
Short term goals
Long term goals
Medium term goals

Question 6 (4 / 4 points)
Money owed to suppliers for materials is called a:
Question options:
Asset
Liability
Cash flow statement
Investment

Question 7 (4 / 4 points)
Significant changes or upgrades in IS Program framework or architecture is an example of:
Question options:
Medium term goals
Short term goals
Long term goals
None of the listed choices are correct

Question 8 (4 / 4 points)
This document is beneficial because it facilitates a bidding process that may drive down prices or increase value as vendors compete to win the bid.
Question options:
Request for Proposal (RFP)
Service Level Agreement (SLA)
Request for Information (RFI)
Total Cost of Ownership (TCO)

Question 9 (4 / 4 points)
When developing an information security program a ____ is someone within the organization with a respected opinion.
Question options:
Influencers
User
Stakeholders
Sponsors

Question 10 (4 / 4 points)
This is the process where an organization issues a tender or bid to anyone to purchase a product or service.
Question options:
Formal bidding
Procurement Authority
Informal bidding
Bid Requirements

Question 11 (6 / 6 points)
A scorecard is part of an information security strategic plan.
It is divided into the following areas:
Question options:
All listed choices are correct.
key risk indicators (KRIs)
Financial accounting of the IS program's budget
key performance indicators (KPIs)

Question 12 (0 / 6 points)
Each financial metric conveys a unique message about a body of economic data. What two financial metrics define the successfulness of a security program?
Question options:
Revenue and expenses
Budget and expenses
Budget and cost savings
Revenue and cost savings

Question 13 (6 / 6 points)
When managing a budget what must a CISO be cognizant of in case the budget is cut?
Question options:
Revenue
CapEx
Discretionary spending
OpEx

Question 14 (6 / 6 points)
How would vendor financing be accounted for in the information security budget?
Question options:
Asset
OpEx
CapEx
Liability

Question 15 (6 / 6 points)
When a CISO is justifying the budget to executives who do not understand cybersecurity risks, what is the focus of the CISO's argument?
Question options:
Cost avoidance
Profitability
Revenue
Risk Mitigation

Question 16 (0 / 10 points)
What is the most difficult aspect of getting additional funding for an information security program?
Question options:
Senior management's concern with pulling funds from the organizational operating budget.
Time to mitigation.
Justifying the cost savings.
Explaining the risk to senior management.

Question 17 (10 / 10 points)
Which financial statement would tell you how much money a company received from selling additional units of its own stock?
Question options:
Balance Sheet
Statements of shareholders' equity
Income statement
Cash flow statement

Question 18 (10 / 10 points)
What is the purpose of contract administration?
Question options:
To ensure the contract meets your requirements.
To ensure effective delivery and adherence to contractual terms.
To get the best possible pricing.
To ensure those with signature approval are involved.

Attempt Score: 84 / 100 - 84 %
Overall Grade (highest attempt): 100 / 100 - 100 %

Quiz Submissions - Quiz #5: CCISO Domain #5
Attempt 2
Submission View
Your quiz has been submitted successfully.

Question 1 (4 / 4 points)
When developing an information security program a ____ is anyone who has an interest in the outcome of the information security program.
Question options:
Stakeholders
Influencers
User
Sponsors

Question 2 (4 / 4 points)
This document provides detailed information about a company's assets, liabilities, and shareholders' equity at a point in time.
Question options:
Income Statement
Balance sheet
Statement of shareholders' equity
Cash flow statement

Question 3 (4 / 4 points)
In contract negotiation, the agreement about which party assumes responsibility for security incidents and penalties related to such an event is known as:
Question options:
Performance management
Audit
Indemnity
Security

Question 4 (4 / 4 points)
This is a situation where the organization does not require multiple companies to bid.
Question options:
Sole Source
Procurement Authority
Informal bidding
Formal bidding

Question 5 (4 / 4 points)
When developing an information security program a ____ is someone who can essentially make or break the program, they benefit directly and typically authorize or fund the program.
Question options:
Stakeholder
Influencer
Sponsor
User

Question 6 (4 / 4 points)
A cybersecurity architecture uses views or layers of the whole design to represent areas of the design specific to certain stakeholders. Which view answers the question "why are we doing this?"
Question options:
Technical view
Functional view
Implementation view
Business view

Question 7 (4 / 4 points)
Purchases of long-term operational assets are known as:
Question options:
Capital investments
None of the listed choices are correct
Operational expenses
Liabilities

Question 8 (4 / 4 points)
This document defines the scope of a project, specific deliverables, scheduling, and additional responsibilities as required by the purchasing company.
Question options:
Service Level Agreement (SLA)
Statement of Work (SOW)
Request for Information (RFI)
Total Cost of Ownership (TCO)

Question 9 (4 / 4 points)
Improvements in policies, procedures or processes that can resolve gaps in control strategies is an example of:
Question options:
Short term goals
None of the listed choices are correct
Medium term goals
Long term goals

Question 10 (4 / 4 points)
This financial statement is broken into 3 sections consisting of operating activities, investing activities, financing activities.
Question options:
Income Statement
Statement of shareholders' equity
Balance sheet
Cash flow statement

Question 11 (6 / 6 points)
What part of a vendor contract should a CISO be most concerned with?
Question options:
Language pertaining to data or security breaches
Vendor requirements
Piggyback contracts
Uniform Commercial Code (UCC)

Question 12 (6 / 6 points)
To be a successful CISO within an organization and work with senior management you must have considerable understanding in information security and ____?
Question options:
Accounting
Operations management
People skills
Financial management

Question 13 (6 / 6 points)
Earnings per share (EPS) are reported on which financial statement?
Question options:
Income statement
Cash flow statement
Statements of shareholders' equity
Balance Sheet

Question 14 (0 / 6 points)
When determining the total cost of a contract a CISO must take into account the cost of the contract and ____.
Question options:
Travel expenses
Financing costs
None of the listed choices are correct.
In-house resources used

Question 15 (6 / 6 points)
Which of the following is not considered a key element of vendor contract negotiation?
Question options:
Indemnity
Contract closure
Audit
Security

Question 16 (10 / 10 points)
Which financial statement would include the value of patents and trademarks?
Question options:
Balance Sheet
Statements of shareholders' equity
Cash flow statement
Income statement

Question 17 (10 / 10 points)
What is the purpose of contract administration?
Question options:
To ensure the contract meets your requirements.
To get the best possible pricing.
To ensure effective delivery and adherence to contractual terms.
To ensure those with signature approval are involved.

Question 18 (10 / 10 points)
Which financial statement would tell you how much money a company received from selling additional units of its own stock?
Question options:
Cash flow statement
Income statement
Statements of shareholders' equity
Balance Sheet

Attempt Score: 94 / 100 - 94 %
Overall Grade (highest attempt): 100 / 100 - 100 %

Quiz Submissions - Quiz #5: CCISO Domain #5
Attempt 3
Submission View
Your quiz has been submitted successfully.

Question 1 (4 / 4 points)
The CISO's primary goal is alignment of the information security strategy with the organization's ____.
Question options:
Security framework
Business strategy
Budget
Security policy

Question 2 (4 / 4 points)
When developing an information security program a ____ is someone within the organization with a respected opinion.
Question options:
Influencers
Sponsors
Stakeholders
User

Question 3 (4 / 4 points)
In contract negotiation, the agreement about which party assumes responsibility for security incidents and penalties related to such an event is known as:
Question options:
Security
Audit
Performance management
Indemnity

Question 4 (4 / 4 points)
Money owed to suppliers for materials is called a:
Question options:
Cash flow statement
Asset
Investment
Liability

Question 5 (4 / 4 points)
When developing an information security program a ____ is anyone who has an interest in the outcome of the information security program.
Question options:
Sponsors
Influencers
Stakeholders
User

Question 6 (4 / 4 points)
This document defines the scope of a project, specific deliverables, scheduling, and additional responsibilities as required by the purchasing company.
Question options:
Statement of Work (SOW)
Service Level Agreement (SLA)
Request for Information (RFI)
Total Cost of Ownership (TCO)

Question 7 (4 / 4 points)
Significant changes or upgrades in IS Program framework or architecture is an example of:
Question options:
Short term goals
Medium term goals
Long term goals
None of the listed choices are correct

Question 8 (4 / 4 points)
Improvements in policies, procedures or processes that can resolve gaps in control strategies is an example of:
Question options:
Medium term goals
Long term goals
Short term goals
None of the listed choices are correct

Question 9 (4 / 4 points)
When developing an information security program a ____ is someone who can essentially make or break the program, they benefit directly and typically authorize or fund the program.
Question options:
Sponsor
Stakeholder
Influencer
User

Question 10 (4 / 4 points)
This financial statement is broken into 3 sections consisting of operating activities, investing activities, financing activities.
Question options:
Statement of shareholders' equity
Cash flow statement
Income Statement
Balance sheet

Question 11 (6 / 6 points)
Earnings per share (EPS) are reported on which financial statement?
Question options:
Statements of shareholders' equity
Income statement
Balance Sheet
Cash flow statement

Question 12 (6 / 6 points)
Which of the following is not considered a key element of vendor contract negotiation?
Question options:
Audit
Security
Indemnity
Contract closure

Question 13 (6 / 6 points)
Each financial metric conveys a unique message about a body of economic data. What two financial metrics define the successfulness of a security program?
Question options:
Revenue and cost savings
Revenue and expenses
Budget and expenses
Budget and cost savings

Question 14 (6 / 6 points)
When a CISO is justifying the budget to executives who do not understand cybersecurity risks, what is the focus of the CISO's argument?
Question options:
Cost avoidance
Revenue
Profitability
Risk Mitigation

Question 15 (6 / 6 points)
A scorecard is part of an information security strategic plan. It is divided into the following areas:
Question options:
All listed choices are correct.
Financial accounting of the IS program's budget
key risk indicators (KRIs)
key performance indicators (KPIs)

Question 16 (10 / 10 points)
What is the most difficult aspect of getting additional funding for an information security program?
Question options:
Explaining the risk to senior management.
Justifying the cost savings.
Senior management's concern with pulling funds from the organizational operating budget.
Time to mitigation.

Question 17 (10 / 10 points)
Which financial statement would include the value of patents and trademarks?
Question options:
Statements of shareholders' equity
Balance Sheet
Cash flow statement
Income statement

Question 18 (10 / 10 points)
Which financial statement would tell you how much money a company received from selling additional units of its own stock?
Question options:
Income statement
Balance Sheet
Statements of shareholders' equity
Cash flow statement

Attempt Score: 100 / 100 - 100 %
Overall Grade (highest attempt): 100 / 100 - 100 %

Preview of the content

CSIA 485 – All Quizzes 1-5: CCISO Domains 1-5 Answers Updated_2025/26.

Quiz Submissions - Quiz #1: CCISO Domain #1

Attempt 1

Submission View



Question 1 points

Risk is a confluence of Assets, Vulnerabilities and ____.

Question options:

Lack of Experience

Lack of Training

Threats
New Equipment



Question 2 points

Residual risk is defined as

Question options:

Risk that remains after controls are implemented

The total risk that exists

Risk from a 3rd party vendor

Risk that is harmless



Question 3 points

The risk treatment option of applying controls to reduce risk is known as:

Question options:

Risk Sharing or Transfer

Risk Avoidance or Elimination

Risk Retention or Acceptance

Risk Modification or Mitigation

View Feedback

Question 4 points

How long should a security policy be?

Question options:

No longer than absolutely necessary

No longer than 10 pages

One page
All policies are 5 pages



Question 5 points

Controls are implemented to:

Question options:

Develop Processes

Change Policies

Provide Data

Mitigate Risks



Question 6 points

These are created by various third-party organizations and are designed to provide a framework to assist
organizations in building their information security program

Question options:

Laws

Standards

Policies

Procedures

Question 7 points

____ is a central repository where risks and risk treatments are stored and regularly reviewed.

Question options:

Risk Treatment Plan

Quantitative Assessment

Qualitative Assessment

Risk Registry



Question 8 points

These exist to guide the processes of identifying, treating, and monitoring information security risks in an
organization.

Question options:

Threat Intelligence Feeds

Security Policies

Risk Management Frameworks

Security Operations Centers



Question 9 points

Compliance is the act of conforming to:

Question options:

All stated requirements

Policies

Laws

Contracts

Question 10 points

Inherent risk is defined as

Question options:

Risk everyone must assume

Risk that is normal for an industry

Risk that exists before controls are implemented

Risk that cannot be avoided



Question 11 points

If a risk would cause $800,000 in damages and $200,000 in clean-up costs and the likelihood of the risk
manifesting is 5%, what would be the Annual Loss Expectation?

Question options:

$800,000

$1 million

$200,000

$50,000



Question 12 points

What financial tool would a CISO use to ensure that the cost of security controls cannot exceed the value
of the information or assets being protected?

Question options:

Cost Benefit Analysis (CBA)

Internal Rate of Return (IRR)

Return on Investment (ROI)

Net Present Value (NPV)

Document information

Uploaded on
13 February 2026
Number of pages
90
Written in
2024/2025
Type
Exam (elaborations)
Contains
Questions and answers