question
2 points
How many days/weeks does an auditee should respond after receiving a draft report from the auditor at the �nal phase of the audit?
2 points
For a security of�cer, what is the best approach to explain a technical topic to the CEO?
Quiz 6
Purpose
This assignment is intended to assess your ability to manage and measure the security effectiveness of controls.
Overview
This quiz covers Module 6 concepts. It will take about 60 minutes. This is an individual assignment. Make sure to complete all of the module’s reading and preparation before taking the quiz.
2-3 weeks
5 to 10 business days
1-2 business days
3-4 weeks
Escalate the topic to the CSO.
Explain verbally as fast as possible and then send the details by e-mail.
Translate it by using analogies, stories, and relating to common everyday language.
Allow her to ask questions, and so that try to understand the gaps.
1
2
2 points
Which of the following is a must-have component of a successful security awareness campaign?
2 points
Which is not requested by an external auditor in a pre-on-site meeting?
2 points
Your company wants to deliver information security messages to all of its employees monthly. Your company also has a limited budget to do this. Which of the following is the best delivery method of the content?
How to access computers
What end-users should do if they recognize or suspect that a security incident has occurred
The conditions in which passwords should be shared
The importance fusing badges
Entrance, exit, and status meeting locations
Area hotels and restaurants
Access control policy
Internet access
Online
Hybrid
Outsourced
Face-to-face
3
4
5
2 points
Audit execution begins _____________
2 points
Which is not true?
2 points
In the most recent audit process, an auditor discovered that one end user within the organization wrote his password to a post-it and placed it in his cubicle where others could see it. Similar �ndings had been reported in the previous audits. Which one is the best approach?
after on-site arrival
after audit planning
before audit planning
before on-site arrival
Training is more formal than awareness.
In awareness, the learner is the recipient of the information.
Awareness is not training.
The purpose of awareness is to build knowledge and skills to facilitate job performance.
DO nothing, because the number of the cases is limited
Urge user to change his password
Inform the managers of the users
Include/emphasize clean desktop policy in the next security awareness training
6
7
8
2 points
What is the role of the audit coordinator?
2 points
Which one is not done in the audit planning phase?
2 points
Which one is correct with the exit conference?
All of them
Perform external audit
Perform internal audit
Respond to requests of auditors
Sending the list of documents to the auditors they requested
Determining scope
Reserving the conference room for the �rst meeting
Designation of an audit coordinator for the IT portion of the audit
All of them are wrong.
It may have lots of potential surprises for the company being audited.
A �nal report has been issued with �ndings.
The external auditor should present all of the �ndings.
9
10
11
2 points
Which one is not a typical end-user awareness vehicle?
2 points
What is the best way to convey your message to a CEO, if time is minimal?
2 points
Which one is wrong for an audit process?
Online quizzes
TV commercials
Security contests
Company newsletter
Elevator speech
Sending a written note
Sending an e-mail
Doing a presentation
It can be done internally or externally.
It is more like a process rather than a project.
It will probably cover the company policies and procedures.
It has �ve phases.
12
13
14
2 points
What does event analysis mean?
2 points
Which one is a good presentation strategy?
2 points
Which of the following is less likely done by an external auditor?
The starting point of incident response
Analysis of the Incident response activities within a year
Analysis of the logs created by computers
Synonym of incident analysis
Don't mix presentation with audio or video artifacts.
Focus on a few main objectives for the presentation.
Don't let the audience interrupt the presentation by asking questions.
Read the presentation slide by slide.
Interviewing with an end-user about password hygiene practices
Using a password cracker to check the strength of the passwords
Asking security manager about password policies
Reviewing password policies
15
16
17
2 points
Which is not a desired communication skill for a security of�cer?
2 points
What is the primary purpose of an external audit?
2 points
A security audit interview has three potential areas: Managerial, Technical, and Operational. Which is a correct assignment of areas to the processes within these areas:
Written communication skills
Negotiating skills
Presentation skills
Mind-reading skills
help internal audit department
maintain customer retention
gain an advantage among competitors
maintain compliance with a regulation
Network monitoring: Technical / Annual assessments: Operational / Risk assessment: Managerial
Network monitoring: Technical / Asset management: Operational / Annual assessments: Managerial
Logical access: Technical / Annual assessments: Operational / Security Awareness: Managerial
Human resources procedure: Technical / Asset management: Operational / Annual assessments: Managerial
18
19
20