Correct Answer: A Explanation/Reference: The principal risk focus is the connection procedures to maintain continuity in case of any contingency. Although an information security manager may be interested in the service level agreement (SLA), code escrow is not a concern. A business impact analysis (BIA) refers to contingency planning and not to system access. Third-party certification does not provide any assurance of controls over connectivity to maintain continuity.
A business partner of a factory has remote read-only access to material inventory to forecast future acquisition orders. An information security manager should PRIMARILY ensure that there is: A. an effective control over connectivity and continuity. B. a service level agreement (SLA) including code escrow. C. a business impact analysis (BIA). D. a third-party certification.
Correct Answer: A Explanation/Reference: If an organization is unable to take measurements that will improve the level of its safety program, then continuous improvement is not possible. Although desirable, developing a service level agreement (SLA) for security, tying corporate security standards to a recognized international standard and ensuring regulatory compliance are not critical components for a continuous improvement program.
A critical component of a continuous improvement program for information security is: A. measuring processes and providing feedback. B. developing a service level agreement (SLA) for security. C. tying corporate security standards to a recognized international standard. D. ensuring regulatory compliance.
Correct Answer: A Explanation/Reference: An impact assessment report needs to be prepared first by providing the justification for the change, analysis of the changes to be made, the impact if the change does not work as expected, priority of the change and urgency of the change request. Choices B, C and D could be important steps, but the impact assessment report should be performed before the other steps.
A new port needs to be opened in a perimeter firewall. Which of the following should be the FIRST step before initiating any changes? A. Prepare an impact assessment report. B. Conduct a penetration test. C. Obtain approval from senior management. D. Back up the firewall configuration and policy files.
Correct Answer: B Explanation/Reference: Security code reviews for the entire application is the best measure and will involve reviewing the entire source code to detect all instances of back doors. System monitoring for traffic on network ports would not be able to detect all instances of back doors, is time consuming and would take a lot of effort. Reverse engineering the application binaries may not provide any definite clues. Back doors will not surface by running the application on high-privileged accounts since back doors are usually hidden accounts in the applications.
A third party was engaged to develop a business application. Which of the following would an information security manager BEST test for the existence of back doors? A. System monitoring for traffic on network ports B. Security code reviews for the entire application C. Reverse engineering the application binaries D. Running the application from a high-privileged account on a test system
Correct Answer: B Explanation/Reference:
An information security manager has observed multiple exceptions for a number of different security controls. Which of the following should be the information security manager's FIRST course of action? A. Report the noncompliance to the board of directors. B. Inform respective risk owners of the impact of exceptions. C. Design mitigating controls for the exceptions. D. Prioritize the risk and implement treatment options.
Correct Answer: A Explanation/Reference: Administrative accounts have permission to change data. This is not required for the developers to perform their tasks. Unauthorized change will damage the integrity of the data. Logging all usage of the account, suspending the account and activating only when needed, and requiring that a change request be submitted for each download will not reduce the exposure created by this excessive level of access. Restricting the account to read only access will ensure that the integrity can be maintained while permitting access.
An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download nonsensitive production data for software testing purposes. The information security manager should recommend which of the following? A. Restrict account access to read only B. Log all usage of this account C. Suspend the account and activate only when needed D. Require that a change request be submitted for each download
Correct Answer: A Explanation/Reference: SQL injection vulnerability arises when crafted or malformed user inputs are substituted directly in SQL queries, resulting in information leakage. Hardening the database listener does enhance the security of the database; however, it is unrelated to the SQL injection vulnerability. Normalization is related to the effectiveness and efficiency of the database but not to SQL injection vulnerability. SQL injections may also be observed in normalized databases. SQL injection vulnerability exploits the SQL query design, not the operating system.
An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to: A. validate and sanitize client side inputs. B. harden the database listener component. C. normalize the database schema to the third normal form. D. ensure that the security patches are updated on operating systems.
Correct Answer: B Explanation/Reference:
An external security audit has reported multiple instances of control noncompliance. Which of the following is MOST important for the information security manager to communicate to senior management? A. Control owner responses based on a root cause analysis B. The impact of noncompliance on the organization's risk profile C. An accountability report to initiate remediation activities D. A plan for mitigating the risk due to noncompliance
Correct Answer: C Explanation/Reference: An information security manager must understand the business needs that motivated the change prior to taking any unilateral action. Following this, all other choices could be correct depending on the priorities set by the business unit.
An information security manager reviewed the access control lists and observed that privileged access was granted to an entire department. Which of the following should the information security manager do FIRST? A. Review the procedures for granting access B. Establish procedures for granting emergency access C. Meet with data owners to understand business needs D. Redefine and implement proper access rights
Correct Answer: A Explanation/Reference: If the firewall allows source routing, any outsider can carry out spoofing attacks by stealing the internal (private) IP addresses of the organization. Broadcast propagation, unregistered ports and nonstandard protocols do not create a significant security exposure.
An information security manager reviewing firewall rules will be MOST concerned if the firewall allows: A. source routing. B. broadcast propagation. C. unregistered ports. D. nonstandard protocols.
Correct Answer: B Explanation/Reference: While including appropriate measurements in the system development life cycle may indicate a security baseline practice, these are wider in scope and, thus, implementing security baselines to establish information security best practices is the appropriate answer. Implementing security baselines to fulfill laws and applicable regulations in different jurisdictions, and leveraging information security as a competitive advantage, may be supplementary benefits of using security baselines.
An information security manager wishing to establish security baselines would: A. include appropriate measurements in the system development life cycle. B. implement the security baselines to establish information security best practices. C. implement the security baselines to fulfill laws and applicable regulations in different jurisdictions. D. leverage information security as a competitive advantage.
Correct Answer: C Explanation/Reference: Risk assessment identifies the appropriate controls to mitigate identified business risks that the program should implement to protect the business. Peer industry best practices, international standards and continued process improvement can be used to support the program, but these cannot be blindly implemented without the consideration of business risk.
An information security program should focus on: A. best practices also in place at peer companies. B. solutions codified in international standards. C. key controls identified in risk assessments. D. continued process improvement.
Correct Answer: D Explanation/Reference:
An organization has implemented a new customer relationship management (CRM) system. Who should be responsible for enforcing authorized and controlled access to the CRM data? A. The data owner B. Internal IT audit C. The data custodian D. The information security manager
Correct Answer: D Explanation/Reference: Role-based access control is effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles. Rule-based access control needs to define the access rules, which is troublesome and error prone in large organizations. In mandatory access control, the individual's access to information resources needs to be defined, which is troublesome in large organizations. In discretionary access control, users have access to resources based on predefined sets of principles, which is an inherently insecure approach.
An organization has implemented an enterprise resource planning (ERP) system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate? A. Rule-based B. Mandatory C. Discretionary D. Role-based
Correct Answer: C Explanation/Reference: The key requirement is that the information security manager ensures that the third party is contractually bound to follow the appropriate security requirements for the process being outsourced. This protects both organizations. All other steps are contributory to the contractual agreement, but are not key.
An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform? A. A due diligence security review of the business partner's security controls B. Ensuring that the business partner has an effective business continuity program C. Ensuring that the third party is contractually obligated to all relevant security requirements D. Talking to other clients of the business partner to check references for performance
Correct Answer: C Explanation/Reference: It is critical to include the security requirements in the contract based on the company's security policy to ensure that the necessary security controls are implemented by the service provider. The audit is normally a one-time effort and cannot provide ongoing assurance of the security. A nondisclosure agreement (NDA) should be part of the contract; however, it is not critical to the security of the web site. Penetration testing alone would not provide total security to the web site; there are lots of controls that cannot be tested through penetration testing.
An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that: A. an audit of the service provider uncovers no significant weakness. B. the contract includes a nondisclosure agreement (NDA) to protect the organization's intellectual property. C. the contract should mandate that the service provider will comply with security policies. D. the third-party service provider conducts regular penetration testing.
Correct Answer: B Explanation/Reference: An internal risk assessment should be performed to identify the risk and determine needed controls. A background check should be a standard requirement for the service provider. Audit objectives should be determined from the risk assessment results. Security assessment does not cover the operational risks.
An organization plans to outsource its customer relationship management (CRM) to a third-party service provider. Which of the following should the organization do FIRST? A. Request that the third-party provider perform background checks on their employees. B. Perform an internal risk assessment to determine needed controls. C. Audit the third-party provider to evaluate their security controls. D. Perform a security assessment to detect security vulnerabilities.
Correct Answer: A Explanation/Reference: Right to audit would be the most useful requirement since this would provide the company the ability to perform a security audit/assessment whenever there is a business need to examine whether the controls are working effectively at the third party. Options B, C and D are important requirements and can be examined during the audit. A dedicated security manager would be a costly solution and not always feasible for most situations.
An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract? A. Right to audit B. Nondisclosure agreement C. Proper firewall implementation D. Dedicated security manager for monitoring compliance
Correct Answer: C Explanation/Reference:
An organization wants to ensure its confidential data is isolated in a multi-tenanted environment at a well-known cloud service provider. Which of the following is the BEST way to ensure the data is adequately protected? A. Obtain documentation of the encryption management practices. B. Verify the provider follows a cloud service framework standard. C. Ensure an audit of the provider is conducted to identify control gaps. D. Review the provider's information security policies and procedures.
Correct Answer: D Explanation/Reference: Methodology illustrates the process and formulates the basis to align expectations and the execution of the assessment. This also provides a picture of what is required of all parties involved in the assessment. References from other organizations are important, but not as important as the methodology used in the assessment. Past experience of the engagement team is not as important as the methodology used. Sample deliverables only tell how the assessment is presented, not the process.
An organization's information security manager has been asked to hire a consultant to help assess the maturity level of the organization's information security management. The MOST important element of the request for proposal (RFP) is the: A. references from other organizations. B. past experience of the engagement team. C. sample deliverable. D. methodology used in the assessment.
Correct Answer: B Explanation/Reference:
An organization's information security manager has learned that similar organizations have become increasingly susceptible to spear phishing attacks. What is the BEST way to address this concern? A. Update data loss prevention (DLP) rules for email. B. Include tips to identify threats in awareness training. C. Conduct a business impact analysis (BIA) of the threat. D. Create a new security policy that staff must read and sign.
Correct Answer: D Explanation/Reference: The most effective mechanism to ensure that the organization's security standards are met by a third party would be a legal agreement. Choices A, B and C are acceptable options, but not as comprehensive or as binding as a legal contract.
Before engaging outsourced providers, an information security manager should ensure that the organization's data classification requirements: A. are compatible with the provider's own classification. B. are communicated to the provider. C. exceed those of the outsourcer. D. are stated in the contract.
Correct Answer: D Explanation/Reference: Information security should be an integral component of the development cycle; thus, it should be included at the process level. Choices A, B and C are good mechanisms to ensure compliance, but would not be nearly as timely in ensuring that the plans are always up-to-date. Choice D is a preventive control, while choices A, B and C are detective controls.
Change management procedures to ensure that disaster recovery/business continuity plans are kept up-to-date can be BEST achieved through which of the following? A. Reconciliation of the annual systems inventory to the disaster recovery, business continuity plans B. Periodic audits of the disaster recovery/business continuity plans C. Comprehensive walk-through testing D. Inclusion as a required step in the system life cycle process
Correct Answer: A Explanation/Reference:
Cold sites for disaster recovery events are MOST helpful in situations in which a company: A. has a limited budget for coverage. B. uses highly specialized equipment that must be custom manufactured. C. is located in close proximity to the cold site. D. does not require any telecommunications connectivity
Correct Answer: D Explanation/Reference: Access and authorizations should be based on business needs. Data custodians implement the decisions made by data owners. Access and authorizations are not to be assigned by cloning existing user accounts or determining hierarchical preferences. By cloning, users may obtain more access rights and privileges than is required to do their job. Hierarchical preferences may be based on individual preferences and not on business needs.
Data owners will determine what access and authorizations users will have by: A. delegating authority to data custodian. B. cloning existing user accounts. C. determining hierarchical preferences. D. mapping to business needs.
Correct Answer: B Explanation/Reference:
In a large organization, which of the following is the BEST source for identifying ownership of a PC? A. User ID register B. Asset management register C. Domain name server (DNS) records D. Identity management system
Correct Answer: B Explanation/Reference: A data owner is in the best position to validate access rights to users due to their deep understanding of business requirements and of functional implementation within the application. This responsibility should be enforced by the policy. An information security manager will coordinate and execute the implementation of the role-based access control. A data custodian will ensure that proper safeguards are in place to protect the data from unauthorized access; it is not the data custodian's responsibility to assign access rights. Business management is not, in all cases, the owner of the data.
In business-critical applications, user access should be approved by the: A. information security manager. B. data owner. C. data custodian. D. business management.
Correct Answer: A Explanation/Reference: Having the patch tested prior to implementation on critical systems is an absolute prerequisite where availability is a primary concern because deploying patches that could cause a system to fail could be worse than the vulnerability corrected by the patch. It makes no sense to deploy patches on every system. Vulnerable systems should be the only candidates for patching. Patching skills are not required since patches are more often applied via automated tools.
In organizations where availability is a primary concern, the MOST critical success factor of the patch management procedure would be the: A. testing time window prior to deployment. B. technical skills of the team responsible. C. certification of validity for deployment. D. automated deployment to all the servers.
Correct Answer: B Explanation/Reference:
Inadvertent disclosure of internal business information on social media is BEST minimized by which of the following? A. Developing social media guidelines B. Educating users on social media risks C. Limiting access to social media sites D. Implementing data loss prevention (DLP) solutions
Correct Answer: D Explanation/Reference: Digital certificates must be managed by an independent trusted source in order to maintain trust in their authenticity. The other options are not necessarily entrusted with this capability.
Managing the life cycle of a digital certificate is a role of a(n): A. system administrator. B. security administrator. C. system developer. D. independent trusted source.
Correct Answer: B Explanation/Reference: Retention of business records is a business requirement that must consider regulatory and legal requirements based on geographic location and industry. Options A and C are important elements for making the decision, but the primary driver is the legal and regulatory requirements that need to be followed by all companies. Record retention may take into consideration past litigation, but it should not be the primary decision factor.
Of the following, retention of business records should be PRIMARILY based on: A. periodic vulnerability assessment. B. regulatory and legal requirements. C. device storage capacity and longevity. D. past litigation.
Correct Answer: A Explanation/Reference: A security policy is a general statement to define management objectives with respect to security. The security strategy addresses higher level issues. Guidelines are optional actions and operational tasks. A security baseline is a set of minimum requirements that is acceptable to an organization.
Requiring all employees and contractors to meet personnel security/suitability requirements commensurate with their position sensitivity level and subject to personnel screening is an example of a security: A. policy. B. strategy. C. guideline. D. baseline.
Correct Answer: A Explanation/Reference: Assessing the problems and instituting rollback procedures as needed would be the best course of action. Choices B and C would not identify where the problem was, and may in fact make the problem worse. Choice D is part of the assessment.
Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to: A. assess the problems and institute rollback procedures, if needed. B. disconnect the systems from the network until the problems are corrected. C. immediately uninstall the patches from these systems. D. immediately contact the vendor regarding the problems that occurred.
Correct Answer: D Explanation/Reference:
The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to: A. map the business process to supporting IT and other corporate resources. B. obtain the support of executive management. C. document the disaster recovery process. D. identify critical processes and the degree of reliance on support services.
Correct Answer: C Explanation/Reference: A systems programmer should not have privileges to modify the access control list (ACL) because this would give the programmer unlimited control over the system. The data owner would request and approve updates to the ACL, but it is not a violation of the separation of duties principle if the data owner has update rights to the ACL. The data custodian and the security administrator could carry out the updates on the ACL since it is part of their duties as delegated to them by the data owner.
The "separation of duties" principle is violated if which of the following individuals has update rights to the database access control list (ACL)? A. Data owner B. Data custodian C. Systems programmer D. Security administrator
Correct Answer: A Explanation/Reference:
The BEST defense against phishing attempts within an organization is: A. filtering of e-mail. B. an intrusion protection system (IPS). C. strengthening of firewall rules. D. an intrusion detection system (IDS).
Correct Answer: B Explanation/Reference:
The BEST way to obtain funding from senior management for a security awareness program is to: A. meet regulatory requirements. B. produce an impact analysis report of potential breaches. C. produce a report of organizational risks. D. demonstrate that the program will adequately reduce risk
Correct Answer: D Explanation/Reference:
The MOST important reason for an information security manager to be involved in the change management process is to ensure that: A. security controls are updated regularly. B. potential vulnerabilities are identified. C. risks have been evaluated. D. security controls drive technology changes.
Correct Answer: A Explanation/Reference: Without formal documentation, it would be difficult to ensure that security processes are performed in the proper manner every time that they are performed. Alignment with business objectives is not a function of formally documenting security procedures. Processes should not be formally documented merely to satisfy an audit requirement. Although potentially useful in the development of metrics, creating formal documentation to assist in the creation of metrics is a secondary objective.
The MOST important reason for formally documenting security procedures is to ensure: A. processes are repeatable and sustainable. B. alignment with business objectives. C. auditability by regulatory agencies. D. objective criteria for the application of metrics.
Correct Answer: D Explanation/Reference:
The PRIMARY purpose of a security information and event management (SIEM) system is to: A. resolve incidents. B. track ongoing incidents. C. provide status of incidents. D. identify potential incidents.
Correct Answer: B Explanation/Reference: It is important to maintain the organization's security posture at all times. The focus should not be confined to the new system being developed or acquired, or to the existing systems in use. Segregation of duties is only part of a solution to improving the security of the systems, not the primary reason to involve security in the systems development life cycle (SDLC).
The PRIMARY reason for involving information security at each stage in the systems development life cycle (SDLC) is to identify the security implications and potential solutions required for: A. identifying vulnerabilities in the system. B. sustaining the organization's security posture. C. the existing systems that will be affected. D. complying with segregation of duties.
Correct Answer: D Explanation/Reference: Although business process owners, an information security manager and the security steering committee may provide input regarding a configuration management plan, its final approval is the primary responsibility of IT senior management.
The configuration management plan should PRIMARILY be based upon input from: A. business process owners. B. the information security manager. C. the security steering committee. D. IT senior management.
Correct Answer: A Explanation/Reference: Continuous monitoring control initiatives are expensive, so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence. Regulations and legislation that require tight IT security measures focus on requiring organizations to establish an IT security governance structure that manages IT security with a risk-based approach, so each organization decides which kinds of controls are implemented. Continuous monitoring is not necessarily a requirement. Measures such as contingency planning are commonly used when incidents rarely happen but have a high impact each time they happen. Continuous monitoring is unlikely to be necessary. Continuous control monitoring initiatives are not needed in all electronic commerce environments. There are some electronic commerce environments where the impact of incidents is not high enough to support the implementation of this kind of initiative.
The implementation of continuous monitoring controls is the BEST option where: A. incidents may have a high impact and frequency B. legislation requires strong information security controls C. incidents may have a high impact but low frequency D. Electronic commerce is a primary business driver
Correct Answer: C Explanation/Reference: The IT manager needs to report the security risks in the environment pursuant to the security review, including risks in the IT implementation. Choices A, B and D are important, but not the main responsibilities or job requirements.
The management staff of an organization that does not have a dedicated security function decides to use its IT manager to perform a security review. The MAIN job requirement in this arrangement is that the IT manager A. report risks in other departments. B. obtain support from other departments. C. report significant security risks. D. have knowledge of security standards.
Correct Answer: B Explanation/Reference: XSRF exploits inadequate authentication mechanisms in web applications that rely only on elements such as cookies when performing a transaction. XSRF is related to an authentication mechanism, not to redirection. Option C is related to intellectual property rights, not to XSRF vulnerability. Merely hosting multiple applications on the same server is not the root cause of this vulnerability.
The root cause of a successful cross site request forgery (XSRF) attack against an application is that the vulnerable application: A. uses multiple redirects for completing a data commit transaction. B. has implemented cookies as the sole authentication mechanism. C. has been installed with a non-legitimate license key. D. is hosted on a server along with other applications.
Correct Answer: C Explanation/Reference: Procedures at the operational level must be developed by or with the involvement of operational units that will use them. This will ensure that they are functional and accurate. End users and legal counsel are normally not involved in procedure development. Audit management generally oversees information security operations but does not get involved at the procedural level.
To ensure that all information security procedures are functional and accurate, they should be designed with the involvement of: A. end users. B. legal counsel. C. operational units. D. audit management.
Correct Answer: B Explanation/Reference:
To minimize security exposure introduced by changes to the IT environment, which of the following is MOST important to implement as part of change management? A. Requiring approval by senior management B. Performing a business impact analysis (BIA) prior to implementation C. Performing post-change reviews before closing change tickets D. Conducting a security risk assessment prior to go-live
Correct Answer: B Explanation/Reference: It is not always possible to provide adequate segregation of duties between programming and operations in order to meet certain business requirements. A mitigating control is to record all of the programmers' actions for later review by their supervisor, which would reduce the likelihood of any inappropriate action on the part of the programmer. Choices A, C and D do not solve the problem.
To mitigate a situation where one of the programmers of an application requires access to production data, the information security manager could BEST recommend to: A. create a separate account for the programmer as a power user. B. log all of the programmers' activity for review by supervisor. C. have the programmer sign a letter accepting full responsibility. D. perform regular audits of the application.
Correct Answer: A Explanation/Reference:Service level agreements (SLAs) will be most effective in ensuring that Internet service providers (ISPs) comply with expectations for service availability. Intrusion detection system (IDS) and spam filtering services would not mitigate (as directly) the potential for service interruptions. A right-to-audit clause would not be effective in mitigating the likelihood of a service interruption.
To reduce the possibility of service interruptions, an entity enters into contracts with multiple Internet service providers (ISPs). Which of the following would be the MOST important item to include? A. Service level agreements (SLAs) B. Right to audit clause C. Intrusion detection system (IDS) services D. Spam filtering services
Correct Answer: C Explanation/Reference:While hiring an indirect resource that will not be part of headcount will help to add an extra resource, it usually costs more than a direct employee; thus, it is not cost efficient. Outsourcing may be a more expensive option and can add complexities to the service delivery. Competent security staff can be recruited from other departments, e.g., IT, product development, research and development (R&D). By leveraging existing resources, there is only a nominal additional cost. It is also a strategic option since the staff may join the team as full members in the future (internal transfer). Development of staff is often a budget drain and, if not managed carefully, these resources may move away from the company and leave the team with a bigger resource gap.
What is the BEST way to alleviate security team understaffing while retaining the capability in-house? A. Hire a contractor that would not be included in the permanent headcount B. Outsource with a security services provider while retaining the control internally C. Establish a virtual security team from competent employees across the company D. Provide cross training to minimize the existing resources gap
Correct Answer: D Explanation/Reference:Ensuring all logical access is removed will guarantee that the former employee will not be able to access company data and that the employee's credentials will not be misused. Retrieving the identification badge and card keys would only reduce the capability to enter the building. Retrieving the personal computer equipment and the employee's folders are necessary tasks, but they should be done as a second step.
What is the BEST way to ensure data protection upon termination of employment? A. Retrieve identification badge and card keys B. Retrieve all personal computer equipment C. Erase all of the employee's folders D. Ensure all logical access is removed
Correct Answer: B Explanation/Reference:Developing procedures and guidelines to ensure that business processes address information security risk is critical to the management of an information security program. Developing procedures and guidelines establishes a baseline for security program performance and consistency of security activities.
What is the GREATEST advantage of documented guidelines and operating procedures from a security perspective? A. Provide detailed instructions on how to carry out different types of tasks B. Ensure consistency of activities to provide a more stable environment C. Ensure compliance to security standards and regulatory requirements D. Ensure reusability to meet compliance to quality requirements
Correct Answer: A Explanation/Reference:If there are many firewall rules, there is a chance that a particular rule allows an external connection because it overrides other rules that were meant to block it. As the number of rules grows it becomes complex to test them and, over time, a loophole may occur.
What is the GREATEST risk when there is an excessive number of firewall rules? A. One rule may override another rule in the chain and create a loophole B. Performance degradation of the whole network C. The firewall may not support the increasing number of rules due to limitations D. The firewall may show abnormal behavior and may crash or automatically shut down
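A concrete version of the loophole described above, as an added example that is not part of the original page: with first-match rule processing, a rule that is completely covered by an earlier rule can never fire, and when the two have different actions the later deny becomes a loophole (or the later allow becomes dead). The Python below runs a full-coverage check over a constructed rule base; the Rule fields, the rule names and addresses, and the covers and find_shadowed functions are assumptions made for this example, not any vendor's rule format.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # IPv4 CIDR
    dst: str        # IPv4 CIDR
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # (low, high), inclusive destination port range
    action: str     # "allow" or "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    return (
        ip_network(inner.src).subnet_of(ip_network(outer.src))
        and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
        and outer.proto in ("any", inner.proto)
        and outer.ports[0] <= inner.ports[0]
        and inner.ports[1] <= outer.ports[1]
    )


def find_shadowed(rules: list) -> list:
    """First-match semantics: a rule is shadowed when an earlier rule fully
    covers it, because no packet can ever reach it. Returns tuples of
    (shadowed rule, shadowing rule, kind) using the first shadowing rule found."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if not covers(earlier, later):
                continue
            if earlier.action == later.action:
                kind = "redundant"
            elif later.action == "deny":
                kind = "loophole"      # traffic meant to be blocked gets through
            else:
                kind = "unreachable"   # traffic meant to be allowed is blocked
            findings.append((later.name, earlier.name, kind))
            break
    return findings


# Constructed rule base for the example (not a real firewall's policy).
RULES = [
    Rule("allow-internal-any", "10.0.0.0/8", "10.0.0.0/8", "tcp", (1, 65535), "allow"),
    Rule("allow-web", "0.0.0.0/0", "203.0.113.10/32", "tcp", (443, 443), "allow"),
    Rule("deny-rdp-to-finance", "10.0.0.0/8", "10.0.5.0/24", "tcp", (3389, 3389), "deny"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", (1, 65535), "deny"),
    Rule("allow-ssh-jump", "192.0.2.0/24", "10.0.9.1/32", "tcp", (22, 22), "allow"),
]

if __name__ == "__main__":
    for shadowed, by, kind in find_shadowed(RULES):
        print(f"{kind}: '{shadowed}' can never match; shadowed by '{by}'")
```

The check flags only full coverage by a single earlier rule. A later rule can also be made unreachable by several earlier rules that together cover it, or be partially shadowed, which is why a rule-base review needs a proper policy analyser or test traffic rather than this script alone.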
Correct Answer: B Explanation/Reference:User education and training is the most cost-effective means of influencing staff to improve security, since personnel are the weakest link in security. Incentives perform poorly without user education and training. A zero-tolerance security policy would not be as effective as education and training. Users would not have the knowledge to accurately interpret and report violations without user education and training.
What is the MOST cost-effective means of improving security awareness of staff personnel? A. Employee monetary incentives B. User education and training C. A zero-tolerance security policy D. Reporting of security infractions
Correct Answer: A Explanation/Reference:External vulnerability reporting sources are the most cost-effective method of identifying these vulnerabilities. The cost involved in choices B and C would be much higher, especially if performed at regular intervals. Honeypots would not identify all vendor vulnerabilities. In addition, honeypots located in the DMZ can create a security risk if the production network is not well protected from traffic from compromised honeypots.
What is the MOST cost-effective method of identifying new vendor vulnerabilities? A. External vulnerability reporting sources B. Periodic vulnerability assessments performed by consultants C. Intrusion prevention software D. Honeypots located in the DMZ
Correct Answer: D Explanation/Reference:Making security awareness material easy and compelling to read is the most important success factor. Users must be able to understand, in easy terms, complex security concepts in a way that makes compliance more accessible. Choice A would also be important, but it needs to be presented in an adequate format. Detailed security policies might not necessarily be included in the training materials. Senior management endorsement is important for the security program as a whole and not necessarily for the awareness training material.
What is the MOST important element to include when developing user security awareness material? A. Information regarding social engineering B. Detailed security policies C. Senior management endorsement D. Easy-to-read and compelling information
Correct Answer: C Explanation/Reference:Senior management support will provide enough resources and will focus attention on the program; training should start at the top levels to gain support and sponsorship. Funding is not the primary concern. Centralized management does not provide sufficient support. Trainer experience, while important, is not the primary success factor.
What is the MOST important success factor in launching a corporate information security awareness program? A. Adequate budgetary support B. Centralized program management C. Top-down approach D. Experience of the awareness trainers
Correct Answer: C Explanation/Reference:
What should an information security team do FIRST when notified by the help desk that an employee's computer has been infected with malware? A. Take a forensic copy of the hard drive. B. Restore the files from a secure backup. C. Isolate the computer from the network. D. Use anti-malware software to clean the infected computer.
Correct Answer: D Explanation/Reference:The key requirement is to preserve availability of business operations. Choice A is a correct compliance requirement, but is not the main objective in this case. Choices B and C are supplementary requirements for business continuity/disaster recovery planning.
When a new key business application goes into production, the PRIMARY reason to update relevant business impact analysis (BIA) and business continuity/ disaster recovery plans is because: A. this is a requirement of the security policy. B. software licenses may expire in the future without warning. C. the asset inventory must be maintained. D. service level agreements may not otherwise be met.
Correct Answer: A Explanation/Reference:The access control matrix is the best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses. Encryption strength, authentication mechanism and data repository might be defined in the SLA but are not confidentiality compliance indicators.
When defining a service level agreement (SLA) regarding the level of data confidentiality that is handled by a third-party service provider, the BEST indicator of compliance would be the: A. access control matrix. B. encryption strength. C. authentication mechanism. D. data repository.
Correct Answer: C Explanation/Reference:
When multiple Internet intrusions on a server are detected, the PRIMARY concern of the information security manager should be to ensure that the: A. server is backed up to the network. B. server is unplugged from power. C. integrity of evidence is preserved. D. forensic investigation software is loaded on the server.
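A concrete way to preserve evidence integrity, as an added example that is not taken from the page: hash the acquired image before anyone works on it, then record every custody event in a hash chain so that later edits to the record are detectable. Python; the EVIDENCE bytes, the manifest layout and the function names (start_manifest, add_custody_event, verify_evidence, verify_chain) are constructed for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (sample bytes for the example).
EVIDENCE = bytes(range(256)) * 4


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash of a custody entry over its canonical JSON form."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def add_custody_event(manifest: dict, who: str, action: str, when: str = None) -> dict:
    """Append an event whose hash covers the previous entry (or the evidence
    hash for the first one), so entries cannot be altered or reordered unnoticed."""
    custody = manifest["custody"]
    prev = custody[-1]["entry_hash"] if custody else manifest["sha256"]
    entry = {
        "seq": len(custody),
        "who": who,
        "action": action,
        "when": when or datetime.now(timezone.utc).isoformat(),
        "prev": prev,
    }
    entry["entry_hash"] = _entry_hash(entry)
    custody.append(entry)
    return entry


def start_manifest(item: str, data: bytes, collected_by: str) -> dict:
    """Record size and hash at acquisition, before any analysis touches the item."""
    manifest = {"item": item, "size": len(data), "sha256": sha256_hex(data), "custody": []}
    add_custody_event(manifest, collected_by, "acquired and hashed")
    return manifest


def verify_evidence(manifest: dict, data: bytes) -> bool:
    """The item still matches the acquisition record."""
    return manifest["size"] == len(data) and hmac.compare_digest(
        manifest["sha256"], sha256_hex(data)
    )


def verify_chain(manifest: dict) -> bool:
    """Every custody entry is intact, in order, and linked to its predecessor."""
    prev = manifest["sha256"]
    for seq, entry in enumerate(manifest["custody"]):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry.get("seq") != seq or entry.get("prev") != prev:
            return False
        if not hmac.compare_digest(_entry_hash(body), entry["entry_hash"]):
            return False
        prev = entry["entry_hash"]
    return True


if __name__ == "__main__":
    m = start_manifest("srv-web-01 disk image", EVIDENCE, "analyst-1")
    add_custody_event(m, "analyst-2", "checked in to evidence locker")
    print(json.dumps(m, indent=2))
    print("evidence intact:", verify_evidence(m, EVIDENCE), "chain intact:", verify_chain(m))
```

The chain only exposes tampering by someone who cannot recompute it, so in practice the final entry hash (or the whole manifest) is signed or recorded in a separate write-once log, and all analysis is done on a working copy while the original stays sealed. That is also why the server is neither backed up over the network nor powered off before the image is taken: both change what the evidence is.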
Correct Answer: A Explanation/Reference:
When preparing a strategy for protection from SQL injection attacks, it is MOST important for the information security manager to involve: A. senior management B. the security operations center. C. business owners. D. application developers.
Correct Answer: C Explanation/Reference:When security policies are strictly enforced, more resources are initially required, thereby increasing the total cost of security. There would be less need for frequent modification. Challenges would be rare, and the need for compliance reviews would not necessarily be reduced.
When security policies are strictly enforced, the initial impact is that: A. they may have to be modified more frequently. B. they will be less subject to challenge. C. the total cost of security is increased. D. the need for compliance reviews is decreased.
Correct Answer: C Explanation/Reference:
Which of the following is the BEST way to ensure information security metrics are meaningful? A. Using a dashboard to present the information security metrics B. Requiring information security metrics to be approved by senior management C. Aligning information security metrics with business drivers D. Correlating information security metrics to industry best practices
Correct Answer: B Explanation/Reference:
Which item would be the BEST to include in the information security awareness training program for new general staff employees? A. Review of various security models B. Discussion of how to construct strong passwords C. Review of roles that have privileged access D. Discussion of vulnerability assessment results
Correct Answer: C Explanation/Reference:
Which of the following BEST demonstrates the maturity of an information security monitoring program? A. Senior management regularly reviews security standards. B. The information security program was introduced with a thorough business case. C. Information security key risk indicators (KRIs) are tied to business operations. D. Risk scenarios are regularly entered into a risk register.
Correct Answer: B Explanation/Reference:Merging with or acquiring another organization causes a major impact on an information security management function because new vulnerabilities and risks are inherited. Opening a new office, moving the data center to a new site, or rewiring a network may have information security risks, but generally comply with corporate security policy and are easier to secure.
Which of the following events generally has the highest information security impact? A. Opening a new office B. Merging with another organization C. Relocating the data center D. Rewiring the network
Correct Answer: C Explanation/Reference:
Which of the following features of a library control software package would protect against unauthorized updating of source code? A. Required approvals at each life cycle step B. Date and time stamping of source and object code C. Access controls for source libraries D. Release-to-release comparison of source code
Correct Answer: D Explanation/Reference:Security awareness regarding intellectual property policy will not prevent violations of this policy. Requiring all employees to sign a nondisclosure agreement and promptly removing all access when an employee leaves the organization are good controls, but not as effective as restricting access on a need-to-know basis.
Which of the following is the BEST approach for an organization desiring to protect its intellectual property? A. Conduct awareness sessions on intellectual property policy B. Require all employees to sign a nondisclosure agreement C. Promptly remove all access when an employee leaves the organization D. Restrict access to a need-to-know basis
Correct Answer: C Explanation/Reference:Defining and monitoring security metrics is a good approach to analyzing the performance of the security management process, since it determines the baseline and evaluates performance against that baseline to identify opportunities for improvement. This is a systematic and structured approach to process improvement. Audits will identify deficiencies in established controls; however, they are not effective in evaluating overall performance for improvement. Penetration testing will only uncover technical vulnerabilities and cannot provide a holistic picture of information security management; feedback is subjective and not necessarily reflective of true performance.
Which of the following is the BEST approach for improving information security management processes? A. Conduct periodic security audits. B. Perform periodic penetration testing. C. Define and monitor security metrics. D. Survey business units for feedback.
Correct Answer: A Explanation/Reference:The best indicator of effective security control is the evidence of little disruption to business operations. Choices B, C and D can support this evidence, but are supplemental to choice A.
Which of the following is the BEST indicator that an effective security control is built into an organization? A. The monthly service level statistics indicate a minimal impact from security issues. B. The cost of implementing a security control is less than the value of the assets. C. The percentage of systems that is compliant with security standards. D. The audit reports do not reflect any significant findings on security.
Correct Answer: A Explanation/Reference:While choices B, C and D will all assist the currency and coverage of the program, its governance oversight mechanisms are the best method.
Which of the following is the BEST tool to maintain the currency and coverage of an information security program within an organization? A. The program's governance oversight mechanisms B. Information security periodicals and manuals C. The program's security architecture and design D. Training and certification of the information security team
Correct Answer: C Explanation/Reference:
Which of the following is the BEST way for an organization that outsources many business processes to gain assurance that services provided are adequately secured? A. Review the service providers' information security policies and procedures. B. Conduct regular vulnerability assessments on the service providers' IT systems. C. Perform regular audits on the service providers' applicable controls. D. Provide information security awareness training to service provider staff.
Correct Answer: A Explanation/Reference:
Which of the following processes would BEST aid an information security manager in resolving systemic security issues? A. Root cause analysis B. Business impact analysis (BIA) C. Reinforced security controls D. Security reviews
Correct Answer: C Explanation/Reference:Even though the organization may have the capability to perform penetration testing with internal resources, third-party penetration testing should be performed to gain an independent view of the security exposure. Mitigating technical risks is not a direct result of a penetration test. A penetration test would not provide certification of network security, nor would it provide a complete list of vulnerabilities.
Which of the following is the MAIN objective in contracting with an external company to perform penetration testing? A. To mitigate technical risks B. To have an independent certification of network security C. To receive an independent view of security exposures D. To identify a complete list of vulnerabilities
Correct Answer: D Explanation/Reference:Reviewing general security settings on each platform will be the most efficient method for determining password strength while not compromising the integrity of the passwords. Attempting to reset several passwords to weaker values may not highlight certain weaknesses. Installing code to capture passwords for periodic audit, and sampling a subset of users and requesting their passwords for review, would compromise the integrity of the passwords.
Which of the following is the MOST appropriate method of ensuring password strength in a large organization? A. Attempt to reset several passwords to weaker values B. Install code to capture passwords for periodic audit C. Sample a subset of users and request their passwords for review D. Review general security settings on each platform
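What "reviewing general security settings on each platform" can look like in practice, as an added example that is not from the page: parse the host's password policy files and compare them to a baseline, never touching a stored password. Python; the LOGIN_DEFS and PWQUALITY_CONF strings are constructed stand-ins for /etc/login.defs and /etc/security/pwquality.conf, and the BASELINE thresholds are an assumed organizational standard, not a recommendation made by the page.

```python
import re

# Constructed stand-ins for /etc/login.defs and /etc/security/pwquality.conf
# on one host (sample text written for this example, not from a real system).
LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS\t99999
PASS_MIN_DAYS\t0
PASS_WARN_AGE\t7
"""

PWQUALITY_CONF = """\
# minlen = 8
minlen = 6
dcredit = 0
minclass = 1
maxrepeat = 0
dictcheck = 0
"""

# Assumed organizational baseline: each entry is (check, human-readable expectation).
BASELINE = {
    "PASS_MAX_DAYS": (lambda v: v <= 365, "<= 365"),
    "PASS_MIN_DAYS": (lambda v: v >= 1, ">= 1"),
    "minlen": (lambda v: v >= 14, ">= 14"),
    "minclass": (lambda v: v >= 3, ">= 3"),
    "maxrepeat": (lambda v: 1 <= v <= 3, "between 1 and 3"),
    "dictcheck": (lambda v: v == 1, "== 1"),
}

_LINE = re.compile(r"^([A-Za-z_]+)\s*=?\s*(\S+)$")


def parse_settings(text: str) -> dict:
    """Parse 'KEY value' and 'key = value' lines; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = _LINE.match(line) if line else None
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def review_password_settings(login_defs: str, pwquality_conf: str) -> list:
    """Return (setting, actual, expected) for every baseline check that fails.
    An absent setting is reported as 'not set', because the platform default
    rather than the organization's policy is then in force."""
    settings = {**parse_settings(login_defs), **parse_settings(pwquality_conf)}
    findings = []
    for key, (check, expected) in BASELINE.items():
        value = settings.get(key)
        if value is None:
            findings.append((key, "not set", expected))
            continue
        try:
            ok = check(int(value))
        except ValueError:
            ok = False
        if not ok:
            findings.append((key, value, expected))
    return findings


if __name__ == "__main__":
    for key, actual, expected in review_password_settings(LOGIN_DEFS, PWQUALITY_CONF):
        print(f"{key}: {actual} (baseline {expected})")
```

On a real fleet the same parser is pointed at the files collected from each host (or at the equivalent directory policy export on Windows) and the findings are aggregated per platform, which gives the picture of password strength without any password ever being read.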
Correct Answer: C Explanation/Reference:
Which of the following is the MOST challenging aspect of securing Internet of Things (IoT) devices? A. Training staff on IoT architecture B. Updating policies to include IoT devices C. Managing the diversity of IoT architecture D. Evaluating the reputations of IoT vendors
Correct Answer: B Explanation/Reference:Regular security audits and reviews of the provider's practices will help verify the security of outsourced services and prevent potential information security damage. Depending on the type of services outsourced, security awareness training may not be necessary. Security requirements should be included in the contract, but what is most important is verifying that the requirements are met by the provider. It is not necessary to require the provider to fully comply with the policy if only some of the policy is related and applicable.
Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services? A. Provide security awareness training to the third-party provider's employees B. Conduct regular security reviews of the third-party provider C. Include security requirements in the service contract D. Request that the third-party provider comply with the organization's information security policy
Correct Answer: D Explanation/Reference:Awareness training would most likely result in any attempted tailgating being challenged by the authorized employee. The other choices are physical controls which by themselves would not be effective against tailgating.
Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)? A. Card-key door locks B. Photo identification C. Biometric scanners D. Awareness training
Correct Answer: A Explanation/Reference:
Which of the following is the MOST effective method to help ensure information security incidents are reported? A. Providing information security awareness training to employees B. Integrating information security language in conditions of employment C. Integrating information security language in corporate compliance rules D. Implementing an incident management system
Correct Answer: A Explanation/Reference:Competitions and rewards are a positive encouragement to user participation in the security program. Merely locking users out for forgetting their passwords does not enhance user awareness. Enforcement of password formats and disciplinary actions do not positively promote awareness.
Which of the following is the MOST effective, positive method to promote security awareness? A. Competitions and rewards for compliance B. Lock-out after three incorrect password attempts C. Strict enforcement of password formats D. Disciplinary action for noncompliance
Correct Answer: D Explanation/Reference:
Which of the following is the MOST important outcome of testing incident response plans? A. Staff is educated about current threats. B. An action plan is available for senior management. C. Areas requiring investment are identified. D. Internal procedures are improved.
Correct Answer: D Explanation/Reference:
Which of the following is the MOST important security consideration when using Infrastructure as a Service (IaaS)? A. Backup and recovery strategy B. Compliance with internal standards C. User access management D. Segmentation among tenants
Correct Answer: A Explanation/Reference:A well-organized information security awareness course informs all employees of existing security policies, the importance of following safe practices for data security and the need to report any possible security incidents to the appropriate individuals in the organization. The other choices would not be the likely outcomes.
Which of the following is the MOST likely outcome of a well-designed information security awareness course? A. Increased reporting of security incidents to the incident response function B. Decreased reporting of security incidents to the incident response function C. Decrease in the number of password resets D. Increase in the number of identified system vulnerabilities
Correct Answer: C Explanation/Reference:
Which of the following is the STRONGEST indication that senior management commitment to information security is lacking within an organization? A. A high level of information security risk acceptance B. The information security manager reports to the chief risk officer C. Inconsistent enforcement of information security policies D. A reduction in information security investment
Correct Answer: B Explanation/Reference:
Which of the following metrics would provide management with the MOST useful information about the effectiveness of a security awareness program? A. Increased number of downloads of the organization's security policy B. Decreased number of security incidents C. Increased number of reported security incidents D. Decreased number of phishing attacks
Correct Answer: C Explanation/Reference:
Which of the following presents the GREATEST information security concern when deploying an identity and access management solution? A. Complying with the human resource policy B. Supporting multiple user repositories C. Supporting legacy applications D. Gaining end user acceptance
Correct Answer: D Explanation/Reference:
Which of the following provides the BEST evidence that the information security program is aligned to the business strategy? A. The information security program manages risk within the business's risk tolerance. B. The information security team is able to provide key performance indicators (KPIs) to senior management. C. Business senior management supports the information security policies. D. Information security initiatives are directly correlated to business processes.
Correct Answer: C Explanation/Reference:Having a clearly stated definition of scope is most important to ensure a proper understanding of risk as well as success criteria. IT management approval may not be required, depending on senior management decisions. Communication, awareness and an incident response plan are not necessary requirements. In fact, a penetration test could help promote the creation and execution of the incident response plan.
Which of the following should be in place before a black box penetration test begins? A. IT management approval B. Proper communication and awareness training C. A clearly stated definition of scope D. An incident response plan
Correct Answer: D Explanation/Reference:
Which of the following should be of GREATEST concern to a newly hired information security manager regarding security compliance? A. Lack of risk assessments B. Lack of standard operating procedures C. Lack of security audits D. Lack of executive support
Correct Answer: D Explanation/Reference:
Which of the following statements indicates that a previously failing security program is becoming successful? A. The number of threats has been reduced. B. More employees and stakeholders are attending security awareness programs. C. The number of vulnerability false positives is decreasing. D. Management's attention and budget are now focused on risk reduction.
Correct Answer: A Explanation/Reference:
Which of the following will BEST facilitate the understanding of information security responsibilities by users across the organization? A. Conducting security awareness training with performance incentives B. Communicating security responsibilities as an acceptable usage policy C. Warning users that disciplinary action will be taken for violations D. Incorporating information security into the organization's code of conduct
Correct Answer: C Explanation/Reference:The capability maturity model (CMM) grades each defined area of security processes on a scale of 0 to 5 based on their maturity, and is commonly used by entities to measure their existing state and then determine the desired one. Security audit reports offer a limited view of the current state of security. A balanced scorecard is a document that enables management to measure the implementation of their strategy and assists in its translation into action. Systems and business security architecture explains the security architecture of an entity in terms of business strategy, objectives, relationships, risks, constraints and enablers, and provides a business-driven and business-focused view of security architecture.
Which of the following would BEST assist an information security manager in measuring the existing level of development of security processes against their desired state? A. Security audit reports B. Balanced scorecard C. Capability maturity model (CMM) D. Systems and business security architecture
Correct Answer: C Explanation/Reference:End users may react differently to the implementation and may have specific preferences. The information security manager should be aware that what is viewed as reasonable in one culture may not be acceptable in another culture. Budget allocation will have a lesser impact, since what is rejected as a result of culture cannot be successfully implemented regardless of budgetary considerations. Technical skills of staff will have a lesser impact, since new staff can be recruited or existing staff can be trained. Although important, password requirements would be less likely to determine the success of the implementation.
Which of the following would be MOST critical to the successful implementation of a biometric authentication system? A. Budget allocation B. Technical skills of staff C. User acceptance D. Password requirements
Correct Answer: B Explanation/Reference:A biometric device will ensure that only the authorized user can access the data center. A mantrap, by itself, would not be effective. Closed-circuit television (CCTV) and a security guard provide a detective control, but would not be as effective in authenticating the access rights of each individual.
Which of the following would be the MOST appropriate physical security solution for the main entrance to a data center? A. Mantrap B. Biometric lock C. Closed-circuit television (CCTV) D. Security guard
Correct Answer: D Explanation/Reference:The research and development department is usually the most sensitive area of a pharmaceutical organization. Theft of a laptop from this area could result in the disclosure of sensitive formulas and other intellectual property, which would represent the greatest security breach. A pharmaceutical organization does not normally have direct contact with end customers, and its transactions are not time critical; therefore, compromised customer information and unavailability of online transactions are not the most significant security risks. Theft of security tokens would not be as significant since a PIN would still be required for their use.
Which of the following would be the MOST significant security risk in a pharmaceutical institution? A. Compromised customer information B. Unavailability of online transactions C. Theft of security tokens D. Theft of a Research and Development laptop
Correct Answer: D Explanation/Reference:Employees must be continually made aware of the policy and expectations of their behavior. Choice A would have little relevant bearing on the employee's behavior. Choice B does not involve the employees. Choice C could be an aspect of continual reinforcement of the security policy.
Which of the following would raise security awareness among an organization's employees? A. Distributing industry statistics about security incidents B. Monitoring the magnitude of incidents C. Encouraging employees to behave in a more conscious manner D. Continually reinforcing the security policy
Correct Answer: B Explanation/Reference:Customers of the organization are the target of phishing attacks. Installing security software or training the organization's staff does not protect the customers who are being targeted, so the effort should be put on the customer side.
Which would be the BEST recommendation to protect against phishing attacks? A. Install an antispam system B. Publish security guidance for customers C. Provide security awareness to the organization's staff D. Install an application-level firewall
Correct Answer: C Explanation/Reference:The information security manager is responsible for raising awareness of the need for adequate funding for risk-related action plans. Even though the chief information officer (CIO), chief financial officer (CFO) and business unit management are involved in the final approval of fund expenditure, it is the information security manager who has the ultimate responsibility for raising awareness.
Who is responsible for raising awareness of the need for adequate funding for risk action plans? A. Chief information officer (CIO) B. Chief financial officer (CFO) C. Information security manager D. Business unit management
Correct Answer: B Explanation/Reference:Data owners are responsible for determining data classification; in this case, management of the finance department would be the owners of accounting ledger data. The database administrator (DBA) and IT management are the custodians of the data who would apply the appropriate security levels for the classification, while the security manager would act as an advisor and enforcer.
Who should determine the appropriate classification of accounting ledger data located on a database server and maintained by a database administrator in the IT department? A. Database administrator (DBA) B. Finance department management C. Information security manager D. IT department management