CISM Practice Test Questions


Which of the following actions should be taken when an online trading company discovers a network attack in progress? A. Shut off all network access points B. Dump all event logs to removable media C. Isolate the affected network segment D. Enable trace logging on all events

Isolate the affected network segment Justification Shutting off all network access points would create a denial of service that could result in loss of revenue. Dumping event logs, while useful, would not mitigate the immediate threat posed by the network attack. Isolating the affected network segment will mitigate the immediate threat while allowing unaffected portions of the business to continue processing. Enabling trace logging, while useful, would not mitigate the immediate threat posed by the network attack.

Which of the following represents a PRIMARY area of interest when conducting a penetration test? A. Data mining B. Network mapping C. Intrusion detection system D. Customer data

Network mapping Justification Data mining is associated with ad hoc reporting and is a potential target after the network is penetrated. Network mapping is the process of determining the topology of the network one wishes to penetrate. It is one of the first steps toward determining points of attack in a network. The intrusion detection mechanism in place is not an area of focus because one of the objectives is to determine how effectively it protects the network or how easy it is to circumvent. Customer data, together with data mining, is a potential target after the network is penetrated.

Which of the following is the MOST important item to consider when evaluating products to monitor security across the enterprise? A. Ease of installation B. Product documentation C. Available support D. System overhead

System overhead Justification Ease of installation, while important, would be secondary. Product documentation, while important, would be secondary. Available support, while important, would be secondary. Monitoring products can impose a significant impact on system overhead for servers and networks.

Which of the following choices would BEST align information security objectives with business objectives? A. A capability maturity model B. A process assessment model C. A risk assessment and analysis D. A business balanced scorecard

A business balanced scorecard Justification A capability maturity model may not include business objectives; in that case, it would not provide a complete perspective, being more focused on security objectives. While providing greater detail into processes and capabilities, a process assessment model only provides a process-focused view rather than a multidimensional one covering business and security. A risk assessment is used to identify vulnerabilities and controls and does not address alignment of security with business objectives. A business balanced scorecard will align information security goals with business goals and provide a multidimensional view of both quantitative and qualitative factors.

A company's mail server allows anonymous File Transfer Protocol access, which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action? A. A penetration test B. A security baseline review C. A risk assessment D. A business impact analysis

A risk assessment Justification A penetration test may identify the vulnerability but not potential threats or the remedy. A security baseline review may identify the vulnerability but not the remedy. A risk assessment will identify the business impact of the vulnerability being exploited and the remedial options. A business impact analysis will identify the impact of the loss of the mail server and requirements for restoration.

What is the PRIMARY factor that should be taken into consideration when designing the technical solution for a disaster recovery site? A. Service delivery objective B. Recovery time objective C. Allowable interruption window D. Maximum tolerable outage

Allowable interruption window Justification The service delivery objective is the required level of functionality that must be supported during the alternate process mode until the normal situation is restored, which is directly related to business needs. The recovery time objective (RTO) is commonly agreed to be the time frame between a disaster and the return to normal or acceptable operations defined by the service level objective. The RTO must be shorter than the allowable interruption window (AIW). The length of the AIW is defined by business management and determines the acceptable time frame between a disaster and the restoration of critical services and applications. AIW is generally based on the downtime before the enterprise suffers major financial damage. The technical implementation of the disaster recovery site will be based on this constraint, especially the choice between a mirrored, hot, warm or cold site. Maximum tolerable outage is the amount of time the enterprise can operate in alternate mode based on various factors such as accessibility and performance levels.

Which of the following poses the GREATEST challenge to an enterprise seeking to prioritize risk management activities? A. An incomplete catalog of information assets B. A threat assessment that is not comprehensive C. A vulnerability assessment that is outdated D. An inaccurate valuation of information assets

An inaccurate valuation of information assets Justification Enterprises are only able to prioritize items they know to exist. An incomplete catalog of information assets introduces the possibility that prioritization is overlooking assets that may have substantial value, unintentionally resulting in the implicit acceptance of risk that may exceed the risk appetite and tolerance. However, inaccurate valuation of known assets has a greater negative impact on prioritization than the possibility of certain high-value assets not being properly taken into account. Evaluating the threat environment is the most challenging aspect of risk assessment, and it is nearly always the case that a threat assessment excludes one or more threats. As a result, any prioritization effort must assume that the threat assessment is not comprehensive. It is common for a vulnerability assessment to be outdated at the start of each cycle of a risk management program prior to the start of risk management activities, but the influence of outdated vulnerability information is less a concern than inaccurate valuation of assets. Although prioritization on the basis of risk requires knowledge of threat, vulnerability and potential consequence, it is this last factor expressed in terms of value that is most influential when prioritizing risk management activities. If assets are valued incorrectly, otherwise justifiable decisions of how to prioritize activities may be incorrect.

An information security manager reviewing user access to a critical business application to ensure that users have rights aligned with their job responsibilities notes many instances of excessive access. Which of the following individuals would be the PRIMARY contact to inform regarding this risk? A. Application owner B. Users' manager C. Security manager D. Database administrator

Application owner Justification The application owner should be informed about any potential risk to make appropriate decisions. The users' manager is responsible for access to the application; however, the application owner is the primary contact in this case. Security would not be immediately informed of this risk unless determined by the application owner. The database administrator is responsible for revoking access if determined by the application owner.

Which of the following choices would be the MOST useful in determining the possible consequences of a major compromise? A. Risk assessment B. Asset valuation C. Penetration testing D. Architectural review

Asset valuation Justification A comprehensive risk assessment requires an assessment of probability and potential consequences, so it goes beyond what is required. Asset valuation provides a cost representation of what the enterprise stands to lose in the event of a major compromise. Penetration tests indicate vulnerability rather than the value of what may be affected if a vulnerability is exploited. Architectural review may indicate vulnerability, but like penetration testing, it will not reveal the value of what may be affected if a vulnerability is exploited.

Which of the following choices is the MOST important consideration when developing the security strategy of a company operating in different countries? A. Diverse attitudes toward security by employees and management B. Time differences and the ability to reach security officers C. A coherent implementation of security policies and procedures in all countries D. Compliance with diverse laws and governmental regulations

Compliance with diverse laws and governmental regulations Justification Attitudes among employees and managers may vary by country, and this will impact implementation of a security policy. However, the impact is not nearly as significant as the variance in national laws. Time differences and reachability are not significant considerations when developing a security strategy. Implementation occurs after a security strategy has been developed, so this cannot be a consideration in its development. Laws vary from one country to another, and they can also be in conflict, making it difficult for an enterprise to create an overarching enterprise security policy that adequately addresses the requirements in each nation. The repercussions of failing to adhere to multiple legal frameworks at the same time is the most important among the considerations listed.

Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual needing to have their password reset? A. Performing reviews of password resets B. Conducting security awareness programs C. Increasing the frequency of password changes D. Implementing automatic password syntax checking

Conducting security awareness programs Justification Performing reviews of password resets may be desirable but will not be effective in reducing the likelihood of a social engineering attack. Social engineering can be mitigated best through periodic security awareness training for staff members who may be the target of such an attempt. Changing the frequency of password changes may be desirable but will not reduce the likelihood of a social engineering attack. Strengthening passwords is desirable but will not reduce the likelihood of a social engineering attack.

Which of the following security controls addresses availability? A. Least privilege B. Public key infrastructure C. Role-based access D. Contingency planning

Contingency planning Justification Least privilege is an access control that is concerned with confidentiality. Public key infrastructure is concerned with confidentiality and integrity. Role-based access limits access but does not directly address availability. Contingency planning ensures that the system and data are available in the event of a problem.

The classification level of an asset must be PRIMARILY based on which of the following choices? A. Criticality and sensitivity B. Likelihood and impact C. Valuation and replacement cost D. Threat vector and exposure

Criticality and sensitivity Justification The extent to which an asset is critical to business operations or can damage the enterprise if disclosed is the primary consideration for the level of protection required. Asset classification is driven by criticality and sensitivity, not likelihood of compromise. Probability and frequency are considerations of risk and not the main consideration of asset classification. Threat vector and exposure together do not provide information on impact needed for classification.

Which of the following is MOST likely to be responsible for establishing the information security requirements over an application? A. IT steering committee B. Data owner C. System owner D. IT auditor

Data owner Justification The IT steering committee is an executive management-level committee that assists in the delivery of the IT strategy, oversees day-to-day management of IT service delivery and IT projects, and focuses on implementation aspects. Data owners determine the level of controls deemed necessary to secure data and the applications that store or process the data. System owners are responsible for platforms, rather than for applications or data. The IT auditor evaluates the adequacy, efficiency and effectiveness of controls.

Which of the following is the BEST approach for improving information security management processes? A. Conduct periodic security audits. B. Perform periodic penetration testing. C. Define and monitor security metrics. D. Survey business units for feedback.

Define and monitor security metrics. Justification Audits will identify deficiencies in established controls; however, they are not effective in evaluating the overall performance for improvement on an ongoing basis. Penetration testing will only uncover technical vulnerabilities and cannot provide a holistic picture of information security management. Defining and monitoring security metrics is a good approach to analyze the performance of the security management process since it determines the baseline and evaluates the performance against the baseline to identify opportunities for improvement. This is a systematic and structured approach to process improvement. Feedback is subjective and not necessarily reflective of true performance.

Which of the following is MOST important when collecting evidence for forensic analysis? A. Ensure the assignment of qualified personnel. B. Request the IT department do an image copy. C. Disconnect from the network and isolate the affected devices. D. Ensure law enforcement personnel are present before the forensic analysis commences.

Ensure the assignment of qualified personnel. Justification Without the initial assignment of forensic expertise, the required levels of evidence may not be preserved properly. The IT department is unlikely to have the necessary level of expertise and should, therefore, be prevented from taking action. Disconnecting from the network may be a prudent step prior to collecting evidence but does not eliminate the requirement for properly qualified forensic personnel. Notifying law enforcement will likely occur after the forensic analysis has been completed.

Which of the following is the BEST justification to convince management to invest in an information security program? A. Cost reduction B. Compliance with company policies C. Protection of business assets D. Increased business value

Increased business value Justification Cost reduction by itself is rarely the motivator for implementing an information security program. Compliance is secondary to business value and cannot be the best justification, as the company may already be in compliance as managed by the legal team. Protection of business assets is not the best justification, as management can counter it by stating that it can ensure protection of assets. Investing in an information security program would increase business value as a result of fewer business disruptions, fewer losses, increased productivity and stronger brand reputation.

What is the MAIN risk when there is no user management representation on the information security steering committee? A. Functional requirements are not adequately considered. B. User training programs may be inadequate. C. Budgets allocated to business units are not appropriate. D. Information security plans are not aligned with business requirements.

Information security plans are not aligned with business requirements. Justification Functional requirements and user training programs are parts of project development and are not the main risk. Specifics of training programs are usually not under the purview of the steering committee; training is an operational/delivery issue to be managed by the team or person responsible for the program. The information security steering committee does not have the mandate to approve budgets for business units. The steering committee is responsible for the execution of the information security strategy; lacking representation of user management, the committee may miss consideration of the impact on productivity and the need for adequate user controls.

Which action should the information security manager first take when alerted to a possible cybersecurity incident by the security operations center team? A. Contain and eradicate the incident B. Initiate incident analysis C. Gather and handle evidence D. Perform incident eradication and recovery

Initiate incident analysis Justification Containing and eradicating the incident would occur only after the incident is validated. The first step in incident response is to confirm the incident is valid. This would be done through incident analysis. Evidence gathering, eradication and containment occur after the incident is confirmed. Recovery, evidence gathering, eradication and containment occur after the incident is confirmed.

Which of the following authentication methods is the MOST secure when users require remote access to production systems? A. A one-time password B. A virtual private network C. Multifactor authentication D. Complex passwords

Multifactor authentication Justification One-time passwords are more secure than static passwords, but alone, they are not the most secure method. A virtual private network is an encrypted connection from a device to a network; it is not an authentication method. Multifactor authentication is the most secure way to authenticate users when remote access to production systems is required. Multifactor authentication uses three common factors: something you know (e.g., passwords), something you have (e.g., tokens, smart cards) and something you are (e.g., biometric methods such as fingerprints or retina scans). A complex password covers only one of the three common factors used for multifactor authentication. Requiring complex passwords is a good practice, but it is not the most secure method.

Which of the following choices will MOST influence how the information security program will be designed and implemented? A. Type and nature of risk B. Organizational culture C. Overall business objectives D. Lines of business

Organizational culture Justification The specific risk faced by the enterprise will affect the security program, but how this risk is perceived and dealt with depends on the organizational culture. The organizational culture generally influences risk appetite and risk tolerance in addition to how issues are perceived and dealt with and many other aspects that have significant influence over how an information security program should be designed and implemented. Business objectives will determine the specific kinds of risk to be addressed but will not greatly influence the actual program development and implementation. The lines of business will affect the specific kinds of risk to be addressed but will not greatly influence the actual program development and implementation.

Which of the following is the MOST cost-effective approach to achieve strategic alignment? A. Periodically survey management B. Implement a governance framework C. Ensure that controls meet objectives D. Develop an enterprise architecture

Periodically survey management Justification Achieving and maintaining strategic alignment means that business process owners and managers believe that information security is effectively supporting their organizational activities. This can most easily and inexpensively be determined by periodic surveys, which will also indicate improvement or degradation over time. Implementing an appropriate governance framework may improve strategic alignment in addition to a number of other benefits, but it is exceedingly complex, time-consuming and expensive and may not directly capture business owners' perceptions or show changes over time. While important, controls meeting objectives may not be perceived by managers as helpful to the business and may, in fact, be seen as an impediment to their activities. An enterprise architecture should consider business objectives during design and development, but in an effort to balance many other requirements, such as security and functionality, it may or may not be perceived as supporting business activities.

Which of the following is the MOST important aspect that needs to be considered from a security perspective when payroll processes are outsourced to an external service provider? A. A cost-benefit analysis has been completed. B. Privacy requirements are met. C. The service provider ensures a secure data transfer. D. No significant security incident occurred at the service provider.

Privacy requirements are met. Justification A cost-benefit analysis should be undertaken from a business perspective but not from a security perspective. Applicable privacy requirements may be a matter of law or policy and will require consideration when outsourcing processes that involve personal information. When data are transferred, it may be necessary to ensure data security, but there are many other privacy and security issues to consider. Past incidents may not reflect the current security posture of the service provider, nor do they reflect applicable security requirements.

Which of the following is KEY for selecting a third-party information security provider? A. Contract review B. Audit report review C. Projected cost of services D. Risk assessment

Risk assessment Justification The contract review is important, but the risk assessment should provide guidance concerning whether the enterprise should engage with the third party. The audit review is important after the risk assessment is complete. Some items identified in the assessment will determine if any of the findings are material to the enterprise. Projected cost of services is important, but the risk assessment will guide the enterprise concerning whether it should engage with the third party. The risk assessment is essential because it provides guidance to the enterprise concerning whether it should engage with the third party. The risk assessment should address strategic, operational, compliance and other key risks relevant to the enterprise.

What is the MOST important consideration when developing a business case for an information security investment? A. The impact on the risk profile of the enterprise B. The acceptability to the board of directors C. The implementation benefits D. The affordability to the enterprise

The implementation benefits Justification The impact on the risk profile can be one component of the business case but does not include all the areas the business case would cover. The basis for acceptance among the directors should be the impact on the risk profile. A business case is defined as documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle. A business case covers not only long-term benefits, but also short-term ones, along with costs. While cost is important to consider, if the benefits outweigh the costs, it will be in the best interests of the enterprise to go ahead with the investment.

Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system with the threshold set to a low value? A. The number of false positives increases B. The number of false negatives increases C. Active probing is missed D. Attack profiles are ignored

The number of false positives increases Justification Failure to tune an intrusion detection system will result in many false positives, especially when the threshold is set to a low value. An increase in false negatives is less likely given the fact that the threshold for sounding an alarm is set to a low value. Missed active probing is less likely given the fact that the threshold for sounding an alarm is set to a low value. Ignored attack profiles are less likely given the fact that the threshold for sounding an alarm is set to a low value.

Which of the following choices would be the BEST measure of the effectiveness of a risk assessment? A. The time, frequency and cost of assessing risk B. The scope and severity of new risk discovered C. The collective potential impact of defined risk D. The percentage of incidents from unknown risk

The percentage of incidents from unknown risk Justification The time and cost of performing a risk assessment is not an indicator of its effectiveness in discovering new risk. The scope and severity of new risk discovered is a useful indicator, but it is not as good a measure of effectiveness as the risk that is not uncovered and leads to a security incident. The potential impact of defined risk is a secondary measure that may be useful in determining the extent of remedial actions to consider. Incidents that result from unidentified risk are the best indicators of how well the risk assessment served to discover risk, thereby indicating effectiveness.

Which of the following is the BEST quantitative indicator of an enterprise's current risk appetite? A. The number of incidents and the subsequent mitigation activities B. The number, type and layering of deterrent control technologies C. The extent of risk management requirements in policies and standards D. The ratio of cost to insurance coverage for business interruption protection

The ratio of cost to insurance coverage for business interruption protection Justification Incident history can provide only an approximation of the enterprise's efforts to mitigate further occurrences after consequences have been determined. Incident history may also indicate a lack of risk awareness. Controls deployment can provide a rough qualitative estimation of risk appetite as long as technologies are tested and effectiveness is determined. Requirements set in policies and standards can only serve as a qualitative approximation of risk appetite. The cost of a business interruption can be accurately determined. The comparison of this expense (added to any deductible) with the total cost of premiums paid for a specific amount of insurance can serve as an accurate indicator of how much the enterprise will spend to protect against a defined loss.

Different types of tests exist for testing the effectiveness of recovery plans. Which of the following choices would occur during a parallel test but not occur during a simulation test? A. The team members step through the individual recovery tasks. B. The primary site operations are interrupted. C. A fictitious scenario is used for the test. D. The recovery site is brought to operational readiness.

The recovery site is brought to operational readiness. Justification A walk-through of all necessary recovery tasks is part of both tests. Only a full interruption test includes interruption of primary site operations. Both parallel tests and simulation tests rely on fictitious scenarios. A parallel recovery test includes the test of the operational capabilities of the recovery site, while a simulation test focuses on role-playing.

Which of the following metrics is the MOST useful for the effectiveness of a controls monitoring program? A. The percentage of key controls being monitored B. The time between detection and initiating remediation C. The monitoring cost versus incidents detected D. The time between an incident and detection

The time between an incident and detection Justification While the percentage of key controls being monitored is an important metric, it is not an indication of effectiveness. The time between detection and remediation is an indication of the effectiveness of the incident response activity. The monitoring cost per incident is an indicator of efficiency rather than effectiveness. The time it takes to detect an incident after it has occurred is a good indication of the effectiveness of the control monitoring effort.

The facilities department of a large financial enterprise uses electronic swipe cards to manage physical access. The information security manager requests that facilities provide the manager with read-only access to the physical access data. What is the MOST likely purpose? A. To monitor personnel compliance with contract provisions B. To determine who is in the building in case of fire C. To compare logical and physical access for anomalies D. To ensure that the physical access control system is operating correctly

To compare logical and physical access for anomalies Justification Contract compliance monitoring would usually not be part of an information security manager's role. The physical security and emergency response personnel should be monitoring presence in the building in case of fire. Any differences between physical and logical access may indicate one of several risk scenarios, such as personnel not swiping in and tailgating, password sharing, or system compromise, and serves as a key risk indicator. Some of the best security metrics come from non-security-related activities. The correct operation of the system is likely the responsibility of IT, although a periodic validation by security is prudent.

Which of the following is the MOST important reason to develop a communication plan regarding security incidents as part of an incident management program? A. To increase security awareness B. To comply with regulatory requirements C. To identify communication flows to stakeholders D. To improve incident response

To improve incident response Justification Although a communication plan helps increase awareness, it is not the most important reason. Meeting compliance requirements may be a requirement in some cases, but it is not the most important reason for communication regarding incidents. Communication flows are part of the communication plan to improve the resolution of the incident. The overall goal of the communication plan is to improve incident response. Effective communication helps stakeholders respond to the incident.

The PRIMARY factor determining maximum tolerable outage is: A. available resources. B. operational capabilities. C. long haul network diversity. D. last mile protection.

available resources. Justification The main variable affecting the ability to operate in the recovery site is adequate resource availability, such as diesel fuel to operate generators. Although resources would be taken into account during initial calculation of the maximum tolerable outage (MTO), circumstances associated with disaster recovery frequently have unexpected impacts on availability of resources. As a result, the expectations may not be met during real-world events. The operational capabilities of the recovery site would have been predetermined and factored into the MTO. Long haul diversity does not affect MTO. Last mile protection does not affect MTO.

The BEST time to determine who should notify external entities of an information security breach involving customer privacy data is: A. after the incident has been detected and confirmed. B. after the approval of the incident by senior management. C. during the development of the incident response plan. D. dependent on applicable laws and regulations.

during the development of the incident response plan. Justification Determining roles and responsibilities during an incident is counterproductive and causes confusion. Senior management does not approve incidents; incident response teams confirm them. Responsibilities, including who should communicate what and how, should be established when the incident response plan is developed. This ensures that teams know their roles and responsibilities prior to an incident occurring. Laws and regulations and requirements are part of the foundation of an incident response plan.

The MOST important reason that statistical anomaly-based intrusion detection systems (stat IDSs) are less commonly used than signature-based IDSs is that stat IDSs: A. create more overhead than signature-based IDSs. B. cause false positives from minor changes to system variables. C. generate false alarms from varying user or system actions. D. cannot detect new types of attacks.

generate false alarms from varying user or system actions. Justification Due to the nature of statistical anomaly-based intrusion detection system (stat IDS) operations (i.e., they must constantly attempt to match patterns of activity to the baseline parameters), a stat IDS requires much more overhead and processing than signature-based versions. However, this is not the most important reason. Due to the nature of a stat IDS (based on statistics and comparing data with baseline parameters), this type of IDS may not detect minor changes to system variables and may generate many false positives. However, this is not the most important reason. A stat IDS collects data from normal traffic and establishes a baseline. It then periodically samples the network activity based on statistical methods and compares samples to the baseline. When the activity is outside the baseline parameter (clipping level), the IDS notifies the administrator. The baseline variables can include a host's memory or central processing unit usage, network packet types and packet quantities. If actions of the users or the systems on the network vary widely, with periods of low activity and periods of frantic packet exchange, a stat IDS may not be suitable, as the dramatic swing from one level to another almost certainly will generate false alarms. This weakness will have the largest impact on the operation of the IT systems. Because the stat IDS can monitor multiple system variables, it can detect new types of attacks by tracing for abnormal activity of any kind.

When initially establishing an information security program, it is MOST important that managers: A. examine and understand the culture within the enterprise. B. analyze and understand the control system of the enterprise. C. identify and evaluate the overall risk exposure of the enterprise. D. examine and assess the security resources of the enterprise.

identify and evaluate the overall risk exposure of the enterprise. Justification Examining and understanding the culture within the enterprise is an important step in the overall evaluation process. Analyzing and understanding the control system is an essential step to determine what risk is addressed and what control objectives are currently in place. Identifying and evaluating the overall risk is most important, because it includes the other three elements, in addition to others. Examining and assessing security resources is important information in determining and evaluating overall risk and exposure of an enterprise.

An information security manager is advised by contacts in law enforcement that there is evidence that the company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to: A. perform a comprehensive assessment of the enterprise's exposure to the hackers' techniques. B. initiate awareness training to counter social engineering. C. immediately advise senior management of the elevated risk. D. increase monitoring activities to provide early detection of intrusion.

immediately advise senior management of the elevated risk. Justification The security manager should assess the risk, but senior management should be immediately advised. It may be prudent to initiate an awareness campaign after sounding the alarm if awareness training is not current. Information about possible significant new risk from credible sources should be provided to management along with advice on steps that need to be taken to counter the threat. Monitoring activities should be increased after notifying management.

While defining incident response procedures, an information security manager must PRIMARILY focus on: A. closing incident tickets in a predetermined time frame. B. reducing the number of incidents. C. minimizing operational interruptions. D. meeting service delivery objectives.

meeting service delivery objectives. Justification Closing tickets is not a priority of incident response. Reducing the number of incidents is the focus of overall incident management. Minimizing the impact on operations is not necessarily the primary focus. Some disruption in operations may be within acceptable limits. The primary focus of incident response is to ensure that business-defined service delivery objectives are met.

When designing information security standards for an enterprise, the information security manager should require that an extranet server be placed: A. outside the firewall. B. on the firewall server. C. on a screened subnet. D. on the external router.

on a screened subnet. Justification Placing the extranet server on the Internet side of the firewall would leave it defenseless. Because firewalls should be installed on hardened servers with minimal services enabled, it would be inappropriate to store the extranet on the same physical device. An extranet server should be placed on a screened subnet, which is a demilitarized zone. Placing the extranet server on the external router, although it may not even be possible, would leave it defenseless.

The PRIMARY objective of a vulnerability assessment is to: A. reduce risk to the business. B. ensure compliance with security policies. C. provide assurance to management. D. measure efficiency of services provided.

provide assurance to management. Justification It is necessary to identify vulnerabilities in order to mitigate them. Actual reduction of risk is accomplished through deployment of controls and is a business decision based on a cost-benefit analysis. A security policy may mandate a vulnerability assessment program, but such a program is not established primarily to comply with policy. A vulnerability assessment identifies vulnerabilities so that they may be considered for mitigation. By giving management a complete picture of the vulnerabilities that exist, a vulnerability assessment program allows management to prioritize those vulnerabilities deemed to pose the greatest risk. Vulnerability assessment is not concerned with efficiency of services.

An enterprise's IT change management process requires that all change requests be approved by the asset owner and the information security manager. The PRIMARY objective of getting the information security manager's approval is to ensure that: A. changes comply with security policy. B. risk from proposed changes is managed. C. rollback to a current status has been considered. D. changes are initiated by business managers.

risk from proposed changes is managed. Justification A change affecting a security policy is not handled by an IT change process. Changes in the IT infrastructure may have an impact on existing risk. An information security manager must ensure that the proposed changes do not adversely affect the security posture. Rollback to a current state may cause a security risk event and is normally part of change management, but it is not the primary reason that security is involved in the review. The person who initiates a change has no effect on the person who reviews and authorizes an actual change.
