Domain 3 - Information Security Program 33%
Which of the following choices is MOST strongly supported by effective management of information assets? A. An information/data dictionary B. A data classification program C. An information-based security culture D. A business-oriented risk policy
A business-oriented risk policy Justification An information/data dictionary is a useful management tool but is only one aspect of holistic information asset management. A data classification program helps to prioritize asset protection based on business value, but management of information assets goes beyond asset protection. The security culture of an enterprise does not drive the effectiveness or efficiency of information assets. A risk policy that is oriented to business needs promotes the achievement of organizational objectives. The holistic risk-based approach to the management of information assets includes and addresses a broad range of factors such as data linkages, privacy, business orientation and risk relevance, which in turn help the assets to be managed in an effective and efficient manner.
To establish the contractual relationship between entities using public key infrastructure, the certificate authority must provide which of the following? A. A registration authority B. A digital certificate C. A nonrepudiation capability D. A certification practice statement
A certification practice statement Justification The registration authority is responsible for authentication of users prior to the issuance of a certificate. A digital certificate is the electronic credentials of individual entities but does not provide the contractual relationship of users and the certificate authority. Nonrepudiation is an inherent capability of a public key infrastructure by the virtue of the signing capability. The certification practice statement provides the contractual requirements between the relying parties and the certificate authority.
What is a desirable sensitivity setting for a biometric access control system that protects a high-security data center? A. A high false reject rate B. A high false acceptance rate C. Lower than the crossover error rate D. The exact crossover error rate
A high false reject rate Justification Biometric access control systems are not infallible. When tuning the solution, the sensitivity level is adjusted to give preference either to the false reject rate (FRR) (type I error rate), making the system more prone to err by denying access to a valid user, or to the false acceptance rate (FAR), making it more prone to err by allowing access to an invalid user. The preferable setting is in the FRR region of sensitivity. A high FAR will marginalize security by allowing too much unauthorized access. In systems in which the possibility of false rejects is a problem, it may be necessary to reduce sensitivity and thereby increase the number of false accepts. As the sensitivity of the biometric system is adjusted, the FRR and FAR change inversely. At one point, the two values intersect and are equal. This condition creates the crossover error rate, which is a measure of the system's accuracy. A setting lower than the crossover error rate will create too high a FAR for a high-security data center. The crossover rate is sometimes referred to as the equal error rate. In a very sensitive system, it may be desirable to minimize the number of false accepts (the number of unauthorized persons allowed access). To do this, the system is tuned to be more sensitive with a lower FAR, which causes the FRR (the number of authorized persons disallowed access) to increase.
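The FRR/FAR trade-off described in this justification, worked through as an added example (not part of the original question bank): the match-score lists are constructed sample data, a presentation is assumed to be accepted when its score is at or above the threshold, and the code sweeps the threshold to locate the crossover point and a stricter high-security setting above it.

```python
"""Added example: how tuning a biometric threshold trades the false reject
rate (FRR) against the false acceptance rate (FAR), and where the crossover
(equal error) rate sits.

Assumptions: match scores lie in [0, 100]; a presentation is accepted when its
score is >= the threshold. The score lists are constructed sample data, not
measurements from any real system.
"""

# Constructed sample data: scores from genuine (authorized) users and from
# impostors. Genuine users usually score high and impostors low, but the
# distributions overlap, which is why no threshold is error-free.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 71, 68, 64, 60, 55]
IMPOSTOR_SCORES = [20, 25, 31, 36, 42, 48, 53, 58, 62, 66, 70, 75]


def false_reject_rate(genuine_scores, threshold):
    """FRR (type I error): share of authorized users denied access."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def false_accept_rate(impostor_scores, threshold):
    """FAR (type II error): share of unauthorized users granted access."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def error_rates(genuine_scores, impostor_scores, thresholds):
    """Return {threshold: (FRR, FAR)} for each candidate threshold.
    Raising the threshold pushes FRR up and FAR down, i.e. they move inversely."""
    return {
        t: (false_reject_rate(genuine_scores, t),
            false_accept_rate(impostor_scores, t))
        for t in thresholds
    }


def crossover_threshold(genuine_scores, impostor_scores, thresholds):
    """Threshold whose FRR and FAR are closest to equal: the crossover /
    equal error rate point. Returns (threshold, frr, far)."""
    best = None
    rates = error_rates(genuine_scores, impostor_scores, thresholds)
    for t, (frr, far) in rates.items():
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    _, t, frr, far = best
    return t, frr, far


def high_security_threshold(genuine_scores, impostor_scores, thresholds,
                            max_far):
    """Lowest threshold that keeps FAR at or below max_far. For a
    high-security data center this sits above the crossover point, so the
    FRR is deliberately higher than at the crossover."""
    for t in sorted(thresholds):
        if false_accept_rate(impostor_scores, t) <= max_far:
            return t
    return None


if __name__ == "__main__":
    thresholds = range(0, 101, 5)
    for t, (frr, far) in error_rates(GENUINE_SCORES, IMPOSTOR_SCORES,
                                     thresholds).items():
        print(f"threshold {t:3d}: FRR {frr:.2f}  FAR {far:.2f}")
    print("crossover:", crossover_threshold(GENUINE_SCORES, IMPOSTOR_SCORES,
                                           thresholds))
    print("high-security threshold (FAR <= 0):",
          high_security_threshold(GENUINE_SCORES, IMPOSTOR_SCORES,
                                  thresholds, 0.0))
```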
Which of the following tools should a newly hired information security manager review to gain an understanding of how effectively the current set of information security projects are managed? A. A project database B. A project portfolio database C. Policy documents D. A program management office
A project portfolio database Justification A project database may contain information for one specific project and updates to various parameters pertaining to the current status of that single project. A project portfolio database is the basis for project portfolio management. It includes project data such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports. Policy documents on project management set direction for the design, development, implementation and monitoring of the project. A program management office is the team that oversees the delivery of the project portfolio. Review of the office may provide meaningful insights into the skill set and organizational structure but not on how effectively the current set of information security projects is managed.
Which of the following would PRIMARILY provide the potential for users to bypass a form-based authentication mechanism in an application with a back-end database? A. A weak password of six characters B. A structured query language (SQL) injection C. A session time-out of long duration D. Lack of an account lockout after multiple wrong attempts
A structured query language (SQL) injection Justification Weak passwords can make it easy to access the application, but there is no bypass of authentication. Although structured query language injection is well understood and preventable, it still is a significant security risk for many enterprises writing code. Using SQL injection, one can pass SQL statements in a manner that bypasses the logon page and allows access to the application. Long time-out duration is not relevant to the authentication mechanism. Because the authentication mechanism is bypassed, account lockout is not initiated.
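The logon bypass this justification refers to, shown as an added example (not part of the original question bank): a login query built by string concatenation beside the parameterized query that prevents the bypass. The in-memory SQLite database, the `users` table, the account and the injected username are all constructed for the demonstration, and password hashing is deliberately simplified because the point is how the query is built.

```python
"""Added example: form-based login whose SQL is built from user input
(bypassable by SQL injection) beside the parameterized version that is not.

Assumptions: an in-memory SQLite database with a constructed `users` table.
Password storage uses a plain SHA-256 hash only to keep the demo short; the
defence being shown is the query construction, not the hashing scheme.
"""
import hashlib
import sqlite3


def password_hash(password: str) -> str:
    """Simplified hash for the demo (production code would use a salted,
    slow password hash)."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: a single application account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT UNIQUE, password_hash TEXT)")
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        ("admin", password_hash("correct horse battery staple")))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Vulnerable: the username is spliced into the SQL text, so input
    containing quote and comment characters can rewrite the WHERE clause
    and make the password check disappear. Returns user id or None."""
    query = ("SELECT id FROM users WHERE username = '" + username +
             "' AND password_hash = '" + password_hash(password) + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Hardened: placeholders bind the input as data, never as SQL, so the
    same input is compared literally against the username column."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_demo_db()
    # Constructed bypass input: closes the string and comments out the rest.
    injected = "admin' --"
    print("vulnerable, wrong password:",
          login_vulnerable(conn, "admin", "wrong"))          # None
    print("vulnerable, injected username:",
          login_vulnerable(conn, injected, "anything"))      # 1 (bypassed)
    print("parameterized, injected username:",
          login_safe(conn, injected, "anything"))            # None
    print("parameterized, valid credentials:",
          login_safe(conn, "admin", "correct horse battery staple"))  # 1
```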
Which of the following BEST ensures that information transmitted over the Internet will remain confidential? A. A virtual private network B. Firewalls and routers C. Biometric authentication D. Two-factor authentication
A virtual private network Justification Encryption of data in a virtual private network ensures that transmitted information is not readable, even if intercepted. Firewalls and routers protect access to data resources inside the network but do not protect traffic in the public network. Biometric authentication alone would not prevent a message from being intercepted and read. Two-factor authentication alone would not prevent a message from being intercepted and read.
Which of the following would be the BEST metric for an information security manager to provide to support a request to fund new controls? A. Adverse yearly incident trends B. Audit findings of poor compliance C. Results of a vulnerability scan D. Increased external port scans
Adverse yearly incident trends Justification Security incidents occur because either a control failed or there was no control in place. Trends are a metric providing their own points of reference. Failures of compliance with existing controls are not likely to be solved by additional controls. Also, an audit finding absent any prior findings of compliance or other reference point is a measure, not a metric. Without knowing exposure, threat and potential impact, risk cannot be determined and will be poor support for new controls. Also, results of a vulnerability scan constitute a measure, not a metric. Port scans are common and generally will not support funding of new controls.
When is the BEST time to perform a penetration test? A. After an attempted penetration has occurred B. After an audit has reported weaknesses in security controls C. After various infrastructure changes are made D. After a high turnover in systems staff
After various infrastructure changes are made Justification Conducting a test after an attempted penetration is not as productive because an enterprise should not wait until it is attacked to test its defenses. Any exposure identified by an audit should be corrected before it would be appropriate to test. Changes in the systems infrastructure are most likely to inadvertently introduce new exposures. A turnover in administrative staff does not warrant a penetration test, although it may warrant a review of password change practices and configuration management.
Which of the following is a preventive measure? A. A warning banner B. Audit trails C. An access control D. An alarm system
An access control Justification A warning banner is a deterrent control, which provides a warning that can deter potential compromise. Audit trails are an example of a detective control. Preventive controls inhibit attempts to violate security policies. An example of such a control is an access control. An alarm system is an example of a detective control.
Which of the following poses the GREATEST challenge to an enterprise seeking to prioritize risk management activities? A. An incomplete catalog of information assets B. A threat assessment that is not comprehensive C. A vulnerability assessment that is outdated D. An inaccurate valuation of information assets
An inaccurate valuation of information assets Justification Enterprises are only able to prioritize items they know to exist. An incomplete catalog of information assets introduces the possibility that prioritization is overlooking assets that may have substantial value, unintentionally resulting in the implicit acceptance of risk that may exceed the risk appetite and tolerance. However, inaccurate valuation of known assets has a greater negative impact on prioritization than the possibility of certain high-value assets not being properly taken into account. Evaluating the threat environment is the most challenging aspect of risk assessment, and it is nearly always the case that a threat assessment excludes one or more threats. As a result, any prioritization effort must assume that the threat assessment is not comprehensive. It is common for a vulnerability assessment to be outdated at the start of each cycle of a risk management program prior to the start of risk management activities, but the influence of outdated vulnerability information is less a concern than inaccurate valuation of assets. Although prioritization on the basis of risk requires knowledge of threat, vulnerability and potential consequence, it is this last factor expressed in terms of value that is most influential when prioritizing risk management activities. If assets are valued incorrectly, otherwise justifiable decisions of how to prioritize activities may be incorrect.
Which one of the following types of detection is NECESSARY to mitigate a denial or distributed denial-of-service attack? A. Signature-based detection B. Deep packet inspection C. Virus detection D. Anomaly-based detection
Anomaly-based detection Justification Signature-based detection cannot react to a distributed denial-of-service (DDoS) attack because it does not have any insight into increases in traffic levels. Deep packet inspection allows a protocol to be inspected and is not related to denial-of-service (DoS) attacks. Virus detection would have no effect on DDoS detection or mitigation. Anomaly-based detection establishes normal traffic patterns and then detects any deviation from that baseline. Traffic baselines are greatly exceeded when under a DDoS attack and are quickly identified by anomaly-based detection.
Which of the following is the BEST method to determine classification of data? A. Assessment of impact associated with compromise of data by the data owner B. Compliance requirements defined in the information security policy C. Requirements based on the protection level implemented for different datasets D. Assessment of risk of data loss by the information security manager
Assessment of impact associated with compromise of data by the data owner Justification The classification of data is based upon the potential impact from loss or corruption. Compliance requirements are used as an input to risk assessment by considering risk associated with noncompliance. The protection level is determined based on the classification of data and not the other way around. Classification is not based upon risk; it is based upon impact (criticality or sensitivity or business value). The data owner determines the classification level.
Obtaining another party's public key is required to initiate which of the following activities? A. Authorization B. Digital signing C. Authentication D. Nonrepudiation
Authentication Justification Authorization is not a public key infrastructure function. A private key is used for signing. The counterparty's public key is used for authentication. The private key is used for nonrepudiation.
Which resource is the MOST effective in preventing physical access tailgating/piggybacking? A. Card key door locks B. Photo identification C. Awareness training D. Biometric scanners
Awareness training Justification Card key door locks are a physical control that by itself would not be effective against tailgating. Photo identification by itself would not be effective against tailgating. Awareness training would most likely result in any attempted tailgating being challenged by the authorized employee. A biometric scanner is a physical control that by itself would not be effective against tailgating.
Which of the following is MOST important for measuring the effectiveness of a security awareness program? A. Reduced number of security violation reports B. A quantitative evaluation to ensure user comprehension C. Increased interest in focus groups on security issues D. Increased number of security violation reports
A quantitative evaluation to ensure user comprehension Justification A reduction in the number of violation reports may not be indicative of a high level of security awareness. To truly judge the effectiveness of security awareness training, some means of measurable testing is necessary to confirm user comprehension. Focus groups may or may not provide meaningful feedback but in and of themselves do not provide metrics. An increase in the number of violation reports is a possible indication of increased awareness but is not as useful as direct testing of awareness levels.
What is the GREATEST benefit of decentralized security management? A. Reduction of the total cost of ownership B. Improved compliance with organizational policies and standards C. Better alignment of security with business needs D. Easier administration
Better alignment of security with business needs Justification Reduction of the total cost of ownership is a benefit of centralized security management. Improved compliance is a benefit of centralized security management. Better alignment of security with business needs is the only answer that fits because the other choices are benefits of centralized security management. Easier administration is a benefit of centralized security management.
Which of the following activities is MOST effective for developing a data classification schema? A. Classifying critical data based on protection levels B. Classifying data based on the possibility of leakage C. Aligning the schema with data leak prevention tools D. Building awareness of the benefit of data classification
Building awareness of the benefit of data classification Justification Data protection levels are decided based on classification or business value. Data are classified on business value and not on the possibility of leakage. Protection of the data may well be based on the possibility of leakage. Aligning the schema with data leak prevention (DLP) tools may help while automating protection, but the data classification schema already has to exist for it to align with DLP. While developing a data classification schema, it is most important that all users are made aware of the need for accurate data classification to reduce the cost of overprotection and the risk of underprotection of information assets.
Which of the following is MOST effective in preventing disruptions to production systems? A. Patch management B. Security baselines C. Virus detection D. Change management
Change management Justification Patch management involves the correction of software vulnerabilities as they are discovered by modifying the software with a "patch," which may or may not prevent production system disruptions. Security baselines provide minimum recommended settings and do not necessarily prevent introduction of control weaknesses. Virus detection is an effective tool but primarily focuses on malicious code from external sources. Change management controls the process of introducing changes to systems. Changes that are not properly reviewed before implementation can disrupt or alter established controls in an otherwise secure, stable environment.
Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems? A. Patch management B. Change management C. Security baselines D. Virus detection
Change management Justification Patch management involves the correction of software weaknesses and would necessarily follow change management procedures. Change management controls the process of introducing changes to systems and controlling unauthorized changes to production, which are often the points at which weaknesses will be introduced. Security baselines provide minimum recommended settings and do not prevent the introduction of control weaknesses. Virus detection is an effective tool but primarily focuses on malicious code from external sources. It is unrelated to the introduction of vulnerabilities.
Which of the following BEST ensures that modifications made to in-house developed business applications do not introduce new security exposures? A. Stress testing B. Patch management C. Change management D. Security baselines
Change management Justification Stress testing ensures that there are no scalability problems. Patch management involves the correction of software weaknesses and helps ensure that newly identified exploits are mitigated in a timely fashion. Change management controls the process of introducing changes to systems to ensure that unintended changes are not introduced; within change management, regression testing is specifically designed to prevent the introduction of new security exposures when making modifications. Security baselines provide minimum required security settings.
Which of the following is the BEST way to verify that all critical production servers are utilizing up-to-date virus signature files? A. Verify the date that signature files were last pushed out. B. Use a recently identified benign virus to test if it is quarantined. C. Research the most recent signature file and compare to the console. D. Check a sample of servers that the signature files are current.
Check a sample of servers that the signature files are current. Justification The fact that an update was pushed out to a server does not guarantee that it was properly loaded onto that server. Personnel should never release a virus, no matter how benign. Checking the vendor information to the management console would still not indicate whether the file was properly loaded on the server. The only accurate way to check the signature files is to look at a sample of servers.
Which one of the following factors affects the extent to which controls should be layered? A. Impact on productivity B. Common failure modes C. Maintenance cost of controls D. Controls that fail in a closed condition
Common failure modes Justification A negative impact on productivity could indicate that controls may be too restrictive, but it is not a consideration for layering. Common failure modes in existing controls must be addressed by adding or modifying controls so they fail under different conditions. This is done to manage the aggregate risk of total control failure. Excessive maintenance costs will probably increase and not be addressed by layering additional controls.
Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual needing to have their password reset? A. Performing reviews of password resets B. Conducting security awareness programs C. Increasing the frequency of password changes D. Implementing automatic password syntax checking
Conducting security awareness programs Justification Performing reviews of password resets may be desirable but will not be effective in reducing the likelihood of a social engineering attack. Social engineering can be mitigated best through periodic security awareness training for staff members who may be the target of such an attempt. Changing the frequency of password changes may be desirable but will not reduce the likelihood of a social engineering attack. Strengthening passwords is desirable but will not reduce the likelihood of a social engineering attack.
Which of the following security controls addresses availability? A. Least privilege B. Public key infrastructure C. Role-based access D. Contingency planning
Contingency planning Justification Least privilege is an access control that is concerned with confidentiality. Public key infrastructure is concerned with confidentiality and integrity. Role-based access limits access but does not directly address availability. Contingency planning ensures that the system and data are available in the event of a problem.
Which of the following would raise security awareness among an enterprise's employees? A. Distributing industry statistics about security incidents B. Monitoring the magnitude of incidents C. Encouraging employees to behave in a more conscious manner D. Continually reinforcing the security policy
Continually reinforcing the security policy Justification Distributing industry statistics about security incidents would have little bearing on the employee's behavior. Monitoring the magnitude of incidents does not involve the employees. Encouraging employees to behave in a more conscious manner could be an aspect of continual reinforcement of the security policy. Employees must be continually made aware of the policy and expectations for their behavior.
Which of the following conditions is MOST likely to require that a corporate standard be modified? A. The standard does not conform to procedures. B. IT staff does not understand the standard. C. The standard is inconsistent with guidelines. D. Control objectives are not being met.
Control objectives are not being met. Justification If a procedure does not meet the standard, the procedure must be changed, not the standard. IT staff not understanding the standard may require clarification and/or training. Inconsistencies with the guidelines require that the guidelines be changed to conform to the standard. If conformance with the standard does not achieve control objectives, the standard requires modification.
Assuming that the value of information assets is known, which of the following gives the information security manager the MOST objective basis for determining that the information security program is delivering value? A. Number of controls B. Cost of achieving control objectives C. Effectiveness of controls D. Test results of controls
Cost of achieving control objectives Justification The number of controls has no correlation with the value of assets unless the effectiveness of the controls and their cost are also evaluated. A comparison of the cost of achieving control objectives with the corresponding value of the assets to be protected would provide a sound basis for the information security manager to measure value delivery. Effectiveness of controls has no correlation with the value of assets unless their costs are also evaluated. Test results of controls may determine their effectiveness but have no correlation with the value of assets.
What is the PRIMARY basis for the selection of controls and countermeasures? A. Eliminating IT risk B. Cost-benefit balance C. Resource management D. The number of assets protected
Cost-benefit balance Justification The focus must include procedural, operational and other risk—not just IT risk. The balance between cost and benefits should direct controls selection. Resource management is not directly related to controls. The implementation of controls is based on the impact and risk, not on the number of assets.
The classification level of an asset must be PRIMARILY based on which of the following choices? A. Criticality and sensitivity B. Likelihood and impact C. Valuation and replacement cost D. Threat vector and exposure
Criticality and sensitivity Justification The extent to which an asset is critical to business operations or can damage the enterprise if disclosed is the primary consideration for the level of protection required. Asset classification is driven by criticality and sensitivity, not likelihood of compromise. Probability and frequency are considerations of risk and not the main consideration of asset classification. Threat vector and exposure together do not provide information on impact needed for classification.
What is the MOST important success factor to design an effective IT security awareness program? A. Customization of content to the target audience B. Representation of senior management C. Training of staff across all hierarchical levels D. Replacing technical jargon with concrete examples
Customization of content to the target audience Justification Awareness training can only be effective if it is customized to the expectations and needs of attendees. Needs will be quite different depending on the target audience and will vary between business managers, end users and IT staff; program content and the level of detail communicated will, therefore, be different. Representation of senior management is important; however, the customization of content is the most important factor. Training of staff across all hierarchical levels is important; however, the customization of content is the most important factor. Replacing technical jargon with concrete examples is a good practice; however, the customization of content is the most important factor.
Which of the following BEST accomplishes secure customer use of an e-commerce application? A. Data encryption B. Digital signatures C. Strong passwords D. Two-factor authentication
Data encryption Justification Encryption is the preferred method of ensuring confidentiality in customer communications with an e-commerce application. A digital signature is not a practical solution because there is typically no client-side certificate and integrity of the communication cannot be ensured. Strong passwords, by themselves, would not be sufficient because the data could still be intercepted. Two-factor authentication would be impractical and provide no assurance that data have not been modified through a man-in-the-middle attack.
What does the effectiveness of virus detection software MOST depend on? A. Packet filtering B. Intrusion detection C. Software upgrades D. Definition files
Definition files Justification Packet filtering does not focus on virus detection. Intrusion detection does not address virus detection. Software upgrades are related to the periodic updating of the program code, which would not be critical. The effectiveness of virus detection software depends on virus signatures, which are stored in virus definition files.
Which of the following choices is a MAJOR concern with using the database snapshot of the audit log function? A. Degradation of performance B. Loss of data integrity C. Difficulty maintaining consistency D. Inflexible configuration change
Degradation of performance Justification Evidential capability increases if data are taken from a location that is close to the origination point. For database auditing, activation of a built-in log may be ideal. However, there is a trade-off: the more elaborate logging becomes, the slower the performance, so it is important to strike a balance. If the database recovery log is impaired, there is a chance that data integrity may be lost. However, it is unlikely that audit logging will impair the integrity of the database. Database replication functionality will control the consistency between database instances. It is difficult to judge whether configuration change will become complex as the result of audit log activation; it depends on many factors. Therefore, this is not the best option.
Inherent control strength is PRIMARILY a function of which of the following? A. Implementation B. Design C. Testing D. Policy
Design Justification Improper implementation can affect design control strength; however, even good implementation is not likely to overcome poor design. Inherent control strength is mainly achieved by proper design. Testing is important to determine whether design strength has been achieved but will generally not solve design problems. Policy support for appropriate controls is important but is generally too high level to ensure that a design has inherent control strength.
Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender? A. Biometric authentication B. Embedded steganographic C. Two-factor authentication D. Embedded digital signature
Embedded digital signature Justification Biometric authentication does not ensure the authenticity of the data, just the identity of the sender. Steganography is a form of encryption that may ensure integrity but not identity. Two-factor authentication does not ensure the authenticity of the data, just the identity of the sender. A digital signature ensures both the identity of the sender and the integrity of the data.
Which of the following is the BEST way to mitigate the risk of the database administrator reading sensitive data from the database? A. Log all access to sensitive data. B. Employ application-level encryption. C. Install a database monitoring solution. D. Develop a data security policy.
Employ application-level encryption. Justification Access logging can be easily turned off by the database administrator. Data encrypted at the application level that is stored in a database cannot be viewed in cleartext by the database administrator. A database monitoring solution can be bypassed by the database administrator. A security policy will only be effective if the database administrator chooses to adhere to the policy.
What is the BEST method for mitigating against network denial-of-service (DoS) attacks? A. Ensure all servers are up to date on operating system patches. B. Employ packet filtering to drop suspect packets. C. Implement network address translation to make internal addresses non-routable. D. Implement load balancing for Internet-facing devices.
Employ packet filtering to drop suspect packets. Justification In general, patching servers will not affect network traffic. Packet filtering techniques are the only ones that reduce network congestion caused by a network denial-of-service (DoS) attack. Implementing network address translation would not be effective in mitigating most network DoS attacks. Load balancing would not be as effective in mitigating most network DoS attacks.
When securing wireless access points, which of the following controls would BEST assure confidentiality? A. Implementing wireless intrusion prevention systems B. Not broadcasting the service set identifier C. Implementing wired equivalent privacy authentication D. Enforcing a virtual private network over wireless
Enforcing a virtual private network over wireless Justification A wireless intrusion prevention system is a detective system and would not prevent wireless sniffing. Not broadcasting the service set identifier does not reduce the risk of wireless packets being captured. Wired equivalent privacy authentication is known to be weak and does not protect individual confidentiality. Enforcing a virtual private network over wireless is the best option to enforce strong authentication and encryption of the sessions.
What is the BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures? A. Perform penetration testing. B. Establish security baselines. C. Implement vendor default settings. D. Link policies to an independent standard.
Establish security baselines. Justification Penetration testing will not be the most effective and can only be performed periodically. Security baselines will provide the best assurance that each platform meets minimum security criteria. Vendor default settings will not necessarily meet the criteria set by the security policies. Linking policies to an independent standard will not provide assurance that the platforms meet the relevant security levels.
A control policy is MOST likely to address which of the following implementation requirements? A. Specific metrics B. Operational capabilities C. Training requirements D. Failure modes
Failure modes Justification A control policy may specify a requirement for monitoring or metrics but will not define specific metrics. Operational capabilities will likely be defined in specific requirements or in a design document rather than in the control policy. There may be a general requirement for training but not control-specific training, which will be dependent on the particular control. A control policy will state the required failure modes in terms of whether a control fails open or fails closed, which has implications for safety, confidentiality and availability.
Business management is finalizing the contents of a segregation of duties matrix to be loaded in a purchase order system. Which of the following should the information security manager recommend in order to BEST improve the effectiveness of the matrix? A. Ensure approvers are aligned with the organizational chart B. Trace approvers' paths to eliminate routing deadlocks C. Set triggers to go off in the event of exceptions D. Identify conflicts in the approvers' authority limits
Identify conflicts in the approvers' authority limits Justification The approver structure in a purchase order system may not necessarily be in sync with the organizational structure. Depending on business requirements, a modified hierarchy is acceptable purely in terms of approving certain transactions. It is rare that the structure of an approver's routing path will end up with deadlocks. If a highly complicated approval structure is developed, something similar to a deadlock may occur (e.g., it takes a very long time until a request is approved). Even so, it is unlikely that routing effectiveness becomes a primary driver for quality improvement. Setting triggers to go off in the event of exceptions is a technical feature to be implemented inside the database. It is not relevant advice to be given to business management. In order to make the segregation of duties matrix complete, it is best to ensure that no conflicts exist in approvers' authorities. If there are any, they will introduce a flaw in the control, resulting in the successful execution of unauthorized transactions.
What is the PRIMARY purpose of performing an internal attack and penetration test? A. Identify weaknesses in network and server security. B. Identify ways to improve the incident response process. C. Identify attack vectors on the network perimeter. D. Identify the optimum response to internal hacker attacks.
Identify weaknesses in network and server security. Justification Internal attack and penetration tests are designed to identify weaknesses in network and server security. Internal attack and penetration tests do not focus on incident response. The network perimeter is about external attacks. Possible responses can be a secondary follow-up effort after the internal attack and penetration test.
Why is asset classification important to a successful information security program? A. It determines the priority and extent of risk mitigation efforts. B. It determines the amount of insurance needed in case of loss. C. It determines the appropriate level of protection to the asset. D. It determines how protection levels compare to peer enterprises.
It determines the appropriate level of protection to the asset. Justification Classification does not determine the priority and extent of the risk mitigation efforts; prioritization of risk mitigation efforts is generally based on risk analysis or a business impact analysis. Classification does not establish the amount of insurance needed; insurance is often not a viable option. Classification is based on the value of the asset to the enterprise and helps establish the protection level in proportion to the value of the asset. Classification schemes differ from enterprise to enterprise and are often not suitable for benchmarking.
What is the PRIMARY benefit of performing an information asset classification? A. It links security requirements to business objectives. B. It identifies controls commensurate with impact. C. It defines access rights. D. It establishes asset ownership.
It identifies controls commensurate with impact. Justification Asset classification indirectly links security to business objectives on the basis of business value of assets. Classification levels are based on the business value (or potential impact) of assets and the stronger controls needed for higher classification. Classification does not define access rights. Classification does not establish ownership.
Which of the following BEST mitigates a situation in which an application programmer requires access to production data? A. Create a separate account for the programmer as a power user. B. Log all the programmers' activity for review by supervisor. C. Have the programmer sign a letter accepting full responsibility. D. Perform regular audits of the application.
Log all the programmers' activity for review by supervisor. Justification Creating a separate account for the programmer as a power user does not solve the problem. It is not always possible to provide adequate segregation of duties between programming and operations in order to meet certain business requirements. A mitigating control is to record all the programmers' actions for later review by their supervisor, which would detect any inappropriate action on the part of the programmer. Having the programmer sign a letter accepting full responsibility is not an effective control. Performing regular audits of the application is not relevant to determine if programmer activities are appropriate.
In a financial institution, under which of the following circumstances will policies MOST likely need modification? A. Current access controls have been insufficient to prevent a series of serious network breaches. B. The information security manager has determined that compliance with configuration standards is inadequate. C. The results of an audit have identified a going concern issue with the enterprise. D. Management has mandated compliance with a newly enacted set of information security requirements.
Management has mandated compliance with a newly enacted set of information security requirements. Justification Necessary modifications to access controls are most likely going to be reflected in standards, not policy. Compliance with existing standards is not likely to require a policy change; better enforcement may be needed. If the viability of the enterprise is in doubt (going concern), it is not likely that a change in policy will solve the problem. A new set of regulations requiring significant changes to the information security program most likely will be reflected in modifications of policy.
What is the MOST effective access control method to prevent users from sharing files with unauthorized users? A. Mandatory B. Discretionary C. Walled garden D. Role-based
Mandatory Justification Mandatory access controls restrict access to files based on the security classification of the file. This prevents users from sharing files with unauthorized users. Discretionary access controls are not as effective as mandatory access controls in preventing file-sharing. A walled garden is an environment that controls a user's access to web content and services. In effect, the walled garden directs the user's navigation within particular areas and does not necessarily prevent sharing of other material. Role-based access controls grant access ac
An information security manager has implemented an automated process to compare physical access using swipe cards operated by the physical security department with logical access in the single sign-on (SSO) system. What is the MOST likely use for this information? A. Monitoring a key risk indicator B. Determining whether staff is piggybacking C. Overseeing the physical security department D. Evaluating the SSO process
Monitoring a key risk indicator Justification Discrepancies between physical and logical access can occur for a variety of reasons, but all are indications that something is wrong and risk is elevated. Discrepancies could indicate piggybacking, shared passwords or attempts at unauthorized access, and therefore, this monitoring can serve as a key risk indicator (KRI). Potential piggybacking can be flagged if more individuals log in from within the network than physically enter the facility; however, this is just one KRI. Although this information could indicate that the physical access control is not functioning properly, the responsibility for oversight of the physical security department is not usually a function of the information security manager. Comparing physical access and logical access is not an effective way to monitor the single sign-on (SSO) system, and there are other methods more specific and useful for this purpose.
Which of the following represents a PRIMARY area of interest when conducting a penetration test? A. Data mining B. Network mapping C. Intrusion detection system D. Customer data
Network mapping Justification Data mining is associated with ad hoc reporting and is a potential target after the network is penetrated. Network mapping is the process of determining the topology of the network one wishes to penetrate. It is one of the first steps toward determining points of attack in a network. The intrusion detection mechanism in place is not an area of focus because one of the objectives is to determine how effectively it protects the network or how easy it is to circumvent. Customer data, together with data mining, is a potential target after the network is penetrated.
Which of the following is MOST effective in preventing security weaknesses in operating systems? A. Patch management B. Change management C. Security baselines D. Configuration management
Patch management Justification Patch management corrects discovered weaknesses by applying a correction (a patch) to the original program code. Change management controls the process of introducing changes to systems. Security baselines provide minimum recommended settings. Configuration management controls the updates to the production environment.
Which of the following ensures that newly identified security weaknesses in an operating system are mitigated in a timely fashion? A. Patch management B. Change management C. Security baselines D. Acquisition management
Patch management Justification Patch management involves the correction of software weaknesses and helps ensure that newly identified exploits are mitigated in a timely fashion. Change management controls the process of introducing changes to systems. Security baselines provide minimum required settings. Acquisition management controls the purchasing process.
Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack? A. Use an intrusion detection system. B. Establish minimum security baselines. C. Implement vendor-recommended settings. D. Perform periodic penetration testing.
Perform periodic penetration testing. Justification An intrusion detection system may detect an attempted attack, but it will not confirm whether the perimeter is secure. Minimum security baselines are beneficial, but they will not provide the level of assurance that is provided by penetration testing. Vendor-recommended settings may be used to harden systems but provide little assurance that other vulnerabilities do not exist, which may be exposed by penetration testing. Penetration testing is the best way to assure that perimeter security is adequate.
What is the BEST method to confirm that all firewall rules and router configuration settings are adequate? A. Periodic review of network configuration B. Review of intrusion detection system logs for evidence of attacks C. Periodically perform penetration tests D. Daily review of server logs for evidence of hacker activity
Periodically perform penetration tests Justification Due to the complexity of firewall rules and router tables, plus the sheer size of intrusion detection systems (IDSs) and server logs, a physical review would be complex, time-consuming and probably insufficient. Reviewing IDS logs for evidence of attacks would not indicate whether the settings were adequate. The best approach for confirming the adequacy of these configuration settings is to periodically perform attack and penetration tests. Evidence of hacker activity has little to do with configuration adequacy.
Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a publicly traded, multinational enterprise? A. Strategic business plan B. Upcoming financial results C. Customer personal information D. Previous financial results
Previous financial results Justification The strategic business plan is private information and should only be accessed by authorized entities. Upcoming financial results are private information and should only be accessed by authorized entities. Customer personal information is private information and should only be accessed by authorized entities. Previous financial results are public; all the other choices are private information and should only be accessed by authorized entities.
Which of the following is the PRIMARY driver for initial implementation of a risk-based information security program? A. Prioritization B. Motivation C. Optimization D. Standardization
Prioritization Justification Because enterprises rarely have adequate resources to address all concerns, a risk-based information security program is typically implemented to provide a basis for efficient allocation of limited resources. Motivation is useful in getting the job done but is not necessarily a result of implementing a risk-based information security program. Optimization is a long-term benefit associated with a mature risk-based program. It does not present itself during initial implementation. Standardization is a technique that offers numerous benefits and may support risk management activities. It is not the result of a focus on risk.
If a defined threat needs to be addressed and a preventive control is not feasible, the next BEST option is to do which of the following activities? A. Use a deterrent control. B. Reduce exposure. C. Use a compensating control. D. Reassess the risk.
Reduce exposure. Justification Using a deterrent control will have only a limited effect on the possibility of compromise. Reducing exposure reduces the probability that a risk can be exploited. Using a compensating control will serve to limit impact, but do nothing to prevent exploitation. Reassessing risk may provide a clearer picture of the risk but does nothing to reduce exploitation.
What is the MOST important reason for conducting security awareness programs throughout an enterprise? A. Reducing the human risk B. Maintaining evidence of training records to ensure compliance C. Informing business units about the security strategy D. Training personnel in security incident response
Reducing the human risk Justification People are the weakest link in security implementation, and awareness would reduce this risk. Maintaining evidence of training is useful but far from the most important reason for conducting awareness training. Informing business units about the security strategy is best done through steering committee meetings or other forums. Security awareness training is not generally for security incident response.
An enterprise has recently developed and approved an access control policy. Which of the following will be MOST effective in communicating the access control policy to the employees? A. Requiring employees to formally acknowledge receipt of the policy B. Integrating security requirements into job descriptions C. Making the policy available on the intranet D. Implementing an annual retreat for employees on information security
Requiring employees to formally acknowledge receipt of the policy Justification Requiring employees to formally acknowledge receipt of the policy does not guarantee that the policy has been read or understood but establishes employee acknowledgment of the existence of the new policy. Each communication should identify a point of contact for follow-up questions. Current employees do not necessarily reread job descriptions that would contain the new policy. Making the policy available on the intranet does not ensure that the document has been read, nor does it create an audit trail that establishes that employees have been made aware of the policy. An annual event may not be timely and may not rectify significant gaps in awareness.
Which of the following provides the BEST defense against the introduction of malware in end-user computers via the Internet browser? A. Input validation checks on structured query language injection B. Restricting access to social media sites C. Deleting temporary files D. Restricting execution of mobile code
Restricting execution of mobile code Justification Input validation checks on structured query language injection do not apply to this scenario. Restricting access to social media sites may be helpful, but such sites are not the primary source of malware. Deleting temporary files is not applicable to this scenario. Restricting execution of mobile code is the most effective way to avoid introduction of malware into end users' computers.
The MOST direct way to accurately determine the control baseline in an IT system is to do which of the following activities? A. Review standards and system compliance. B. Sample hardware and software configurations. C. Review system and server logs for anomalies. D. Perform internal and external penetration tests.
Review standards and system compliance. Justification A control baseline is obtained by reviewing the standards to determine whether the baseline falls within the boundaries set by the standards. Sampling hardware configurations without knowing the control requirements reflected in the standards provides information on the current state but not on how that state relates to the intended state. Anomalies in system logs do not necessarily indicate that baseline security is incorrect, nor does an absence of abnormalities mean that the baseline is correct. Penetration tests that reveal vulnerabilities must be evaluated in the context of the control requirements set by the standard.
Which of the following is the MOST cost-effective type of access control? A. Centralized B. Role-based C. Decentralized D. Discretionary
Role-based Justification Centralized access control is not a type of access control but a form of administration. Role-based access control allows users to be grouped into job-related categories, which significantly eases the required administrative overhead. In most enterprises there are fewer roles than employees, and roles change far less frequently. Decentralized access control is not a type of access control but an administrative approach. Discretionary access control would require a greater degree of administrative overhead because it is based on each individual rather than on groups of individuals.
An enterprise has implemented an enterprise resource planning system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate? A. Rule-based B. Mandatory C. Discretionary D. Role-based
Role-based Justification Rule-based access control needs to define the individual access rules, which is troublesome and error prone in large enterprises. In mandatory access control, the individual's access to information resources is based on a clearance level that needs to be defined, which is troublesome in large enterprises. In discretionary access control, users have access to resources based on delegation of rights by someone with the proper authority, which requires a significant amount of administration and overhead. Role-based access control is effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Which of the following is the MOST effective solution for preventing individuals external to the enterprise from modifying sensitive information on a corporate database? A. Screened subnets B. Information classification policies and procedures C. Role-based access control D. Intrusion detection system
Screened subnets Justification Screened subnets are demilitarized zones and are oriented toward preventing attacks on an internal network by external users. The policies and procedures to classify information will ultimately result in better protection, but they will not prevent actual modification. Role-based access controls help ensure that users only have access to files and systems appropriate for their job role. Intrusion detection systems are useful to detect invalid attempts, but they will not prevent attempts.
Which of the following challenges associated with information security documentation is MOST likely to affect a large, established enterprise? A. Standards change more slowly than the environment. B. Policies change faster than they can be distributed. C. Procedures are ignored to meet operational requirements. D. Policies remain unchanged for long periods of time.
Standards change more slowly than the environment. Justification Large, established enterprises tend to have numerous layers of review and approval associated with changes to standards. These review mechanisms are likely to be outpaced by changes in technology and the risk environment. Policies are meant to reflect strategic goals and objectives. In small or immature enterprises, the policy model may be poorly implemented, resulting in rapid changes to policies that are treated more like standards, but this situation is unlikely to arise in a large, established enterprise. Large, established enterprises typically have formal training programs and internal controls that keep activities substantially in line with published procedures. Although policies should be subject to periodic review and not be regarded as static, properly written policies should require significant changes only when there are substantial changes in strategic goals and objectives. It is reasonable that a large, established enterprise would experience policy changes only rarely.
Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network? A. Boundary router B. Strong encryption C. Internet-facing firewall D. Intrusion detection system
Strong encryption Justification Boundary routers would do little to secure wireless networks. Strong encryption is the most effective means of protecting wireless networks. An Internet-facing firewall would offer no protection from a local attack on a wireless network. Compromise of weak encryption would not be detected by an intrusion detection system.
In which of the following system development life cycle phases are access control and encryption algorithms chosen? A. Procedural design B. Architectural design C. System design specifications D. Software development
System design specifications Justification The procedural design converts structural components into a procedural description of the software. The architectural design is the phase that identifies the overall system design but not the specifics. The system design specifications phase is the phase that identifies security specifications. Software development is too late a stage because during this phase the system is already being coded.
What is the BIGGEST concern for an information security manager reviewing firewall rules? A. The firewall allows source routing. B. The firewall allows broadcast propagation. C. The firewall allows unregistered ports. D. The firewall allows nonstandard protocols.
The firewall allows source routing. Justification If the firewall allows source routing, any outsider can carry out spoofing attacks by stealing the internal (private) Internet Protocol addresses of the enterprise. Broadcast propagation does not create a significant security exposure. Unregistered ports are a poor practice but do not necessarily create a significant security exposure. Nonstandard protocols can be filtered and do not necessarily create a significant security exposure.
Which of the following is the BEST indicator that security controls are performing effectively? A. The monthly service level statistics indicate minimal impact from security issues. B. The cost of implementing security controls is less than the value of the assets. C. The percentage of systems that are compliant with security standards is satisfactory. D. Audit reports do not reflect any significant findings on security.
The monthly service level statistics indicate minimal impact from security issues. Justification The best indicator of effective security control is the evidence of acceptable disruption to business operations. The cost of implementing controls is unrelated to their effectiveness. The percentage of systems that are compliant with security standards is not an indicator of their effectiveness. Audit reports that do not reflect any significant findings on security can support this evidence, but this is generally not sufficiently frequent to be a useful management tool and is only supplemental to monthly service level statistics.
Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system with the threshold set to a low value? A. The number of false positives increases B. The number of false negatives increases C. Active probing is missed D. Attack profiles are ignored
The number of false positives increases Justification Failure to tune an intrusion detection system will result in many false positives, especially when the threshold is set to a low value. An increase in false negatives is less likely given the fact that the threshold for sounding an alarm is set to a low value. Missed active probing is less likely given the fact that the threshold for sounding an alarm is set to a low value. Ignored attack profiles are less likely given the fact that the threshold for sounding an alarm is set to a low value.
When implementing a cloud computing solution that will provide software as a service (SaaS) to the enterprise, what is the GREATEST concern for the information security manager? A. The lack of clear regulations regarding the storage of data with a third party B. The training of the users to access the new technology properly C. The risk of network failure and the resulting loss of application availability D. The possibility of disclosure of sensitive data in transit or storage
The possibility of disclosure of sensitive data in transit or storage Justification Disclosure of sensitive data is a primary concern of the information security manager. Many jurisdictions have regulations regarding data privacy. The concern of the information security manager is compliance with those regulations, not the lack of regulations. The training of how to use software as a service (SaaS) is no different from the need for training required for more traditional solutions. In most cases, the use of SaaS is fairly simple and requires minimal technology but is not within the scope of the information security manager's responsibility in any case. Loss of application availability as a result of network failure is an inherent risk associated with SaaS and must be taken into account by the enterprise as part of the decision to move to cloud computing, but this is a business decision rather than a principal concern of the information security manager.
In a large enterprise, what makes an information security awareness program MOST effective? A. The program is developed by a professional training company. B. The program is embedded into the orientation process. C. The program is customized to the audience using the appropriate delivery channel. D. The program is required by the information security policy.
The program is customized to the audience using the appropriate delivery channel. Justification The program does not have to be developed by a professional training company to be effective. The awareness program should be embedded into the orientation process for new employees, but that does not necessarily indicate efficacy. An awareness program should be customized for different types of audiences (e.g., new employees, system administrators, sales) and use appropriate delivery channels (e.g., posters or e-learning). Being required by policy does not make the program more effective.
The facilities department of a large financial enterprise uses electronic swipe cards to manage physical access. The information security manager requests that facilities provide the manager with read-only access to the physical access data. What is the MOST likely purpose? A. To monitor personnel compliance with contract provisions B. To determine who is in the building in case of fire C. To compare logical and physical access for anomalies D. To ensure that the physical access control system is operating correctly
To compare logical and physical access for anomalies Justification Contract compliance monitoring would usually not be part of an information security manager's role. The physical security and emergency response personnel should be monitoring presence in the building in case of fire. Any differences between physical and logical access may indicate one of several risk scenarios, such as personnel not swiping in and tailgating, password sharing, or system compromise, and serves as a key risk indicator. Some of the best security metrics come from non-security-related activities. The correct operation of the system is likely the responsibility of IT, although a periodic validation by security is prudent.
What is the PRIMARY purpose of installing an intrusion detection system? A. To identify weaknesses in network security B. To identify patterns of suspicious access C. To identify how an attack was launched on the network D. To identify potential attacks on the internal network
To identify potential attacks on the internal network Justification An intrusion detection system is not designed to identify weaknesses in network security. An intrusion detection system is not designed to identify patterns of suspicious logon attempts. Identifying how an attack was launched is secondary. The most important function of an intrusion detection system is to identify potential attacks on the network.
What is the MAIN objective for developing an information security program? A. To create the information security policy B. To maximize system uptime C. To develop strong controls D. To implement the strategy
To implement the strategy Justification The policy should not be written for its own sake. To be effective, the policy must address the threat and risk landscape that is usually the basis for strategy development. The degree of uptime required will be defined as a part of strategy development, balanced against costs. Not all controls need to be strong, and the degree of control must be determined by cost-effectiveness, impact on productivity and other factors. The information security strategy provides the development road map from which the program is built.
Which of the following technologies is utilized to ensure that an individual connecting to a corporate internal network over the Internet is not an intruder masquerading as an authorized user? A. Intrusion detection system B. IP address packet filtering C. Two-factor authentication D. Embedded digital signature
Two-factor authentication Justification An intrusion detection system can be used to detect an external attack but would not help in authenticating a user attempting to connect. IP address packet filtering would protect against spoofing an internal address but would not provide strong authentication. Two-factor authentication provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network. Digital signatures ensure that transmitted information can be attributed to the named sender.
Which of the following is the MOST important consideration when briefing board executives about the current state of the information security program? A. Include a program metrics dashboard. B. Include third-party audit results. C. Use a balanced score card to show business alignment. D. Use appropriate language for the target audience.
Use appropriate language for the target audience. Justification A program metrics dashboard will not be very effective without connections to business requirements. Third-party audit results may be helpful, but if the board does not understand the content, they are less useful. The balanced score card may be helpful, but if the board does not understand the content, it is less useful. When reporting to board executives, it is most important to use business terms that the target audience will understand to effectively communicate the message.
Which of the following presents the GREATEST exposure to internal attack on a network? A. User passwords are not automatically expired. B. All network traffic goes through a single switch. C. User passwords are encoded but not encrypted. D. All users reside on a single internal subnet.
User passwords are encoded but not encrypted. Justification Not setting user passwords to automatically expire does create an exposure, but not as great as having effectively unencrypted passwords. Using a single switch does not present a significant exposure. When passwords are sent over the internal network in an encoded form (for example, base64), the encoding can be reversed by anyone who can observe the traffic, without any key, so the passwords are effectively cleartext. Passwords should be encrypted in transit to provide adequate security. Using a single subnet does not present a significant exposure.
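Added worked example (not part of the original question bank) of why "encoded" is not "encrypted": HTTP Basic authentication carries user:password as base64, and anyone positioned on the internal network can reverse it with no key. The captured requests, host name, ports and credentials below are constructed for illustration; the sweep is what an insider or a compromised host could run over passively captured traffic.

```python
"""Added example: recovering encoded (not encrypted) passwords from captured
internal traffic.

The capture below is constructed for illustration (no real hosts or
credentials). HTTP Basic authentication sends "user:password" as base64,
which is an encoding, not encryption: there is no key, so observation of
the traffic is sufficient to recover the password.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed capture: one request per record, as a passive sensor might log
# it. Port 80 is plain HTTP; the port-443 record is TLS and unreadable.
CAPTURE = [
    {"dst_port": 80, "request":
        "GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
        "Authorization: Basic YWRtaW46UzNjcmV0UGFzcyE=\r\n\r\n"},
    {"dst_port": 80, "request":
        "GET /reports HTTP/1.1\r\nHost: intranet.example\r\n"
        "Authorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"},
    {"dst_port": 80, "request":
        "GET /public HTTP/1.1\r\nHost: intranet.example\r\n\r\n"},
    {"dst_port": 443, "request": "<encrypted TLS record, not readable>"},
]

_BASIC = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                    re.IGNORECASE | re.MULTILINE)


def recover_basic_credentials(request: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) if the request carries Basic auth, else None."""
    match = _BASIC.search(request)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed header: nothing to recover
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def sweep_capture(capture: List[dict]) -> List[dict]:
    """Walk captured requests and report every credential an observer on the
    internal network could recover without any key."""
    findings = []
    for record in capture:
        creds = recover_basic_credentials(record["request"])
        if creds:
            findings.append({"dst_port": record["dst_port"],
                             "user": creds[0], "password": creds[1]})
    return findings


if __name__ == "__main__":
    for finding in sweep_capture(CAPTURE):
        print(finding)  # two cleartext credential pairs from the port-80 traffic
```

The fix is not a stronger encoding but encryption in transit (TLS), which turns the third record's unreadable blob into the norm for every authenticated request. At rest, the same reasoning applies: stored passwords should be salted and hashed, not encoded.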
Which program element should be implemented FIRST in asset classification and control? A. Risk assessment B. Classification C. Valuation D. Risk mitigation
Valuation Justification Risk assessment is performed to identify and quantify threats to information assets that are selected by the first step, valuation. Classification is a step following valuation. Valuation is performed first to identify and understand the value of assets needing protection. Risk mitigation is a step following valuation based on the valuation.
In what circumstances should mandatory access controls be used? A. When the enterprise has a high risk tolerance B. When delegation of rights is contrary to policy C. When the control policy specifies continuous oversight D. When access is permitted, unless explicitly denied
When delegation of rights is contrary to policy Justification Mandatory access controls (MACs) are a restrictive control employed in situations of low risk tolerance. With MAC, the security policy is centrally controlled by a security policy administrator, and users do not have the ability to delegate rights. A requirement for continuous oversight is not related to MACs. MACs do not allow access as a default condition.
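Added worked example (not part of the original question bank): a toy mandatory access control reference monitor next to a discretionary ACL, to make concrete what "users do not have the ability to delegate rights" and "do not allow access as a default condition" mean in code. The labels, principals and object names are constructed; the policy is a Bell-LaPadula style lattice, which is one common MAC model rather than the only one.

```python
"""Added example: mandatory (MAC) versus discretionary (DAC) access decisions.

Labels, subjects and objects are constructed for illustration. Under MAC the
decision is computed from labels that only the policy administrator can set:
a subject may read an object only if its label dominates the object's (no
read up) and write only if the object's label dominates its own (no write
down). There is no "grant" operation, and anything unlabeled is denied.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


class MacMonitor:
    """Reference monitor: labels are assigned centrally, decisions are
    derived from them, and no subject can extend another's access."""

    def __init__(self, admin: str):
        self.admin = admin
        self.subjects: Dict[str, Label] = {}
        self.objects: Dict[str, Label] = {}

    def _require_admin(self, by: str) -> None:
        if by != self.admin:
            raise PermissionError(f"{by} may not assign labels")

    def label_subject(self, by: str, subject: str, label: Label) -> None:
        self._require_admin(by)
        self.subjects[subject] = label

    def label_object(self, by: str, obj: str, label: Label) -> None:
        self._require_admin(by)
        self.objects[obj] = label

    def check(self, subject: str, obj: str, mode: str) -> bool:
        """True only if the lattice permits the access; everything else is denied."""
        s, o = self.subjects.get(subject), self.objects.get(obj)
        if s is None or o is None:
            return False                 # unlabeled subject or object
        if mode == "read":
            return s.dominates(o)        # simple security property
        if mode == "write":
            return o.dominates(s)        # *-property
        return False                     # unknown mode


class DacAcl:
    """Discretionary contrast: an object's owner can hand out rights at will,
    which is exactly the delegation MAC forbids."""

    def __init__(self):
        self.owner: Dict[str, str] = {}
        self.acl: Dict[str, Set[Tuple[str, str]]] = {}

    def create(self, owner: str, obj: str) -> None:
        self.owner[obj] = owner
        self.acl[obj] = {(owner, "read"), (owner, "write")}

    def grant(self, by: str, to: str, obj: str, mode: str) -> bool:
        if self.owner.get(obj) != by:
            return False
        self.acl[obj].add((to, mode))
        return True

    def check(self, subject: str, obj: str, mode: str) -> bool:
        return (subject, mode) in self.acl.get(obj, set())


if __name__ == "__main__":
    mac = MacMonitor(admin="secadmin")
    mac.label_subject("secadmin", "alice", Label("SECRET", frozenset({"CRYPTO"})))
    mac.label_subject("secadmin", "bob", Label("CONFIDENTIAL"))
    mac.label_object("secadmin", "keyplan.doc", Label("SECRET", frozenset({"CRYPTO"})))
    mac.label_object("secadmin", "newsletter.txt", Label("UNCLASSIFIED"))
    print(mac.check("alice", "keyplan.doc", "read"))      # True
    print(mac.check("bob", "keyplan.doc", "read"))        # False: no read up
    print(mac.check("alice", "newsletter.txt", "write"))  # False: no write down
    print(mac.check("mallory", "keyplan.doc", "read"))    # False: unlabeled
```

Alice cannot let Bob read keyplan.doc no matter how much she trusts him: the monitor exposes no call for it, and only the administrator can change Bob's label. That central, non-delegable control is what makes MAC appropriate where policy forbids delegation and risk tolerance is low, and also why it is expensive to operate in an environment that expects owners to share freely.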
In which of the following situations is continuous monitoring the BEST option? A. Where incidents may have a high impact and frequency B. Where legislation requires strong information security controls C. Where incidents may have a high impact but low frequency D. Where e-commerce is a primary business driver
Where incidents may have a high impact and frequency Justification Continuous monitoring control initiatives are expensive, so they should be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence. Regulations and legislation that require tight IT security measures focus on requiring enterprises to establish an IT security governance structure that manages IT security with a risk-based approach, so each enterprise decides which kinds of controls are implemented. Continuous monitoring is not necessarily a requirement. Measures such as contingency planning or insurance are commonly used when incidents rarely happen but have a high impact each time they happen. Continuous monitoring is unlikely to be necessary. Continuous control monitoring initiatives are not needed in all e-commerce environments. There are some e-commerce environments where the impact of incidents is not high enough to support the implementation of this kind of initiative.
For which of the following purposes would ethical hacking MOST likely be used? A. a process resiliency test at an alternate site. B. a substitute for substantive testing. C. a control assessment of legacy applications. D. a final check in a cyberattack recovery process.
a control assessment of legacy applications. Justification It is not common to conduct ethical hacking as part of disaster recovery testing at an alternate site. Substantive testing involves obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. Ethical hacking would not be used as a substitute for substantive testing. The problem with legacy applications is that there is typically not enough documentation to study their functionalities, including security controls. To assess control effectiveness, ethical hacking could be a more efficient way to find out weaknesses than reviewing program code. It is not necessarily a recommended practice to engage in ethical hacking in the last phase of a system recovery process after a cyberattack.
When performing a review of risk treatment options, the MOST important benefit to consider is: A. maximum risk mitigation. B. savings in control options. C. alignment with regulatory requirements. D. achieving control objectives.
achieving control objectives. Justification Control objectives are established on the basis of organizational risk appetite, so maximizing mitigation beyond the control objectives means incurring unnecessary cost. Cost is always a consideration, but an option cannot be considered to have saved money unless it also meets an objective. Regulatory requirements are considered no differently from any other consideration in the risk assessment process. Control objectives are established on the basis of risk appetite, which may or may not include accepting the risk of not complying with a regulation. Controls are designed and implemented to mitigate the risk. Hence, achievement of control objective is the most important benefit. No other benefit can offset failure to meet the control objectives.
An information security manager has instructed a system database administrator to implement native database auditing in order to meet regulatory requirements for privileged user monitoring. Which of the following is the PRIMARY reason that the database administrator would be concerned? Native database auditing: A. interferes with policy-driven event logging. B. affects production database performance. C. requires development of supplementary tools. D. impairs flexibility in configuration management.
affects production database performance. Justification Interference with policy-driven event logging is a potential concern but secondary to performance impact. Many database products come with a native audit log function. Although it can be easily activated, there is a risk that it may negatively impact the performance of the database. The need to develop supplementary tools is a potential concern but secondary to performance impact. Impaired flexibility in configuration management is not an issue.
Integrating a number of different activities in the development of an information security infrastructure is BEST achieved by developing: A. a business plan. B. an architecture. C. requirements. D. specifications.
an architecture. Justification A business plan may address some issues of integrating activities, but that is not its main purpose. An architecture allows different activities to be integrated under one design authority. Requirements do not generally address integration. Specifications do not address integration.
The MOST important aspect in establishing good information security policies is to ensure that they: A. have the consensus of all concerned groups. B. are easy to access by all employees. C. capture the intent of management. D. have been approved by the internal audit department.
capture the intent of management. Justification Having the consensus of all concerned groups is desirable but is not the most important aspect of good policies, which express the intent and direction of senior management. Easy availability of policies is important but not an indicator of good information security content and guidance. Policies should reflect the intent and direction of senior management, and this is the most important aspect of establishing good information security policies. The internal audit department tests compliance with policy, but it does not write the policies.
An information security manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT help desk with complaints of being unable to perform business functions on Internet sites. This is an example of: A. conflicting security controls with organizational needs. B. strong protection of information resources. C. implementing appropriate controls to reduce risk. D. proving information security's protective abilities.
conflicting security controls with organizational needs. Justification The needs of the enterprise were not considered, so there is a conflict. This is not an example of strong protection; the control blocks access indiscriminately rather than safeguarding anything the business relies on. A control that significantly restricts the ability of users to do their job is not appropriate. Proving protection abilities at an unacceptable cost or performance is a poor strategy. This control does not prove the ability to protect but proves the ability to interfere with business.
The information classification scheme should: A. consider possible impact of a security breach. B. classify personal information in electronic form. C. be performed by the information security manager. D. be based on a risk assessment.
consider possible impact of a security breach. Justification Data classification is determined by the business value of the asset (i.e., the potential impact on the business of the loss, corruption or disclosure of information). Classification of personal information in electronic form is an incomplete answer because it addresses only a subset of organizational data. Information classification is performed by the data owner based on accepted security criteria. The basis for classification is not the risk to a particular asset but the potential impact of its compromise; the classification holds regardless of the threats and vulnerabilities currently present.
When setting up an information classification scheme, the role of the information owner is to: A. ensure that all data on an information system are protected according to the classification policy. B. determine the classification of information across the information owner's scope of responsibility. C. identify all information that requires backup according to its criticality and classification. D. delegate the classification of information to responsible information custodians.
determine the classification of information across the information owner's scope of responsibility. Justification The information system owner is responsible for protecting data on an information system according to the information security policy and the mandate and classification of the information; the classification scheme would have been set up earlier. The information owner must determine the classification of information across the role's scope of responsibility and ensure that information is classified consistently. Identification of all information that requires backup according to classification will happen after the information classification scheme has been set up, and ensuring backup of data is the role of the information custodian and operations group. The information owner may delegate the classification to another responsible manager; however, this is not the advised role in setting up the classification scheme.
Determining which element of the confidentiality, integrity and availability (CIA) triad is MOST important is a necessary task when: A. assessing overall system risk. B. developing a controls policy. C. determining treatment options. D. developing a classification scheme.
developing a controls policy. Justification Overall risk is not affected by determining which element of the triad is of the greatest importance because overall risk is constructed from all known risk, regardless of the components of the triad to which each risk applies. Because preventive controls necessarily must fail in either an open or closed state (i.e., fail safe or fail secure), and failing open favors availability while failing closed favors confidentiality—each at the expense of the other—a clear prioritization of the triad components is needed to develop a controls policy. Although it is feasible that establishing a control that bolsters one component of the triad may diminish another, treatment options may be determined without a clear prioritization of the triad. Classification is based on the potential impact of compromise and is not a function of prioritization within the confidentiality, integrity and availability (CIA) triad.
A certificate authority is required for a public key infrastructure: A. in cases where confidentiality is an issue. B. when challenge/response authentication is used. C. except where users attest to each other's identity. D. in role-based access control deployments.
except where users attest to each other's identity. Justification The requirement of confidentiality is not relevant to the certificate authority (CA) other than to provide an authenticated user's public key. Challenge/response authentication is a protocol mechanism, not a trust model; whether a CA is needed depends on how the keys involved are trusted, not on the use of challenge/response. The role of the CA is not needed in implementations such as Pretty Good Privacy, where the authenticity of a user's public key is attested to by other users in a web of trust. If the role-based access control is PKI-based, either a CA is required or other trusted parties will have to attest to the validity of users.
When initially establishing an information security program, it is MOST important that managers: A. examine and understand the culture within the enterprise. B. analyze and understand the control system of the enterprise. C. identify and evaluate the overall risk exposure of the enterprise. D. examine and assess the security resources of the enterprise.
identify and evaluate the overall risk exposure of the enterprise. Justification Examining and understanding the culture within the enterprise is an important step in the overall evaluation process. Analyzing and understanding the control system is an essential step to determine what risk is addressed and what control objectives are currently in place. Identifying and evaluating the overall risk is most important, because it includes the other three elements, in addition to others. Examining and assessing security resources is important information in determining and evaluating overall risk and exposure of an enterprise.
A control for protecting an IT asset, such as a laptop computer, is BEST selected if the cost of the control is less than the: A. cost of the asset. B. impact on the business if the asset is lost or stolen. C. available budget. D. net present value.
impact on the business if the asset is lost or stolen. Justification While the control may be more expensive than the cost of the physical asset, such as a laptop computer, the impact to the business may be much higher and thus justify the cost of the control. Controls are selected based on their impact on the business due to the nonavailability of the asset rather than on the cost of the asset or the available budget. Budget availability is a consideration; however, this is not as important as the overall impact to the business if the asset is compromised. Net present value (NPV) calculations are not useful to determine the cost of a control. While a laptop computer might be fully amortized (or even expensed), the impact of the loss of the asset may be much higher than its NPV.
The implementation of an effective change management process is an example of a: A. corrective control. B. deterrent control. C. preventative control. D. compensating control.
preventative control. Justification A corrective control is designed to correct errors, omissions and unauthorized uses and intrusions once they are detected. Deterrent controls are intended to discourage individuals from intentionally violating information security policy or procedures. Change management is intended to reduce the introduction of vulnerability by unauthorized changes. An effective change management process can prevent (and detect) unauthorized changes. It requires formal approval, documentation and testing of all changes by a supervisory process. Compensating controls are meant to mitigate impact when existing controls fail. Change management is the primary control for preventing or detecting unauthorized changes. It is not compensating for another control that has that function.
Abnormal server communication from inside the enterprise to external parties may be monitored to: A. record the trace of advanced persistent threats. B. evaluate the process resiliency of server operations. C. verify the effectiveness of an intrusion detection system. D. support a nonrepudiation framework in e-commerce.
record the trace of advanced persistent threats. Justification The most important feature of targeted attacks, as seen in advanced persistent threats, is that malware secretly sends information back to a command and control server. Therefore, monitoring of outbound server communications that do not follow predefined routes will be the best control to detect such security events. Server communications are usually not monitored to evaluate the resiliency of server operations. The effectiveness of an intrusion detection system may not be verified by monitoring outbound server communications. Nonrepudiation may be supported by technology such as a digital signature; monitoring server communication does not in itself support nonrepudiation in an e-commerce framework.
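Added worked example (not part of the original question bank) of the monitoring the justification describes: detection logic run over a few outbound connection log lines. The log lines, server names, IP addresses (RFC 5737 documentation ranges) and the per-server allowlist of expected external destinations are all constructed. Two signals are combined: the destination is not one the server is expected to reach, and the connections recur at a machine-regular interval, which is how a command-and-control channel that polls for instructions tends to look.

```python
"""Added example: spotting anomalous outbound server traffic in connection logs.

Log lines, hosts, addresses (RFC 5737 documentation ranges) and the
allowlist are constructed for illustration. A (server, destination) pair is
reported when the destination is not on the server's predefined route list
or when the inter-connection gaps are nearly constant (beaconing).
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

LOG = """\
2024-05-01T10:00:00Z srv-db01 10.0.5.12 -> 10.0.1.20:5432 bytes=8192
2024-05-01T10:00:05Z srv-db01 10.0.5.12 -> 203.0.113.7:443 bytes=612
2024-05-01T10:01:05Z srv-db01 10.0.5.12 -> 203.0.113.7:443 bytes=618
2024-05-01T10:02:05Z srv-db01 10.0.5.12 -> 203.0.113.7:443 bytes=609
2024-05-01T10:03:06Z srv-db01 10.0.5.12 -> 203.0.113.7:443 bytes=611
2024-05-01T10:04:05Z srv-db01 10.0.5.12 -> 203.0.113.7:443 bytes=615
2024-05-01T10:00:30Z srv-web01 10.0.6.5 -> 198.51.100.9:443 bytes=14000
2024-05-01T10:12:00Z srv-web01 10.0.6.5 -> 198.51.100.9:443 bytes=9100
2024-05-01T10:47:10Z srv-web01 10.0.6.5 -> 198.51.100.9:443 bytes=22000
2024-05-01T10:05:00Z srv-web01 10.0.6.5 -> 192.0.2.44:8443 bytes=300
"""

# Expected external destinations per server (constructed). A database server
# has no business reaching the Internet at all; the web server talks to one
# external API. Anything else is off the predefined route.
ALLOWED = {
    "srv-db01": set(),
    "srv-web01": {"198.51.100.9"},
}

LINE = re.compile(r"^(\S+) (\S+) (\S+) -> ([\d.]+):(\d+) bytes=(\d+)$")


def parse(log: str) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, server, external destination) for outbound flows,
    ignoring flows that stay inside the internal 10.0.0.0/8 range."""
    flows = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # tolerate unrelated or malformed lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        dst = m.group(4)
        if dst.startswith("10."):
            continue
        flows.append((ts, m.group(2), dst))
    return flows


def beacon_score(times: List[datetime]) -> float:
    """Coefficient of variation of the gaps between connections.
    Near 0 means clockwork-regular; inf means too few samples to judge."""
    if len(times) < 4:
        return float("inf")
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else float("inf")


def find_anomalies(log: str, max_cv: float = 0.1) -> List[Dict]:
    by_pair = defaultdict(list)
    for ts, server, dst in parse(log):
        by_pair[(server, dst)].append(ts)
    findings = []
    for (server, dst), times in sorted(by_pair.items()):
        unexpected = dst not in ALLOWED.get(server, set())
        cv = beacon_score(times)
        periodic = cv <= max_cv
        if unexpected or periodic:
            findings.append({
                "server": server, "dst": dst, "connections": len(times),
                "unexpected_destination": unexpected, "periodic": periodic,
                "gap_cv": None if cv == float("inf") else round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(LOG):
        print(finding)
    # srv-db01 -> 203.0.113.7: five connections about 60 s apart to an
    # unexpected host, flagged as both unexpected and periodic;
    # srv-web01 -> 192.0.2.44: a single unexpected connection.
```

The allowlist is the "predefined routes" of the justification; the regularity test catches a channel even when the destination has not been seen before, at the cost of needing several samples. In practice the thresholds are tuned per server role, and a hit becomes an incident only after the process on the server that opened the connections has been identified.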
Active information security awareness programs PRIMARILY influence: A. acceptable risk. B. residual risk. C. control objectives. D. business objectives.
residual risk. Justification The level of risk that an enterprise deems acceptable is a business decision. Controls, including active security awareness programs, are implemented to reduce risk to acceptable levels and do not influence what level of risk is acceptable. An information security awareness program is an administrative control that reduces vulnerability, thereby yielding lower residual risk. Security awareness may be a control objective, depending on the information security strategy of the enterprise, but such a program does not primarily influence the objectives of other controls. Security awareness does not primarily influence business objectives.
An information security manager determines that management of risk is inconsistent across a mature enterprise, creating a weak link in overall protection. The MOST appropriate initial response for the information security manager is to: A. escalate to the steering committee. B. review compliance with standards. C. write more stringent policies. D. increase enforcement.
review compliance with standards. Justification The steering committee may be able to assist in achieving better compliance once the nature of the inconsistency has been established through a compliance review. The steering committee is an executive management-level committee that assists in the delivery of the security strategy, oversees day-to-day management of service delivery and IT projects, and focuses on implementation. A mature enterprise will have a complete suite of policies and standards, so inconsistent risk treatment is most likely to be inconsistent compliance with those standards. Existing policies need to be reviewed to determine whether they are adequate before more stringent ones are written; the problem may be with enforcement rather than with the policies. Enforcement can only be as effective as the policies it supports, and increasing enforcement before the issues have been determined would not be the best initial response.
A newly hired information security manager notes that existing information security practices and procedures appear ad hoc. Based on this observation, the next action should be to: A. assess the commitment of senior management to the program. B. assess the maturity level of the enterprise. C. review the corporate standards. D. review corporate risk management practices.
review the corporate standards. Justification While management may not be exercising due care, it is concerned enough to engage a new information security manager. Assessing the commitment of senior management will not address the immediate concern of ad hoc practices and procedures. It is evident from the initial review that maturity is very low and efforts required for a complete assessment are not warranted. It may be better to address the immediate problem of ad hoc practices and procedures. The absence of current, effective standards is a concern that must be addressed promptly. It is apparent that risk management is not being practiced; establishing an effective program will take time. A more prudent initial activity is to implement basic controls.
What human resources (HR) activity is MOST crucial in managing mobile devices supplied by the enterprise? HR provides: A. termination notices. B. background checks. C. reporting structures. D. awareness support.
termination notices. Justification When the human resources (HR) department provides staff termination notices, security management can perform deprovisioning of mobile devices. Background checks generally do not help the management of mobile devices. Reporting structures generally do not affect the management of mobile devices. HR could support information security awareness programs. However, from the management perspective, device deprovisioning upon staff termination will be more important.
Information security policy development should PRIMARILY be based on: A. vulnerabilities. B. exposures. C. threats. D. impacts.
threats. Justification Absent a threat, vulnerabilities do not pose a risk. Vulnerability is defined as a weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse impacts from threat events. Exposure is only important if there is a threat. Exposure is defined as the potential loss to an area due to the occurrence of an adverse event. Policies are developed in response to perceived threats. If there is no perceived threat, there is no need for a policy. A threat is defined as anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. Impact is not an issue if no threat exists. The impact is generally quantified as a direct financial loss in the short term or an ultimate (indirect) financial loss in the long term.
The MOST effective approach to ensure the continued effectiveness of information security controls is by: A. ensuring inherent control strength. B. ensuring strategic alignment. C. using effective life cycle management. D. using effective change management.
using effective life cycle management. Justification Inherent strength will not ensure that controls do not degrade over time. Maintaining strategic alignment will help identify life cycle stages of controls but by itself will not address control degradation. Managing controls over their life cycle will allow for compensation of decreased effectiveness over time. Change management strongly supports life cycle management but by itself does not address the complete cycle.