Information Security Framework, Infrastructure & Architecture
B is the correct answer. Justification The information security officer supports and implements information security for senior management. Routine administration of all aspects of security is delegated, but senior management must retain overall responsibility. The data owner is responsible for categorizing data security requirements. The data custodian supports and implements information security as directed.
Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken? Information security officer Security steering committee Data owner Data custodian
B is the correct answer. Justification The security manager would contact the vendor to modify the application only after assessing the risk and compensating controls. Before approving any exception, the security manager should first check for compensating controls and assess the possible risk due to deviation. The security manager may make a case for deviation from the policy, but this would be based on a risk assessment and compensating controls. The deviation itself would be approved in accordance with a defined process. Updating the baseline configuration is not associated with requests for deviations.
A new business application requires deviation from the standard configuration of the operating system (OS). Which of the following steps should the security manager take FIRST? Contact the vendor to modify the application. Assess risk and identify compensating controls. Approve an exception to the policy to meet business needs. Review and update the OS baseline configuration.
A is the correct answer. Justification Determining the drivers of a program establishes objectives and is essential to developing relevant metrics for the organization. Determining drivers may establish objectives of a program, but the controls are determined by risk and impact. Risk reporting goes beyond the specific drivers, and will encompass all organizational risk. Drivers may indirectly provide subject matter for training, but security awareness goes beyond just the drivers.
It is essential to determine the forces that drive the business need for the information security program. Determining drivers is critical to: establish the basis for the development of metrics. establish the basis for security controls. report risk results to senior management. develop security awareness training modules.
B is the correct answer. Justification The risk of compromise is a major consideration in the level of protection required, but not at the expense of safety. Only in very rare circumstances does risk of compromise outweigh life safety, and even then it is the risk to a larger population that justifies a fail secure configuration. Safety of personnel is always the first consideration. For example, even if a data center has highly confidential data, failure of physical access controls should not fail closed and prevent emergency exit. Only in very rare circumstances does risk of compromise outweigh life safety, and even then it is the risk to a larger population that justifies a fail secure configuration. The mean time between failures is a consideration for technical or mechanical controls and must be considered from a safety perspective. The nature of a threat is a consideration for the type and strength of controls.
The MOST important consideration when determining how a control policy is implemented is: the risk of compromise. life safety. the mean time between failure. the nature of a threat.
B is the correct answer. Justification Revising the information security program may be a solution, but it is not the best solution to improve alignment of the information security objectives. The BSC can track the effectiveness of how an organization executes it information security strategy and determine areas of improvement. User awareness is just one of the areas the organization must track through the business BSC. Performing penetration tests does not affect alignment with information security objectives.
To BEST improve the alignment of the information security objectives in an organization, the chief information security officer should: revise the information security program. evaluate a balanced business scorecard. conduct regular user awareness sessions. perform penetration tests.
D is the correct answer. Justification The exception process can be used after assessing the noncompliance risk and determining whether compensating controls are required. Modifying policy is not necessary, unless there is no applicable standard and policy. It is not appropriate to increase compliance enforcement until the information security manager has determined the extent of the risk posed by weak compliance. The first action after finding noncompliance with particular standards should be to determine the risk to the organization and the potential impact.
What activity should the information security manager perform FIRST after finding that compliance with a set of standards is weak? Initiate the exception process. Modify policy to address the risk. Increase compliance enforcement. Perform a risk assessment.
D is the correct answer. Justification An intrusion detection system may detect an attempted attack, but it will not confirm whether the perimeter is secure. Minimum security baselines are beneficial, but they will not provide the level of assurance that is provided by penetration testing. Vendor recommended settings may be used to harden systems but provide little assurance that other vulnerabilities do not exist, which may be exposed by penetration testing. Penetration testing is the best way to assure that perimeter security is adequate.
Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack? Use an intrusion detection system. Establish minimum security baselines. Implement vendor recommended settings. Perform periodic penetration testing.
A is the correct answer. Justification Failure to tune an intrusion detection system will result in many false positives, especially when the threshold is set to a low value. An increase in false negatives is less likely given the fact that the threshold for sounding an alarm is set to a low value. Missed active probing is less likely given the fact that the threshold for sounding an alarm is set to a low value. Ignored attack profiles are less likely given the fact that the threshold for sounding an alarm is set to a low value.
Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system with the threshold set to a low value? The number of false positives increases The number of false negatives increases Active probing is missed Attack profiles are ignored
B is the correct answer. Justification Industry frameworks are useful in improving security implementation to the extent that they align with and support business objectives. The most critical factor to be considered in defining information security requirements is the business strategy because everything that the business does—including information security—is only done for the sake of pursuing the business strategy. Security requirements are driven by the information security policy, procedures and practices. The technology infrastructure needs to be considered while implementing security, but if the current infrastructure cannot support information security requirements that are aligned to the business strategy, then the infrastructure will also need to be reevaluated. User competencies reflect a current state and may be useful in mapping a path forward for the lowest cost, but competencies can be enhanced to those required by providing training to bring users to the required level. The business strategy is the driver of information security requirements (and all other activities).
A newly appointed information security manager has been asked to re-define information security requirements because senior management is unhappy with the current state of information security. Which of the following choices would the information security manager consider MOST critical? An industry framework The business strategy The technology infrastructure User competencies
C is the correct answer. Justification Reviewing the procedures for granting access could be correct depending on the priorities set by the business unit, but this would follow understanding the business needs. Procedures for granting emergency access require first understanding business needs. An information security manager must understand the business needs that motivated the change prior to taking any unilateral action. Redefining and implementing proper access rights would follow understanding the business needs.
An information security manager reviewed the access control lists and observed that privileged access was granted to an entire department. Which of the following should the information security manager do FIRST? Review the procedures for granting access Establish procedures for granting emergency access Meet with data owners to understand business needs Redefine and implement proper access rights
A is the correct answer. Justification A security review is used to determine the current state of security for various program components. An impact assessment is used to determine potential impact in the event of the loss of a resource. Vulnerability is only one specific aspect that can be considered in a security review. A threat analysis would not normally be a part of a security review.
Determining the nature and extent of activities required in developing an information security program often requires assessing the existing program components. The BEST way to accomplish this is to perform a(n): security review. impact assessment. vulnerability assessment. threat analysis.
C is the correct answer. Justification Active participation by a steering committee made up of business owners or their delegates is one way to accomplish strategic alignment, but a steering committee is not the only way to achieve this goal. If an organization has a strategic planning business unit, active participation in its activities may provide insight into future business directions and ensure that security considerations are included in the planning progress, but strategic alignment of the information security program does not require creation of such a unit. Alignment of the information security program requires an understanding of business plans and objectives as determined by business owners. Although the method of achieving regular interaction with business owners can vary based on the size and structure of an organization, the interaction itself is a requirement. Alignment of an information security program must take into account culture and existing technology, but information security supports the business objectives of the organization, which may include changes to the culture and technology currently in place. These aspects of the organization should not be accepted as foundations for program alignment when they are misaligned with business objectives.
Effective strategic alignment of the information security program requires: active participation by a steering committee. creation of a strategic planning business unit. regular interaction with business owners. acceptance of cultural and technical limitations.
D is the correct answer. Justification Assessing and analyzing risk is required to develop a strategy and will provide some of the information needed to develop the strategy that will achieve the desired outcomes, but it will not define the scope and charter of the security program. A security architecture is a part of implementation subsequent to developing the strategy. The applicability statement is a part of strategy implementation using International Organization for Standardization (ISO) 27001 or 27002 subsequent to determining the scope and responsibilities of the program. After management has determined the desired outcomes of the information security program, development of a strategy can begin as well as initiating the process of developing information security governance structures, achieving organizational adoption and developing an implementation strategy, which will define the scope and responsibilities of the security program.
How does the development of an information security program begin? Risk is assessed and analyzed. The security architecture is developed. The controls statement of applicability is completed. The information security strategy is established.
B is the correct answer. Justification Assessing and analyzing risk is required to develop a strategy and will provide some of the information needed to develop it, but will not define the scope and charter of the security program. Also, how the organization chooses to approach identified risk is a business decision that must be made by senior management and identified in a strategy. An effective information security strategy provides clear direction on how the organization will attain security outcomes desired and directed by senior management. A security architecture is ideally a part of implementation after developing the strategy. It is possible to adopt an architecture without a strategy, but its implementation will not necessarily help the organization to attain the security outcomes desired by senior management. The applicability statement is a part of strategy implementation using ISO 27001 or 27002 after determining the scope and responsibilities of the program. Like a security architecture, an applicability statement can be adopted without a strategy, but will not necessarily help the organization to attain the security outcomes desired by senior management.
The maturity of an information security program is PRIMARILY the result of: a comprehensive risk assessment and analysis. an effective information security strategy. the development of a security architecture. completing a controls statement of applicability.
A is the correct answer. Justification One way to determine the return on security investment is to illustrate how information security supports the achievement of business objectives. Security metrics measure improvement and effectiveness within the security practice but do not necessarily tie to business objectives. Listing deliverables does not necessarily tie into business objectives. Creating process improvement models does not necessarily tie directly into business objectives.
The return on investment of information security can BEST be evaluated through which of the following? Support of business objectives Security metrics Security deliverables Process improvement models
D is the correct answer. Justification Assessing and analyzing risk is required to develop a strategy and will provide some of the information needed to develop it, but will not define the scope and charter of the security program. A physical security architecture is a part of an implementation. The applicability statement is a part of the strategy implementation using International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 or 27002 subsequent to determining the scope and responsibilities of the program. The process of developing information security governance structures, achieving organizational adoption and developing a strategy to implement will define the scope and responsibilities of the security program.
What is the BEST evidence of a mature information security program? A comprehensive risk assessment and analysis exists. A development of a physical security architecture exists. A controls statement of applicability exists. An effective information security strategy exists.
C is the correct answer. Justification Reduction of the total cost of ownership is a benefit of centralized security management. Improved compliance is a benefit of centralized security management. Better alignment of security to business needs is the only answer that fits because the other choices are benefits of centralized security management. Easier administration is a benefit of centralized security management.
What is the GREATEST benefit of decentralized security management? Reduction of the total cost of ownership Improved compliance with organizational policies and standards Better alignment of security to business needs Easier administration
D is the correct answer. Justification The policy should not be written for its own sake. To be effective, the policy must address the threat and risk landscape that is usually the basis for strategy development. The degree of uptime required will be defined as a part of strategy development balanced against costs. Not all controls need to be strong, and the degree of control must be determined by cost effectiveness, impact on productivity and other factors. The information security strategy provides a development road map to which the program is built.
What is the MAIN objective for developing an information security program? To create the information security policy To maximize system uptime To develop strong controls To implement the strategy
A is the correct answer. Justification The development of an information security program is usually seen as a manifestation of the information security strategy. Thus, the goal of developing the information security program is to implement the strategy. Optimizing resources can be achieved in an information security program once the program has been aligned to the strategy. Delivery of the metrics is a subset of strategic alignment with the information security program in an organization. Assurance of information security occurs upon the strategic alignment of the information security program.
What is the PRIMARY goal of developing an information security program? To implement the strategy To optimize resources To deliver on metrics To achieve assurance
C is the correct answer. Justification Control objectives cannot be determined until desired outcomes have been determined and subsequent specific objectives defined. Without determining the desired outcomes of the security program, the strategic aims that would lead to the desired outcomes cannot be determined. Without determining the desired outcomes of the security program, it will be difficult or impossible to determine a viable strategy, control objectives and logical architecture. Architecture is the physical manifestation of policy which is developed subsequent to and in support of strategy.
Which is the FIRST thing that should be determined by the information security manager when developing an information security program? The control objectives The strategic aims The desired outcomes The logical architecture
B is the correct answer. Justification Direct reports to the chief information officer do not include business process owners, and their input is necessary. Security steering committees provide a forum for management to express its opinion and take some ownership in the decision-making process. It is imperative that business process owners be included in this process. End users and IT professionals would not be part of the steering committee. Internal audit would not be on the steering committee, although legal representation might.
Which of the following are the MOST important individuals to include as members of an information security steering committee? Direct reports to the chief information officer IT management and key business process owners Cross-section of end users and IT professionals Internal audit and corporate legal departments
B is the correct answer. Justification Good practices are generally a substitute for a clear understanding of what exactly is needed in a specific organization and may be too much or too little. Policies must support the needs of the organization. Generally accepted standards do not exist; they are always tailored to the requirements of the organization. Local law and regulation compliance may be identified in policies but would only be a small part of overall policies that must support the needs of the organization.
Which of the following do security policies need to be MOST closely aligned with? Industry good practices Organizational needs Generally accepted standards Local laws and regulations
C is the correct answer. Justification Security awareness training, although important, is secondary. Achievable goals and objectives is an important factor but will not ensure success if senior management support is not present. Sufficient senior management support is the most important factor for the success of an information security program. Having adequate budget and staffing is an important factor and unlikely without senior management support and by themselves will not ensure success without senior management support.
Which of the following is MOST important to the success of an information security program? Security awareness training Achievable goals and objectives Senior management sponsorship Adequate start-up budget and staffing
B is the correct answer. Justification Decentralization allows the of use field security personnel as security missionaries or ambassadors to spread the security awareness message. It is easier to manage and control a centralized structure. Promoting security awareness is an advantage of decentralization. Decentralized operations allow security administrators to be more responsive. Being close to the business allows decentralized security administrators to achieve a faster turnaround than that achieved in a centralized operation.
Which of the following is an advantage of a centralized information security organizational structure? It is easier to promote security awareness. It is easier to manage and control. It is more responsive to business unit needs. It provides a faster turnaround for security requests.
D is the correct answer. Justification Only after sign-off is obtained can communicating to employees begin. Only after sign-off is obtained can training IT staff begin. Only after sign-off is obtained can identifying relevant technologies for automation begin. Sign-off must be obtained from all stakeholders because that would signify formal acceptance of all the policy objectives and expectations of the business along with all residual risk.
Which of the following is the MOST important step before implementing a security policy? Communicating to employees Training IT staff Identifying relevant technologies for automation Obtaining sign-off from stakeholders
D is the correct answer. Justification The security organization is developed to meet the needs of the security program, and may evolve over time, based on evolving requirements. Conceptual and logical architecture designs should have been completed as a part of strategy and road map development. Risk management objectives are a part of strategy development. The majority of program development activities will involve designing, testing and deploying controls that achieve the risk management objectives.
Which of the following project activities is the MAIN activity in developing an information security program? Security organization development Conceptual and logical architecture designs Development of risk management objectives Control design and deployment
C is the correct answer. Justification Audit recommendations may lead to a cost-benefit analysis, but generally do not direct a particular approach to solving an identified problem. Technology for intrusion detection that reduces complexity to manage the levels is available, but may not be cost-effective. A cost-benefit analysis addresses the trade-offs between in-house and outsourced services. If outsourcing is chosen, it is generally chosen on the basis of cost effectiveness. Hiring staff with the proper skill set for intrusion detection is generally possible, but may not be cost-effective.
Which of the following reasons is MOST likely why an organization has decided to outsource intrusion detection services? As a response to audit recommendations Due to the complexity of interpreting attacks As a result of a cost-benefit analysis Due to lack of competent staff
B is the correct answer. Justification Data mining is associated with ad hoc reporting and is a potential target after the network is penetrated. Network mapping is the process of determining the topology of the network one wishes to penetrate. This is one of the first steps toward determining points of attack in a network. The intrusion detection mechanism in place is not an area of focus because one of the objectives is to determine how effectively it protects the network or how easy it is to circumvent. Customer data, together with data mining, is a potential target after the network is penetrated.
Which of the following represents a PRIMARY area of interest when conducting a penetration test? Data mining Network mapping Intrusion detection system Customer data
C is the correct answer. Justification Security policies and procedures are good but do not necessarily result in the taking of ownership by management. Self-assessment exercises do not necessarily indicate management has taken ownership of the security decision-making process. Security steering committees provide a forum for management to express its opinion and take ownership in the decision-making process. Awareness campaigns are no indication that management has taken ownership of the security decision-making process.
Which of the following will BEST ensure that management takes ownership of the decision making process for information security? Security policies and procedures Annual self-assessment by management Security steering committees Security awareness campaigns
C is the correct answer. Justification Security audit reports offer a limited view of the current state of security. Balanced scorecard is a document that enables management to measure the implementation of their strategy and assists in its translation into action. The capability maturity model grades each defined area of security processes on a scale of 0 to 5 based on their maturity and is commonly used by entities to measure their existing state or maturity and then determine the desired one. Systems and business security architecture explain the security architecture of an entity in terms of business strategy, objectives, relationships, risk, constraints and enablers, and provides a business-driven and business-focused view of security architecture, but it is not the best way to determine the existing level of security process development.
Which of the following would BEST assist an information security manager in measuring the existing level of development of security processes against their desired state? Security audit reports Balanced scorecard Capability maturity model Systems and business security architecture
C is the correct answer. Justification The business process owner is typically required to enforce the policy and would not normally have the authority to grant an exception. The departmental manager cannot approve an exception to policy because he/she is not responsible for the policy delivering its promised results. The person or body empowered to approve a policy is empowered to grant exceptions to it because in approving it, he/she assumed responsibility for the results that it promises to deliver. The information security manager cannot approve an exception to policy because he/she is not responsible for the policy delivering its promised results.
Who has the inherent authority to grant an exception to information security policy? The business process owner The departmental manager The policy approver The information security manager