Security Program Administrative & Operational Services - Part 3
D is the correct answer. Justification Standardizations of browsers within organizations typically results in delays to upgrades and patching, making it more likely that the standardized browser will be susceptible to exploitation of known vulnerabilities. Controlling the version of the Internet browser used may not support the reconciliation between the subscription count and contract license number. Browser script development is generally not constrained by browser standardization. Information security managers seeking to prevent script execution would typically do so by standardizing configurations rather than versions. Internal web applications typically depend on particular versions of a web browser. Many organizations choose to retain versions of their browsers beyond periods of support in order to maintain compatibility with their deployed applications.
IT management has standardized the Internet browser used within the organization. This practice is MOST effective in meeting which of the following objectives? Prevent attacks designed to exploit known vulnerabilities. Ensure the subscription count is aligned with contract. Invalidate illegal browser script program development. Guarantee compatibility with internal web-based applications.
A is the correct answer. Justification Close integration of information security governance with overall enterprise governance is likely to provide better long-term information security by institutionalizing activities and increasing visibility in all organizational activities. Increased budgets and staff may improve information security but will not have the same beneficial impact as incorporating security into the strategic levels of the organization's operations. Control strength and compliance efforts must be balanced against business requirements, culture and other organizational factors and are best accomplished at the governance level. While technical security controls may improve some aspects of security, they will not address management issues nor provide the enduring organizational changes needed for improved maturity levels.
Serious security incidents typically lead to renewed focus by management on information security that then usually fades over time. What opportunity should the information security manager seize to BEST use this renewed focus? To improve the integration of business and information security processes To increase information security budgets and staffing levels To develop tighter controls and stronger compliance efforts To acquire better supplemental technical security controls
D is the correct answer. Justification The legal department is not typically involved in writing procedures, except for its own procedures. End users are not typically involved in writing procedures. Senior management would not be directly involved in the writing of security procedures. The operations group has firsthand knowledge of organizational processes and responsibilities and should ensure that all procedures that are written are functionally sound.
The newly appointed chief information security officer (CISO) of a pharmaceutical company is given the task of creating information security procedures for all departments in the company. Which one of the following groups should the CISO initially approach to write the procedures? Legal department End users Senior management Operations department
C is the correct answer. Justification In most cases, there is a direct relationship between policy and corporate standards. Corporate standards generally do not provide details on the meaning of policy, rather on the acceptable limits needed to comply with policy intent. Corporate standards set the allowable limits and boundaries for people, processes and technology as an expression of policy intent, and therefore provide direction on policy compliance. It would be a poor practice to have corporate standards not directly expressing the intent of a particular policy. To the extent that they exist, they should rely on an implicit policy.
The relationship between policies and corporate standards can BEST be described by which of the following associations? Standards and policies have only an indirect relationship. Standards provide a detailed description of the meaning of a policy. Standards provide direction on achieving compliance with policy intent. Standards can exist without a relationship to any particular policy.
D is the correct answer. Justification A control policy may specify a requirement for monitoring or metrics, but will not define specific metrics. Operational capabilities will likely be defined in a specific requirements or design document rather than in the control policy. There may be a general requirement for training, but not control-specific training, which will be dependent on the particular control. A control policy will state the required failure modes in terms of whether a control fails open or fails closed, which has implications for safety, confidentiality and availability.
A control policy is MOST likely to address which of the following implementation requirements? Specific metrics Operational capabilities Training requirements Failure modes
B is the correct answer. Justification The stability of an environment is not necessarily related to baselines; the application of a security baseline can sometimes even destabilize an environment by conflicting with existing software. A security baseline establishes a uniform security standard to be applied across similar systems. A baseline does not prioritize security objectives. Baselines are established as the result of a policy; they are not part of the policy development.
A security baseline can BEST be used for: securing unstable environments. establishing uniform system hardening. prioritizing security objectives. establishing a corporate security policy.
D is the correct answer. Justification The blocked access will not generally impact confidentiality. The blocked access will not generally impact integrity. The blocked access will not generally impact authenticity. A control (such as a firewall) that fails in a closed condition will typically prevent access to resources behind it, thus impacting availability.
Controls that fail closed (secure) will present a risk to: confidentiality. integrity. authenticity. availability.
B is the correct answer. Justification Sensitive information should not be sent to a third-party who has not been validated even if encryption is used, because the organization cannot guarantee that the recipient will be unable to decipher information in a time period during which the information can still be used. If the call recipient suspects any chance of social engineering over the phone, the callback option is quite effective. The best approach to identifying the caller is who they say they are is to call them back using the legitimate phone number listed in the office phone directory. The recipient should not use a phone number or email address provided by the caller. Once the legitimacy of the call has been reasonably verified, the information may be transmitted using message encryption. Even after voice verification, it is essential that encryption be used because voice verification might be subject to additional attacks (e.g., man-in-the-middle). Even when there is a strong suspicion of fraud, the recipient should not indicate this to the caller over the phone. Instead, the recipient should hang up and call back using the phone number from the office phone directory. The person attempting social engineering will attempt to pass business (or non-business) related questions to the caller. If proper answer is obtained, the recipient will continue the conversation. If the caller feels uneasy, he/she will have the control to end the conversation. Because this technique puts the control of the conversation on the attacker, it is not the best answer.
A person working at a bank receives a call on a voice-over Internet protocol line from a person claiming to be an employee of the bank at another branch office. He is requesting customer information. The FIRST action to take when receiving this type of call is to: obtain the email address of the caller and have the recipient transmit the information using message encryption. advise the employee who received the call to hang up and then return the call to the other branch using the number in the office phone directory. pose business-related questions to the caller, and if a proper reply is received, the recipient may forward the information to the caller. ask the person to call back later and notify regulatory officers of a possible fraud attempt.
B is the correct answer. Justification The level of risk that an organization deems acceptable is a business decision. Controls, including active security awareness programs, are implemented to reduce risk to acceptable levels and do not influence what level of risk is acceptable. An information security awareness program is an administrative control that reduces vulnerability, thereby yielding lower residual risk. Security awareness may be a control objective, depending on the information security strategy of the organization, but such a program does not primarily influence the objectives of other controls. Security awareness does not primarily influence business objectives.
Active information security awareness programs PRIMARILY influence: acceptable risk. residual risk. control objectives. business objectives.
B is the correct answer. Justification Defining security metrics is a subsequent consideration after control objectives are determined and a strategy is developed. When establishing an information security program, conducting a risk assessment is key to identifying the needs of the organization and developing a security strategy. A gap analysis would be used after the desired state of security and the current state are determined to assess what needs to happen to fill the gap. Procuring security tools is a subsequent consideration.
After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program? Define security metrics Conduct a risk assessment Perform a gap analysis Procure security tools
A is the correct answer. Justification One key advantage of cloud computing is the ability to rapidly adjust storage and network bandwidth needs as required. This is generally not possible in locally hosted environments. The amount of training required for users and managers is not substantially different between a cloud and a local solution. Sensitive data can be encrypted in transit regardless of whether it is locally hosted or hosted on a cloud provider. Access controls may be established in both local and cloud solutions.
An advantage of using a cloud computing solution over a locally hosted solution is: the ability to obtain storage and bandwidth on demand. reduced requirements for training of users and managers. increased security as a result of encrypting data in transit. the opportunity to control changes to applications and data.
D is the correct answer. Justification Acknowledging the receipt of electronic orders with a confirmation message is good practice, but will not authenticate orders from customers. Performing reasonableness checks on quantities ordered before placing orders is a control for ensuring the correctness of the company's orders, not the authenticity of its customers' orders. Encrypting sensitive messages is an appropriate step, but does not apply to messages received. An electronic data interchange system is subject not only to the usual risk exposures of computer systems, but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern.
An appropriate control for ensuring the authenticity of orders received in an electronic data interchange system application is to: acknowledge receipt of electronic orders with a confirmation message. perform reasonableness checks on quantities ordered before filling orders. encrypt electronic orders. verify the identity of senders and determine whether orders correspond to contract terms.
A is the correct answer. Justification The system administrator needs to be monitored to ensure that the administrator is in compliance with the information security program. Normally, an administrator will have more rights on the network than an end user, and while an administrator can monitor others, administrators must be monitored as well. The primary objective is to ensure that risk is managed appropriately, balancing operational efficiency against adequate safety. To simply monitor all network activity would be excessive and is not a risk-based approach to protecting the enterprise. Additional monitoring is needed in this situation. The system administrator needs to be monitored for the specific activities. The information security manager needs to use the resources available within the enterprise to assist in monitoring compliance. Using expertise for monitoring is an efficient method and should be used when possible.
An information security manager has implemented procedures for monitoring specific activities on the network. The system administrator has been trained to analyze the network events, take appropriate action and provide reports to the information security manager. What additional monitoring should be implemented to give a more accurate, risk-based view of network activity? The system administrator should be monitored by a separate reviewer. All activity on the network should be monitored. No additional monitoring is needed in this situation. Monitoring should be done only by the information security manager.
B is the correct answer. Justification Interference with policy-driven event logging is a potential concern but secondary to performance impact. Many database products come with a native audit log function. Although it can be easily activated, there is a risk that it may negatively impact the performance of the database. The need to develop supplementary tools is a potential concern but secondary to performance impact. Impaired flexibility in configuration management is not an issue.
An information security manager has instructed a system database administrator (DBA) to implement native database auditing in order to meet regulatory requirements for privileged user monitoring. Which of the following is the PRIMARY reason that the DBA would be concerned? Native database auditing: interferes with policy-driven event logging. affects production database performance. requires development of supplementary tools. impairs flexibility in configuration management.
A is the correct answer. Justification When information is provided to the penetration tester (white box testing), less time is spent on discovering and understanding the target to be penetrated. A black box approach, where no information is provided, better simulates an actual hacking attempt. Both white box and black box approaches could exploit Transmission Control Protocol/Internet Protocol vulnerabilities. Both white box and black box approaches would require use of penetration testing tools.
An organization has commissioned an information security expert to perform network penetration testing and has provided the expert with information about the infrastructure to be tested. The benefit of this approach is: more time is devoted to exploitation than to fingerprinting and discovery. this accurately simulates an external hacking attempt. the ability to exploit Transmission Control Protocol/Internet Protocol vulnerabilities. the elimination of the need for penetration testing tools.
D is the correct answer. Justification Encryption is the application of an algorithm that converts the plaintext password to the encrypted form, but using encrypted passwords requires that they be decrypted for authentication—this would expose the actual password. Also, the authentication mechanism would need to have access to the encryption key in order to decrypt the password for authentication. This would allow anyone with the appropriate access to the server to decrypt user passwords, which is not typically acceptable and is not a secure practice. Content filtering is not a component of password validation. Database hardening helps in enhancing the security of a database but does not assist with password validation. Hashing refers to a one-way algorithm that always creates the same output if applied to the same input. When hashing passwords, only the password's hash value (output) is stored, not the actual password (input). When a user logs in and enters the password, the hash is applied to the password by the authentication mechanism and compared to the stored hash. If the hash matches, then access is granted. The actual password cannot be derived from the hash (because it is a one-way algorithm), so there is no chance of the password being compromised from the hash values stored on the server.
An organization is planning to deliver subscription-based educational services to customers online that will require customers to log in with their user IDs and passwords. Which of the following is the BEST method to validate passwords entered by a customer before access to educational resources is granted? Encryption Content filtering Database hardening Hashing
A is the correct answer. Justification Application controls are employed when general system controls do not provide an adequate level of security. Detective controls exist at both general and application levels. Preventive controls exist at both general and application levels. Corrective controls exist at both general and application levels. Domain
Application level controls are MOST likely to be employed when: general controls are not sufficient. detective controls are required. preventive controls are required. corrective controls are the only option.
A is the correct answer. Justification It is always good practice to engage the management of the business unit when addressing security threats and risk. The input from business unit management is critical in formulating the next step. The issue should not be escalated until gaining an understanding of the risk and business issues from the business unit manager. Requesting the representatives stop sending sensitive information can be a temporary remediation but does not solve the underlying problem. Awareness training may help but does not resolve the problem.
During an audit, an information security manager discovered that sales representatives are sending sensitive customer information through email messages. Which of the following is the BEST course of action to address the issue? Review the finding with the sales manager to evaluate the risk and impact. Report the issue to senior management immediately. Request that the sales representatives stop emailing sensitive information. Provide security awareness training to the sales representatives.
C is the correct answer. Justification It is not common to conduct ethical hacking as part of disaster recovery testing at an alternate site. Substantive testing involves obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. Ethical hacking would not be used as a substitute for substantive testing. The problem with legacy applications is that we do not have enough documentation to study their functionalities, including security controls. To assess control effectiveness, ethical hacking could be an efficient way to find out weaknesses rather than reviewing program code from the beginning. It is not necessarily a recommended practice to engage in ethical hacking in the last phase of a system recovery process after a cyberattack.
For which of the following purposes would ethical hacking MOST likely be used? As a: process resiliency test at an alternate site. substitute for substantive testing. control assessment of legacy applications. final check in a cyberattack recovery process.
B is the correct answer. Justification A business plan may address some issues of integrating activities, but that is not its main purpose. An architecture allows different activities to be integrated under one design authority. Requirements do not generally address integration. Specifications do not address integration.
Integrating a number of different activities in the development of an information security infrastructure is BEST achieved by developing: a business plan. an architecture. requirements. specifications.
D is the correct answer. Justification Good practices suppose that what is best for one is best for all. For some organizations it will be overkill and in others, insufficient. Information technology plans should be based on the architecture. Information security good practices suppose that what is best for one is best for all. For some organizations it will be overkill and in others, insufficient. Information security architecture is a manifestation of policy and must implement the technical standards.
It is MOST important that information security architecture be aligned with which of the following? Industry best practices Information technology plans Information security best practices Business objectives and goals
C is the correct answer. Justification Policies are written to support objectives, which are determined by business requirements. Audits are conducted to determine compliance with control objectives. An information security program is established to close the gap between the existing state of controls (as identified by a risk assessment) and the state desired on the basis of business requirements, which will be obtained through the meeting of control objectives. A program must have objectives before resources can be allocated in pursuit of those objectives.
Most standard frameworks for information security show the development of an information security program as starting with: policy development and implementation of process. an internal audit and remediation of findings. a risk assessment and control objectives. resource identification and budgetary requirements.
C is the correct answer. Justification Authorization is not a public key infrastructure function. A private key is used for signing. The counterparty's public key is used for authentication. The private key is used for nonrepudiation.
Obtaining another party's public key is required to initiate which of the following activities? Authorization Digital signing Authentication Nonrepudiation
A is the correct answer. Justification Monitoring user activities may result in access to sensitive corporate and personal information. The organization should implement training that provides guidance on appropriate legal behavior to reduce corporate liability and increase user awareness and understanding of data privacy and ethical behavior. While ethical training is a good practice for all employees, those that implement security controls are not necessarily privy to sensitive data. Employees who manage risk tolerance may have access to high-level corporate information, but not necessarily sensitive or private information. Again, while ethics training is good practice, it is not required to manage risk tolerance for an organization. Employees who manage network access do not necessarily need ethics training.
Organizations implement ethics training PRIMARILY to provide guidance to individuals engaged in: monitoring user activities. implementing security controls. managing risk tolerance. assigning access.
A is the correct answer. Justification Content filtering provides the ability to examine the content of attachments and prevent information containing certain words or phrases, or of certain identifiable classifications, from being sent out of the enterprise. Data classification helps identify the material that should not be transmitted via email attachments but by itself will not prevent it. Information security awareness training also helps limit confidential material from being disclosed via email as long as personnel are aware of what information should not be exposed and willingly comply with the requirements, but it is not as effective as outgoing content filtering. Encrypting all attachments is not effective because it does not limit the content and may actually obscure confidential information contained in the email.
The MOST effective technical approach to mitigate the risk of confidential information being disclosed in email attachments is to implement: content filtering. data classification. information security awareness. encryption for all attachments.
A is the correct answer. Justification Segmentation by trust domain limits the potential consequences of a successful compromise by constraining the scope of impact. Segmentation by trust domain does not substantially change vulnerability. Automated network scanning can treat a network as logically segmented without reliance on trust domains. Segmentation is not implemented primarily to facilitate data classification.
The MOST likely reason to segment a network by trust domains is to: limit consequences of a compromise. reduce vulnerability to a breach. facilitate automated network scanning. implement a data classification scheme.
A is the correct answer. Justification Without management support, the program will never be able to establish a charter that will allow it to function within the environment. All of the other choices follow the charter. Without a charter for the program, there will be no budget because the program will not exist. A charter is needed to establish the program before policy can be developed. The reporting structure will not be established until the program is chartered.
The extent to which senior management supports the implementation of the strategy and risk management activities of an information security program will FIRST determine: the charter. the budget. policy. the reporting structure.
C is the correct answer. Justification Firewalls attempt to keep the hacker out. Bastion hosts attempt to keep the hacker out. Decoy files, often referred to as honeypots, are the best choice for diverting a hacker away from critical files and alerting security of the hacker's presence. Screened subnets or demilitarized zones provide a middle ground between the trusted internal network and the external untrusted Internet but does not help detect hacker activities.
What is the BEST method for detecting and monitoring a hacker's activities without exposing information assets to unnecessary risk? Firewalls Bastion hosts Decoy files Screened subnets
B is the correct answer. Justification The configuration of the devices is not the primary responsibility of the information security manager. The security manager will work through technical staff to ensure that configurations are appropriate. Knowledge of information technology helps the information security manager understand how changes in the technical environment affect the security posture. Advising on acquisition and deployment in regard to security issues is a secondary function of the information security manager. Information security decisions can be made most effectively when they are understood by people in business functions, but this is secondary to understanding the relationship between technology and information security.
What is the MOST important reason that an information security manager must have an understanding of information technology? To ensure the proper configuration of the devices that store and process information To understand the risk of technology and its contribution to security objectives To assist and advise on the acquisition and deployment of information technology To improve communication between information security and business functions
A is the correct answer. Justification Each person/employee should know how information security is related to his/her job role and why work tasks should be performed in an appropriate way that protects the organization and its assets. Although compliance with the information security policy is important, security awareness training goes beyond to include cultural and behavioral elements of information security. Industry-specific regulation and legislation are not the primary drivers of security awareness training programs. Employee expectations do not necessarily ensure understanding of information security or influence cultural or behavioral attitudes directly.
What is the PRIMARY benefit of a security awareness training program? To reduce the likelihood of an information security event To encourage compliance with information security policy To comply with the local and industry-specific regulation and legislation To provide employees with expectations for information security
D is the correct answer. Justification An intrusion detection system is not designed to identify weaknesses in network security. An intrusion detection system is not designed to identify patterns of suspicious logon attempts. Identifying how an attack was launched is secondary. The most important function of an intrusion detection system is to identify potential attacks on the network.
What is the PRIMARY purpose of installing an intrusion detection system (IDS)? To identify weaknesses in network security To identify patterns of suspicious access To identify how an attack was launched on the network To identify potential attacks on the internal network
C is the correct answer. Justification Examining and understanding the culture within the organization is an important step in the overall evaluation process. Analyzing and understanding the control system is an essential step to determine what risk is addressed and what control objectives are currently in place. Identifying and evaluating the overall risk is most important, because it includes the other three elements, in addition to others. Examining and assessing security resources is important information in determining and evaluating overall risk and exposure of an organization.
When initially establishing an information security program, it is MOST important that managers: examine and understand the culture within the organization. analyze and understand the control system of the organization. identify and evaluate the overall risk exposure of the organization. examine and assess the security resources of the organization.
C is the correct answer. Justification Policies are developed to implement the strategy and may specify some requirements, but they are subsequent to, and a part of, implementing the strategy. The architecture must implement the policies and standards. The strategy must define the requirements for the resources necessary to implement the program. This is different from the tactical detail level necessary to identify specific resources. Procedures will define resource acquisition processes, but will not specify requirements.
Where should resource requirements for information security initially be identified? In policies In the architecture In the strategy In procedures
D is the correct answer. Justification Data protection levels are decided based on classification. Data are classified on business value and not on the possibility of leakage. Protection of the data may well be based on the possibility of leakage. Aligning the schema with data leak prevention (DLP) tools may help while automating protection, but the data classification schema already has to exist for it to align with DLP. While developing a data classification schema, it is most important that all users are made aware of the need for accurate data classification to reduce the cost of overprotection and the risk of underprotection of information assets.
Which of the following activities is MOST effective for developing a data classification schema? Classifying critical data based on protection levels Classifying data based on the possibility of leakage Aligning the schema with data leak prevention tools Building awareness of the benefit of data classification
A is the correct answer. Justification A matrix that documents the functions associated with particular kinds of work, typically referred to as a segregation of duties (SoD) matrix, shows which roles are required or permitted to have which permissions. Persistent data labels apply to mandatory access control environments where permissions are brokered by the objects themselves. They do not factor into role-based access controls (RBAC). Multifactor authentication deals with how users authenticate their identities, which helps to ensure that people are who they claim to be. It does not determine the permissions that they are assigned, particularly in a role-based access controls (RBAC) model, where permissions are assigned to roles rather than individual users. Using automated logon scripts is practical in some environments, but assigning permissions to individual accounts is contrary to the intent of role-based access controls (RBAC).
Which of the following approaches is the BEST for designing role-based access controls (RBAC)? Create a matrix of work functions. Apply persistent data labels. Enable multifactor authentication. Use individual logon scripts.
A is the correct answer. Justification Procedures, especially with regard to the hardening of operating systems, will be subject to constant change; as operating systems change and evolve, the procedures for hardening will have to keep pace. Standards should generally be more static and less subject to frequent change. Well-conceived, mature policies will rarely require change. Standards regarding document retention and destruction will rarely need to be changed.
Which of the following are likely to be updated MOST frequently? Procedures for hardening database servers Standards for password length and complexity Policies addressing information security governance Standards for document retention and destruction
D is the correct answer. Justification Market share and annualized cost is secondary in nature. Ability to interface with the intrusion detection system is secondary in nature. Automatic notifications are very useful but not the most important criteria. For the software to be effective, it must be easy to maintain and keep current.
Which of the following are the MOST important criteria when selecting virus protection software? Product market share and annualized cost Ability to interface with intrusion detection system software and firewalls Alert notifications and impact assessments for new viruses Ease of maintenance and frequency of updates
A is the correct answer. Justification Evidential capability increases if data are taken from a location that is close to the origination point. For database auditing, activation of a built-in log may be ideal. However, there is a trade-off. The more elaborate logging becomes, the slower the performance. It is important to strike a balance. If database recovery log is impaired, there is a chance that data integrity may be lost. However, it is unlikely that audit logging will impair the integrity of the database. Database replication functionality will control the consistency between database instances. It is difficult to judge whether configuration change will become complex as the result of audit log activation. It depends on many different factors. Therefore, this is not the best option.
Which of the following choices is a MAJOR concern with using the database snapshot of the audit log function? Degradation of performance Loss of data integrity Difficulty maintaining consistency Inflexible configuration change
C is the correct answer. Justification The CA's public key is published and poses no risk. If destroyed, lost or compromised, the private key of any one relying party affects only that party. The certificate authority's (CA) private key is the single point of failure for the entire public key infrastructure (PKI) because it is unpublished and the system cannot function if the key is destroyed, lost or compromised. The public key is published and poses no risk.
Which of the following choices is the MOST significant single point of failure in a public key infrastructure? A certificate authority's (CA) public key A relying party's private key A CA's private key A relying party's public key
D is the correct answer. Justification If a procedure does not meet the standard, the procedure must be changed, not the standard. IT staff not understanding the standard may require clarification and/or training. Inconsistencies with the guidelines require that the guidelines be changed to conform to the standard. If conformance with the standard does not achieve control objectives, the standard requires modification.
Which of the following conditions is MOST likely to require that a corporate standard be modified? The standard does not conform to procedures. IT staff does not understand the standard. The standard is inconsistent with guidelines. Control objectives are not being met.
B is the correct answer. Justification Data privacy is part of the second layer, which is containment. Authentication is part of prevention, which is the first layer of defense in depth. Incident response is part of the fourth layer of defense, which is reaction. A backup policy is part of the last layer of defense, which is recovery/restoration.
Which of the following control practices represents the FIRST layer of the defense-in-depth strategy? Data privacy Authentication Incident response Backup
D is the correct answer. Justification A strategy is a broad, high-level document and not a standard. A guideline is advisory in nature. A security model shows the relationships between components. Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place.
Which of the following defines minimum requirements for securing the technical infrastructure? Information security strategy Information security guidelines Information security model Information security architecture
C is the correct answer. Justification Procedures determine the steps, not the configuration requirements. Guidelines are not enforceable. Baselines set the minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity and/or availability protection. Policies determine direction, but not detailed configurations.
Which of the following is BEST used to define minimum requirements for database security settings? Procedures Guidelines Baselines Policies
D is the correct answer. Justification Changes in the effectiveness of security controls will require a review of the controls, not necessarily the standards. Changes in the roles and responsibilities of department heads will not require a change to security standards, which will be captured during risk review. Standards set the requirements for procedures, so a change in procedures is not likely to affect the standard. Security policies need to be reviewed regularly in order to ensure that they appropriately address the organization's security objectives. A review of a security standard is prompted by changes in external and internal risk factors that are captured during risk assessment.
Which of the following is MOST likely to initiate a review of an information security standard? Changes in the: effectiveness of security controls. responsibilities of department heads. information security procedures. results of periodic risk assessments.
A is the correct answer. Justification Diverting incoming traffic helps correct the situation and, therefore, is a corrective control. Filtering network traffic is a preventive control. Examining inbound network traffic for viruses is a detective control. Logging inbound network traffic is a detective control.
Which of the following is an example of a corrective control? Diverting incoming traffic as a response to a denial of service attack Filtering network traffic Examining inbound network traffic for viruses Logging inbound network traffic
C is the correct answer. Justification Implementing such a program is an ongoing process that supports senior management's commitment toward information security. Assigning roles and responsibilities for information security is achieved largely by implementing information security policies. However, to be effective, it is important that the policy be supported by a corporate information security education and awareness program. Education, training and awareness help in the dissemination of information on the necessity of information security and in building a conducive environment for secure and reliable business operations. The information security policy and regulatory requirements contribute content to an education and awareness program.
Which of the following is the MAIN reason for implementing a corporate information security education and awareness program? To achieve commitment from the board and senior management To assign roles and responsibility for information security To establish a culture that is conducive to effective security To meet information security policy and regulatory requirements
B is the correct answer. Justification Policies are a statement of management intent, expectations and direction and should not address the specifics of regulatory compliance. Standards set the allowable boundaries for technologies, procedures and practices and thus are the appropriate documentation to define compliance requirements. Procedures are developed in order to provide instruction for meeting standards, but cannot be developed without established standards. Guidelines are not mandatory and will not normally address issues of regulatory compliance.
Which of the following is the MOST appropriate control to address compliance with specific regulatory requirements? Policies Standards Procedures Guidelines
C is the correct answer. Justification Email is not a strong communication medium to enhance information security awareness. Training for IT personnel is important, but information security awareness training needs to be provided to all employees. Role-based training that includes simulation of actual information security incidents is the most effective method to teach employees how their specific function can impact information security. Well-developed general awareness training can be an acceptable method to enhance information security awareness if resources are not available for role-specific training, but it is not typically as effective.
Which of the following is the MOST effective method to enhance information security awareness? Timely emails that address actual security threats Security training from specialized external experts for key information technology (IT) personnel Role-specific awareness training General online security awareness training for all staff
D is the correct answer. Justification The creation date is not that important. The name of the author is not that important. The initial draft date is not that important. The last review date confirms the currency of the standard, affirming that management has reviewed the standard to assure that nothing in the environment has changed that would necessitate an update to the standard.
Which of the following is the MOST important information to include in an information security standard? Creation date Author name Initial draft approval date Last review date
C is the correct answer. Justification Executive management is responsible for security strategy oversight and alignment, and for executing all security program elements. The role of the quality manager is to review security-related documents for accuracy, completeness and comprehension. Ensuring consistency with laws and regulations is not a primary responsibility. The extent of policy compliance with legal and regulatory matters is ultimately a business decision made by the board of directors, who in turn will direct executive management in terms of required policy compliance. The role of the auditor is to review and evaluate policies, procedures, processes, etc., but not to ensure their compliance with laws and regulations.
Which of the following roles is MOST responsible for ensuring that information protection policies are consistent with applicable laws and regulations? Executive management The quality manager The board of directors The auditor
C is the correct answer. Justification A notification of liability on accuracy of information should be located in the web site's disclaimer. Although encryption may be applied, this is not generally disclosed. Most privacy laws and regulations require disclosure on how information will be used. Information classification is unrelated to privacy statements and would be contained in a separate policy.
Which of the following should be included in a good privacy statement? A notification of liability on accuracy of information A notification that information will be encrypted A statement of what the company will do with information it collects A description of the information classification process
A is the correct answer. Justification Certain people are either individually inclined or required by their positions to have greater interest in promoting security than others. By selecting these people and offering them broad, diverse opportunities for security education, they are able to act as ambassadors to their respective teams and departments, imparting a gradual and significant change in an organizational culture toward security. Structured training rarely aligns with the interests of individual employees when chosen at random to fill a small-group setting. Computer-based training is a common approach to annual information awareness, but there is no evidence that employees retain the information or adopt it into their regular activities. Streaming-video "webinars" are among the least effective means of presenting information, requiring very little interaction from end users.
Which of the following training mechanisms is the MOST effective means of promoting an organizational security culture? Choose a subset of influential people to promote the benefits of the security program. Hold structured training in small groups on an annual basis. Require each employee to complete a self-paced training module once per year. Deliver training to all employees across the organization via streaming video.
C is the correct answer. Justification Regular password audits would not be as effective on their own; people would go around them unless forced by the system. Single sign-on is a technology solution that would enforce password complexity but would not help the implementation of the policy. To be successful in implementing restrictive password policies, it is necessary to obtain the buy-in of the end users by promoting the need for the change. The best way to accomplish this is through a security awareness program. Penalties for noncompliance are likely to cause resentment and will not be helpful in a successful implementation.
Which of the following would be MOST effective in successfully implementing restrictive password policies? Regular password audits Single sign-on system Security awareness program Penalties for noncompliance
D is the correct answer. Justification Wired Equivalent Privacy (WEP) with 128-bit preshared key authentication can be easily cracked with open source tools. WEP is easily compromised and is no longer recommended for secure wireless networks. Temporal Key Integrity Protocol-Message Integrity Check (TKIP-MIC) with the RC4 cipher is not as strong as WPA2 with 802.1x authentication. WPA2 with preshared keys uses the strongest level of encryption, but the authentication is more easily compromised. Wi-Fi Protected Access 2 (WPA2) and 802.1x authentication is the strongest form of wireless authentication currently available. WPA2 combined with 802.1x forces the user to authenticate using strong Advanced Encryption Standard encryption.
Which one of the following combinations offers the STRONGEST encryption and authentication method for 802.11 wireless networks? Wired equivalent privacy with 128-bit preshared key authentication Temporal key integrity protocol-message integrity check with the RC4 cipher Wi-fi protected access 2 (WPA2) and preshared key authentication WPA2 and 802.1x authentication
D is the correct answer. Justification Signature-based detection cannot react to a distributed denial-of-service (DDoS) attack because it does not have any insight into increases in traffic levels. Deep packet inspection allows a protocol to be inspected and is not related to denial-of-service (DoS) attacks. Virus detection would have no effect on DDoS detection or mitigation. Anomaly-based detection establishes normal traffic patterns and then detects any deviation from that baseline. Traffic baselines are greatly exceeded when under a DDoS attack and are quickly identified by anomaly-based detection.
Which one of the following types of detection is NECESSARY to mitigate a denial or distributed denial of service attack? Signature-based detection Deep packet inspection Virus detection Anomaly-based detection
D is the correct answer. Justification Metrics support decisions. Knowing the number of email messages blocked due to viruses would not on its own be an actionable piece of information for the steering committee. The board of directors would have no use for the information. IT managers would be interested, but it would not be in their purview to address the issue. Information regarding the effectiveness of the current email antivirus control is most useful to the information security manager and staff because they can use the information to initiate an investigation to determine why the control is not performing as expected and to determine whether there are other factors contributing to the failure of the control. When these determinations are made, the information security manager can use these metrics, along with data collected during the investigation, to support decisions to alter processes or add to (or change) the controls in place.
Who would be the PRIMARY user of metrics regarding the number of email messages quarantined due to virus infection versus the number of infected email messages that were not caught? The security steering committee The board of directors IT managers The information security manager
B is the correct answer. Justification Public key cryptography is computationally intensive due to the long key lengths required. Symmetric or secret key encryption requires a separate key for each pair of individuals who wish to have confidential communication, resulting in an exponential increase in the number of keys as the number of users increase, creating an intractable distribution and storage problems. Public key infrastructure keys increase arithmetically, making it more practical from a scalability point of view. Public key cryptography typically requires more maintenance and is more costly than a symmetric key approach in small scale implementations. Secret key encryption requires shorter key lengths to achieve equivalent strength.
Why is public key infrastructure the preferred model when providing encryption keys to a large number of individuals? It is computationally more efficient. It is more scalable than a symmetric key. It is less costly to maintain than a symmetric key approach. It provides greater encryption strength than a secret key model.
D is the correct answer. Justification The security culture changes over time in part because of an effective security awareness training program. It is not necessary that the workforce be told that the culture will change. Changes in technology are only one part of security awareness. Changes in compliance requirements are not a primary driver of security awareness training. People tend to think that security awareness training can be completed once and it is good forever. It is important for everyone, including management and the general workforce, to understand that threats and vulnerabilities change constantly, and that regular refresher training is an important part of security awareness.
With regard to the implementation of security awareness programs in an organization, it is MOST relevant to understand that one of the following aspects can change? The security culture The information technology The compliance requirements The threats and vulnerabilities
