Domain 2 Information Security Risk Management
The BEST process for assessing an existing risk level is: a. an impact analysis. b. a security review. c. a vulnerability assessment. d. a threat analysis.
B is the correct answer. Justification An impact analysis is used to determine potential impact in the event of the loss of a resource. A security review is used to determine the current state of security for various program components. While vulnerability assessments help identify and classify weaknesses in the design, implementation, operation or internal control of a process, they are only one aspect of a security review. A threat analysis is not normally a part of a security review. Threat assessments evaluate the type, scope and nature of events or actions that can result in adverse consequences; identification is made of the threats that exist against enterprise assets.
A serious vulnerability is reported in the firewall software used by an enterprise. Which of the following should be the immediate action of the information security manager? a. Ensure that all operating system patches are up to date. b. Block inbound traffic until a suitable solution is found. c. Obtain guidance from the firewall manufacturer. d. Commission a penetration test.
C is the correct answer. Justification Ensuring that all operating system patches are up to date is a good practice, in general, but it will not necessarily address the reported vulnerability in the firewall software. Blocking inbound traffic may not be practical or effective from a business perspective. The best source of information is the firewall manufacturer because the manufacturer may have a patch to fix the vulnerability or a workaround solution. Commissioning a penetration test will take too much time and will not necessarily provide a solution for corrective actions.
What mechanism should be used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system? a. Business impact analysis b. Security gap analysis c. System performance metrics d. Incident response processes
B is the correct answer. Justification A business impact analysis does not identify vulnerabilities. Security gap analysis is a process that measures all security controls in place against control objectives, which will identify gaps. System performance metrics may indicate security weaknesses, but that is not their primary purpose. Incident response processes exist for cases in which security weaknesses are exploited.
Cross-Site Request Forgery Attack (XSRF)
XSRF exploits inadequate authentication mechanisms in web applications that rely only on elements such as cookies when performing a transaction. It is a type of website attack in which unauthorized commands are transmitted from a trusted user.
Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices? a. Regular review of access control lists b. Security guard escort of visitors c. Visitor registry log at the door d. A biometric coupled with a personal identification number
A is the correct answer. Justification A review of access control lists is a detective control that will enable an information security manager to ensure that authorized persons are entering in compliance with corporate policy. Visitors accompanied by a guard will also provide assurance but that may not be cost-effective. A visitor registry is the next most cost-effective control but not as secure. A biometric coupled with a personal identification number will strengthen access control; however, compliance assurance logs will still have to be reviewed to ensure only authorized access.
Under what circumstances do good information security practices dictate a full reassessment of risk? a. After a material control failure b. When regular assessments show unremediated risk c. Subsequent to installing an updated operating system d. After emergency changes have been initiated
A is the correct answer. Justification A significant control failure indicates that either the control was poorly designed or the risk was not properly identified and classified. Depending on the nature and extent of unremediated risk, reassessment may be warranted; however, in some cases the process of change management while addressing the risk will have provided adequate understanding of the risk and adequacy of treatment. Updating an operating system under change management will include an incremental assessment of any new risk and full reassessment is not likely to be needed. Emergency changes usually require that the change management process be completed subsequently and any specific new risk addressed, making it unlikely that a full risk reassessment is required.
Which of the following would be the FIRST step in effectively integrating risk management into business processes? a. Workflow analysis b. Business impact analysis c. Threat and vulnerability assessment d. Analysis of the governance structure
A is the correct answer. Justification Analyzing the workflow will be essential to understanding process vulnerabilities and where risk may exist in integrating risk management into business processes. A business impact analysis will be important once the workflow and processes are understood in order to understand unit inputs, outputs and dependencies and the potential consequences of compromise. Threat and vulnerability assessments are properly conducted after the relationship between risk management and business processes has been determined through workflow analysis. The governance structure may be one of the vulnerabilities that poses a potential risk but it should be analyzed after the workflow analysis. Ideally, the governance structure should reflect the workflow.
Addressing risk scenarios at various information system life cycle stages is PRIMARILY a function of: a. change management. b. release management. c. incident management. d. configuration management.
A is the correct answer. Justification Change management is the overall process to assess and control risk scenarios introduced by changes. Release management is the process to manage risk scenarios of production system deployment, and it is a component of change management. Incident management addresses impacts when or after they occur. Configuration management is the specific process to manage risk scenarios associated with systems configuration, and it is a component of change management.
Attackers who exploit cross-site scripting vulnerabilities take advantage of: a. a lack of proper input validation controls. b. weak authentication controls in the web application layer. c. flawed cryptographic Secure Sockets Layer implementations and short key lengths. d. implicit web application trust relationships.
A is the correct answer. Justification Cross-site scripting attacks inject malformed input. Attackers who exploit weak application authentication controls can gain unauthorized access to applications, but this has little to do with cross-site scripting vulnerabilities. Attackers who exploit flawed cryptographic Secure Sockets Layer implementations and short key lengths can sniff network traffic and crack keys to gain unauthorized access to information. This has little to do with cross-site scripting vulnerabilities. Web application trust relationships do not relate directly to the attack.
What is the MOST cost-effective method of identifying new vendor vulnerabilities? a. External vulnerability reporting sources b. Periodic vulnerability assessments performed by consultants c. Intrusion prevention software d. Honeypots located in the demilitarized zone (DMZ)
A is the correct answer. Justification External vulnerability sources are the most cost-effective method of identifying these vulnerabilities. The cost involved in periodic vulnerability assessments would be much higher. Intrusion prevention software would not identify new vendor vulnerabilities. Honeypots may or may not identify vulnerabilities and may create their own security risk.
When the security risk assessment result was reviewed, it was found that the rationale for risk rating varied by department. Which of the following would BEST improve this situation? a. Apply common risk measurement criteria to each department b. Introduce risk appetite and risk tolerance at the policy level c. Place increased focus on quantitative risk assessment d. Implement routine peer review of the risk assessment results
A is the correct answer. Justification If departments are reaching different risk ratings for the same outcomes, common risk measurement criteria that can be used across the enterprise are needed. Risk appetite and risk tolerance inform the acceptance of risk but do not affect the risk ratings. Quantitative risk assessments produce numeric results, but subjectivity in inputs may continue to yield varying risk ratings among departments unless common criteria are applied. Peer review of risk assessments between departments may be hampered by differing expertise among staff members in different job functions. Also, the results of risk assessments generally should not be shared more broadly than is necessary to meet business goals.
An enterprise has identified a major threat to which it is vulnerable. Which of the following choices is the BEST reason information security management would not be concerned with preventive remediation under these circumstances? a. The vulnerability is compartmentalized. b. Incident response procedures are in place. c. Compensating controls exist if there is any impact. d. The identified threat has only been found on another continent.
A is the correct answer. Justification If the compartmentalization of the vulnerability results in the enterprise having no exposure, then there is no risk. Prevention is a more prudent approach to dealing with major threats than even the most capable incident response. Compensating controls are a less desirable approach to addressing a major threat than preventive remediation of its corresponding vulnerability. Distance is an inadequate barrier to compromise in the context of information systems.
When a major vulnerability in the security of a critical web server is discovered, immediate notification should be made to the: a. system owner to take corrective action. b. incident response team to investigate. c. data owners to mitigate damage. d. development team to remediate.
A is the correct answer. Justification In order to correct the vulnerabilities, the system owner needs to be notified quickly before an incident can take place. Sending the incident response team to investigate is not correct because an incident has not taken place, and notification could delay implementation of the fix. Data owners would be notified only if the vulnerability could have compromised data. The development team may be called upon by the system owner to resolve the vulnerability.
An information security manager's MOST effective efforts to manage the inherent risk related to a third-party service provider will be the result of: a. limiting organizational exposure. b. a risk assessment and analysis. c. strong service level agreements. d. independent audits of third parties.
A is the correct answer. Justification It is likely to be more effective to control the enterprise's vulnerabilities to third-party risk by limiting organizational exposure than to control the third party's actions. It is essential to know the risk but it does not manage the risk. Defining contractual responsibilities of third parties is important but it will not directly manage risk. Audits may indicate the threats posed by third parties but will not ensure that the risk is managed.
The return on investment of information security can BEST be evaluated through which of the following? a. Support of business objectives b. Security metrics c. Security deliverables d. Process improvement models
A is the correct answer. Justification One way to determine the return on security investment is to illustrate how information security supports the achievement of business objectives. Security metrics measure improvement and effectiveness within the security practice but do not necessarily tie to business objectives. Listing deliverables does not necessarily tie to business objectives. Creating process improvement models does not necessarily tie directly to business objectives.
An information security manager is tasked with initiating a risk assessment on controls focused on user access. Which of the following would be the MOST useful information to prepare for this assessment? a. Previous audit reports b. Current user access lists c. Access approval procedures d. Authentication log files
A is the correct answer. Justification Previous audit reports will provide insight into trends and identified vulnerabilities that will greatly assist in a risk assessment. Current user access lists help with conducting the assessment, but the previous audit report may outline completed remediation actions. Access approval procedures help with conducting the assessment, but the previous audit report may outline completed remediation actions. Authentication log files help with conducting the assessment, but the previous audit report may outline completed remediation actions.
The PRIMARY purpose of risk evaluation is to: a. provide a basis on which to select risk responses. b. ensure that controls are deployed to mitigate risk. c. provide a means of targeting assessment activities. d. ensure that risk responses align with control objectives.
A is the correct answer. Justification Risk evaluation provides management with the extent that the risk meets the acceptability criteria and options for response. Response to risk may come in the form of acceptance, transfer (sharing), mitigation or avoidance. Mitigation is only one possible response to risk. Risk evaluation is the final stage of an assessment activity. Control objectives align with the risk management strategy, which determines risk response.
To improve accuracy, which of the following is the MOST important action to take to account for the subjective nature of risk assessment? a. Train or calibrate the assessor. b. Use only standardized approaches. c. Ensure the impartiality of the assessor. d. Use multiple methods of analysis.
A is the correct answer. Justification Studies show that training or calibrating the assessor improves accuracy and reduces the subjectivity of risk assessments. A standardized approach is less effective in preventing overestimation of risk. Assessor impartiality is important but does not compensate for the tendency to overestimate risk. Multiple methods of analysis may help accuracy but training risk assessors is the most effective.
An information security manager reviewing user access to a critical business application to ensure that users have rights aligned with their job responsibilities notes many instances of excessive access. Which of the following individuals would be the PRIMARY contact to inform regarding this risk? a. Application owner b. Users' manager c. Security manager d. Database administrator
A is the correct answer. Justification The application owner should be informed about any potential risk to make appropriate decisions. The users' manager is responsible for access to the application; however, the application owner is the primary contact in this case. Security would not be immediately informed of this risk unless determined by the application owner. The database administrator is responsible for revoking access if determined by the application owner.
There is a delay between the time when a security vulnerability is first published and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period? a. Identify the vulnerable systems and apply compensating controls. b. Minimize the use of vulnerable systems. c. Communicate the vulnerability to system users. d. Update the signatures database of the intrusion detection system.
A is the correct answer. Justification The best protection is to identify the vulnerable systems and apply compensating controls until a patch is installed. Minimizing the use of vulnerable systems could be a compensating control but would not be the first course of action. Communicating the vulnerability to system users would not be of much benefit. Updating the signatures database of the intrusion detection system (IDS) would not address the timing of when the IDS signature list would be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this approach should not always be considered as the first option.
When conducting a risk assessment, which of the following elements is the MOST important? a. Consequences b. Threat c. Vulnerability d. Probability
A is the correct answer. Justification Unless the exploitation of vulnerability by a threat has consequences, there is no risk to the enterprise. A threat poses no risk absent corresponding vulnerability. Vulnerability poses no risk absent a corresponding threat. Probability is a function of threat and vulnerability, but even a guaranteed event poses no risk to the enterprise unless there are consequences.
To be effective, risk management should be applied to: a. all organizational activities. b. elements identified by a risk assessment. c. any area that exceeds acceptable risk levels. d. only areas that have potential impact.
A is the correct answer. Justification While not all organizational activities will pose an unacceptable risk, the practice of risk management is still applied to determine which risk requires treatment. Risk assessment is part of the risk management function. Risk assessment does not precede inclusion of the activity in the risk management program. Whether a risk level is acceptable can be determined only when the risk is known. Potential impact can be evaluated only when the risk is known and the value of the asset is determined.
Which of the following choices would be the MOST useful in determining the possible consequences of a major compromise? a. Risk assessment b. Asset valuation c. Penetration testing d. Architectural review
B is the correct answer. Justification A comprehensive risk assessment requires an assessment of probability and potential consequences, so it goes beyond what is required. Asset valuation provides a cost representation of what the enterprise stands to lose in the event of a major compromise. Penetration tests indicate vulnerability rather than the value of what may be affected if a vulnerability is exploited. Architectural review may indicate vulnerability, but like penetration testing, it will not reveal the value of what may be affected if a vulnerability is exploited.
B is the correct answer. Justification Alignment with business objectives will help prioritize information security program objectives and what the program will focus on as it is developed. Building an asset inventory will help determine what the enterprise needs to protect and sets the scope for the information security program. The risk matrix will not be accurate if the assets are resources that are unknown. A risk assessment relies on the identification of assets in an enterprise.
Which of the following is the MOST supportable basis for prioritizing risk for treatment? a. Cost and asset value b. Frequency and impact c. Frequency and scope d. Cost and effort
B is the correct answer. Justification Cost to remediate is a major factor relative to the value of the applicable assets (i.e., is remediation appropriate for this asset versus another risk treatment option?). It is ineffective as a means of prioritization across different assets, because it does not take into account their business value. The balance between impact and frequency captures the adjusted probability of loss to the enterprise associated with each risk. It provides an immediate and relevant basis for prioritization of treatment, with high-impact and high-frequency risk ranking highest on the list. Breadth of scope is not necessarily equivalent to impact. Prioritizing a risk that affects a broad range of relatively unimportant systems over a risk that impacts a single critical system would not be beneficial to the enterprise. Effort is a subset of overall cost representing time and expertise. Unto itself, cost is not a suitable basis for prioritization.
What is the root cause of a successful cross-site request forgery attack? a. The application uses multiple redirects for completing a data commit transaction. b. The application has implemented cookies as the sole authentication mechanism. c. The application has been installed with a non-legitimate license key. d. The application is hosted on a server along with other applications.
B is the correct answer. Justification Cross-site request forgery (XSRF) is related to an authentication mechanism, not to redirection. XSRF exploits inadequate authentication mechanisms in web applications that rely only on elements such as cookies when performing a transaction. It is a type of website attack in which unauthorized commands are transmitted from a trusted user. A non-legitimate license key is related to intellectual property rights, not to XSRF vulnerability. Merely hosting multiple applications on the same server is not the root cause of this vulnerability.
How does knowledge of risk appetite help to increase security control effectiveness? a. It helps to gain required support from senior management for information security strategy. b. It provides a basis for redistributing resources to mitigate risk above the risk appetite. c. It requires continuous monitoring because the entire risk environment is constantly changing. d. It facilitates communication with management about the importance of security.
B is the correct answer. Justification Having knowledge of the enterprise's risk appetite is not the sole requirement for gaining senior management support. Understanding risk appetite in key security control areas helps redirect resources from risk at or below acceptable levels to risk above the appetite. The result is improved control effectiveness at no additional cost. This answer does not address the value of understanding risk appetite. The risk environment and control effectiveness do change, but continuous monitoring applies more to rapidly changing controls and to areas of greatest risk. Risk appetite changes are usually more stable. Knowledge of risk appetite does help to facilitate communication with management but is only one small element of effective communication with senior management.
The PRIMARY reason to consider information security during the first stage of a project life cycle is: a. the cost of security is higher in later stages. b. information security may affect project feasibility. c. information security is essential to project approval. d. it ensures proper project classification.
B is the correct answer. Justification Introducing security at later stages can cause projects to exceed budgets and can create issues with project schedules and delivery dates, but these outcomes are generally avoided if security issues are assessed in feasibility. Project feasibility can be directly impacted by information security requirements and is the primary reason to introduce information security requirements at this stage. The cost of security must be factored into any business case that will support project feasibility, and sometimes the cost of doing something securely exceeds the benefits that the project is anticipated to produce. Project approval is a business decision that may be influenced by information security considerations, but they are not essential. Considering information security during the first stage will not ensure proper project classification.
A solution using an emerging security technology may allow an enterprise to increase its revenue, but the technology remains unproven. Which of the following is the BEST approach to take when considering use of the technology? a. Hold until competitors introduce the solution. b. Run a pilot project to assess potential risk. c. Build the solution in a vendor's environment. d. Obtain insurance to cover unexpected losses.
B is the correct answer. Justification Management may advise holding off until a competitor implements the technology; however, the enterprise would then lose out on any potential revenue presented by the opportunity. This decision is best made once potential risk is assessed. When considering using unproven, emerging technologies, it is best to start small. A pilot project will be best suited for this purpose because risk can be assessed in a controlled manner as the business explores the viability of the technology and potential further deployment on a larger scale. Even when the solution is built in a service vendor's technical environment, the service requestor must own the risk stemming from the technical solution. Therefore, the enterprise will want to assess the potential risk first. It is not common practice to buy insurance in anticipation of failures that may be caused by unproven technology.
High risk volatility would be a basis for the information security manager to: a. base mitigation measures solely on assessed impact. b. raise the assessed risk level and increase remediation priority. c. disregard volatility as irrelevant to assessed risk level. d. perform another risk assessment to validate results.
B is the correct answer. Justification Mitigation should be based on likelihood, potential impact and cost benefit. High risk volatility means that the risk is higher during one period and lower in another. The appropriate response is to assess risk at its highest level and due to unpredictability, raise the priority of treatment. Volatility must be considered in terms of maximum risk potential. A second risk assessment would not be useful as a volatility assessment and it would be unnecessary.
High risk tolerance is useful when: a. the enterprise considers high risk acceptable. b. the uncertainty of risk shown by an assessment is high. c. the impact from compromise is very low. d. indicated by a business impact analysis.
B is the correct answer. Justification Risk tolerance is the acceptable deviation from acceptable risk and is not related to whether the risk is high or low. High risk tolerance (i.e., a high degree of variability in acceptable risk) addresses the issue of uncertainty in the risk assessment process itself. Risk tolerance is unrelated to impact. The degree of risk tolerance is not indicated by a business impact analysis.
Which is the BEST way to assess aggregate risk derived from a chain of linked system vulnerabilities? a. Vulnerability scans b. Penetration tests c. Code reviews d. Security audits
B is the correct answer. Justification Security assessments, such as vulnerability scans, can help give an extensive and thorough risk and vulnerability overview but will not be able to test or demonstrate the final consequence of having several vulnerabilities linked together. A penetration test is normally the only security assessment that can link vulnerabilities together by exploiting them sequentially. This gives a good measurement and prioritization of risk. Penetration testing can give risk a new perspective and prioritization based on the result of a sequence of security problems. Code reviews are very time-consuming and unlikely to occur on different parts of a system at the same time, making the discovery of linked system vulnerabilities unlikely. Audits are unlikely to assess aggregate risk from linked system vulnerabilities.
Who should the information security manager FIRST notify after the discovery of an information security threat that is likely to exploit an unpatched server holding critical information? a. System administrators b. The system owner c. The data owner d. Incident response manager
B is the correct answer. Justification System administrators may be involved, but they will act at the guidance of the system owner. The first person to be notified when an exploit is found should be the system owner, who will determine the best mitigation strategy. Data owners can be notified later in the process if the vulnerability may compromise data. The incident response manager should be notified if an incident related to the vulnerability is confirmed.
Which of the following types of risk is BEST assessed using quantitative risk assessment techniques? a. Stolen customer data b. An electrical power outage c. A defaced website d. Loss of the software development team
B is the correct answer. Justification The effect of the theft of customer data could lead to a permanent decline in customer confidence, which does not lend itself to measurement by quantitative techniques. The loss of electrical power for a short duration is more easily measurable than the other choices and can be quantified into monetary amounts that can be assessed with quantitative techniques. The risk of website defacement by hackers is nearly impossible to quantify but could lead to a permanent decline in customer confidence, which does not lend itself to measurement by quantitative techniques. Loss of a majority of the software development team would be impossible to quantify.
Which of the following processes is PRIMARILY supported by information asset identification and classification? a. Risk register development b. Risk assessment c. Cybersecurity training program d. Regulatory compliance requirement
B is the correct answer. Justification Tracking risk in a register is important, but it is not solely based on the classification of the asset. Unless assets are identified and classified, it will not be possible to assess the risk associated with each asset. Cybersecurity training should be risk-based. However, user training is typically based on a scenario, such as phishing. While addressing compliance risk is valid, the key benefit goes beyond compliance because classification assists the enterprise in protecting the assets through incident response. If the incident response plan is lacking, the enterprise would consider additional policy statements to protect higher priority assets. Incident response plans are often safety nets for limiting damage when a control fails or does not exist.
Value at risk can be used: a. as a qualitative approach to evaluating risk. b. to determine maximum probable loss over a period of time. c. for risk analysis applicable only to financial enterprises. d. as a useful tool to expedite the assessment process.
B is the correct answer. Justification Value at risk (VAR) is an analysis tool, not an assessment tool and is quantitative rather than qualitative. VAR provides a quantitative value of the maximum probable loss in a given time period—typically at 95 or 99 percent certainty. While primarily used by financial enterprises, applicability to information security has been demonstrated. VAR calculations are typically complex and time-consuming.
Which of the following is MOST essential for a risk management program to be effective? a. Flexible security budget b. Sound risk baseline c. Detection of new risk d. Accurate risk reporting
C is the correct answer. Justification A flexible security budget is essential for implementing risk management. However, without identifying new risk, other procedures will only be useful for a limited period. A sound risk baseline is essential for implementing risk management. However, without identifying new risk, other procedures will only be useful for a limited period. All of these procedures are essential for implementing risk management. However, without identifying new risk, other procedures will only be useful for a limited period. Accurate risk reporting is essential for implementing risk management. However, without identifying new risk, other procedures will only be useful for a limited period.
Which of the following choices BEST reveals the evolving nature of attacks in an online environment?
a. A high-interaction honeypot
b. A rogue access point
c. Industry tracking groups
d. A vulnerability scanner
C is the correct answer. Justification A honeypot is used to lure a hacker and learn the methods of attacks. However, an attacker may or may not use known methods of attacks. Also, the honeypot will only reveal attacks directed against the enterprise, not the overall nature of attacks occurring in the broader online environment. A rogue access point is put in place by an attacker to lure legitimate users to connect to it. Industry tracking groups, such as InfraGard, US Computer Emergency Readiness Team (CERT) and Internet Storm Center, provide insight into what sort of attacks are affecting enterprises on a national or global scale. Even if a vulnerability scanner is updated regularly, it will reveal vulnerabilities, not attacks.
The information security policies of an enterprise require that all confidential information must be encrypted while communicating to external entities. A regulatory agency insisted that a compliance report must be sent without encryption. The information security manager should:
a. extend the information security awareness program to include employees of the regulatory authority.
b. send the report without encryption on the authority of the regulatory agency.
c. initiate an exception process for sending the report without encryption.
d. refuse to send the report without encryption.
C is the correct answer. Justification Although this choice may not be possible, the information security manager can discuss and understand the reason for insisting on an unencrypted report and try to convince the regulatory authority. If the information security manager chooses to ignore the regulatory authority's request (which may not be possible in many parts of the world), it is necessary that a comparative risk assessment be conducted. The information security manager should first assess the risk in sending the report to the regulatory authority without encryption. The information security manager can consider alternate communication channels that will address the risk and provide for the exception. The information security policy states that confidential information must be encrypted when sent to external entities. The information security manager's role is to find a way within the policy to complete the task. The best way to do this is to initiate an exception.
Which of the following metrics will provide the BEST indication of organizational risk?
a. Annual loss expectancy
b. The number of information security incidents
c. The extent of unplanned business interruptions
d. The number of high-impact vulnerabilities
C is the correct answer. Justification Annual loss expectancy is the quantification of loss exposure based on probability and frequency of outages with a known or estimated cost. It is part of a business impact analysis and may be calculated at the enterprise or system level, but it is based on projections rather than on observed data. The number of recorded or recognized incidents does not reveal impact or indicate organizational risk. An unplanned business interruption will be the best indication of organizational risk as it provides a quantifiable measure of how much business may be lost due to the inability to acquire, process and produce results that affect customers. The number of high-impact vulnerabilities provides an indication of weakness within the information network and/or systems but is not by itself an indicator of risk.
The MOST important reason that statistical anomaly-based intrusion detection systems (stat IDSs) are less commonly used than signature-based IDSs is that stat IDSs:
a. create more overhead than signature-based IDSs.
b. cause false positives from minor changes to system variables.
c. generate false alarms from varying user or system actions.
d. cannot detect new types of attacks.
C is the correct answer. Justification Due to the nature of statistical anomaly-based intrusion detection system (stat IDS) operations (i.e., they must constantly attempt to match patterns of activity to the baseline parameters), a stat IDS requires much more overhead and processing than signature-based versions. However, this is not the most important reason. Due to the nature of a stat IDS—based on statistics and comparing data with baseline parameters—this type of IDS may not detect minor changes to system variables and may generate many false positives. However, this is not the most important reason. A stat IDS collects data from normal traffic and establishes a baseline. It then periodically samples the network activity based on statistical methods and compares samples to the baseline. When the activity is outside the baseline parameter (clipping level), the IDS notifies the administrator. The baseline variables can include a host's memory or central processing unit usage, network packet types and packet quantities. If actions of the users or the systems on the network vary widely with periods of low activity and periods of frantic packet exchange, a stat IDS may not be suitable, as the dramatic swing from one level to another almost certainly will generate false alarms. This weakness will have the largest impact on the operation of the IT systems. Because the stat IDS can monitor multiple system variables, it can detect new types of attacks by tracing for abnormal activity of any kind.
Which of the following would BEST address the risk of data leakage?
a. File backup procedures
b. Database integrity checks
c. Acceptable use policies
d. Incident response procedures
C is the correct answer. Justification File backup procedures ensure the availability of information in alignment with data retention requirements but do nothing to prevent leakage. Database integrity checks verify the allocation and structural integrity of all the objects in the specified database but do nothing to prevent leakage. An acceptable use policy establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before gaining access to a network or the Internet. Incident response procedures provide detailed steps that help an enterprise minimize the impact of an adverse event but do not directly address data leakage.
Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level?
a. Implement countermeasures.
b. Eliminate the risk.
c. Transfer the risk.
d. Accept the risk.
C is the correct answer. Justification Implementing countermeasures may not be possible and likely would not be the most cost-effective approach to security management. Eliminating the risk may not be possible. Risk is typically transferred to insurance companies when the probability of an incident is low but the impact is high. Examples include hurricanes, tornadoes and earthquakes. Accepting the risk would leave the enterprise vulnerable to a catastrophic disaster that might cripple or ruin the enterprise. It would be more cost-effective to pay recurring insurance costs than to be affected by a disaster from which the enterprise could not financially recover.
The PRIMARY objective of a vulnerability assessment is to:
a. reduce risk to the business.
b. ensure compliance with security policies.
c. provide assurance to management.
d. measure efficiency of services provided.
C is the correct answer. Justification It is necessary to identify vulnerabilities in order to mitigate them. Actual reduction of risk is accomplished through deployment of controls and is a business decision based on a cost-benefit analysis. A security policy may mandate a vulnerability assessment program, but such a program is not established primarily to comply with policy. A vulnerability assessment identifies vulnerabilities so that they may be considered for mitigation. By giving management a complete picture of the vulnerabilities that exist, a vulnerability assessment program allows management to prioritize those vulnerabilities deemed to pose the greatest risk. Vulnerability assessment is not concerned with efficiency of services.
Which of the following is the MAIN reason for performing risk assessment on a continuous basis?
a. The security budget must be continually justified.
b. New vulnerabilities are discovered every day.
c. The risk environment is constantly changing.
d. Management needs to be continually informed about emerging risk.
C is the correct answer. Justification Justification of a budget should never be the main reason for performing a risk assessment. New vulnerabilities should be managed through a patch management process. The risk environment is impacted by factors such as changes in technology and business strategy. These changes introduce new threats and vulnerabilities to the enterprise. As a result, risk assessment should be performed continuously. Informing management about emerging risk is important but is not the main driver for determining when a risk assessment should be performed.
Which of the following will be the MOST likely exploitation target when looking at flaws in application controls?
a. Password change options at the login stage
b. Weak transaction monitoring controls
c. Inadequate validation checks in entry forms
d. Open ports available for external access
C is the correct answer. Justification Password cracking by exploiting a password change option may not be easy unless the perpetrator obtains a valid password in advance. Hence, attackers prefer to look for weaknesses in validation checks in the application control layer. Weak or nonexistent transaction monitoring controls can be a target for exploitation; however, controls with nonexistent or inadequate validation checks are an easier target for attackers. Many attackers exploit weaknesses existing in the application layer. A weak validation check in an entry screen may be vulnerable to structured query language (SQL) injection attacks. Hence, validation control is a key feature in application controls. Control of open ports may be handled by network administration, which is separate from the application control layer. Hence, it is unlikely that attackers exploiting application weaknesses will look for open ports.
Which of the following BEST assists the information security manager in identifying new threats to information security?
a. Performing more frequent reviews of the enterprise's risk factors
b. Developing more realistic information security risk scenarios
c. Understanding the flow and classification of information used by the enterprise
d. A process to monitor post-incident review reports prepared by IT staff
C is the correct answer. Justification Risk factors determine the business impact or frequency of risk and are not related to the identification of threats. Risk scenarios are not used to identify threats as much as they are used to identify the impact and frequency of threats exploiting vulnerabilities within the information security architecture. Understanding the business objectives of the enterprise and how data are to be used by the business assists management in assessing whether an information security event should be considered a new information security threat. The analysis of post-incident reviews assists managers in identifying IS threats that have materialized into incidents and does not necessarily assist IT managers in identifying threats that pose a risk to information security.
Control objectives are MOST closely aligned with:
a. risk tolerance.
b. criticality.
c. risk appetite.
d. sensitivity.
C is the correct answer. Justification Risk tolerance is the acceptable level of deviation from acceptable risk and is not directly affected by control objectives. Criticality is the importance to the business and is one of the considerations when control objectives are set in addition to potential impact, exposure, cost and feasibility of possible controls. However, criticality plays a lesser role in relationships between risk and control. Criticality is more a need for the business than a control to reduce risk for the environment. Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission. Control objectives are set so that controls can be designed on that basis. Sensitivity is the potential impact of unauthorized disclosure, which is one of the considerations in control objectives but is not a control itself. Sensitivity creates risk, which is weighed against the controls put in place to reduce that risk, but sensitivity is an identification marker or classification of data for a control and does not define acceptable risk.
Which of the following is the MOST important risk associated with middleware in a client-server environment?
a. Server patching may be prevented.
b. System backups may be incomplete.
c. Data integrity may be affected.
d. End-user sessions may be hijacked.
C is the correct answer. Justification Server patching is not affected by the presence of middleware. System backups are not affected. The major risk associated with middleware in a client-server environment is that data integrity may be adversely affected if middleware should fail or become corrupted. Hijacked end-user sessions can occur, but they can be detected by implementing security checks in the middleware.
Quantifying the level of acceptable risk can BEST be indicated by which of the following choices?
a. Surveying business process owners and senior managers
b. Determining the percentage of the IT budget allocated to security
c. Determining the ratio of business interruption insurance to its cost
d. Determining the number and severity of incidents impacting the enterprise
C is the correct answer. Justification Surveying management typically provides a widely varying perspective on acceptable risk. The amount spent on security is an indicator but does not quantify acceptable levels of risk. The amount of business interruption insurance carried and its cost specify a directly quantifiable level of risk that the enterprise will accept, and at what cost. The history of incidents will show what risk was not addressed and elicit comments about acceptability but will not indicate what the enterprise is willing to spend on mitigation.
The MOST likely reason that management would choose not to mitigate a risk that exceeds the risk appetite is that it:
a. is the residual risk after controls are applied.
b. is a risk that is expensive to mitigate.
c. falls within the risk tolerance level.
d. is a risk of relatively low frequency.
C is the correct answer. Justification The residual risk may or may not be considered appropriate depending on the level of acceptable risk and the tolerance for variation to that level. If mitigation is too expensive, management should consider other treatment options and not simply choose not to address it. Risk tolerance is the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives. Even if a risk occurs infrequently, the information security manager should address the risk if the magnitude is substantial.
An enterprise is considering the purchase of a new technology that will facilitate better customer interactions and will be integrated into the existing customer relationship management system. Which of the following is the PRIMARY risk the information security manager should consider related to this purchase?
a. The potential that the new technology will not deliver the promised functionality to support the business
b. The availability of ongoing support for the technology and whether existing staff can provide the support
c. The possibility of the new technology affecting the security or operation of other systems
d. The downtime required to reconfigure the existing system to implement and integrate the new technology
C is the correct answer. Justification The risk that the new technology will not support business needs is primarily a responsibility of the business manager rather than the information security manager. The availability of support is a concern, but it is primarily a responsibility of the IT operations manager. The greatest security risk is that the new technology may bypass existing security or impair the operation of existing systems. The security manager should examine the new system for these issues. The downtime required to implement the new technology is primarily a business and IT department factor.
After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be:
a. transferred.
b. treated.
c. accepted.
d. terminated.
C is the correct answer. Justification Transferring the risk is of limited benefit if the cost of the control is more than the potential cost of the risk manifesting. Treating the risk is of limited benefit if the cost of the control is more than the cost of the risk being exploited. When the cost of the control is more than the cost of the risk, the risk should be accepted. If the value of the activity is greater than the potential cost of compromise, then terminating the activity would not be the appropriate advice.
The level of effort needed to meet particular improvement targets in risk management can BEST be determined using which of the following tools?
a. A workflow diagram
b. A Gantt chart
c. A gap analysis
d. A return on investment computation
C is the correct answer. Justification Workflow diagrams document processes. Having a visual representation of how a risk management process works today versus how it would work in a desired state may be useful as part of proposing or implementing changes, but comparing the two states is not the same as knowing what tasks must be completed to move from the current state to the proposed future state, which is what is needed to determine the level of effort. Gantt charts are used to schedule activities (tasks) needed to complete a project. A fully constructed schedule includes all tasks that must be completed and times they will take, but building a schedule deals with prioritization and issues that go beyond what is needed to determine the level of effort. A gap analysis documents the tasks that must be completed to move from the current state to the desired state, and the level of effort may readily be determined. A gap analysis is required for various components of the strategy previously discussed, such as maturity levels, each control objective, and each risk and impact objective. Return on investment, computed in its simplest form by dividing net income by the total investment over the period being considered, is a measure of operating performance and efficiency. It does not measure levels of effort.
The acquisition of new IT systems that are critical to an enterprise's core business can create significant risk. To effectively manage the risk, the information security manager should FIRST:
a. ensure that the IT manager accepts the risk of the technology choices.
b. require the approval of auditors prior to deployment.
c. obtain senior management approval for IT purchases.
d. ensure that appropriate procurement processes are employed.
D is the correct answer. Justification Acceptance of identified risk associated with particular technologies is the responsibility of the business process owner, and possibly of senior management, but it would happen after the risk was identified during the procurement process. Auditors may identify risk but are not responsible for managing it. Senior management will typically be involved in IT acquisitions only from a budgetary perspective. Appropriate procurement processes will include processes to initially identify the risk that may be introduced by the new system.
In which phase of the development process should risk assessment be FIRST introduced?
a. Programming
b. Specification
c. User testing
d. Feasibility
D is the correct answer. Justification Assessment would not be relevant in the programming phase. Risk should be considered in the specification phase, when the controls are designed, but this evaluation would still be based on the assessment carried out in the feasibility study. Assessment would not be relevant in the user testing phase. Risk should be addressed as early as possible in the development cycle. The feasibility study should include risk assessment so that the cost of controls can be estimated before the project proceeds.
At what interval should a risk assessment TYPICALLY be conducted?
a. Once a year for each business process and subprocess
b. Every three to six months for critical business processes
c. On a continuous basis
d. Annually or whenever there is a significant change
D is the correct answer. Justification Conducting a risk assessment once a year is insufficient if important changes take place. Conducting a risk assessment every three to six months for critical processes is not typical and may not be necessary, or it may not address important changes in a timely manner. Performing risk assessments on a continuous basis is generally financially not feasible; it is more cost-effective to conduct risk assessments annually or whenever there is a significant change. Risk is constantly changing. Conducting a risk assessment annually or whenever there is a significant change offers the best alternative because it takes into consideration a reasonable time frame and allows flexibility to address significant change.
Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the enterprise's network?
a. Configuration of firewalls
b. Strength of encryption algorithms
c. Authentication within application
d. Safeguards over keys
D is the correct answer. Justification Firewalls can be perfectly configured, but if the keys make it to the other side, they will not prevent the document from being decrypted. Even easy encryption algorithms require adequate resources to break, whereas encryption keys, once obtained, can be used with no effort at all. The application front door controls may be bypassed by accessing data directly. Key management is the weakest link in encryption. If keys are in the wrong hands, documents can be read regardless of where they are on the network.
In conducting an initial technical vulnerability assessment, which of the following choices should receive top priority?
a. Systems impacting legal or regulatory standing
b. Externally facing systems or applications
c. Resources subject to performance contracts
d. Systems covered by business interruption insurance
D is the correct answer. Justification Legal and regulatory considerations are evaluated in the same manner as other forms of risk. Externally facing systems or applications are not necessarily high-impact systems. The prioritization of a vulnerability assessment needs to be made on the basis of impact. Although the impact associated with the loss of any resource subject to a performance contract is clearly quantifiable, it may not necessarily be a critical resource. If the loss of a contract system poses a significant impact to the enterprise, additional measures such as business interruption insurance will be in place. Maintaining business operations is always the priority. If a system is covered by business interruption insurance, it is a clear indication that management deems it to be a critical system.
For risk management purposes, the value of a physical asset should be based on:
a. original cost.
b. net cash flow.
c. net present value.
d. replacement cost.
D is the correct answer. Justification Original cost may be significantly different from the current cost of replacing the asset. Net cash flow does not accurately reflect the true value of the asset. Net present value does not accurately reflect the true value of the asset. The value of a physical asset should be based on its replacement cost because this is the amount that would be needed to replace the asset if it were to become damaged or destroyed.
An enterprise security risk assessment was conducted based on assumptions about enterprise risk. Which of the following would be the BEST course of action to improve the quality of the assessment?
a. Recruit experienced interviewers to the assessment team
b. Review past risk assessments for background information
c. Request that business units classify information assets
d. Include relevant stakeholders during assessment activities
D is the correct answer. Justification Skilled interviewers may help in conducting risk assessments; however, interview skills alone may not resolve this type of problem. Past risk assessments may not be relevant to the current state of the enterprise. Classification of information assets is a part of an information security program conducted in the business area. It does not affect how an information security risk assessment is currently conducted. Including relevant stakeholders is an ideal way to move beyond a risk assessment based on assumptions, as they can provide essential insight that would otherwise be missed.
Which of the following internal or external influences on an enterprise is the MOST difficult to estimate?
a. Vulnerability posture
b. Compliance requirements
c. Outsourcing expenses
d. Threat landscape
D is the correct answer. Justification The vulnerability posture of an enterprise can be estimated with a high degree of accuracy through systematic, iterative review of systems, data flows, people and processes. Compliance requirements may be ambiguous at first, but as requirements are reviewed and narrowed, their influence on an enterprise becomes more predictable until the requirements change or expand over time. The long-term costs of outsourcing are difficult to predict, but the cost is generally clear for defined periods of time (e.g., contract periods). In contrast, the threat landscape is always difficult to estimate. Threats originate from independent sources that may be natural or human-directed. Neither can be positively predicted in all cases. Human-directed threats in particular are extremely difficult to estimate in an information security context because very small numbers of threat actors (including individuals with no assistance) may be ready and able to initiate threat events for any reason at all, including reasons that are not sensible to the individual or an impartial observer.
Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?
a. User assessments of changes
b. Comparison of the program results with industry standards
c. Assignment of risk within the enterprise
d. Participation by all members of the enterprise
D is the correct answer. Justification User assessments are most likely focused on their convenience and ease of use rather than effectiveness of the program. Comparing results with industry standards is a meaningless gauge; however, comparing results to program objectives would be very useful. Assigning ownership of risk is a good first step in improving accountability and, therefore, probably effectiveness. Effective risk management requires participation, support and acceptance by all applicable members of the enterprise, beginning with the executive levels. Personnel must understand their responsibilities and be trained on how to fulfill their roles.
Reducing exposure of a critical asset is an effective mitigation measure because it reduces:
a. the impact of a compromise.
b. the likelihood of being exploited.
c. the vulnerability of the asset.
d. the time needed for recovery.
B is the correct answer. Justification The impact of a successful exploit will not change. Reducing exposure reduces the likelihood of a vulnerability being exploited. The vulnerabilities of the asset will not change because exposure is reduced. The recovery time is not affected by a reduction in exposure.
