OLD - CISM TQ 7
When a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning, which of the following should automatically occur FIRST? A. The firewall should block all inbound traffic during the outage B. All systems should block new logins until the problem is corrected C. Access control should fall back to no synchronized mode D. System logs should record all user activity for later analysis
Access control should fall back to no synchronized mode The best mechanism is for the system to fallback to the original process of logging on individually to each system. Blocking traffic and new logins would be overly restrictive to the conduct of business, while recording all user activity would add little value.
What is the MOST important consideration when establishing metrics for reporting to the information security strategy committee? A. Agreeing on baseline values for the metrics B. Developing a dashboard for communicating the metrics C. Providing real-time insight on the security posture of the organization D. Benchmarking the expected value of the metrics against industry standards
Agreeing on baseline values for the metrics
Which of the following devices should be placed within a DMZ? A. Proxy server B. Application server C. Departmental server D. Data warehouse server
Application server An application server should normally be placed within a demilitarized zone (DMZ) to shield the internal network. Data warehouse and departmental servers may contain confidential or valuable data and should always be placed on the internal network, never on a DMZ that is subject to compromise. A proxy server forms the inner boundary of the DMZ but is not placed within it.
Which of the following BEST validates that security controls are implemented in a new business process? A. Assess the process according to information security policy. B. Benchmark the process against industry practices. C. Verify the use of a recognized control framework. D. Review the process for conformance with information security best practices
Assess the process according to information security policy
Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met? A. SWOT analysis B. Waterfall chart C. Gap analysis D. Balanced scorecard
Balanced scorecard The balanced scorecard is most effective for evaluating the degree to which information security objectives are being met. A SWOT analysis addresses strengths, weaknesses, opportunities and threats. Although useful, a SWOT analysis is not as effective a tool. Similarly, a gap analysis, while useful for identifying the difference between the current state and the desired future state, is not the most appropriate tool. A waterfall chart is used to understand the flow of one process into another.
Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network? A. Boundary router B. Strong encryption C. Internet-facing firewall D. Intrusion detection system (IDS)
Boundary router Strong encryption is the most effective means of protecting wireless networks. Boundary routers, intrusion detection systems (IDSs) and Internet-facing firewalls would not be as effective.
Which of the following is MOST important to consider when developing a disaster recovery plan? A. Business continuity plan (BCP) B. Business impact analysis (BIA) C. Cost-benefit analysis D. Feasibility assessment
Business impact analysis (BIA)
Which of the following processes is the FIRST step in establishing an information security policy? A. Security controls evaluation B. Information security audit C. Review of current global standards D. Business risk assessment
Business risk assessment
Which of the following should be of MOST influence to an information security manager when developing IT security policies? A. Past and current threats B. IT security framework C. Compliance with regulations D. Business strategy
Business strategy
When application-level security controlled by business process owners is found to be poorly managed, which of the following could BEST improve current practices? A. Centralizing security management B. Implementing sanctions for noncompliance C. Policy enforcement by IT management D. Periodic compliance reviews
Centralizing security management By centralizing security management, the organization can ensure that security standards are applied to all systems equally and in line with established policy. Sanctions for noncompliance would not be the best way to correct poor management practices caused by work overloads or insufficient knowledge of security practices. Enforcement of policies is not solely the responsibility of IT management. Periodic compliance reviews would not correct the problems, by themselves, although reports to management would trigger corrective action such as centralizing security management.
Which of the following features is normally missing when using Secure Sockets Layer (SSL) in a web browser? A. Certificate-based authentication of web client B. Certificate-based authentication of web server C. Data confidentiality between client and web server D. Multiple encryption algorithms
Certificate-based authentication of web client Web browsers have the capability of authenticating through client-based certificates; nevertheless, it is not commonly used. When using https, servers always authenticate with a certificate and, once the connection is established, confidentiality will be maintained between client and server. By default, web browsers and servers support multiple encryption algorithms and negotiate the best option upon connection.
Which of the following BEST ensures that modifications made to in-house developed business applications do not introduce new security exposures? A. Stress testing B. Patch management C. Change management D. Security baselines
Change management Change management controls the process of introducing changes to systems to ensure that unintended changes are not introduced. Patch management involves the correction of software weaknesses and helps ensure that newly identified exploits are mitigated in a timely fashion. Security baselines provide minimum recommended settings. Stress testing ensures that there are no scalability problems.
Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems? A. Patch management B. Change management C. Security baselines D. Virus detection
Change management Change management controls the process of introducing changes to systems. This is often the point at which a weakness will be introduced. Patch management involves the correction of software weaknesses and would necessarily follow change management procedures. Security baselines provide minimum recommended settings and do not prevent introduction of control weaknesses. Virus detection is an effective tool but primarily focuses on malicious code from external sources, and only for those applications that are online.
Which of the following is MOST effective in preventing the introduction of vulnerabilities that may disrupt the availability of a critical business application? A. A patch management process B. Change management controls C. Logical access controls D. Version control
Change management controls Change management controls the process of introducing changes to systems. Failure to have good change management may introduce new weaknesses into otherwise secure systems. Patch management corrects discovered weaknesses by applying a correction to the original program code. Security metrics provide a means for measuring effectiveness. Version control is a subset of change management.
An operating system (OS) noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution? A. Rewrite the application to conform to the upgraded operating system B. Compensate for not installing the patch with mitigating controls C. Alter the patch to allow the application to run in a privileged state D. Run the application on a test platform; tune production to allow patch and application
Compensate for not installing the patch with mitigating controls Since the operating system (OS) patch will adversely impact a critical application, a mitigating control should be identified that will provide an equivalent level of security. Since the application is critical, the patch should not be applied without regard for the application; business requirements must be considered. Altering the OS patch to allow the application to run in a privileged state may create new security weaknesses. Finally, running a production application on a test platform is not an acceptable alternative since it will mean running a critical production application on a platform not subject to the same level of security controls.
Which of the following should be an information security manager's PRIMARY focus during the development of a critical system storing highly confidential data? A. Ensuring the amount of residual risk is acceptable B. Reducing the number of vulnerabilities detected C. Avoiding identified system threats D. Complying with regulatory requirements
Complying with regulatory requirements
Which of the following is the BEST approach for encouraging business units to assume their roles and responsibilities in an information security program? A. Perform a risk assessment. B. Conduct an awareness program. C. Conduct a security audit. D. Develop controls and countermeasures.
Conduct an awareness program
Which of the following practices completely prevents a man-in-the-middle (MitM) attack between two hosts? A. Use security tokens for authentication B. Connect through an IPSec VPN C. Use https with a server-side certificate D. Enforce static media access control (MAC) addresses
Connect through an IPSec VPN IPSec effectively prevents man-in-the-middle (MitM) attacks by including source and destination IPs within the encrypted portion of the packet. The protocol is resilient to MitM attacks. Using token-based authentication does not prevent a MitM attack; however, it may help eliminate reusability of stolen cleartext credentials. An https session can be intercepted through Domain Name Server (DNS) or Address Resolution Protocol (ARP) poisoning. ARP poisoning, a specific kind of MitM attack, may be prevented by setting static media access control (MAC) addresses. Nevertheless, DNS and NetBIOS resolution can still be attacked to deviate traffic.
When preparing a business case for the implementation of a security information and event management (SIEM) system, which of the following should be a PRIMARY driver in the feasibility study? A. Cost of software B. Cost-benefit analysis C. Implementation timeframe D. Industry benchmarks
Cost-benefit analysis
Which of the following tools is MOST appropriate for determining how long a security project will take to implement? A. Gantt chart B. Waterfall chart C. Critical path D. Rapid Application Development (RAD)
Critical path The critical path method is most effective for determining how long a project will take. A waterfall chart is used to understand the flow of one process into another. A Gantt chart facilitates the proper estimation and allocation of resources. The Rapid Application Development (RAD) method is used as an aid to facilitate and expedite systems development.
Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers? A. Daily B. Weekly C. Concurrently with O/S patch updates D. During scheduled change control updates
Daily New viruses are being introduced almost daily. The effectiveness of virus detection software depends on frequent updates to its virus signatures, which are stored in antivirus signature files, so updates may be carried out several times during the day. At a minimum, daily updating should occur. Patches may occur less frequently. Weekly updates may potentially allow new viruses to infect the system.
Which of the following is the MOST effective approach for integrating security into application development? A. Defining security requirements B. Performing vulnerability scans C. Including security in user acceptance testing sign-off D. Developing security models in parallel
Defining security requirements
An e-commerce order fulfillment web server should generally be placed on which of the following? A. Internal network B. Demilitarized zone (DMZ) C. Database server D. Domain controller
Demilitarized zone (DMZ) An e-commerce order fulfillment web server should be placed within a DMZ to protect it and the internal network from external attack. Placing it on the internal network would expose the internal network to potential attack from the Internet. Since a database server should reside on the internal network, the same exposure would exist. Domain controllers would not normally share the same physical device as a web server.
Which of the following is the BEST way for an information security manager to justify continued investment in the information security program when the organization is facing significant budget cuts? A. Demonstrate that the program enables business activities B. Demonstrate an increase in ransomware attacks targeting peer organizations C. Demonstrate that implemented program controls are effective D. Demonstrate the readiness of business continuity plans
Demonstrate that the program enables business activities
Which of the following should be the information security manager's NEXT step following senior management approval of the information security strategy? A. Develop a security policy. B. Develop a budget. C. Perform a gap analysis. D. Form a steering committee.
Develop a security policy
After adopting an information security framework, an information security manager is working with senior management to change the organization-wide perception that information security is solely the responsibility of the information security department. To achieve this objective, what should be the information security manager's FIRST A. Develop an operational plan providing best practices for information security projects. B. Develop an information security awareness campaign with senior management's support. C. Document and publish the responsibilities of the information security department. D. Implement a formal process to conduct periodic compliance reviews.
Develop an information security awareness campaign with senior management's support.
Which of the following is the information security manager's PRIMARY role in the information assets classification process? A. Assigning asset ownership B. Assigning the asset classification level C. Securing assets in accordance with their classification D. Developing an asset classification model
Developing an asset classification model
Which of the following is the - responsibility of the information security steering committee? A. Developing security policies aligned with the corporate and IT strategies B. Reviewing business cases where benefits have not been realized C. Identifying risks associated with new security initiatives D. Developing and presenting business cases for security initiatives
Developing security policies aligned with the corporate and IT strategies
A multinational organization has developed a bring your own device (BYOD) policy that requires the installation of mobile device management (MDM) software on personally owned devices. Which of the following poses the GREATEST challenge for implementing the policy? A. Varying employee data privacy rights B. Translation and communication of policy C. Differences in mobile OS platforms D. Differences in corporate cultures
Differences in mobile OS platforms
Which of the following is the MOST important guideline when using software to scan for security exposures within a corporate network? A. Never use open source tools B. Focus only on production servers C. Follow a linear process for attacks D. Do not interrupt production processes
Do not interrupt production processes The first rule of scanning for security exposures is to not break anything. This includes the interruption of any running processes. Open source tools are an excellent resource for performing scans. Scans should focus on both the test and production environments since, if compromised, the test environment could be used as a platform from which to attack production servers. Finally, the process of scanning for exposures is more of a spiral process than a linear process.
A border router should be placed on which of the following? A. Web server B. IDS server C. Screened subnet D. Domain boundary
Domain boundary A border router should be placed on a (security) domain boundary. Placing it on a web server or screened subnet, which is a demilitarized zone (DMZ), would not provide any protection. Border routers are positioned on the boundary of the network, but do not reside on a server.
On which of the following should a firewall be placed? A. Web server B. Intrusion detection system (IDS) server C. Screened subnet D. Domain boundary
Domain boundary A firewall should be placed on a (security) domain boundary. Placing it on a web server or screened subnet, which is a demilitarized zone (DMZ), does not provide any protection. Since firewalls should be installed on hardened servers with minimal services enabled, it is inappropriate to have the firewall and the intrusion detection system (IDS) on the same physical device.
Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender? A. Biometric authentication B. Embedded steganographic C. Two-factor authentication D. Embedded digital signature
Embedded digital signature Digital signatures ensure that transmitted information can be attributed to the named sender; this provides nonrepudiation. Steganographic techniques are used to hide messages or data within other files. Biometric and two-factor authentication are not generally used to protect Internet data transmissions.
Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register? A. Authentication B. Hardening C. Encryption D. Nonrepudiation
Encryption Cardholder data should be encrypted using strong encryption techniques. Hardening would be secondary in importance, while nonrepudiation would not be as relevant. Authentication of the point-of-sale (POS) terminal is a previous step to acquiring the card information.
In the process of deploying a new e-mail system, an information security manager would like to ensure the confidentiality of messages while in transit. Which of the following is the MOST appropriate method to ensure data confidentiality in a new e-mail system implementation? A. Encryption B. Digital certificate C. Digital signature D. Hashing algorithm
Encryption To preserve confidentiality of a message while in transit, encryption should be implemented. Choices B and C only help authenticate the sender and the receiver. Choice D ensures integrity.
Which of the following contributes MOST to the effective implementation of an information security strategy? A. Reporting of security metrics B. Regular security awareness training C. Endorsement by senior management D. Implementation of security standards
Endorsement by senior management
Implementing a strong password policy is part of an organization's information security strategy for the year. A business unit believes the strategy may adversely affect a client's adoption of a recently developed mobile application and has decided not to implement the policy. Which of the following is the information security manager's BEST course of action? A. Analyze the risk and impact of not implementing the policy. B. Develop and implement a password policy for the mobile application. C. Escalate non-implementation of the policy to senior management. D. Benchmark with similar mobile applications to identify gaps.
Escalate non-implementation of the policy to senior management
Which of the following practices is BEST to remove system access for contractors and other temporary users when it is no longer required? A. Log all account usage and send it to their manager B. Establish predetermined automatic expiration dates C. Require managers to e-mail security when the user leaves D. Ensure each individual has signed a security acknowledgement
Establish predetermined automatic expiration dates Predetermined expiration dates are the most effective means of removing systems access for temporary users. Reliance on managers to promptly send in termination notices cannot always be counted on, while requiring each individual to sign a security acknowledgement would have little effect in this case.
An organization plans to leverage popular social network platforms to promote its products and services. Which of the following is the BEST course of action for the information security manager to support this initiative? A. Develop security controls for the use of social networks B. Assess the security risk associated with the use of social networks C. Establish processes to publish content on social networks D. Conduct vulnerability assessments on social network platforms
Establish processes to publish content on social networks
Which of the following is MOST important for a successful information security program? A. Adequate training on emerging security technologies B. Open communication with key process owners C. Adequate policies, standards and procedures D. Executive management commitment
Executive management commitment Sufficient executive management support is the most important factor for the success of an information security program. Open communication, adequate training, and good policies and procedures, while important, are not as important as support from top management; they will not ensure success if senior management support is not present.
Which of the following is the BEST method to provide a new user with their initial password for e-mail system access? A. Interoffice a system-generated complex password with 30 days expiration B. Give a dummy password over the telephone set for immediate expiration C. Require no password but force the user to set their own in 10 days D. Set initial password equal to the user ID with expiration in 30 days
Give a dummy password over the telephone set for immediate expiration Documenting the password on paper is not the best method, even if it is sent through interoffice mail; if the password is complex and difficult to memorize, the user will likely keep the printed password, which creates a security concern. A dummy (temporary) password that will need to be changed upon first logon is the best method because it is reset immediately and replaced with the user's choice of password, which will make it easier for the user to remember. If it is given to the wrong person, the legitimate user will likely notify security if still unable to access the system, so the security risk is low. Setting an account with no initial password is a security concern even if it is just for a few days. Choice D provides the greatest security threat because user IDs are typically known by both users and security staff, thus compromising access for up to 30 days.
Which of the following would BEST enable an organization to effectively monitor the implementation of standardized configurations? A. Implement a separate change tracking system to record changes to configurations. B. Perform periodic audits to detect non-compliant configurations. C. Develop policies requiring use of the established benchmarks. D. Implement automated scanning against the established benchmarks.
Implement automated scanning against the established benchmarks
What should the information security manager recommend to support the development of a new web application that will allow retail customers to view inventory and order products? A. Building an access control matrix B. Request customers adhere to baseline security standards C. Access through a virtual private network (VPN) D. Implementation of secure transmission protocols
Implementation of secure transmission protocols
Security awareness training is MOST likely to lead to which of the following? A. Decrease in intrusion incidents B. Increase in reported incidents C. Decrease in security policy changes D. Increase in access rule violations
Increase in reported incidents Reported incidents will provide an indicator as to the awareness level of staff. An increase in reported incidents could indicate that staff is paying more attention to security. Intrusion incidents and access rule violations may or may not have anything to do with awareness levels. A decrease in changes to security policies may or may not correlate to security awareness training.
What should be the PRIMARY objective of conducting interviews with business unit managers when developing an information security strategy? A. Determine information types B. Obtain information on departmental goals C. Identify data and system ownership D. Classify information assets
Obtain information on departmental goals
Which of the following is MOST effective in preventing security weaknesses in operating systems? A. Patch management B. Change management C. Security baselines D. Configuration management
Patch management Patch management corrects discovered weaknesses by applying a correction (a patch) to the original program code. Change management controls the process of introducing changes to systems. Security baselines provide minimum recommended settings. Configuration management controls the updates to the production environment.
Which of the following ensures that newly identified security weaknesses in an operating system are mitigated in a timely fashion? A. Patch management B. Change management C. Security baselines D. Acquisition management
Patch management Patch management involves the correction of software weaknesses and helps ensure that newly identified exploits are mitigated in a timely fashion. Change management controls the process of introducing changes to systems. Security baselines provide minimum recommended settings. Acquisition management controls the purchasing process.
When developing a new application, which of the following is the BEST approach to ensure compliance with security requirements? A. Provide security training for developers. B. Prepare detailed acceptance criteria. C. Adhere to change management processes. D. Perform a security gap analysis.
Prepare detailed acceptance criteria
Management is questioning the need for several items in the information security budget proposal. Which of the following would have been MOST helpful prior to budget submission? A. Benchmarking information security efforts of industry competitors B. Obtaining better pricing from information security service vendors C. Presenting a report of current threats to the organization D. Educating management on information security best practices
Presenting a report of current threats to the organization
Which of the following would be MOST important to include in a business case to help obtain senior management's commitment for an information security investment? A. Results of an independent audit B. Industry best practices C. Projected business value D. Reference to business policies
Projected business value
Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation? A. Symmetric cryptography B. Public key infrastructure (PKI) C. Message hashing D. Message authentication code
Public key infrastructure (PKI) Public key infrastructure (PKI) combines public key encryption with a trusted third party to publish and revoke digital certificates that contain the public key of the sender. Senders can digitally sign a message with their private key and attach their digital certificate (provided by the trusted third party). These characteristics allow senders to provide authentication, integrity validation and nonrepudiation. Symmetric cryptography provides confidentiality. Hashing can provide integrity and confidentiality. Message authentication codes provide integrity.
Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism? A. Number of attacks detected B. Number of successful attacks C. Ratio of false positives to false negatives D. Ratio of successful to unsuccessful attacks
Ratio of false positives to false negatives The ratio of false positives to false negatives will indicate whether an intrusion detection system (IDS) is properly tuned to minimize the number of false alarms while, at the same time, minimizing the number of omissions. The number of attacks detected, successful attacks or the ratio of successful to unsuccessful attacks would not indicate whether the IDS is properly configured.
When using a newly implemented security information and event management (SIEM) infrastructure, which of the following should be considered FIRST? A. Retention B. Tuning C. Encryption D. Report distribution
Report distribution
Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information? A. Baseline security standards B. System access violation logs C. Role-based access controls D. Exit routines
Role-based access controls Role-based access controls help ensure that users only have access to files and systems appropriate for their job role. Violation logs are detective and do not prevent unauthorized access. Baseline security standards do not prevent unauthorized access. Exit routines are dependent upon appropriate role-based access.
Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network? A. Configuration of firewalls B. Strength of encryption algorithms C. Authentication within application D. Safeguards over keys
Safeguards over keys If keys are in the wrong hands, documents will be able to be read regardless of where they are on the network. Choice A is incorrect because firewalls can be perfectly configured, but if the keys make it to the other side, they will not prevent the document from being decrypted. Choice B is incorrect because even easy encryption algorithms require adequate resources to break, whereas encryption keys can be easily used. Choice C is incorrect because the application "front door" controls may be bypassed by accessing data directly.
Which of the following is the MOST effective solution for preventing individuals external to the organization from modifying sensitive information on a corporate database? A. Screened subnets B. Information classification policies and procedures C. Role-based access controls D. Intrusion detection system (IDS)
Screened subnets Screened subnets are demilitarized zones (DMZs) and are oriented toward preventing attacks on an internal network by external users. The policies and procedures to classify information will ultimately result in better protection but they will not prevent actual modification. Role-based access controls would help ensure that users only had access to files and systems appropriate for their job role. Intrusion detection systems (IDS) are useful to detect invalid attempts but they will not prevent attempts.
The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C) financial web application is: A. Secure Sockets Layer (SSL). B. Secure Shell (SSH). C. IP Security (IPSec). D. Secure/Multipurpose Internet Mail Extensions (S/MIME).
Secure Sockets Layer (SSL). Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications over the Internet, including endpoint authentication and communications privacy. In typical use, all data transmitted between the customer and the business are, therefore, encrypted by the business's web server and remain confidential. SSH File Transfer Protocol (SFTP) is a network protocol that provides file transfer and manipulation functionality over any reliable data stream. It is typically used with the SSH-2 protocol to provide secure file transfer. IP Security (IPSec) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. There are two modes of IPSec operation: transport mode and tunnel mode. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for public key encryption and signing of e-mail encapsulated in MIME; it is not a web transaction protocol.
Which of the following is MOST effective in protecting against the attack technique known as phishing? A. Firewall blocking rules B. Up-to-date signature files C. Security awareness training D. Intrusion detection monitoring
Security awareness training Phishing relies on social engineering techniques. Providing good security awareness training will best reduce the likelihood of such an attack being successful. Firewall rules, signature files and intrusion detection system (IDS) monitoring will be largely unsuccessful at blocking this kind of attack.
Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee? A. Security compliant servers trend report B. Percentage of security compliant servers C. Number of security patches applied D. Security patches applied trend report
Security compliant servers trend report The percentage of compliant servers will be a relevant indicator of the risk exposure of the infrastructure. However, the percentage is less relevant than the overall trend, which would provide a measurement of the efficiency of the IT security program. The number of patches applied would be less relevant, as this would depend on the number of vulnerabilities identified and patches provided by vendors.
An outsource service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know? A. Security in storage and transmission of sensitive data B. Provider's level of compliance with industry standards C. Security technologies in place at the facility D. Results of the latest independent security review
Security in storage and transmission of sensitive data How the outsourcer protects the storage and transmission of sensitive information will allow an information security manager to understand how sensitive data will be protected. Choice B is an important but secondary consideration. Choice C is incorrect because security technologies are not the only components to protect the sensitive customer information. Choice D is incorrect because an independent security review may not include analysis on how sensitive customer information would be protected.
Which of the following is MOST important to the success of an information security program? A. Security awareness training B. Achievable goals and objectives C. Senior management sponsorship D. Adequate start-up budget and staffing
Senior management sponsorship Sufficient senior management support is the most important factor for the success of an information security program. Security awareness training, although important, is secondary. Achievable goals and objectives as well as having adequate budgeting and staffing are important factors, but they will not ensure success if senior management support is not present.
Which of the following is the MOST important item to include when developing web hosting agreements with third-party providers? A. Termination conditions B. Liability limits C. Service levels D. Privacy restrictions
Service levels Service levels are key to holding third parties accountable for adequate delivery of services. This is more important than termination conditions, privacy restrictions or liability limitations.
Who can BEST approve plans to implement an information security governance framework? A. Internal auditor B. Information security management C. Steering committee D. Infrastructure management
Steering committee Senior management that is part of the security steering committee is in the best position to approve plans to implement an information security governance framework. An internal auditor is secondary to the authority and influence of senior management. Information security management should not have the authority to approve the security governance framework. Infrastructure management will not be in the best position since it focuses more on the technologies than on the business.
What is the BEST defense against a Structured Query Language (SQL) injection attack? A. Regularly updated signature files B. A properly configured firewall C. An intrusion detection system D. Strict controls on input fields
Strict controls on input fields Structured Query Language (SQL) injection involves the typing of programming command statements within a data entry field on a web page, usually with the intent of fooling the application into thinking that a valid password has been entered in the password entry field. The best defense against such an attack is to have strict edits on what can be typed into a data input field so that programming commands will be rejected. Code reviews should also be conducted to ensure that such edits are in place and that there are no inherent weaknesses in the way the code is written; software is available to test for such weaknesses. All other choices would fail to prevent such an attack.
Which of the following is the MOST important risk associated with middleware in a client-server environment? A. Server patching may be prevented B. System backups may be incomplete C. System integrity may be affected D. End-user sessions may be hijacked
System integrity may be affected The major risk associated with middleware in a client-server environment is that system integrity may be adversely affected because of the very purpose of middleware, which is intended to support multiple operating environments interacting concurrently. Lack of proper software to control portability of data or programs across multiple platforms could result in a loss of data or program integrity. All other choices are less likely to occur.
Which of the following is the MOST important item to consider when evaluating products to monitor security across the enterprise? A. Ease of installation B. Product documentation C. Available support D. System overhead
System overhead Monitoring products can impose a significant impact on system overhead for servers and networks. Product documentation, telephone support and ease of installation, while all important, would be secondary.
A third-party service provider is developing a mobile app for an organization's customers. Which of the following issues should be of GREATEST concern to the information security manager? A. Software escrow is not addressed in the contract. B. The contract has no requirement for secure development practices. C. The mobile app's programmers are all offshore contractors. D. SLAs after deployment are not clearly defined.
The contract has no requirement for secure development practices
Which of the following is the MOST important consideration when designing information security architecture? A. Risk management parameters for the organization are defined. B. The information security architecture is aligned with industry standards. C. The level of security supported is based on business decisions. D. The existing threat landscape is monitored.
The level of security supported is based on business decisions
A company has purchased a rival organization and is looking to integrate security strategies. Which of the following is the GREATEST issue to consider? A. The organizations have different risk appetites B. Differing security technologies C. Differing security skills within the organizations D. Confidential information could be leaked
The organizations have different risk appetites
An information security manager is developing a new information security strategy. Which of the following functions would serve as the BEST resource to review the strategy and provide guidance for business alignment? A. Internal audit B. The steering committee C. The legal department D. The board of directors
The steering committee
When integrating information security requirements into software development, which of the following practices should be FIRST in the development lifecycle? A. Penetration testing B. Dynamic code analysis C. Threat modeling D. Source code review
Threat modeling
When a user employs a client-side digital certificate to authenticate to a web server through Secure Socket Layer (SSL), confidentiality is MOST vulnerable to which of the following? A. IP spoofing B. Man-in-the-middle attack C. Repudiation D. Trojan
Trojan A Trojan is a program that gives the attacker full control over the infected computer, thus allowing the attacker to hijack, copy or alter information after authentication by the user. IP spoofing will not work because IP is not used as an authentication mechanism. Man-in-the-middle attacks are not possible if using SSL with client-side certificates. Repudiation is unlikely because client-side certificates authenticate the user.
Which of the following is the MOST important consideration when implementing an intrusion detection system (IDS)? A. Tuning B. Patching C. Encryption D. Packet filtering
Tuning If an intrusion detection system (IDS) is not properly tuned it will generate an unacceptable number of false positives and/or fail to sound an alarm when an actual attack is underway. Patching is more related to operating system hardening, while encryption and packet filtering would not be as relevant.
Which of the following technologies is utilized to ensure that an individual connecting to a corporate internal network over the Internet is not an intruder masquerading as an authorized user? A. Intrusion detection system (IDS) B. IP address packet filtering C. Two-factor authentication D. Embedded digital signature
Two-factor authentication Two-factor authentication provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network. IP address packet filtering would protect against spoofing an internal address but would not provide strong authentication. An intrusion detection system (IDS) can be used to detect an external attack but would not help in authenticating a user attempting to connect. Digital signatures ensure that transmitted information can be attributed to the named sender.
Which of the following devices should be placed within a demilitarized zone (DMZ)? A. Network switch B. Web server C. Database server D. File/print server
Web server A web server should normally be placed within a demilitarized zone (DMZ) to shield the internal network. Database and file/print servers may contain confidential or valuable data and should always be placed on the internal network, never on a DMZ that is subject to compromise. Switches may bridge a DMZ to another
What is an appropriate frequency for updating operating system (OS) patches on production servers? A. During scheduled rollouts of new applications B. According to a fixed security patch management schedule C. Concurrently with quarterly hardware maintenance D. Whenever important security patches are released
Whenever important security patches are released Patches should be applied whenever important security updates are released. They should not be delayed to coincide with other scheduled rollouts or maintenance. Due to the possibility of creating a system outage, they should not be deployed during critical periods of application activity such as month-end or quarter-end closing.
A message that has been encrypted by the sender's private key and again by the receiver's public key achieves: A. authentication and authorization. B. confidentiality and integrity. C. confidentiality and nonrepudiation. D. authentication and nonrepudiation.
confidentiality and nonrepudiation Encryption by the private key of the sender will guarantee authentication and nonrepudiation. Encryption by the public key of the receiver will guarantee confidentiality.
The information classification scheme should: A. consider possible impact of a security breach. B. classify personal information in electronic form. C. be performed by the information security manager. D. classify systems according to the data processed.
consider possible impact of a security breach Data classification is determined by the business risk, i.e., the potential impact on the business of the loss, corruption or disclosure of information. It must be applied to information in all forms, both electronic and physical (paper), and should be applied by the data owner, not the security manager. Choice B is an incomplete answer because it addresses only privacy issues, while choice A is a more complete response.
The MOST important success factor to design an effective IT security awareness program is to: A. customize the content to the target audience. B. ensure senior management is represented. C. ensure that all the staff is trained. D. avoid technical content but give concrete examples.
customize the content to the target audience Awareness training can only be effective if it is customized to the expectations and needs of attendees. Needs will be quite different depending on the target audience and will vary between business managers, end users and IT staff; program content and the level of detail communicated will therefore be different. Other criteria are also important; however, the customization of content is the most important factor.
Secure customer use of an e-commerce application can BEST be accomplished through: A. data encryption. B. digital signatures. C. strong passwords. D. two-factor authentication.
data encryption Encryption would be the preferred method of ensuring confidentiality in customer communications with an e-commerce application. Strong passwords, by themselves, would not be sufficient since the data could still be intercepted, while two-factor authentication would be impractical. Digital signatures would not provide a secure means of communication. In most business-to-customer (B-to-C) web applications, a digital signature is also not a practical solution.
When creating an incident response plan, the PRIMARY benefit of establishing a clear definition of a security incident is that it helps to: A. communicate the incident response process to stakeholders B. develop effective escalation and response procedures C. make tabletop testing more effective D. adequately staff and train incident response teams
develop effective escalation and response procedures
The MOST important reason that statistical anomaly-based intrusion detection systems (stat IDSs) are less commonly used than signature-based IDSs, is that stat IDSs: A. create more overhead than signature-based IDSs. B. cause false positives from minor changes to system variables. C. generate false alarms from varying user or system actions. D. cannot detect new types of attacks.
generate false alarms from varying user or system actions A statistical anomaly-based intrusion detection system (stat IDS) collects data from normal traffic and establishes a baseline. It then periodically samples the network activity based on statistical methods and compares samples to the baseline. When the activity is outside the baseline parameter (clipping level), the IDS notifies the administrator. The baseline variables can include a host's memory or central processing unit (CPU) usage, network packet types and packet quantities. If actions of the users or the systems on the network vary widely with periods of low activity and periods of frantic packet exchange, a stat IDS may not be suitable, as the dramatic swing from one level to another almost certainly will generate false alarms. This weakness will have the largest impact on the operation of the IT systems. Due to the nature of stat IDS operations (i.e., they must constantly attempt to match patterns of activity to the baseline parameters), a stat IDS requires much more overhead and processing than signature-based versions. Due to the nature of a stat IDS (based on statistics and comparing data with baseline parameters), this type of IDS may not detect minor changes to system variables and may generate many false positives. Choice D is incorrect; since the stat IDS can monitor multiple system variables, it can detect new types of variables by tracing for abnormal activity of any kind.
The advantage of Virtual Private Network (VPN) tunneling for remote users is that it: A. helps ensure that communications are secure. B. increases security between multi-tier systems. C. allows passwords to be changed less frequently. D. eliminates the need for secondary authentication.
helps ensure that communications are secure. Virtual Private Network (VPN) tunneling for remote users provides an encrypted link that helps ensure secure communications. It does not affect password change frequency, nor does it eliminate the need for secondary authentication or affect security within the internal network.
When a proposed system change violates an existing security standard, the conflict would be BEST resolved by: A. calculating the residual risk. B. enforcing the security standard. C. redesigning the system change. D. implementing mitigating controls.
implementing mitigating controls
An intranet server should generally be placed on the: A. internal network. B. firewall server. C. external router. D. primary domain controller.
internal network An intranet server should be placed on the internal network. Placing it on an external router leaves it defenseless. Since firewalls should be installed on hardened servers with minimal services enabled, it is inappropriate to store the intranet server on the same physical device as the firewall. Similarly, primary domain controllers do not normally share the physical device with the intranet server.
Primary direction on the impact of compliance with new regulatory requirements that may lead to major application system changes should be obtained from the: A. corporate internal auditor. B. system developers/analysts. C. key business process owners. D. corporate legal counsel.
key business process owners Business process owners are in the best position to understand how new regulatory requirements may affect their systems. Legal counsel and infrastructure management, as well as internal auditors, would not be in as good a position to fully understand all ramifications.
An information security program should be sponsored by: A. infrastructure management. B. the corporate audit department. C. key business process owners. D. information security management.
key business process owners The information security program should ideally be sponsored by business managers, as represented by key business process owners. Infrastructure management is not sufficiently independent and lacks the necessary knowledge regarding specific business requirements. A corporate audit department is not in as good a position to fully understand how an information security program needs to meet the needs of the business. Audit independence and objectivity will be lost, impeding traditional audit functions. Information security implements and executes the program. Although it should promote it at all levels, it cannot sponsor the effort due to insufficient operational knowledge and lack of proper authority.
For a business operating in a competitive and evolving online market, it is MOST important for a security policy to focus on: A. defining policies for new technologies. B. enabling adoption of new technologies. C. requiring accreditation for new technologies. D. managing risks of new technologies.
managing risks of new technologies
In an organization with effective IT risk management, the PRIMARY reason to establish key risk indicators (KRIs) is to: A. provide information to remediate risk events. B. demonstrate the alignment of risk management efforts. C. map potential risk to key organizational strategic initiatives. D. identify triggers that exceed risk thresholds.
map potential risk to key organizational strategic initiatives
The BEST metric for evaluating the effectiveness of a firewall is the: A. number of attacks blocked. B. number of packets dropped. C. average throughput rate. D. number of firewall rules.
number of attacks blocked The number of attacks blocked indicates whether a firewall is performing as intended. The number of packets dropped does not necessarily indicate the level of effectiveness. The number of firewall rules and the average throughput rate are not effective measurements.
An information security manager uses security metrics to measure the: A. performance of the information security program. B. performance of the security baseline. C. effectiveness of the security risk analysis. D. effectiveness of the incident response team.
performance of the information security program The security metrics should be designed so that there is a relationship to the performance of the overall security program in terms of effectiveness measurement. Use of security metrics occurs after the risk assessment process and does not measure it. Measurement of the incident response team performance is included in the overall program performance, so this is an incomplete answer.
The MAIN advantage of implementing automated password synchronization is that it: A. reduces overall administrative workload. B. increases security between multi-tier systems. C. allows passwords to be changed less frequently. D. reduces the need for two-factor authentication.
reduces overall administrative workload Automated password synchronization reduces the overall administrative workload of resetting passwords. It does not increase security between multi-tier systems, allow passwords to be changed less frequently or reduce the need for two-factor authentication.
The FIRST step in establishing an information security program is to: A. define policies and standards that mitigate the organization's risks. B. secure organizational commitment and support. C. assess the organization's compliance with regulatory requirements. D. determine the level of risk that is acceptable to senior management.
secure organizational commitment and support
When contracting with an outsourcer to provide security administration, the MOST important contractual element is the: A. right-to-terminate clause. B. limitations of liability. C. service level agreement (SLA). D. financial penalties clause.
service level agreement (SLA) Service level agreements (SLAs) provide metrics to which outsourcing firms can be held accountable. This is more important than a limitation on the outsourcing firm's liability, a right-to-terminate clause or a hold-harmless agreement which involves liabilities to third parties.
It is important to develop an information security baseline because it helps to define: A. critical information resources needing protection. B. a security policy for the entire organization. C. the minimum acceptable security to be implemented. D. required physical and logical access controls.
the minimum acceptable security to be implemented. Developing an information security baseline helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels. Before determining the security baseline, an information security manager must establish the security policy, identify criticality levels of the organization's information resources and assess the risk environment in which those resources operate.
When developing a protection strategy for outsourcing applications, the information security manager MUST ensure that: A. escrow agreements are in place. B. the security requirements are included in the service level agreement (SLA). C. the responsibility for security is transferred in the service level agreement (SLA). D. nondisclosure clauses are in the contract.
the security requirements are included in the service level agreement (SLA)
Access control to a sensitive intranet application by mobile users can BEST be implemented through: A. data encryption. B. digital signatures. C. strong passwords. D. two-factor authentication.
two-factor authentication Two-factor authentication through the use of strong passwords combined with security tokens provides the highest level of security. Data encryption, digital signatures and strong passwords do not provide the same level of protection.
Planning for the implementation of an information security program is MOST effective when it: A. uses decision trees to prioritize security projects B. applies gap analysis to current and future business plans C. uses risk-based analysis for security projects D. applies technology-driven solutions to identified needs
uses risk-based analysis for security projects