Architecture Implementation


C is the correct answer. Justification The right to audit is an important consideration when evaluating an enterprise but is not as closely related to the concept of due diligence. Service level agreements are an important consideration when evaluating an enterprise but are not as closely related to the concept of due diligence. The standard of care is most closely related to due diligence. It is based on the legal notion of the steps that would be taken by a person of similar competency in similar circumstances. Periodic security reviews are not as closely related to due diligence.

The requirement for due diligence is MOST closely associated with which of the following?
A. The right to audit
B. Service level agreements
C. Appropriate standard of care
D. Periodic security reviews

A is the correct answer. Justification As owners of the system, user management sign-off is the most important. If a system does not meet the needs of the business, then it has not met its primary objective. The needs of the network are secondary to the needs of the business. The needs of operations are secondary to the needs of the business. The needs of database management are secondary to the needs of the business.

A web-based business application is being migrated from test to production. Which of the following is the MOST important management sign-off for this migration?
A. User
B. Network
C. Operations
D. Database

D is the correct answer. Justification Application hardening has no effect on phishing attacks. Spam filters may catch some unsophisticated phishing attacks. An intrusion detection system will not detect phishing attacks. Phishing attacks are social engineering attacks and are best defended by end-user awareness training.

The BEST defense against successful phishing attacks is:
A. application hardening.
B. spam filters.
C. an intrusion detection system.
D. end-user awareness.

A is the correct answer. Justification Enabling access through a separate device that requires adequate authentication allows authentication tokens to be provisioned and terminated for individuals and also introduces the possibility of logging activity by individual. Implementing manual procedures that require a password change after each use is not effective because users can circumvent the manual procedures. Vendor enhancements may take time and development, and this is a critical device. Analyzing the logs to detect unauthorized access could, in some cases, be an effective complementary control, but because it is detective, it would not be the most effective in this instance.

A critical device is delivered with a single user and password that is required to be shared for multiple users to access the device. An information security manager has been tasked with ensuring all access to the device is authorized. Which of the following would be the MOST efficient means to accomplish this?
A. Enable access through a separate device that requires adequate authentication
B. Implement manual procedures that require password change after each use
C. Request the vendor to add multiple user IDs
D. Analyze the logs to detect unauthorized access

B is the correct answer. Justification Optimize the IT resource budget by reducing physical maintenance to remote PCs is incorrect. Physical maintenance is reduced in a VDI environment, but cost reduction is not the benefit of VDI from a security perspective. The major benefit of introducing a virtual desktop infrastructure (VDI) is to establish remote desktop hosting while keeping personal areas in a client personal computer (PC) separate. This serves as a control against unauthorized copies of business data on a user PC. Remote data wiping is not possible in a VDI. Termination of antivirus updates may represent a cost savings to the organization, but the presence or absence of antivirus software on a remote PC is irrelevant in a VDI context.

A virtual desktop infrastructure enables remote access. The benefit of this approach from a security perspective is to:
A. optimize the IT resource budget by reducing physical maintenance to remote personal computers (PCs).
B. establish segregation of personal and organizational data while using a remote PC.
C. enable the execution of data wipe operations into a remote PC environment.
D. terminate the update of the approved antivirus software list for remote PCs.

C is the correct answer. Justification A comparative analysis should have been accomplished prior to the decision to purchase. Development of a business case should have been accomplished prior to the decision to purchase. The information security manager should always use existing organization practices and processes whenever possible to minimize potential issues with other departments. Ensuring adequate capacity should have been accomplished prior to the decision to purchase.

After deciding to acquire a security information and event management system, it is MOST important for the information security manager to:
A. perform a comparative analysis of available systems.
B. develop a comprehensive business case for the system.
C. utilize the organization's existing acquisition process.
D. ensure that there is adequate network capacity for the system.

D is the correct answer. Justification Rule-based access control needs to define the individual access rules, which is troublesome and error prone in large organizations. In mandatory access control, the individual's access to information resources is based on a clearance level that needs to be defined, which is troublesome in large organizations. In discretionary access control, users have access to resources based on delegation of rights by someone with the proper authority, which requires a significant amount of administration and overhead. Role-based access control is effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.

An organization has implemented an enterprise resource planning system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate?
A. Rule-based
B. Mandatory
C. Discretionary
D. Role-based

D is the correct answer. Justification The approver's structure in a purchase order system may not necessarily be in sync with the organizational structure. Depending on business requirements, a modified hierarchy is acceptable purely in terms of approving certain transactions. It is rare that the structure of an approver's routing path will end up with deadlocks. If a highly complicated approval structure is developed, something similar to deadlock may occur (e.g., it takes a very long time until a request is approved). Even so, it is unlikely that routing effectiveness becomes a primary driver for quality improvement. Setting triggers to go off in the event of exceptions is a technical feature to be implemented inside the database. It is not relevant advice to be given to business management. In order to make the segregation of duties matrix complete, it is best to ensure that no conflicts exist in approvers' authorities. If there are any, they will introduce a flaw in the control, resulting in the successful execution of unauthorized transactions.

Business management is finalizing the contents of a segregation of duties matrix to be loaded in a purchase order system. Which of the following should the information security manager recommend in order to BEST improve the effectiveness of the matrix?
A. Ensure approvers are aligned with the organizational chart
B. Trace approvers' paths to eliminate routing deadlocks
C. Set triggers to go off in the event of exceptions
D. Identify conflicts in the approvers' authority limits

D is the correct answer. Justification Data encryption does not provide access control. Digital signatures provide assurance of the identity of the sender, not access control. Strong passwords provide an intermediate strength of access controls but not as strong as two-factor authentication. Two-factor authentication, through the use of strong passwords combined with security tokens, provides the highest level of security.

How can access control to a sensitive intranet application by mobile users BEST be implemented?
A. Through data encryption
B. Through digital signatures
C. Through strong passwords
D. Through two-factor authentication

B is the correct answer. Justification Implementing on-screen masking of passwords is desirable but will not be effective in reducing the likelihood of a successful social engineering attack. Social engineering can best be mitigated through periodic security awareness training for users who may be the target of such an attempt. Increasing the frequency of password changes is desirable but will not be effective in reducing the likelihood of a successful social engineering attack. Requiring that passwords be kept secret in security policies is a good control but is not as effective as periodic security awareness programs that will alert users of the dangers posed by social engineering.

In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources?
A. Implementing on-screen masking of passwords
B. Conducting periodic security awareness programs
C. Increasing the frequency of password changes
D. Requiring that passwords be kept strictly confidential

A is the correct answer. Justification Continuous monitoring control initiatives are expensive, so they should be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence. Regulations and legislation that require tight IT security measures focus on requiring organizations to establish an IT security governance structure that manages IT security with a risk-based approach, so each organization decides which kinds of controls are implemented. Continuous monitoring is not necessarily a requirement. Measures such as contingency planning or insurance are commonly used when incidents rarely happen but have a high impact each time they happen. Continuous monitoring is unlikely to be necessary. Continuous control monitoring initiatives are not needed in all e-commerce environments. There are some e-commerce environments where the impact of incidents is not high enough to support the implementation of this kind of initiative.

In which of the following situations is continuous monitoring the BEST option?
A. Where incidents may have a high impact and frequency
B. Where legislation requires strong information security controls
C. Where incidents may have a high impact but low frequency
D. Where e-commerce is a primary business driver

A is the correct answer. Justification Assessing the problems and instituting rollback procedures as needed would be the best course of action. Disconnecting the systems from the network would not identify where the problem was and may make the problem worse. Uninstalling the patches would not identify where the problem was and would recreate the risk the patches were meant to address. Contacting the vendor regarding the problems that occurred is part of the assessment.

Several business units reported problems with their systems after multiple security patches were deployed. What is the FIRST step to handle this problem?
A. Assess the problems and institute rollback procedures, if needed.
B. Disconnect the systems from the network until the problems are corrected.
C. Uninstall the patches from these systems.
D. Contact the vendor regarding the problems that occurred.

C is the correct answer. Justification A corrective control is designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected. Deterrent controls are intended to discourage individuals from intentionally violating information security policy or procedures. Change management is intended to reduce the introduction of vulnerability by unauthorized changes. An effective change management process can prevent (and detect) unauthorized changes. It requires formal approval, documentation and testing of all changes by a supervisory process. Compensating controls are meant to mitigate impact when existing controls fail. Change management is the primary control for preventing or detecting unauthorized changes. It is not compensating for another control that has that function.

The implementation of an effective change management process is an example of a:
A. corrective control.
B. deterrent control.
C. preventative control.
D. compensating control.

A is the correct answer. Justification A company is held to the local laws and regulations of the country in which the company resides, even if the company decides to place servers with a vendor that hosts the servers in a foreign country. A potential violation of local laws applicable to the company might not be recognized or rectified (i.e., prosecuted) due to the lack of knowledge of the local laws that are applicable and the inability to enforce the laws. Time difference does not play a role in a 24/7 environment. Pagers, cellular phones, telephones, etc., are usually available to communicate notifications. Installation of additional network intrusion detection sensors is a manageable problem that requires additional funding, but it can be addressed. Most hosting providers have standardized the level of physical security that is in place. Regular physical audits can address such concerns.

The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?
A. Laws and regulations of the country of origin may not be enforceable in the foreign country.
B. A security breach notification might get delayed due to the time difference.
C. Additional network intrusion detection sensors should be installed, resulting in an additional cost.
D. The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.

B is the correct answer. Justification Setting an expiration date is a positive element but will not prevent contract personnel from obtaining access to sensitive information. Contract personnel should not be given job duties that provide them with power user or other administrative roles that they could then use to grant themselves access to sensitive files. Requiring background checks is a positive element but will not prevent contract personnel from obtaining access to sensitive information. Having the data owner approve access is a marginally effective approach to limiting access to sensitive information.

What activity BEST helps ensure that contract personnel do not obtain unauthorized access to sensitive information?
A. Set accounts to pre-expire
B. Avoid granting system administration roles
C. Ensure they successfully pass background checks
D. Ensure their access is approved by the data owner

A is the correct answer. Justification The existence of messages is hidden in another file, such as a JPEG image, when using steganography. Some implementations count on security through obscurity and others require keys, which may or may not be smaller in size. Sniffing of steganographic traffic is possible. The reliability of the data is not relevant.

What is an advantage of sending messages using steganographic techniques as opposed to using encryption?
A. The existence of messages is unknown.
B. Required key sizes are smaller.
C. Traffic cannot be sniffed.
D. Reliability of the data is higher in transit.

B is the correct answer. Justification The issue should not be escalated before understanding the risk of noncompliance. A risk assessment is warranted to determine whether a risk acceptance should be granted and to demonstrate to the department the danger of deviating from the established policy. Isolating the system would not support the needs of the business. Any waiver should be granted only after performing a risk assessment.

What is the BEST action to undertake when a departmental system continues to be out of compliance with an information security policy's password strength requirement?
A. Submit the issue to the steering committee.
B. Conduct a risk assessment to quantify the risk.
C. Isolate the system from the rest of the network.
D. Request a risk acceptance waiver from senior management.

B is the correct answer. Justification Access to individual functions will not ensure appropriate SoD. Role-based access control is the best way to implement appropriate segregation of duties (SoD). Roles will have to be defined once, and then the user could be changed from one role to another without redefining the content of the role each time. Giving a user access to all functions and implementing, in parallel, a manual procedure ensuring SoD is not an effective method, and it would be difficult to enforce and monitor. Creating service accounts that can be used by authorized team members would not provide any help unless their roles are properly segregated.

What is the BEST approach to implement adequate segregation of duties in business critical applications, where shared access to elevated privileges by a small group is necessary?
A. Ensure access to individual functions can be granted to individual users only.
B. Implement role-based access control in the application.
C. Enforce manual procedures ensuring separation of conflicting duties.
D. Create service accounts that can only be used by authorized team members.

C is the correct answer. Justification Tracing from the documentation to the patch log will not indicate if some patches were applied without being documented. Comparing patches applied to those recommended by the OS vendor's web site does not confirm that these security patches were properly approved and documented. To ensure that all patches applied went through the change control process, it is necessary to use the operating system (OS) patch logs as a starting point and then check to see if change control documents are on file for each of these changes. Reviewing change control documents for key servers does not confirm that security patches were properly approved and documented.

What is the BEST method to verify that all security patches applied to servers were properly documented?
A. Trace change control requests to operating system (OS) patch logs.
B. Trace OS patch logs to OS vendor's update documentation.
C. Trace OS patch logs to change control requests.
D. Review change control documentation for key servers.

C is the correct answer. Justification Conducting a test after an attempted penetration is not as productive because an organization should not wait until it is attacked to test its defenses. Any exposure identified by an audit should be corrected before it would be appropriate to test. Changes in the systems infrastructure are most likely to inadvertently introduce new exposures. A turnover in administrative staff does not warrant a penetration test, although it may warrant a review of password change practices and configuration management.

What is the BEST time to perform a penetration test?
A. After an attempted penetration has occurred
B. After an audit has reported weaknesses in security controls
C. After various infrastructure changes are made
D. After a high turnover in systems staff

D is the correct answer. Justification Standards provide some deterrence but are not as effective as automated controls. Requiring user acknowledgement will help but not to the extent of automatic system enforcement. Penalties for noncompliance may be fairly effective but will not provide the level of assurance provided by automated system enforcement. Automated, system-enforced password construction provides the highest level of assurance of compliance.

What is the BEST way to ensure users comply with organizational security requirements for password complexity?
A. Include password construction requirements in the security standards
B. Require each user to acknowledge the password requirements
C. Implement strict penalties for user noncompliance
D. Enable system-enforced password configuration

A is the correct answer. Justification If there are many firewall rules, there is a chance that a particular rule may allow an external connection even though other associated rules are meant to block it. As the number of rules grows, testing them becomes complex and, over time, a loophole may appear. Excessive firewall rules may impact network performance, but this is a secondary concern. It is unlikely that the number of rules will exceed the firewall's capacity, so this is not a significant risk. There is a slight risk that the firewall will behave erratically, but that is not the greatest risk.

What is the GREATEST risk when there is an excessive number of firewall rules?
A. One rule may override another rule in the chain and create a loophole
B. Performance degradation of the whole network
C. The firewall may not support the increasing number of rules due to limitations
D. The firewall may show abnormal behavior and may crash or automatically shut down

C is the correct answer. Justification Formal documentation is still required as soon as possible after the emergency changes have been implemented. Obtaining business approval prior to the change is ideal but not always possible. Even in the case of an emergency change, all change management procedure steps should be completed as in the case of normal changes. The difference lies in the timing of certain events. With an emergency change, it is permissible to obtain certain approvals and other documentation after the emergency has been satisfactorily resolved. Emergency changes require the same process as regular changes, but the process may be delayed until the emergency has been resolved.

What is the MOST appropriate change management procedure for the handling of emergency program changes?
A. Formal documentation does not need to be completed before the change
B. Business management approval must be obtained prior to the change
C. Documentation is completed with approval soon after the change
D. All changes must follow the same process

A is the correct answer. Justification Having the patch tested prior to implementation on critical systems is an absolute prerequisite where availability is a primary concern, because deploying patches that could cause a system to fail could be worse than the vulnerability corrected by the patch. A high level of technical skills is not required because patches are usually applied via automated tools. Validation of the patch is essential but is unrelated to the testing, which is the primary area of concern. It makes no sense to deploy patches on every system. Vulnerable systems should be the only candidates for patching.

What is the MOST critical success factor of the patch management procedure in an organization where availability is a primary concern?
A. Testing time window prior to deployment
B. Technical skills of the team responsible
C. Certification of validity for deployment
D. Automated deployment to all the servers

A is the correct answer. Justification Mandatory access controls restrict access to files based on the security classification of the file. This prevents users from sharing files with unauthorized users. Discretionary access controls are not as effective as mandatory access controls in preventing file sharing. A walled garden is an environment that controls a user's access to web content and services. In effect, the walled garden directs the user's navigation within particular areas and does not necessarily prevent sharing of other material. Role-based access controls grant access according to the role assigned to a user; they do not prevent file sharing with unauthorized users.

What is the MOST effective access control method to prevent users from sharing files with unauthorized users?
A. Mandatory
B. Discretionary
C. Walled garden
D. Role-based

C is the correct answer. Justification Developing a methodology is a step separate from defining requirements. The question relates to the requirements gathering phase of the project, not the design phase. Therefore, it would be too early to start building the requirements into the design. The key to successful requirements gathering is to focus initially on the business problem before trying to develop a solution. Otherwise, the solution may address the wrong problem. An agile development methodology first requires the determination of business requirements.

What is the initial step that an information security manager would take during the requirements gathering phase of an IT project to avoid project failure?
A. Develop a comprehensive methodology that defines and documents project needs.
B. Build security requirements into the design of the system with consideration of enterprise security needs.
C. Ensure that the business problem is clearly understood before working on the solution.
D. Create a project plan based on the principles of agile development methodology.

D is the correct answer. Justification It is not important who oversees the change management process provided notification occurs and a consistent process is in place. Change management oversight may or may not be the responsibility of the steering committee. Change management is just as essential as release and configuration management to properly manage risk. Release and configuration management may be included as part of the change management process. In some organizations, information security is represented on the change control board. At a minimum, the change management function must have a process that ensures notification to information security of proposed changes in order to manage the risk that the change may affect.

What must change management achieve from a risk management perspective?
A. It must be operated by information security to ensure that security is maintained.
B. It must be overseen by the steering committee because of its importance.
C. It must be secondary to release and configuration management.
D. It must include mandatory notification of the information security department.

D is the correct answer. Justification Making emergency changes to data is an infrastructure task performed by custodians of the data. Administering database security is an infrastructure task performed by custodians of the data. Migrating code to production is an infrastructure task performed by custodians of the data. Data owners approve access to data and determine the degree of protection that should be applied (data classification).

What responsibility do data owners normally have?
A. Applying emergency changes to application data
B. Administering security over database records
C. Migrating application code changes to production
D. Determining the level of application security required

D is the correct answer. Justification A wireless intrusion prevention system is a detective system and would not prevent wireless sniffing. Not broadcasting the service set identifier does not reduce the risk of wireless packets being captured. Wired equivalent privacy authentication is known to be weak and does not protect individual confidentiality. Enforcing a virtual private network over wireless is the best option to enforce strong authentication and encryption of the sessions.

When securing wireless access points, which of the following controls would BEST assure confidentiality?
A. Implementing wireless intrusion prevention systems
B. Not broadcasting the service set identifier
C. Implementing wired equivalent privacy authentication
D. Enforcing a virtual private network over wireless

C is the correct answer. Justification Stress testing ensures that there are no scalability problems. Patch management involves the correction of software weaknesses and helps ensure that newly identified exploits are mitigated in a timely fashion. Change management controls the process of introducing changes to systems to ensure that unintended changes are not introduced; within change management, regression testing is specifically designed to prevent the introduction of new security exposures when making modifications. Security baselines provide minimum required security settings.

Which of the following BEST ensures that modifications made to in-house developed business applications do not introduce new security exposures?
A. Stress testing
B. Patch management
C. Change management
D. Security baselines

C is the correct answer. Justification Problem management is the general process intended to manage all problems, not those specifically related to security. Background screening is the process to evaluate employee references when they are hired. A change control process is the methodology that ensures that anything that could be impacted by a development change will be reevaluated. Business impact analysis is the methodology used to evaluate impacts and the cost of losing a particular function.

Which of the following BEST ensures that security risks will be reevaluated when modifications in application developments are made?
A. A problem management process
B. Background screening
C. A change control process
D. Business impact analysis

D is the correct answer. Justification Applying patches does not significantly increase the level of difficulty. Changing access rules has no effect on eradication of malicious code. Upgrading hardware does not significantly increase the level of difficulty. If malicious code is not immediately detected, it will most likely be backed up as a part of the normal tape backup process. When later discovered, the code may be eradicated from the device but still remain undetected on a backup tape. Any subsequent restores using that tape may reintroduce the malicious code.

Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected?
A. Applying patches
B. Changing access rules
C. Upgrading hardware
D. Backing up files

C is the correct answer. Justification Emergency changes require documentation, although it may occur after implementation. Emergency changes require formal authorization, although it may occur after implementation. When a change is being made on an emergency basis, it generally is implemented outside of the normal schedule. However, it should not bypass other aspects of the change management process. Emergency changes require testing.

Which of the following change management process steps can be bypassed to implement an emergency change?
A. Documentation
B. Authorization
C. Scheduling
D. Testing

B is the correct answer. Justification The CA's private key is heavily secured both electronically and physically and is extremely difficult to access by anyone. The registration authority's (RA's) private key is in the possession of the RA, often stored on a smart card or laptop, and is typically protected by a password and, therefore, is potentially accessible. If the RA's private key is compromised, it can be used to register anyone for a certificate using any identity, compromising the entire public key infrastructure for that certificate authority (CA). The relying party's private key, if compromised, only puts that party at risk. The private key used for secure communication will only pose a risk to the parties communicating.

Which of the following choices is the WEAKEST link in the authorized user registration process?
A. The certificate authority's private key
B. The registration authority's private key
C. The relying party's private key
D. A secured communication private key

A is the correct answer. Justification Nonrepudiation is a control technique that addresses the integrity of information by ensuring that the originator of a message or transaction cannot repudiate (deny or reject) the message, so the message or transaction can be considered authorized, authentic and valid. Using time stamps is a control that addresses only one component of message integrity. Biometric scanning is a control that addresses access. Encryption is a control that addresses confidentiality, and may be an element of a data integrity scheme, but this is not sufficient to achieve the same level of integrity as the set of measures used to ensure nonrepudiation.

Which of the following control measures BEST addresses integrity? Nonrepudiation Timestamps Biometric scanning Encryption

A is the correct answer. Justification A review of access control lists is a detective control that will enable an information security manager to ensure that authorized persons are entering in compliance with corporate policy. Visitors accompanied by a guard will also provide assurance but may not be cost-effective. A visitor registry is the next cost-effective control but not as secure. A biometric coupled with a personal identification number will strengthen the access control; however, compliance assurance logs will still have to be reviewed to ensure only authorized access.

Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices? Regular review of access control lists Security guard escort of visitors Visitor registry log at the door A biometric coupled with a personal identification number

A is the correct answer. Justification Patch management involves the correction of software weaknesses and helps ensure that newly identified exploits are mitigated in a timely fashion. Change management controls the process of introducing changes to systems. Security baselines provide minimum required settings. Acquisition management controls the purchasing process.

Which of the following ensures that newly identified security weaknesses in an operating system are mitigated in a timely fashion? Patch management Change management Security baselines Acquisition management

A is the correct answer. Justification A locally managed file server will be the least likely to conform to organizational security policies because it is generally subject to less oversight and monitoring. Data warehouses are subject to close scrutiny, good change control practices and monitoring. Web server clusters are located in data centers or warehouses and subject to good management. Centrally managed switches are also part of a data center or warehouse.

Which of the following environments represents the GREATEST risk to organizational security? Locally managed file server Enterprise data warehouse Load-balanced, web server cluster Centrally managed data switch

A is the correct answer. Justification Patch management corrects discovered weaknesses by applying a correction (a patch) to the original program code. Change management controls the process of introducing changes to systems. Security baselines provide minimum recommended settings. Configuration management controls the updates to the production environment.

Which of the following is MOST effective in preventing security weaknesses in operating systems? Patch management Change management Security baselines Configuration management

D is the correct answer. Justification Least privilege is an access control that is concerned with confidentiality. Public key infrastructure is concerned with confidentiality and integrity. Role-based access limits access but does not directly address availability. Contingency planning ensures that the system and data are available in the event of a problem.

Which of the following security controls addresses availability? Least privilege Public key infrastructure Role-based access Contingency planning

B is the correct answer. Justification Patch management involves the correction of software weaknesses and would necessarily follow change management procedures. Change management controls the process of introducing changes to systems. This is often the point at which a weakness will be introduced. Security baselines provide minimum recommended settings and do not prevent introduction of control weaknesses. Virus detection is an effective tool but primarily focuses on malicious code from external sources. It is unrelated to the introduction of vulnerabilities.

Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems? Patch management Change management Security baselines Virus detection

D is the correct answer. Justification Mandatory access controls require users to have a clearance at or above the level of asset classification, but providing clearances for temporary employees is time-consuming and expensive. Discretionary access control allows delegation based on the individual but requires administrative action to grant and remove access. Lattice-based access control is a mandatory access model based on the interaction between any combination of "objects" (such as resources, computers and applications) and "subjects." Role-based access controls will grant temporary employee access based on the job function to be performed. This provides a better means of ensuring that the access is not more or less than what is required, and removing access requires less effort.

Which of the following is the BEST method for ensuring that temporary employees do not receive excessive access rights? Mandatory access controls Discretionary access controls Lattice-based access controls Role-based access controls

C is the correct answer. Justification The number of attacks detected does not indicate how many attacks were not detected, and therefore, it is no indication of effectiveness. The number of successful attacks does not indicate how many were detected. The ratio of false positives to false negatives will indicate the effectiveness of the intrusion detection system. Without knowing whether attacks were detected or not, the ratio of successful attacks to unsuccessful attacks indicates nothing about the effectiveness of the IDS.

Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism? Number of attacks detected Number of successful attacks Ratio of false positives to false negatives Ratio of successful to unsuccessful attacks

D is the correct answer. Justification Security requirements must be defined before doing design specification, although changes in design may alter these requirements later on. Security requirements defined during system implementation are typically costly add-ons that are frequently ineffective. Application security testing occurs after security has been implemented. Information security should be considered at the earliest possible stage because it may affect feasibility of the project.

Which of the following is the FIRST phase in which security should be addressed in the development cycle of a project? Design Implementation Application security testing Feasibility

B is the correct answer. Justification The system analyst would not be as closely involved in testing code changes. System users, specifically the user acceptance testers, would be in the best position to note whether new exposures are introduced during the change management process. The operations manager would not be involved in testing code changes. The data security officer would not be involved in testing code changes.

Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process? System analyst System user Operations manager Data security officer

C is the correct answer. Justification The system analyst does not possess the necessary knowledge or authority to implement and maintain the appropriate level of business security. Quality control managers do not implement security. Process owners implement information protection controls as determined by the business' needs. Process owners have the most knowledge about security requirements for the business application for which they are responsible. The information security manager will implement the information security framework and develop standards and controls, but the level of security required by a specific business application is determined by the process owner.

Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application? System analyst Quality control manager Process owner Information security manager

C is the correct answer. Justification Delivery path tracing shows the route taken but does not confirm the identity of the sender. Reverse lookup translation involves converting an Internet Protocol address to a username. It is risky to send the password to a file by the same method as the file was sent. An out-of-band channel such as the telephone reduces the risk of interception. Digital signatures prove the identity of the sender of a message and ensure integrity.

Which of the following is the MOST appropriate method to protect a password that opens a confidential file? Delivery path tracing Reverse lookup translation Out-of-band channels Digital signatures

C is the correct answer. Justification Baseline security standards will provide for general access controls but not for specific authorizations. Violation logs are detective and do not prevent unauthorized access. Role-based access controls help ensure that users only have access to files and systems appropriate for their job role. Exit routines are dependent upon appropriate role-based access.

Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information? Baseline security standards System access violation logs Role-based access controls Exit routines

C is the correct answer. Justification Although the lack of logging for user ad hoc reporting is not necessarily good, it does not represent as serious a security weakness as the failure to install security patches. Routing network traffic through a single switch is not unusual. The fact that operating system security patches have not been applied is a serious weakness. Database security defaulting to the enterprise resource planning system's settings is not as significant.

Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system? User ad hoc reporting is not logged Network traffic is through a single switch Operating system security patches have not been applied Database security defaults to ERP settings

B is the correct answer. Justification A project database may contain information for one specific project and updates to various parameters pertaining to the current status of that single project. A project portfolio database is the basis for project portfolio management. It includes project data such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports. Policy documents on project management set direction for the design, development, implementation and monitoring of the project. A program management office is the team that oversees the delivery of the project portfolio. Review of the office may provide meaningful insights into the skill set and organizational structure, but not on how effectively the current set of information security projects is managed.

Which of the following tools should a newly hired information security manager review to gain an understanding of how effectively the current set of information security projects is managed? A project database A project portfolio database Policy documents A program management office

A is the correct answer. Justification Restricting the ability of a personal computer to allocate new drive letters ensures that universal serial bus (USB) drives or even compact disc writers cannot be attached because they would not be recognized by the operating system. Disabling USB ports on all machines is not practical because mice and other peripherals depend on these connections. Awareness training does not prevent copying of information. Access controls do not prevent copying.

Which of the following will BEST prevent an employee from using a USB drive to copy files from desktop computers? Restrict the available drive allocation on all personal computers Disable USB ports on all desktop devices Conduct frequent awareness training with noncompliance penalties Establish strict access controls to sensitive information

D is the correct answer. Justification Preemployment screening is important but not as effective in preventing this type of situation. Monitoring is important but not as effective in preventing this type of situation. Security awareness training is important but not as effective in preventing this type of situation. When an employee leaves an organization, the former employee may attempt to use their credentials to perform unauthorized or malicious activity. Accordingly, it is important to ensure timely revocation of all access at the time an individual is terminated.

Which of the following will BEST protect against malicious activity by a former employee? Preemployment screening Close monitoring of users Periodic awareness training Effective termination procedures

B is the correct answer. Justification Performing reviews of password resets may be desirable, but will not be effective in reducing the likelihood of a social engineering attack. Social engineering can be mitigated best through periodic security awareness training for staff members who may be the target of such an attempt. Changing the frequency of password changes may be desirable, but will not reduce the likelihood of a social engineering attack. Strengthening passwords is desirable, but will not reduce the likelihood of a social engineering attack.

Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual needing to have his/her password reset? Performing reviews of password resets Conducting security awareness programs Increasing the frequency of password changes Implementing automatic password syntax checking

C is the correct answer. Justification The design phase helps determine how the requirements will be implemented; however, if an information security manager first becomes involved in the design phase, the manager will likely find that influencing the outcome of the development effort will be more difficult. The user acceptance testing and sign-off phase is too late in the life cycle to effectively influence the outcome. An information security manager should be involved in the earliest phase of the application development life cycle to effectively influence the outcome of the development effort. Of the choices listed, the requirements gathering and analysis phase represents the earliest opportunity for an information security manager to have such influence. During this phase, both functional and nonfunctional requirements, including security, should be considered. The implementation phase is too late in the life cycle to effectively influence the outcome.

Which one of the following phases of the application development life cycle for in-house development represents the BEST opportunity for an information security manager to influence the outcome of the development effort? System design for a new application User acceptance testing and sign-off Requirements gathering and analysis Implementation

B is the correct answer. Justification An information security manager will coordinate and execute the implementation of the role-based access control. Data owners are in the best position to validate access rights to users due to their deep understanding of business requirements and of functional implementation within the application. This responsibility should be enforced by the policy. A data custodian will ensure that proper safeguards are in place to protect the data from unauthorized access; it is not the data custodian's responsibility to assign access rights. Business management is not, in all cases, the owner of the data.

Who should approve user access in business-critical applications? The information security manager The data owner The data custodian Business management

A is the correct answer. Justification Quality assurance uses metrics as indicators to identify systemic problems in processes that may result in unacceptable levels of output quality. Because this monitoring is intended to be effectively continuous as a matter of statistical sampling, integrating information security with quality assurance helps to ensure that risk is addressed as a standard part of production processing. Procurement approves initial acquisitions, but it has no involvement in implementation or production monitoring. Compliance focuses on legal and regulatory requirements, which represent a subset of overall risk. The involvement of the project management office is typically limited to planning and implementation.

With which of the following business functions is integration of information security MOST likely to result in risk being addressed as a standard part of production processing? Quality assurance Procurement Compliance Project management

