Vendor Management


A is the correct answer. Justification Knowledge of how the outsourcer protects the storage and transmission of sensitive information will allow an information security manager to understand how sensitive data will be protected. The provider's level of compliance with industry standards may or may not be important. Security technologies are not the only components to protect the sensitive customer information. An independent security review may not include analysis on how sensitive customer information would be protected.

An outsourced service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know?
A. Security in storage and transmission of sensitive data
B. Provider's level of compliance with industry standards
C. Security technologies in place at the facility
D. Results of the latest independent security review

A is the correct answer. Justification The access control matrix is the best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses. Encryption strength might be defined in the SLA but is not a confidentiality compliance indicator. Authentication mechanism might be defined in the SLA but is not a confidentiality compliance indicator. Data repository requirements might be defined in the SLA but are not a confidentiality compliance indicator.

What is the BEST indicator of compliance when defining a service level agreement regarding the level of data confidentiality that is handled by a third-party service provider?
A. Access control matrix
B. Encryption strength
C. Authentication mechanism
D. Data repository

D is the correct answer. Justification The court of jurisdiction may be defined in the agreement, and in fact may be a benefit or a detriment to a satisfactory solution of operational issues, but seeking court remedies is generally costly and time-consuming and is not the best way to resolve operational issues with a vendor. A process description has a minimal impact on issue resolution. Audits may help identify and determine the nature of issues but by themselves will not help resolve the issues. When issues arise with cloud vendors, it is most important to identify responsibility ownership. This will promptly determine the next action to be taken for follow-up.

Which of the following aspects is MOST important to include in the service level agreement to promote resolution of operational issues with a cloud computing vendor?
A. The court of jurisdiction
B. A process description
C. Audit requirements
D. Defined responsibilities

C is the correct answer. Justification The ability of the parties to perform is normally the responsibility of legal and the business operation involved. Confidential information may be in the agreement by necessity, and while the information security manager can advise and provide approaches to protect the information, the responsibility rests with the business and legal department. Agreements with external parties can expose an organization to information security risk that must be assessed and appropriately mitigated with appropriate controls. Audit rights may be one of many possible controls to include in a third-party agreement but are not necessarily a contract requirement, depending on the nature of the agreement.

Which of the following is the MOST important reason for an information security review of contracts?
A. To help ensure the parties to the agreement can perform
B. To help ensure confidential data are not included in the agreement
C. To help ensure appropriate controls are included
D. To help ensure the right to audit is a requirement

B is the correct answer. Justification A contract language review is part of the risk assessment. A risk assessment identifies the risk involved in allowing access to an external party and the required controls. The exposure factor is part of the risk assessment. Vendor due diligence is part of the risk assessment.

Which of the following should be done FIRST when making a decision to allow access to the information processing facility of an enterprise to a new external party?
A. A contract language review
B. A risk assessment
C. The exposure factor
D. Vendor due diligence

B is the correct answer. Justification Many commercial providers require sharing facilities in cases where there are multiple simultaneous declarations. Equipment provided "at time of disaster, not on floor" means that the equipment is not available but will be acquired by the commercial hot site provider on a best effort basis. This does not meet the requirements of a hot site. Many commercial providers require sharing facilities in cases where there are multiple simultaneous declarations, and that priority may be established on a first-come, first-served basis. It is common for the provider to substitute equivalent or better equipment, as they are frequently upgrading and changing equipment.

Which of the following terms and conditions represent a significant deficiency if included in a commercial hot site contract?
A. A hot site facility will be shared in multiple disaster declarations
B. All equipment is provided "at time of disaster, not on floor"
C. The facility is subject to a "first-come, first-served" policy
D. Equipment may be substituted with equivalent models

C is the correct answer. Justification The certificate authority (CA) does not provide proof of message integrity. Nonrepudiation prevents a party from denying that the party originated a specific transaction, and is provided by a user's private key signing communication. The CA is a trusted third party that attests to the authenticity of a user's public key by digitally signing it with the CA's private key. A conventional CA does not store a user's private key.

Why is a certificate authority needed in a public key infrastructure?
A. It provides a proof of the integrity of data.
B. It prevents the denial of specific transactions.
C. It attests to the validity of a user's public key.
D. It stores a user's private key.

A is the correct answer. Justification Once the contract is signed, the security manager should ensure that continuous vendor monitoring is established and operational. This control will help identify and provide alerts on security events and minimize potential losses. The reporting relationships will have been defined prior to the contract being signed. The service level agreement will be part of the contract. Nondisclosure agreements will have been signed prior to entering in contract discussions.

A contract has just been signed with a new vendor to manage IT support services. Which of the following tasks should the information security manager ensure is performed NEXT?
A. Establish vendor monitoring.
B. Define reporting relationships.
C. Create a service level agreement.
D. Have the vendor sign a nondisclosure agreement.

C is the correct answer. Justification Agreements do not protect the integrity of the network. Removing all access will likely result in lost business and be a career-ending solution. It is incumbent on an information security manager to see to the protection of their organization's network but to do so in a manner that does not adversely affect the conduct of business. This can be accomplished by adding specific traffic restrictions for that particular location. Reminders do not protect the integrity of the network.

A major trading partner with access to the internal network is unwilling or unable to remediate serious information security exposures within its environment. Which of the following is the BEST recommendation?
A. Sign a legal agreement assigning them all liability for any breach
B. Remove all trading partner access until the situation improves
C. Set up firewall rules restricting network traffic from that location
D. Send periodic reminders advising them of their noncompliance

A is the correct answer. Justification User access rights limit the access and rights that users have to a network, file system or database once they have been authenticated. Biometric access control is a method of user access control that manages user access to an overall system, not generally to a specific set of files or records. Password authentication controls access but not rights once the system is accessed. Two-factor authentication controls access but not rights once the system is accessed.

An enterprise has a network of suppliers that it allows to remotely access an important database that contains critical supply chain data. What is the BEST control to ensure that the individual supplier representatives who have access to the system do not improperly access or modify information within this system?
A. User access rights
B. Biometric access controls
C. Password authentication
D. Two-factor authentication

A is the correct answer. Justification Because the service agreement has not been significantly revised in four years, it is entirely likely that the vendor is delivering exactly what was purchased and that the disappointment shown by senior management is the result of the agreement not reflecting current business requirements. Knowing whether the vendor is meeting the terms of the agreement is actionable only after the information security manager is certain that the terms of the agreement align with the business requirements of the company. If the vendor has committed to a level of security services that metrics indicate are consistently not being met, it may be worthwhile to conduct a formal assessment of the vendor's capabilities to determine whether a new vendor is needed. However, knowing how what was contracted aligns with business requirements needs to be the first step. Automation of the incident reporting process to ensure timely reporting and monitoring is only a reporting mechanism and does not resolve the issues faced.

An information security manager has received complaints from senior management about the level of security delivered by a third-party service provider. The service provider is a long-standing vendor providing services based on a service agreement that has been renewed regularly without much change over the last four years. Which of the following actions is the FIRST one the information security manager should take in this situation?
A. Ensure that security requirements in the service agreement meet current business requirements.
B. Review security metrics to determine whether the vendor is meeting the terms of the service agreement.
C. Conduct a formal assessment of the vendor's capability to deliver security services.
D. Automate the incident reporting process to ensure timely reporting and monitoring.

C is the correct answer. Justification A due diligence security review is contributory to the contractual agreement but not key. Ensuring that the business partner has an effective business continuity program is contributory to the contractual agreement but not key. The key requirement is that the information security manager ensures that the third party is contractually bound to follow the appropriate security requirements for the process being outsourced. This protects both organizations. Talking to other clients of the business partner is contributory to the contractual agreement but not key.

An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?
A. A due diligence security review of the business partner's security controls
B. Ensuring that the business partner has an effective business continuity program
C. Ensuring that the third party is contractually obligated to all relevant security requirements
D. Talking to other clients of the business partner to check references for performance

C is the correct answer. Justification The audit is normally a one-time effort and cannot provide ongoing assurance of the security. A nondisclosure agreement should be part of the contract and would be a part of the policy compliance requirements. It is critical to include the security requirements in the contract based on the company's security policy to ensure that the necessary security controls are implemented by the service provider. Penetration testing alone would not provide total security to the web site; there are many controls that cannot be tested through penetration testing.

An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that:
A. an audit of the service provider uncovers no significant weakness.
B. the contract includes a nondisclosure agreement (NDA) to protect the organization's intellectual property.
C. the contract should mandate that the service provider will comply with security policies.
D. the third-party service provider conducts regular penetration testing.

B is the correct answer. Justification A background check should be a standard requirement for the service provider. An internal risk assessment should be performed to identify the risk and determine needed controls. Audit objectives should be determined from the risk assessment results. Security assessment does not cover the operational risk.

An organization plans to outsource its customer relationship management to a third-party service provider. Which of the following should the organization do FIRST?
A. Request that the third-party provider perform background checks on their employees.
B. Perform an internal risk assessment to determine needed controls.
C. Audit the third-party provider to evaluate their security controls.
D. Perform a security assessment to detect security vulnerabilities.

A is the correct answer. Justification Right to audit would be the most useful requirement because this would provide the company the ability to perform a security audit/assessment whenever there is a business need to examine whether the controls are working effectively at the third party. A nondisclosure agreement is an important requirement and can be examined during the audit. Proper firewall implementation would not be a specific requirement in the contract but part of general control requirements. A dedicated security manager would be a costly solution and not always feasible for most situations.

An organization that outsourced its payroll processing needs to perform independent assessments of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract?
A. Right to audit
B. Nondisclosure agreement
C. Proper firewall implementation
D. Dedicated security manager for monitoring compliance

D is the correct answer. Justification While service level agreements are an important consideration, without the ability to audit the provider, it is very difficult to validate compliance with the contract. Background checks would not be the security manager's job. Specific system requirements are more of an operational issue. A right to audit is essential to ensure contract compliance.

From an information security manager's perspective, which of the following is the MOST important element of a third-party contract to outsource a sensitive business process?
A. Security service level agreements
B. Background checks for key personnel
C. Specific system requirements
D. A right to audit

B is the correct answer. Justification Agreements that address availability do not address other aspects of the organization's security policy. When considering a cloud implementation, an information security manager must verify that a chosen vendor will meet the organization's security requirements. An organization defines its security policies with its business risk in mind. Changing internal policy requirements to reflect what a vendor can deliver raises risk to the organization and is an inappropriate approach. Third-party audit reports are snapshots that tell what was true at a particular time and address only those items that were within the audit scope. Each organization has its own security policy considerations, and verification with the vendor should be accomplished with the organization's specific considerations and requirements in mind.

How should an information security manager proceed when selecting a public cloud vendor to provide outsourced infrastructure and software?
A. Insist on strict service level agreements to guarantee application availability.
B. Verify that the vendor's security architecture meets the organization's requirements.
C. Update the organization's security policies to reflect the vendor agreement.
D. Consult a third party to provide an audit report to assess the vendor's security program.

C is the correct answer. Justification Service level monitoring can only pinpoint operational issues in the organization's operational environment. Penetration testing can identify security vulnerabilities but cannot ensure information policy compliance. Regular audit exercises can spot any gap in information security compliance. Training can increase users' awareness of the information security policy but does not ensure compliance.

The MOST effective way to ensure that outsourced service providers comply with the organization's information security policy would be:
A. service level monitoring.
B. penetration testing.
C. periodically auditing.
D. security awareness training.

A is the correct answer. Justification When storing data with a third party, the ownership and responsibility for the adequate protection of the data remains with the outsourcing organization. The outsourcing organization should have measures in place to provide assurance of compliance with the terms of the contract, which should be written on the basis of the organizational risk appetite. Independent security audits are one assurance mechanism that an organization may use to verify compliance with contractual requirements, but whether these are appropriate is situational and based on the organizational risk appetite. Awareness training and background checks are assurance mechanisms, but may or may not be appropriate or important in all cases. Review of contracts and policies is important, but it does not assure compliance.

The protection of sensitive data stored at a third-party location requires:
A. assurances that the third party will comply with the requirements of the contract.
B. commitments to completion of periodic independent security audits.
C. security awareness training and background checks of all third-party employees.
D. periodic review of third-party contracts and policies to ensure compliance.

D is the correct answer. Justification The registration authority is responsible for authentication of users prior to the issuance of a certificate. A digital certificate is the electronic credentials of individual entities but does not provide the contractual relationship of users and the certificate authority. Non-repudiation is an inherent capability of a public key infrastructure by the virtue of the signing capability. The certification practice statement provides the contractual requirements between the relying parties and the certificate authority.

To establish the contractual relationship between entities using public key infrastructure, the certificate authority must provide which of the following?
A. A registration authority
B. A digital certificate
C. A non-repudiation capability
D. A certification practice statement

D is the correct answer. Justification Ensuring the data classification requirements are compatible with the provider's own classification is an acceptable option but does not provide a requirement for the handling of classified data. Ensuring the data classification requirements are communicated to the provider does not provide a requirement for appropriate handling of classified data. Ensuring the data classification requirements exceed those of the outsourcer is an acceptable option but not as comprehensive or as binding as a legal contract. The most effective mechanism to ensure that the organization's security standards are met by a third party would be a legal agreement stating the handling requirements for classified data and including the right to inspect and audit.

What action should be taken in regards to data classification requirements before engaging outsourced providers? Ensure the data classification requirements:
A. are compatible with the provider's own classification.
B. are communicated to the provider.
C. exceed those of the outsourcer.
D. are stated in the contract.

B is the correct answer. Justification Forcing all locations to be in compliance with all the regulations places an undue burden on those locations and may result in contradictory requirements. It is more efficient to establish a baseline standard and then develop additional standards for locations that must meet specific requirements. Using industry good practices may cause certain locations to fail regulatory compliance. Seeking a lowest common denominator may cause certain locations to fail regulatory compliance.

What is the BEST approach to manage regulatory and legal compliance in a global organization operating in multiple governmental jurisdictions with differing requirements?
A. Bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.
B. Establish baseline standards for all locations and add supplemental standards as required.
C. Bring all locations into conformity with a generally accepted set of industry best practices.
D. Establish a baseline standard incorporating those requirements that all jurisdictions have in common.

D is the correct answer. Justification References in policies will not be as effective because they will not trigger the detection of noncompliance. Assurance that the provider has read the policies does nothing to ensure compliance. Written documents by themselves provide little assurance without confirming oversight. Periodic reviews will be the most effective way of ensuring compliance from the external service provider.

What is the BEST way to ensure that an external service provider complies with organizational security policies?
A. Explicitly include the service provider in the security policies
B. Receive acknowledgement in writing stating the provider has read all policies
C. Cross-reference to policies in the service level agreement
D. Perform periodic reviews of the service provider

A is the correct answer. Justification Secure Sockets Layer is a cryptographic protocol that provides secure communications, providing end point authentication and communications privacy over the Internet. In typical use, all data transmitted between the customer and the business are, therefore, encrypted by the business's web server and remain confidential. Secure Shell (SSH) File Transfer Protocol is a network protocol that provides file transfer and manipulation functionality over any reliable data stream. It is typically used with the SSH-2 protocol to provide secure file transfer. IP Security (IPSec) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. There are two modes of IPSec operation: transport mode and tunnel mode. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for public key encryption and signing of email encapsulated in MIME; it is not a web transaction protocol.

What is the MOST common protocol to ensure confidentiality of transmissions in a business-to-customer financial web application?
A. Secure Sockets Layer
B. Secure Shell
C. IP Security
D. Secure/Multipurpose Internet Mail Extensions

B is the correct answer. Justification A demonstration of the test system will reduce the spontaneity of the test. The most important action is to clearly define the goals and objectives of the test. Technical staff should not be briefed as this will reduce the spontaneity of the test. Assuming that adequate backup procedures are in place, special backups should not be necessary.

What is the MOST important action prior to having a third party perform an attack and penetration test against an organization?
A. Ensure that the third party provides a demonstration on a test system.
B. Ensure that goals and objectives are clearly defined.
C. Ensure that technical staff has been briefed on what to expect.
D. Ensure that special backups of production servers are taken.

C is the correct answer. Justification The SLA provides metrics to which outsourcing firms can be held accountable and will always include the right-to-terminate clause. Limitations of liability will also be included in the SLA. The SLA includes the other options in addition to a number of other conditions, representations and warranties as well as right to inspect, provisions for audits, requirements on termination, etc. Financial penalties clauses are a standard part of SLAs.

What is the MOST important contractual element when contracting with an outsourcer to provide security administration?
A. The right-to-terminate clause
B. Limitations of liability
C. The service level agreement
D. The financial penalties clause

D is the correct answer. Justification Requiring compliance only with this security standard does not guarantee that a service provider complies with the organization's security requirements. The requirement to use a specific kind of control methodology is not usually stated in the contract with third-party service providers. The requirement for a hot site is not usually stated in the contract with third-party service providers. From a security standpoint, compliance with the organization's information security requirements is one of the most important topics that should be included in the contract with a third-party service provider.

When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?
A. Compliance with international security standards.
B. Use of a two-factor authentication system.
C. Existence of an alternate hot site in case of business disruption.
D. Compliance with the organization's information security requirements.

C is the correct answer. Justification Waiting until later in the process can lead to vendors having to re-bid and can disrupt negotiations. There may be situations where information security involvement is not required, but those situations would be established by conducting an initial risk assessment. Information security should be involved in the vendor or third-party management process from the beginning of the selection process, when the business is defining what it needs. This will ensure that all bids for the service take into consideration, and reflect in bid prices, the security requirements. Waiting until after the contract is signed when an incident occurs can expose the enterprise to significant security risk, with little recourse to correct, because the contract has already been executed.

When considering outsourcing services, at what point should information security become involved in the vendor management process?
A. During contract negotiation
B. Upon request for assistance from the business unit
C. When requirements are being established
D. When a security incident occurs

D is the correct answer. Justification Quality assurance is an area of concern when dealing with third-party service providers, but it is not a primary focus of the information security manager. Penalties written into service level agreements are a form of risk transfer (sharing) that may be appropriate for an organization's business objectives, but the sufficiency of such arrangements is not a primary focus of the information security manager. Reducing or controlling cost is typically one of the main reasons that organizations choose to enter into third-party service agreements, but whether or not such agreements deliver their expected cost savings is not a primary focus of the information security manager. When an organization enters into an outsourcing agreement with a third-party service provider, the information security manager becomes responsible for ensuring that the provider adheres to the same security requirements as apply to the organization itself and that any variances are documented and presented to senior management for an appropriate risk response. The challenge of being able to assess a provider's security behaviors on an ongoing and verifiable basis is one of the main concerns of the information security manager in any outsourcing arrangement.

When considering outsourcing technical or business processes, one of the MAIN concerns of the information security manager is whether the third-party service provider will:
A. deliver a level of quality acceptable to the organization's established customer base.
B. agree to service level agreements with penalties sufficient to offset potential losses.
C. provide technical services at a lower cost than would be possible on an in-house basis.
D. meet the organization's security requirements on an ongoing and verifiable basis.

D is the correct answer. Justification Many jurisdictions have regulations regarding data privacy. The concern of the information security manager is compliance with those regulations, not the lack of regulations. The training of how to use Software as a Service (SaaS) is no different than the need for training required for more traditional solutions. In most cases, the use of SaaS is fairly simple and requires minimal technology, but is not within the scope of the information security manager's responsibility in any case. Loss of application availability as a result of network failure is an inherent risk associated with SaaS and must be taken into account by the organization as part of the decision to move to cloud computing, but this is a business decision rather than a principal concern of the information security manager. Disclosure of sensitive data is a primary concern of the information security manager.

When implementing a cloud computing solution that will provide Software as a Service (SaaS) to the organization, what is the GREATEST concern for the information security manager?
A. The lack of clear regulations regarding the storage of data with a third party
B. The training of the users to access the new technology properly
C. The risk of network failure and the resulting loss of application availability
D. The possibility of disclosure of sensitive data in transit or storage

B is the correct answer. Justification Technical competency is a usual area for review to ensure that the offshore provider meets acceptable standards. Individuals in different cultures often have different perspectives on what information is considered sensitive or confidential and how the information should be handled. Those perspectives may not be consistent with the enterprise's requirements. Cultural norms are not usually an area of consideration in a security review or during an onsite inspection. Defense in depth is a usual area for review to ensure that the offshore provider meets acceptable standards. Policies are a usual area for review to ensure that the offshore provider meets acceptable standards.

When outsourcing to an offshore provider, the MOST difficult element to determine during a security review will be:
A. technical competency.
B. incompatible culture.
C. defense in depth.
D. adequate policies.

B is the correct answer. Justification A predefined meeting schedule is a contributor to, but does not ensure, compliance. A periodic security audit is a formal and documented way to determine compliance level. A call tree is useful for dealing with incidents but does nothing to ensure compliance. Inclusion of a confidentiality clause does not ensure compliance.

When outsourcing, to ensure that third-party service providers comply with an organization security policy, which of the following should occur?
A. A predefined meeting schedule
B. A periodic security audit
C. Inclusion in the contract of a list of individuals to be called in the event of an incident (call tree)
D. Inclusion in the contract of a confidentiality clause

C is the correct answer. Justification Assessing project feasibility involves a variety of factors that must be determined prior to issuing a request for proposal (RFP). An RFP is a document distributed to software vendors requesting them to submit a proposal to develop or provide a software solution. Final management approval is likely to occur subsequent to receiving responses to an RFP. Development of a project budget depends on the responses to an RFP. The business case will be developed as a part of determining feasibility, which occurs prior to issuing an RFP.

When should a request for proposal be issued? At the project feasibility stage Upon management project approval Prior to developing a project budget When developing the business case

A is the correct answer. Justification Encryption would be the preferred method of ensuring confidentiality in customer communications with an e-commerce application. A digital signature is not a practical solution because there is typically no client-side certificate and integrity of the communication cannot be ensured. Strong passwords, by themselves, would not be sufficient because the data could still be intercepted. Two-factor authentication would be impractical and provide no assurance that data have not been modified through a man-in-the-middle attack.

Which of the following BEST accomplishes secure customer use of an e-commerce application? Data encryption Digital signatures Strong passwords Two-factor authentication

B is the correct answer. Justification Depending on the type of services outsourced, security awareness training may not be relevant or necessary. Regular security audits and reviews of the practices of the provider to prevent potential information security damage will help verify the security of outsourced services. Security requirements should be included in the contract, but what is most important is verifying that the requirements are met by the provider. It is not necessary to require the provider to fully comply with the policy if only some of the policy is related and applicable.

Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services? Provide security awareness training to the third-party provider's employees Conduct regular security reviews of the third-party provider Include security requirements in the service contract Request that the third-party provider comply with the organization's information security policy

D is the correct answer. Justification Audit documentation may not show whether the vendor meets the company's needs; the company needs to know the testing procedures. While comprehensive contracts set minimum service levels, contracts do not ensure that vendors will meet the minimum levels. Onsite visits to the vendor's site are not sufficient by themselves; they should be coupled with an audit approach to gauge information security compliance. Audits and compliance reviews are the most effective way to ensure compliance.

Which of the following is the MOST effective method for ensuring that outsourced operations comply with the company's information security posture? The vendor is provided with audit documentation. A comprehensive contract is written with service level metrics and penalties. Periodic onsite visits are made to the vendor's site. An onsite audit and compliance review is performed.

B is the correct answer. Justification A cost-benefit analysis should be undertaken from a business perspective but not from a security perspective. Applicable privacy requirements may be a matter of law or policy and will require consideration when outsourcing processes that involve personal information. When data are transferred, it may be necessary to ensure data security, but there are many other privacy and security issues to consider. Past incidents may not reflect the current security posture of the service provider nor do they reflect applicable security requirements.

Which of the following is the MOST important aspect that needs to be considered from a security perspective when payroll processes are outsourced to an external service provider? A cost-benefit analysis has been completed. Privacy requirements are met. The service provider ensures a secure data transfer. No significant security incident occurred at the service provider.

D is the correct answer. Justification Ease of installation, while important, would be secondary. Product documentation, while important, would be secondary. Available support, while important, would be secondary. Monitoring products can impose a significant impact on system overhead for servers and networks.

Which of the following is the MOST important item to consider when evaluating products to monitor security across the enterprise? Ease of installation Product documentation Available support System overhead

A is the correct answer. Justification A key requirement of an outsourced contract involving critical business systems is the establishment of the organization's right to conduct independent security reviews of the provider's security controls. A legally binding data protection agreement is also critical but secondary to conducting independent security reviews, which permits examination of the actual security controls prevailing over the system and, as such, is the more effective risk management tool. Network encryption of the link between the organization and the provider may well be a requirement but by itself will not provide the assurance of independent security reviews. A joint risk assessment of the system in conjunction with the outsourced provider may be a compromise solution should the right to conduct independent security reviews of the controls related to the system prove contractually difficult, but it is not the best option.

Which of the following is the MOST important process that an information security manager needs to negotiate with an outsource service provider? The right to conduct independent security reviews A legally binding data protection agreement Encryption between the organization and the provider A joint risk assessment of the system

