NET 3550
Life safety
Which of the following is the MOST important consideration for a control policy? Data protection Life safety Security strategy Regulatory factors
Standards change more slowly than the environment.
Which of the following challenges associated with information security documentation is MOST likely to affect a large, established organization? Standards change more slowly than the environment. Policies change faster than they can be distributed. Procedures are ignored to meet operational requirements. Policies remain unchanged for long periods of time.
A detailed business case
Which of the following choices BEST justifies an information security program? The impact on critical IT assets A detailed business case Steering committee approval User acceptance
risk appetite.
Control objectives are MOST closely aligned with: risk tolerance. criticality. risk appetite. sensitivity.
using a top-down approach.
Effective governance of enterprise security is BEST ensured by: using a bottom-up approach. management by the IT department. referring the matter to the organization's legal department. using a top-down approach.
Interview senior managers to address their concerns with the program
Senior management has expressed some concern about the effectiveness of the information security program. What can the information security manager do to gain the support of senior management for the program? Rebuild the program on the basis of a recognized, auditable standard. Calculate the cost-benefit analysis of the existing controls that are in place. Interview senior managers to address their concerns with the program. Present a report from the steering committee supporting the program.
security review.
The BEST process for assessing an existing risk level is a(n): impact analysis. security review. vulnerability assessment. threat analysis.
ensure that appropriate procurement processes are employed.
The acquisition of new IT systems that are critical to an organization's core business can create significant risk. To effectively manage the risk, the information security manager should FIRST: ensure that the IT manager accepts the risk of the technology choices. require the approval of auditors prior to deployment. obtain senior management approval for IT purchases. ensure that appropriate procurement processes are employed.
standards.
The aspect of governance that is MOST relevant to setting security baselines is: policies. acceptable risk. impacts. standards.
align organization assurance functions.
The concept of governance, risk and compliance serves PRIMARILY to: align organization assurance functions. ensure that all three activities are addressed by policy. present the correct sequence of security activities. define the responsibilities of information security.
The board of directors
During a stakeholder meeting, a question was asked regarding who is ultimately accountable for the protection of sensitive data. Assuming all of the following roles exist in the enterprise, which would be the MOST appropriate answer? Security administrators The IT steering committee The board of directors The information security mana
Data owner
Who in an organization has the responsibility for classifying information? Data custodian Database administrator Information security officer Data owner
Security goals should be derived from business goals
Business goals define the strategic direction of the organization. Functional goals define the tactical direction of a business function. Security goals define the security direction of the organization. What is the MOST important relationship between these concepts? Functional goals should be derived from security goals. Business goals should be derived from security goals. Security goals should be derived from business goals. Security and business goals should be defined independently from each other.
direct traceability.
Business objectives should be evident in the security strategy by: inferred connections. standardized controls. managed constraints. direct traceability.
The cost of compliance exceeds the cost of possible sanctions.
Management decided that the organization will not achieve compliance with a recently issued set of regulations. Which of the following is the MOST likely reason for the decision? The regulations are ambiguous and difficult to interpret. Management has a low level of risk tolerance. The cost of compliance exceeds the cost of possible sanctions. The regulations are inconsistent with the organizational strategy.
process performance and capabilities.
Maturity levels are an approach to determine the extent that sound practices have been implemented in an organization based on outcomes. Another approach that has been developed to achieve essentially the same result is: controls applicability statements. process performance and capabilities. probabilistic risk assessment. factor analysis of information risk.
affected departments.
New regulatory and legal compliance requirements that will have an effect on information security will MOST likely come from the: corporate legal officer. internal audit department. affected departments. compliance officer.
developing and presenting a business case.
Obtaining senior management support for an information security initiative can BEST be accomplished by: developing and presenting a business case. defining the risk that will be addressed. presenting a financial analysis of benefits. aligning the initiative with organizational objectives.
Risk mitigation
Risk acceptance is a component of which of the following? Risk assessment Risk mitigation Risk identification Risk monitoring
updated security policies.
Successful implementation of information security governance will FIRST require: security awareness training. updated security policies. a computer incident management team. a security architecture.
gain endorsement from executive management.
The FIRST step to create an internal culture that embraces information security is to: implement stronger controls. conduct periodic awareness training. actively monitor operations. gain endorsement from executive management.
verify the decision with the business units.
The IT function has declared that it is not necessary to update the business impact analysis when putting a new application into production because it does not produce modifications in the business processes. The information security manager should: verify the decision with the business units. check the system's risk analysis. recommend update after post-implementation review. request an audit review.
be aligned with the corporate business strategy.
The MOST basic requirement for an information security governance program is to: be aligned with the corporate business strategy. be based on a sound risk management approach. provide adequate regulatory compliance. provide good practices for security initiatives.
Review standards and system compliance.
The MOST direct way to accurately determine the control baseline in an IT system is to do which of the following activities? Review standards and system compliance. Sample hardware and software configurations. Review system and server logs for anomalies. Perform internal and external penetration tests.
feasibility and value proposition
The MOST important basis for developing a business case is the: risk that will be addressed. financial analysis of benefits. alignment with organizational objectives. feasibility and value proposition.
demonstrate support for desired outcomes.
The MOST important requirement for gaining management commitment to the information security program is to: benchmark a number of successful organizations. demonstrate potential losses and other impacts that can result from a lack of support. inform management of the legal requirements of due care. demonstrate support for desired outcomes.
organizational requirements.
The decision as to whether an IT risk has been reduced to an acceptable level should be determined by: organizational requirements. information systems requirements. information security requirements. international standards.
Governance
The enactment of policies and procedures for preventing hacker intrusions is an example of an activity that belongs to: risk management. compliance. IT management. governance.
Assessed risk is below acceptable levels.
Under what circumstances is it MOST appropriate to reduce control strength? Assessed risk is below acceptable levels. Risk cannot be determined. The control cost is high. The control is not effective.
to determine maximum probable loss over a period of time.
Value at risk can be used: as a qualitative approach to evaluating risk. to determine maximum probable loss over a period of time. for risk analysis applicable only to financial organizations. as a useful tool to expedite the assessment process.
Complexity of organizational structure
What will have the HIGHEST impact on standard information security governance models? Number of employees Distance between physical locations Complexity of organizational structure Organizational budget
Supporting business objectives
Which of the following is the MOST important consideration when developing an information security strategy? Supporting business objectives Maximizing the effectiveness of available resources Ensuring that legal and regulatory constraints are addressed Determining the effect on the organizational roles and responsibilities
Assets have been identified and appropriately valued.
Which of the following is the MOST important consideration when performing a risk assessment? Management supports risk mitigation efforts. Annual loss expectancies have been calculated for critical assets. Assets have been identified and appropriately valued. Attack motives, means and opportunities are understood.
Stakeholder requirements
Which of the following is the MOST important factor when designing information security architecture? Technical platform interfaces Scalability of the network Development methodologies Stakeholder requirements
Change management procedures are poor.
Which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations? Systems operation guidelines are not enforced. Change management procedures are poor. Systems development is outsourced. Systems capacity management is not performed.
Analyze the current business strategy
Which of the following steps should be FIRST in developing an information security plan? Perform a technical vulnerabilities assessment. Analyze the current business strategy. Perform a business impact analysis. Assess the current levels of security awareness.
Business impact analysis
Which of the following would be MOST useful in developing a series of recovery time objectives? Gap analysis Regression analysis Risk analysis Business impact analysis
provide structure and guidance.
Information security frameworks can be MOST useful for the information security manager because they: provide detailed processes and methods. are designed to achieve specific outcomes. provide structure and guidance. provide policy and procedure.
acknowledges a commitment to legal responsibility for information security.
An organization that appoints a chief information security officer: improves collaboration among the ranks of senior management. acknowledges a commitment to legal responsibility for information security. infringes on the governance role of the board of directors. enhances the financial accountability of technology projects.
Brute force attack
Which of the following attacks is BEST mitigated by using strong passwords? Man-in-the-middle attack Brute force attack Remote buffer overflow Root kit
risk activities are embedded in business processes.
A risk management process is MOST effective in achieving organizational objectives if: asset owners perform risk assessments. the risk register is updated regularly. the process is overseen by a steering committee. risk activities are embedded in business processes.
Associating realistic threats to corporate objectives
A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following items would be of MOST value? Examples of genuine incidents at similar organizations Statement of generally accepted good practices Associating realistic threats to corporate objectives Analysis of current technological exposures
key performance indicator.
Achieving compliance with a particular information security standard selected by management would BEST be described as a: key goal indicator. critical success factor. key performance indicator. business impact analysis.
change management.
Addressing risk scenarios at various information system life cycle stages is PRIMARILY a function of: change management. release management. incident management. configuration management.
implement monitoring techniques to detect and react to potential fraud.
After a risk assessment study, a bank with global operations decided to continue conducting business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to: increase its customer awareness efforts in those regions. implement monitoring techniques to detect and react to potential fraud. outsource credit card processing to a third party. make the customer liable for losses if they fail to follow the bank's advice.
accepted
After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be: transferred. treated. accepted. terminated.
managing the risk to the information infrastructure.
An information security manager is PRIMARILY responsible for: managing the risk to the information infrastructure. implementing a standard configuration for IT assets. conducting a business impact analysis (BIA). closing identified technical vulnerabilities.
Evaluate the risk due to noncompliance and suggest an alternate control.
An information security manager observed a high degree of noncompliance for a specific control. The business manager explained that noncompliance is necessary for operational efficiency. The information security manager should: evaluate the risk due to noncompliance and suggest an alternate control. ignore the issue of operational efficiency and insist on compliance for the control. change the security policies to reduce the amount of noncompliance risk. conduct an awareness session for the business manager to emphasize compliance.
Compensate for not installing the patch with mitigating controls.
An operating system noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution? Rewrite the application to conform to the upgraded operating system. Compensate for not installing the patch with mitigating controls. Alter the patch to allow the application to run in a privileged state. Run the application on a test platform; tune production to allow patch and application.
To improve risk management
An organization has decided to implement governance, risk and compliance processes into several critical areas of the enterprise. Which of the following objectives is the MAIN one? To reduce governance costs To improve risk management To harmonize security activities To meet or maintain regulatory compliance
the residual risk is less than or equal to the risk acceptance level.
An organization has implemented several risk mitigation strategies to reduce an identified risk. The risk control measures are sufficient when: the risk acceptance level is less than or equal to the total risk level. the residual risk is less than or equal to the risk acceptance level. risk avoidance is justified by cost-benefit analysis. risk mitigation is equal to annual loss expectancy.
Requiring employees to formally acknowledge receipt of the policy
An organization has recently developed and approved an access control policy. Which of the following will be MOST effective in communicating the access control policy to the employees? Requiring employees to formally acknowledge receipt of the policy Integrating security requirements into job descriptions Making the policy available on the intranet Implementing an annual retreat for employees on information security
The possibility of the new technology affecting the security or operation of other systems
An organization is considering the purchase of a new technology that will facilitate better customer interaction and would be integrated into the existing customer relationship management system. Which of the following is the PRIMARY risk the information security manager should consider related to this purchase? The potential that the new technology will not deliver the promised functionality to support the business The availability of ongoing support for the technology and whether existing staff can provide the support The possibility of the new technology affecting the security or operation of other systems The downtime required to re-configure the existing system to implement and integrate the new technology
business value.
Asset classification should be MOSTLY based on: business value. book value. replacement cost. initial cost.
A gap analysis
Determining the level of effort needed to meet particular improvement targets in risk management can BEST be determined using which of the following tools? A workflow diagram A Gantt chart A gap analysis A return on investment computation
developing a controls policy
Determining which element of the confidentiality, integrity and availability (CIA) triad is MOST important is a necessary task when: assessing overall system risk. developing a controls policy. determining treatment options. developing a classification scheme.
Information owner
For an organization's information security program to be highly effective, who should have final responsibility for authorizing information system access? Information owner Security manager Chief information officer System administrator
Detective
For which of the following types of controls is notification of a verified network intrusion an indication that the control is working properly? Preventative Corrective Detective Deterrent
raise the assessed risk level and increase remediation priority.
High risk volatility would be a basis for the information security manager to: base mitigation measures solely on assessed impact. raise the assessed risk level and increase remediation priority. disregard volatility as irrelevant to assessed risk level. perform another risk assessment to validate results.
determining the impact of cascading risk.
Highly integrated enterprise IT systems pose a challenge to the information security manager when attempting to set security baselines PRIMARILY from the perspective of: increased difficulty in problem management. added complexity in incident management. determining the impact of cascading risk. less flexibility in setting service delivery objectives.
Reduce exposure.
If a defined threat needs to be addressed and a preventive control is not feasible, the next BEST option is to do which of the following activities? Use a deterrent control. Reduce exposure. Use a compensating control. Reassess the risk.
conduct a risk assessment.
In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST: prepare a security budget. conduct a risk assessment. develop an information security policy. obtain benchmarking information.
business strategy
Information security governance is PRIMARILY driven by: technology constraints. regulatory requirements. litigation potential. business strategy.
liability
It is essential for the board of directors to be involved with information security activities primarily because of concerns regarding: technology liability compliance strategy
reduces financial risk but leaves legal responsibility generally unchanged.
Outsourcing combined with indemnification: reduces legal responsibility but leaves financial risk relatively unchanged. is more cost-effective as a means of risk transfer than purchasing insurance. eliminates the reputational risk present when operations remain in-house. reduces financial risk but leaves legal responsibility generally unchanged.
Determining the ratio of business interruption insurance to its cost
Quantifying the level of acceptable risk can BEST be indicated by which of the following choices? Surveying business process owners and senior managers Determining the percentage of the IT budget allocated to security Determining the ratio of business interruption insurance to its cost Determining the number and severity of incidents impacting the organization
contain percentage estimates.
Quantitative risk analysis is MOST appropriate when assessment results: include customer perceptions. contain percentage estimates. lack specific details. contain subjective information.
the likelihood of being exploited.
Reducing exposure of a critical asset is an effective mitigation measure because it reduces: the impact of a compromise. the likelihood of being exploited. the vulnerability of the asset. the time needed for recovery.
regulatory and legal requirements.
Retention of business records should PRIMARILY be based on: business strategy and direction. regulatory and legal requirements. storage capacity and longevity. business case and value analysis.
business requirements.
The PRIMARY concern of an information security manager documenting a formal data retention policy is: generally accepted industry good practices. business requirements. legislative and regulatory requirements. storage availability.
reducing the impact of risk on the business.
The PRIMARY objective for information security program development should be: creating an information security strategy. establishing incident response procedures. implementing cost-effective security solutions. reducing the impact of risk on the business.
information security may affect project feasibility.
The PRIMARY reason to consider information security during the first stage of a project life cycle is: the cost of security is higher in later stages. information security may affect project feasibility. information security is essential to project approval. it ensures proper project classification.
Assigned accountability
Which of the following choices is MOST likely to ensure that responsibilities are carried out? Signed contracts Severe penalties Assigned accountability Clear policies
The key objectives of the security program
What is the MOST important item to be included in an information security policy? The definition of roles and responsibilities The scope of the security program The key objectives of the security program Reference to procedures and standards of the security program
To ensure that objectives are met
What is the MOST important reason to periodically test controls? To meet regulatory requirements To meet due care requirements To ensure that objectives are met To achieve compliance with standard policy
It identifies controls commensurate with impact.
What is the PRIMARY benefit of performing an information asset classification? It links security requirements to business objectives. It identifies controls commensurate with impact. It defines access rights. It establishes asset ownership.
Identify weaknesses in network and server security.
What is the PRIMARY purpose of performing an internal attack and penetration test? Identify weaknesses in network and server security. Identify ways to improve the incident response process. Identify attack vectors on the network perimeter. Identify the optimum response to internal hacker attacks.
To identify significant overall risk from a single threat vector
What is the goal of risk aggregation? To combine homogenous elements to reduce overall risk To influence the organization's risk acceptance methodologies To group individual acceptable risk events for simplified risk reporting To identify significant overall risk from a single threat vector
Apply common risk measurement criteria to each department
When the security risk assessment result was reviewed, it was found that the rationale for risk rating varies by department. Which of the following will BEST improve this situation? Apply common risk measurement criteria to each department Introduce risk appetite and risk tolerance at the policy level Place increased focus on quantitative risk assessment Implement routine peer review of the risk assessment results
Better adherence to policies
Which is a characteristic of centralized information security management? More expensive to administer Better adherence to policies More responsive to business unit needs Faster turnaround of requests
Residual risk is acceptable.
Which of the following BEST indicates a successful risk management practice? Overall risk is quantified. Inherent risk is eliminated. Residual risk is acceptable. Control risk is tied to business units.
Approval of risk management methodology
Which of the following BEST indicates senior management commitment toward supporting information security? Assessment of risk to the assets Approval of risk management methodology Review of inherent risk to information assets Review of residual risk for information asset
Treat regulatory compliance as any other risk.
Which of the following approaches is BEST for addressing regulatory requirements? Treat regulatory compliance as any other risk. Ensure that policies address regulatory requirements. Make regulatory compliance mandatory. Obtain insurance for noncompliance.
The percentage of incidents from unknown risk
Which of the following choices would be the BEST measure of the effectiveness of a risk assessment? The time, frequency and cost of assessing risk The scope and severity of new risk discovered The collective potential impact of defined risk The percentage of incidents from unknown risk
The organizational culture
Which of the following factors is the MOST significant in determining an organization's risk appetite? The nature and extent of threats Organizational policies The overall security strategy The organizational culture
Process owners
Which of the following groups would be in the BEST position to perform a risk analysis for a business? External auditors A peer group within a similar business Process owners A specialized management consultant
Chief operating officer
Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group? Information security manager Chief operating officer Internal auditor Legal counsel
Understanding key business objectives
Which of the following is MOST important in developing a security strategy? Creating a positive security environment Understanding key business objectives Having a reporting line to senior management Allocating sufficient resources to information security
Guidelines
Which of the following is MOST likely to be discretionary? Policies Procedures Guidelines Standards
An impact assessment
Which of the following is the BEST basis for determining the criticality and sensitivity of information assets? A threat assessment A vulnerability assessment A resource dependency assessment An impact assessment
Individual business managers
Which of the following is the BEST source for determining the value of information assets? Individual business managers Business systems analysts Information security management Industry benchmarking results
Determination of clearly defined objectives
Which of the following is the MOST important step in developing a cost-effective information security strategy that is aligned with business requirements? Identification of information assets and resource ownership Valuation of information assets Determination of clearly defined objectives Classification of assets as to criticality and sensitivity
An inaccurate valuation of information assets
Which of the following poses the GREATEST challenge to an organization seeking to prioritize risk management activities? An incomplete catalog of information assets A threat assessment that is not comprehensive A vulnerability assessment that is outdated An inaccurate valuation of information assets
Restricting execution of mobile code
Which of the following provides the BEST defense against the introduction of malware in end-user computers via the Internet browser? Input validation checks on structured query language injection Restricting access to social media sites Deleting temporary files Restricting execution of mobile code
Identifiable personal data
Which of the following represents the MAJOR focus of privacy regulations? Unrestricted data mining Identity theft Human rights protection Identifiable personal data
Validation checks are missing in data input pages.
Which of the following vulnerabilities allowing attackers access to the application database is the MOST serious? Validation checks are missing in data input pages. Password rules do not allow sufficient complexity. Application transaction log management is weak. Application and database share a single access ID.
Prospective employee background checks
Which of the following will BEST protect an organization from insider security attacks? Static Internet Protocol addressing Internal address translation Prospective employee background checks Employee awareness certification program
Reviewing and modifying procedures
Which of the following will require the MOST effort when supporting an operational information security program? Reviewing and modifying procedures Modifying policies to address changing technologies Writing additional policies to address new regulations Drafting standards to address regional differences
Workflow analysis
Which of the following would be the FIRST step in effectively integrating risk management into business processes? Workflow analysis Business impact analysis Threat and vulnerability assessment Analysis of the governance structure
Defining the need
Which of the following would be the FIRST step when developing a business case for an information security investment? Defining the objectives Calculating the cost Defining the need Analyzing the cost-effectiveness