CISM - Information Security Controls
C is the correct answer. Justification The type of control is not relevant. Notification of failure is not determinative of control effectiveness. Control effectiveness requires a process to verify that the control process works as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended. Reliability is not an indication of control strength; weak controls can be highly reliable, even if they are ineffective controls.
What is a reasonable approach to determine control effectiveness? Determine whether the control is preventive, detective or corrective. Review the control's capability of providing notification of failure. Confirm the control's ability to meet intended objectives. Assess and quantify the control's reliability.
D is the correct answer. Justification Properly developed organizational policies are not likely to require any changes when corporate standards change due to new technology. Risk assessment is a process used to identify and evaluate risk and its potential effects. Approaches to assessing risk probably will not need to change when corporate standards change due to new technology. A control objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular process. Properly developed control objectives are not likely to require any changes when corporate standards change due to new technology. Because security baselines are set by standards, it is most likely that a change in some standards will necessitate a review and possible changes in baseline security.
When corporate standards change due to new technology, which of the following choices is MOST likely to be impacted? Organizational policies The risk assessment approach Control objectives Systems security baselines
B is the correct answer. Justification Whether controls are procedural or technical will not affect layering requirements. To manage the aggregate risk of total risk, common failure modes in existing controls must be addressed by adding or modifying controls so that they fail under different conditions. The total cost of ownership is unlikely to be reduced by adding additional controls. Controls that fail in a closed condition pose a risk to availability, whereas controls that fail in an open condition may require additional control layers to prevent compromise.
Which of the following factors will MOST affect the extent to which controls should be layered? The extent to which controls are procedural The extent to which controls are subject to the same threat The total cost of ownership for existing controls The extent to which controls fail in a closed condition
C is the correct answer. Justification Control objectives cannot be evaluated until the exact nature of the compromise is understood, and therefore it is not clear how to best provide a solution. Increasing the restrictiveness of controls should only take place if it is determined by root cause analysis to be necessary to solve the problem. Assessing the root cause is the first step in understanding whether control objectives and controls are inadequate or there was some other cause that must be addressed. Repeating the control test does not provide a root cause of the compromise that occurred.
Although control effectiveness has recently been tested, a serious compromise occurred. What is the FIRST action that the information security manager should take? Evaluate control objectives. Develop more stringent controls. Perform root cause analysis. Repeat the control test.
A is the correct answer. Justification The authentication process is broken because, although the session is valid, the application should reauthenticate when the input parameters are changed. The review provided valid employee IDs, and valid input was processed. The problem here is the lack of reauthentication when the input parameters are changed. Cross-site scripting is not the problem in this case because the attack is not transferred to any other user's browser to obtain the output. Structured query language (SQL) injection is not a problem because input is provided as a valid employee ID and no SQL queries are injected to provide the output.
An internal review of a web-based application system reveals that it is possible to gain access to all employees' accounts by changing the employee's ID used for accessing the account on the uniform resource locator. The vulnerability identified is: broken authentication. unvalidated input. cross-site scripting. structured query language injection.
C is the correct answer. Justification Inherent strength will not ensure that controls do not degrade over time. Maintaining strategic alignment will help identify life cycle stages of controls but by itself will not address control degradation. Managing controls over their life cycle will allow for compensation of decreased effectiveness over time. Change management strongly supports life cycle management but by itself does not address the complete cycle.
The MOST effective approach to ensure the continued effectiveness of information security controls is by: ensuring inherent control strength. ensuring strategic alignment. using effective life cycle management. using effective change management.
B is the correct answer. Justification While the control may be more expensive than the cost of the physical asset, such as a laptop computer, the impact to the business may be much higher and thus justify the cost of the control. Controls are selected based on their impact on the business due to the nonavailability of the asset rather than on the cost of the asset or the available budget. Budget availability is a consideration; however, this is not as important as the overall impact to the business if the asset is compromised. Net present value (NPV) calculations are not useful to determine the cost of a control. While a laptop computer might be fully amortized (or even expensed), the impact of the loss of the asset may be much higher than its NPV.
A control for protecting an information technology (IT) asset, such as a laptop computer, is BEST selected if the cost of the control is less than the: cost of the asset. impact on the business if the asset is lost or stolen. available budget. net present value.
B is the correct answer. Justification Preventing the system from being accessed remotely is not always an option in mission-critical systems and still leaves local access risk. Creating a strong random password reduces the risk of a successful brute force attack by exponentially increasing the time required. Vendor patches are not always available. Tracking usage is a detective control and will not prevent an attack.
A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account? Prevent the system from being accessed remotely. Create a strong random password. Ask for a vendor patch. Track usage of the account by audit trails.
A is the correct answer. Justification A permissive controls policy allows activities that are not explicitly denied. Configuration to fail closed is a restrictive controls policy. Delegation of privileges refers to discretionary access control. Standards permit control variations within defined limits.
A permissive controls policy would be reflected in which one of the following implementations? Access is allowed unless explicitly denied. IT systems are configured to fail closed. Individuals can delegate privileges. Control variations are permitted within defined limits.
A is the correct answer. Justification The information security manager cannot make an informed decision about the request without first understanding the business requirements of the developer portal. Performing a vulnerability assessment of the developer portal is prudent but is subsequent to understanding the requirements. Installing an intrusion detection system may be useful but not as essential as understanding the requirements. Obtaining a signed nondisclosure agreement is a prudent practice but is secondary to understanding requirements.
A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network. What should the security manager do FIRST? Understand the business requirements of the developer portal Perform a vulnerability assessment of the developer portal Install an intrusion detection system Obtain a signed nondisclosure agreement from the external consultants before allowing external access to the server
D is the correct answer. Justification Depending on the font style, text messages may become illegible; however, character codes stay the same behind the scenes. Therefore, scanning may not be affected by font settings. Even when a message is posted using a stolen identity, scanning will be able to catch an inappropriate posting by checking text against a predefined vocabulary table. Absence of the identity of the user who posted an inappropriate message may not be a major issue in conducting the scanning of posted information. Intentional misspellings are hard to detect by fixed rules or keyword search because it is difficult for the system to consider all possible misspellings. The computer may ignore misspelled items. Because humans can understand the context, it is rather easy for humans to sense the true intention hidden behind the misspelling.
A social media application system has a process to scan posted comments in search of inappropriate disclosures. Which of the following choices would circumvent this control? An elaborate font setting Use of a stolen identity An anonymous posting A misspelling in the text
A is the correct answer. Justification The most important feature of target attacks as seen in advanced persistent threats is that malware secretly sends information back to a command and control server. Therefore, monitoring of outbound server communications that do not follow predefined routes will be the best control to detect such security events. Server communications are usually not monitored to evaluate the resiliency of server operations. The effectiveness of an intrusion detection system may not be verified by monitoring outbound server communications. Nonrepudiation may be supported by technology, such as a digital signature. Server communication itself does not support the effectiveness of an e-commerce framework.
Abnormal server communication from inside the organization to external parties may be monitored to: record the trace of advanced persistent threats. evaluate the process resiliency of server operations. verify the effectiveness of an intrusion detection system. support a nonrepudiation framework in e-commerce.
A is the correct answer. Justification It is likely to be more effective to control the organization's vulnerabilities to third-party risk by limiting organizational exposure than to control the third party's actions. Knowing the risk is essential, but does not manage it. Defining contractual responsibilities of third parties is important, but will not directly manage risk. Audits may indicate the threats posed by third parties, but will not ensure that the risk is managed.
An information security manager's MOST effective efforts to manage the inherent risk related to a third-party service provider will be the result of: limiting organizational exposure. a risk assessment and analysis. strong service level agreements. independent audits of third parties.
B is the correct answer. Justification Rewriting the application is not a viable option. Because the operating system (OS) patch will adversely impact a critical application, a mitigating control should be identified that will provide an equivalent level of security. Altering the OS patch to allow the application to run in a privileged state is likely to create new security weaknesses. Running a production application on a test platform is not an acceptable alternative because it will mean running a critical production application on a platform not subject to the same level of security controls.
An operating system noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution? Rewrite the application to conform to the upgraded operating system. Compensate for not installing the patch with mitigating controls. Alter the patch to allow the application to run in a privileged state. Run the application on a test platform; tune production to allow patch and application.
D is the correct answer. Justification Periodic change of password is a good control against password theft. However, it would not compensate for the shortcoming in password length. Use of special characters will enhance password complexity. However, it will not fully replace the shortcoming in password length. Segregation of duties will tighten the control against fraud. However, it will not resolve password noncompliance. Vendor systems are sometimes unable to provide a security control that meets the policy of the organization. In such cases, compensating controls should be sought (e.g., password lockout on failed attempts).
An organization is using a vendor-supplied critical application which has a maximum password length that does not comply with organizational security standards. Which of the following approaches BEST helps mitigate the weakness? Shorten the password validity period. Encourage the use of special characters. Strengthen segregation of duties. Introduce compensating controls.
A is the correct answer. Justification Cross-site scripting attacks inject malformed input. Attackers who exploit weak application authentication controls can gain unauthorized access to applications, but this has little to do with cross-site scripting vulnerabilities. Attackers who exploit flawed cryptographic Secure Sockets Layer implementations and short key lengths can sniff network traffic and crack keys to gain unauthorized access to information. This has little to do with cross-site scripting vulnerabilities. Web application trust relationships do not relate directly to the attack.
Attackers who exploit cross-site scripting vulnerabilities take advantage of: a lack of proper input validation controls. weak authentication controls in the web application layer. flawed cryptographic Secure Sockets Layer implementations and short key lengths. implicit web application trust relationships.
A is the correct answer. Justification Control baselines are designed to mitigate risk and will depend on the organization's risk appetite. The viability and existence of threats will have a direct bearing on control baselines, but only to the extent that they can exploit vulnerabilities and create a risk of potential impact. In some cases the effectiveness may modify the control objectives if it is not feasible to mitigate the risk, but generally that will not change the objectives. Vulnerability assessments are conducted against a control baseline.
Control baselines are MOST directly related to the: organization's risk appetite. external threat landscape. effectiveness of mitigation options. vulnerability assessment.
C is the correct answer. Justification Risk tolerance is the acceptable level of deviation from acceptable risk and is not directly affected by control objectives. Criticality is the importance to the business and is one of the considerations when control objectives are set in addition to potential impact, exposure, cost and feasibility of possible controls, but criticality plays a lesser role in relationships between risk and control. Criticality is more a need for the business than a control to reduce risk for the environment. Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission. Control objectives are set so that controls can be designed on that basis. Sensitivity is the potential impact of unauthorized disclosure, which will also be one of the considerations in control objectives, but it is not a control itself. Sensitivity creates risk, and that risk is weighed against the controls put in place to reduce that risk, but sensitivity is an identification marker or classification of data or a control and does not define "acceptable risk."
Control objectives are MOST closely aligned with: risk tolerance. criticality. risk appetite. sensitivity.
A is the correct answer. Justification The purpose of controls is to bring residual risk to acceptable levels. When controls have this result, they are effective by definition. Continuous monitoring provides a means of monitoring the effectiveness of controls, but the existence of a monitoring program does not make controls effective. Inherent risk does not take controls into account. Identifying key performance indicators provides a means by which to gauge performance but does not make controls effective.
Controls are effective when: residual risk is at a level acceptable to the organization. continuous monitoring programs are in place. inherent risk is within the organizational risk tolerance. key performance indicators have been identified.
C is the correct answer. Justification Preventative controls, such as authentication mechanisms and encryption, are intended to stop intrusions, so a verified intrusion indicates that preventative controls were ineffective. Corrective controls, such as backups and failover capabilities, are intended to offset the impact caused by successful attacks directed against information systems. Intrusions may not have impact at the time of their detection, so an intrusion does not in and of itself offer any indication regarding the workings of corrective controls. Detective controls, such as intrusion detection systems, are designed to alert staff to intrusions when they occur. Notification of a verified network intrusion is an indication that the control is working properly. Deterrent controls, such as warning banners, are intended to reduce the threat level by creating disincentives for threat events. A verified network intrusion indicates that the deterrent was inadequate for the responsible threat actor.
For which of the following types of controls is notification of a verified network intrusion an indication that the control is working properly? Preventative Corrective Detective Deterrent
C is the correct answer. Justification Increased difficulty in problem management is incorrect. Determining root causes in problem management may be more difficult in highly integrated systems because of the many interconnected functions, but that is not the primary risk concern. Incident management may be affected by the added complexity of highly integrated systems when attempting to quickly isolate and ascertain the source of a problem along a chain of tightly coupled functions; however, this is not the primary issue. Highly integrated systems are more susceptible to cascading risk, where the failure or compromise of any one element has the possibility of causing a domino effect of failures. Setting service delivery objectives will be constrained by the extent of the integration because most elements require the same level of functionality; a lower service level of any component reduces the functionality of all dependent elements. However, this is not the primary consideration.
Highly integrated enterprise IT systems pose a challenge to the information security manager when attempting to set security baselines PRIMARILY from the perspective of: increased difficulty in problem management. added complexity in incident management. determining the impact of cascading risk. less flexibility in setting service delivery objectives.
A is the correct answer. Justification Advanced persistent threat (APT) refers to stealthy attacks not easily discovered without detailed analysis of behavior and traffic flows. Security information and event management (SIEM) solutions analyze network traffic over long periods of time to identify variances in behavior that may reveal APTs. Stateful inspection is a function of some firewalls, but is not part of a security information and event management (SIEM) solution. A stateful inspection firewall keeps track of the destination Internet Protocol address of each packet that leaves the organization's internal network. Whenever the response to a packet is received, its record is referenced to ascertain and ensure that the incoming message is in response to the request that went out from the organization. Zero-day attacks are not advanced persistent threats (APTs) because they are unknown until they manifest for the first time and cannot be proactively detected by security information and event management (SIEM) solutions. A vulnerability assessment identifies areas that may potentially be exploited, but does not detect attempts at exploitation, so it is not related to advanced persistent threat (APT).
How does a security information and event management solution MOST likely detect the existence of an advanced persistent threat in its infrastructure? Through analysis of the network traffic history Through stateful inspection of firewall packets Through identification of zero-day attacks Through vulnerability assessments
B is the correct answer. Justification Telling management what their risk appetite is will likely get a "So what?" response. It is meaningless outside the context of control effectiveness. Understanding risk appetite in key security control areas helps redirect resources from risk at or below acceptable levels to risk above the tolerance. The result is improved control effectiveness at no additional cost. This answer does not address the value of understanding risk appetite. The risk environment and control effectiveness do change, but continuous monitoring applies more to rapidly changing controls, and to areas of greatest risk. Risk appetite changes are usually more stable. Knowledge of risk appetite does help to facilitate communication with management, but is only one small element of effective communication with senior management.
How does knowledge of risk appetite help to increase security control effectiveness? It shows senior management that you understand their needs. It provides a basis for redistributing resources to mitigate risk outside the risk tolerance. It requires continuous monitoring because the entire risk environment is constantly changing. It facilitates communication with management about the importance of security.
D is the correct answer. Justification Legal and regulatory considerations are evaluated in the same manner as other forms of risk. Externally facing systems or applications are not necessarily high-impact systems. The prioritization of a vulnerability assessment needs to be made on the basis of impact. Although the impact associated with the loss of any resource subject to a performance contract is clearly quantifiable, it may not necessarily be a critical resource. If the loss of a contract system poses a significant impact to the organization, additional measures such as business interruption insurance will be in place. Maintaining business operations is always the priority. If a system is covered by business interruption insurance, it is a clear indication that management deems it to be a critical system.
In conducting an initial technical vulnerability assessment, which of the following choices should receive top priority? Systems impacting legal or regulatory standing Externally facing systems or applications Resources subject to performance contracts Systems covered by business interruption insurance
B is the correct answer. Justification Improper implementation can affect design control strength; however, even good implementation is not likely to overcome poor design. Inherent control strength is mainly achieved by proper design. Testing is important to determine whether design strength has been achieved but will generally not solve design problems. Policy support for appropriate controls is important but is generally too high level to ensure that a design has inherent control strength.
Inherent control strength is PRIMARILY a function of which of the following? Implementation Design Testing Policy
B is the correct answer. Justification Examples of containment defenses are awareness, training and physical security defenses. Detection defenses include logging as well as monitoring, measuring, auditing, detecting viruses and intrusion. Examples of reaction defenses are incident response, policy and procedure change, and control enhancement. Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans.
Logging is an example of which type of defense against systems compromise? Containment Detection Reaction Recovery
A is the correct answer. Justification Controls are designed and implemented to produce levels of risk aligned with the enterprise risk appetite. Industry standards offer managers and engineers direction on how desired objectives might be achieved, but organizations adopt them only when doing so aligns with business objectives and the enterprise risk appetite. Monitored threat levels do not provide a comprehensive basis for the design and implementation of preventive controls. The need to meet uptime targets specified in service level agreements is only one of many considerations taken into account when developing preventive controls.
Objectives for preventive controls should be developed PRIMARILY on the basis of: risk levels aligned with the enterprise risk appetite. technical requirements directed by industry standards. threat levels as established by monitoring tools. uptime targets specified in service level agreements.
C is the correct answer. Justification Tree diagrams are useful for decision analysis. Venn diagrams show the connection between sets but are not useful in indicating status. Heat charts, sometimes referred to as stoplight charts, quickly and clearly show the current status of remediation efforts. Bar charts show relative size but are a less direct presentation approach to tracking status of remediation efforts.
Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following? Tree diagrams Venn diagrams Heat charts Bar charts
D is the correct answer. Justification Validation of checks on structured query language injection does not apply to this scenario. Restricting access to social media sites may be helpful but is not the primary source of malware. Deleting temporary files is not applicable to this scenario. Restricting execution of mobile code is the most effective way to avoid introduction of malware into the end user's computers.
Which of the following provides the BEST defense against the introduction of malware in end-user computers via the Internet browser? Input validation checks on structured query language injection Restricting access to social media sites Deleting temporary files Restricting execution of mobile code
C is the correct answer. Justification Reducing risk to a level too small to measure is impractical and is often cost prohibitive. Depending on the risk preference of an organization, it may or may not choose to pursue risk mitigation to the point at which the benefit equals or exceeds the expense. Risk should be reduced to a level that an organization is willing to accept. To tie risk to a specific rate of return ignores the qualitative aspects of risk that must also be considered.
Risk management programs are designed to reduce risk to: a level that is too small to be measurable. the point at which the benefit exceeds the expense. a level that the organization is willing to accept. a rate of return that equals the current cost of capital.
A is the correct answer. Justification Monitoring processes are also required to ensure the organization's compliance with laws and regulations; therefore, the information security manager will be obligated to advise compliance with the law. Even if short-term impact cannot be determined, it is a business decision to accept the risk. Industry security practices do not override the business decision to accept the risk. Changes in the roles matrix do not override the business decision to accept the risk.
Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if: it implies compliance risk. short-term impact cannot be determined. it violates industry security practices. changes in the roles matrix cannot be detected.
A is the correct answer. Justification A control baseline is obtained by reviewing the standards to determine the control objectives that they set, and then checking systems to determine whether they comply with the objectives set by the standards. Sampling hardware configurations without knowing the control objectives reflected in the standards provides information on the current state but not on how that state relates to the intended state. Anomalies in system logs do not necessarily indicate that baseline security is incorrect, nor does an absence of abnormalities mean that the baseline is correct. Penetration tests that reveal vulnerabilities must be evaluated in the context of the control objectives set by the standard.
The MOST direct way to accurately determine the control baseline in an IT system is to do which of the following activities? Review standards and system compliance. Sample hardware and software configurations. Review system and server logs for anomalies. Perform internal and external penetration tests.
D is the correct answer. Justification Threat and vulnerability are factors in determining probability, but without knowing the magnitude of loss (or impact) associated with a particular event, knowing its probability is an inadequate basis for prioritizing control development. Cost is always a consideration, and resource constraints may lead to certain controls being delayed, but prioritization occurs even among controls of comparable cost. These are considerations when developing control objectives but do not factor into the prioritization of controls. The probability that an adverse event will occur and the consequent impact provide an effective quantitative basis for ordering the development of controls.
The MOST important factors to consider when prioritizing control development are: threat and vulnerability. cost and frequency. risk appetite and tolerance. probability and impact.
The effectiveness of segregation of duties may be MOST seriously compromised when:
A. user IDs of terminated staff remain active in application systems.
B. access privileges are accumulated based on previous job functions.
C. application role-based access deviates from the organizational hierarchies.
D. role mining tools are used in the access privilege review.

B is the correct answer.
Justification: It is not desirable to leave user IDs of terminated personnel or contractors active in the systems because it increases the potential for unauthorized access. However, the risk related to not effectively managing terminated users is an access management issue, not a segregation of duties issue. When changing user roles are not adequately managed, access privileges may cross the boundary of segregation of duties. This often happens when a user's role changes as part of a promotion or transfer: the user is assigned new system privileges to fulfill the new role, and the privileges of the old role are not removed. Role-based access is built on the premise that users are granted those privileges that they need to perform their daily job function (role). These may not necessarily be aligned with the organizational hierarchies. Using role mining tools in the access entitlement review may enhance the efficiency and effectiveness of the process, particularly in large and complex environments.
Under what circumstances is it MOST appropriate to reduce control strength?
A. Assessed risk is below acceptable levels.
B. Risk cannot be determined.
C. The control cost is high.
D. The control is not effective.

A is the correct answer.
Justification: It is appropriate to reduce control strength if it exceeds mitigation requirements set by acceptable risk levels. An inability to determine risk is not a justification for reducing control strength. Excessive control cost is not a reason to reduce strength, although it suggests that a redesign of the control is needed. Control effectiveness does not change the control strength requirement.
What is the BEST means to standardize security configurations in similar devices?
A. Policies
B. Procedures
C. Technical guides
D. Baselines

D is the correct answer.
Justification: Policies set high-level direction, not technical details. Procedures are used to provide instructions on accomplishing specific tasks. Technical guides provide support but not necessarily the requirements. Baselines describe the minimum configuration requirements across similar devices, activities or resources.
What is the MOST important reason to periodically test controls?
A. To meet regulatory requirements
B. To meet due care requirements
C. To ensure that objectives are met
D. To achieve compliance with standard policy

C is the correct answer.
Justification: Not all organizations are required to periodically test controls. Periodically testing controls does not help meet due care requirements. Due care is what a reasonable person of similar competency would do under similar circumstances. Periodically testing controls ensures that controls continue to meet control objectives. Compliance with policy is not the most important factor for periodically testing controls.
What is the PRIMARY basis for the selection and implementation of products to protect the IT infrastructure?
A. Regulatory requirements
B. Technical expert advisories
C. State-of-the-art technology
D. A risk assessment

D is the correct answer.
Justification: Regulatory requirements drive business requirements. An expert advisory may not be aligned with business needs. A risk assessment is the main driver for selecting technologies. A risk assessment helps identify control gaps in the IT infrastructure and prioritize mitigation plans, which will help drive selection of security solutions.
What is the PRIMARY purpose of segregation of duties?
A. Employee monitoring
B. Reduced supervisory requirements
C. Fraud prevention
D. Enhanced compliance

C is the correct answer.
Justification: Segregation of duties (SoD) is unrelated to employee monitoring. As a secondary benefit, some reduction in supervision may be possible. SoD is primarily used to prevent fraudulent activities. If SoD is a policy requirement, then a secondary benefit is enhanced compliance. However, the policy exists to reduce fraud.
What is the PRIMARY purpose of using risk analysis within a security program?
A. The risk analysis helps justify the security expenditure.
B. The risk analysis helps prioritize the assets to be protected.
C. The risk analysis helps inform executive management of the residual risk.
D. The risk analysis helps assess exposures and plan remediation.

D is the correct answer.
Justification: Risk analysis indirectly supports the security expenditure, but justifying the security expenditure is not its primary purpose. Helping businesses prioritize the assets to be protected is an indirect benefit of risk analysis but not its primary purpose. Informing executive management of residual risk value is not directly relevant. Risk analysis explores the degree to which an asset needs protecting so this can be managed effectively.
When assessing the maturity of the risk management process, which of the following findings raises the GREATEST concern?
A. Organizational processes are not adequately documented.
B. Multiple frameworks are used to define the desired state.
C. Required security objectives are not well defined.
D. The desired state is not based on the business objectives.

D is the correct answer.
Justification: It is expected that the organization will start work to improve the system beyond this level. It is not wrong for an organization to start off at the base of the maturity model. Using multiple frameworks could be unnecessarily expensive if not well planned and may result in conflicts between the frameworks. It is very important that qualitative and quantitative objectives be well defined for a gap analysis to be effective. However, defining a desired state without input from the business strategy invalidates the entire process. Risk management is about the business. Defining a desired state without consideration of business objectives implies that the stated desired outcome may not be effective, even if attained.
When performing a review of risk treatment options, the MOST important benefit to consider is:
A. maximum risk mitigation.
B. savings in control options.
C. alignment with regulatory requirements.
D. achieving control objectives.

D is the correct answer.
Justification: Control objectives are established on the basis of organizational risk appetite, so maximizing mitigation beyond the control objectives means incurring unnecessary cost. Cost is always a consideration, but an option cannot be considered to have "saved" money unless it also meets an objective. Regulatory requirements are considered no differently than any other consideration in the risk assessment process. Control objectives are established on the basis of risk appetite, which may or may not include accepting the risk of not complying with a regulation. Achieving control objectives is the reason for designing controls. No other benefit can offset failure to meet the control objectives.
Which of the following BEST describes the key objective of an information security program?
A. Achieve strategic business goals and objectives.
B. Protect information assets using manual and automated controls.
C. Automate information security controls.
D. Eliminate threats to the organization.

A is the correct answer.
Justification: While the activities of the security program are primarily the protection of the organization's assets, the key objective is to support the achievement of the strategic business goals and objectives. An information security program focuses on protecting information assets using manual and automated controls with the objective of supporting the achievement of strategic business goals. Information security is achieved by implementing any type of control; it is achieved not just by using IT controls, but also by using manual controls. Threats cannot be eliminated; information security controls help reduce risk to an acceptable level.
Which of the following BEST supports the principle of security proportionality?
A. Release management
B. Ownership schema
C. Resource dependency analysis
D. Asset classification

D is the correct answer.
Justification: Release management provides no indication that protection is proportionate to the value of the asset. An implemented ownership schema is one step in achieving proportionality, but other steps must also occur. Resource dependency analysis can reveal the level of protection afforded a particular system, but that may be unrelated to the level of protection of other assets. Classification provides the basis for protecting resources in relation to their importance to the organization; more important assets get a proportionally higher level of protection.
Which of the following actions should the information security manager take FIRST on finding that current controls are not sufficient to prevent a serious compromise?
A. Strengthen existing controls.
B. Reassess the risk.
C. Set new control objectives.
D. Modify security baselines.

B is the correct answer.
Justification: Until a clear picture of risk has been developed, the extent of control increases needed cannot be determined. Control decisions are driven by risk. Risk should be carefully reassessed and analyzed to correct potential misjudgment in the original assessment. A control objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular process. Changes to control objectives should be made after risk has been reassessed. Security baselines set by appropriate standards are the minimum security requirements for different trust domains across the enterprise. Baselines may need to be strengthened after risk has been reassessed.
Which of the following attacks is BEST mitigated by using strong passwords?
A. Man-in-the-middle attack
B. Brute force attack
C. Remote buffer overflow
D. Rootkit

B is the correct answer.
Justification: Man-in-the-middle attacks intercept network traffic and must be mitigated by encryption. Strong passwords mitigate brute force attacks. Buffer overflow attacks are not mitigated by passwords. Rootkits hook into the operating system's kernel and, therefore, operate underneath any authentication mechanism.
Which of the following authentication methods prevents authentication replay?
A. Password hash implementation
B. Challenge/response mechanism
C. Wired Equivalent Privacy encryption usage
D. Hypertext Transfer Protocol basic authentication

B is the correct answer.
Justification: Hashing the password does not work against replay: an attacker who captures the authentication handshake can replay it through the network, and using hashes by itself will not prevent a replay. A challenge/response mechanism prevents replay attacks by sending a different random challenge in each authentication event; the response is linked to that challenge. A Wired Equivalent Privacy (WEP) key will not prevent sniffing, although it will take the attacker longer to break the WEP key if the attacker does not already have it. Therefore, WEP will not prevent recording and replaying an authentication handshake. Hypertext Transfer Protocol basic authentication is cleartext and has no mechanisms to prevent replay.
Which of the following is a preventive measure?
A. A warning banner
B. Audit trails
C. An access control
D. An alarm system

C is the correct answer.
Justification: A warning banner is a deterrent control, which provides a warning that can deter potential compromise. Audit trails are an example of a detective control. Preventive controls inhibit attempts to violate security policies. An example of such a control is an access control. An alarm system is an example of a detective control.
Which of the following is the BEST method to provide a new user with their initial password for email system access?
A. Provide a system-generated complex password by interoffice mail with 30 days expiration.
B. Provide a temporary password over the telephone set for immediate expiration.
C. Require no password but force the user to set their own in 10 days.
D. Set initial password equal to the user ID with expiration in 30 days.

B is the correct answer.
Justification: Documenting the password on paper is not the best method even if sent through interoffice mail; if the password is complex and difficult to memorize, the user will likely keep the printed password, and this creates a security concern. A temporary password that will need to be changed upon first logon is the best method because it is reset immediately and is replaced with the user's choice of password, which will make it easier for the user to remember. If it is given to the wrong person, the legitimate user will likely notify security if still unable to access the system; therefore, the security risk is low. Setting an account with no initial password is a security concern even if it is just for a few days. Setting the initial password equal to the user ID provides the greatest security threat because user IDs are typically known by both users and security staff, thus compromising access for up to 30 days.
Which of the following is the FIRST action to be taken when the information security manager notes that the controls for a critical application are inadequate?
A. Perform a risk assessment to determine the level of exposure.
B. Classify the risk as acceptable to senior management.
C. Deploy additional countermeasures immediately.
D. Transfer the remaining risk to another organization.

A is the correct answer.
Justification: It is most important to perform a risk assessment to determine the exposure if additional controls are not deployed. The exposure level needs to be redetermined and compared with the residual risk before the risk can be classified as acceptable. Additional countermeasures may be deployed after determining possible losses so as to not overprotect or underprotect the asset. Risk transfer is an action that may be taken after reviewing the results of the risk assessment of the current situation.
Which of the following is the MOST important consideration when choosing between automated fire suppression systems?
A. Probability of fire
B. Cost of maintenance
C. Damage to resources
D. Ownership of the new system

C is the correct answer.
Justification: Probability is part of the justification for adopting an automated fire suppression system, but which system is most appropriate depends on other factors. The cost of maintenance is an important consideration, but because damage is likely to be much more costly than maintenance, it is a later consideration. Fire suppression systems may be harmful to resources; therefore, automated systems that release gas or water automatically have their own pros and cons. Gas-based systems are harmful to human life, whereas water-based systems may damage IT resources. Hence, the selection and implementation must consider these aspects. Ownership of assets, including the new system to be acquired, is required to determine the protection levels of resources. However, it will be based on the organization's roles and responsibility definitions. In any case, resource protection will take priority in considering the choice of solutions.
Which of the following is the MOST useful indicator of control effectiveness?
A. The extent to which the control provides defense in depth
B. Whether the control fails open or closed
C. How often the control has failed
D. The extent to which control objectives are achieved

D is the correct answer.
Justification: Defense in depth is an important standard concept but is a metric only to the extent that it meets control objectives. Whether the control fails open or closed is only relevant as a metric to the extent identified in defined control objectives. Without knowing the reason a control has failed, how often the control fails is not a good indication of control effectiveness. The extent to which control objectives are achieved is the only true indicator of control effectiveness. It is a measurement with a point of reference.
Which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations?
A. Systems operation guidelines are not enforced
B. Change management procedures are poor
C. Systems development is outsourced
D. Systems capacity management is not performed

B is the correct answer.
Justification: Because guidelines are generally not mandatory, their lack of enforcement is not a primary concern. The lack of effective oversight is likely to result in inconsistent change management activities, which can present a serious security risk. Systems that are developed by third-party vendors are becoming common and do not represent an increase in security risk as much as poor change management. Poor capacity management may not necessarily represent a major security risk.
Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?
A. Annual loss expectancy of incidents
B. Frequency of incidents
C. Total cost of ownership
D. Approved budget for the project

C is the correct answer.
Justification: Annual loss expectancy could help measure the benefit but does not address the costs. The potential reduction in the frequency of incidents could also help measure the benefit but does not address cost. The total cost of ownership would be the most relevant piece of information to determine both the total cost and the benefit. The approved budget for the project is not relevant to the cost-benefit analysis.
Why would an organization decide not to take any action on a denial-of-service vulnerability found by the risk assessment team?
A. There are sufficient safeguards in place to prevent this risk from happening.
B. The needed countermeasures are too complicated to deploy.
C. The cost of countermeasures outweighs the value of the asset and potential loss.
D. The likelihood of the risk occurring is unknown.

C is the correct answer.
Justification: The safeguards need to match the risk level. You can never be certain of having sufficient safeguards because threats are always evolving. While countermeasures could be too complicated to deploy, this is not the most compelling reason. An organization may decide to live with specific risk because it would cost more to protect the organization than the value of the potential loss. It is unlikely that a global financial institution would not be exposed to such attacks, and the likelihood could not be predicted.