2023 CISM


Juanita is conducting an analysis of a compromised computer. She has determined the computer had all known security patches applied, and the anti-malware was running with the most recent signature update. What is the MOST likely reason why the computer was compromised? A) The computer was compromised by a zero-day exploit B) Heuristic algorithms were not used by the anti-malware C) The computer was compromised by a user who opened a file stored in quarantine D) The computer was compromised by a worm

A) The computer was compromised by a zero-day exploit Explanation The computer was compromised by a zero-day exploit, meaning the attacker discovered a vulnerability and based the attack on the vulnerability before the vendor was notified of the vulnerability, and before the virus signatures could be updated to include that attack. Anti-malware running heuristic scans may detect the presence of the malware after the computer was compromised. Files are placed in quarantine when malware is detected that cannot be removed from the file, indicating the anti-malware had recognized the file was infected.

We have had a year with a lot of security incidents; we have experienced all of those mentioned below. Which of them would have the MOST negative impact? A) The loss of customers' confidence. B) Stolen software. C) A power outage at our data center. D) Internal fraud with monetary loss.

A) The loss of customers' confidence.

Bob is reviewing the capabilities of the new incident handling process. Which is the BEST process that Bob could link to the new process? A) Training and awareness program B) Helpdesk C) Applications software D) Systems software

A) Training and awareness program Explanation The incident handling process is closely linked to the company's training and awareness program; both educate users about incidents so users know what to do when they occur. The helpdesk is a tool to handle incidents. Both systems software and applications software can be leveraged by intruders to create security incidents.

Jane is implementing a new heuristic IDS (Intrusion Detection System) solution. For that implementation what should be the MOST important consideration? A) Tuning it. B) Encrypting it. C) Set up packet filtering. D) Patching it.

A) Tuning it.

Bob is using GAP analysis to prepare for a board meeting presentation. Which of these MOST accurately describes a GAP analysis? A) We do analysis on our current state versus desired state. B) We do analysis on what we as an organization are good at and see if we can use that to our advantage. C) We are evaluating the BIA (business impact analysis) to make sure it is aligned with our business goals. D) We do analysis on the control objectives we have to ensure they align with the business goals.

A) We do analysis on our current state versus desired state.

Which of these activities is a security administrator responsible for? A) Install and remove programs. B) Produce reports of access rights for management review. C) Terminate users' access when advised by HR. D) Create generic group user accounts when requested by HR with full access privileges.

A, B, and C Explanation A security administrator (SA) creates a new user account when advised by HR and terminates access when advised by HR, but would never create generic accounts with full privileges, because we want accountability. Most programs are installed and removed by domain administrators (who are not the SA); the SA installs and removes the security management programs. The SA also produces reports of access rights for review by management and/or auditors.

Of these options, when is the BEST time to have penetration tests conducted? A) After a high staff turnover. B) After significant system changes. C) After an attempted intrusion. D) After an audit has found weaknesses in our security controls.

B) After significant system changes.

Jane is the Information Security Manager in our organization. She has been tasked with developing a strategic plan for Information Security. The timeline of the plan she makes should be: A) Aligned with the strategic plan for all of IT. B) Aligned with our business strategy. C) Based on a 3-4 year tech refresh cycle to ensure we are aligned with trends and developments within Information Security. D) Agile to keep up with the changes in technology.

B) Aligned with our business strategy.

Nayeli wants to use a surveillance technique with the results to be analyzed after events have occurred; the technique should be passive so that it does not consume her time until a significant event has been detected. Which of the following is Nayeli MOST likely to choose? A) Security guard and dog B) Audit logs C) Line monitoring D) Motion detectors

B) Audit logs

Our leadership has decided that for 2 of our critical applications, it is impossible to reduce the residual risk to an acceptable level. Even with all our countermeasures, the residual risk is always too high. What can we do about the remaining risk? A) Build a SOC (Security Operations Center) and implement live monitoring. B) Buy insurance. C) Update to state-of-the-art firewalls. D) Get professional pen-testers to pen test the 2 applications.

B) Buy insurance.

Trisha works for the Internal Audit department of a small company, ThorTeaches.com. To whom is her final report MOST likely be sent? A) C-level executives and specific managers B) C-level executives C) Stakeholders and investors D) C-level executives and Board of Directors

B) C-level executives Explanation Trisha will be conducting an Internal Audit and her final report is most likely to be delivered to the C-level executives, who may (but not always) share the report with Board of Directors. Specific managers will receive a draft of the Audit Report from internal auditors, so they can review the findings and prepare the Management Action Plans to remediate the shortcomings. Stakeholders and investors are very unlikely to receive a copy of the Audit Report from Internal Audit.

Doug is an IT Security auditor working at a small company, ThorTeaches.com. In order to ensure his next audit focuses only on the highest risks facing the company, what is MOST likely to be the first step in his audit? A) Conduct a quantitative risk analysis B) Conduct a qualitative risk analysis C) Review the recommendations from previous audit reports D) Ask the CIO what risks are keeping her awake at night

B) Conduct a qualitative risk analysis

In the beginning of an audit, Margaret reviews written procedures that detail the segregation of duty adopted by management to strengthen internal controls. What part of the finding do these procedures form? A) Cause B) Criteria C) Effect D) Condition

B) Criteria

Which of these would we do FIRST after a successful DDOS (Distributed Denial-Of-Service) attack? A) Isolate the affected subnets. B) Do an assessment of our systems to determine their status. C) Do an impact analysis of the DDOS attack. D) Restore servers using backup media from our offsite storage facility.

B) Do an assessment of our systems to determine their status.

What is the MAIN reason for our Information Security objectives being clearly defined? A) To get the staff's buy-in. B) For us to measure the effectiveness. C) To ensure our objectives are consistent with the standards. D) To clearly understand the objectives.

B) For us to measure the effectiveness.

Bob has just been hired as our new CISO (Chief Information Security Officer). Which of these options should Bob focus on FIRST? A) He should develop a new security architecture. B) He should establish good communication with the steering committee. C) He should hire a highly skilled staff. D) He should do a risk analysis on the entire enterprise and present that to senior management.

B) He should establish good communication with the steering committee.

To protect against SQL (Structured Query Language) injection attacks, which of these would be the BEST to implement? A) An IPS (Intrusion Prevention System). B) Input field restrictions. C) Referential integrity checks. D) Proper change control.

B) Input field restrictions.
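To show what "input field restrictions" mean in practice, here is an added example; it is not part of the original question set, and the users table, the username allowlist and the sample credentials are constructed for the demonstration. It puts the vulnerable string-built query next to the restricted, parameterized one and runs the classic tautology payload against both:

```python
import re
import sqlite3


# Constructed sample data for the demonstration; the password is stored in clear
# text only to keep the injection example short (a real system stores a hash).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery')")
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Deliberately vulnerable: user input is pasted into the SQL text, so a quote
    # in the input changes the structure of the query instead of being a value.
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone()[0] > 0


# Input field restriction: a username may only contain these characters and lengths.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # 1. Restrict the field: anything outside the allowlist is rejected up front.
    if USERNAME_RE.fullmatch(username) is None:
        return False
    # 2. Parameterize the query: the values are handed to the driver separately
    #    from the SQL text, so they are never interpreted as SQL, whatever they hold.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, real password :", vulnerable_login(db, "alice", "correct-horse-battery"))
    print("vulnerable, injected      :", vulnerable_login(db, "alice", payload))
    print("safe, real password       :", safe_login(db, "alice", "correct-horse-battery"))
    print("safe, injected            :", safe_login(db, "alice", payload))
```

The parameterized query is what actually stops the injection; the allowlist on the username is defense in depth that also rejects malformed input before it reaches the database, which is why the question prefers a control in the application over an IPS watching traffic from the outside.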

One of our critical systems has an administrator account that cannot be locked out, cannot have its privileges changed, and cannot be renamed. What could we implement that would protect us BEST against brute force password attacks? A) Don't allow the system to be accessed from outside our organization. B) Make a strong random password for the account. C) Request a patch from the vendor. D) Log all account usage.

B) Make a strong random password for the account.

Cassandra has gone on two weeks' vacation and her replacement worker Bob has found the ledger accounts do not balance. Nayeli is called to investigate. What is Nayeli MOST likely to do? A) Nayeli notifies HR and makes a copy of the files in the affected folders. B) Nayeli removes the hard disk from Cassandra's computer, makes a bit-by-bit copy and places the original hard drive in a safe location. She inserts a new hard drive with all the correct programs and data in Cassandra's machine. C) Nayeli asks Cassandra's manager to meet with Cassandra and Bob when she returns from vacation to walk through the problem and determine what has happened. D) Nayeli meets Cassandra when she returns from vacation and asks her to explain what is going on.

B) Nayeli removes the hard disk from Cassandra's computer, makes a bit-by-bit copy and places the original hard drive in a safe location. She inserts a new hard drive with all the correct programs and data in Cassandra's machine.

Paul asks his manager Naomi why separation of roles is important. What is the MOST likely answer Naomi will give to Paul? A) Divides the knowledge necessary to complete key tasks B) No one person has complete control over a transaction or an activity C) Employees from different departments do not work together D) Avoids conflicts of interest

B) No one person has complete control over a transaction or an activity

Jane is building a business case for adding IDSs (Intrusion Detection Systems) to our network. Where would it be BEST to place those? A) On the firewall. B) On a screened subnet. C) Outside our firewalls. D) On an external router.

B) On a screened subnet.

What should the retention of our business records PRIMARILY be based on? A) A business case and value analysis. B) Our business strategy. C) The regulatory and legal requirements we need to adhere to. D) Our storage capacity and how long we are keeping the data for.

B) Our business strategy. Explanation Our retention period is dictated by our business strategy. Regulatory and legal requirements are an input to that strategy and, like anything else we do, are subject to a cost-benefit analysis; an organization could even choose to accept the penalties for non-compliance if they are lower than the cost of compliance. A business case and value analysis would itself be based on our strategy, which makes strategy the MORE correct answer. Ease of use or the capacity of our data stores should never be the deciding factor.

The relationship between different security technologies would BEST be defined in which of these? A) Our network topology. B) Our security architecture. C) The process improvement models we use. D) Our security metrics.

B) Our security architecture.

Nayeli is seeking the most valuable information about a network's vulnerabilities. What is the BEST way for Nayeli to get this information? A) Periodic drills B) Periodic staged intrusions C) Periodic procedure updates D) Periodic policy updates

B) Periodic staged intrusions

Which of these would most often be something the Information Security steering committee would do? A) Develop our security awareness programs content. B) Pick which order we would work on security initiatives. C) Approve user access to mission critical financial servers. D) Interview new people for very technical Information Security positions.

B) Pick which order we would work on security initiatives.

Which type of access control is the MOST efficient? A) Decentralized access control. B) Role based access control. C) Discretionary access control. D) Centralized access control.

B) Role based access control. Explanation Role based access control is the most efficient type of access control among the answer options. Access is assigned to job roles rather than to individuals, which reduces administrative overhead. Decentralized access control requires more administrative overhead, and so does discretionary access control, where each data owner assigns access at their own discretion. Centralized access control is more efficient than decentralized, but in this question we do not have enough information for it to be the right answer.

Our company uses a lot of contractors and temporary employees. What would be the BEST way to ensure their access is removed when they no longer need it? A) Request that the overseeing manager email Information Security when the contractor has completed their work. B) Set automatic expiration dates. C) Have all contractors and temporary employees sign an NDA (Non-Disclosure Agreement). D) Send an audit of their account activity to the manager overseeing them.

B) Set automatic expiration dates.

Claire wants to expedite the approval of business transactions over $5000. Which control is Claire MOST likely to choose? A) Sign off by the manager and the treasurer B) Sign off by the treasurer C) Digital signature by the manager, then digital signature by the treasurer D) Digital signature using a symmetric key held in two halves: one by the manager and the other by the treasurer

B) Sign off by the treasurer

We are making an entirely new set of user awareness training materials. Which of these is the MOST important element? A) The buy-in from the information security steering committee. B) That the materials are easy to read and understand. C) Detailed information about our security policies and consequences for not following them. D) Detailed information about social engineering.

B) That the materials are easy to read and understand.

Who would be responsible in our organization for classifying our information? A) The CISO (Chief Information Security Officer). B) The Data owner. C) The Database administrator. D) The Data custodian.

B) The Data owner.

Which project management tool would be the BEST to determine how long a security project should take to implement? A) The ideal path. B) The critical path. C) The Gantt chart. D) The SWOT charts.

B) The critical path. Explanation We look at the critical path to determine how long a project will take to complete. The critical path is the longest chain of dependent tasks from the start to the finish of the project; the sum of its task durations is the project's minimum schedule, and any delay on a critical-path task delays the whole project. We would use SWOT analysis to determine our strengths, weaknesses, opportunities, and threats. The Gantt chart is used to visualize task sequencing and resource allocation over time. Ideal path is not a project management term.

Susan is preparing a report for management on why computer security incidents are not reported on a timely basis. What is the MOST common reason for the reporting not being timely? A) To learn from system attacks B) To avoid negative publicity C) To fix system problems D) To take legal action against the attacker

B) To avoid negative publicity

Our credit card database has been compromised. What should we do FIRST? A) Notify the data owner. B) Verify there was an incident. C) Notify the Information Security steering committee. D) Start containment and network segmentation.

B) Verify there was an incident.

At what point do we reach our RTO (Recovery time objective)? A) When the system software is restored. B) When the system hardware is restored. C) When the system is back in production. D) When the system is completely offline.

C) When the system is back in production. Explanation The RTO is the maximum time allowed for a system or business function to be recovered after a disruption, so it is reached when the system is operational again (possibly at the reduced level defined in the BIA). Restoring the hardware or the system software alone are intermediate steps towards that, and the system being completely offline marks the start of the outage, not the recovery.

Jane is working on a risk analysis for all of our systems, facilities, and applications. Where would it be BEST to use quantitative risk analysis? A) Half of our marketing department leaving our organization to work for a competing business. B) When our ecommerce website is defaced by hackers. C) A power outage. D) To deal with stolen customer data.

C) A power outage. Explanation We would be able to quantify the financial loss we would see after a power outage. The loss of customer data and confidence, our website being defaced, or the impact of losing half of our marketing team would be hard to quantify; for those we would probably use qualitative risk analysis.

When we make investments in Information Security technologies, what should those investments be based on? A) Our vulnerability assessments. B) Recommendations from our audits. C) A value analysis. D) The business climate.

C) A value analysis.

Nayeli wants to ensure she applies the principle of least privilege when she creates access rules. What is the BEST method of doing so? A) Assign all or nothing privileges B) Assign creeping privileges C) Assign appropriate privileges D) Assign super-user privileges to everyone

C) Assign appropriate privileges

At a change control meeting, a system owner requests a change to their system that would conflict with our security standards. What would be the BEST way to resolve this conflict? A) Add mitigating controls to the system. B) Make changes to the proposed system change to match the security standard. C) Calculate the risk. D) Enforce the security standard.

C) Calculate the risk.

Jane is doing risk analysis throughout our large international organization, she should: A) Compare us with the benchmarks of other similar organizations. B) Give the same protection profile to all of our assets. C) Consider the size and likelihood of the loss. D) Focus on the number of incidences over the potential size of the loss.

C) Consider the size and likelihood of the loss.

Who is liable for negligence if they fail to protect and sustain sensitive data? A) Process owners B) Data Custodians C) Data owners D) System owners

C) Data owners

Which activity is a data custodian NOT responsible for? A) Managing data storage. B) Deciding which users will have appropriate access to the data. C) Deploying a security solution based on the data classification. D) Validating data integrity.

B) Deciding which users will have appropriate access to the data. Explanation The data owner decides who has appropriate access to the data; the data custodian implements those decisions, for example by deploying a security solution based on the data classification. Data custodians are also responsible for performing and testing backups, managing data storage, and validating data integrity.

A new regulatory requirement has been published for our industry. It looks like the implementation cost will be very high. What should you as the Information Security manager do FIRST? A) Implement immediate countermeasures. B) Implement compensating controls. C) Do a GAP analysis. D) Start an Information Security steering committee.

C) Do a GAP analysis.

What would be MOST useful for Jane when she is working on RTOs (Recovery Time Objectives) for some of our critical systems? A) Doing a risk analysis. B) Doing a SWOT analysis. C) Doing a business impact analysis. D) Doing a GAP analysis.

C) Doing a business impact analysis.

Naomi is reviewing the policies, standards, guidelines, and procedures that govern the use of a certain application. What is the MOST likely type of controls in which these documents belong? A) Technical controls B) Development controls C) Management controls D) Operational controls

C) Management controls

Francis is a sales representative of a software vendor and has sold the software to rival companies. What is the MOST likely agreement that both companies will ask Francis to sign? A) NonCompete Agreement (NCA) B) Acceptable Use Policy (AUP) C) NonDisclosure Agreement (NDA) D) Code of Conduct (CC)

C) NonDisclosure Agreement (NDA)

We are a large multinational organization with offices in Europe, the US, Asia, Australia, Russia and Africa. Which type of information would we expect to have the LOWEST level of security protection? A) Our upcoming financial results. B) Our strategic plan. C) Our previous financial results. D) Customer PII (Personally Identifiable Information).

C) Our previous financial results. Explanation Our previous financial results would have the LOWEST level of protection, they are already public. Exposing our strategic plan, our upcoming financial results or customer PII would have adverse effects.

Cassandra is explaining the security concept of Integrity to her co-workers. What is the LEAST likely term she can use in this regard? A) Completeness B) Authentic C) Precision D) Accuracy

C) Precision

Our organization has just finished a companywide Information Security user awareness training effort and we are going to try to social engineer our employees to gauge how effective the training was. Which of these is NOT a type of social engineering attack? A) Authority B) Vishing C) Reconnaissance D) Scarcity

C) Reconnaissance Explanation Reconnaissance is one of the phases of an attack or a penetration test; it is not a form of social engineering. Vishing (voice phishing), authority, and scarcity are all types of social engineering.

Dee is training operations staff in the datacenter to proactively manage the threat of fire breaking out in the server racks. Which of the following steps is LEAST likely to be included in Dee's training? A) Evacuation from smoke filled rooms B) Fire suppression techniques C) Recovery from the fire D) Early detection of the fire

C) Recovery from the fire

We just recovered from a security incident on a server. The systems administrator tried to stop the attack and did not notify the Information Security team right away. What could we have done to avoid this mistake? A) Creating mandatory Information Security training for all employees. B) Regular testing of our IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems). C) Regular testing of the incident response plan. D) Regular reviews of the incident response procedures.

C) Regular testing of the incident response plan.

Nayeli wants to tie the concept of accountability to a more familiar term, in order to gain user acceptance. Which of the following terms is Nayeli MOST likely to choose? A) Accessibility B) Availability C) Responsibility D) Usability

C) Responsibility

For our information security program to be successful, which of these is the MOST important? A) That the goals and objectives are achievable. B) Security awareness training. C) Senior management's buy-in. D) Sufficient initial budget and staff.

C) Senior management's buy-in. Explanation The MOST important factor in the success of our information security program is senior management's buy-in. The other answer options are secondary to it. We need the awareness training, the achievable goals and objectives, and the initial budget and staff, but they are less important: if we do not have the buy-in from senior management, we are much less likely to succeed.

Who would be the BEST person in our organization to sponsor the creation of an information security steering group? A) Our legal counsel B) The Information Security manager. C) The Chief Operating Officer (COO) D) The lead internal auditor.

C) The Chief Operating Officer (COO)

Which of these is MOST important to ensure is in place before we have outside contractors do a penetration test on our organization? A) Our IT staff has been informed about the penetration test. B) The penetration testers show us what they plan to do on a test system. C) The goals and objectives are clearly defined. D) Everyone including senior management is unaware of the penetration test, to ensure the penetration test is as close to a real attack as possible.

C) The goals and objectives are clearly defined.

What would be the BEST metric we could use to evaluate how effective our security awareness training is? A) The number of resolved security incidents. B) The number of failed login attempts. C) The number of security incidents reported. D) The number of password resets.

C) The number of security incidents reported.

We want to reduce risk to an acceptable level, what is that determined by? A) The requirements of Information Security. B) The requirements of international standards. C) The requirements of our organization. D) The requirements of our IT systems.

C) The requirements of our organization.

What would be the BEST reason to get help from external resources to work on our Information Security program? A) They can give us more redundancy for internal employees B) They would be responsible for our Information Security program meeting the requirements C) They can be more cost effective and can have expertise we do not internally D) They can deliver the product faster because of their external knowledge

C) They can be more cost effective and can have expertise we do not internally

What is the MOST important reason we have Information Security review our contracts throughout the enterprise? A) To ensure that both parties can perform their contractual promises. B) To ensure the right to audit is a requirement. C) To ensure appropriate controls are included. D) To ensure no confidential information is included in the contract.

C) To ensure appropriate controls are included.

Bob is scanning our internal network for security vulnerabilities. What is the MOST important thing Bob should ensure? A) To not use open source vulnerability scanners. B) To follow the normal attack cycle. C) To not interrupt production environments. D) To only scan production environments.

C) To not interrupt production environments.

Jane is the first person from the disaster recovery team to reach the cold site recovery center. What is the MOST likely set of actions Jane will have to do? A) Turn on the hydro power, then the HVAC, turn on the room lights, and power up the servers B) Turn on the room lights and start the recovery of data from the production site backups if available C) Turn on the hydro power, then the HVAC, turn on the room lights, and start to remove the servers from the boxes to install them in the racks D) Turn on the room lights, power on the servers, install the most recent patches and upgrades and start the recovery of data from the production site backups if available

C) Turn on the hydro power, then the HVAC, turn on the room lights, and start to remove the servers from the boxes to install them in the racks

What would be the BEST security measure we could use to prevent data disclosure and data exfiltration? A) User authentication in all applications. B) Use very strong encryption. C) Use very strong key storage. D) Use very complex firewall rules.

C) Use very strong key storage. Explanation We want very strong key storage: if the attackers can get to our encryption keys, most of the other security measures are irrelevant. Most encryption in use today is strong enough that it cannot be broken with current technology, so making it "stronger" rarely makes us significantly more secure. Complex firewall rules do not mean more secure; in this question they are a distractor. We would want user authentication in all applications, but it is not relevant to this question.

We want our employees to be able to access our internal network over the internet from an external connection. For this implementation we also want to make sure attackers are not able to gain access pretending to be authorized users. Which of these technologies would make it the MOST secure? A) IDS (Intrusion Detection System). B) Challenge response. C) SSO (Single Sign-On). D) 2FA (2 Factor Authentication).

D) 2FA (2 Factor Authentication).

Which of these events would normally have the LARGEST impact on Information Security? A) Upgrading our firewalls. B) Moving our data center. C) Opening a new office. D) Acquisition of a competing organization.

D) Acquisition of a competing organization.

As a manager you are asked to perform a cost justification of the selection of protection mechanisms. What is the MOST likely means of accomplishing this? A) Determine the comparative costs of implementing different safeguards. B) Establish the value of each asset without regard to the data classification. C) List the capabilities of different safeguards against the costs of implementing them. D) Classify the data in each asset, and establish the asset value of each asset.

D) Classify the data in each asset, and establish the asset value of each asset.

As head of the disaster recovery team, Nayeli has just formally declared a disaster. Assuming a triage team has been sent to assess the extent of the damage and/or injuries, which of the following teams would MOST likely be called upon? A) Facilities management B) Legal department C) IT Services department D) Communications team

D) Communications team

An incident response policy HAS to contain which of these? A) An inventory of our critical backup files. B) Templates for our press releases. C) Up-to-date call trees. D) Criteria for escalation.

D) Criteria for escalation.

As an IT auditor, Trisha is conducting a compliance review. Which of these is she MOST likely to be performing? A) Performing job activity analysis B) Performing program activity analysis C) Performing system aging analysis D) Determine whether program changes are approved

D) Determine whether program changes are approved Explanation Compliance reviews determine whether the controls are enforcing the regulations and include ensuring there are no unauthorized changes to the production environment. The other answers are part of a substantive review, that verify the accuracy and reasonableness of reported information.

Which of these would be BEST to ensure the data in a file has not been altered? A) Use strong access control to ensure the file can't be accessed by anyone without the proper permissions. B) Look at the file size of the file. C) Encrypt the file using symmetric encryption. D) Hash the original file and compare the hashes.

D) Hash the original file and compare the hashes. Explanation If we want to ensure the data has not been altered, the best way to do that is to compare a hash of the original file and a hash of the current file. The 2 hashes should be identical, if they are not the data was altered. We would not be able to tell what was changed, just that something was. The file size can easily be made to look the same as the original even if the data was altered. Using symmetric encryption can give us confidentiality, but not an integrity check. If the file is important, we would most likely use strong access control, but again it would not tell us if the file was altered, only that it would be difficult to access.
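An added example (not part of the question set) of the hash comparison the explanation describes. The two file contents are constructed for the demonstration and deliberately have the same length, to show why the file size check in option B proves nothing; the keyed variant at the end covers the case the explanation does not mention, where the attacker can also rewrite the stored reference hash, and the key used there is a constructed placeholder:

```python
import hashlib
import hmac

# Constructed sample "file" contents; the tampered version keeps the exact same size.
ORIGINAL = b"acct=1001 debit=500.00 credit=500.00\n"
TAMPERED = b"acct=1001 debit=500.00 credit=900.00\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file_bytes(data: bytes, chunk: int = 1 << 16) -> str:
    """Same result as sha256_hex, but streamed the way a large file on disk is hashed."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def unchanged(reference_hex: str, data: bytes) -> bool:
    """True if data still hashes to the reference recorded for the original file."""
    return hmac.compare_digest(reference_hex, sha256_hex(data))


def integrity_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: only a holder of the key can produce a tag that verifies, so an
    attacker who can rewrite the file cannot also rewrite the reference to match."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authentic(key: bytes, reference_tag: str, data: bytes) -> bool:
    return hmac.compare_digest(reference_tag, integrity_tag(key, data))


def compare_checks() -> dict:
    """Run the checks behind the question's options against the tampered file."""
    reference = sha256_hex(ORIGINAL)
    key = b"example-key-kept-out-of-the-attackers-reach"  # constructed for the demo
    tag = integrity_tag(key, ORIGINAL)
    return {
        "size_check_passes": len(ORIGINAL) == len(TAMPERED),      # option B: fooled
        "original_hash_ok": unchanged(reference, ORIGINAL),
        "tampered_hash_ok": unchanged(reference, TAMPERED),        # option D: change detected
        "tampered_tag_ok": authentic(key, tag, TAMPERED),
        # a plain hash can be recomputed by whoever altered the file, if they can
        # also overwrite the stored reference; a keyed tag cannot be forged that way
        "forged_reference_ok": unchanged(sha256_hex(TAMPERED), TAMPERED),
        "forged_tag_ok": authentic(key, integrity_tag(b"wrong-key", TAMPERED), TAMPERED),
    }


if __name__ == "__main__":
    for name, result in compare_checks().items():
        print(f"{name:22s}: {result}")
```

The plain hash answers the question as asked, on the assumption that the reference hash is kept somewhere the attacker cannot reach (the WORM media and offsite storage mentioned elsewhere in this set are typical choices). Where that cannot be guaranteed, the reference needs a key (HMAC) or a digital signature behind it.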

As the Information Security manager, you are looking at antivirus software for our organization. What is the MOST important consideration before choosing a product? A) How large market share the product has and the TCO (Total Cost of Ownership). B) How often the vendor releases major updates and their feature roadmap. C) How well it works with our IDSs (Intrusion Detection Systems), IPSs (Intrusion Prevention Systems) and firewalls. D) How easy it is to maintain and how often signature updates are released.

D) How easy it is to maintain and how often signature updates are released.

Bob is finishing up this iteration of our risk management program. What is the BIGGEST benefit of the program? A) It can bring our losses in alignment with what we had budgeted for. B) It can identify and remove all threats posed by people. C) It can eliminate or transfer all organizational risks. D) It can align our risk with the cost of countermeasures.

D) It can align our risk with the cost of countermeasures.

Jane is our Information Security Director. Her team is going to do an information risk analysis. Which of these options should be their FIRST step? A) Evaluate the risks to all assets. B) Determine ownership of all assets. C) Classify all assets. D) Make an asset inventory.

D) Make an asset inventory.

If we want to protect our organization against external security threats, which of these would be the BEST to use? A) Writing server logs to an external WORM (Write Once Read Many) media. B) Static IP addresses. C) Background checks. D) NAT (Network Address Translation).

D) NAT (Network Address Translation). Explanation NAT is the only option that may help us against external security threats, because local IP addresses are not routable. Using static IPs would really do nothing, and background checks would be for our internal employees. The WORM media may prevent the attacker from deleting the logs, but it will do nothing to protect us against attackers.

In order to mitigate newly discovered security vulnerabilities in an operating system, we would use which of these processes to address the vulnerability in a timely manner? A) Security vulnerability management. B) Change management. C) Server management. D) Patch management.

D) Patch management.

We have implemented a new antivirus solution in our organization. If we automatically push the new signatures to all workstations every Friday at 19:00 (7PM), which of these would be the WORST security exposure with regard to the automatically updating signatures? A) Users not being able to test during the weekend. B) Helpdesk not being available during the weekend. C) We don't know if the automatic signature update was successful until Monday morning. D) Systems are vulnerable to any new viruses found between updates.

D) Systems are vulnerable to any new viruses found between updates.

As part of our BIA (Business Impact Analysis), we need to determine the recovery times and cost estimates for all our systems. Who would be responsible for those values? A) The BCP (Business Continuity Plan) coordinator. B) The Information Security manager. C) The Information Security steering committee. D) The business process owner.

D) The business process owner.

Jane is the lead of our incident response team; they have proof hackers have gained access to some of our systems and they have successfully altered some of our customer information. Jane reports this to Bob, the Information Security Manager. Who should Bob notify FIRST? A) The customers who were compromised. B) The Information Security steering committee. C) The regulatory agencies that govern our sector. D) The data owner.

D) The data owner.

In a parallel configuration of security controls, what is the MOST likely outcome if a single control fails? A) Threats may pass through a different security control. B) The rest of the solution will compensate for a single control failing. C) Threats are forced to pass through a different security control. D) The entire solution of all security controls is rendered ineffective.

D) The entire solution of all security controls is rendered ineffective.

At which phase of our systems or software development lifecycle should risk assessments be built in to ensure risks are addressed in the project development? A) The specifications phase. B) The programming phase. C) The user testing phase. D) The feasibility phase.

D) The feasibility phase. Explanation We should address risk as early in the project as possible; of the phases listed here, that would be feasibility. The programming or the user testing phase is far too late. If the feasibility phase were not an option, we would do it in the specifications phase, but feasibility is much better.

In any organization, the PRIMARY goal of the risk management program is to ensure that: A) The critical IT assets are protected. B) The business risks we face are acted on with preventative controls. C) IT systems are always available. D) The objectives are achievable.

D) The objectives are achievable.

Which group of people would be the BEST for performing risk analysis on our organization? A) A group of peers from our competitors. B) An external management consultant specialized on our line of business. C) External auditors. D) The process owners.

D) The process owners.

As part of our forensics after a security incident, we are looking at the slack space on the compromised servers' hard drives. Why do we do that? A) The slack space can contain system log files. B) The slack space can contain the login information the attackers used. C) The slack space can contain unused data sectors. D) The slack space can contain hidden data.

D) The slack space can contain hidden data. Explanation Slack space is leftover space from when a file does not need the entire cluster for the data it is storing. The slack space is whatever is left over of the cluster; it may contain old data, or it can be used intentionally by attackers to hide information. The slack space could technically contain login information or log files, but hidden data is MORE correct. Sectors can contain slack space, not the other way around.

Susan's report to management needs to make the case for performing a post-incident analysis. What is the MOST likely reason for a post-incident analysis? A) To learn how the attack was done B) To recreate the original attack C) To execute the response to an attack D) To determine how security threats and vulnerabilities were addressed

D) To determine how security threats and vulnerabilities were addressed

What is the PRIMARY reason we do security awareness training in our organization? A) To explain our security strategy to our staff. B) To prove we are compliant with the laws and regulations in our sector. C) To train staff to react to security incidents. D) To reduce human risk.

D) To reduce human risk.

Who in our organization is responsible for us being in compliance with the legal and regulatory requirements for our line of business? A) The board of directors and senior management. B) The CISO (Chief Information Security Officer). C) Our Chief Legal counsel (CLC). D) The Information Security steering committee.

A) The board of directors and senior management.

We are considering moving our BCP (Business Continuity Plan) to an automated solution to ensure specific users have access to only what they need from the plan to do their job. Which of these should be our primary concern? A) Making sure the plans are accessible during a disaster. B) Correct versioning of the BCP (Business Continuity Plan) and its sub-plans. C) Ensuring the content of all web links in the plan is available through alternative means. D) Ensuring that the plan automatically updates users when new personnel join or leave our organization.

A) Making sure the plans are accessible during a disaster.

In an internal security audit, we notice that everyone in an entire department has super user access to a critical application. What should the Information Security manager do FIRST? A) Meet with the data owner to understand the business needs. B) Review our procedures for granting access to the critical application. C) Change the access rights policies. D) Restrict the access until it is confirmed that all members of the department have a need for the access.

A) Meet with the data owner to understand the business needs.

What is our Information Security governance PRIMARILY driven by? A) Our business strategy. B) The technology constraints we face today. C) The regulatory requirements in our industry. D) The potential of lawsuits.

A) Our business strategy.

Which of these would be the BEST proof that our risk management practices are successful? A) Our residual risk is minimized. B) Our inherent risk is eliminated. C) We maximize our risk. D) Our overall risk is quantified.

A) Our residual risk is minimized.

We have hired an external company to perform penetration testing on a new application we just finished building. They have a clear SOW (Statement Of Work) and we give them an internal user account with regular user privileges to use in their penetration testing. Which type of penetration testing are they performing? A) Gray Box. B) White box. C) Blue box. D) Black box.

A) Gray Box. Explanation If the penetration tester has an internal regular user account/knowledge, they are conducting a gray box penetration test. Black box would be no knowledge or access. White box would be administrator access and detailed knowledge of our network. There is no blue box penetration testing; we do, however, use red and blue teams in testing. The red team are the attackers and the blue team the defenders.

Bob is making a presentation to senior management about Information Security. What would be BEST to include in the presentation to get their support? A) Refer security risks back to the key business objectives. B) In depth illustrations that show successful attacks. C) Explanations of the technical risks the organization is facing. D) A full breakdown of the organization against best security practices.

A) Refer security risks back to the key business objectives.

Tanya has set up a server but has deliberately not applied the latest security patches. She is using synthetic transactions sent to the new server from other servers on the same production subnet. She has copied real production data from other servers, has used pseudonyms to replace the real customer names, telephone numbers, and street addresses, and has created false product names as tokens to replace the real products sold. What type of system is it MOST likely that Tanya is setting up? A) Honeypot B) Parallel test server C) Test server D) IPS

A) Honeypot

Claire wants to implement a combination of controls to support accountability. Which is the LEAST likely control that Claire will choose to combine with authorization by access control lists? A) Identification by badge card B) Authentication by password C) Identification by username D) Authentication by biometric

A) Identification by badge card

What is the PRIMARY reason we would implement a risk management program? A) It is a part of our management's due diligence. B) It allows us to satisfy regulatory requirements. C) It will allow our organization to eliminate risk. D) It helps us provide a positive ROI (Return On Investment).

A) It is a part of our management's due diligence.

After a security incident the incident management team does a post-incident review. They do the review to produce what? A) A lessons learned document. B) Relevant electronic evidence. C) To determine the areas affected. D) To determine the hacker's identity.

A) A lessons learned document.

What does encrypting a message with the sender's private key and then encrypting it again with the receiver's public key give us? A) Confidentiality and non-repudiation. B) Authentication and non-repudiation. C) Authentication and authorization. D) Confidentiality and integrity.

A) Confidentiality and non-repudiation.

Francis is a security engineer who helps development teams decide on which controls should be included in new applications. He has a list of existing controls that have been implemented in other applications, a list of new controls that will be implemented soon in other applications, and a list of new designs for controls that probably cannot be implemented using the current technology. Which list provides no security protection? A) Controls that have not been implemented yet B) Existing controls that have been proven to work C) Existing controls that due to their age of use have probably been cracked D) New controls that have not been proven to work

A) Controls that have not been implemented yet

Claire wants to ensure accountability for the approval of business transactions over $5000. Which control is Claire MOST likely to choose? A) Digital signature by the manager, then digital signature by the treasurer B) Digital signature using a symmetric key held in two halves, one by the manager and the other by the treasurer C) Physical signatures of manager and treasurer D) Physical signature of treasurer

A) Digital signature by the manager, then digital signature by the treasurer Explanation Only the correct answer ensures that it can be later demonstrated that the manager signed off the transaction before the treasurer also signed off. The physical signature of the treasurer alone does not provide nearly as much accountability because the treasurer could act alone.

Francis is considering the purchase of an electronic data vault. Which of the following aspects is MOST likely to help Francis make the decision? A) Electronic vaults can restore data to servers at any location B) Electronic vaults provide faster retrieval than tapes C) Electronic vaults can be connected to any server OS D) Electronic vaults reduce the storage space required for physical backup media

A) Electronic vaults can restore data to servers at any location

What would be the BEST way for us to send a message securely? A) Send the message using PKI (Public Key Infrastructure). B) Send the message using steganography. C) Send the message with a hash. D) Password protected portable media.

A) Send the message using PKI (Public Key Infrastructure).
