CISM Study Guide

Ace your homework & exams now with Quizwiz!

What task should be performed once a security incident has been verified? A. Identify the incident. B. Contain the incident. C. Determine the root cause of the incident. D. Perform a vulnerability assessment.

When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST? A. Develop a security architecture B. Establish good communication with steering committee members C. Assemble an experienced staff D. Benchmark peer organizations

When creating a forensic image of a hard drive, which of the following should be the FIRST step? A. Identify a recognized forensics software tool to create the image. B. Establish a chain of custody log. C. Connect the hard drive to a write blocker. D. Generate a cryptographic hash of the hard drive contents.

When electronically stored information is requested during a fraud investigation, which of the following should be the FIRST priority? A. Assigning responsibility for acquiring the data B. Locating the data and preserving the integrity of the data C. Creating a forensically sound image D. Issuing a litigation hold to all affected parties

When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies? A. Create separate policies to address each regulation B. Develop policies that meet all mandated requirements C. Incorporate policy statements provided by regulators D. Develop a compliance risk assessment

When personal information is transmitted across networks, there MUST be adequate controls over: A. change management. B. privacy protection. C. consent to data transfer. D. encryption devices.

While implementing information security governance an organization should FIRST: A. adopt security standards. B. determine security baselines. C. define the security strategy. D. establish security policies.

Who is ultimately responsible for the organization's information? A. Data custodian B. Chief information security officer (CISO) C. Board of directors D. Chief information officer (CIO)

248 Which of the following is the MAIN reason for performing risk assessment on a continuous basis'? A. Justification of the security budget must be continually made. B. New vulnerabilities are discovered every day. C. The risk environment is constantly changing. D. Management needs to be continually informed about emerging risks.

C Explanation: 117 The risk environment is impacted by factors such as changes in technology, and business strategy. These changes introduce new threats and vulnerabilities to the organization. As a result, risk assessment should be performed continuously. Justification of a budget should never be the main reason for performing a risk assessment. New vulnerabilities should be managed through a patch management process. Informing management about emerging risks is important, but is not the main driver for determining when a risk assessment should be performed.

408 Which of the following areas is MOST susceptible to the introduction of security weaknesses? A. Database management B. Tape backup management C. Configuration management D. Incident response management

C Explanation: 193 Configuration management provides the greatest likelihood of security weaknesses through misconfiguration and failure to update operating system (OS) code correctly and on a timely basis.

Which of the following requirements would have the lowest level of priority in information security? A. Technical B. Regulatory C. Privacy D. Business

128 Which of the following is the BEST method or technique to ensure the effective implementation of an information security program? A. Obtain the support of the board of directors. B. Improve the content of the information security awareness program. C. Improve the employees' knowledge of security policies. D. Implement logical access controls to the information systems.

An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees Hood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of: A. conflicting security controls with organizational needs. B. strong protection of information resources. C. implementing appropriate controls to reduce risk. D. proving information security's protective abilities.

An information security manager must understand the relationship between information security and business operations in order to: A. support organizational objectives. B. determine likely areas of noncompliance. C. assess the possible impacts of compromise. D. understand the threats to the business.

An organization has learned of a security breach at another company that utilizes similar technology. The FIRST thing the information security manager should do is: A. assess the likelihood of incidents from the reported cause. B. discontinue the use of the vulnerable technology. C. report to senior management that the organization is not affected. D. remind staff that no similar security breaches have taken place.

An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to: A. ensure that security processes are consistent across the organization. B. enforce baseline security levels across the organization. C. ensure that security processes are fully documented. D. implement monitoring of key performance indicators for security processes.

An organization's information security strategy should be based on: A. managing risk relative to business objectives. B. managing risk to a zero level and minimizing insurance premiums. C. avoiding occurrence of risks so that insurance is not required. D. transferring most risks to insurers and saving on control costs.

From an information security perspective, information that no longer supports the main purpose of the business should be: A. analyzed under the retention policy. B. protected under the information classification policy. C. analyzed under the backup policy. D. protected under the business impact analysis (BIA).

In implementing information security governance, the information security manager is PRIMARILY responsible for: A. developing the security strategy. B. reviewing the security strategy. C. communicating the security strategy. D. approving the security strategy

Investment in security technology and processes should be based on: A. clear alignment with the goals and objectives of the organization. B. success cases that have been experienced in previous projects. C. best business practices. D. safeguards that are inherent in existing technology.

On a company's e-commerce web site, a good legal statement regarding data privacy should include: A. a statement regarding what the company will do with the information it collects. B. a disclaimer regarding the accuracy of information on its web site. C. technical information regarding how information is protected. D. a statement regarding where the information is being hosted.

Recovery point objectives (RPOs) can be used to determine which of the following? A. Maximum tolerable period of data loss B. Maximum tolerable downtime C. Baseline for operational resiliency D. Time to restore backups

Secure customer use of an e-commerce application can BEST be accomplished through: A. data encryption. B. digital signatures. C. strong passwords. D. two-factor authentication.

Security technologies should be selected PRIMARILY on the basis of their: A. ability to mitigate business risks. B. evaluations in trade publications. C. use of new and emerging technologies. D. benefits in comparison to their costs.

Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing: A. organizational risk. B. organization wide metrics. C. security needs. D. the responsibilities of organizational units.

Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if: A. it implies compliance risks. B. short-term impact cannot be determined. C. it violates industry security practices. D. changes in the roles matrix cannot be detected.

The MOST basic requirement for an information security governance program is to: A. be aligned with the corporate business strategy. B. be based on a sound risk management approach. C. provide adequate regulatory compliance. D. provide best practices for security- initiatives.

The MOST complete business case for security solutions is one that. A. includes appropriate justification. B. explains the current risk profile. C. details regulatory requirements. D. identifies incidents and losses.

The MOST important component of a privacy policy is: A. notifications. B. warranties. C. liabilities. D. geographic coverage.

The MOST important objective of a post incident review is to: A. capture lessons learned to improve the process. B. develop a process for continuous improvement. C. develop a business case for the security program budget. D. identify new incident management tools.

The MOST useful way to describe the objectives in the information security strategy is through: A. attributes and characteristics of the "desired state." B. overall control objectives of the security program. C. mapping the IT systems to key business processes. D. calculation of annual loss expectations.

The PRIMARY purpose of involving third-party teams for carrying out post event reviews of information security incidents is to: A. enable independent and objective review of the root cause of the incidents. B. obtain support for enhancing the expertise of the third-party teams. C. identify lessons learned for further improving the information security management process. D. obtain better buy-in for the information security program.

The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration? A. Laws and regulations of the country of origin may not be enforceable in the foreign country. B. A security breach notification might get delayed due to the time difference. C. Additional network intrusion detection sensors should be installed, resulting in an additional cost. D. The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.

What is the PRIMARY role of the information security manager in the process of information classification within an organization? A. Defining and ratifying the classification structure of information assets B. Deciding the classification levels applied to the organization's information assets C. Securing information assets in accordance with their classification D. Checking if information assets have been classified properly

When configuring a biometric access control system that protects a high-security data center, the system's sensitivity level should be set: A. to a higher false reject rate (FRR). B. to a lower crossover error rate. C. to a higher false acceptance rate (FAR). D. exactly to the crossover error rate.

Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept? A. Continuous analysis, monitoring and feedback B. Continuous monitoring of the return on security investment (ROSD C. Continuous risk reduction D. Key risk indicator (KRD setup to security management processes

Which of the following are likely to be updated MOST frequently? A. Procedures for hardening database servers B. Standards for password length and complexity C. Policies addressing information security governance D. Standards for document retention and destruction

Which of the following disaster recovery testing techniques is the MOST cost-effective way to determine the effectiveness of the plan? A. Preparedness tests B. Paper tests C. Full operational tests D. Actual service disruption

Which of the following is a benefit of information security governance? A. Reduction of the potential for civil or legal liability B. Questioning trust in vendor relationships C. Increasing the risk of decisions based on incomplete management information D. Direct involvement of senior management in developing control processes

Which of the following is the MOST important consideration for an organization interacting with the media during a disaster? A. Communicating specially drafted messages by an authorized person B. Refusing to comment until recovery C. Referring the media to the authorities D. Reporting the losses and recovery strategy to the media

Which of the following is the MOST important element of an information security strategy? A. Defined objectives B. Time frames for delivery C. Adoption of a control framework D. Complete policies

Which of the following is the MOST important prerequisite for establishing information security management within an organization? A. Senior management commitment B. Information security framework C. Information security organizational structure D. Information security policy

Which of the following is the MOST important to keep in mind when assessing the value of information? A. The potential financial loss B. The cost of recreating the information C. The cost of insurance coverage D. Regulatory requirement

Which of the following processes is critical for deciding prioritization of actions in a business continuity plan? A. Business impact analysis (BIA) B. Risk assessment C. Vulnerability assessment D. Business process mapping

Which of the following should be included in an annual information security budget that is submitted for management approval? A. A cost-benefit analysis of budgeted resources B. All of the resources that are recommended by the business C. Total cost of ownership (TC'O) D. Baseline comparisons

Which of the following would BEST ensure the success of information security governance within an organization? A. Steering committees approve security projects B. Security policy training provided to all managers C. Security training available to all employees on the intranet D. Steering committees enforce compliance with laws and regulations

Which of the following would a security manager establish to determine the target for restoration of normal processing? A. Recovery time objective (RTO) B. Maximum tolerable outage (MTO) C. Recovery point objectives (RPOs) D. Services delivery objectives (SDOs)

Which of the following would be the BEST option to improve accountability for a system administrator who has security functions? A. Include security responsibilities in the job description B. Require the administrator to obtain security certification C. Train the system administrator on penetration testing and vulnerability assessment D. Train the system administrator on risk assessment

150 The value of information assets is BEST determined by: A. individual business managers. B. business systems analysts. C. information security management. D. industry averages benchmarking.

A 72 Explanation: Individual business managers are in the best position to determine the value of information assets since they are most knowledgeable of the assets' impact on the business. Business systems developers and information security managers are not as knowledgeable regarding the impact on the business. Peer companies' industry averages do not necessarily provide detailed enough information nor are they as relevant to the unique aspects of the business.

359 The IT function has declared that, when putting a new application into production, it is not necessary to update the business impact analysis (BIA) because it does not produce modifications in the business processes. The information security manager should: A. verify the decision with the business units. B. check the system's risk analysis. C. recommend update after post implementation review. D. request an audit review.

A Explanation: 170 Verifying the decision with the business units is the correct answer because it is not the IT function's responsibility to decide whether a new application modifies business processes Choice B does not consider the change in the applications. Choices C and D delay the update.

580 Why is "slack space" of value to an information security manager as pan of an incident investigation? A. Hidden data may be stored there B. The slack space contains login information C. Slack space is encrypted D. It provides flexible space for the investigation

A Explanation: "Slack space" is the unused space between where the fdc data end and the end of the cluster the data occupy. Login information is not typically stored in the slack space. Encryption for the slack space is no different from the rest of the file system. The slack space is not a viable means of storage during an investigation.

460 Which of the following is the MOST important process that an information security manager needs to negotiate with an outsource service provider? A. The right to conduct independent security reviews B. A legally binding data protection agreement C. Encryption between the organization and the provider D. A joint risk assessment of the system

A Explanation: A key requirement of an outsource contract involving critical business systems is the establishment of the organization's right to conduct independent security reviews of the provider's security controls. A legally binding data protection agreement is also critical, but secondary to choice A, which permits examination of the actual security controls prevailing over the system and. as such, is the more effective risk management tool. Network encryption of the link between the organization and the provider may well be a requirement, but is not as critical since it would also be included in choice A. A joint risk assessment of the system in conjunction with the outsource provider may be a compromise solution, should the right to conduct independent security reviews of the controls related to the system prove contractually difficult.

405 Which of the following environments represents the GREATEST risk to organizational security? A. Locally managed file server B. Enterprise data warehouse C. Load-balanced, web server cluster D. Centrally managed data switch

A Explanation: A locally managed file server will be the least likely to conform to organizational security policies because it is generally subject to less oversight and monitoring. Centrally managed data switches, web server clusters and data warehouses are subject to close scrutiny, good change control practices and monitoring.

348 Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices? A. Regular review of access control lists B. Security guard escort of visitors C. Visitor registry log at the door D. A biometric coupled with a PIN

A Explanation: A review of access control lists is a detective control that will enable an information security manager to ensure that authorized persons are entering in compliance with corporate policy. Visitors accompanied by a guard will also provide assurance but may not be cost effective. A visitor registry is the next cost-effective control. A biometric coupled with a PIN will strengthen the access control; however, compliance assurance logs will still have to be reviewed.

500 Requiring all employees and contractors to meet personnel security/suitability requirements commensurate with their position sensitivity level and subject to personnel screening is an example of a security: A. policy. B. strategy. C. guideline D. baseline.

A Explanation: A security policy is a general statement to define management objectives with respect to security. The security strategy addresses higher level issues. Guidelines are optional actions and operational tasks. A security baseline is a set of minimum requirements that is acceptable to an organization.

448 Good information security standards should: A. define precise and unambiguous allowable limits. B. describe the process for communicating violations. C. address high-level objectives of the organization. D. be updated frequently as new software is released.

A Explanation: A security standard should clearly state what is allowable; it should not change frequently. The process for communicating violations would be addressed by a security procedure, not a standard. High-level objectives of an organization would normally be addressed in a security policy.

511 Which of the following is the MOST likely outcome of a well-designed information security awareness course? A. Increased reporting of security incidents to the incident response function B. Decreased reporting of security incidents to the incident response function C. Decrease in the number of password resets D. Increase in the number of identified system vulnerabilities

A Explanation: A well-organized information security awareness course informs all employees of existing security policies, the importance of following safe practices for data security anil the need to report any possible security incidents to the appropriate individuals in the organization. The other choices would not be the likely outcomes.

270 Previously accepted risk should be: A. re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions. B. accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable. C. avoided next time since risk avoidance provides the best protection to the company. D. removed from the risk log once it is accepted.

A Explanation: Acceptance of risk should be regularly reviewed to ensure that the rationale for the initial risk acceptance is still valid within the current business context. The rationale for initial risk acceptance may no longer be valid due to change(s) and. hence, risk cannot be accepted permanently. Risk is an inherent part of business and it is impractical and costly to eliminate all risk. Even risks that have been accepted should be monitored for changing conditions that could alter the original decision.

495 An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download nonsensitive production data for software testing purposes. The information security manager should recommend which of the following? A. Restrict account access to read only B. Log all usage of this account C. Suspend the account and activate only when needed D. Require that a change request be submitted for each download

A Explanation: Administrative accounts have permission to change data. This is not required for the developers to perform their tasks. Unauthorized change will damage the integrity of the data. Logging all usage of the account, suspending the account and activating only when needed, and requiring that a change request be submitted for each download will not reduce the exposure created by this excessive level of access. Restricting the account to read only access will ensure that the integrity can be maintained while permitting access.

512 Which item would be the BEST to include in the information security awareness training program for new general staff employees? A. Review of various security models B. Discussion of how to construct strong passwords C. Review of roles that have privileged access D. Discussion of vulnerability assessment results

A Explanation: All new employees will need to understand techniques for the construction of strong passwords. The other choices would not be applicable to general staff employees.

351 In an organization, information systems security is the responsibility of: A. all personnel. B. information systems personnel. 166 C. information systems security personnel. D. functional personnel.

A Explanation: All personnel of the organization have the responsibility of ensuring information systems securitythis can include indirect personnel such as physical security personnel. Information systems security cannot be the responsibility of information systems personnel alone since they cannot ensure security. Information systems security cannot be the responsibility of information systems security personnel alone since they cannot ensure security. Information systems security cannot be the responsibility of functional personnel alone since they cannot ensure security.

456 The PRIMARY focus of the change control process is to ensure that changes are: A. authorized. B. applied. C. documented. D. tested.

A Explanation: All steps in the change control process must be signed off on to ensure proper authorization. It is important that changes are applied, documented and tested; however, they are not the primary focus.

518 A new port needs to be opened in a perimeter firewall. Which of the following should be the FIRST step before initiating any changes? A. Prepare an impact assessment report. B. Conduct a penetration test. C. Obtain approval from senior management. D. Back up the firewall configuration and policy files.

A Explanation: An impact assessment report needs to be prepared first by providing the justification for the change, analysis of the changes to be made, the impact if the change does not work as expected, priority of the change and urgency of the change request. Choices B. C and D could be important steps, but the impact assessment report should be performed before the other steps.

576 The PRIMARY purpose of performing an internal attack and penetration test as part of an incident response program is to identify: A. weaknesses in network and server security. B. ways to improve the incident response process. C. potential attack vectors on the network perimeter. D. the optimum response to internal hacker attacks.

A Explanation: An internal attack and penetration test are designed to identify weaknesses in network and server security. They do not focus as much on incident response or the network perimeter.

298 An intranet server should generally be placed on the: A. internal network. B. firewall server. C. external router. D. primary domain controller.

A Explanation: An intranet server should be placed on the internal network. Placing it on an external router leaves it defenseless. Since firewalls should be installed on hardened servers with minimal services enabled, it is inappropriate to store the intranet server on the same physical device as the firewall. Similarly, primary- domain controllers do not normally share the physical device as the intranet server. 141

202 A security risk assessment exercise should be repeated at regular intervals because: A. business threats are constantly changing. B. omissions in earlier assessments can be addressed. C. repetitive assessments allow various methodologies. D. they help raise awareness on security in the business.

A Explanation: As business objectives and methods change, the nature and relevance of threats change as well. Choice B does not, by itself, justify regular reassessment. Choice C is not necessarily true in all cases. Choice D is incorrect because there are better ways of raising security awareness than by performing a risk assessment.

401 Which of the following is the MOST important management signoff for migrating an order processing system from a test environment to a production environment? A. User B. Security C. Operations D. Database

A Explanation: As owners of the system, user management approval would be the most important. Although the signoffs of security, operations and database management may be appropriate, they are secondary to ensuring the new system meets the requirements of the business. 190

390 A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration? A. User B. Network C. Operations D. Database

A Explanation: As owners of the system, user management signoff is the most important. If a system does not meet the needs of the business, then it has not met its primary objective. The needs of network, operations and database management are secondary to the needs of the business. 185

595 A customer credit card database has been breached by hackers. The FIRST step in dealing with this attack should be to: A. confirm the incident. B. notify senior management. C. start containment. D. notify law enforcement.

A Explanation: Asserting that the condition is a true security incident is the necessary first step in determining the correct response. The containment stage would follow. Notifying senior management and law enforcement could be part of the incident response process that takes place after confirming an incident.

502 Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to: A. assess the problems and institute rollback procedures, if needed. B. disconnect the systems from the network until the problems are corrected. C. immediately uninstall the patches from these systems. D. immediately contact the vendor regarding the problems that occurred.

A Explanation: Assessing the problems and instituting rollback procedures as needed would be the best course of action. Choices B and C would not identify where the problem was, and may in fact make the problem worse. Choice D is part of the assessment.

308 The MAIN advantage of implementing automated password synchronization is that it: A. reduces overall administrative workload. B. increases security between multi-tier systems. C. allows passwords to be changed less frequently. D. reduces the need for two-factor authentication.

A Explanation: Automated password synchronization reduces the overall administrative workload of resetting passwords. It does not increase security between multi-tier systems, allow passwords to be changed less frequently or reduce the need for two-factor authentication.

339 The MOST important success factor to design an effective IT security awareness program is to: A. customize the content to the target audience. B. ensure senior management is represented. C. ensure that all the staff is trained. D. avoid technical content but give concrete examples.

A Explanation: Awareness training can only be effective if it is customized to the expectations and needs of attendees. Needs will be quite different depending on the target audience and will vary between business managers, end users and IT staff; program content and the level of detail communicated will therefore be different. Other criteria are also important; however, the customization of content is the most important factor.

588 Which of the following actions should lake place immediately after a security breach is reported to an information security manager? A. Confirm the incident B. Determine impact C. Notify affected stakeholders D. Isolate the incident

A Explanation: Before performing analysis of impact, resolution, notification or isolation of an incident, ii must be validated as a real security incident.

300 When application-level security controlled by business process owners is found to be poorly managed, which of the following could BEST improve current practices? A. Centralizing security management B. Implementing sanctions for noncompliance C. Policy enforcement by IT management D. Periodic compliance reviews

A Explanation: By centralizing security management, the organization can ensure that security standards are applied to all systems equally and in line with established policy. Sanctions for noncompliance would not be the best way to correct poor management practices caused by work overloads or insufficient knowledge of security practices. Enforcement of policies is not solely the responsibility of IT management. Periodic compliance reviews would not correct the problems, by themselves, although reports to management would trigger corrective action such as centralizing security management.

458 A critical device is delivered with a single user and password that is required to be shared for multiple users to access the device. An information security manager has been tasked with ensuring all access to the device is authorized. Which of the following would be the MOST efficient means to accomplish this? A. Enable access through a separate device that requires adequate authentication B. Implement manual procedures that require password change after each use C. Request the vendor to add multiple user IDs D. Analyze the logs to detect unauthorized access

A Explanation: Choice A is correct because it allows authentication tokens to be provisioned and terminated for individuals and also introduces the possibility of logging activity by individual. Choice B is not effective because users can circumvent the manual procedures. Choice C is not the best option because vendor enhancements may take time and development, and this is a critical device. Choice D could, in some cases, be an effective complementary control but. because it is detective, it would not be the most effective in this instance.

375 At what stage of the applications development process would encryption key management initially be addressed? A. Requirements development B. Deployment C. Systems testing D. Code reviews

A Explanation: Encryption key management has to be integrated into the requirements of the application's design. During systems testing and deployment would be too late since the requirements have already been agreed upon. Code reviews are part of the final quality assurance (QA) process and would also be too late in the process.

366 The PRIMARY driver to obtain external resources to execute the information security program is that external resources can: A. contribute cost-effective expertise not available internally. B. be made responsible for meeting the security program requirements. C. replace the dependence on internal resources. D. deliver more effectively on account of their knowledge.

A Explanation: Choice A represents the primary driver for the information security manager to make use of external resources. The information security manager will continue to be responsible for meeting the security program requirements despite using the services of external resources. The external resources should never completely replace the role of internal resources from a strategic perspective. The external resources cannot have a better knowledge of the business of the information security manager's organization than do the internal resources.

474 Which of the following is the MOST effective, positive method to promote security awareness? A. Competitions and rewards for compliance B. Lock-out after three incorrect password attempts C. Strict enforcement of password formats D. Disciplinary action for noncompliance

A Explanation: Competitions and rewards are a positive encouragement to user participation in the security program. Merely locking users out for forgetting their passwords does not enhance user awareness. Enforcement of password formats and disciplinary actions do not positively promote awareness.

593 Which of the following provides the BKST confirmation that the business continuity/disaster recovery plan objectives have been achieved? A. The recovery time objective (RTO) was not exceeded during testing B. Objective testing of the business continuity/disaster recovery plan has been carried out consistently C. The recovery point objective (RPO) was proved inadequate by disaster recovery plan testing D. Information assets have been valued and assigned to owners per the business continuity plan, disaster recovery plan

A Explanation: Consistent achievement of recovery time objective (RTO) objectives during testing provides the most objective evidence that business continuity/disaster recovery plan objectives have been achieved. The successful testing of the business continuity/disaster recover) plan within the stated RTO objectives is the most indicative evidence that the business needs are being met. Objective testing of the business continuity/ disaster recovery plan will not serve as a basis for evaluating the alignment of the risk management process in business continuity/disaster recovery planning.. Mere valuation and assignment of information assets to owners (per the business continuity/disaster recovery plan) will not serve as a basis for evaluating the alignment of the risk management process in business continuity/disaster recovery planning.

505 The implementation of continuous monitoring controls is the BEST option where: A. incidents may have a high impact and frequency B. legislation requires strong information security controls C. incidents may have a high impact but low frequency D. Electronic commerce is a primary business driver

A Explanation: Continuous monitoring control initiatives are expensive, so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence. Regulations and legislations that require tight IT security measures focus on requiring organizations to establish an IT security governance structure that manages IT security with a riskbased approach, so each organization decides which kinds of controls are implemented. Continuous monitoring is not necessarily a requirement. Measures such as contingency planning are commonly used when incidents rarely happen but have a high impact each time they happen. Continuous monitoring is unlikely to be necessary. Continuous control monitoring initiatives are not needed in all electronic commerce environments. There are some electronic commerce environments where the impact of incidents is not high enough to support the implementation of this kind of initiative.

221 Attackers who exploit cross-site scripting vulnerabilities take advantage of: A. a lack of proper input validation controls. B. weak authentication controls in the web application layer. C. flawed cryptographic secure sockets layer (SSL) implementations and short key lengths. D. implicit web application trust relationships.

A Explanation: Cross-site scripting attacks inject malformed input. Attackers who exploit weak application authentication controls can gain unauthorized access to applications and this has little to do with cross-site scripting vulnerabilities. Attackers who exploit flawed cryptographic secure sockets layer (SSI.) implementations and short key lengths can sniff network traffic and crack keys to gain unauthorized access to information. This has little to do with cross-site scripting vulnerabilities. Web application trust relationships do not relate directly to the attack.

302 The information classification scheme should: A. consider possible impact of a security breach. B. classify personal information in electronic form. C. be performed by the information security manager. D. classify systems according to the data processed.

A Explanation: Data classification is determined by the business risk, i.e., the potential impact on the business of the loss, corruption or disclosure of information. It must be applied to information in all forms, both electronic and physical (paper), and should be applied by the data owner, not the security manager. Choice B is an incomplete answer because it addresses only privacy issues, while choice A is a more complete response. Systems are not classified per se, but the data they process and store should definitely be classified.

291 When a proposed system change violates an existing security standard, the conflict would be BEST resolved by: A. calculating the residual risk. B. enforcing the security standard. C. redesigning the system change. D. implementing mitigating controls.

A Explanation: Decisions regarding security should always weigh the potential loss from a risk against the existing controls. Each situation is unique; therefore, it is not advisable to always decide in favor of enforcing a standard. Redesigning the proposed change might not always be the best option because it might not meet the business needs. Implementing additional controls might be an option, but this would be done after the residual risk is known.

601 Which of the following is an example of a corrective control? A. Diverting incoming traffic upon responding to the denial of service (DoS) attack B. Filtering network traffic before entering an internal network from outside C. Examining inbound network traffic for viruses D. Logging inbound network traffic

A Explanation: Diverting incoming traffic corrects the situation and. therefore, is a corrective control. Choice B is a preventive control. Choices C and D are detective controls.

276 Which of the following BEST ensures that information transmitted over the Internet will remain confidential? A. Virtual private network (VPN) B. Firewalls and routers C. Biometric authentication D. Two-factor authentication

A Explanation: Encryption of data in a virtual private network (VPN) ensures that transmitted information is not readable, even if intercepted. Firewalls and routers protect access to data resources inside the network and do not protect traffic in the public network. Biometric and two-factor authentication, by themselves, would not prevent a message from being intercepted and read.

522 What is the MOST cost-effective method of identifying new vendor vulnerabilities? A. External vulnerability reporting sources B. Periodic vulnerability assessments performed by consultants C. Intrusion prevention software D. honey pots located in the DMZ

A Explanation: External vulnerability sources are going to be the most cost-effective method of identifying these vulnerabilities. The cost involved in choices B and C would be much higher, especially if performed at regular intervals. Honeypots would not identify all vendor vulnerabilities. In addition, honeypots located in the DMZ can create a security risk if the production network is not well protected from traffic from compromised honey pots.

453 Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system (IDS) with the threshold set to a low value? A. The number of false positives increases B. The number of false negatives increases C. Active probing is missed D. Attack profiles are ignored

A Explanation: Failure to tune an intrusion detection system (IDS) will result in many false positives, especially when the threshold is set to a low value. The other options are less likely given the fact that the threshold for sounding an alarm is set to a low value.

553 At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the vendor's hot site facility? A. Erase data and software from devices B. Conduct a meeting to evaluate the test C. Complete an assessment of the hot site provider D. Evaluate the results from all test scripts

A Explanation: For security and privacy reasons, all organizational data and software should be erased prior to departure. Evaluations can occur back at the office after everyone is rested, and the overall results can be discussed and compared objectively.

464 In organizations where availability is a primary concern, the MOST critical success factor of the patch management procedure would be the: A. testing time window prior to deployment. B. technical skills of the team responsible. C. certification of validity for deployment. D. automated deployment to all the servers.

A Explanation: Having the patch tested prior to implementation on critical systems is an absolute prerequisite where availability is a primary concern because deploying patches that could cause a system to fail could be worse than the vulnerability corrected by the patch. It makes no sense to deploy patches on every system. Vulnerable systems should be the only candidate for patching. Patching skills are not required since patches are more often applied via automated tools.

567 When an organization is using an automated tool to manage and house its business continuity plans, which of the following is the PRIMARY concern? A. Ensuring accessibility should a disaster occur B. Versioning control as plans are modified C. Broken hyperlinks to resources stored elsewhere D. Tracking changes in personnel and plan assets

A Explanation: If all of the plans exist only in electronic form, this presents a serious weakness if the electronic version is dependent on restoration of the intranet or other systems that are no longer available. Versioning control and tracking changes in personnel and plan assets is actually easier with an automated system. Broken hyperlinks are a concern, but less serious than plan accessibility.

591 An intrusion detection system (IDS) should: A. run continuously B. ignore anomalies C. require a stable, rarely changed environment D. be located on the network

A Explanation: If an intrusion detection system (IDS) does not run continuously the business remains vulnerable. An IDS should detect, not ignore anomalies. An IDS should be flexible enough to cope with a changing environment. Both host and network based IDS are recommended for adequate detection.

322 152 Which of the following is the MOST important consideration when implementing an intrusion detection system (IDS)? A. Tuning B. Patching C. Encryption D. Packet filtering

A Explanation: If an intrusion detection system (IDS) is not properly tuned it will generate an unacceptable number of false positives and/or fail to sound an alarm when an actual attack is underway. Patching is more related to operating system hardening, while encryption and packet filtering would not be as relevant.

513 A critical component of a continuous improvement program for information security is: A. measuring processes and providing feedback. B. developing a service level agreement (SLA) for security. C. tying corporate security standards to a recognized international standard. D. ensuring regulatory compliance.

A Explanation: If an organization is unable to take measurements that will improve the level of its safety program. then continuous improvement is not possible. Although desirable, developing a service level agreement (SLA) for security, tying corporate security standards to a recognized international standard and ensuring regulatory compliance are not critical components for a continuous improvement program.

507 An information security manager reviewing firewall rules will be MOST concerned if the firewall allows: A. source routing. B. broadcast propagation. C. unregistered ports. D. nonstandard protocols.

A Explanation: If the firewall allows source routing, any outsider can carry out spoofing attacks by stealing the internal (private) IP addresses of the organization. Broadcast propagation, unregistered ports and nonstandard protocols do not create a significant security exposure.

488 What is the GREATEST risk when there is an excessive number of firewall rules? A. One rule may override another rule in the chain and create a loophole B. Performance degradation of the whole network C. The firewall may not support the increasing number of rules due to limitations D. The firewall may show abnormal behavior and may crash or automatically shut down

A Explanation: If there are many firewall rules, there is a chance that a particular rule may allow an external connection although other associated rules are overridden. Due to the increasing number of rules, it becomes complex to test them and. over time, a loophole may occur.

251 Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented? A. Countermeasure cost-benefit analysis B. Penetration testing C. Frequent risk assessment programs D. Annual loss expectancy (ALE) calculation

A Explanation: In a countermeasure cost-benefit analysis, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure. Penetration testing may indicate the extent of a weakness but, by itself, will not establish the cost/benefit of a control. Frequent risk assessment programs will certainly establish what risk exists but will not determine the maximum cost of controls. Annual loss expectancy (ALE) is a measure which will contribute to the value of the risk but. alone, will not justify a control.

564 Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster? A. Detailed technical recovery plans are maintained offsite B. Network redundancy is maintained through separate providers C. Hot site equipment needs are recertified on a regular basis D. Appropriate declaration criteria have been established

A Explanation: In a major disaster, staff can be injured or can be prevented from traveling to the hot site, so technical skills and business knowledge can be lost. It is therefore critical to maintain an updated copy of the detailed recovery plan at an offsite location. Continuity of the business requires adequate network redundancy, hot site infrastructure that is certified as compatible and clear criteria for declaring a disaster. Ideally, the business continuity program addresses all of these satisfactorily. However, in a disaster situation, where all these elements are present, but without the detailed technical plan, business recovery will be seriously impaired.

183 Information security managers should use risk assessment techniques to: A. justify selection of risk mitigation strategies. B. maximize the return on investment (ROD. C. provide documentation for auditors and regulators. D. quantify risks that would otherwise be subjective.

A Explanation: Information security managers should use risk assessment techniques to justify and implement a risk mitigation strategy as efficiently as possible. None of the other choices accomplishes that task, although they are important components.

376 The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is: A. messages displayed at every logon. B. periodic security-related e-mail messages. C. an Intranet web site for information security. D. circulating the information security policy.

A Explanation: Logon banners would appear every time the user logs on, and the user would be required to read and agree to the same before using the resources. Also, as the message is conveyed in writing and appears consistently, it can be easily enforceable in any organization. Security-related e-mail messages are frequently considered as "Spam" by network users and do not, by themselves, 178 ensure that the user agrees to comply with security requirements. The existence of an Intranet web site does not force users to access it and read the information. Circulating the information security policy atone does not confirm that an individual user has read, understood and agreed to comply with its requirements unless it is associated with formal acknowledgment, such as a user's signature of acceptance.

435 What is the MOST effective access control method to prevent users from sharing files with unauthorized users? A. Mandatory B. Discretionary C. Walled garden D. Role-based

A Explanation: Mandatory access controls restrict access to files based on the security classification of the file. This prevents users from sharing files with unauthorized users. Role-based access controls grant access according to the role assigned to a user; they do not prohibit file sharing. Discretionary and lattice-based access controls are not as effective as mandatory access controls in preventing file sharing. A walled garden is an environment that controls a user's access to web content and services. In effect, the walled garden directs the user's navigation within particular areas, and does not necessarily prevent sharing of other material.

334 An outsource service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know? A. Security in storage and transmission of sensitive data B. Provider's level of compliance with industry standards C. Security technologies in place at the facility D. Results of the latest independent security review

A Explanation: Mow the outsourcer protects the storage and transmission of sensitive information will allow an information security manager to understand how sensitive data will be protected. Choice B is an important but secondary consideration. Choice C is incorrect because security technologies are not the only components to protect the sensitive customer information. Choice D is incorrect because an independent security review may not include analysis on how sensitive customer information would be protected.

295 Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers? A. Daily B. Weekly C. Concurrently with O/S patch updates D. During scheduled change control updates

A Explanation: New viruses are being introduced almost daily. The effectiveness of virus detection software depends on frequent updates to its virus signatures, which are stored on antivirus signature files so updates may be carried out several times during the day. At a minimum, daily updating should occur. Patches may occur less frequently. Weekly updates may potentially allow new viruses to infect the system.

426 The return on investment of information security can BEST be evaluated through which of the following? A. Support of business objectives B. Security metrics C. Security deliverables D. Process improvement models

A Explanation: One way to determine the return on security investment is to illustrate how information security supports the achievement of business objectives. Security metrics measure improvement and effectiveness within the security practice but do not tie to business objectives. Similarly, listing deliverables and creating process improvement models does not necessarily tie into business objectives.

535 How would an organization know if its new information security program is accomplishing its goals? A. Key metrics indicate a reduction in incident impacts. B. Senior management has approved the program and is supportive of it. C. Employees are receptive to changes that were implemented. D. There is an immediate reduction in reported incidents.

A Explanation: Option A is correct since an effective security program will show a trend in impact reduction. Options B and C may well derive from a performing program, but are not as significant as option A. Option D may indicate that it is not successful.

173 The decision as to whether a risk has been reduced to an acceptable level should be determined by: A. organizational requirements. B. information systems requirements. C. information security requirements. D. international standards.

A Explanation: Organizational requirements should determine when a risk has been reduced to an acceptable level. Information systems and information security should not make the ultimate determination. Since each organization is unique, international standards of best practice do not represent the best solution.

290 Which of the following is MOST effective in preventing security weaknesses in operating systems? A. Patch management B. Change management C. Security baselines D. Configuration management 137

A Explanation: Patch management corrects discovered weaknesses by applying a correction (a patch) to the original program code. Change management controls the process of introducing changes to systems. Security baselines provide minimum recommended settings. Configuration management controls the updates to the production environment.

307 Which of the following ensures that newly identified security weaknesses in an operating system are mitigated in a timely fashion? A. Patch management B. Change management C. Security baselines 145 D. Acquisition management

A Explanation: Patch management involves the correction of software weaknesses and helps ensure that newly identified exploits are mitigated in a timely fashion. Change management controls the process of introducing changes to systems. Security baselines provide minimum recommended settings. Acquisition management controls the purchasing process.

374 What is the MOST important reason for conducting security awareness programs throughout an organization? A. Reducing the human risk B. Maintaining evidence of training records to ensure compliance C. Informing business units about the security strategy D. Training personnel in security incident response

A Explanation: People are the weakest link in security implementation, and awareness would reduce this risk. Through security awareness and training programs, individual employees can be informed and 177 sensitized on various security policies and other security topics, thus ensuring compliance from each individual. Laws and regulations also aim to reduce human risk. Informing business units about the security strategy is best done through steering committee meetings or other forums.

149 Acceptable risk is achieved when: A. residual risk is minimized. B. transferred risk is minimized. C. control risk is minimized. D. inherent risk is minimized.

A Explanation: Residual risk is the risk that remains after putting into place an effective risk management program; therefore, acceptable risk is achieved when this amount is minimized. Transferred risk is risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk. Control risk is the risk that controls may not prevent/detect an incident with a measure of control effectiveness. Inherent risk cannot be minimized.

446 Which of the following will BEST prevent an employee from using a USB drive to copy files from desktop computers? A. Restrict the available drive allocation on all PCs B. Disable universal serial bus (USB) ports on all desktop devices C. Conduct frequent awareness training with noncompliance penalties D. Establish strict access controls to sensitive information

A Explanation: Restricting the ability of a PC to allocate new drive letters ensures that universal serial bus (USB) drives or even CD-writers cannot be attached as they would not be recognized by the operating system. Disabling USB ports on all machines is not practical since mice and other peripherals depend on these connections. Awareness training and sanctions do not prevent copying of information nor do access controls.

528 An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract? A. Right to audit B. Nondisclosure agreement C. Proper firewall implementation D. Dedicated security manager for monitoring compliance

A Explanation: Right to audit would be the most useful requirement since this would provide the company the ability to perform a security audit/assessment whenever there is a business need to examine whether the controls are working effectively at the third party. Options B, C and D are important requirements and can be examined during the audit. A dedicated security manager would be a costly solution and not always feasible for most situations.

145 A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures? A. Risk analysis results B. Audit report findings C. Penetration test results D. Amount of IT budget available

A Explanation: Risk analysis results are the most useful and complete source of information for determining the amount of resources to devote to mitigating exposures. Audit report findings may not address all risks and do not address annual loss frequency. Penetration test results provide only a limited view of exposures, while the IT budget is not tied to the exposures faced by the organization.

203 Which of the following steps in conducting a risk assessment should be performed FIRST? A. Identity business assets B. Identify business risks C. Assess vulnerabilities D. Evaluate key controls

A Explanation: Risk assessment first requires one to identify the business assets that need to be protected before identifying the threats. The next step is to establish whether those threats represent business risk 96 by identifying the likelihood and effect of occurrence, followed by assessing the vulnerabilities that may affect the security of the asset. This process establishes the control objectives against which key controls can be evaluated.

261 A risk management approach to information protection is: 123 A. managing risks to an acceptable level, commensurate with goals and objectives. B. accepting the security posture provided by commercial security products. C. implementing a training program to educate individuals on information protection and risks. D. managing risk tools to ensure that they assess all information protection vulnerabilities.

A Explanation: Risk management is identifying all risks within an organization, establishing an acceptable level of risk and effectively managing risks which may include mitigation or transfer. Accepting the security- posture provided by commercial security products is an approach that would be limited to technology components and may not address all business operations of the organization. Education is a part of the overall risk management process. Tools may be limited to technology and would not address non-technology risks.

192 Before conducting a formal risk assessment of an organization's information resources, an information security manager should FIRST: A. map the major threats to business objectives. B. review available sources of risk information. C. identify the value of the critical assets. D. determine the financial impact if threats materialize.

A Explanation: Risk mapping or a macro assessment of the major threats to the organization is a simple first step before performing a risk assessment. Compiling all available sources of risk information is part of the risk assessment. Choices C and D are also components of the risk assessment process, 91 which are performed subsequent to the threats-business mapping.

151 During which phase of development is it MOST appropriate to begin assessing the risk of a new application system? A. Feasibility B. Design C. Development D. Testing

A Explanation: Risk should be addressed as early in the development of a new application system as possible. In some cases, identified risks could be mitigated through design changes. If needed changes are not identified until design has already commenced, such changes become more expensive. For this reason, beginning risk assessment during the design, development or testing phases is not the best solution.

226 Which of the following measures would be MOST effective against insider threats to confidential information? A. Role-based access control B. Audit trail monitoring C. Privacy policy D. Defense-in-depth

A Explanation: Role-based access control provides access according to business needs; therefore, it reduces unnecessary- access rights and enforces accountability. Audit trail monitoring is a detective control, which is 'after the fact.' Privacy policy is not relevant to this risk. Defense-in-depth primarily focuses on external threats 107

387 Which of the following devices could potentially stop a Structured Query Language (SQL) injection attack? A. An intrusion prevention system (IPS) B. An intrusion detection system (IDS) C. A host-based intrusion detection system (HIDS) D. A host-based firewall

A Explanation: SQL injection attacks occur at the application layer. Most IPS vendors will detect at least basic sets of SQL injection and will be able to stop them. IDS will detect, but not prevent I IIDS will be unaware of SQL injection problems. A host-based firewall, be it on the web server or the database server, will allow the connection because firewalls do not check packets at an application layer.

524 An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to: A. validate and sanitize client side inputs. B. harden the database listener component. C. normalize the database schema to the third normal form. D. ensure that the security patches are updated on operating systems.

A Explanation: SQL injection vulnerability arises when crafted or malformed user inputs are substituted directly in SQL queries, resulting into information leakage. Hardening the database listener does enhance the security of the database; however, it is unrelated to the SQL injection vulnerability. Normalization is related to the effectiveness and efficiency of the database but not to SQL injection vulnerability. SQL injections may also be observed in normalized databases. SQL injection vulnerability exploits the SQL query design, not the operating system.

314 Which of the following is the MOST effective solution for preventing individuals external to the organization from modifying sensitive information on a corporate database? A. Screened subnets B. Information classification policies and procedures C. Role-based access controls D. Intrusion detection system (IDS)

A Explanation: Screened subnets are demilitarized zones (DMZs) and are oriented toward preventing attacks on an internal network by external users. The policies and procedures to classify information will ultimately result in better protection but they will not prevent actual modification. Role-based access controls would help ensure that users only had access to files and systems appropriate for their job role. Intrusion detection systems (IDS) are useful to detect invalid attempts but they will not prevent attempts.

342 The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C) financial web application is: A. Secure Sockets Layer (SSL). B. Secure Shell (SSH). C. IP Security (IPSec). D. Secure/Multipurpose Internet Mail Extensions (S/MIME ).

A Explanation: Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications providing end point authentication and communications privacy over the Internet. In typical use, all data transmitted between the customer and the business are, therefore, encrypted by the business's web server and remain confidential. SSH File Transfer Protocol (SFTP) is a network protocol that provides file transfer and manipulation functionality over any reliable data stream. It is typically used with the SSH-2 protocol to provide secure file transfer. IP Security (IPSec) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. There are two modes of IPSec operation: transport mode and tunnel mode. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for public key encryption and signing of e-mail encapsulated in MIME; it is not a web transaction 162 protocol.

265 125 When implementing security controls, an information security manager must PRIMARILY focus on: A. minimizing operational impacts. B. eliminating all vulnerabilities. C. usage by similar organizations. D. certification from a third party.

A Explanation: Security controls must be compatible with business needs. It is not feasible to eliminate all vulnerabilities. Usage by similar organizations does not guarantee that controls are adequate. Certification by a third party is important, but not a primary concern.

204 The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by: A. periodically testing the incident response plans. B. regularly testing the intrusion detection system (IDS). C. establishing mandatory training of all personnel. D. periodically reviewing incident response procedures.

A Explanation: Security incident response plans should be tested to find any deficiencies and improve existing processes. Testing the intrusion detection system (IDS) is a good practice but would not have prevented this situation. All personnel need to go through formal training to ensure that they understand the process, tools and methodology involved in handling security incidents. However, testing of the actual plans is more effective in ensuring the process works as intended. Reviewing the response procedures is not enough; the security response plan needs to be tested on a regular basis.

284 Security monitoring mechanisms should PRIMARILY: A. focus on business-critical information. B. assist owners to manage control risks. C. focus on detecting network intrusions. D. record all security violations.

A Explanation: Security monitoring must focus on business-critical information to remain effectively usable by and credible to business users. Control risk is the possibility that controls would not detect an incident or error condition, and therefore is not a correct answer because monitoring would not directly assist in managing this risk. Network intrusions are not the only focus of monitoring mechanisms; although they should record all security violations, this is not the primary objective.

485 To reduce the possibility of service interruptions, an entity enters into contracts with multiple Internet service providers (ISPs). Which of the following would be the MOS T important item to include? A. Service level agreements (SLAs) B. Right to audit clause C. Intrusion detection system (IDS) services D. Spam filtering services

A Explanation: Service level agreements (

410 The BEST way to determine if an anomaly-based intrusion detection system (IDS) is properly installed is to: A. simulate an attack and review IDS performance. B. use a honeypot to check for unusual activity. C. audit the configuration of the IDS. D. benchmark the IDS against a peer site.

A Explanation: Simulating an attack on the network demonstrates whether the intrusion detection system (IDS) is properly tuned. Reviewing the configuration may or may not reveal weaknesses since an anomalybased system uses trends to identify potential attacks. A honeypot is not a good first step since it would need to have already been penetrated. Benchmarking against a peer site would generally not be practical or useful. 194

555 The BEST approach in managing a security incident involving a successful penetration should be to: A. allow business processes to continue during the response. B. allow the security team to assess the attack profile. C. permit the incident to continue to trace the source. D. examine the incident response process for deficiencies.

A Explanation: Since information security objectives should always be linked to the objectives of the business, it is imperative that business processes be allowed to continue whenever possible. Only when there is no alternative should these processes be interrupted. Although it is important to allow the security team to assess the characteristics of an attack, this is subordinate to the needs of the business. Permitting an incident to continue may expose the organization to additional damage. Evaluating the incident management process for deficiencies is valuable but it, too. is subordinate to allowing business processes to continue.

165 When residual risk is minimized: A. acceptable risk is probable. B. transferred risk is acceptable. C. control risk is reduced. D. risk is transferable.

A Explanation: Since residual risk is the risk that remains after putting into place an effective risk management program, it is probable that the organization will decide that it is an acceptable risk if sufficiently minimized. Transferred risk is risk that has been assumed by a third party, therefore its magnitude is not relevant. Accordingly, choices B and D are incorrect since transferred risk does not necessarily indicate whether risk is at an acceptable level. Minimizing residual risk will not reduce control risk. 79

215 An online banking institution is concerned that the breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to: A. mitigate the impact by purchasing insurance. B. implement a circuit-level firewall to protect the network. C. increase the resiliency of security measures in place. D. implement a real-time intrusion detection system.

A Explanation: Since residual risk will always be too high, the only practical solution is to mitigate the financial impact by purchasing insurance.

600 A database was compromised by guessing the password for a shared administrative account and confidential customer information was stolen. The information security manager was able to detect this breach by analyzing which of the following? A. Invalid logon attempts B. Write access violations C. Concurrent logons D. Firewall logs

A Explanation: Since the password for the shared administrative account was obtained through guessing, it is probable that there were multiple unsuccessful logon attempts before the correct password was deduced. Searching the logs for invalid logon attempts could, therefore, lead to the discovery of this unauthorized activity. Because the account is shared, reviewing the logs for concurrent logons would not reveal unauthorized activity since concurrent usage is common in this situation. Write access violations would not necessarily be observed since the information was merely copied and not altered. Firewall logs would not necessarily contain information regarding logon attempts.

431 Which of the following provides the linkage to ensure that procedures are correctly aligned with information security policy requirements? A. Standards B. Guidelines C. Security metrics D. IT governance

A Explanation: Standards are the bridge between high-level policy statements and the "how to" detailed formal of procedures. Security metrics and governance would not ensure correct alignment between policies and procedures. Similarly, guidelines are not linkage documents but rather provide suggested guidance on best practices.

365 In order to protect a network against unauthorized external connections to corporate systems, the information security manager should BEST implement: A. a strong authentication. B. IP antispoofing filtering. C. network encryption protocol. D. access lists of trusted devices.

A Explanation: Strong authentication will provide adequate assurance on the identity of the users, while IP antispoofing is aimed at the device rather than the user. Encryption protocol ensures data confidentiality and authenticity while access lists of trusted devices are easily exploited by spoofed identity of the clients. 173

176 A successful risk management program should lead to: A. optimization of risk reduction efforts against cost. B. containment of losses to an annual budgeted amount. C. identification and removal of all man-made threats. D. elimination or transference of all organizational risks.

A Explanation: Successful risk management should lead to a breakeven point of risk reduction and cost. The other options listed are not achievable. Threats cannot be totally removed or transferred, while losses cannot be budgeted in advance with absolute certainty.

139 Which of the following is the BEST reason to perform a business impact analysis (BIA)? A. To help determine the current state of risk B. To budget appropriately for needed controls C. To satisfy regulatory requirements D. To analyze the effect on the business

A Explanation: The BIA is included as part of the process to determine the current state of risk and helps determine the acceptable levels of response from impacts and the current level of response, leading to a gap analysis. Budgeting appropriately may come as a result, but is not the reason to perform the analysis. Performing an analysis may satisfy regulatory requirements, bill is not the 67 reason to perform one. Analyzing the effect on the business is part of the process, but one must also determine the needs or acceptable effect or response. Topic 2, INFORMATION RISK MANAGEMENT

503 When defining a service level agreement (SLA) regarding the level of data confidentiality that is handled by a third-party service provider, the BEST indicator of compliance would be the: A. access control matrix. B. encryption strength. C. authentication mechanism. D. data repository.

A Explanation: The access control matrix is the best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses. Encryption strength, authentication mechanism and data repository might be defined in the SLA but are not confidentiality compliance indicators.

362 An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. The vulnerability identified is: A. broken authentication. B. unvalidated input. C. cross-site scripting. D. structured query language (SQL) injection.

A Explanation: The authentication process is broken because, although the session is valid, the application should reauthenticate when the input parameters are changed. The review provided valid employee IDs, and valid input was processed. The problem here is the lack of reauthentication when the input parameters are changed. Cross-site scripting is not the problem in this case since the attack is not transferred to any other user's browser to obtain the output. Structured query language (SQL) injection is not a problem since input is provided as a valid employee ID and no SQL queries are injected to provide the output.

497 Which of the following is the BEST indicator that an effective security control is built into an organization? A. The monthly service level statistics indicate a minimal impact from security issues. B. The cost of implementing a security control is less than the value of the assets. C. The percentage of systems that is compliant with security standards. D. The audit reports do not reflect any significant findings on security.

A Explanation: The best indicator of effective security control is the evidence of little disruption to business operations. Choices B, C and D can support this evidence, but are supplemental to choice A.

249 There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period? A. Identify the vulnerable systems and apply compensating controls B. Minimize the use of vulnerable systems C. Communicate the vulnerability to system users D. Update the signatures database of the intrusion detection system (IDS)

A Explanation: The best protection is to identify the vulnerable systems and apply compensating controls until a patch is installed. Minimizing the use of vulnerable systems and communicating the vulnerability to system users could be compensating controls but would not be the first course of action. Choice D does not make clear the timing of when the intrusion detection system (IDS) signature list would be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this approach should not always be considered as the first option.

584 Evidence from a compromised server has to be acquired for a forensic investigation. What would be the BEST source? A. A bit-level copy of all hard drive data B. The last verified backup stored offsite C. Data from volatile memory D. Backup servers

A Explanation: The bit-level copy image file ensures forensic quality evidence that is admissible in a court of law. Choices B and D may not provide forensic quality data for investigative work, while choice C alone may not provide enough evidence.

370 Which of the following is the MOST important reason why information security objectives should be defined? A. Tool for measuring effectiveness B. General understanding of goals C. Consistency with applicable standards D. Management sign-off and support initiatives 175

A Explanation: The creation of objectives can be used in part as a source of measurement of the effectiveness of information security management, which feeds into the overall governance. General understanding of goals and consistency with applicable standards are useful, but are not the primary reasons for having clearly defined objectives. Gaining management understanding is important, but by itself will not provide the structure for governance.

540 The advantage of sending messages using steganographic techniques, as opposed to utilizing encryption, is that: A. the existence of messages is unknown. B. required key sizes are smaller. C. traffic cannot be sniffed. D. reliability of the data is higher in transit.

A Explanation: The existence of messages is hidden when using steganography. This is the greatest risk. Keys are relevant for encryption and not for steganography. Sniffing of steganographic traffic is also possible. Option D is not relevant.

138 When implementing effective security governance within the requirements of the company's security strategy, which of the following is the MOST important factor to consider? A. Preserving the confidentiality of sensitive data B. Establishing international security standards for data sharing C. Adhering to corporate privacy standards D. Establishing system manager responsibility for information security

A Explanation: The goal of information security is to protect the organization's information assets. International security standards are situational, depending upon the company and its business. Adhering to corporate privacy standards is important, but those standards must be appropriate and adequate and are not the most important factor to consider. All employees are responsible for information security, but it is not the most important factor to consider.

219 A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN). What should the security manager do FIRST? A. Understand the business requirements of the developer portal B. Perform a vulnerability assessment of the developer portal C. Install an intrusion detection system (IDS) D. Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server

A Explanation: The information security manager cannot make an informed decision about the request without first understanding the business requirements of the developer portal. Performing a vulnerability assessment of developer portal and installing an intrusion detection system (IDS) are best practices but are subsequent to understanding the requirements. Obtaining a signed nondisclosure agreement will not take care of the risks inherent in the organization's application.

264 An information security organization should PRIMARILY: A. support the business objectives of the company by providing security-related support services. B. be responsible for setting up and documenting the information security responsibilities of the information security team members. C. ensure that the information security policies of the company are in line with global best practices and standards. D. ensure that the information security expectations are conveyed to employees.

A Explanation: The information security organization is responsible for options B and D within an organization, but they are not its primary mission. Reviewing and adopting appropriate standards (option C) is a requirement. The primary objective of an information security organization is to ensure that security supports the overall business objectives of the company.

260 Which of the following are the essential ingredients of a business impact analysis (B1A)? A. Downtime tolerance, resources and criticality B. Cost of business outages in a year as a factor of the security budget C. Business continuity testing methodology being deployed D. Structure of the crisis management team

A Explanation: The main purpose of a BIA is to measure the downtime tolerance, associated resources and criticality of a business function. Options B, C and D are all associated with business continuity planning, but are not related to the BIA.

399 Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs? A. Penetration attempts investigated B. Violation log reports produced C. Violation log entries D. Frequency of corrective actions taken

A Explanation: The most useful metric is one that measures the degree to which complete follow-through has 189 taken place. The quantity of reports, entries on reports and the frequency of corrective actions are not indicative of whether or not investigative action was taken.

306 The BEST metric for evaluating the effectiveness of a firewall is the: A. number of attacks blocked. B. number of packets dropped. C. average throughput rate. D. number of firewall rules.

A Explanation: The number of attacks blocked indicates whether a firewall is performing as intended. The number of packets dropped does not necessarily indicate the level of effectiveness. The number of firewall rules and the average throughput rate are not effective measurements.

345 Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee? A. Security compliant servers trend report B. Percentage of security compliant servers C. Number of security patches applied D. Security patches applied trend report

A Explanation: The percentage of compliant servers will be a relevant indicator of the risk exposure of the infrastructure. However, the percentage is less relevant than the overall trend, which would provide a measurement of the efficiency of the IT security program. The number of patches applied would be less relevant, as this would depend on the number of vulnerabilities identified and patches provided by vendors.

433 Security audit reviews should PRIMARILY: A. ensure that controls operate as required. B. ensure that controls are cost-effective. C. focus on preventive controls. D. ensure controls are technologically current.

A Explanation: The primary objective of a security review or audit should be to provide assurance on the adequacy of security controls. Reviews should focus on all forms of control, not just on preventive control. Cost-effectiveness and technological currency are important but not as critical.

468 A business partner of a factory has remote read-only access to material inventory to forecast future acquisition orders. An information security manager should PRIMARILY ensure that there is: A. an effective control over connectivity and continuity. B. a service level agreement (SLA) including code escrow. C. a business impact analysis (BIA). D. a third-party certification.

A Explanation: The principal risk focus is the connection procedures to maintain continuity- in case of any contingency. Although an information security manager may be interested in the service level agreement (SLA), code escrow is not a concern. A business impact analysis (BIA) refers to contingency planning and not to system access. Third-party certification does not provide any assurance of controls over connectivity to maintain continuity.

592 The PRIORITY action to be taken when a server is infected with a virus is to: A. isolate the infected server(s) from the network. B. identify all potential damage caused by the infection. C. ensure that the virus database files are current. D. establish security weaknesses in the firewall.

A Explanation: The priority in this event is to minimize the effect of the virus infection and to prevent it from spreading by removing the infected server(s) from the network. After the network is secured from further infection, the damage assessment can be performed, the virus database updated and any weaknesses sought.

338 An information security manager uses security metrics to measure the: A. performance of the information security program. B. performance of the security baseline. C. effectiveness of the security risk analysis. D. effectiveness of the incident response team.

A Explanation: The security metrics should be designed so that there is a relationship to the performance of the overall security program in terms of effectiveness measurement. Use of security metrics occurs after the risk assessment process and does not measure it. Measurement of the incident response team performance is included in the overall program performance, so this is an incomplete answer. 160

136 The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that: A. the plan aligns with the organization's business plan. B. departmental budgets are allocated appropriately to pay for the plan. C. regulatory oversight requirements are met. D. the impact of the plan on the business units is reduced.

A Explanation: The steering committee controls the execution of the information security strategy according to the needs of the organization and decides on the project prioritization and the execution plan. The steering committee does not allocate department budgets for business units. While ensuring that regulatory oversight requirements are met could be a consideration, it is not the main reason for the review. Reducing the impact on the business units is a secondary concern but not the main reason for the review.

452 Documented standards/procedures for the use of cryptography across the enterprise should PRIMARILY: A. define the circumstances where cryptography should be used. B. define cryp,0£raphic algorithms and key lengths. C. describe handling procedures of cryptographic keys. D. establish the use of cryptographic solutions.

A Explanation: There should be documented standards- procedures for the use of cryptography across the enterprise; they should define the circumstances where cryptography should be used. They should cover the selection of cryptographic algorithms and key lengths, but not define them precisely, and they should address the handling of cryptographic keys. However, this is secondary to how and when cryptography should be used. The use of cryptographic solutions should be addressed but, again, this is a secondary consideration.

336 In the process of deploying a new e-mail system, an information security manager would like to ensure the confidentiality of messages while in transit. Which of the following is the MOST appropriate method to ensure data confidentiality in a new e-mail system implementation? A. Encryption B. Digital certificate C. Digital signature D. I lashing algorithm

A Explanation: To preserve confidentiality of a message while in transit, encryption should be implemented. Choices B and C only help authenticate the sender and the receiver. Choice D ensures integrity.

546 A desktop computer that was involved in a computer security incident should be secured as evidence by: A. disconnecting the computer from all power sources. B. disabling all local user accounts except for one administrator. C. encrypting local files and uploading exact copies to a secure server. D. copying all files using the operating system (OS) to write-once media.

A Explanation: To preserve the integrity of the desktop computer as an item of evidence, it should be immediately disconnected from all sources of power. Any attempt to access the information on the computer by copying, uploading or accessing it remotely changes the operating system (OS) and temporary files on the computer and invalidates it as admissible evidence.

551 Which of the following is the MOST important to ensure a successful recovery? A. Backup media is stored offsite B. Recovery location is secure and accessible C. More than one hot site is available D. Network alternate links are regularly tested

A Explanation: Unless backup media are available, all other preparations become meaningless. Recovery site location and security are important, but would not prevent recovery in a disaster situation. Having a secondary hot site is also important, but not as important as having backup media available. Similarly, alternate data communication lines should be tested regularly and successfully but, again, this is not as critical.

329 The advantage of Virtual Private Network (VPN) tunneling for remote users is that it: A. helps ensure that communications are secure. B. increases security between multi-tier systems. C. allows passwords to be changed less frequently. D. eliminates the need for secondary authentication.

A Explanation: Virtual Private Network (VPN) tunneling for remote users provides an encrypted link that helps ensure secure communications. It does not affect password change frequency, nor does it eliminate the need for secondary authentication or affect security within the internal network.

341 Which of the following features is normally missing when using Secure Sockets Layer (SSL) in a web browser? A. Certificate-based authentication of web client B. Certificate-based authentication of web server C. Data confidentiality between client and web server D. Multiple encryption algorithms

A Explanation: Web browsers have the capability of authenticating through client-based certificates; nevertheless, it is not commonly used. When using https, servers always authenticate with a certificate and, once the connection is established, confidentiality will be maintained between client and server. By default, web browsers and servers support multiple encryption algorithms and negotiate the best option upon connection.

478 Which of the following is the BEST tool to maintain the currency and coverage of an information security program within an organization? A. The program's governance oversight mechanisms B. Information security periodicals and manuals C. The program's security architecture and design D. Training and certification of the information security team

A Explanation: While choices B, C and D will all assist the currency and coverage of the program, its governance oversight mechanisms are the best method.

492 The MOST important reason for formally documenting security procedures is to ensure: A. processes are repeatable and sustainable. B. alignment with business objectives. C. auditability by regulatory agencies. D. objective criteria for the application of metrics.

A Explanation: Without formal documentation, it would be difficult to ensure that security processes are performed in the proper manner every time that they are performed. Alignment with business objectives is not a function of formally documenting security procedures. Processes should not be formally documented merely to satisfy an audit requirement. Although potentially useful in the development of metrics, creating formal documentation to assist in the creation of metrics is a secondary objective.

597 When collecting evidence for forensic analysis, it is important to: A. ensure the assignment of qualified personnel. B. request the IT department do an image copy. C. disconnect from the network and isolate the affected devices. D. ensure law enforcement personnel are present before the forensic analysis commences.

A Explanation: Without the initial assignment of forensic expertise, the required levels of evidence may not be preserved. In choice B. the IT department is unlikely to have that level of expertise and should, thus, be prevented from taking action. Choice C may be a subsequent necessity that comes after choice A. Choice D, notifying law enforcement, will likely occur after the forensic analysis has been completed.

A risk mitigation report would include recommendations for: A. assessment B. acceptance C. evaluation D. quantification

An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the: A. corporate data privacy policy. B. data privacy policy where data are collected. C. data privacy policy of the headquarters' country. D. data privacy directive applicable globally.

An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should: A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions. B. establish baseline standards for all locations and add supplemental standards as required. C. bring all locations into conformity with a generally accepted set of industry best practices. D. establish a baseline standard incorporating those requirements that all jurisdictions have in common.

An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles? A. Ethics B. Proportionality C. Integration D. Accountability

An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management? A. Security metrics reports B. Risk assessment reports C. Business impact analysis (BIA) D. Return on security investment report

An organization has verified that its customer information was recently exposed. Which of the following is the FIRST step a security manager should take in this situation? A. Inform senior management. B. Determine the extent of the compromise. C. Report the incident to the authorities. D. Communicate with the affected customers.

An organization keeps backup tapes of its servers at a warm site. To ensure that the tapes are properly maintained and usable during a system crash, the MOST appropriate measure the organization should perform is to: A. use the test equipment in the warm site facility to read the tapes. B. retrieve the tapes from the warm site and test them. C. have duplicate equipment available at the warm site. D. inspect the facility and inventory the tapes on a quarterly basis.

An outcome of effective security governance is: A. business dependency assessment B. strategic alignment. C. risk assessment. D. planning.

If an organization considers taking legal action on a security incident, the information security manager should focus PRIMARILY on: A. obtaining evidence as soon as possible. B. preserving the integrity of the evidence. C. disconnecting all IT equipment involved. D. reconstructing the sequence of events.

In addition to backup data, which of the following is the MOST important to store offsite in the event of a disaster? A. Copies of critical contracts and service level agreements (SLAs) B. Copies of the business continuity plan C. Key software escrow agreements for the purchased systems D. List of emergency numbers of service providers

In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST: A. prepare a security budget. B. conduct a risk assessment. C. develop an information security policy. D. obtain benchmarking information.

In the course of examining a computer system for forensic evidence, data on the suspect media were inadvertently altered. Which of the following should have been the FIRST course of action in the investigative process? A. Perform a backup of the suspect media to new media. B. Perform a bit-by-bit image of the original media source onto new media. C. Make a copy of all files that are relevant to the investigation. D. Run an error-checking program on all logical drives to ensure that there are no disk errors.

Information security projects should be prioritized on the basis of: A. time required for implementation. B. impact on the organization. C. total cost for implementation. D. mix of resources required.

Investments in information security technologies should be based on: A. vulnerability assessments. B. value analysis. C. business climate. D. audit recommendations.

Logging is an example of which type of defense against systems compromise? A. Containment B. Detection C. Reaction D. Recovery

Quantitative risk analysis is MOST appropriate when assessment data: A. include customer perceptions. B. contain percentage estimates. C. do not contain specific details. D. contain subjective information.

Retention of business records should PRIMARILY be based on: A. business strategy and direction. B. regulatory and legal requirements. C. storage capacity and longevity. D. business ease and value analysis.

Successful implementation of information security governance will FIRST require: A. security awareness training. B. updated security policies. C. a computer incident management team. D. a security architecture.

The FIRST step in developing an information security management program is to: A. identify business risks that affect the organization. B. clarify organizational purpose for creating the program. C. assign responsibility for the program. D. assess adequacy of controls to mitigate business risks.

The PRIMARY concern of an information security manager documenting a formal data retention policy would be: A. generally accepted industry best practices. B. business requirements. C. legislative and regulatory requirements. D. storage availability.

The PRIMARY consideration when defining recovery time objectives (RTOs) for information assets is: A. regulatory requirements. B. business requirements. C. financial value. D. IT resource availability.

The PRIMARY objective of a security steering group is to: A. ensure information security covers all business functions. B. ensure information security aligns with business goals. C. raise information security awareness across the organization. D. implement all decisions on security management across the organization.

The chief information security officer (CISO) should ideally have a direct reporting relationship to the: A. head of internal audit. B. chief operations officer (COO). C. chief technology officer (CTO). D. legal counsel.

To achieve effective strategic alignment of security initiatives, it is important that: A. Steering committee leadership be selected by rotation. B. Inputs be obtained and consensus achieved between the major organizational units. C. The business strategy be updated periodically. D. Procedures and standards be approved by all departmental heads.

Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk? A. Ensure that all IT risks are identified B. Evaluate the impact of information security risks C. Demonstrate that IT mitigating controls are in place D. Suggest new IT controls to mitigate operational risk

Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)? A. Knowledge of information technology platforms, networks and development methodologies B. Ability to understand and map organizational needs to security technologies C. Knowledge of the regulatory environment and project management techniques D. Ability to manage a diverse group of individuals and resources across an organization

Which of the following devices should be placed within a demilitarized zone (DMZ )? A. Network switch B. Web server C. Database server D. File/print server

Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group? A. Information security manager B. Chief operating officer (COO) C. Internal auditor D. Legal counsel

Which of the following is MOST appropriate for inclusion in an information security strategy? A. Business controls designated as key controls B. Security processes, methods, tools and techniques C. Firewall rule sets, network defaults and intrusion detection system (IDS) settings D. Budget estimates to acquire specific security tools

Which of the following is MOST important in developing a security strategy? A. Creating a positive business security environment B. Understanding key business objectives C. Having a reporting line to senior management D. Allocating sufficient resources to information security

Which of the following is an advantage of a centralized information security organizational structure? A. It is easier to promote security awareness. B. It is easier to manage and control. C. It is more responsive to business unit needs. D. It provides a faster turnaround for security requests.

Which of the following is characteristic of centralized information security management? A. More expensive to administer B. Better adherence to policies C. More aligned with business unit needs D. Faster turnaround of requests

Which of the following is the BEST metric for evaluating the effectiveness of security awareness training? The number of: A. password resets. B. reported incidents. C. incidents resolved. D. access rule violations.

Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise? A. Chief security officer (CSO) B. Chief operating officer (COO) C. Chief privacy officer (CPO) D. Chief legal counsel (CLC)

Which of the following is the MOST important information to include in a strategic plan for information security? A. Information security staffing requirements B. Current state and desired future state C. IT capital investment requirements D. information security mission statement

Which of the following is the MOST usable deliverable of an information security risk analysis? A. Business impact analysis (BIA) report B. List of action items to mitigate risk C. Assignment of risks to process owners D. Quantification of organizational risk

Which of the following should be the FIRST step in developing an information security plan? A. Perform a technical vulnerabilities assessment B. Analyze the current business strategy C. Perform a business impact analysis D. Assess the current levels of security awareness

Which of the following would BEST prepare an information security manager for regulatory reviews? A. Assign an information security administrator as regulatory liaison B. Perform self-assessments using regulatory guidelines and reports C. Assess previous regulatory reports with process owners input D. Ensure all regulatory inquiries are sanctioned by the legal department

Which of the following would help to change an organization's security culture? A. Develop procedures to enforce the information security policy B. Obtain strong management support C. Implement strict technical security controls D. Periodically audit compliance with the information security policy

Who should drive the risk analysis for an organization? A. Senior management B. Security manager C. Quality manager D. Legal department

273 Which of the following authentication methods prevents authentication replay? A. Password hash implementation B. Challenge/response mechanism C. Wired Equivalent Privacy (WEP) encryption usage D. HTTP Basic Authentication

B 129 Explanation: A challenge •response mechanism prevents replay attacks by sending a different random challenge in each authentication event. The response is linked to that challenge. Therefore, capturing the authentication handshake and replaying it through the network will not work. Using hashes by itself will not prevent a replay. A WEP key will not prevent sniffing (it just takes a few more minutes to break the WEP key if the attacker does not already have it) and therefore will not be able to prevent recording and replaying an authentication handshake. HTTP Basic Authentication is clear text and has no mechanisms to prevent replay.

311 An operating system (OS) noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution? A. Rewrite the application to conform to the upgraded operating system B. Compensate for not installing the patch with mitigating controls C. Alter the patch to allow the application to run in a privileged state D. Run the application on a test platform; tune production to allow patch and application

B Explanation: 147 Since the operating system (OS) patch will adversely impact a critical application, a mitigating control should be identified that will provide an equivalent level of security . Since the application is critical, the patch should not be applied without regard for the application; business requirements must be considered. Altering the OS patch to allow the application to run in a privileged state may create new security weaknesses. Finally, running a production application on a test platform is not an acceptable alternative since it will mean running a critical production application on a platform not subject to the same level of security controls.

131 Who is responsible for ensuring that information is categorized and that specific protective measures are taken? A. The security officer B. Senior management C. The end user D. The custodian

B Explanation: 63 Routine administration of all aspects of security is delegated, but top management must retain overall responsibility. The security officer supports and implements information security for senior management. The end user does not perform categorization. The custodian supports and implements information security measures as directed.

152 The MOST effective way to incorporate risk management practices into existing production systems is through: A. policy development. B. change management. C. awareness training. D. regular monitoring.

B Explanation: 73 Change is a process in which new risks can be introduced into business processes and systems. For this reason, risk management should be an integral component of the change management process. Policy development, awareness training and regular monitoring, although all worthwhile activities, are not as effective as change management.

170 The recovery point objective (RPO) requires which of the following? A. Disaster declaration B. Before-image restoration C. System restoration D. After-image processing

B Explanation: 81 The recovery point objective (RPO) is the point in the processing flow at which system recovery should occur. This is the predetermined state of the application processing and data used to restore the system and to continue the processing flow. Disaster declaration is independent of this processing checkpoint. Restoration of the system can occur at a later date, as does the return to normal, after-image processing.

489 Which of the following would be the MOST appropriate physical security solution for the main entrance to a data center"? A. Mantrap B. Biometric lock C. Closed-circuit television (CCTV) D. Security guard

B Explanation: A biometric device will ensure that only the authorized user can access the data center. A mantrap, by itself, would not be effective. Closed-circuit television (CCTV) and a security guard provide a detective control, but would not be as effective in authenticating the access rights of each individual.

199 Which of the following attacks is BEST mitigated by utilizing strong passwords? A. Man-in-the-middle attack 94 B. Brute force attack C. Remote buffer overflow D. Root kit

B Explanation: A brute force attack is normally successful against weak passwords, whereas strong passwords would not prevent any of the other attacks. Man-in-the-middle attacks intercept network traffic, which could contain passwords, but is not naturally password-protected. Remote buffer overflows rarely require a password to exploit a remote host. Root kits hook into the operating system's kernel and, therefore, operate underneath any authentication mechanism.

164 A business impact analysis (BIA) is the BEST tool for calculating: A. total cost of ownership. B. priority of restoration. C. annualized loss expectancy (ALE). D. residual risk.

B Explanation: A business impact analysis (BIA) is the best tool for calculating the priority of restoration for applications. It is not used to determine total cost of ownership, annualized loss expectancy (ALE) or residual risk to the organization.

463 In business-critical applications, user access should be approved by the: A. information security manager. B. data owner. C. data custodian. D. business management.

B Explanation: A data owner is in the best position to validate access rights to users due to their deep understanding of business requirements and of functional implementation within the application. This responsibility should be enforced by the policy. An information security manager will coordinate and execute the implementation of the role-based access control. A data custodian will ensure that proper safeguards are in place to protect the data from unauthorized access; it is not the data custodian's responsibility to assign access rights. Business management is not. in all cases, the owner of the data.

532 Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities? A. Vulnerability scans B. Penetration tests C. Code reviews D. Security audits

B Explanation: A penetration test is normally the only security assessment that can link vulnerabilities together by exploiting them sequentially. This gives a good measurement and prioritization of risks. Other security assessments such as vulnerability scans, code reviews and security audits can help give an extensive and thorough risk and vulnerability overview', but will not be able to test or demonstrate the final consequence of having several vulnerabilities linked together. Penetration testing can give risk a new perspective and prioritize based on the end result of a sequence of security problems.

160 The MOST important function of a risk management program is to: A. quantify overall risk. B. minimize residual risk. C. eliminate inherent risk. D. maximize the sum of all annualized loss expectancies (ALEs).

B Explanation: A risk management program should minimize the amount of risk that cannot be otherwise eliminated or transferred; this is the residual risk to the organization. Quantifying overall risk is important but not as critical as the end result. Eliminating inherent risk is virtually impossible. Maximizing the sum of all ALEs is actually the opposite of what is desirable.

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST: A. meet with stakeholders to decide how to comply. B. analyze key risks in the compliance process. C. assess whether existing controls meet the regulation. D. update the existing security/privacy policy.

382 An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage crosstraining. Which type of authorization policy would BEST address this practice? A. Multilevel B. Role-based C. Discretionary D. Attribute-based

B Explanation: A role-based policy will associate data access with the role performed by an individual, thus restricting access to data required to perform the individual's tasks. Multilevel policies are based on classifications and clearances. Discretionary policies leave access decisions up to information resource managers. 181

216 What mechanisms are used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system? A. Business impact analyses B. Security gap analyses C. System performance metrics D. Incident response processes 102

B Explanation: A security gap analysis is a process which measures all security controls in place against typically good business practice, and identifies related weaknesses. A business impact analysis is less suited to identify security deficiencies. System performance metrics may indicate security weaknesses, but that is not their primary purpose. Incident response processes exist for cases where security weaknesses are exploited.

197 The PRIMARY benefit of performing an information asset classification is to: A. link security requirements to business objectives. B. identify controls commensurate to risk. C. define access rights. D. establish ownership.

B Explanation: All choices are benefits of information classification. However, identifying controls that are proportional to the risk in all cases is the primary benefit of the process.

317 Which of the following devices should be placed within a DMZ? A. Proxy server B. Application server C. Departmental server D. Data warehouse server

B Explanation: An application server should normally be placed within a demilitarized zone (DMZ) to shield the internal network. Data warehouse and departmental servers may contain confidential or valuable data and should always be placed on the internal network, never on a DMZ that is subject to compromise. A proxy server forms the inner boundary of the DMZ but is not placed within it. 150

563 Which of the following should be performed FIRST in the aftermath of a denial-of-service attack? A. Restore servers from backup media stored offsite B. Conduct an assessment to determine system status C. Perform an impact analysis of the outage D. Isolate the screened subnet

B Explanation: An assessment should be conducted to determine whether any permanent damage occurred and the overall system status. It is not necessary at this point to rebuild any servers. An impact analysis of the outage or isolating the demilitarized zone (DMZ) or screen subnet will not provide any immediate benefit.

319 An e-commerce order fulfillment web server should generally be placed on which of the following? A. Internal network B. Demilitarized zone (DMZ) C. Database server D. Domain controller

B Explanation: An e-commerce order fulfillment web server should be placed within a DMZ to protect it and the internal network from external attack. Placing it on the internal network would expose the internal network to potential attack from the Internet. Since a database server should reside on the internal network, the same exposure would exist. Domain controllers would not normally share the same physical device as a web server.

403 When a departmental system continues to be out of compliance with an information security policy's password strength requirements, the BEST action to undertake is to: A. submit the issue to the steering committee. B. conduct an impact analysis to quantify the risks. C. isolate the system from the rest of the network. D. request a risk acceptance from senior management.

B Explanation: An impact analysis is warranted to determine whether a risk acceptance should be granted and to demonstrate to the department the danger of deviating from the established policy. Isolating the system would not support the needs of the business. Any waiver should be granted only after performing an impact analysis.

519 An organization plans to outsource its customer relationship management (CRM) to a third-party service provider. Which of the following should the organization do FIRST? A. Request that the third-party provider perform background checks on their employees. B. Perform an internal risk assessment to determine needed controls. C. Audit the third-party provider to evaluate their security controls. D. Perform a security assessment to detect security vulnerabilities.

B Explanation: An internal risk assessment should be performed to identify the risk and determine needed controls. A background check should be a standard requirement for the service provider. Audit objectives should be determined from the risk assessment results. Security assessment does not cover the operational risks.

310 Which of the following is MOST effective in preventing the introduction of a code modification that may reduce the security of a critical business application? A. Patch management B. Change management C. Security metrics D. Version control

B Explanation: Change management controls the process of introducing changes to systems. Failure to have good change management may introduce new weaknesses into otherwise secure systems. Patch management corrects discovered weaknesses by applying a correction to the original program code. Security metrics provide a means for measuring effectiveness. Version control is a subset of change management.

288 Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems? A. Patch management B. Change management 136 C. Security baselines D. Virus detection

B Explanation: Change management controls the process of introducing changes to systems. This is often the point at which a weakness will be introduced. Patch management involves the correction of software weaknesses and would necessarily follow change management procedures. Security baselines provide minimum recommended settings and do not prevent introduction of control weaknesses. Virus detection is an effective tool but primarily focuses on malicious code from external sources, and only for those applications that are online.

354 Which of the following would be the BEST metric for the IT risk management process? A. Number of risk management action plans B. Percentage of critical assets with budgeted remedial C. Percentage of unresolved risk exposures D. Number of security incidents identified

B Explanation: Percentage of unresolved risk exposures and the number of security incidents identified contribute to the IT risk management process, but the percentage of critical assets with budgeted remedial is the most indicative metric. Number of risk management action plans is not useful for assessing the quality of the process.

353 When considering the value of assets, which of the following would give the information security manager the MOST objective basis for measurement of value delivery in information security governance? A. Number of controls B. Cost of achieving control objectives C. Effectiveness of controls D. Test results of controls 167

B Explanation: Comparison of cost of achievement of control objectives and corresponding value of assets sought to be protected would provide a sound basis for the information security manager to measure value delivery. Number of controls has no correlation with the value of assets unless the effectiveness of the controls and their cost are also evaluated. Effectiveness of controls has no correlation with the value of assets unless their costs are also evaluated. Test results of controls have no correlation with the value of assets unless the effectiveness of the controls and their cost are also evaluated.

427 To help ensure that contract personnel do not obtain unauthorized access to sensitive information, an information security manager should PRIMARILY: A. set their accounts to expire in six months or less. B. avoid granting system administration roles. C. ensure they successfully pass background checks. D. ensure their access is approved by the data owner.

B Explanation: Contract personnel should not be given job duties that provide them with power user or other administrative roles that they could then use to grant themselves access to sensitive files. Setting expiration dates, requiring background checks and having the data owner assign access are all positive elements, but these will not prevent contract personnel from obtaining access to sensitive information. 202

211 Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program? A. Number of controls implemented B. Percent of control objectives accomplished C. Percent of compliance with the security policy D. Reduction in the number of reported security incidents

B Explanation: Control objectives are directly related to business objectives; therefore, they would be the best metrics. Number of controls implemented does not have a direct relationship with the results of a security program. Percentage of compliance with the security policy and reduction in the number of security incidents are not as broad as choice B. 100

220 A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account? A. Prevent the system from being accessed remotely B. Create a strong random password C. Ask for a vendor patch D. Track usage of the account by audit trails

B Explanation: Creating a strong random password reduces the risk of a successful brute force attack by 104 exponentially increasing the time required. Preventing the system from being accessed remotely is not always an option in mission-critical systems and still leaves local access risks. Vendor patches are not always available, tracking usage is a detective control and will not prevent an attack.

496 Which would be the BEST recommendation to protect against phishing attacks? A. Install an antispam system B. Publish security guidance for customers C. Provide security awareness to the organization's staff D. Install an application-level firewall

B Explanation: Customers of the organization are the target of phishing attacks. Installing security software or training the organization's staff will be useless. The effort should be put on the customer side.

223 A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected? A. Access control policy B. Data classification policy C. Encryption standards D. Acceptable use policy

B Explanation: Data classification policies define the level of protection to be provided for each category of data. Without this mandated ranking of degree of protection, it is difficult to determine what access controls or levels of encryption should be in place. An acceptable use policy is oriented more toward the end user and, therefore, would not specifically address what controls should be in place to adequately protect information.

186 Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas? A. Platform security 88 B. Entitlement changes C. Intrusion detection D. Antivirus controls

B Explanation: Data owners are responsible for assigning user entitlements and approving access to the systems for which they are responsible. Platform security, intrusion detection and antivirus controls are all within the responsibility of the information security manager.

476 Who should determine the appropriate classification of accounting ledger data located on a database server and maintained by a database administrator in the IT department? A. Database administrator (DBA ) B. Finance department management C. Information security manager D. IT department management

B Explanation: Data owners are responsible for determining data classification; in this case, management of the finance department would be the owners of accounting ledger data. The database administrator (DBA) and IT management are the custodians of the data who would apply the appropriate security levels for the classification, while the security manager would act as an advisor and enforcer.

490 What is the GREATEST advantage of documented guidelines and operating procedures from a security perspective? A. Provide detailed instructions on how to carry out different types of tasks B. Ensure consistency of activities to provide a more stable environment C. Ensure compliance to security standards and regulatory requirements D. Ensure reusability to meet compliance to quality requirements

B Explanation: Developing procedures and guidelines to ensure that business processes address information security risk is critical to the management of an information security program. Developing procedures and guidelines establishes a baseline for security program performance and consistency of security activities.

556 A post-incident review should be conducted by an incident management team to determine: A. relevant electronic evidence. B. lessons learned. C. hacker's identity. D. areas affected.

B Explanation: Post-incident reviews are beneficial in determining ways to improve the response process through lessons learned from the attack. Evaluating the relevance of evidence, who launched the attack or what areas were affected are not the primary purposes for such a meeting because these should have been already established during the response to the incident.

What would be the MOST significant security risks when using wireless local area network (LAN) technology? A. Man-in-the-middle attack B. Spoofing of data packets C. Rogue access point D. Session hijacking

303 Which of the following is the BEST method to provide a new user with their initial password for email system access? 143 A. Interoffice a system-generated complex password with 30 days expiration B. Give a dummy password over the telephone set for immediate expiration C. Require no password but force the user to set their own in 10 days D. Set initial password equal to the user ID with expiration in 30 days

B Explanation: Documenting the password on paper is not the best method even if sent through interoffice mail if the password is complex and difficult to memorize, the user will likely keep the printed password and this creates a security concern. A dummy (temporary) password that will need to be changed upon first logon is the best method because it is reset immediately and replaced with the user's choice of password, which will make it easier for the user to remember. If it is given to the wrong person, the legitimate user will likely notify security if still unable to access the system, so the security risk is low. Setting an account with no initial password is a security concern even if it is just for a few days. Choice D provides the greatest security threat because user IDs are typically known by both users and security staff, thus compromising access for up to 30 days.

357 Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message? A. Encrypting first by receiver's private key and second by sender's public key B. Encrypting first by sender's private key and second by receiver's public key C. Encrypting first by sender's private key and second decrypting by sender's public key D. Encrypting first by sender's public key and second by receiver's private key

B Explanation: Encrypting by the sender's private key ensures authentication. By being able to decrypt with the sender's public key, the receiver would know that the message is sent by the sender only and the sender cannot deny/repudiate the message. By encrypting with the sender's public key secondly, only the sender will be able to decrypt the message and confidentiality is assured. The receiver's private key is private to the receiver and the sender cannot have it for encryption. Similarly, the receiver will not have the private key of the sender to decrypt the second-level encryption. In the 169 case of encrypting first by the sender's private key and. second, decrypting by the sender's public key, confidentiality is not ensured since the message can be decrypted by anyone using the sender's public key. The receiver's private key would not be available to the sender for secondlevel encryption. Similarly, the sender's private key would not be available to the receiver for decrypting the message.

373 Which of the following would BEST protect an organization's confidential data stored on a laptop computer from unauthorized access? A. Strong authentication by password B. Encrypted hard drives C. Multifactor authentication procedures D. Network-based data backup

B Explanation: Encryption of the hard disks will prevent unauthorized access to the laptop even when the laptop is lost or stolen. Strong authentication by password can be bypassed by a determined hacker. Multifactor authentication can be bypassed by removal of the hard drive and insertion into another laptop. Network- based data backups do not prevent access but rather recovery from data loss.

371 What is the BEST policy for securing data on mobile universal serial bus (USB) drives? A. Authentication B. Encryption C. Prohibit employees from copying data to l)SB devices D. Limit the use of USB devices

B Explanation: Encryption provides the most effective protection of data on mobile devices. Authentication on its own is not very secure. Prohibiting employees from copying data to USB devices and limiting the use of USB devices are after the fact.

562 Which of the following terms and conditions represent a significant deficiency if included in a commercial hot site contract? A. A hot site facility will be shared in multiple disaster declarations B. All equipment is provided "at time of disaster, not on floor" C. The facility is subject to a "first-come, first-served" policy D. Equipment may be substituted with equivalent model

B Explanation: Equipment provided "at time of disaster (ATOD), not on floor" means that the equipment is not available but will be acquired by the commercial hot site provider ON a best effort basis. This leaves the customer at the mercy of the marketplace. If equipment is not immediately available, the recovery will be delayed. Many commercial providers do require sharing facilities in cases where there are multiple simultaneous declarations, and that priority may be established on a firstcome, first-served basis. It is also common for the provider to substitute equivalent or better equipment, as they are frequently upgrading and changing equipment.

554 An incident response policy must contain: A. updated call trees. B. escalation criteria. C. press release templates. D. critical backup files inventory.

B Explanation: Escalation criteria, indicating the circumstances under which specific actions are to be undertaken, should be contained within an incident response policy. Telephone trees, press release templates and lists of critical backup files are too detailed to be included in a policy document.

242 The PRIMARY reason for initiating a policy exception process is when: A. operations are too busy to comply. B. the risk is justified by the benefit. C. policy compliance would be difficult to enforce. D. users may initially be inconvenienced.

B Explanation: Exceptions to policy are warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits. Being busy is not a justification for policy exceptions, nor is the fact that compliance cannot be enforced. User inconvenience is not a reason to automatically grant exception to a policy.

340 Which of the following practices completely prevents a man-in-the-middle (MitM) attack between two hosts? A. Use security tokens for authentication B. Connect through an IPSec VPN C. Use https with a server-side certificate D. Enforce static media access control (MAC) addresses

B Explanation: IPSec effectively prevents man-in-the-middle (MitM) attacks by including source and destination IPs within the encrypted portion of the packet. The protocol is resilient to MitM attacks. Using token-based authentication does not prevent a MitM attack; however, it may help eliminate reusability of stolen cleartext credentials. An https session can be intercepted through Domain Name Server (DNS) or Address Resolution Protocol (ARP) poisoning. ARP poisoning—a specific kind of MitM attack—may be prevented by setting static media access control (MAC) addresses. Nevertheless, DNS and NetBIOS resolution can still be attacked to deviate traffic. 161

A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value? A. Examples of genuine incidents at similar organizations B. Statement of generally accepted best practices C. Associating realistic threats to corporate objectives D. Analysis of current technological exposures

530 An organization's operations staff places payment files in a shared network folder and then the disbursement staff picks up the files for payment processing. This manual intervention will be automated some months later, thus cost-efficient controls are sought to protect against file alterations. Which of the following would be the BEST solution? A. Design a training program for the staff involved to heighten information security awareness B. Set role-based access permissions on the shared folder C. The end user develops a PC macro program to compare sender and recipient file contents D. Shared folder operators sign an agreement to pledge not to commit fraudulent activities

B Explanation: Ideally, requesting that the IT department develop an automated integrity check would be desirable, but given the temporary nature of the problem, the risk can be mitigated by setting stringent access permissions on the shared folder. Operations staff should only have write access and disbursement staff should only have read access, and everyone else, including the administrator, should be disallowed. An information security awareness program and/or signing an agreement to not engage in fraudulent activities may help deter attempts made by employees: however, as long as employees see a chance of personal gain when internal control is loose, they may embark on unlawful activities such as alteration of payment files. A PC macro would be an inexpensive automated solution to develop with control reports. However, sound independence or segregation of duties cannot be expected in the reconciliation process since it is run by an enduser group. Therefore, this option may not provide sufficient proof.

246 In assessing the degree to which an organization may be affected by new privacy legislation, information security management should FIRST: 116 A. develop an operational plan for achieving compliance with the legislation. B. identify systems and processes that contain privacy components. C. restrict the collection of personal information until compliant. D. identify privacy legislation in other countries that may contain similar requirements.

B Explanation: Identifying the relevant systems and processes is the best first step. Developing an operational plan for achieving compliance with the legislation is incorrect because it is not the first step. Restricting the collection of personal information comes later. Identifying privacy legislation in other countries would not add much value.

557 An organization with multiple data centers has designated one of its own facilities as the recovery site. The MOST important concern is the: A. communication line capacity between data centers. B. current processing capacity loads at data centers. C. differences in logical security at each center. D. synchronization of system software release versions.

B Explanation: If data centers are operating at or near capacity, it may prove difficult to recover critical operations at an alternate data center. Although line capacity is important from a mirroring perspective, this is secondary to having the necessary capacity to restore critical systems. By comparison, differences in logical and physical security and synchronization of system software releases are much easier issues to overcome and are, therefore, of less concern.

569 Which of the following actions should be taken when an information security manager discovers that a hacker is foot printing the network perimeter? A. Reboot the border router connected to the firewall B. Check IDS logs and monitor for any active attacks C. Update IDS software to the latest available version D. Enable server trace logging on the DMZ segment

B Explanation: Information security should check the intrusion detection system (IDS) logs and continue to monitor the situation. It would be inappropriate to take any action beyond that. In fact, updating the IDS could create a temporary exposure until the new version can be properly tuned. Rebooting the router and enabling server trace routing would not be warranted.

133 Information security should be: A. focused on eliminating all risks. B. a balance between technical and business requirements. C. driven by regulatory requirements. D. defined by the board of directors.

B Explanation: Information security should ensure that business objectives are met given available technical capabilities, resource constraints and compliance requirements. It is not practical or feasible to eliminate all risks. Regulatory requirements must be considered, but are inputs to the business considerations. The board of directors does not define information security, but provides direction 64 in support of the business goals and objectives.

504 The PRIMARY reason for involving information security at each stage in the systems development life cycle (SDLC) is to identify the security implications and potential solutions required for: A. identifying vulnerabilities in the system. B. sustaining the organization's security posture. C. the existing systems that will be affected. D. complying with segregation of duties.

B Explanation: It is important to maintain the organization's security posture at all times. The focus should not be confined to the new system being developed or acquired, or to the existing systems in use. Segregation of duties is only part of a solution to improving the security of the systems, not the primary reason to involve security in the systems development life cycle (SDLC).

423 The PRIMARY objective of security awareness is to: A. ensure that security policies are understood. B. influence employee behavior. C. ensure legal and regulatory compliance D. notify of actions for noncompliance.

B Explanation: It is most important that security-conscious behavior be encouraged among employees through training that influences expected responses to security incidents. Ensuring that policies are read and understood, giving employees fair warning of potential disciplinary action, or meeting legal and regulatory requirements is important but secondary. 200

486 To mitigate a situation where one of the programmers of an application requires access to production data, the information security manager could BEST recommend to. A. create a separate account for the programmer as a power user. B. log all of the programmers' activity for review by supervisor. C. have the programmer sign a letter accepting full responsibility. D. perform regular audits of the application.

B Explanation: It is not always possible to provide adequate segregation of duties between programming and operations in order to meet certain business requirements. A mitigating control is to record all of the programmers' actions for later review by their supervisor, which would reduce the likelihood of any inappropriate action on the part of the programmer. Choices A, C and D do not solve the problem.

244 To determine the selection of controls required to meet business objectives, an information security manager should: A. prioritize the use of role-based access controls. B. focus on key controls. C. restrict controls to only critical applications. D. focus on automated controls.

B Explanation: Key controls primarily reduce risk and are most effective for the protection of information assets. The other choices could be examples of possible key controls.

585 In the course of responding 10 an information security incident, the BEST way to treat evidence for possible legal action is defined by: A. international standards. B. local regulations. C. generally accepted best practices. D. organizational security policies.

B Explanation: Legal follow-up will most likely be performed locally where the incident took place; therefore, it is critical that the procedure of treating evidence is in compliance with local regulations. In certain countries, there are strict regulations on what information can be collected. When evidence collected is not in compliance with local regulations, it may not be admissible in court. There are no common regulations to treat computer evidence that are accepted internationally. Generally accepted best practices such as a common chain-of-custody concept may have different implementation in different countries, and thus may not be a good assurance that evidence will be admissible. Local regulations always take precedence over organizational security policies.

256 When performing a qualitative risk analysis, which of the following will BEST produce reliable results? A. Estimated productivity losses B. Possible scenarios with threats and impacts C. Value of information assets D. Vulnerability assessment

B Explanation: Listing all possible scenarios that could occur, along with threats and impacts, will better frame the range of risks and facilitate a more informed discussion and decision. Estimated productivity losses, value of information assets and vulnerability assessments would not be sufficient on their 121 own.

472 Which of the following events generally has the highest information security impact? A. Opening a new office B. Merging with another organization C. Relocating the data center D. Rewiring the network

B Explanation: Merging with or acquiring another organization causes a major impact on an information security management function because new vulnerabilities and risks are inherited. Opening a new office, moving the data center to a new site, or rewiring a network may have information security risks, but generally comply with corporate security policy and are easier to secure.

398 Which of the following is the BEST indicator that security awareness training has been effective? A. Employees sign to acknowledge the security policy B. More incidents are being reported C. A majority of employees have completed training D. No incidents have been reported in three months

B Explanation: More incidents being reported could be an indicator that the staff is paying more attention to security. Employee signatures and training completion may or may not have anything to do with awareness levels. The number of individuals trained may not indicate they are more aware. No recent security incidents does not reflect awareness levels, but may prompt further research to confirm.

162 Which of the following will BEST prevent external security attacks? A. Static IP addressing B. Network address translation C. Background checks for temporary employees D. Securing and analyzing system access logs

B Explanation: Network address translation is helpful by having internal addresses that are nonroutable. Background checks of temporary employees are more likely to prevent an attack launched from within the enterprise. Static IP addressing does little to prevent an attack. Writing all computer logs to removable media does not help in preventing an attack.

425 Which of the following represents a PRIMARY area of interest when conducting a penetration test? A. Data mining B. Network mapping C. Intrusion Detection System (IDS) D. Customer data

B Explanation: Network mapping is the process of determining the topology of the network one wishes to penetrate. This is one of the first steps toward determining points of attack in a network. Data mining is associated with ad hoc reporting and. together with customer data, they are potential targets after the network is penetrated. The intrusion detection mechanism in place is not an area of focus because one of the objectives is to determine how effectively it protects the network or how easy it is to circumvent. 201

360 A risk assessment study carried out by an organization noted that there is no segmentation of the local area network (LAN). Network segmentation would reduce the potential impact of which of the following? A. Denial of service (DoS) attacks B. Traffic sniffing C. Virus infections D. IP address spoofing

B Explanation: Network segmentation reduces the impact of traffic sniffing by limiting the amount of traffic that may be visible on any one network segment. Network segmentation would not mitigate the risk posed by denial of service (DoS) attacks, virus infections or IP address spoofing since each of these would be able to traverse network segments.

457 An information security manager has been asked to develop a change control process. What is the FIRST thing the information security manager should do? A. Research best practices B. Meet with stakeholders C. Establish change control procedures D. Identify critical systems

B Explanation: No new process will be successful unless it is adhered to by all stakeholders; to the extent stakeholders have input, they can be expected to follow the process. Without consensus agreement from the stakeholders, the scope of the research is too wide; input on the current environment is necessary to focus research effectively. It is premature to implement procedures without stakeholder consensus and research. Without knowing what the process will be the parameters to baseline are unknown as well.

598 What is the BEST method for mitigating against network denial of service (DoS) attacks? A. Ensure all servers are up-to-date on OS patches B. Employ packet filtering to drop suspect packets C. Implement network address translation to make internal addresses nonroutable D. Implement load balancing for Internet facing devices

B Explanation: Packet filtering techniques are the only ones which reduce network congestion caused by a network denial of service (DoS) attack. Patching servers, in general, will not affect network traffic. Implementing network address translation and load balancing would not be as effective in mitigating most network DoS attacks.

250 Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes? A. Business impact analysis (BIA) B. Penetration testing C. Audit and review D. Threat analysis 118

B Explanation: Penetration testing focuses on identifying vulnerabilities. None of the other choices would identify vulnerabilities introduced by changes.

247 Risk assessment is MOST effective when performed: A. at the beginning of security program development. B. on a continuous basis. C. while developing the business case for the security program. D. during the business change process.

B Explanation: Risk assessment needs to be performed on a continuous basis because of organizational and technical changes. Risk assessment must take into account all significant changes in order to be effective.

324 Which of the following practices is BEST to remove system access for contractors and other temporary users when it is no longer required? A. Log all account usage and send it to their manager 153 B. Establish predetermined automatic expiration dates C. Require managers to e-mail security when the user leaves D. Ensure each individual has signed a security acknowledgement

B Explanation: Predetermined expiration dates are the most effective means of removing systems access for temporary users. Reliance on managers to promptly send in termination notices cannot always be counted on, while requiring each individual to sign a security acknowledgement would have little effect in this case.

545 Which of the following should be determined FIRST when establishing a business continuity program? A. Cost to rebuild information processing facilities B. Incremental daily cost of the unavailability of systems C. Location and cost of offsite recovery facilities D. Composition and mission of individual recovery teams

B Explanation: Prior to creating a detailed business continuity plan, it is important to determine the incremental daily cost of losing different systems. This will allow recovery time objectives to be determined which, in turn, affects the location and cost of offsite recovery facilities, and the composition and mission of individual recovery teams. Determining the cost to rebuild information processing facilities would not be the first thing to determine.

369 Which of the following controls would BEST prevent accidental system shutdown from the console or operations area? A. Redundant power supplies B. Protective switch covers C. Shutdown alarms D. Biometric readers

B Explanation: Protective switch covers would reduce the possibility of an individual accidentally pressing the power button on a device, thereby turning off the device. Redundant power supplies would not prevent an individual from powering down a device. Shutdown alarms would be after the fact. Biometric readers would be used to control access to the systems.

347 Which of the following BEST provides message integrity, sender identity authentication and 164 nonrepudiation? A. Symmetric cryptography B. Public key infrastructure (PKI) C. Message hashing D. Message authentication code

B Explanation: Public key infrastructure (PKI) combines public key encryption with a trusted third party to publish and revoke digital certificates that contain the public key of the sender. Senders can digitally sign a message with their private key and attach their digital certificate (provided by the trusted third party). These characteristics allow senders to provide authentication, integrity validation and nonrepudiation. Symmetric cryptography provides confidentiality. Mashing can provide integrity and confidentiality. Message authentication codes provide integrity.

575 A computer incident response team (CIRT) manual should PRIMARILY contain which of the following documents? A. Risk assessment results B. Severity criteria C. Emergency call tree directory D. Table of critical backup files

B Explanation: Quickly ranking the severity criteria of an incident is a key element of incident response. The other choices refer to documents that would not likely be included in a computer incident response team (CIRT) manual.

565 The business continuity policy should contain which of the following? A. Emergency call trees B. Recovery criteria C. Business impact assessment (BIA) D. Critical backups inventory

B Explanation: Recovery criteria, indicating the circumstances under which specific actions are undertaken, should be contained within a business continuity policy. Telephone trees, business impact assessments (BIAs) and listings of critical backup files are too detailed to include in a policy document.

529 Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services? A. Provide security awareness training to the third-party provider's employees B. Conduct regular security reviews of the third-party provider C. Include security requirements in the service contract D. Request that the third-party provider comply with the organization's information security policy

B Explanation: Regular security audits and reviews of the practices of the provider to prevent potential information security damage will help verify the security of outsourced services. Depending on the type of services outsourced, security awareness may not be necessary. Security requirements should be included in the contract, but what is most important is verifying that the requirements are met by the provider. It is not necessary to require the provider to fully comply with the policy if only some of the policy is related and applicable.

301 142 Security awareness training is MOST likely to lead to which of the following? A. Decrease in intrusion incidents B. Increase in reported incidents C. Decrease in security policy changes D. Increase in access rule violations

B Explanation: Reported incidents will provide an indicator as to the awareness level of staff. An increase in reported incidents could indicate that staff is paying more attention to security. Intrusion incidents and access rule violations may or may not have anything to do with awareness levels. A decrease in changes to security policies may or may not correlate to security awareness training.

526 Of the following, retention of business records should be PRIMARILY based on: A. periodic vulnerability assessment. B. regulatory and legal requirements. C. device storage capacity and longevity. D. past litigation.

B Explanation: Retention of business records is a business requirement that must consider regulatory and legal requirements based on geographic location and industry. Options A and C are important elements for making the decision, but the primary driver is the legal and regulatory requirements that need to be followed by all companies. Record retention may take into consideration past litigation, but it should not be the primary decision factor.

157 Risk acceptance is a component of which of the following? A. Assessment B. Mitigation C. Evaluation D. Monitoring

B Explanation: Risk acceptance is one of the alternatives to be considered in the risk mitigation process. Assessment and evaluation are components of the risk analysis process. Risk acceptance is not a component of monitoring.

172 Which of the following BEST describes the scope of risk analysis? A. Key financial systems B. Organizational activities C. Key systems and infrastructure D. Systems subject to regulatory compliance

B Explanation: Risk analysis should include all organizational activities. It should not be limited to subsets of 82 systems or just systems and infrastructure.

A security manager meeting the requirements for the international flow of personal data will need to ensure: A. a data processing agreement. B. a data protection registration. C. the agreement of the data subjects. D. subject access procedures.

141 A risk management program should reduce risk to: A. zero. B. an acceptable level. C. an acceptable percent of revenue. D. an acceptable probability of occurrence.

B Explanation: Risk should be reduced to an acceptable level based on the risk preference of the organization. Reducing risk to zero is impractical and could be cost-prohibitive. Tying risk to a percentage of revenue is inadvisable since there is no direct correlation between the two. Reducing the probability of risk occurrence may not always be possible, as in the ease of natural disasters. The focus should be on reducing the impact to an acceptable level to the organization, not reducing the 68 probability of the risk.

142 The MOST important reason for conducting periodic risk assessments is because: A. risk assessments are not always precise. B. security risks are subject to frequent change. C. reviewers can optimize and reduce the cost of controls. D. it demonstrates to senior management that the security function can add value.

B Explanation: Risks are constantly changing. A previously conducted risk assessment may not include measured risks that have been introduced since the last assessment. Although an assessment can never be perfect and invariably contains some errors, this is not the most important reason for periodic reassessment. The fact that controls can be made more efficient to reduce costs is not sufficient. Finally, risk assessments should not be performed merely to justify the existence of the security function.

278 Which of the following is the MOST effective type of access control? A. Centralized B. Role-based C. Decentralized D. Discretionary

B Explanation: Role-based access control allows users to be grouped into job-related categories, which significantly cases the required administrative overhead. Discretionary access control would require a greater degree of administrative overhead. Decentralized access control generally requires a greater number of staff to administer, while centralized access control is an incomplete answer.

462 In business critical applications, where shared access to elevated privileges by a small group is necessary, the BEST approach to implement adequate segregation of duties is to: A. ensure access to individual functions can be granted to individual users only. B. implement role-based access control in the application. C. enforce manual procedures ensuring separation of conflicting duties. D. create service accounts that can only be used by authorized team members.

B Explanation: Role-based access control is the best way to implement appropriate segregation of duties. Roles will have to be defined once and then the user could be changed from one role to another without redefining the content of the role each time. Access to individual functions will not ensure appropriate segregation of duties. Giving a user access to all functions and implementing, in parallel, a manual procedure ensuring segregation of duties is not an effective method, and would be difficult to enforce and monitor. Creating service accounts that can be used by authorized team members would not provide any help unless their roles are properly segregated.

455 Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken? A. Information security officer B. Security steering committee C. Data owner D. Data custodian

B Explanation: Routine administration of all aspects of security is delegated, but senior management must retain overall responsibility. The information security officer supports and implements information security for senior management. The data owner is responsible for categorizing data security requirements. The data custodian supports and implements information security as directed.

389 The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to: A. perform penetration testing. B. establish security baselines. C. implement vendor default settings. D. link policies to an independent standard.

B Explanation: Security baselines will provide the best assurance that each platform meets minimum criteria. Penetration testing will not be as effective and can only be performed periodically. Vendor default settings will not necessarily meet the criteria set by the security policies, while linking policies to an independent standard will not provide assurance that the platforms meet these levels of security.

397 In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software? A. Applying patches B. Changing access rules C. Upgrading hardware D. Backing up files 188

B Explanation: Security software will generally have a well-controlled process for applying patches, backing up files and upgrading hardware. The greatest risk occurs when access rules are changed since they are susceptible to being opened up too much, which can result in the creation of a security exposure.

432 Which of the following are the MOST important individuals to include as members of an information security steering committee? A. Direct reports to the chief information officer 204 B. IT management and key business process owners C. Cross-section of end users and IT professionals D. Internal audit and corporate legal departments

B Explanation: Security steering committees provide a forum for management to express its opinion and take some ownership in the decision making process. It is imperative that business process owners be included in this process. None of the other choices includes input by business process owners.

506 A third party was engaged to develop a business application. Which of the following would an information security manager BEST test for the existence of back doors? A. System monitoring for traffic on network ports B. Security code reviews for the entire application C. Reverse engineering the application binaries D. Running the application from a high-privileged account on a test system

B Explanation: Security' code reviews for the entire application is the best measure and will involve reviewing the entire source code to detect all instances of back doors. System monitoring for traffic on network ports would not be able to detect all instances of back doors and is time consuming and would take a lot of effort. Reverse engineering the application binaries may not provide any definite clues. Back doors will not surface by running the application on high-privileged accounts since back doors are usually hidden accounts in the applications.

436 Which of the following is an inherent weakness of signature-based intrusion detection systems? A. A higher number of false positives B. New attack methods will be missed C. Long duration probing will be missed D. Attack profiles can be easily spoofed

B Explanation: Signature-based intrusion detection systems do not detect new attack methods for which signatures have not yet been developed. False positives are not necessarily any higher, and 206 spoofing is not relevant in this case. Long duration probing is more likely to fool anomaly-based systems (boiling frog technique).

577 Which of the following would represent a violation of the chain of custody when a backup tape has been identified as evidence in a fraud investigation? The tape was: A. removed into the custody of law enforcement investigators. B. kept in the tape library' pending further analysis. C. sealed in a signed envelope and locked in a safe under dual control. D. handed over to authorized independent investigators.

B Explanation: Since a number of individuals would have access to the tape library, and could have accessed and tampered with the tape, the chain of custody could not be verified. All other choices provide clear indication of who was in custody of the tape at all times.

235 An organization has to comply with recently published industry regulatory requirements—compliance that potentially has high implementation costs. What should the information security manager do FIRST? A. Implement a security committee. 111 B. Perform a gap analysis. C. Implement compensating controls. D. Demand immediate compliance.

B Explanation: Since they are regulatory requirements, a gap analysis would be the first step to determine the level of compliance already in place. Implementing a security committee or compensating controls would not be the first step. Demanding immediate compliance would not assess the situation.

393 Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual needing to have his, her password reset? A. Performing reviews of password resets B. Conducting security awareness programs C. Increasing the frequency of password changes D. Implementing automatic password syntax checking

B Explanation: Social engineering can be mitigated best through periodic security awareness training for staff members who may be the target of such an attempt. Changing the frequency of password changes, strengthening passwords and checking the number of password resets may be desirable, but they will not be as effective in reducing the likelihood of a social engineering attack.

415 In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources? A. Implementing on-screen masking of passwords 196 B. Conducting periodic security awareness programs C. Increasing the frequency of password changes D. Requiring that passwords be kept strictly confidential

B Explanation: Social engineering can best be mitigated through periodic security awareness training for users who may be the target of such an attempt. Implementing on-screen masking of passwords and increasing the frequency of password changes are desirable, but these will not be effective in reducing the likelihood of a successful social engineering attack. Requiring that passwords be kept secret in security policies is a good control but is not as effective as periodic security awareness programs that will alert users of the dangers posed by social engineering.

440 Which of the following is the MOST appropriate method for deploying operating system (OS) patches to production application servers? A. Batch patches into frequent server updates B. Initially load the patches on a test machine C. Set up servers to automatically download patches D. Automatically push all patches to the servers

B Explanation: Some patches can conflict with application code. For this reason, it is very important to first test all patches in a test environment to ensure that there are no conflicts with existing application systems. For this reason, choices C and D are incorrect as they advocate automatic updating. As for frequent server updates, this is an incomplete (vague) answer from the choices given.

330 Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network? A. Boundary router B. Strong encryption C. Internet-facing firewall D. Intrusion detection system (IDS)

B Explanation: Strong encryption is the most effective means of protecting wireless networks. Boundary routers, intrusion detection systems (IDSs) and firewalling the Internet would not be as effective. 156

438 Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process? A. System analyst B. System user C. Operations manager D. Data security officer

B Explanation: System users, specifically the user acceptance testers, would be in the best position to note whether new exposures are introduced during the change management process. The system designer or system analyst, data security officer and operations manager would not be as closely involved in testing code changes. 207

266 All risk management activities are PRIMARILY designed to reduce impacts to: A. a level defined by the security manager. B. an acceptable level based on organizational risk tolerance. C. a minimum level consistent with regulatory requirements. D. the minimum level possible.

B Explanation: The aim of risk management is to reduce impacts to an acceptable level. "Acceptable" or "reasonable" are relative terms that can vary based on environment and circumstances. A minimum level that is consistent with regulatory requirements may not be consistent with business objectives, and regulators typically do not assign risk levels. The minimum level possible may not be aligned with business requirements.

254 The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for: A. determining the scope for inclusion in an information security program. B. defining the level of access controls. C. justifying costs for information resources. D. determining the overall budget of an information security program.

B Explanation: The assigned class of sensitivity and criticality of the information resource determines the level of access controls to be put in place. The assignment of sensitivity and criticality takes place with the information assets that have already been included in the information security program and has 120 only an indirect bearing on the costs to be incurred. The assignment of sensitivity and criticality contributes to, but does not decide, the overall budget of the information security program.

349 To BEST improve the alignment of the information security objectives in an organization, the chief 165 information security officer (CISO) should: A. revise the information security program. B. evaluate a balanced business scorecard. C. conduct regular user awareness sessions. D. perform penetration tests.

B Explanation: The balanced business scorecard can track the effectiveness of how an organization executes it information security strategy and determine areas of improvement. Revising the information security program may be a solution, but is not the best solution to improve alignment of the information security objectives. User awareness is just one of the areas the organization must track through the balanced business scorecard. Performing penetration tests does not affect alignment with information security objectives.

233 The BEST strategy for risk management is to: A. achieve a balance between risk and organizational goals. B. reduce risk to an acceptable level. C. ensure that policy development properly considers organizational risks. D. ensure that all unmitigated risks are accepted by management. 110

B Explanation: The best strategy for risk management is to reduce risk to an acceptable level, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk. Achieving balance between risk and organizational goals is not always practical. Policy development must consider organizational risks as well as business objectives. It may be prudent to ensure that management understands and accepts risks that it is not willing to mitigate, but that is a practice and is not sufficient to l>e considered a strategy.

391 The BEST way to ensure that information security policies are followed is to: A. distribute printed copies to all employees. B. perform periodic reviews for compliance. C. include escalating penalties for noncompliance. D. establish an anonymous hotline to report policy abuses.

B Explanation: The best way to ensure that information security policies are followed is to periodically review levels of compliance. Distributing printed copies, advertising an abuse hotline or linking policies to an international standard will not motivate individuals as much as the consequences of being found in noncompliance. Escalating penalties will first require a compliance review.

209 Which of the following would help management determine the resources needed to mitigate a risk to the organization? A. Risk analysis process B. Business impact analysis (BIA) C. Risk management balanced scorecard D. Risk-based audit program

B Explanation: The business impact analysis (BIA) determines the possible outcome of a risk and is essential to determine the appropriate cost of control. The risk analysis process provides comprehensive data, but does not determine definite resources to mitigate the risk as does the BIA. The risk management balanced scorecard is a measuring tool for goal attainment. A risk-based audit program is used to focus the audit process on the areas of greatest importance to the organization. 99

195 After completing a full IT risk assessment, who can BEST decide which mitigating controls should be implemented? A. Senior management B. Business manager C. IT audit manager D. Information security officer (ISO)

B Explanation: The business manager will be in the best position, based on the risk assessment and mitigation proposals. to decide which controls should/could be implemented, in line with the business strategy and with budget. Senior management will have to ensure that the business manager has a clear understanding of the risk assessed but in no case will be in a position to decide on specific controls. The IT audit manager will take part in the process to identify threats and vulnerabilities, and to make recommendations for mitigations. The information security officer (ISO) could make some decisions regarding implementation of controls. However, the business manager will have a broader business view and full control over the budget and, therefore, will be in a better position to make strategic decisions.

378 A digital signature using a public key infrastructure (PKI) will: A. not ensure the integrity of a message. B. rely on the extent to which the certificate authority (CA) is trusted. C. require two parties to the message exchange. D. provide a high level of confidentiality.

B Explanation: The certificate authority (CA) is a trusted third party that attests to the identity of the signatory, and 179 reliance will be a function of the level of trust afforded the CA. A digital signature would provide a level of assurance of message integrity, but it is a three-party exchange, including the CA. Digital signatures do not require encryption of the message in order to preserve confidentiality.

177 Which of the following risks would BEST be assessed using quantitative risk assessment techniques? 84 A. Customer data stolen B. An electrical power outage C. A web site defaced by hackers D. Loss of the software development team

B Explanation: The effect of the theft of customer data or web site defacement by hackers could lead to a permanent decline in customer confidence, which does not lend itself to measurement by quantitative techniques. Loss of a majority of the software development team could have similar unpredictable repercussions. However, the loss of electrical power for a short duration is more easily measurable and can be quantified into monetary amounts that can be assessed with quantitative techniques.

174 Which of the following is the PRIMARY reason for implementing a risk management program? A. Allows the organization to eliminate risk B. Is a necessary part of management's due diligence C. Satisfies audit and regulatory requirements D. Assists in incrementing the return on investment (ROD

B Explanation: The key reason for performing risk management is that it is part of management's due diligence. The elimination of all risk is not possible. Satisfying audit and regulatory requirements is of secondary importance. A risk management program may or may not increase the return on investment (ROD. 83

171 Based on the information provided, which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations? A. Systems operation procedures are not enforced B. Change management procedures are poor C. Systems development is outsourced D. Systems capacity management is not performed

B Explanation: The lack of change management is a severe omission and will greatly increase information security risk. Since procedures are generally nonauthoritative, their lack of enforcement is not a primary concern. Systems that are developed by third-party vendors are becoming commonplace and do not represent an increase in security risk as much as poor change management. Poor capacity management may not necessarily represent a security risk.

402 Prior to having a third party perform an attack and penetration test against an organization, the MOST important action is to ensure that: A. the third party provides a demonstration on a test system. B. goals and objectives are clearly defined. C. the technical staff has been briefed on what to expect. D. special backups of production servers are taken.

B Explanation: The most important action is to clearly define the goals and objectives of the test. Assuming that adequate backup procedures are in place, special backups should not be necessary. Technical staff should not be briefed nor should there be a demo as this will reduce the spontaneity of the test.

409 Security policies should be aligned MOST closely with: A. industry' best practices. B. organizational needs. C. generally accepted standards. D. local laws and regulations.

B Explanation: The needs of the organization should always take precedence. Best practices and local regulations are important, but they do not take into account the total needs of an organization.

447 Which of the following is the MOST important area of focus when examining potential security compromise of a new wireless network? A. Signal strength B. Number of administrators C. Bandwidth D. Encryption strength

B Explanation: The number of individuals with access to the network configuration presents a security risk. Encryption strength is an area where wireless networks tend to fall short; however, the potential to compromise the entire network is higher when an inappropriate number of people can alter the configuration. Signal strength and network bandwidth are secondary issues.

207 A risk management program would be expected to: A. remove all inherent risk. B. maintain residual risk at an acceptable level. C. implement preventive controls for every threat. D. reduce control risk to zero.

B Explanation: The object of risk management is to ensure that all residual risk is maintained at a level acceptable to the business; it is not intended to remove every identified risk or implement controls for every threat since this may not be cost-effective. Control risk, i.e., that a control may not be effective, is a component of the program but is unlikely to be reduced to zero. 98

368 The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information security program is to: 174 A. ensure the confidentiality of sensitive material. B. provide a high assurance of identity. C. allow deployment of the active directory. D. implement secure sockets layer (SSL) encryption.

B Explanation: The primary purpose of a public key infrastructure (PKI) is to provide strong authentication. Confidentiality is a function of the session keys distributed by the PKI. An active directory can use PKI for authentication as well as using other means. Even though secure sockets layer (SSL) encryption requires keys to authenticate, it is not the main reason for deploying PKI.

182 Which two components PRIMARILY must be assessed in an effective risk analysis? A. Visibility and duration B. Likelihood and impact C. Probability and frequency D. Financial impact and duration

B Explanation: The probability or likelihood of the event and the financial impact or magnitude of the event must be assessed first. Duration refers to the length of the event; it is important in order to assess impact but is secondary. Once the likelihood is determined, the frequency is also important to determine overall impact.

590 In designing a backup strategy that will be consistent with a disaster recovery strategy, the PRIMARY factor to be taken into account will be the: A. volume of sensitive data. B. recovery point objective (RPO). C. recovery' time objective (RTO). D. interruption window.

B Explanation: The recovery point objective (RPO) defines the maximum loss of data (in terms of time) acceptable by the business (i.e., age of data to be restored). It will directly determine the basic elements of the backup strategy frequency of the backups and what kind of backup is the most appropriate (disk-to-disk, on tape, mirroring). The volume of data will be used to determine the capacity of the backup solution. The recovery time objective (RTO)—the time between disaster and return to normal operation—will not have any impact on the backup strategy. The availability to restore backups in a time frame consistent with the interruption window will have to be checked and will influence the strategy (e.g., full backup vs. incremental), but this will not be the primary factor.

181 Who would be in the BEST position to determine the recovery point objective (RPO) for business applications? A. Business continuity coordinator B. Chief operations officer (COO) C. Information security manager D. Internal audit

B Explanation: The recovery point objective (RPO) is the processing checkpoint to which systems are recovered. In addition to data owners, the chief operations officer (COO) is the most knowledgeable person to make this decision. It would be inappropriate for the information security manager or an internal audit to determine the RPO because they are not directly responsible for the data or the operation. 86

444 Which of the following is MOST important for measuring the effectiveness of a security awareness program? A. Reduced number of security violation reports B. A quantitative evaluation to ensure user comprehension C. Increased interest in focus groups on security issues D. Increased number of security violation reports

B Explanation: To truly judge the effectiveness of security awareness training, some means of measurable testing is necessary to confirm user comprehension. Focus groups may or may not provide meaningful feedback but, in and of themselves, do not provide metrics. An increase or reduction in the number of violation reports may not be indicative of a high level of security awareness.

560 A new e-mail virus that uses an attachment disguised as a picture file is spreading rapidly over the Internet. Which of the following should be performed FIRST in response to this threat? A. Quarantine all picture files stored on file servers B. Block all e-mails containing picture file attachments C. Quarantine all mail servers connected to the Internet D. Block incoming Internet mail, but permit outgoing mail

B Explanation: Until signature files can be updated, incoming e-mail containing picture file attachments should be blocked. Quarantining picture files already stored on file servers is not effective since these files must be intercepted before they are opened. Quarantine of all mail servers or blocking all incoming mail is unnecessary overkill since only those e-mails containing attached picture files are in question.

508 What is the MOS T cost-effective means of improving security awareness of staff personnel? A. Employee monetary incentives B. User education and training C. A zero-tolerance security policy D. Reporting of security infractions

B Explanation: User education and training is the most cost-effective means of influencing staff to improve security since personnel are the weakest link in security. Incentives perform poorly without user education and training. A zero-tolerance security policy would not be as good as education and training. Users would not have the knowledge to accurately interpret and report violations without user education and training.

156 The decision on whether new risks should fall under periodic or event-driven reporting should be based on which of the following? A. Mitigating controls B. Visibility of impact C. Likelihood of occurrence D. Incident frequency

B Explanation: Visibility of impact is the best measure since it manages risks to an organization in the timeliest manner. Likelihood of occurrence and incident frequency are not as relevant. Mitigating controls is not a determining factor on incident reporting. 75

What would a security manager PRIMARILY utilize when proposing the implementation of a security solution? A. Risk assessment report B. Technical evaluation report C. Business case D. Budgetary requirements

386 Which of the following mechanisms is the MOST secure way to implement a secure wireless network? A. Filter media access control (MAC) addresses B. Use a Wi-Fi Protected Access (WPA2) protocol C. Use a Wired Equivalent Privacy (WEP) key D. Web-based authentication

B Explanation: WPA2 is currently one of the most secure authentication and encryption protocols for mainstream wireless products. MAC address filtering by itself is not a good security mechanism since allowed MAC addresses can be easily sniffed and then spoofed to get into the network. WEP is no longer a secure encryption mechanism for wireless communications. The WEP key can be easily broken within minutes using widely available software. And once the WEP key is obtained, all communications of every other wireless client are exposed. Finally, a web-based authentication 183 mechanism can be used to prevent unauthorized user access to a network, but it will not solve the wireless network's main security issues, such as preventing network sniffing.

259 After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program? A. Define security metrics B. Conduct a risk assessment C. Perform a gap analysis D. Procure security tools

B Explanation: When establishing an information security program, conducting a risk assessment is key to identifying the needs of the organization and developing a security strategy. Defining security metrics, performing a gap analysis and procuring security tools are all subsequent considerations.

241 When a significant security breach occurs, what should be reported FIRST to senior management? A. A summary of the security logs that illustrates the sequence of events B. An explanation of the incident and corrective action taken C. An analysis of the impact of similar attacks at other organizations D. A business case for implementing stronger logical access controls

B Explanation: When reporting an incident to senior management, the initial information to be communicated should include an explanation of what happened and how the breach was resolved. A summary of security logs would be too technical to report to senior management. An analysis of the impact of similar attacks and a business case for improving controls would be desirable; however, these 114 would be communicated later in the process.

227 Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company's policies. An information security manager should: A. conduct a risk assessment and allow or disallow based on the outcome. B. recommend a risk assessment and implementation only if the residual risks are accepted. C. recommend against implementation because it violates the company's policies. D. recommend revision of current policy.

B Explanation: Whenever the company's policies cannot be followed, a risk assessment should be conducted to clarify the risks. It is then up to management to accept the risks or to mitigate them. Management determines the level of risk they are willing to take. Recommending revision of current policy should not be triggered by a single request.

228 After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to: A. increase its customer awareness efforts in those regions. B. implement monitoring techniques to detect and react to potential fraud. C. outsource credit card processing to a third party. D. make the customer liable for losses if they fail to follow the bank's advice.

B Explanation: While customer awareness will help mitigate the risks, this is insufficient on its own to control fraud risk. Implementing monitoring techniques which will detect and deal with potential fraud cases is the most effective way to deal with this risk. If the bank outsources its processing, the bank still retains liability. While making the customer liable for losses is a possible approach, nevertheless, the bank needs to be seen to be proactive in managing its risks.

137 Which of the following should be determined while defining risk management strategies? A. Risk assessment criteria B. Organizational objectives and risk appetite C. IT architecture complexity D. Enterprise disaster recovery plans

B Explanation: While defining risk management strategies, one needs to analyze the organization's objectives and risk appetite and define a risk management framework based on this analysis. Some organizations may accept known risks, while others may invest in and apply mitigation controls to 66 reduce risks. Risk assessment criteria would become part of this framework, but only after proper analysis. IT architecture complexity and enterprise disaster recovery plans are more directly related to assessing risks than defining strategies.

499 An information security manager wishing to establish security baselines would: A. include appropriate measurements in the system development life cycle. B. implement the security baselines to establish information security best practices. C. implement the security baselines to fulfill laws and applicable regulations in different jurisdictions. D. leverage information security as a competitive advantage.

B Explanation: While including appropriate measurements in the system development life cycle may indicate a security baseline practice; these are wider in scope and, thus, implementing security baselines to establish information security best practices is the appropriate answer. Implementing security baselines to fulfill laws and applicable regulations in different jurisdictions, and leveraging information security as a competitive advantage may be supplementary benefits of using security baselines.

525 The root cause of a successful cross site request forgery (XSRF) attack against an application is that the vulnerable application: A. uses multiple redirects for completing a data commit transaction. B. has implemented cookies as the sole authentication mechanism. C. has been installed with a non-1egitimate license key. D. is hosted on a server along with other applications.

B Explanation: XSRF exploits inadequate authentication mechanisms in web applications that rely only on elements such as cookies when performing a transaction. XSRF is related to an authentication mechanism, not to redirection. Option C is related to intellectual property rights, not to XSRF vulnerability. Merely hosting multiple applications on the same server is not the root cause of this vulnerability.

A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take? A. Enforce the existing security standard B. Change the standard to permit the deployment C. Perform a risk analysis to quantify the risk D. Perform research to propose use of a better technology

A good privacy statement should include: A. notification of liability on accuracy of information. B. notification that information will be encrypted. C. what the company will do with information it collects. D. a description of the information classification process.

A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the Information security program? A. Representation by regional business leaders B. Composition of the board C. Cultures of the different countries D. IT security skills

A serious vulnerability is reported in the firewall software used by an organization. Which of the following should be the immediate action of the information security manager? A. Ensure that all OS patches are up-to-date B. Block inbound traffic until a suitable solution is found C. Obtain guidance from the firewall manufacturer D. Commission a penetration test

An information security manager believes that a network file server was compromised by a hacker. Which of the following should be the FIRST action taken? A. Unsure that critical data on the server are backed up. B. Shut down the compromised server. C. Initiate the incident response process. D. Shut down the network.

An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of: A. performance measurement. B. integration. C. alignment. D. value delivery.

An unauthorized user gained access to a merchant's database server and customer credit card information. Which of the following would be the FIRST step to preserve and protect unauthorized intrusion activities? A. Shut down and power off the server. B. Duplicate the hard disk of the server immediately. C. Isolate the server from the network. D. Copy the database log file to a protected server.

Developing a successful business case for the acquisition of information security software products can BEST be assisted by: A. assessing the frequency of incidents. B. quantifying the cost of control failures. C. calculating return on investment (ROD projections. D. comparing spending against similar organizations.

During the security review of organizational servers it was found that a file server containing confidential human resources (HR) data was accessible to all user IDs. As a FIRST step, the security manager should: A. copy sample files as evidence. B. remove access privileges to the folder containing the data. C. report this situation to the data owner. D. train the HR team on properly controlling file permissions.

Information security policy enforcement is the responsibility of the: A. security steering committee. B. chief information officer (CIO). C. chief information security officer (CISO). D. chief compliance officer (CCO).

Obtaining senior management support for establishing a warm site can BEST be accomplished by: A. establishing a periodic risk assessment. B. promoting regulatory requirements. C. developing a business case. D. developing effective metrics.

Relationships among security technologies are BEST defined through which of the following? A. Security metrics B. Network topology C. Security architecture D. Process improvement models

Reviewing which of the following would BEST ensure that security controls are effective? A. Risk assessment policies B. Return on security investment C. Security metrics D. User access rights

Security awareness training should be provided to new employees: A. on an as-needed basis. B. during system user training. C. before they have access to data. D. along with department staff.

Senior management commitment and support for information security can BEST be enhanced through: A. a formal security policy sponsored by the chief executive officer (CEO). B. regular security awareness training for employees. C. periodic review of alignment with business management goals. D. senior management signoff on the information security strategy.

The BEST method for detecting and monitoring a hacker's activities without exposing information assets to unnecessary risk is to utilize: A. firewalls. B. bastion hosts. C. decoy files. D. screened subnets.

The MOST appropriate role for senior management in supporting information security is the: A. evaluation of vendors offering security products. B. assessment of risks to the organization. C. approval of policy statements and funding. D. monitoring adherence to regulatory requirements.

The MOST important characteristic of good security policies is that they: A. state expectations of IT management. B. state only one general security mandate. C. are aligned with organizational goals. D. govern the creation of procedures and guidelines.

The MOST important factor in ensuring the success of an information security program is effective: A. communication of information security requirements to all users in the organization. B. formulation of policies and procedures for information security. C. alignment with organizational goals and objectives . D. monitoring compliance with information security policies and procedures.

The cost of implementing a security control should not exceed the: A. annualized loss expectancy. B. cost of an incident. C. asset value. D. implementation opportunity costs.

To justify its ongoing security budget, which of the following would be of MOST use to the information security department? A. Security breach frequency B. Annualized loss expectancy (ALE) C. Cost-benefit analysis D. Peer group comparison

What will have the HIGHEST impact on standard information security governance models? A. Number of employees B. Distance between physical locations C. Complexity of organizational structure D. Organizational budget

When a security standard conflicts with a business objective, the situation should be resolved by: A. changing the security standard. B. changing the business objective. C. performing a risk analysis. D. authorizing a risk acceptance.

When designing an information security quarterly report to management, the MOST important element to be considered should be the: A. information security metrics. B. knowledge required to analyze each issue. C. linkage to business area objectives. D. baseline against which metrics are evaluated.

When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified? A. Business management B. Operations manager C. Information security manager D. System users

When performing a business impact analysis (BIA), which of the following should calculate the recovery time and cost estimates? A. Business continuity coordinator B. Information security manager C. Business process owners D. Industry averages benchmarks

Which of the following MOST commonly falls within the scope of an information security governance steering committee? A. Interviewing candidates for information security specialist positions B. Developing content for security awareness programs C. Prioritizing information security initiatives D. Approving access to critical financial systems

Which of the following are seldom changed in response to technological changes? A. Standards B. Procedures C. Policies D. Guidelines

Which of the following has the highest priority when defining an emergency response plan? A. Critical data B. Critical infrastructure C. Safety of personnel D. Vital records

Which of the following is MOST likely to be discretionary? A. Policies B. Procedures C. Guidelines D. Standards

Which of the following is characteristic of decentralized information security management across a geographically dispersed organization? A. More uniformity in quality of service B. Better adherence to policies C. Better alignment to business unit needs D. More savings in total operating costs

Which of the following is responsible for legal and regulatory liability? A. Chief security officer (CSO) B. Chief legal counsel (CLC) C. Board and senior management D. Information security steering group

Which of the following is the MOST important reason for an information security review of contracts? To help ensure that: A. the parties to the agreement can perform. B. confidential data are not included in the agreement. C. appropriate controls are included. D. the right to audit is a requirement.

Which of the following recovery strategies has the GREATEST chance of failure? A. Hot site B. Redundant site C. Reciprocal arrangement D. Cold site

Which of the following roles would represent a conflict of interest for an information security manager? A. Evaluation of third parties requesting connectivity B. Assessment of the adequacy of disaster recovery plans C. Final approval of information security policies D. Monitoring adherence to physical security controls

Which of the following would be MOST appropriate for collecting and preserving evidence? A. Encrypted hard drives B. Generic audit software C. Proven forensic processes D. Log correlation software

Which of the following would be MOST effective in successfully implementing restrictive password policies? A. Regular password audits B. Single sign-on system C. Security awareness program D. Penalties for noncompliance

Which of the following would be MOST helpful to achieve alignment between information security and organization objectives? A. Key control monitoring B. A robust security awareness program C. A security program that enables business activities D. An effective security architecture

Which of the following would be a MAJOR consideration for an organization defining its business continuity plan (BCP) or disaster recovery program (DRP)? A. Setting up a backup site B. Maintaining redundant systems C. Aligning with recovery time objectives (RTOs) D. Data backup frequency

190 An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the: A. threat. B. loss. C. vulnerability. D. probability.

C Explanation: 90 Implementing more restrictive preventive controls mitigates vulnerabilities but not the threats. Losses and probability of occurrence may not be primarily or directly affected.

129 When an organization is implementing an information security governance program, its board of directors should be responsible for: A. drafting information security policies. B. reviewing training and awareness programs. C. setting the strategic direction of the program. D. auditing for compliance.

C Explanation: A board of directors should establish the strategic direction of the program to ensure that it is in sync with the company's vision and business goals. The board must incorporate the governance program into the overall corporate business strategy. Drafting information security policies is best fulfilled by someone such as a security manager with the expertise to bring balance, scope and 62 focus to the policies. Reviewing training and awareness programs may best be handled by security management and training staff to ensure that the training is on point and follows best practices. Auditing for compliance is best left to the internal and external auditors to provide an objective review of the program and how it meets regulatory and statutory compliance.

531 Which of the following BEST ensures that security risks will be reevaluated when modifications in application developments are made? A. A problem management process B. Background screening C. A change control process D. Business impact analysis (BIA)

C Explanation: A change control process is the methodology that ensures that anything that could be impacted by a development change will be reevaluated. Problem management is the general process intended to manage all problems, not those specifically related to security. Background screening is the process to evaluate employee references when they are hired. BIA is the methodology used to evaluate risks in the business continuity process.

541 As an organization grows, exceptions to information security policies that were not originally specified may become necessary at a later date. In order to ensure effective management of business risks, exceptions to such policies should be: A. considered at the discretion of the information owner. B. approved by the next higher person in the organizational structure. C. formally managed within the information security framework. D. reviewed and approved by the security manager.

C Explanation: A formal process for managing exceptions to information security policies and standards should be included as part of the information security framework. The other options may be contributors to the process but do not in themselves constitute a formal process.

539 Which of the following measures is the MOST effective deterrent against disgruntled stall abusing their privileges? A. Layered defense strategy B. System audit log monitoring C. Signed acceptable use policy D. High-availability systems

C Explanation: A layered defense strategy would only prevent those activities that are outside of the user's privileges. A signed acceptable use policy is often an effective deterrent against malicious activities because of the potential for termination of employment and/or legal actions being taken against the individual. System audit log monitoring is after the fact and may not be effective. Highavailability systems have high costs and are not always feasible for all devices and components or systems.

279 Which of the following devices should be placed within a DMZ? A. Router B. Firewall C. Mail relay D. Authentication server

C Explanation: A mail relay should normally be placed within a demilitarized zone (DMZ) to shield the internal network. An authentication server, due to its sensitivity, should always be placed on the internal 132 network, never on a DMZ that is subject to compromise. Both routers and firewalls may bridge a DMZ to another network, but do not technically reside within the DMZ, network segment.

161 Which of the following risks would BEST be assessed using qualitative risk assessment techniques? A. Theft of purchased software B. Power outage lasting 24 hours 77 C. Permanent decline in customer confidence D. Temporary loss of e-mail due to a virus attack

C Explanation: A permanent decline in customer confidence does not lend itself well to measurement by quantitative techniques. Qualitative techniques are more effective in evaluating things such as customer loyalty and goodwill. Theft of software, power outages and temporary loss of e-mail can be quantified into monetary amounts easier than can be assessed with quantitative techniques.

184 87 In assessing risk, it is MOST essential to: A. provide equal coverage for all asset types. B. use benchmarking data from similar organizations. C. consider both monetary value and likelihood of loss. D. focus primarily on threats and recent business losses.

C Explanation: A risk analysis should take into account the potential financial impact and likelihood of a loss. It should not weigh all potential losses evenly, nor should it focus primarily on recent losses or losses experienced by similar firms. Although this is important supplementary information, it does not reflect the organization's real situation. Geography and other factors come into play as well.

169 A risk analysis should: A. include a benchmark of similar companies in its scope. B. assume an equal degree of protection for all assets. C. address the potential size and likelihood of loss. D. give more weight to the likelihood vs. the size of the loss.

C Explanation: A risk analysis should take into account the potential size and likelihood of a loss. It could include comparisons with a group of companies of similar size. It should not assume an equal degree of protection for all assets since assets may have different risk factors. The likelihood of the loss should not receive greater emphasis than the size of the loss; a risk analysis should always address both equally.

225 A company's mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action? A. A penetration test B. A security baseline review C. A risk assessment D. A business impact analysis (BIA)

C Explanation: A risk assessment will identify- the business impact of such vulnerability being exploited and is, thus, the correct process. A penetration test or a security baseline review may identify the vulnerability but not the remedy. A business impact analysis (BIA) will more likely identify the impact of the loss of the mail server.

258 The MOST effective use of a risk register is to: A. identify risks and assign roles and responsibilities for mitigation. B. identify threats and probabilities. C. facilitate a thorough review of all IT-related risks on a periodic basis. D. record the annualized financial amount of expected losses due to risks.

C Explanation: A risk register is more than a simple list—it should lie used as a tool to ensure comprehensive documentation, periodic review and formal update of all risk elements in the enterprise's IT and related organization. Identifying risks and assigning roles and responsibilities for mitigation are elements of the register. Identifying threats and probabilities are two elements that are defined in the risk matrix, as differentiated from the broader scope of content in, and purpose for, the risk register. While the annualized loss expectancy (ALE) should be included in the register, this quantification is only a single element in the overall risk analysis program. 122

381 Which of the following would be the FIRST step in establishing an information security program? A. Develop the security policy. B. Develop security operating procedures. C. Develop the security plan. D. Conduct a security controls study.

C Explanation: A security plan must be developed to implement the security strategy. All of the other choices should follow the development of the security plan.

337 The MOST important reason that statistical anomaly-based intrusion detection systems (slat IDSs) are less commonly used than signature-based IDSs, is that stat IDSs: A. create more overhead than signature-based IDSs. B. cause false positives from minor changes to system variables. C. generate false alarms from varying user or system actions. 159 D. cannot detect new types of attacks.

C Explanation: A statistical anomaly-based intrusion detection system (stat IDS) collects data from normal traffic and establishes a baseline. It then periodically samples the network activity based on statistical methods and compares samples to the baseline. When the activity is outside the baseline parameter (clipping level), the IDS notifies the administrator. The baseline variables can include a host's memory or central processing unit (CPU) usage, network packet types and packet quantities. If actions of the users or the systems on the network vary widely with periods of low activity and periods of frantic packet exchange, a stat IDS may not be suitable, as the dramatic swing from one level to another almost certainly will generate false alarms. This weakness will have the largest impact on the operation of the IT systems. Due to the nature of stat IDS operations (i.e., they must constantly attempt to match patterns of activity to the baseline parameters), a stat IDS requires much more overhead and processing than signature-based versions. Due to the nature of a stat IDS—based on statistics and comparing data with baseline parameters—this type of IDS may not detect minor changes to system variables and may generate many false positives. Choice D is incorrect; since the stat IDS can monitor multiple system variables, it can detect new types of variables by tracing for abnormal activity of any kind.

143 Which of the following BEST indicates a successful risk management practice? A. Overall risk is quantified B. Inherent risk is eliminated C. Residual risk is minimized D. Control risk is tied to business units

C Explanation: A successful risk management practice minimizes the residual risk to the organization. Choice A is incorrect because the fact that overall risk has been quantified does not necessarily indicate the existence of a successful risk management practice. Choice B is incorrect since it is virtually impossible to eliminate inherent risk. Choice D is incorrect because, although the tying of control risks to business may improve accountability, this is not as desirable as minimizing residual risk. 69

494 The "separation of duties" principle is violated if which of the following individuals has update rights to the database access control list (ACL)? A. Data owner B. Data custodian C. Systems programmer D. Security administrator

C Explanation: A systems programmer should not have privileges to modify the access control list (ACL) because this would give the programmer unlimited control over the system. The data owner would request and approve updates to the ACL, but it is not a violation of the separation of duties principle if the data owner has update rights to the ACL. The data custodian and the security administrator could carry out the updates on the ACL since it is part of their duties as delegated to them by the data owner.

222 Which of the following would BEST address the risk of data leakage? A. File backup procedures B. Database integrity checks C. Acceptable use policies D. Incident response procedures

C Explanation: Acceptable use policies are the best measure for preventing the unauthorized disclosure of confidential information. The other choices do not address confidentiality of information. 105

198 Which of the following is MOST essential for a risk management program to be effective? A. Flexible security budget B. Sound risk baseline C. New risks detection D. Accurate risk reporting

C Explanation: All of these procedures are essential for implementing risk management. However, without identifying new risks, other procedures will only be useful for a limited period.

144 Which of the following would generally have the GREATEST negative impact on an organization? A. Theft of computer software B. Interruption of utility services C. Loss of customer confidence D. Internal fraud resulting in monetary loss

C Explanation: Although the theft of software, interruption of utility services and internal frauds are all significant, the loss of customer confidence is the most damaging and could cause the business to fail.

282 An extranet server should be placed: A. outside the firewall. B. on the firewall server. C. on a screened subnet. D. on the external router.

C Explanation: An extranet server should be placed on a screened subnet, which is a demilitarized zone (DMZ). Placing it on the Internet side of the firewall would leave it defenseless. The same would be true of placing it on the external router, although this would not be possible. Since firewalls should be installed on hardened servers with minimal services enabled, it would be inappropriate to store the extranet on the same physical device.

328 Which of the following BEST ensures that modifications made to in-house developed business applications do not introduce new security exposures? A. Stress testing B. Patch management C. Change management D. Security baselines

C Explanation: Change management controls the process of introducing changes to systems to ensure that unintended changes are not introduced. Patch management involves the correction of software 155 weaknesses and helps ensure that newly identified exploits are mitigated in a timely fashion. Security baselines provide minimum recommended settings. Stress testing ensures that there are no scalability problems.

578 When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach? A. Business continuity plan B. Disaster recovery plan C. Incident response plan D. Vulnerability management plan

C Explanation: An incident response plan documents the step-by-step process to follow, as well as the related roles and responsibilities pertaining to all parties involved in responding to an information security breach. A business continuity plan or disaster recovery plan would be triggered during the execution of the incident response plan in the case of a breach impacting the business continuity. A vulnerability management plan is a procedure to address technical vulnerabilities and mitigate the risk through configuration changes (patch management).

466 An information security manager reviewed the access control lists and observed that privileged access was granted to an entire department. Which of the following should the information security manager do FIRST? A. Review the procedures for granting access B. Establish procedures for granting emergency access C. Meet with data owners to understand business needs D. Redefine and implement proper access rights

C Explanation: An information security manager must understand the business needs that motivated the change prior to taking any unilateral action. Following this, all other choices could be correct depending on the priorities set by the business unit.

280 An intrusion detection system should be placed: A. outside the firewall. B. on the firewall server. C. on a screened subnet. D. on the external router.

C Explanation: An intrusion detection system (IDS) should be placed on a screened subnet, which is a demilitarized zone (DMZ). Placing it on the Internet side of the firewall would leave it defenseless. The same would be tmc of placing it on the external router, if such a thing were feasible. Since firewalls should be installed on hardened servers with minimal services enabled, it would be inappropriate to store the IDS on the same physical dcvice.

210 A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that: A. there are sufficient safeguards in place to prevent this risk from happening. B. the needed countermeasure is too complicated to deploy. C. the cost of countermeasure outweighs the value of the asset and potential loss. D. The likelihood of the risk occurring is unknown.

C Explanation: An organization may decide to live with specific risks because it would cost more to protect themselves than the value of the potential loss. The safeguards need to match the risk level. While countermeasures could be too complicated to deploy, this is not the most compelling reason. It is unlikely that a global financial institution would not be exposed to such attacks and the frequency could not be predicted.

428 Information security policies should: A. address corporate network vulnerabilities. B. address the process for communicating a violation. C. be straightforward and easy to understand. D. be customized to specific groups and roles.

C Explanation: As high-level statements, information security policies should be straightforward and easy to understand. They arc high-level and, therefore, do not address network vulnerabilities directly or the process for communicating a violation. As policies, they should provide a uniform message to all groups and user roles.

196 When performing an information risk analysis, an information security manager should FIRST: A. establish the ownership of assets. B. evaluate the risks to the assets. C. take an asset inventory. D. categorize the assets.

C Explanation: Assets must be inventoried before any of the other choices can be performed. 93

461 Which resource is the MOST effective in preventing physical access tailgating/piggybacking? A. Card key door locks B. Photo identification C. Awareness training D. Biometric scanners

C Explanation: Awareness training would most likely result in any attempted tailgating being challenged by the authorized employee. Choices A, B and D are physical controls that, by themselves, would not be effective against tailgating.

146 Which of the following will BEST protect an organization from internal security attacks? 70 A. Static IP addressing B. Internal address translation C. Prospective employee background checks D. Employee awareness certification program

C Explanation: Because past performance is a strong predictor of future performance, background checks of prospective employees best prevents attacks from originating within an organization. Static IP addressing does little to prevent an internal attack. Internal address translation using non-routable addresses is useful against external attacks but not against internal attacks. Employees who certify that they have read security policies are desirable, but this does not guarantee that the employees behave honestly.

325 Primary direction on the impact of compliance with new regulatory requirements that may lead to major application system changes should be obtained from the: A. corporate internal auditor. B. System developers/analysts. C. key business process owners. D. corporate legal counsel.

C Explanation: Business process owners are in the best position to understand how new regulatory requirements may affect their systems. Legal counsel and infrastructure management, as well as internal auditors, would not be in as good a position to fully understand all ramifications.

191 When performing a quantitative risk analysis, which of the following is MOST important to estimate the potential loss? A. Evaluate productivity losses B. Assess the impact of confidential data disclosure C. Calculate the value of the information or asset D. Measure the probability of occurrence of each threat

C Explanation: Calculating the value of the information or asset is the first step in a risk analysis process to determine the impact to the organization, which is the ultimate goal. Determining how much productivity could be lost and how much it would cost is a step in the estimation of potential risk process. Knowing the impact if confidential information is disclosed is also a step in the estimation of potential risk. Measuring the probability of occurrence for each threat identified is a step in performing a threat analysis and therefore a partial answer.

323 Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register? A. Authentication B. Hardening C. Encryption D. Nonrepudiation

C Explanation: Cardholder data should be encrypted using strong encryption techniques. Hardening would be secondary in importance, while nonrepudiation would not be as relevant. Authentication of the point-of-sale (POS) terminal is a previous step to acquiring the card information.

411 The BEST time to perform a penetration test is after: A. an attempted penetration has occurred. B. an audit has reported weaknesses in security controls. C. various infrastructure changes are made. D. a high turnover in systems staff.

C Explanation: Changes in the systems infrastructure are most likely to inadvertently introduce new exposures. Conducting a test after an attempted penetration is not as productive since an organization should not wait until it is attacked to test its defenses. Any exposure identified by an audit should be corrected before it would be appropriate to test. A turnover in administrative staff does not warrant a penetration test, although it may- warrant a review of password change practices and configuration management.

237 One way to determine control effectiveness is by determining: A. whether it is preventive, detective or compensatory. B. the capability of providing notification of failure. C. the test results of intended objectives. D. the evaluation and analysis of reliability. 112

C Explanation: Control effectiveness requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended. The type of control is not relevant, and notification of failure is not determinative of control strength. Reliability is not an indication of control strength; weak controls can be highly reliable, even if they are ineffective controls.

268 The purpose of a corrective control is to: A. reduce adverse events. B. indicate compromise. C. mitigate impact. D. ensure compliance.

C Explanation: Corrective controls serve to reduce or mitigate impacts, such as providing recovery capabilities. Preventive controls reduce adverse events, such as firewalls. Compromise can be detected by detective controls, such as intrusion detection systems (IDSs). Compliance could be ensured by preventive controls, such as access controls.

224 What is the BEST technique to determine which security controls to implement with a limited budget? A. Risk analysis B. Annualized loss expectancy (ALE) calculations C. Cost-benefit analysis D. Impact analysis

C Explanation: Cost-benefit analysis is performed to ensure that the cost of a safeguard does not outweigh it's benefit and that the best safeguard is provided for the cost of implementation. Risk analysis identifies the risks and suggests appropriate mitigation. The annualized loss expectancy (ALE) is a subset of a cost-benefit analysis. Impact analysis would indicate how much could be lost if a specific threat occurred. 106

536 A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that: A. it simulates the real-1ife situation of an external security attack. B. human intervention is not required for this type of test. C. less time is spent on reconnaissance and information gathering. D. critical infrastructure information is not revealed to the tester.

C Explanation: Data and information required for penetration are shared with the testers, thus eliminating time that would otherwise have been spent on reconnaissance and gathering of information. Blind (black box) penetration testing is closer to real life than full disclosure (white box) testing. There is no evidence to support that human intervention is not required for this type of test. A full disclosure (white box) methodology requires the knowledge of the subject being tested.

523 Which of the following is the BEST approach for improving information security management processes? A. Conduct periodic security audits. B. Perform periodic penetration testing. C. Define and monitor security metrics. D. Survey business units for feedback.

C Explanation: Defining and monitoring security metrics is a good approach to analyze the performance of the security management process since it determines the baseline and evaluates the performance against the baseline to identify an opportunity for improvement. This is a systematic and structured approach to process improvement. Audits will identify deficiencies in established controls; however, they are not effective in evaluating the overall performance for improvement. Penetration testing will only uncover technical vulnerabilities, and cannot provide a holistic picture of information security management, feedback is subjective and not necessarily reflective of true performance.

346 It is important to develop an information security baseline because it helps to define: A. critical information resources needing protection. B. a security policy for the entire organization. C. the minimum acceptable security to be implemented. D. required physical and logical access controls.

C Explanation: Developing an information security baseline helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels. Before determining the security baseline, an information security manager must establish the security policy, identify criticality levels of organization's information resources and assess the risk environment in which those resources operate.

422 A security awareness program should: A. present top management's perspective. B. address details on specific exploits. C. address specific groups and roles. D. promote security department procedures.

C Explanation: Different groups of employees have different levels of technical understanding and need awareness training that is customized to their needs; it should not be presented from a specific perspective. Specific details on technical exploits should be avoided since this may provide individuals with knowledge they might misuse or it may confuse the audience. This is also not the best forum in which to present security department procedures.

443 What is the BEST method to confirm that all firewall rules and router configuration settings are adequate? A. Periodic review of network configuration B. Review intrusion detection system (IDS) logs for evidence of attacks C. Periodically perform penetration tests D. Daily review of server logs for evidence of hacker activity 209

C Explanation: Due to the complexity of firewall rules and router tables, plus the sheer size of intrusion detection systems (IDSs) and server logs, a physical review will be insufficient. The best approach for confirming the adequacy of these configuration settings is to periodically perform attack and penetration tests.

459 Which of the following documents would be the BES T reference to determine whether access control mechanisms are appropriate for a critical application? A. User security procedures B. Business process flow C. IT security policy D. Regulatory requirements

C Explanation: IT management should ensure that mechanisms are implemented in line with IT security policy. Procedures are determined by the policy. A user security procedure does not describe the access control mechanism in place. The business process flow is not relevant to the access control mechanism. The organization's own policy and procedures should take into account regulatory requirements.

377 Which of the following would be the BEST defense against sniffing? A. Password protect the files B. Implement a dynamic IP address scheme C. Encrypt the data being transmitted D. Set static mandatory access control (MAC) addresses

C Explanation: Encrypting the data will obfuscate the data so that they are not visible in plain text. Someone would have to collate the entire data stream and try decrypting it, which is not easy. Passwords can be recovered by brute-force attacks and by password crackers, so this is not the best defense against sniffing. IP addresses can always be discovered, even if dynamic IP addresses are implemented. The person sniffing traffic can initiate multiple sessions for possible IP addresses. Setting static mandatory access control (MAC) addresses can prevent address resolution protocol (ARP) poisoning, but it does not prevent sniffing.

343 A message* that has been encrypted by the sender's private key and again by the receiver's public key achieves: A. authentication and authorization. B. confidentiality and integrity. C. confidentiality and nonrepudiation. D. authentication and nonrepudiation.

C Explanation: Encryption by the private key of the sender will guarantee authentication and nonrepudiation. Encryption by the public key of the receiver will guarantee confidentiality.

482 Which of the following would be MOST critical to the successful implementation of a biometric authentication system? A. Budget allocation B. Technical skills of staff C. User acceptance D. Password requirements

C Explanation: End users may react differently to the implementation, and may have specific preferences. The information security manager should be aware that what is viewed as reasonable in one culture may not be acceptable in another culture. Budget allocation will have a lesser impact since what is rejected as a result of culture cannot be successfully implemented regardless of budgetary considerations. Technical skills of staff will have a lesser impact since new staff can be recruited or existing staff can be trained. Although important, password requirements would be less likely to guarantee the success of the implementation.

454 What is the MOST appropriate change management procedure for the handling of emergency program changes? A. Formal documentation does not need to be completed before the change B. Business management approval must be obtained prior to the change C. Documentation is completed with approval soon after the change D. All changes must follow the same process

C Explanation: Even in the case of an emergency change, all change management procedure steps should be completed as in the case of normal changes. The difference lies in the timing of certain events. With an emergency change, it is permissible to obtain certain approvals and other documentation on "the morning after" once the emergency has been satisfactorily resolved. Obtaining business approval prior to the change is ideal but not always possible.

517 Which of the following is the MAIN objective in contracting with an external company to perform penetration testing? A. To mitigate technical risks B. To have an independent certification of network security C. To receive an independent view of security exposures D. To identify a complete list of vulnerabilities

C Explanation: Even though the organization may have the capability to perform penetration testing with internal resources, third-party penetration testing should be performed to gain an independent view of the security exposure. Mitigating technical risks is not a direct result of a penetration test. A penetration test would not provide certification of network security nor provide a complete list of vulnerabilities.

130 A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BES T approach of the information security manager? A. Acceptance of the business manager's decision on the risk to the corporation B. Acceptance of the information security manager's decision on the risk to the corporation C. Review of the assessment with executive management for final input D. A new risk assessment and BIA are needed to resolve the disagreement

C Explanation: Executive management must be supportive of the process and fully understand and agree with the results since risk management decisions can often have a large financial impact and require major changes. Risk management means different things to different people, depending upon their role in the organization, so the input of executive management is important to the process.

255 An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs? A. Key performance indicators (KPIs) B. Business impact analysis (BIA) C. Gap analysis D. Technical vulnerability assessment

C Explanation: Gap analysis would help identify the actual gaps between the desired state and the current implementation of information security management. BIA is primarily used for business continuity planning. Technical vulnerability assessment is used for detailed assessment of technical controls, which would come later in the process and would not provide complete information in order to identify gaps.

469 Which of the following should be in place before a black box penetration test begins? A. IT management approval B. Proper communication and awareness training C. A clearly stated definition of scope D. An incident response plan

C Explanation: Having a clearly stated definition of scope is most important to ensure a proper understanding of risk as well as success criteria, IT management approval may not be required based on senior management decisions. Communication, awareness and an incident response plan are not a necessary requirement. In fact, a penetration test could help promote the creation and execution of the incident response plan.

281 The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to: A. provide in-depth defense. B. separate test and production. C. permit traffic load balancing. D. prevent a denial-of-service attack.

C Explanation: Having two entry points, each guarded by a separate firewall, is desirable to permit traffic load balancing. As they both connect to the Internet and to the same demilitarized zone (DMZ), such an arrangement is not practical for separating test from production or preventing a denial-of-service attack. 133

267 After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks? A. Information security officer 126 B. Chief information officer (CIO) C. Business owner D. Chief executive officer (CF.O)

C Explanation: The business owner of the application needs to understand and accept the residual application risks.

168 Identification and prioritization of business risk enables project managers to: A. establish implementation milestones. 80 B. reduce the overall amount of slack time. C. address areas with most significance. D. accelerate completion of critical paths.

C Explanation: Identification and prioritization of risk allows project managers to focus more attention on areas of greater importance and impact. It will not reduce the overall amount of slack time, facilitate establishing implementation milestones or allow a critical path to be completed any sooner.

231 When performing a risk assessment, the MOST important consideration is that: A. management supports risk mitigation efforts. 109 B. annual loss expectations (ALEs) have been calculated for critical assets. C. assets have been identified and appropriately valued. D. attack motives, means and opportunities be understood.

C Explanation: Identification and valuation of assets provides the basis for risk management efforts as it relates to the criticality and sensitivity of assets. Management support is always important, but is not relevant when determining the proportionality of risk management efforts. ALE calculations are only valid if assets have first been identified and appropriately valued. Motives, means and opportunities should already be factored in as a part of a risk assessment.

214 Which of the following is the PRIMARY prerequisite to implementing data classification within an organization? 101 A. Defining job roles B. Performing a risk assessment C. Identifying data owners D. Establishing data retention policies

C Explanation: Identifying the data owners is the first step, and is essential to implementing data classification. Defining job roles is not relevant. Performing a risk assessment is important, but will require the participation of data owners (who must first be identified). Establishing data retention policies may occur after data have been classified.

574 Which of the following application systems should have the shortest recovery time objective (RTO)? A. Contractor payroll B. Change management C. E-commerce web site D. Fixed asset system

C Explanation: In most businesses where an e-commerce site is in place, it would need to be restored in a matter of hours, if not minutes. Contractor payroll, change management and fixed assets would not require as rapid a recovery time.

561 When a large organization discovers that it is the subject of a network probe, which of the following actions should be taken? A. Reboot the router connecting the DMZ to the firewall B. Power down all servers located on the DMZ segment C. Monitor the probe and isolate the affected segment D. Enable server trace logging on the affected segment

C Explanation: In the case of a probe, the situation should be monitored and the affected network segment isolated. Rebooting the router, powering down the demilitarized zone (DMZ) servers and enabling server trace routing are not warranted.

363 A test plan to validate the security controls of a new system should be developed during which phase of the project? A. Testing B. Initiation C. Design D. Development

C Explanation: In the design phase, security checkpoints are defined and a test plan is developed. The testing phase is too late since the system has already been developed and is in production testing. In the initiation phase, the basic security objective of the project is acknowledged. Development is the coding phase and is too late to consider test plans. 172

271 An information security manager is advised by contacts in law enforcement that there is evidence that his/ her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to: A. perform a comprehensive assessment of the organization's exposure to the hacker's techniques. B. initiate awareness training to counter social engineering. C. immediately advise senior management of the elevated risk. D. increase monitoring activities to provide early detection of intrusion. 128

C Explanation: Information about possible significant new risks from credible sources should be provided to management along with advice on steps that need to be taken to counter the threat. The security manager should assess the risk, but senior management should be immediately advised. It may be prudent to initiate an awareness campaign subsequent to sounding the alarm if awareness training is not current. Monitoring activities should also be increased.

132 An organization's board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next? A. Direct information security on what they need to do B. Research solutions to determine the proper solutions C. Require management to report on compliance D. Nothing; information security does not report to the board

C Explanation: Information security governance is the responsibility of the board of directors and executive management. In this instance, the appropriate action is to ensure that a plan is in place for implementation of needed safeguards and to require updates on that implementation.

548 Which of the following actions should be taken when an online trading company discovers a network attack in progress? A. Shut off all network access points B. Dump all event logs to removable media C. Isolate the affected network segment D. Enable trace logging on all event

C Explanation: Isolating the affected network segment will mitigate the immediate threat while allowing unaffected portions of the business to continue processing. Shutting off all network access points would create a denial of service that could result in loss of revenue. Dumping event logs and enabling trace logging, while perhaps useful, would not mitigate the immediate threat posed by the network attack.

516 An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that: A. an audit of the service provider uncovers no significant weakness. B. the contract includes a nondisclosure agreement (NDA) to protect the organization's intellectual property. C. the contract should mandate that the service provider will comply with security policies. D. the third-party service provider conducts regular penetration testing.

C Explanation: It is critical to include the security requirements in the contract based ON the company's security policy to ensure that the necessary security controls are implemented by the service provider. The audit is normally a one-time effort and cannot provide ongoing assurance of the security. A nondisclosure agreement (NDA) should be part of the contract; however, it is not critical to the security of the web site. Penetration testing alone would not provide total security to the web site; there are lots of controls that cannot be tested through penetration testing.

396 When an emergency security patch is received via electronic mail, the patch should FIRST be: A. loaded onto an isolated test machine. B. decompiled to check for malicious code. C. validated to ensure its authenticity. D. copied onto write-once media to prevent tampering.

C Explanation: It is important to first validate that the patch is authentic. Only then should it be copied onto writeonce media, decompiled to check for malicious code or loaded onto an isolated test machine.

451 A major trading partner with access to the internal network is unwilling or unable to remediate serious information security exposures within its environment. Which of the following is the BEST recommendation? A. Sign a legal agreement assigning them all liability for any breach B. Remove all trading partner access until the situation improves C. Set up firewall rules restricting network traffic from that location D. Send periodic reminders advising them of their noncompliance

C Explanation: It is incumbent on an information security manager to see to the protection of their organization's network, but to do so in a manner that does not adversely affect the conduct of business. This can be accomplished by adding specific traffic restrictions for that particular location. Removing all access will likely result in lost business. Agreements and reminders do not protect the integrity of the network.

180 Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following? A. Tree diagrams B. Venn diagrams C. Heat charts D. Bar charts

C Explanation: Meat charts, sometimes referred to as stoplight charts, quickly and clearly show the current status of remediation efforts. Venn diagrams show the connection between sets; tree diagrams are useful for decision analysis; and bar charts show relative size.

450 What is the MAIN drawback of e-mailing password-protected zip files across the Internet? They: A. all use weak encryption. B. are decrypted by the firewall. C. may be quarantined by mail filters. D. may be corrupted by the receiving mail server.

C Explanation: Often, mail filters will quarantine zip files that are password-protected since the filter (or the firewall) is unable to determine if the file contains malicious code. Many zip file products are capable of using strong encryption. Such files are not normally corrupted by the sending mail server.

543 Simple Network Management Protocol v2 (SNMP v2) is used frequently to monitor networks. Which of the following vulnerabilities does il always introduce? A. Remote buffer overflow B. Cross site scripting C. Clear text authentication D. Man-in-the-middle attack

C Explanation: One of the main problems with using SNMP vl and v°2 is the clear text "community string" that it uses to authenticate. It is easy to sniff and reuse. Most times, the SNMP community string is shared throughout the organization's servers and routers, making this authentication problem a serious threat to security. There have been some isolated cases of remote buffer overflows against SNMP daemons, but generally that is not a problem. Cross site scripting is a web application vulnerability that is not related to SNMP. A man-in- the-middlc attack against a user datagram protocol (UDP) makes no sense since there is no active session; every request has the community string and is answered independently.

434 Which of the following is the MOST appropriate method to protect a password that opens a confidential file? A. Delivery path tracing B. Reverse lookup translation C. Out-of-band channels D. Digital signatures

C Explanation: Out-of-band channels are useful when it is necessary, for confidentiality, to break a message into 205 two parts that are then sent by different means. Digital signatures only provide nonrepudiation. Reverse lookup translation involves converting ;in Internet Protocol (IP) address to a username. Delivery path tracing shows the route taken but does not confirm the identity of the sender.

331 Which of the following is MOST effective in protecting against the attack technique known as phishing? A. Firewall blocking rules B. Up-to-date signature files C. Security awareness training D. Intrusion detection monitoring

C Explanation: Phishing relies on social engineering techniques. Providing good security awareness training will best reduce the likelihood of such an attack being successful. Firewall rules, signature files and intrusion detection system (IDS) monitoring will be largely unsuccessful at blocking this kind of attack.

465 To ensure that all information security procedures are functional and accurate, they should be designed with the involvement of: A. end users. B. legal counsel. C. operational units. D. audit management.

C Explanation: Procedures at the operational level must be developed by or with the involvement of operational units that will use them. This will ensure that they are functional and accurate. End users and legal counsel are normally not involved in procedure development. Audit management generally oversees information security operations but does not get involved at the procedural level.

175 Which of the following groups would be in the BEST position to perform a risk analysis for a business? A. External auditors B. A peer group within a similar business C. Process owners D. A specialized management consultant

C Explanation: Process owners have the most in-depth knowledge of risks and compensating controls within their environment. External parties do not have that level of detailed knowledge on the inner workings of the business. Management consultants are expected to have the necessary skills in risk analysis techniques but are still less effective than a group with intimate knowledge of the business.

417 Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application? A. System analyst B. Quality control manager 197 C. Process owner D. Information security manager

C Explanation: Process owners implement information protection controls as determined by the business' needs. Process owners have the most knowledge about security requirements for the business application for which they are responsible. The system analyst, quality control manager, and information security manager do not possess the necessary knowledge or authority to implement and maintain the appropriate level of business security.

232 The MAIN reason why asset classification is important to a successful information security program is because classification determines: A. the priority and extent of risk mitigation efforts. B. the amount of insurance needed in case of loss. C. the appropriate level of protection to the asset. D. how protection levels compare to peer organizations.

C Explanation: Protection should be proportional to the value of the asset. Classification is based upon the value of the asset to the organization. The amount of insurance needed in case of loss may not be applicable in each case. Peer organizations may have different classification schemes for their assets.

358 The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to: A. change the root password of the system. B. implement multifactor authentication. C. rebuild the system from the original installation medium. D. disconnect the mail server from the network.

C Explanation: Rebuilding the system from the original installation medium is the only way to ensure all security vulnerabilities and potential stealth malicious programs have been destroyed. Changing the root password of the system does not ensure the integrity of the mail server. Implementing multifactor authentication is an aftermeasure and does not clear existing security threats. Disconnecting the mail server from the network is an initial step, but does not guarantee security.

364 The MOST effective way to ensure that outsourced service providers comply with the organization's information security policy would be: A. service level monitoring. B. penetration testing. C. periodically auditing. D. security awareness training.

C Explanation: Regular audit exercise can spot any gap in the information security compliance. Service level monitoring can only pinpoint operational issues in the organization's operational environment. Penetration testing can identify security vulnerability but cannot ensure information compliance Training can increase users' awareness on the information security policy, but is not more effective than auditing.

205 Which of the following risks is represented in the risk appetite of an organization? A. Control B. Inherent C. Residual D. Audit

C Explanation: Residual risk is unmanaged, i.e., inherent risk which remains uncontrolled. This is key to the organization's risk appetite and is the amount of residual risk that a business is living with that 97 affects its viability. Hence, inherent risk is incorrect. Control risk, the potential for controls to fail, and audit risk, which relates only to audit's approach to their work, are not relevant in this context.

475 An information security program should focus on: A. best practices also in place at peer companies. B. solutions codified in international standards. C. key controls identified in risk assessments. D. continued process improvement.

C Explanation: Risk assessment identifies the appropriate controls to mitigate identified business risks that the program should implement to protect the business. Peer industry best practices, international standards and continued process improvement can be used to support the program, but these cannot be blindly implemented without the consideration of business risk.

252 An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of: A. eliminating the risk. B. transferring the risk. C. mitigating the risk. D. accepting the risk.

C Explanation: Risk can never be eliminated entirely. Transferring the risk gives it away such as buying insurance 119 so the insurance company can take the risk. Implementing additional controls is an example of mitigating risk. Doing nothing to mitigate the risk would be an example of accepting risk.

187 The PRIMARY goal of a corporate risk management program is to ensure that an organization's: A. IT assets in key business functions are protected. B. business risks are addressed by preventive controls. C. stated objectives are achievable. D. IT facilities and systems are always available.

C Explanation: Risk management's primary goal is to ensure an organization maintains the ability to achieve its objectives. Protecting IT assets is one possible goal as well as ensuring infrastructure and systems availability. However, these should be put in the perspective of achieving an organization's objectives. Preventive controls are not always possible or necessary; risk management will address issues with an appropriate mix of preventive and corrective controls.

158 Risk management programs are designed to reduce risk to: A. a level that is too small to be measurable. B. the point at which the benefit exceeds the expense. C. a level that the organization is willing to accept. D. a rate of return that equals the current cost of capital.

C Explanation: Risk should be reduced to a level that an organization is willing to accept. Reducing risk to a level too small to measure is impractical and is often cost-prohibitive. To tie risk to a specific rate of return ignores the qualitative aspects of risk that must also be considered. Depending on the risk preference of an organization, it may or may not choose to pursue risk mitigation to the point at which the benefit equals or exceeds the expense. Therefore, choice C is a more precise answer.

262 Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level? A. Implement countermeasures. B. Eliminate the risk. C. Transfer the risk. D. Accept the risk.

C Explanation: Risks are typically transferred to insurance companies when the probability of an incident is low but the impact is high. Examples include: hurricanes, tornados and earthquakes. Implementing countermeasures may not be the most cost-effective approach to security management. Eliminating the risk may not be possible. Accepting the risk would leave the organization vulnerable to a catastrophic disaster which may cripple or ruin the organization. It would be more cost effective to pay recurring insurance costs than to be affected by a disaster from which the organization cannot financially recover.

293 Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information? A. Baseline security standards B. System access violation logs C. Role-based access controls D. Exit routines

C Explanation: Role-based access controls help ensure that users only have access to files and systems appropriate for their job role. Violation logs are detective and do not prevent unauthorized access. Baseline security standards do not prevent unauthorized access. Exit routines are dependent upon appropriate role-based access.

412 Successful social engineering attacks can BEST be prevented through: A. preemployment screening. B. close monitoring of users' access patterns. C. periodic awareness training. D. efficient termination procedures.

C Explanation: Security awareness training is most effective in preventing the success of social engineering attacks by providing users with the awareness they need to resist such attacks. Screening of new employees, monitoring and rapid termination will not be effective against external attacks.

416 Which of the following will BEST ensure that management takes ownership of the decision making process for information security? A. Security policies and procedures B. Annual self-assessment by management C. Security- steering committees D. Security awareness campaigns

C Explanation: Security steering committees provide a forum for management to express its opinion and take ownership in the decision making process. Security awareness campaigns, security policies and procedures, and self- assessment exercises are all good but do not exemplify the taking of ownership by management.

275 Who can BEST advocate the development of and ensure the success of an information security program? 130 A. Internal auditor B. Chief operating officer (COO) C. Steering committee D. IT management

C Explanation: Senior management represented in the security steering committee is in the best position to advocate the establishment of and continued support for an information security program. The chief operating officer (COO) will be a member of that committee. An internal auditor is a good advocate but is secondary to the influence of senior management. IT management has a lesser degree of influence and would also be part of the steering committee.

471 What is the MOST important success factor in launching a corporate information security awareness program? A. Adequate budgetary support B. Centralized program management C. Top-down approach D. Experience of the awareness trainers

C Explanation: Senior management support will provide enough resources and will focus attention to the program: training should start at the top levels to gain support and sponsorship. Funding is not a primary concern. Centralized management does not provide sufficient support. Trainer experience, while important, is not the primary success factor.

292 Who can BEST approve plans to implement an information security governance framework? A. Internal auditor B. Information security management C. Steering committee D. Infrastructure management

C Explanation: Senior management that is part of the security steering committee is in the best position to 138 approve plans to implement an information security governance framework. An internal auditor is secondary' to the authority and influence of senior management. Information security management should not have the authority to approve the security governance framework. Infrastructure management will not be in the best position since it focuses more on the technologies than on the business.

286 When contracting with an outsourcer to provide security administration, the MOST important 135 contractual element is the: A. right-to-terminate clause. B. limitations of liability. C. service level agreement (SLA). D. financial penalties clause.

C Explanation: Service level agreements (SLAs) provide metrics to which outsourcing firms can be held accountable. This is more important than a limitation on the outsourcing firm's liability, a right-toterminate clause or a hold- harmless agreement which involves liabilities to third parties.

305 Which of the following is the MOST important item to include when developing web hosting agreements with third-party providers? A. Termination conditions B. Liability limits C. Service levels D. Privacy restrictions

C Explanation: Service levels are key to holding third parties accountable for adequate delivery of services. This is more important than termination conditions, privacy restrictions or liability limitations.

542 There is reason to believe that a recently modified web application has allowed unauthorized access. Which is the BEST way to identify an application backdoor? A. Black box pen test B. Security audit C. Source code review D. Vulnerability scan

C Explanation: Source code review is the best way to find and remove an application backdoor. Application backdoors can be almost impossible to identify' using a black box pen test or a security audit. A vulnerability scan will only find "known" vulnerability patterns and will therefore not find a programmer's application backdoor.

350 What is the MOST important item to be included in an information security policy? A. The definition of roles and responsibilities B. The scope of the security program C. The key objectives of the security program D. Reference to procedures and standards of the security program

C Explanation: Stating the objectives of the security program is the most important element to ensure alignment with business goals. The other choices are part of the security policy, but they are not as important.

312 Which of the following is MOST important to the success of an information security program? A. Security' awareness training B. Achievable goals and objectives C. Senior management sponsorship D. Adequate start-up budget and staffing

C Explanation: Sufficient senior management support is the most important factor for the success of an information security program. Security awareness training, although important, is secondary. Achievable goals and objectives as well as having adequate budgeting and staffing are important factors, but they will not ensure success if senior management support is not present.

596 A root kit was used to capture detailed accounts receivable information. To ensure admissibility of evidence from a legal standpoint, once the incident was identified and the server isolated, the next step should be to: A. document how the attack occurred. B. notify law enforcement. C. take an image copy of the media. D. close the accounts receivable system.

C Explanation: Taking an image copy of the media is a recommended practice to ensure legal admissibility. All of the other choices are subsequent and may be supplementary.

514 The management staff of an organization that does not have a dedicated security function decides to use its IT manager to perform a security review. The MAIN job requirement in this arrangement is that the IT manager A. report risks in other departments. B. obtain support from other departments. C. report significant security risks. D. have knowledge of security standards.

C Explanation: The IT manager needs to report the security risks in the environment pursuant to the security review, including risks in the IT implementation. Choices A, B and D are important, but not the main responsibilities or job requirements.

332 When a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning, which of the following should automatically occur FIRST? A. The firewall should block all inbound traffic during the outage B. All systems should block new logins until the problem is corrected C. Access control should fall back to no synchronized mode D. System logs should record all user activity for later analysis

C Explanation: The best mechanism is for the system to fallback to the original process of logging on individually to each system. Blocking traffic and new logins would be overly restrictive to the conduct of business, while recording all user activity would add little value.

479 Which of the following would BEST assist an information security manager in measuring the existing level of development of security processes against their desired state? A. Security audit reports B. Balanced scorecard C. Capability maturity model (CMM) D. Systems and business security architecture

C Explanation: The capability maturity model (CMM) grades each defined area of security processes on a scale of 0 to 5 based on their maturity, and is commonly used by entities to measure their existing state and then determine the desired one. Security audit reports offer a limited view of the current state of security. Balanced scorecard is a document that enables management to measure the implementation of their strategy and assists in its translation into action. Systems and business security architecture explain the security architecture of an entity in terms of business strategy, objectives, relationships, risks, constraints and enablers, and provides a business-driven and business-focused view of security architecture.

559 Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a third-party hot site? A. Cost to build a redundant processing facility and invocation B. Daily cost of losing critical systems and recovery time objectives (RTOs) C. Infrastructure complexity and system sensitivity D. Criticality results from the business impact analysis (BIA)

C Explanation: The complexity and business sensitivity of the processing infrastructure and operations largely determines the viability of such an option; the concern is whether the recovery site meets the operational and security needs of the organization. The cost to build a redundant facility is not relevant since only a fraction of the total processing capacity is considered critical at the time of the disaster and recurring contract costs would accrue over time. Invocation costs are not a factor because they will be the same regardless. The incremental daily cost of losing different systems and the recovery time objectives (RTOs) do not distinguish whether a commercial facility is chosen. Resulting criticality from the business impact analysis (BIA) will determine the scope and timeline of the recovery efforts, regardless of the recovery location.

289 Which of the following tools is MOST appropriate for determining how long a security project will take to implement? A. Gantt chart B. Waterfall chart C. Critical path D. Rapid Application Development (RAD)

C Explanation: The critical path method is most effective for determining how long a project will take. A waterfall chart is used to understand the flow of one process into another. A Gantt chart facilitates the proper estimation and allocation of resources. The Rapid Application Development (RAD) method is used as an aid to facilitate and expedite systems development.

239 Who is responsible for ensuring that information is classified? A. Senior management B. Security manager C. Data owner D. Custodian

C Explanation: The data owner is responsible for applying the proper classification to the data. Senior management is ultimately responsible for the organization. The security officer is responsible for 113 applying security protection relative to the level of classification specified by the owner. The technology group is delegated the custody of the data by the data owner, but the group does not classify the information.

185 When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify: A. the information security steering committee. B. customers who may be impacted. C. data owners who may be impacted. D. regulatory- agencies overseeing privacy.

C Explanation: The data owners should be notified first so they can take steps to determine the extent of the damage and coordinate a plan for corrective action with the computer incident response team. Other parties will be notified later as required by corporate policy and regulatory requirements.

414 Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system? A. User ad hoc reporting is not logged B. Network traffic is through a single switch C. Operating system (OS) security patches have not been applied D. Database security defaults to ERP settings

C Explanation: The fact that operating system (OS) security patches have not been applied is a serious weakness. Routing network traffic through a single switch is not unusual. Although the lack of logging for user ad hoc reporting is not necessarily good, it does not represent as serious a security- weakness as the failure to install security patches. Database security defaulting to the ERP system's settings is not as significant.

272 Which of the following steps should be performed FIRST in the risk assessment process? A. Staff interviews B. Threat identification C. Asset identification and valuation D. Determination of the likelihood of identified risks

C Explanation: The first step in the risk assessment methodology is a system characterization, or identification and valuation, of all of the enterprise's assets to define the boundaries of the assessment. Interviewing is a valuable tool to determine qualitative information about an organization's objectives and tolerance for risk. Interviews are used in subsequent steps. Identification of threats comes later in the process and should not be performed prior to an inventory since many possible threats will not be applicable if there is no asset at risk. Determination of likelihood comes later in the risk assessment process.

480 Who is responsible for raising awareness of the need for adequate funding for risk action plans? A. Chief information officer (CIO) B. Chief financial officer (CFO) C. Information security manager D. Business unit management

C Explanation: The information security manager is responsible for raising awareness of the need for adequate funding for risk-related action plans. Even though the chief information officer (CIO), chief financial officer (CFO) and business unit management are involved in the final approval of fund expenditure, it is the information security manager who has the ultimate responsibility for raising awareness.

304 An information security program should be sponsored by: A. infrastructure management. B. the corporate audit department. C. key business process owners. D. information security management.

C Explanation: The information security program should ideally be sponsored by business managers, as represented by key business process owners. Infrastructure management is not sufficiently independent and lacks the necessary knowledge regarding specific business requirements. A corporate audit department is not in as good a position to fully understand how an information security program needs to meet the needs of the business. Audit independence and objectivity will be lost, impeding traditional audit functions. Information security implements and executes the program. Although it should promote it at all levels, it cannot sponsor the effort due to insufficient operational knowledge and lack of proper authority. 144

527 An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform? A. A due diligence security review of the business partner's security controls B. Ensuring that the business partner has an effective business continuity program C. Ensuring that the third party is contractually obligated to all relevant security requirements D. Talking to other clients of the business partner to check references for performance

C Explanation: The key requirement is that the information security manager ensures that the third party is contractually bound to follow the appropriate security requirements for the process being outsourced. This protects both organizations. All other steps are contributory to the contractual agreement, but are not key.

587 What is the FIRST action an information security manager should take when a company laptop is reported stolen? A. Evaluate the impact of the information loss B. Update the corporate laptop inventory C. Ensure compliance with reporting procedures D. Disable the user account immediately

C Explanation: The key step in such an incident is to report it to mitigate any loss. After this, the other actions should follow.

589 When designing the technical solution for a disaster recovery site, the PRIMARY factor that should be taken into consideration is the: A. services delivery objective. B. recovery time objective (RTO). C. recovery window. D. maximum tolerable outage (MTO).

C Explanation: The length of the recovery window is defined by business management and determines the acceptable time frame between a disaster and the restoration of critical services/applications. The technical implementation of the disaster recovery (DR) site will be based on this constraint, especially the choice between a hot, warm or cold site. The service delivery objective is supported during the alternate process mode until the normal situation is restored, which is directly related to business needs. The recovery time objective (RTO) is commonly agreed to be the time frame between a disaster and the return to normal operations. It is then longer than the interruption window and is very difficult to estimate in advance. The time frame between the reduced operation mode at the end of the interruption window and the return to normal operations depends on the magnitude of the disaster. Technical disaster recovery solutions alone will not be used for returning to normal operations. Maximum tolerable outage (MTO) is the maximum time acceptable by a company operating in reduced mode before experiencing losses. Theoretically, recovery time objectives (RTOs) equal the interruption window plus the maximum tolerable outage. This will not be the primary factor for the choice of the technical disaster recovery solution.

356 The MAIN goal of an information security strategic plan is to: A. develop a risk assessment plan. B. develop a data protection plan. C. protect information assets and resources. D. establish security governance.

C Explanation: The main goal of an information security strategic plan is to protect information assets and resources. Developing a risk assessment plan and H data protection plan, and establishing security governance refer to tools utilized in the security strategic plan that achieve the protection of information assets and resources.

333 Which of the following is the MOST important risk associated with middleware in a client-server environment? 157 A. Server patching may be prevented B. System backups may be incomplete C. System integrity may be affected D. End-user sessions may be hijacked

C Explanation: The major risk associated with middleware in a client-server environment is that system integrity may be adversely affected because of the very purpose of middleware, which is intended to support multiple operating environments interacting concurrently. Lack of proper software to control portability of data or programs across multiple platforms could result in a loss of data or program integrity. All other choices are less likely to occur.

581 What is the PRIMARY objective of a post-event review in incident response? A. Adjust budget provisioning B. Preserve forensic data C. Improve the response process D. Ensure the incident is fully documented

C Explanation: The primary objective is to find any weakness in the current process and improve it. The other choices are all secondary.

442 The PRIMARY reason for using metrics to evaluate information security is to: A. identify security weaknesses. B. justify budgetary expenditures. C. enable steady improvement. D. raise awareness on security issues.

C Explanation: The purpose of a metric is to facilitate and track continuous improvement. It will not permit the identification of all security weaknesses. It will raise awareness and help in justifying certain expenditures, but this is not its main purpose.

287 Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism? A. Number of attacks detected B. Number of successful attacks C. Ratio of false positives to false negatives D. Ratio of successful to unsuccessful attacks

C Explanation: The ratio of false positives to false negatives will indicate whether an intrusion detection system (IDS) is properly tuned to minimize the number of false alarms while, at the same time, minimizing the number of omissions. The number of attacks detected, successful attacks or the ratio of successful to unsuccessful attacks would not indicate whether the IDS is properly configured.

154 The recovery time objective (RTO) is reached at which of the following milestones? A. Disaster declaration B. Recovery of the backups C. Restoration of the system D. Return to business as usual processing

C Explanation: The recovery time objective (RTO) is based on the amount of time required to restore a system; disaster declaration occurs at the beginning of this period. Recovery of the backups occurs shortly after the beginning of this period. Return to business as usual processing occurs significantly later 74 than the RTO. RTO is an "objective," and full restoration may or may not coincide with the RTO. RTO can be the minimum acceptable operational level, far short of normal operations.

274 An organization has a process in place that involves the use of a vendor. A risk assessment was completed during the development of the process. A year after the implementation a monetary decision has been made to use a different vendor. What, if anything, should occur? A. Nothing, since a risk assessment was completed during development. B. A vulnerability assessment should be conducted. C. A new risk assessment should be performed. D. The new vendor's SAS 70 type II report should be reviewed.

C Explanation: The risk assessment process is continual and any changes to an established process should include a new- risk assessment. While a review of the SAS 70 report and a vulnerability assessment may be components of a risk assessment, neither would constitute sufficient due diligence on its own. Topic 3, INFORMATION SECURITY PROGRAM DEVELOPMENT

218 Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk? A. Historical cost of the asset B. Acceptable level of potential business impacts C. Cost versus benefit of additional mitigating controls D. Annualized loss expectancy (ALE)

C Explanation: The security manager would be most concerned with whether residual risk would be reduced by a 103 greater amount than the cost of adding additional controls. The other choices, although relevant, would not be as important.

533 In which of the following system development life cycle (SDLC) phases are access control and encryption algorithms chosen? A. Procedural design B. Architectural design C. System design specifications D. Software development

C Explanation: The system design specifications phase is when security specifications are identified. The procedural design converts structural components into a procedural description of the software. The architectural design is the phase that identifies the overall system design, hut not the specifics. Software development is too late a stage since this is the phase when the system is already being coded.

236 Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system? A. Annual loss expectancy (ALE) of incidents B. Frequency of incidents C. Total cost of ownership (TCO) D. Approved budget for the project

C Explanation: The total cost of ownership (TCO) would be the most relevant piece of information in that it would establish a cost baseline and it must be considered for the full life cycle of the control. Annual loss expectancy (ALE) and the frequency of incidents could help measure the benefit, but would have more of an indirect relationship as not all incidents may be mitigated by implementing a two-factor authentication system. The approved budget for the project may have no bearing on what the project may actually cost.

148 In a business impact analysis, the value of an information system should be based on the overall cost: A. of recovery. B. to recreate. 71 C. if unavailable. D. of emergency operations.

C Explanation: The value of an information system should be based on the cost incurred if the system were to become unavailable. The cost to design or recreate the system is not as relevant since a business impact analysis measures the impact that would occur if an information system were to become unavailable. Similarly, the cost of emergency operations is not as relevant.

602 To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs? A. Database server B. Domain name server (DNS) C. Time server D. Proxy server

C Explanation: To accurately reconstruct the course of events, a time reference is needed and that is provided by the time server. The other choices would not assist in the correlation and review1 of these logs.

558 Which of the following is MOST important in determining whether a disaster recovery test is successful? A. Only business data files from offsite storage are used B. IT staff fully recovers the processing infrastructure C. Critical business processes are duplicated D. All systems are restored within recovery time objectives (RTOs)

C Explanation: To ensure that a disaster recovery test is successful, it is most important to determine whether all critical business functions were successfully recovered and duplicated. Although ensuring that only materials taken from offsite storage are used in the test is important, this is not as critical in determining a test's success. While full recovery of the processing infrastructure is a key recovery milestone, it does not ensure the success of a test. Achieving the RTOs is another important milestone, but does not necessarily prove that the critical business functions can be conducted, due to interdependencies with other applications and key elements such as data, staff, manual processes, materials and accessories, etc.

421 What is the BEST method to verify that all security patches applied to servers were properly documented? A. Trace change control requests to operating system (OS) patch logs B. Trace OS patch logs to OS vendor's update documentation C. Trace OS patch logs to change control requests D. Review change control documentation for key servers

C Explanation: To ensure that all patches applied went through the change control process, it is necessary to use the operating system (OS) patch logs as a starting point and then check to see if change control documents are on file for each of these changes. Tracing from the documentation to the patch log 199 will not indicate if some patches were applied without being documented. Similarly, reviewing change control documents for key servers or comparing patches applied to those recommended by the OS vendor's web site does not confirm that these security patches were properly approved and documented.

315 Which of the following technologies is utilized to ensure that an individual connecting to a corporate internal network over the Internet is not an intruder masquerading as an authorized user? A. Intrusion detection system (IDS) B. IP address packet filtering C. Two-factor authentication D. Embedded digital signature

C Explanation: Two-factor authentication provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a 149 corporate network. IP address packet filtering would protect against spoofing an internal address but would not provide strong authentication. An intrusion detection system (IDS) can be used to detect an external attack but would not help in authenticating a user attempting to connect. Digital signatures ensure that transmitted information can be attributed to the named sender.

571 Which of the following is the MOST serious exposure of automatically updating virus signature files on every desktop each Friday at 11:00 p.m. (23.00 hrs.)? A. Most new viruses* signatures are identified over weekends B. Technical personnel are not available to support the operation C. Systems are vulnerable to new viruses during the intervening week D. The update's success or failure is not known until Monday

C Explanation: Updating virus signature files on a weekly basis carries the risk that the systems will be vulnerable to viruses released during the week; far more frequent updating is essential. All other issues are secondary to this very serious exposure.

537 Which of the following is the BEST method to reduce the number of incidents of employees forwarding spam and chain e-mail messages? A. Acceptable use policy B. Setting low mailbox limits C. User awareness training D. Taking disciplinary action

C Explanation: User awareness training would help in reducing the incidents of employees forwarding spam and chain e-mails since users would understand the risks of doing so and the impact on the organization's information system. An acceptable use policy, signed by employees, would legally address the requirements but merely having a policy is not the best measure. Setting low mailbox limits and taking disciplinary action are a reactive approach and may not help in obtaining proper support from employees.

285 Which of the following is the BEST method for ensuring that security procedures and guidelines are known and understood? A. Periodic focus group meetings B. Periodic compliance reviews C. Computer-based certification training (CBT) D. Employee's signed acknowledgement

C Explanation: Using computer-based training (CBT) presentations with end-of-section reviews provides feedback on how well users understand what has been presented. Periodic compliance reviews are a good tool to identify problem areas but do not ensure that procedures are known or understood. Eocus groups may or may not provide meaningful detail. Although a signed employee acknowledgement is good, it does not indicate whether the material has been read and/or understood.

380 Which of the following is the BEST method to securely transfer a message? A. Password-protected removable media B. Facsimile transmission in a secured room C. Using public key infrastructure (PKI) encryption D. Steganography 180

C Explanation: Using public key infrastructure (PKI) is currently accepted as the most secure method to transmit e-mail messages. PKI assures confidentiality, integrity and nonrepudiation. The other choices are not methods that are as secure as PKI. Steganography involves hiding a message in an image.

230 Which program element should be implemented FIRST in asset classification and control? A. Risk assessment B. Classification C. Valuation D. Risk mitigation

C Explanation: Valuation is performed first to identify and understand the assets needing protection. Risk assessment is performed to identify and quantify threats to information assets that are selected by the first step, valuation. Classification and risk mitigation are steps following valuation.

579 Isolation and containment measures lor a compromised computer have been taken and information security management is now investigating. What is the MOST appropriate next step? A. Run a forensics tool on the machine to gather evidence B. Reboot the machine to break remote connections C. Make a copy of the whole system's memory D. Document current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/ I'DP) ports

C Explanation: When investigating a security breach, it is important to preserve all traces of evidence left by the invader. For this reason, it is imperative to preserve the memory' contents of the machine in order to analyze them later. The correct answer is choice C because a copy of the whole system's memory is obtained for future analysis by running the appropriate tools. This is also important from a legal perspective since an attorney may suggest that the system was changed during the conduct of the investigation. Running a computer forensics tool in the compromised machine will cause the creation of at least one process that may overwrite evidence. Rebooting the machine will delete the contents of the memory, erasing potential evidence. Collecting information about current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports is correct, but doing so by using tools may also erase memory contents.

234 Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data? A. Disclosure of personal information B. Sufficient coverage of the insurance policy for accidental losses C. Intrinsic value of the data stored on the equipment D. Replacement cost of the equipment

C Explanation: When mobile equipment is lost or stolen, the information contained on the equipment matters most in determining the impact of the loss. The more sensitive the information, the greater the liability. If staff carries mobile equipment for business purposes, an organization must develop a clear policy as to what information should be kept on the equipment and for what purpose. Personal information is not defined in the question as the data that were lost. Insurance may be a relatively smaller issue as compared with information theft or opportunity loss, although insurance is also an important factor for a successful business. Cost of equipment would be a less important issue as compared with other choices.

430 203 Which of the following presents the GREATEST exposure to internal attack on a network? A. User passwords are not automatically expired B. All network traffic goes through a single switch C. User passwords are encoded but not encrypted D. All users reside on a single internal subnet

C Explanation: When passwords are sent over the internal network in an encoded format, they can easily be converted to clear text. All passwords should be encrypted to provide adequate security. Not automatically expiring user passwords does create an exposure, but not as great as having unencrypted passwords. Using a single switch or subnet does not present a significant exposure.

467 When security policies are strictly enforced, the initial impact is that: A. they may have to be modified more frequently. B. they will be less subject to challenge. C. the total cost of security is increased. D. the need for compliance reviews is decreased.

C Explanation: When security policies are strictly enforced, more resources are initially required, thereby increasing, the total cost of security. There would be less need for frequent modification. Challenges would be rare and the need for compliance reviews would not necessarily be less.

240 After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be: A. transferred. B. treated. C. accepted. D. terminated.

C Explanation: When the cost of control is more than the cost of the risk, the risk should be accepted. Transferring, treating or terminating the risk is of limited benefit if the cost of that control is more than the cost of the risk itself.

498 What is the BEST way to alleviate security team understaffing while retaining the capability inhouse? A. Hire a contractor that would not be included in the permanent headcount B. Outsource with a security services provider while retaining the control internally C. Establish a virtual security team from competent employees across the company D. Provide cross training to minimize the existing resources gap

C Explanation: While hiring an indirect resource that will not be part of headcount will help to add an extra resource, it usually costs more than a direct employee; thus, it is not cost efficient. Outsourcing may be a more expensive option and can add complexities to the service delivery. Competent security staff can be recruited from other departments e.g., IT. product development, research and development (R&D). By leveraging existing resources, there is a nominal additional cost. It is also a strategic option since the staff may join the team as full members in the future (internal transfer). Development of staff is often a budget drain and, if not managed carefully, these resources may move away from the company and leave the team with a bigger resource gap.

404 191 Which of the following is MOST important to the successful promotion of good security management practices? A. Security metrics B. Security baselines C. Management support D. Periodic training

C Explanation: Without management support, all other efforts will be undermined. Metrics, baselines and training are all important, but they depend on management support for their success.

534 Which of the following is generally considered a fundamental component of an information security program? A. Role-based access control systems B. Automated access provisioning C. Security awareness training D. Intrusion prevention systems (IPSs)

C Explanation: Without security awareness training, many components of the security program may not be effectively implemented. The other options may or may not be necessary, but are discretionary.

134 What is the MOST important factor in the successful implementation of an enterprise wide information security program? A. Realistic budget estimates B. Security awareness C. Support of senior management D. Recalculation of the work factor

C Explanation: Without the support of senior management, an information security program has little chance of survival. A company's leadership group, more than any other group, will more successfully drive the program. Their authoritative position in the company is a key factor. Budget approval, resource commitments, and companywide participation also require the buy-in from senior management. Senior management is responsible for providing an adequate budget and the necessary resources. Security awareness is important, but not the most important factor. Recalculation of the work factor is a part of risk management.

65 At what stage of the applications development process should the security department initially become involved? A. When requested B. At testing C. At programming D. At detail requirements

A common concern with poorly written web applications is that they can allow an attacker to: A. gain control through a buffer overflow. B. conduct a distributed denial of service (DoS) attack. C. abuse a race condition. D. inject structured query language (SQL) statements.

A possible breach of an organization's IT system is reported by the project manager. What is the FIRST thing the incident response manager should do? A. Run a port scan on the system B. Disable the logon ID C. Investigate the system logs D. Validate the incident

Acceptable levels of information security risk should be determined by: A. legal counsel. B. security management. C. external auditors. D. steering committee.

An organization has been experiencing a number of network-based security attacks that all appear to originate internally. The BEST course of action is to: A. require the use of strong passwords. B. assign static IP addresses. C. implement centralized logging software. D. install an intrusion detection system (IDS).

Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security: A. baseline. B. strategy. C. procedure. D. policy.

Effective IT governance is BEST ensured by: A. utilizing a bottom-up approach. B. management by the IT department. C. referring the matter to the organization's legal department. D. utilizing a top-down approach.

From an information security manager perspective, what is the immediate benefit of clearly defined roles and responsibilities? A. Enhanced policy compliance B. Improved procedure flows C. Segregation of duties D. Better accountability

How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation? A. Give organization standards preference over local regulations B. Follow local regulations only C. Make the organization aware of those standards where local regulations causes conflicts D. Negotiate a local version of the organization standards

In order to highlight to management the importance of network security, the security manager should FIRST: A. develop a security architecture. B. install a network intrusion detection system (NIDS) and prepare a list of attacks. C. develop a network security policy. D. conduct a risk assessment.

Information security governance is PRIMARILY driven by: A. technology constraints. B. regulatory requirements. C. litigation potential. D. business strategy.

It is MOST important that information security architecture be aligned with which of the following? A. Industry best practices B. Information technology plans C. Information security best practices D. Business objectives and goals

Minimum standards for securing the technical infrastructure should be defined in a security: A. strategy. B. guidelines. C. model. D. architecture.

Of the following, which is the MOST important aspect of forensic investigations? A. The independence of the investigator B. Timely intervention C. Identifying the perpetrator D. Chain of custody

Senior management commitment and support for information security can BEST be obtained through presentations that: A. use illustrative examples of successful attacks. B. explain the technical risks to the organization. C. evaluate the organization against best security practices. D. tie security risks to key business objectives.

The BEST way to justify the implementation of a single sign-on (SSO) product is to use: A. return on investment (ROD. B. a vulnerability assessment. C. annual loss expectancy (ALE). D. a business case.

The FIRST step in an incident response plan is to: A. notify the appropriate individuals. B. contain the effects of the incident to limit damage. C. develop response strategies for systematic attacks. D. validate the incident.

The FIRST step in establishing a security governance program is to: A. conduct a risk assessment. B. conduct a workshop for all end users. C. prepare a security budget. D. obtain high-level sponsorship.

The FIRST step to create an internal culture that focuses on information security is to: A. implement stronger controls. B. conduct periodic awareness training. C. actively monitor operations. D. gain the endorsement of executive management.

The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to: A. escalate issues to an external third party for resolution. B. ensure that senior management provides authority for security to address the issues. C. insist that managers or units not in agreement with the security solution accept the risk. D. refer the issues to senior management along with any security recommendations.

The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in: A. storage capacity and shelf life. B. regulatory and legal requirements. C. business strategy and direction. D. application systems and media.

The PRIMARY goal in developing an information security strategy is to: A. establish security metrics and performance monitoring. B. educate business process owners regarding their duties. C. ensure that legal and regulatory requirements are met D. support the business objectives of the organization.

The data access requirements for an application should be determined by the: A. legal department. B. compliance officer. C. information security manager. D. business owner.

The impact of losing frame relay network connectivity for 18-24 hours should be calculated using the: A. hourly billing rate charged by the carrier. B. value of the data transmitted over the network. C. aggregate compensation of all affected business users. D. financial losses incurred by affected business units.

To justify the need to invest in a forensic analysis tool, an information security manager should FIRST: A. review the functionalities and implementation requirements of the solution. B. review comparison reports of tool implementation in peer companies. C. provide examples of situations where such a tool would be useful. D. substantiate the investment in meeting organizational needs.

When an information security manager is developing a strategic plan for information security, the timeline for the plan should be: A. aligned with the IT strategic plan. B. based on the current rate of technological change. C. three-to-five years for both hardware and software. D. aligned with the business strategy.

When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint? A. Compliance with international security standards. B. Use of a two-factor authentication system. C. Existence of an alternate hot site in case of business disruption. D. Compliance with the organization's information security requirements.

When developing an information security program, what is the MOST useful source of information for determining available resources? A. Proficiency test B. Job descriptions C. Organization chart D. Skills inventory

Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification? A. Alignment with industry best practices B. Business continuity investment C. Business benefits D. Regulatory compliance

Which of the following is MOST important to understand when developing a meaningful information security strategy? A. Regulatory environment B. International security standards C. Organizational risks D. Organizational goals

Which of the following is the BEST justification to convince management to invest in an information security program? A. Cost reduction B. Compliance with company policies C. Protection of business assets D. Increased business value

Which of the following is the BEST mechanism to determine the effectiveness of the incident response process? A. Incident response metrics B. Periodic auditing of the incident response process C. Action recording and review D. Post incident review

Which of the following is the MOST essential task for a chief information security officer (CISO) to perform? A. Update platform-level security settings B. Conduct disaster recovery test exercises C. Approve access to critical financial systems D. Develop an information security strategy paper

Which of the following is the MOST important factor when designing information security architecture? A. Technical platform interfaces B. Scalability of the network C. Development methodologies D. Stakeholder requirements

Which of the following is the MOST important information to include in an information security standard? A. Creation date B. Author name C. Initial draft approval date D. Last review date

Which of the following represents the MAJOR focus of privacy regulations? A. Unrestricted data mining B. Identity theft C. Human rights protection D. Identifiable personal data

Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization? A. The information security department has difficulty filling vacancies. B. The chief information officer (CIO) approves security policy changes. C. The information security oversight committee only meets quarterly. D. The data center manager has final signoff on all security projects.

Which of the following situations would MOST inhibit the effective implementation of security governance: A. The complexity of technology B. Budgetary constraints C. Conflicting business priorities D. High-level sponsorship

Which of the following would be the MOST important goal of an information security governance program? A. Review of internal control mechanisms B. Effective involvement in business decision making C. Total elimination of risk factors D. Ensuring trust in data

Who in an organization has the responsibility for classifying information? A. Data custodian B. Database administrator C. Information security officer D. Data owner

Who should be responsible for enforcing access rights to application data? A. Data owners B. Business process owners C. The security steering committee D. Security administrators

326 Which of the following is the MOST important item to consider when evaluating products to monitor security across the enterprise? A. Ease of installation B. Product documentation C. Available support D. System overhead

D 154 Explanation: Monitoring products can impose a significant impact ON system overhead for servers and networks. Product documentation, telephone support and ease of installation, while all important, would be secondary.

355 Which of the following is a key area of the ISO 27001 framework? A. Operational risk assessment B. Financial crime metrics C. Capacity management D. Business continuity management

D Explanation: 168 Operational risk assessment, financial crime metrics and capacity management can complement the information security framework, but only business continuity management is a key component.

419 Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected? A. Applying patches B. Changing access rules C. Upgrading hardware D. Backing up files

D Explanation: 198 If malicious code is not immediately detected, it will most likely be backed up as a part of the normal tape backup process. When later discovered, the code may be eradicated from the device but still remain undetected ON a backup tape. Any subsequent restores using that tape may reintroduce the malicious code. Applying patches, changing access rules and upgrading hardware does not significantly increase the level of difficulty.

163 In performing a risk assessment on the impact of losing a server, the value of the server should be calculated using the: A. original cost to acquire. B. cost of the software stored. C. annualized loss expectancy (ALE). D. cost to obtain a replacement.

D Explanation: 78 The value of the server should be based on its cost of replacement. The original cost may be significantly different from the current cost and, therefore, not as relevant. The value of the software is not at issue because it can be restored from backup media. The ALE for all risks related to the server does not represent the server's value.

188 It is important to classify and determine relative sensitivity of assets to ensure that: A. cost of protection is in proportion to sensitivity. B. highly sensitive assets are protected. C. cost of controls is minimized. D. countermeasures are proportional to risk.

D Explanation: 89 Classification of assets needs to be undertaken to determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented. While higher costs are allowable to protect sensitive assets, and it is always reasonable to minimize the costs of controls, it is most important that the controls and countermeasures are commensurate to the risk since this will justify the costs. Choice B is important but it is an incomplete answer because it does not factor in risk. Therefore, choice D is the most important.

201 The security responsibility of data custodians in an organization will include: A. assuming overall protection of information assets. B. determining data classification levels. C. implementing security controls in products they install. D. ensuring security measures are consistent with policy.

D Explanation: 95 Security responsibilities of data custodians within an organization include ensuring that appropriate security measures are maintained and are consistent with organizational policy. Executive management holds overall responsibility for protection of the information assets. Data owners determine data classification levels for information assets so that appropriate levels of controls can be provided to meet the requirements relating to confidentiality, integrity and availability. Implementation of information security in products is the responsibility of the IT developers.

344 When a user employs a client-side digital certificate to authenticate to a web server through Secure Socket Layer (SSI.), confidentiality is MOST vulnerable to which of the following? A. IP spoofing B. Man-in-the-middle attack C. Repudiation D. Trojan

D Explanation: A Trojan is a program that gives the attacker full control over the infected computer, thus allowing the attacker to hijack, copy or alter information after authentication by the user. IP spoofing will not work because IP is not used as an authentication mechanism. Man-in-the-middle attacks are not possible if using SSL with client-side certificates. Repudiation is unlikely because client-side certificates authenticate the user. 163

318 A border router should be placed on which of the following? A. Web server B. IDS server C. Screened subnet D. Domain boundary

D Explanation: A border router should be placed on a (security) domain boundary. Placing it on a web server or screened subnet, which is a demilitarized zone (DMZ) would not provide any protection. Border routers are positioned on the boundary of the network, but do not reside on a server.

297 On which of the following should a firewall be placed? A. Web server B. Intrusion detection system (IDS) server C. Screened subnet D. Domain boundary

D Explanation: A firewall should be placed on a (security) domain boundary. Placing it on a web server or screened subnet, which is a demilitarized zone (DMZ), does not provide any protection. Since firewalls should be installed on hardened servers with minimal services enabled, it is inappropriate to have the firewall and the intrusion detection system (IDS) on the same physical device.

167 Which of the following is the MOST appropriate use of gap analysis? A. Evaluating a business impact analysis (BIA) B. Developing a balanced business scorecard C. Demonstrating the relationship between controls D. Measuring current state vs. desired future state

D Explanation: A gap analysis is most useful in addressing the differences between the current state and an ideal future state. It is not as appropriate for evaluating a business impact analysis (BIA), developing a balanced business scorecard or demonstrating the relationship between variables.

385 Which of the following guarantees that data in a file have not changed? A. Inspecting the modified date of the file B. Encrypting the file with symmetric encryption C. Using stringent access control to prevent unauthorized access D. Creating a hash of the file, then comparing the file hashes

D Explanation: A hashing algorithm can be used to mathematically ensure that data haven't been changed by hashing a file and comparing the hashes after a suspected change.

400 Which of the following change management activities would be a clear indicator that normal operational procedures require examination? A high percentage of: A. similar change requests. B. change request postponements. C. canceled change requests. D. emergency change requests.

D Explanation: A high percentage of emergency change requests could be caused by changes that are being introduced at the last minute to bypass normal chance management procedures. Similar requests, postponements and canceled requests all are indicative of a properly functioning change management process.

238 What does a network vulnerability assessment intend to identify? A. 0-day vulnerabilities B. Malicious software and spyware C. Security design flaws D. Misconfiguration and missing updates

D Explanation: A network vulnerability assessment intends to identify known vulnerabilities based on common misconfigurations and missing updates. 0-day vulnerabilities by definition are not previously known and therefore are undetectable. Malicious software and spyware are normally addressed through antivirus and antispyware policies. Security design flaws require a deeper level of analysis.

582 Detailed business continuity plans should be based PRIMARILY on: A. consideration of different alternatives. B. the solution that is least expensive. C. strategies that cover all applications. D. strategies validated by senior management.

D Explanation: A recovery strategy identifies the best way to recover a system in ease of disaster and provides guidance based on detailed recovery procedures that can be developed. Different strategies should be developed and all alternatives presented to senior management. Senior management should select the most appropriate strategy from the alternatives provided. The selected strategy should be used for further development of the detailed business continuity plan. The selection of strategy depends on criticality of the business process and applications supporting the processes. It need not necessarily cover all applications. All recovery strategies have associated costs, which include costs of preparing for disruptions and putting them to use in the event of a disruption. The latter can be insured against, but not the former. The best recovery option need not be the least expensive.

510 Data owners will determine what access and authorizations users will have by: A. delegating authority to data custodian. B. cloning existing user accounts. C. determining hierarchical preferences. D. mapping to business needs.

D Explanation: Access and authorizations should be based on business needs. Data custodians implement the decisions made by data owners. Access and authorizations are not to be assigned by cloning existing user accounts or determining hierarchical preferences. By cloning, users may obtain more access rights and privileges than is required to do their job. Hierarchical preferences may be based on individual preferences and not on business needs.

352 An organization without any formal information security program that has decided to implement information security best practices should FIRST: A. invite an external consultant to create the security strategy. B. allocate budget based on best practices. C. benchmark similar organizations. D. define high-level business security requirements.

D Explanation: All four options are valid steps in the process of implementing information security best practices; however, defining high-level business security requirements should precede the others because the implementation should be based on those security requirements.

473 The configuration management plan should PRIMARILY be based upon input from: A. business process owners. B. the information security manager. C. the security steering committee. D. IT senior management.

D Explanation: Although business process owners, an information security manager and the security steering committee may provide input regarding a configuration management plan, its final approval is the primary responsibility of IT senior management.

253 Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset? A. Manager B. Custodian C. User D. Owner

D Explanation: Although the information owner may be in a management position and is also considered a user, the information owner role has the responsibility for determining information classification levels. Management is responsible for higher-level issues such as providing and approving budget, supporting activities, etc. The information custodian is responsible for day-to-day security tasks such as protecting information, backing up information, etc. Users are the lowest level. They use the data, but do not classify the data. The owner classifies the data.

372 When speaking to an organization's human resources department about information security, an information security manager should focus on the need for: A. an adequate budget for the security program. B. recruitment of technical IT employees. C. periodic risk assessments. D. security awareness training for employees.

D Explanation: An information security manager has to impress upon the human resources department the need for security awareness training for all employees. Budget considerations are more of an 176 accounting function. The human resources department would become involved once they are convinced for the need of security awareness training. Recruiting lT-savvy staff may bring in new employees with better awareness of information security, but that is not a replacement for the training requirements of the other employees. Periodic risk assessments may or may not involve the human resources department function.

439 What is the BEST way to ensure users comply with organizational security requirements for password complexity? A. Include password construction requirements in the security standards B. Require each user to acknowledge the password requirements C. Implement strict penalties for user noncompliance D. Enable system-enforced password configuration

D Explanation: Automated controls are generally more effective in preventing improper actions. Policies and standards provide some deterrence, but are not as effective as automated controls.

509 Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)? A. Card-key door locks B. Photo identification C. Biometric scanners D. Awareness training

D Explanation: Awareness training would most likely result in any attempted tailgating being challenged by the authorized employee. The other choices are physical controls which by themselves would not be effective against tailgating.

263 To ensure that payroll systems continue on in an event of a hurricane hitting a data center, what would be the FIRS T crucial step an information security manager would take in ensuring business 124 continuity planning? A. Conducting a qualitative and quantitative risk analysis. B. Assigning value to the assets. C. Weighing the cost of implementing the plan vs. financial loss. D. Conducting a business impact analysis (BIA).

D Explanation: BIA is an essential component of an organization's business continuity plan; it includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk. It is the first crucial step in business continuity planning. Qualitative and quantitative risk analysis will have been completed to define the dangers to individuals, businesses and government agencies posed by potential natural and human-caused adverse events. Assigning value to assets is part of the BIA process. Weighing the cost of implementing the plan vs. financial loss is another part of the BIA.

212 Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a large, multinational enterprise? A. Strategic business plan B. Upcoming financial results C. Customer personal information D. Previous financial results

D Explanation: Previous financial results are public; all of the other choices are private information and should only be accessed by authorized entities.

599 To justify the establishment of an incident management team, an information security manager would find which of the following to be the MOST effective? A. Assessment of business impact of past incidents B. Need of an independent review of incident causes C. Need for constant improvement on the security level D. Possible business benefits from incident impact reduction

D Explanation: Business benefits from incident impact reduction would be the most important goal for establishing an incident management team. The assessment of business impact of past incidents would need to be completed to articulate the benefits. Having an independent review benefits the incident management process. The need for constant improvement on the security level is a benefit to the organization.

437 Data owners are normally responsible for which of the following? A. Applying emergency changes to application data B. Administering security over database records C. Migrating application code changes to production D. Determining the level of application security required

D Explanation: Data owners approve access to data and determine the degree of protection that should be applied (data classification). Administering database security, making emergency changes to data and migrating code to production are infrastructure tasks performed by custodians of the data.

392 The MOST appropriate individual to determine the level of information security needed for a specific business application is the: A. system developer. B. information security manager. C. steering committee. D. system data owner.

D Explanation: Data owners are the most knowledgeable of the security needs of the business application for which they are responsible. The system developer, security manager and system custodian will have specific knowledge on limited areas but will not have full knowledge of the business issues that affect the level of security required. The steering committee does not perform at that level of detail on the operation. 186

481 Managing the life cycle of a digital certificate is a role of a(n): A. system administrator. B. security administrator. C. system developer. D. independent trusted source.

D Explanation: Digital certificates must be managed by an independent trusted source in order to maintain trust in their authenticity. The other options are not necessarily entrusted with this capability.

294 Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender? A. Biometric authentication B. Embedded steganographic C. Two-factor authentication D. Embedded digital signature

D Explanation: Digital signatures ensure that transmitted information can be attributed to the named sender; this provides nonrepudiation. Steganographic techniques are used to hide messages or data within 139 other files. Biometric and two-factor authentication is not generally used to protect internet data transmissions.

388 Nonrepudiation can BEST be ensured by using: A. strong passwords. B. a digital hash. C. symmetric encryption. D. digital signatures.

D Explanation: Digital signatures use a private and public key pair, authenticating both parties. The integrity of the contents exchanged is controlled through the hashing mechanism that is signed by the private key of the exchanging party. A digital hash in itself helps in ensuring integrity of the contents, but not nonrepudiation. Symmetric encryption wouldn't help in nonrepudiation since the keys are always shared between parties. Strong passwords only ensure authentication to the system and cannot be used for nonrepudiation involving two or more parties. 184 Topic 4, INFORMATION SECURITY PROGRAM MANAGEMENT

552 Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided hot site? A. Tests are scheduled on weekends B. Network IP addresses are predefined C. Equipment at the hot site is identical D. Business management actively participates

D Explanation: Disaster recovery testing requires the allocation of sufficient resources to be successful. Without the support of management, these resources will not be available, and testing will suffer as a result. Testing on weekends can be advantageous but this is not the most important choice. As vendor-provided hot sites are in a state of constant change, it is not always possible to have network addresses defined in advance. Although it would be ideal to provide for identical equipment at the hot site, this is not always practical as multiple customers must be served and equipment specifications will therefore vary.

586 Emergency actions are taken at the early stage of a disaster with the purpose of preventing injuries or loss of life and: A. determining the extent of property damage. B. preserving environmental conditions. C. ensuring orderly plan activation. D. reducing the extent of operational damage.

D Explanation: During an incident, emergency actions should minimize or eliminate casualties and damage to the business operation, thus reducing business interruptions. Determining the extent of property damage is not the consideration; emergency actions should minimize, not determine, the extent of the damage. Protecting/preserving environmental conditions may not be relevant. Ensuring orderly plan activation is important but not as critical as reducing damage to the operation.

406 Nonrepudiation can BEST be assured by using: A. delivery path tracing. B. reverse lookup translation. C. out-of-hand channels. 192 D. digital signatures.

D Explanation: Effective nonrepudiation requires the use of digital signatures. Reverse lookup translation involves converting Internet Protocol (IP) addresses to usernames. Delivery path tracing shows the route taken but does not confirm the identity of the sender. Out-of-band channels are useful when, for confidentiality, it is necessary to break a message into two parts that are sent by different means.

257 Which of the following is the BEST method to ensure the overall effectiveness of a risk management program? A. User assessments of changes B. Comparison of the program results with industry standards C. Assignment of risk within the organization D. Participation by all members of the organization

D Explanation: Effective risk management requires participation, support and acceptance by all applicable members of the organization, beginning with the executive levels. Personnel must understand their responsibilities and be trained on how to fulfill their roles.

550 The FIRST priority when responding to a major security incident is: A. documentation. B. monitoring. C. restoration. D. containment.

D Explanation: The first priority in responding to a security incident is to contain it to limit the impact. Documentation, monitoring and restoration are all important, but they should follow containment.

520 Which of the following would raise security awareness among an organization's employees? A. Distributing industry statistics about security incidents B. Monitoring the magnitude of incidents C. Encouraging employees to behave in a more conscious manner D. Continually reinforcing the security policy

D Explanation: Employees must be continually made aware of the policy and expectations of their behavior. Choice A would have little relevant bearing on the employee's behavior. Choice B does not involve the employees. Choice C could be an aspect of continual reinforcement of the security policy.

491 What is the BEST way to ensure data protection upon termination of employment? A. Retrieve identification badge and card keys B. Retrieve all personal computer equipment C. Erase all of the employee's folders D. Ensure all logical access is removed

D Explanation: Ensuring all logical access is removed will guarantee that the former employee will not be able to access company data and that the employee's credentials will not be misused. Retrieving identification badge and card keys would only reduce the capability to enter the building. Retrieving the personal computer equipment and the employee's folders are necessary tasks, but that should be done as a second step.

570 Which of the following are the MOST important criteria when selecting virus protection software? A. Product market share and annualized cost B. Ability to interface with intrusion detection system (IDS) software and firewalls C. Alert notifications and impact assessments for new viruses D. Ease of maintenance and frequency of updates

D Explanation: For the software to be effective, it must be easy to maintain and keep current. Market share and annualized cost, links to the intrusion detection system (IDS) and automatic notifications are all secondary in nature.

413 What is the BEST way to ensure that an intruder who successfully penetrates a network will be detected before significant damage is inflicted? 195 A. Perform periodic penetration testing B. Establish minimum security baselines C. Implement vendor default settings D. Install a honeypot on the network

D Explanation: Honeypots attract hackers away from sensitive systems and files. Since honeypots are closely monitored, the intrusion is more likely to be detected before significant damage is inflicted. Security baselines will only provide assurance that each platform meets minimum criteria. Penetration testing is not as effective and can only be performed sporadically. Vendor default settings are not effective.

335 Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network? 158 A. Configuration of firewalls B. Strength of encryption algorithms C. Authentication within application D. Safeguards over keys

D Explanation: If keys are in the wrong hands, documents will be able to be read regardless of where they are on the network. Choice A is incorrect because firewalls can be perfectly configured, but if the keys make it to the other side, they will not prevent the document from being decrypted. Choice B is incorrect because even easy encryption algorithms require adequate resources to break, whereas encryption keys can be easily used. Choice C is incorrect because the application "front door" controls may be bypassed by accessing data directly.

538 Which of the following is the BEST approach to mitigate online brute-force attacks on user accounts? A. Passwords stored in encrypted form B. User awareness C. Strong passwords that are changed periodically D. Implementation of lock-out policies

D Explanation: Implementation of account lock-out policies significantly inhibits brute-force attacks. In cases where this is not possible, strong passwords that are changed periodically would be an appropriate choice. Passwords stored in encrypted form w ill not defeat an online brute-force attack if the password itself is easily guessed. User awareness would help but is not the best approach of the options given.

193 The valuation of IT assets should be performed by: A. an IT security manager. B. an independent security consultant. C. the chief financial officer (CFO). D. the information owner.

D Explanation: Information asset owners are in the best position to evaluate the value added by the IT asset under review within a business process, thanks to their deep knowledge of the business processes and of the functional IT requirements. An IT security manager is an expert of the IT risk assessment methodology and IT asset valuation mechanisms. However, the manager could not have a deep understanding of all the business processes of the firm. An IT security subject matter expert will take part of the process to identify threats and vulnerabilities and will collaborate with the business information asset owner to define the risk profile of the asset. A chief financial officer (CFO) will have an overall costs picture but not detailed enough to evaluate the value of each IT asset.

483 Change management procedures to ensure that disaster recovery/business continuity plans are kept up-to- date can be BEST achieved through which of the following? A. Reconciliation of the annual systems inventory to the disaster recovery, business continuity plans B. Periodic audits of the disaster recovery/business continuity plans C. Comprehensive walk-through testing D. Inclusion as a required step in the system life cycle process

D Explanation: Information security should be an integral component of the development cycle; thus, it should be included at the process level. Choices A, B and C are good mechanisms to ensure compliance, but would not be nearly as timely in ensuring that the plans are always up-to-date. Choice D is a preventive control, while choices A, B and C are detective controls.

544 Which of the following is the FIRST phase in which security should be addressed in the development cycle of a project? A. Design B. Implementation C. Application security testing D. Feasibility

D Explanation: Information security should be considered at the earliest possible stage. Security requirements must be defined before you enter into design specification, although changes in design may alter these requirements later on. Security requirements defined during system implementation are typically costly add-ons that are frequently ineffective. Application security testing occurs after security has been implemented. Topic 5, INCIDENT MANAGEMENT AND RESPONSE

153 Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)? A. Gap analysis B. Regression analysis C. Risk analysis D. Business impact analysis

D Explanation: Recovery time objectives (RTOs) are a primary deliverable of a business impact analysis. RTOs relate to the financial impact of a system not being available. A gap analysis is useful in addressing the differences between the current state and an ideal future state. Regression analysis is used to test changes to program modules. Risk analysis is a component of the business impact analysis.

445 Which of the following is the MOST important action to take when engaging third-party consultants to conduct an attack and penetration test? A. Request a list of the software to be used B. Provide clear directions to IT staff C. Monitor intrusion detection system (IDS) and firewall logs closely D. Establish clear rules of engagement

D Explanation: It is critical to establish a clear understanding on what is permissible during the engagement. Otherwise, the tester may inadvertently trigger a system outage or inadvertently corrupt files. Not as important, but still useful, is to request a list of what software will be used. As for monitoring the intrusion detection system (IDS) and firewall, and providing directions to IT staff, it is better not to alert those responsible for monitoring (other than at the management level), so that the effectiveness of that monitoring can be accurately assessed.

189 The service level agreement (SLA) for an outsourced IT function does not reflect an adequate level of protection. In this situation an information security manager should: A. ensure the provider is made liable for losses. B. recommend not renewing the contract upon expiration. C. recommend the immediate termination of the contract. D. determine the current level of security.

D Explanation: It is important to ensure that adequate levels of protection are written into service level agreements (SLAs) and other outsourcing contracts. Information must be obtained from providers to determine how that outsource provider is securing information assets prior to making any recommendation or taking any action in order to support management decision making. Choice A is not acceptable in most situations and therefore not a good answer.

470 What is the MOST important element to include when developing user security awareness material? A. Information regarding social engineering B. Detailed security policies C. Senior management endorsement D. Easy-to-read and compelling information

D Explanation: Making security awareness material easy and compelling to read is the most important success factor. Users must be able to understand, in easy terms, complex security concepts in a way that makes compliance more accessible. Choice A would also be important but it needs to be presented in an adequate format. Detailed security policies might not necessarily be included in the training materials. Senior management endorsement is important for the security program as a whole and not necessarily for the awareness training material.

501 An organization's information security manager has been asked to hire a consultant to help assess the maturity level of the organization's information security management. The MOST important element of the request for proposal (RI P) is the: A. references from other organizations. B. past experience of the engagement team. C. sample deliverable. D. methodology used in the assessment.

D Explanation: Methodology illustrates the process and formulates the basis to align expectations and the execution of the assessment. This also provides a picture of what is required of all parties involved in the assessment. References from other organizations are important, but not as important as the methodology used in the assessment. Past experience of the engagement team is not as important as the methodology used. Sample deliverables only tell how the assessment is presented, not the process.

316 What is an appropriate frequency for updating operating system (OS) patches on production servers? A. During scheduled rollouts of new applications B. According to a fixed security patch management schedule C. Concurrently with quarterly hardware maintenance D. Whenever important security patches are released

D Explanation: Patches should be applied whenever important security updates are released. They should not be delayed to coincide with other scheduled rollouts or maintenance. Due to the possibility of creating a system outage, they should not be deployed during critical periods of application activity such as month-end or quarter-end closing.

429 Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack? A. Utilize an intrusion detection system. B. Establish minimum security baselines. C. Implement vendor recommended settings. D. Perform periodic penetration testing.

D Explanation: Penetration testing is the best way to assure that perimeter security is adequate. An intrusion detection system (IDS) may detect an attempted attack, hut it will not confirm whether the perimeter is secured. Minimum security baselines and applying vendor recommended settings are beneficial, but they will not provide the level of assurance that is provided by penetration testing.

418 What is the BEST way to ensure that contract programmers comply with organizational security policies? A. Explicitly refer to contractors in the security standards B. Have the contractors acknowledge in writing the security policies C. Create penalties for noncompliance in the contracting agreement D. Perform periodic security reviews of the contractors

D Explanation: Periodic reviews are the most effective way of obtaining compliance. None of the other options detects the failure of contract programmers to comply.

395 The BEST way to ensure that an external service provider complies with organizational security 187 policies is to: A. Explicitly include the service provider in the security policies. B. Receive acknowledgment in writing stating the provider has read all policies. C. Cross-reference to policies in the service level agreement D. Perform periodic reviews of the service provider.

D Explanation: Periodic reviews will be the most effective way of obtaining compliance from the external service provider. References in policies and service level agreements and requesting written acknowledgement will not be as effective since they will not trigger the detection of noncompliance.

200 Phishing is BEST mitigated by which of the following? A. Security monitoring software B. Encryption C. Two-factor authentication D. User awareness

D Explanation: Phishing can best be detected by the user. It can be mitigated by appropriate user awareness. Security monitoring software would provide some protection, but would not be as effective as user awareness. Encryption and two-factor authentication would not mitigate this threat.

367 Priority should be given to which of the following to ensure effective implementation of information security governance? A. Consultation B. Negotiation C. Facilitation D. Planning

D Explanation: Planning is the key to effective implementation of information security governance. Consultation, negotiation and facilitation come after planning.

155 Which of the following results from the risk assessment process would BEST assist risk management decision making? A. Control risk B. Inherent risk C. Risk exposure D. Residual risk

D Explanation: Residual risk provides management with sufficient information to decide to the level of risk that an organization is willing to accept. Control risk is the risk that a control may not succeed in preventing an undesirable event. Risk exposure is the likelihood of an undesirable event occurring. Inherent risk is an important factor to be considered during the risk assessment.

521 Which of the following is the MOST appropriate method of ensuring password strength in a large organization? A. Attempt to reset several passwords to weaker values B. Install code to capture passwords for periodic audit C. Sample a subset of users and request their passwords for review D. Review general security settings on each platform

D Explanation: Reviewing general security settings on each platform will be the most efficient method for determining password strength while not compromising the integrity of the passwords. Attempting to reset several passwords to weaker values may not highlight certain weaknesses. Installing code to capture passwords for periodic audit, and sampling a subset of users and requesting their passwords for review, would compromise the integrity of the passwords.

213 The PRIMARY purpose of using risk analysis within a security program is to: A. justify the security expenditure. B. help businesses prioritize the assets to be protected. C. inform executive management of residual risk value. D. assess exposures and plan remediation.

D Explanation: Risk analysis explores the degree to which an asset needs protecting so this can be managed effectively. Risk analysis indirectly supports the security expenditure, but justifying the security expenditure is not its primary purpose. Helping businesses prioritize the assets to be protected is an indirect benefit of risk analysis, but not its primary purpose. Informing executive management of residual risk value is not directly relevant.

208 Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project? A. Programming B. Specification C. User testing D. Feasibility

D Explanation: Risk should be addressed as early as possible in the development cycle. The feasibility study should include risk assessment so that the cost of controls can be estimated before the project proceeds. Risk should also be considered in the specification phase where the controls are designed, but this would still be based on the assessment carried out in the feasibility study. Assessment would not be relevant in choice A or C.

159 A risk assessment should be conducted: 76 A. once a year for each business process and subprocess. B. every three to six months for critical business processes. C. by external parties to maintain objectivity. D. annually or whenever there is a significant change.

D Explanation: Risks are constantly changing. Choice D offers the best alternative because it takes into consideration a reasonable time frame and allows flexibility to address significant change. Conducting a risk assessment once a year is insufficient if important changes take place. Conducting a risk assessment every three-to-six months for critical processes may not be necessary, or it may not address important changes in a timely manner. It is not necessary for assessments to be performed by external parties.

515 An organization has implemented an enterprise resource planning (ERP) system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate? A. Rule-based B. Mandatory C. Discretionary D. Role-based

D Explanation: Role-based access control is effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles. Rule-based access control needs to define the access rules, which is troublesome and error prone in large organizations. In mandatory access control, the individual's access to information resources needs to be defined, which is troublesome in large organizations. In discretionary access control, users have access to resources based on predefined sets of principles, which is an inherently insecure approach.

407 Of the following, the BEST method for ensuring that temporary employees do not receive excessive access rights is: A. mandatory access controls. B. discretionary access controls. C. lattice-based access controls. D. role-based access controls.

D Explanation: Role-based access controls will grant temporary employee access based on the job function to be performed. This provides a better means of ensuring that the access is not more or less than what is required. Discretionary, mandatory and lattice-based access controls are all security models, hut they do not address the issue of temporary employees as well as role-based access controls.

394 Which of the following is the MOST likely to change an organization's culture to one that is more security conscious? A. Adequate security policies and procedures B. Periodic compliance reviews C. Security steering committees D. Security awareness campaigns

D Explanation: Security awareness campaigns will be more effective at changing an organizational culture than the creation of steering committees and security policies and procedures. Compliance reviews are helpful; however, awareness by all staff is more effective because compliance reviews are focused on certain areas groups and do not necessarily educate.

493 Which of the following is the BEST approach for an organization desiring to protect its intellectual property? A. Conduct awareness sessions on intellectual property policy B. Require all employees to sign a nondisclosure agreement C. Promptly remove all access when an employee leaves the organization D. Restrict access to a need-to-know basis

D Explanation: Security awareness regarding intellectual property policy will not prevent violations of this policy. Requiring all employees to sign a nondisclosure agreement and promptly removing all access when an employee leaves the organization are good controls, but not as effective as restricting access to a need-to- know basis.

277 The effectiveness of virus detection software is MOST dependent on which of the following? A. Packet filtering B. Intrusion detection C. Software upgrades D. D. Definition tables 131

D Explanation: The effectiveness of virus detection software depends on virus signatures which are stored in virus definition tables. Software upgrades are related to the periodic updating of the program code, which would not be as critical. Intrusion detection and packet filtering do not focus on virus detection.

441 Which of the following would present the GREATEST risk to information security? A. Virus signature files updates are applied to all servers every day B. Security access logs are reviewed within five business days 208 C. Critical patches are applied within 24 hours of their release D. Security incidents are investigated within five business days

D Explanation: Security incidents are configured to capture system events that are important from the security perspective; they include incidents also captured in the security access logs and other monitoring tools. Although, in some instances, they could wait for a few days before they are researched, from the options given this would have the greatest risk to security. Most often, they should be analyzed as soon as possible. Virus signatures should be updated as often as they become available by the vendor, while critical patches should be installed as soon as they are reviewed and tested, which could occur in 24 hours.

449 Good information security procedures should: A. define the allowable limits of behavior. B. underline the importance of security governance. C. describe security baselines for each platform. D. be updated frequently as new software is released.

D Explanation: Security procedures often have to change frequently to keep up with changes in software. Since a procedure is a how-to document, it must be kept up-to-date with frequent changes in software. A security standard such as platform baselines—defines behavioral limits, not the how-to process; it should not change frequently. High-level objectives of an organization, such as security governance, would normally be addressed in a security policy.

547 A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GRF.ATEST weakness in recovery capability? A. Exclusive use of the hot site is limited to six weeks B. The hot site may have to be shared with other customers C. The time of declaration determines site access priority D. The provider services all major companies in the area

D Explanation: Sharing a hot site facility is sometimes necessary in the case of a major disaster. Also, first come, first served usually determines priority of access based on general industry practice. Access to a hot site is not indefinite; the recovery plan should address a long-term outage. In case of a disaster affecting a localized geographical area, the vendor's facility and capabilities could be insufficient for all of its clients, which will all be competing for the same resource. Preference will likely be given to the larger corporations, possibly delaying the recovery of a branch that will likely be smaller than other clients based locally.

321 What is the BEST defense against a Structured Query Language (SQL) injection attack? A. Regularly updated signature files B. A properly configured firewall C. An intrusion detection system D. Strict controls on input fields

D Explanation: Structured Query Language (SQL) injection involves the typing of programming command statements within a data entry field on a web page, usually with the intent of fooling the application into thinking that a valid password has been entered in the password entry field. The best defense against such an attack is to have strict edits on what can be typed into a data input field so that programming commands will be rejected. Code reviews should also be conducted to ensure that such edits are in place and that there are no inherent weaknesses in the way the code is written; software is available to test for such weaknesses. All other choices would fail to prevent such an attack.

313 Which of the following is MOST important for a successful information security program? A. Adequate training on emerging security technologies B. Open communication with key process owners C. Adequate policies, standards and procedures D. Executive management commitment

D Explanation: Sufficient executive management support is the most important factor for the success of an information security program. Open communication, adequate training, and good policies and 148 procedures, while important, are not as important as support from top management; they will not ensure success if senior management support is not present.

573 Which of the following is MOST closely associated with a business continuity program? A. Confirming that detailed technical recovery plans exist B. Periodically testing network redundancy C. Updating the hot site equipment configuration every quarter D. Developing recovery time objectives (RTOs) for critical functions

D Explanation: Technical recovery plans, network redundancy and equipment needs are all associated with infrastructure disaster recovery. Only recovery time objectives (RTOs) directly relate to business continuity.

309 Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met? A. SWOT analysis B. Waterfall chart C. Gap analysis D. Balanced scorecard

D Explanation: The balanced scorecard is most effective for evaluating the degree to which information security 146 objectives are being met. A SWOT analysis addresses strengths, weaknesses, opportunities and threats. Although useful, a SWOT analysis is not as effective a tool. Similarly, a gap analysis, while useful for identifying the difference between the current state and the desired future state, is not the most appropriate tool. A waterfall chart is used to understand the flow of one process into another.

229 108 The criticality and sensitivity of information assets is determined on the basis of: A. threat assessment. B. vulnerability assessment. C. resource dependency assessment. D. impact assessment.

D Explanation: The criticality and sensitivity of information assets depends on the impact of the probability of the threats exploiting vulnerabilities in the asset, and takes into consideration the value of the assets and the impairment of the value. Threat assessment lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value. Vulnerability assessment lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value. Resource dependency assessment provides process needs but not impact.

594 Which of the following situations would be the MOST concern to a security manager? A. Audit logs are not enabled on a production server B. The logon ID for a terminated systems analyst still exists on the system C. The help desk has received numerous results of users receiving phishing e-mails D. A Trojan was found to be installed on a system administrator's laptop

D Explanation: The discovery of a Trojan installed on a system's administrator's laptop is highly significant since this may mean that privileged user accounts and passwords may have been compromised. The other choices, although important, do not pose as immediate or as critical a threat.

327 Which of the following is the MOST important guideline when using software to scan for security exposures within a corporate network? A. Never use open source tools B. Focus only on production servers C. Follow a linear process for attacks D. Do not interrupt production processes

D Explanation: The first rule of scanning for security exposures is to not break anything. This includes the interruption of any running processes. Open source tools are an excellent resource for performing scans. Scans should focus on both the test and production environments since, if compromised, the test environment could be used as a platform from which to attack production servers. Finally, the process of scanning for exposures is more of a spiral process than a linear process.

194 The PRIMARY objective of a risk management program is to: A. minimize inherent risk. B. eliminate business risk. C. implement effective controls. D. minimize residual risk.

D Explanation: The goal of a risk management program is to ensure that residual risk remains within manageable levels. Management of risk does not always require the removal of inherent risk nor is this always possible. A possible benefit of good risk management is to reduce insurance premiums, but this is 92 not its primary intention. Effective controls are naturally a clear objective of a risk management program, but with the choices given, choice C is an incomplete answer.

269 Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system? A. Performing a business impact analysis (BIA) B. Considering personal information devices as pan of the security policy C. Initiating IT security training and familiarization D. Basing the information security infrastructure on risk assessment

D Explanation: The information security infrastructure should be based on risk. While considering personal 127 information devices as part of the security policy may be a consideration, it is not the most important requirement. A BIA is typically carried out to prioritize business processes as part of a business continuity plan. Initiating IT security training may not be important for the purpose of the information security infrastructure.

484 When a new key business application goes into production, the PRIMARY reason to update relevant business impact analysis (BIA) and business continuity/disaster recovery plans is because: A. this is a requirement of the security policy. B. software licenses may expire in the future without warning. C. the asset inventory must be maintained. D. service level agreements may not otherwise be met.

D Explanation: The key requirement is to preserve availability of business operations. Choice A is a correct compliance requirement, but is not the main objective in this case. Choices B and C are supplementary requirements for business continuity/disaster recovery planning.

487 Before engaging outsourced providers, an information security manager should ensure that the organization's data classification requirements: A. are compatible with the provider's own classification. B. are communicated to the provider. C. exceed those of the outsourcer. D. are stated in the contract.

D Explanation: The most effective mechanism to ensure that the organization's security standards are met by a third party, would be a legal agreement. Choices A. B and C are acceptable options, but not as comprehensive or as binding as a legal contract.

566 The PRIMARY purpose of installing an intrusion detection system (IDS) is to identify: A. weaknesses in network security. B. patterns of suspicious access. C. how an attack was launched on the network. D. potential attacks on the internal network.

D Explanation: The most important function of an intrusion detection system (IDS) is to identify potential attacks on the network. Identifying how the attack was launched is secondary. It is not designed specifically to identify weaknesses in network security or to identify patterns of suspicious logon attempts.

568 Which of the following is the BEST way to verify that all critical production servers are utilizing upto- date virus signature files? A. Verify the date that signature files were last pushed out B. Use a recently identified benign virus to test if it is quarantined C. Research the most recent signature file and compare to the console D. Check a sample of servers that the signature files are current

D Explanation: The only accurate way to check the signature files is to look at a sample of servers. The fact that an update was pushed out to a server does not guarantee that il was properly loaded onto that server. Checking the vendor information to the management console would still not be indicative as to whether the file was properly loaded on the server. Personnel should never release a virus, no matter how benign.

583 A web server in a financial institution that has been compromised using a super-user account has been isolated, and proper forensic processes have been followed. The next step should be to: A. rebuild the server from the last verified backup. B. place the web server in quarantine. C. shut down the server in an organized manner. D. rebuild the server with original media and relevant patches.

D Explanation: The original media should be used since one can never be sure of all the changes a super-user may have made nor the timelines in which these changes were made. Rebuilding from the last known verified backup is incorrect since the verified backup may have been compromised by the super-user at a different time. Placing the web server in quarantine should have already occurred in the forensic process. Shut down in an organized manner is out of sequence and no longer a problem. The forensic process is already finished and evidence has already been acquired.

245 The MOST appropriate owner of customer data stored in a central database, used only by an organization's sales department, would be the: A. sales department. B. database administrator. C. chief information officer (CIO). D. head of the sales department.

D Explanation: The owner of the information asset should be the person with the decision-making power in the department deriving the most benefit from the asset. In this case, it would be the head of the sales department. The organizational unit cannot be the owner of the asset because that removes personal responsibility. The database administrator is a custodian. The chief information officer (CIO) would not be an owner of this database because the CTO is less likely to be knowledgeable about the specific needs of sales operations and security concerns.

477 Which of the following would be the MOST significant security risk in a pharmaceutical institution? A. Compromised customer information B. Unavailability of online transactions C. Theft of security tokens D. Theft of a Research and Development laptop

D Explanation: The research and development department is usually the most sensitive area of the pharmaceutical organization, Theft of a laptop from this area could result in the disclosure of sensitive formulas and other intellectual property which could represent the greatest security breach. A pharmaceutical organization does not normally have direct contact with end customers and their transactions are not time critical: therefore, compromised customer information and unavailability of online transactions are not the most significant security risks. Theft of security tokens would not be as significant since a pin would still be required for their use.

135 What is the MAIN risk when there is no user management representation on the Information Security Steering Committee? A. Functional requirements are not adequately considered. B. User training programs may be inadequate. C. Budgets allocated to business units are not appropriate. D. Information security plans are not aligned with business requirements

D Explanation: The steering committee controls the execution of the information security strategy, according to the needs of the organization, and decides on the project prioritization and the execution plan. User management is an important group that should be represented to ensure that the information 65 security plans are aligned with the business needs. Functional requirements and user training programs are considered to be part of the projects but are not the main risks. The steering committee does not approve budgets for business units.

147 For risk management purposes, the value of an asset should be based on: A. original cost. B. net cash flow. C. net present value. D. replacement cost.

D Explanation: The value of a physical asset should be based on its replacement cost since this is the amount that would be needed to replace the asset if it were to become damaged or destroyed. Original cost may be significantly different than the current cost of replacing the asset. Net cash flow and net present value do not accurately reflect the true value of the asset.

384 For virtual private network (VPN) access to the corporate network, the information security manager is requiring strong authentication. Which of the following is the strongest method to ensure that logging onto the network is secure? A. Biometrics B. Symmetric encryption keys C. Secure Sockets Layer (SSL)-based authentication D. Two-factor authentication

D Explanation: Two-factor authentication requires more than one type of user authentication. While biometrics provides unique authentication, it is not strong by itself, unless a PIN or some other authentication factor is used with it. Biometric authentication by itself is also subject to replay attacks. A symmetric encryption method that uses the same secret key to encrypt and decrypt data is not a 182 typical authentication mechanism for end users. This private key could still be compromised. SSL is the standard security technology for establishing an encrypted link between a web server and a browser. SSL is not an authentication mechanism. If SSL is used with a client certificate and a password, it would be a two-factor authentication.

299 Access control to a sensitive intranet application by mobile users can BEST be implemented through: A. data encryption. B. digital signatures. C. strong passwords. D. two-factor authentication.

D Explanation: Two-factor authentication through the use of strong passwords combined with security tokens provides the highest level of security. Data encryption, digital signatures and strong passwords do not provide the same level of protection.

361 The PRIMARY objective of an Internet usage policy is to prevent: A. access to inappropriate sites. B. downloading malicious code. C. violation of copyright laws. D. disruption of Internet access.

D Explanation: Unavailability of Internet access would cause a business disruption. The other three objectives are secondary. 171

424 Which of the following will BEST protect against malicious activity by a former employee? A. Preemployment screening B. Close monitoring of users C. Periodic awareness training D. Effective termination procedures

D Explanation: When an employee leaves an organization, the former employee may attempt to use their credentials to perform unauthorized or malicious activity. Accordingly, it is important to ensure timely revocation of all access at the time an individual is terminated. Security awareness training, preemployment screening and monitoring are all important, but are not as effective in preventing this type of situation.

243 Which of (lie following would be the MOST relevant factor when defining the information classification policy? A. Quantity of information B. Available IT infrastructure C. Benchmarking D. Requirements of data owners

D Explanation: When defining the information classification policy, the requirements of the data owners need to be identified. The quantity of information, availability of IT infrastructure and benchmarking may be part of the scheme after the fact and would be less relevant. 115

CISM Study Guide

Related study sets

Network Operations

Biology: MIDTERM Photosynthesis

PEDs Chapt 16 Nursing Care of the Child with a Neurologic Disorder

405 ch 6-10

Basic Word in Ulum Hadis

Chapter 10 - School Health

PrepU Chap24: Asepsis and Infection Control

punctuation quiz #3

Schedule Management-PMP

Test 3 Quizzes

Econ Exam

ECON 202: quiz 2

Optics - multiple choice

Fire & Stars

AHL120 Class Cram

Chapter 3

OB chapter 15

digital forensics - module 14

Anatomy Skeletal System

Headway Intermediate 5th edition Unit 12