CISM Practice Question 2010 Session 5
++++++++++
Q01
At what stage of the applications development process would encryption key management initially be addressed?
A. Requirements development
B. Deployment
C. Systems testing
D. Code reviews
A is correct
Encryption key management has to be integrated into the requirements of the application's design.
During systems testing and deployment would be too late since the requirements have already been agreed upon.
Code reviews are part of the final quality assurance (QA) process and would also be too late in the process.
++++++++++
Q2
Of the following, which is the MOST important aspect of forensic investigations?
A. The independence of the investigator
B. Timely intervention
C. Identifying the perpetrator
D. Chain of custody
D is correct
Establishing the chain of custody is one of the most important steps in conducting forensic investigations since it preserves the evidence in a manner that is admissible in court.
The independence of the investigator may be important, but is not the most important aspect.
Timely intervention is important for containing incidents, but not as important for forensic investigation.
Identifying the perpetrator is important, but maintaining the chain of custody is more important in order to have the perpetrator convicted in court.
++++++++++
Q3
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
A. storage capacity and shelf life.
B. regulatory and legal requirements.
C. business strategy and direction.
D. application systems and media.
D is correct
Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover.
Business strategy and direction do not generally apply, nor do legal and regulatory requirements.
Storage capacity and shelf life are important but secondary issues.
++++++++++
Q04
What is the MAIN drawback of e-mailing password-protected zip files across the Internet? They:
A. all use weak encryption.
B. are decrypted by the firewall.
C. may be quarantined by mail filters.
D. may be corrupted by the receiving mail server.
C is correct
Often, mail filters will quarantine zip files that are password-protected since the filter (or the firewall) is unable to determine if the file contains malicious code.
Many zip file products are capable of using strong encryption. Such files are not normally corrupted by the sending mail server.
++++++++++
Q05
Which item would be the BEST to include in the information security awareness training program for new general staff employees?
A. Review of various security models
B. Discussion of how to construct strong passwords
C. Review of roles that have privileged access
D. Discussion of vulnerability assessment results
B is correct
All new employees will need to understand techniques for the construction of strong passwords.
The other choices would not be applicable to general staff employees.
++++++++++
Q06
In organizations where availability is a primary concern, the MOST critical success factor of the patch management procedure would be the:
A. testing time window prior to deployment.
B. technical skills of the team responsible.
C. certification of validity for deployment.
D. automated deployment to all the servers.
A is correct
Having the patch tested prior to implementation on critical systems is an absolute prerequisite where availability is a primary concern because deploying patches that could cause a system to fail could be worse than the vulnerability corrected by the patch.
It makes no sense to deploy patches on every system. Vulnerable systems should be the only candidate for patching.
Patching skills are not required since patches are more often applied via automated tools.
++++++++++
Q07
An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:
A. ensure that security processes are consistent across the organization.
B. enforce baseline security levels across the organization.
C. ensure that security processes are fully documented.
D. implement monitoring of key performance indicators for security processes.
A is correct
The organization first needs to move from ad hoc to repeatable processes.
The organization then needs to document the processes and implement process monitoring and measurement.
Baselining security levels will not necessarily assist in process improvement since baselining focuses primarily on control improvement.
The organization needs to standardize processes both before documentation, and before monitoring and measurement.
++++++++++
Q08
A major trading partner with access to the internal network is unwilling or unable to remediate serious information security exposures within its environment. Which of the following is the BEST recommendation?
A. Sign a legal agreement assigning them all liability for any breach
B. Remove all trading partner access until the situation improves
C. Set up firewall rules restricting network traffic from that location
D. Send periodic reminders advising them of their noncompliance
C is correct
It is incumbent on an information security manager to see to the protection of their organization's network, but to do so in a manner that does not adversely affect the conduct of business. This can be accomplished by adding specific traffic restrictions for that particular location.
Removing all access will likely result in lost business.
Agreements and reminders do not protect the integrity of the network.
++++++++++
Q09
Which of the following events generally has the highest information security impact?
A. Opening a new office
B. Merging with another organization
C. Relocating the data center
D. Rewiring the network
B is correct
Merging with or acquiring another organization causes a major impact on an information security management function because new vulnerabilities and risks are inherited.
Opening a new office, moving the data center to a new site, or rewiring a network may have information security risks, but generally comply with corporate security policy and are easier to secure.
++++++++++
Q10
At what point should a risk assessment of a new process occur to determine appropriate controls? It should occur:
A. only at the beginning and at the end of the new process.
B. during the entire life cycle of the process.
C. at the appropriate point since timing of assessments will differ for processes.
D. depending upon laws and regulations.
B is correct
A risk assessment should be conducted during the entire life cycle of a new or a changed process. This allows an understanding of how implementation of an early control will affect control needs later on in a process.
++++++++++
Q11
In assessing risk, it is MOST essential to:
A. provide equal coverage for all asset types.
B. use benchmarking data from similar organizations.
C. consider both monetary value and likelihood of loss.
D. focus primarily on threats and recent business losses.
C is correct
A risk analysis should take into account the potential financial impact and likelihood of a loss.
It should not weigh all potential losses evenly, nor should it focus primarily on recent losses or losses experienced by similar firms.
Although this is important supplementary information, it does not reflect the organization's real situation.
Geography and other factors come into play as well.
++++++++++
Q12
Which of the following will BEST prevent an employee from using a USB drive to copy files from desktop computers?
A. Restrict the available drive allocation on all PCs
B. Disable universal serial bus (USB) ports on all desktop devices
C. Conduct frequent awareness training with noncompliance penalties
D. Establish strict access controls to sensitive information
A is correct
Restricting the ability of a PC to allocate new drive letters ensures that universal serial bus (USB) drives or even CD-writers cannot be attached as they would not be recognized by the operating system.
Disabling USB ports on all machines is not practical since mice and other peripherals depend on these connections.
Awareness training and sanctions do not prevent copying of information nor do access controls.
++++++++++
Q13
An intranet server should generally be placed on the:
A. internal network.
B. firewall server.
C. external router.
D. primary domain controller.
A is correct
An intranet server should be placed on the internal network.
Placing it on an external router leaves it defenseless.
Since firewalls should be installed on hardened servers with minimal services enabled, it is inappropriate to store the intranet server on the same physical device as the firewall.
Similarly, primary domain controllers do not normally share the physical device as the intranet server.
++++++++++
Q14
When developing metrics to measure and monitor information security programs, the information security manager should ensure that the metrics reflect the:
A. residual risks.
B. levels of security.
C. security objectives.
D. statistics of security incidents.
C is correct
Metrics should be developed based on security objectives, so they can measure the effectiveness and efficiency of information security controls.
Metrics are not only used to measure the results of the security controls (residual risks and levels of security), but also the attributes of the control implementation.
Not only statistics are collected, but other attributes of the information security controls should also be considered.
++++++++++
Q15
An information security manager is advised by contacts in law enforcement that there is evidence that his/her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:
A. perform a comprehensive assessment of the organization's exposure to the hacker's techniques.
B. initiate awareness training to counter social engineering.
C. immediately advise senior management of the elevated risk.
D. increase monitoring activities to provide early detection of intrusion.
C is correct
Information about possible significant new risks from credible sources should be provided to management along with advice on steps that need to be taken to counter the threat.
The security manager should assess the risk, but senior management should be immediately advised.
It may be prudent to initiate an awareness campaign subsequent to sounding the alarm if awareness training is not current.
Monitoring activities should also be increased.
++++++++++
Q16
In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software?
A. Applying patches
B. Changing access rules
C. Upgrading hardware
D. Backing up files
B is correct
The greatest risk occurs when access rules are changed since they are susceptible to being opened up too much, which can result in the creation of a security exposure.
Security software will generally have a well-controlled process for applying patches, backing up files and upgrading hardware.
++++++++++
Q17
Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?
A. Regular review of access control lists
B. Security guard escort of visitors
C. Visitor registry log at the door
D. A biometric coupled with a PIN
A is correct
A review of access control lists is a detective control that will enable an information security manager to ensure that authorized persons are entering in compliance with corporate policy.
Visitors accompanied by a guard will also provide assurance but may not be cost effective.
A visitor registry is the next cost-effective control.
A biometric coupled with a PIN will strengthen the access control; however, compliance assurance logs will still have to be reviewed.
++++++++++
Q18
Which of the following is generally considered a fundamental component of an information security program?
A. Role-based access control systems
B. Automated access provisioning
C. Security awareness training
D. Intrusion prevention systems (IPSs)
C is correct
Without security awareness training, many components of the security program may not be effectively implemented.
The other options may or may not be necessary, but are discretionary.
++++++++++
Q19
What does a network vulnerability assessment intend to identify?
A. 0-day vulnerabilities
B. Malicious software and spyware
C. Security design flaws
D. Misconfiguration and missing updates
D is correct
A network vulnerability assessment intends to identify known vulnerabilities based on common misconfigurations and missing updates.
0-day vulnerabilities by definition are not previously known and therefore are undetectable.
Malicious software and spyware are normally addressed through antivirus and antispyware policies.
Security design flaws require a deeper level of analysis.
++++++++++
Q20
Which of the following would be the MOST important goal of an information security governance program?
A. Review of internal control mechanisms
B. Effective involvement in business decision making
C. Total elimination of risk factors
D. Ensuring trust in data
D is correct
The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance.
Review of internal control mechanisms relates more to auditing, while the total elimination of risk factors is not practical or possible.
Proactive involvement in business decision making implies that security needs dictate business needs when, in fact, just the opposite is true.
Involvement in decision making is important only to ensure business data integrity so that data can be trusted.
++++++++++
Q21
A company's mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?
A. A penetration test
B. A security baseline review
C. A risk assessment
D. A business impact analysis (BIA)
C is correct
A risk assessment will identify the business impact of such vulnerability being exploited and is, thus, the correct process.
A penetration test or a security baseline review may identify the vulnerability but not the remedy.
A business impact analysis (BIA) will more likely identify the impact of the loss of the mail server.
++++++++++
Q22
Information security policies should:
A. address corporate network vulnerabilities.
B. address the process for communicating a violation.
C. be straightforward and easy to understand.
D. be customized to specific groups and roles.
C is correct
As high-level statements, information security policies should be straightforward and easy to understand.
They are high-level and, therefore, do not address network vulnerabilities directly or the process for communicating a violation.
As policies, they should provide a uniform message to all groups and user roles.
++++++++++
Q23
Which of the following results from the risk assessment process would BEST assist risk management decision making?
A. Control risk
B. Inherent risk
C. Risk exposure
D. Residual risk
D is correct
Residual risk provides management with sufficient information to decide on the level of risk that an organization is willing to accept.
Control risk is the risk that a control may not succeed in preventing an undesirable event.
Risk exposure is the likelihood of an undesirable event occurring.
Inherent risk is an important factor to be considered during the risk assessment.
++++++++++
Q24
An organization has to comply with recently published industry regulatory requirements—compliance that potentially has high implementation costs. What should the information security manager do FIRST?
A. Implement a security committee.
B. Perform a gap analysis.
C. Implement compensating controls.
D. Demand immediate compliance.
B is correct
Since they are regulatory requirements, a gap analysis would be the first step to determine the level of compliance already in place.
Implementing a security committee or compensating controls would not be the first step.
Demanding immediate compliance would not assess the situation.
++++++++++
Q25
A border router should be placed on which of the following?
A. Web server
B. IDS server
C. Screened subnet
D. Domain boundary
D is correct
A border router should be placed on a (security) domain boundary.
Placing it on a web server or screened subnet, which is a demilitarized zone (DMZ), would not provide any protection.
Border routers are positioned on the boundary of the network, but do not reside on a server.
++++++++++
Q26
Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?
A. Continuous analysis, monitoring and feedback
B. Continuous monitoring of the return on security investment (ROSI)
C. Continuous risk reduction
D. Key risk indicator (KRI) setup to security management processes
A is correct
To improve the governance framework and achieve a higher level of maturity, an organization needs to conduct continuous analysis, monitoring and feedback compared to the current state of maturity.
Return on security investment (ROSI) may show the performance result of the security-related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives. Thus, it may not be an adequate option.
Continuous risk reduction would demonstrate the effectiveness of the security governance framework, but does not indicate a higher level of maturity.
Key risk indicator (KRI) setup is a tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
++++++++++
Q27
Which of the following is the BEST method to provide a new user with their initial password for e-mail system access?
A. Interoffice a system-generated complex password with 30 days expiration
B. Give a dummy password over the telephone set for immediate expiration
C. Require no password but force the user to set their own in 10 days
D. Set initial password equal to the user ID with expiration in 30 days
B is correct
A dummy (temporary) password that will need to be changed upon first logon is the best method because it is reset immediately and replaced with the user's choice of password, which will make it easier for the user to remember. If it is given to the wrong person, the legitimate user will likely notify security if still unable to access the system, so the security risk is low.
Documenting the password on paper is not the best method even if sent through interoffice mail—if the password is complex and difficult to memorize, the user will likely keep the printed password and this creates a security concern.
Setting an account with no initial password is a security concern even if it is just for a few days.
Choice D provides the greatest security threat because user IDs are typically known by both users and security staff, thus compromising access for up to 30 days.
++++++++++
Q28
An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage crosstraining. Which type of authorization policy would BEST address this practice?
A. Multilevel
B. Role-based
C. Discretionary
D. Attribute-based
B is correct
A role-based policy will associate data access with the role performed by an individual, thus restricting access to data required to perform the individual's tasks.
Multilevel policies are based on classifications and clearances.
Discretionary policies leave access decisions up to information resource managers.
++++++++++
Q29
In business-critical applications, user access should be approved by the:
A. information security manager.
B. data owner.
C. data custodian.
D. business management.
B is correct
A data owner is in the best position to validate access rights to users due to their deep understanding of business requirements and of functional implementation within the application. This responsibility should be enforced by the policy.
An information security manager will coordinate and execute the implementation of the role-based access control.
A data custodian will ensure that proper safeguards are in place to protect the data from unauthorized access; it is not the data custodian's responsibility to assign access rights.
Business management is not, in all cases, the owner of the data.
++++++++++
Q30
Security monitoring mechanisms should PRIMARILY:
A. focus on business-critical information.
B. assist owners to manage control risks.
C. focus on detecting network intrusions.
D. record all security violations.
A is correct
Security monitoring must focus on business-critical information to remain effectively usable by and credible to business users.
Control risk is the possibility that controls would not detect an incident or error condition, and therefore is not a correct answer because monitoring would not directly assist in managing this risk.
Network intrusions are not the only focus of monitoring mechanisms;
although they should record all security violations, this is not the primary objective.
**********
# Q# Task Stmt.
01 379 3.9 Info. Security Program Dev.
02 602 5.4 Incident Mgmt./Response
03 080 1.5 Info. Security Governance
04 429 4.2 Info. Security Program Mgmt.
05 519 4.7 Info. Security Program Mgmt.
06 482 4.5 Info. Security Program Mgmt.
07 437 4.2 Info. Security Program Mgmt.
08 430 4.2 Info. Security Program Mgmt.
09 483 4.5 Info. Security Program Mgmt.
10 493 4.5 Info. Security Program Mgmt.
11 177 2.2 Information Risk Mgmt.
12 426 4.2 Info. Security Program Mgmt.
13 358 3.8 Info. Security Program Dev.
14 550 4.8 Info. Security Program Mgmt.
15 266 2.7 Information Risk Mgmt.
16 471 4.5 Info. Security Program Mgmt.
17 317 3.5 Info. Security Program Dev.
18 521 4.7 Info. Security Program Mgmt.
19 215 2.4 Information Risk Mgmt.
20 036 1.2 Info. Security Governance
21 234 2.5 Information Risk Mgmt.
22 419 4.2 Info. Security Program Mgmt.
23 159 2.2 Information Risk Mgmt.
24 189 2.2 Information Risk Mgmt.
25 301 3.5 Info. Security Program Dev.
26 042 1.2 Info. Security Governance
27 299 3.5 Info. Security Program Dev.
28 283 3.2 Info. Security Program Dev.
29 434 4.2 Info. Security Program Mgmt.
30 387 3.11 Info. Security Program Dev.
++++++++++
Q01
At what stage of the applications development process would encryption key management initially be addressed?
A. Requirements development
B. Deployment
C. Systems testing
D. Code reviews
A is correct
Encryption key management has to be integrated into the requirements of the application's design.
During systems testing and deployment would be too late since the requirements have already been agreed upon.
Code reviews are part of the final quality assurance (QA) process and would also be too late in the process.
++++++++++
Q2
Of the following, which is the MOST important aspect of forensic investigations?
A. The independence of the investigator
B. Timely intervention
C. Identifying the perpetrator
D. Chain of custody
D is correct
Establishing the chain of custody is one of the most important steps in conducting forensic investigations since it preserves the evidence in a manner that is admissible in court.
The independence of the investigator may be important, but is not the most important aspect.
Timely intervention is important for containing incidents, but not as important for forensic investigation.
Identifying the perpetrator is important, but maintaining the chain of custody is more important in order to have the perpetrator convicted in court.
++++++++++
Q3
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
A. storage capacity and shelf life.
B. regulatory and legal requirements.
C. business strategy and direction.
D. application systems and media.
D is correct
Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover.
Business strategy and direction do not generally apply, nor do legal and regulatory requirements.
Storage capacity and shelf life are important but secondary issues.
++++++++++
Q04
What is the MAIN drawback of e-mailing password-protected zip files across the Internet? They:
A. all use weak encryption.
B. are decrypted by the firewall.
C. may be quarantined by mail filters.
D. may be corrupted by the receiving mail server.
C is correct
Often, mail filters will quarantine zip files that are password-protected since the filter (or the firewall) is unable to determine if the file contains malicious code.
Many zip file products are capable of using strong encryption. Such files are not normally corrupted by the sending mail server.
++++++++++
Q05
Which item would be the BEST to include in the information security awareness training program for new general staff employees?
A. Review of various security models
B. Discussion of how to construct strong passwords
C. Review of roles that have privileged access
D. Discussion of vulnerability assessment results
B is correct
All new employees will need to understand techniques for the construction of strong passwords.
The other choices would not be applicable to general staff employees.
++++++++++
Q06
In organizations where availability is a primary concern, the MOST critical success factor of the patch management procedure would be the:
A. testing time window prior to deployment.
B. technical skills of the team responsible.
C. certification of validity for deployment.
D. automated deployment to all the servers.
A is correct
Having the patch tested prior to implementation on critical systems is an absolute prerequisite where availability is a primary concern because deploying patches that could cause a system to fail could be worse than the vulnerability corrected by the patch.
It makes no sense to deploy patches on every system. Vulnerable systems should be the only candidate for patching.
Patching skills are not required since patches are more often applied via automated tools.
++++++++++
Q07
An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:
A. ensure that security processes are consistent across the organization.
B. enforce baseline security levels across the organization.
C. ensure that security processes are fully documented.
D. implement monitoring of key performance indicators for security processes.
A is correct
The organization first needs to move from ad hoc to repeatable processes.
The organization then needs to document the processes and implement process monitoring and measurement.
Baselining security levels will not necessarily assist in process improvement since baselining focuses primarily on control improvement.
The organization needs to standardize processes both before documentation, and before monitoring and measurement.
++++++++++
Q08
A major trading partner with access to the internal network is unwilling or unable to remediate serious information security exposures within its environment. Which of the following is the BEST recommendation?
A. Sign a legal agreement assigning them all liability for any breach
B. Remove all trading partner access until the situation improves
C. Set up firewall rules restricting network traffic from that location
D. Send periodic reminders advising them of their noncompliance
C is correct
It is incumbent on an information security manager to see to the protection of their organization's network, but to do so in a manner that does not adversely affect the conduct of business. This can be accomplished by adding specific traffic restrictions for that particular location.
Removing all access will likely result in lost business.
Agreements and reminders do not protect the integrity of the network.
++++++++++
Q09
Which of the following events generally has the highest information security impact?
A. Opening a new office
B. Merging with another organization
C. Relocating the data center
D. Rewiring the network
B is correct
Merging with or acquiring another organization causes a major impact on an information security management function because new vulnerabilities and risks are inherited.
Opening a new office, moving the data center to a new site, or rewiring a network may have information security risks, but generally comply with corporate security policy and are easier to secure.
++++++++++
Q10
At what point should a risk assessment of a new process occur to determine appropriate controls? It should occur:
A. only at the beginning and at the end of the new process.
B. during the entire life cycle of the process.
C. at the appropriate point since timing of assessments will differ for processes.
D. depending upon laws and regulations.
B is correct
A risk assessment should be conducted during the entire life cycle of a new or a changed process. This allows an understanding of how implementation of an early control will affect control needs later on in a process.
++++++++++
Q11
In assessing risk, it is MOST essential to:
A. provide equal coverage for all asset types.
B. use benchmarking data from similar organizations.
C. consider both monetary value and likelihood of loss.
D. focus primarily on threats and recent business losses.
C is correct
A risk analysis should take into account the potential financial impact and likelihood of a loss.
It should not weigh all potential losses evenly, nor should it focus primarily on recent losses or losses experienced by similar firms.
Although this is important supplementary information, it does not reflect the organization's real situation.
Geography and other factors come into play as well.
++++++++++
Q12
Which of the following will BEST prevent an employee from using a USB drive to copy files from desktop computers?
A. Restrict the available drive allocation on all PCs
B. Disable universal serial bus (USB) ports on all desktop devices
C. Conduct frequent awareness training with noncompliance penalties
D. Establish strict access controls to sensitive information
A is correct
Restricting the ability of a PC to allocate new drive letters ensures that universal serial bus (USB) drives or even CD-writers cannot be attached as they would not be recognized by the operating system.
Disabling USB ports on all machines is not practical since mice and other peripherals depend on these connections.
Awareness training and sanctions do not prevent copying of information nor do access controls.
++++++++++
Q13
An intranet server should generally be placed on the:
A. internal network.
B. firewall server.
C. external router.
D. primary domain controller.
A is correct
An intranet server should be placed on the internal network.
Placing it on an external router leaves it defenseless.
Since firewalls should be installed on hardened servers with minimal services enabled, it is inappropriate to store the intranet server on the same physical device as the firewall.
Similarly, primary domain controllers do not normally share the physical device as the intranet server.
++++++++++
Q14
When developing metrics to measure and monitor information security programs, the information security manager should ensure that the metrics reflect the:
A. residual risks.
B. levels of security.
C. security objectives.
D. statistics of security incidents.
C is correct
Metrics should be developed based on security objectives, so they can measure the effectiveness and efficiency of information security controls.
Metrics are not only used to measure the results of the security controls (residual risks and levels of security), but also the attributes of the control implementation.
Not only statistics are collected, but other attributes of the information security controls should also be considered.
++++++++++
Q15
An information security manager is advised by contacts in law enforcement that there is evidence that his/her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:
A. perform a comprehensive assessment of the organization's exposure to the hacker's techniques.
B. initiate awareness training to counter social engineering.
C. immediately advise senior management of the elevated risk.
D. increase monitoring activities to provide early detection of intrusion.
C is correct
Information about possible significant new risks from credible sources should be provided to management along with advice on steps that need to be taken to counter the threat.
The security manager should assess the risk, but senior management should be immediately advised.
It may be prudent to initiate an awareness campaign subsequent to sounding the alarm if awareness training is not current.
Monitoring activities should also be increased.
++++++++++
Q16
In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software?
A. Applying patches
B. Changing access rules
C. Upgrading hardware
D. Backing up files
B is correct
The greatest risk occurs when access rules are changed since they are susceptible to being opened up too much, which can result in the creation of a security exposure.
Security software will generally have a well-controlled process for applying patches, backing up files and upgrading hardware.
++++++++++
Q17
Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?
A. Regular review of access control lists
B. Security guard escort of visitors
C. Visitor registry log at the door
D. A biometric coupled with a PIN
A is correct
A review of access control lists is a detective control that will enable an information security manager to ensure that authorized persons are entering in compliance with corporate policy.
Visitors accompanied by a guard will also provide assurance but may not be cost effective.
A visitor registry is the next cost-effective control.
A biometric coupled with a PIN will strengthen the access control; however, compliance assurance logs will still have to be reviewed.
++++++++++
Q18
Which of the following is generally considered a fundamental component of an information security program?
A. Role-based access control systems
B. Automated access provisioning
C. Security awareness training
D. Intrusion prevention systems (IPSs)
C is correct
Without security awareness training, many components of the security program may not be effectively implemented.
The other options may or may not be necessary, but are discretionary.
++++++++++
Q19
What does a network vulnerability assessment intend to identify?
A. 0-day vulnerabilities
B. Malicious software and spyware
C. Security design flaws
D. Misconfiguration and missing updates
D is correct
A network vulnerability assessment intends to identify known vulnerabilities based on common misconfigurations and missing updates.
0-day vulnerabilities by definition are not previously known and therefore are undetectable.
Malicious software and spyware are normally addressed through antivirus and antispyware policies.
Security design flaws require a deeper level of analysis.
++++++++++
Q20
Which of the following would be the MOST important goal of an information security governance program?
A. Review of internal control mechanisms
B. Effective involvement in business decision making
C. Total elimination of risk factors
D. Ensuring trust in data
D is correct
The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance.
Review of internal control mechanisms relates more to auditing, while the total elimination of risk factors is not practical or possible.
Proactive involvement in business decision making implies that security needs dictate business needs when, in fact, just the opposite is true.
Involvement in decision making is important only to ensure business data integrity so that data can be trusted.
++++++++++
Q21
A company's mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?
A. A penetration test
B. A security baseline review
C. A risk assessment
D. A business impact analysis (BIA)
C is correct
A risk assessment will identify the business impact of such vulnerability being exploited and is, thus, the correct process.
A penetration test or a security baseline review may identify the vulnerability but not the remedy.
A business impact analysis (BIA) will more likely identify the impact of the loss of the mail server.
++++++++++
Q22
Information security policies should:
A. address corporate network vulnerabilities.
B. address the process for communicating a violation.
C. be straightforward and easy to understand.
D. be customized to specific groups and roles.
C is correct
As high-level statements, information security policies should be straightforward and easy to understand.
They are high-level and, therefore, do not address network vulnerabilities directly or the process for communicating a violation.
As policies, they should provide a uniform message to all groups and user roles.
++++++++++
Q23
Which of the following results from the risk assessment process would BEST assist risk management decision making?
A. Control risk
B. Inherent risk
C. Risk exposure
D. Residual risk
D is correct
Residual risk provides management with sufficient information to decide on the level of risk that an organization is willing to accept.
Control risk is the risk that a control may not succeed in preventing an undesirable event.
Risk exposure is the likelihood of an undesirable event occurring.
Inherent risk is an important factor to be considered during the risk assessment.
++++++++++
Q24
An organization has to comply with recently published industry regulatory requirements—compliance that potentially has high implementation costs. What should the information security manager do FIRST?
A. Implement a security committee.
B. Perform a gap analysis.
C. Implement compensating controls.
D. Demand immediate compliance.
B is correct
Since they are regulatory requirements, a gap analysis would be the first step to determine the level of compliance already in place.
Implementing a security committee or compensating controls would not be the first step.
Demanding immediate compliance would not assess the situation.
++++++++++
Q25
A border router should be placed on which of the following?
A. Web server
B. IDS server
C. Screened subnet
D. Domain boundary
D is correct
A border router should be placed on a (security) domain boundary.
Placing it on a web server or screened subnet, which is a demilitarized zone (DMZ), would not provide any protection.
Border routers are positioned on the boundary of the network, but do not reside on a server.
++++++++++
Q26
Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?
A. Continuous analysis, monitoring and feedback
B. Continuous monitoring of the return on security investment (ROSI)
C. Continuous risk reduction
D. Key risk indicator (KRI) setup to security management processes
A is correct
To improve the governance framework and achieve a higher level of maturity, an organization needs to conduct continuous analysis, monitoring and feedback compared to the current state of maturity.
Return on security investment (ROSI) may show the performance result of the security-related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives. Thus, it may not be an adequate option.
Continuous risk reduction would demonstrate the effectiveness of the security governance framework, but does not indicate a higher level of maturity.
Key risk indicator (KRI) setup is a tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
++++++++++
Q27
Which of the following is the BEST method to provide a new user with their initial password for e-mail system access?
A. Interoffice a system-generated complex password with 30 days expiration
B. Give a dummy password over the telephone set for immediate expiration
C. Require no password but force the user to set their own in 10 days
D. Set initial password equal to the user ID with expiration in 30 days
B is correct
A dummy (temporary) password that will need to be changed upon first logon is the best method because it is reset immediately and replaced with the user's choice of password, which will make it easier for the user to remember. If it is given to the wrong person, the legitimate user will likely notify security if still unable to access the system, so the security risk is low.
Documenting the password on paper is not the best method even if sent through interoffice mail—if the password is complex and difficult to memorize, the user will likely keep the printed password and this creates a security concern.
Setting an account with no initial password is a security concern even if it is just for a few days.
Choice D provides the greatest security threat because user IDs are typically known by both users and security staff, thus compromising access for up to 30 days.
++++++++++
Q28
An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage crosstraining. Which type of authorization policy would BEST address this practice?
A. Multilevel
B. Role-based
C. Discretionary
D. Attribute-based
B is correct
A role-based policy will associate data access with the role performed by an individual, thus restricting access to data required to perform the individual's tasks.
Multilevel policies are based on classifications and clearances.
Discretionary policies leave access decisions up to information resource managers.
++++++++++
Q29
In business-critical applications, user access should be approved by the:
A. information security manager.
B. data owner.
C. data custodian.
D. business management.
B is correct
A data owner is in the best position to validate access rights to users due to their deep understanding of business requirements and of functional implementation within the application. This responsibility should be enforced by the policy.
An information security manager will coordinate and execute the implementation of the role-based access control.
A data custodian will ensure that proper safeguards are in place to protect the data from unauthorized access; it is not the data custodian's responsibility to assign access rights.
Business management is not, in all cases, the owner of the data.
++++++++++
Q30
Security monitoring mechanisms should PRIMARILY:
A. focus on business-critical information.
B. assist owners to manage control risks.
C. focus on detecting network intrusions.
D. record all security violations.
A is correct
Security monitoring must focus on business-critical information to remain effectively usable by and credible to business users.
Control risk is the possibility that controls would not detect an incident or error condition, and therefore is not a correct answer because monitoring would not directly assist in managing this risk.
Network intrusions are not the only focus of monitoring mechanisms;
although they should record all security violations, this is not the primary objective.
**********
# Q# Task Stmt.
01 379 3.9 Info. Security Program Dev.
02 602 5.4 Incident Mgmt./Response
03 080 1.5 Info. Security Governance
04 429 4.2 Info. Security Program Mgmt.
05 519 4.7 Info. Security Program Mgmt.
06 482 4.5 Info. Security Program Mgmt.
07 437 4.2 Info. Security Program Mgmt.
08 430 4.2 Info. Security Program Mgmt.
09 483 4.5 Info. Security Program Mgmt.
10 493 4.5 Info. Security Program Mgmt.
11 177 2.2 Information Risk Mgmt.
12 426 4.2 Info. Security Program Mgmt.
13 358 3.8 Info. Security Program Dev.
14 550 4.8 Info. Security Program Mgmt.
15 266 2.7 Information Risk Mgmt.
16 471 4.5 Info. Security Program Mgmt.
17 317 3.5 Info. Security Program Dev.
18 521 4.7 Info. Security Program Mgmt.
19 215 2.4 Information Risk Mgmt.
20 036 1.2 Info. Security Governance
21 234 2.5 Information Risk Mgmt.
22 419 4.2 Info. Security Program Mgmt.
23 159 2.2 Information Risk Mgmt.
24 189 2.2 Information Risk Mgmt.
25 301 3.5 Info. Security Program Dev.
26 042 1.2 Info. Security Governance
27 299 3.5 Info. Security Program Dev.
28 283 3.2 Info. Security Program Dev.
29 434 4.2 Info. Security Program Mgmt.
30 387 3.11 Info. Security Program Dev.
