
CISM Practice Question 2010 Session 4

ジャネス | 2010-10-27 02:02:58 | Coins 0 | Views 621

++++++++++

Q01

The BEST defense against successful phishing attacks is:

A. application hardening.
B. spam filters.
C. an intrusion detection system (IDS).
D. end user awareness.


D is correct

Phishing attacks are a form of social engineering and are best defended against by user awareness training.

Application hardening, spam filters and IDSs are inadequate since the phishing attacks usually don't have the same patterns or unique signatures.


++++++++++

Q02

An organization's board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next?

A. Direct information security on what they need to do
B. Research solutions to determine the proper solutions
C. Require management to report on compliance
D. Nothing; information security does not report to the board


C is correct

Information security governance is the responsibility of the board of directors and executive management. In this instance, the appropriate action is to ensure that a plan is in place for implementation of needed safeguards and to require updates on that implementation.


++++++++++

Q03

Which of the following would be the FIRST step in establishing an information security program?

A. Develop the security policy.
B. Develop security operating procedures.
C. Develop the security plan.
D. Conduct a security controls study.


C is correct

A security plan must be developed to implement the security strategy.

All of the other choices should follow the development of the security plan.


++++++++++

Q04

The PRIMARY reason for using metrics to evaluate information security is to:

A. identify security weaknesses.
B. justify budgetary expenditures.
C. enable steady improvement.
D. raise awareness on security issues.


C is correct

The purpose of a metric is to facilitate and track continuous improvement.

It will not permit the identification of all security weaknesses.

It will raise awareness and help in justifying certain expenditures, but this is not its main purpose.


++++++++++

Q05

Quantitative risk analysis is MOST appropriate when assessment data:

A. include customer perceptions.
B. contain percentage estimates.
C. do not contain specific details.
D. contain subjective information.


B is correct

Percentage estimates are characteristic of quantitative risk analysis.

Customer perceptions, lack of specific details or subjective information lend themselves more to qualitative risk analysis.


++++++++++

Q06

Which of the following would help to change an organization's security culture?

A. Develop procedures to enforce the information security policy
B. Obtain strong management support
C. Implement strict technical security controls
D. Periodically audit compliance with the information security policy


B is correct

Management support and pressure will help to change an organization's culture.

Procedures will support an information security policy, but cannot change the culture of the organization.

Technical controls will provide more security to an information system and staff; however, this does not mean the culture will be changed.

Auditing will help to ensure the effectiveness of the information security policy; however, auditing is not effective in changing the culture of the company.


++++++++++

Q07

Information security governance is PRIMARILY driven by:

A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.


D is correct

Governance is directly tied to the strategy and direction of the business.

Technology constraints, regulatory requirements and litigation potential are all important factors, but they are necessarily in line with the business strategy.


++++++++++

Q08

Which of the following is the MOST important item to include when developing web hosting agreements with third-party providers?

A. Termination conditions
B. Liability limits
C. Service levels
D. Privacy restrictions


C is correct

Service levels are key to holding third parties accountable for adequate delivery of services. This is more important than termination conditions, privacy restrictions or liability limitations.


++++++++++

Q09

There is reason to believe that a recently modified web application has allowed unauthorized access. Which is the BEST way to identify an application backdoor?

A. Black box pen test
B. Security audit
C. Source code review
D. Vulnerability scan


C is correct

Source code review is the best way to find and remove an application backdoor.

Application backdoors can be almost impossible to identify using a black box pen test or a security audit.

A vulnerability scan will only find "known" vulnerability patterns and will therefore not find a programmer's application backdoor.


++++++++++

Q10

When implementing security controls, an information security manager must PRIMARILY focus on:

A. minimizing operational impacts.
B. eliminating all vulnerabilities.
C. usage by similar organizations.
D. certification from a third party.


A is correct

Security controls must be compatible with business needs.

It is not feasible to eliminate all vulnerabilities.

Usage by similar organizations does not guarantee that controls are adequate.

Certification by a third party is important, but not a primary concern.


++++++++++

Q11

Which of the following is a benefit of information security governance?

A. Reduction of the potential for civil or legal liability
B. Questioning trust in vendor relationships
C. Increasing the risk of decisions based on incomplete management information
D. Direct involvement of senior management in developing control processes


A is correct

Information security governance decreases the risk of civil or legal liability.

The remaining answers are incorrect.

Option D appears to be correct, but senior management would provide oversight and approval as opposed to direct involvement in developing control processes.


++++++++++

Q12

If an organization considers taking legal action on a security incident, the information security manager should focus PRIMARILY on:

A. obtaining evidence as soon as possible.
B. preserving the integrity of the evidence.
C. disconnecting all IT equipment involved.
D. reconstructing the sequence of events.


B is correct

The integrity of evidence should be kept, following the appropriate forensic techniques to obtain the evidence and a chain of custody procedure to maintain the evidence (in order to be accepted in a court of law).

All other options are part of the investigative procedure, but they are not as important as preserving the integrity of the evidence.


++++++++++

Q13

Which of the following is the MOST important reason why information security objectives should be defined?

A. Tool for measuring effectiveness
B. General understanding of goals
C. Consistency with applicable standards
D. Management sign-off and support initiatives


A is correct

The creation of objectives can be used in part as a source of measurement of the effectiveness of information security management, which feeds into the overall governance.

General understanding of goals and consistency with applicable standards are useful, but are not the primary reasons for having clearly defined objectives.

Gaining management understanding is important, but by itself will not provide the structure for governance.


++++++++++

Q14

Which of the following technologies is utilized to ensure that an individual connecting to a corporate internal network over the Internet is not an intruder masquerading as an authorized user?

A. Intrusion detection system (IDS)
B. IP address packet filtering
C. Two-factor authentication
D. Embedded digital signature


C is correct

Two-factor authentication provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.

IP address packet filtering would protect against spoofing an internal address but would not provide strong authentication.

An intrusion detection system (IDS) can be used to detect an external attack but would not help in authenticating a user attempting to connect.

Digital signatures ensure that transmitted information can be attributed to the named sender.


++++++++++

Q15

When a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning, which of the following should automatically occur FIRST?

A. The firewall should block all inbound traffic during the outage
B. All systems should block new logins until the problem is corrected
C. Access control should fall back to nonsynchronized mode
D. System logs should record all user activity for later analysis


C is correct

The best mechanism is for the system to fall back to the original process of logging on individually to each system.

Blocking traffic and new logins would be overly restrictive to the conduct of business, while recording all user activity would add little value.


++++++++++

Q16

Which of the following is MOST important in developing a security strategy?

A. Creating a positive business security environment
B. Understanding key business objectives
C. Having a reporting line to senior management
D. Allocating sufficient resources to information security


B is correct

Alignment with business strategy is of utmost importance.

Understanding business objectives is critical in determining the security needs of the organization.


++++++++++

Q17

Who is responsible for ensuring that information is classified?

A. Senior management
B. Security manager
C. Data owner
D. Custodian


C is correct

The data owner is responsible for applying the proper classification to the data.

Senior management is ultimately responsible for the organization.

The security officer is responsible for applying security protection relative to the level of classification specified by the owner.

The technology group is delegated the custody of the data by the data owner, but the group does not classify the information.


++++++++++

Q18

Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:

A. organizational risk.
B. organizationwide metrics.
C. security needs.
D. the responsibilities of organizational units.


A is correct

Information security exists to help the organization meet its objectives. The information security manager should identify information security needs based on organizational needs. Organizational or business risk should always take precedence.

Involving each organizational unit in information security and establishing metrics to measure success will be viewed favorably by senior management after the overall organizational risk is identified.


++++++++++

Q19

Which of the following would be the GREATEST challenge when developing a standard awareness training program for a global organization?

A. Technical input requirements for IT security staff
B. Evaluating training program effectiveness
C. A diverse culture and varied technical abilities of end users
D. Availability of users either on weekends or after office hours


C is correct

A diverse culture and differences in the levels of IT knowledge and IT exposure pose the most difficulties when developing a standard training program since the learning needs of employees vary.

IT security staff will require technical input, and having a separate training program for them would not be considered a challenge.

Evaluating training program effectiveness is not a problem when developing a standard training program. In fact, the evaluation of training program effectiveness will be easier for a standard training program delivered across the organization.

Availability of users on weekends or beyond office hours has no impact on the development of a standard training program.


++++++++++

Q20

To justify its ongoing security budget, which of the following would be of MOST use to the information security department?

A. Security breach frequency
B. Annualized loss expectancy (ALE)
C. Cost-benefit analysis
D. Peer group comparison


C is correct

Cost-benefit analysis is the legitimate way to justify budget.

The frequency of security breaches may assist the argument for budget but is not the key tool; it does not address the impact.

Annualized loss expectancy (ALE) does not address the potential benefit of security investment.

Peer group comparison would provide a good estimate for the necessary security budget but it would not take into account the specific needs of the organization.


++++++++++

Q21

The reason that would MOST inhibit the effective implementation of security governance is:

A. the complexity of technology.
B. budgetary constraints.
C. conflicting business priorities.
D. high-level sponsorship.


D is correct

The need for senior management involvement and support is a key success factor for the implementation of appropriate security governance.

Complexity of technology, budgetary constraints and conflicting business priorities are realities that should be factored into the governance model of the organization, and should not be regarded as inhibitors.


++++++++++

Q22

Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?

A. User ad hoc reporting is not logged
B. Network traffic is through a single switch
C. Operating system (OS) security patches have not been applied
D. Database security defaults to ERP settings


C is correct

The fact that operating system (OS) security patches have not been applied is a serious weakness.

Routing network traffic through a single switch is not unusual.

Although the lack of logging for user ad hoc reporting is not necessarily good, it does not represent as serious a security weakness as the failure to install security patches.

Database security defaulting to the ERP system's settings is not as significant.


++++++++++

Q23

The PRIMARY consideration when defining recovery time objectives (RTOs) for information assets is:

A. regulatory requirements.
B. business requirements.
C. financial value.
D. IT resource availability.


B is correct

The criticality to business should always drive the decision.

Regulatory requirements could be more flexible than business needs.

The financial value of an asset may not correspond to its business value.

While a consideration, IT resource availability is not a primary factor.


++++++++++

Q24

Which of the following attacks is BEST mitigated by utilizing strong passwords?

A. Man-in-the-middle attack
B. Brute force attack
C. Remote buffer overflow
D. Root kit


B is correct

A brute force attack is normally successful against weak passwords, whereas strong passwords would not prevent any of the other attacks.

Man-in-the-middle attacks intercept network traffic, which could contain passwords, but the traffic itself is not naturally password-protected.

Remote buffer overflows rarely require a password to exploit a remote host.

Root kits hook into the operating system's kernel and, therefore, operate underneath any authentication mechanism.


++++++++++

Q25

Which of the following has the highest priority when defining an emergency response plan?

A. Critical data
B. Critical infrastructure
C. Safety of personnel
D. Vital records


C is correct

The safety of an organization's employees should be the most important consideration given human safety laws. Human safety is considered first in any process or management practice.

All of the other choices are secondary.


++++++++++

Q26

A root kit was used to capture detailed accounts receivable information. To ensure admissibility of evidence from a legal standpoint, once the incident was identified and the server isolated, the next step should be to:

A. document how the attack occurred.
B. notify law enforcement.
C. take an image copy of the media.
D. close the accounts receivable system.


C is correct

Taking an image copy of the media is a recommended practice to ensure legal admissibility.

All of the other choices are subsequent and may be supplementary.


++++++++++

Q27

The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to:

A. perform penetration testing.
B. establish security baselines.
C. implement vendor default settings.
D. link policies to an independent standard.


B is correct

Security baselines will provide the best assurance that each platform meets minimum criteria.

Penetration testing will not be as effective and can only be performed periodically.

Vendor default settings will not necessarily meet the criteria set by the security policies, while linking policies to an independent standard will not provide assurance that the platforms meet these levels of security.


++++++++++

Q28

To achieve effective strategic alignment of security initiatives, it is important that:

A. steering committee leadership be selected by rotation.
B. inputs be obtained and consensus achieved between the major organizational units.
C. the business strategy be updated periodically.
D. procedures and standards be approved by all departmental heads.


B is correct

It is important to achieve consensus on risks and controls, and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization.

Rotation of steering committee leadership does not help in achieving strategic alignment.

Updating business strategy does not lead to strategic alignment of security initiatives.

Procedures and standards need not be approved by all departmental heads.


++++++++++

Q29

To determine the selection of controls required to meet business objectives, an information security manager should:

A. prioritize the use of role-based access controls.
B. focus on key controls.
C. restrict controls to only critical applications.
D. focus on automated controls.


B is correct

Key controls primarily reduce risk and are most effective for the protection of information assets.

The other choices could be examples of possible key controls.


++++++++++

Q30

Which of the following is MOST closely associated with a business continuity program?

A. Confirming that detailed technical recovery plans exist
B. Periodically testing network redundancy
C. Updating the hot site equipment configuration every quarter
D. Developing recovery time objectives (RTOs) for critical functions


D is correct

Only recovery time objectives (RTOs) directly relate to business continuity.

Technical recovery plans, network redundancy and equipment needs are all associated with infrastructure disaster recovery.


**********

#  Q#  Task Stmt.  Domain
01 353 3.7 Info. Security Program Dev.
02 045 1.2 Info. Security Governance
03 282 3.2 Info. Security Program Dev.
04 532 4.8 Info. Security Program Mgmt.
05 165 2.2 Information Risk Mgmt.
06 105 1.6 Info. Security Governance
07 002 1.1 Info. Security Governance
08 384 3.10 Info. Security Program Dev.
09 491 4.5 Info. Security Program Mgmt.
10 243 2.5 Information Risk Mgmt.
11 044 1.2 Info. Security Governance
12 599 5.4 Incident Mgmt./Response
13 397 3.11 Info. Security Program Dev.
14 364 3.8 Info. Security Program Dev.
15 307 3.5 Info. Security Program Dev.
16 015 1.1 Info. Security Governance
17 149 2.1 Information Risk Mgmt.
18 098 1.6 Info. Security Governance
19 354 3.7 Info. Security Program Dev.
20 055 1.3 Info. Security Governance
21 104 1.6 Info. Security Governance
22 476 4.5 Info. Security Program Mgmt.
23 574 5.1 Incident Mgmt./Response
24 225 2.5 Information Risk Mgmt.
25 620 5.6 Incident Mgmt./Response
26 596 5.4 Incident Mgmt./Response
27 415 4.2 Info. Security Program Mgmt.
28 018 1.1 Info. Security Governance
29 240 2.5 Information Risk Mgmt.
30 632 5.8 Incident Mgmt./Response
