CISM Practice Question 2010 Session 7

ジャネス | 2010-11-22 08:21:12

**********

Session 1

++++++++++

Q01

Which of the following is MOST essential for a risk management program to be effective?

A. Flexible security budget
B. Sound risk baseline
C. New risks detection
D. Accurate risk reporting


C is correct

All of these procedures are essential for implementing risk management. However, without identifying new risks, other procedures will only be useful for a limited period.


++++++++++

Q02

Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?

A. Manager
B. Custodian
C. User
D. Owner


D is correct

Although the information owner may be in a management position and is also considered a user, the information owner role has the responsibility for determining information classification levels.

Management is responsible for higher-level issues such as providing and approving budget, supporting activities, etc.

The information custodian is responsible for day-to-day security tasks such as protecting information, backing up information, etc.

Users are the lowest level. They use the data, but do not classify the data. The owner classifies the data.


++++++++++

Q03

An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:

A. conflicting security controls with organizational needs.
B. strong protection of information resources.
C. implementing appropriate controls to reduce risk.
D. proving information security's protective abilities.


A is correct

The needs of the organization were not taken into account, so there is a conflict.

This example is not strong protection; it is a poorly configured control.

The control, as it is being used here, is not an appropriate control to reduce risk.

This does not prove the ability to protect, but proves the ability to interfere with business.


++++++++++

Q04

What is the MOST important reason for conducting security awareness programs throughout an organization?

A. Reducing the human risk
B. Maintaining evidence of training records to ensure compliance
C. Informing business units about the security strategy
D. Training personnel in security incident response


A is correct

People are the weakest link in security implementation, and awareness would reduce this risk.

Through security awareness and training programs, individual employees can be informed and sensitized on various security policies and other security topics, thus ensuring compliance from each individual.

Laws and regulations also aim to reduce human risk.

Informing business units about the security strategy is best done through steering committee meetings or other forums.


++++++++++

Q05

Based on the information provided, which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations?

A. Systems operation procedures are not enforced
B. Change management procedures are poor
C. Systems development is outsourced
D. Systems capacity management is not performed


B is correct

The lack of change management is a severe omission and will greatly increase information security risk.

Since procedures are generally nonauthoritative, their lack of enforcement is not a primary concern.

Systems that are developed by third-party vendors are becoming commonplace and do not represent an increase in security risk as much as poor change management.

Poor capacity management may not necessarily represent a security risk.


++++++++++

Q06

A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration?

A. User
B. Network
C. Operations
D. Database


A is correct

Since the users are the owners of the system, user management signoff is the most important. If a system does not meet the needs of the business, then it has not met its primary objective.

The needs of network, operations and database management are secondary to the needs of the business.


++++++++++

Q07

The BEST way to justify the implementation of a single sign-on (SSO) product is to use:

A. return on investment (ROI).
B. a vulnerability assessment.
C. annual loss expectancy (ALE).
D. a business case.


D is correct

A business case shows both direct and indirect benefits, along with the investment required and the expected returns, thus making it useful to present to senior management.

Return on investment (ROI) would only provide the costs needed to preclude specific risks, and would not provide other indirect benefits such as process improvement and learning.

A vulnerability assessment is more technical in nature and would only identify and assess the vulnerabilities. This would also not provide insights on indirect benefits.

Annual loss expectancy (ALE) would not weigh the advantages of implementing single sign-on (SSO) in comparison to the cost of implementation.


++++++++++

Q08

Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level?

A. Implement countermeasures.
B. Eliminate the risk.
C. Transfer the risk.
D. Accept the risk.


C is correct

Risks are typically transferred to insurance companies when the probability of an incident is low but the impact is high. Examples include hurricanes, tornados and earthquakes. It would be more cost effective to pay recurring insurance costs than to be affected by a disaster from which the organization cannot financially recover.

Implementing countermeasures may not be the most cost-effective approach to security management.

Eliminating the risk may not be possible.

Accepting the risk would leave the organization vulnerable to a catastrophic disaster which may cripple or ruin the organization.


++++++++++

Q09

What is the MOST important factor in the successful implementation of an enterprisewide information security program?

A. Realistic budget estimates
B. Security awareness
C. Support of senior management
D. Recalculation of the work factor


C is correct

Without the support of senior management, an information security program has little chance of survival. A company's leadership group, more than any other group, is the one that can most successfully drive the program. Their authoritative position in the company is a key factor.

Budget approval, resource commitments, and companywide participation also require the buy-in from senior management. Senior management is responsible for providing an adequate budget and the necessary resources.

Security awareness is important, but not the most important factor.

Recalculation of the work factor is a part of risk management.


++++++++++

Q10

Documented standards/procedures for the use of cryptography across the enterprise should PRIMARILY:

A. define the circumstances where cryptography should be used.
B. define cryptographic algorithms and key lengths.
C. describe handling procedures of cryptographic keys.
D. establish the use of cryptographic solutions.


A is correct

There should be documented standards/procedures for the use of cryptography across the enterprise; they should define the circumstances where cryptography should be used.

They should cover the selection of cryptographic algorithms and key lengths, but not define them precisely.

They should address the handling of cryptographic keys. However, this is secondary to how and when cryptography should be used.

The use of cryptographic solutions should be addressed but, again, this is a secondary consideration.


++++++++++

Q11

Successful social engineering attacks can BEST be prevented through:

A. preemployment screening.
B. close monitoring of users' access patterns.
C. periodic awareness training.
D. efficient termination procedures.


C is correct

Security awareness training is most effective in preventing the success of social engineering attacks by providing users with the awareness they need to resist such attacks.

Screening of new employees, monitoring and rapid termination will not be effective against external attacks.


++++++++++

Q12

What is the BEST defense against a Structured Query Language (SQL) injection attack?

A. Regularly updated signature files
B. A properly configured firewall
C. An intrusion detection system
D. Strict controls on input fields


D is correct

Structured Query Language (SQL) injection involves the typing of programming command statements within a data entry field on a web page, usually with the intent of fooling the application into thinking that a valid password has been entered in the password entry field. The best defense against such an attack is to have strict edits on what can be typed into a data input field so that programming commands will be rejected. Code reviews should also be conducted to ensure that such edits are in place and that there are no inherent weaknesses in the way the code is written; software is available to test for such weaknesses.

All other choices would fail to prevent such an attack.


++++++++++

Q13

The FIRST priority when responding to a major security incident is:

A. documentation.
B. monitoring.
C. restoration.
D. containment.


D is correct

The first priority in responding to a security incident is to contain it to limit the impact.

Documentation, monitoring and restoration are all important, but they should follow containment.


++++++++++

Q14

Who can BEST advocate the development of and ensure the success of an information security program?

A. Internal auditor
B. Chief operating officer (COO)
C. Steering committee
D. IT management


C is correct

Senior management represented in the security steering committee is in the best position to advocate the establishment of and continued support for an information security program.

The chief operating officer (COO) will be a member of that committee.

An internal auditor is a good advocate but is secondary to the influence of senior management.

IT management has a lesser degree of influence and would also be part of the steering committee.


++++++++++

Q15

It is important to develop an information security baseline because it helps to define:

A. critical information resources needing protection.
B. a security policy for the entire organization.
C. the minimum acceptable security to be implemented.
D. required physical and logical access controls.


C is correct

Developing an information security baseline helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels.

Before determining the security baseline, an information security manager must establish the security policy, identify the criticality levels of the organization's information resources and assess the risk environment in which those resources operate.


++++++++++

Q16

Senior management commitment and support for information security can BEST be obtained through presentations that:

A. use illustrative examples of successful attacks.
B. explain the technical risks to the organization.
C. evaluate the organization against best security practices.
D. tie security risks to key business objectives.


D is correct

Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives.

Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the impact on business environment and objectives.

Industry best practices are important to senior management, but again, senior management will give them the right level of importance when they are presented in terms of key business objectives.


++++++++++

Q17

Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network?

A. Boundary router
B. Strong encryption
C. Internet-facing firewall
D. Intrusion detection system (IDS)


B is correct

Strong encryption is the most effective means of protecting wireless networks.

Boundary routers, intrusion detection systems (IDSs) and Internet-facing firewalls would not be as effective.


++++++++++

Q18

Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation?

A. Symmetric cryptography
B. Public key infrastructure (PKI)
C. Message hashing
D. Message authentication code


B is correct

Public key infrastructure (PKI) combines public key encryption with a trusted third party to publish and revoke digital certificates that contain the public key of the sender. Senders can digitally sign a message with their private key and attach their digital certificate (provided by the trusted third party). These characteristics allow senders to provide authentication, integrity validation and nonrepudiation.

Symmetric cryptography provides confidentiality.

Hashing can provide integrity and confidentiality.

Message authentication codes provide integrity.


++++++++++

Q19

The chief information security officer (CISO) should ideally have a direct reporting relationship to the:

A. head of internal audit.
B. chief operations officer (COO).
C. chief technology officer (CTO).
D. legal counsel.


B is correct

The chief information security officer (CISO) should ideally report to as high a level within the organization as possible. Among the choices given, the chief operations officer (COO) would have not only the appropriate level but also the knowledge of day-to-day operations.

The head of internal audit and legal counsel would make good secondary choices, although they would not be as knowledgeable of the operations.

Reporting to the chief technology officer (CTO) could become problematic as the CTO's goals for the infrastructure might, at times, run counter to the goals of information security.


++++++++++

Q20

Security audit reviews should PRIMARILY:

A. ensure that controls operate as required.
B. ensure that controls are cost-effective.
C. focus on preventive controls.
D. ensure controls are technologically current.


A is correct

The primary objective of a security review or audit should be to provide assurance on the adequacy of security controls.

Reviews should focus on all forms of control, not just on preventive control.

Cost-effectiveness and technological currency are important but not as critical.


++++++++++

Q21

When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify:

A. the information security steering committee.
B. customers who may be impacted.
C. data owners who may be impacted.
D. regulatory agencies overseeing privacy.


C is correct

The data owners should be notified first so they can take steps to determine the extent of the damage and coordinate a plan for corrective action with the computer incident response team.

Other parties will be notified later as required by corporate policy and regulatory requirements.


++++++++++

Q22

Information security managers should use risk assessment techniques to:

A. justify selection of risk mitigation strategies.
B. maximize the return on investment (ROI).
C. provide documentation for auditors and regulators.
D. quantify risks that would otherwise be subjective.


A is correct

Information security managers should use risk assessment techniques to justify and implement a risk mitigation strategy as efficiently as possible.

None of the other choices accomplishes that task, although they are important components.


++++++++++

Q23

When electronically stored information is requested during a fraud investigation, which of the following should be the FIRST priority?

A. Assigning responsibility for acquiring the data
B. Locating the data and preserving the integrity of the data
C. Creating a forensically sound image
D. Issuing a litigation hold to all affected parties


B is correct

Locating the data and preserving data integrity is the only correct answer because it represents the primary responsibility of an investigator and is a complete and accurate statement of the first priority.

While assigning responsibility for acquiring the data is a step that should be taken, it is not the first step or the highest priority.

Creating a forensically sound image may or may not be a necessary step, depending on the type of investigation, but it would never be the first priority.

Issuing a litigation hold to all affected parties might be a necessary step early on in an investigation of certain types, but not the first priority.


++++++++++

Q24

Which of the following is an advantage of a centralized information security organizational structure?

A. It is easier to promote security awareness.
B. It is easier to manage and control.
C. It is more responsive to business unit needs.
D. It provides a faster turnaround for security requests.


B is correct

It is easier to manage and control a centralized structure.

Promoting security awareness is an advantage of decentralization. Decentralization allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message.

Decentralized operations allow security administrators to be more responsive.

Being close to the business allows decentralized security administrators to achieve a faster turnaround than that achieved in a centralized operation.


++++++++++

Q25

An organization has implemented an enterprise resource planning (ERP) system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate?

A. Rule-based
B. Mandatory
C. Discretionary
D. Role-based


D is correct

Role-based access control is effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.

Rule-based access control needs to define the access rules, which is troublesome and error prone in large organizations.

In mandatory access control, the individual's access to information resources needs to be defined, which is troublesome in large organizations.

In discretionary access control, users have access to resources based on predefined sets of principles, which is an inherently insecure approach.


++++++++++

Q26

Which of the following is the BEST approach for improving information security management processes?

A. Conduct periodic security audits.
B. Perform periodic penetration testing.
C. Define and monitor security metrics.
D. Survey business units for feedback.


C is correct

Defining and monitoring security metrics is a good approach to analyze the performance of the security management process since it determines the baseline and evaluates the performance against the baseline to identify an opportunity for improvement. This is a systematic and structured approach to process improvement.

Audits will identify deficiencies in established controls; however, they are not effective in evaluating the overall performance for improvement.

Penetration testing will only uncover technical vulnerabilities, and cannot provide a holistic picture of information security management.

Feedback is subjective and not necessarily reflective of true performance.


++++++++++

Q27

The BEST strategy for risk management is to:

A. achieve a balance between risk and organizational goals.
B. reduce risk to an acceptable level.
C. ensure that policy development properly considers organizational risks.
D. ensure that all unmitigated risks are accepted by management.


B is correct

The best strategy for risk management is to reduce risk to an acceptable level, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk.

Achieving balance between risk and organizational goals is not always practical.

Policy development must consider organizational risks as well as business objectives.

It may be prudent to ensure that management understands and accepts risks that it is not willing to mitigate, but that is a practice and is not sufficient to be considered a strategy.


++++++++++

Q28

An information security program should be sponsored by:

A. infrastructure management.
B. the corporate audit department.
C. key business process owners.
D. information security management.


C is correct

The information security program should ideally be sponsored by business managers, as represented by key business process owners.

Infrastructure management is not sufficiently independent and lacks the necessary knowledge regarding specific business requirements.

A corporate audit department is not in as good a position to fully understand how an information security program needs to meet the needs of the business. Audit independence and objectivity will be lost, impeding traditional audit functions.

Information security implements and executes the program. Although it should promote it at all levels, it cannot sponsor the effort due to insufficient operational knowledge and lack of proper authority.


++++++++++

Q29

The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:

A. escalate issues to an external third party for resolution.
B. ensure that senior management provides authority for security to address the issues.
C. insist that managers or units not in agreement with the security solution accept the risk.
D. refer the issues to senior management along with any security recommendations.


D is correct

Senior management is in the best position to arbitrate since they will look at the overall needs of the business in reaching a decision. The authority may be delegated to others by senior management after their review of the issues and security recommendations.

Units should not be asked to accept the risk without first receiving input from senior management.


++++++++++

Q30

Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?

A. Information security manager
B. Chief operating officer (COO)
C. Internal auditor
D. Legal counsel


B is correct

The chief operating officer (COO) is highly placed within an organization and has the most knowledge of business operations and objectives.

The chief internal auditor and chief legal counsel are appropriate members of such a steering group. However, sponsoring the creation of the steering committee should be initiated by someone versed in the strategy and direction of the business.

Since a security manager is looking to this group for direction, they are not in the best position to oversee formation of this group.


**********

#   Q#   Task Stmt.  Domain
01  183  2.2         Information Risk Mgmt.
02  153  2.1         Information Risk Mgmt.
03  030  1.1         Info. Security Governance
04  351  3.7         Info. Security Program Dev.
05  167  2.2         Information Risk Mgmt.
06  469  4.5         Info. Security Program Mgmt.
07  061  1.3         Info. Security Governance
08  198  2.2         Information Risk Mgmt.
09  108  1.6         Info. Security Governance
10  405  4.1         Info. Security Program Mgmt.
11  505  4.7         Info. Security Program Mgmt.
12  303  3.5         Info. Security Program Dev.
13  588  5.4         Incident Mgmt./Response
14  267  3.1         Info. Security Program Dev.
15  368  3.8         Info. Security Program Dev.
16  094  1.6         Info. Security Governance
17  367  3.8         Info. Security Program Dev.
18  316  3.5         Info. Security Program Dev.
19  134  1.8         Info. Security Governance
20  528  4.8         Info. Security Program Mgmt.
21  578  5.2         Incident Mgmt./Response
22  176  2.2         Information Risk Mgmt.
23  644  5.9         Incident Mgmt./Response
24  129  1.7         Info. Security Governance
25  546  4.8         Info. Security Program Mgmt.
26  549  4.8         Info. Security Program Mgmt.
27  237  2.5         Information Risk Mgmt.
28  271  3.1         Info. Security Program Dev.
29  127  1.7         Info. Security Governance
30  097  1.6         Info. Security Governance
