CISM Practice Question 2010 Session 8
++++++++++
Q01
Security awareness training is MOST likely to lead to which of the following?
A. Decrease in intrusion incidents
B. Increase in reported incidents
C. Decrease in security policy changes
D. Increase in access rule violations
B is correct
Reported incidents will provide an indicator as to the awareness level of staff. An increase in reported incidents could indicate that staff is paying more attention to security.
Intrusion incidents and access rule violations may or may not have anything to do with awareness levels.
A decrease in changes to security policies may or may not correlate to security awareness training.
++++++++++
Q2
Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system (IDS) with the threshold set to a low value?
A. The number of false positives increases
B. The number of false negatives increases
C. Active probing is missed
D. Attack profiles are ignored
A is correct
Failure to tune an intrusion detection system (IDS) will result in many false positives, especially when the threshold is set to a low value.
The other options are less likely given the fact that the threshold for sounding an alarm is set to a low value.
++++++++++
Q3
Minimum standards for securing the technical infrastructure should be defined in a security:
A. strategy.
B. guidelines.
C. model.
D. architecture.
D is correct
Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place.
A strategy is a broad, high-level document.
A guideline is advisory in nature
A security model shows the relationships between components.
++++++++++
Q04
Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to:
A. assess the problems and institute rollback procedures, if needed.
B. disconnect the systems from the network until the problems are corrected.
C. immediately uninstall the patches from these systems.
D. immediately contact the vendor regarding the problems that occurred.
A is correct
Assessing the problems and instituting rollback procedures as needed would be the best course of action.
Choices B and C would not identify where the problem was, and may in fact make the problem worse.
Choice D is part of the assessment.
++++++++++
Q05
The MOST important objective of a postincident review is to:
A. capture lessons learned to improve the process.
B. develop a process for continuous improvement.
C. develop a business case for the security program budget.
D. identify new incident management tools.
A is correct
The main purpose of a postincident review is to identify areas of improvement in the process.
Developing a process for continuous improvement is not true in every case.
Developing a business case for the security program budget and identifying new incident management tools may come from the analysis of the incident, but are not the key objectives.
++++++++++
Q06
What will have the HIGHEST impact on standard information security governance models?
A. Number of employees
B. Distance between physical locations
C. Complexity of organizational structure
D. Organizational budget
C is correct
Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, leadership and lines of communication.
Number of employees and distance between physical locations have less impact on information security governance models since well-defined process, technology and people components intermingle to provide the proper governance.
Organizational budget is not a major impact once good governance models are in place, hence governance will help in effective management of the organization's budget.
++++++++++
Q07
Recovery point objectives (RPOs) can be used to determine which of the following?
A. Maximum tolerable period of data loss
B. Maximum tolerable downtime
C. Baseline for operational resiliency
D. Time to restore backups
A is correct
The RPO is determined based on the acceptable data loss in the case of disruption of operations. It indicates the farthest point in time prior to the incident to which it is acceptable to recover the data. RPO effectively quantifies the permissible amount of data loss in the case of interruption. It also dictates the frequency of backups required for a given data set since the smaller the allowable gap in data, the more frequent that backups must occur.
++++++++++
Q08
Which of the following roles would represent a conflict of interest for an information security manager?
A. Evaluation of third parties requesting connectivity
B. Assessment of the adequacy of disaster recovery plans
C. Final approval of information security policies
D. Monitoring adherence to physical security controls
C is correct
Since management is ultimately responsible for information security, it should approve information security policy statements; the information security manager should not have final approval.
Evaluation of third parties requesting access, assessment of disaster recovery plans and monitoring of compliance with physical security controls are acceptable practices and do not present any conflicts of interest.
++++++++++
Q09
The criticality and sensitivity of information assets is determined on the basis of:
A. threat assessment.
B. vulnerability assessment.
C. resource dependency assessment.
D. impact assessment.
D is correct
The criticality and sensitivity of information assets depends on the impact of the probability of the threats exploiting vulnerabilities in the asset, and takes into consideration the value of the assets and the impairment of the value.
Threat assessment lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Vulnerability assessment lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Resource dependency assessment provides process needs but not impact.
++++++++++
Q10
Which of the following is the MOST important prerequisite for establishing information security management within an organization?
A. Senior management commitment
B. Information security framework
C. Information security organizational structure
D. Information security policy
A is correct
Senior management commitment is necessary in order for each of the other elements to succeed.
Without senior management commitment, the other elements will likely be ignored within the organization.
++++++++++
Q11
In which of the following system development life cycle (SDLC) phases are access control and encryption algorithms chosen?
A. Procedural design
B. Architectural design
C. System design specifications
D. Software development
C is correct
The system design specifications phase is when security specifications are identified.
The procedural design converts structural components into a procedural description of the software.
The architectural design is the phase that identifies the overall system design, but not the specifics.
Software development is too late a stage since this is the phase when the system is already being coded.
++++++++++
Q12
The information classification scheme should:
A. consider possible impact of a security breach.
B. classify personal information in electronic form.
C. be performed by the information security manager.
D. classify systems according to the data processed.
A is correct
Data classification is determined by the business risk, i.e., the potential impact on the business of the loss, corruption or disclosure of information. It must be applied to information in all forms, both electronic and physical (paper), and should be applied by the data owner, not the security manager.
Choice B is an incomplete answer because it addresses only privacy issues, while choice A is a more complete response.
Systems are not classified per se, but the data they process and store should definitely be classified.
++++++++++
Q13
Which of the following is MOST likely to be discretionary?
A. Policies
B. Procedures
C. Guidelines
D. Standards
C is correct
Policies define security goals and expectations for an organization.
These are defined in more specific terms within standards and procedures.
Standards establish what is to be done while procedures describe how it is to be done.
Guidelines provide recommendations that business management must consider in developing practices within their areas of control; as such, they are discretionary.
++++++++++
Q14
Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register?
A. Authentication
B. Hardening
C. Encryption
D. Nonrepudiation
C is correct
Cardholder data should be encrypted using strong encryption techniques.
Hardening would be secondary in importance, while nonrepudiation would not be as relevant.
Authentication of the point-of-sale (POS) terminal is a previous step to acquiring the card information.
++++++++++
Q15
Access control to a sensitive intranet application by mobile users can BEST be implemented through:
A. data encryption.
B. digital signatures.
C. strong passwords.
D. two-factor authentication.
D is correct
Two-factor authentication through the use of strong passwords combined with security tokens provides the highest level of security.
Data encryption, digital signatures and strong passwords do not provide the same level of protection.
++++++++++
Q16
Good information security standards should:
A. define precise and unambiguous allowable limits.
B. describe the process for communicating violations.
C. address high-level objectives of the organization.
D. be updated frequently as new software is released.
A is correct
A security standard should clearly state what is allowable; it should not change frequently.
The process for communicating violations would be addressed by a security procedure, not a standard.
High-level objectives of an organization would normally be addressed in a security policy.
++++++++++
Q17
Which of the following mechanisms is the MOST secure way to implement a secure wireless network?
A. Filter media access control (MAC) addresses
B. Use a Wi-Fi Protected Access (WPA2) protocol
C. Use a Wired Equivalent Privacy (WEP) key
D. Web-based authentication
B is correct
WPA2 is currently one of the most secure authentication and encryption protocols for mainstream wireless products.
MAC address filtering by itself is not a good security mechanism since allowed MAC addresses can be easily sniffed and then spoofed to get into the network.
WEP is no longer a secure encryption mechanism for wireless communications. The WEP key can be easily broken within minutes using widely available software. And once the WEP key is obtained, all communications of every other wireless client are exposed.
Finally, a web-based authentication mechanism can be used to prevent unauthorized user access to a network, but it will not solve the wireless network's main security issues, such as preventing network sniffing.
++++++++++
Q18
Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)?
A. Card-key door locks
B. Photo identification
C. Biometric scanners
D. Awareness training
D is correct
Awareness training would most likely result in any attempted tailgating being challenged by the authorized employee.
The other choices are physical controls which by themselves would not be effective against tailgating.
++++++++++
Q19
Which of the following devices should be placed within a DMZ?
A. Router
B. Firewall
C. Mail relay
D. Authentication server
C is correct
A mail relay should normally be placed within a demilitarized zone (DMZ) to shield the internal network.
An authentication server, due to its sensitivity, should always be placed on the internal network, never on a DMZ that is subject to compromise.
Both routers and firewalls may bridge a DMZ to another network, but do not technically reside within the DMZ network segment.
++++++++++
Q20
Which of the following is the MOST important to keep in mind when assessing the value of information?
A. The potential financial loss
B. The cost of recreating the information
C. The cost of insurance coverage
D. Regulatory requirement
A is correct
The potential for financial loss is always a key factor when assessing the value of information.
Choices B, C and D may be contributors, but not the key factor.
++++++++++
Q21
To ensure that all information security procedures are functional and accurate, they should be designed with the involvement of:
A. end users.
B. legal counsel.
C. operational units.
D. audit management.
C is correct
Procedures at the operational level must be developed by or with the involvement of operational units that will use them. This will ensure that they are functional and accurate.
End users and legal counsel are normally not involved in procedure development.
Audit management generally oversees information security operations but does not get involved at the procedural level.
++++++++++
Q22
What is the BEST method to confirm that all firewall rules and router configuration settings are adequate?
A. Periodic review of network configuration
B. Review intrusion detection system (IDS) logs for evidence of attacks
C. Periodically perform penetration tests
D. Daily review of server logs for evidence of hacker activity
C is correct
The best approach for confirming the adequacy of these configuration settings is to periodically perform attack and penetration tests.
Due to the complexity of firewall rules and router tables, plus the sheer size of intrusion detection system (IDSs) and server logs, a physical review will be insufficient.
++++++++++
Q23
Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected?
A. Applying patches
B. Changing access rules
C. Upgrading hardware
D. Backing up files
D is correct
If malicious code is not immediately detected, it will most likely be backed up as a part of the normal tape backup process. When later discovered, the code may be eradicated from the device but still remain undetected on a backup tape. Any subsequent restores using that tape may reintroduce the malicious code.
Applying patches, changing access rules and upgrading hardware does not significantly increase the level of difficulty.
++++++++++
Q24
Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack?
A. Utilize an intrusion detection system.
B. Establish minimum security baselines.
C. Implement vendor recommended settings.
D. Perform periodic penetration testing.
D is correct
Penetration testing is the best way to assure that perimeter security is adequate.
An intrusion detection system (IDS) may detect an attempted attack, but it will not confirm whether the perimeter is secure.
Minimum security baselines and applying vendor recommended settings are beneficial, but they will not provide the level of assurance that is provided by penetration testing.
++++++++++
Q25
During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?
A. Feasibility
B. Design
C. Development
D. Testing
A is correct
Risk should be addressed as early in the development of a new application system as possible. In some cases, identified risks could be mitigated through design changes.
If needed changes are not identified until design has already commenced, such changes become more expensive.
For this reason, beginning risk assessment during the design, development or testing phases is not the best solution.
++++++++++
Q26
The value of information assets is BEST determined by:
A. individual business managers.
B. business systems analysts.
C. information security management.
D. industry averages benchmarking.
A is correct
Individual business managers are in the best position to determine the value of information assets since they are most knowledgeable of the assets' impact on the business.
Business systems developers and information security managers are not as knowledgeable regarding the impact on the business.
Peer companies' industry averages do not necessarily provide detailed enough information nor are they as relevant to the unique aspects of the business.
++++++++++
Q27
An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download nonsensitive production data for software testing purposes. The information security manager should recommend which of the following?
A. Restrict account access to read-only
B. Log all usage of this account
C. Suspend the account and activate only when needed
D. Require that a change request be submitted for each download
A is correct
Administrative accounts have permission to change data. This is not required for the developers to perform their tasks. Unauthorized change will damage the integrity of the data. Restricting the account to read-only access will ensure that file integrity can be maintained while permitting access.
Logging all usage of the account, suspending the account and activating only when needed, and requiring that a change request be submitted for each download will not reduce the exposure created by this excessive level of access.
++++++++++
Q28
Which of the following presents the GREATEST exposure to internal attack on a network?
A. User passwords are not automatically expired
B. All network traffic goes through a single switch
C. User passwords are encoded but not encrypted
D. All users reside on a single internal subnet
C is correct
When passwords are sent over the internal network in an encoded format, they can easily be converted to cleartext. All passwords should be encrypted to provide adequate security.
Not automatically expiring user passwords does create an exposure, but not as great as having unencrypted passwords.
Using a single switch or subnet does not present a significant exposure.
++++++++++
Q29
On a company's e-commerce web site, a good legal statement regarding data privacy should include:
A. a statement regarding what the company will do with the information it collects.
B. a disclaimer regarding the accuracy of information on its web site.
C. technical information regarding how information is protected.
D. a statement regarding where the information is being hosted.
A is correct
Most privacy laws and regulations require disclosure on how information will be used.
A disclaimer is not necessary since it does not refer to data privacy.
Technical details regarding how information is protected are not mandatory to publish on the web site and in fact would not be desirable.
It is not mandatory to say where information is being hosted.
++++++++++
Q30
Which of the following would BEST ensure the success of information security governance within an organization?
A. Steering committees approve security projects
B. Security policy training provided to all managers
C. Security training and awareness available to all employees on the company intranet
D.Steering committees enforce compliance with laws and regulations
A is correct
The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program.
Compliance with laws and regulations is part of the responsibility of the steering committee but it is not a full answer.
Awareness training is important at all levels in any medium, and also an indicator of good governance.
However, it must be guided and approved as a security project by the steering committee.
**********
# Q# Task Stmt.
01 347 3.7 Info. Security Program Dev.
02 535 4.8 Info. Security Program Mgmt.
03 318 3.5 Info. Security Program Dev.
04 488 4.5 Info. Security Program Mgmt.
05 642 5.9 Incident Mgmt./Response
06 088 1.5 Info. Security Governance
07 622 5.6 Incident Mgmt./Response
08 110 1.7 Info. Security Governance
09 236 2.5 Information Risk Mgmt.
10 281 3.2 Info. Security Program Dev.
11 467 4.4 Info. Security Program Mgmt.
12 287 3.4 Info. Security Program Dev.
13 005 1.1 Info. Security Governance
14 305 3.5 Info. Security Program Dev.
15 359 3.8 Info. Security Program Dev.
16 428 4.2 Info. Security Program Mgmt.
17 333 3.5 Info. Security Program Dev.
18 517 4.7 Info. Security Program Mgmt.
19 295 3.5 Info. Security Program Dev.
20 053 1.3 Info. Security Governance
21 435 4.2 Info. Security Program Mgmt.
22 533 4.8 Info. Security Program Mgmt.
23 477 4.5 Info. Security Program Mgmt.
24 530 4.8 Info. Security Program Mgmt.
25 250 2.6 Information Risk Mgmt.
26 201 2.3 Information Risk Mgmt.
27 441 4.2 Info. Security Program Mgmt.
28 422 4.2 Info. Security Program Mgmt.
29 073 1.4 Info. Security Governance
30 095 1.6 Info. Security Governance
++++++++++
Q01
Security awareness training is MOST likely to lead to which of the following?
A. Decrease in intrusion incidents
B. Increase in reported incidents
C. Decrease in security policy changes
D. Increase in access rule violations
B is correct
Reported incidents will provide an indicator as to the awareness level of staff. An increase in reported incidents could indicate that staff is paying more attention to security.
Intrusion incidents and access rule violations may or may not have anything to do with awareness levels.
A decrease in changes to security policies may or may not correlate to security awareness training.
++++++++++
Q2
Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system (IDS) with the threshold set to a low value?
A. The number of false positives increases
B. The number of false negatives increases
C. Active probing is missed
D. Attack profiles are ignored
A is correct
Failure to tune an intrusion detection system (IDS) will result in many false positives, especially when the threshold is set to a low value.
The other options are less likely given the fact that the threshold for sounding an alarm is set to a low value.
++++++++++
Q3
Minimum standards for securing the technical infrastructure should be defined in a security:
A. strategy.
B. guidelines.
C. model.
D. architecture.
D is correct
Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place.
A strategy is a broad, high-level document.
A guideline is advisory in nature
A security model shows the relationships between components.
++++++++++
Q04
Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to:
A. assess the problems and institute rollback procedures, if needed.
B. disconnect the systems from the network until the problems are corrected.
C. immediately uninstall the patches from these systems.
D. immediately contact the vendor regarding the problems that occurred.
A is correct
Assessing the problems and instituting rollback procedures as needed would be the best course of action.
Choices B and C would not identify where the problem was, and may in fact make the problem worse.
Choice D is part of the assessment.
++++++++++
Q05
The MOST important objective of a postincident review is to:
A. capture lessons learned to improve the process.
B. develop a process for continuous improvement.
C. develop a business case for the security program budget.
D. identify new incident management tools.
A is correct
The main purpose of a postincident review is to identify areas of improvement in the process.
Developing a process for continuous improvement is not true in every case.
Developing a business case for the security program budget and identifying new incident management tools may come from the analysis of the incident, but are not the key objectives.
++++++++++
Q06
What will have the HIGHEST impact on standard information security governance models?
A. Number of employees
B. Distance between physical locations
C. Complexity of organizational structure
D. Organizational budget
C is correct
Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, leadership and lines of communication.
Number of employees and distance between physical locations have less impact on information security governance models since well-defined process, technology and people components intermingle to provide the proper governance.
Organizational budget is not a major impact once good governance models are in place, hence governance will help in effective management of the organization's budget.
++++++++++
Q07
Recovery point objectives (RPOs) can be used to determine which of the following?
A. Maximum tolerable period of data loss
B. Maximum tolerable downtime
C. Baseline for operational resiliency
D. Time to restore backups
A is correct
The RPO is determined based on the acceptable data loss in the case of disruption of operations. It indicates the farthest point in time prior to the incident to which it is acceptable to recover the data. RPO effectively quantifies the permissible amount of data loss in the case of interruption. It also dictates the frequency of backups required for a given data set since the smaller the allowable gap in data, the more frequent that backups must occur.
++++++++++
Q08
Which of the following roles would represent a conflict of interest for an information security manager?
A. Evaluation of third parties requesting connectivity
B. Assessment of the adequacy of disaster recovery plans
C. Final approval of information security policies
D. Monitoring adherence to physical security controls
C is correct
Since management is ultimately responsible for information security, it should approve information security policy statements; the information security manager should not have final approval.
Evaluation of third parties requesting access, assessment of disaster recovery plans and monitoring of compliance with physical security controls are acceptable practices and do not present any conflicts of interest.
++++++++++
Q09
The criticality and sensitivity of information assets is determined on the basis of:
A. threat assessment.
B. vulnerability assessment.
C. resource dependency assessment.
D. impact assessment.
D is correct
The criticality and sensitivity of information assets depends on the impact of the probability of the threats exploiting vulnerabilities in the asset, and takes into consideration the value of the assets and the impairment of the value.
Threat assessment lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value.
Vulnerability assessment lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value.
Resource dependency assessment provides process needs but not impact.
++++++++++
Q10
Which of the following is the MOST important prerequisite for establishing information security management within an organization?
A. Senior management commitment
B. Information security framework
C. Information security organizational structure
D. Information security policy
A is correct
Senior management commitment is necessary in order for each of the other elements to succeed.
Without senior management commitment, the other elements will likely be ignored within the organization.
++++++++++
Q11
In which of the following system development life cycle (SDLC) phases are access control and encryption algorithms chosen?
A. Procedural design
B. Architectural design
C. System design specifications
D. Software development
C is correct
The system design specifications phase is when security specifications are identified.
The procedural design converts structural components into a procedural description of the software.
The architectural design is the phase that identifies the overall system design, but not the specifics.
Software development is too late a stage since this is the phase when the system is already being coded.
++++++++++
Q12
The information classification scheme should:
A. consider possible impact of a security breach.
B. classify personal information in electronic form.
C. be performed by the information security manager.
D. classify systems according to the data processed.
A is correct
Data classification is determined by the business risk, i.e., the potential impact on the business of the loss, corruption or disclosure of information. It must be applied to information in all forms, both electronic and physical (paper), and should be applied by the data owner, not the security manager.
Choice B is an incomplete answer because it addresses only privacy issues, while choice A is a more complete response.
Systems are not classified per se, but the data they process and store should definitely be classified.
++++++++++
Q13
Which of the following is MOST likely to be discretionary?
A. Policies
B. Procedures
C. Guidelines
D. Standards
C is correct
Policies define security goals and expectations for an organization.
These are defined in more specific terms within standards and procedures.
Standards establish what is to be done while procedures describe how it is to be done.
Guidelines provide recommendations that business management must consider in developing practices within their areas of control; as such, they are discretionary.
++++++++++
Q14
Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register?
A. Authentication
B. Hardening
C. Encryption
D. Nonrepudiation
C is correct
Cardholder data should be encrypted using strong encryption techniques.
Hardening would be secondary in importance, while nonrepudiation would not be as relevant.
Authentication of the point-of-sale (POS) terminal is a previous step to acquiring the card information.
++++++++++
Q15
Access control to a sensitive intranet application by mobile users can BEST be implemented through:
A. data encryption.
B. digital signatures.
C. strong passwords.
D. two-factor authentication.
D is correct
Two-factor authentication through the use of strong passwords combined with security tokens provides the highest level of security.
Data encryption, digital signatures and strong passwords do not provide the same level of protection.
++++++++++
Q16
Good information security standards should:
A. define precise and unambiguous allowable limits.
B. describe the process for communicating violations.
C. address high-level objectives of the organization.
D. be updated frequently as new software is released.
A is correct
A security standard should clearly state what is allowable; it should not change frequently.
The process for communicating violations would be addressed by a security procedure, not a standard.
High-level objectives of an organization would normally be addressed in a security policy.
++++++++++
Q17
Which of the following mechanisms is the MOST secure way to implement a secure wireless network?
A. Filter media access control (MAC) addresses
B. Use a Wi-Fi Protected Access (WPA2) protocol
C. Use a Wired Equivalent Privacy (WEP) key
D. Web-based authentication
B is correct
WPA2 is currently one of the most secure authentication and encryption protocols for mainstream wireless products.
MAC address filtering by itself is not a good security mechanism since allowed MAC addresses can be easily sniffed and then spoofed to get into the network.
WEP is no longer a secure encryption mechanism for wireless communications. The WEP key can be easily broken within minutes using widely available software. And once the WEP key is obtained, all communications of every other wireless client are exposed.
Finally, a web-based authentication mechanism can be used to prevent unauthorized user access to a network, but it will not solve the wireless network's main security issues, such as preventing network sniffing.
++++++++++
Q18
Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)?
A. Card-key door locks
B. Photo identification
C. Biometric scanners
D. Awareness training
D is correct
Awareness training would most likely result in any attempted tailgating being challenged by the authorized employee.
The other choices are physical controls which by themselves would not be effective against tailgating.
++++++++++
Q19
Which of the following devices should be placed within a DMZ?
A. Router
B. Firewall
C. Mail relay
D. Authentication server
C is correct
A mail relay should normally be placed within a demilitarized zone (DMZ) to shield the internal network.
An authentication server, due to its sensitivity, should always be placed on the internal network, never on a DMZ that is subject to compromise.
Both routers and firewalls may bridge a DMZ to another network, but do not technically reside within the DMZ network segment.
++++++++++
Q20
Which of the following is the MOST important to keep in mind when assessing the value of information?
A. The potential financial loss
B. The cost of recreating the information
C. The cost of insurance coverage
D. Regulatory requirement
A is correct
The potential for financial loss is always a key factor when assessing the value of information.
Choices B, C and D may be contributors, but not the key factor.
++++++++++
Q21
To ensure that all information security procedures are functional and accurate, they should be designed with the involvement of:
A. end users.
B. legal counsel.
C. operational units.
D. audit management.
C is correct
Procedures at the operational level must be developed by or with the involvement of operational units that will use them. This will ensure that they are functional and accurate.
End users and legal counsel are normally not involved in procedure development.
Audit management generally oversees information security operations but does not get involved at the procedural level.
++++++++++
Q22
What is the BEST method to confirm that all firewall rules and router configuration settings are adequate?
A. Periodic review of network configuration
B. Review intrusion detection system (IDS) logs for evidence of attacks
C. Periodically perform penetration tests
D. Daily review of server logs for evidence of hacker activity
C is correct
The best approach for confirming the adequacy of these configuration settings is to periodically perform attack and penetration tests.
Due to the complexity of firewall rules and router tables, plus the sheer size of intrusion detection system (IDSs) and server logs, a physical review will be insufficient.
++++++++++
Q23
Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected?
A. Applying patches
B. Changing access rules
C. Upgrading hardware
D. Backing up files
D is correct
If malicious code is not immediately detected, it will most likely be backed up as a part of the normal tape backup process. When later discovered, the code may be eradicated from the device but still remain undetected on a backup tape. Any subsequent restores using that tape may reintroduce the malicious code.
Applying patches, changing access rules and upgrading hardware does not significantly increase the level of difficulty.
++++++++++
Q24
Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack?
A. Utilize an intrusion detection system.
B. Establish minimum security baselines.
C. Implement vendor recommended settings.
D. Perform periodic penetration testing.
D is correct
Penetration testing is the best way to assure that perimeter security is adequate.
An intrusion detection system (IDS) may detect an attempted attack, but it will not confirm whether the perimeter is secure.
Minimum security baselines and applying vendor recommended settings are beneficial, but they will not provide the level of assurance that is provided by penetration testing.
++++++++++
Q25
During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?
A. Feasibility
B. Design
C. Development
D. Testing
A is correct
Risk should be addressed as early in the development of a new application system as possible. In some cases, identified risks could be mitigated through design changes.
If needed changes are not identified until design has already commenced, such changes become more expensive.
For this reason, beginning risk assessment during the design, development or testing phases is not the best solution.
++++++++++
Q26
The value of information assets is BEST determined by:
A. individual business managers.
B. business systems analysts.
C. information security management.
D. industry averages benchmarking.
A is correct
Individual business managers are in the best position to determine the value of information assets since they are most knowledgeable of the assets' impact on the business.
Business systems developers and information security managers are not as knowledgeable regarding the impact on the business.
Peer companies' industry averages do not necessarily provide detailed enough information nor are they as relevant to the unique aspects of the business.
++++++++++
Q27
An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download nonsensitive production data for software testing purposes. The information security manager should recommend which of the following?
A. Restrict account access to read-only
B. Log all usage of this account
C. Suspend the account and activate only when needed
D. Require that a change request be submitted for each download
A is correct
Administrative accounts have permission to change data. This is not required for the developers to perform their tasks. Unauthorized change will damage the integrity of the data. Restricting the account to read-only access will ensure that file integrity can be maintained while permitting access.
Logging all usage of the account, suspending the account and activating only when needed, and requiring that a change request be submitted for each download will not reduce the exposure created by this excessive level of access.
++++++++++
Q28
Which of the following presents the GREATEST exposure to internal attack on a network?
A. User passwords are not automatically expired
B. All network traffic goes through a single switch
C. User passwords are encoded but not encrypted
D. All users reside on a single internal subnet
C is correct
When passwords are sent over the internal network in an encoded format, they can easily be converted to cleartext. All passwords should be encrypted to provide adequate security.
Not automatically expiring user passwords does create an exposure, but not as great as having unencrypted passwords.
Using a single switch or subnet does not present a significant exposure.
++++++++++
Q29
On a company's e-commerce web site, a good legal statement regarding data privacy should include:
A. a statement regarding what the company will do with the information it collects.
B. a disclaimer regarding the accuracy of information on its web site.
C. technical information regarding how information is protected.
D. a statement regarding where the information is being hosted.
A is correct
Most privacy laws and regulations require disclosure on how information will be used.
A disclaimer is not necessary since it does not refer to data privacy.
Technical details regarding how information is protected are not mandatory to publish on the web site and in fact would not be desirable.
It is not mandatory to say where information is being hosted.
++++++++++
Q30
Which of the following would BEST ensure the success of information security governance within an organization?
A. Steering committees approve security projects
B. Security policy training provided to all managers
C. Security training and awareness available to all employees on the company intranet
D.Steering committees enforce compliance with laws and regulations
A is correct
The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program.
Compliance with laws and regulations is part of the responsibility of the steering committee but it is not a full answer.
Awareness training is important at all levels in any medium, and also an indicator of good governance.
However, it must be guided and approved as a security project by the steering committee.
**********
# Q# Task Stmt.
01 347 3.7 Info. Security Program Dev.
02 535 4.8 Info. Security Program Mgmt.
03 318 3.5 Info. Security Program Dev.
04 488 4.5 Info. Security Program Mgmt.
05 642 5.9 Incident Mgmt./Response
06 088 1.5 Info. Security Governance
07 622 5.6 Incident Mgmt./Response
08 110 1.7 Info. Security Governance
09 236 2.5 Information Risk Mgmt.
10 281 3.2 Info. Security Program Dev.
11 467 4.4 Info. Security Program Mgmt.
12 287 3.4 Info. Security Program Dev.
13 005 1.1 Info. Security Governance
14 305 3.5 Info. Security Program Dev.
15 359 3.8 Info. Security Program Dev.
16 428 4.2 Info. Security Program Mgmt.
17 333 3.5 Info. Security Program Dev.
18 517 4.7 Info. Security Program Mgmt.
19 295 3.5 Info. Security Program Dev.
20 053 1.3 Info. Security Governance
21 435 4.2 Info. Security Program Mgmt.
22 533 4.8 Info. Security Program Mgmt.
23 477 4.5 Info. Security Program Mgmt.
24 530 4.8 Info. Security Program Mgmt.
25 250 2.6 Information Risk Mgmt.
26 201 2.3 Information Risk Mgmt.
27 441 4.2 Info. Security Program Mgmt.
28 422 4.2 Info. Security Program Mgmt.
29 073 1.4 Info. Security Governance
30 095 1.6 Info. Security Governance
