CISM Practice Question 2010 Session 3
++++++++++
Q01
Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met?
A. SWOT analysis
B. Waterfall chart
C. Gap analysis
D. Balanced scorecard
D is correct
The balanced scorecard is most effective for evaluating the degree to which information security objectives are being met.
A SWOT analysis addresses strengths, weaknesses, opportunities and threats. Although useful, a SWOT analysis is not as effective a tool.
Similarly, a gap analysis, while useful for identifying the difference between the current state and the desired future state, is not the most appropriate tool.
A waterfall chart is used to understand the flow of one process into another.
++++++++++
Q2
A common concern with poorly written web applications is that they can allow an attacker to:
A. gain control through a buffer overflow.
B. conduct a distributed denial of service (DoS) attack.
C. abuse a race condition.
D. inject structured query language (SQL) statements.
D is correct
Structured query language (SQL) injection is one of the most common and dangerous web application vulnerabilities.
Buffer overflows and race conditions are very difficult to find and exploit on web applications.
Distributed denial of service (DoS) attacks have nothing to do with the quality of a web application.
++++++++++
Q3
When a security standard conflicts with a business objective, the situation should be resolved by:
A. changing the security standard.
B. changing the business objective.
C. performing a risk analysis.
D. authorizing a risk acceptance.
C is correct
Conflicts of this type should be based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard.
It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance is a process that derives from the risk analysis.
++++++++++
Q04
Who is ultimately responsible for the organization's information?
A. Data custodian
B. Chief information security officer (CISO)
C. Board of directors
D. Chief information officer (CIO)
C is correct
The board of directors is ultimately responsible for the organization's information and is tasked with responding to issues that affect its protection.
The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department.
The chief information security officer (CISO) is responsible for security and carrying out senior management's directives.
The chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization's information.
++++++++++
Q05
Which of the following is the PRIMARY reason for implementing a risk management program?
A. Allows the organization to eliminate risk
B. Is a necessary part of management's due diligence
C. Satisfies audit and regulatory requirements
D. Assists in incrementing the return on investment (ROI)
B is correct
The key reason for performing risk management is that it is part of management's due diligence.
The elimination of all risk is not possible.
Satisfying audit and regulatory requirements is of secondary importance.
A risk management program may or may not increase the return on investment (ROI).
++++++++++
Q06
Information security projects should be prioritized on the basis of:
A. time required for implementation.
B. impact on the organization.
C. total cost for implementation.
D. mix of resources required.
B is correct
Information security projects should be assessed on the basis of the positive impact that they will have on the organization.
Time, cost and resource issues should be subordinate to this objective.
++++++++++
Q07
When a user employs a client-side digital certificate to authenticate to a web server through Secure Socket Layer (SSL), confidentiality is MOST vulnerable to which of the following?
A. IP spoofing
B. Man-in-the-middle attack
C. Repudiation
D. Trojan
D is correct
A Trojan is a program that gives the attacker full control over the infected computer, thus allowing the attacker to hijack, copy or alter information after authentication by the user.
IP spoofing will not work because IP is not used as an authentication mechanism.
Man-in-the-middle attacks are not possible if using SSL with client-side certificates.
Repudiation is unlikely because client-side certificates authenticate the user.
++++++++++
Q08
An organization without any formal information security program that has decided to implement information security best practices should FIRST:
A. invite an external consultant to create the security strategy.
B. allocate budget based on best practices.
C. benchmark similar organizations.
D. define high-level business security requirements.
D is correct
All four options are valid steps in the process of implementing information security best practices; however, defining high-level business security requirements should precede the others because the implementation should be based on those security requirements.
++++++++++
Q09
Which of the following is the MOST important reason for an information security review of contracts? To help ensure that:
A. the parties to the agreement can perform.
B. confidential data are not included in the agreement.
C. appropriate controls are included.
D. the right to audit is a requirement.
C is correct
Agreements with external parties can expose an organization to information security risks that must be assessed and appropriately mitigated.
The ability of the parties to perform is normally the responsibility of legal and the business operation involved.
Confidential information may be in the agreement by necessity and, while the information security manager can advise and provide approaches to protect the information, the responsibility rests with the business and legal.
Audit rights may be one of many possible controls to include in a third-party agreement, but is not necessarily a contract requirement, depending on the nature of the agreement.
++++++++++
Q10
Which of the following is the MOST important step before implementing a security policy?
A. Communicating to employees
B. Training IT staff
C. Identifying relevant technologies for automation
D. Obtaining sign-off from stakeholders
D is correct
Sign-off must be obtained from all stakeholders since that would signify formal acceptance of all the policy objectives and expectations of the business along with all residual risks. Only after sign-off is obtained can the other mentioned activities begin.
++++++++++
Q11
The valuation of IT assets should be performed by:
A. an IT security manager.
B. an independent security consultant.
C. the chief financial officer (CFO).
D. the information owner.
D is correct
Information asset owners are in the best position to evaluate the value added by the IT asset under review within a business process, thanks to their deep knowledge of the business processes and of the functional IT requirements.
An IT security manager is an expert of the IT risk assessment methodology and IT asset valuation mechanisms. However, the manager could not have a deep understanding of all the business processes of the firm.
An IT security subject matter expert will take part of the process to identify threats and vulnerabilities and will collaborate with the business information asset owner to define the risk profile of the asset.
A chief financial officer (CFO) will have an overall costs picture but not detailed enough to evaluate the value of each IT asset.
++++++++++
Q12
Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?
A. Include security responsibilities in the job description
B. Require the administrator to obtain security certification
C. Train the system administrator on penetration testing and vulnerability assessment
D. Train the system administrator on risk assessment
A is correct
The first step to improve accountability is to include security responsibilities in a job description. This documents what is expected and approved by the organization.
The other choices are methods to ensure that the system administrator has the training to fulfill the responsibilities included in the job description.
++++++++++
Q13
An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to:
A. validate and sanitize client side inputs.
B. harden the database listener component.
C. normalize the database schema to the third normal form.
D. ensure that the security patches are updated on operating systems.
A is correct
SQL injection vulnerability arises when crafted or malformed user inputs are substituted directly in SQL queries, resulting in information leakage.
Hardening the database listener does enhance the security of the database; however, it is unrelated to the SQL injection vulnerability.
Normalization is related to the effectiveness and efficiency of the database but not to SQL injection vulnerability. SQL injections may also be observed in normalized databases.
SQL injection vulnerability exploits the SQL query design, not the operating system.
++++++++++
Q14
The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:
A. periodically testing the incident response plans.
B. regularly testing the intrusion detection system (IDS).
C. establishing mandatory training of all personnel.
D. periodically reviewing incident response procedures.
A is correct
Security incident response plans should be tested to find any deficiencies and improve existing processes.
Testing the intrusion detection system (IDS) is a good practice but would not have prevented this situation.
All personnel need to go through formal training to ensure that they understand the process, tools and methodology involved in handling security incidents. However, testing of the actual plans is more effective in ensuring the process works as intended.
Reviewing the response procedures is not enough; the security response plan needs to be tested on a regular basis.
++++++++++
Q15
The MOST appropriate individual to determine the level of information security needed for a specific business application is the:
A. system developer.
B. information security manager.
C. steering committee.
D. system data owner.
D is correct
Data owners are the most knowledgeable of the security needs of the business application for which they are responsible.
The system developer, security manager and system custodian will have specific knowledge on limited areas but will not have full knowledge of the business issues that affect the level of security required.
The steering committee does not perform at that level of detail on the operation.
++++++++++
Q16
Before engaging outsourced providers, an information security manager should ensure that the organization's data classification requirements:
A. are compatible with the provider's own classification.
B. are communicated to the provider.
C. exceed those of the outsourcer.
D. are stated in the contract.
D is correct
The most effective mechanism to ensure that the organization's security standards are met by a third party would be a legal agreement.
Choices A, B and C are acceptable options, but not as comprehensive or as binding as a legal contract.
++++++++++
Q17
Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas?
A. Platform security
B. Entitlement changes
C. Intrusion detection
D. Antivirus controls
B is correct
Data owners are responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Platform security, intrusion detection and antivirus controls are all within the responsibility of the information security manager.
++++++++++
Q18
Which of the following would BEST protect an organization's confidential data stored on a laptop computer from unauthorized access?
A. Strong authentication by password
B. Encrypted hard drives
C. Multifactor authentication procedures
D. Network-based data backup
B is correct
Encryption of the hard disks will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Strong authentication by password can be bypassed by a determined hacker.
Multifactor authentication can be bypassed by removal of the hard drive and insertion into another laptop.
Network-based data backups do not prevent access but rather recovery from data loss.
++++++++++
Q19
Who should drive the risk analysis for an organization?
A. Senior management
B. Security manager
C. Quality manager
D. Legal department
B is correct
Although senior management should support and sponsor a risk analysis, the know-how and the management of the project will be with the security department.
Quality management and the legal department will contribute to the project.
++++++++++
Q20
The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:
A. the plan aligns with the organization's business plan.
B. departmental budgets are allocated appropriately to pay for the plan.
C. regulatory oversight requirements are met.
D. the impact of the plan on the business units is reduced.
A is correct
The steering committee controls the execution of the information security strategy according to the needs of the organization and decides on the project prioritization and the execution plan.
The steering committee does not allocate department budgets for business units.
While ensuring that regulatory oversight requirements are met could be a consideration, it is not the main reason for the review.
Reducing the impact on the business units is a secondary concern but not the main reason for the review.
++++++++++
Q21
The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is:
A. messages displayed at every logon.
B. periodic security-related e-mail messages.
C. an intranet web site for information security.
D. circulating the information security policy.
A is correct
Logon banners would appear every time the user logs on, and the user would be required to read and agree to the same before using the resources. Also, as the message is conveyed in writing and appears consistently, it can be easily enforceable in any organization.
Security-related e-mail messages are frequently considered as "spam" by network users and do not, by themselves, ensure that the user agrees to comply with security requirements.
The existence of an intranet web site does not force users to access it and read the information.
Circulating the information security policy alone does not confirm that an individual user has read, understood and agreed to comply with its requirements unless it is associated with formal acknowledgment, such as a user's signature of acceptance.
++++++++++
Q22
One way to determine control effectiveness is by determining:
A. whether it is preventive, detective or compensatory.
B. the capability of providing notification of failure.
C. the test results of intended objectives.
D. the evaluation and analysis of reliability.
C is correct
Control effectiveness requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
The type of control is not relevant, and notification of failure is not determinative of control strength.
Reliability is not an indication of control strength; weak controls can be highly reliable, even if they are ineffective controls.
++++++++++
Q23
How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?
A. Give organization standards preference over local regulations
B. Follow local regulations only
C. Make the organization aware of those standards where local regulations cause conflicts
D. Negotiate a local version of the organization standards
D is correct
Adherence to local regulations must always be the priority. Not following local regulations can prove detrimental to the group organization.
Following local regulations only is incorrect since there needs to be some recognition of organization requirements.
Making an organization aware of standards is a sensible step, but is not a total solution.
Negotiating a local version of the organization standards is the most effective compromise in this situation.
++++++++++
Q24
The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information security program is to:
A. ensure the confidentiality of sensitive material.
B. provide a high assurance of identity.
C. allow deployment of the active directory.
D. implement secure sockets layer (SSL) encryption.
B is correct
The primary purpose of a public key infrastructure (PKI) is to provide strong authentication.
Confidentiality is a function of the session keys distributed by the PKI.
An active directory can use PKI for authentication as well as using other means.
Even though secure sockets layer (SSL) encryption requires keys to authenticate, it is not the main reason for deploying PKI.
++++++++++
Q25
Isolation and containment measures for a compromised computer have been taken and information security management is now investigating. What is the MOST appropriate next step?
A. Run a forensics tool on the machine to gather evidence
B. Reboot the machine to break remote connections
C. Make a copy of the whole system's memory
D. Document current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports
C is correct
When investigating a security breach, it is important to preserve all traces of evidence left by the invader. For this reason, it is imperative to preserve the memory contents of the machine in order to analyze them later. The correct answer is choice C because a copy of the whole system's memory is obtained for future analysis by running the appropriate tools. This is also important from a legal perspective since an attorney may suggest that the system was changed during the conduct of the investigation.
Running a computer forensics tool in the compromised machine will cause the creation of at least one process that may overwrite evidence.
Rebooting the machine will delete the contents of the memory, erasing potential evidence.
Collecting information about current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports is correct, but doing so by using tools may also erase memory contents.
++++++++++
Q26
An organization's information security manager is planning the structure of the Information Security Steering Committee. Which of the following groups should the manager invite?
A. External audit and network penetration testers
B. Board of directors and the organization's regulators
C. External trade union representatives and key security vendors
D. Leadership from IT, human resources and the sales department
D is correct
Leaders from IT, human resources and sales are key individuals who must support an information security program.
External audit may assess and advise on the program, and testers may be used by the program, but they are not appropriate steering committee members.
The steering committee needs to have practitioner-level representation. It may report to the board, but board members would not generally be part of the steering committee, except for its executive sponsor. Regulators would not participate on this committee.
External trade union representatives and key security vendors are entities that may need to be consulted as part of program activities, but would not be members of the steering committee.
++++++++++
Q27
An organization's security awareness program should focus on which of the following?
A. Establishing metrics for network backups
B. Installing training software which simulates security incidents
C. Communicating what employees should do/not do in the context of their job responsibilities
D. Accessing levels within the organization for applications and the Internet
C is correct
An organization's security awareness program should focus on employee behavior and the consequences of both compliance and noncompliance with the security policy.
++++++++++
Q28
Which of the following practices is BEST to remove system access for contractors and other temporary users when it is no longer required?
A. Log all account usage and send it to their manager
B. Establish predetermined automatic expiration dates
C. Require managers to e-mail security when the user leaves
D. Ensure each individual has signed a security acknowledgement
B is correct
Predetermined expiration dates are the most effective means of removing systems access for temporary users.
Reliance on managers to promptly send in termination notices cannot always be counted on, while requiring each individual to sign a security acknowledgement would have little effect in this case.
++++++++++
Q29
Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken?
A. Information security officer
B. Security steering committee
C. Data owner
D. Data custodian
B is correct
Routine administration of all aspects of security is delegated, but senior management must retain overall responsibility.
The information security officer supports and implements information security for senior management.
The data owner is responsible for categorizing data security requirements.
The data custodian supports and implements information security as directed.
++++++++++
Q30
Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)?
A. Gap analysis
B. Regression analysis
C. Risk analysis
D. Business impact analysis
D is correct
Recovery time objectives (RTOs) are a primary deliverable of a business impact analysis. RTOs relate to the financial impact of a system not being available.
A gap analysis is useful in addressing the differences between the current state and an ideal future state.
Regression analysis is used to test changes to program modules.
Risk analysis is a component of the business impact analysis.
**********
# Q# Task Stmt.
01 390 3.11 Info. Security Program Dev.
02 254 2.6 Information Risk Mgmt.
03 077 1.5 Info. Security Governance
04 124 1.7 Info. Security Governance
05 170 2.2 Information Risk Mgmt.
06 010 1.1 Info. Security Governance
07 315 3.5 Info. Security Program Dev.
08 275 3.1 Info. Security Program Dev.
09 385 3.10 Info. Security Program Dev.
10 344 3.6 Info. Security Program Dev.
11 181 2.2 Information Risk Mgmt.
12 128 1.7 Info. Security Governance
13 443 4.2 Info. Security Program Mgmt.
14 212 2.4 Information Risk Mgmt.
15 416 4.2 Info. Security Program Mgmt.
16 455 4.3 Info. Security Program Mgmt.
17 138 2.1 Information Risk Mgmt.
18 324 3.5 Info. Security Program Dev.
19 125 1.7 Info. Security Governance
20 047 1.2 Info. Security Governance
21 371 3.8 Info. Security Program Dev.
22 258 2.6 Information Risk Mgmt.
23 089 1.5 Info. Security Governance
24 322 3.5 Info. Security Program Dev.
25 591 5.4 Incident Mgmt./Response
26 293 3.4 Info. Security Program Dev.
27 352 3.7 Info. Security Program Dev.
28 306 3.5 Info. Security Program Dev.
29 102 1.6 Info. Security Governance
30 202 2.3 Information Risk Mgmt.
++++++++++
Q01
Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met?
A. SWOT analysis
B. Waterfall chart
C. Gap analysis
D. Balanced scorecard
D is correct
The balanced scorecard is most effective for evaluating the degree to which information security objectives are being met.
A SWOT analysis addresses strengths, weaknesses, opportunities and threats. Although useful, a SWOT analysis is not as effective a tool.
Similarly, a gap analysis, while useful for identifying the difference between the current state and the desired future state, is not the most appropriate tool.
A waterfall chart is used to understand the flow of one process into another.
++++++++++
Q2
A common concern with poorly written web applications is that they can allow an attacker to:
A. gain control through a buffer overflow.
B. conduct a distributed denial of service (DoS) attack.
C. abuse a race condition.
D. inject structured query language (SQL) statements.
D is correct
Structured query language (SQL) injection is one of the most common and dangerous web application vulnerabilities.
Buffer overflows and race conditions are very difficult to find and exploit on web applications.
Distributed denial of service (DoS) attacks have nothing to do with the quality of a web application.
++++++++++
Q3
When a security standard conflicts with a business objective, the situation should be resolved by:
A. changing the security standard.
B. changing the business objective.
C. performing a risk analysis.
D. authorizing a risk acceptance.
C is correct
Conflicts of this type should be based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard.
It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance is a process that derives from the risk analysis.
++++++++++
Q04
Who is ultimately responsible for the organization's information?
A. Data custodian
B. Chief information security officer (CISO)
C. Board of directors
D. Chief information officer (CIO)
C is correct
The board of directors is ultimately responsible for the organization's information and is tasked with responding to issues that affect its protection.
The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department.
The chief information security officer (CISO) is responsible for security and carrying out senior management's directives.
The chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization's information.
++++++++++
Q05
Which of the following is the PRIMARY reason for implementing a risk management program?
A. Allows the organization to eliminate risk
B. Is a necessary part of management's due diligence
C. Satisfies audit and regulatory requirements
D. Assists in incrementing the return on investment (ROI)
B is correct
The key reason for performing risk management is that it is part of management's due diligence.
The elimination of all risk is not possible.
Satisfying audit and regulatory requirements is of secondary importance.
A risk management program may or may not increase the return on investment (ROI).
++++++++++
Q06
Information security projects should be prioritized on the basis of:
A. time required for implementation.
B. impact on the organization.
C. total cost for implementation.
D. mix of resources required.
B is correct
Information security projects should be assessed on the basis of the positive impact that they will have on the organization.
Time, cost and resource issues should be subordinate to this objective.
++++++++++
Q07
When a user employs a client-side digital certificate to authenticate to a web server through Secure Socket Layer (SSL), confidentiality is MOST vulnerable to which of the following?
A. IP spoofing
B. Man-in-the-middle attack
C. Repudiation
D. Trojan
D is correct
A Trojan is a program that gives the attacker full control over the infected computer, thus allowing the attacker to hijack, copy or alter information after authentication by the user.
IP spoofing will not work because IP is not used as an authentication mechanism.
Man-in-the-middle attacks are not possible if using SSL with client-side certificates.
Repudiation is unlikely because client-side certificates authenticate the user.
++++++++++
Q08
An organization without any formal information security program that has decided to implement information security best practices should FIRST:
A. invite an external consultant to create the security strategy.
B. allocate budget based on best practices.
C. benchmark similar organizations.
D. define high-level business security requirements.
D is correct
All four options are valid steps in the process of implementing information security best practices; however, defining high-level business security requirements should precede the others because the implementation should be based on those security requirements.
++++++++++
Q09
Which of the following is the MOST important reason for an information security review of contracts? To help ensure that:
A. the parties to the agreement can perform.
B. confidential data are not included in the agreement.
C. appropriate controls are included.
D. the right to audit is a requirement.
C is correct
Agreements with external parties can expose an organization to information security risks that must be assessed and appropriately mitigated.
The ability of the parties to perform is normally the responsibility of legal and the business operation involved.
Confidential information may be in the agreement by necessity and, while the information security manager can advise and provide approaches to protect the information, the responsibility rests with the business and legal.
Audit rights may be one of many possible controls to include in a third-party agreement, but is not necessarily a contract requirement, depending on the nature of the agreement.
++++++++++
Q10
Which of the following is the MOST important step before implementing a security policy?
A. Communicating to employees
B. Training IT staff
C. Identifying relevant technologies for automation
D. Obtaining sign-off from stakeholders
D is correct
Sign-off must be obtained from all stakeholders since that would signify formal acceptance of all the policy objectives and expectations of the business along with all residual risks. Only after sign-off is obtained can the other mentioned activities begin.
++++++++++
Q11
The valuation of IT assets should be performed by:
A. an IT security manager.
B. an independent security consultant.
C. the chief financial officer (CFO).
D. the information owner.
D is correct
Information asset owners are in the best position to evaluate the value added by the IT asset under review within a business process, thanks to their deep knowledge of the business processes and of the functional IT requirements.
An IT security manager is an expert of the IT risk assessment methodology and IT asset valuation mechanisms. However, the manager could not have a deep understanding of all the business processes of the firm.
An IT security subject matter expert will take part of the process to identify threats and vulnerabilities and will collaborate with the business information asset owner to define the risk profile of the asset.
A chief financial officer (CFO) will have an overall costs picture but not detailed enough to evaluate the value of each IT asset.
++++++++++
Q12
Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?
A. Include security responsibilities in the job description
B. Require the administrator to obtain security certification
C. Train the system administrator on penetration testing and vulnerability assessment
D. Train the system administrator on risk assessment
A is correct
The first step to improve accountability is to include security responsibilities in a job description. This documents what is expected and approved by the organization.
The other choices are methods to ensure that the system administrator has the training to fulfill the responsibilities included in the job description.
++++++++++
Q13
An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to:
A. validate and sanitize client side inputs.
B. harden the database listener component.
C. normalize the database schema to the third normal form.
D. ensure that the security patches are updated on operating systems.
A is correct
SQL injection vulnerability arises when crafted or malformed user inputs are substituted directly in SQL queries, resulting in information leakage.
Hardening the database listener does enhance the security of the database; however, it is unrelated to the SQL injection vulnerability.
Normalization is related to the effectiveness and efficiency of the database but not to SQL injection vulnerability. SQL injections may also be observed in normalized databases.
SQL injection vulnerability exploits the SQL query design, not the operating system.
++++++++++
Q14
The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:
A. periodically testing the incident response plans.
B. regularly testing the intrusion detection system (IDS).
C. establishing mandatory training of all personnel.
D. periodically reviewing incident response procedures.
A is correct
Security incident response plans should be tested to find any deficiencies and improve existing processes.
Testing the intrusion detection system (IDS) is a good practice but would not have prevented this situation.
All personnel need to go through formal training to ensure that they understand the process, tools and methodology involved in handling security incidents. However, testing of the actual plans is more effective in ensuring the process works as intended.
Reviewing the response procedures is not enough; the security response plan needs to be tested on a regular basis.
++++++++++
Q15
The MOST appropriate individual to determine the level of information security needed for a specific business application is the:
A. system developer.
B. information security manager.
C. steering committee.
D. system data owner.
D is correct
Data owners are the most knowledgeable of the security needs of the business application for which they are responsible.
The system developer, security manager and system custodian will have specific knowledge on limited areas but will not have full knowledge of the business issues that affect the level of security required.
The steering committee does not perform at that level of detail on the operation.
++++++++++
Q16
Before engaging outsourced providers, an information security manager should ensure that the organization's data classification requirements:
A. are compatible with the provider's own classification.
B. are communicated to the provider.
C. exceed those of the outsourcer.
D. are stated in the contract.
D is correct
The most effective mechanism to ensure that the organization's security standards are met by a third party would be a legal agreement.
Choices A, B and C are acceptable options, but not as comprehensive or as binding as a legal contract.
++++++++++
Q17
Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas?
A. Platform security
B. Entitlement changes
C. Intrusion detection
D. Antivirus controls
B is correct
Data owners are responsible for assigning user entitlements and approving access to the systems for which they are responsible.
Platform security, intrusion detection and antivirus controls are all within the responsibility of the information security manager.
++++++++++
Q18
Which of the following would BEST protect an organization's confidential data stored on a laptop computer from unauthorized access?
A. Strong authentication by password
B. Encrypted hard drives
C. Multifactor authentication procedures
D. Network-based data backup
B is correct
Encryption of the hard disks will prevent unauthorized access to the laptop even when the laptop is lost or stolen.
Strong authentication by password can be bypassed by a determined hacker.
Multifactor authentication can be bypassed by removal of the hard drive and insertion into another laptop.
Network-based data backups do not prevent access but rather recovery from data loss.
++++++++++
Q19
Who should drive the risk analysis for an organization?
A. Senior management
B. Security manager
C. Quality manager
D. Legal department
B is correct
Although senior management should support and sponsor a risk analysis, the know-how and the management of the project will be with the security department.
Quality management and the legal department will contribute to the project.
++++++++++
Q20
The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:
A. the plan aligns with the organization's business plan.
B. departmental budgets are allocated appropriately to pay for the plan.
C. regulatory oversight requirements are met.
D. the impact of the plan on the business units is reduced.
A is correct
The steering committee controls the execution of the information security strategy according to the needs of the organization and decides on the project prioritization and the execution plan.
The steering committee does not allocate department budgets for business units.
While ensuring that regulatory oversight requirements are met could be a consideration, it is not the main reason for the review.
Reducing the impact on the business units is a secondary concern but not the main reason for the review.
++++++++++
Q21
The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is:
A. messages displayed at every logon.
B. periodic security-related e-mail messages.
C. an intranet web site for information security.
D. circulating the information security policy.
A is correct
Logon banners would appear every time the user logs on, and the user would be required to read and agree to the same before using the resources. Also, as the message is conveyed in writing and appears consistently, it can be easily enforceable in any organization.
Security-related e-mail messages are frequently considered as "spam" by network users and do not, by themselves, ensure that the user agrees to comply with security requirements.
The existence of an intranet web site does not force users to access it and read the information.
Circulating the information security policy alone does not confirm that an individual user has read, understood and agreed to comply with its requirements unless it is associated with formal acknowledgment, such as a user's signature of acceptance.
++++++++++
Q22
One way to determine control effectiveness is by determining:
A. whether it is preventive, detective or compensatory.
B. the capability of providing notification of failure.
C. the test results of intended objectives.
D. the evaluation and analysis of reliability.
C is correct
Control effectiveness requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
The type of control is not relevant, and notification of failure is not determinative of control strength.
Reliability is not an indication of control strength; weak controls can be highly reliable, even if they are ineffective controls.
++++++++++
Q23
How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?
A. Give organization standards preference over local regulations
B. Follow local regulations only
C. Make the organization aware of those standards where local regulations cause conflicts
D. Negotiate a local version of the organization standards
D is correct
Adherence to local regulations must always be the priority. Not following local regulations can prove detrimental to the group organization.
Following local regulations only is incorrect since there needs to be some recognition of organization requirements.
Making an organization aware of standards is a sensible step, but is not a total solution.
Negotiating a local version of the organization standards is the most effective compromise in this situation.
++++++++++
Q24
The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information security program is to:
A. ensure the confidentiality of sensitive material.
B. provide a high assurance of identity.
C. allow deployment of the active directory.
D. implement secure sockets layer (SSL) encryption.
B is correct
The primary purpose of a public key infrastructure (PKI) is to provide strong authentication.
Confidentiality is a function of the session keys distributed by the PKI.
An active directory can use PKI for authentication as well as using other means.
Even though secure sockets layer (SSL) encryption requires keys to authenticate, it is not the main reason for deploying PKI.
++++++++++
Q25
Isolation and containment measures for a compromised computer have been taken and information security management is now investigating. What is the MOST appropriate next step?
A. Run a forensics tool on the machine to gather evidence
B. Reboot the machine to break remote connections
C. Make a copy of the whole system's memory
D. Document current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports
C is correct
When investigating a security breach, it is important to preserve all traces of evidence left by the invader. For this reason, it is imperative to preserve the memory contents of the machine in order to analyze them later. The correct answer is choice C because a copy of the whole system's memory is obtained for future analysis by running the appropriate tools. This is also important from a legal perspective since an attorney may suggest that the system was changed during the conduct of the investigation.
Running a computer forensics tool in the compromised machine will cause the creation of at least one process that may overwrite evidence.
Rebooting the machine will delete the contents of the memory, erasing potential evidence.
Collecting information about current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports is correct, but doing so by using tools may also erase memory contents.
++++++++++
Q26
An organization's information security manager is planning the structure of the Information Security Steering Committee. Which of the following groups should the manager invite?
A. External audit and network penetration testers
B. Board of directors and the organization's regulators
C. External trade union representatives and key security vendors
D. Leadership from IT, human resources and the sales department
D is correct
Leaders from IT, human resources and sales are key individuals who must support an information security program.
External audit may assess and advise on the program, and testers may be used by the program, but they are not appropriate steering committee members.
The steering committee needs to have practitioner-level representation. It may report to the board, but board members would not generally be part of the steering committee, except for its executive sponsor. Regulators would not participate on this committee.
External trade union representatives and key security vendors are entities that may need to be consulted as part of program activities, but would not be members of the steering committee.
++++++++++
Q27
An organization's security awareness program should focus on which of the following?
A. Establishing metrics for network backups
B. Installing training software which simulates security incidents
C. Communicating what employees should do/not do in the context of their job responsibilities
D. Accessing levels within the organization for applications and the Internet
C is correct
An organization's security awareness program should focus on employee behavior and the consequences of both compliance and noncompliance with the security policy.
++++++++++
Q28
Which of the following practices is BEST to remove system access for contractors and other temporary users when it is no longer required?
A. Log all account usage and send it to their manager
B. Establish predetermined automatic expiration dates
C. Require managers to e-mail security when the user leaves
D. Ensure each individual has signed a security acknowledgement
B is correct
Predetermined expiration dates are the most effective means of removing systems access for temporary users.
Reliance on managers to promptly send in termination notices cannot always be counted on, while requiring each individual to sign a security acknowledgement would have little effect in this case.
++++++++++
Q29
Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken?
A. Information security officer
B. Security steering committee
C. Data owner
D. Data custodian
B is correct
Routine administration of all aspects of security is delegated, but senior management must retain overall responsibility.
The information security officer supports and implements information security for senior management.
The data owner is responsible for categorizing data security requirements.
The data custodian supports and implements information security as directed.
++++++++++
Q30
Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)?
A. Gap analysis
B. Regression analysis
C. Risk analysis
D. Business impact analysis
D is correct
Recovery time objectives (RTOs) are a primary deliverable of a business impact analysis. RTOs relate to the financial impact of a system not being available.
A gap analysis is useful in addressing the differences between the current state and an ideal future state.
Regression analysis is used to test changes to program modules.
Risk analysis is a component of the business impact analysis.
**********
# Q# Task Stmt.
01 390 3.11 Info. Security Program Dev.
02 254 2.6 Information Risk Mgmt.
03 077 1.5 Info. Security Governance
04 124 1.7 Info. Security Governance
05 170 2.2 Information Risk Mgmt.
06 010 1.1 Info. Security Governance
07 315 3.5 Info. Security Program Dev.
08 275 3.1 Info. Security Program Dev.
09 385 3.10 Info. Security Program Dev.
10 344 3.6 Info. Security Program Dev.
11 181 2.2 Information Risk Mgmt.
12 128 1.7 Info. Security Governance
13 443 4.2 Info. Security Program Mgmt.
14 212 2.4 Information Risk Mgmt.
15 416 4.2 Info. Security Program Mgmt.
16 455 4.3 Info. Security Program Mgmt.
17 138 2.1 Information Risk Mgmt.
18 324 3.5 Info. Security Program Dev.
19 125 1.7 Info. Security Governance
20 047 1.2 Info. Security Governance
21 371 3.8 Info. Security Program Dev.
22 258 2.6 Information Risk Mgmt.
23 089 1.5 Info. Security Governance
24 322 3.5 Info. Security Program Dev.
25 591 5.4 Incident Mgmt./Response
26 293 3.4 Info. Security Program Dev.
27 352 3.7 Info. Security Program Dev.
28 306 3.5 Info. Security Program Dev.
29 102 1.6 Info. Security Governance
30 202 2.3 Information Risk Mgmt.
