CISM Practice Question 2010 Session 1
**********
Session 1
++++++++++
Q01
Of the following, retention of business records should be PRIMARILY based on:
A. periodic vulnerability assessment.
B. regulatory and legal requirements.
C. device storage capacity and longevity.
D. past litigation.
B is correct
Retention of business records is a business requirement that must consider regulatory and legal requirements based on geographic location and industry.
Options A and C are important elements for making the decision, but the primary driver is the legal and regulatory requirements that need to be followed by all companies.
Record retention may take into consideration past litigation, but it should not be the primary decision factor.
++++++++++
Q02
Which of the following is the BEST way to verify that all critical production servers are utilizing up-to-date virus signature files?
A. Verify the date that signature files were last pushed out
B. Use a recently identified benign virus to test if it is quarantined
C. Research the most recent signature file and compare to the console
D. Check a sample of servers that the signature files are current
D is correct
The only accurate way to check the signature files is to look at a sample of servers.
The fact that an update was pushed out to a server does not guarantee that it was properly loaded onto that server.
Comparing the vendor's most recent signature file with what the management console reports would still not indicate whether the file was properly loaded on the server.
Personnel should never release a virus, no matter how benign.
++++++++++
Q03
An information security manager believes that a network file server was compromised by a hacker. Which of the following should be the FIRST action taken?
A. Ensure that critical data on the server are backed up.
B. Shut down the compromised server.
C. Initiate the incident response process.
D. Shut down the network.
C is correct
The incident response process will determine the appropriate course of action.
If the data have been corrupted by a hacker, the backup may also be corrupted.
Shutting down the server is likely to destroy any forensic evidence that may exist and may be required by the investigation.
Shutting down the network is a drastic action, especially if the hacker is no longer active on the network.
++++++++++
Q04
Which of the following is the MOST important factor when designing information security architecture?
A. Technical platform interfaces
B. Scalability of the network
C. Development methodologies
D. Stakeholder requirements
D is correct
The most important factor for information security is that it advances the interests of the business, as defined by stakeholder requirements.
Interoperability and scalability, as well as development methodologies, are all important but are without merit if a technologically elegant solution is achieved that does not meet the needs of the business.
++++++++++
Q05
Secure customer use of an e-commerce application can BEST be accomplished through:
A. data encryption.
B. digital signatures.
C. strong passwords.
D. two-factor authentication.
A is correct
Encryption would be the preferred method of ensuring confidentiality in customer communications with an e-commerce application.
Strong passwords, by themselves, would not be sufficient since the data could still be intercepted, while two-factor authentication would be impractical.
Digital signatures would not provide a secure means of communication.
In most business-to-customer (B-to-C) web applications, a digital signature is also not a practical solution.
++++++++++
Q06
Which of the following risks would BEST be assessed using quantitative risk assessment techniques?
A. Customer data stolen
B. An electrical power outage
C. A web site defaced by hackers
D. Loss of the software development team
B is correct
The effect of the theft of customer data or web site defacement by hackers could lead to a permanent decline in customer confidence, which does not lend itself to measurement by quantitative techniques.
Loss of a majority of the software development team could have similar unpredictable repercussions.
However, the loss of electrical power for a short duration is more easily measurable and can be quantified into monetary amounts that can be assessed with quantitative techniques.
++++++++++
Q07
To ensure that payroll systems continue to operate in the event of a hurricane hitting a data center, what would be the FIRST crucial step an information security manager would take in ensuring business continuity planning?
A. Qualitative and quantitative risk analysis
B. Assigning value to the assets
C. Weighing the cost of implementing the plan vs. financial loss
D. Business impact analysis (BIA)
D is correct
BIA is an essential component of an organization's business continuity plan; it includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk. It is the first crucial step in business continuity planning.
Qualitative and quantitative risk analysis will have been completed to define the dangers to individuals, businesses and government agencies posed by potential natural and human-caused adverse events.
Assigning value to assets is part of the BIA process.
Weighing the cost of implementing the plan vs. financial loss is another part of the BIA.
++++++++++
Q08
For virtual private network (VPN) access to the corporate network, the information security manager is requiring strong authentication. Which of the following is the strongest method to ensure that logging onto the network is secure?
A. Biometrics
B. Symmetric encryption keys
C. Secure Sockets Layer (SSL)–based authentication
D. Two-factor authentication
D is correct
Two-factor authentication requires more than one type of user authentication.
While biometrics provides unique authentication, it is not strong by itself, unless a PIN or some other authentication factor is used with it. Biometric authentication by itself is also subject to replay attacks.
A symmetric encryption method that uses the same secret key to encrypt and decrypt data is not a typical authentication mechanism for end users. This private key could still be compromised.
SSL is the standard security technology for establishing an encrypted link between a web server and a browser. SSL is not an authentication mechanism. If SSL is used with a client certificate and a password, it would be a two-factor authentication.
++++++++++
Q09
Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?
A. To mitigate technical risks
B. To have an independent certification of network security
C. To receive an independent view of security exposures
D. To identify a complete list of vulnerabilities
C is correct
Even though the organization may have the capability to perform penetration testing with internal resources, third-party penetration testing should be performed to gain an independent view of the security exposure.
Mitigating technical risks is not a direct result of a penetration test.
A penetration test would not provide certification of network security nor provide a complete list of vulnerabilities.
++++++++++
Q10
The configuration management plan should PRIMARILY be based upon input from:
A. business process owners.
B. the information security manager.
C. the security steering committee.
D. IT senior management.
D is correct
Although business process owners, an information security manager and the security steering committee may provide input regarding a configuration management plan, its final approval is the primary responsibility of IT senior management.
++++++++++
Q11
What is the MOST important element to include when developing user security awareness material?
A. Information regarding social engineering
B. Detailed security policies
C. Senior management endorsement
D. Easy-to-read and compelling information
D is correct
Making security awareness material easy and compelling to read is the most important success factor. Users must be able to understand, in easy terms, complex security concepts in a way that makes compliance more accessible.
Choice A would also be important but it needs to be presented in an adequate format.
Detailed security policies might not necessarily be included in the training materials.
Senior management endorsement is important for the security program as a whole and not necessarily for the awareness training material.
++++++++++
Q12
The PRIMARY concern of an information security manager documenting a formal data retention policy would be:
A. generally accepted industry best practices.
B. business requirements.
C. legislative and regulatory requirements.
D. storage availability.
B is correct
The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement.
Best practices may be a useful guide but not a primary concern.
Legislative and regulatory requirements are only relevant if compliance is a business need.
Storage is irrelevant since whatever is needed must be provided.
++++++++++
Q13
Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:
A. baseline.
B. strategy.
C. procedure.
D. policy.
D is correct
A policy is a high-level statement of an organization's beliefs, goals, roles and objectives.
Baselines assume a minimum security level throughout an organization.
The information security strategy aligns the information security program with business objectives rather than making control statements.
A procedure is a step-by-step process of how policy and standards will be implemented.
++++++++++
Q14
The BEST way to determine if an anomaly-based intrusion detection system (IDS) is properly installed is to:
A. simulate an attack and review IDS performance.
B. use a honeypot to check for unusual activity.
C. audit the configuration of the IDS.
D. benchmark the IDS against a peer site.
A is correct
Simulating an attack on the network demonstrates whether the intrusion detection system (IDS) is properly tuned.
Reviewing the configuration may or may not reveal weaknesses since an anomaly-based system uses trends to identify potential attacks.
A honeypot is not a good first step since it would need to have already been penetrated.
Benchmarking against a peer site would generally not be practical or useful.
++++++++++
Q15
Which of the following is MOST useful in managing increasingly complex security deployments?
A. A standards-based approach
B. A security architecture
C. Policy development
D. Senior management support
B is correct
Deploying complex security initiatives and integrating a range of diverse projects and activities would be more easily managed with the overview and relationships provided by a security architecture.
Standards may provide metrics for deployment and policies would guide direction, but standards and policies would not provide significant management tools.
++++++++++
Q16
Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data?
A. Disclosure of personal information
B. Sufficient coverage of the insurance policy for accidental losses
C. Intrinsic value of the data stored on the equipment
D. Replacement cost of the equipment
C is correct
When mobile equipment is lost or stolen, the information contained on the equipment matters most in determining the impact of the loss. The more sensitive the information, the greater the liability. If staff carry mobile equipment for business purposes, an organization must develop a clear policy as to what information should be kept on the equipment and for what purpose.
Personal information is not defined in the question as the data that were lost.
Insurance may be a relatively smaller issue as compared with information theft or opportunity loss, although insurance is also an important factor for a successful business.
Cost of equipment would be a less important issue as compared with other choices.
++++++++++
Q17
Risk assessment is MOST effective when performed:
A. at the beginning of security program development.
B. on a continuous basis.
C. while developing the business case for the security program.
D. during the business change process.
B is correct
Risk assessment needs to be performed on a continuous basis because of organizational and technical changes.
Risk assessment must take into account all significant changes in order to be effective.
++++++++++
Q18
Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?
A. Number of controls implemented
B. Percent of control objectives accomplished
C. Percent of compliance with the security policy
D. Reduction in the number of reported security incidents
B is correct
Control objectives are directly related to business objectives; therefore, they would be the best metrics.
Number of controls implemented does not have a direct relationship with the results of a security program.
Percentage of compliance with the security policy and reduction in the number of security incidents are not as broad as choice B.
++++++++++
Q19
A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the information security program?
A. Representation by regional business leaders
B. Composition of the board
C. Cultures of the different countries
D. IT security skills
C is correct
Culture has a significant impact on how information security will be implemented.
Representation by regional business leaders may not have a major influence unless it concerns cultural issues.
Composition of the board may not have a significant impact compared to cultural issues.
IT security skills are not as key or high impact in designing a multinational information security program as would be cultural issues.
++++++++++
Q20
Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network?
A. Configuration of firewalls
B. Strength of encryption algorithms
C. Authentication within application
D. Safeguards over keys
D is correct
If keys are in the wrong hands, documents will be able to be read regardless of where they are on the network.
Choice A is incorrect because firewalls can be perfectly configured, but if the keys make it to the other side, they will not prevent the document from being decrypted.
Choice B is incorrect because even weak encryption algorithms require adequate resources to break, whereas a compromised encryption key can be used immediately.
Choice C is incorrect because the application “front door” controls may be bypassed by accessing data directly.
++++++++++
Q21
A successful risk management program should lead to:
A. optimization of risk reduction efforts against cost.
B. containment of losses to an annual budgeted amount.
C. identification and removal of all man-made threats.
D. elimination or transference of all organizational risks.
A is correct
Successful risk management should lead to a breakeven point of risk reduction and cost.
The other options listed are not achievable. Threats cannot be totally removed or transferred, while losses cannot be budgeted in advance with absolute certainty.
++++++++++
Q22
The PRIMARY driver to obtain external resources to execute the information security program is that external resources can:
A. contribute cost-effective expertise not available internally.
B. be made responsible for meeting the security program requirements.
C. replace the dependence on internal resources.
D. deliver more effectively on account of their knowledge.
A is correct
Choice A represents the primary driver for the information security manager to make use of external resources.
The information security manager will continue to be responsible for meeting the security program requirements despite using the services of external resources.
The external resources should never completely replace the role of internal resources from a strategic perspective.
The external resources cannot have a better knowledge of the business of the information security manager's organization than do the internal resources.
++++++++++
Q23
A security risk assessment exercise should be repeated at regular intervals because:
A. business threats are constantly changing.
B. omissions in earlier assessments can be addressed.
C. repetitive assessments allow various methodologies.
D. they help raise awareness on security in the business.
A is correct
As business objectives and methods change, the nature and relevance of threats change as well.
Choice B does not, by itself, justify regular reassessment.
Choice C is not necessarily true in all cases.
Choice D is incorrect because there are better ways of raising security awareness than by performing a risk assessment.
++++++++++
Q24
Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?
A. Knowledge of information technology platforms, networks and development methodologies
B. Ability to understand and map organizational needs to security technologies
C. Knowledge of the regulatory environment and project management techniques
D. Ability to manage a diverse group of individuals and resources across an organization
B is correct
Information security will be properly aligned with the goals of the business only with the ability to understand and map organizational needs to enable security technologies.
All of the other choices are important but secondary to meeting business security needs.
++++++++++
Q25
An e-commerce order fulfillment web server should generally be placed on which of the following?
A. Internal network
B. Demilitarized zone (DMZ)
C. Database server
D. Domain controller
B is correct
An e-commerce order fulfillment web server should be placed within a DMZ to protect it and the internal network from external attack.
Placing it on the internal network would expose the internal network to potential attack from the Internet.
Since a database server should reside on the internal network, the same exposure would exist.
Domain controllers would not normally share the same physical device as a web server.
++++++++++
Q26
An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:
A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.
B. establish baseline standards for all locations and add supplemental standards as required.
C. bring all locations into conformity with a generally accepted set of industry best practices.
D. establish a baseline standard incorporating those requirements that all jurisdictions have in common.
B is correct
It is more efficient to establish a baseline standard and then develop additional standards for locations that must meet specific requirements.
Seeking a lowest common denominator or just using industry best practices may cause certain locations to fail regulatory compliance.
The opposite approach—forcing all locations to be in compliance with the regulations—places an undue burden on those locations.
++++++++++
Q27
Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs?
A. Penetration attempts investigated
B. Violation log reports produced
C. Violation log entries
D. Frequency of corrective actions taken
A is correct
The most useful metric is one that measures the degree to which complete follow-through has taken place.
The quantity of reports, entries on reports and the frequency of corrective actions are not indicative of whether or not investigative action was taken.
++++++++++
Q28
What is the MOST cost-effective means of improving security awareness of staff personnel?
A. Employee monetary incentives
B. User education and training
C. A zero-tolerance security policy
D. Reporting of security infractions
B is correct
User education and training is the most cost-effective means of influencing staff to improve security since personnel are the weakest link in security.
Incentives perform poorly without user education and training.
A zero-tolerance security policy would not be as good as education and training.
Users would not have the knowledge to accurately interpret and report violations without user education and training.
++++++++++
Q29
To reduce the possibility of service interruptions, an entity enters into contracts with multiple Internet service providers (ISPs). Which of the following would be the MOST important item to include?
A. Service level agreements (SLAs)
B. Right-to-audit clause
C. Intrusion detection system (IDS) services
D. Spam filtering services
A is correct
Service level agreements (SLAs) will be most effective in ensuring that Internet service providers (ISPs) comply with expectations for service availability.
Intrusion detection system (IDS) and spam filtering services would not mitigate the potential for service interruptions as directly.
A right-to-audit clause would not be effective in mitigating the likelihood of a service interruption.
++++++++++
Q30
Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?
A. Performing a business impact analysis (BIA)
B. Considering personal information devices as part of the security policy
C. Initiating IT security training and familiarization
D. Basing the information security infrastructure on risk assessment
D is correct
The information security infrastructure should be based on risk.
While considering personal information devices as part of the security policy may be a consideration, it is not the most important requirement.
A BIA is typically carried out to prioritize business processes as part of a business continuity plan.
Initiating IT security training may not be important for the purpose of the information security infrastructure.
**********
# Q# Task Stmt. Domain
01 445 4.2 Info. Security Program Mgmt.
02 559 5.1 Incident Mgmt./Response
03 576 5.1 Incident Mgmt./Response
04 007 1.1 Info. Security Governance
05 365 3.8 Info. Security Program Dev.
06 173 2.2 Information Risk Mgmt.
07 208 2.3 Information Risk Mgmt.
08 284 3.2 Info. Security Program Dev.
09 457 4.3 Info. Security Program Mgmt.
10 484 4.5 Info. Security Program Mgmt.
11 511 4.7 Info. Security Program Mgmt.
12 337 3.6 Info. Security Program Dev.
13 121 1.7 Info. Security Governance
14 525 4.8 Info. Security Program Mgmt.
15 330 3.5 Info. Security Program Dev.
16 207 2.3 Information Risk Mgmt.
17 190 2.2 Information Risk Mgmt.
18 143 2.1 Information Risk Mgmt.
19 092 1.5 Info. Security Governance
20 309 3.5 Info. Security Program Dev.
21 172 2.2 Information Risk Mgmt.
22 290 3.4 Info. Security Program Dev.
23 211 2.4 Information Risk Mgmt.
24 008 1.1 Info. Security Governance
25 302 3.5 Info. Security Program Dev.
26 086 1.5 Info. Security Governance
27 524 4.8 Info. Security Program Mgmt.
28 516 4.7 Info. Security Program Mgmt.
29 454 4.3 Info. Security Program Mgmt.
30 247 2.5 Information Risk Mgmt.
B. A security architecture
C. Policy development
D. Senior management support
B is correct
Deploying complex security initiatives and integrating a range of diverse projects and activities would be more easily managed with the overview and relationships provided by a security architecture.
Standards may provide metrics for deployment and policies would guide direction, but standards and policies would not provide significant management tools.
++++++++++
Q16
Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data?
A. Disclosure of personal information
B. Sufficient coverage of the insurance policy for accidental losses
C. Intrinsic value of the data stored on the equipment
D. Replacement cost of the equipment
C is correct
When mobile equipment is lost or stolen, the information contained on the equipment matters most in determining the impact of the loss. The more sensitive the information, the greater the liability. If staff carry mobile equipment for business purposes, an organization must develop a clear policy as to what information should be kept on the equipment and for what purpose.
Personal information is not defined in the question as the data that were lost.
Insurance may be a relatively smaller issue as compared with information theft or opportunity loss, although insurance is also an important factor for a successful business.
Cost of equipment would be a less important issue as compared with other choices.
++++++++++
Q17
Risk assessment is MOST effective when performed:
A. at the beginning of security program development.
B. on a continuous basis.
C. while developing the business case for the security program.
D. during the business change process.
B is correct
Risk assessment needs to be performed on a continuous basis because of organizational and technical changes.
Risk assessment must take into account all significant changes in order to be effective.
++++++++++
Q18
Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?
A. Number of controls implemented
B. Percent of control objectives accomplished
C. Percent of compliance with the security policy
D. Reduction in the number of reported security incidents
B is correct
Control objectives are directly related to business objectives; therefore, they would be the best metrics.
Number of controls implemented does not have a direct relationship with the results of a security program.
Percentage of compliance with the security policy and reduction in the number of security incidents are not as broad as choice B.
++++++++++
Q19
A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the information security program?
A. Representation by regional business leaders
B. Composition of the board
C. Cultures of the different countries
D. IT security skills
C is correct
Culture has a significant impact on how information security will be implemented.
Representation by regional business leaders may not have a major influence unless it concerns cultural issues.
Composition of the board may not have a significant impact compared to cultural issues.
IT security skills are not as key or high impact in designing a multinational information security program as would be cultural issues.
++++++++++
Q20
Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network?
A. Configuration of firewalls
B. Strength of encryption algorithms
C. Authentication within application
D. Safeguards over keys
D is correct
If keys are in the wrong hands, documents can be read regardless of where they are on the network.
Choice A is incorrect because firewalls can be perfectly configured, but if the keys make it to the other side, they will not prevent the document from being decrypted.
Choice B is incorrect because even easy encryption algorithms require adequate resources to break, whereas encryption keys can be easily used.
Choice C is incorrect because the application “front door” controls may be bypassed by accessing data directly.
++++++++++
Q21
A successful risk management program should lead to:
A. optimization of risk reduction efforts against cost.
B. containment of losses to an annual budgeted amount.
C. identification and removal of all man-made threats.
D. elimination or transference of all organizational risks.
A is correct
Successful risk management should lead to a breakeven point of risk reduction and cost.
The other options listed are not achievable. Threats cannot be totally removed or transferred, while losses cannot be budgeted in advance with absolute certainty.
++++++++++
Q22
The PRIMARY driver to obtain external resources to execute the information security program is that external resources can:
A. contribute cost-effective expertise not available internally.
B. be made responsible for meeting the security program requirements.
C. replace the dependence on internal resources.
D. deliver more effectively on account of their knowledge.
A is correct
Choice A represents the primary driver for the information security manager to make use of external resources.
The information security manager will continue to be responsible for meeting the security program requirements despite using the services of external resources.
The external resources should never completely replace the role of internal resources from a strategic perspective.
The external resources cannot have a better knowledge of the business of the information security manager's organization than do the internal resources.
++++++++++
Q23
A security risk assessment exercise should be repeated at regular intervals because:
A. business threats are constantly changing.
B. omissions in earlier assessments can be addressed.
C. repetitive assessments allow various methodologies.
D. they help raise awareness on security in the business.
A is correct
As business objectives and methods change, the nature and relevance of threats change as well.
Choice B does not, by itself, justify regular reassessment.
Choice C is not necessarily true in all cases.
Choice D is incorrect because there are better ways of raising security awareness than by performing a risk assessment.
++++++++++
Q24
Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?
A. Knowledge of information technology platforms, networks and development methodologies
B. Ability to understand and map organizational needs to security technologies
C. Knowledge of the regulatory environment and project management techniques
D. Ability to manage a diverse group of individuals and resources across an organization
B is correct
Information security will be properly aligned with the goals of the business only with the ability to understand and map organizational needs to enable security technologies.
All of the other choices are important but secondary to meeting business security needs.
++++++++++
Q25
An e-commerce order fulfillment web server should generally be placed on which of the following?
A. Internal network
B. Demilitarized zone (DMZ)
C. Database server
D. Domain controller
B is correct
An e-commerce order fulfillment web server should be placed within a DMZ to protect it and the internal network from external attack.
Placing it on the internal network would expose the internal network to potential attack from the Internet.
Since a database server should reside on the internal network, the same exposure would exist.
Domain controllers would not normally share the same physical device as a web server.
++++++++++
Q26
An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:
A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.
B. establish baseline standards for all locations and add supplemental standards as required.
C. bring all locations into conformity with a generally accepted set of industry best practices.
D. establish a baseline standard incorporating those requirements that all jurisdictions have in common.
B is correct
It is more efficient to establish a baseline standard and then develop additional standards for locations that must meet specific requirements.
Seeking a lowest common denominator or just using industry best practices may cause certain locations to fail regulatory compliance.
The opposite approach—forcing all locations to be in compliance with the regulations—places an undue burden on those locations.
++++++++++
Q27
Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs?
A. Penetration attempts investigated
B. Violation log reports produced
C. Violation log entries
D. Frequency of corrective actions taken
A is correct
The most useful metric is one that measures the degree to which complete follow-through has taken place.
The quantity of reports, entries on reports and the frequency of corrective actions are not indicative of whether or not investigative action was taken.
++++++++++
Q28
What is the MOST cost-effective means of improving security awareness of staff personnel?
A. Employee monetary incentives
B. User education and training
C. A zero-tolerance security policy
D. Reporting of security infractions
B is correct
User education and training is the most cost-effective means of influencing staff to improve security since personnel are the weakest link in security.
Incentives perform poorly without user education and training.
A zero-tolerance security policy would not be as good as education and training.
Users would not have the knowledge to accurately interpret and report violations without user education and training.
++++++++++
Q29
To reduce the possibility of service interruptions, an entity enters into contracts with multiple Internet service providers (ISPs). Which of the following would be the MOST important item to include?
A. Service level agreements (SLAs)
B. Right-to-audit clause
C. Intrusion detection system (IDS) services
D. Spam filtering services
A is correct
Service level agreements (SLAs) will be most effective in ensuring that Internet service providers (ISPs) comply with expectations for service availability.
Intrusion detection system (IDS) and spam filtering services would not mitigate the potential for service interruptions as directly.
A right-to-audit clause would not be effective in mitigating the likelihood of a service interruption.
++++++++++
Q30
Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?
A. Performing a business impact analysis (BIA)
B. Considering personal information devices as part of the security policy
C. Initiating IT security training and familiarization
D. Basing the information security infrastructure on risk assessment
D is correct
The information security infrastructure should be based on risk.
While considering personal information devices as part of the security policy may be a consideration, it is not the most important requirement.
A BIA is typically carried out to prioritize business processes as part of a business continuity plan.
Initiating IT security training may not be important for the purpose of the information security infrastructure.
**********
#   Q#   Task Stmt.  Domain
01  445  4.2         Info. Security Program Mgmt.
02  559  5.1         Incident Mgmt./Response
03  576  5.1         Incident Mgmt./Response
04  007  1.1         Info. Security Governance
05  365  3.8         Info. Security Program Dev.
06  173  2.2         Information Risk Mgmt.
07  208  2.3         Information Risk Mgmt.
08  284  3.2         Info. Security Program Dev.
09  457  4.3         Info. Security Program Mgmt.
10  484  4.5         Info. Security Program Mgmt.
11  511  4.7         Info. Security Program Mgmt.
12  337  3.6         Info. Security Program Dev.
13  121  1.7         Info. Security Governance
14  525  4.8         Info. Security Program Mgmt.
15  330  3.5         Info. Security Program Dev.
16  207  2.3         Information Risk Mgmt.
17  190  2.2         Information Risk Mgmt.
18  143  2.1         Information Risk Mgmt.
19  092  1.5         Info. Security Governance
20  309  3.5         Info. Security Program Dev.
21  172  2.2         Information Risk Mgmt.
22  290  3.4         Info. Security Program Dev.
23  211  2.4         Information Risk Mgmt.
24  008  1.1         Info. Security Governance
25  302  3.5         Info. Security Program Dev.
26  086  1.5         Info. Security Governance
27  524  4.8         Info. Security Program Mgmt.
28  516  4.7         Info. Security Program Mgmt.
29  454  4.3         Info. Security Program Mgmt.
30  247  2.5         Information Risk Mgmt.