CISM Practice Question 2010 Session 9
++++++++++
Q01
Which of the following is the MOST important information to include in an information security standard?
A. Creation date
B. Author name
C. Initial draft approval date
D. Last review date
The correct answer is D.
The last review date confirms the currency of the standard, affirming that management has reviewed the standard to assure that nothing in the environment has changed that would necessitate an update to the standard.
The name of the author, as well as the creation and draft dates, are not that important.
++++++++++
Q02
Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken?
A. Information security officer
B. Security steering committee
C. Data owner
D. Data custodian
The correct answer is B.
Routine administration of all aspects of security is delegated, but senior management must retain overall responsibility.
The information security officer supports and implements information security for senior management.
The data owner is responsible for categorizing data security requirements.
The data custodian supports and implements information security as directed.
++++++++++
Q03
Which of the following would BEST ensure the success of information security governance within an organization?
A. Steering committees approve security projects
B. Security policy training provided to all managers
C. Security training and awareness available to all employees on the company intranet
D. Steering committees enforce compliance with laws and regulations
The correct answer is A.
The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program.
Compliance with laws and regulations is part of the responsibility of the steering committee but it is not a full answer.
Awareness training is important at all levels in any medium, and also an indicator of good governance. However, it must be guided and approved as a security project by the steering committee.
++++++++++
Q04
Which of the following is MOST likely to be discretionary?
A. Policies
B. Procedures
C. Guidelines
D. Standards
The correct answer is C.
Guidelines provide recommendations that business management must consider in developing practices within their areas of control; as such, they are discretionary.
Policies define security goals and expectations for an organization.
These are defined in more specific terms within standards and procedures. Standards establish what is to be done while procedures describe how it is to be done.
++++++++++
Q05
To determine the selection of controls required to meet business objectives, an information security manager should:
A. prioritize the use of role-based access controls.
B. focus on key controls.
C. restrict controls to only critical applications.
D. focus on automated controls.
The correct answer is B.
Key controls primarily reduce risk and are most effective for the protection of information assets.
The other choices could be examples of possible key controls.
++++++++++
Q06
Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?
A. User assessments of changes
B. Comparison of the program results with industry standards
C. Assignment of risk within the organization
D. Participation by all members of the organization
The correct answer is D.
Effective risk management requires participation, support and acceptance by all applicable members of the organization, beginning with the executive levels. Personnel must understand their responsibilities and be trained on how to fulfill their roles.
++++++++++
Q07
A major trading partner with access to the internal network is unwilling or unable to remediate serious information security exposures within its environment. Which of the following is the BEST recommendation?
A. Sign a legal agreement assigning them all liability for any breach
B. Remove all trading partner access until the situation improves
C. Set up firewall rules restricting network traffic from that location
D. Send periodic reminders advising them of their noncompliance
The correct answer is C.
It is incumbent on an information security manager to see to the protection of their organization's network, but to do so in a manner that does not adversely affect the conduct of business. This can be accomplished by adding specific traffic restrictions for that particular location.
Removing all access will likely result in lost business.
Agreements and reminders do not protect the integrity of the network.
++++++++++
Q08
Secure customer use of an e-commerce application can BEST be accomplished through:
A. data encryption.
B. digital signatures.
C. strong passwords.
D. two-factor authentication.
The correct answer is A.
Encryption would be the preferred method of ensuring confidentiality in customer communications with an e-commerce application.
Digital signatures would not provide a secure means of communication. In most business-to-customer (B-to-C) web applications, a digital signature is also not a practical solution.
Strong passwords, by themselves, would not be sufficient since the data could still be intercepted.
Two-factor authentication would be impractical.
++++++++++
Q09
The BEST way to justify the implementation of a single sign-on (SSO) product is to use:
A. return on investment (ROI).
B. a vulnerability assessment.
C. annual loss expectancy (ALE).
D. a business case.
The correct answer is D.
A business case shows both direct and indirect benefits, along with the investment required and the expected returns, thus making it useful to present to senior management.
Return on investment (ROI) would only provide the costs needed to preclude specific risks, and would not provide other indirect benefits such as process improvement and learning.
A vulnerability assessment is more technical in nature and would only identify and assess the vulnerabilities. This would also not provide insights on indirect benefits.
Annual loss expectancy (ALE) would not weigh the advantages of implementing single sign-on (SSO) in comparison to the cost of implementation.
++++++++++
Q10
An information security manager has been asked to develop a change control process. What is the FIRST thing the information security manager should do?
A. Research best practices
B. Meet with stakeholders
C. Establish change control procedures
D. Identify critical systems
The correct answer is B.
No new process will be successful unless it is adhered to by all stakeholders; to the extent stakeholders have input, they can be expected to follow the process.
Without consensus agreement from the stakeholders, the scope of the research is too wide; input on the current environment is necessary to focus research effectively.
It is premature to implement procedures without stakeholder consensus and research.
Without knowing what the process will be, the parameters to baseline are unknown as well.
++++++++++
Q11
The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:
A. periodically testing the incident response plans.
B. regularly testing the intrusion detection system (IDS).
C. establishing mandatory training of all personnel.
D. periodically reviewing incident response procedures.
The correct answer is A.
Security incident response plans should be tested to find any deficiencies and improve existing processes.
Testing the intrusion detection system (IDS) is a good practice but would not have prevented this situation.
All personnel need to go through formal training to ensure that they understand the process, tools and methodology involved in handling security incidents. However, testing of the actual plans is more effective in ensuring the process works as intended.
Reviewing the response procedures is not enough; the security response plan needs to be tested on a regular basis.
++++++++++
Q12
An organization keeps backup tapes of its servers at a warm site. To ensure that the tapes are properly maintained and usable during a system crash, the MOST appropriate measure the organization should perform is to:
A. use the test equipment in the warm site facility to read the tapes.
B. retrieve the tapes from the warm site and test them.
C. have duplicate equipment available at the warm site.
D. inspect the facility and inventory the tapes on a quarterly basis.
The correct answer is B.
A warm site is not fully equipped with the company's main systems; therefore, the tapes should be tested using the company's production systems.
Inspecting the facility and checking the tape inventory does not guarantee that the tapes are usable.
++++++++++
Q13
An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:
A. ensure that security processes are consistent across the organization.
B. enforce baseline security levels across the organization.
C. ensure that security processes are fully documented.
D. implement monitoring of key performance indicators for security processes.
The correct answer is A.
The organization first needs to move from ad hoc to repeatable processes. The organization then needs to document the processes and implement process monitoring and measurement.
Baselining security levels will not necessarily assist in process improvement since baselining focuses primarily on control improvement.
The organization needs to standardize processes both before documentation, and before monitoring and measurement.
++++++++++
Q14
A company's mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?
A. A penetration test
B. A security baseline review
C. A risk assessment
D. A business impact analysis (BIA)
The correct answer is C.
A risk assessment will identify the business impact of such a vulnerability being exploited and is, thus, the correct process.
A penetration test or a security baseline review may identify the vulnerability but not the remedy.
A business impact analysis (BIA) will more likely identify the impact of the loss of the mail server.
++++++++++
Q15
Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism?
A. Number of attacks detected
B. Number of successful attacks
C. Ratio of false positives to false negatives
D. Ratio of successful to unsuccessful attacks
The correct answer is C.
The ratio of false positives to false negatives will indicate whether an intrusion detection system (IDS) is properly tuned to minimize the number of false alarms while, at the same time, minimizing the number of omissions.
The number of attacks detected, successful attacks or the ratio of successful to unsuccessful attacks would not indicate whether the IDS is properly configured.
++++++++++
Q16
Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:
A. organizational risk.
B. organizationwide metrics.
C. security needs.
D. the responsibilities of organizational units.
The correct answer is A.
Information security exists to help the organization meet its objectives. The information security manager should identify information security needs based on organizational needs.
Organizational or business risk should always take precedence.
Involving each organizational unit in information security and establishing metrics to measure success will be viewed favorably by senior management after the overall organizational risk is identified.
++++++++++
Q17
Reviewing which of the following would BEST ensure that security controls are effective?
A. Risk assessment policies
B. Return on security investment
C. Security metrics
D. User access rights
The correct answer is C.
Reviewing security metrics provides senior management a snapshot view and trends of an organization's security posture.
Choice A is incorrect because reviewing risk assessment policies would not ensure that the controls are actually working.
Choice B is incorrect because reviewing returns on security investments provides business justifications in implementing controls, but does not measure effectiveness of the control itself.
Choice D is incorrect because reviewing user access rights is a joint responsibility of the data custodian and the data owner, and does not measure control effectiveness.
++++++++++
Q18
An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:
A. corporate data privacy policy.
B. data privacy policy where data are collected.
C. data privacy policy of the headquarters' country.
D. data privacy directive applicable globally.
The correct answer is B.
As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance.
The policy, being internal, cannot supersede the local law.
Additionally, with local regulations differing from the country in which the organization is headquartered, it is improbable that a groupwide policy will address all the local legal requirements.
In case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. The data privacy laws are country-specific.
++++++++++
Q19
Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?
A. Regular review of access control lists
B. Security guard escort of visitors
C. Visitor registry log at the door
D. A biometric coupled with a PIN
The correct answer is A.
A review of access control lists is a detective control that will enable an information security manager to ensure that authorized persons are entering in compliance with corporate policy.
Visitors accompanied by a guard will also provide assurance but may not be cost effective.
A visitor registry is the next cost-effective control.
A biometric coupled with a PIN will strengthen the access control; however, compliance assurance logs will still have to be reviewed.
++++++++++
Q20
Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?
A. To mitigate technical risks
B. To have an independent certification of network security
C. To receive an independent view of security exposures
D. To identify a complete list of vulnerabilities
The correct answer is C.
Even though the organization may have the capability to perform penetration testing with internal resources, third-party penetration testing should be performed to gain an independent view of the security exposure.
Mitigating technical risks is not a direct result of a penetration test.
A penetration test would not provide certification of network security nor provide a complete list of vulnerabilities.
++++++++++
Q21
Which of the following is an advantage of a centralized information security organizational structure?
A. It is easier to promote security awareness.
B. It is easier to manage and control.
C. It is more responsive to business unit needs.
D. It provides a faster turnaround for security requests.
The correct answer is B.
It is easier to manage and control a centralized structure.
Promoting security awareness is an advantage of decentralization. Decentralization allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message.
Decentralized operations allow security administrators to be more responsive.
Being close to the business allows decentralized security administrators to achieve a faster turnaround than that achieved in a centralized operation.
++++++++++
Q22
An organization has verified that its customer information was recently exposed. Which of the following is the FIRST step a security manager should take in this situation?
A. Inform senior management.
B. Determine the extent of the compromise.
C. Report the incident to the authorities.
D. Communicate with the affected customers.
The correct answer is B.
Before reporting to senior management, affected customers or the authorities, the extent of the exposure needs to be assessed.
++++++++++
Q23
Which of the following would be the MOST important goal of an information security governance program?
A. Review of internal control mechanisms
B. Effective involvement in business decision making
C. Total elimination of risk factors
D. Ensuring trust in data
The correct answer is D.
The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance.
Review of internal control mechanisms relates more to auditing.
The total elimination of risk factors is not practical or possible.
Proactive involvement in business decision making implies that security needs dictate business needs when, in fact, just the opposite is true. Involvement in decision making is important only to ensure business data integrity so that data can be trusted.
++++++++++
Q24
The PRIMARY driver to obtain external resources to execute the information security program is that external resources can:
A. contribute cost-effective expertise not available internally.
B. be made responsible for meeting the security program requirements.
C. replace the dependence on internal resources.
D. deliver more effectively on account of their knowledge.
The correct answer is A.
Choice A represents the primary driver for the information security manager to make use of external resources.
The information security manager will continue to be responsible for meeting the security program requirements despite using the services of external resources.
The external resources should never completely replace the role of internal resources from a strategic perspective.
The external resources cannot have a better knowledge of the business of the information security manager's organization than do the internal resources.
++++++++++
Q25
In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software?
A. Applying patches
B. Changing access rules
C. Upgrading hardware
D. Backing up files
The correct answer is B.
The greatest risk occurs when access rules are changed since they are susceptible to being opened up too much, which can result in the creation of a security exposure.
Security software will generally have a well-controlled process for applying patches, backing up files and upgrading hardware.
++++++++++
Q26
Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:
A. baseline.
B. strategy.
C. procedure.
D. policy.
The correct answer is D.
A policy is a high-level statement of an organization's beliefs, goals, roles and objectives.
Baselines assume a minimum security level throughout an organization.
The information security strategy aligns the information security program with business objectives rather than making control statements.
A procedure is a step-by-step process of how policy and standards will be implemented.
++++++++++
Q27
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
A. storage capacity and shelf life.
B. regulatory and legal requirements.
C. business strategy and direction.
D. application systems and media.
The correct answer is D.
Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover.
Business strategy and direction do not generally apply, nor do legal and regulatory requirements.
Storage capacity and shelf life are important but secondary issues.
++++++++++
Q28
Which of the following is the BEST reason to perform a business impact analysis (BIA)?
A. To help determine the current state of risk
B. To budget appropriately for needed controls
C. To satisfy regulatory requirements
D. To analyze the effect on the business
The correct answer is A.
The BIA is included as part of the process to determine the current state of risk and helps determine the acceptable levels of response from impacts and the current level of response, leading to a gap analysis.
Budgeting appropriately may come as a result, but is not the reason to perform the analysis.
Performing an analysis may satisfy regulatory requirements, but is not the reason to perform one.
Analyzing the effect on the business is part of the process, but one must also determine the needs or acceptable effect or response.
++++++++++
Q29
The PRIMARY concern of an information security manager documenting a formal data retention policy would be:
A. generally accepted industry best practices.
B. business requirements.
C. legislative and regulatory requirements.
D. storage availability.
The correct answer is B.
The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement.
Best practices may be a useful guide but not a primary concern.
Legislative and regulatory requirements are only relevant if compliance is a business need.
Storage is irrelevant since whatever is needed must be provided.
++++++++++
Q30
The implementation of continuous monitoring controls is the BEST option where:
A. incidents may have a high impact and frequency.
B. legislation requires strong information security controls.
C. incidents may have a high impact but low frequency.
D. electronic commerce is a primary business driver.
The correct answer is A.
Continuous monitoring control initiatives are expensive, so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Regulations and legislation that require tight IT security measures focus on requiring organizations to establish an IT security governance structure that manages IT security with a risk-based approach, so each organization decides which kinds of controls are implemented. Continuous monitoring is not necessarily a requirement.
Measures such as contingency planning are commonly used when incidents rarely happen but have a high impact each time they happen. Continuous monitoring is unlikely to be necessary.
Continuous control monitoring initiatives are not needed in all electronic commerce environments. There are some electronic commerce environments where the impact of incidents is not high enough to support the implementation of this kind of initiative.
**********
# Q# Task Stmt.
01 436 4.2 Info. Security Program Mgmt.
02 102 1.6 Info. Security Governance
03 095 1.6 Info. Security Governance
04 005 1.1 Info. Security Governance
05 240 2.5 Information Risk Mgmt.
06 193 2.2 Information Risk Mgmt.
07 430 4.2 Info. Security Program Mgmt.
08 365 3.8 Info. Security Program Dev.
09 061 1.3 Info. Security Governance
10 496 4.6 Info. Security Program Mgmt.
11 212 2.4 Information Risk Mgmt.
12 584 5.3 Incident Mgmt./Response
13 437 4.2 Info. Security Program Mgmt.
14 234 2.5 Information Risk Mgmt.
15 388 3.11 Info. Security Program Dev.
16 098 1.6 Info. Security Governance
17 118 1.7 Info. Security Governance
18 087 1.5 Info. Security Governance
19 317 3.5 Info. Security Program Dev.
20 457 4.3 Info. Security Program Mgmt.
21 129 1.7 Info. Security Governance
22 580 5.2 Incident Mgmt./Response
23 036 1.2 Info. Security Governance
24 290 3.4 Info. Security Program Dev.
25 471 4.5 Info. Security Program Mgmt.
26 121 1.7 Info. Security Governance
27 080 1.5 Info. Security Governance
28 035 1.1 Info. Security Governance
29 337 3.6 Info. Security Program Dev.
30 489 4.5 Info. Security Program Mgmt.
A. A penetration test
B. A security baseline review
C. A risk assessment
D. A business impact analysis (BIA)
The correct answer is C.
A risk assessment will identify the business impact of such a vulnerability being exploited and is, thus, the correct process.
A penetration test or a security baseline review may identify the vulnerability but not the remedy.
A business impact analysis (BIA) will more likely identify the impact of the loss of the mail server.
++++++++++
Q15
Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism?
A. Number of attacks detected
B. Number of successful attacks
C. Ratio of false positives to false negatives
D. Ratio of successful to unsuccessful attacks
The correct answer is C.
The ratio of false positives to false negatives will indicate whether an intrusion detection system (IDS) is properly tuned to minimize the number of false alarms while, at the same time, minimizing the number of omissions.
The number of attacks detected, successful attacks or the ratio of successful to unsuccessful attacks would not indicate whether the IDS is properly configured.
++++++++++
Q16
Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:
A. organizational risk.
B. organization-wide metrics.
C. security needs.
D. the responsibilities of organizational units.
The correct answer is A.
Information security exists to help the organization meet its objectives. The information security manager should identify information security needs based on organizational needs.
Organizational or business risk should always take precedence.
Involving each organizational unit in information security and establishing metrics to measure success will be viewed favorably by senior management after the overall organizational risk is identified.
++++++++++
Q17
Reviewing which of the following would BEST ensure that security controls are effective?
A. Risk assessment policies
B. Return on security investment
C. Security metrics
D. User access rights
The correct answer is C.
Reviewing security metrics provides senior management a snapshot view and trends of an organization's security posture.
Choice A is incorrect because reviewing risk assessment policies would not ensure that the controls are actually working.
Choice B is incorrect because reviewing returns on security investments provides business justifications in implementing controls, but does not measure effectiveness of the control itself.
Choice D is incorrect because reviewing user access rights is a joint responsibility of the data custodian and the data owner, and does not measure control effectiveness.
++++++++++
Q18
An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:
A. corporate data privacy policy.
B. data privacy policy where data are collected.
C. data privacy policy of the headquarters' country.
D. data privacy directive applicable globally.
The correct answer is B.
As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance.
The policy, being internal, cannot supersede the local law.
Additionally, with local regulations differing from those of the country in which the organization is headquartered, it is improbable that a group-wide policy will address all the local legal requirements.
In case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. The data privacy laws are country-specific.
++++++++++
Q19
Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?
A. Regular review of access control lists
B. Security guard escort of visitors
C. Visitor registry log at the door
D. A biometric coupled with a PIN
The correct answer is A.
A review of access control lists is a detective control that will enable an information security manager to ensure that authorized persons are entering in compliance with corporate policy.
Visitors accompanied by a guard will also provide assurance but may not be cost effective.
A visitor registry is the next cost-effective control.
A biometric coupled with a PIN will strengthen the access control; however, compliance assurance logs will still have to be reviewed.
++++++++++
Q20
Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?
A. To mitigate technical risks
B. To have an independent certification of network security
C. To receive an independent view of security exposures
D. To identify a complete list of vulnerabilities
The correct answer is C.
Even though the organization may have the capability to perform penetration testing with internal resources, third-party penetration testing should be performed to gain an independent view of the security exposure.
Mitigating technical risks is not a direct result of a penetration test.
A penetration test would not provide certification of network security nor provide a complete list of vulnerabilities.
++++++++++
Q21
Which of the following is an advantage of a centralized information security organizational structure?
A. It is easier to promote security awareness.
B. It is easier to manage and control.
C. It is more responsive to business unit needs.
D. It provides a faster turnaround for security requests.
The correct answer is B.
It is easier to manage and control a centralized structure.
Promoting security awareness is an advantage of decentralization. Decentralization allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message.
Decentralized operations allow security administrators to be more responsive.
Being close to the business allows decentralized security administrators to achieve a faster turnaround than that achieved in a centralized operation.
++++++++++
Q22
An organization has verified that its customer information was recently exposed. Which of the following is the FIRST step a security manager should take in this situation?
A. Inform senior management.
B. Determine the extent of the compromise.
C. Report the incident to the authorities.
D. Communicate with the affected customers.
The correct answer is B.
Before reporting to senior management, affected customers or the authorities, the extent of the exposure needs to be assessed.
++++++++++
Q23
Which of the following would be the MOST important goal of an information security governance program?
A. Review of internal control mechanisms
B. Effective involvement in business decision making
C. Total elimination of risk factors
D. Ensuring trust in data
The correct answer is D.
The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance.
Review of internal control mechanisms relates more to auditing.
The total elimination of risk factors is not practical or possible.
Proactive involvement in business decision making implies that security needs dictate business needs when, in fact, just the opposite is true. Involvement in decision making is important only to ensure business data integrity so that data can be trusted.
++++++++++
Q24
The PRIMARY driver to obtain external resources to execute the information security program is that external resources can:
A. contribute cost-effective expertise not available internally.
B. be made responsible for meeting the security program requirements.
C. replace the dependence on internal resources.
D. deliver more effectively on account of their knowledge.
The correct answer is A.
Choice A represents the primary driver for the information security manager to make use of external resources.
The information security manager will continue to be responsible for meeting the security program requirements despite using the services of external resources.
The external resources should never completely replace the role of internal resources from a strategic perspective.
External resources cannot have better knowledge of the information security manager's organization and its business than internal resources do.
++++++++++
Q25
In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software?
A. Applying patches
B. Changing access rules
C. Upgrading hardware
D. Backing up files
The correct answer is B.
The greatest risk occurs when access rules are changed since they are susceptible to being opened up too much, which can result in the creation of a security exposure.
Security software will generally have a well-controlled process for applying patches, backing up files and upgrading hardware.
++++++++++
Q26
Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:
A. baseline.
B. strategy.
C. procedure.
D. policy.
The correct answer is D.
A policy is a high-level statement of an organization's beliefs, goals, roles and objectives.
Baselines assume a minimum security level throughout an organization.
The information security strategy aligns the information security program with business objectives rather than making control statements.
A procedure is a step-by-step process of how policy and standards will be implemented.
++++++++++
Q27
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
A. storage capacity and shelf life.
B. regulatory and legal requirements.
C. business strategy and direction.
D. application systems and media.
The correct answer is D.
Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover.
Business strategy and direction do not generally apply, nor do legal and regulatory requirements.
Storage capacity and shelf life are important but secondary issues.
++++++++++
Q28
Which of the following is the BEST reason to perform a business impact analysis (BIA)?
A. To help determine the current state of risk
B. To budget appropriately for needed controls
C. To satisfy regulatory requirements
D. To analyze the effect on the business
The correct answer is A.
The BIA is included as part of the process to determine the current state of risk and helps determine the acceptable levels of response from impacts and the current level of response, leading to a gap analysis.
Budgeting appropriately may come as a result, but is not the reason to perform the analysis.
Performing an analysis may satisfy regulatory requirements, but is not the reason to perform one.
Analyzing the effect on the business is part of the process, but one must also determine the needs or acceptable effect or response.
++++++++++
Q29
The PRIMARY concern of an information security manager documenting a formal data retention policy would be:
A. generally accepted industry best practices.
B. business requirements.
C. legislative and regulatory requirements.
D. storage availability.
The correct answer is B.
The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement.
Best practices may be a useful guide but not a primary concern.
Legislative and regulatory requirements are only relevant if compliance is a business need.
Storage is irrelevant since whatever is needed must be provided.
++++++++++
Q30
The implementation of continuous monitoring controls is the BEST option where:
A. incidents may have a high impact and frequency.
B. legislation requires strong information security controls.
C. incidents may have a high impact but low frequency.
D. electronic commerce is a primary business driver.
The correct answer is A.
Continuous monitoring control initiatives are expensive, so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Regulations and legislation that require tight IT security measures focus on requiring organizations to establish an IT security governance structure that manages IT security with a risk-based approach, so each organization decides which kinds of controls are implemented. Continuous monitoring is not necessarily a requirement.
Measures such as contingency planning are commonly used when incidents rarely happen but have a high impact each time they happen. Continuous monitoring is unlikely to be necessary.
Continuous control monitoring initiatives are not needed in all electronic commerce environments. There are some electronic commerce environments where the impact of incidents is not high enough to support the implementation of this kind of initiative.
**********
#  Q#  Task Stmt.  Domain
01 436 4.2 Info. Security Program Mgmt.
02 102 1.6 Info. Security Governance
03 095 1.6 Info. Security Governance
04 005 1.1 Info. Security Governance
05 240 2.5 Information Risk Mgmt.
06 193 2.2 Information Risk Mgmt.
07 430 4.2 Info. Security Program Mgmt.
08 365 3.8 Info. Security Program Dev.
09 061 1.3 Info. Security Governance
10 496 4.6 Info. Security Program Mgmt.
11 212 2.4 Information Risk Mgmt.
12 584 5.3 Incident Mgmt./Response
13 437 4.2 Info. Security Program Mgmt.
14 234 2.5 Information Risk Mgmt.
15 388 3.11 Info. Security Program Dev.
16 098 1.6 Info. Security Governance
17 118 1.7 Info. Security Governance
18 087 1.5 Info. Security Governance
19 317 3.5 Info. Security Program Dev.
20 457 4.3 Info. Security Program Mgmt.
21 129 1.7 Info. Security Governance
22 580 5.2 Incident Mgmt./Response
23 036 1.2 Info. Security Governance
24 290 3.4 Info. Security Program Dev.
25 471 4.5 Info. Security Program Mgmt.
26 121 1.7 Info. Security Governance
27 080 1.5 Info. Security Governance
28 035 1.1 Info. Security Governance
29 337 3.6 Info. Security Program Dev.
30 489 4.5 Info. Security Program Mgmt.