CISM Deck I Flashcards

1
Q
Business goals define the strategic direction of the organization. Functional goals define the tactical direction of a business function. Security goals define the security direction of the organization. What is the MOST important relationship between these concepts?
• Functional goals should be derived from security goals
• Security and business goals should be defined independently from each other
• Business goals should be derived from security goals
• Security goals should be derived from business goals
A
Security goals should be derived from business goals

Explanation
Security goals should be developed based on the overall business strategy. The business strategy is the most important steering mechanism for directing the business and is defined by the highest management level.

2
Q
Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers?
• Concurrently with operating system patch updates
• Daily
• During scheduled change control updates
• Weekly
A
Daily

Explanation
New viruses are being introduced almost daily. The effectiveness of virus detection software depends on frequent updates to its virus signatures, which are stored in antivirus signature files, so updates may be carried out several times a day. At a minimum, daily updating should occur.

3
Q
Risk acceptance is a component of which of the following?
• Risk mitigation
• Risk monitoring
• Risk assessment
• Risk identification
A
Risk mitigation

Explanation
If, after risk evaluation, a risk is unacceptable, its acceptability is determined again after risk mitigation efforts.

4
Q
The MOST effective way to ensure that outsourced service providers comply with the organization’s information security policy would be:
• security awareness training
• penetration testing
• periodically auditing
• service level monitoring
A
Periodically Auditing

Explanation
Regular audit exercises can spot any gap in information security compliance.

5
Q
Which of the following is MOST essential for a risk management program to be effective?
• Accurate risk reporting
• Flexible security budget
• Sound risk baseline
• Detection of new risk
A
Detection of New Risk

Explanation
All of these procedures are essential for implementing risk management. However, without identifying new risk, other procedures will only be useful for a limited period.

6
Q
What is the PRIMARY factor to be taken into account when designing a backup strategy that will be consistent with a disaster recovery strategy?
• Interruption window
• Recovery point objective
• Volume of sensitive data
• Recovery time objective
A
Recovery Point Objective

Explanation
The recovery point objective defines the maximum loss of data acceptable by the business (i.e., age of data to be restored). It will directly determine the basic elements of the backup strategy: frequency of the backups and what kind of backup is the most appropriate (disk-to-disk, on tape, mirroring).

7
Q
Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network?
• Internet-facing firewall
• Boundary router
• Intrusion detection system
• Strong encryption
A
Strong Encryption

Explanation
Strong encryption is the most effective means of protecting wireless networks.

8
Q
Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?
• More savings in total operating costs
• More uniformity in quality of service
• Better adherence to policies
• Better alignment to business unit needs
A
Better alignment to business unit needs

Explanation
Decentralization of information security management generally results in better alignment to business unit needs because security management is closer to the end user.

9
Q
The decision as to whether an IT risk has been reduced to an acceptable level should be determined by:
• organizational requirements
• information security requirements
• international standards
• information systems requirements
A
organizational requirements

Explanation
Organizational requirements should determine when a risk has been reduced to an acceptable level.

10
Q
Which of the following is characteristic of centralized information security management?
• More responsive to business unit needs
• More expensive to administer
• Faster turnaround of requests
• Better adherence to policies
A
Better adherence to policies

Explanation
Centralization of information security management results in greater uniformity and better adherence to security policies.

11
Q
Which of the following is the MOST important consideration when implementing an intrusion detection system?
• Packet filtering
• Patching
• Encryption
• Tuning
A
Tuning

Explanation
If an intrusion detection system is not properly tuned, it will generate an unacceptable number of false positives and/or fail to sound an alarm when an actual attack is underway.

12
Q
Which of the following requirements would have the LOWEST level of priority in information security?
• Business
• Technical
• Regulatory
• Privacy
A
Technical

Explanation
Information security priorities may, at times, override technical specifications, which then must be rewritten to conform to minimum security standards.

13
Q
An information security manager is investigating an internal cybersecurity incident and has been directed to preserve potential evidence. After making an image copy of the hard drive of the suspected systems with a commonly used tool and making copies on which to perform analysis, which of the following should the information security manager do NEXT?
• Use an alternate tool to make an image copy of the hard drive
• Encrypt the primary and backup hard drive images
• Document the process used to make an image copy of the hard drive
• Generate hashes for the primary and backup hard drive images
A
Generate hashes for the primary and backup hard drive images

Explanation
Generating hashes for the primary and backup memory dumps provides a means of demonstrating that the dump used for analysis is identical to the one stored for reference. It is essential that this step be performed before anything might happen to corrupt the original memory source, so it should be done as soon as possible.

14
Q
Which of the following is the MOST important factor when designing information security architecture?
• Scalability of the network
• Development methodologies
• Technical platform interfaces
• Stakeholder requirements
A
Stakeholder requirements

Explanation
The most important factor for information security is that it advances the interests of the business, as defined by stakeholder requirements.

15
Q
A computer incident response team manual should PRIMARILY contain which of the following documents?
• Severity criteria
• Risk assessment results
• Emergency call tree directory
• Table of critical backup files
A
Severity Criteria

Explanation
Quickly ranking the severity criteria of an incident is a key element of incident response.

16
Q
Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?
• System access violation logs
• Baseline security standards
• Exit routines
• Role-based access controls
A
Role-based access controls

Explanation
Role-based access controls help ensure that users only have access to files and systems appropriate for their job role.

17
Q
What is a reasonable expectation to have of a risk management program?
• It reduces control risk to zero
• It implements preventive controls for every threat
• It removes all inherent risk
• It maintains residual risk at an acceptable level
A
It maintains residual risk at an acceptable level

Explanation
The goal of risk management is to ensure that all residual risk is maintained at a level acceptable to the business.

18
Q
Which two components PRIMARILY must be assessed in an effective risk analysis?
• Probability and frequency
• Likelihood and impact
• Financial impact and duration
• Visibility and duration
A
Likelihood and Impact

Explanation
Likelihood and impact are the primary elements that are determined in a risk analysis.

19
Q
What is the MOST important contractual element when contracting with an outsourcer to provide security administration?
• The financial penalties clause
• The right-to-terminate clause
• The service level agreement
• Limitations of liability
A
The service level agreement

Explanation
The SLA includes the other options in addition to a number of other conditions, representations and warranties, as well as the right to inspect, provisions for audits, requirements on termination, etc.

20
Q
Attackers who exploit cross-site scripting vulnerabilities take advantage of:
• flawed cryptographic Secure Sockets Layer implementations and short key lengths
• a lack of proper input validation controls
• implicit web application trust relationships
• weak authentication controls in the web application layer
A
a lack of proper input validation controls

Explanation
Cross-site scripting attacks inject malformed input.

21
Q
The MOST appropriate role for senior management in supporting information security is the:
• assessment of risk to the organization
• approval of policy statements and funding
• developing standards sufficient to achieve acceptable risk
• evaluation of vendors offering security products
A
approval of policy statements and funding

Explanation
Policies are a statement of senior management intent and direction. Therefore, senior management must approve them in addition to providing sufficient funding to achieve the organization’s risk management objectives.

22
Q
Which of the following measures would be MOST effective against insider threats to confidential information?
• Defense in depth
• Role-based access control
• Privacy policy
• Audit trail monitoring
A
Role-based access control

Explanation
Role-based access control is a preventive control that provides access according to business needs; therefore, it reduces unnecessary access rights and enforces accountability.

23
Q
Senior management commitment and support for information security can BEST be obtained through presentations that:
• use illustrative examples of successful attacks
• evaluate the organization against good security practices
• explain the technical risk to the organization
• tie security risk to key business objectives
A
tie security risk to key business objectives

Explanation
Senior management wants to understand the business justification for investing in security in relation to achieving key business objectives.

24
Q
Which of the following BEST ensures that information transmitted over the Internet will remain confidential?
• Biometric authentication
• Two-factor authentication
• A virtual private network
• Firewalls and router
A
A virtual private network

Explanation
Encryption of data in a virtual private network ensures that transmitted information is not readable, even if intercepted.

25
Q
Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization’s network?
• Strength of encryption algorithms
• Configuration of firewalls
• Safeguards over keys
• Authentication within application
A
Safeguards over keys

Explanation
Key management is the weakest link in encryption. If keys are in the wrong hands, documents will be able to be read regardless of where they are on the network.

26
Q
A control policy is MOST likely to address which of the following implementation requirements?
• Failure modes
• Training requirements
• Specific metrics
• Operational capabilities
A
Failure modes

Explanation
A control policy will state the required failure modes in terms of whether a control fails open or fails closed, which has implications for safety, confidentiality and availability.

27
Q
What is the PRIMARY objective of a risk management program?
• Implement effective controls
• Achieve acceptable risk
• Eliminate business risk
• Minimize inherent risk
A
Achieve acceptable risk

Explanation
The goal of a risk management program is to ensure that acceptable risk levels are achieved and maintained.

28
Q
Which of the following would BEST prepare an information security manager for regulatory reviews?
• Ensure all regulatory inquiries are sanctioned by the legal department
• Assess previous regulatory reports with process owners’ input
• Perform self-assessments using regulatory guidelines and reports
• Assign an information security administrator as regulatory liaison
A
Perform self-assessments using regulatory guidelines and reports

Explanation
Self-assessments provide the best feedback on readiness and permit identification of items requiring remediation.

29
Q
Evidence from a compromised server must be acquired for a forensic investigation. What would be the BEST source?
• The last verified backup stored offsite
• A bit-level copy of the hard drive
• Backup servers
• Data from volatile memory
A
A bit-level copy of the hard drive

Explanation
The bit-level copy image file ensures forensic quality evidence that is admissible in a court of law.

30
Q
Which of the following actions should be taken when an information security manager discovers that a hacker is footprinting the network perimeter?
• Enable server trace routing on the demilitarized zone segment
• Check intrusion detection system logs and monitor for any active attacks
• Update IDS software to the latest available version
• Reboot the border router connected to the firewall
A
Check intrusion detection system logs and monitor for any active attacks

Explanation
Information security should check the intrusion detection system (IDS) logs and continue to monitor the situation. It would be inappropriate to take any action beyond that.

31
Q
Which of the following would be the BEST indicator of effective information security governance within an organization?
• Security training is available to all employees on the intranet
• IT personnel are trained in testing and applying required patches
• The steering committee approves security projects
• Security policy training is provided to all managers
A
The steering committee approves security projects

Explanation
The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program. To ensure that all stakeholders impacted by security considerations are involved, many organizations use a steering committee comprised of senior representatives of affected groups. This composition helps to achieve consensus on priorities and trade-offs and serves as an effective communication channel for ensuring the alignment of the security program with business objectives.

32
Q
Which of the following is a key component of an incident response policy?
• Press release templates
• Critical backup files inventory
• Updated call trees
• Escalation criteria
A
Escalation criteria

Explanation
Escalation criteria, indicating the circumstances under which specific actions are to be undertaken, should be contained within an incident response policy.

33
Q
When designing an intrusion detection system, the information security manager should recommend that it be placed:
• on the firewall server
• outside the firewall
• on the external router
• on a screened subnet
A
on a screened subnet

Explanation
An IDS should be placed on a screened subnet, which is a demilitarized zone.

34
Q
Which of the following BEST ensures that modifications made to in-house developed business applications do not introduce new security exposures?
• Change management
• Stress testing
• Patch management
• Security baselines
A
Change management

Explanation
Change management controls the process of introducing changes to systems to ensure that unintended changes are not introduced; within change management, regression testing is specifically designed to prevent the introduction of new security exposures when making modifications.

35
Q
Which of the following is the MOST appropriate use of gap analysis?
• Measuring current state versus desired future state
• Evaluating a business impact analysis
• Developing a business balanced scorecard
• Demonstrating the relationship between controls
A
Measuring current state versus desired future state

Explanation
A gap analysis is most useful in addressing the differences between the current state and future state.

36
Q
Which of the following is the BEST basis for determining the criticality and sensitivity of information assets?
• A resource dependency assessment
• A vulnerability assessment
• A threat assessment
• An impact assessment
A
An impact assessment

Explanation
The criticality and sensitivity of information assets depend on the impact and likelihood of threats exploiting vulnerabilities in the asset, and take into consideration the value of the assets and the impairment of that value.

37
Q
A web server at a financial institution that was compromised using a super-user account has been isolated, and proper forensic processes have been followed. What is the MOST appropriate next step?
• Rebuild the server from the last verified backup
• Rebuild the server with original media and relevant patches
• Place the web server in quarantine
• Shut down the server in an organized manner
A
Rebuild the server with original media and relevant patches

Explanation
The original media should be used because one could never find and eliminate all the changes a super-user may have made, or the timelines in which these changes were made.

38
Q
When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach?
• Incident response plan
• Vulnerability management plan
• Disaster recovery plan
• Business continuity plan
A
Incident Response Plan

Explanation
An incident response plan documents the step-by-step process to follow, as well as the related roles and responsibilities pertaining to all parties involved in responding to an information security breach.

39
Q
A web-based business application is being migrated from test to production. Which of the following is the MOST important management sign-off for this migration?
• User
• Network
• Database
• Operations
A
User

Explanation
As owners of the system, user management sign-off is the most important. If a system does not meet the needs of the business, then it has not met its primary objective.

40
Q
Which of the following groups would be in the BEST position to perform a risk analysis for a business?
• A specialized management consultant
• Process owners
• A peer group within a similar business
• External auditors
A
Process Owners

Explanation
Process owners have the most in-depth knowledge of risk and compensating controls within their environment.

41
Q
Which of the following risk scenarios would BEST be assessed using qualitative risk assessment techniques?
• Permanent decline in customer confidence
• Power outage lasting 24 hours
• Theft of purchased software
• Temporary loss of email services
A
Permanent decline in customer confidence

Explanation
A permanent decline in customer confidence does not lend itself well to measurement by quantitative techniques. Qualitative techniques are more effective in evaluating things such as customer loyalty and goodwill.

42
Q
Why is “slack space” of value to an information security manager as part of an incident investigation?
• Hidden data may be stored there
• It provides flexible space for the investigation
• The slack space contains login information
• Slack space is encrypted
A
Hidden data may be stored there

Explanation
“Slack space” is the unused space between where the file data end and the end of the cluster the data occupy.

43
Q
What is a reasonable approach to determine control effectiveness?
• Assess and quantify the control’s reliability
• Confirm the control’s ability to meet intended objectives
• Determine whether the control is preventive, detective or corrective
• Review the control’s capability of providing notification of failure
A
Confirm the control’s ability to meet intended objectives

Explanation
Control effectiveness requires a process to verify that the control process works as intended. Examples such as dual control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.

44
Q
The MOST important element(s) to consider when developing a business case for a project is the:
• alignment with organizational objectives
• resource and time requirements
• financial analysis of benefits
• feasibility and value proposition
A
feasibility and value proposition

Explanation
Feasibility and whether the value proposition makes sense will be major considerations of whether a project will proceed.

45
Q
Where should an intranet server generally be placed?
• On the primary domain controller
• On the external router
• On the internal network
• On the firewall server
A
On the internal network

Explanation
An intranet server should be placed on the internal network because external people do not need to access it. This reduces the risk of unauthorized access.

46
Q
Which of the following is MOST appropriate for inclusion in an information security strategy?
• Budget estimates to acquire specific security tools
• Business controls designated as key controls
• Security processes, methods, tools and techniques
• Firewall rule sets, network defaults and intrusion detection system settings
A
Security processes, methods, tools and techniques

Explanation
A set of security objectives supported by processes, methods, tools and techniques together are the elements that constitute a security strategy.

47
Q
How does a security information and event management solution MOST likely detect the existence of an advanced persistent threat in its infrastructure?
• Through vulnerability assessments
• Through identification of zero-day attacks
• Through analysis of the network traffic history
• Through stateful inspection of firewall packets
A
Through analysis of the network traffic history

Explanation
Advanced persistent threat (APT) refers to stealthy attacks not easily discovered without detailed analysis of behavior and traffic flows. Security information and event management (SIEM) solutions analyze network traffic over long periods of time to identify variances in behavior that may reveal APTs.

48
Q
Which of the following choices is the WEAKEST link in the authorized user registration process?
• The registration authority’s private key
• The relying party’s private key
• The certificate authority’s private key
• A secured communication private key
A
The registration authority’s private key

Explanation
The registration authority’s (RA’s) private key is in the possession of the RA, often stored on a smart card or laptop, and is typically protected by a password and, therefore, is potentially accessible. If the RA’s private key is compromised, it can be used to register anyone for a certificate using any identity, compromising the entire public key infrastructure for that CA.

49
Q
Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?
• Performing a risk assessment
• Establishing data retention policies
• Identifying data owners
• Defining job roles
A
Identifying data owners

Explanation
Identifying the data owners is the first step and is essential to implementing data classification.

50
Q
Addressing the root cause of an incident is one aspect of which of the following incident management processes?
• Recovery
• Containment
• Lessons learned
• Eradication
A
Eradication

Explanation
Determining the root cause of an incident and eliminating it are key activities that occur as part of the eradication process.

51
Q
For virtual private network access to the corporate network, the information security manager is requiring strong authentication. Which of the following is the strongest method to ensure that logging onto the network is secure?
• Symmetric encryption keys
• Secure Sockets Layer-based authentication
• Two-factor authentication
• Biometrics
A
Two-factor authentication

Explanation
Two-factor authentication requires more than one type of user authentication, typically something you know and something you have, such as a PIN and smart card.

52
Q
An organization determined that if its email system failed for three days, the cost to the organization would be eight times greater than if it could be recovered in one day. This determination MOST likely was the result of:
• disaster recovery planning
• business impact analysis
• full interruption testing
• site proximity analysis
A
business impact analysis

Explanation
A business impact analysis is used to establish the escalation of loss over time in addition to other elements.

53
Q
An information security manager receives a report showing an increase in the number of security events. The MOST likely explanation is:
• failure of a previously deployed detective control
• exploitation of a vulnerability in the information system
• approval of a new exception for noncompliance by management
• threat actors targeting the organization in greater numbers
A
exploitation of a vulnerability in the information system

Explanation
Exploitation of a vulnerability is likely to generate security events.

54
Q
Which of the following is MOST effective in preventing weaknesses from being introduced into an existing production system?
• Change management
• Virus detection
• Security baselines
• Patch management
A
Change Management

Explanation
Change management controls the process of introducing changes to systems. This is often the point at which a weakness will be introduced.

55
Q
What is a desirable sensitivity setting for a biometric access control system that protects a high-security data center?
• A high false acceptance rate
• Exactly to the crossover error rate
• Lower than the crossover error rate
• A high false reject rate
A
A high false reject rate

Explanation
Biometric access control systems are not infallible. When tuning the solution, one has to adjust the sensitivity level to give preference either to the false reject rate (FRR, type 1 error rate), where the system will be more prone to err by denying access to a valid user, or to the false acceptance rate, where it errs by allowing access to an invalid user. The preferable setting will be in the FRR region of sensitivity.

56
Q
Which of the following security controls addresses availability?
• Least privilege
• Contingency planning
• Role-based access
• Public key infrastructure
A
Contingency Planning

Explanation
Contingency planning ensures that the system and data are available in the event of a problem.

57
Q
Which of the following devices could potentially stop a structured query language injection attack?
• A host-based firewall
• A host-based intrusion detection system
• An intrusion detection system
• An intrusion prevention system
A
An intrusion prevention system

Explanation
Structured query language (SQL) injection attacks occur at the application layer. Most intrusion prevention systems will detect at least basic sets of SQL injection and will be able to stop them.

58
Q
An outsourced service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know?
• Security in storage and transmission of sensitive data
• Provider’s level of compliance with industry standards
• Security technologies in place at the facility
• Results of the latest independent security review
A
Security in storage and transmission of sensitive data

Explanation
Knowledge of how the outsourcer protects the storage and transmission of sensitive information will allow an information security manager to understand how sensitive data will be protected.

59
Q

Which of the following roles would represent a conflict of interest for an information security manager?
  • Assessment of the adequacy of disaster recovery plans
  • Evaluation of third parties requesting connectivity
  • Monitoring adherence to physical security controls
  • Final approval of information security policies



A

Final approval of information security policies

Explanation
Because senior management is ultimately responsible for information security, it should approve information security policy statements; the information security manager should not have final approval.

60
Q

The PRIMARY way in which incident management adds value to an organization is by:
  • optimizing risk management efforts
  • streamlining the reporting structure
  • eliminating redundant recovery plans
  • reducing the overall threat level


A

optimizing risk management efforts



Explanation
Incident management is a component of risk management that can provide an optimal balance between prevention, containment and restoration.

61
Q
In the process of deploying a new email system, an information security manager would like to ensure the confidentiality of messages while in transit. Which of the following is the MOST appropriate method to ensure data confidentiality in a new email system implementation?
  • Strong authentication
  • Digital signature
  • Encryption
  • Hashing algorithm



A

Encryption

Explanation
To preserve the confidentiality of a message in transit, it must be encrypted. Strong authentication controls who can log in, and digital signatures and hashes protect integrity and prove origin, but none of them hides the message content.

62
Q
Which of the following controls would BEST prevent accidental system shutdown from the console or operations area?
  • Shutdown alarms
  • Protective switch covers
  • Redundant power supplies
  • Biometric readers

A

Protective switch covers

Explanation
Protective switch covers would reduce the possibility of an individual accidentally pressing the power button on a device, thereby turning off the device.

63
Q

Which of the following is MOST important in determining whether a disaster recovery test is successful?
  • Only business data files from offsite storage are used
  • All systems are restored within recovery time objectives
  • Critical business processes are duplicated
  • IT staff fully recovers the processing infrastructure


A

Critical business processes are duplicated

Explanation
To ensure that a disaster recovery test is successful, it is most important to determine whether all critical business functions were successfully recovered and duplicated.

64
Q
An enterprise is implementing an information security program. During which phase of the implementation should metrics be established to assess the effectiveness of the program over time?
  • Initiation
  • Testing
  • Development
  • Design

A

Design

Explanation
In the design phase, security checkpoints are defined and a test plan is developed.

65
Q
Which of the following attacks is BEST mitigated by using strong passwords?
  • Root kit
  • Brute force attack
  • Remote buffer overflow
  • Man-in-the-middle attack
A

Brute force attack

Explanation
Strong passwords enlarge the space an attacker must search, making exhaustive guessing of a password impractical. Rootkits, remote buffer overflows and man-in-the-middle attacks do not depend on guessing credentials, so password strength does not mitigate them.

66
Q

What is the PRIMARY role of the information security manager related to the data classification and handling process within an organization?
  • Securing information assets in accordance with their data classification
  • Assigning the classification levels to the information assets
  • Confirming that information assets have been properly classified
  • Defining and ratifying the organization’s data classification structure

A

Defining and ratifying the organization’s data classification structure

Explanation
Defining and ratifying a data classification structure consistent with the organization’s risk appetite and the business value of its information assets is the primary role of the information security manager in the data classification and handling process. Assigning classifications to individual assets is the data owner’s role, and securing the assets accordingly falls to the custodians.

67
Q

Which of the following steps should be FIRST in developing an information security plan?
  • Perform a business impact analysis
  • Perform a technical vulnerabilities assessment
  • Assess the current levels of security awareness
  • Analyze the current business strategy

A

Analyze the current business strategy

Explanation
An information security manager needs to gain an understanding of the current business strategy and direction to understand the organization’s objectives and the impact of the other answers on achieving those objectives.

68
Q
Which of the following is MOST useful in managing increasingly complex security deployments?
  • A standards-based approach
  • Senior management support
  • Policy development
  • A security architecture


A


A security architecture

Explanation
Deploying complex security initiatives and integrating a range of diverse projects and activities would be more easily managed with the overview and relationships provided by a security architecture.

69
Q
Which of the following steps in conducting a risk assessment should be performed FIRST?
  • Evaluate key controls
  • Identify business assets
  • Identify business risk
  • Assess vulnerabilities

A

Identify business assets

Explanation
Risk assessment first requires that the business assets that need to be protected be identified before identifying the threats.

70
Q

To BEST improve the alignment of the information security objectives in an organization, the chief information security officer should:
  • evaluate a business balanced scorecard
  • conduct regular user awareness sessions
  • perform penetration tests
  • revise the information security program

A

evaluate a business balanced scorecard


Explanation
The business balanced scorecard (BSC) tracks how effectively the organization executes its information security strategy against its business objectives and highlights where alignment needs improvement.

71
Q

How can access control to a sensitive intranet application by mobile users BEST be implemented?
  • Through digital signatures
  • Through strong passwords
  • Through data encryption
  • Through two-factor authentication


A

Through two-factor authentication


Explanation
Two-factor authentication combines something the user knows (a strong password) with something the user has (a security token), so a stolen or guessed password alone does not grant access. Of the options listed it provides the strongest access control for mobile users; encryption and digital signatures protect the data and its origin, not who is allowed in.

72
Q

At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the vendor’s hot site facility?
  • Evaluate the results from all test scripts
  • Conduct a meeting to evaluate the test
  • Complete an assessment of the hot site provider
  • Erase data and software from devices


A

Erase data and software from devices


Explanation
For security and privacy reasons, all organizational data and software should be erased prior to departure.

73
Q
Which of the following is MOST effective in preventing security weaknesses in operating systems?
  • Configuration management
  • Patch management
  • Change management
  • Security baselines

A

Patch management

Explanation
Patch management corrects discovered weaknesses by applying a correction (a patch) to the original program code.

74
Q

An online banking institution is concerned that a breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to:
  • implement a circuit-level firewall to protect the network
  • mitigate the impact by purchasing insurance
  • increase the resiliency of security measures in place
  • implement a real-time intrusion detection system


A

mitigate the impact by purchasing insurance

Explanation
Residual risk is the remaining risk after management has implemented a risk response. Because residual risk will always be too high, the only practical solution is to mitigate the financial impact by purchasing insurance. Purchasing insurance is also known as risk transfer.

75
Q

Which of the following is the MOST important risk associated with middleware in a client-server environment?
  • End-user sessions may be hijacked
  • Server patching may be prevented
  • Data integrity may be affected
  • System backups may be incomplete

A

Data integrity may be affected

Explanation
The major risk associated with middleware in a client-server environment is that data integrity may be adversely affected if middleware were to fail or become corrupted.

76
Q

Assuming that the value of information assets is known, which of the following gives the information security manager the MOST objective basis for determining that the information security program is delivering value?
  • Number of controls
  • Test results of controls
  • Cost of achieving control objectives
  • Effectiveness of controls


A

Cost of achieving control objectives

Explanation
Comparison of cost of achievement of control objectives and corresponding value of assets sought to be protected would provide a sound basis for the information security manager to measure value delivery.

77
Q

The MOST basic requirement for an information security governance program is to:
  • be aligned with the corporate business strategy
  • provide good practices for security initiatives
  • provide adequate regulatory compliance
  • be based on a sound risk management approach



A

be aligned with the corporate business strategy

Explanation
To be effective and receive senior management support, an information security program must be aligned with the corporate business strategy.

78
Q

What is the MOST essential attribute of an effective key risk indicator (KRI)? The KRI:
  • is predictive of a risk event
  • is accurate and reliable
  • provides quantitative metrics
  • indicates required action


A

is predictive of a risk event

Explanation
A KRI should indicate that a risk is developing or changing to show that investigation is needed to determine the nature and extent of a risk.

79
Q

A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following items would be of MOST value?
  • Analysis of current technological exposures
  • Association of realistic threats to corporate objectives
  • Examples of genuine incidents at similar organizations
  • Statement of generally accepted good practices


A

Association of realistic threats to corporate objectives

Explanation
Linking realistic threats to key business objectives will direct executive attention to them.

80
Q

An effective risk management program should reduce risk to:
  • an acceptable percent of revenue
  • an acceptable probability of occurrence
  • an acceptable level
  • zero


A

an acceptable level

Explanation
An effective risk management program reduces the risk to an acceptable level; this is achieved by reducing the probability of a loss event through preventive measures as well as reducing the impact of a loss event through corrective measures.

81
Q

Which of the following should automatically occur FIRST when a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning?
  • The firewall should block all inbound traffic during the outage
  • Access control should fall back to nonsynchronized mode
  • System logs should record all user activity for later analysis
  • All systems should block new logins until the problem is corrected

A

Access control should fall back to nonsynchronized mode

Explanation
The best mechanism is for the system to fall back to the original process of logging on individually to each system.

82
Q
Which of the following devices should be placed within a demilitarized zone?
  • Database server
  • New switch
  • Web server
  • File/print server

A

Web server

Explanation
A web server should normally be placed within a DMZ to shield the internal network.

83
Q
When performing a business impact analysis, which of the following should calculate the recovery time and cost estimates?
  • Information security manager
  • IT management
  • Business process owners
  • Business continuity coordinator

A

Business process owners

Explanation
Business process owners are in the best position to understand the true impact on the business that a system outage would create.

84
Q

Why would an organization decide not to take any action on a denial-of-service vulnerability found by the risk assessment team?
  • The needed countermeasures are too complicated to deploy
  • The likelihood of the risk occurring is unknown
  • There are sufficient safeguards in place to prevent this risk from happening
  • The cost of countermeasures outweighs the value of the asset and potential loss


A

The cost of countermeasures outweighs the value of the asset and potential loss

Explanation
An organization may decide to live with specific risk because it would cost more to protect the organization than the value of the potential loss.

85
Q

Which of the following attributes would be MOST essential to developing effective metrics?

  • Easily implemented
  • Meaningful to the recipient
  • Meets regulatory requirements
  • Quantifiably represented
A

Meaningful to the recipient

Explanation
Metrics will only be effective if the recipient can take appropriate action based upon the results.

86
Q

Which of the following would represent a violation of the chain of custody when a backup tape has been identified as evidence in a fraud investigation? The tape was:

  • kept in the tape library pending further analysis
  • removed into the custody of law enforcement investigators
  • handed over to authorized independent investigators
  • sealed in signed envelope and locked in a safe under dual control
A

kept in the tape library pending further analysis

Explanation
Because a number of individuals would have access to the tape library and could have accessed and tampered with the tape, the chain of custody could not be verified.
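Added example, not part of the original deck: a hash-chained custody log in Python that makes the problem with the tape-library option concrete. Every hand-off entry commits to the SHA-256 of the evidence and to the previous entry, and verification flags an altered record, altered evidence, or a hand-off whose sender was not the recorded custodian (the unrecorded access that a shared tape library permits). The evidence bytes, names and timestamps are constructed.

```python
"""Chain of custody as a verifiable record.

Added example. Each hand-off entry commits to the SHA-256 of the evidence and to
the previous entry, so verification can tell an intact chain from one with an
altered record, altered evidence, or an unrecorded hand-off. Evidence bytes,
names and timestamps below are constructed.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from typing import List, Optional

GENESIS = "0" * 64


def evidence_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    evidence_sha256: str
    action: str            # e.g. "seized", "sealed", "transferred"
    from_custodian: str
    to_custodian: str
    timestamp: str         # ISO 8601 string supplied by the recorder
    prev_hash: str
    entry_hash: str = field(default="")

    def compute_hash(self) -> str:
        """Hash of the canonical JSON of every field except entry_hash itself."""
        body = asdict(self)
        body.pop("entry_hash")
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


def append_entry(log: List[CustodyEntry], evidence: bytes, action: str,
                 from_custodian: str, to_custodian: str, timestamp: str) -> CustodyEntry:
    prev_hash = log[-1].entry_hash if log else GENESIS
    entry = CustodyEntry(len(log), evidence_hash(evidence), action,
                         from_custodian, to_custodian, timestamp, prev_hash)
    entry.entry_hash = entry.compute_hash()
    log.append(entry)
    return entry


def verify_chain(log: List[CustodyEntry], evidence: bytes) -> List[str]:
    """Return a list of findings; an empty list means the chain is intact."""
    findings: List[str] = []
    current = evidence_hash(evidence)
    expected_prev = GENESIS
    prev_holder: Optional[str] = None
    for i, e in enumerate(log):
        if e.seq != i:
            findings.append(f"entry {i}: sequence number is {e.seq}")
        if e.prev_hash != expected_prev:
            findings.append(f"entry {i}: link to previous entry is broken")
        if e.entry_hash != e.compute_hash():
            findings.append(f"entry {i}: record altered after it was written")
        if e.evidence_sha256 != current:
            findings.append(f"entry {i}: evidence hash does not match the evidence presented")
        if prev_holder is not None and e.from_custodian != prev_holder:
            findings.append(f"entry {i}: custody gap, {e.from_custodian!r} "
                            f"was not the recorded holder {prev_holder!r}")
        expected_prev = e.entry_hash
        prev_holder = e.to_custodian
    return findings


if __name__ == "__main__":
    tape = b"constructed backup tape image"
    log: List[CustodyEntry] = []
    append_entry(log, tape, "seized", "tape library", "J. Smith (investigator)", "2024-01-10T09:00:00Z")
    append_entry(log, tape, "sealed", "J. Smith (investigator)", "evidence safe (dual control)", "2024-01-10T09:30:00Z")
    print("intact:", verify_chain(log, tape))
    # A hand-off by someone who was never the recorded custodian: others had
    # access in the meantime, so the chain can no longer be vouched for.
    append_entry(log, tape, "transferred", "R. Jones", "law enforcement", "2024-01-11T08:00:00Z")
    print("gap:", verify_chain(log, tape))
```

The log is only as trustworthy as the first entry's hash of the evidence: compute it at seizure, in front of a witness, before the tape goes anywhere.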

87
Q

The information security manager identifies a vulnerability in a publicly exposed business application during risk assessment activities. The NEXT step he/she should take is:

  • analysis
  • eradication
  • containment
  • recovery
A

analysis

Explanation
Identification of a vulnerability does not necessarily mean that an incident has occurred, but reliance on automated detection mechanisms when a vulnerability has been identified may allow any compromises that have already occurred to continue unimpeded. Analysis is appropriate to determine whether a threat actor may have already exploited the vulnerability and, if so, to determine the scope of the compromise.

88
Q

In conducting an initial technical vulnerability assessment, which of the following choices should receive top priority?

  • Systems covered by business interruption insurance
  • Resources subject to performance contracts
  • Systems impacting legal or regulatory standing
  • Externally facing systems or applications
A

Systems covered by business interruption insurance

Explanation
Maintaining business operations is always the priority. If a system is covered by business interruption insurance, it is a clear indication that management deems it to be a critical system.

89
Q

An organization’s security awareness program should focus on which of the following?

  • Access levels within the organization for applications and the Internet
  • Installing training software which simulates security incidents
  • Establishing metrics for network backups
  • Communicating what employees should or should not do in the context of their job responsibilities
A

Communicating what employees should or should not do in the context of their job responsibilities

Explanation
An organization’s security awareness program should focus on employee behavior and the consequences of both compliance and noncompliance with the security policy.

90
Q

An information security manager can BEST attain senior management commitment and support by emphasizing:

  • organizational risk
  • the responsibilities of organizational units
  • security needs
  • performance metrics
A

organizational risk

Explanation
Information security exists to address risk to the organization that may impede achieving its objectives. Organizational risk will be the most persuasive argument for management commitment and support.

91
Q

What mechanism should be used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system?

  • Business impact analysis
  • Security gap analysis
  • System performance metrics
  • Incident response processes
A

Security gap analysis

Explanation
Security gap analysis is a process that measures all security controls in place against control objectives, which will identify gaps.

92
Q

Senior management commitment and support for information security can BEST be enhanced through:

  • a formal security policy sponsored by the chief executive officer
  • senior management sign-off on the information security strategy
  • periodic review of alignment with business management goals
  • regular security awareness training for employees
A

periodic review of alignment with business management goals

Explanation
Ensuring that security activities continue to be aligned with and support business goals is critical to obtaining management support.

93
Q

Which of the following actions should take place immediately after a security breach is reported to an information security manager?

  • Notify affected stakeholders
  • Isolate the incident
  • Confirm the incident
  • Determine impact
A

Confirm the incident

Explanation
Before performing analysis of impact, notification or isolation of an incident, it must be validated as a real security incident.

94
Q

When a user employs a client-side digital certificate to authenticate to a web server through Secure Sockets Layer, confidentiality is MOST vulnerable to which of the following?

  • Man-in-the-middle attack
  • Internet Protocol spoofing
  • Trojan
  • Repudiation
A

Trojan

Explanation
A Trojan is a program that can give the attacker full control over the infected computer, thus allowing the attacker to hijack, copy or alter information after authentication by the user. The client certificate protects the connection, not the endpoint on which it is used.

95
Q

When creating an effective data-protection strategy, the information security manager must understand the flow of data and its protection at various stages. This is BEST achieved with:

  • a third-party vulnerability assessment
  • a tailored methodology based on exposure
  • a tokenization system set up in a secure network environment
  • an insurance policy for accidental data losses
A

a tailored methodology based on exposure

Explanation
Organizations classify data according to their value and exposure. The organization can then develop a sensible plan to invest budget and effort where they matter most.

96
Q

Information security managers should use risk assessment techniques to:

  • maximize the return on investment
  • provide documentation for auditors and regulators
  • quantify risk that would otherwise be subjective
  • justify selection of risk mitigation strategies
A

justify selection of risk mitigation strategies

Explanation
Information security managers should use risk assessment techniques as one of the main bases for justifying and implementing a risk mitigation strategy as efficiently as possible.

97
Q

The PRIMARY goal of a corporate risk management program is to ensure that an organization’s:

  • IT assets in key business functions are protected
  • business risk is addressed by preventive controls
  • IT facilities and systems are always available
  • stated objectives are achieved
A

stated objectives are achieved

Explanation
Risk management’s primary goal is to ensure an organization maintains the ability to achieve its objectives.

98
Q

Which of the following is the MOST important consideration when performing a risk assessment?

  • Attack motives, means and opportunities are understood
  • Assets have been identified and appropriately valued
  • Management supports risk mitigation efforts
  • Annual loss expectancies have been calculated for critical assets
A

Assets have been identified and appropriately valued

Explanation
Identification and valuation of assets provides the essential basis for risk assessment efforts. Without knowing an asset exists and its value to the organization, the risk and impact cannot be determined.

99
Q

Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided hot site?

  • Equipment at the hot site is identical
  • Network Internet Protocol addresses are predefined
  • Tests are scheduled on weekends
  • Business management actively participates
A

Business management actively participates

Explanation
Disaster recovery testing requires the allocation of sufficient resources to be successful. Without the support of management, these resources will not be available, and testing will suffer as a result.

100
Q

What is the BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures?

  • Implement vendor default settings
  • Perform penetration testing
  • Establish security baselines
  • Link policies to an independent standard
A

Establish security baselines

Explanation
Security baselines will provide the best assurance that each platform meets minimum security criteria. Vendor defaults are not a baseline, penetration tests sample rather than enumerate settings, and linking policy to a standard says nothing about how a given host is actually configured.
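Added example, not part of the original deck: a small Python checker that parses a constructed sshd_config excerpt and compares each setting against a baseline of allowed values, reporting settings that deviate or are left to the vendor default. The baseline values and the excerpt are assumptions for the illustration, not a published benchmark.

```python
"""Check a platform's effective settings against a security baseline.

Added example; the baseline values and the sshd_config excerpt are constructed
to illustrate the comparison, not taken from any published benchmark.
"""
from typing import Dict, List, Set, Tuple

# Constructed baseline: setting (lower-case) -> allowed values (lower-case).
SSH_BASELINE: Dict[str, Set[str]] = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": {"3", "4"},
    "loglevel": {"info", "verbose"},
}

SAMPLE_SSHD_CONFIG = """\
# constructed excerpt of /etc/ssh/sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
# MaxAuthTries 6
LogLevel INFO
"""


def parse_config(text: str) -> Dict[str, str]:
    """Key/value lines; '#' comments and blank lines are ignored; keys are
    case-insensitive. The first occurrence of a key wins, matching sshd's own
    precedence rule, so a later duplicate cannot quietly override it."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        settings.setdefault(key, value)
    return settings


def check_baseline(settings: Dict[str, str],
                   baseline: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (setting, found, expected) for every deviation from the baseline.

    A setting the baseline requires but the config does not state is reported as
    '<unset>': relying on a vendor default is not compliance, because the
    default can differ between versions and builds.
    """
    deviations: List[Tuple[str, str, str]] = []
    for key, allowed in sorted(baseline.items()):
        found = settings.get(key, "<unset>")
        if found not in allowed:
            deviations.append((key, found, " or ".join(sorted(allowed))))
    return deviations


if __name__ == "__main__":
    effective = parse_config(SAMPLE_SSHD_CONFIG)
    for setting, found, expected in check_baseline(effective, SSH_BASELINE):
        print(f"NONCOMPLIANT {setting}: found {found}, baseline requires {expected}")
```

Run against the sample, the checker reports MaxAuthTries as unset (it is commented out), PermitRootLogin as yes and X11Forwarding as yes; PasswordAuthentication and LogLevel pass.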