CISM Definitions Flashcards
_____ is a binary-to-text encoding process that converts long bit sequences into
alphanumeric text.
Base64 Encoding
Description of the logical grouping of capabilities that manage the objects necessary to process
information and support the enterprise’s objectives.
Application architecture
A tool for managing organizational strategy that uses weighted measures for the areas of financial
performance (lag) indicators, internal operations, customer measurements, learning and growth
(lead) indicators, combined to rate the enterprise
Business balanced scorecard
An application software deployed at multiple points in an IT architecture. It is designed to detect and
potentially eliminate virus code before damage is done and repair or quarantine files that have
already been infected.
Antivirus software
Logical and physical controls to define a perimeter between the organization and the outside world
Boundary
Preventing, mitigating and recovering from disruption
Continuity
The translation of the enterprise’s mission from a statement of intention into performance targets
and results
Business goal
An algorithm to perform encryption
Cipher
All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes.
Bus configuration
The technique used for selecting records in a file, one at a time, for processing, retrieval or storage. The access method is related to, but distinct from, the file organization, which determines how the records are stored.
Access Method
_____ is a way to identify, acquire and retain customers. _____ is also an industry term for software solutions
that help an enterprise manage customer relationships in an organized manner.
Customer relationship management (CRM)
Any process that directly reduces a threat or vulnerability.
Countermeasure
An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing.
Abend
A mechanism that is used to isolate applications from each other within the context of a running
operating system instance.
Application containerization
The examination of ratios, trends, and changes in balances and other values between periods to
obtain a broad understanding of the enterprise’s financial or operational position and to identify
areas that may require further or closer investigation
Analytical technique
Automatic or manual process designed and established to continue critical business processes from point-of-failure to return-to-normal.
Alternative routing
The process of cost allocation that assigns the original cost of an intangible asset to the periods benefited; calculated in the same way as depreciation.
Amortization
A third party that delivers and manages applications and computer services, including security
services to multiple users via the Internet or a private network.
Application or managed service provider (ASP/MSP)
Device that performs the functions of both a bridge and a router.
Brouter
An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals. Also referred to as control tables.
Access Control List (ACL)
A program that translates programming language (source code) into machine executable instructions
(object code).
Compiler
A method/process by which management and staff of all levels collectively identify and evaluate risk
and controls with their business areas. This may be under the guidance of a facilitator such as an
auditor or risk manager.
Control risk self-assessment
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
A. storage capacity and shelf life.
B. regulatory and legal requirements.
C. business strategy and direction.
D. application systems and media.
Answer : D
Explanation: Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover. Business strategy and direction do not generally apply, nor do legal and regulatory requirements. Storage capacity and shelf life are important but secondary issues.
Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives.
Balanced scorecard (BSC)
A public algorithm that operates on plaintext in blocks (strings or groups) of bits
Cipher
An internal computerized table of access rules regarding the levels of computer access permitted to
logon IDs and computer terminals.
Access control table
A process for protecting very-high value assets or in environments where trust is an issue. Access to
an asset requires two or more processes, controls or individuals.
Compartmentalization
A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message
Asymmetric key (public key)
A trusted third party that serves authentication infrastructures or enterprises and registers entities
and issues them certificates
Certificate (Certification) authority (CA)
Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact
of losing the support of any resource to an enterprise, establishes the escalation of that loss over
time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes
and the supporting system
Business impact analysis/assessment (BIA)
The process of establishing the effective design and operation of automated controls within an
application.
Application benchmarking
The individual accountable for delivering the benefits and value of an IT-enabled business investment
program to the enterprise.
Business sponsor
A method of user authentication that is carried out through use of the Challenge Handshake Authentication Protocol (CHAP).
Challenge/response token
An alternate facility to continue IT/IS operations when the primary data processing (DP) center is unavailable.
Backup center
The system by which enterprises are directed and controlled. The board of directors is responsible for
the governance of their enterprise. It consists of the leadership and organizational structures and
processes that ensure the enterprise sustains and extends strategies and objectives.
Corporate Governance
A public algorithm that supports keys from 128 bits to 256 bits in size
Advanced Encryption Standard (AES)
The thorough analysis and significant redesign of business processes and management systems to
establish a better performing structure, more responsive to the customer base and market
conditions, while yielding material cost savings.
Business process reengineering (BPR)
The policies, procedures, practices and organizational structures designed to provide reasonable
assurance that a business process will achieve its objectives.
Business process control
The individual, group or entity that is ultimately responsible for a subject matter, process or
scope.
Accountable party
The processes, rules, and deployment mechanisms that control access to the information systems, resources, and physical access to premises
Access Control
The risk of reaching an incorrect conclusion based upon audit findings.
Audit risk
A type of challenge-response test used in computing to ensure that the response is not generated by
a computer. An example is the site request for web site users to recognize and type a phrase posted
using various challenging-to-read fonts
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly
by the receiver without errors, or that the receiver is now ready to accept a transmission.
Acknowledgment (ACK)
This approach allows IS auditors to monitor system reliability on a continuous basis and to gather
selective audit evidence through the computer.
Continuous audit approach
Process of developing advance arrangements and procedures that enable an enterprise to respond to
an event that could occur by chance or unforeseen circumstances.
Contingency Planning
The highest ranking individual in an enterprise
Chief executive officer (CEO)
The policies, procedures, practices and organizational structures designed to provide reasonable
assurance that the business objectives will be achieved and undesired events will be prevented or
detected.
Business control
An IS backup facility that has the necessary electrical and physical components of a computer facility,
but does not have the computer equipment in place.
Cold site
The individual primarily responsible for managing the financial risk of an enterprise.
Chief financial officer (CFO)
Which of the following is the BEST method or technique to ensure the effective
implementation of an information security program?
A. Obtain the support of the board of directors.
B. Improve the content of the information security awareness program.
C. Improve the employees’ knowledge of security policies.
D. Implement logical access controls to the information systems.
Answer : A
Explanation: It is extremely difficult to implement an information security program without the aid and support of the board of directors. If they do not understand the importance of security to the achievement of the business objectives, other measures will not be sufficient. Options B and C are measures proposed to ensure the efficiency of the information security program implementation, but are of less significance than obtaining the aid and support of the board of directors. Option D is a measure to secure the enterprise information, but by itself is not a measure to ensure the broader effectiveness of an information security program.
The most senior official of the enterprise who is accountable for IT advocacy, aligning IT and business
strategies, and planning, resourcing and managing the delivery of IT services, information and the
deployment of associated human resources
Chief information officer (CIO)
Common path or channel between hardware devices.
Bus
A statement of the desired result or purpose to be achieved by implementing control procedures in a
particular process.
Control objective
A catalogue of attack patterns as “an abstraction mechanism for helping describe how an attack
against vulnerable systems or networks is executed” published by the MITRE Corporation
Common Attack Pattern Enumeration and Classification (CAPEC)
The consolidation in 1998 of the “Cadbury,” “Greenbury” and “Hampel” Reports
Combined Code on Corporate Governance
An outcome of effective security governance is:
A. business dependency assessment.
B. strategic alignment.
C. risk assessment.
D. planning.
Answer : B
Explanation: Business dependency assessment is a process of determining the dependency of a business on certain information resources. It is not an outcome or a product of effective security management. Strategic alignment is an outcome of effective security governance. Where there is good governance, there is likely to be strategic alignment. Risk assessment is not an outcome of effective security governance; it is a process. Planning comes at the beginning of effective security governance, and is not an outcome but a process.
The existing description of the fundamental underlying design of the components of the business
system before entering a cycle of architecture review and redesign
Baseline architecture
Any formal declaration or set of declarations about the subject matter made by management.
Assertion
The means of managing risk, including policies, procedures, guidelines, practices or organizational
structures, which can be of an administrative, technical, management, or legal
nature
Control
A service that connects programs running on internal networks to services on exterior networks by
creating two connections, one from the requesting client and another to the destination service
Application proxy
______ is a binary-to-text encoding process that converts long bit sequences into
alphanumeric text, which is easier for users
Base58 Encoding
Who is ultimately responsible for the organization’s information?
A. Data custodian
B. Chief information security officer (CISO)
C. Board of directors
D. Chief information officer (CIO)
Answer : C
Explanation: The board of directors is ultimately responsible for the organization’s information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management’s directives. The
chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization’s information.
The Committee on the Financial Aspects of Corporate Governance, set up in May 1991 by the UK
Financial Reporting Council, the London Stock Exchange and the UK accountancy profession, was
chaired by Sir Adrian Cadbury and produced a report on the subject commonly known in the UK as
the Cadbury Report.
Cadbury
Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage.
Batch control
A proven activity or process that has been successfully used by multiple enterprises.
Best practices
Formal inspection and verification to check whether a standard or set of guidelines is being followed,
records are accurate, or efficiency and effectiveness targets are being met
Audit
Automatic or manual process designed and established to continue critical business processes from
point-of-failure to return-to-normal.
Alternate process
A process to determine the impact of losing the support of any resource.
Business impact analysis
Adherence to, and the ability to demonstrate adherence to, mandated requirements defined by laws
and regulations, as well as voluntary requirements resulting from contractual obligations and internal
policies
Compliance
A recovery strategy that involves two active sites, each capable of taking over the other’s workload in
the event of a disaster.
Active recovery site (Mirrored)
A legal principle regarding the validity and integrity of evidence. It requires accountability for
anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for
from the time it was collected until the time it is presented in a court of
law
Chain of custody
The net effect, positive or negative, on the achievement of business objectives.
Business impact
Senior management commitment and support for information security can BEST be obtained through presentations that:
A. use illustrative examples of successful attacks.
B. explain the technical risks to the organization.
C. evaluate the organization against best security practices.
D. tie security risks to key business objectives.
Answer : D
Explanation: Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives. Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the impact on business environment and objectives. Industry best practices are important to senior management but, again, senior management will give them the right level of importance when they are presented in terms of key business objectives.
Description of the fundamental underlying design of the components of the business system, or of
one element of the business system (e.g., technology), the relationships among them, and the
manner in which they support enterprise objectives.
Architecture
Provides centralized access control for managing remote access dial-up services
Access server
A type of malicious exploit of a web site whereby unauthorized commands are transmitted from a
user that the web site trusts (also known as a one-click attack or session riding); acronym pronounced
“sea-surf”.
Cross-site request forgery (CSRF)
Most implementations of asymmetric ciphers combine a widely distributed public key and a closely held, protected private key.
Asymmetric cipher
Method to select a portion of a population based on the presence or absence of a certain
characteristic
Attribute sampling
A process of identifying resources critical to the operation of a business process.
Business dependency assessment
Any event, whether anticipated (i.e., public service strike) or unanticipated (i.e., blackout) that
disrupts the normal course of business operations at an enterprise.
Business interruption
A document approved by those charged with governance that defines the purpose, authority and
responsibility of the internal audit activity
Audit Charter
A term derived from “robot network”; a large, automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks such as a denial-of-service attack on selected victims
Botnet
A probable situation with uncertain frequency and magnitude of loss (or gain).
Business Risk
An instrument for checking the continued validity of the certificates for which the certification
authority (CA) has responsibility
Certificate revocation list (CRL)
The MOST complete business case for security solutions is one that:
A. includes appropriate justification.
B. explains the current risk profile.
C. details regulatory requirements.
D. identifies incidents and losses.
Answer : A
Explanation: Management is primarily interested in security solutions that can address risks in the most cost-effective way. To address the needs of an organization, a business case should address appropriate security solutions in line with the organizational strategy.
The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence
to regulations and management policies.
Administrative control
A class of algorithms that repeatedly try all possible combinations until a solution is found.
Brute force
Component of an infrastructure (or an item, such as a request for change, associated with an infrastructure) which is, or is to be, under the control of configuration management
Configuration Item (CI)
A further development of the business goals into tactical targets and desired results and outcomes.
Business objective
The art of designing, analyzing and attacking cryptographic schemes
Cryptography
Measure of interconnectivity among structure of software programs. Coupling depends on the
interface complexity between modules.
Coupling
The method used to identify the location of a participant in a network.
Addressing
The main actions taken to operate the COBIT process.
Activity
Interfaces at the physical layer of the open systems interconnection (OSI) reference model, data terminal equipment (DTE) to data circuit terminating equipment (DCE), for switched carrier networks
Channel service unit/digital service unit (CSU/DSU)
A plan used by an enterprise or business unit to respond to a specific systems failure or disruption
Contingency Plan
A means of regaining access to a compromised system by installing software or configuring existing
software to enable remote access under attacker-defined conditions
Backdoor
Testing an application with large quantities of data to evaluate its performance during peak periods.
Also called volume testing.
Capacity Stress Testing
A type of injection, in which malicious scripts are injected into otherwise benign and trusted web
sites
Cross-site scripting (XSS)
The point in an emergency procedure when the elapsed time passes a threshold and the interruption
is not resolved.
Alert situation
The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise’s business objective
Acceptable interruption window
The boundary defining the scope of control authority for an entity
Control perimeter
Preserving authorized restrictions on access and disclosure, including means for protecting privacy
and proprietary information.
Confidentiality
The PRIMARY benefit of performing an information asset classification is to:
A. link security requirements to business objectives.
B. identify controls commensurate to risk.
C. define access rights.
D. establish ownership
Answer : B
Explanation: All choices are benefits of information classification. However, identifying controls that are proportional to the risk in all cases is the primary benefit of the process
Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle
Business case
A test that has been designed to evaluate the performance of a system
Benchmark
Unusual or statistically rare.
Anomaly
A recurring journal entry used to allocate revenues or costs
Allocation entry
A distributed, protected journaling and ledger system. Use of blockchain technologies can enable anything from digital currency (e.g. Bitcoin) to any other value-bearing transaction.
Blockchain
The control of changes to a set of configuration items over a system life cycle.
Configuration Management
Data that is not encrypted. Also known as plaintext
Cleartext
A plan containing the nature, timing and extent of audit procedures to be performed by
engagement team members in order to obtain sufficient appropriate audit evidence to form an
opinion.
Audit Plan
The risk that a material error exists that would not be prevented or detected on a timely basis by the
system of internal controls
Control Risk
A policy that establishes an agreement between users and the enterprise and defines for all parties the range of uses that are approved before gaining access to a network or the internet
Acceptable Use Policy
Contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness
Capability Maturity Model (CMM)
In the Open Systems Interconnection (OSI) communications model, the application layer provides
services for an application program to ensure that effective communication with another application
program in a network is possible
Application layer
Responsible for coordinating the planning, development, implementation, maintenance and
monitoring of the information security program.
Corporate Security Officer (CSO)
The permission or privileges granted to users, programs or workstations to create, change, delete or
view data and files within a system, as defined by rules established by data owners and the
information security policy.
Access rights
Nonstop service, with no lapse in service; the highest level of service in which no downtime is
allowed.
Continuous availability
A standardized body of data created for testing purposes.
Base case
An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors (NIST SP800-61).
Advanced persistent threat (APT)
The senior executive responsible for managing the day-to-day operations of a company or other institution.
Chief Operating Officer (COO)
An application service provider (ASP) that also provides outsourcing of business processes such as
payment processing, sales order processing and application development.
Business service provider (BSP)
Reduction of signal strength during transmission
Attenuation
______ is now used only as the acronym in its fifth iteration. A complete, internationally accepted framework for governing and managing enterprise information and technology (IT) that supports enterprise
executives and management in their definition and achievement of business goals and related IT
goals. _____ describes five principles and seven enablers that support enterprises in the
development, implementation, and continuous improvement and monitoring of good IT-related
governance and management practices
COBIT
The ability to map a given activity or event back to the responsible party
Accountability
The logical route that an end user takes to access computerized information. Scope Notes: Typically includes a route through the operating system, telecommunications software, selected application software and the access control system.
Access path
The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second).
Bandwidth
Locations and infrastructures from which emergency or backup processes are executed, when the
main premises are unavailable or destroyed.
Alternate facilities
A software package that automatically plays, displays or downloads advertising material to a
computer after the software is installed on it or while the application is being
used.
Adware
A holistic and business-oriented model that supports enterprise governance and management of information security, and provides a common language for information security professionals and business management.
Business Model for Information Security (BMIS)
Actions taken to limit exposure after an incident has been identified and confirmed
Containment
A message kept in the web browser for the purpose of identifying users and possibly preparing
customized web pages for them
Cookie
The individual who focuses on technical issues in an enterprise
Chief technology officer (CTO)
The number of distinct locations that may be referred to with the machine address.
Address space
A discussion document that sets out an “enterprise governance model” focusing strongly on both the
enterprise business goals and the information technology enablers that facilitate good enterprise
governance, published by the Information Systems Audit and Control Foundation in 1999.
Control Objectives for Enterprise Governance
The PRIMARY concern of an information security manager documenting a formal data retention policy would be:
A. generally accepted industry best practices.
B. business requirements.
C. legislative and regulatory requirements.
D. storage availability.
Answer : B
Explanation: The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement. Best practices may be a useful guide but not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant since whatever is needed must be provided
A code whose representation is limited to 0 and 1.
Binary code
Information generated by an encryption algorithm to protect the plaintext and that is unintelligible to
the unauthorized reader.
Ciphertext
_______ is a process of determining the dependency of a business on certain information resources.
Business dependency assessment
An investigator of activities related to computer crime.
Cybercop
The person usually responsible for all security matters both physical and digital in an enterprise
Chief Information Security Officer (CSO)
An expenditure that is recorded as an asset because it is expected to benefit more than the current
period. The asset is then depreciated or amortized over the expected useful life of the asset
Capital expenditure/expense (CAPEX)
A response in which the system either automatically, or in concert with the user, blocks or otherwise
affects the progress of a detected attack.
Active response
Activities conducted in the name of security, business, politics or technology to find information that
ought to remain secret. It is not inherently military.
Cyberespionage
The calendar can contain “real” accounting periods and/or adjusting accounting periods. The “real”
accounting periods must not overlap and cannot have any gaps between them. Adjusting accounting
periods can overlap with other accounting periods.
Adjusting period
The individual responsible for identifying process requirements, approving process design and
managing process performance.
Business Process Owner
Within computer storage, the code used to designate the location of a specific piece of data
Address
System heavily fortified against attacks
Bastion
A holistic and proactive approach to managing the transition from a current to a desired
organizational state, focusing specifically on the critical human or “soft” elements of
change
Change management
A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.
Computer emergency response team (CERT)
A plan used by an enterprise to respond to disruption of critical business processes. Depends on the
contingency plan for restoration of critical systems.
Business continuity plan (BCP)
Occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.
Buffer overflow
A transmission signal that varies continuously in amplitude and time and is generated in wave
formation.
Analog
The act of verifying identity, i.e., user, system.
Authentication
A technique of reading a computer file while bypassing the internal file/data set label. This process
could result in bypassing of the security access control system.
Bypass label processing (BLP)
The person in charge of information security within the enterprise
Chief Information Security Officer (CISO)
Members of the operations area who are responsible for the collection, logging and submission of
input for the various user groups.
Control Group
Memory reserved to temporarily hold data to offset differences between the operating speeds of
different devices, such as a printer and a computer.
Buffer
Which of the following devices could potentially stop a Structured Query Language (SQL) injection attack?
A. An intrusion prevention system (IPS)
B. An intrusion detection system (IDS)
C. A host-based intrusion detection system (HIDS)
D. A host-based firewall
Answer : A
Explanation: SQL injection attacks occur at the application layer. Most IPS vendors will detect at least basic sets of SQL injection and will be able to stop them. IDS will detect, but not prevent. HIDS will be unaware of SQL injection problems. A host-based firewall, be it on the web server or the database server, will allow the connection because firewalls do not check packets at an application layer.
The recovery point objective (RPO) requires which of the following?
A. Disaster declaration
B. Before-image restoration
C. System restoration
D. After-image processing
Answer : B
Explanation: The recovery point objective (RPO) is the point in the processing flow at which system recovery should occur. This is the predetermined state of the application processing and data used to restore the system and to continue the processing flow. Disaster declaration is independent of this processing checkpoint. Restoration of the system can occur at a later date, as does the return to normal, after-image processing.
A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
A. meet with stakeholders to decide how to comply.
B. analyze key risks in the compliance process.
C. assess whether existing controls meet the regulation.
D. update the existing security/privacy policy.
Answer : C
Explanation: If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap.
Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?
A. Regular review of access control lists
B. Security guard escort of visitors
C. Visitor registry log at the door
D. A biometric coupled with a PIN
Answer : A
Explanation: A review of access control lists is a detective control that will enable an information security manager to ensure that authorized persons are entering in compliance with corporate policy. Visitors accompanied by a guard will also provide assurance but may not be cost effective. A visitor registry is the next most cost-effective control. A biometric coupled with a PIN will strengthen the access control; however, compliance assurance logs will still have to be reviewed.
Who is responsible for ensuring that information is categorized and that specific protective measures are taken?
A. The security officer
B. Senior management
C. The end user
D. The custodian
Answer : B
Explanation: Routine administration of all aspects of security is delegated, but top management must retain overall responsibility. The security officer supports and implements information security for senior management. The end user does not perform categorization. The custodian supports and implements information security measures as directed.
An organization’s information security manager has been asked to hire a consultant to help assess the maturity level of the organization’s information security management. The MOST important element of the request for proposal (RFP) is the:
A. references from other organizations.
B. past experience of the engagement team.
C. sample deliverable.
D. methodology used in the assessment
Answer : D
Explanation: Methodology illustrates the process and formulates the basis to align expectations and the execution of the assessment. This also provides a picture of what is required of all parties involved in the assessment. References from other organizations are important, but not as important as the methodology used in the assessment. Past experience of the engagement team is not as important as the methodology used. Sample deliverables only tell how the assessment is presented, not the process.
Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers?
A. Daily
B. Weekly
C. Concurrently with O/S patch updates
D. During scheduled change control updates
Answer : A
Explanation: New viruses are being introduced almost daily. The effectiveness of virus detection software depends on frequent updates to its virus signatures, which are stored on antivirus signature files so updates may be carried out several times during the day. At a minimum, daily updating should occur. Patches may occur less frequently. Weekly updates may potentially allow new viruses to infect the system.
Which of the following would be the MOST significant security risk in a pharmaceutical institution?
A. Compromised customer information
B. Unavailability of online transactions
C. Theft of security tokens
D. Theft of a Research and Development laptop
Answer : D
Explanation: The research and development department is usually the most sensitive area of a pharmaceutical organization. Theft of a laptop from this area could result in the disclosure of sensitive formulas and other intellectual property, which could represent the greatest security breach. A pharmaceutical organization does not normally have direct contact with end customers, and their transactions are not time critical; therefore, compromised customer information and unavailability of online transactions are not the most significant security risks. Theft of security tokens would not be as significant since a PIN would still be required for their use.
Who should be responsible for enforcing access rights to application data?
A. Data owners
B. Business process owners
C. The security steering committee
D. Security administrators
Answer : D
Explanation: As custodians, security administrators are responsible for enforcing access rights to data. Data owners are responsible for approving these access rights. Business process owners are sometimes the data owners as well, and would not be responsible for enforcement. The security steering committee would not be responsible for enforcement.