CISM Definitions Flashcards by Host Mom

_____ is a binary-to-text encoding process that converts long bit sequences into
alphanumeric text.

Base64 Encoding

How well did you know this?

Not at all

Perfectly

Description of the logical grouping of capabilities that manage the objects necessary to process
information and support the enterprise’s objectives.

Application architecture

How well did you know this?

Not at all

Perfectly

A tool for managing organizational strategy that uses weighted measures for the areas of financial
performance (lag) indicators, internal operations, customer measurements, learning and growth
(lead) indicators, combined to rate the enterprise

Business balanced scorecard

How well did you know this?

Not at all

Perfectly

An application software deployed at multiple points in an IT architecture. It is designed to detect and
potentially eliminate virus code before damage is done and repair or quarantine files that have
already been infected.

Antivirus software

How well did you know this?

Not at all

Perfectly

Logical and physical controls to define a perimeter between the organization and the outside world

Boundary

How well did you know this?

Not at all

Perfectly

Preventing, mitigating and recovering from disruption

Continuity

How well did you know this?

Not at all

Perfectly

The translation of the enterprise’s mission from a statement of intention into performance targets
and results

Business goal

How well did you know this?

Not at all

Perfectly

An algorithm to perform encryption

Cipher

How well did you know this?

Not at all

Perfectly

All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes.

Bus configuration

How well did you know this?

Not at all

Perfectly

The technique used for selecting records in a file, one at a time, for processing, retrieval or
storage.The access method is related to, but distinct from, the file organization, which determines
how the records are stored.

Access Method

How well did you know this?

Not at all

Perfectly

_____ is a way to identify, acquire and retain customers. _____ is also an industry term for software solutions
that help an enterprise manage customer relationships in an organized manner.

Customer relationship management (CRM)

How well did you know this?

Not at all

Perfectly

Any process that directly reduces a threat or vulnerability.

Countermeasure

How well did you know this?

Not at all

Perfectly

An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing.

Abend

How well did you know this?

Not at all

Perfectly

A mechanism that is used to isolate applications from each other within the context of a running
operating system instance.

Application containerization

How well did you know this?

Not at all

Perfectly

The examination of ratios, trends, and changes in balances and other values between periods to
obtain a broad understanding of the enterprise’s financial or operational position and to identify
areas that may require further or closer investigation

Analytical technique

How well did you know this?

Not at all

Perfectly

Automatic or manual process designed and established to continue critical business processes from point-of-failure to return-to-normal.

Alternative routing

How well did you know this?

Not at all

Perfectly

The process of cost allocation that assigns the original cost of an intangible asset to the periods benefited; calculated in the same way as depreciation.

Amortization

How well did you know this?

Not at all

Perfectly

A third party that delivers and manages applications and computer services, including security
services to multiple users via the Internet or a private network.

Application or managed service provider (ASP/MSP)

How well did you know this?

Not at all

Perfectly

Device that performs the functions of both a bridge and a router.

Brouter

How well did you know this?

Not at all

Perfectly

An internal computerized table of access rules regarding the levels of computer access permitted to logon ID and computer terminals. Also referred to as conrol tables

Access Control List (ACL)

How well did you know this?

Not at all

Perfectly

A program that translates programming language (source code) into machine executable instructions
(object code).

Compiler

How well did you know this?

Not at all

Perfectly

A method/process by which management and staff of all levels collectively identify and evaluate risk
and controls with their business areas. This may be under the guidance of a facilitator such as an
auditor or risk manager.

Control risk self-assessment

How well did you know this?

Not at all

Perfectly

The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
A. storage capacity and shelf life.
B. regulatory and legal requirements.
C. business strategy and direction.
D. application systems and media.

Answer : D
Explanation: Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover. Business strategy and direction do not generally apply, nor do legal and regulatory requirements. Storage capacity and
shelf life are important but secondary issues

How well did you know this?

Not at all

Perfectly

Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives.

Balanced scorecard (BSC)

How well did you know this?

Not at all

Perfectly

A public algorithm that operates on plaintext in blocks (strings or groups) of bits

Cipher

An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals.

Access control table

A process for protecting very-high value assets or in environments where trust is an issue. Access to an asset requires two or more processes, controls or individuals.

Compartmentalization

A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message

Asymmetric key (public key)

A trusted third party that serves authentication infrastructures or enterprises and registers entities and issues them certificates

Certificate (Certification) authority (CA)

Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system

Business impact analysis/assessment (BIA)

The process of establishing the effective design and operation of automated controls within an application.

Application benchmarking

The individual accountable for delivering the benefits and value of an IT-enabled business investment program to the enterprise.

Business sponsor

``` A method of user authentication that is carried out through use of the Challenge Handshake Authentication Protocol (CHAP). ```

Challenge/response token

An alternate facility to continue IT/IS operations when the primary data processing (DP) center is unavailable.

Backup center

The system by which enterprises are directed and controlled. The board of directors is responsible for the governance of their enterprise. It consists of the leadership and organizational structures and processes that ensure the enterprise sustains and extends strategies and objectives.

Corporate Governance

A public algorithm that supports keys from 128 bits to 256 bits in size

Advanced Encryption Standard (AES)

The thorough analysis and significant redesign of business processes and management systems to establish a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings.

Business process reengineering (BPR)

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that a business process will achieve its objectives.

Business process control

The individual, group or entity that is ultimately responsible for a subject matter, process or scope.

Accountable party

The processes, rules, and deployment mechanisms that control access to the information systems, resources, and physical access to premises

Access Control

The risk of reaching an incorrect conclusion based upon audit findings.

Audit risk

A type of challenge-response test used in computing to ensure that the response is not generated by a computer. An example is the site request for web site users to recognize and type a phrase posted using various challenging-to-read fonts

Completely Automated Public Touring test to tell Computers and Humans Apart (CAPTCHA)

A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly by the receiver without errors, or that the receiver is now ready to accept a transmission.

Acknowledgment (ACK)

This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.

Continuous audit approach

Process of developing advance arrangements and procedures that enable an enterprise to respond to an event that could occur by chance or unforeseen circumstances.

Contingency Planning

The highest ranking individual in an enterprise

Chief executive officer (CEO)

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented or detected.

Business control

An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place.

Cold site

The individual primarily responsible for managing the financial risk of an enterprise.

Chief financial officer (CFO)

Which of the following is the BEST method or technique to ensure the effective implementation of an information security program? A. Obtain the support of the board of directors. B. Improve the content of the information security awareness program. C. Improve the employees' knowledge of security policies. D. Implement logical access controls to the information systems.

Answer : A Explanation: It is extremely difficult to implement an information security program without the aid and support of the board of directors. If they do not understand the importance of security to the achievement of the business objectives, other measures will not be sufficient. Options B and (' are measures proposed to ensure the efficiency of the information security program implementation, but are of less significance than obtaining the aid and support of the board of directors. Option D is a measure to secure the enterprise information, but by itself is not a measure to ensure the broader effectiveness of an information security program

The most senior official of the enterprise who is accountable for IT advocacy, aligning IT and business strategies, and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources

Chief information officer (CIO)

Common path or channel between hardware devices.

Bus

A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process.

Control objective

A catalogue of attack patterns as “an abstraction mechanism for helping describe how an attack against vulnerable systems or networks is executed” published by the MITRE Corporation

Common Attack Pattern Enumeration and Classification (CAPEC)

The consolidation in 1998 of the "Cadbury," "Greenbury" and "Hampel" Reports

Combined Code on Corporate Governance

``` An outcome of effective security governance is: A. business dependency assessment B. strategic alignment. C. risk assessment. D. planning ```

Answer : B Explanation: Business dependency assessment is a process of determining the dependency of a business on certain information resources. It is not an outcome or a product of effective security management. Strategic alignment is an outcome of effective security governance. Where there is good governance, there is likely to be strategic alignment. Risk assessment is not an outcome of effective security governance; it is a process. Planning comes at the beginning of effective security governance, and is not an outcome but a process.

The existing description of the fundamental underlying design of the components of the business system before entering a cycle of architecture review and redesign

Baseline architecture

Any formal declaration or set of declarations about the subject matter made by management.

Assertion

The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature

Control

A service that connects programs running on internal networks to services on exterior networks by creating two connections, one from the requesting client and another to the destination service

Application proxy

______ is a binary-to-text encoding process that converts long bit sequences into alphanumeric text, which is easier for users

Base58 Encoding

Who is ultimately responsible for the organization's information? A. Data custodian B. Chief information security officer (CISO) C. Board of directors D. Chief information officer (CIO)

Answer : C Explanation: The board of directors is ultimately responsible for the organization's information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management's directives. The chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization's information.

The Committee on the Financial Aspects of Corporate Governance, set up in May 1991 by the UK Financial Reporting Council, the London Stock Exchange and the UK accountancy profession, was chaired by Sir Adrian Cadbury and produced a report on the subject commonly known in the UK as the Cadbury Report.

Cadbury

Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage.

Batch control

A proven activity or process that has been successfully used by multiple enterprises.

Best practices

Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met

Audit

Automatic or manual process designed and established to continue critical business processes from point-of-failure to return-to-normal.

Alternate process

A process to determine the impact of losing the support of any resource.

Business impact analysis

Adherence to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies

Compliance

A recovery strategy that involves two active sites, each capable of taking over the other's workload in the event of a disaster.

Active recovery site (Mirrored)

A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law

Chain of custody

The net effect, positive or negative, on the achievement of business objectives.

Business impact

Senior management commitment and support for information security can BEST be obtained through presentations that: A. use illustrative examples of successful attacks. B. explain the technical risks to the organization. C. evaluate the organization against best security practices. D. tie security risks to key business objectives.

Answer : D Explanation: Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives. Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the impact on business environment and objectives. Industry best practices are important to senior management but, again, senior management will give them the right level of importance when they are presented in terms of key business objectives.

Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support enterprise objectives.

Architecture

Provides centralized access control for managing remote access dial-up services

Access server

A type of malicious exploit of a web site whereby unauthorized commands are transmitted from a user that the web site trusts (also known as a one-click attack or session riding); acronym pronounced "sea-surf".

Cross-site request forgery (CSRF)

Most implementations of asymmetric ciphers combine a widely distributed public key and a closely held, protected private key.

Asymmetric cipher

Method to select a portion of a population based on the presence or absence of a certain characteristic

Attribute sampling

A process of identifying resources critical to the operation of a business process.

Business dependency assessment

Any event, whether anticipated (i.e., public service strike) or unanticipated (i.e., blackout) that disrupts the normal course of business operations at an enterprise.

Business interruption

A document approved by those charged with governance that defines the purpose, authority and responsibility of the internal audit activity

Audit Charter

A term derived from “robot network;” is a large automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks such as a denial-of-service attack on selected victims

Botnet

A probable situation with uncertain frequency and magnitude of loss (or gain).

Business Risk

An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility

Certificate revocation list (CRL)

``` The MOST complete business case for security solutions is one that. A. includes appropriate justification. B. explains the current risk profile. C. details regulatory requirements. D. identifies incidents and losses ```

Answer : A Explanation: Management is primarily interested in security solutions that can address risks in the most cost-effective way. To address the needs of an organization, a business case should address appropriate security solutions in line with the organizational strategy.

The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies.

Administrative control

A class of algorithms that repeatedly try all possible combinations until a solution is found.

Brute force

Component of an infrastructure-or an item, such as a request for change, associated with an infrastructure-which is (or is to be) under the control of configuration management

Configuration Item (CI)

A further development of the business goals into tactical targets and desired results and outcomes.

Business objective

The art of designing, analyzing and attacking cryptographic schemes

Cryptography

Measure of interconnectivity among structure of software programs. Coupling depends on the interface complexity between modules.

Coupling

The method used to identify the location of a participant in a network.

Addressing

The main actions taken to operate the COBIT process.

Activity

``` Interfaces at the physical layer of the open systems interconnection (OSI) reference model, data terminal equipment (DTE) to data circuit terminating equipment (DCE), for switched carrier networks ```

Channel service unit/digital service unit (CSU/DSU)

A plan used by an enterprise or business unit to respond to a specific systems failure or disruption

Contingency Plan

A means of regaining access to a compromised system by installing software or configuring existing software to enable remote access under attacker-defined conditions

Backdoor

Testing an application with large quantities of data to evaluate its performance during peak periods. Also called volume testing.

Capacity Stress Testing

A type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites

Cross-site scripting (XSS)

The point in an emergency procedure when the elapsed time passes a threshold and the interruption is not resolved.

Alert situation

The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise's business objective

Acceptable interruption window

The boundary defining the scope of control authority for an entity

Control perimeter

Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information.

Confidentiality

The PRIMARY benefit of performing an information asset classification is to: A. link security requirements to business objectives. B. identify controls commensurate to risk. C. define access rights. D. establish ownership

Answer : B Explanation: All choices are benefits of information classification. However, identifying controls that are proportional to the risk in all cases is the primary benefit of the process

Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle

Business case

A test that has been designed to evaluate the performance of a system

Benchmark

Unusual or statistically rare.

Anomaly

A recurring journal entry used to allocate revenues or costs

Allocation entry

A distributed, protected journaling and ledger system. Use of blockchain technologies can enable anything from digital currency (e.g. Bitcoin) to any other value-bearning transaction.

Blockchain

The control of changes to a set of configuration items over a system life cycle.

Configuration Management

Data that is not encrypted. Also known as plaintext

Cleartext

A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion.

Audit Plan

The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls

Control Risk

A policy that establishes an agreement between users and the enterprise and defines for all parties the range of use that are approved before gaining access to a network or the internet

Acceptable Use Policy

Contains the essential elements of effective processes for one or more disciplines.It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness

Capability Maturity Model (CMM)

In the Open Systems Interconnection (OSI) communications model, the application layer provides services for an application program to ensure that effective communication with another application program in a network is possible

Application layer

Responsible for coordinating the planning, development, implementation, maintenance and monitoring of the information security program.

Corporate Security Officer (CSO)

The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy.

Access rights

Nonstop service, with no lapse in service; the highest level of service in which no downtime is allowed.

Continuous availability

A standardized body of data created for testing purposes.

Base case

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors (NIST SP800- 61).

Advanced persistent threat (APT)

The senior executive responsible for managing the day-to-day operations of a company or other institution.

Chief Operating Officer (COO)

An application service provider (ASP) that also provides outsourcing of business processes such as payment processing, sales order processing and application development.

Business service provider (BSP)

Reduction of signal strength during transmission

Attenuation

______ is now used only as the acronym in its fifth iteration. A complete, internationally accepted framework for governing and managing enterprise information and technology (IT) that supports enterprise executives and management in their definition and achievement of business goals and related IT goals. _____ describes five principles and seven enablers that support enterprises in the development, implementation, and continuous improvement and monitoring of good IT-related governance and management practices

COBIT

The ability to map a given activity or event back to the responsible party

Accountability

The logical route that an end user takes to access computerized information.

Scope Notes: Typically includes a route through the operating system, telecommunications software, selected application software and the access control system.

Access path

The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second).

Bandwidth

Locations and infrastructures from which emergency or backup processes are executed, when the main premises are unavailable or destroyed.

Alternate facilities

A software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used.

Adware

A holistic and business-oriented model that supports enterprise governance and management information security, and provides a common language for information security professionals and business management.

Business Model for Information Security (BMIS)

Actions taken to limit exposure after an incident has been identified and confirmed

Containment

A message kept in the web browser for the purpose of identifying users and possibly preparing customized web pages for them

The individual who focuses on technical issues in an enterprise

Chief technology officer (CTO)

The number of distinct locations that may be referred to with the machine address.

Address space

A discussion document that sets out an "enterprise governance model" focusing strongly on both the enterprise business goals and the information technology enablers that facilitate good enterprise governance, published by the Information Systems Audit and Control Foundation in 1999.

Control Objectives for Enterprise Governance

The PRIMARY concern of an information security manager documenting a formal data retention policy would be: A. generally accepted industry best practices. B. business requirements. C. legislative and regulatory requirements. D. storage availability.

Answer : B Explanation: The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement. Best practices may be a useful guide but not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant since whatever is needed must be provided

A code whose representation is limited to 0 and 1.

Binary code

Information generated by an encryption algorithm to protect the plaintext and that is unintelligible to the unauthorized reader.

Ciphertext

_______ is a process of determining the dependency of a business on certain information resources.

Business dependency assessment

An investigator of activities related to computer crime.

Cybercop

The person usually responsible for all security matters both physical and digital in an enterprise

Chief Information Security Officer (CSO)

An expenditure that is recorded as an asset because it is expected to benefit more than the current period. The asset is then depreciated or amortized over the expected useful life of the asset

Capital expenditure/expense (CAPEX)

A response in which the system either automatically, or in concert with the user, blocks or otherwise affects the progress of a detected attack.

Active response

Activities conducted in the name of security, business, politics or technology to find information that ought to remain secret. It is not inherently military.

Cyberespionage

The calendar can contain "real" accounting periods and/or adjusting accounting periods. The "real" accounting periods must not overlap and cannot have any gaps between them. Adjusting accounting periods can overlap with other accounting periods.

Adjusting period

The individual responsible for identifying process requirements, approving process design and managing process performance.

Business Process Owner

Within computer storage, the code used to designate the location of a specific piece of data

Address

System heavily fortified against attacks

Bastion

A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or "soft" elements of change

Change management

A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency.This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.

Computer emergency response team (CERT)

A plan used by an enterprise to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems.

Business continuity plan (BCP)

Occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

Buffer overflow

Answer : B Explanation: All choices are benefits of information classification. However, identifying controls that are proportional to the risk in all cases is the primary benefit of the process

A transmission signal that varies continuously in amplitude and time and is generated in wave formation.

Analog

The act of verifying identity, i.e., user, system.

Authentication

A technique of reading a computer file while bypassing the internal file/data set label. This process could result in bypassing of the security access control system.

Bypass label processing (BLP)

The person in charge of information security within the enterprise

Chief Information Security Officer (CISO)

Members of the operations area who are responsible for the collection, logging and submission of input for the various user groups.

Control Group

Memory reserved to temporarily hold data to offset differences between the operating speeds of different devices, such as a printer and a computer.

Buffer

Which of the following devices could potentially stop a Structured Query Language (SQL) injection attack? A. An intrusion prevention system (IPS) B. An intrusion detection system (IDS) C. A host-based intrusion detection system (HIDS) D. A host-based firewall

Answer : A Explanation: SQL injection attacks occur at the application layer. Most IPS vendors will detect at least basic sets of SQL injection and will be able to stop them. IDS will detect, but not prevent I IIDS will be unaware of SQL injection problems. A host-based firewall, be it on the web server or the database server, will allow the connection because firewalls do not check packets at an application layer.

``` The recovery point objective (RPO) requires which of the following? A. Disaster declaration B. Before-image restoration C. System restoration D. After-image processing ```

Answer : B Explanation: The recovery point objective (RPO) is the point in the processing flow at which system recovery should occur. This is the predetermined state of the application processing and data used to restore the system and to continue the processing flow. Disaster declaration is independent of this processing checkpoint. Restoration of the system can occur at a later date, as does the return to normal, after-image processing.

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST: A. meet with stakeholders to decide how to comply. B. analyze key risks in the compliance process. C. assess whether existing controls meet the regulation. D. update the existing security/privacy policy.

Answer : C Explanation: If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap.

Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices? A. Regular review of access control lists B. Security guard escort of visitors C. Visitor registry log at the door D. A biometric coupled with a PIN

Answer : A Explanation: A review of access control lists is a detective control that will enable an information security manager to ensure that authorized persons are entering in compliance with corporate policy. Visitors accompanied by a guard will also provide assurance but may not be cost effective. A visitor registry is the next cost-effective control. A biometric coupled with a PIN will strengthen the access control; however, compliance assurance logs will still have to be reviewed

``` Who is responsible for ensuring that information is categorized and that specific protective measures are taken? A. The security officer B. Senior management C. The end user D. The custodian ```

Answer : B Explanation: Routine administration of all aspects of security is delegated, but top management must retain overall responsibility. The security officer supports and implements information security for senior management. The end user does not perform categorization. The custodian supports and implements information security measures as directed.

An organization's information security manager has been asked to hire a consultant to help assess the maturity level of the organization's information security management. The MOST important element of the request for proposal (RIP) is the: A. references from other organizations. B. past experience of the engagement team. C. sample deliverable. D. methodology used in the assessment

Answer : D Explanation: Methodology illustrates the process and formulates the basis to align expectations and the execution of the assessment. This also provides a picture of what is required of all parties involved in the assessment. References from other organizations are important, but not as important as the methodology used in the assessment. Past experience of the engagement team is not as important as the methodology used. Sample deliverable s only tell how the assessment is presented, not the process.

Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers? A. Daily B. Weekly C. Concurrently with O/S patch updates D. During scheduled change control updates

Answer : A Explanation: New viruses are being introduced almost daily. The effectiveness of virus detection software depends on frequent updates to its virus signatures, which are stored on antivirus signature files so updates may be carried out several times during the day. At a minimum, daily updating should occur. Patches may occur less frequently. Weekly updates may potentially allow new viruses to infect the system.

Which of the following would be the MOST significant security risk in a pharmaceutical institution? A. Compromised customer information B. Unavailability of online transactions C. Theft of security tokens D. Theft of a Research and Development laptop

Answer : D Explanation: The research and development department is usually the most sensitive area of the pharmaceutical organization, Theft of a laptop from this area could result in the disclosure of sensitive formulas and other intellectual property which could represent the greatest security breach. A pharmaceutical organization does not normally have direct contact with end customers and their transactions are not time critical: therefore, compromised customer information and unavailability of online transactions are not the most significant security risks. Theft of security tokens would not be as significant since a pin would still be required for their use.

Who should be responsible for enforcing access rights to application data? a. Data Owners b. Business process owners c. The security steering committee d. Security Administrators

Answer: D As custodians, security administrators are responsible for enforcing access rights to data. Data owners are responsible for approving these access rights. Business process owners are sometimes the data owners as well, and would not be responsible for enforcement. The security steering committee would not be responsible for enforcement