CISM Practice B Topic 2 Flashcards
A risk mitigation report would include recommendations for:
assessment.
acceptance.
evaluation.
quantification.
acceptance.
A risk management program should reduce risk to:
zero.
an acceptable level.
an acceptable percent of revenue.
an acceptable probability of occurrence.
an acceptable level.
The MOST important reason for conducting periodic risk assessments is because:
risk assessments are not always precise.
security risks are subject to frequent change.
reviewers can optimize and reduce the cost of controls.
it demonstrates to senior management that the security function can add value.
security risks are subject to frequent change.
Which of the following BEST indicates a successful risk management practice?
Overall risk is quantified
Inherent risk is eliminated
Residual risk is minimized
Control risk is tied to business units
Residual risk is minimized
Which of the following would generally have the GREATEST negative impact on an organization?
Theft of computer software
Interruption of utility services
Loss of customer confidence
Internal fraud resulting in monetary loss
Loss of customer confidence
A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures?
Risk analysis results
Audit report findings
Penetration test results
Amount of IT budget available
Risk analysis results
Which of the following will BEST protect an organization from internal security attacks?
Static IP addressing
Internal address translation
Prospective employee background checks
Employee awareness certification program
Prospective employee background checks
For risk management purposes, the value of an asset should be based on:
original cost.
net cash flow.
net present value.
replacement cost.
replacement cost.
In a business impact analysis, the value of an information system should be based on the overall cost:
of recovery.
to recreate.
if unavailable.
of emergency operations.
if unavailable.
Acceptable risk is achieved when:
residual risk is minimized.
transferred risk is minimized.
control risk is minimized.
inherent risk is minimized.
residual risk is minimized.
The value of information assets is BEST determined by:
individual business managers.
business systems analysts.
information security management.
industry averages benchmarking.
individual business managers.
During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?
Feasibility
Design
Development
Testing
Feasibility
The MOST effective way to incorporate risk management practices into existing production systems is through:
policy development.
change management.
awareness training.
regular monitoring.
change management.
Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)?
Gap analysis
Regression analysis
Risk analysis
Business impact analysis
Business impact analysis
The recovery time objective (RTO) is reached at which of the following milestones?
Disaster declaration
Recovery of the backups
Restoration of the system
Return to business as usual processing
Restoration of the system
Which of the following results from the risk assessment process would BEST assist risk management decision making?
Control risk
Inherent risk
Risk exposure
Residual risk
Residual risk
The decision on whether new risks should fall under periodic or event-driven reporting should be based on which of the following?
Mitigating controls
Visibility of impact
Likelihood of occurrence
Incident frequency
Visibility of impact
Risk acceptance is a component of which of the following?
Assessment
Mitigation
Evaluation
Monitoring
Mitigation
Risk management programs are designed to reduce risk to:
a level that is too small to be measurable.
the point at which the benefit exceeds the expense.
a level that the organization is willing to accept.
a rate of return that equals the current cost of capital.
a level that the organization is willing to accept.
A risk assessment should be conducted:
once a year for each business process and subprocess.
every three to six months for critical business processes.
by external parties to maintain objectivity.
annually or whenever there is a significant change.
annually or whenever there is a significant change.
The MOST important function of a risk management program is to:
quantify overall risk.
minimize residual risk.
eliminate inherent risk.
maximize the sum of all annualized loss expectancies (ALEs).
minimize residual risk.
Which of the following risks would BEST be assessed using qualitative risk assessment techniques?
Theft of purchased software
Power outage lasting 24 hours
Permanent decline in customer confidence
Temporary loss of e-mail due to a virus attack
Permanent decline in customer confidence
Which of the following will BEST prevent external security attacks?
Static IP addressing
Network address translation
Background checks for temporary employees
Securing and analyzing system access logs
Network address translation
In performing a risk assessment on the impact of losing a server, the value of the server should be calculated using the:
original cost to acquire.
cost of the software stored.
annualized loss expectancy (ALE).
cost to obtain a replacement.
cost to obtain a replacement.
A business impact analysis (BIA) is the BEST tool for calculating:
total cost of ownership.
priority of restoration.
annualized loss expectancy (ALE).
residual risk.
priority of restoration.
When residual risk is minimized:
acceptable risk is probable.
transferred risk is acceptable.
control risk is reduced.
risk is transferable.
acceptable risk is probable.
Quantitative risk analysis is MOST appropriate when assessment data:
include customer perceptions.
contain percentage estimates.
do not contain specific details.
contain subjective information.
contain percentage estimates.
Which of the following is the MOST appropriate use of gap analysis?
Evaluating a business impact analysis (BIA)
Developing a balanced business scorecard
Demonstrating the relationship between controls
Measuring current state vs. desired future state
Measuring current state vs. desired future state
Identification and prioritization of business risk enables project managers to:
establish implementation milestones.
reduce the overall amount of slack time.
address areas with most significance.
accelerate completion of critical paths.
address areas with most significance.
A risk analysis should:
include a benchmark of similar companies in its scope.
assume an equal degree of protection for all assets.
address the potential size and likelihood of loss.
give more weight to the likelihood vs. the size of the loss.
address the potential size and likelihood of loss.
The recovery point objective (RPO) requires which of the following?
Disaster declaration
Before-image restoration
System restoration
After-image processing
Before-image restoration
Based on the information provided, which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations?
Systems operation procedures are not enforced
Change management procedures are poor
Systems development is outsourced
Systems capacity management is not performed
Change management procedures are poor
Which of the following BEST describes the scope of risk analysis?
Key financial systems
Organizational activities
Key systems and infrastructure
Systems subject to regulatory compliance
Organizational activities
The decision as to whether a risk has been reduced to an acceptable level should be determined by:
organizational requirements.
information systems requirements.
information security requirements.
international standards.
organizational requirements.
Which of the following is the PRIMARY reason for implementing a risk management program?
Allows the organization to eliminate risk
Is a necessary part of management’s due diligence
Satisfies audit and regulatory requirements
Assists in incrementing the return on investment (ROI)
Is a necessary part of management’s due diligence
Which of the following groups would be in the BEST position to perform a risk analysis for a business?
External auditors
A peer group within a similar business
Process owners
A specialized management consultant
Process owners
A successful risk management program should lead to:
optimization of risk reduction efforts against cost.
containment of losses to an annual budgeted amount.
identification and removal of all man-made threats.
elimination or transference of all organizational risks.
optimization of risk reduction efforts against cost.
Which of the following risks would BEST be assessed using quantitative risk assessment techniques?
Customer data stolen
An electrical power outage
A web site defaced by hackers
Loss of the software development team
An electrical power outage
The impact of losing frame relay network connectivity for 18-24 hours should be calculated using the:
hourly billing rate charged by the carrier.
value of the data transmitted over the network.
aggregate compensation of all affected business users.
financial losses incurred by affected business units.
financial losses incurred by affected business units.
Which of the following is the MOST usable deliverable of an information security risk analysis?
Business impact analysis (BIA) report
List of action items to mitigate risk
Assignment of risks to process owners
Quantification of organizational risk
List of action items to mitigate risk
Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following?
Tree diagrams
Venn diagrams
Heat charts
Bar charts
Heat charts
Who would be in the BEST position to determine the recovery point objective (RPO) for business applications?
Business continuity coordinator
Chief operations officer (COO)
Information security manager
Internal audit
Chief operations officer (COO)
Which two components PRIMARILY must be assessed in an effective risk analysis?
Visibility and duration
Likelihood and impact
Probability and frequency
Financial impact and duration
Likelihood and impact
Information security managers should use risk assessment techniques to:
justify selection of risk mitigation strategies.
maximize the return on investment (ROI).
provide documentation for auditors and regulators.
quantify risks that would otherwise be subjective.
justify selection of risk mitigation strategies.
In assessing risk, it is MOST essential to:
provide equal coverage for all asset types.
use benchmarking data from similar organizations.
consider both monetary value and likelihood of loss.
focus primarily on threats and recent business losses.
consider both monetary value and likelihood of loss.
When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify:
the information security steering committee.
customers who may be impacted.
data owners who may be impacted.
regulatory agencies overseeing privacy.
data owners who may be impacted.
Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas?
Platform security
Entitlement changes
Intrusion detection
Antivirus controls
Entitlement changes
The PRIMARY goal of a corporate risk management program is to ensure that an organization’s:
IT assets in key business functions are protected.
business risks are addressed by preventive controls.
stated objectives are achievable.
IT facilities and systems are always available.
stated objectives are achievable.
It is important to classify and determine relative sensitivity of assets to ensure that:
cost of protection is in proportion to sensitivity.
highly sensitive assets are protected.
cost of controls is minimized.
countermeasures are proportional to risk.
countermeasures are proportional to risk.
The service level agreement (SLA) for an outsourced IT function does not reflect an adequate level of protection. In this situation an information security manager should:
ensure the provider is made liable for losses.
recommend not renewing the contract upon expiration.
recommend the immediate termination of the contract.
determine the current level of security.
determine the current level of security.
An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the:
threat.
loss.
vulnerability.
probability.
vulnerability.
When performing a quantitative risk analysis, which of the following is MOST important to estimate the potential loss?
Evaluate productivity losses
Assess the impact of confidential data disclosure
Calculate the value of the information or asset
Measure the probability of occurrence of each threat
Calculate the value of the information or asset
Before conducting a formal risk assessment of an organization’s information resources, an information security manager should FIRST:
map the major threats to business objectives.
review available sources of risk information.
identify the value of the critical assets.
determine the financial impact if threats materialize.
map the major threats to business objectives.
The valuation of IT assets should be performed by:
an IT security manager.
an independent security consultant.
the chief financial officer (CFO).
the information owner.
the information owner.
The PRIMARY objective of a risk management program is to:
minimize inherent risk.
eliminate business risk.
implement effective controls.
minimize residual risk.
minimize residual risk.
After completing a full IT risk assessment, who can BEST decide which mitigating controls should be implemented?
Senior management
Business manager
IT audit manager
Information security officer (ISO)
Business manager
When performing an information risk analysis, an information security manager should FIRST:
establish the ownership of assets.
evaluate the risks to the assets.
take an asset inventory.
categorize the assets.
take an asset inventory.
The PRIMARY benefit of performing an information asset classification is to:
link security requirements to business objectives.
identify controls commensurate to risk.
define access rights.
establish ownership.
identify controls commensurate to risk.
Which of the following is MOST essential for a risk management program to be effective?
Flexible security budget
Sound risk baseline
New risks detection
Accurate risk reporting
New risks detection
Which of the following attacks is BEST mitigated by utilizing strong passwords?
Man-in-the-middle attack
Brute force attack
Remote buffer overflow
Root kit
Brute force attack
Phishing is BEST mitigated by which of the following?
Security monitoring software
Encryption
Two-factor authentication
User awareness
User awareness
The security responsibility of data custodians in an organization will include:
assuming overall protection of information assets.
determining data classification levels.
implementing security controls in products they install.
ensuring security measures are consistent with policy.
ensuring security measures are consistent with policy.
A security risk assessment exercise should be repeated at regular intervals because:
business threats are constantly changing.
omissions in earlier assessments can be addressed.
repetitive assessments allow various methodologies.
they help raise awareness on security in the business.
business threats are constantly changing.
Which of the following steps in conducting a risk assessment should be performed FIRST?
Identify business assets
Identify business risks
Assess vulnerabilities
Evaluate key controls
Identify business assets
The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:
periodically testing the incident response plans.
regularly testing the intrusion detection system (IDS).
establishing mandatory training of all personnel.
periodically reviewing incident response procedures.
periodically testing the incident response plans.
Which of the following risks is represented in the risk appetite of an organization?
Control
Inherent
Residual
Audit
Residual
Which of the following would a security manager establish to determine the target for restoration of normal processing?
Recovery time objective (RTO)
Maximum tolerable outage (MTO)
Recovery point objectives (RPOs)
Services delivery objectives (SDOs)
Recovery time objective (RTO)
A risk management program would be expected to:
remove all inherent risk.
maintain residual risk at an acceptable level.
implement preventive controls for every threat.
reduce control risk to zero.
maintain residual risk at an acceptable level.
Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?
Programming
Specification
User testing
Feasibility
Feasibility
Which of the following would help management determine the resources needed to mitigate a risk to the organization?
Risk analysis process
Business impact analysis (BIA)
Risk management balanced scorecard
Risk-based audit program
Business impact analysis (BIA)
A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that:
there are sufficient safeguards in place to prevent this risk from happening.
the needed countermeasure is too complicated to deploy.
the cost of countermeasure outweighs the value of the asset and potential loss.
the likelihood of the risk occurring is unknown.
the cost of countermeasure outweighs the value of the asset and potential loss.
Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?
Number of controls implemented
Percent of control objectives accomplished
Percent of compliance with the security policy
Reduction in the number of reported security incidents
Percent of control objectives accomplished
Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a large, multinational enterprise?
Strategic business plan
Upcoming financial results
Customer personal information
Previous financial results
Previous financial results
The PRIMARY purpose of using risk analysis within a security program is to:
justify the security expenditure.
help businesses prioritize the assets to be protected.
inform executive management of residual risk value.
assess exposures and plan remediation.
assess exposures and plan remediation.
Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?
Defining job roles
Performing a risk assessment
Identifying data owners
Establishing data retention policies
Identifying data owners
An online banking institution is concerned that the breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to:
mitigate the impact by purchasing insurance.
implement a circuit-level firewall to protect the network.
increase the resiliency of security measures in place.
implement a real-time intrusion detection system.
mitigate the impact by purchasing insurance.
What mechanisms are used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system?
Business impact analyses
Security gap analyses
System performance metrics
Incident response processes
Security gap analyses
A common concern with poorly written web applications is that they can allow an attacker to:
gain control through a buffer overflow.
conduct a distributed denial of service (DoS) attack.
abuse a race condition.
inject structured query language (SQL) statements.
inject structured query language (SQL) statements.
Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?
Historical cost of the asset
Acceptable level of potential business impacts
Cost versus benefit of additional mitigating controls
Annualized loss expectancy (ALE)
Cost versus benefit of additional mitigating controls
A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization’s local area network (LAN). What should the security manager do FIRST?
Understand the business requirements of the developer portal
Perform a vulnerability assessment of the developer portal
Install an intrusion detection system (IDS)
Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server
Understand the business requirements of the developer portal
A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account?
Prevent the system from being accessed remotely
Create a strong random password
Ask for a vendor patch
Track usage of the account by audit trails
Create a strong random password
Attackers who exploit cross-site scripting vulnerabilities take advantage of:
a lack of proper input validation controls.
weak authentication controls in the web application layer.
flawed cryptographic secure sockets layer (SSL) implementations and short key lengths.
implicit web application trust relationships.
a lack of proper input validation controls.
Which of the following would BEST address the risk of data leakage?
File backup procedures
Database integrity checks
Acceptable use policies
Incident response procedures
Acceptable use policies
A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected?
Access control policy
Data classification policy
Encryption standards
Acceptable use policy
Data classification policy
What is the BEST technique to determine which security controls to implement with a limited budget?
Risk analysis
Annualized loss expectancy (ALE) calculations
Cost-benefit analysis
Impact analysis
Cost-benefit analysis
A company’s mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?
A penetration test
A security baseline review
A risk assessment
A business impact analysis (BIA)
A risk assessment
Which of the following measures would be MOST effective against insider threats to confidential information?
Role-based access control
Audit trail monitoring
Privacy policy
Defense-in-depth
Role-based access control
Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company’s policies. An information security manager should:
conduct a risk assessment and allow or disallow based on the outcome.
recommend a risk assessment and implementation only if the residual risks are accepted.
recommend against implementation because it violates the company’s policies.
recommend revision of current policy.
recommend a risk assessment and implementation only if the residual risks are accepted.
After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:
increase its customer awareness efforts in those regions.
implement monitoring techniques to detect and react to potential fraud.
outsource credit card processing to a third party.
make the customer liable for losses if they fail to follow the bank’s advice.
implement monitoring techniques to detect and react to potential fraud.
The criticality and sensitivity of information assets is determined on the basis of:
threat assessment.
vulnerability assessment.
resource dependency assessment.
impact assessment.
impact assessment.
Which program element should be implemented FIRST in asset classification and control?
Risk assessment
Classification
Valuation
Risk mitigation
Valuation
When performing a risk assessment, the MOST important consideration is that:
management supports risk mitigation efforts.
annual loss expectations (ALEs) have been calculated for critical assets.
assets have been identified and appropriately valued.
attack motives, means and opportunities be understood.
assets have been identified and appropriately valued.
The MAIN reason why asset classification is important to a successful information security program is because classification determines:
the priority and extent of risk mitigation efforts.
the amount of insurance needed in case of loss.
the appropriate level of protection to the asset.
how protection levels compare to peer organizations.
the appropriate level of protection to the asset.
The BEST strategy for risk management is to:
achieve a balance between risk and organizational goals.
reduce risk to an acceptable level.
ensure that policy development properly considers organizational risks.
ensure that all unmitigated risks are accepted by management.
reduce risk to an acceptable level.
Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data?
Disclosure of personal information
Sufficient coverage of the insurance policy for accidental losses
Intrinsic value of the data stored on the equipment
Replacement cost of the equipment
Intrinsic value of the data stored on the equipment
An organization has to comply with recently published industry regulatory requirements - compliance that potentially has high implementation costs. What should the information security manager do FIRST?
Implement a security committee.
Perform a gap analysis.
Implement compensating controls.
Demand immediate compliance.
Perform a gap analysis.
Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?
Annual loss expectancy (ALE) of incidents
Frequency of incidents
Total cost of ownership (TCO)
Approved budget for the project
Total cost of ownership (TCO)
One way to determine control effectiveness is by determining:
whether it is preventive, detective or compensatory.
the capability of providing notification of failure.
the test results of intended objectives.
the evaluation and analysis of reliability.
the test results of intended objectives.
What does a network vulnerability assessment intend to identify?
0-day vulnerabilities
Malicious software and spyware
Security design flaws
Misconfiguration and missing updates
Misconfiguration and missing updates
Who is responsible for ensuring that information is classified?
Senior management
Security manager
Data owner
Custodian
Data owner
After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be:
transferred.
treated.
accepted.
terminated.
accepted.
When a significant security breach occurs, what should be reported FIRST to senior management?
A summary of the security logs that illustrates the sequence of events
An explanation of the incident and corrective action taken
An analysis of the impact of similar attacks at other organizations
A business case for implementing stronger logical access controls
An explanation of the incident and corrective action taken
The PRIMARY reason for initiating a policy exception process is when:
operations are too busy to comply.
the risk is justified by the benefit.
policy compliance would be difficult to enforce.
users may initially be inconvenienced.
the risk is justified by the benefit.
Which of the following would be the MOST relevant factor when defining the information classification policy?
Quantity of information
Available IT infrastructure
Benchmarking
Requirements of data owners
Requirements of data owners
To determine the selection of controls required to meet business objectives, an information security manager should:
prioritize the use of role-based access controls.
focus on key controls.
restrict controls to only critical applications.
focus on automated controls.
focus on key controls.
The MOST appropriate owner of customer data stored in a central database, used only by an organization’s sales department, would be the:
sales department.
database administrator.
chief information officer (CIO).
head of the sales department.
head of the sales department.
In assessing the degree to which an organization may be affected by new privacy legislation, information security management should FIRST:
develop an operational plan for achieving compliance with the legislation.
identify systems and processes that contain privacy components.
restrict the collection of personal information until compliant.
identify privacy legislation in other countries that may contain similar requirements.
identify systems and processes that contain privacy components.
Risk assessment is MOST effective when performed:
at the beginning of security program development.
on a continuous basis.
while developing the business case for the security program.
during the business change process.
on a continuous basis.
Which of the following is the MAIN reason for performing risk assessment on a continuous basis?
Justification of the security budget must be continually made.
New vulnerabilities are discovered every day.
The risk environment is constantly changing.
Management needs to be continually informed about emerging risks.
The risk environment is constantly changing.
There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
Identify the vulnerable systems and apply compensating controls
Minimize the use of vulnerable systems
Communicate the vulnerability to system users
Update the signatures database of the intrusion detection system (IDS)
Identify the vulnerable systems and apply compensating controls
Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?
Business impact analysis (BIA)
Penetration testing
Audit and review
Threat analysis
Penetration testing
Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?
Countermeasure cost-benefit analysis
Penetration testing
Frequent risk assessment programs
Annual loss expectancy (ALE) calculation
Countermeasure cost-benefit analysis
An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:
eliminating the risk.
transferring the risk.
mitigating the risk.
accepting the risk.
mitigating the risk.
Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?
Manager
Custodian
User
Owner
Owner
The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for:
- determining the scope for inclusion in an information security program.
- defining the level of access controls.
- justifying costs for information resources.
- determining the overall budget of an information security program.
defining the level of access controls.
An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs?
Key performance indicators (KPIs)
Business impact analysis (BIA)
Gap analysis
Technical vulnerability assessment
Gap analysis
When performing a qualitative risk analysis, which of the following will BEST produce reliable results?
Estimated productivity losses
Possible scenarios with threats and impacts
Value of information assets
Vulnerability assessment
Possible scenarios with threats and impacts
Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?
User assessments of changes
Comparison of the program results with industry standards
Assignment of risk within the organization
Participation by all members of the organization
Participation by all members of the organization
The MOST effective use of a risk register is to:
- identify risks and assign roles and responsibilities for mitigation.
- identify threats and probabilities.
- facilitate a thorough review of all IT-related risks on a periodic basis.
- record the annualized financial amount of expected losses due to risks.
facilitate a thorough review of all IT-related risks on a periodic basis.
After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program?
Define security metrics
Conduct a risk assessment
Perform a gap analysis
Procure security tools
Conduct a risk assessment
Which of the following are the essential ingredients of a business impact analysis (BIA)?
Downtime tolerance, resources and criticality
Cost of business outages in a year as a factor of the security budget
Business continuity testing methodology being deployed
Structure of the crisis management team
Downtime tolerance, resources and criticality
A risk management approach to information protection is:
- managing risks to an acceptable level, commensurate with goals and objectives.
- accepting the security posture provided by commercial security products.
- implementing a training program to educate individuals on information protection and risks.
- managing risk tools to ensure that they assess all information protection vulnerabilities.
managing risks to an acceptable level, commensurate with goals and objectives.
Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level?
Implement countermeasures.
Eliminate the risk.
Transfer the risk.
Accept the risk.
Transfer the risk.
To ensure that payroll systems continue to operate in the event of a hurricane hitting a data center, what would be the FIRST crucial step an information security manager would take in ensuring business continuity planning?
Conducting a qualitative and quantitative risk analysis.
Assigning value to the assets.
Weighing the cost of implementing the plan vs. financial loss.
Conducting a business impact analysis (BIA).
Conducting a business impact analysis (BIA).
An information security organization should PRIMARILY:
- support the business objectives of the company by providing security-related support services.
- be responsible for setting up and documenting the information security responsibilities of the information security team members.
- ensure that the information security policies of the company are in line with global best practices and standards.
- ensure that the information security expectations are conveyed to employees.
support the business objectives of the company by providing security-related support services.
When implementing security controls, an information security manager must PRIMARILY focus on:
minimizing operational impacts.
eliminating all vulnerabilities.
usage by similar organizations.
certification from a third party.
minimizing operational impacts.
All risk management activities are PRIMARILY designed to reduce impacts to:
- a level defined by the security manager.
- an acceptable level based on organizational risk tolerance.
- a minimum level consistent with regulatory requirements.
- the minimum level possible.
an acceptable level based on organizational risk tolerance.
After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?
Information security officer
Chief information officer (CIO)
Business owner
Chief executive officer (CEO)
Business owner
The purpose of a corrective control is to:
reduce adverse events.
indicate compromise.
mitigate impact.
ensure compliance.
mitigate impact.
Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?
Performing a business impact analysis (BIA)
Considering personal information devices as part of the security policy
Initiating IT security training and familiarization
Basing the information security infrastructure on risk assessment
Basing the information security infrastructure on risk assessment
Previously accepted risk should be:
- re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions.
- accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable.
- avoided next time since risk avoidance provides the best protection to the company.
- removed from the risk log once it is accepted.
re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions.
An information security manager is advised by contacts in law enforcement that there is evidence that his/her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:
- perform a comprehensive assessment of the organization’s exposure to the hacker’s techniques.
- initiate awareness training to counter social engineering.
- immediately advise senior management of the elevated risk.
- increase monitoring activities to provide early detection of intrusion.
immediately advise senior management of the elevated risk.
Which of the following steps should be performed FIRST in the risk assessment process?
Staff interviews
Threat identification
Asset identification and valuation
Determination of the likelihood of identified risks
Asset identification and valuation
Which of the following authentication methods prevents authentication replay?
Password hash implementation
Challenge/response mechanism
Wired Equivalent Privacy (WEP) encryption usage
HTTP Basic Authentication
Challenge/response mechanism
An organization has a process in place that involves the use of a vendor. A risk assessment was completed during the development of the process. A year after the implementation, a monetary decision has been made to use a different vendor. What, if anything, should occur?
Nothing, since a risk assessment was completed during development.
A vulnerability assessment should be conducted.
A new risk assessment should be performed.
The new vendor’s SAS 70 type II report should be reviewed.
A new risk assessment should be performed.