CISM Practice B Topic 3 Flashcards
Who can BEST advocate the development of and ensure the success of an information security program?
Internal auditor
Chief operating officer (COO)
Steering committee
IT management
Steering committee
Which of the following BEST ensures that information transmitted over the Internet will remain confidential?
Virtual private network (VPN)
Firewalls and routers
Biometric authentication
Two-factor authentication
Virtual private network (VPN)
The effectiveness of virus detection software is MOST dependent on which of the following?
Packet filtering
Intrusion detection
Software upgrades
Definition tables
Definition tables
Which of the following is the MOST effective type of access control?
Centralized
Role-based
Decentralized
Discretionary
Role-based
Which of the following devices should be placed within a DMZ?
Router
Firewall
Mail relay
Authentication server
Mail relay
An intrusion detection system should be placed:
outside the firewall.
on the firewall server.
on a screened subnet.
on the external router.
on a screened subnet.
The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to:
provide in-depth defense.
separate test and production.
permit traffic load balancing.
prevent a denial-of-service attack.
permit traffic load balancing.
An extranet server should be placed:
outside the firewall.
on the firewall server.
on a screened subnet.
on the external router.
on a screened subnet.
Which of the following is the BEST metric for evaluating the effectiveness of security awareness training? The number of:
password resets.
reported incidents.
incidents resolved.
access rule violations.
reported incidents.
Security monitoring mechanisms should PRIMARILY:
focus on business-critical information.
assist owners to manage control risks.
focus on detecting network intrusions.
record all security violations.
focus on business-critical information.
Which of the following is the BEST method for ensuring that security procedures and guidelines are known and understood?
Periodic focus group meetings
Periodic compliance reviews
Computer-based certification training (CBT)
Employee’s signed acknowledgement
Computer-based certification training (CBT)
When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:
right-to-terminate clause.
limitations of liability.
service level agreement (SLA).
financial penalties clause.
service level agreement (SLA).
Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism?
Number of attacks detected
Number of successful attacks
Ratio of false positives to false negatives
Ratio of successful to unsuccessful attacks
Ratio of false positives to false negatives
Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems?
Patch management
Change management
Security baselines
Virus detection
Change management
Which of the following tools is MOST appropriate for determining how long a security project will take to implement?
Gantt chart
Waterfall chart
Critical path
Rapid Application Development (RAD)
Critical path
Which of the following is MOST effective in preventing security weaknesses in operating systems?
Patch management
Change management
Security baselines
Configuration management
Patch management
When a proposed system change violates an existing security standard, the conflict would be BEST resolved by:
calculating the residual risk.
enforcing the security standard.
redesigning the system change.
implementing mitigating controls.
calculating the residual risk.
Who can BEST approve plans to implement an information security governance framework?
Internal auditor
Information security management
Steering committee
Infrastructure management
Steering committee
Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?
Baseline security standards
System access violation logs
Role-based access controls
Exit routines
Role-based access controls
Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender?
Biometric authentication
Embedded steganographic
Two-factor authentication
Embedded digital signature
Embedded digital signature
Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers?
Daily
Weekly
Concurrently with O/S patch updates
During scheduled change control updates
Daily
Which of the following devices should be placed within a demilitarized zone (DMZ)?
Network switch
Web server
Database server
File/print server
Web server
On which of the following should a firewall be placed?
Web server
Intrusion detection system (IDS) server
Screened subnet
Domain boundary
Domain boundary
An intranet server should generally be placed on the:
internal network.
firewall server.
external router.
primary domain controller.
internal network.
Access control to a sensitive intranet application by mobile users can BEST be implemented through:
data encryption.
digital signatures.
strong passwords.
two-factor authentication.
two-factor authentication.
When application-level security controlled by business process owners is found to be poorly managed, which of the following could BEST improve current practices?
Centralizing security management
Implementing sanctions for noncompliance
Policy enforcement by IT management
Periodic compliance reviews
Centralizing security management
Security awareness training is MOST likely to lead to which of the following?
Decrease in intrusion incidents
Increase in reported incidents
Decrease in security policy changes
Increase in access rule violations
Increase in reported incidents
The information classification scheme should:
consider possible impact of a security breach.
classify personal information in electronic form.
be performed by the information security manager.
classify systems according to the data processed.
consider possible impact of a security breach.
Which of the following is the BEST method to provide a new user with their initial password for email system access?
Interoffice a system-generated complex password with 30 days expiration
Give a dummy password over the telephone set for immediate expiration
Require no password but force the user to set their own in 10 days
Set initial password equal to the user ID with expiration in 30 days
Give a dummy password over the telephone set for immediate expiration
An information security program should be sponsored by:
infrastructure management.
the corporate audit department.
key business process owners.
information security management.
key business process owners.
Which of the following is the MOST important item to include when developing web hosting agreements with third-party providers?
Termination conditions
Liability limits
Service levels
Privacy restrictions
Service levels
The BEST metric for evaluating the effectiveness of a firewall is the:
number of attacks blocked.
number of packets dropped.
average throughput rate.
number of firewall rules.
number of attacks blocked.
Which of the following ensures that newly identified security weaknesses in an operating system are mitigated in a timely fashion?
Patch management
Change management
Security baselines
Acquisition management
Patch management
The MAIN advantage of implementing automated password synchronization is that it:
reduces overall administrative workload.
increases security between multi-tier systems.
allows passwords to be changed less frequently.
reduces the need for two-factor authentication.
reduces overall administrative workload.
Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met?
SWOT analysis
Waterfall chart
Gap analysis
Balanced scorecard
Balanced scorecard
Which of the following is MOST effective in preventing the introduction of a code modification that may reduce the security of a critical business application?
Patch management
Change management
Security metrics
Version control
Change management
An operating system (OS) noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution?
Rewrite the application to conform to the upgraded operating system
Compensate for not installing the patch with mitigating controls
Alter the patch to allow the application to run in a privileged state
Run the application on a test platform; tune production to allow patch and application
Compensate for not installing the patch with mitigating controls
Which of the following is MOST important to the success of an information security program?
Security awareness training
Achievable goals and objectives
Senior management sponsorship
Adequate start-up budget and staffing
Senior management sponsorship
Which of the following is MOST important for a successful information security program?
Adequate training on emerging security technologies
Open communication with key process owners
Adequate policies, standards and procedures
Executive management commitment
Executive management commitment
Which of the following is the MOST effective solution for preventing individuals external to the organization from modifying sensitive information on a corporate database?
Screened subnets
Information classification policies and procedures
Role-based access controls
Intrusion detection system (IDS)
Screened subnets
Which of the following technologies is utilized to ensure that an individual connecting to a corporate internal network over the Internet is not an intruder masquerading as an authorized user?
Intrusion detection system (IDS)
IP address packet filtering
Two-factor authentication
Embedded digital signature
Two-factor authentication
What is an appropriate frequency for updating operating system (OS) patches on production servers?
During scheduled rollouts of new applications
According to a fixed security patch management schedule
Concurrently with quarterly hardware maintenance
Whenever important security patches are released
Whenever important security patches are released
Which of the following devices should be placed within a DMZ?
Proxy server
Application server
Departmental server
Data warehouse server
Application server
A border router should be placed on which of the following?
Web server
IDS server
Screened subnet
Domain boundary
Domain boundary
An e-commerce order fulfillment web server should generally be placed on which of the following?
Internal network
Demilitarized zone (DMZ)
Database server
Domain controller
Demilitarized zone (DMZ)
Secure customer use of an e-commerce application can BEST be accomplished through:
data encryption.
digital signatures.
strong passwords.
two-factor authentication.
data encryption.
What is the BEST defense against a Structured Query Language (SQL) injection attack?
Regularly updated signature files
A properly configured firewall
An intrusion detection system
Strict controls on input fields
Strict controls on input fields
Which of the following is the MOST important consideration when implementing an intrusion detection system (IDS)?
Tuning
Patching
Encryption
Packet filtering
Tuning
Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register?
Authentication
Hardening
Encryption
Nonrepudiation
Encryption
Which of the following practices is BEST to remove system access for contractors and other temporary users when it is no longer required?
Log all account usage and send it to their manager
Establish predetermined automatic expiration dates
Require managers to e-mail security when the user leaves
Ensure each individual has signed a security acknowledgement
Establish predetermined automatic expiration dates
Primary direction on the impact of compliance with new regulatory requirements that may lead to major application system changes should be obtained from the:
corporate internal auditor.
system developers/analysts.
key business process owners.
corporate legal counsel.
key business process owners.
Which of the following is the MOST important item to consider when evaluating products to monitor security across the enterprise?
Ease of installation
Product documentation
Available support
System overhead
System overhead
Which of the following is the MOST important guideline when using software to scan for security exposures within a corporate network?
Never use open source tools
Focus only on production servers
Follow a linear process for attacks
Do not interrupt production processes
Do not interrupt production processes
Which of the following BEST ensures that modifications made to in-house developed business applications do not introduce new security exposures?
Stress testing
Patch management
Change management
Security baselines
Change management
The advantage of Virtual Private Network (VPN) tunneling for remote users is that it:
helps ensure that communications are secure.
increases security between multi-tier systems.
allows passwords to be changed less frequently.
eliminates the need for secondary authentication.
helps ensure that communications are secure.
Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network?
Boundary router
Strong encryption
Internet-facing firewall
Intrusion detection system (IDS)
Strong encryption
Which of the following is MOST effective in protecting against the attack technique known as phishing?
Firewall blocking rules
Up-to-date signature files
Security awareness training
Intrusion detection monitoring
Security awareness training
When a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning, which of the following should automatically occur FIRST?
The firewall should block all inbound traffic during the outage
All systems should block new logins until the problem is corrected
Access control should fall back to no synchronized mode
System logs should record all user activity for later analysis
Access control should fall back to no synchronized mode
Which of the following is the MOST important risk associated with middleware in a client-server environment?
Server patching may be prevented
System backups may be incomplete
System integrity may be affected
End-user sessions may be hijacked
System integrity may be affected
An outsource service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know?
Security in storage and transmission of sensitive data
Provider’s level of compliance with industry standards
Security technologies in place at the facility
Results of the latest independent security review
Security in storage and transmission of sensitive data
Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization’s network?
Configuration of firewalls
Strength of encryption algorithms
Authentication within application
Safeguards over keys
Safeguards over keys
In the process of deploying a new e-mail system, an information security manager would like to ensure the confidentiality of messages while in transit. Which of the following is the MOST appropriate method to ensure data confidentiality in a new e-mail system implementation?
Encryption
Digital certificate
Digital signature
Hashing algorithm
Encryption
The MOST important reason that statistical anomaly-based intrusion detection systems (stat IDSs) are less commonly used than signature-based IDSs is that stat IDSs:
create more overhead than signature-based IDSs.
cause false positives from minor changes to system variables.
generate false alarms from varying user or system actions.
cannot detect new types of attacks.
generate false alarms from varying user or system actions.
An information security manager uses security metrics to measure the:
performance of the information security program.
performance of the security baseline.
effectiveness of the security risk analysis.
effectiveness of the incident response team.
performance of the information security program.
The MOST important success factor to design an effective IT security awareness program is to:
customize the content to the target audience.
ensure senior management is represented.
ensure that all the staff is trained.
avoid technical content but give concrete examples.
customize the content to the target audience.
Which of the following practices completely prevents a man-in-the-middle (MitM) attack between two hosts?
Use security tokens for authentication
Connect through an IPSec VPN
Use https with a server-side certificate
Enforce static media access control (MAC) addresses
Connect through an IPSec VPN
Which of the following features is normally missing when using Secure Sockets Layer (SSL) in a web browser?
Certificate-based authentication of web client
Certificate-based authentication of web server
Data confidentiality between client and web server
Multiple encryption algorithms
Certificate-based authentication of web client
The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C) financial web application is:
Secure Sockets Layer (SSL).
Secure Shell (SSH).
IP Security (IPSec).
Secure/Multipurpose Internet Mail Extensions (S/MIME).
Secure Sockets Layer (SSL).
A message that has been encrypted by the sender’s private key and again by the receiver’s public key achieves:
authentication and authorization.
confidentiality and integrity.
confidentiality and nonrepudiation.
authentication and nonrepudiation.
confidentiality and nonrepudiation.
When a user employs a client-side digital certificate to authenticate to a web server through Secure Socket Layer (SSL), confidentiality is MOST vulnerable to which of the following?
IP spoofing
Man-in-the-middle attack
Repudiation
Trojan
Trojan
Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee?
Security compliant servers trend report
Percentage of security compliant servers
Number of security patches applied
Security patches applied trend report
Security compliant servers trend report
It is important to develop an information security baseline because it helps to define:
critical information resources needing protection.
a security policy for the entire organization.
the minimum acceptable security to be implemented.
required physical and logical access controls.
the minimum acceptable security to be implemented.
Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation?
Symmetric cryptography
Public key infrastructure (PKI)
Message hashing
Message authentication code
Public key infrastructure (PKI)
Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?
Regular review of access control lists
Security guard escort of visitors
Visitor registry log at the door
A biometric coupled with a PIN
Regular review of access control lists
To BEST improve the alignment of the information security objectives in an organization, the chief information security officer (CISO) should:
revise the information security program.
evaluate a balanced business scorecard.
conduct regular user awareness sessions.
perform penetration tests.
evaluate a balanced business scorecard.
What is the MOST important item to be included in an information security policy?
The definition of roles and responsibilities
The scope of the security program
The key objectives of the security program
Reference to procedures and standards of the security program
The key objectives of the security program
In an organization, information systems security is the responsibility of:
all personnel.
information systems personnel.
information systems security personnel.
functional personnel.
all personnel.
An organization without any formal information security program that has decided to implement information security best practices should FIRST:
invite an external consultant to create the security strategy.
allocate budget based on best practices.
benchmark similar organizations.
define high-level business security requirements.
define high-level business security requirements.
When considering the value of assets, which of the following would give the information security manager the MOST objective basis for measurement of value delivery in information security governance?
Number of controls
Cost of achieving control objectives
Effectiveness of controls
Test results of controls
Cost of achieving control objectives
Which of the following would be the BEST metric for the IT risk management process?
Number of risk management action plans
Percentage of critical assets with budgeted remedial
Percentage of unresolved risk exposures
Number of security incidents identified
Percentage of critical assets with budgeted remedial
Which of the following is a key area of the ISO 27001 framework?
Operational risk assessment
Financial crime metrics
Capacity management
Business continuity management
Business continuity management
The MAIN goal of an information security strategic plan is to:
develop a risk assessment plan.
develop a data protection plan.
protect information assets and resources.
establish security governance.
protect information assets and resources.
Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?
Encrypting first by receiver’s private key and second by sender’s public key
Encrypting first by sender’s private key and second by receiver’s public key
Encrypting first by sender’s private key and second decrypting by sender’s public key
Encrypting first by sender’s public key and second by receiver’s private key
Encrypting first by sender’s private key and second by receiver’s public key
The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to:
change the root password of the system.
implement multifactor authentication.
rebuild the system from the original installation medium.
disconnect the mail server from the network.
rebuild the system from the original installation medium.
The IT function has declared that, when putting a new application into production, it is not necessary to update the business impact analysis (BIA) because it does not produce modifications in the business processes. The information security manager should:
verify the decision with the business units.
check the system’s risk analysis.
recommend update after post implementation review.
request an audit review.
verify the decision with the business units.
A risk assessment study carried out by an organization noted that there is no segmentation of the local area network (LAN). Network segmentation would reduce the potential impact of which of the following?
Denial of service (DoS) attacks
Traffic sniffing
Virus infections
IP address spoofing
Traffic sniffing
The PRIMARY objective of an Internet usage policy is to prevent:
access to inappropriate sites.
downloading malicious code.
violation of copyright laws.
disruption of Internet access.
disruption of Internet access.
An internal review of a web-based application system finds the ability to gain access to all employees’ accounts by changing the employee’s ID on the URL used for accessing the account. The vulnerability identified is:
broken authentication.
unvalidated input.
cross-site scripting.
structured query language (SQL) injection.
broken authentication.
A test plan to validate the security controls of a new system should be developed during which phase of the project?
Testing
Initiation
Design
Development
Design
The MOST effective way to ensure that outsourced service providers comply with the organization’s information security policy would be:
service level monitoring.
penetration testing.
periodically auditing.
security awareness training.
periodically auditing.
In order to protect a network against unauthorized external connections to corporate systems, the information security manager should BEST implement:
a strong authentication.
IP anti-spoofing filtering.
network encryption protocol.
access lists of trusted devices.
a strong authentication.
The PRIMARY driver to obtain external resources to execute the information security program is that external resources can:
contribute cost-effective expertise not available internally.
be made responsible for meeting the security program requirements.
replace the dependence on internal resources.
deliver more effectively on account of their knowledge.
contribute cost-effective expertise not available internally.
Priority should be given to which of the following to ensure effective implementation of information security governance?
Consultation
Negotiation
Facilitation
Planning
Planning
The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information security program is to:
ensure the confidentiality of sensitive material.
provide a high assurance of identity.
allow deployment of the active directory.
implement secure sockets layer (SSL) encryption.
provide a high assurance of identity.
Which of the following controls would BEST prevent accidental system shutdown from the console or operations area?
Redundant power supplies
Protective switch covers
Shutdown alarms
Biometric readers
Protective switch covers
Which of the following is the MOST important reason why information security objectives should be defined?
Tool for measuring effectiveness
General understanding of goals
Consistency with applicable standards
Management sign-off and support initiatives
Tool for measuring effectiveness
What is the BEST policy for securing data on mobile universal serial bus (USB) drives?
Authentication
Encryption
Prohibit employees from copying data to USB devices
Limit the use of USB devices
Encryption
When speaking to an organization’s human resources department about information security, an information security manager should focus on the need for:
an adequate budget for the security program.
recruitment of technical IT employees.
periodic risk assessments.
security awareness training for employees.
security awareness training for employees.
Which of the following would BEST protect an organization’s confidential data stored on a laptop computer from unauthorized access?
Strong authentication by password
Encrypted hard drives
Multifactor authentication procedures
Network-based data backup
Encrypted hard drives
What is the MOST important reason for conducting security awareness programs throughout an organization?
Reducing the human risk
Maintaining evidence of training records to ensure compliance
Informing business units about the security strategy
Training personnel in security incident response
Reducing the human risk
At what stage of the applications development process would encryption key management initially be addressed?
Requirements development
Deployment
Systems testing
Code reviews
Requirements development
The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization’s security requirements is:
messages displayed at every logon.
periodic security-related e-mail messages.
an Intranet web site for information security.
circulating the information security policy.
messages displayed at every logon.
Which of the following would be the BEST defense against sniffing?
Password protect the files
Implement a dynamic IP address scheme
Encrypt the data being transmitted
Set static mandatory access control (MAC) addresses
Encrypt the data being transmitted
A digital signature using a public key infrastructure (PKI) will:
not ensure the integrity of a message.
rely on the extent to which the certificate authority (CA) is trusted.
require two parties to the message exchange.
provide a high level of confidentiality.
rely on the extent to which the certificate authority (CA) is trusted.
When configuring a biometric access control system that protects a high-security data center, the system’s sensitivity level should be set:
to a higher false reject rate (FRR).
to a lower crossover error rate.
to a higher false acceptance rate (FAR).
exactly to the crossover error rate.
to a higher false reject rate (FRR).
Which of the following is the BEST method to securely transfer a message?
Password-protected removable media
Facsimile transmission in a secured room
Using public key infrastructure (PKI) encryption
Steganography
Using public key infrastructure (PKI) encryption
Which of the following would be the FIRST step in establishing an information security program?
Develop the security policy.
Develop security operating procedures.
Develop the security plan.
Conduct a security controls study.
Develop the security plan.
An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage cross-training. Which type of authorization policy would BEST address this practice?
Multilevel
Role-based
Discretionary
Attribute-based
Role-based
Which of the following is the MOST important reason for an information security review of contracts? To help ensure that:
the parties to the agreement can perform.
confidential data are not included in the agreement.
appropriate controls are included.
the right to audit is a requirement.
appropriate controls are included.
For virtual private network (VPN) access to the corporate network, the information security manager is requiring strong authentication. Which of the following is the strongest method to ensure that logging onto the network is secure?
Biometrics
Symmetric encryption keys
Secure Sockets Layer (SSL)-based authentication
Two-factor authentication
Two-factor authentication
Which of the following guarantees that data in a file have not changed?
Inspecting the modified date of the file
Encrypting the file with symmetric encryption
Using stringent access control to prevent unauthorized access
Creating a hash of the file, then comparing the file hashes
Creating a hash of the file, then comparing the file hashes
Which of the following mechanisms is the MOST secure way to implement a secure wireless network?
Filter media access control (MAC) addresses
Use a Wi-Fi Protected Access (WPA2) protocol
Use a Wired Equivalent Privacy (WEP) key
Web-based authentication
Use a Wi-Fi Protected Access (WPA2) protocol
Which of the following devices could potentially stop a Structured Query Language (SQL) injection attack?
An intrusion prevention system (IPS)
An intrusion detection system (IDS)
A host-based intrusion detection system (HIDS)
A host-based firewall
An intrusion prevention system (IPS)
Nonrepudiation can BEST be ensured by using:
strong passwords.
a digital hash.
symmetric encryption.
digital signatures.
digital signatures.