CISM Practice B Topic 4 Flashcards
The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to:
perform penetration testing.
establish security baselines.
implement vendor default settings.
link policies to an independent standard.
establish security baselines.
A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration?
User
Network
Operations
Database
User
The BEST way to ensure that information security policies are followed is to:
distribute printed copies to all employees.
perform periodic reviews for compliance.
include escalating penalties for noncompliance.
establish an anonymous hotline to report policy abuses.
perform periodic reviews for compliance.
The MOST appropriate individual to determine the level of information security needed for a specific business application is the:
system developer.
information security manager.
steering committee.
system data owner.
system data owner.
Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual needing to have his or her password reset?
Performing reviews of password resets
Conducting security awareness programs
Increasing the frequency of password changes
Implementing automatic password syntax checking
Conducting security awareness programs
Which of the following is the MOST likely to change an organization’s culture to one that is more security conscious?
Adequate security policies and procedures
Periodic compliance reviews
Security steering committees
Security awareness campaigns
Security awareness campaigns
The BEST way to ensure that an external service provider complies with organizational security policies is to:
Explicitly include the service provider in the security policies.
Receive acknowledgment in writing stating the provider has read all policies.
Cross-reference to policies in the service level agreement
Perform periodic reviews of the service provider.
Perform periodic reviews of the service provider.
When an emergency security patch is received via electronic mail, the patch should FIRST be:
loaded onto an isolated test machine.
decompiled to check for malicious code.
validated to ensure its authenticity.
copied onto write-once media to prevent tampering.
validated to ensure its authenticity.
In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software?
Applying patches
Changing access rules
Upgrading hardware
Backing up files
Changing access rules
Which of the following is the BEST indicator that security awareness training has been effective?
Employees sign to acknowledge the security policy
More incidents are being reported
A majority of employees have completed training
No incidents have been reported in three months
More incidents are being reported
Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs?
Penetration attempts investigated
Violation log reports produced
Violation log entries
Frequency of corrective actions taken
Penetration attempts investigated
Which of the following change management activities would be a clear indicator that normal operational procedures require examination? A high percentage of:
similar change requests.
change request postponements.
canceled change requests.
emergency change requests.
emergency change requests.
Which of the following is the MOST important management signoff for migrating an order processing system from a test environment to a production environment?
User
Security
Operations
Database
User
Prior to having a third party perform an attack and penetration test against an organization, the MOST important action is to ensure that:
- the third party provides a demonstration on a test system.
- goals and objectives are clearly defined.
- the technical staff has been briefed on what to expect.
- special backups of production servers are taken.
goals and objectives are clearly defined.
When a departmental system continues to be out of compliance with an information security policy’s password strength requirements, the BEST action to undertake is to:
submit the issue to the steering committee.
conduct an impact analysis to quantify the risks.
isolate the system from the rest of the network.
request a risk acceptance from senior management.
conduct an impact analysis to quantify the risks.
Which of the following is MOST important to the successful promotion of good security management practices?
Security metrics
Security baselines
Management support
Periodic training
Management support
Which of the following environments represents the GREATEST risk to organizational security?
Locally managed file server
Enterprise data warehouse
Load-balanced, web server cluster
Centrally managed data switch
Locally managed file server
Nonrepudiation can BEST be assured by using:
delivery path tracing.
reverse lookup translation.
out-of-hand channels.
digital signatures.
digital signatures.
Of the following, the BEST method for ensuring that temporary employees do not receive excessive access rights is:
mandatory access controls.
discretionary access controls.
lattice-based access controls.
role-based access controls.
role-based access controls.
Which of the following areas is MOST susceptible to the introduction of security weaknesses?
Database management
Tape backup management
Configuration management
Incident response management
Configuration management
Security policies should be aligned MOST closely with:
industry best practices.
organizational needs.
generally accepted standards.
local laws and regulations.
organizational needs.
The BEST way to determine if an anomaly-based intrusion detection system (IDS) is properly installed is to:
simulate an attack and review IDS performance.
use a honeypot to check for unusual activity.
audit the configuration of the IDS.
benchmark the IDS against a peer site.
simulate an attack and review IDS performance.
The BEST time to perform a penetration test is after:
an attempted penetration has occurred.
an audit has reported weaknesses in security controls.
various infrastructure changes are made.
a high turnover in systems staff.
various infrastructure changes are made.
Successful social engineering attacks can BEST be prevented through:
preemployment screening.
close monitoring of users’ access patterns.
periodic awareness training.
efficient termination procedures.
periodic awareness training.
What is the BEST way to ensure that an intruder who successfully penetrates a network will be detected before significant damage is inflicted?
Perform periodic penetration testing
Establish minimum security baselines
Implement vendor default settings
Install a honeypot on the network
Install a honeypot on the network
Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?
User ad hoc reporting is not logged
Network traffic is through a single switch
Operating system (OS) security patches have not been applied
Database security defaults to ERP settings
Operating system (OS) security patches have not been applied
In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources?
Implementing on-screen masking of passwords
Conducting periodic security awareness programs
Increasing the frequency of password changes
Requiring that passwords be kept strictly confidential
Conducting periodic security awareness programs
Which of the following will BEST ensure that management takes ownership of the decision making process for information security?
Security policies and procedures
Annual self-assessment by management
Security-steering committees
Security awareness campaigns
Security-steering committees
Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?
System analyst
Quality control manager
Process owner
Information security manager
Process owner
What is the BEST way to ensure that contract programmers comply with organizational security policies?
Explicitly refer to contractors in the security standards
Have the contractors acknowledge in writing the security policies
Create penalties for noncompliance in the contracting agreement
Perform periodic security reviews of the contractors
Perform periodic security reviews of the contractors
Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected?
Applying patches
Changing access rules
Upgrading hardware
Backing up files
Backing up files
Security awareness training should be provided to new employees:
on an as-needed basis.
during system user training.
before they have access to data.
along with department staff.
before they have access to data.
What is the BEST method to verify that all security patches applied to servers were properly documented?
Trace change control requests to operating system (OS) patch logs
Trace OS patch logs to OS vendor’s update documentation
Trace OS patch logs to change control requests
Review change control documentation for key servers
Trace OS patch logs to change control requests
A security awareness program should:
present top management’s perspective.
address details on specific exploits.
address specific groups and roles.
promote security department procedures
address specific groups and roles.
The PRIMARY objective of security awareness is to:
ensure that security policies are understood.
influence employee behavior.
ensure legal and regulatory compliance.
notify of actions for noncompliance.
influence employee behavior.
Which of the following will BEST protect against malicious activity by a former employee?
Preemployment screening
Close monitoring of users
Periodic awareness training
Effective termination procedures
Effective termination procedures
Which of the following represents a PRIMARY area of interest when conducting a penetration test?
Data mining
Network mapping
Intrusion Detection System (IDS)
Customer data
Network mapping
The return on investment of information security can BEST be evaluated through which of the following?
Support of business objectives
Security metrics
Security deliverables
Process improvement models
Support of business objectives
To help ensure that contract personnel do not obtain unauthorized access to sensitive information, an information security manager should PRIMARILY:
set their accounts to expire in six months or less.
avoid granting system administration roles.
ensure they successfully pass background checks.
ensure their access is approved by the data owner.
avoid granting system administration roles.
Information security policies should:
address corporate network vulnerabilities.
address the process for communicating a violation.
be straightforward and easy to understand.
be customized to specific groups and roles.
be straightforward and easy to understand.
Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack?
Utilize an intrusion detection system.
Establish minimum security baselines.
Implement vendor recommended settings.
Perform periodic penetration testing.
Perform periodic penetration testing.
Which of the following presents the GREATEST exposure to internal attack on a network?
User passwords are not automatically expired
All network traffic goes through a single switch
User passwords are encoded but not encrypted
All users reside on a single internal subnet
User passwords are encoded but not encrypted
Which of the following provides the linkage to ensure that procedures are correctly aligned with information security policy requirements?
Standards
Guidelines
Security metrics
IT governance
Standards
Which of the following are the MOST important individuals to include as members of an information security steering committee?
Direct reports to the chief information officer
IT management and key business process owners
Cross-section of end users and IT professionals
Internal audit and corporate legal departments
IT management and key business process owners
Security audit reviews should PRIMARILY:
ensure that controls operate as required.
ensure that controls are cost-effective.
focus on preventive controls.
ensure controls are technologically current.
ensure that controls operate as required.
Which of the following is the MOST appropriate method to protect a password that opens a confidential file?
Delivery path tracing
Reverse lookup translation
Out-of-band channels
Digital signatures
Out-of-band channels
What is the MOST effective access control method to prevent users from sharing files with unauthorized users?
Mandatory
Discretionary
Walled garden
Role-based
Mandatory
Which of the following is an inherent weakness of signature-based intrusion detection systems?
A higher number of false positives
New attack methods will be missed
Long duration probing will be missed
Attack profiles can be easily spoofed
New attack methods will be missed
Data owners are normally responsible for which of the following?
Applying emergency changes to application data
Administering security over database records
Migrating application code changes to production
Determining the level of application security required
Determining the level of application security required
Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process?
System analyst
System user
Operations manager
Data security officer
System user
What is the BEST way to ensure users comply with organizational security requirements for password complexity?
Include password construction requirements in the security standards
Require each user to acknowledge the password requirements
Implement strict penalties for user noncompliance
Enable system-enforced password configuration
Enable system-enforced password configuration
Which of the following is the MOST appropriate method for deploying operating system (OS) patches to production application servers?
Batch patches into frequent server updates
Initially load the patches on a test machine
Set up servers to automatically download patches
Automatically push all patches to the servers
Initially load the patches on a test machine
Which of the following would present the GREATEST risk to information security?
Virus signature files updates are applied to all servers every day
Security access logs are reviewed within five business days
Critical patches are applied within 24 hours of their release
Security incidents are investigated within five business days
Security incidents are investigated within five business days
The PRIMARY reason for using metrics to evaluate information security is to:
identify security weaknesses.
justify budgetary expenditures.
enable steady improvement.
raise awareness on security issues.
enable steady improvement.
What is the BEST method to confirm that all firewall rules and router configuration settings are adequate?
Periodic review of network configuration
Review intrusion detection system (IDS) logs for evidence of attacks
Periodically perform penetration tests
Daily review of server logs for evidence of hacker activity
Periodically perform penetration tests
Which of the following is MOST important for measuring the effectiveness of a security awareness program?
Reduced number of security violation reports
A quantitative evaluation to ensure user comprehension
Increased interest in focus groups on security issues
Increased number of security violation reports
A quantitative evaluation to ensure user comprehension
Which of the following is the MOST important action to take when engaging third-party consultants to conduct an attack and penetration test?
Request a list of the software to be used
Provide clear directions to IT staff
Monitor intrusion detection system (IDS) and firewall logs closely
Establish clear rules of engagement
Establish clear rules of engagement
Which of the following will BEST prevent an employee from using a USB drive to copy files from desktop computers?
Restrict the available drive allocation on all PCs
Disable universal serial bus (USB) ports on all desktop devices
Conduct frequent awareness training with noncompliance penalties
Establish strict access controls to sensitive information
Restrict the available drive allocation on all PCs
Which of the following is the MOST important area of focus when examining potential security compromise of a new wireless network?
Signal strength
Number of administrators
Bandwidth
Encryption strength
Number of administrators
Good information security standards should:
define precise and unambiguous allowable limits.
describe the process for communicating violations.
address high-level objectives of the organization.
be updated frequently as new software is released.
define precise and unambiguous allowable limits.
Good information security procedures should:
define the allowable limits of behavior.
underline the importance of security governance.
describe security baselines for each platform.
be updated frequently as new software is released.
be updated frequently as new software is released.
What is the MAIN drawback of e-mailing password-protected zip files across the Internet? They:
all use weak encryption.
are decrypted by the firewall.
may be quarantined by mail filters.
may be corrupted by the receiving mail server.
may be quarantined by mail filters.
A major trading partner with access to the internal network is unwilling or unable to remediate serious information security exposures within its environment. Which of the following is the BEST recommendation?
Sign a legal agreement assigning them all liability for any breach
Remove all trading partner access until the situation improves
Set up firewall rules restricting network traffic from that location
Send periodic reminders advising them of their noncompliance
Set up firewall rules restricting network traffic from that location
Documented standards/procedures for the use of cryptography across the enterprise should PRIMARILY:
define the circumstances where cryptography should be used.
define cryptographic algorithms and key lengths.
describe handling procedures of cryptographic keys.
establish the use of cryptographic solutions.
define the circumstances where cryptography should be used.
Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system (IDS) with the threshold set to a low value?
The number of false positives increases
The number of false negatives increases
Active probing is missed
Attack profiles are ignored
The number of false positives increases
What is the MOST appropriate change management procedure for the handling of emergency program changes?
Formal documentation does not need to be completed before the change
Business management approval must be obtained prior to the change
Documentation is completed with approval soon after the change
All changes must follow the same process
Documentation is completed with approval soon after the change
Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken?
Information security officer
Security steering committee
Data owner
Data custodian
Security steering committee
The PRIMARY focus of the change control process is to ensure that changes are:
authorized.
applied.
documented.
tested.
authorized
An information security manager has been asked to develop a change control process. What is the FIRST thing the information security manager should do?
Research best practices
Meet with stakeholders
Establish change control procedures
Identify critical systems
Meet with stakeholders
A critical device is delivered with a single user and password that is required to be shared for multiple users to access the device. An information security manager has been tasked with ensuring all access to the device is authorized. Which of the following would be the MOST efficient means to accomplish this?
Enable access through a separate device that requires adequate authentication
Implement manual procedures that require password change after each use
Request the vendor to add multiple user IDs
Analyze the logs to detect unauthorized access
Enable access through a separate device that requires adequate authentication
Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application?
User security procedures
Business process flow
IT security policy
Regulatory requirements
IT security policy
Which of the following is the MOST important process that an information security manager needs to negotiate with an outsource service provider?
The right to conduct independent security reviews
A legally binding data protection agreement
Encryption between the organization and the provider
A joint risk assessment of the system
The right to conduct independent security reviews
Which resource is the MOST effective in preventing physical access tailgating/piggybacking?
Card key door locks
Photo identification
Awareness training
Biometric scanners
Awareness training
In business critical applications, where shared access to elevated privileges by a small group is necessary, the BEST approach to implement adequate segregation of duties is to:
ensure access to individual functions can be granted to individual users only.
implement role-based access control in the application.
enforce manual procedures ensuring separation of conflicting duties.
create service accounts that can only be used by authorized team members.
implement role-based access control in the application.
In business-critical applications, user access should be approved by the:
information security manager.
data owner.
data custodian.
business management.
data owner.
In organizations where availability is a primary concern, the MOST critical success factor of the patch management procedure would be the:
testing time window prior to deployment.
technical skills of the team responsible.
certification of validity for deployment.
automated deployment to all the servers.
testing time window prior to deployment.
To ensure that all information security procedures are functional and accurate, they should be designed with the involvement of:
end users.
legal counsel.
operational units.
audit management.
operational units.
An information security manager reviewed the access control lists and observed that privileged access was granted to an entire department. Which of the following should the information security manager do FIRST?
Review the procedures for granting access
Establish procedures for granting emergency access
Meet with data owners to understand business needs
Redefine and implement proper access rights
Meet with data owners to understand business needs
When security policies are strictly enforced, the initial impact is that:
they may have to be modified more frequently.
they will be less subject to challenge.
the total cost of security is increased.
the need for compliance reviews is decreased.
the total cost of security is increased.
A business partner of a factory has remote read-only access to material inventory to forecast future acquisition orders. An information security manager should PRIMARILY ensure that there is:
an effective control over connectivity and continuity.
a service level agreement (SLA) including code escrow.
a business impact analysis (BIA).
a third-party certification.
an effective control over connectivity and continuity.
Which of the following should be in place before a black box penetration test begins?
IT management approval
Proper communication and awareness training
A clearly stated definition of scope
An incident response plan
A clearly stated definition of scope
What is the MOST important element to include when developing user security awareness material?
Information regarding social engineering
Detailed security policies
Senior management endorsement
Easy-to-read and compelling information
Easy-to-read and compelling information
What is the MOST important success factor in launching a corporate information security awareness program?
Adequate budgetary support
Centralized program management
Top-down approach
Experience of the awareness trainers
Top-down approach
Which of the following events generally has the highest information security impact?
Opening a new office
Merging with another organization
Relocating the data center
Rewiring the network
Merging with another organization
The configuration management plan should PRIMARILY be based upon input from:
business process owners.
the information security manager.
the security steering committee.
IT senior management.
IT senior management.
Which of the following is the MOST effective, positive method to promote security awareness?
Competitions and rewards for compliance
Lock-out after three incorrect password attempts
Strict enforcement of password formats
Disciplinary action for noncompliance
Competitions and rewards for compliance
An information security program should focus on:
best practices also in place at peer companies.
solutions codified in international standards.
key controls identified in risk assessments.
continued process improvement.
key controls identified in risk assessments.
Who should determine the appropriate classification of accounting ledger data located on a database server and maintained by a database administrator in the IT department?
Database administrator (DBA)
Finance department management
Information security manager
IT department management
Finance department management
Which of the following would be the MOST significant security risk in a pharmaceutical institution?
Compromised customer information
Unavailability of online transactions
Theft of security tokens
Theft of a Research and Development laptop
Theft of a Research and Development laptop
Which of the following is the BEST tool to maintain the currency and coverage of an information security program within an organization?
The program’s governance oversight mechanisms
Information security periodicals and manuals
The program’s security architecture and design
Training and certification of the information security team
The program’s governance oversight mechanisms
Which of the following would BEST assist an information security manager in measuring the existing level of development of security processes against their desired state?
Security audit reports
Balanced scorecard
Capability maturity model (CMM)
Systems and business security architecture
Capability maturity model (CMM)
Who is responsible for raising awareness of the need for adequate funding for risk action plans?
Chief information officer (CIO)
Chief financial officer (CFO)
Information security manager
Business unit management
Information security manager
Managing the life cycle of a digital certificate is a role of a(n):
system administrator.
security administrator.
system developer.
independent trusted source.
independent trusted source.
Which of the following would be MOST critical to the successful implementation of a biometric authentication system?
Budget allocation
Technical skills of staff
User acceptance
Password requirements
User acceptance
Change management procedures to ensure that disaster recovery/business continuity plans are kept up-to-date can be BEST achieved through which of the following?
Reconciliation of the annual systems inventory to the disaster recovery, business continuity plans
Periodic audits of the disaster recovery/business continuity plans
Comprehensive walk-through testing
Inclusion as a required step in the system life cycle process
Inclusion as a required step in the system life cycle process
When a new key business application goes into production, the PRIMARY reason to update relevant business impact analysis (BIA) and business continuity/disaster recovery plans is because:
this is a requirement of the security policy.
software licenses may expire in the future without warning.
the asset inventory must be maintained.
service level agreements may not otherwise be met.
service level agreements may not otherwise be met.
To reduce the possibility of service interruptions, an entity enters into contracts with multiple Internet service providers (ISPs). Which of the following would be the MOST important item to include?
Service level agreements (SLAs)
Right to audit clause
Intrusion detection system (IDS) services
Spam filtering services
Service level agreements (SLAs)
To mitigate a situation where one of the programmers of an application requires access to production data, the information security manager could BEST recommend to:
create a separate account for the programmer as a power user.
log all of the programmers’ activity for review by supervisor.
have the programmer sign a letter accepting full responsibility.
perform regular audits of the application.
log all of the programmers’ activity for review by supervisor.
Before engaging outsourced providers, an information security manager should ensure that the organization’s data classification requirements:
are compatible with the provider’s own classification.
are communicated to the provider.
exceed those of the outsourcer.
are stated in the contract.
are stated in the contract.
What is the GREATEST risk when there is an excessive number of firewall rules?
One rule may override another rule in the chain and create a loophole
Performance degradation of the whole network
The firewall may not support the increasing number of rules due to limitations
The firewall may show abnormal behavior and may crash or automatically shut down
One rule may override another rule in the chain and create a loophole
Which of the following would be the MOST appropriate physical security solution for the main entrance to a data center?
Mantrap
Biometric lock
Closed-circuit television (CCTV)
Security guard
Biometric lock
What is the GREATEST advantage of documented guidelines and operating procedures from a security perspective?
Provide detailed instructions on how to carry out different types of tasks
Ensure consistency of activities to provide a more stable environment
Ensure compliance to security standards and regulatory requirements
Ensure reusability to meet compliance to quality requirements
Ensure consistency of activities to provide a more stable environment
What is the BEST way to ensure data protection upon termination of employment?
Retrieve identification badge and card keys
Retrieve all personal computer equipment
Erase all of the employee’s folders
Ensure all logical access is removed
Ensure all logical access is removed
The MOST important reason for formally documenting security procedures is to ensure:
processes are repeatable and sustainable.
alignment with business objectives.
auditability by regulatory agencies.
objective criteria for the application of metrics.
processes are repeatable and sustainable.
Which of the following is the BEST approach for an organization desiring to protect its intellectualproperty?
Conduct awareness sessions on intellectual property policy
Require all employees to sign a nondisclosure agreement
Promptly remove all access when an employee leaves the organization
Restrict access to a need-to-know basis
Restrict access to a need-to-know basis
The “separation of duties” principle is violated if which of the following individuals has update rights to the database access control list (ACL)?
Data owner
Data custodian
Systems programmer
Security administrator
Systems programmer
An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download non-sensitive production data for software testing purposes. The information security manager should recommend which of the following?
Restrict account access to read only
Log all usage of this account
Suspend the account and activate only when needed
Require that a change request be submitted for each download
Restrict account access to read only
Which would be the BEST recommendation to protect against phishing attacks?
Install an antispam system
Publish security guidance for customers
Provide security awareness to the organization’s staff
Install an application-level firewall
Publish security guidance for customers
Which of the following is the BEST indicator that an effective security control is built into an organization?
The monthly service level statistics indicate a minimal impact from security issues.
The cost of implementing a security control is less than the value of the assets.
The percentage of systems that is compliant with security standards.
The audit reports do not reflect any significant findings on security.
The monthly service level statistics indicate a minimal impact from security issues.
What is the BEST way to alleviate security team understaffing while retaining the capability inhouse?
Hire a contractor that would not be included in the permanent headcount
Outsource with a security services provider while retaining the control internally
Establish a virtual security team from competent employees across the company
Provide cross training to minimize the existing resources gap
Establish a virtual security team from competent employees across the company
An information security manager wishing to establish security baselines would:
- include appropriate measurements in the system development life cycle.
- implement the security baselines to establish information security best practices.
- implement the security baselines to fulfill laws and applicable regulations in different jurisdictions.
- leverage information security as a competitive advantage.
implement the security baselines to establish information security best practices.
Requiring all employees and contractors to meet personnel security/suitability requirements commensurate with their position sensitivity level and subject to personnel screening is an example of a security:
policy.
strategy.
guideline.
baseline.
policy.
An organization’s information security manager has been asked to hire a consultant to help assess the maturity level of the organization’s information security management. The MOST important element of the request for proposal (RFP) is the:
references from other organizations.
past experience of the engagement team.
sample deliverable.
methodology used in the assessment.
methodology used in the assessment.
Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to:
- assess the problems and institute rollback procedures, if needed.
- disconnect the systems from the network until the problems are corrected.
- immediately uninstall the patches from these systems.
- immediately contact the vendor regarding the problems that occurred.
assess the problems and institute rollback procedures, if needed.
When defining a service level agreement (SLA) regarding the level of data confidentiality that is handled by a third-party service provider, the BEST indicator of compliance would be the:
access control matrix.
encryption strength.
authentication mechanism.
data repository
access control matrix.
The PRIMARY reason for involving information security at each stage in the systems development life cycle (SDLC) is to identify the security implications and potential solutions required for:
identifying vulnerabilities in the system.
sustaining the organization’s security posture.
the existing systems that will be affected.
complying with segregation of duties.
sustaining the organization’s security posture.It is important to maintain the organization’s security posture at all times. The focus should not be confined to the new system being developed or acquired, or to the existing systems in use. Segregation of duties is only part of a solution to improving the security of the systems, not the primary reason to involve security in the systems development life cycle (SDLC)
The implementation of continuous monitoring controls is the BEST option where:
- incidents may have a high impact and frequency
- legislation requires strong information security controls
- incidents may have a high impact but low frequency
- electronic commerce is a primary business driver
incidents may have a high impact and frequency
A third party was engaged to develop a business application. Which of the following would an information security manager BEST test for the existence of back doors?
System monitoring for traffic on network ports
Security code reviews for the entire application
Reverse engineering the application binaries
Running the application from a high-privileged account on a test system
Security code reviews for the entire application
An information security manager reviewing firewall rules will be MOST concerned if the firewall allows:
source routing.
broadcast propagation.
unregistered ports.
nonstandard protocols.
source routing.
What is the MOST cost-effective means of improving security awareness of staff personnel?
Employee monetary incentives
User education and training
A zero-tolerance security policy
Reporting of security infractions
User education and training
Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)?
Card-key door locks
Photo identification
Biometric scanners
Awareness training
Awareness training
Data owners will determine what access and authorizations users will have by:
delegating authority to data custodian.
cloning existing user accounts.
determining hierarchical preferences.
mapping to business needs.
mapping to business needs.
Which of the following is the MOST likely outcome of a well-designed information security awareness course?
Increased reporting of security incidents to the incident response function
Decreased reporting of security incidents to the incident response function
Decrease in the number of password resets
Increase in the number of identified system vulnerabilities
Increased reporting of security incidents to the incident response function
Which item would be the BEST to include in the information security awareness training program for new general staff employees?
Review of various security models
Discussion of how to construct strong passwords
Review of roles that have privileged access
Discussion of vulnerability assessment results
Review of various security models
A critical component of a continuous improvement program for information security is:
- measuring processes and providing feedback.
- developing a service level agreement (SLA) for security.
- tying corporate security standards to a recognized international standard.
- ensuring regulatory compliance.
measuring processes and providing feedback.
The management staff of an organization that does not have a dedicated security function decides to use its IT manager to perform a security review. The MAIN job requirement in this arrangement is that the IT manager:
report risks in other departments.
obtain support from other departments.
report significant security risks.
have knowledge of security standards.
report significant security risks.
An organization has implemented an enterprise resource planning (ERP) system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate?
Rule-based
Mandatory
Discretionary
Role-based
Role-based
An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that:
- an audit of the service provider uncovers no significant weakness.
- the contract includes a nondisclosure agreement (NDA) to protect the organization’s intellectual property.
- the contract should mandate that the service provider will comply with security policies.
- the third-party service provider conducts regular penetration testing.
the contract should mandate that the service provider will comply with security policies.
Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?
To mitigate technical risks
To have an independent certification of network security
To receive an independent view of security exposures
To identify a complete list of vulnerabilities
To receive an independent view of security exposures
A new port needs to be opened in a perimeter firewall. Which of the following should be the FIRST step before initiating any changes?
Prepare an impact assessment report.
Conduct a penetration test.
Obtain approval from senior management.
Back up the firewall configuration and policy files.
Prepare an impact assessment report.
An organization plans to outsource its customer relationship management (CRM) to a third-party service provider. Which of the following should the organization do FIRST?
Request that the third-party provider perform background checks on their employees.
Perform an internal risk assessment to determine needed controls.
Audit the third-party provider to evaluate their security controls.
Perform a security assessment to detect security vulnerabilities.
Perform an internal risk assessment to determine needed controls.
Which of the following would raise security awareness among an organization’s employees?
Distributing industry statistics about security incidents
Monitoring the magnitude of incidents
Encouraging employees to behave in a more conscious manner
Continually reinforcing the security policy
Continually reinforcing the security policy
Which of the following is the MOST appropriate method of ensuring password strength in a large organization?
Attempt to reset several passwords to weaker values
Install code to capture passwords for periodic audit
Sample a subset of users and request their passwords for review
Review general security settings on each platform
Review general security settings on each platform
What is the MOST cost-effective method of identifying new vendor vulnerabilities?
External vulnerability reporting sources
Periodic vulnerability assessments performed by consultants
Intrusion prevention software
Honey pots located in the DMZ
External vulnerability reporting sources
Which of the following is the BEST approach for improving information security management processes?
Conduct periodic security audits.
Perform periodic penetration testing.
Define and monitor security metrics.
Survey business units for feedback.
Define and monitor security metrics.
An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to:
- validate and sanitize client side inputs.
- harden the database listener component.
- normalize the database schema to the third normal form.
- ensure that the security patches are updated on operating systems.
validate and sanitize client side inputs.
The root cause of a successful cross site request forgery (XSRF) attack against an application is that the vulnerable application:
- uses multiple redirects for completing a data commit transaction.
- has implemented cookies as the sole authentication mechanism.
- has been installed with a non-legitimate license key.
- is hosted on a server along with other applications.
has implemented cookies as the sole authentication mechanism.
Of the following, retention of business records should be PRIMARILY based on:
periodic vulnerability assessment.
regulatory and legal requirements.
device storage capacity and longevity.
past litigation.
regulatory and legal requirements.
An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?
A due diligence security review of the business partner’s security controls
Ensuring that the business partner has an effective business continuity program
Ensuring that the third party is contractually obligated to all relevant security requirements
Talking to other clients of the business partner to check references for performance
Ensuring that the third party is contractually obligated to all relevant security requirements
An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract?
Right to audit
Nondisclosure agreement
Proper firewall implementation
Dedicated security manager for monitoring compliance
Right to audit
Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?
Provide security awareness training to the third-party provider’s employees
Conduct regular security reviews of the third-party provider
Include security requirements in the service contract
Request that the third-party provider comply with the organization’s information security policy
Conduct regular security reviews of the third-party provider
An organization’s operations staff places payment files in a shared network folder and then the disbursement staff picks up the files for payment processing. This manual intervention will be automated some months later, thus cost-efficient controls are sought to protect against file alterations. Which of the following would be the BEST solution?
Design a training program for the staff involved to heighten information security awareness
Set role-based access permissions on the shared folder
The end user develops a PC macro program to compare sender and recipient file contents
Shared folder operators sign an agreement to pledge not to commit fraudulent activities
Set role-based access permissions on the shared folder
Which of the following BEST ensures that security risks will be reevaluated when modifications in application developments are made?
A problem management process
Background screening
A change control process
Business impact analysis (BIA)
A change control process
Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities?
Vulnerability scans
Penetration tests
Code reviews
Security audits
Penetration tests
In which of the following system development life cycle (SDLC) phases are access control and encryption algorithms chosen?
Procedural design
Architectural design
System design specifications
Software development
System design specifications
Which of the following is generally considered a fundamental component of an information security program?
Role-based access control systems
Automated access provisioning
Security awareness training
Intrusion prevention systems (IPSs)
Security awareness training
How would an organization know if its new information security program is accomplishing its goals?
Key metrics indicate a reduction in incident impacts.
Senior management has approved the program and is supportive of it.
Employees are receptive to changes that were implemented.
There is an immediate reduction in reported incidents.
Key metrics indicate a reduction in incident impacts.ing program, but are not as significant as the key metrics indicator. An immediate reduction in reported incidents, in contrast, may indicate that it is not successful.
A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that:
it simulates the real-1ife situation of an external security attack.
human intervention is not required for this type of test.
less time is spent on reconnaissance and information gathering.
critical infrastructure information is not revealed to the tester.
less time is spent on reconnaissance and information gathering.
Which of the following is the BEST method to reduce the number of incidents of employees forwarding spam and chain e-mail messages?
Acceptable use policy
Setting low mailbox limits
User awareness training
Taking disciplinary action
User awareness training
Which of the following is the BEST approach to mitigate online brute-force attacks on user accounts?
Passwords stored in encrypted form
User awareness
Strong passwords that are changed periodically
Implementation of lock-out policies
Implementation of lock-out policies
Which of the following measures is the MOST effective deterrent against disgruntled stall abusing their privileges?
Layered defense strategy
System audit log monitoring
Signed acceptable use policy
High-availability systems
Signed acceptable use policy
The advantage of sending messages using steganographic techniques, as opposed to utilizing encryption, is that:
the existence of messages is unknown.
required key sizes are smaller.
traffic cannot be sniffed.
reliability of the data is higher in transit.
the existence of messages is unknown.
As an organization grows, exceptions to information security policies that were not originally specified may become necessary at a later date. In order to ensure effective management of business risks, exceptions to such policies should be:
- considered at the discretion of the information owner.
- approved by the next higher person in the organizational structure.
- formally managed within the information security framework.
- reviewed and approved by the security manager.
formally managed within the information security framework.
There is reason to believe that a recently modified web application has allowed unauthorized access. Which is the BEST way to identify an application backdoor?
Black box pen test
Security audit
Source code review
Vulnerability scan
Source code review
Simple Network Management Protocol v2 (SNMP v2) is used frequently to monitor networks. Which of the following vulnerabilities does it always introduce?
Remote buffer overflow
Cross site scripting
Clear text authentication
Man-in-the-middle attack
Clear text authentication
Which of the following is the FIRST phase in which security should be addressed in the development cycle of a project?
Design
Implementation
Application security testing
Feasibility
Feasibility
