CISM Practice C Topic 3 Flashcards
Who can BEST advocate the development of and ensure the success of an information security program?
Steering committee
Which of the following BEST ensures that information transmitted over the Internet will remain confidential?
Virtual private network (VPN)
The effectiveness of virus detection software is MOST dependent on which of the following?
Definition tables
Which of the following is the MOST effective type of access control?
Role-based
Which of the following devices should be placed within a DMZ?
Mail relay
An intrusion detection system should be placed:
on a screened subnet.
The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to:
permit traffic load balancing.
An extranet server should be placed:
on a screened subnet.
Which of the following is the BEST metric for evaluating the effectiveness of security awareness twining?
reported incidents.
Security monitoring mechanisms should PRIMARILY:
focus on business-critical information.
Which of the following is the BEST method for ensuring that security procedures and guidelines are known and understood?
Computer-based certification training (CBT)
When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:
service level agreement (SLA).
Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism?
Ratio of false positives to false negatives
Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems?
Change management
Which of the following tools is MOST appropriate for determining how long a security project will take to implement?
Critical path
Which of the following is MOST effective in preventing security weaknesses in operating systems?
Patch management
When a proposed system change violates an existing security standard, the conflict would be BEST resolved by:
calculating the residual risk.
Who can BEST approve plans to implement an information security governance framework?
Steering committee
Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?
Role-based access controls
Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender?
Embedded digital signature
Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers?
Daily
Which of the following devices should be placed within a demilitarized zone (DMZ)?
Web server
On which of the following should a firewall be placed?
Domain boundary
An intranet server should generally be placed on the:
internal network.
Access control to a sensitive intranet application by mobile users can BEST be implemented through:
two-factor authentication.
When application-level security controlled by business process owners is found to be poorly managed, which of the following could BEST improve current practices?
Centralizing security management
Security awareness training is MOST likely to lead to which of the following?
Increase in reported incidents
The information classification scheme should:
consider possible impact of a security breach.
Which of the following is the BEST method to provide a new user with their initial password for email system access?
Give a dummy password over the telephone set for immediate expiration
An information security program should be sponsored by:
key business process owners.
Which of the following is the MOST important item to include when developing web hosting agreements with third-party providers?
Service levels
The BEST metric for evaluating the effectiveness of a firewall is the:
number of attacks blocked.
Which of the following ensures that newly identified security weaknesses in an operating system are mitigated in a timely fashion?
Patch management
The MAIN advantage of implementing automated password synchronization is that it:
reduces overall administrative workload.
Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met?
Balanced scorecard
Which of the following is MOST effective in preventing the introduction of a code modification that may reduce the security of a critical business application?
Change management
An operating system (OS) noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution?
Compensate for not installing the patch with mitigating controls
Which of the following is MOST important to the success of an information security program?
Senior management sponsorship
Which of the following is MOST important for a successful information security program?
Executive management commitment
Which of the following is the MOST effective solution for preventing individuals external to the organization from modifying sensitive information on a corporate database?
Screened subnets
Which of the following technologies is utilized to ensure that an individual connecting to a corporate internal network over the Internet is not an intruder masquerading as an authorized user?
Two-factor authentication
What is an appropriate frequency for updating operating system (OS) patches on production servers?
Whenever important security patches are released
Which of the following devices should be placed within a DMZ?
Application server
A border router should be placed on which of the following?
Domain boundary
An e-commerce order fulfillment web server should generally be placed on which of the following?
Demilitarized zone (DMZ)
Secure customer use of an e-commerce application can BEST be accomplished through:
data encryption.
What is the BEST defense against a Structured Query Language (SQL) injection attack?
Strict controls on input fields
Which of the following is the MOST important consideration when implementing an intrusion detection system (IDS)?
Tuning
Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register?
Encryption
Which of the following practices is BEST to remove system access for contractors and other temporary users when it is no longer required?
Establish predetermined automatic expiration dates
Primary direction on the impact of compliance with new regulatory requirements that may lead to major application system changes should be obtained from the:
key business process owners.
Which of the following is the MOST important item to consider when evaluating products to monitor security across the enterprise?
System overhead
Which of the following is the MOST important guideline when using software to scan for security exposures within a corporate network?
Do not interrupt production processes
Which of the following BEST ensures that modifications made to in-house developed business applications do not introduce new security exposures?
Change management
The advantage of Virtual Private Network (VPN) tunneling for remote users is that it:
helps ensure that communications are secure.
Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network?
Strong encryption
Which of the following is MOST effective in protecting against the attack technique known as phishing?
Security awareness training
When a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning, which of the following should automatically occur FIRST?
Access control should fall back to no synchronized mode
Which of the following is the MOST important risk associated with middleware in a client-server environment?
System integrity may be affected
An outsource service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know?
Security in storage and transmission of sensitive data
Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization’s network?
Safeguards over keys
In the process of deploying a new e-mail system, an information security manager would like to ensure the confidentiality of messages while in transit. Which of the following is the MOST appropriate method to ensure data confidentiality in a new e-mail system implementation?
Encryption
The MOST important reason that statistical anomaly-based intrusion detection systems (stat IDSs) are less commonly used than signature-based IDSs, is that stat IDSs:
generate false alarms from varying user or system actions.
An information security manager uses security metrics to measure the:
performance of the information security program.
The MOST important success factor to design an effective IT security awareness program is to:
customize the content to the target audience.
Which of the following practices completely prevents a man-in-the-middle (MitM) attack between two hosts?
Connect through an IPSec VPN
Which of the following features is normally missing when using Secure Sockets Layer (SSL) in a web browser?
Certificate-based authentication of web client
The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C) financial web application is:
Secure Sockets Layer (SSL).
A message that has been encrypted by the sender’s private key and again by the receiver’s public key achieves:
confidentiality and nonrepudiation.
When a user employs a client-side digital certificate to authenticate to a web server through Secure Socket Layer (SSL), confidentiality is MOST vulnerable to which of the following?
Trojan
Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee?
Security compliant servers trend report
It is important to develop an information security baseline because it helps to define:
the minimum acceptable security to be implemented.
Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation?
Public key infrastructure (PKI)
Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?
Regular review of access control lists
To BEST improve the alignment of the information security objectives in an organization, the chief information security officer (CISO) should:
evaluate a balanced business scorecard.
What is the MOST important item to be included in an information security policy?
The key objectives of the security program
In an organization, information systems security is the responsibility of:
all personnel.
An organization without any formal information security program that has decided to implement information security best practices should FIRST:
define high-level business security requirements.
When considering the value of assets, which of the following would give the information security manager the MOST objective basis for measurement of value delivery in information security governance?
Cost of achieving control objectives
Which of the following would be the BEST metric for the IT risk management process?
Percentage of critical assets with budgeted remedial
Which of the following is a key area of the ISO 27001 framework?
Business continuity management
The MAIN goal of an information security strategic plan is to:
protect information assets and resources.
Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?
Encrypting first by sender’s private key and second by receiver’s public key
The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to:
rebuild the system from the original installation medium.
The IT function has declared that, when putting a new application into production, it is not necessary to update the business impact analysis (BIA) because it does not produce modifications in the business processes. The information security manager should:
verify the decision with the business units.
A risk assessment study carried out by an organization noted that there is no segmentation of the local area network (LAN). Network segmentation would reduce the potential impact of which of the following?
Traffic sniffing
The PRIMARY objective of an Internet usage policy is to prevent:
disruption of Internet access.
An internal review of a web-based application system finds the ability to gain access to all employees’ accounts by changing the employee’s ID on the URL used for accessing the account. The vulnerability identified is:
broken authentication.
A test plan to validate the security controls of a new system should be developed during which phase of the project?
Design
The MOST effective way to ensure that outsourced service providers comply with the organization’s information security policy would be:
periodically auditing.
In order to protect a network against unauthorized external connections to corporate systems, the information security manager should BEST implement:
a strong authentication.
The PRIMARY driver to obtain external resources to execute the information security program is that external resources can:
contribute cost-effective expertise not available internally.
Priority should be given to which of the following to ensure effective implementation of information security governance?
Planning
The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information security program is to:
provide a high assurance of identity.
Which of the following controls would BEST prevent accidental system shutdown from the console or operations area?
Protective switch covers
Which of the following is the MOST important reason why information security objectives should be defined?
Tool for measuring effectiveness
What is the BEST policy for securing data on mobile universal serial bus (USB) drives?
Encryption
When speaking to an organization’s human resources department about information security, an information security manager should focus on the need for:
security awareness training for employees.
Which of the following would BEST protect an organization’s confidential data stored on a laptop computer from unauthorized access?
Encrypted hard drives
What is the MOST important reason for conducting security awareness programs throughout an organization?
Reducing the human risk
At what stage of the applications development process would encryption key management initially be addressed?
Requirements development
The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization’s security requirements is:
messages displayed at every logon.
Which of the following would be the BEST defense against sniffing?
Encrypt the data being transmitted
A digital signature using a public key infrastructure (PKI) will:
rely on the extent to which the certificate authority (CA) is trusted.
When configuring a biometric access control system that protects a high-security data center, the system’s sensitivity level should be set:
to a higher false reject rate (FRR).
Which of the following is the BEST method to securely transfer a message?
Using public key infrastructure (PKI) encryption
Which of the following would be the FIRST step in establishing an information security program?
Develop the security plan.
An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage cross-training. Which type of authorization policy would BEST address this practice?
Role-based
Which of the following is the MOST important reason for an information security review of contracts?
appropriate controls are included.
For virtual private network (VPN) access to the corporate network, the information security manager is requiring strong authentication. Which of the following is the strongest method to ensure that logging onto the network is secure?
Two-factor authentication
Which of the following guarantees that data in a file have not changed?
Creating a hash of the file, then comparing the file hashes
Which of the following mechanisms is the MOST secure way to implement a secure wireless network?
Use a Wi-Fi Protected Access (WPA2) protocol
Which of the following devices could potentially stop a Structured Query Language (SQL) injection attack?
An intrusion prevention system (IPS)
Nonrepudiation can BEST be ensured by using:
digital signatures.
