CISM Practice C Topic 3

Question 1

Who can BEST advocate the development of and ensure the success of an information security program?

Answer 1

Steering committee

Question 2

Which of the following BEST ensures that information transmitted over the Internet will remain confidential?

Answer 2

Virtual private network (VPN)

Question 3

The effectiveness of virus detection software is MOST dependent on which of the following?

Answer 3

Definition tables

Question 4

Which of the following is the MOST effective type of access control?

Answer 4

Role-based

Question 5

Which of the following devices should be placed within a DMZ?

Answer 5

Mail relay

Question 6

An intrusion detection system should be placed:

Answer 6

on a screened subnet.

Question 7

The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to:

Answer 7

permit traffic load balancing.

Question 8

An extranet server should be placed:

Answer 8

on a screened subnet.

Question 9

Which of the following is the BEST metric for evaluating the effectiveness of security awareness twining?

Answer 9

reported incidents.

Question 10

Security monitoring mechanisms should PRIMARILY:

Answer 10

focus on business-critical information.

Question 11

Which of the following is the BEST method for ensuring that security procedures and guidelines are known and understood?

Answer 11

Computer-based certification training (CBT)

Question 12

When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:

Answer 12

service level agreement (SLA).

Question 13

Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism?

Answer 13

Ratio of false positives to false negatives

Question 14

Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems?

Answer 14

Change management

Question 15

Which of the following tools is MOST appropriate for determining how long a security project will take to implement?

Answer 15

Critical path

Question 16

Which of the following is MOST effective in preventing security weaknesses in operating systems?

Answer 16

Patch management

Question 17

When a proposed system change violates an existing security standard, the conflict would be BEST resolved by:

Answer 17

calculating the residual risk.

Question 18

Who can BEST approve plans to implement an information security governance framework?

Answer 18

Steering committee

Question 19

Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?

Answer 19

Role-based access controls

Question 20

Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender?

Answer 20

Embedded digital signature

Question 21

Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers?

Answer 21

Daily

Question 22

Which of the following devices should be placed within a demilitarized zone (DMZ)?

Answer 22

Web server

Question 23

On which of the following should a firewall be placed?

Answer 23

Domain boundary

Question 24

An intranet server should generally be placed on the:

Answer 24

internal network.

Question 25

Access control to a sensitive intranet application by mobile users can BEST be implemented through:

Answer 25

two-factor authentication.

Question 26

When application-level security controlled by business process owners is found to be poorly managed, which of the following could BEST improve current practices?

Answer 26

Centralizing security management

Question 27

Security awareness training is MOST likely to lead to which of the following?

Answer 27

Increase in reported incidents

Question 28

The information classification scheme should:

Answer 28

consider possible impact of a security breach.

Question 29

Which of the following is the BEST method to provide a new user with their initial password for email system access?

Answer 29

Give a dummy password over the telephone set for immediate expiration

Question 30

An information security program should be sponsored by:

Answer 30

key business process owners.

Question 31

Which of the following is the MOST important item to include when developing web hosting agreements with third-party providers?

Answer 31

Service levels

Question 32

The BEST metric for evaluating the effectiveness of a firewall is the:

Answer 32

number of attacks blocked.

Question 33

Which of the following ensures that newly identified security weaknesses in an operating system are mitigated in a timely fashion?

Answer 33

Patch management

Question 34

The MAIN advantage of implementing automated password synchronization is that it:

Answer 34

reduces overall administrative workload.

Question 35

Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met?

Answer 35

Balanced scorecard

Question 36

Which of the following is MOST effective in preventing the introduction of a code modification that may reduce the security of a critical business application?

Answer 36

Change management

Question 37

An operating system (OS) noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution?

Answer 37

Compensate for not installing the patch with mitigating controls

Question 38

Which of the following is MOST important to the success of an information security program?

Answer 38

Senior management sponsorship

Question 39

Which of the following is MOST important for a successful information security program?

Answer 39

Executive management commitment

Question 40

Which of the following is the MOST effective solution for preventing individuals external to the organization from modifying sensitive information on a corporate database?

Answer 40

Screened subnets

Question 41

Which of the following technologies is utilized to ensure that an individual connecting to a corporate internal network over the Internet is not an intruder masquerading as an authorized user?

Answer 41

Two-factor authentication

Question 42

What is an appropriate frequency for updating operating system (OS) patches on production servers?

Answer 42

Whenever important security patches are released

Question 43

Which of the following devices should be placed within a DMZ?

Answer 43

Application server

Question 44

A border router should be placed on which of the following?

Answer 44

Domain boundary

Question 45

An e-commerce order fulfillment web server should generally be placed on which of the following?

Answer 45

Demilitarized zone (DMZ)

Question 46

Secure customer use of an e-commerce application can BEST be accomplished through:

Answer 46

data encryption.

Question 47

What is the BEST defense against a Structured Query Language (SQL) injection attack?

Answer 47

Strict controls on input fields

Question 48

Which of the following is the MOST important consideration when implementing an intrusion detection system (IDS)?

Answer 48

Tuning

Question 49

Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register?

Answer 49

Encryption

Question 50

Which of the following practices is BEST to remove system access for contractors and other temporary users when it is no longer required?

Answer 50

Establish predetermined automatic expiration dates

Question 51

Primary direction on the impact of compliance with new regulatory requirements that may lead to major application system changes should be obtained from the:

Answer 51

key business process owners.

Question 52

Which of the following is the MOST important item to consider when evaluating products to monitor security across the enterprise?

Answer 52

System overhead

Question 53

Which of the following is the MOST important guideline when using software to scan for security exposures within a corporate network?

Answer 53

Do not interrupt production processes

Question 54

Which of the following BEST ensures that modifications made to in-house developed business applications do not introduce new security exposures?

Answer 54

Change management

Question 55

The advantage of Virtual Private Network (VPN) tunneling for remote users is that it:

Answer 55

helps ensure that communications are secure.

Question 56

Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network?

Answer 56

Strong encryption

Question 57

Which of the following is MOST effective in protecting against the attack technique known as phishing?

Answer 57

Security awareness training

Question 58

When a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning, which of the following should automatically occur FIRST?

Answer 58

Access control should fall back to no synchronized mode

Question 59

Which of the following is the MOST important risk associated with middleware in a client-server environment?

Answer 59

System integrity may be affected

Question 60

An outsource service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know?

Answer 60

Security in storage and transmission of sensitive data

Question 61

Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization’s network?

Answer 61

Safeguards over keys

Question 62

In the process of deploying a new e-mail system, an information security manager would like to ensure the confidentiality of messages while in transit. Which of the following is the MOST appropriate method to ensure data confidentiality in a new e-mail system implementation?

Answer 62

Encryption

Question 63

The MOST important reason that statistical anomaly-based intrusion detection systems (stat IDSs) are less commonly used than signature-based IDSs, is that stat IDSs:

Answer 63

generate false alarms from varying user or system actions.

Question 64

An information security manager uses security metrics to measure the:

Answer 64

performance of the information security program.

Question 65

The MOST important success factor to design an effective IT security awareness program is to:

Answer 65

customize the content to the target audience.

Question 66

Which of the following practices completely prevents a man-in-the-middle (MitM) attack between two hosts?

Answer 66

Connect through an IPSec VPN

Question 67

Which of the following features is normally missing when using Secure Sockets Layer (SSL) in a web browser?

Answer 67

Certificate-based authentication of web client

Question 68

The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C) financial web application is:

Answer 68

Secure Sockets Layer (SSL).

Question 69

A message that has been encrypted by the sender’s private key and again by the receiver’s public key achieves:

Answer 69

confidentiality and nonrepudiation.

Question 70

When a user employs a client-side digital certificate to authenticate to a web server through Secure Socket Layer (SSL), confidentiality is MOST vulnerable to which of the following?

Answer 70

Trojan

Question 71

Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee?

Answer 71

Security compliant servers trend report

Question 72

It is important to develop an information security baseline because it helps to define:

Answer 72

the minimum acceptable security to be implemented.

Question 73

Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation?

Answer 73

Public key infrastructure (PKI)

Question 74

Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?

Answer 74

Regular review of access control lists

Question 75

To BEST improve the alignment of the information security objectives in an organization, the chief information security officer (CISO) should:

Answer 75

evaluate a balanced business scorecard.

Question 76

What is the MOST important item to be included in an information security policy?

Answer 76

The key objectives of the security program

Question 77

In an organization, information systems security is the responsibility of:

Answer 77

all personnel.

Question 78

An organization without any formal information security program that has decided to implement information security best practices should FIRST:

Answer 78

define high-level business security requirements.

Question 79

When considering the value of assets, which of the following would give the information security manager the MOST objective basis for measurement of value delivery in information security governance?

Answer 79

Cost of achieving control objectives

Question 80

Which of the following would be the BEST metric for the IT risk management process?

Answer 80

Percentage of critical assets with budgeted remedial

Question 81

Which of the following is a key area of the ISO 27001 framework?

Answer 81

Business continuity management

Question 82

The MAIN goal of an information security strategic plan is to:

Answer 82

protect information assets and resources.

Question 83

Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?

Answer 83

Encrypting first by sender’s private key and second by receiver’s public key

Question 84

The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to:

Answer 84

rebuild the system from the original installation medium.

Question 85

The IT function has declared that, when putting a new application into production, it is not necessary to update the business impact analysis (BIA) because it does not produce modifications in the business processes. The information security manager should:

Answer 85

verify the decision with the business units.

Question 86

A risk assessment study carried out by an organization noted that there is no segmentation of the local area network (LAN). Network segmentation would reduce the potential impact of which of the following?

Answer 86

Traffic sniffing

Question 87

The PRIMARY objective of an Internet usage policy is to prevent:

Answer 87

disruption of Internet access.

Question 88

An internal review of a web-based application system finds the ability to gain access to all employees’ accounts by changing the employee’s ID on the URL used for accessing the account. The vulnerability identified is:

Answer 88

broken authentication.

Question 89

A test plan to validate the security controls of a new system should be developed during which phase of the project?

Answer 89

Design

Question 90

The MOST effective way to ensure that outsourced service providers comply with the organization’s information security policy would be:

Answer 90

periodically auditing.

Question 91

In order to protect a network against unauthorized external connections to corporate systems, the information security manager should BEST implement:

Answer 91

a strong authentication.

Question 92

The PRIMARY driver to obtain external resources to execute the information security program is that external resources can:

Answer 92

contribute cost-effective expertise not available internally.

Question 93

Priority should be given to which of the following to ensure effective implementation of information security governance?

Answer 93

Planning

Question 94

The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information security program is to:

Answer 94

provide a high assurance of identity.

Question 95

Which of the following controls would BEST prevent accidental system shutdown from the console or operations area?

Answer 95

Protective switch covers

Question 96

Which of the following is the MOST important reason why information security objectives should be defined?

Answer 96

Tool for measuring effectiveness

Question 97

What is the BEST policy for securing data on mobile universal serial bus (USB) drives?

Answer 97

Encryption

Question 98

When speaking to an organization’s human resources department about information security, an information security manager should focus on the need for:

Answer 98

security awareness training for employees.

Question 99

Which of the following would BEST protect an organization’s confidential data stored on a laptop computer from unauthorized access?

Answer 99

Encrypted hard drives

Question 100

What is the MOST important reason for conducting security awareness programs throughout an organization?

Answer 100

Reducing the human risk

Question 101

At what stage of the applications development process would encryption key management initially be addressed?

Answer 101

Requirements development

Question 102

The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization’s security requirements is:

Answer 102

messages displayed at every logon.

Question 103

Which of the following would be the BEST defense against sniffing?

Answer 103

Encrypt the data being transmitted

Question 104

A digital signature using a public key infrastructure (PKI) will:

Answer 104

rely on the extent to which the certificate authority (CA) is trusted.

Question 105

When configuring a biometric access control system that protects a high-security data center, the system’s sensitivity level should be set:

Answer 105

to a higher false reject rate (FRR).

Question 106

Which of the following is the BEST method to securely transfer a message?

Answer 106

Using public key infrastructure (PKI) encryption

Question 107

Which of the following would be the FIRST step in establishing an information security program?

Answer 107

Develop the security plan.

Question 108

An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage cross-training. Which type of authorization policy would BEST address this practice?

Answer 108

Role-based

Question 109

Which of the following is the MOST important reason for an information security review of contracts?

Answer 109

appropriate controls are included.

Question 110

For virtual private network (VPN) access to the corporate network, the information security manager is requiring strong authentication. Which of the following is the strongest method to ensure that logging onto the network is secure?

Answer 110

Two-factor authentication

Question 111

Which of the following guarantees that data in a file have not changed?

Answer 111

Creating a hash of the file, then comparing the file hashes

Question 112

Which of the following mechanisms is the MOST secure way to implement a secure wireless network?

Answer 112

Use a Wi-Fi Protected Access (WPA2) protocol

Question 113

Which of the following devices could potentially stop a Structured Query Language (SQL) injection attack?

Answer 113

An intrusion prevention system (IPS)

Question 114

Nonrepudiation can BEST be ensured by using:

Answer 114

digital signatures.