CISM Practice C Topic 4

Question 1

The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to:

Answer 1

establish security baselines.

Question 2

A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration?

Answer 2

User

Question 3

The BEST way to ensure that information security policies are followed is to:

Answer 3

perform periodic reviews for compliance.

Question 4

The MOST appropriate individual to determine the level of information security needed for a specific business application is the:

Answer 4

system data owner.

Question 5

Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual needing to have his or her password reset?

Answer 5

Conducting security awareness programs

Question 6

Which of the following is the MOST likely to change an organization’s culture to one that is more security conscious?

Answer 6

Security awareness campaigns

Question 7

The BEST way to ensure that an external service provider complies with organizational security policies is to:

Answer 7

Perform periodic reviews of the service provider.

Question 8

When an emergency security patch is received via electronic mail, the patch should FIRST be:

Answer 8

validated to ensure its authenticity.

Question 9

In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software?

Answer 9

Changing access rules

Question 10

Which of the following is the BEST indicator that security awareness training has been effective?

Answer 10

More incidents are being reported

Question 11

Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs?

Answer 11

Penetration attempts investigated

Question 12

Which of the following change management activities would be a clear indicator that normal operational procedures require examination?

Answer 12

emergency change requests.

Question 13

Which of the following is the MOST important management signoff for migrating an order processing system from a test environment to a production environment?

Answer 13

User

Question 14

Prior to having a third party perform an attack and penetration test against an organization, the MOST important action is to ensure that:

Answer 14

goals and objectives are clearly defined.

Question 15

When a departmental system continues to be out of compliance with an information security policy’s password strength requirements, the BEST action to undertake is to:

Answer 15

conduct an impact analysis to quantify the risks.

Question 16

Which of the following is MOST important to the successful promotion of good security management practices?

Answer 16

Management support

Question 17

Which of the following environments represents the GREATEST risk to organizational security?

Answer 17

Locally managed file server

Question 18

Nonrepudiation can BEST be assured by using:

Answer 18

digital signatures.

Question 19

Of the following, the BEST method for ensuring that temporary employees do not receive excessive access rights is:

Answer 19

role-based access controls.

Question 20

Which of the following areas is MOST susceptible to the introduction of security weaknesses?

Answer 20

Configuration management

Question 21

Security policies should be aligned MOST closely with:

Answer 21

organizational needs.

Question 22

The BEST way to determine if an anomaly-based intrusion detection system (IDS) is properly installed is to:

Answer 22

simulate an attack and review IDS performance.

Question 23

The BEST time to perform a penetration test is after:

Answer 23

various infrastructure changes are made.

Question 24

Successful social engineering attacks can BEST be prevented through:

Answer 24

periodic awareness training.

Question 25

What is the BEST way to ensure that an intruder who successfully penetrates a network will be detected before significant damage is inflicted?

Answer 25

Install a honeypot on the network

Question 26

Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?

Answer 26

Operating system (OS) security patches have not been applied

Question 27

In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources?

Answer 27

Conducting periodic security awareness programs

Question 28

Which of the following will BEST ensure that management takes ownership of the decision making process for information security?

Answer 28

Security-steering committees

Question 29

Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?

Answer 29

Process owner

Question 30

What is the BEST way to ensure that contract programmers comply with organizational security policies?

Answer 30

Perform periodic security reviews of the contractors

Question 31

Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected?

Answer 31

Backing up files

Question 32

Security awareness training should be provided to new employees:

Answer 32

before they have access to data.

Question 33

What is the BEST method to verify that all security patches applied to servers were properly documented?

Answer 33

Trace OS patch logs to change control requests

Question 34

A security awareness program should:

Answer 34

address specific groups and roles.

Question 35

The PRIMARY objective of security awareness is to:

Answer 35

influence employee behavior.

Question 36

Which of the following will BEST protect against malicious activity by a former employee?

Answer 36

Effective termination procedures

Question 37

Which of the following represents a PRIMARY area of interest when conducting a penetration test?

Answer 37

Network mapping

Question 38

The return on investment of information security can BEST be evaluated through which of the following?

Answer 38

Support of business objectives

Question 39

To help ensure that contract personnel do not obtain unauthorized access to sensitive information, an information security manager should PRIMARILY:

Answer 39

avoid granting system administration roles.

Question 40

Information security policies should:

Answer 40

be straightforward and easy to understand.

Question 41

Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack?

Answer 41

Perform periodic penetration testing.

Question 42

Which of the following presents the GREATEST exposure to internal attack on a network?

Answer 42

User passwords are encoded but not encrypted

Question 43

Which of the following provides the linkage to ensure that procedures are correctly aligned with information security policy requirements?

Answer 43

Standards

Question 44

Which of the following are the MOST important individuals to include as members of an information security steering committee?

Answer 44

IT management and key business process owners

Question 45

Security audit reviews should PRIMARILY:

Answer 45

ensure that controls operate as required.

Question 46

Which of the following is the MOST appropriate method to protect a password that opens a confidential file?

Answer 46

Out-of-band channels

Question 47

What is the MOST effective access control method to prevent users from sharing files with unauthorized users?

Answer 47

Mandatory

Question 48

Which of the following is an inherent weakness of signature-based intrusion detection systems?

Answer 48

New attack methods will be missed

Question 49

Data owners are normally responsible for which of the following?

Answer 49

Determining the level of application security required

Question 50

Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process?

Answer 50

System user

Question 51

What is the BEST way to ensure users comply with organizational security requirements for password complexity?

Answer 51

Enable system-enforced password configuration

Question 52

Which of the following is the MOST appropriate method for deploying operating system (OS) patches to production application servers?

Answer 52

Initially load the patches on a test machine

Question 53

Which of the following would present the GREATEST risk to information security?

Answer 53

Security incidents are investigated within five business days

Question 54

The PRIMARY reason for using metrics to evaluate information security is to:

Answer 54

enable steady improvement.

Question 55

What is the BEST method to confirm that all firewall rules and router configuration settings are adequate?

Answer 55

Periodically perform penetration tests

Question 56

Which of the following is MOST important for measuring the effectiveness of a security awareness program?

Answer 56

A quantitative evaluation to ensure user comprehension

Question 57

Which of the following is the MOST important action to take when engaging third-party consultants to conduct an attack and penetration test?

Answer 57

Establish clear rules of engagement

Question 58

Which of the following will BEST prevent an employee from using a USB drive to copy files from desktop computers?

Answer 58

Restrict the available drive allocation on all PCs

Question 59

Which of the following is the MOST important area of focus when examining potential security compromise of a new wireless network?

Answer 59

Number of administrators

Question 60

Good information security standards should:

Answer 60

define precise and unambiguous allowable limits.

Question 61

Good information security procedures should:

Answer 61

be updated frequently as new software is released.

Question 62

What is the MAIN drawback of e-mailing password-protected zip files across the Internet?

Answer 62

may be quarantined by mail filters.

Question 63

A major trading partner with access to the internal network is unwilling or unable to remediate serious information security exposures within its environment. Which of the following is the BEST recommendation?

Answer 63

Set up firewall rules restricting network traffic from that location

Question 64

Documented standards/procedures for the use of cryptography across the enterprise should PRIMARILY:

Answer 64

define the circumstances where cryptography should be used.

Question 65

Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system (IDS) with the threshold set to a low value?

Answer 65

The number of false positives increases

Question 66

What is the MOST appropriate change management procedure for the handling of emergency program changes?

Answer 66

Documentation is completed with approval soon after the change

Question 67

Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken?

Answer 67

Security steering committee

Question 68

The PRIMARY focus of the change control process is to ensure that changes are:

Answer 68

authorized

Question 69

An information security manager has been asked to develop a change control process. What is the FIRST thing the information security manager should do?

Answer 69

Meet with stakeholders

Question 70

A critical device is delivered with a single user and password that is required to be shared for multiple users to access the device. An information security manager has been tasked with ensuring all access to the device is authorized. Which of the following would be the MOST efficient means to accomplish this?

Answer 70

Enable access through a separate device that requires adequate authentication

Question 71

Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application?

Answer 71

IT security policy

Question 72

Which of the following is the MOST important process that an information security manager needs to negotiate with an outsource service provider?

Answer 72

The right to conduct independent security reviews

Question 73

Which resource is the MOST effective in preventing physical access tailgating/piggybacking?

Answer 73

Awareness training

Question 74

In business critical applications, where shared access to elevated privileges by a small group is necessary, the BEST approach to implement adequate segregation of duties is to:

Answer 74

implement role-based access control in the application.

Question 75

In business-critical applications, user access should be approved by the:

Answer 75

data owner.

Question 76

In organizations where availability is a primary concern, the MOST critical success factor of the patch management procedure would be the:

Answer 76

testing time window prior to deployment.

Question 77

To ensure that all information security procedures are functional and accurate, they should be designed with the involvement of:

Answer 77

operational units.

Question 78

An information security manager reviewed the access control lists and observed that privileged access was granted to an entire department. Which of the following should the information security manager do FIRST?

Answer 78

Meet with data owners to understand business needs

Question 79

When security policies are strictly enforced, the initial impact is that:

Answer 79

the total cost of security is increased.

Question 80

A business partner of a factory has remote read-only access to material inventory to forecast future acquisition orders. An information security manager should PRIMARILY ensure that there is:

Answer 80

an effective control over connectivity and continuity.

Question 81

Which of the following should be in place before a black box penetration test begins?

Answer 81

A clearly stated definition of scope

Question 82

What is the MOST important element to include when developing user security awareness material?

Answer 82

Easy-to-read and compelling information

Question 83

What is the MOST important success factor in launching a corporate information security awareness program?

Answer 83

Top-down approach

Question 84

Which of the following events generally has the highest information security impact?

Answer 84

Merging with another organization

Question 85

The configuration management plan should PRIMARILY be based upon input from:

Answer 85

IT senior management.

Question 86

Which of the following is the MOST effective, positive method to promote security awareness?

Answer 86

Competitions and rewards for compliance

Question 87

An information security program should focus on:

Answer 87

key controls identified in risk assessments.

Question 88

Who should determine the appropriate classification of accounting ledger data located on a database server and maintained by a database administrator in the IT department?

Answer 88

Finance department management

Question 89

Which of the following would be the MOST significant security risk in a pharmaceutical institution?

Answer 89

Theft of a Research and Development laptop

Question 90

Which of the following is the BEST tool to maintain the currency and coverage of an information security program within an organization?

Answer 90

The program’s governance oversight mechanisms

Question 91

Which of the following would BEST assist an information security manager in measuring the existing level of development of security processes against their desired state?

Answer 91

Capability maturity model (CMM)

Question 92

Who is responsible for raising awareness of the need for adequate funding for risk action plans?

Answer 92

Information security manager

Question 93

Managing the life cycle of a digital certificate is a role of a(n):

Answer 93

independent trusted source.

Question 94

Which of the following would be MOST critical to the successful implementation of a biometric authentication system?

Answer 94

User acceptance

Question 95

Change management procedures to ensure that disaster recovery/business continuity plans are kept up-to-date can be BEST achieved through which of the following?

Answer 95

Inclusion as a required step in the system life cycle process

Question 96

When a new key business application goes into production, the PRIMARY reason to update relevant business impact analysis (BIA) and business continuity/disaster recovery plans is because:

Answer 96

service level agreements may not otherwise be met.

Question 97

To reduce the possibility of service interruptions, an entity enters into contracts with multiple Internet service providers (ISPs). Which of the following would be the MOST important item to include?

Answer 97

Service level agreements (SLAs)

Question 98

To mitigate a situation where one of the programmers of an application requires access to production data, the information security manager could BEST recommend to:

Answer 98

log all of the programmers’ activity for review by supervisor.

Question 99

Before engaging outsourced providers, an information security manager should ensure that the organization’s data classification requirements:

Answer 99

are stated in the contract.

Question 100

What is the GREATEST risk when there is an excessive number of firewall rules?

Answer 100

One rule may override another rule in the chain and create a loophole

Question 101

Which of the following would be the MOST appropriate physical security solution for the main entrance to a data center?

Answer 101

Biometric lock

Question 102

What is the GREATEST advantage of documented guidelines and operating procedures from a security perspective?

Answer 102

Ensure consistency of activities to provide a more stable environment

Question 103

What is the BEST way to ensure data protection upon termination of employment?

Answer 103

Ensure all logical access is removed

Question 104

The MOST important reason for formally documenting security procedures is to ensure:

Answer 104

processes are repeatable and sustainable.

Question 105

Which of the following is the BEST approach for an organization desiring to protect its intellectualproperty?

Answer 105

Restrict access to a need-to-know basis

Question 106

The “separation of duties” principle is violated if which of the following individuals has update rights to the database access control list (ACL)?

Answer 106

Systems programmer

Question 107

An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download non-sensitive production data for software testing purposes. The information security manager should recommend which of the following?

Answer 107

Restrict account access to read only

Question 108

Which would be the BEST recommendation to protect against phishing attacks?

Answer 108

Publish security guidance for customers

Question 109

Which of the following is the BEST indicator that an effective security control is built into an organization?

Answer 109

The monthly service level statistics indicate a minimal impact from security issues.

Question 110

What is the BEST way to alleviate security team understaffing while retaining the capability inhouse?

Answer 110

Establish a virtual security team from competent employees across the company

Question 111

An information security manager wishing to establish security baselines would:

Answer 111

implement the security baselines to establish information security best practices.

Question 112

Requiring all employees and contractors to meet personnel security/suitability requirements commensurate with their position sensitivity level and subject to personnel screening is an example of a security:

Answer 112

policy.

Question 113

An organization’s information security manager has been asked to hire a consultant to help assess the maturity level of the organization’s information security management. The MOST important element of the request for proposal (RFP) is the:

Answer 113

methodology used in the assessment.

Question 114

Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to:

Answer 114

assess the problems and institute rollback procedures, if needed.

Question 115

When defining a service level agreement (SLA) regarding the level of data confidentiality that is handled by a third-party service provider, the BEST indicator of compliance would be the:

Answer 115

access control matrix.

Question 116

The PRIMARY reason for involving information security at each stage in the systems development life cycle (SDLC) is to identify the security implications and potential solutions required for:

Answer 116

sustaining the organization’s security posture.It is important to maintain the organization’s security posture at all times. The focus should not be confined to the new system being developed or acquired, or to the existing systems in use. Segregation of duties is only part of a solution to improving the security of the systems, not the primary reason to involve security in the systems development life cycle (SDLC)

Question 117

The implementation of continuous monitoring controls is the BEST option where:

Answer 117

incidents may have a high impact and frequency

Question 118

A third party was engaged to develop a business application. Which of the following would an information security manager BEST test for the existence of back doors?

Answer 118

Security code reviews for the entire application

Question 119

An information security manager reviewing firewall rules will be MOST concerned if the firewall allows:

Answer 119

source routing.

Question 120

What is the MOST cost-effective means of improving security awareness of staff personnel?

Answer 120

User education and training

Question 121

Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)?

Answer 121

Awareness training

Question 122

Data owners will determine what access and authorizations users will have by:

Answer 122

mapping to business needs.

Question 123

Which of the following is the MOST likely outcome of a well-designed information security awareness course?

Answer 123

Increased reporting of security incidents to the incident response function

Question 124

Which item would be the BEST to include in the information security awareness training program for new general staff employees?

Answer 124

Review of various security models

Question 125

A critical component of a continuous improvement program for information security is:

Answer 125

measuring processes and providing feedback.

Question 126

The management staff of an organization that does not have a dedicated security function decides to use its IT manager to perform a security review. The MAIN job requirement in this arrangement is that the IT manager:

Answer 126

report significant security risks.

Question 127

An organization has implemented an enterprise resource planning (ERP) system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate?

Answer 127

Role-based

Question 128

An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that:

Answer 128

the contract should mandate that the service provider will comply with security policies.

Question 129

Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?

Answer 129

To receive an independent view of security exposures

Question 130

A new port needs to be opened in a perimeter firewall. Which of the following should be the FIRST step before initiating any changes?

Answer 130

Prepare an impact assessment report.

Question 131

An organization plans to outsource its customer relationship management (CRM) to a third-party service provider. Which of the following should the organization do FIRST?

Answer 131

Perform an internal risk assessment to determine needed controls.

Question 132

Which of the following would raise security awareness among an organization’s employees?

Answer 132

Continually reinforcing the security policy

Question 133

Which of the following is the MOST appropriate method of ensuring password strength in a large organization?

Answer 133

Review general security settings on each platform

Question 134

What is the MOST cost-effective method of identifying new vendor vulnerabilities?

Answer 134

External vulnerability reporting sources

Question 135

Which of the following is the BEST approach for improving information security management processes?

Answer 135

Define and monitor security metrics.

Question 136

An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to:

Answer 136

validate and sanitize client side inputs.

Question 137

The root cause of a successful cross site request forgery (XSRF) attack against an application is that the vulnerable application:

Answer 137

has implemented cookies as the sole authentication mechanism.

Question 138

Of the following, retention of business records should be PRIMARILY based on:

Answer 138

regulatory and legal requirements.

Question 139

An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?

Answer 139

Ensuring that the third party is contractually obligated to all relevant security requirements

Question 140

An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract?

Answer 140

Right to audit

Question 141

Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?

Answer 141

Conduct regular security reviews of the third-party provider

Question 142

An organization’s operations staff places payment files in a shared network folder and then the disbursement staff picks up the files for payment processing. This manual intervention will be automated some months later, thus cost-efficient controls are sought to protect against file alterations. Which of the following would be the BEST solution?

Answer 142

Set role-based access permissions on the shared folder

Question 143

Which of the following BEST ensures that security risks will be reevaluated when modifications in application developments are made?

Answer 143

A change control process

Question 144

Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities?

Answer 144

Penetration tests

Question 145

In which of the following system development life cycle (SDLC) phases are access control and encryption algorithms chosen?

Answer 145

System design specifications

Question 146

Which of the following is generally considered a fundamental component of an information security program?

Answer 146

Security awareness training

Question 147

How would an organization know if its new information security program is accomplishing its goals?

Answer 147

Key metrics indicate a reduction in incident impacts.ing program, but are not as significant as the key metrics indicator. An immediate reduction in reported incidents, in contrast, may indicate that it is not successful.

Question 148

A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that:

Answer 148

less time is spent on reconnaissance and information gathering.

Question 149

Which of the following is the BEST method to reduce the number of incidents of employees forwarding spam and chain e-mail messages?

Answer 149

User awareness training

Question 150

Which of the following is the BEST approach to mitigate online brute-force attacks on user accounts?

Answer 150

Implementation of lock-out policies

Question 151

Which of the following measures is the MOST effective deterrent against disgruntled stall abusing their privileges?

Answer 151

Signed acceptable use policy

Question 152

The advantage of sending messages using steganographic techniques, as opposed to utilizing encryption, is that:

Answer 152

the existence of messages is unknown.

Question 153

As an organization grows, exceptions to information security policies that were not originally specified may become necessary at a later date. In order to ensure effective management of business risks, exceptions to such policies should be:

Answer 153

formally managed within the information security framework.

Question 154

There is reason to believe that a recently modified web application has allowed unauthorized access. Which is the BEST way to identify an application backdoor?

Answer 154

Source code review

Question 155

Simple Network Management Protocol v2 (SNMP v2) is used frequently to monitor networks. Which of the following vulnerabilities does it always introduce?

Answer 155

Clear text authentication

Question 156

Which of the following is the FIRST phase in which security should be addressed in the development cycle of a project?

Answer 156

Feasibility