CISM Practice C Topic 4 Flashcards
The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to:
establish security baselines.
A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration?
User
The BEST way to ensure that information security policies are followed is to:
perform periodic reviews for compliance.
The MOST appropriate individual to determine the level of information security needed for a specific business application is the:
system data owner.
Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual needing to have his or her password reset?
Conducting security awareness programs
Which of the following is the MOST likely to change an organization’s culture to one that is more security conscious?
Security awareness campaigns
The BEST way to ensure that an external service provider complies with organizational security policies is to:
Perform periodic reviews of the service provider.
When an emergency security patch is received via electronic mail, the patch should FIRST be:
validated to ensure its authenticity.
In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software?
Changing access rules
Which of the following is the BEST indicator that security awareness training has been effective?
More incidents are being reported
Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs?
Penetration attempts investigated
Which of the following change management activities would be a clear indicator that normal operational procedures require examination?
emergency change requests.
Which of the following is the MOST important management signoff for migrating an order processing system from a test environment to a production environment?
User
Prior to having a third party perform an attack and penetration test against an organization, the MOST important action is to ensure that:
goals and objectives are clearly defined.
When a departmental system continues to be out of compliance with an information security policy’s password strength requirements, the BEST action to undertake is to:
conduct an impact analysis to quantify the risks.
Which of the following is MOST important to the successful promotion of good security management practices?
Management support
Which of the following environments represents the GREATEST risk to organizational security?
Locally managed file server
Nonrepudiation can BEST be assured by using:
digital signatures.
Of the following, the BEST method for ensuring that temporary employees do not receive excessive access rights is:
role-based access controls.
Which of the following areas is MOST susceptible to the introduction of security weaknesses?
Configuration management
Security policies should be aligned MOST closely with:
organizational needs.
The BEST way to determine if an anomaly-based intrusion detection system (IDS) is properly installed is to:
simulate an attack and review IDS performance.
The BEST time to perform a penetration test is after:
various infrastructure changes are made.
Successful social engineering attacks can BEST be prevented through:
periodic awareness training.
What is the BEST way to ensure that an intruder who successfully penetrates a network will be detected before significant damage is inflicted?
Install a honeypot on the network
Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?
Operating system (OS) security patches have not been applied
In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources?
Conducting periodic security awareness programs
Which of the following will BEST ensure that management takes ownership of the decision making process for information security?
Security-steering committees
Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?
Process owner
What is the BEST way to ensure that contract programmers comply with organizational security policies?
Perform periodic security reviews of the contractors
Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected?
Backing up files
Security awareness training should be provided to new employees:
before they have access to data.
What is the BEST method to verify that all security patches applied to servers were properly documented?
Trace OS patch logs to change control requests
A security awareness program should:
address specific groups and roles.
The PRIMARY objective of security awareness is to:
influence employee behavior.
Which of the following will BEST protect against malicious activity by a former employee?
Effective termination procedures
Which of the following represents a PRIMARY area of interest when conducting a penetration test?
Network mapping
The return on investment of information security can BEST be evaluated through which of the following?
Support of business objectives
To help ensure that contract personnel do not obtain unauthorized access to sensitive information, an information security manager should PRIMARILY:
avoid granting system administration roles.
Information security policies should:
be straightforward and easy to understand.
Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack?
Perform periodic penetration testing.
Which of the following presents the GREATEST exposure to internal attack on a network?
User passwords are encoded but not encrypted
Which of the following provides the linkage to ensure that procedures are correctly aligned with information security policy requirements?
Standards
Which of the following are the MOST important individuals to include as members of an information security steering committee?
IT management and key business process owners
Security audit reviews should PRIMARILY:
ensure that controls operate as required.
Which of the following is the MOST appropriate method to protect a password that opens a confidential file?
Out-of-band channels
What is the MOST effective access control method to prevent users from sharing files with unauthorized users?
Mandatory
Which of the following is an inherent weakness of signature-based intrusion detection systems?
New attack methods will be missed
Data owners are normally responsible for which of the following?
Determining the level of application security required
Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process?
System user
What is the BEST way to ensure users comply with organizational security requirements for password complexity?
Enable system-enforced password configuration
Which of the following is the MOST appropriate method for deploying operating system (OS) patches to production application servers?
Initially load the patches on a test machine
Which of the following would present the GREATEST risk to information security?
Security incidents are investigated within five business days
The PRIMARY reason for using metrics to evaluate information security is to:
enable steady improvement.
What is the BEST method to confirm that all firewall rules and router configuration settings are adequate?
Periodically perform penetration tests
Which of the following is MOST important for measuring the effectiveness of a security awareness program?
A quantitative evaluation to ensure user comprehension
Which of the following is the MOST important action to take when engaging third-party consultants to conduct an attack and penetration test?
Establish clear rules of engagement
Which of the following will BEST prevent an employee from using a USB drive to copy files from desktop computers?
Restrict the available drive allocation on all PCs
Which of the following is the MOST important area of focus when examining potential security compromise of a new wireless network?
Number of administrators
Good information security standards should:
define precise and unambiguous allowable limits.
Good information security procedures should:
be updated frequently as new software is released.
What is the MAIN drawback of e-mailing password-protected zip files across the Internet?
may be quarantined by mail filters.
A major trading partner with access to the internal network is unwilling or unable to remediate serious information security exposures within its environment. Which of the following is the BEST recommendation?
Set up firewall rules restricting network traffic from that location
Documented standards/procedures for the use of cryptography across the enterprise should PRIMARILY:
define the circumstances where cryptography should be used.
Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system (IDS) with the threshold set to a low value?
The number of false positives increases
What is the MOST appropriate change management procedure for the handling of emergency program changes?
Documentation is completed with approval soon after the change
Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken?
Security steering committee
The PRIMARY focus of the change control process is to ensure that changes are:
authorized
An information security manager has been asked to develop a change control process. What is the FIRST thing the information security manager should do?
Meet with stakeholders
A critical device is delivered with a single user and password that is required to be shared for multiple users to access the device. An information security manager has been tasked with ensuring all access to the device is authorized. Which of the following would be the MOST efficient means to accomplish this?
Enable access through a separate device that requires adequate authentication
Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application?
IT security policy
Which of the following is the MOST important process that an information security manager needs to negotiate with an outsource service provider?
The right to conduct independent security reviews
Which resource is the MOST effective in preventing physical access tailgating/piggybacking?
Awareness training
In business critical applications, where shared access to elevated privileges by a small group is necessary, the BEST approach to implement adequate segregation of duties is to:
implement role-based access control in the application.
In business-critical applications, user access should be approved by the:
data owner.
In organizations where availability is a primary concern, the MOST critical success factor of the patch management procedure would be the:
testing time window prior to deployment.
To ensure that all information security procedures are functional and accurate, they should be designed with the involvement of:
operational units.
An information security manager reviewed the access control lists and observed that privileged access was granted to an entire department. Which of the following should the information security manager do FIRST?
Meet with data owners to understand business needs
When security policies are strictly enforced, the initial impact is that:
the total cost of security is increased.
A business partner of a factory has remote read-only access to material inventory to forecast future acquisition orders. An information security manager should PRIMARILY ensure that there is:
an effective control over connectivity and continuity.
Which of the following should be in place before a black box penetration test begins?
A clearly stated definition of scope
What is the MOST important element to include when developing user security awareness material?
Easy-to-read and compelling information
What is the MOST important success factor in launching a corporate information security awareness program?
Top-down approach
Which of the following events generally has the highest information security impact?
Merging with another organization
The configuration management plan should PRIMARILY be based upon input from:
IT senior management.
Which of the following is the MOST effective, positive method to promote security awareness?
Competitions and rewards for compliance
An information security program should focus on:
key controls identified in risk assessments.
Who should determine the appropriate classification of accounting ledger data located on a database server and maintained by a database administrator in the IT department?
Finance department management
Which of the following would be the MOST significant security risk in a pharmaceutical institution?
Theft of a Research and Development laptop
Which of the following is the BEST tool to maintain the currency and coverage of an information security program within an organization?
The program’s governance oversight mechanisms
Which of the following would BEST assist an information security manager in measuring the existing level of development of security processes against their desired state?
Capability maturity model (CMM)
Who is responsible for raising awareness of the need for adequate funding for risk action plans?
Information security manager
Managing the life cycle of a digital certificate is a role of a(n):
independent trusted source.
Which of the following would be MOST critical to the successful implementation of a biometric authentication system?
User acceptance
Change management procedures to ensure that disaster recovery/business continuity plans are kept up-to-date can be BEST achieved through which of the following?
Inclusion as a required step in the system life cycle process
When a new key business application goes into production, the PRIMARY reason to update relevant business impact analysis (BIA) and business continuity/disaster recovery plans is because:
service level agreements may not otherwise be met.
To reduce the possibility of service interruptions, an entity enters into contracts with multiple Internet service providers (ISPs). Which of the following would be the MOST important item to include?
Service level agreements (SLAs)
To mitigate a situation where one of the programmers of an application requires access to production data, the information security manager could BEST recommend to:
log all of the programmers’ activity for review by supervisor.
Before engaging outsourced providers, an information security manager should ensure that the organization’s data classification requirements:
are stated in the contract.
What is the GREATEST risk when there is an excessive number of firewall rules?
One rule may override another rule in the chain and create a loophole
Which of the following would be the MOST appropriate physical security solution for the main entrance to a data center?
Biometric lock
What is the GREATEST advantage of documented guidelines and operating procedures from a security perspective?
Ensure consistency of activities to provide a more stable environment
What is the BEST way to ensure data protection upon termination of employment?
Ensure all logical access is removed
The MOST important reason for formally documenting security procedures is to ensure:
processes are repeatable and sustainable.
Which of the following is the BEST approach for an organization desiring to protect its intellectualproperty?
Restrict access to a need-to-know basis
The “separation of duties” principle is violated if which of the following individuals has update rights to the database access control list (ACL)?
Systems programmer
An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download non-sensitive production data for software testing purposes. The information security manager should recommend which of the following?
Restrict account access to read only
Which would be the BEST recommendation to protect against phishing attacks?
Publish security guidance for customers
Which of the following is the BEST indicator that an effective security control is built into an organization?
The monthly service level statistics indicate a minimal impact from security issues.
What is the BEST way to alleviate security team understaffing while retaining the capability inhouse?
Establish a virtual security team from competent employees across the company
An information security manager wishing to establish security baselines would:
implement the security baselines to establish information security best practices.
Requiring all employees and contractors to meet personnel security/suitability requirements commensurate with their position sensitivity level and subject to personnel screening is an example of a security:
policy.
An organization’s information security manager has been asked to hire a consultant to help assess the maturity level of the organization’s information security management. The MOST important element of the request for proposal (RFP) is the:
methodology used in the assessment.
Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to:
assess the problems and institute rollback procedures, if needed.
When defining a service level agreement (SLA) regarding the level of data confidentiality that is handled by a third-party service provider, the BEST indicator of compliance would be the:
access control matrix.
The PRIMARY reason for involving information security at each stage in the systems development life cycle (SDLC) is to identify the security implications and potential solutions required for:
sustaining the organization’s security posture.It is important to maintain the organization’s security posture at all times. The focus should not be confined to the new system being developed or acquired, or to the existing systems in use. Segregation of duties is only part of a solution to improving the security of the systems, not the primary reason to involve security in the systems development life cycle (SDLC)
The implementation of continuous monitoring controls is the BEST option where:
incidents may have a high impact and frequency
A third party was engaged to develop a business application. Which of the following would an information security manager BEST test for the existence of back doors?
Security code reviews for the entire application
An information security manager reviewing firewall rules will be MOST concerned if the firewall allows:
source routing.
What is the MOST cost-effective means of improving security awareness of staff personnel?
User education and training
Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)?
Awareness training
Data owners will determine what access and authorizations users will have by:
mapping to business needs.
Which of the following is the MOST likely outcome of a well-designed information security awareness course?
Increased reporting of security incidents to the incident response function
Which item would be the BEST to include in the information security awareness training program for new general staff employees?
Review of various security models
A critical component of a continuous improvement program for information security is:
measuring processes and providing feedback.
The management staff of an organization that does not have a dedicated security function decides to use its IT manager to perform a security review. The MAIN job requirement in this arrangement is that the IT manager:
report significant security risks.
An organization has implemented an enterprise resource planning (ERP) system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate?
Role-based
An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that:
the contract should mandate that the service provider will comply with security policies.
Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?
To receive an independent view of security exposures
A new port needs to be opened in a perimeter firewall. Which of the following should be the FIRST step before initiating any changes?
Prepare an impact assessment report.
An organization plans to outsource its customer relationship management (CRM) to a third-party service provider. Which of the following should the organization do FIRST?
Perform an internal risk assessment to determine needed controls.
Which of the following would raise security awareness among an organization’s employees?
Continually reinforcing the security policy
Which of the following is the MOST appropriate method of ensuring password strength in a large organization?
Review general security settings on each platform
What is the MOST cost-effective method of identifying new vendor vulnerabilities?
External vulnerability reporting sources
Which of the following is the BEST approach for improving information security management processes?
Define and monitor security metrics.
An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to:
validate and sanitize client side inputs.
The root cause of a successful cross site request forgery (XSRF) attack against an application is that the vulnerable application:
has implemented cookies as the sole authentication mechanism.
Of the following, retention of business records should be PRIMARILY based on:
regulatory and legal requirements.
An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?
Ensuring that the third party is contractually obligated to all relevant security requirements
An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract?
Right to audit
Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?
Conduct regular security reviews of the third-party provider
An organization’s operations staff places payment files in a shared network folder and then the disbursement staff picks up the files for payment processing. This manual intervention will be automated some months later, thus cost-efficient controls are sought to protect against file alterations. Which of the following would be the BEST solution?
Set role-based access permissions on the shared folder
Which of the following BEST ensures that security risks will be reevaluated when modifications in application developments are made?
A change control process
Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities?
Penetration tests
In which of the following system development life cycle (SDLC) phases are access control and encryption algorithms chosen?
System design specifications
Which of the following is generally considered a fundamental component of an information security program?
Security awareness training
How would an organization know if its new information security program is accomplishing its goals?
Key metrics indicate a reduction in incident impacts.ing program, but are not as significant as the key metrics indicator. An immediate reduction in reported incidents, in contrast, may indicate that it is not successful.
A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that:
less time is spent on reconnaissance and information gathering.
Which of the following is the BEST method to reduce the number of incidents of employees forwarding spam and chain e-mail messages?
User awareness training
Which of the following is the BEST approach to mitigate online brute-force attacks on user accounts?
Implementation of lock-out policies
Which of the following measures is the MOST effective deterrent against disgruntled stall abusing their privileges?
Signed acceptable use policy
The advantage of sending messages using steganographic techniques, as opposed to utilizing encryption, is that:
the existence of messages is unknown.
As an organization grows, exceptions to information security policies that were not originally specified may become necessary at a later date. In order to ensure effective management of business risks, exceptions to such policies should be:
formally managed within the information security framework.
There is reason to believe that a recently modified web application has allowed unauthorized access. Which is the BEST way to identify an application backdoor?
Source code review
Simple Network Management Protocol v2 (SNMP v2) is used frequently to monitor networks. Which of the following vulnerabilities does it always introduce?
Clear text authentication
Which of the following is the FIRST phase in which security should be addressed in the development cycle of a project?
Feasibility
