CISM Practice C Topic 5 Flashcards

1
Q

Which of the following should be determined FIRST when establishing a business continuity program?

A

Incremental daily cost of the unavailability of systems

2
Q

A desktop computer that was involved in a computer security incident should be secured as evidence by:

A

disconnecting the computer from all power sources. (This is the answer the exam expects. Note that powering off discards volatile memory, which card 35 says should be copied once containment is done; decide which you need before touching the machine.)

3
Q

A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability?

A

The provider services all major companies in the area

4
Q

Which of the following actions should be taken when an online trading company discovers a network attack in progress?

A

Isolate the affected network segment

5
Q

The BEST method for detecting and monitoring a hacker’s activities without exposing information assets to unnecessary risk is to utilize:

A

decoy files.

6
Q

The FIRST priority when responding to a major security incident is:

A

containment

7
Q

Which of the following is the MOST important to ensure a successful recovery?

A

Backup media is stored offsite

8
Q

Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided hot site?

A

Business management actively participates

9
Q

At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the vendor’s hot site facility?

A

Erase data and software from devices

10
Q

An incident response policy must contain:

A

escalation criteria.

11
Q

The BEST approach in managing a security incident involving a successful penetration should be to:

A

allow business processes to continue during the response.

12
Q

A post-incident review should be conducted by an incident management team to determine:

A

lessons learned.

13
Q

An organization with multiple data centers has designated one of its own facilities as the recovery site. The MOST important concern is the:

A

current processing capacity loads at data centers.

14
Q

Which of the following is MOST important in determining whether a disaster recovery test is successful?

A

Critical business processes are duplicated

15
Q

Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a third-party hot site?

A

Infrastructure complexity and system sensitivity

16
Q

A new e-mail virus that uses an attachment disguised as a picture file is spreading rapidly over the Internet. Which of the following should be performed FIRST in response to this threat?

A

Block all e-mails containing picture file attachments

17
Q

When a large organization discovers that it is the subject of a network probe, which of the following actions should be taken?

A

Monitor the probe and isolate the affected segment

18
Q

Which of the following terms and conditions represent a significant deficiency if included in a commercial hot site contract?

A

All equipment is provided “at time of disaster, not on floor”

19
Q

Which of the following should be performed FIRST in the aftermath of a denial-of-service attack?

A

Conduct an assessment to determine system status

20
Q

Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster?

A

Detailed technical recovery plans are maintained offsite

21
Q

The business continuity policy should contain which of the following?

A

Recovery criteria

22
Q

The PRIMARY purpose of installing an intrusion detection system (IDS) is to identify:

A

potential attacks on the internal network.

23
Q

When an organization is using an automated tool to manage and house its business continuity plans, which of the following is the PRIMARY concern?

A

Ensuring accessibility should a disaster occur

24
Q

Which of the following is the BEST way to verify that all critical production servers are utilizing up-to-date virus signature files?

A

Check a sample of servers that the signature files are current

25
Q

Which of the following actions should be taken when an information security manager discovers that a hacker is footprinting the network perimeter?

A

Check IDS logs and monitor for any active attacks

26
Q

Which of the following are the MOST important criteria when selecting virus protection software?

A

Ease of maintenance and frequency of updates

27
Q

Which of the following is the MOST serious exposure of automatically updating virus signature files on every desktop each Friday at 11:00 p.m. (23:00 hrs.)?

A

Systems are vulnerable to new viruses during the intervening week

28
Q

When performing a business impact analysis (BIA), which of the following should calculate the recovery time and cost estimates?

A

Business process owners

29
Q

Which of the following is MOST closely associated with a business continuity program?

A

Developing recovery time objectives (RTOs) for critical functions

30
Q

Which of the following application systems should have the shortest recovery time objective (RTO)?

A

E-commerce web site

31
Q

A computer incident response team (CIRT) manual should PRIMARILY contain which of the following documents?

A

Severity criteria

32
Q

The PRIMARY purpose of performing an internal attack and penetration test as part of an incident response program is to identify:

A

weaknesses in network and server security.

33
Q

Which of the following would represent a violation of the chain of custody when a backup tape has been identified as evidence in a fraud investigation?

A

The tape was kept in the tape library pending further analysis.

34
Q

When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach?

A

Incident response plan

35
Q

Isolation and containment measures for a compromised computer have been taken and information security management is now investigating. What is the MOST appropriate next step?

A

Make a copy of the whole system’s memory

36
Q

Why is “slack space” of value to an information security manager as part of an incident investigation?

A

Hidden data may be stored there
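Why "hidden data may be stored there": a file only claims the bytes up to its logical size, but the filesystem hands out whole allocation units, so whatever occupied the rest of the last cluster before is still readable from the raw image. The script below is an added example, not ISACA material or code from the flashcard source. It models a deliberately minimal filesystem (fixed 4 KiB clusters, files always start on a cluster boundary, no directory structures) and all file contents are made up; a real investigation would carve slack from a bit-level image of the actual volume.

```python
"""Slack space on a constructed disk image (added example for flashcard 36)."""

CLUSTER = 4096   # allocation unit; an assumption of this toy filesystem model


def write_file(image: bytearray, first_cluster: int, data: bytes) -> int:
    """Store `data` the way a simple filesystem does: only the file's own bytes
    are written, the rest of the last cluster is left exactly as it was.
    Returns the logical size the directory entry would record."""
    start = first_cluster * CLUSTER
    image[start:start + len(data)] = data
    return len(data)


def read_file(image: bytearray, first_cluster: int, logical_size: int) -> bytes:
    """What a normal file read returns: nothing past logical end of file."""
    start = first_cluster * CLUSTER
    return bytes(image[start:start + logical_size])


def file_slack(image: bytearray, first_cluster: int, logical_size: int) -> bytes:
    """Bytes between logical EOF and the end of the file's last cluster.
    A file that exactly fills its clusters (or is empty) has no slack."""
    n_clusters = -(-logical_size // CLUSTER)            # ceiling division
    start = first_cluster * CLUSTER + logical_size
    end = first_cluster * CLUSTER + n_clusters * CLUSTER
    return bytes(image[start:end])


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """strings(1)-style carve of printable ASCII runs from raw bytes."""
    found, run = [], bytearray()
    for b in data + b"\x00":        # the sentinel flushes the final run
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


def build_scenario():
    """A confidential file is written, 'deleted' (directory entry dropped, data
    left in place) and its cluster is then reused by a much shorter file."""
    image = bytearray(4 * CLUSTER)                      # blank 16 KiB image
    old = (b"CONFIDENTIAL payroll draft: employee 1042 "
           b"base salary 83000 effective 2024-04-01\n")  # constructed content
    write_file(image, 0, old)
    new_size = write_file(image, 0, b"todo\n")          # cluster 0 reused
    return image, new_size


if __name__ == "__main__":
    img, size = build_scenario()
    print("visible file:", read_file(img, 0, size))
    print("slack bytes :", len(file_slack(img, 0, size)))
    print("carved      :", printable_strings(file_slack(img, 0, size)))
```

Running it shows the directory-level read returning only `todo\n`, while the 4091 bytes of slack still carry the tail of the old payroll line. The same reasoning is why wiping requires overwriting whole clusters, not just the bytes a file reports.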

37
Q

What is the PRIMARY objective of a post-event review in incident response?

A

Improve the response process

38
Q

Detailed business continuity plans should be based PRIMARILY on:

A

strategies validated by senior management.

39
Q

A web server in a financial institution that has been compromised using a super-user account has been isolated, and proper forensic processes have been followed. The next step should be to:

A

rebuild the server with original media and relevant patches.

40
Q

Evidence from a compromised server has to be acquired for a forensic investigation. What would be the BEST source?

A

A bit-level copy of all hard drive data

41
Q

In the course of responding to an information security incident, the BEST way to treat evidence for possible legal action is defined by:

A

local regulations.

42
Q

Emergency actions are taken at the early stage of a disaster with the purpose of preventing injuries or loss of life and:

A

reducing the extent of operational damage.

43
Q

Which of the following actions should take place immediately after a security breach is reported to an information security manager?

A

Confirm the incident

44
Q

When designing the technical solution for a disaster recovery site, the PRIMARY factor that should be taken into consideration is the:

A

recovery window.

45
Q

In designing a backup strategy that will be consistent with a disaster recovery strategy, the PRIMARY factor to be taken into account will be the:

A

recovery point objective (RPO).

46
Q

An intrusion detection system (IDS) should:

A

run continuously

47
Q

The PRIORITY action to be taken when a server is infected with a virus is to:

A

isolate the infected server(s) from the network.

48
Q

Which of the following provides the BEST confirmation that the business continuity/disaster recovery plan objectives have been achieved?

A

The recovery time objective (RTO) was not exceeded during testing

49
Q

Which of the following situations would be the MOST concern to a security manager?

A

A Trojan was found to be installed on a system administrator’s laptop

50
Q

A customer credit card database has been breached by hackers. The FIRST step in dealing with this attack should be to:

A

confirm the incident.

51
Q

A root kit was used to capture detailed accounts receivable information. To ensure admissibility of evidence from a legal standpoint, once the incident was identified and the server isolated, the next step should be to:

A

take an image copy of the media.

52
Q

When collecting evidence for forensic analysis, it is important to:

A

ensure the assignment of qualified personnel.

53
Q

What is the BEST method for mitigating against network denial of service (DoS) attacks?

A

Employ packet filtering to drop suspect packets

54
Q

To justify the establishment of an incident management team, an information security manager would find which of the following to be the MOST effective?

A

Possible business benefits from incident impact reduction

55
Q

A database was compromised by guessing the password for a shared administrative account and confidential customer information was stolen. The information security manager was able to detect this breach by analyzing which of the following?

A

Invalid logon attempts

56
Q

Which of the following is an example of a corrective control?

A

Diverting incoming traffic upon responding to the denial of service (DoS) attack

57
Q

To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs?

A

Time server
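Cards 55 and 57 go together: the breach was spotted from invalid logon attempts, and the only way to line those up with records from other devices is a shared time reference. The script below is an added example, not ISACA material or code from the flashcard source. All log lines are constructed; the database server is assumed to stamp local time (UTC-05:00) and the firewall UTC, with both clocks NTP-synchronised, which is what lets the two sources be merged once normalised. The hostnames, IPs, account name and thresholds are illustrative.

```python
"""Log correlation and password-guessing detection (added example, cards 55/57)."""
from collections import deque
from datetime import datetime, timedelta, timezone
import re

# Constructed sample logs: five failed logons on the shared 'dbadmin' account
# followed by a success, plus an ordinary user typo, and firewall records from
# the same period.  None of this is real data.
DB_LOG = """\
2024-03-08 02:10:01-05:00 db01 auth: FAILED LOGIN user=dbadmin from=203.0.113.7
2024-03-08 02:10:03-05:00 db01 auth: FAILED LOGIN user=dbadmin from=203.0.113.7
2024-03-08 02:10:05-05:00 db01 auth: FAILED LOGIN user=dbadmin from=203.0.113.7
2024-03-08 02:10:08-05:00 db01 auth: FAILED LOGIN user=dbadmin from=203.0.113.7
2024-03-08 02:10:11-05:00 db01 auth: FAILED LOGIN user=dbadmin from=203.0.113.7
2024-03-08 02:10:14-05:00 db01 auth: LOGIN OK user=dbadmin from=203.0.113.7
2024-03-08 02:30:00-05:00 db01 auth: FAILED LOGIN user=jsmith from=10.0.0.5
2024-03-08 02:30:09-05:00 db01 auth: LOGIN OK user=jsmith from=10.0.0.5
"""
FW_LOG = """\
2024-03-08T07:09:58Z fw01 ALLOW TCP 203.0.113.7:51022 -> 10.0.0.20:1433
2024-03-08T07:10:13Z fw01 ALLOW TCP 203.0.113.7:51023 -> 10.0.0.20:1433
2024-03-08T07:11:40Z fw01 ALLOW TCP 10.0.0.20:49812 -> 203.0.113.7:443
"""

DB_RE = re.compile(
    r"^(?P<ts>\S+ \S+) db01 auth: (?P<result>FAILED LOGIN|LOGIN OK) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$")
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw01 (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def to_utc(stamp: str) -> datetime:
    """Normalise an ISO-8601 stamp (numeric offset or trailing Z) to UTC."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_db(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = DB_RE.match(line)
        if m:
            events.append({"utc": to_utc(m["ts"]), "kind": "auth", "host": "db01",
                           "ok": m["result"] == "LOGIN OK",
                           "user": m["user"], "src": m["src"]})
    return events


def parse_fw(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"utc": to_utc(m["ts"]), "kind": "fw", "host": "fw01",
                           "action": m["action"], "src": m["src"],
                           "dst": m["dst"], "dport": int(m["dport"])})
    return events


def build_timeline(*event_lists) -> list:
    """Merge all sources into one list ordered by the common UTC clock."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["utc"])


def detect_password_guessing(timeline, threshold=5, window=timedelta(minutes=5)):
    """Alert when a (user, source IP) pair accumulates `threshold` failed logons
    inside `window` and the next attempt succeeds: the signature of a guessed
    password on a shared account."""
    failures = {}   # (user, src) -> deque of failure times inside the window
    alerts = []
    for e in timeline:
        if e["kind"] != "auth":
            continue
        key = (e["user"], e["src"])
        q = failures.setdefault(key, deque())
        while q and e["utc"] - q[0] > window:
            q.popleft()
        if not e["ok"]:
            q.append(e["utc"])
            continue
        if len(q) >= threshold:
            alerts.append({"user": e["user"], "src": e["src"], "failures": len(q),
                           "first_failure": q[0], "success": e["utc"]})
        q.clear()
    return alerts


def related_firewall_events(timeline, alert, slack=timedelta(minutes=2)):
    """Firewall records involving the attacking IP around the alert window,
    including outbound connections that may show data leaving afterwards."""
    lo, hi = alert["first_failure"] - slack, alert["success"] + slack
    return [e for e in timeline if e["kind"] == "fw"
            and alert["src"] in (e["src"], e["dst"]) and lo <= e["utc"] <= hi]


if __name__ == "__main__":
    tl = build_timeline(parse_db(DB_LOG), parse_fw(FW_LOG))
    for a in detect_password_guessing(tl):
        print(f"ALERT {a['user']} from {a['src']}: {a['failures']} failures, "
              f"then success at {a['success']:%H:%M:%SZ}")
        for e in related_firewall_events(tl, a):
            print(f"  fw {e['utc']:%H:%M:%SZ} {e['action']} {e['src']} -> {e['dst']}:{e['dport']}")
```

The detection itself is only the deque logic; the part that makes it usable is the conversion to UTC, without which the 02:10 database entries and the 07:10 firewall entries look five hours apart and the outbound connection to the attacker on port 443 would never be tied to the logon burst.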

58
Q

An organization has been experiencing a number of network-based security attacks that all appear to originate internally. The BEST course of action is to:

A

install an intrusion detection system (IDS).

59
Q

A serious vulnerability is reported in the firewall software used by an organization. Which of the following should be the immediate action of the information security manager?

A

Obtain guidance from the firewall manufacturer

60
Q

An organization keeps backup tapes of its servers at a warm site. To ensure that the tapes are properly maintained and usable during a system crash, the MOST appropriate measure the organization should perform is to:

A

retrieve the tapes from the warm site and test them.

61
Q

Which of the following processes is critical for deciding prioritization of actions in a business continuity plan?

A

Business impact analysis (BIA)

62
Q

In addition to backup data, which of the following is the MOST important to store offsite in the event of a disaster?

A

Copies of the business continuity plan

63
Q

An organization has learned of a security breach at another company that utilizes similar technology. The FIRST thing the information security manager should do is:

A

assess the likelihood of incidents from the reported cause.

64
Q

Which of the following is the MOST important consideration for an organization interacting with the media during a disaster?

A

Communicating specially drafted messages by an authorized person

65
Q

During the security review of organizational servers it was found that a file server containing confidential human resources (HR) data was accessible to all user IDs. As a FIRST step, the security manager should:

A

report this situation to the data owner.

66
Q

If an organization considers taking legal action on a security incident, the information security manager should focus PRIMARILY on:

A

preserving the integrity of the evidence.

67
Q

Which of the following has the highest priority when defining an emergency response plan?

A

Safety of personnel

68
Q

The PRIMARY purpose of involving third-party teams for carrying out post-event reviews of information security incidents is to:

A

enable independent and objective review of the root cause of the incidents.

69
Q

The MOST important objective of a post-incident review is to:

A

capture lessons learned to improve the process.

70
Q

Which of the following is the BEST mechanism to determine the effectiveness of the incident response process?

A

Post-incident review

71
Q

The FIRST step in an incident response plan is to:

A

validate the incident.

72
Q

An organization has verified that its customer information was recently exposed. Which of the following is the FIRST step a security manager should take in this situation?

A

Determine the extent of the compromise.

73
Q

The PRIMARY consideration when defining recovery time objectives (RTOs) for information assets is:

A

business requirements.

74
Q

What task should be performed once a security incident has been verified?

A

Contain the incident.

75
Q

An information security manager believes that a network file server was compromised by a hacker. Which of the following should be the FIRST action taken?

A

Initiate the incident response process.

76
Q

An unauthorized user gained access to a merchant’s database server and customer credit card information. Which of the following would be the FIRST step to preserve and protect the evidence of the unauthorized intrusion activity?

A

Isolate the server from the network.

77
Q

Which of the following would be a MAJOR consideration for an organization defining its business continuity plan (BCP) or disaster recovery program (DRP)?

A

Aligning with recovery time objectives (RTOs)

78
Q

Which of the following would be MOST appropriate for collecting and preserving evidence?

A

Proven forensic processes

79
Q

Of the following, which is the MOST important aspect of forensic investigations?

A

Chain of custody

80
Q

In the course of examining a computer system for forensic evidence, data on the suspect media were inadvertently altered. Which of the following should have been the FIRST course of action in the investigative process?

A

Perform a bit-by-bit image of the original media source onto new media.

81
Q

Which of the following recovery strategies has the GREATEST chance of failure?

A

Reciprocal arrangement

82
Q

Recovery point objectives (RPOs) can be used to determine which of the following?

A

Maximum tolerable period of data loss

83
Q

Which of the following disaster recovery testing techniques is the MOST cost-effective way to determine the effectiveness of the plan?

A

Preparedness tests

84
Q

When electronically stored information is requested during a fraud investigation, which of the following should be the FIRST priority?

A

Locating the data and preserving the integrity of the data

85
Q

When creating a forensic image of a hard drive, which of the following should be the FIRST step?

A

Establish a chain of custody log.
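Cards 40, 51, 80 and 85 describe one procedure: open a custody log, take a bit-level image of the media, verify the image against the source by hash, and re-verify before every analysis session so that any alteration (the situation in card 80) is detected rather than discovered in court. The script below is an added example, not ISACA material or code from the flashcard source. It stands in an ordinary file for the device and uses placeholder examiner names and case number; on a real disk you would read the block device through a hardware write blocker, and the custody log would also carry the physical hand-over details.

```python
"""Bit-level acquisition, hash verification and a tamper-evident custody log
(added example for flashcards 40, 51, 80 and 85)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 65536
GENESIS = "0" * 64          # 'previous hash' recorded by the first custody entry


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def log_entry(log_path: str, examiner: str, action: str, **fields) -> dict:
    """Append one JSON line; each line carries the SHA-256 of the previous line,
    so a removed or edited entry breaks the chain."""
    prev = GENESIS
    if os.path.exists(log_path):
        with open(log_path, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    entry = {"utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "examiner": examiner, "action": action, "prev": prev, **fields}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def custody_log_intact(log_path: str) -> bool:
    prev = GENESIS
    with open(log_path, "rb") as f:
        for line in f.read().splitlines():
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line).hexdigest()
    return True


def acquire(device: str, image: str, log_path: str, examiner: str) -> str:
    """dd-style copy of every byte of `device` into `image`.  The source is
    hashed while it is read; the image is re-hashed from disk afterwards so the
    verification does not trust the bytes still sitting in memory."""
    log_entry(log_path, examiner, "acquisition-start", device=device)
    src = hashlib.sha256()
    with open(device, "rb") as dev, open(image, "wb") as img:
        for chunk in iter(lambda: dev.read(BLOCK), b""):
            src.update(chunk)
            img.write(chunk)
    digest = src.hexdigest()
    if sha256_file(image) != digest:
        log_entry(log_path, examiner, "acquisition-FAILED", device=device, image=image)
        raise RuntimeError("image hash does not match source")
    log_entry(log_path, examiner, "acquisition-verified", device=device,
              image=image, sha256=digest, size=os.path.getsize(image))
    return digest


def verify(image: str, expected: str, log_path: str, examiner: str) -> bool:
    """Re-hash before (and after) every analysis session; a mismatch means the
    evidence is no longer what was acquired."""
    ok = sha256_file(image) == expected
    log_entry(log_path, examiner, "verify-ok" if ok else "verify-FAILED", image=image)
    return ok


def demo(workdir: str = None) -> dict:
    workdir = workdir or tempfile.mkdtemp(prefix="case-0001-")   # placeholder case id
    device = os.path.join(workdir, "sda.raw")                    # constructed 'device'
    image = os.path.join(workdir, "sda.dd")
    log = os.path.join(workdir, "custody.jsonl")
    with open(device, "wb") as f:
        f.write(os.urandom(3 * BLOCK) + b"constructed sample data\n")
    digest = acquire(device, image, log, "examiner-A")
    before = verify(image, digest, log, "examiner-B")
    with open(image, "r+b") as f:        # simulate evidence altered during examination
        first = f.read(1)                 # (the situation in card 80): flip one byte
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))
    after = verify(image, digest, log, "examiner-B")
    return {"sha256": digest, "image_size": os.path.getsize(image),
            "verified_before": before, "verified_after_tamper": after,
            "log_intact": custody_log_intact(log), "log": log}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter more than the copying loop. First, the image hash is recomputed from what was written to disk rather than from the buffer, so a failing drive or a full filesystem is caught at acquisition time, not months later. Second, the custody log is hash-chained, which turns "the log says so" into something a third party can check: every entry binds itself to the one before it, so deleting the "verify-FAILED" line, or reordering entries, is detectable.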