CISM Practice C Topic 5

Question 1

Which of the following should be determined FIRST when establishing a business continuity program?

Answer 1

Incremental daily cost of the unavailability of systems

Question 2

A desktop computer that was involved in a computer security incident should be secured as evidence by:

Answer 2

disconnecting the computer from all power sources.

Question 3

A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability?

Answer 3

The provider services all major companies in the area

Question 4

Which of the following actions should be taken when an online trading company discovers a network attack in progress?

Answer 4

Isolate the affected network segment

Question 5

The BEST method for detecting and monitoring a hacker’s activities without exposing information assets to unnecessary risk is to utilize:

Answer 5

decoy files.

Question 6

The FIRST priority when responding to a major security incident is:

Answer 6

containment

Question 7

Which of the following is the MOST important to ensure a successful recovery?

Answer 7

Backup media is stored offsite

Question 8

Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided hot site?

Answer 8

Business management actively participates

Question 9

At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the vendor’s hot site facility?

Answer 9

Erase data and software from devices

Question 10

An incident response policy must contain:

Answer 10

escalation criteria.

Question 11

The BEST approach in managing a security incident involving a successful penetration should be to:

Answer 11

allow business processes to continue during the response.

Question 12

A post-incident review should be conducted by an incident management team to determine:

Answer 12

lessons learned.

Question 13

An organization with multiple data centers has designated one of its own facilities as the recovery site. The MOST important concern is the:

Answer 13

current processing capacity loads at data centers.

Question 14

Which of the following is MOST important in determining whether a disaster recovery test is successful?

Answer 14

Critical business processes are duplicated

Question 15

Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a third-party hot site?

Answer 15

Infrastructure complexity and system sensitivity

Question 16

A new e-mail virus that uses an attachment disguised as a picture file is spreading rapidly over the Internet. Which of the following should be performed FIRST in response to this threat?

Answer 16

Block all e-mails containing picture file attachments

Question 17

When a large organization discovers that it is the subject of a network probe, which of the following actions should be taken?

Answer 17

Monitor the probe and isolate the affected segment

Question 18

Which of the following terms and conditions represent a significant deficiency if included in a commercial hot site contract?

Answer 18

All equipment is provided “at time of disaster, not on floor”

Question 19

Which of the following should be performed FIRST in the aftermath of a denial-of-service attack?

Answer 19

Conduct an assessment to determine system status

Question 20

Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster?

Answer 20

Detailed technical recovery plans are maintained offsite

Question 21

The business continuity policy should contain which of the following?

Answer 21

Recovery criteria

Question 22

The PRIMARY purpose of installing an intrusion detection system (IDS) is to identify:

Answer 22

potential attacks on the internal network.

Question 23

When an organization is using an automated tool to manage and house its business continuity plans, which of the following is the PRIMARY concern?

Answer 23

Ensuring accessibility should a disaster occur

Question 24

Which of the following is the BEST way to verify that all critical production servers are utilizing up-to-date virus signature files?

Answer 24

Check a sample of servers that the signature files are current

Question 25

Which of the following actions should be taken when an information security manager discovers that a hacker is foot printing the network perimeter?

Answer 25

Check IDS logs and monitor for any active attacks

Question 26

Which of the following are the MOST important criteria when selecting virus protection software?

Answer 26

Ease of maintenance and frequency of updates

Question 27

Which of the following is the MOST serious exposure of automatically updating virus signature files on every desktop each Friday at 11:00 p.m. (23:00 hrs.)?

Answer 27

Systems are vulnerable to new viruses during the intervening week

Question 28

When performing a business impact analysis (BIA), which of the following should calculate the recovery time and cost estimates?

Answer 28

Business process owners

Question 29

Which of the following is MOST closely associated with a business continuity program?

Answer 29

Developing recovery time objectives (RTOs) for critical functions

Question 30

Which of the following application systems should have the shortest recovery time objective (RTO)?

Answer 30

E-commerce web site

Question 31

A computer incident response team (CIRT) manual should PRIMARILY contain which of the following documents?

Answer 31

Severity criteria

Question 32

The PRIMARY purpose of performing an internal attack and penetration test as part of an incident response program is to identify:

Answer 32

weaknesses in network and server security.

Question 33

Which of the following would represent a violation of the chain of custody when a backup tape has been identified as evidence in a fraud investigation?

Answer 33

kept in the tape library pending further analysis.

Question 34

When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach?

Answer 34

Incident response plan

Question 35

Isolation and containment measures for a compromised computer have been taken and information security management is now investigating. What is the MOST appropriate next step?

Answer 35

Make a copy of the whole system’s memory

Question 36

Why is “slack space” of value to an information security manager as part of an incident investigation?

Answer 36

Hidden data may be stored there

Question 37

What is the PRIMARY objective of a post-event review in incident response?

Answer 37

Improve the response process

Question 38

Detailed business continuity plans should be based PRIMARILY on:

Answer 38

strategies validated by senior management.

Question 39

A web server in a financial institution that has been compromised using a super-user account has been isolated, and proper forensic processes have been followed. The next step should be to:

Answer 39

rebuild the server with original media and relevant patches.

Question 40

Evidence from a compromised server has to be acquired for a forensic investigation. What would be the BEST source?

Answer 40

A bit-level copy of all hard drive data

Question 41

In the course of responding to an information security incident, the BEST way to treat evidence for possible legal action is defined by:

Answer 41

local regulations.

Question 42

Emergency actions are taken at the early stage of a disaster with the purpose of preventing injuries or loss of life and:

Answer 42

reducing the extent of operational damage.

Question 43

Which of the following actions should lake place immediately after a security breach is reported to an information security manager?

Answer 43

Confirm the incident

Question 44

When designing the technical solution for a disaster recovery site, the PRIMARY factor that should be taken into consideration is the:

Answer 44

recovery window.

Question 45

In designing a backup strategy that will be consistent with a disaster recovery strategy, the PRIMARY factor to be taken into account will be the:

Answer 45

recovery point objective (RPO).

Question 46

An intrusion detection system (IDS) should:

Answer 46

run continuously

Question 47

The PRIORITY action to be taken when a server is infected with a virus is to:

Answer 47

isolate the infected server(s) from the network.

Question 48

Which of the following provides the BEST confirmation that the business continuity/disaster recovery plan objectives have been achieved?

Answer 48

The recovery time objective (RTO) was not exceeded during testing

Question 49

Which of the following situations would be the MOST concern to a security manager?

Answer 49

A Trojan was found to be installed on a system administrator’s laptop

Question 50

A customer credit card database has been breached by hackers. The FIRST step in dealing with this attack should be to:

Answer 50

confirm the incident.

Question 51

A root kit was used to capture detailed accounts receivable information. To ensure admissibility of evidence from a legal standpoint, once the incident was identified and the server isolated, the next step should be to:

Answer 51

take an image copy of the media.

Question 52

When collecting evidence for forensic analysis, it is important to:

Answer 52

ensure the assignment of qualified personnel.

Question 53

What is the BEST method for mitigating against network denial of service (DoS) attacks?

Answer 53

Employ packet filtering to drop suspect packets

Question 54

To justify the establishment of an incident management team, an information security manager would find which of the following to be the MOST effective?

Answer 54

Possible business benefits from incident impact reduction

Question 55

A database was compromised by guessing the password for a shared administrative account and confidential customer information was stolen. The information security manager was able to detect this breach by analyzing which of the following?

Answer 55

Invalid logon attempts

Question 56

Which of the following is an example of a corrective control?

Answer 56

Diverting incoming traffic upon responding to the denial of service (DoS) attack

Question 57

To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs?

Answer 57

Time server

Question 58

An organization has been experiencing a number of network-based security attacks that all appear to originate internally. The BEST course of action is to:

Answer 58

install an intrusion detection system (IDS),

Question 59

A serious vulnerability is reported in the firewall software used by an organization. Which of the following should be the immediate action of the information security manager?

Answer 59

Obtain guidance from the firewall manufacturer

Question 60

An organization keeps backup tapes of its servers at a warm site. To ensure that the tapes are properly maintained and usable during a system crash, the MOST appropriate measure the organization should perform is to:

Answer 60

retrieve the tapes from the warm site and test them.

Question 61

Which of the following processes is critical for deciding prioritization of actions in a business continuity plan?

Answer 61

Business impact analysis (BIA)

Question 62

In addition to backup data, which of the following is the MOST important to store offsite in the event of a disaster?

Answer 62

Copies of the business continuity plan

Question 63

An organization has learned of a security breach at another company that utilizes similar technology. The FIRST thing the information security manager should do is:

Answer 63

assess the likelihood of incidents from the reported cause.

Question 64

Which of the following is the MOST important consideration for an organization interacting with the media during a disaster?

Answer 64

Communicating specially drafted messages by an authorized person

Question 65

During the security review of organizational servers it was found that a file server containing confidential human resources (HR) data was accessible to all user IDs. As a FIRST step, the security manager should:

Answer 65

report this situation to the data owner.

Question 66

If an organization considers taking legal action on a security incident, the information security manager should focus PRIMARILY on:

Answer 66

preserving the integrity of the evidence.

Question 67

Which of the following has the highest priority when defining an emergency response plan?

Answer 67

Safety of personnel

Question 68

The PRIMARY purpose of involving third-party teams for carrying out post event reviews of information security incidents is to:

Answer 68

enable independent and objective review of the root cause of the incidents.

Question 69

The MOST important objective of a post incident review is to:

Answer 69

capture lessons learned to improve the process.

Question 70

Which of the following is the BEST mechanism to determine the effectiveness of the incident response process?

Answer 70

Post incident review

Question 71

The FIRST step in an incident response plan is to:

Answer 71

validate the incident.

Question 72

An organization has verified that its customer information was recently exposed. Which of the following is the FIRST step a security manager should take in this situation?

Answer 72

Determine the extent of the compromise.

Question 73

The PRIMARY consideration when defining recovery time objectives (RTOs) for information assets is:

Answer 73

business requirements.

Question 74

What task should be performed once a security incident has been verified:

Answer 74

Contain the incident.

Question 75

An information security manager believes that a network file server was compromised by a hacker. Which of the following should be the FIRST action taken?

Answer 75

Initiate the incident response process.

Question 76

An unauthorized user gained access to a merchant’s database server and customer credit card information. Which of the following would be the FIRST step to preserve and protect unauthorized intrusion activities?

Answer 76

Isolate the server from the network.

Question 77

Which of the following would be a MAJOR consideration for an organization defining its business continuity plan (BCP) or disaster recovery program (DRP)?

Answer 77

Aligning with recovery time objectives (RTOs)

Question 78

Which of the following would be MOST appropriate for collecting and preserving evidence?

Answer 78

Proven forensic processes

Question 79

Of the following, which is the MOST important aspect of forensic investigations?

Answer 79

Chain of custody

Question 80

In the course of examining a computer system for forensic evidence, data on the suspect media were inadvertently altered. Which of the following should have been the FIRST course of action in the investigative process?

Answer 80

Perform a bit-by-bit image of the original media source onto new media.

Question 81

Which of the following recovery strategies has the GREATEST chance of failure?

Answer 81

Reciprocal arrangement

Question 82

Recovery point objectives (RPOs) can be used to determine which of the following?

Answer 82

Maximum tolerable period of data loss

Question 83

Which of the following disaster recovery testing techniques is the MOST cost-effective way to determine the effectiveness of the plan?

Answer 83

Preparedness tests

Question 84

When electronically stored information is requested during a fraud investigation, which of the following should be the FIRST priority?

Answer 84

Locating the data and preserving the integrity of the data

Question 85

When creating a forensic image of a hard drive, which of the following should be the FIRST step?

Answer 85

Establish a chain of custody log.