CISM Practice C Topic 5 Flashcards
Which of the following should be determined FIRST when establishing a business continuity program?
Incremental daily cost of the unavailability of systems
A desktop computer that was involved in a computer security incident should be secured as evidence by:
disconnecting the computer from all power sources.
A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability?
The provider services all major companies in the area
Which of the following actions should be taken when an online trading company discovers a network attack in progress?
Isolate the affected network segment
The BEST method for detecting and monitoring a hacker’s activities without exposing information assets to unnecessary risk is to utilize:
decoy files.
The FIRST priority when responding to a major security incident is:
containment
Which of the following is the MOST important to ensure a successful recovery?
Backup media is stored offsite
Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided hot site?
Business management actively participates
At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the vendor’s hot site facility?
Erase data and software from devices
An incident response policy must contain:
escalation criteria.
The BEST approach in managing a security incident involving a successful penetration should be to:
allow business processes to continue during the response.
A post-incident review should be conducted by an incident management team to determine:
lessons learned.
An organization with multiple data centers has designated one of its own facilities as the recovery site. The MOST important concern is the:
current processing capacity loads at data centers.
Which of the following is MOST important in determining whether a disaster recovery test is successful?
Critical business processes are duplicated
Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a third-party hot site?
Infrastructure complexity and system sensitivity
A new e-mail virus that uses an attachment disguised as a picture file is spreading rapidly over the Internet. Which of the following should be performed FIRST in response to this threat?
Block all e-mails containing picture file attachments
When a large organization discovers that it is the subject of a network probe, which of the following actions should be taken?
Monitor the probe and isolate the affected segment
Which of the following terms and conditions represent a significant deficiency if included in a commercial hot site contract?
All equipment is provided “at time of disaster, not on floor”
Which of the following should be performed FIRST in the aftermath of a denial-of-service attack?
Conduct an assessment to determine system status
Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster?
Detailed technical recovery plans are maintained offsite
The business continuity policy should contain which of the following?
Recovery criteria
The PRIMARY purpose of installing an intrusion detection system (IDS) is to identify:
potential attacks on the internal network.
When an organization is using an automated tool to manage and house its business continuity plans, which of the following is the PRIMARY concern?
Ensuring accessibility should a disaster occur
Which of the following is the BEST way to verify that all critical production servers are utilizing up-to-date virus signature files?
Check a sample of servers that the signature files are current
Which of the following actions should be taken when an information security manager discovers that a hacker is footprinting the network perimeter?
Check IDS logs and monitor for any active attacks
Which of the following are the MOST important criteria when selecting virus protection software?
Ease of maintenance and frequency of updates
Which of the following is the MOST serious exposure of automatically updating virus signature files on every desktop each Friday at 11:00 p.m. (23:00 hrs.)?
Systems are vulnerable to new viruses during the intervening week
When performing a business impact analysis (BIA), which of the following should calculate the recovery time and cost estimates?
Business process owners
Which of the following is MOST closely associated with a business continuity program?
Developing recovery time objectives (RTOs) for critical functions
Which of the following application systems should have the shortest recovery time objective (RTO)?
E-commerce web site
A computer incident response team (CIRT) manual should PRIMARILY contain which of the following documents?
Severity criteria
The PRIMARY purpose of performing an internal attack and penetration test as part of an incident response program is to identify:
weaknesses in network and server security.
Which of the following would represent a violation of the chain of custody when a backup tape has been identified as evidence in a fraud investigation?
kept in the tape library pending further analysis.
When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach?
Incident response plan
Isolation and containment measures for a compromised computer have been taken and information security management is now investigating. What is the MOST appropriate next step?
Make a copy of the whole system’s memory
Why is “slack space” of value to an information security manager as part of an incident investigation?
Hidden data may be stored there
What is the PRIMARY objective of a post-event review in incident response?
Improve the response process
Detailed business continuity plans should be based PRIMARILY on:
strategies validated by senior management.
A web server in a financial institution that has been compromised using a super-user account has been isolated, and proper forensic processes have been followed. The next step should be to:
rebuild the server with original media and relevant patches.
Evidence from a compromised server has to be acquired for a forensic investigation. What would be the BEST source?
A bit-level copy of all hard drive data
In the course of responding to an information security incident, the BEST way to treat evidence for possible legal action is defined by:
local regulations.
Emergency actions are taken at the early stage of a disaster with the purpose of preventing injuries or loss of life and:
reducing the extent of operational damage.
Which of the following actions should take place immediately after a security breach is reported to an information security manager?
Confirm the incident
When designing the technical solution for a disaster recovery site, the PRIMARY factor that should be taken into consideration is the:
recovery window.
In designing a backup strategy that will be consistent with a disaster recovery strategy, the PRIMARY factor to be taken into account will be the:
recovery point objective (RPO).
An intrusion detection system (IDS) should:
run continuously
The PRIORITY action to be taken when a server is infected with a virus is to:
isolate the infected server(s) from the network.
Which of the following provides the BEST confirmation that the business continuity/disaster recovery plan objectives have been achieved?
The recovery time objective (RTO) was not exceeded during testing
Which of the following situations would be of MOST concern to a security manager?
A Trojan was found to be installed on a system administrator’s laptop
A customer credit card database has been breached by hackers. The FIRST step in dealing with this attack should be to:
confirm the incident.
A rootkit was used to capture detailed accounts receivable information. To ensure admissibility of evidence from a legal standpoint, once the incident was identified and the server isolated, the next step should be to:
take an image copy of the media.
When collecting evidence for forensic analysis, it is important to:
ensure the assignment of qualified personnel.
What is the BEST method for mitigating against network denial of service (DoS) attacks?
Employ packet filtering to drop suspect packets
To justify the establishment of an incident management team, an information security manager would find which of the following to be the MOST effective?
Possible business benefits from incident impact reduction
A database was compromised by guessing the password for a shared administrative account and confidential customer information was stolen. The information security manager was able to detect this breach by analyzing which of the following?
Invalid logon attempts
Which of the following is an example of a corrective control?
Diverting incoming traffic upon responding to the denial of service (DoS) attack
To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs?
Time server
An organization has been experiencing a number of network-based security attacks that all appear to originate internally. The BEST course of action is to:
install an intrusion detection system (IDS).
A serious vulnerability is reported in the firewall software used by an organization. Which of the following should be the immediate action of the information security manager?
Obtain guidance from the firewall manufacturer
An organization keeps backup tapes of its servers at a warm site. To ensure that the tapes are properly maintained and usable during a system crash, the MOST appropriate measure the organization should perform is to:
retrieve the tapes from the warm site and test them.
Which of the following processes is critical for deciding prioritization of actions in a business continuity plan?
Business impact analysis (BIA)
In addition to backup data, which of the following is the MOST important to store offsite in the event of a disaster?
Copies of the business continuity plan
An organization has learned of a security breach at another company that utilizes similar technology. The FIRST thing the information security manager should do is:
assess the likelihood of incidents from the reported cause.
Which of the following is the MOST important consideration for an organization interacting with the media during a disaster?
Communicating specially drafted messages by an authorized person
During the security review of organizational servers, it was found that a file server containing confidential human resources (HR) data was accessible to all user IDs. As a FIRST step, the security manager should:
report this situation to the data owner.
If an organization considers taking legal action on a security incident, the information security manager should focus PRIMARILY on:
preserving the integrity of the evidence.
Which of the following has the highest priority when defining an emergency response plan?
Safety of personnel
The PRIMARY purpose of involving third-party teams for carrying out post-event reviews of information security incidents is to:
enable independent and objective review of the root cause of the incidents.
The MOST important objective of a post-incident review is to:
capture lessons learned to improve the process.
Which of the following is the BEST mechanism to determine the effectiveness of the incident response process?
Post-incident review
The FIRST step in an incident response plan is to:
validate the incident.
An organization has verified that its customer information was recently exposed. Which of the following is the FIRST step a security manager should take in this situation?
Determine the extent of the compromise.
The PRIMARY consideration when defining recovery time objectives (RTOs) for information assets is:
business requirements.
What task should be performed once a security incident has been verified?
Contain the incident.
An information security manager believes that a network file server was compromised by a hacker. Which of the following should be the FIRST action taken?
Initiate the incident response process.
An unauthorized user gained access to a merchant’s database server and customer credit card information. Which of the following would be the FIRST step to preserve and protect evidence of the unauthorized intrusion activities?
Isolate the server from the network.
Which of the following would be a MAJOR consideration for an organization defining its business continuity plan (BCP) or disaster recovery program (DRP)?
Aligning with recovery time objectives (RTOs)
Which of the following would be MOST appropriate for collecting and preserving evidence?
Proven forensic processes
Of the following, which is the MOST important aspect of forensic investigations?
Chain of custody
In the course of examining a computer system for forensic evidence, data on the suspect media were inadvertently altered. Which of the following should have been the FIRST course of action in the investigative process?
Perform a bit-by-bit image of the original media source onto new media.
Which of the following recovery strategies has the GREATEST chance of failure?
Reciprocal arrangement
Recovery point objectives (RPOs) can be used to determine which of the following?
Maximum tolerable period of data loss
Which of the following disaster recovery testing techniques is the MOST cost-effective way to determine the effectiveness of the plan?
Preparedness tests
When electronically stored information is requested during a fraud investigation, which of the following should be the FIRST priority?
Locating the data and preserving the integrity of the data
When creating a forensic image of a hard drive, which of the following should be the FIRST step?
Establish a chain of custody log.