Information Security Program Development and Management Flashcards

1
Q

An additional security control request was submitted by a business after the user requirements phase had just been closed. Which of the following would the information security manager MOST likely recommend to avoid this type of inefficiency?

A.Relevant stakeholders are invited to requirements analysis.
B.An adequate system development method is applied to the project.
C.Deliverables are aligned with business objectives.
D.Escalation procedures are supported by project staff.

A

A is the correct answer.

Justification

If key stakeholders are not invited to the requirements analysis, it may not be possible to identify key security control features, and the missing controls surface in a later stage of the project as late change requests. To prevent this type of problem, it is best to ensure that all key stakeholders are invited at the start of the project.
Ensuring the presence and participation of the stakeholders is a necessity regardless of which development method is used.
Even if deliverables are aligned with business objectives, late requirements will continue to arise unless key stakeholders are involved from the start; alignment alone tends to focus attention on functional aspects while security aspects are overlooked.
Escalation procedures handle issues that cannot be resolved at the project level once they have arisen; they do not stop requirements from being missed. A requirement that appears after requirements closure is an indication of missing stakeholder involvement, not something escalation addresses.

2
Q

What is the initial step that an information security manager would take during the requirements gathering phase of an IT project to avoid project failure?

A.Develop a comprehensive methodology that defines and documents project needs.
B.Build security requirements into the design of the system with consideration of enterprise security needs.
C.Ensure that the business problem is clearly understood before working on the solution.
D.Create a project plan based on the principles of agile development methodology.

A

C is the correct answer.

Justification

Developing a methodology is a step separate from defining requirements.
The question relates to the requirements-gathering phase of the project, not the design phase. Therefore, it would be too early to start building requirements into the design.
The key to successful requirements gathering is to focus initially on the business problem before trying to develop a solution. Otherwise, the solution may address the wrong problem.
An agile development methodology first requires the determination of business requirements.

3
Q

Which of the following choices is the MOST significant single point of failure in a public key infrastructure?

A.A certificate authority’s (CA) public key
B.A relying party’s private key
C.A CA’s private key
D.A relying party’s public key

A

C is the correct answer.

Justification

The certificate authority's (CA) public key is distributed openly in the CA certificate and is meant to be public, so its disclosure poses no risk.
If destroyed, lost or compromised, the private key of any relying party affects only that party.
The CA's private key is the single point of failure for the entire public key infrastructure (PKI). If it is compromised, an attacker can issue certificates that every relying party will trust; if it is destroyed or lost, no new certificates or revocation lists can be signed. Either way, every certificate chained to that key must be revoked and reissued, which is why CA signing keys are kept offline or in hardware security modules.
A relying party's public key is published by design and poses no risk.

4
Q

Which of the following practices completely prevents a man-in-the-middle attack between two hosts?

A.Use security tokens for authentication.
B.Connect through an IP Security v6 virtual private network.
C.Use Hypertext Transfer Protocol Secure with a server-side certificate.
D.Enforce static media access control addresses.

A

B is the correct answer.

Justification

Using token-based authentication does not prevent a man-in-the-middle attack; it may, however, eliminate the reusability of stolen cleartext credentials.
IP Security (IPsec) mutually authenticates the two endpoints during key exchange (IKE) and then applies integrity protection and encryption to every packet, so an interposed host can neither read nor alter the traffic without the session keys. In tunnel mode the inner IP header, including source and destination addresses, sits inside the protected payload. The protocol is therefore resilient to man-in-the-middle attacks.
A Hypertext Transfer Protocol Secure session can be redirected to an attacker through Domain Name System (DNS) or Address Resolution Protocol (ARP) poisoning. With only a server-side certificate the interception succeeds whenever the client fails to validate that certificate or the attacker can present one the client trusts, and nothing authenticates the client side at all.
ARP poisoning, a specific kind of man-in-the-middle attack, may be prevented by setting static media access control addresses. Nevertheless, DNS and NetBIOS name resolution can still be attacked to divert traffic.

5
Q

Which of the following should the information security manager implement to protect a network against unauthorized external connections to corporate systems?

A.Strong authentication
B.Internet Protocol anti-spoofing filtering
C.Network encryption protocol
D.Access lists of trusted devices

A

A is the correct answer.

Justification

Strong authentication will provide adequate assurance of user identities.
Internet Protocol anti-spoofing is aimed at the device rather than the user.
A network encryption protocol protects the confidentiality (and, with integrity checks, the authenticity) of data in transit, but it does not by itself establish who is connecting.
Access lists of trusted devices are easily exploited by spoofed client identities.

6
Q

Which of the following devices could potentially stop a structured query language injection attack?

A.An intrusion prevention system
B.An intrusion detection system
C.A host-based intrusion detection system
D.A host-based firewall

A

A is the correct answer.

Justification

Structured query language (SQL) injection attacks occur at the application layer. Most intrusion prevention systems carry signatures for at least the basic forms of SQL injection and, sitting inline, can drop the offending request. The IPS must see the request in plaintext, and signatures can be evaded by rephrasing the payload, so it is a compensating control; the application-level fix is parameterized queries and input validation.
Intrusion detection systems will detect but not prevent.
Host-based intrusion detection systems watch the host (logs, file integrity, processes) rather than the content of application requests, so they are generally unaware of SQL injection.
A host-based firewall, whether on the web server or the database server, will allow the connection because it filters on addresses and ports rather than inspecting packet payloads at the application layer.
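The following is an added example, not part of the flashcard set, showing why the IPS answer above is only a compensating control. It runs a SQL injection payload against a query built by string formatting and against a parameterized query, using an in-memory SQLite table with constructed rows, and checks both payloads against a deliberately narrow pattern standing in for a basic IPS signature (an assumption; real rule sets are far broader, but the evasion principle is the same).

```python
"""Added example: SQL injection against a formatted query vs. a bound parameter,
with a toy IPS signature to show what signature matching does and does not catch."""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Query built by string formatting: the input is parsed as SQL."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the driver passes the value as data, never as SQL text."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumption: a single narrow pattern stands in for an IPS signature set.
# It matches the textbook tautology ' OR '1'='1 and little else.
SQLI_SIGNATURE = re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*", re.IGNORECASE)


def ips_blocks(value: str) -> bool:
    """True when the signature matches the request parameter."""
    return SQLI_SIGNATURE.search(value) is not None


def demo() -> dict:
    conn = build_db()
    classic = "x' OR '1'='1"            # the textbook tautology payload
    variant = "x' OR 2>1 OR 'a'='b"     # same effect, different shape
    return {
        "classic_vulnerable_rows": len(lookup_vulnerable(conn, classic)),
        "classic_blocked_by_ips": ips_blocks(classic),
        "variant_vulnerable_rows": len(lookup_vulnerable(conn, variant)),
        "variant_blocked_by_ips": ips_blocks(variant),
        "classic_parameterized_rows": len(lookup_parameterized(conn, classic)),
        "variant_parameterized_rows": len(lookup_parameterized(conn, variant)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both payloads return every row from the formatted query, but only the classic one trips the signature; the parameterized query returns nothing for either, because the payload is compared as a literal username.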

7
Q

What is the BEST policy for securing data on mobile universal serial bus (USB) drives?

A.Authentication
B.Encryption
C.Prohibit employees from copying data to USB devices
D.Limit the use of USB devices

A

B is the correct answer.

Justification

Authentication protects access to the data but does not protect the data once the authentication is compromised.
Encryption provides the most effective protection of data on mobile devices.
A policy that prohibits employees from copying data to universal serial bus (USB) devices does not technically prevent the copying and offers minimal protection.
Limiting the use of USB devices does not secure the data on them.

8
Q

Which one of the following combinations offers the STRONGEST encryption and authentication method for 802.11 wireless networks?

A.Wired equivalent privacy with 128-bit pre-shared key authentication
B.Temporal Key Integrity Protocol-Message Integrity Check with the RC4 cipher
C.Wi-Fi Protected Access 2 (WPA2) and pre-shared key authentication
D.WPA2 and 802.1x authentication

A

D is the correct answer.

Justification

Wired Equivalent Privacy (WEP) with 128-bit pre-shared key authentication can be cracked in minutes with open source tools and is no longer acceptable for secure wireless networks.
Temporal Key Integrity Protocol-Message Integrity Check (TKIP-MIC) with the RC4 cipher is the original WPA design, a stopgap built to run on WEP-era hardware; it is not as strong as WPA2 with 802.1x authentication.
Wi-Fi Protected Access 2 (WPA2) with a pre-shared key uses the same strong AES encryption, but a single passphrase is shared by all users and can be attacked offline once a four-way handshake has been captured, so the authentication is more easily compromised.
WPA2 with 802.1x authentication (WPA2-Enterprise) is the strongest form of wireless authentication among the options: each user is authenticated individually through an EAP exchange against an authentication server, a unique per-session key is derived, and traffic is protected with Advanced Encryption Standard encryption.

9
Q

Which one of the following types of detection is NECESSARY to mitigate a denial or distributed denial-of-service attack?

A.Signature-based detection
B.Deep packet inspection
C.Virus detection
D.Anomaly-based detection

A

D is the correct answer.

Justification

Signature-based detection cannot react to a distributed denial-of-service (DDoS) attack because it matches known malicious patterns in individual packets or requests; flood traffic is usually made of well-formed requests, and the detector has no insight into traffic volume.
Deep packet inspection examines the contents of individual packets against protocol rules and is not related to denial-of-service (DoS) detection.
Virus detection would have no effect on DDoS detection or mitigation.
Anomaly-based detection establishes normal traffic patterns and then detects deviation from that baseline. Traffic baselines are greatly exceeded under a DDoS attack, so the attack is quickly identified by anomaly-based detection. Detection is the prerequisite; actual mitigation still needs rate limiting, upstream filtering or scrubbing capacity.
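As an added example (not part of the flashcard set), here is a minimal anomaly detector over per-second request counts: it learns a baseline from a training window and flags live traffic only after it has stayed above the threshold for several consecutive seconds, so a single legitimate burst does not trigger it. The traffic series, the three-sigma threshold and the run length are constructed assumptions for illustration; a signature-based engine would see nothing wrong with any individual request in the flood.

```python
"""Added example: baseline-plus-deviation detection for volumetric DoS."""
from statistics import mean, pstdev


def learn_threshold(training_counts: list, k: float = 3.0) -> float:
    """Baseline: mean of per-second request counts plus k standard deviations.
    The deviation is floored at 1 so a perfectly flat baseline still has slack."""
    return mean(training_counts) + k * max(pstdev(training_counts), 1.0)


def first_anomaly(training_counts: list, live_counts: list,
                  k: float = 3.0, min_consecutive: int = 3):
    """Index of the first second at which live traffic has exceeded the learned
    threshold for min_consecutive seconds in a row, or None if it never does.
    Requiring a run suppresses one-off spikes."""
    threshold = learn_threshold(training_counts, k)
    run = 0
    for i, count in enumerate(live_counts):
        run = run + 1 if count > threshold else 0
        if run >= min_consecutive:
            return i - min_consecutive + 1
    return None


# Constructed series: a quiet training window of about 100 requests/second with
# small jitter, then live windows that either flood or merely spike once.
TRAINING = [100 + (i % 7) - 3 for i in range(60)]
FLOOD = [100] * 20 + [5000] * 10
ONE_SPIKE = [100] * 10 + [400] + [100] * 10


if __name__ == "__main__":
    print("threshold:", round(learn_threshold(TRAINING), 1))
    print("flood starts at second:", first_anomaly(TRAINING, FLOOD))
    print("single spike flagged at:", first_anomaly(TRAINING, ONE_SPIKE))
```

In production the baseline is usually kept per time of day and per service, because a threshold learned at night will fire every morning; the structure of the check is the same.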

10
Q

A certificate authority is required for a public key infrastructure:

A.in cases where confidentiality is an issue.
B.when challenge/response authentication is used.
C.except where users attest to each other’s identity.
D.in role-based access control deployments.

A

C is the correct answer.

Justification

The requirement of confidentiality is not relevant to the certificate authority (CA) other than to provide an authenticated user’s public key.
Challenge/response authentication does not by itself require a certificate authority.
The role of the CA is not needed in implementations such as Pretty Good Privacy, where the authenticity of the users' public keys is attested to by others in a web of trust.
If the role-based access control is PKI-based, either a CA is required or other trusted parties will have to attest to the validity of users.

11
Q

The MOST effective technical approach to mitigate the risk of confidential information being disclosed in outgoing email attachments is to implement:

A.content filtering.
B.data classification.
C.information security awareness.
D.encryption for all attachments.

A

A is the correct answer.

Justification

Content filtering provides the ability to examine the content of attachments and prevent information containing certain words or phrases, patterns such as payment card numbers, or identifiable classification markings from being sent out of the enterprise.
Data classification helps identify the material that should not be transmitted via email attachments but by itself will not prevent it.
Information security awareness training also helps limit confidential material from being disclosed via email as long as personnel are aware of what information should not be exposed and willingly comply with the requirements, but it is not as effective as outgoing content filtering.
Encrypting all attachments is not effective because it does not limit what is sent; it may actually hide confidential content from inspection.
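The following is an added example, not part of the flashcard set, of what an outbound content filter actually does with an attachment: it looks for classification markings and for digit runs that pass the Luhn check used by payment card numbers, and returns whether the attachment may leave together with the reasons. The marker list and the sample attachments are constructed; the Luhn test is the real algorithm.

```python
"""Added example: outbound attachment content filter (classification markers
plus Luhn-valid card-like numbers)."""
import re

# Assumption: the enterprise stamps restricted documents with one of these strings.
BLOCKED_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY", "RESTRICTED")

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit runs that look like card numbers and pass the checksum."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def filter_attachment(name: str, text: str) -> tuple:
    """Return (allowed, reasons). An empty reason list means the attachment may go."""
    reasons = []
    upper = text.upper()
    for marker in BLOCKED_MARKERS:
        if marker in upper:
            reasons.append(f"{name}: classification marker '{marker}'")
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"{name}: {len(cards)} Luhn-valid card-like number(s)")
    return (not reasons, reasons)


# Constructed sample attachments.
SAMPLES = {
    "q3_forecast.txt": "Revenue forecast. Internal only. Do not distribute.",
    "invoice.txt": "Card 4111 1111 1111 1111 charged on 2024-01-15.",
    "agenda.txt": "Meeting at 10:00, order reference 1234 5678 9012 3456.",
}


if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        print(fname, filter_attachment(fname, body))
```

Markers are matched case-insensitively, so a sentence such as "this is not confidential" is blocked too; a real deployment pairs the pattern check with the data classification labels applied at creation time, which is why classification (option B) supports filtering rather than replacing it.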

12
Q

Which of the following BEST ensures nonrepudiation?

A.Strong passwords
B.A digital hash
C.Symmetric encryption
D.Digital signatures

A

D is the correct answer.

Justification

Strong passwords only ensure authentication to the system and cannot be used for nonrepudiation involving two or more parties.
A digital hash in itself helps in ensuring integrity of the contents but not nonrepudiation.
Symmetric encryption would not help in nonrepudiation because the keys are always shared between parties.
A digital signature is produced with the signer's private key over a hash of the content and verified with the signer's public key. Because only the signer holds the private key, the signer cannot later deny having signed, and the hash ensures that any alteration of the content invalidates the signature.

13
Q

Which of the following is the FIRST phase in which security should be addressed in the development cycle of a project?

A.Design
B.Implementation
C.Application security testing
D.Feasibility

A

D is the correct answer.

Justification

Security requirements must be defined before doing design specification, although changes in design may alter these requirements later on.
Security requirements defined during system implementation are typically costly add-ons that are frequently ineffective.
Application security testing occurs after security has been implemented.
Information security should be considered at the earliest possible stage because it may affect feasibility of the project.

14
Q

What would be the MOST significant security risk when using wireless local area network technology?

A.Man-in-the-middle attack
B.Spoofing of data packets
C.Rogue access point
D.Session hijacking

A

C is the correct answer.

Justification

Man-in-the-middle attacks can occur in any media and are not dependent on the use of a wireless local area network (WLAN) technology.
Spoofing of data packets is not dependent on the use of a WLAN technology.
A rogue access point masquerades as a legitimate access point. The risk is that legitimate users may connect through this access point and have their traffic monitored.
Session hijacking is not dependent on the use of a WLAN technology.

15
Q

For virtual private network access to the corporate network, the information security manager is requiring strong authentication. Which of the following is the strongest method to ensure that logging onto the network is secure?

A.Biometrics
B.Symmetric encryption keys
C.Secure Sockets Layer-based authentication
D.Two-factor authentication

A

D is the correct answer.

Justification

While biometrics provides unique authentication, it is not strong by itself, unless a personal identification number (PIN) or some other authentication factor is used with it. Biometric authentication by itself is also subject to replay attacks.
A symmetric encryption method that uses the same secret key to encrypt and decrypt data is not a typical authentication mechanism for end users, and the shared secret could still be compromised.
Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. If SSL is used with a client certificate and a password, it is two-factor authentication.
Two-factor authentication requires more than one type of user authentication, typically something you know and something you have, such as a PIN and smart card.

16
Q

How does the development of an information security program begin?

A.Risk is assessed and analyzed.
B.The security architecture is developed.
C.The controls statement of applicability is completed.
D.Required outcomes are defined.

A

D is the correct answer.

Justification

Assessing and analyzing risk is required to develop a strategy and will provide some of the information needed to develop the strategy that will achieve the desired outcomes, but it will not define the scope and charter of the security program.
A security architecture is a part of implementation after developing the strategy.
The applicability statement is a part of strategy implementation using International Organization for Standardization (ISO) 27001 or 27002 after determining the scope and responsibilities of the program.
After management has determined the desired outcomes of the information security program, development of a strategy can begin, together with initiating the process of developing information security governance structures, achieving organizational adoption and developing an implementation strategy that will define the scope and responsibilities of the security program.

17
Q

Which of the following BEST protects confidentiality of information?

A.Information classification
B.Segregation of duties
C.Least privilege
D.Systems monitoring

A

C is the correct answer.

Justification

While classifying information can help focus the assignment of privileges, classification itself does not provide enforcement.
Only in very specific situations does segregation of duties safeguard confidentiality of information.
Restricting access to information to those who need to have access is the most effective means of protecting confidentiality.
Systems monitoring is a detective control rather than a preventive control.

18
Q

Requirements for an information security program should be based PRIMARILY on which of the following choices?

A.Governance policies
B.Desired outcomes
C.Specific objectives
D.The security strategy

A

B is the correct answer.

Justification

Policies are one of the resources used to develop the strategy, which is based on specific objectives that meet the requirements.
The desired outcomes for the security program will be high-level achievements related to acceptable risk across the enterprise and will determine the requirements that must be met to achieve those outcomes.
Objectives are the steps required to achieve the desired outcomes.
The security strategy is the road map to achieve the objectives that result in the desired outcomes.

19
Q

Which of the following is the BEST approach for an enterprise desiring to protect its intellectual property?

A.Conduct awareness sessions on intellectual property policy.
B.Require all employees to sign a nondisclosure agreement.
C.Promptly remove all access when an employee leaves the enterprise.
D.Restrict access to a need-to-know basis.

A

D is the correct answer.

Justification

Security awareness regarding intellectual property policy will not by itself prevent violations of this policy.
Requiring all employees to sign a nondisclosure agreement is a good control but not as effective as restricting access to a need-to-know basis.
Removing all access on termination does not protect intellectual property prior to an employee leaving.
Restricting access to a need-to-know basis is the most effective approach to protecting intellectual property.

19
Q

What is the MOST common protocol to ensure confidentiality of transmissions in a business-to-customer financial web application?

A.Secure Sockets Layer
B.Secure Shell
C.IP Security
D.Secure/Multipurpose Internet Mail Extensions

A

A is the correct answer.

Justification

Secure Sockets Layer (SSL), today implemented as Transport Layer Security (TLS) although the old name persists, is a cryptographic protocol that provides endpoint authentication and communications privacy over the Internet. In typical use, all data transmitted between the customer and the business's web server are encrypted and remain confidential.
Secure Shell (SSH) provides an encrypted channel for remote login and, through the SSH File Transfer Protocol (SFTP), for file transfer and manipulation over any reliable data stream; it is not used by browsers for web transactions.
IP Security (IPSec) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. There are two modes of IPSec operation: transport mode and tunnel mode.
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for public key encryption and signing of email encapsulated in MIME; it is not a web transaction protocol.

20
Q

What human resources (HR) activity is MOST crucial in managing mobile devices supplied by the enterprise? HR provides:

A.termination notices.
B.background checks.
C.reporting structures.
D.awareness support.

A

A is the correct answer.

Justification

When the human resources (HR) department provides staff termination notices, security management can perform deprovisioning of mobile devices.
Background checks generally do not help the management of mobile devices.
Reporting structures generally do not affect the management of mobile devices.
HR could support information security awareness programs. However, from the management perspective, device deprovisioning upon staff termination will be more important.

21
Q

A web-based business application is being migrated from test to production. Which of the following is the MOST important management sign-off for this migration?

A.User
B.Network
C.Operations
D.Database

A

A is the correct answer.

Justification

As owners of the system, user management sign-off is the most important. If a system does not meet the needs of the business, then it has not met its primary objective.
The needs of the network are secondary to the needs of the business.
The needs of operations are secondary to the needs of the business.
The needs of database management are secondary to the needs of the business.

21
Q

Which of the following is the BEST justification to convince management to invest in an information security program?

A.Cost reduction
B.Compliance with company policies
C.Protection of business assets
D.Increased business value

A

D is the correct answer.

Justification

Cost reduction by itself is rarely the motivator for implementing an information security program.
Compliance is secondary to business value and cannot be the best justification, as the company may already be in compliance as managed by the legal team.
Protection of business assets is not the best justification, as management can counter it by stating that it can ensure protection of assets.
Investing in an information security program would increase business value as a result of fewer business disruptions, fewer losses, increased productivity and stronger brand reputation.

22
Q

An enterprise is implementing intrusion protection in its demilitarized zone (DMZ). Which of the following steps is necessary to make sure that the intrusion prevention system (IPS) can view all traffic in the DMZ?

A.Ensure that intrusion prevention is placed in front of the firewall.
B.Ensure that all devices that are connected can easily see the IPS in the network.
C.Ensure that all encrypted traffic is decrypted prior to being processed by the IPS.
D.Ensure that traffic to all devices is mirrored to the IPS.

A

C is the correct answer.

Justification

An intrusion prevention system (IPS) placed in front of the firewall will almost certainly continuously detect potential attacks, creating endless false positives and blocking many sources needlessly. Most actual attacks would be intercepted by the firewall in any case.
All connected devices do not need to see the IPS.
For the IPS to detect attacks, the data it inspects cannot be encrypted; therefore, encryption should be terminated before the traffic reaches the IPS, for example at a hardware Secure Sockets Layer (TLS) accelerator or a virtual private network server, so that all traffic can be monitored. Terminating encryption inside the DMZ means the decrypted traffic and the server's private keys now live there, which the design must account for.
Mirroring traffic (a SPAN port) feeds a passive sensor a copy of the packets; an inline IPS sits in the traffic path and does not rely on mirrored copies, and a mirrored copy of encrypted traffic would still be opaque.

22
Q

Which of the following is the MOST effective security measure to protect data held on mobile computing devices?

A.Biometric access control
B.Encryption of stored data
C.Power-on passwords
D.Protection of data being transmitted

A

B is the correct answer.

Justification

Biometric access control limits access but does not protect stored data once access has been breached.
Encryption of stored data will help ensure that the actual data cannot be recovered without the encryption key.
Power-on passwords do not protect data effectively; the drive can be removed and read in another system.
Protecting data stored on mobile computing devices does not relate to protecting data in transmission.

23
Q

What is the BEST approach to implement adequate segregation of duties in business-critical applications if shared access to elevated privileges by a small group is necessary?

A.Ensure access to individual functions can be granted to individual users only.
B.Implement role-based access control in the application.
C.Enforce manual procedures ensuring separation of conflicting duties.
D.Create service accounts that can only be used by authorized team members.

A

B is the correct answer.

Justification

Access to individual functions will not ensure appropriate segregation of duties (SoD).
Role-based access control is the best way to implement appropriate SoD. Roles will have to be defined once, and then the user can be changed from one role to another without redefining the content of the role each time.
Giving a user access to all functions and implementing, in parallel, a manual procedure ensuring SoD is not an effective method, and it would be difficult to enforce and monitor.
Creating service accounts that can be used by authorized team members would not provide any help unless their roles were properly segregated.
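To make the role-based answer concrete, the following is an added example, not part of the flashcard set: a small RBAC model in which the conflicting duties are declared on permissions, every role assignment is checked against the user's resulting effective permissions, and roles that bundle a conflict on their own are flagged so the "small group with shared elevated access" is never handed one. The roles, permissions and conflict pairs are constructed for illustration.

```python
"""Added example: role-based access control with segregation-of-duties checks."""

# Constructed roles for a payments application.
ROLE_PERMISSIONS = {
    "payments_clerk": {"payment.create", "payment.read"},
    "payments_approver": {"payment.approve", "payment.read"},
    "treasury_admin": {"payment.create", "payment.approve", "bankaccount.edit"},
    "auditor": {"payment.read", "log.read"},
}

# Duties that must never sit with one person. Declared on permissions, so the
# check holds however roles are later composed or renamed.
CONFLICTING_PERMISSIONS = {
    frozenset({"payment.create", "payment.approve"}),
    frozenset({"bankaccount.edit", "payment.approve"}),
}


class SoDViolation(Exception):
    """Raised when an assignment would give one user conflicting duties."""


def effective_permissions(roles) -> set:
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_conflicts(perms: set) -> list:
    """All conflicting pairs fully contained in a permission set."""
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING_PERMISSIONS if pair <= perms)


def toxic_roles() -> list:
    """Roles that contain a conflict by themselves; these must not be assigned to anyone."""
    return sorted(role for role, perms in ROLE_PERMISSIONS.items() if sod_conflicts(perms))


class RBAC:
    def __init__(self):
        self.assignments = {}   # user -> set of role names

    def assign(self, user: str, role: str) -> None:
        """Grant a role only if the user's combined permissions stay conflict-free."""
        if role not in ROLE_PERMISSIONS:
            raise KeyError(role)
        proposed = self.assignments.get(user, set()) | {role}
        clash = sod_conflicts(effective_permissions(proposed))
        if clash:
            raise SoDViolation(f"{user}: adding {role} would combine {clash}")
        self.assignments[user] = proposed

    def permitted(self, user: str, permission: str) -> bool:
        return permission in effective_permissions(self.assignments.get(user, set()))


if __name__ == "__main__":
    print("roles that bundle conflicting duties:", toxic_roles())
    rbac = RBAC()
    rbac.assign("dana", "payments_clerk")
    try:
        rbac.assign("dana", "payments_approver")
    except SoDViolation as exc:
        print("blocked:", exc)
```

Because the conflict is evaluated on effective permissions rather than on role names, it also catches the common failure where a new, broad role is created for the privileged group and quietly reintroduces a create-plus-approve combination.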

24
Q

The use of public key encryption for the purpose of providing encryption keys for a large number of individuals is preferred PRIMARILY because:

A.public key encryption is computationally more efficient.
B.scaling is less problematic than using a symmetrical key.
C.public key encryption is less costly to maintain than symmetrical keys for small groups.
D.public key encryption provides greater encryption strength than secret key options.

A

B is the correct answer.

Justification

Public key encryption is computationally intensive because of the long key lengths and modular arithmetic it requires.
Symmetric or secret key encryption requires a separate key for each pair of individuals who wish to communicate confidentially, so the number of keys grows quadratically (n(n-1)/2 keys for n participants), resulting in intractable distribution and storage problems; public key encryption needs only one key pair per participant.
A public key infrastructure is more costly for small groups but less costly to maintain as the number of participants increases. It is the only manageable option for large groups, which is why it is preferred.
Secret key encryption achieves equivalent strength with much shorter keys (a 128-bit AES key is roughly comparable to a 3072-bit RSA key).

25
Q

Obtaining another party’s public key is required to initiate which of the following activities?

A.Authorization
B.Digital signing
C.Authentication
D.Nonrepudiation

A

C is the correct answer.

Justification

Authorization is not a public key infrastructure function.
The signer's own private key is used for signing.
The counterparty's public key is needed to verify the counterparty's signature, which authenticates the counterparty, or to encrypt a message that only the counterparty can decrypt.
Nonrepudiation rests on the signer's private key, which only the signer holds.

26
Q

Which of the following considerations is the MOST important one in the use of a vulnerability scanning tool?

A.Multiple functions
B.Regular updates
C.Graphical user interface
D.Real-time virus deletion

A

B is the correct answer.

Justification

Multiple functionalities cannot replace the importance of a scanner being kept current with the latest vulnerabilities.
A vulnerability scanner is as good as its last update.
The graphical user interface addresses ease of use rather than the effectiveness of the scanner.
A vulnerability scanner does not need to have the ability to delete viruses.

27
Q

Which information security liaison is PRIMARILY responsible for providing assurance of policy compliance and identifying risk?

A. Information technology
B. Privacy
C. IT audit
D. Legal

A

C is the correct answer.

Justification

Information technology has a critical role as the hands-on implementer and operator of information processing systems.
The privacy department coordinates with information security to discuss compliance to avoid potential sanctions for violations to privacy regulations.
IT audit is generally charged with providing assurance of policy compliance and identifying risk.
Legal works with information security to oversee corporate responsibility, contract review, and due diligence, protecting the firm from legal liability.

28
Q

Which of the following guarantees that data in a file have not changed?

A.Inspecting the modified date of the file
B.Encrypting the file with symmetric encryption
C.Using stringent access control to prevent unauthorized access
D.Creating a hash of the file, then comparing the file hashes

A

D is the correct answer.

Justification

The modified date can be set to reflect any value.
Encrypting the file will make it difficult to modify meaningfully but does not ensure that it has not been corrupted or altered.
Access control cannot ensure that file data has not been changed.
A hashing algorithm can be used to mathematically verify that data have not been changed: hash the file and compare the result with the hash taken earlier. The guarantee only holds if a collision-resistant algorithm such as SHA-256 is used and the reference hash is protected or signed, since an attacker who can change the file can often also replace a hash stored next to it.
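The following is an added example, not part of the flashcard set, that ties this card to cards 12 (nonrepudiation) and 25 (whose key is used for what): it shows hash comparison detecting a change, shows the same comparison being fooled when the attacker also replaces the reference hash, and then signs the hash with a private key so that verification with the public key catches both tampering and a mismatched key. The key pair is a toy: unpadded textbook RSA built from two published Mersenne primes (2^521-1 and 2^607-1, an assumption chosen only so the modulus exceeds a 256-bit hash). Anyone can factor it, so it must never be used for real signatures; a vetted library (RSA-PSS or Ed25519) belongs there.

```python
"""Added example: hash comparison vs. a signed hash. Toy RSA, standard library only."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unchanged(data: bytes, reference_hex: str) -> bool:
    """Card 28: compare the current hash with the stored reference in constant time."""
    return hmac.compare_digest(sha256_hex(data), reference_hex)


# Toy RSA key pair. Assumption: P and Q are the Mersenne primes 2**521-1 and
# 2**607-1, chosen so that N exceeds any 256-bit hash. Publicly known factors,
# no padding: illustration only, never for real use.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537                              # public exponent (coprime to (P-1)(Q-1))
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Cards 12/25: the signer's PRIVATE key acts on the hash of the message."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, d, n)


def verify(data: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """The signer's PUBLIC key recovers the hash, which must match a fresh hash."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, e, n) == h


def demo() -> dict:
    doc = b"Transfer 1000 EUR to account 42"        # constructed message
    tampered = b"Transfer 9000 EUR to account 42"
    ref = sha256_hex(doc)
    sig = sign(doc)
    # An attacker who can rewrite the file can usually rewrite an unsigned hash too.
    attacker_ref = sha256_hex(tampered)
    return {
        "hash_detects_change": not unchanged(tampered, ref),
        "hash_fooled_if_reference_replaced": unchanged(tampered, attacker_ref),
        "signature_valid": verify(doc, sig),
        "signature_rejects_tamper": not verify(tampered, sig),
        "wrong_public_key_rejects": not verify(doc, sig, e=3),   # (3, N) is a different key
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The attacker can recompute a hash but cannot produce a signature without D, which is exactly the property nonrepudiation depends on; the last check shows that verification also fails when the verifier holds a public key that does not correspond to the signing key.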

29
Q

What is an advantage of sending messages using steganographic techniques as opposed to using encryption?

A.The existence of messages is unknown
B.Required key sizes are smaller.
C.Traffic cannot be sniffed.
D.Reliability of the data is higher in transit.

A

A is the correct answer.

Justification

The existence of messages is hidden in another file, such as a JPEG image, when using steganography.
Some implementations count on security through obscurity and others require keys, which may or may not be smaller.
Sniffing of steganographic traffic is possible.
The reliability of the data is not relevant.

30
Q

In which of the following system development life cycle phases are access control and encryption algorithms chosen?

A.Procedural design
B.Architectural design
C.System design specifications
D.Software development

A

C is the correct answer.

Justification

The procedural design converts structural components into a procedural description of the software.
The architectural design is the phase that identifies the overall system design but not the specifics.
The system design specifications phase is where the detailed security specifications, including the access control model and the encryption algorithms, are selected.
Software development is too late a stage because during this phase the system is already being coded.

31
Q

When a user employs a client-side digital certificate to authenticate to a web server through Secure Sockets Layer, confidentiality is MOST vulnerable to which of the following?

A.Internet Protocol spoofing
B.Man-in-the-middle attack
C.Repudiation
D.Trojan

A

D is the correct answer.

Justification

Internet Protocol spoofing will not work because the IP address is not used as an authentication mechanism.
A man-in-the-middle attack is impractical when Secure Sockets Layer is used with client-side certificates, because each side verifies the other's certificate before the session keys are established.
Repudiation is unlikely because client-side certificates authenticate the user.
A Trojan is a program that can give the attacker full control over the infected computer, allowing the attacker to hijack the session or to copy or alter information after the user has authenticated; the protocol protects the channel, not the endpoint.

32
Q

An enterprise is planning to deliver subscription-based educational services to customers online that will require customers to log in with their user IDs and passwords. Which of the following is the BEST method to validate passwords entered by a customer before access to educational resources is granted?

A.Encryption
B.Content filtering
C.Database hardening
D.Hashing

A

D is the correct answer.

Justification

Encryption applies a reversible algorithm to the plaintext password, so an encrypted password must be decrypted for authentication, which exposes the actual password. The authentication mechanism would also need access to the encryption key, so anyone with the appropriate access to the server could decrypt every user's password; this is not an acceptable or secure practice.
Content filtering is not a component of password validation.
Database hardening helps in enhancing the security of a database but does not assist with password validation.
Hashing refers to a one-way algorithm that always creates the same output if applied to the same input. When hashing passwords, only the password’s hash value (output) is stored, not the actual password (input). When a user logs in and enters the password, the hash is applied to the password by the authentication mechanism and compared to the stored hash. If the hash matches, then access is granted. The actual password cannot be derived from the hash (because it is a one-way algorithm), so there is no chance of the password being compromised from the hash values stored on the server.

33
Q

Which of the following is the MOST important guideline when using software to scan for security exposures within a corporate network?

A.Never use open source tools.
B.Focus only on production servers.
C.Follow a linear process for attacks.
D.Do not interrupt production processes.

A

D is the correct answer.

Justification

Open source tools are an excellent resource for performing scans.
Scans should focus on both the test and production environments because, if compromised, the test environment could be used as a platform for attacks on production servers.
The process of scanning for exposures is a spiral process rather than a linear process.
The first rule of scanning for security exposures is to not break anything. This includes interrupting any running production processes.

34
Q

Which of the following mechanisms is the MOST secure way to implement a secure wireless network?

A.Filter media access control addresses.
B.Use a Wi-Fi Protected Access protocol.
C.Use a Wired Equivalent Privacy key.
D.Use web-based authentication.

A

B is the correct answer.

Justification

Media access control (MAC) address filtering by itself is not a good security mechanism because allowed MAC addresses can be easily sniffed and then spoofed to get into the network.
The Wi-Fi Protected Access 2 (WPA2) protocol is currently one of the most secure authentication and encryption protocols for mainstream wireless products.
Wired Equivalent Privacy (WEP) is no longer a secure encryption mechanism for wireless communications. The WEP key can be easily broken within minutes using widely available software. Once the WEP key is obtained, all communications of every other wireless client are exposed.
A web-based authentication mechanism can be used to prevent unauthorized user access to a network, but it will not solve the wireless network’s main security issues, such as preventing network sniffing.

35
Q

Which of the following choices is the WEAKEST link in the authorized user registration process?

A.The certificate authority’s private key
B.The registration authority’s private key
C.The relying party’s private key
D.A secured communication private key

A

B is the correct answer.

Justification

The certificate authority’s (CA’s) private key is heavily secured both electronically and physically and is extremely difficult to access by anyone.
The registration authority’s (RA’s) private key is in the possession of the RA, often stored on a smart card or laptop, and is typically protected by a password and, therefore, is potentially accessible. If the RA’s private key is compromised, it can be used to register anyone for a certificate using any identity, compromising the entire public key infrastructure for that CA.
The relying party’s private key, if compromised, only puts that party at risk.
The private key used for secure communication will only pose a risk to the parties communicating.

36
Q

What is a desirable sensitivity setting for a biometric access control system that protects a high-security data center?

A.A high false reject rate
B.A high false acceptance rate
C.Lower than the crossover error rate
D.The exact crossover error rate

A

A is the correct answer.

Justification

Biometric access control systems are not infallible. When tuning the solution, one has to adjust the sensitivity level to give preference either to the false reject rate (FRR, the type I error rate), making the system more prone to deny access to a valid user, or to the false acceptance rate (FAR), making it more prone to allow access to an invalid user. The preferable setting will be in the FRR region of sensitivity.
A high false acceptance rate (FAR) will marginalize security by allowing too much unauthorized access. In systems in which the possibility of false rejects is a problem, it may be necessary to reduce sensitivity and thereby increase the number of false accepts.
As the sensitivity of the biometric system is adjusted, the FRR and FAR change inversely. At one point, the two values intersect and are equal. This condition creates the crossover error rate, which is a measure of the system accuracy. Lower than the crossover error rate will create too high a FAR for a high-security data center.
The crossover rate is sometimes referred to as equal error rate. In a very sensitive system, it may be desirable to minimize the number of false accepts—the number of unauthorized persons allowed access. To do this, the system is tuned to be more sensitive with a lower FAR, which causes the FRR—the number of authorized persons disallowed access—to increase.

37
Q

Which of the following is the MOST important item to consider when evaluating products to monitor security across the enterprise?

A.Ease of installation
B.Product documentation
C.Available support
D.System overhead

A

D is the correct answer.

Justification

Ease of installation, while important, would be secondary.
Product documentation, while important, would be secondary.
Available support, while important, would be secondary.
Monitoring products can impose a significant impact on system overhead for servers and networks.

38
Q

Which of the following is the BEST approach to deal with inadequate funding of the information security program?

A.Eliminate low-priority security services.
B.Require management to accept the increased risk.
C.Use third-party providers for low-risk activities.
D.Reduce monitoring and compliance enforcement activities.

A

C is the correct answer.

Justification

Prioritizing information security activities is always useful, but eliminating even low-priority security services is a last resort.
If budgets are seriously constrained, management is already addressing increases in other risk and is likely to be aware of the issue. A proactive approach to doing more with less will be well-received.
Outsourcing of some information security activities can cut costs and increase resources for other security activities proactively, as can automation of some security procedures.
Reducing monitoring activities may unnecessarily increase risk when lower-cost options to perform those functions may be available.

39
Q

A newly appointed security manager has innovative plans for the information security management program. What is the MOST critical factor to ensure the success of the proposed changes? Ensuring that:

A. senior leadership buys into the proposed changes.
B. all employees understand the proposed changes and are trained.
C. risk reduction efforts are quantified, documented, and communicated to the CISO.
D. policies, procedures, baselines, and guidelines reflect the proposed changes.

A

A is the correct answer.

Justification

Senior leadership support is the most important factor when building or changing an information security program, as management support will ensure that other resources are made available for the program to succeed.
Employee understanding and training are important but come after program design and implementation. However, without senior leadership support, the program will not even get to that stage.
While communicating the program’s risk reduction to the CISO is important to ensure continued support, broad senior management support is vital to initiate the program.
Policies, procedures, baselines, and guidelines are outcomes of the program after management commitment is secured.

40
Q

When setting up an information classification scheme, the role of the information owner is to:

A.ensure that all data on an information system are protected according to the classification policy.
B.determine the classification of information across the information owner’s scope of responsibility.
C.identify all information that requires backup according to its criticality and classification.
D.delegate the classification of information to responsible information custodians.

A

B is the correct answer.

Justification

The information system owner is responsible for protecting data on an information system according to the information security policy and the mandate and classification of the information. The classification would have been set up earlier.
The information owner must determine the classification of information across the role’s scope of responsibility and ensure that information is classified consistently.
Identification of all information that requires backup according to classification will happen after the information classification scheme has been set up. Ensuring backup of data is the role of the information custodian and operations group.
The information owner may delegate the classification to another responsible manager; however, this is not the advised role in setting up the classification scheme.

41
Q

Which of the following factors BEST helps determine the appropriate protection level for an information asset?

A.The cost of acquisition and implementation of the asset
B.Knowledge of vulnerabilities present in the asset
C.The degree of exposure to known threats
D.The criticality of the business function supported by the asset

A

D is the correct answer.

Justification

The criticality of the asset is determined by the business value of the asset, not just the cost of the asset. The value is determined by the cost of acquisition and implementation of the asset.
Knowledge of vulnerabilities helps in determining the protection method; however, protection is implemented based on the business value of the asset compared with the cost of the protection method.
The degree of exposure may require certain treatment options, but the degree and extent of protection is still determined by criticality.
Although all the options may help in determining the protection level of the asset, the criticality of the business function supported by the asset is the most important because nonavailability might affect the delivery of services.

42
Q

Asset classification should be MOSTLY based on:

A.business value.
B.book value.
C.replacement cost.
D.initial cost.

A

A is the correct answer.

Justification

Classification should be based on the value of the asset to the business, generally in terms of revenue production or potential impact on loss or disclosure of sensitive information.
Book value is not an appropriate basis for classification.
Replacement cost is not an appropriate basis for classification.
Initial cost is not an appropriate basis for classification.

43
Q

Which of the following activities is MOST effective for developing a data classification schema?

A.Classifying critical data based on protection levels
B.Classifying data based on the possibility of leakage
C.Aligning the schema with data leak prevention tools
D.Building awareness of the benefit of data classification

A

D is the correct answer.

Justification

Data protection levels are decided based on classification or business value.
Data are classified on business value and not on the possibility of leakage. Protection of the data may well be based on the possibility of leakage.
Aligning the schema with data leak prevention (DLP) tools may help while automating protection, but the data classification schema already has to exist for it to align with DLP.
While developing a data classification schema, it is most important that all users are made aware of the need for accurate data classification to reduce the cost of overprotection and the risk of underprotection of information assets.

44
Q

A company recently developed a breakthrough technology. Because this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected?

A.Access control policy
B.Data classification policy
C.Encryption standards
D.Acceptable use policy

A

B is the correct answer.

Justification

Without a mandated ranking of degree of protection, it is difficult to determine what access controls should be in place.
Data classification policies define the level of protection to be provided for each category of data based on business value.
Without a mandated ranking of degree of protection, it is difficult to determine what levels of encryption should be in place.
An acceptable use policy is oriented more toward the end user and, therefore, would not specifically address what controls should be in place to adequately protect information.

45
Q

Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a publicly traded, multinational enterprise?

A.Strategic business plan
B.Upcoming financial results
C.Customer personal information
D.Previous financial results

A

D is the correct answer.

Justification

The strategic business plan is private information and should only be accessed by authorized entities.
Upcoming financial results are private information and should only be accessed by authorized entities.
Customer personal information is private information and should only be accessed by authorized entities.
Previous financial results are public; all the other choices are private information and should only be accessed by authorized entities.

46
Q

The PRIMARY objective of asset classification is to:

A.maximize resource management.
B.comply with IT policy.
C.define information architecture.
D.determine protection level.

A

D is the correct answer.

Justification

Classification is one of many parts of resource management.
The IT policy of an enterprise is determined based on business policies.
Asset classification is an input to information architecture.
Classification allows the appropriate protection level to be assigned to the asset.

47
Q

What is the PRIMARY benefit of performing an information asset classification?

A.It links security requirements to business objectives.
B.It identifies controls commensurate with impact.
C.It defines access rights.
D.It establishes asset ownership.

A

B is the correct answer.

Justification

Asset classification indirectly links security to business objectives on the basis of business value of assets.
Classification levels are based on the business value (or potential impact) of assets and the stronger controls needed for higher classification.
Classification does not define access rights.
Classification does not establish ownership.

48
Q

When initially establishing an information security program, it is MOST important that managers:

A.examine and understand the culture within the enterprise.
B.analyze and understand the control system of the enterprise.
C.identify and evaluate the overall risk exposure of the enterprise.
D.examine and assess the security resources of the enterprise.

A

C is the correct answer.

Justification

Examining and understanding the culture within the enterprise is an important step in the overall evaluation process.
Analyzing and understanding the control system is an essential step to determine what risk is addressed and what control objectives are currently in place.
Identifying and evaluating the overall risk is most important, because it includes the other three elements, in addition to others.
Examining and assessing security resources is important information in determining and evaluating overall risk and exposure of an enterprise.

49
Q

Which of the following is MOST important to achieve proportionality in the protection of enterprise information systems?

A.Asset classification
B.Risk assessment
C.Security architecture
D.Configuration management

A

A is the correct answer.

Justification

Asset classification is based on the criticality and sensitivity of information assets with the goal of providing the appropriate and, therefore, proportional degree of protection.
Proper risk assessment requires assets to be classified; asset classification most directly impacts the mitigation efforts an enterprise will implement.
Security architecture will be affected by asset classification and, to some extent, may affect how assets are classified; asset classification most directly impacts the mitigation efforts an enterprise will implement.
Configuration management is likely to be affected by asset classification levels but is not directly related to information security.

50
Q

Assuming that the value of information assets is known, which of the following gives the information security manager the MOST objective basis for determining that the information security program is delivering value?

A.Number of controls
B.Cost of achieving control objectives
C.Effectiveness of controls
D.Test results of controls

A

B is the correct answer.

Justification

Number of controls has no correlation with the value of assets unless the effectiveness of the controls and their cost are also evaluated.
A comparison of the cost of achievement of control objectives with the corresponding value of assets sought to be protected would provide a sound basis for the information security manager to measure value delivery.
Effectiveness of controls has no correlation with the value of assets unless their costs are also evaluated.
Test results of controls may determine their effectiveness but have no correlation with the value of assets.

51
Q

Which of the following is the PRIMARY prerequisite to implementing data classification within an enterprise?

A.Defining job roles
B.Performing a risk assessment
C.Identifying data owners
D.Establishing data retention policies

A

C is the correct answer.

Justification

Defining job roles is not relevant.
Performing a risk assessment is important but will require the participation of data owners (who must first be identified).
Identifying the data owners is the first step and is essential to implementing data classification.
Establishing data retention policies may occur at any time.

52
Q

Which of the following choices BEST helps determine appropriate levels of information resource protection?

A.A business case
B.A vulnerability assessment
C.Asset classification
D.Asset valuation

A

C is the correct answer.

Justification

A business case may be useful to support the need for asset classification but does not by itself provide a basis for assignment at the individual resource level.
Vulnerability assessment does not take into account criticality or sensitivity, which is the basis for assigning levels of information resource protection.
Asset classification based on criticality and sensitivity provides the best basis for assigning levels of information resource protection.
Asset valuation is not an adequate basis for determining the needed level of protection. For example, an asset can be very valuable from a cost standpoint but be neither critical to operations nor sensitive if exposed.

53
Q

An information security manager has two identical servers in the network subject to a viable threat but decides to harden only one of them. The MOST likely reason for this choice is that the second server:

A.handles only unimportant information.
B.will be unable to perform required tasks.
C.is placed so that it has no exposure.
D.has constant monitoring that precludes attack.

A

C is the correct answer.

Justification

Unimportant information may require less protection, but it is unlikely that it should be totally unprotected because it may provide an avenue into the rest of the network.
It is unlikely that hardening a server will render it incapable of performing required tasks.
If the second server has no exposure, there is no probability that a compromise can occur.
Monitoring may indicate when an attack occurs but will not preclude an attack.

54
Q

Why is asset classification important to a successful information security program?

A.It determines the priority and extent of risk mitigation efforts.
B.It determines the amount of insurance needed in case of loss.
C.It determines the appropriate level of protection to the asset.
D.It determines how protection levels compare to peer enterprises.

A

C is the correct answer.

Justification

Classification does not determine the priority and extent of the risk mitigation efforts; prioritization of risk mitigation efforts is generally based on risk analysis or a business impact analysis.
Classification does not establish the amount of insurance needed; insurance is often not a viable option.
Classification is based on the value of the asset to the enterprise and helps establish the protection level in proportion to the value of the asset.
Classification schemes differ from enterprise to enterprise and are often not suitable for benchmarking.

55
Q

Which of the following is the BEST method to determine classification of data?

A.Assessment of impact associated with compromise of data by the data owner
B.Compliance requirements defined in the information security policy
C.Requirements based on the protection level implemented for different datasets
D.Assessment of risk of data loss by the information security manager

A

A is the correct answer.

Justification

The classification of data is based upon the potential impact from loss or corruption.
Compliance requirements are used as an input to risk assessment by considering risk associated with noncompliance.
The protection level is determined based on the classification of data and not the other way around.
Classification is not based upon risk; it is based upon impact (criticality or sensitivity or business value). The data owner determines the classification level.

56
Q

When creating an effective data-protection strategy, the information security manager must understand the flow of data and its protection at various stages. This is BEST achieved with:

A.a third-party vulnerability assessment.
B.a tailored methodology based on exposure.
C.an insurance policy for accidental data losses.
D.a tokenization system set up in a secure network environment.

A

B is the correct answer.

Justification

Vulnerability assessments, third-party or otherwise, do not provide information about data flow, risk or threats that is needed to create a data protection strategy.
Enterprises classify data according to business value and risk exposure. The enterprise can then develop a sensible plan to invest budget and effort to create the data protection strategy based on the information gathered about the data assets.
An insurance policy is a risk treatment option for the transfer/sharing of risk and does not provide the information necessary for creating a data protection strategy.
Tokenization is a technique used to protect data, and not a method to ascertain data flow or other attributes relevant and necessary to create the data protection strategy.

57
Q

Which of the following BEST supports the principle of security proportionality?

A.Release management
B.Ownership schema
C.Resource dependency analysis
D.Asset classification

A

D is the correct answer.

Justification

Release management provides no indication that protection is proportionate to the value of the asset.
An implemented ownership schema is one step in achieving proportionality, but other steps must also occur.
Resource dependency analysis can reveal the level of protection afforded a particular system, but that may be unrelated to the level of protection of other assets.
Classification provides the basis for protecting resources in relation to their importance to the enterprise; more important assets get a proportionally higher level of protection.

58
Q

The classification level of an asset must be PRIMARILY based on which of the following choices?

A.Criticality and sensitivity
B.Likelihood and impact
C.Valuation and replacement cost
D.Threat vector and exposure

A

A is the correct answer.

Justification

The extent to which an asset is critical to business operations or can damage the enterprise if disclosed is the primary consideration for the level of protection required.
Asset classification is driven by criticality and sensitivity, not likelihood of compromise.
Probability and frequency are considerations of risk and not the main consideration of asset classification.
Threat vector and exposure together do not provide information on impact needed for classification.

59
Q

The information classification scheme should:

A.consider possible impact of a security breach.
B.classify personal information in electronic form.
C.be performed by the information security manager.
D.be based on a risk assessment.

A

A is the correct answer.

Justification

Data classification is determined by the business value of the asset (i.e., the potential impact on the business of the loss, corruption or disclosure of information).
Classification of personal information in electronic form is an incomplete answer because it addresses a subset of organizational data.
Information classification is performed by the data owner based on accepted security criteria.
The risk to a particular asset is not the basis for classification; rather, the potential impact from compromise is the basis.

60
Q

Which of the following is the MOST important element of information asset classification?

A.Residual risk
B.Segregation of duties
C.Potential impact
D.Need to know

A

C is the correct answer.

Justification

Residual risk is unrelated to asset classification.
Segregation of duties is a control unrelated to asset classification.
Classification levels must be based on the level of impact that would occur as a result of compromise.
Need to know is a control indirectly related to asset classification.

61
Q

Who should determine the appropriate classification of accounting ledger data located on a database server and maintained by a database administrator in the IT department?

A.Database administrator
B.Finance department management
C.Information security manager
D.IT department management

A

B is the correct answer.

Justification

The database administrator is the custodian of the data who would apply the appropriate security levels for the classification.
Data owners are responsible for determining data classification; in this case, management of the finance department would be the owner of accounting ledger data.
The security manager would act as an advisor and enforcer.
The IT management is the custodian of the data who would apply the appropriate security levels for the classification.

62
Q

Who is accountable for ensuring that information is categorized and that specific protective measures are taken?

A.The security officer
B.Senior management
C.The end user
D.The custodian

A

B is the correct answer.

Justification

The security officer assumes responsibility, as this role supports and implements information security to achieve senior management objectives.
While routine administration and operations of all aspects of security may be delegated, top management must retain overall accountability.
The end user is not responsible for ensuring that information is categorized and that specific protective measures are taken.
The custodian supports and implements information security measures as directed and is not responsible for ensuring that information is categorized and that specific protective measures are taken.

63
Q

Which of the following would be the BEST indicator of an asset’s value to an enterprise?

A.Risk assessment
B.Security audit
C.Certification
D.Classification

A

D is the correct answer.

Justification

Assessing the risk to resources will not determine their importance to the business.
Security audits may provide an indication of the importance of particular resources but will be more focused on risk, vulnerabilities and compliance.
Certification is the process of assessing compliance with a standard.
Classification is the process of determining criticality and sensitivity of information resources (i.e., business value).

64
Q

Which of the following poses the GREATEST challenge to an enterprise seeking to prioritize risk management activities?

A.An incomplete catalog of information assets
B.A threat assessment that is not comprehensive
C.A vulnerability assessment that is outdated
D.An inaccurate valuation of information assets

A

D is the correct answer.

Justification

Enterprises are only able to prioritize items they know to exist. An incomplete catalog of information assets introduces the possibility that prioritization is overlooking assets that may have substantial value, unintentionally resulting in the implicit acceptance of risk that may exceed the risk appetite and tolerance. However, inaccurate valuation of known assets has a greater negative impact on prioritization than the possibility of certain high-value assets not being properly taken into account.
Evaluating the threat environment is the most challenging aspect of risk assessment, and it is nearly always the case that a threat assessment excludes one or more threats. As a result, any prioritization effort must assume that the threat assessment is not comprehensive.
It is common for a vulnerability assessment to be outdated at the start of each cycle of a risk management program prior to the start of risk management activities, but the influence of outdated vulnerability information is less a concern than inaccurate valuation of assets.
Although prioritization on the basis of risk requires knowledge of threat, vulnerability and potential consequence, it is this last factor expressed in terms of value that is most influential when prioritizing risk management activities. If assets are valued incorrectly, otherwise justifiable decisions of how to prioritize activities may be incorrect.

65
Q

Which program element should be implemented FIRST in asset classification and control?

A.Risk assessment
B.Classification
C.Valuation
D.Risk mitigation

A

C is the correct answer.

Justification

Risk assessment is performed to identify and quantify threats to information assets that are selected by the first step, valuation.
Classification is a step following valuation.
Valuation is performed first to identify and understand the value of assets needing protection.
Risk mitigation is a step following valuation based on the valuation.

66
Q

Which of the following is the MOST important to keep in mind when assessing the value of information?

A.The potential financial loss
B.The cost of recreating the information
C.The cost of insurance coverage
D.Regulatory requirements

A

A is the correct answer.

Justification

The potential for financial loss is always a key factor when assessing the value of information.
The cost of recreating the information may be a contributor but not the key factor.
The cost of insurance coverage may be a contributor but not the key factor.
Regulatory requirements may be a contributor but not the key factor.

67
Q

Which of the following is the MOST important prerequisite to undertaking asset classification?

A.Threat analysis
B.Impact assessment
C.Controls evaluation
D.Penetration testing

A

B is the correct answer.

Justification

Threat analysis only identifies the threats that exist against enterprise assets. However, both threat and impact need to be taken into account.
The classification level is an indication of the value or importance of the asset to the enterprise. Impact assessments are needed to determine criticality and sensitivity, which form the basis for the classification level.
Controls evaluation is needed after classification levels have been determined to ensure that the asset is protected according to the classification level.
Penetration testing is not one of the prerequisites for conducting asset classification.

68
Q

Which of the following items is the BEST basis for determining the value of intangible assets?

A.Contribution to revenue generation
B.A business impact analysis
C.Threat assessment
D.Replacement costs

A

A is the correct answer.

Justification

The value of any business asset is generally based on its contribution to generating revenues for the enterprise, both in the present and in the future.
A business impact analysis (BIA) is a process to determine the impact of losing the support of any resource. The BIA study will establish the escalation of that loss over time. It is predicated on the fact that senior management, when provided reliable data to document the potential impact of a lost resource, can make the appropriate decision. It may not take into account the long-term impact to revenue of losing intangible assets.
Threat analysis is an evaluation of the type, scope and nature of events or actions that can result in adverse consequences; it provides identification of the threats that exist against enterprise assets. The threat analysis usually defines the level of threat and the likelihood of it materializing. Threat assessment is not concerned with asset value but with the probability of compromise.
The replacement cost of intangible assets such as trade secrets typically cannot be calculated because replacement is impossible.

69
Q

From an information security perspective, information that no longer supports the main purpose of the business should be:

A.analyzed under the retention policy.
B.protected under the information classification policy.
C.analyzed under the backup policy.
D.assessed by a business impact analysis.

A

A is the correct answer.

Justification

Information analyzed under the retention policy will determine whether the enterprise is required to maintain the data for business, legal or regulatory reasons. Keeping data that are no longer required consumes resources unnecessarily and, in the case of sensitive personal information, can increase the risk of data compromise.
Whether information is protected under the information classification policy is an attribute that should be considered in the destruction and retention policy.
There is no reason to back up information that is no longer of use to the enterprise, and it should be considered as part of the retention policy.
A business impact analysis could help determine whether information supports the main objective of the business but would not indicate the action to take.

70
Q

Most standard frameworks for information security show the development of an information security program as starting with:

A.policy development and implementation of process.
B.an internal audit and remediation of findings.
C.a risk assessment and control objectives.
D.resource identification and budgetary requirements.

A

C is the correct answer.

Justification

Policies are written to support objectives, which are determined by business requirements.
Audits are conducted to determine compliance with control objectives.
An information security program is established to close the gap between the existing state of controls (as identified by a risk assessment) and the state desired on the basis of business requirements, which will be obtained through the meeting of control objectives.
A program must have objectives before resources can be allocated in pursuit of those objectives.

71
Q

What should documented standards/procedures for the use of cryptography across the enterprise achieve?

A.They should define the circumstances in which cryptography should be used.
B.They should define cryptographic algorithms and key lengths.
C.They should describe handling procedures of cryptographic keys.
D.They should establish the use of cryptographic solutions.

A

A is the correct answer.

Justification

There should be documented standards/procedures for the use of cryptography across the enterprise; they should define the circumstances in which cryptography should be used.
Procedures should cover the selection of cryptographic algorithms and key lengths but should not define them precisely.
Procedures should address the handling of cryptographic keys. However, this is secondary to how and when cryptography should be used.
The use of cryptographic solutions should be addressed but this is a secondary consideration.

72
Q

Which of the following control measures BEST addresses integrity?

A.Nonrepudiation
B.Time stamps
C.Biometric scanning
D.Encryption

A

A is the correct answer.

Justification

Nonrepudiation is a control technique that addresses the integrity of information by ensuring that the originator of a message or transaction cannot repudiate (deny or reject) the message, so the message or transaction can be considered authorized, authentic and valid.
Using time stamps is a control that addresses only one component of message integrity.
Biometric scanning is a control that addresses access.
Encryption is a control that addresses confidentiality; it may be an element of a data integrity scheme, but it is not sufficient to achieve the same level of integrity as the set of measures used to ensure nonrepudiation.

73
Q

One of the MAIN benefits of reviewing the enterprise security architecture when developing an enterprise information security program is to:

A.create strong security awareness among the decision-making entities.
B.implement effective and efficient value-added security controls.
C.enable compliance with security- and information-related regulations.
D.facilitate the acceptance of information security roles and responsibilities.

A

B is the correct answer.

Justification

Every information security program comprises information security awareness campaigns and initiatives, and enterprise information security architecture (EISA) includes people and process dimensions, thus helping to create a security-aware culture. However, these concepts are included as part of implementing the value-added controls.
Information security programs include any activities or initiatives that protect and maintain enterprise information, technology, processes, and resources. Most information security program development activities involve designing, testing, and deploying strategic, technical, and operational controls that achieve risk management objectives, which is the main purpose of information security programs. An information security architecture showing current and future assets and scopes (technology, business, people, applications, processes, etc.) helps the enterprise build the most effective and efficient security controls.
Although applicable information-related compliance requirements are part of business requirements and the information security program should address compliance with those requirements, this is not one of the main reasons to review the EISA during development of an information security program.
Security architectures help with communication and collaboration among stakeholders, but information security management frameworks facilitate the information security stakeholders’ understanding of their roles, responsibilities, and expectations.

74
Q

What is the PRIMARY goal of developing an information security program?

A.To implement the strategy
B.To optimize resources
C.To deliver on metrics
D.To achieve assurance

A

A is the correct answer.

Justification

The development of an information security program is usually seen as a manifestation of the information security strategy. Thus, the goal of developing the information security program is to implement the strategy.
Optimizing resources can be achieved in an information security program once the program has been aligned to the strategy.
Delivery of the metrics is a subset of strategic alignment with the information security program in an enterprise.
Assurance of information security occurs upon the strategic alignment of the information security program.

75
Q

What is the GREATEST benefit of decentralized security management?

A.Reduction of the total cost of ownership
B.Improved compliance with organizational policies and standards
C.Better alignment of security with business needs
D.Easier administration

A

C is the correct answer.

Justification

Reduction of the total cost of ownership is a benefit of centralized security management.
Improved compliance is a benefit of centralized security management.
Better alignment of security with business needs is the only answer that fits because the other choices are benefits of centralized security management.
Easier administration is a benefit of centralized security management.

76
Q

Which of the following security controls addresses availability?

A.Least privilege
B.Public key infrastructure
C.Role-based access
D.Contingency planning

A

D is the correct answer.

Justification

Least privilege is an access control that is concerned with confidentiality.
Public key infrastructure is concerned with confidentiality and integrity.
Role-based access limits access but does not directly address availability.
Contingency planning ensures that the system and data are available in the event of a problem.

77
Q

Which of the following challenges associated with information security documentation is MOST likely to affect a large, established enterprise?

A.Standards change more slowly than the environment.
B.Policies change faster than they can be distributed.
C.Procedures are ignored to meet operational requirements.
D.Policies remain unchanged for long periods of time.

A

A is the correct answer.

Justification

Large, established enterprises tend to have numerous layers of review and approval associated with changes to standards. These review mechanisms are likely to be outpaced by changes in technology and the risk environment.
Policies are meant to reflect strategic goals and objectives. In small or immature enterprises, the policy model may be poorly implemented, resulting in rapid changes to policies that are treated more like standards, but this situation is unlikely to arise in a large, established enterprise.
Large, established enterprises typically have formal training programs and internal controls that keep activities substantially in line with published procedures.
Although policies should be subject to periodic review and not be regarded as static, properly written policies should require significant changes only when there are substantial changes in strategic goals and objectives. It is reasonable that a large, established enterprise would experience policy changes only rarely.

78
Q

A control policy is MOST likely to address which of the following implementation requirements?

A.Specific metrics
B.Operational capabilities
C.Training requirements
D.Failure modes

A

D is the correct answer.

Justification

A control policy may specify a requirement for monitoring or metrics but will not define specific metrics.
Operational capabilities will likely be defined in specific requirements or in a design document rather than in the control policy.
There may be a general requirement for training but not control-specific training, which will be dependent on the particular control.
A control policy will state the required failure modes in terms of whether a control fails open or fails closed, which has implications for safety, confidentiality and availability.

79
Q

Information security should:

A.focus on eliminating all risk.
B.balance technical and business requirements.
C.be driven by regulatory requirements.
D.be defined by the board of directors.

A

B is the correct answer.

Justification

It is not practical or feasible to eliminate all risk.
Information security should ensure that business objectives are met given available technical capabilities, resource constraints and compliance requirements.
The extent of compliance with regulatory requirements is a business decision and must be defined by management.
Defining information security is an executive and operational function, not a board function.

80
Q

What is the MAIN objective for developing an information security program?

A.To create the information security policy
B.To maximize system uptime
C.To develop strong controls
D.To implement the strategy

A

D is the correct answer.

Justification

The policy should not be written for its own sake. To be effective, the policy must address the threat and risk landscape that is usually the basis for strategy development.
The degree of uptime required will be defined as a part of strategy development balanced against costs.
Not all controls need to be strong, and the degree of control must be determined by cost-effectiveness, impact on productivity and other factors.
The information security strategy provides the development road map against which the program is built.

81
Q

The MOST direct way to accurately determine the control baseline in an IT system is to do which of the following activities?

A.Review standards and system compliance.
B.Sample hardware and software configurations.
C.Review system and server logs for anomalies.
D.Perform internal and external penetration tests.

A

A is the correct answer.

Justification

A control baseline is obtained by reviewing the standards to determine whether the baseline falls within the boundaries set by the standards.
Sampling hardware configurations without knowing the control requirements reflected in the standards provides information on the current state but not on how that state relates to the intended state.
Anomalies in system logs do not necessarily indicate that baseline security is incorrect, nor does an absence of abnormalities mean that the baseline is correct.
Penetration tests that reveal vulnerabilities must be evaluated in the context of the control requirements set by the standard.

82
Q

When corporate standards change due to new technology, which of the following choices is MOST likely to be impacted?

A.Organizational policies
B.The risk assessment approach
C.Control objectives
D.Systems security baselines

A

D is the correct answer.

Justification

Properly developed organizational policies are not likely to require any change when corporate standards change due to new technology.
Risk assessment is a process used to identify and evaluate risk and its potential effects. Approaches to assessing risk probably will not need to change when corporate standards change due to new technology.
A control objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular process. Properly developed control objectives are not likely to require any changes when corporate standards change due to new technology.
Because security baselines are set by standards, it is most likely that a change in some standards will necessitate a review and possible changes in baseline security.

83
Q

Which of the following is an advantage of a centralized information security organizational structure?

A.It is easier to promote security awareness.
B.It is easier to manage and control.
C.It is more responsive to business unit needs.
D.It provides a faster turnaround for security requests.

A

B is the correct answer.

Justification

Decentralization allows the use of field security personnel as security missionaries or ambassadors to spread the security awareness message.
It is easier to manage and control a centralized structure. Promoting security awareness is an advantage of decentralization.
Decentralized operations allow security administrators to be more responsive.
Being close to the business allows decentralized security administrators to achieve a faster turnaround than that achieved in a centralized operation.

84
Q

The requirement for due diligence is MOST closely associated with which of the following?

A.The right to audit
B.Service level agreements
C.Appropriate standard of care
D.Periodic security reviews

A

C is the correct answer.

Justification

The right to audit is an important consideration when evaluating an enterprise but is not as closely related to the concept of due diligence.
Service level agreements are an important consideration when evaluating an enterprise but are not as closely related to the concept of due diligence.
The standard of care is most closely related to due diligence. It is based on the legal notion of the steps that would be taken by a person of similar competency in similar circumstances.
Periodic security reviews are not as closely related to due diligence.

85
Q

Information security frameworks can be MOST useful for the information security manager because they:

A.provide detailed processes and methods.
B.are designed to achieve specific outcomes.
C.provide structure and guidance.
D.provide policy and procedure.

A

C is the correct answer.

Justification

Frameworks are general structures and will not provide detailed processes and methods.
Frameworks do not specify particular outcomes but may provide the structure to assess outcomes against requirements.
Frameworks are like a skeleton; they provide the outlines and basic structure but not the specifics of process and outcomes.
Frameworks do not specify or provide policies and procedures. The creation of policy/procedure documents is left to the implementer who may follow a documentation framework.

86
Q

Which of the following measures is the MOST effective deterrent against disgruntled staff abusing their privileges?

A.Layered defense strategy
B.System audit log monitoring
C.Signed acceptable use policy
D.High-availability systems

A

C is the correct answer.

Justification

A layered defense strategy would only prevent those activities that are outside the user’s privileges.
System audit log monitoring is after the fact and may not be effective.
A signed acceptable use policy is often an effective deterrent against malicious activities because of the stated potential for termination of employment and/or legal actions being taken against the individual.
High-availability systems do not deter staff abusing privileges.

87
Q

Which of the following will BEST prevent an employee from using a universal serial bus (USB) drive to copy files from desktop computers?

A.Restrict the available drive allocation on all personal computers.
B.Disable USB ports on all desktop devices.
C.Conduct frequent awareness training with noncompliance penalties.
D.Establish strict access controls to sensitive information.

A

A is the correct answer.

Justification

Restricting the ability of a personal computer to allocate new drive letters ensures that universal serial bus (USB) drives or even compact disc-writers cannot be attached because they would not be recognized by the operating system.
Disabling USB ports on all machines is not practical because mice and other peripherals depend on these connections.
Awareness training does not prevent copying of information.
Access controls do not prevent copying.

87
Q

The effectiveness of segregation of duties may be MOST seriously compromised when:

A.user IDs of terminated staff remain active in application systems.
B.access privileges are accumulated based on previous job functions.
C.application role-based access deviates from the organizational hierarchies.
D.role mining tools are used in the access privilege review.

A

B is the correct answer.

Justification

It is not desirable to leave user IDs of terminated personnel or contractors active in the systems because it increases the potential for unauthorized access. However, the risk related to not effectively managing terminated users is an access management issue, not a segregation of duties issue.
When the changing of user roles is not adequately managed, access privileges may cross the boundary of segregation of duties. This often happens when a user’s role changes as part of a promotion or transfer, and the user is assigned new system privileges to fulfill the new role but the privileges of the previous role are not removed.
Role-based access is built on the premise that users are granted those privileges that they need to perform their daily job functions (roles). These may not necessarily be aligned with the organizational hierarchies.
Using role mining tools in the access entitlement review may enhance the efficiency and effectiveness of the process, particularly in large and complex environments.

88
Q

Which item would be the BEST to include in the information security awareness training program for new general staff employees?

A.Review of various security models
B.Discussion of how to construct strong passwords
C.Review of roles that have privileged access
D.Discussion of vulnerability assessment results

A

B is the correct answer.

Justification

A review of various security models would not be applicable to general staff employees.
All new employees will need to understand techniques for the construction of strong passwords.
A review of roles that have privileged access would not be applicable to general staff employees.
A discussion of vulnerability assessment results would not be applicable to general staff employees.

89
Q

The MOST effective way to limit actual and potential impacts of e-discovery in the event of litigation is to:

A.implement strong encryption of all sensitive documentation.
B.ensure segregation of duties and limited access to sensitive data.
C.enforce a policy of not writing or storing potentially sensitive information.
D.develop and enforce comprehensive retention policies.

A

D is the correct answer.

Justification

Encryption will not prevent the legal requirements to produce documents in the event of legal conflicts.
Limiting access to sensitive information based on the need to know may limit which personnel can testify during legal proceedings but will not limit the requirement to produce existing documents.
While some enterprises have practiced a policy of not committing issues of dubious legality to writing, it is not a sound practice and may violate a variety of laws.
Compliance with legally acceptable defined retention policies will limit exposure to the often difficult and costly demands for documentation during legal proceedings such as lawsuits.

90
Q

Which of the following tasks should the information security manager do FIRST when business information has to be shared with external entities?

A.Execute a nondisclosure agreement.
B.Review the information classification.
C.Establish a secure communication channel.
D.Enforce encryption of information.

A

B is the correct answer.

Justification

Execution of a nondisclosure agreement may be needed after the classification of the data to be shared is determined.
The information security manager should first determine whether sharing the information poses a risk for the enterprise based on the information classification.
Whether a secure channel is needed is a function of the classification of data to be shared.
Encryption requirements will be determined as a function of the classification of data to be shared.

91
Q

A newly hired information security manager notes that existing information security practices and procedures appear ad hoc. Based on this observation, the next action should be to:

A.assess the commitment of senior management to the program.
B.assess the maturity level of the enterprise.
C.review the corporate standards.
D.review corporate risk management practices.

A

C is the correct answer.

Justification

While management may not be exercising due care, it is concerned enough to engage a new information security manager. Assessing the commitment of senior management will not address the immediate concern of ad hoc practices and procedures.
It is evident from the initial review that maturity is very low and efforts required for a complete assessment are not warranted. It may be better to address the immediate problem of ad hoc practices and procedures.
The absence of current, effective standards is a concern that must be addressed promptly.
It is apparent that risk management is not being practiced; establishing an effective program will take time. A more prudent initial activity is to implement basic controls.

92
Q

What is the PRIMARY purpose of segregation of duties?

A.Employee monitoring
B.Reduced supervisory requirements
C.Fraud prevention
D.Enhanced compliance

A

C is the correct answer.

Justification

Segregation of duties (SoD) is unrelated to monitoring.
As a secondary benefit, some reduction in supervision may be possible.
SoD is primarily used to prevent fraudulent activities.
If SoD is a policy requirement, then a secondary benefit is enhanced compliance. However, the policy exists to reduce fraud.

92
Q

Who should be involved in the design of information security procedures to ensure they are functional and accurate?

A.End users
B.Legal counsel
C.Operational units
D.Audit management

A

C is the correct answer.

Justification

End users are normally not involved in procedure development other than testing.
Legal counsel is normally not involved in procedure development.
Procedures at the operational level must be developed by or with the involvement of operational units that will use them. This will ensure that they are functional and accurate.
Audit management generally oversees information security operations but does not get involved at the procedural level.

93
Q

Which of the following is the PRIMARY reason to change policies during program development?

A.The policies must comply with new regulatory and legal mandates.
B.Appropriate security baselines are no longer set in the policies.
C.The policies no longer reflect management intent and direction.
D.Employees consistently ignore the policies.

A

C is the correct answer.

Justification

Regulatory requirements typically are better addressed with standards and procedures than with high-level policies.
Standards set security baselines, not policies.
Policies must reflect management intent and direction. Policies should be changed only when management determines that there is a need to address new business requirements.
Employees not abiding by policies is a compliance and enforcement issue rather than a reason to change the policies.

94
Q

The PRIMARY reason for initiating a policy exception process is when:

A.operations are too busy to comply.
B.the risk is justified by the benefit.
C.policy compliance would be difficult to enforce.
D.users may initially be inconvenienced.

A

B is the correct answer.

Justification

Being busy is not a justification for policy exceptions.
Exceptions to policy are warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits.
The fact that compliance cannot be enforced is not a justification for policy exceptions.
User inconvenience is not a reason to automatically grant exception to a policy.

95
Q

The enactment of policies and procedures for preventing hacker intrusions is an example of an activity that belongs to:

A.risk management.
B.compliance.
C.IT management.
D.governance.

A

D is the correct answer.

Justification

Risk management is about identifying risk and adequate countermeasures and would be concerned if such policies and procedures were necessary, based on a risk analysis. However, the enactment does not fall into the area of risk management.
Compliance would be concerned with the adequacy of the policies and procedures to achieve the control objectives and whether employees acted according to the policies and procedures.
IT management would be concerned about setting the policies into operation (e.g., by providing training and resources).
Governance is concerned with implementing adequate mechanisms for ensuring that organizational goals and objectives can be achieved. Policies and procedures are common governance mechanisms.

96
Q

Who has the inherent authority to grant an exception to information security policy?

A.The business process owner
B.The departmental manager
C.The policy approver
D.The information security manager

A

C is the correct answer.

Justification

The business process owner is typically required to enforce the policy and would not normally have the authority to grant an exception.
The departmental manager cannot approve an exception to policy because the role is not responsible for the policy delivering its promised results.
The person or body empowered to approve a policy is empowered to grant exceptions to it because in approving it, the individual assumed responsibility for the results that it promises to deliver.
The information security manager cannot approve an exception to policy because the role is not responsible for the policy delivering its promised results.

97
Q

The relationship between policies and corporate standards can BEST be described by which of the following associations?

A.Standards and policies have only an indirect relationship.
B.Standards provide a detailed description of the meaning of a policy.
C.Standards provide direction on achieving compliance with policy intent.
D.Standards can exist without a relationship to any particular policy.

A

C is the correct answer.

Justification

In most cases, there is a direct relationship between policy and corporate standards.
Corporate standards generally do not provide details on the meaning of policy, rather on the acceptable limits needed to comply with policy intent.
Corporate standards set the allowable limits and boundaries for people, processes and technology as an expression of policy intent and, therefore, provide direction on policy compliance.
It would be poor practice for corporate standards not to express the intent of a particular policy directly. To the extent that such standards exist, they rely on an implicit, undocumented policy.

98
Q

Which of the following choices is MOST strongly supported by effective management of information assets?

A.An information/data dictionary
B.A data classification program
C.An information-based security culture
D.A business-oriented risk policy

A

D is the correct answer.

Justification

An information/data dictionary is a useful management tool but is only one aspect of holistic information asset management.
A data classification program helps to prioritize asset protection based on business value, but management of information assets goes beyond asset protection.
The security culture of an enterprise does not drive the effectiveness or efficiency of information assets.
A risk policy that is oriented to business needs promotes the achievement of organizational objectives. The holistic risk-based approach to the management of information assets includes and addresses a broad range of factors such as data linkages, privacy, business orientation and risk relevance, which in turn help the assets to be managed in an effective and efficient manner.

99
Q

What is the MOST important item to be included in an information security policy?

A.The definition of roles and responsibilities
B.The scope of the security program
C.The key objectives of the security program
D.Reference to procedures and standards of the security program

A

C is the correct answer.

Justification

The definition of roles and responsibilities is part of implementing an information security governance framework.
The scope of the security program should be defined in the charter of the information security program.
Stating the objectives of the security program is the most important element to ensure alignment with business goals.
Reference to standards that interpret the policy may be included, but the multitude of procedures controlled by those standards would not normally be referenced.

100
Q

Which of the following do security policies need to be MOST closely aligned with?

A.Industry good practices
B.Organizational needs
C.Generally accepted standards
D.Local laws and regulations

A

B is the correct answer.

Justification

Good practices are generally a substitute for a clear understanding of what exactly is needed in a specific enterprise and may be too much or too little.
Policies must support the needs of the enterprise.
Generally accepted standards do not exist; they are always tailored to the requirements of the enterprise.
Local law and regulation compliance may be identified in policies but would only be a small part of overall policies that must support the needs of the enterprise.

101
Q

Which of the following is the MOST likely outcome of a well-designed information security awareness course?

A.Increased reporting of security incidents to the incident response function
B.Decreased reporting of security incidents to the incident response function
C.Decrease in the number of password resets
D.Increase in the number of identified system vulnerabilities

A

A is the correct answer.

Justification

A well-organized information security awareness course informs all employees of existing security policies, the importance of following safe practices for data security, and the need to report any possible security incidents to the appropriate individuals in the enterprise.
Decreased reporting of security incidents would not be a likely outcome.
A decrease in the number of password resets would not be a likely outcome.
An increase in the number of identified system vulnerabilities would not be a likely outcome.

102
Q

What is the MOST cost-effective means of improving security awareness of staff personnel?

A.Employee monetary incentives
B.User education and training
C.A zero-tolerance security policy
D.Reporting of security infractions

A

B is the correct answer.

Justification

Incentives perform poorly without user education and training.
User education and training is the most cost-effective means of influencing staff to improve security because personnel are the weakest link in security.
Unless users are aware of the security requirements, a zero-tolerance security policy would not be as good as education and training.
Users would not have the knowledge to accurately interpret and report violations without user education and training.

103
Q

Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)?

A.Card key door locks
B.Photo identification
C.Biometric scanners
D.Awareness training

A

D is the correct answer.

Justification

Card key door locks are a physical control that by itself would not be effective against tailgating.
Photo identification is a detective control that by itself would not prevent tailgating.
Biometric scanners would not prevent tailgating.
Awareness training is more likely to result in any attempted tailgating being challenged by the authorized employee.

104
Q

Due to limited storage media, an IT operations employee has requested permission to overwrite data stored on a magnetic tape. The decision of the authorizing manager will MOST likely be influenced by the data:

A.classification policy.
B.retention policy.
C.creation policy.
D.leakage protection.

A

B is the correct answer.

Justification

The data classification policy addresses who can access or modify data. It is more focused on ensuring that confidential data do not fall into the wrong hands.
The data retention policy will specify the time that must lapse before data can be overwritten or deleted.
A data creation policy, where one exists, governs how data are generated and recorded; it does not determine how long data must be kept before they can be overwritten.
Leakage protection ensures confidentiality of corporate data.

105
Q

Policies regarding the use of bring your own device (BYOD) should include:

A.the need to return the device when leaving the enterprise.
B.the requirement to protect sensitive data on the device.
C.limitations on which applications can be installed on the device.
D.the ability for security to seize the device as part of an investigation.

A

B is the correct answer.

Justification

Because it is a personal device, it is unlikely that the enterprise can require it to be returned.
The enterprise must proactively ensure that data on personal devices are protected.
The enterprise may require the use of a virtual environment on the personal device to provide isolation, but the enterprise cannot control the personal applications loaded onto the device.
In the event of an investigation, the device may be seized by law enforcement, but it is not expected that security will have the authority to seize the device. Varying standards of privacy and other forms of legal protection around the world make it difficult to apply common standards to private seizure of personal devices even if an internal investigation may be warranted.

106
Q

The MOST important characteristic of good security policies is that they:

A.state expectations of IT management.
B.state only one general security mandate.
C.are aligned with organizational goals.
D.govern the creation of procedures and guidelines.

A

C is the correct answer.

Justification

Stating expectations of IT management omits addressing overall organizational goals and objectives.
Stating only one general security mandate is the next best option because policies should be clear; otherwise, policies may be confusing and difficult to understand and enforce.
The most important characteristic of good security policies is that they are aligned with organizational goals. Failure to align policies and goals makes them ineffective and potentially misleading in governing the creation of standards and procedures.
Policies are created with the objective of governing the creation of procedures and guidelines by design, but that purpose is only served if the policies themselves are aligned with organizational goals.

107
Q

Which of the following will the data backup policy contain?

A.Criteria for data backup
B.Personnel responsible for backup
C.A data backup schedule
D.A list of systems to be backed up

A

A is the correct answer.

Justification

A policy is a high-level statement of management intent and will essentially contain the criteria to be followed for backing up any data such as critical data, confidential data and project data, and the frequency of backup.
A list of personnel responsible for backup is a procedural detail and will not be included in the data backup policy.
A data backup schedule is a procedural detail and will not be included in the data backup policy.
A list of systems to be backed up is a procedural detail and will not be included in the data backup policy.

108
Q

Which of the following will require the MOST effort when supporting an operational information security program?

A.Reviewing and modifying procedures
B.Modifying policies to address changing technologies
C.Writing additional policies to address new regulations
D.Drafting standards to address regional differences

A

A is the correct answer.

Justification

When an information security program is operational, few changes to policies or standards will be needed. Procedures, however, are designed at a more granular level and will require reasonably frequent modification. Because procedures are more detailed and can be technology specific, there are generally far more procedures than standards or policies. Consequently, review and modification of procedures will consume the majority of effort.
While technology does change, it is relatively rare for a technology shift to be so disruptive as to require a modification of policy. Most technological changes should be addressed at lower levels (e.g., in standards or procedures).
New regulations may require the creation of a new policy, but this does not happen nearly as often or consume as much time in an operational program as the review and modification of procedures.
Global enterprises may need to customize policy through the use of regional standards, but an operational program will already have most of these standards in place. Even where they need to be drafted, the level of effort required to customize policy by region is less than what will be needed to review and modify the vast body of procedures that change more frequently.

109
Q

What is the MOST likely reason that an organizational policy can be eliminated?

A.There is no credible threat.
B.The policy is ignored by staff.
C.Underlying standards are obsolete.
D.The policy is not required by regulatory requirements.

A

A is the correct answer.

Justification

If it is certain that there is no threat, then there is no risk and a policy is not needed to address it.
Noncompliance is not a good reason to eliminate a policy.
If the standards are obsolete, then they should be brought current, but that is not a reason to eliminate the policy.
If there is a potential risk, then there is a reason to have the policy, independent of whether regulation mandates that particular control.

109
Q

What is the BEST means to standardize security configurations in similar devices?

A.Policies
B.Procedures
C.Technical guides
D.Baselines

A

D is the correct answer.

Justification

Policies set high-level direction, not technical details.
Procedures are used to provide instructions on accomplishing specific tasks.
Technical guides provide support but not necessarily the requirements.
Baselines describe the minimum configuration requirements across similar devices, activities or resources.

110
Q

Which of the following areas BEST addresses the interaction among systems and their relation to the core business process of an enterprise?

A. Business architecture
B. Data architecture
C. Application architecture
D. Technical architecture

A

C is the correct answer.

Justification

Business architecture defines the business strategy, governance, organization, and key business processes of the enterprise.
Data architecture describes the structure of an enterprise’s logical and physical data assets and the associated data management resources.
Application architecture provides a blueprint for the individual application systems to be deployed, the interaction among the application systems, and their relationship to the core business processes of the enterprise with the frameworks for services to be exposed as business functions for integration.
Technical architecture describes the hardware, software, and network infrastructure needed to support the deployment of core mission-critical applications.

111
Q

Which of the following is the MOST appropriate control to address compliance with specific regulatory requirements?

A.Policies
B.Standards
C.Procedures
D.Guidelines

A

B is the correct answer.

Justification

Policies are a statement of management intent, expectations and direction and should not address the specifics of regulatory compliance.
Standards set the allowable boundaries for technologies, procedures and practices and thus are the appropriate documentation to define compliance requirements.
Procedures are developed in order to provide instruction for meeting standards but cannot be developed without established standards.
Guidelines are not mandatory and will not normally address issues of regulatory compliance.

112
Q

Which of the following should be included in a good privacy statement?

A.A notification of liability on accuracy of information
B.A notification that information will be encrypted
C.A statement of what the company will do with information it collects
D.A description of the information classification process

A

C is the correct answer.

Justification

A notification of liability on accuracy of information should be located in the website’s disclaimer.
Although encryption may be applied, this is not generally disclosed.
Most privacy laws and regulations require disclosure on how information will be used.
Information classification is unrelated to privacy statements and would be contained in a separate policy.

113
Q

Which of the following is the MOST important information to include in an information security standard?

A.Creation date
B.Author name
C.Initial draft approval date
D.Last review date

A

D is the correct answer.

Justification

The creation date is not that important.
The name of the author is not that important.
The initial draft date is not that important.
The last review date confirms the currency of the standard, affirming that management has reviewed the standard to assure that nothing in the environment has changed that would necessitate an update to the standard.

114
Q

An information security manager determines that management of risk is inconsistent across a mature enterprise, creating a weak link in overall protection. The MOST appropriate initial response for the information security manager is to:

A.escalate to the steering committee.
B.review compliance with standards.
C.write more stringent policies.
D.increase enforcement.

A

B is the correct answer.

Justification

The steering committee may be able to assist in achieving better compliance once the gaps have been established by a compliance review or audit. The steering committee is an executive management-level committee that assists in the delivery of the security strategy, oversees day-to-day management of service delivery and IT projects, and focuses on implementation.
A mature enterprise will have a complete suite of policies and standards, so inconsistent risk treatment most likely reflects inconsistent compliance with standards.
Writing more stringent policies presumes that the existing policies are inadequate; they should first be reviewed to determine whether they are, because the problem may lie with enforcement rather than with the policies themselves.
Enforcement can only be as effective as the policies it supports. Increasing enforcement prior to determining the issues would not be the best initial response.

115
Q

An enterprise has decided to implement bring your own device (BYOD) for laptops and mobile phones. What should the information security manager focus on FIRST?

A.Advising against implementing BYOD because of a security risk
B.Preparing a business case for new security tools for BYOD
C.Updating the security awareness program to include BYOD
D.Determining an information security strategy for BYOD

A

D is the correct answer.

Justification

The enterprise has already made the decision to implement bring your own device (BYOD). The security manager’s role is to identify and communicate the risk and determine how to implement this decision in the most secure way.
A business case can be prepared if new tools are required for implementing BYOD; however, this requirement will be based on the security strategy.
The security strategy must take into account BYOD before the security awareness program may be updated to include it.
The information security manager should determine whether the existing strategy can accommodate BYOD and, if not, then what changes are needed. A risk assessment and other tools may be part of this process.

116
Q

The output of the risk management process is an input for making:

A.business plans.
B.audit charters.
C.security policy decisions.
D.software design decisions.

A

C is the correct answer.

Justification

Business plans are an output of management translating strategic aspirations into attainable business goals. Business plans provide background, goal statements and plans for reaching those goals.
Audit charters are documents describing the purpose, rights and responsibilities of the audit function. They do not rely on the risk assessment process.
The risk management process detects changes in the risk landscape and leads to changes in security policy decisions.
Software design decisions are based on stakeholder needs, not on the risk management process.

117
Q

Which of the following is the BEST resource to ensure the proper handling and destruction of data?

A. Data classification policy
B. Information security policy
C. Data retention policy
D. Acceptable use policy

A

C is the correct answer.

Justification

A data classification policy outlines a framework for classifying data based on its criticality and sensitivity to the organization.
An information security policy outlines how assets should be used and protected.
An organization’s records retention policy will outline how to handle data, including how long to retain the data, and what to do with the data when the retention limit has been reached.
An acceptable use policy outlines appropriate use of assets and data.

118
Q

Requiring all employees and contractors to meet personnel security/suitability requirements commensurate with their position’s sensitivity level and subject to personnel screening is an example of a security:

A.policy.
B.strategy.
C.guideline.
D.baseline.

A

A is the correct answer.

Justification

A security policy is a general statement to define management objectives with respect to security.
The security strategy is the plan to achieve security objectives and it does not provide guidance at the employee/contractor level.
Guidelines are optional actions and helpful narrative and do not provide guidance at the employee/contractor level.
A security baseline is a set of minimum security requirements that is acceptable to an enterprise and it does not provide guidance at the employee/contractor level.

119
Q

“Sensitive data must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure” is a statement that would MOST likely be found in a:

A.guideline.
B.policy.
C.procedure.
D.standard.

A

B is the correct answer.

Justification

A guideline is a suggested action that is not mandatory.
A policy is a principle that is used to set direction in an enterprise. It can be a course of action to steer and influence decisions. The wording of the policy must make the course of action mandatory and it must set the direction.
A procedure is a particular way of accomplishing something.
A standard sets the allowable boundaries for people, processes and technologies that must be met to meet the intent of the policy.

120
Q

Which of the following are seldom changed in response to technological changes?

A.Standards
B.Procedures
C.Policies
D.Guidelines

A

C is the correct answer.

Justification

Security standards must be revised and updated based on the impact of technology changes.
Procedures must be revised and updated based on the impact of technology or standards changes.
Policies are high-level statements of management intent and direction, which is not likely to be affected by technological changes.
Guidelines must be revised and updated based on the impact of technology changes.

121
Q

The formal declaration of organizational information security goals and objectives should be found in the:

A.information security procedures.
B.information security principles.
C.employee code of conduct.
D.information security policy.

A

D is the correct answer.

Justification

Security procedures are usually detailed as step-by-step actions to ensure that activities meet a given standard and cannot be considered as a formal declaration of organizational information security goals.
Security principles are not always enterprise-specific and cannot be considered as a formal declaration of organizational information security goals.
An employee code of conduct is a declaration of procedural requirements that may encompass more guidance than information security.
The information security policy is management’s formal declaration of security goals and objectives.

122
Q

An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?

A.Ethics
B.Proportionality
C.Integration
D.Accountability

A

B is the correct answer.

Justification

Ethics is expected to be part of all job roles but has no relevance to mapping a job description to types of data access.
Information security controls, including access, should be proportionate to the criticality and/or sensitivity of the asset (i.e., the potential impact of compromise). This is termed the principle of proportionality.
Principles of integration are not relevant to mapping a job description to types of data access.
The principle of accountability would be the second most-adhered-to principle because people with access to data may not always be accountable.

123
Q

How will data owners determine what access and authorizations users will have?

A.Delegating authority to data custodian
B.Cloning existing user accounts
C.Determining hierarchical preferences
D.Mapping to business needs

A

D is the correct answer.

Justification

Data custodians implement the decisions made by data owners.
Access and authorizations are not to be assigned by cloning existing user accounts. By cloning, users may obtain more access rights and privileges than are required to do their job.
Access and authorizations should be based on a need-to-know basis. Hierarchical preferences may be based on individual preferences and not on business needs.
Access and authorizations should be based on business needs.

124
Q

Information security policy development should PRIMARILY be based on:

A.vulnerabilities.
B.exposures.
C.threats.
D.impacts.

A

C is the correct answer.

Justification

Absent a threat, vulnerabilities do not pose a risk. Vulnerability is defined as a weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse impacts from threat events.
Exposure is only important if there is a threat. Exposure is defined as the potential loss to an area due to the occurrence of an adverse event.
Policies are developed in response to perceived threats. If there is no perceived threat, there is no need for a policy. A threat is defined as anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm.
Impact is not an issue if no threat exists. The impact is generally quantified as a direct financial loss in the short term or an ultimate (indirect) financial loss in the long term.

125
Q

What is the MOST important reason for formally documenting security procedures?

A.Ensure processes are repeatable and sustainable.
B.Ensure alignment with business objectives.
C.Ensure auditability by regulatory agencies.
D.Ensure objective criteria for the application of metrics.

A

A is the correct answer.

Justification

Without formal documentation, it would be difficult to ensure that security processes are performed correctly and consistently.
Alignment with business objectives is not a function of formally documenting security procedures.
Processes should not be formally documented merely to satisfy an audit requirement.
Although potentially useful in the development of metrics, creating formal documentation to assist in the creation of metrics is a secondary objective.

126
Q

What is the BEST method to verify that all security patches applied to servers were properly documented?

A.Trace operating system (OS) patch logs to OS vendor’s update documentation.
B.Trace change control requests to OS patch logs.
C.Trace OS patch logs to change control requests.
D.Review change control documentation for key servers.

A

C is the correct answer.

Justification

Comparing patches applied to those recommended by the OS vendor’s website does not confirm that the security patches were properly approved and documented.
Tracing from the documentation to the patch log will not indicate if some patches were applied without being documented.
To ensure that all patches applied went through the change control process, it is necessary to use the operating system (OS) patch logs as a starting point and then check to see if change control documents are on file for each of the changes.
Reviewing change control documents for key servers does not confirm that security patches were properly approved and documented.
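
The direction of tracing in this question is easy to get wrong in practice, so here is an added example (not part of the original flashcards) that reconciles a patch log against change control records both ways. The log lines, host names, patch identifiers and change request numbers are all constructed for illustration and do not follow any vendor's real log format; the point is that starting from the patch log (option C) surfaces patches applied with no approved change, while starting from the change requests (option B) can only surface approved changes that were never applied.

```python
"""Reconcile an OS patch log against change control records.

Added example, not part of the original flashcards. All data below is
constructed inline; the log format and change-request fields are
assumptions for illustration, not any vendor's real format.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample: one line per patch the OS reported as installed.
PATCH_LOG = """\
2024-03-02 srv-db01 KB5034441 installed
2024-03-02 srv-db01 KB5034765 installed
2024-03-05 srv-web02 openssl-3.0.13 installed
2024-03-09 srv-web02 kernel-6.1.80 installed
2024-03-11 srv-app03 KB5035853 installed
"""

# Constructed sample: approved change requests exported from a change
# management system. Identifiers and dates are invented.
CHANGE_REQUESTS = [
    {"cr": "CR-1042", "host": "srv-db01", "patch": "KB5034441", "approved": date(2024, 3, 1)},
    {"cr": "CR-1043", "host": "srv-db01", "patch": "KB5034765", "approved": date(2024, 3, 1)},
    {"cr": "CR-1050", "host": "srv-web02", "patch": "openssl-3.0.13", "approved": date(2024, 3, 4)},
    # Approved nine days after the patch was installed: applied before approval.
    {"cr": "CR-1055", "host": "srv-app03", "patch": "KB5035853", "approved": date(2024, 3, 20)},
    # Approved but never applied: only visible when tracing CR -> log.
    {"cr": "CR-1060", "host": "srv-app03", "patch": "KB5036892", "approved": date(2024, 3, 12)},
]


@dataclass(frozen=True)
class PatchEvent:
    applied: date
    host: str
    patch: str


def parse_patch_log(text):
    """Parse the constructed 'date host patch status' log into PatchEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        applied, host, patch, status = line.split()
        if status != "installed":
            continue
        events.append(PatchEvent(date.fromisoformat(applied), host, patch))
    return events


def trace_log_to_changes(events, change_requests):
    """Option C: start from what was actually applied and look for an approved
    change request covering each patch on that host.

    Returns (undocumented, late_approval): patches with no CR at all, and
    patches whose CR was approved only after the patch was installed.
    """
    by_key = {(cr["host"], cr["patch"]): cr for cr in change_requests}
    undocumented, late_approval = [], []
    for ev in events:
        cr = by_key.get((ev.host, ev.patch))
        if cr is None:
            undocumented.append(ev)
        elif cr["approved"] > ev.applied:
            late_approval.append((ev, cr["cr"]))
    return undocumented, late_approval


def trace_changes_to_log(events, change_requests):
    """Option B: start from the change requests. This can only find approved
    changes that were never applied; it cannot reveal undocumented patches,
    because those have no CR to start from.
    """
    applied = {(ev.host, ev.patch) for ev in events}
    return [cr["cr"] for cr in change_requests
            if (cr["host"], cr["patch"]) not in applied]


if __name__ == "__main__":
    evs = parse_patch_log(PATCH_LOG)
    undocumented, late = trace_log_to_changes(evs, CHANGE_REQUESTS)
    for ev in undocumented:
        print(f"NO CHANGE RECORD: {ev.host} {ev.patch} applied {ev.applied}")
    for ev, cr in late:
        print(f"APPROVED AFTER INSTALL: {ev.host} {ev.patch} ({cr})")
    for cr in trace_changes_to_log(evs, CHANGE_REQUESTS):
        print(f"APPROVED BUT NOT APPLIED: {cr}")
```

On the constructed data, tracing from the log finds the kernel patch on srv-web02 with no change record at all, and the srv-app03 patch that was installed before its change was approved; tracing from the change requests finds only the approved-but-unapplied CR-1060 and says nothing about the undocumented kernel patch. In a real review, the patch log should come from the host itself (package manager history or update logs), not from the change system, for the same reason.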

127
Q

How would an enterprise know if its new information security program is accomplishing its goals?

A.Key metrics indicate a reduction in incident impacts.
B.Senior management has approved the program and is supportive of it.
C.Employees are receptive to changes that were implemented.
D.There is an immediate reduction in reported incidents.

A

A is the correct answer.

Justification

An effective security program will show a trend in impact reduction.
Senior management support may result from a performing program but is not as significant as key metrics indicating a reduction in incident impacts.
Receptive employees may result from a performing program but are not as significant as key metrics indicating a reduction in incident impacts.
An immediate reduction in reported incidents is likely to be from other causes and not a good indicator of the program achieving its goals.

128
Q

An enterprise has recently developed and approved an access control policy. Which of the following will be MOST effective in communicating the access control policy to the employees?

A.Requiring employees to formally acknowledge receipt of the policy
B.Integrating security requirements into job descriptions
C.Making the policy available on the intranet
D.Implementing an annual retreat for employees on information security

A

A is the correct answer.

Justification

Requiring employees to formally acknowledge receipt of the policy does not guarantee that the policy has been read or understood but establishes employee acknowledgment of the existence of the new policy. Each communication should identify a point of contact for follow-up questions.
Current employees do not necessarily reread job descriptions that would contain the new policy.
Making the policy available on the intranet does not ensure that the document has been read, nor does it create an audit trail that establishes that employees have been made aware of the policy.
An annual event may not be timely and may not rectify significant gaps in awareness.

129
Q

Which of the following are likely to be updated MOST frequently?

A.Procedures for hardening database servers
B.Standards for password length and complexity
C.Policies addressing information security governance
D.Standards for document retention and destruction

A

A is the correct answer.

Justification

Procedures, especially with regard to the hardening of operating systems, will be subject to constant change; as operating systems change and evolve, the procedures for hardening will have to keep pace.
Standards should generally be more static and less subject to frequent change.
Well-conceived, mature policies will rarely require change.
Standards regarding document retention and destruction will rarely need to be changed.

130
Q

The newly appointed chief information security officer (CISO) of a pharmaceutical company is given the task of creating information security procedures for all departments in the company. Which one of the following groups should the CISO initially approach to write the procedures?

A.Legal department
B.End users
C.Senior management
D.Operations department

A

D is the correct answer.

Justification

The legal department is not typically involved in writing procedures, except for its own procedures.
End users are not typically involved in writing procedures.
Senior management would not be directly involved in the writing of security procedures.
The operations group has firsthand knowledge of organizational processes and responsibilities and should ensure that all procedures that are written are functionally sound.

131
Q

The corporate information security policy should:

A.address corporate network vulnerabilities.
B.address the process for communicating a violation.
C.be straightforward and easy to understand.
D.be customized to specific target audiences.

A

C is the correct answer.

Justification

Information security policies are high-level documents and will not address network vulnerabilities or functional issues directly.
Information security policies are high-level documents and do not address the process for communicating a violation.
As high-level statements, information security policies should be straightforward and easy to understand.
As policies, information security policies should provide a uniform message to all groups and user roles.

132
Q

What is the BEST way to ensure that information security policies are followed?

A.Distribute printed copies to all employees.
B.Perform periodic reviews for compliance.
C.Include escalating penalties for noncompliance.
D.Establish an anonymous hotline to report policy abuses.

A

B is the correct answer.

Justification

Distributing printed copies will not motivate individuals as much as the consequences of being found in noncompliance.
The best way to ensure that information security policies are followed is to periodically review levels of compliance.
Escalating penalties will first require a compliance review.
Establishing an abuse hotline will not motivate individuals as much as the consequences of being found in noncompliance.

133
Q

Which of the following is MOST likely to be discretionary?

A.Policies
B.Procedures
C.Guidelines
D.Standards

A

C is the correct answer.

Justification

Policies define management’s security goals and expectations for an enterprise. These are defined in more specific terms within standards and procedures and cannot be discretionary.
Procedures describe how work is to be done and, as they are a defined set of actions, they cannot be discretionary.
Guidelines provide recommendations that business management must consider in developing practices within their areas of control; therefore, they are most likely to be discretionary.
Standards establish the allowable operational boundaries for people, processes and technology and cannot be discretionary.

134
Q

What is the MOST appropriate change management procedure for the handling of emergency program changes?

A.Formal documentation does not need to be completed.
B.Business management approval must be obtained prior to the change.
C.Documentation is completed with approval soon after the change.
D.Emergency changes eliminate certain documentation requirements.

A

C is the correct answer.

Justification

Formal documentation is still required as soon as possible after the emergency changes have been implemented.
Obtaining business approval prior to the change is ideal but not always possible.
Even in the case of an emergency change, all change management procedure steps should be completed as in the case of normal changes. The difference lies in the timing of certain events. With an emergency change, it is permissible to obtain certain approvals and other documentation after the emergency has been satisfactorily resolved.
Emergency changes require the same process as regular changes, but the process may be delayed until the emergency has been resolved.

135
Q

In a financial institution, under which of the following circumstances will policies MOST likely need modification?

A.Current access controls have been insufficient to prevent a series of serious network breaches.
B.The information security manager has determined that compliance with configuration standards is inadequate.
C.The results of an audit have identified a going concern issue with the enterprise.
D.Management has mandated compliance with a newly enacted set of information security requirements.

A

D is the correct answer.

Justification

Necessary modifications to access controls are most likely going to be reflected in standards, not policy.
Compliance with existing standards is not likely to require a policy change; better enforcement may be needed.
If the viability of the enterprise is in doubt (going concern), it is not likely that a change in policy will solve the problem.
A new set of regulations requiring significant changes to the information security program most likely will be reflected in modifications of policy.

136
Q

The MOST important consideration when determining how a control policy is implemented is:

A.the risk of compromise.
B.the safety of personnel.
C.the mean time between failures.
D.the nature of a threat.

A

B is the correct answer.

Justification

The risk of compromise is a major consideration in the level of protection required, but not at the expense of safety. Only in very rare circumstances does risk of compromise outweigh life safety, and even then it is the risk to a larger population that justifies a fail secure configuration.
Safety of personnel is always the first consideration. For example, even if a data center has highly confidential data, failure of physical access controls should not fail closed and prevent emergency exit. Only in very rare circumstances does risk of compromise outweigh life safety, and even then it is the risk to a larger population that justifies a fail secure configuration.
The mean time between failures is a consideration for technical or mechanical controls and must be considered from a safety perspective.
The nature of a threat is a consideration for the type and strength of controls.

137
Q

An information security manager reviewed the access control lists and observed that privileged access was granted to an entire department. Which of the following should the information security manager do FIRST?

A.Review the procedures for granting access.
B.Establish procedures for granting emergency access.
C.Meet with data owners to understand business needs.
D.Redefine and implement proper access rights.

A

C is the correct answer.

Justification

Reviewing the procedures for granting access could be correct depending on the priorities set by the business unit, but this would follow understanding the business needs.
Procedures for granting emergency access require first understanding business needs.
An information security manager must understand the business needs that motivated the change prior to taking any unilateral action.
Redefining and implementing proper access rights would follow understanding the business needs.

138
Q

Which of the following is the MOST important step before implementing a security policy?

A.Communicating to employees
B.Training IT staff
C.Identifying relevant technologies for automation
D.Obtaining sign-off from stakeholders

A

D is the correct answer.

Justification

Only after sign-off is obtained can communicating to employees begin.
Only after sign-off is obtained can training IT staff begin.
Only after sign-off is obtained can identifying relevant technologies for automation begin.
Sign-off must be obtained from all stakeholders because that would signify formal acceptance of all the policy objectives and expectations of the business along with all residual risk.

139
Q

Which of the following would be the MOST relevant factor when defining the information classification policy?

A.Quantity of information
B.Available IT infrastructure
C.Benchmarking
D.Requirements of data owners

A

D is the correct answer.

Justification

The quantity of information is not a factor in defining the information classification policy.
The availability of IT infrastructure would not be a significant factor in determining the policy.
Benchmarking would not be a factor in defining the classification policy.
When defining the information classification policy, the requirements of the data owners need to be identified.

140
Q

The MOST important aspect in establishing good information security policies is to ensure that they:

A.have the consensus of all concerned groups.
B.are easy to access by all employees.
C.capture the intent of management.
D.have been approved by the internal audit department.

A

C is the correct answer.

Justification

Having the consensus of all concerned groups is desirable but is not the most important aspect of good policies, which express the intent and direction of senior management.
Easy availability of policies is important but not an indicator of good information security content and guidance.
Policies should reflect the intent and direction of senior management, and this is the most important aspect of establishing good information security policies.
The internal audit department tests compliance with policy, but it does not write the policies.

141
Q

Which of the following is MOST important in the development of information security policies?

A.Adopting an established framework
B.Using modular design for easier maintenance
C.Using prevailing industry standards
D.Gathering stakeholder requirements

A

D is the correct answer.

Justification

A framework will not be effective without including the management intent and direction provided by policies.
While using a modular design should be a key consideration, it is not as important as considering stakeholder input. Stakeholder input not only promotes policy completeness, it also facilitates stakeholder buy-in.
Prevailing industry standards are important but may not be appropriate or suitable to address unique or specific issues in an enterprise.
The primary stakeholders in policies are management, and policies are the primary governance tool employed in an enterprise; therefore, the policies must reflect management intent and direction.

142
Q

In a mature enterprise, it would be expected that the security baseline could be approximated by which of the following?

A.Organizational policies are in place.
B.Enterprise architecture is documented.
C.Control objectives are being met.
D.Compliance requirements are addressed.

A

C is the correct answer.

Justification

Policies, as a statement of management intent and direction, will only indicate the security baseline in a general sense.
Enterprise architecture may or may not provide an indication of some of the controls implemented.
The control objectives, when achieved, set the security baselines.
Compliance requirements will indicate some of the controls required, which is indicative of what the baseline should be, but only in the areas related to specific regulations.

143
Q

It is essential to determine the forces that drive the business need for the information security program. Determining drivers is critical to:

A.establish the basis for the development of metrics.
B.establish the basis for security controls.
C.report risk results to senior management.
D.develop security awareness training modules.

A

A is the correct answer.

Justification

Determining the drivers of a program establishes objectives and is essential to developing relevant metrics for the enterprise.
Determining drivers may establish objectives of a program, but the controls are determined by risk and impact.
Risk reporting goes beyond specific drivers and will encompass all organizational risk.
Drivers may indirectly provide subject matter for training, but security awareness goes beyond the drivers alone.

144
Q

What is a critical component of a continuous improvement program for information security?

A.Program metrics
B.Developing a service level agreement for security
C.Tying corporate security standards to a recognized international standard
D.Ensuring regulatory compliance

A

A is the correct answer.

Justification

If an enterprise is unable to take measurements over time that provide data regarding key aspects of its security program, then continuous improvement is not likely.
Although desirable, developing a service level agreement for security is not a critical component for a continuous improvement program.
Tying corporate security standards to a recognized international standard is not a critical component for a continuous improvement program.
Ensuring regulatory compliance is a separate issue and is not a critical component for a continuous improvement program.

145
Q

What is the PRIMARY reason for using metrics to evaluate information security?

A.To identify security weaknesses
B.To justify budgetary expenditures
C.To enable steady improvement
D.To raise awareness of security issues

A

C is the correct answer.

Justification

Metrics may not identify vulnerabilities.
Metrics can be used to justify budgetary expenditures, but that is not their primary purpose.
A primary purpose for metrics is to facilitate and track continuous improvement in security posture.
Metrics may serve to raise awareness of security issues, but that would be for the purpose of improving security.

146
Q

Which of the following would be the BEST indicator that an enterprise has good governance?

A.Risk assessments
B.Maturity level
C.Audit reports
D.Loss history

A

B is the correct answer.

Justification

While it is likely that good results on risk assessments will align with good governance, they are only indirectly correlated with good governance, and many other factors are involved such as industry sector, exposure, etc.
A high score on the capability maturity model (CMM) scale is a good indicator of good governance.
Audit reports generally deal with specifics of compliance and specific risk rather than overall governance.
Loss history will be affected by many factors other than governance.

147
Q

Which of the following choices is the BEST indication that the information security manager is achieving the objective of value delivery?

A.Having a high resource utilization
B.Reducing the budget requirements
C.Utilizing the lowest cost vendors
D.Minimizing the loaded staff cost

A

A is the correct answer.

Justification

Value delivery means that good rates of return and a high utilization of resources are achieved.
The budget level is not an indication of value delivery.
The lowest cost vendors may not present the best value.
Staff-associated overhead costs by themselves are not an indicator of value delivery.

148
Q

Achieving compliance with a particular process in an information security standard selected by management would BEST be demonstrated by:

A.key goal indicators.
B.critical success factors.
C.key performance indicators.
D.business impact analysis.

A

C is the correct answer.

Justification

A key goal indicator defines a clear objective sought by an enterprise. A key goal indicator is defined as a measure that tells management, after the fact, whether an IT process has achieved its business requirements, usually expressed in terms of information criteria.
Critical success factors are steps that must be achieved to accomplish high-level goals. A critical success factor is defined as the most important issue or action for management to achieve control over its IT processes.
A key performance indicator (KPI) indicates how well a process is progressing according to expectations. Another definition for a key performance indicator is a measure that determines how well the process is performing in enabling the goal to be reached.
A business impact analysis defines risk impact; its main purpose is not to achieve compliance. It is defined as an exercise that determines the impact of losing the support of any resource to an enterprise. It establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system.

149
Q

To BEST improve the alignment of the information security objectives in an enterprise, the chief information security officer should:

A.revise the information security program.
B.evaluate a business balanced scorecard.
C.conduct regular user awareness sessions.
D.perform penetration tests.

A

B is the correct answer.

Justification

Revising the information security program may be a solution, but it is not the best solution to improve alignment of the information security objectives.
The business balanced scorecard (BSC) can track how effectively an enterprise executes its information security strategy and determine areas of improvement.
User awareness is just one of the areas the enterprise must track through the business BSC.
Performing penetration tests does not affect alignment with information security objectives.

150
Q

Which of the following will be MOST important in calculating accurate return on investment in information security?

A.Excluding qualitative risk for accuracy in calculated figures
B.Establishing processes to ensure cost reductions
C.Measuring monetary values consistently
D.Treating security investment as a profit center

A

C is the correct answer.

Justification

If something is an important risk factor, an attempt should be made to quantify it even though it may not be highly accurate.
Establishing processes to ensure cost reductions is not relevant to calculating return on investment (ROI).
There must be consistency in metrics in order to have reasonably accurate and consistent results. In assessing security risk, it is not a good idea to simply exclude qualitative risk because of the difficulties in measurement.
Whether security investment is treated as a profit center does not affect ROI calculations.

151
Q

Which of the following information security metrics is the MOST difficult to quantify?

A.Percentage of controls mapped to industry frameworks
B.Extent of employee security awareness
C.Proportion of control costs to asset value
D.Cost of security incidents prevented

A

D is the correct answer.

Justification

Determining the percentage of controls mapped to industry frameworks is relatively easy to do by reviewing the controls portfolio and checking controls documentation.
While security awareness can be challenging to measure, focusing on behavior change is an option. For example, conducting phishing simulations can help measure how well employees identify and report those types of attacks.
A business impact analysis combined with a financial analysis can facilitate a comparison of asset values to the costs of those assets.
Measuring something that does not occur is inherently difficult, if not impossible. So many variables are theoretical that arriving at a reliable estimate is a guessing game.

152
Q

Which of the following indicators is MOST likely to be of strategic value?

A.Number of users with privileged access
B.Trends in incident frequency
C.Annual network downtime
D.Vulnerability scan results

A

B is the correct answer.

Justification

The number of users with privileged access, if excessive, can pose unnecessary risk but is more of an operational metric.
Trends in incident frequency will show whether the information security program is improving and heading in the right direction.
Network downtime is a relevant operational metric in terms of service level agreements but, without trends over time, it is not a useful strategic metric.
Vulnerability scans are an operational metric.

153
Q

Decisions regarding information security are BEST supported by:

A.statistical analysis.
B.expert advice.
C.benchmarking.
D.effective metrics.

A

D is the correct answer.

Justification

A statistical analysis of metrics can be helpful but only if the underlying metrics are sound.
Expert advice may be useful, but effective metrics are a better indication.
Other enterprises would typically only provide some guidance, but decisions should be based on effective metrics.
Effective metrics are essential to provide information needed to make decisions. Metrics are a quantifiable entity that allows the measurement of the achievement of a process goal.

154
Q

Who would be the PRIMARY user of metrics regarding the number of email messages quarantined due to virus infection versus the number of infected email messages that were not caught?

A.The security steering committee
B.The board of directors
C.IT managers
D.The information security manager

A

D is the correct answer.

Justification

Metrics support decisions. Knowing the number of email messages blocked due to viruses would not on its own be an actionable piece of information for the steering committee.
The board of directors would have no use for the information.
IT managers would be interested, but it would not be in their purview to address the issue.
Information regarding the effectiveness of the current email antivirus control is most useful to the information security manager and staff because they can use the information to initiate an investigation to determine why the control is not performing as expected and to determine whether there are other factors contributing to the failure of the control. When these determinations are made, the information security manager can use these metrics, along with data collected during the investigation, to support decisions to alter processes or add to (or change) the controls in place.

155
Q

Which of the following is the MOST critical success factor of an information security program?

A.Developing information security policies and procedures
B.Senior management commitment
C.Conducting security training and awareness for all users
D.Establishing an information security management system

A

B is the correct answer.

Justification

Developing policies and procedures is important, but without senior management commitment, implementation will be difficult.
Without senior management commitment, it would be difficult to implement a successful information security program.
Conducting training and awareness exercises is not the most critical success factor.
Establishing an information security management system is essential, but without management support and commitment, it is unlikely to be successful.

156
Q

Which of the following is one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?

A.Number of controls implemented
B.Percent of control objectives accomplished
C.Percent of compliance with the security policy
D.Reduction in the number of reported security incidents

A

B is the correct answer.

Justification

Number of controls implemented does not have a direct relationship with the results of a security program.
Control objectives are directly related to business objectives; therefore, they would be the best metrics.
Percent in compliance with the security policy is a useful metric but says nothing about achieving control objectives.
A reduction in the number of security incidents has no direct bearing on whether control objectives are being achieved.

157
Q

Senior management has expressed some concern about the effectiveness of the information security program. What can the information security manager do to gain the support of senior management for the program?

A.Rebuild the program based on a recognized, auditable standard.
B.Calculate the cost-benefit analysis of the existing controls that are in place.
C.Interview senior managers to address their concerns with the program.
D.Present a report from the steering committee supporting the program.

A

C is the correct answer.

Justification

The key to gaining support from senior management is understanding its concerns and making sure that those concerns are addressed. Replacing the entire program as a response to general concerns would not be appropriate without more information.
A cost-benefit analysis of controls demonstrates that the controls that have been put in place were preferable to alternative methods of risk treatment, but this evidence does not address the question of overall program effectiveness.
It is not uncommon for senior managers to have concerns. An effective information security manager will discuss these concerns and make changes as needed to address them.
The steering committee generally reports to senior management, so if senior managers express concern regarding the effectiveness of the program, the concern may be directed in part at the steering committee.

158
Q

Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee?

A.Security compliant servers trend report
B.Percentage of security compliant servers
C.Number of security patches applied
D.Security patches applied trend report

A

A is the correct answer.

Justification

The overall trend of security compliant servers provides a metric of the effectiveness of the IT security program.
The percentage of compliant servers will be a relevant indicator of the risk exposure of the infrastructure. However, the percentage is less relevant than the overall trend.
The number of patches applied would be less relevant, as this would depend on the number of vulnerabilities identified and patches provided by vendors.
The security patches applied trend report is a metric indicating the degree of improvement in patching but provides a less complete picture of the effectiveness of the security program.

159
Q

What should metrics be based on when measuring and monitoring information security programs?

A.Residual risk
B.Levels of security
C.Security objectives
D.Statistics of security incidents

A

C is the correct answer.

Justification

Metrics are used to measure not only the results of the security controls (residual risk) but also the attributes of the control implementation.
Levels of security are only relevant in relation to the security objectives.
Metrics should be developed based on security objectives, so they can measure the effectiveness and efficiency of information security controls in relation to the defined objectives.
Statistics of security incidents provide a general basis for determining if overall outcomes are meeting expectations, but they do not provide a basis for the achievement of individual objectives.

160
Q

Which of the following attributes would be MOST essential to developing effective metrics?

A.Easily implemented
B.Meaningful to the recipient
C.Quantifiably represented
D.Meets regulatory requirements

A

B is the correct answer.

Justification

Ease of implementation is valuable when developing metrics, but not essential. Metrics are most effective when they are meaningful to the person receiving the information.
Metrics will only be effective if the recipient can take appropriate action based upon the results; in other words, the metrics have to be meaningful to the recipient and provide business value.
Quantifiable representations can be useful, but qualitative measures are often just as useful.
Meeting legal and regulatory requirements may be important, but this is not always essential when developing metrics for meeting business goals.

161
Q

Which of the following choices would provide the BEST measure of the effectiveness of the security strategy?

A.Minimizing risk across the enterprise
B.Countermeasures existing for all known threats
C.Losses consistent with annual loss expectations
D.The extent to which control objectives are met

A

D is the correct answer.

Justification

Minimizing risk is not the objective. The objective is achieving control objectives and thereby achieving acceptable risk levels. Risk reduction beyond the acceptable level is likely to not be cost-effective and to be a waste of resources.
There are some threats for which no countermeasures exist (e.g., comet strikes).
The extent of losses is not a reliable indication of the effectiveness of the strategy. Losses may or may not exceed expectations for a variety of reasons and relate to impacts rather than to risk levels.
Control objectives are developed to achieve acceptable levels of risk. To the extent those levels are achieved, control objectives are a good measure of the effectiveness of the strategy.

162
Q

An enterprise is implementing an information security program. During which phase of the implementation should metrics be established to assess the effectiveness of the program over time?

A.Testing
B.Initiation
C.Design
D.Development

A

C is the correct answer.

Justification

The testing phase is too late because the system has already been developed and is in production testing.
In the initiation phase, the basic security objective of the project is acknowledged.
In the design phase, security checkpoints are defined and a test plan is developed.
Development is the coding phase and is too late to consider test plans.

163
Q

Which of the following criteria is the MOST essential for operational metrics?

A.Timeliness of the reporting
B.Relevance to the recipient
C.Accuracy of the measurement
D.The cost of obtaining the metrics

A

B is the correct answer.

Justification

Timeliness of reporting is important, but secondary to relevance.
Unless the metric is relevant to the recipient and the recipient understands what the metric means and what action to take, if any, all other criteria are of little importance.
A high degree of accuracy is not essential as long as the metric is reliable and indications are within an acceptable range.
Cost is always a consideration, but secondary to the others.

164
Q

Why is it important to develop an information security baseline? The security baseline helps define:

A.critical information resources needing protection.
B.a security policy for the entire enterprise.
C.the minimum acceptable security to be implemented.
D.required physical and logical access controls.

A

C is the correct answer.

Justification

Before determining the security baseline, an information security manager must identify criticality levels of the enterprise’s information resources.
The security policy helps define the security baseline.
Developing an information security baseline helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality/classification levels.
The security baseline defines the control objectives but not the specific controls required.

165
Q

What is the most significant attribute of a good information security metric?

A.It is meaningful to the recipient.
B.It is reliable and accurate.
C.It impacts productivity.
D.It is scalable and cost-effective.

A

A is the correct answer.

Justification

Information provided by metrics that are not meaningful to the recipient is of little value.
Reliability and accuracy are important criteria for selecting information security metrics, but it must first be determined that the information provided helps recipients accomplish their tasks.
The impact on productivity must be balanced against the usefulness of the metric; however, it is a valid consideration.
Cost-effectiveness must be balanced against the usefulness of the metric; however, it is a valid consideration. Scalability of metrics—in most situations—is more of a nice-to-have criterion than a selection criterion.

166
Q

Which of the following is the MOST important reason that information security objectives should be defined?

A.Tool for measuring effectiveness
B.General understanding of goals
C.Consistency with applicable standards
D.Management sign-off and support initiatives

A

A is the correct answer.

Justification

The creation of objectives can be used in part as a source of measurement of the effectiveness of information security management by the extent those objectives have been achieved, which feeds into the overall state of governance.
General understanding of goals is useful but is not the primary reason for having clearly defined objectives.
The standards should be consistent with the objectives, not the other way around.
Gaining management sign-off and support is important but by itself will not provide the structure for security governance.

167
Q

Controls that fail closed (secure) will present a risk to:

A.confidentiality.
B.integrity.
C.authenticity.
D.availability.

A

D is the correct answer.

Justification

The blocked access will not generally impact confidentiality.
The blocked access will not generally impact integrity.
The blocked access will not generally impact authenticity.
A control (such as a firewall) that fails in a closed condition will typically prevent access to resources behind it, thus impacting availability.

168
Q

Objectives for preventive controls should be developed PRIMARILY based on:

A.risk levels aligned with the enterprise risk appetite.
B.technical requirements directed by industry standards.
C.threat levels as established by monitoring tools.
D.uptime targets specified in service level agreements.

A

A is the correct answer.

Justification

Controls are designed and implemented to produce levels of risk aligned with the enterprise risk appetite.
Industry standards offer managers and engineers direction on how desired objectives might be achieved, but enterprises adopt them only when doing so aligns with business objectives and the enterprise risk appetite.
Monitored threat levels do not provide a comprehensive basis for the design and implementation of preventive controls.
The need to meet uptime targets specified in service level agreements is only one of many considerations taken into account when developing preventive controls.

169
Q

A permissive controls policy would be reflected in which one of the following implementations?

A.Access is allowed unless explicitly denied.
B.IT systems are configured to fail closed.
C.Individuals can delegate privileges.
D.Control variations are permitted within defined limits.

A

A is the correct answer.

Justification

A permissive controls policy allows activities that are not explicitly denied.
Configuration to fail closed is a restrictive controls policy.
Delegation of privileges refers to discretionary access control.
Standards permit control variations within defined limits.

170
Q

Abnormal server communication from inside the enterprise to external parties may be monitored to:

A.record the trace of advanced persistent threats.
B.evaluate the process resiliency of server operations.
C.verify the effectiveness of an intrusion detection system.
D.support a nonrepudiation framework in e-commerce.

A

A is the correct answer.

Justification

The most important feature of targeted attacks, as seen in advanced persistent threats, is that malware secretly sends information back to a command and control server. Therefore, monitoring outbound server communications that do not follow predefined routes will be the best control to detect such security events.
Server communications are usually not monitored to evaluate the resiliency of server operations.
The effectiveness of an intrusion detection system may not be verified by monitoring outbound server communications.
Nonrepudiation may be supported by technology, such as a digital signature. Server communication itself does not support the effectiveness of an e-commerce framework.

171
Q

What is the MOST important reason that an information security manager must have an understanding of information technology?

A.To ensure the proper configuration of the devices that store and process information
B.To understand the risk of technology and its contribution to security objectives
C.To assist and advise on the acquisition and deployment of information technology
D.To improve communication between information security and business functions

A

B is the correct answer.

Justification

The configuration of the devices is not the primary responsibility of the information security manager. The security manager will work through technical staff to ensure that configurations are appropriate.
Knowledge of information technology helps the information security manager understand how changes in the technical environment affect the security posture and its contribution to control objectives.
Advising on acquisition and deployment regarding security issues is a secondary function of the information security manager.
Information security decisions can be made most effectively when they are understood by people in business functions, but this is secondary to understanding the relationship between technology and information security.

172
Q

Which of the following is the BEST method to provide a new user with their initial password for email system access?

A.Provide a system-generated complex password by interoffice mail with 30 days expiration.
B.Provide a temporary password over the telephone set for immediate expiration.
C.Require no password but force the user to set their own in 10 days.
D.Set initial password equal to the user ID with expiration in 30 days.

A

B is the correct answer.

Justification

Documenting the password on paper is not the best method even if sent through interoffice mail—if the password is complex and difficult to memorize, the user will likely keep the printed password, and this creates a security concern.
A temporary password that will need to be changed upon first logon is the best method because it is reset immediately and is replaced with the user’s choice of password, which will make it easier for the user to remember. If it is given to the wrong person, the legitimate user will likely notify security if still unable to access the system; therefore, the security risk is low.
Setting an account with no initial password is a security concern even if it is just for a few days.
This provides the greatest security threat because user IDs are typically known by both users and security staff, thus compromising access for up to 30 days.

173
Q

What is the BEST risk response for risk scenarios where the likelihood of a disruptive event for an asset is very low, but the potential financial impact is very high?

A.Accept the high cost of protection.
B.Implement detective controls.
C.Ensure that asset exposure is low.
D.Transfer the risk to a third party.

A

D is the correct answer.

Justification

It is not appropriate to invest in a high cost of protection for a low-likelihood event. The enterprise can opt for another way to address the issue.
A detective control alone does nothing to limit the impact.
The fact that the likelihood is low suggests that exposure is already minimal. Additional reductions to exposure would do nothing to limit impact.
High-impact, low-likelihood situations are typically most cost-effectively covered by transferring the risk to a third party (e.g., insurance).

174
Q

A company has installed biometric fingerprint scanners at all entrances in response to a management requirement for better access control. Due to the large number of employees coupled with a slow system response, it takes a substantial amount of time for all workers to gain access to the building and workers are increasingly piggybacking. What is the BEST course of action for the information security manager to address this issue?

A.Replace the system for better response time.
B.Escalate the issue to management.
C.Revert to manual entry control procedures.
D.Increase compliance enforcement.

A

B is the correct answer.

Justification

Upgrading the system is likely to be a costly option and is a management issue.
It is a business decision how management wants to deal with the problem, not directly a security issue. Conflicts of this nature are best addressed by management.
Given that management has set the requirement, it is unlikely that going back to a manual entry control system will be acceptable.
Increasing compliance efforts does not address the underlying issue. Regardless, such a choice should be made by management.

175
Q

Which of the following authentication methods prevents authentication replay?

A.Password hash implementation
B.Challenge/response mechanism
C.Wired equivalent privacy encryption usage
D.Hypertext Transfer Protocol basic authentication

A

B is the correct answer.

Justification

Capturing the authentication handshake and replaying it through the network will still work, because using hashes by itself does not prevent a replay.
A challenge/response mechanism prevents replay attacks by sending a different random challenge in each authentication event. The response is linked to that challenge.
A wired equivalent privacy key will not prevent sniffing, but it will take the attacker longer to break the WEP key if they do not already have it. Therefore, it will not be able to prevent recording and replaying an authentication handshake.
Hypertext Transfer Protocol basic authentication is cleartext and has no mechanisms to prevent replay.

176
Q

Which of the following BEST mitigates a situation in which an application programmer requires access to production data?

A.Create a separate account for the programmer as a power user.
B.Log all the programmers’ activity for review by a supervisor.
C.Have the programmer sign a letter accepting full responsibility.
D.Perform regular audits of the application.

A

B is the correct answer.

Justification

Creating a separate account for the programmer as a power user does not solve the problem.
It is not always possible to provide adequate segregation of duties between programming and operations in order to meet certain business requirements. A mitigating control is to record all the programmers’ actions for later review by their supervisor, which would detect any inappropriate action on the part of the programmer.
Having the programmer sign a letter accepting full responsibility is not an effective control.
Performing regular audits of the application is not relevant to determine if programmer activities are appropriate.

177
Q

Which of the following is the BEST approach to mitigate online brute force attacks on user accounts?

A.Passwords stored in encrypted form
B.User awareness
C.Strong passwords that are changed periodically
D.Implementation of lockout policies

A

D is the correct answer.

Justification

Passwords stored in encrypted form will not defeat an online brute force attack if the password itself is easily guessed.
User awareness would help to inform users to use strong passwords but would not mitigate an online brute force attack.
In cases where implementation of account lockout policies is not possible, strong passwords that are changed periodically would be an appropriate choice.
Implementation of account lockout policies significantly inhibits brute force attacks.

178
Q

What is the MAIN advantage of implementing automated password synchronization?

A.It reduces the overall administrative workload.
B.It increases security between multi-tier systems.
C.It allows passwords to be changed less frequently.
D.It reduces the need for two-factor authentication.

A

A is the correct answer.

Justification

Automated password synchronization reduces the overall administrative workload of resetting passwords.
Automated password synchronization does not increase security between multi-tier systems.
Automated password synchronization does not allow passwords to be changed less frequently.
Automated password synchronization does not reduce the need for two-factor authentication.

179
Q

Assuming all options are technically feasible, which of the following would be the MOST effective approach for the information security manager to address excessive exposure of a critical customer-facing server?

A.Develop an incident response plan
B.Reduce the attack vectors
C.Initiate compartmentalization
D.Implement compensating controls

A

B is the correct answer.

Justification

Even the most effective incident response plan is unlikely to reduce exposure as effectively as reducing the attack surface.
The attack vectors determine the extent of exposure. Reducing the attack vectors by limiting entry points, ports and protocols and taking other precautions reduces the exposure.
Compartmentalization may limit the degree to which impact sustained by one customer results in increased vulnerability or impact for another customer, but the per-customer exposure would not be affected.
Compensating controls are appropriate if existing controls are incapable of reducing risk to acceptable levels.

180
Q

Which of the following attacks is BEST mitigated by using strong passwords?

A.Man-in-the-middle attack
B.Brute force attack
C.Remote buffer overflow
D.Root kit

A

B is the correct answer.

Justification

Man-in-the-middle attacks intercept network traffic and must be protected by encryption.
Strong passwords mitigate brute force attacks.
Buffer overflow attacks may not be protected by passwords.
Root kits hook into the operating system’s kernel and, therefore, operate underneath any authentication mechanism.

181
Q

Segregation of duties (SoD) has been designed and introduced into an accounts payable system. Which of the following should be in place to BEST maintain the effectiveness of SoD?

A.A strong password rule is assigned to disbursement staff.
B.Security awareness is publicized by the compliance department.
C.An operational role matrix is aligned with the organizational chart.
D.Access privilege is reviewed when an operator’s role changes.

A

D is the correct answer.

Justification

Password strength is important for each staff member, but complexity of passwords does not ensure effectiveness of segregation of duties (SoD).
Effective SoD is not based on self-governance, so security awareness is an inadequate control for the same.
It is not uncommon for staff to have ancillary roles beyond what is shown on the organizational chart, so aligning a role matrix with the organizational chart is not sufficiently granular to maintain the effectiveness of SoD.
In order to maintain the effectiveness of SoD established in an application system, user access privilege must be reviewed whenever an operator’s role changes. If this effort is neglected, there is a risk that a single staff member could acquire excessive operational capabilities. For instance, if a cash disbursement staff member accidentally acquires a trade input role, this person is technically able to accomplish an illegal payment operation.

182
Q

What is the purpose of a corrective control?

A.To reduce adverse events
B.To identify a compromise
C.To mitigate impact
D.To ensure compliance

A

C is the correct answer.

Justification

Preventive controls, such as firewalls, reduce the occurrence of adverse events.
Compromise can be detected by detective controls, such as intrusion detection systems.
Corrective controls serve to reduce or mitigate impacts, such as providing recovery capabilities.
Compliance can be ensured by preventive controls, such as access controls.

183
Q

Why is public key infrastructure the preferred model when providing encryption keys to a large number of individuals?

A.It is computationally more efficient.
B.It is more scalable than a symmetric key.
C.It is less costly to maintain than a symmetric key approach.
D.It provides greater encryption strength than a secret key model.

A

B is the correct answer.

Justification

Public key cryptography is computationally intensive due to the long key lengths required.
Symmetric or secret key encryption requires a separate key for each pair of individuals who wish to have confidential communication, resulting in an exponential increase in the number of keys as the number of users increases and creating intractable distribution and storage problems. Public key infrastructure keys increase arithmetically, making it more practical from a scalability point of view.
Public key cryptography typically requires more maintenance and is more costly than a symmetric key approach in small scale implementations.
Secret key encryption requires shorter key lengths to achieve equivalent strength.

184
Q

Which of the following will BEST prevent external security attacks?

A.Static Internet Protocol addressing
B.Network address translation
C.Background checks for temporary employees
D.Securing and analyzing system access logs

A

B is the correct answer.

Justification

Static Internet Protocol addressing is helpful to an attacker.
Network address translation is helpful by having internal addresses that are non-routable.
Background checks of temporary employees are more likely to prevent an attack launched from within the enterprise.
Securing and analyzing system access logs does not prevent an attack.

185
Q

An information security manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT help desk with complaints of being unable to perform business functions on Internet sites. This is an example of:

A.conflicting security controls with organizational needs.
B.strong protection of information resources.
C.implementing appropriate controls to reduce risk.
D.proving information security’s protective abilities.

A

A is the correct answer.

Justification

The needs of the enterprise were not considered, so there is a conflict.
This example is not strong protection as it pertains to enabling restrictions and not safeguards.
A control that significantly restricts the ability of users to do their job is not appropriate.
Proving protection abilities at an unacceptable cost or performance is a poor strategy. This control does not prove the ability to protect but proves the ability to interfere with business.

186
Q

An enterprise has a network of suppliers that it allows to remotely access an important database that contains critical supply chain data. What is the BEST control to ensure that the individual supplier representatives who have access to the system do not improperly access or modify information within this system?

A.User access rights
B.Biometric access controls
C.Password authentication
D.Two-factor authentication

A

A is the correct answer.

Justification

User access rights limit the access and rights that users have to a network, file system or database once they have been authenticated.
Biometric access control is a method of user access control that manages user access to an overall system, not generally to a specific set of files or records.
Password authentication controls access but not rights once the system is accessed.
Two-factor authentication controls access but not rights once the system is accessed.

187
Q

Which of the following constitutes the MAIN project activities undertaken in developing an information security program?

A.Controls design and deployment
B.Security enterprise development
C.Logical and conceptual architecture design
D.Development of risk management objectives

A

A is the correct answer.

Justification

The majority of program development activities will involve designing, testing and deploying controls that achieve the risk management objectives.
The security enterprise should be fairly well-developed prior to attempting to implement a security program.
Conceptual and logical architecture designs should have been completed as a part of strategy and road map development.
Risk management objectives are part of strategy development.

188
Q

The MOST important factors to consider when prioritizing control development are:

A.threat and vulnerability.
B.cost and frequency.
C.risk appetite and tolerance.
D.probability and impact.

A

D is the correct answer.

Justification

Threat and vulnerability are factors in determining probability, but without knowing the magnitude of loss (or impact) associated with a particular event, knowing its probability is an inadequate basis for prioritizing control development.
Cost is always a consideration, and resource constraints may lead to certain controls being delayed, but prioritization occurs even among controls of comparable cost.
Risk appetite and tolerance are considerations when developing control objectives but do not factor into the prioritization of controls.
The probability that an adverse event will occur and the consequent impact provide an effective quantitative basis for prioritizing the development of controls.

189
Q

The IT department has been tasked with developing a new transaction processing system for online account management. At which stage should the information security department become involved?

A.Feasibility
B.Requirements
C.Design
D.User acceptance testing

A

A is the correct answer.

Justification

Involve the security department as early as possible. Security considerations will affect feasibility. Security that is added later in the process often is not nearly as effective as security that is considered from end to end.
The requirements stage is too late in the process, and the introduction of security requirements will potentially cause delays or incur other costs that are neither budgeted nor anticipated by stakeholders.
The design stage is too late in the process, and the introduction of security requirements will potentially cause delays or incur other costs that are neither budgeted nor anticipated by stakeholders.
The user acceptance testing stage is too late in the process, and the introduction of security requirements will potentially cause delays or incur other costs that are neither budgeted nor anticipated by stakeholders.

190
Q

Which of the following approaches is the BEST for designing role-based access controls?

A.Create a matrix of work functions.
B.Apply persistent data labels.
C.Enable multifactor authentication.
D.Use individual logon scripts.

A

A is the correct answer.

Justification

A matrix that documents the functions associated with particular kinds of work, typically referred to as a segregation of duties matrix, shows which roles are required or need various permissions.
Persistent data labels apply to mandatory access control environments where permissions are brokered by the classification levels of objects themselves. They do not factor into role-based access controls.
Multifactor authentication deals with how users authenticate their identities, which helps to ensure that people are who they claim to be. It does not determine the permissions that they are assigned, particularly in a role-based access control model, where permissions are assigned to roles rather than individual users.
Using automated logon scripts is practical in some environments, but assigning permissions to individual accounts is contrary to the intent of role-based access controls.

191
Q

A security baseline can BEST be used for:

A.securing unstable environments.
B.establishing uniform system hardening.
C.prioritizing security objectives.
D.establishing a corporate security policy.

A

B is the correct answer.

Justification

The stability of an environment is not necessarily related to baselines; the application of a security baseline can sometimes even destabilize an environment by conflicting with existing software.
A security baseline establishes a uniform security standard to be applied across similar systems.
A baseline does not prioritize security objectives.
Baselines are established as the result of a policy; they are not part of the policy development.

192
Q

What is the BEST method for detecting and monitoring a hacker’s activities without exposing information assets to unnecessary risk?

A.Firewalls
B.Bastion hosts
C.Decoy files
D.Screened subnets

A

C is the correct answer.

Justification

Firewalls attempt to keep the hacker out.
Bastion hosts attempt to keep the hacker out.
Decoy files, often referred to as honeypots, are the best choice for diverting a hacker away from critical files and alerting security of the hacker’s presence.
Screened subnets or demilitarized zones provide a middle ground between the trusted internal network and the external untrusted Internet but do not help detect hacker activities.

193
Q

Which is the FIRST thing that should be determined by the information security manager when developing an information security program?

A.The control objectives
B.The strategic aims
C.The desired outcomes
D.The logical architecture

A

C is the correct answer.

Justification

Control objectives cannot be determined until desired outcomes have been determined and subsequent specific objectives defined.
Without determining the desired outcomes of the security program, the strategic aims that would lead to the desired outcomes cannot be determined.
Without determining the desired outcomes of the security program, it will be difficult or impossible to determine a viable strategy, control objectives and logical architecture.
Architecture is the physical manifestation of policy which is developed after and in support of strategy development.

194
Q

In which of the following situations is continuous monitoring the BEST option?

A.Where incidents may have a high impact and frequency
B.Where legislation requires strong information security controls
C.Where incidents may have a high impact but low frequency
D.Where e-commerce is a primary business driver

A

A is the correct answer.

Justification

Continuous monitoring control initiatives are expensive, so they should be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence.
Regulations and legislation that require tight IT security measures focus on requiring enterprises to establish an IT security governance structure that manages IT security with a risk-based approach, so each enterprise decides which kinds of controls are implemented. Continuous monitoring is not necessarily a requirement.
Measures such as contingency planning or insurance are commonly used when incidents rarely happen but have a high impact each time they happen. Continuous monitoring is unlikely to be necessary.
Continuous control monitoring initiatives are not needed in all e-commerce environments. There are some e-commerce environments where the impact of incidents is not high enough to support the implementation of this kind of initiative.

195
Q

Which of the following is the BEST way to erase confidential information stored on magnetic tapes?

A.Performing a low-level format
B.Rewriting with zeros
C.Burning them
D.Degaussing them

A

D is the correct answer.

Justification

Performing a low-level format may be adequate but is a slow process, and with the right tools, data can still be recovered.
Rewriting with zeros will not overwrite information located in the disk slack space.
Burning destroys the tapes and does not allow their reuse.
Degaussing the magnetic tapes would quickly dispose of all information because the magnetic domains are thoroughly scrambled and would not allow reuse.

196
Q

Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism?

A.Number of attacks detected
B.Number of successful attacks
C.Ratio of false positives to false negatives
D.Ratio of successful to unsuccessful attacks

A

C is the correct answer.

Justification

The number of attacks detected does not indicate how many attacks were not detected; therefore, it is no indication of effectiveness.
The number of successful attacks cannot be used as a metric to evaluate the effectiveness of an intrusion detection mechanism.
The ratio of false positives to false negatives will indicate the effectiveness of the intrusion detection system.
Without knowing whether attacks were detected or not, the ratio of successful attacks to unsuccessful attacks indicates nothing about the effectiveness of the IDS.

197
Q

A new business application requires deviation from the standard configuration of the operating system (OS). Which of the following steps should the security manager take FIRST?

A.Contact the vendor to modify the application.
B.Assess risk and identify compensating controls.
C.Approve an exception to the policy to meet business needs.
D.Review and update the OS baseline configuration.

A

B is the correct answer.

Justification

The security manager would contact the vendor to modify the application only after assessing the risk and identifying compensating controls.
Before approving any exception, the security manager should first check for compensating controls and assess the possible risk due to deviation.
The security manager may make a case for deviation from the policy, but this would be based on a risk assessment and compensating controls. The deviation itself would be approved in accordance with a defined process.
Updating the baseline configuration is not associated with requests for deviations.

198
Q

An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download nonsensitive production data for software testing purposes. Assuming all options are possible, which of the following should the information security manager recommend?

A.Restrict account access to read-only.
B.Log all usage of this account.
C.Suspend the account and activate only when needed.
D.Require that a change request be submitted for each download.

A

A is the correct answer.

Justification

Administrative accounts have permission to change data. This is not required for the developers to perform their tasks. Unauthorized change will damage the integrity of the data. Restricting the account to read-only access will ensure that file integrity can be maintained while permitting access.
Logging all usage of the account is a detective control and will not reduce the exposure created by this excessive level of access.
Suspending the account and activating only when needed will not reduce the exposure created by this excessive level of access.
Requiring that a change request be submitted for each download would be excessively burdensome and will not reduce the exposure created by this excessive level of access.

199
Q

Which of the following project activities is the MAIN activity in developing an information security program?

A.Security organization development
B.Conceptual and logical architecture designs
C.Development of risk management objectives
D.Control design and deployment

A

D is the correct answer.

Justification

The security organization is developed to meet the needs of the security program and may evolve over time, based on evolving requirements.
Conceptual and logical architecture designs should have been completed as a part of strategy and road map development.
Risk management objectives are a part of strategy development.
The majority of program development activities will involve designing, testing and deploying controls that achieve the risk management objectives.

200
Q

A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent a successful brute force attack of the account?

A.Prevent the system from being accessed remotely.
B.Create a strong random password.
C.Ask for a vendor patch.
D.Track usage of the account by audit trails.

A

B is the correct answer.

Justification

Preventing the system from being accessed remotely is not always an option in mission-critical systems and still leaves local access risk.
Creating a strong random password reduces the risk of a successful brute force attack by exponentially increasing the time required.
Vendor patches are not always available.
Tracking usage is a detective control and will not prevent an attack.

201
Q

Outsourcing combined with indemnification:

A.reduces legal responsibility but leaves financial risk relatively unchanged.
B.is more cost-effective as a means of risk transfer than purchasing insurance.
C.eliminates the reputational risk present when operations remain in-house.
D.reduces financial risk but leaves legal responsibility generally unchanged.

A

D is the correct answer.

Justification

Although indemnification clauses are intended to deflect liability, the legal consequences associated with compromises in information security cannot be fully transferred.
The cost-effectiveness of various forms of risk transfer depends on many factors, such as the scope of operations, limits of liability, specialized knowledge that may be required for implementation and criteria for indemnification.
Clients deal directly with the enterprise, not its supply chain. Outsourcing generally has no effect on reputational risk, which remains associated with the enterprise’s own brand regardless of outsourcing arrangements or indemnification clauses.
Indemnification clauses can transfer operational risk and financial impacts associated with that risk; however, legal responsibility for the consequences of compromise generally remains with the original entity.

202
Q

What is the PRIMARY basis for the selection of controls and countermeasures?

A.Eliminating IT risk
B.Cost-benefit balance
C.Resource management
D.The number of assets protected

A

B is the correct answer.

Justification

The focus must include procedural, operational and other risk—not just IT risk.
The balance between cost and benefits should direct controls selection.
Resource management is not directly related to controls.
The implementation of controls is based on the impact and risk, not on the number of assets.

203
Q

The director of auditing has recommended a specific information security monitoring solution to the information security manager. What should the information security manager do FIRST?

A.Obtain comparative pricing bids and complete the transaction with the vendor offering the best deal.
B.Add the purchase to the budget during the next budget preparation cycle to account for costs.
C.Perform an assessment to determine correlation with business goals and objectives.
D.Form a project team to plan the implementation.

A

C is the correct answer.

Justification

Obtaining comparative pricing bids and completing the transaction with the vendor offering the best deal is not necessary until a determination has been made regarding whether the product fits the goals and objectives of the business.
Adding the purchase to the budget is not necessary until a determination has been made regarding whether the product fits the goals and objectives of the business.
An assessment must be made first to determine that the proposed solution is aligned with business goals and objectives.
Forming a project team for implementation is not necessary until a determination has been made regarding whether the product fits the goals and objectives of the business.

204
Q

An enterprise has implemented an enterprise resource planning system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate?

A.Rule-based
B.Mandatory
C.Discretionary
D.Role-based

A

D is the correct answer.

Justification

Rule-based access control needs to define the individual access rules, which is troublesome and error prone in large enterprises.
In mandatory access control, the individual’s access to information resources is based on a clearance level that needs to be defined, which is troublesome in large enterprises.
In discretionary access control, users have access to resources based on delegation of rights by someone with the proper authority, which requires a significant amount of administration and overhead.
Role-based access control is effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.

205
Q

Which of the following is the MOST important consideration when choosing between automated fire suppression systems?

A.Probability of fire
B.Cost of maintenance
C.Damage to resources
D.Ownership of the new system

A

C is the correct answer.

Justification

Probability is part of the justification for adopting an automated fire suppression system, but which system is most appropriate depends on other factors.
The cost of maintenance is an important consideration, but because damage is likely to be much more costly than maintenance, it is a later consideration.
Fire suppression systems may be harmful to resources; therefore, automated systems that release gas or water automatically have their own pros and cons. Gas-based systems are harmful to human life, whereas water-based systems may damage IT resources. Hence, the selection and implementation must consider these aspects.
Ownership of assets, including the new system to be acquired, is required to determine the protection levels of resources. However, it will be based on the enterprise’s roles and responsibility definitions. In any case, resource protection will take priority in considering the choice of solutions.

206
Q

Which of the following is the MOST effective solution for preventing individuals external to the enterprise from modifying sensitive information on a corporate database?

A.Screened subnets
B.Information classification policies and procedures
C.Role-based access control
D.Intrusion detection system

A

A is the correct answer.

Justification

Screened subnets are demilitarized zones and are oriented toward preventing attacks on an internal network by external users.
The policies and procedures to classify information will ultimately result in better protection, but they will not prevent actual modification.
Role-based access controls help ensure that users only have access to files and systems appropriate for their job role.
Intrusion detection systems are useful to detect invalid attempts, but they will not prevent attempts.

207
Q

The cost of implementing and operating a security control should not exceed the:

A.annual loss expectancy.
B.cost of an incident.
C.asset value.
D.acceptable loss level.

A

C is the correct answer.

Justification

The annual loss expectancy is the monetary loss for an asset due to specific risk over a single year.
A security mechanism may cost more than the cost of a single incident and still be cost-effective.
The cost of implementing security controls should not exceed the business value of the asset.
The cost of a control may well exceed the acceptable loss level in order to achieve the loss level objective.

208
Q

Which one of the following factors affects the extent to which controls should be layered?

A.Impact on productivity
B.Common failure modes
C.Maintenance cost of controls
D.Controls that fail in a closed condition

A

B is the correct answer.

Justification

A negative impact on productivity could indicate that controls may be too restrictive, but it is not a consideration for layering.
Common failure modes in existing controls must be addressed by adding or modifying controls so they fail under different conditions. This is done to manage the aggregate risk of total control failure.
Layering additional controls will probably increase, not address, excessive maintenance costs.
Controls that fail closed pose a risk to availability, but layering would not always address this risk.

209
Q

To improve the security of an enterprise’s human resources system, an information security manager was presented with a choice to either implement an additional packet filtering firewall OR a heuristics-based intrusion detection system. How should the security manager with a limited budget choose between the two technologies?

A.Risk analysis
B.Business impact analysis
C.Return on investment analysis
D.Cost-benefit analysis

A

D is the correct answer.

Justification

Risk analysis identifies the risk and treatment options.
A business impact analysis identifies the impact from the loss of systems or enterprise functions.
Return on investment analysis compares the magnitude and timing of investment gains directly with the magnitude and timing of investment costs.
Cost-benefit analysis measures the cost of a safeguard versus the benefit it provides and includes risk assessment. The cost of a control should not exceed the benefit to be derived from it. The degree of control employed is a matter of good business judgment.

210
Q

Which of the following is a preventive measure?

A.A warning banner
B.Audit trails
C.An access control
D.An alarm system

A

C is the correct answer.

Justification

A warning banner is a deterrent control, which provides a warning that can deter potential compromise.
Audit trails are an example of a detective control.
Preventive controls inhibit attempts to violate security policies. An example of such a control is an access control.
An alarm system is an example of a detective control.

211
Q

When recommending a control to protect enterprise applications against structured query language injection, the information security manager is MOST likely to suggest:

A.hardening of web servers.
B.consolidating multiple sites into a single portal.
C.coding standards and reviewing code.
D.using Hypertext Transfer Protocol Secure (HTTPS) in place of HTTP.

A

C is the correct answer.

Justification

Hardening of web servers does not reduce this type of vulnerability.
Consolidating multiple sites into a single portal does not reduce this type of vulnerability.
Secure coding standards and peer review of code, applied as part of the enterprise’s system development life cycle (SDLC), are controls that address structured query language injection.
Using Hypertext Transfer Protocol Secure (HTTPS) instead of HTTP does not reduce this type of vulnerability.

212
Q

Which of the following is BEST used to define minimum requirements for database security settings?

A.Procedures
B.Guidelines
C.Baselines
D.Policies

A

C is the correct answer.

Justification

Procedures determine the steps, not the configuration requirements.
Guidelines are not enforceable.
Baselines set the minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity and availability protection.
Policies determine direction but not detailed configurations.

213
Q

Which of the following BEST ensures that information transmitted over the Internet will remain confidential?

A.A virtual private network
B.Firewalls and routers
C.Biometric authentication
D.Two-factor authentication

A

A is the correct answer.

Justification

Encryption of data in a virtual private network ensures that transmitted information is not readable, even if intercepted.
Firewalls and routers protect access to data resources inside the network but do not protect traffic in the public network.
Biometric authentication alone would not prevent a message from being intercepted and read.
Two-factor authentication alone would not prevent a message from being intercepted and read.

214
Q

The MOST effective approach to ensure the continued effectiveness of information security controls is by:

A.ensuring inherent control strength.
B.ensuring strategic alignment.
C.using effective life cycle management.
D.using effective change management.

A

C is the correct answer.

Justification

Inherent strength will not ensure that controls do not degrade over time.
Maintaining strategic alignment will help identify life cycle stages of controls but by itself will not address control degradation.
Managing controls over their life cycle will allow for compensation of decreased effectiveness over time.
Change management strongly supports life cycle management but by itself does not address the complete cycle.

215
Q

Which of the following is the BEST way to mitigate the risk of the database administrator reading sensitive data from the database?

A.Log all access to sensitive data.
B.Employ application-level encryption.
C.Install a database monitoring solution.
D.Develop a data security policy.

A

B is the correct answer.

Justification

Access logging can be easily turned off by the database administrator.
Data encrypted at the application level that is stored in a database cannot be viewed in cleartext by the database administrator.
A database monitoring solution can be bypassed by the database administrator.
A security policy will only be effective if the database administrator chooses to adhere to the policy.

216
Q

Which of the following ensures that newly identified security weaknesses in an operating system are mitigated in a timely fashion?

A.Patch management
B.Change management
C.Security baselines
D.Acquisition management

A

A is the correct answer.

Justification

Patch management involves the correction of software weaknesses and helps ensure that newly identified exploits are mitigated in a timely fashion.
Change management controls the process of introducing changes to systems.
Security baselines provide minimum required settings.
Acquisition management controls the purchasing process.

217
Q

If a defined threat needs to be addressed and a preventive control is not feasible, the next BEST option is to do which of the following activities?

A.Use a deterrent control.
B.Reduce exposure.
C.Use a compensating control.
D.Reassess the risk.

A

B is the correct answer.

Justification

Using a deterrent control will have only a limited effect on the possibility of compromise.
Reducing exposure reduces the probability that a risk can be exploited.
Using a compensating control will serve to limit impact, but do nothing to prevent exploitation.
Reassessing risk may provide a clearer picture of the risk but does nothing to reduce exploitation.

218
Q

How should an information security manager determine the selection of controls required to meet business objectives?

A.Prioritize the use of role-based access controls.
B.Focus on key controls.
C.Restrict controls to critical applications.
D.Focus on automated controls.

A

B is the correct answer.

Justification

Prioritizing the use of role-based access controls could be an example of possible key controls but is only one of the typical key controls.
Key controls are the essential controls to reduce risk and are most effective for the protection of information assets.
Controls cannot be restricted to critical applications because, in many cases, noncritical applications can provide access to critical ones.
Focusing on automated controls would eliminate many essential non-automated key controls such as policies, standards, procedures and necessary physical controls.

219
Q

Which of the following will BEST protect an enterprise from insider security attacks?

A.Static Internet Protocol addressing
B.Internal address translation
C.Prospective employee background checks
D.Employee awareness certification program

A

C is the correct answer.

Justification

Static Internet Protocol addressing does little to prevent an insider attack.
Internal address translation using non-routable addresses is useful against external attacks but not against insider attacks.
Because past performance is a strong predictor of future performance, background checks of prospective employees best prevent attacks from originating within an enterprise.
Employees who certify that they have read security policies are desirable, but this does not guarantee that the employees behave honestly.

220
Q

A social media application system has a process to scan posted comments in search of inappropriate disclosures. Which of the following choices would circumvent this control?

A.An elaborate font setting
B.Use of a stolen identity
C.An anonymous posting
D.A misspelling in the text

A

D is the correct answer.

Justification

Depending on the font style, text messages may become illegible; however, character codes stay the same behind the scenes. Therefore, scanning may not be affected by font settings.
Even when a message is posted using a stolen identity, scanning will be able to catch an inappropriate posting by checking text against a predefined vocabulary table.
Absence of the identity of the user who posted an inappropriate message may not be a major issue in conducting the scanning of posted information.
Intentional misspellings are hard to detect by fixed rules or keyword search because it is difficult for the system to consider the possible misspellings. The computer may ignore misspelled items. Because humans can understand the context, it is rather easy for humans to sense the true intention hidden behind the misspelling.

221
Q

A company uses a single employee to update the servers, review the audit logs and maintain access controls. Which of the following choices is the BEST compensating control?

A.Verify that only approved changes are made.
B.Perform quarterly penetration tests.
C.Perform monthly vulnerability scans.
D.Implement supervisor review of log files.

A

A is the correct answer.

Justification

Where segregation of duties is not possible, additional procedures are needed to ensure that a single person with access is not able to abuse that access.
Penetration tests do not address insider threat.
Vulnerability scans only check hardware and software for changes against set requirements. There is no correlation to unauthorized activities.
A sufficiently knowledgeable administrator may be able to manipulate the log files and hide their activities from the supervisor.

222
Q

A project manager is developing a developer portal and requests that the security manager assign a public Internet Protocol address so that it can be accessed by in-house staff and by external consultants outside the enterprise’s local area network. What should the security manager do FIRST?

A.Understand the business requirements of the developer portal.
B.Perform a vulnerability assessment of the developer portal.
C.Install an intrusion detection system.
D.Obtain a signed nondisclosure agreement from the external consultants before allowing external access to the server.

A

A is the correct answer.

Justification

The information security manager cannot make an informed decision about the request without first understanding the business requirements of the developer portal.
Performing a vulnerability assessment of the developer portal is prudent, but it should follow understanding the requirements.
Installing an intrusion detection system may be useful but not as essential as understanding the requirements.
Obtaining a signed nondisclosure agreement is a prudent practice but is secondary to understanding requirements.

223
Q

Senior management is reluctant to budget for the acquisition of an intrusion prevention system. The chief information security officer should do which of the following activities?

A.Develop and present a business case for the project.
B.Seek the support of the users and information asset custodians.
C.Invite the vendor for a proof-of-concept demonstration.
D.Organize security awareness training for management.

A

A is the correct answer.

Justification

Senior management needs to understand the link between the acquisition of an intrusion prevention system (IPS) and the enterprise’s business objectives. A business case is the best way to present this information.
Stakeholder buy-in is an important part of the acquisition and implementation process, but senior management needs to see the value of budgeting for the purchase before moving ahead and making approvals.
Senior managers probably believe that the IPS will do what it promises, but they are usually not tech-savvy. A proof-of-concept will demonstrate the functional features but may not be able to provide the understanding for senior management to approve the purchase.
Security awareness training may provide some insight into the value of security tools in general, but the decision to allocate funds for an IPS will be made only on the basis of the specific value that the IPS provides.

224
Q

Which of the following is the PRIMARY driver for initial implementation of a risk-based information security program?

A.Prioritization
B.Motivation
C.Optimization
D.Standardization

A

A is the correct answer.

Justification

Because enterprises rarely have adequate resources to address all concerns, a risk-based information security program is typically implemented to provide a basis for efficient allocation of limited resources.
Motivation is useful in getting the job done but is not necessarily a result of implementing a risk-based information security program.
Optimization is a long-term benefit associated with a mature risk-based program. It does not present itself during initial implementation.
Standardization is a technique that offers numerous benefits and may support risk management activities. It is not the result of a focus on risk.

225
Q

What is the MAIN objective of integrating the information security process into the system development life cycle?

A.It ensures audit compliance.
B.It ensures that appropriate controls are implemented.
C.It delineates roles and responsibilities.
D.It establishes the foundation for development or acquisition.

A

B is the correct answer.

Justification

Simply integrating information security processes into the system development life cycle (SDLC) will not ensure audit success; it is merely a piece of the compliance puzzle that must be reviewed by the auditor.
Establishing information security processes at the front end of any development project and using the process at each stage of the SDLC ensures that the appropriate security controls are implemented, based on the review and assessment completed by security staff.
The purpose of integrating the information security process at the front end of any SDLC project is to reduce the risk of delays or rework rather than to identify roles and responsibilities for information security in the project.
The information security process should be performed at each phase of the SDLC to ensure that appropriate controls are in place. However, integration of information security does not establish the foundation for the make-versus-buy decision.

226
Q

A virtual desktop infrastructure enables remote access. The benefit of this approach from a security perspective is to:

A.optimize the IT resource budget by reducing physical maintenance to remote personal computers (PCs).
B.establish segregation of personal and organizational data while using a remote PC.
C.enable the execution of data wipe operations into a remote PC environment.
D.terminate the update of the approved antivirus software list for remote PCs.

A

B is the correct answer.

Justification

Physical maintenance is reduced in a virtual desktop infrastructure (VDI) environment, but cost reduction is not the benefit of VDI from a security perspective.
The major benefit of introducing a VDI is to establish remote desktop hosting while keeping personal areas in a client personal computer (PC) separate. This serves as a control against unauthorized copies of business data on a user PC.
Remote data wiping is not possible in a VDI.
Termination of antivirus updates may represent a cost savings to the enterprise, but the presence or absence of antivirus software on a remote PC is irrelevant in a VDI context.

227
Q

What is the GREATEST risk when there are an excessive number of firewall rules?

A.One rule may override another rule in the chain and create a loophole.
B.Performance degradation of the whole network may occur.
C.The firewall may not support the increasing number of rules due to limitations.
D.The firewall may show abnormal behavior and may crash or automatically shut down.

A

A is the correct answer.

Justification

If there are many firewall rules, there is a chance that a particular rule may allow an external connection while overriding other associated rules that were meant to block it. As the number of rules grows, testing them becomes complex and, over time, a loophole may occur.
Excessive firewall rules may impact network performance, but this is a secondary concern.
It is unlikely that the number of rules will exceed the firewall’s capacity to support them, and this is not a significant risk.
There is a slight risk that the firewall will behave erratically, but that is not the greatest risk.

228
Q

Determining which element of the confidentiality, integrity and availability (CIA) triad is MOST important is a necessary task when:

A.assessing overall system risk.
B.developing a controls policy.
C.determining treatment options.
D.developing a classification scheme.

A

B is the correct answer.

Justification

Overall risk is not affected by determining which element of the triad is of the greatest importance because overall risk is constructed from all known risk, regardless of the components of the triad to which each risk applies.
Because preventive controls necessarily must fail in either an open or closed state (i.e., fail safe or fail secure), and failing open favors availability while failing closed favors confidentiality—each at the expense of the other—a clear prioritization of the triad components is needed to develop a controls policy.
Although it is feasible that establishing a control that bolsters one component of the triad may diminish another, treatment options may be determined without a clear prioritization of the triad.
Classification is based on the potential impact of compromise and is not a function of prioritization within the confidentiality, integrity and availability (CIA) triad.

229
Q

Which of the following is the BEST method for ensuring that temporary employees do not receive excessive access rights?

A.Mandatory access controls
B.Discretionary access controls
C.Lattice-based access controls
D.Role-based access controls

A

D is the correct answer.

Justification

Mandatory access controls require users to have a clearance at or above the level of asset classification, but providing clearances for temporary employees is time-consuming and expensive.
Discretionary access control allows delegation based on the individual but requires administrative action to grant and remove access.
Lattice-based access control is a mandatory access model based on the interaction between any combination of objects (such as resources, computers and applications) and subjects.
Role-based access controls will grant temporary employee access based on the job function to be performed. This provides a better means of ensuring that the access is not more or less than what is required, and removing access requires less effort.

230
Q

What is the PRIMARY basis for the prioritization of security spending and budgeting?

A.The identified levels of risk
B.Industry trends
C.An increased cost of service
D.The allocated revenue of the enterprise

A

A is the correct answer.

Justification

The first required action is to conduct a risk assessment of the enterprise’s key processes to identify control gaps and determine where investments should be made to mitigate risk and to determine order of prioritization. This must be conducted with consideration of enterprise goals and strategy.
Prioritization should not be based on the trends at other enterprises because each enterprise has unique requirements and business objectives.
Prioritization by cost alone is not aligned with a risk-based approach.
Although the revenue may increase, it is not wise to link the IT budget to a fixed percentage of revenue because this could lead to spending more or less than is necessary to effectively address risk.

231
Q

Which of the following vulnerabilities is commonly introduced when using Simple Network Management Protocol v2 (SNMP v2) to monitor networks?

A.Remote buffer overflow
B.Cross-site scripting
C.Cleartext authentication
D.Man-in-the-middle attack

A

C is the correct answer.

Justification

There have been some isolated cases of remote buffer overflows against Simple Network Management Protocol (SNMP) daemons, but generally that is not a problem.
Cross-site scripting is a web application vulnerability that is not related to SNMP.
One of the main problems with using SNMP v1 and v2 is the cleartext community string that it uses to authenticate. It is easy to sniff and reuse. Most times, the SNMP community string is shared throughout the enterprise’s servers and routers, making this authentication problem a serious threat to security.
A man-in-the-middle attack against a User Datagram Protocol (UDP) exchange makes no sense because there is no active session; every request carries the community string and is answered independently.

232
Q

Inherent control strength is PRIMARILY a function of which of the following?

A.Implementation
B.Design
C.Testing
D.Policy

A

B is the correct answer.

Justification

Improper implementation can affect design control strength; however, even good implementation is not likely to overcome poor design.
Inherent control strength is mainly achieved by proper design.
Testing is important to determine whether design strength has been achieved but will generally not solve design problems.
Policy support for appropriate controls is important but is generally too high level to ensure that a design has inherent control strength.

233
Q

A control for protecting an IT asset, such as a laptop computer, is BEST selected if the cost of the control is less than the:

A.cost of the asset.
B.impact on the business if the asset is lost or stolen.
C.available budget.
D.net present value.

A

B is the correct answer.

Justification

While the control may be more expensive than the cost of the physical asset, such as a laptop computer, the impact to the business may be much higher and thus justify the cost of the control.
Controls are selected based on the impact on the business if the asset becomes unavailable, rather than on the cost of the asset or the available budget.
Budget availability is a consideration; however, this is not as important as the overall impact to the business if the asset is compromised.
Net present value (NPV) calculations are not useful to determine the cost of a control. While a laptop computer might be fully amortized (or even expensed), the impact of the loss of the asset may be much higher than its NPV.