ISACA questions Flashcards
Which of the following would be the BEST indicator of effective infosec governance within an org?
A. The steering committee approves security projects
B. Security policy training is provided to all managers
C. Security training is available to all employees on the intranet
D. IT personnel are trained in testing and applying required patches
A
A. The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program. To ensure that all stakeholders impacted by security considerations are involved, many orgs use a steering committee comprised of senior representatives of affected groups. This composition helps to achieve consensus on priorities and trade-offs and serves as an effective communication channel for ensuring the alignment of the security program with business objectives.
B. Security policy training is important at all levels of the org and also an indicator of good governance. However, it must be guided and approved as a security project by the steering committee to ensure all parts of the org are aware of the policies.
XC. The availability of security training, while beneficial to the overall security program, does not ensure that employees are following the program and have the required level of awareness without a process to enforce awareness and compliance.
D. Even orgs with little overall governance may be effective in patching systems in a timely manner; this is not an indication of effective governance.
What is the MOST essential attribute of an effective key risk indicator (KRI)? It:
A. is accurate and reliable
B. provides quantitative metrics
C. indicates required action
D. is predictive of a risk event
D
XA. KRIs usually signal developing risk but do not indicate what the actual risk is. In that context, they are neither accurate nor reliable.
B. KRIs typically do not provide quantitative metrics about risk.
C. KRIs will not indicate that any particular action is required other than to investigate further.
D. A KRI should indicate that a risk is developing or changing to show that investigation is needed to determine the nature and extent of a risk.
Determining which element of the confidentiality, integrity and availability (CIA) triad is MOST important is a necessary task when:
a. assessing overall system risk
b. developing a controls policy
c. determining treatment options
d. developing a classification scheme
B
Xa. Overall risk is not affected by determining which element of the triad is of greatest importance because overall risk is constructed from all known risk, regardless of the components of the triad to which each risk applies.
b. Because preventive controls necessarily must fail in either an open or closed state (fail safe or fail secure), and failing open favors availability while failing closed favors confidentiality - each at the expense of the other - a clear prioritization of the triad components is needed to develop a controls policy.
c. Although it is possible that establishing a control that bolsters one component of the triad may diminish another, treatment options may be determined without a clear prioritization of the triad.
d. Classification is based on the potential impact of compromise and is not a function of prioritization within the triad.
Which of the following is MOST appropriate for inclusion in an infosec strategy?
a. Business controls designated as key controls
b. security processes, methods, tools and techniques
c. firewall rule sets, network defaults and intrusion detection system settings
d. budget estimates to acquire specific security tools
B
Xa. Key business controls are only one part of a security strategy and must be related to biz objectives.
b. A set of security objectives supported by processes, methods, tools and techniques together are the elements that constitute a security strategy.
c. Firewall rule sets, network defaults and intrusion detection system settings are technical details subject to periodic change and are not appropriate content for a strategy document.
d. Budgets will generally not be included in an infosec strategy. Until the strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available.
Which of the following situations must be corrected FIRST to ensure successful infosec governance w/in an org?
a. The infosec department has difficulty filling vacancies
b. the COO approved security policy changes
c. the infosec oversight committee only meets quarterly
d. the data center manager has final sign-off on all security projects.
D
Xa. Difficulty in filling vacancies is not uncommon due to the shortage of qualified infosec professionals.
b. It is important to have senior mgmt approve security policies to ensure that they meet mgmt. intent and direction.
c. It is not inappropriate for an oversight or steering committee to meet quarterly.
d. A steering committee should be in place to approve all security projects. The fact that the data center mgr. has final sign-off indicates that a steering committee is not being used and that infosec is relegated to a subordinate place in the org. This would indicate a failure of infosec governance.
Which of the following is MOST likely to be discretionary?
a. policies
b. procedures
c. guidelines
d. standards
C
a. Policies define management’s security goals and expectations for an org. These are defined in more specific terms within standards and procedures.
Xb. Procedures describe how work is to be done.
c. Guidelines provide recommendations that business mgmt. must consider in developing practices within their areas of control; as such, they are discretionary.
d. Standards establish the allowable operational boundaries for people, processes and technology.
Which of the following seldom change in response to technological changes?
a. standards
b. procedures
c. policies
d. guidelines
C
a. Security standards must be revised and updated based on the impact of technology changes.
b. Procedures must be revised and updated based on the impact of technology changes.
c. Policies are high-level statements of mgmt. intent and direction, which is not likely to be affected by tech changes.
Xd. Guidelines must be revised and updated based on the impact of technology changes.
When creating an effective data-protection strategy, the infosec mgr. must understand the flow of data and its protection at various stages. This is BEST achieved with:
a. a third-party vulnerability assessment
b. a tailored methodology based on exposure
c. an insurance policy for accidental data losses
d. a tokenization system set up in a secure network environment
B
Xa. Vulnerability assessments, third-party or otherwise, do not take into account threat and other factors that influence risk treatment.
b. Orgs classify data according to their value and exposure. The org can then develop a sensible plan to invest budget and effort where they matter most.
c. An insurance policy is a risk treatment option for the transfer/sharing of risk. Whether it is an appropriate action requires a cost-benefit analysis and a more complete understanding of the risk involved.
d. Tokenization is a technique used to protect data but whether it is appropriate cannot be known w/out an understanding of the various exposures to which the data are subject.
Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global org?
a. Chief security officer
b. Chief operating officer
c. Chief privacy officer
d. Chief legal counsel
B
Xa. Although the chief security officer knows what is needed, the sponsor for this task should be someone with far-reaching influence across the org.
b. The COO is the most knowledgeable about biz ops and objectives.
c. The chief privacy officer may not have the knowledge of the day-to-day biz ops and overall security requirements to ensure proper guidance.
d. The chief legal counsel will typically have a narrow legal focus on contracts and stock and other regulatory requirements and have little knowledge of overall org security requirements.
The MOST important element(s) to consider when developing a biz case for a project is the:
a. feasibility and value proposition
b. resource and time requirements
c. financial analysis of benefits
d. alignment with org objectives
A
a. Feasibility and whether the value proposition makes sense will be major considerations of whether a project will proceed.
b. Resources and time needed are important but will be a component of the value proposition in terms of costs.
c. Financial analysis of benefits is a component of the value proposition but there would typically be other benefits that should be proposed.
Xd. The value proposition would, as a matter of course, have to include alignment with the org’s objectives.
Senior mgmt. commitment and support for infosec can BEST be enhanced through:
a. a formal security policy sponsored by the CEO
b. regular security awareness training for employees
c. periodic review of alignment with biz mgmt. goals
d. senior mgmt. signoff on the infosec strategy
C
a. Although having the CEO sign off on the security policy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior mgmt.
b. Security awareness training for employees will not have as much effect on senior mgmt. commitment as alignment with biz goals.
c. Ensuring that security activities continue to be aligned and support biz goals is critical to obtaining mgmt. support.
Xd. Although having senior mgmt. sign off on the security policy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior mgmt.
The infosec mgr. receives a report showing an increase in the number of security events. The MOST likely explanation is:
a. exploitation of a vulnerability in the information system
b. threat actors targeting the org in greater numbers
c. failure of a previously deployed detective control
d. approval of a new exception for noncompliance by mgmt.
A
a. Exploitation of a vulnerability is likely to generate security events.
b. Absent a change in vulnerability, an increase in the number of threat actors targeting the org would not explain an increase in security events.
c. An increase in the number of security events that appear on reports suggests that detective controls are likely working properly.
xd. Exceptions approved by mgmt. may result in a higher number of security events on reports if notice of the exceptions is not provided to infosec to allow updates to monitoring. However, exceptions are typically communicated to the infosec mgr., so this is an unlikely explanation for the increase.
Which of the following is the MOST important info to include in a strategic plan for infosec?
a. Infosec staffing requirements
b. current state and desired future state
c. IT capital investment requirements
d. infosec mission statement
B
a. Staffing requirements stem from the implementation time lines and requirements of the strategic plan.
b. It is most important to present a vision for the future and then create a road map from the current state to the desired future state based on a gap analysis of the requirements to achieve the desired future state.
c. IT capital investment requirements are generally not determined at the strategic plan level but rather as a result of gap analysis and the options on how to achieve the objectives of the strategic plan.
xd. The mission statement is typically a short, high-level aspirational statement of overall organizational objective and only directly affects the infosec strategy in a very limited way.
An infosec mgr. mapping a job description to types of data access is MOST likely to adhere to which of the following infosec principles?
a. ethics
b. proportionality
c. integration
d. accountability
B
a. Ethics have the least to do with mapping a job description to types of data access.
b. Information security controls, including access, should be proportionate to the criticality and/or sensitivity of the asset (i.e. the potential impact of compromise).
c. Principles of integration are not relevant to this task.
xd. The principle of accountability would be the second most adhered-to principle because people with access to data may not always be accountable.
Which of the following is the MOST important prerequisite for establishing infosec mgmt. w/in an org?
a. senior mgmt. commitment
b. Infosec framework
c. infosec org structure
d. infosec policy
A
a. Senior mgmt. commitment is necessary in order for each of the other elements to succeed. W/out senior mgmt. commitment, the other elements will likely be ignored w/in the org.
Xb. W/out senior mgmt. commitment, an infosec framework is not likely to be implemented.
c. W/out senior mgmt. commitment, it isn’t likely that there is support for developing an infosec org structure.
d. The development of effective policies as a statement of mgmt. intent and direction is likely to be inadequate w/out senior mgmt. commitment to infosec.
The FIRST step in developing an infosec mgmt. program is to:
a. identify biz risk that affects the org
b. establish the need for creating the program
c. assign responsibility for the program
d. assess adequacy of existing controls
B
xa. The task of identifying biz risk that affects the org is assigned and acted on after establishing the need for creating the program.
b. In developing an infosec mgmt. program, the first step is to establish the need for creating the program. This is a biz decision based more on judgment than on any specific quantitative measures. The other choices are assigned and acted on after establishing the need.
There is a concern that lack of detail in the recovery plan may prevent an org from meeting its required time objectives when a security incident strikes. Which of the following is MOST likely to ensure the RTOs would be met?
a. establishment of distributed operation centers
b. delegation of authority in recovery execution
c. outsourcing of the biz restoration process
d. incremental backups of voluminous dbs
B
a. This doesn’t compensate for a lack of detail in the recovery plan.
b. When recovery is underway in response to an incident, there are many cases where decisions need to be made at each mgmt. level. This may take up considerable time due to escalation procedures. Therefore, it is desirable that delegation of authority becomes effective during the recovery process. Scope of delegation of authority in recovery execution may be assessed beforehand and documented in BC policies and procedures.
c. Outsourcing will not resolve any failure to meet RTOs unless the recovery strategy includes a clear line of authority and adequate detail in the plan.
xd. Incremental backup of voluminous dbs may be recommended to expedite the data backup process. However, it generally increases the time needed to recover.
Which of the following is the BEST justification to convince mgmt. to invest in an infosec program?
a. cost reduction
b. compliance with company policies
c. protection of biz assets
d. increased biz value
D
a. This is rarely the motivator by itself.
b. Compliance is secondary to biz value.
xc. Increasing biz value may include protection of biz assets.
d. Investing in an infosec program should increase biz value as a result of fewer biz disruptions, fewer losses and increased productivity.
Which of the following is the MOST important consideration when developing the security strategy of a company operating in different countries?
a. diverse attitudes toward security by employees and mgmt.
b. time differences and the ability to reach security officers
c. a coherent implementation of security policies and procedures in all countries
d. Compliance with diverse laws and governmental regulation
D
a. Attitudes among employees and mgrs. may vary by country and this will impact implementation of a security policy. However, the impact is not nearly as significant as the variance in national laws.
xd. In addition to laws varying from one country to another, they can also conflict, making it difficult for an org to create an overarching enterprise security policy that adequately addresses the requirements in each nation. The repercussions of failing to adhere to multiple legal frameworks at the same time go well beyond the impacts of the other considerations listed.
The enactment of policies and procedures for preventing hacker intrusions is an example of an activity that belongs to:
a. risk mgmt.
b. compliance
c. IT mgmt.
d. governance
D
xa. Risk mgmt. is about identifying risk and adequate countermeasures and would be concerned with whether such policies and procedures are necessary based on a risk analysis. However, the enactment would not fall into the area of risk mgmt.
b. Compliance would be concerned with the adequacy of the policies and procedures to achieve the control objectives and whether employees act according to the policies and procedures.
c. IT mgmt. would be concerned about setting the policies into operation (e.g. by providing training and resources).
d. Governance is concerned with implementing adequate mechanisms for ensuring that organizational goals and objectives can be achieved. Policies and procedures are common governance mechanisms.
Which of the following recommendations is the BEST one to promote a positive infosec governance culture w/in an org?
a. strong oversight by the audit committee
b. organizational governance transparency
c. collaboration across biz lines
d. positive governance ratings by stock analysts
C
a. Supervision by the audit committee is unlikely to occur and would be of little help.
xb. Governance transparency may contribute to the security mgmt. practice but is not directly linked to the establishment of a positive governance culture.
c. To promote a positive governance culture, it is essential to establish collaboration across biz lines. In this way, line mgmt. will speak a common language and share the same goals.
What is the MAIN risk when there is no user mgmt. representation on the infosec steering committee?
a. Functional reqmts. are not adequately considered
b. User training programs may be inadequate
c. budgets allocated to biz units are not appropriate
d. infosec plans are not aligned with biz reqmts.
D
xa. Functional reqmts. and user training programs are considered to be part of project devmt but are not the main risk.
d. The steering committee usually controls the execution of the infosec strategy, and lacking representation of user mgmt., the committee may fail to consider impact on productivity and adequate user controls.