Practice tests Flashcards

Question

``` Jane needs to determine an assets value. What would be the BEST source for her to use? Business mgr. for the asset Infosec mgr. Business analyst for the asset Average industry cost ```

Answer 1

Business mgr. for the asset The business manager for the asset (also often the system owner) would be the person who would be best at assigning the real asset value. They have the in-depth knowledge of what the system does and how critical it is. We may need to assist them with quantifying the value, but they are the best resource. The business analyst knows how the system works, but not the value, and average industry costs is never something we should use for asset value. Our systems are unique, our organization is unique, we would at best use the industry average as a benchmark.

Answer 2

Our business strategy Governance is directly tied back to the organization's strategy, vision and mission. Our technological constraints, the legal requirements, and the potential for lawsuits is important, but the primary driver is our strategy.

Answer 3

Our security architecture Our security architecture would define how we use and the relationships of different security mechanisms. The security metrics would show improvement in our security practices. The process improvement models are focused on us improve our processes but does nothing to explain the relationship between our security mechanisms. Our network topology would show us our network layout, but not how our security mechanisms relate.

Answer 4

The materials are easy to read and understand It is critical that the information is easy to read and understand. If it is too confusing or use too many technical words, many employees will either not read it at all or forget it almost right away. We would want senior managements buy-in, but for the materials to be effective, it is more important they are easy to understand. Staff should learn about social engineering and our policies, but in a simplified language they can understand and relate to.

Answer 5

Residual risk Senior management sets our risk appetite and residual risk is what is what is left after we have implemented the countermeasures and senior management has decided it is not worth mitigating the risk anymore. Inherent risk is the unmitigated risk, control risk is when control fail, and audit risk is how auditors approach their work.

Answer 6

X Our business strategy Our retention is dictated by our business strategy. We can chose not to comply with regulations if the cost of compliance is higher than the penalties for instance. Just like anything else we do a cost-benefit analysis. Business case and value analysis would be based on our strategy, making strategy a MORE right answer. How easy it is to use or the capacity on our data stores should never be a deciding factor.

Answer 7

The process owners Our process owners would be the group best suited for performing the risk analysis, they have the most accurate overview of the risks to their areas. Management consultants, our peers, or external auditors may be able to help in other aspects, but they would not be the BEST risk analysis for our organization.

Answer 8

X A power outage We would be able to quantify the financial loss we would see after a power outage. The loss of customer data and confidence, our website being defaced or how it would impact us if we lose half of your marketing team would be hard to quantify, for those we would probably use qualitative risk analysis.

Answer 9

X On a screened subnet We would place our IDSs on our screened subnet (our DMZ (demilitarized zone)). Placing them outside our firewalls would leave them vulnerable to attacks, the same if we placed them on external routers. Placing them on the firewall would not be appropriate since the firewall is a hardened device and adding non-firewall services to it would weaken its security posture.

Answer 10

Risk acceptance Part of the risk mitigation report would be risk acceptance, either as an alternative to the mitigation or after the mitigation, we would consider accepting the residual risk. Risk assessments, evaluations and quantifications would be part of the risk analysis we did to make the risk mitigation report, but not part of the report itself.

Answer 11

Do a risk analysis Any discrepancy between our objectives and policies should be resolved by a risk analysis. What is the potential gain and loss from changing the policy or the objective? As part of our due diligence we would never just let policy or objective be updated without doing the proper analysis. We may choose to accept the risk, but that would be after the analysis.

Answer 12

On our internal network We would want the intranet server on our internal network, where it would be accessible for our employees and inaccessible to external sources. It would not be appropriate to place the intranet server attached to a firewall, behind an external router, or in the DMZ, we would want in further inside our internal network and not so close to the external network.

Answer 13

It can align our risk with the cost of countermeasures When our risk management process is successful, we are able to align our risk reduction with the cost of the countermeasure. We can never eliminate or transfer all organizational risks or man-made risks. We can also not budget with risk losses with any degree of certainty.

Answer 14

He should establish good communication with the steering committee Bassam should establish good communication with the steering committee first. They make most of the Information Security decisions and prioritization. While he may at some point need to develop the security architecture, do an enterprise wide risk analysis or hire more staff, we have no information about the need for any of those in the question and regardless we would always want to build report and communication channels with the steering committee and senior management.

Answer 15

Our org When a risk is reduced to an acceptable level is determined by our organizational requirements. We would never base it on the requirements of our IT systems, Information Security or international standards. Those factors may guide us, but they would never be the determining factor.

Answer 16

X Objectives are achievable The PRIMARY goal of our risk management program is to ensure the business objectives are achievable. We are there to make sure the business is successful and reaches its objectives, by having an efficient and effective risk management program. Part of that could be protecting our critical IT assets, having IT systems always available and us having preventative controls for the business risks we face. They are however not the PRIMARY goal.

Answer 17

Determining the required levels of security for the data The data owner would be responsible for determining the level of security required, the classification of the data, and who has access to it. The patches, deploying security controls, and moving updated applications from development to production would be performed by different data custodians.

Answer 18

Explain the organizational risk For senior leadership it is important to understand Information Security in relations to organizational risk, and we would often use a cost benefit analysis for this. We may use enterprise metrics, but it would be possibly be part of the organizational risk. The needs of organizational units or Information Security would have to tie back to the organizational risk and the cost benefit analysis.

Answer 19

Assess if existing controls fulfill the new requirements The first thing we should assess is if our current controls are sufficient. If they are there is no need to meet with the financial or legal teams, nor update any policies or procedures. Risk analysis of the compliance would come much later, if we decide our current countermeasures are not sufficient.

Answer 20

A clear understanding of how to map Infosec tech to the needs of the org Information Security should always be aligned to the organizational needs, a clear understanding of what those needs are is critical for a new CISO. They should also know the technologies, the regulatory requirements and be able to effective lead their team, but MOST important is understanding our mission, vision and goals.

Answer 21

The goals and objectives are clearly defined It is MOST important to have very clearly defined goals and objectives for the penetration test. We would also possibly have certain timeframes the attackers are allowed to use, certain IP ranges, and also clear guidance on what they are not allowed to do. We may have them try to access a test system, but that is after the clear goals and objectives. On top of that test systems often do not have the same posture as production systems, being able to get access to a test system may not mean they can access our production systems. We may inform the IT staff, but not always. Senior management HAS to know about the penetration test, they sign off on it, and they are ultimately liable.

Answer 22

The loss of customer confidence One of the most valuable assets to any business is the confidence our customers have in us. If we lose it, it can be very hard to repair. Internal fraud, a power outage and stolen software are all problems, but ones we can most likely fix without a lot of problems.

Answer 23

X The asset value The cost of the security control should not exceed the asset value. If the cost of a countermeasure is greater than the asset value, we would not implement. We always base our security controls on a cost-benefit analysis. We would use the ALE and the cost of an incident in the analysis, but we would not base the decision on just those. The cost of the security control not exceeding the benefit from the implementation doesn't even make sense.

Answer 24

Use WPA-2 (Wi-Fi Protected Access-2) Of the options here WPA-2 (Wi-Fi Protected Access-2) is the most secure protocol to implement on our new wireless network. Hiding our SSID does very little, since it still broadcasts, it takes a few seconds to find it regardless of it being hidden. Adding MAC filtering on our switch ports is also easy to bypass, the attacker would just have to spoof the MAC address of a trusted divide on a specific port and they would have network access. Finally, WEP is very easy break today, there are weaknesses in the algorithm, even very long complex passwords can be broken in less than 10 minutes.

Answer 25

Cost benefit analysis Any risk reduction control should be based on a cost benefit analysis. We would probably use quantitative and qualitative risk analysis as input to the cost benefit analysis, but they are not the BEST at determining if we should implement the control. Penetration testing could also assist but would be part of a bigger analysis and auditing.

Answer 26

Transfer the risk We would most often transfer risks with low probability and high impact. This could be flooding of our data center. If we chose to implement countermeasures it is often cost prohibitive. We may not be able to eliminate the risk and accepting the risk could have a catastrophic impact if it actualized.

Answer 27

Define our security strategy The FIRST step would be for us to define our security strategy, we would then use that to make our security policies, and baselines, we may use best practices for our industry as well.

Answer 28

To ensure our security controls operate as they should The main focus of our security audits is to ensure our security controls operate as they should. We would want cost-effective controls, but that is not the purpose of the security audit. It is possible we would want to use the latest technology, but again not something the security audit would look at. Security reviews should look at all controls, not just preventative ones.

Answer 29

When they start to define the detailed requirements for the sw Information Security should be involved from the very beginning and security should be a requirement just like the functionality of the software. If we wait for the software developers to contact us, we will wait forever, software testing is at the very end of the development process and when they start programming is also too late, at this point they already have all the requirements and changes will be duct-tape solutions.

Answer 30

X The data privacy policies where we collect the data Our local offices have to comply with the local law, where the data is collected. Our corporate data privacy policy, the policy where our headquarters are located, or the global data directives never supersede the local laws and regulations.

Answer 31

X Limit the number of available mappable drives to one The BEST option would be to limit the number of drives on the workstations. Users can insert the USB drives, but they would not be registered as a drive. We would not want to disable all USB ports; they are also used for mice and keyboards. Training should be conducted, but it is more efficient to lock down the workstations. Mandatory Access Control would do nothing in this scenario.

Answer 32

Hash the original file and compare the hashes If we want to ensure the data has not been altered, the best way to do that is to compare a hash of the original file and a hash of the current file. The 2 hashes should be identical, if they are not the data was altered. We would not be able to tell what was changed, just that something was. The file size can easily be made to look the same as the original even if the data was altered. Using symmetric encryption can give us confidentiality, but not an integrity check. If the file is important, we would most likely use strong access control, but again it would not tell us if the file was altered, only that it would be difficult to access.

Answer 33

X The ratio of false positives to false negatives Looking at the ratio of false positives to false negatives would be the BEST metric to determine how effective our IDSs are. If it is configured to be as effective as possible, we would have minimal false positives (alert on allowed traffic), and minimal false negatives (no alert on malicious traffic). The number of attacks we detect, and number of successful attacks, or the ratio of successful to unsuccessful attacks in themselves are not enough to determine if our IDS is effective

Answer 34

X New risk detection We would want all of these for our risk management program, but us being able to detect new risks would be the MOST helpful.

Answer 35

A business impact analysis We get the RTO from our business impact analysis, and it is part of our MTD (Maximum tolerable downtime). What is the maximum amount we can have a system or function down before we are severely impacted? A GAP analysis we use to map a path from our current state to our desired state. A SWOT analysis is analyzing the Strengths, Weaknesses, Opportunities and Threats of our organization. The risk analysis would be part of the business impact analysis, but not what we use for the RTO.

Answer 36

X All organizational activities We do risk analysis on ALL our organizational activities; we would never limit it to specific systems or infrastructure. We need that holistic approach and protection profile.

Answer 37

A value analysis We do all our Information Security investments on value analysis. How will this benefit the organization? In most cases it is not revenue gained, but it is loss minimized to an acceptable level. We might look at the audits, the business climate and the vulnerability assessments, but we would still do a value analysis to justify the cost. We want that positive ROI.

Answer 38

Risk analysis results The amount of resources we would use on a mitigation would be based on our risk analysis. Everything we do is based on a positive ROI (return on investment). We may use audit reports and penetration testing in our risk analysis, but they are by themselves to incomplete to determine the amount of resources we should use on mitigation. How much is left of the Information Security budget is something we need to consider but should not be how we determine how much we spend on mitigation.

Answer 39

Quantitative When we want to put actual numbers and dollar amounts on both the risks and the mitigations; we would use Quantitative risk analysis (think quantity - it is a specific number). Qualitative risk analysis is where we rate risks on likelihood and impact, we then use that to determine which assets are high enough risk to move to quantitative risk analysis. Our risk analysis is iterative, but there is no risk analysis approach that is named iterative risk analysis. There is also no adaptive risk analysis.

Answer 40

To not interrupt production environments It is MOST important that Bob does not disrupt any production environments or processes. If we have to run intrusive tests, they would be done off-hours and in a service window. There is not good reason to not use open source scanners, some of the better ones are open source. We would want to scan all environments, not just production. We would not follow the normal attack cycle; this is just scanning.

Answer 41

X To measure the effectiveness We need our Information Security objectives to be clearly defined, so we can measure how effective they are. If our objectives are vague, we will have no clue how good or bad we are doing. We do need to clearly understand the objectives but measuring the effectiveness of them is more important. The objectives being clearly defined will help with getting the buy-in from our staff, but again those are secondary objectives.

Answer 42

To be in better alignment with business unit needs Decentralized information security management would normally give us better alignment with business unit needs. It would also often give us less uniform quality of service, deviate more from our policies and cost us more.

Answer 43

Chief Operating Officer (COO) The chief operating officer (COO) is ideally whom you should report to. They are high enough in the organization and they have the 30,000ft view of both business operations and objectives. If not the COO, it should be the CEO, but that is not an answer option here, even if it was the COO would still be first choice. Legal counsel, auditors, and the Information Security manager would be key members of the steering committee, but none of them should sponsor the committee.

Answer 44

Buy insurance With the residual risk ALWAYS being too high, the only option is to buy insurance and transfer the risk. The SOC, Pen testing and firewalls may minimize the incidences, but all those are irrelevant in this question, since senior management has determined it is never enough.

Answer 45

A lessons learned document The result of the post-incident review would be our lessons learned report. What went well, what went wrong, and what can we do next time to improve our incident response. The electronic evidence, the areas effected and possibly who attacked us would already be covered reporting and possibly in response.

Answer 46

They can be more cost effective and have expertise we do not internally The BEST reason would be for us to get cost effective assistance who has skills we do not have within the organization. We still need internal key stakeholders who have the detailed knowledge of our organization but getting outside help can help us deliver a better product sooner. Even if we contract external people, they might be responsible for producing a result, but as the Information Security manager or director it is your responsibility to deliver the program. In this case getting outside help would not help with employee redundancy, they are there to help us in areas where we lack the skilled employees. They may, or may not, be able to deliver the program with their knowledge, we simply do not have enough information to see determine if this is a viable option. Even if they could, the questions said, "Best reason", which is the cost effective and knowledge we do not have internally.

Answer 47

Make a bit-level copy of the memory When we do forensics, we always work from MOST volatile to LEAST volatile, meaning we would start with the memory. We would never reboot the server, that would clear volatile memory and possibly any evidence. We would later do the bit-level copy of the hard drives and look at the logs, but we would examine the memory FIRST.

Answer 48

Do a self-assessment using the guidelines for that type of audit Doing a self-assessment would be the best way to prepare for the annual audit/review. We would also assign someone as liaison, look at the previous reports, and involve our legal department, but the question was BEST way.

Answer 49

Tuning it The most important thing when implementing a heuristic IDS is tuning it. If it is not tuned right, we would get a lot of false positives (permitted traffic is denied), and false negatives (malicious traffic is not detected). We would apply patches when they are released, but they are not the MOST important thing. Encryption and packet filtering in this case are distractors, they would not be appropriate.

Answer 50

Calculate the risk We should always base decisions on a risk analysis, even when we consider deviating from our security standards. After we do the risk analysis and the risk is calculated, we may choose to enforce the security standard, make changes to the proposed system change, or add mitigating controls, but we would need the risk analysis to determine if any of those are suitable. We would never just do any of them without the proper analysis.

Answer 51

Making sure the plans are accessible during a disaster If we move our BCP to an automated solution it is critical we are able to access it during a disaster. If we place it on our intranet it may not be available during a disaster. The other options are important, but not as critical as the availability of the plans during a disaster. We would want the correct versioning, if we do not have correct versioning staff may use old information making the disaster even worse. If the plan has web links, they should be accessible through alternative means, but again if we can't access the plan at all the web links are less important. Integrating the plan with an user authentication system with content-based access control is smart, users gets access to exactly what they need and no more, and we would want the system to give user access when new users join and remove access when employees leave our organization; all this is still secondary to the availability of the plan.

Answer 52

Data retention Data Retention: Data should not be kept beyond the period of usefulness or beyond the legal requirements (whichever is greater).

Answer 53

``` NIDS Only alert (intrusion detection) and DDOS would be network based, so NIDS. ```

Answer 54

X Review them | The security team would review the patches and approve them before the server team applies them.

Answer 55

Senior mgmt. Governance, This is C-level Executives. Stakeholder needs, conditions and options are evaluated to define: Balanced agreed-upon enterprise objectives to be achieved. Setting direction through prioritization and decision making. Monitoring performance and compliance against agreed-upon direction and objectives. Risk appetite – Aggressive, neutral, adverse.

Answer 56

A risk analysis matrix Qualitative Risk Analysis: This is vague, guessing, based on a feeling, and relatively quick to do. We add all our assets to a matrix and assign them values on "how likely is it to happen and how bad is it if it happens?" It is often done to know where to focus the Quantitative Risk Analysis.

Answer 57

Makes the traffic secure VPNs allow our staff to connect securely, because the traffic is encrypted in the VPN tunnel. We would want 2FA with the VPN, and we definitely do not want to remove it. We would not want to have less complex passwords, and VPN's may or may not reduce administrative overhead, for this question it is irrelevant.

Answer 58

Requirements development We need to start looking at encryption key management in the initiation or planning phase of the project, when we develop our project requirements. If we do not do it until programming, deployment or debugging, we are doing it after the fact, and it will be bolt-on security. It will never be as secure as security designed in as a functional requirement.

Answer 59

Feasibility We should address risk as early on in the project as possible, of the phases listed here that would be feasibility. In the programming or the user testing phase is way too late, if the feasibility phase was not an option, then we would do it in specifications, but feasibility is much better.

Answer 60

NAT (Network Address Translation) NAT is the only option that may help us against external security threats. Local IP addresses are not routable. Using static Is would really do nothing, background checks would be for our internal employees, and the WORM media may prevent the attacker from deleting the logs, it will do nothing to protect us against attackers.

Answer 61

X Critical path We would look at the critical path to determine how long a project would take to complete. The critical path is the longest distance between the start and the finish of your project, including all the tasks, their duration, which gives you a clear picture of the project's actual schedule. We would use SWOT analysis to determine our strengths, weaknesses, opportunities, and threats. The Gannt chart is used to estimate required resources and resource allocation, as well as task sequencing. Ideal path is not a project management term.

Answer 62

COO As the CISO of our organization, you should ideally report as high up in the organization as possible. That would at best be the CEO but given the options in the question the COO (Chief Operations Officer) would be the best choice.

Answer 63

2FA (Two-factor authentication) 2FA would make it the MOST secure, the user would most likely use Type 1 and Type 2 authentication (something you know and something you have). The IDS would detect attacks, but not attackers pretending to be authorized users. Challenge response would make the connection more secure, but 2FA is much more secure. SSO makes it easier for users but does nothing for user authentication.

Answer 64

X List of actionable items on how to mitigate risks All of these are important deliverables of our risk analysis, but the MOST important is the actionable items we can do to mitigate our risk to an acceptable level. We use the BIA to determine mitigations, the process owners need to know they are responsible for their risks, and we want the clear quantification of organizational risks, but they are all secondary to the actionable items we need to minimize our risks to acceptable levels.

Answer 65

Send the message using PKI The MOST secure way to send messages today based on the answer options would be using (PKI) Public Key Infrastructure. Hashing would not make it secure, that would just provide integrity checks. Password protected portable media would be secure, but nowhere near as secure as using PKI. Steganography is hiding a message in an image or audio file; it is mostly security through obscurity.

Answer 66

X Very strong key storage We would want a very strong key storage, if the attackers can get to our encryption keys, most of the other security measures are irrelevant. Most encryption today is strong enough to not be breakable with current technologies, making it stronger does often not make it significantly more secure. Complex firewall rules do not mean more secure, and in this example is a distractor. We would want user authentication in all applications, but not relevant for this question.

Answer 67

X Minimize residual risk Of the answer options the PRIMARY goal of our risk management program is to minimize our residual risk. We can never eliminate business risk completely. We may not be able to minimize inherent risk. We want to implement effective controls, but we do that to minimize residual risk.

Answer 68

Criteria for escalation Our incident response policy is like any other policies high-level and vague. It would have the criteria for escalation; who can do it and when can they do it, what has to have happened? It would not contain call trees, press releases or specific backup information.

Answer 69

Technical The technical requirements are the lowest priority, technology is there to enable the business requirements, and often we adhere to regulations and privacy requirements and make them part of our business requirements.

Answer 70

Input field restrictions Adding input field restrictions would be the best way to protect against SQL injections. We would only allow the needed amount of characters for names, phone numbers, social security numbers and drop-down menus for country and state. Only certain characters would be allowed. We want proper change control, but it does not directly help with SQL injections. The IPS for protecting against other types of attacks. We would have referential integrity checks on our SQL, but that is a backend check we perform to optimize and remove data errors from the SQL database.

Answer 71

It is part of our management's due diligence The primary reason for implementing a risk management program is for our management to do their due diligence. Being in compliance with regulatory requirements is important, but not the primary reason. The program may provide a positive ROI, but that is not the purpose. It is impossible to eliminate risks completely; we can however manage them to an acceptable level.

Answer 72

X Rewards and competitions for users and business units who are able to act on the infosec awareness training Rewarding employees for good behavior is much more effective than punishing them for bad behavior. Highlighting the competitions and getting different business units to compete with each other is a great way for employees to keep each other accountable for good Information Security practices. Warnings, locking accounts, and reports sent to the managers may be needed, but it should never be the first or second course of action.

Answer 73

Transference The BEST mitigation to recommend senior management would be risk transference (We buy flooding insurance). Senior management were clear, they did not want risk acceptance, they wanted to mitigate. Risk rejection is knowing the risk is there but ignoring it (never OK). Senior management did also not want risk avoidance, we could have done that by not building the data center in the area that is prone to flooding.

Answer 74

Authorize changes The PRIMARY reason for the change control process is for us to approve and authorize changes to our environment. It is secondary that the changes are applied, documented and tested. Those 3 are still important, but they are not the primary reason for change control.

Answer 75

Multifactor auth Multifactor authentication would be the BEST type of access control to implement for mobile users. In this case we would most likely use Type 1 (Something you know), and Type 2 (something you have) authentication here. That could be username/password and a security token. Data encryption, digital signature, and strong passwords would help with the security posture, but multifactor authentication would be BEST.

Answer 76

Support the business objectives The business objectives of our organization are always the most important consideration, that is what everything else is there to enable. The security metrics, goals, performance monitoring, and training and awareness are all there to support the business objectives. Legal and regulatory requirement are important and often part policies and procedures, but they are still not the primary goal of our Information Security strategy.

Answer 77

Confidentiality and non-repudiation Encrypting with the receiver's public key gives us confidentiality, because only they can decrypt the message. Encrypting with the sender's private key gives us non-repudiation. Remember the public key can decrypt the private key for either user or vice versa. Since the receiver has their own private key and the sender's public key, they can decrypt the entire message.

Answer 78

Role-based access control If we want staff rotation, cross training and minimize the risk of fraud, the type of access control that is best for that would be role-based access control. Here rights are assigned based on job role, and as part of that we can use job rotation and mandatory vacations to cross train and lower the risk of fraud. Discretionary access control is based on the data owner's discretion and does nothing for what we are trying to do here. The same goes for rule-based access control, that is what our older firewalls use, IF this, THEN that.

Answer 79

Acquisition of a competing org Acquiring a competing organization would have the largest impact on Information Security impact. We would need to integrate their staff, hardware, software, and everything else they have into our organization. We need to ensure everything in their organization is at the same high level of security standards as we have. This can often take months or years to ensure they are as secure as we are, and first then would we possibly connect the networks. Building a new office, moving a data center or upgrading our firewalls would still have Information Security impacts, but we already have procedures and policies in place to deal with events such as these.

Answer 80

Security awareness For us to implement our password policies in the MOST effective way, we would need to raise user awareness about Information Security and proper password complexity and why we do it. Audits and penalizing employees can help, but them understanding how to do it right and why we do it is much more efficient. Single sign on (SSO) would make access to systems easier for users, but it also comes with some inherent security issues.

Answer 81

Gray box If the penetration tester has an internal regular user account/knowledge, they are conducting a gray box penetration test. Black box would be no knowledge or access. White box would be administrator access and detailed knowledge of our network. There is no blue box penetration testing, we do however use red and blue team in testing. Red team are the attackers and blue team the defenders.

Answer 82

User awareness training The best protection against any type of phishing (normal, spear, whale, vishing) is user awareness training. We would also implement the email filtering, and it would help, but it is less effective than user awareness. Limiting emails to the internal network would not do anything to prevent phishing, neither would firewall filtering.

Answer 83

Number of security incidents reported If our staff is trained sufficiently, and we have raised their awareness, we would see an increase of reported security incidents. While this may at first seem counter intuitive, we see the increase because our staff understands what to report to us. Before we raised their awareness, we would have less reports because they did not know what to report to us. Password resets and failed login attempts would not be an effective metric in measuring our awareness training, users still forget passwords or enter credentials incorrectly. The number of resolved security incidences does not have to correlate to the raised awareness.

Answer 84

Accept When the cost of mitigation is higher than the benefit, we should recommend risk acceptance. We want exactly enough Information Security, no more, no less, and the decision is based on cost vs. benefit. We would never reject a risk, that is us knowing it is there and doing nothing, in this case we already did the analysis, so we are past that point. Risk transference and mitigation makes little sense here, we already determined it was not cost effective to do any other risk responses.

Answer 85

Consider the size and likelihood of the loss In our risk analysis, we would look at the size and likelihood of a loss, we need to quantify it to design appropriate countermeasures. What similar organizations do is to us unimportant, every environment is unique. We would never give the same protection profile to all our assets, they are not created equally, we need to give them the protection profile that matches what we discovered in the risk analysis. The potential size of the loss is always more important than how likely the incident is to happen. Us losing $1,000,000 in one incident is much worse than us having 100 incidences costing us $10.

Answer 86

``` X The system hw is restored The RTO (Recovery time objective) is when we have restored the system hardware. Us getting the system back into production is the MTD (Maximum Tolerable Downtime). When the system is completely offline is a distractor, and when the system software is restored is the WRT (Work Recovery Time). The maximum amount of time we can be down, must not exceed the time it takes us to rebuild the hardware, install the software and test the system (MTD ≥ RTO + WRT). ```

Answer 87

Residual risk is minimized Successful risk management is when our residual risk is minimized to an acceptable level. We would our overall risk quantified, but only so we can minimize it. We can't eliminate inherent risk and we never want to maximize our risk.

Answer 88

It can contain hidden data Slack space is leftover space from when a file does not need the entire cluster for the data it is storing. The slack space is whatever is left over of the cluster, it may contain old data, or can be used intentionally by attackers to hide information. The slack space could technically contain login information or log files, but hidden data is MORE correct. Sectors can contain slack space, not the other way around.

Answer 89

Meet with the data owner to understand the business need The Information Security manager should meet with the data owner to understand the business needs, and why an entire department has access. There may be a good reason for it, we just need to ensure it is there. We would never restrict access without investigation. We may later want to change the access right policies, but we would advise, and senior management would decide. If we find access is being granted incorrectly or without proper security, we may review the procedures, but not at this stage.

Answer 90

Refer security risks back to the key business objectives It is always important to speak to senior management in a language they understand, we need to tie what we do back to the goals, the vision and mission of the business. We can also use cost/benefit analysis, ROI or other big picture terms they are used to. As Information Security managers/CISOs we need to be the translating link between Senior management and the techies. If we start talking about successful attacks, technical risks, or security best practices, that is not information they can relate to. We need to talk their language.

Answer 91

Systems are vulnerable to any new viruses found between updates Signatures should not be updated only once a week; the update schedule should be much more aggressive. If we only update once a week, we would be vulnerable to new viruses for up to 7 days. Even if we do minor or major changes over the weekend, we would still have users, testers, and helpdesk if needed available after the change, in the case of antivirus however it is critical we push updates either as soon as they are released or shortly after we test them in our test environment.

Answer 92

X Security architecture Our minimum standards for securing our IT infrastructure would be defined in our security architecture document. Our strategy would be our high-level plans and visions, the security guidelines are suggestions, and we would use publications to educate ourselves or others.

Answer 93

X It is required by regulatory compliance Regulatory can be something that would force us to update our Information Security governance without any further justification. Being aligned with best practices is nice but would need further justification. BCP and it benefitting us financially would be drivers, but they would on their own not make us update governance without further justification.

Answer 94

Annually or whenever we have significant change The risks to our organization change all the time, we should at least do risk assessments every year or whenever there is a significant change, that can be to both our organization and outside influences. External auditors would not do risk assessments, they would do audits. Doing assessments every quarter may be too aggressive, we do not have enough information in the question to justify it, and annually for each business unit may not be enough if there are significant changes.

Answer 95

X Isolate the affected network segments We would isolate the affected networking segments FIRST, we need to contain the attack and ensure it does not spread. The rest of our network can keep functioning, but with heightened monitoring. We would never just shut off all external access, we would segment FIRST, and only as a very last resort shut external access. Logging should already be enabled, and it should write to a centralized logging server as well as WORM media. During an attack we have more important things to worry about than enabling logging, it should have been done when we moved the system into our production environment.

Answer 96

Assess our current business strategy Everything we do in Information Security refers back to the business goals and strategy. Since the question was what we do FIRST when developing an IS plan, we need to know the business strategy, goals and vision. The BIA, vulnerabilities and awareness is something we would look at much later.

Answer 97

X An assessment of our system to determine their status We would FIRST do an assessment to determine the status of our systems. We would not isolate the subnets, that would be done during the attack and not after as the question asked. Restoring systems would make no sense, this was a DDOS attack, no servers should have been compromised other than their availability. We would do an impact analysis of the attack, but it is definitely not what we would do FIRST.

Answer 98

Aligned with business strategy Any planning for information security should be properly aligned with the needs of the business. We would possibly update it when significant changes happen, but not make it agile, it should align with the plan for all of IT, because it should be aligned with the business plan. It is also normal to use tech refresh cycles for all of IT, but it is not the most thing in our strategic Information Security plan.

Answer 99

Data owner John should notify the data owner FIRST. They can with our help determine how bad the damage is, and with the incident response team determine the appropriate corrective actions. We will later inform the steering committee, the customers and the regulatory agencies, if it is appropriate based on our internal policies and the regulations and laws we need to adhere to.

Answer 100

X How we handle notifications Our privacy policies have to have notifications and opt-out provisions. Policies are high level directions, they would most often not address warranties, the area they cover or our liabilities. Also, keyword MOST.

Answer 101

Policies We would very rarely change our policies due to technology changes; they are the very high-level documents that we use to build the more specific, and at times technical procedures, standards and guidelines. We would update our procedures, standards, and guidelines to reflect technology changes.

Answer 102

Ensure appropriate controls are included When our organization signs contracts with other entities, we need to ensure that the proper security controls are in place. Some contracts would have confidential information included, we can't eliminate it completely, but we should limit it to what is strictly needed. We would possibly also reserve the right to audit, but not always, and it is less important than the security controls. If both parties can fulfil their obligations is important, but it is rarely a security concern.

Answer 103

Calculating the ROI Our business cases and ultimately our Information Security decisions and purchasing should be based on the ROI (Return on investment). We would use how it could help us mitigate, and the cost of the control failures as part of the ROI calculation, but they in themselves is not what we base our decisions on. What other similar organizations spend is a benchmark, but also not something we would make decisions on, every organization is unique.

Answer 104

Identify data owners It is MOST important that we know who all the data owners are, they would know how to classify their information. We would classify the data and do a risk assessment, but we need the data owners for that. Job roles is a distractor and has nothing to do with the question.

Answer 105

Good termination procedures The only one of these that would possibly protect us against former employees would be the good termination procedures. We would obviously still do the background checks, monitoring of activity, and possibly the non-compete clause, but all those are done before or during employment, not after.

Answer 106

Missing patches We do vulnerability assessments to find known vulnerabilities on our network, that could often be missing patches, misconfigurations, open default ports or user accounts and passwords. 0-day are unknown, malware would be found with antivirus and antimalware and security design flaws would be found it we did an architectural audit.

Answer 107

Do a risk analysis We would not just change standards or refuse the new technology without proper risk analysis. We do that first and depending on the risk analysis we may recommend to senior management that we change the standard, or we enforce the standard. Research better technology may also be a compromise, but it would happen after the risk analysis.

Answer 108

Reconnaissance Reconnaissance is one of the phases of an attack or penetration testing, it is not a form of social engineering. Vishing (voice phishing), authority, and scarcity are all types of social engineering.

Answer 109

Reduce human risk The primary purpose of security training is to raise staff awareness and reduce the risk that staff poses. Most often the biggest security risk is our employees, and training and awareness can help with that. We do also need to be in compliance with training and we need our staff to know how to react in a security incidence, but for this it is a secondary objective.

Answer 110

Infosec risks often change The threat landscape is constantly changing and with that the risk we have to protect against. While previous risk assessments may not be accurate it is not the MOST important reason to do it, neither would optimizing, that is an added bonus. We would never do a risk assessment just to prove we are needed, we do that by giving valuable information that senior management can act on.

Answer 111

X Regular testing of the incident response plan The best way to improve on incident performance and consistent employee responses would be to test the plan. Testing the IDS/IPS is good to do but would have done nothing in this situation. A review of the incident procedures may have helped, but the testing is much more efficient. Us making mandatory Information Security training is also good but would not have done anything in this case.

Answer 112

Mail relays We would place our mail relay in the DMZ, it is a simple mail server that accepts emails, and filter them based on a pre-defined set of criteria, then delivers the emails to another server. Our routers and firewalls would not be in the DMZ, but they may be on the edge of it. Authentication servers would keep behind the DMZ in our internal network.

Answer 113

Containment Our first priority should always be containment, we need to stop the attack from propagating through our network. Monitoring should already be in place. Documentation is done in our lessons learned after the attack. Restoration is done when the attack is contained, and we have determined how and what was compromised. We fix the flaws and then restore systems and system access.

Answer 114

What percent of our control objectives we have achieved Our control objectives relate to our business objectives, making then the best metric. Everything we do should tie back to our business vision, mission and objectives. How many controls we have implemented, the percentage of our policy compliance and reduction in incidences are all indicators, but control objectives achieved is the better answer.

Answer 115

Cost of additional mitigation compared to the benefit We should always choose to reduce risk by implementing new countermeasures all the way until the cost of the mitigation is higher than mitigation benefit. We would use the TCO, the asset value and the business impact in our analysis, but they would not be of the GREATEST importance, they would be contributing factors.

Answer 116

Senior management buy-in The MOST important thing in the success of our information security program is senior managements buy-in. The other answer options are secondary to senior management. We would need the awareness training, the achievable goals and objectives, and initial budget and staff, but they are less important. If we do not have the buy-in from senior management, we are less likely to succeed.

Answer 117

Set automatic expiration dates Before the contractor or temporary employee starts, we would know how long their contract is set for. We would use that and set automatic expiration dates on their access. If the contract is extended, the overseeing manager would request an extension (with a new automatic expiration). Requesting the overseeing manager to send an email when the contractor is done, will often not happen, automation is always better than remembering. We may send the audit and have the contractors sign and NDA, but neither of those would help with access removal, once the contract is completed.

Answer 118

Validate the patch to ensure it is authentic We FIRST need to confirm it is a real patch from the actual company that made the software. We do this before anything else. If we confirm it is from the company that made the software and it is critical, we would do proper change management, and if the patch was approved, we would deploy to our test environment first. If no issues we would either do another change management or deploy to production. It is very unlikely we would do (or be able to) do any code review of a patch.

Answer 119

Pick which order we would work on security initiatives The steering committee would prioritize our security efforts. They are the high-level governance over Information Security. It would be the IT manager and team that would interview technical Information Security personnel, they would also develop the awareness program. The approval for user access to any system would be approved by the data owner.

Answer 120

X Mandatory access control If we want to ensure no file sharing with unauthorized users, we would use MAC (Mandatory Access Control). Users without proper access would not be able to access the files, and other users with the proper access can't share them. File sharing with unauthorized users is possible with DAC (Discretionary access control), RBAC (Role-based access control), ABAC (Attribute-based access control).

Answer 121

X High FRR (False rejection rate) For areas that are considered critical or high security, we would want a higher than normal FRR (False rejection rate). This means that we may reject slightly more authorized employees, but it is worth it because we also get a lot less FAR (False accept rate) errors. Lower or exactly at the CER (Crossover Error Rate), we would want for normal security areas, but for not for areas that are high or critical security.

Answer 122

How easy it is to maintain and how often signature updates are released It is MOST important that the antivirus software's signatures are updated frequently, and it is easy to use. How often the software vendor releases major updates is irrelevant, so is their feature roadmap. The antivirus solution should work with our other security hardware and software, but in most places, they would report back to our SIEM, and their interrelationship is secondary to the signature release frequency. The TCO is important, but again not as important as how often they update their signatures. Market share could be an indicator but is never a deciding factor.

Answer 123

X Vulnerabilities When we implement more restrictive preventative controls, that would reduce our vulnerabilities. The threats would still be there, we would just not be susceptible to those specific threats. Our loss or the likelihood of an incident may or may not be reduced, but it is not what PRIMARILY would be affected.

Answer 124

Guidelines Our policies, procedures and standards are mandatory, making them non-discretionary. The guidelines are recommendations on how to do a certain task and we would use those in making our practices, they are discretionary. A way to remember it, is if it has "line" in it, it is discretionary (baseline, guideline)

Answer 125

X Its adherence to our policies Having a centralized information security management system will give us more predictable results and it will allow us to follow our policies much easier. Centralized systems are often cheaper than decentralized, but they are often less aligned with business unit's needs, since we apply the same posture across the entire enterprise.

Answer 126

Establish baseline standards for all locations and then add additional standards for locations that require more security It is most efficient to make a standard baseline and add additional standards to locations that need higher security. It could be an issue if we implemented the maximum standards in every location, best practices are nice, but we have no clue if they would be enough, and just implementing what every location has in common is never enough.

Answer 127

After significant system changes If we have significant changes to our environment, we would most likely want to do a penetration test. The changes could easily have introduced new vulnerabilities. After an audit, we would fix the vulnerabilities they found and then maybe do a penetration test, but not right after. The same with the intrusion, we would fix any issues and then maybe do a penetration test. High staff turnover in itself is not a reason for a penetration test.

Answer 128

PKI When we use PKI (Public Key Infrastructure), we can get message integrity, sender authentication, and non-repudiation. If we used symmetric encryption, we would get confidentiality, hashing can provide integrity and confidentiality, and linear crypt analysis is a form of breaking the encryption, not applying it.

Answer 129

Add IPSs Of the options here the IPS (Intrusion Prevention System) would have the greatest chance of stopping an SQL injection attack. The IDS and HIDS both detect and possibly alert, they do not prevent anything. SQL injection attacks happen on OSI layer 7, meaning a host-based firewall would not check the packets on the application layer.

Answer 130

Business process owner The business process owner should assign the recovery times and cost estimates, they have the most in-depth knowledge about the system or application and the impacts of an outage. The BCP coordinator would coordinate our efforts in an incident or disaster. The Information Security manager is there to make sure we follow the plans and the steering committee would prioritize the systems and applications, but neither the Information Security manager or the steering committee has the in-depth knowledge needed to assign the recovery times and cost estimates.

Answer 131

Make an asset inventory We first need to have a complete asset inventory before we can do any of the other options. If we don't know what all our assets are, how can we classify, evaluate risks or determine ownership of them?

Answer 132

Start using application firewalls Application layer firewalls are on the 7th OSI Layer. The key benefit of application layer firewalls is that they can understand certain applications and protocols. They see the entire packet; the packet isn't decrypted until layer 6; any other firewall can only inspect the packet, but not the payload. They can detect if an unwanted application or service is attempting to bypass the firewall using a protocol on an allowed port, or detect if a protocol is being used any malicious way.

Answer 133

To pick and choose which parts of the standard or framework we went to implement Scoping is determining which portion of a standard we will deploy in our organization. We take the portions of the standard that we want or that apply to our industry, and determine what is in scope and what is out of scope for us.

Answer 134

Notify the org immediately The tester should never act or fix anything on our network, if they notice an attack they need to let us know right away so we can act on it.

Answer 135

Password and username Multifactor authentication uses authentication from more than one factor (something you know, are or have). Passwords and usernames are not multifactor, they are both knowledge factors.

Answer 136

X Non-specific but can contain patches, updates, strong encryption Policies – Mandatory: High level, non-specific. They can contain “Patches, Updates, strong encryption”, they will not be specific to “OS, Encryption type, Vendor Technology”