Practice tests Flashcards

1
Q
Who in our organization would be the BEST person to set the RPO (Recovery Point Objective) for our business applications?
InfoSec Manager
COO
Internal Audit Manager
Business continuity coordinator
A

COO
Of the people listed, the COO is best suited to set the RPO. Ideally the data owner sets it, but of the roles offered the COO is closest to that role: they own the business processes the applications support and can say how much data loss the business can tolerate. The information security manager, the internal audit manager and the business continuity coordinator advise on and coordinate the process, but they should not decide the RPO for business applications.

2
Q
Which of these would be an indicator that we need to take a look at our change request procedures?
A lot of emergency change requests
A lot of postponed change requests
A lot of similar change requests
A lot of canceled change requests
A

A lot of emergency change requests
A large number of emergency change requests is the signal to review our change procedures and processes. Emergency changes will happen, but they should be the exception, not the rule, because with an emergency change we rarely have the time to test properly or to complete the normal review and approval. Postponed, canceled, or similar change requests are what we expect to see from a functioning process: changes are being reviewed, reprioritized, and consolidated rather than pushed through.

3
Q
Who in our organization is responsible for us being in compliance with the legal and regulatory requirements for our line of business?
CISO
Chief Legal Counsel (CLC)
Infosec steering committee
Board of directors and senior mgmt
A

Board of directors and senior mgmt
The board of directors and senior management are always ultimately responsible (and liable) for compliance. The steering committee chooses which information security measures we implement, and the CISO and the Chief Legal Counsel have delegated responsibilities, but accountability sits with the board and senior management, which makes that the MORE correct answer.

4
Q

With how rapidly Information Security is evolving we often need to update our documentation, standards, and procedures. Which of these would we update MOST often?
Server hardening procedures
Standards for password complexity
Standards for data retention and destruction
Policies for Infosec governance

A

Server hardening procedures
We would update our server hardening procedures MOST often; they have to track new patches, configuration baselines, and newly discovered vulnerabilities. Standards (password complexity, data retention and destruction) change less often, and governance policies least often of all, because they are high level and tied to the organization's direction rather than to specific technology.

5
Q

Why is it important to classify and determine the sensitivity of our assets?
Ensure very sensitive assets are protected
Ensure the cost of controls is minimized
Cost of protections should be proportionate with the sensitivity of the asset
Ensure countermeasures are appropriate to the risk

A

Ensure countermeasures are appropriate to the risk
We classify assets and determine their sensitivity so that the countermeasures we implement are appropriate to the risk. Basing the cost of protection on sensitivity alone misses half the picture: cost should follow risk, which combines the asset's value and sensitivity with the threats and vulnerabilities it faces. We naturally want sensitive assets protected and control costs kept reasonable, but those are outcomes of the classification, not the reason we do it.

6
Q
What would be BEST protection against data loss from a stolen laptop?
Strong passwords
Multifactor authentication
Encrypted hard drives
Real time network backups
A

Encrypted hard drives
Full-disk encryption is the best protection against data loss from a stolen laptop: without the key, the data on the drive is unreadable. A strong login password does not protect data at rest; an attacker with physical possession can boot from other media or move the drive into another computer and read it directly, which also bypasses multifactor authentication on the operating system login. Backups give us a copy of the data but do nothing to keep the stolen copy confidential.

7
Q
We are deploying VPN (Virtual Private Network) access for our remote employees. As part of the project requirements we need to ensure we have strong authentication. Which of these is the STRONGEST authentication method available?
Biometric readers
SSL (Secure Socket Layer) authentication
Symmetric encryption
2FA (2-factor authentication)
A
2FA (2-factor authentication)
2FA (2-factor authentication) is the strongest of the options. It means authenticating with two different factor types: something you know (type 1, e.g. a password), something you have (type 2, e.g. a hardware token or authenticator app), or something you are (type 3, biometrics). Symmetric encryption is not an authentication method, and SSL/TLS normally authenticates the server to the client rather than the remote user. Biometrics is a single factor; on its own it is not as strong as combining two factors.
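Added example (not part of the flashcard deck): a VPN login check that requires both factor types from the card, a password (something you know) and a TOTP code from an authenticator app (something you have). The user record, salt and password are constructed for the example; the TOTP seed is the RFC 6238 test-vector secret so the codes can be checked against the RFC tables. Salted SHA-256 stands in for the slow password hash a real deployment would use.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Constructed credential record for one VPN user: a salted password hash
// (factor 1, something you know) and a TOTP seed enrolled in an authenticator
// app (factor 2, something you have). The seed is the RFC 6238 test-vector
// secret so the codes can be checked against the RFC tables.
// A real deployment would hash the password with a slow KDF (bcrypt, scrypt,
// Argon2); salted SHA-256 is used here only to keep the example dependency-free.
var (
	demoSalt         = []byte("constructed-demo-salt")
	demoPasswordHash = hashPassword("correct horse battery staple", demoSalt)
	demoTOTPSecret   = []byte("12345678901234567890")
)

func hashPassword(pw string, salt []byte) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), pw...))
}

// totp computes an RFC 6238 code: HMAC-SHA1 over the 30-second time step,
// dynamically truncated to 6 decimal digits.
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// verifyFactor2 accepts the code for the current step or the previous one, so a
// user who types the code just as it rolls over is not rejected. The comparison
// is constant-time so the check does not leak how many digits matched.
func verifyFactor2(secret []byte, code string, now int64) bool {
	ok := false
	for _, t := range []int64{now, now - 30} {
		if subtle.ConstantTimeCompare([]byte(totp(secret, t)), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

// login succeeds only when BOTH factors check out. Both checks always run, so
// response timing does not tell an attacker which factor was wrong.
func login(password, code string, now int64) bool {
	h := hashPassword(password, demoSalt)
	factor1 := subtle.ConstantTimeCompare(h[:], demoPasswordHash[:]) == 1
	factor2 := verifyFactor2(demoTOTPSecret, code, now)
	return factor1 && factor2
}

func main() {
	now := time.Now().Unix()
	code := totp(demoTOTPSecret, now) // what the authenticator app shows right now
	fmt.Println("password only :", login("correct horse battery staple", "000000", now))
	fmt.Println("code only     :", login("wrong password", code, now))
	fmt.Println("both factors  :", login("correct horse battery staple", code, now))
}
```

The point the card makes is visible in the last three lines: knowing the password alone, or holding the phone alone, is not enough. Note that a TOTP seed is itself a shared secret stored on the server, so the server-side secret store needs the same protection as the password database.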
8
Q

We use both IDSs (Intrusion Detection Systems) and IPSs (Intrusion Prevention Systems) in our environment. What is the MAIN purpose of the IDSs?
To alert on true negatives
To identify potential attacks on our internal network
To block traffic seen as malicious
To identify network misconfigurations

A

To identify potential attacks on our internal network
IDSs (Intrusion Detection Systems) are detection systems; they observe and alert but do not act, and their MAIN purpose is to identify potential attacks on our internal network. Blocking malicious traffic is the job of an IPS (Intrusion Prevention System). Misconfigurations are found with vulnerability scanners and configuration audits, not IDSs. An IDS alerts on “True Positives” (an attack is happening and the system detected it, which is what we want) and on “False Positives” (normal traffic the system classifies as malicious, which is what we tune out). It does not alert on “True Negatives”: normal traffic the system correctly sees as normal generates no alert at all.
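Added example (not part of the flashcard deck): a minimal signature-based IDS run over a constructed web-server access log. Each log line carries a ground-truth label the example uses only to score itself, so the four outcomes the card describes (true positive, false positive, true negative, false negative) can be counted and it becomes visible which of them actually produce an alert. The log lines, the rules and the source addresses are all made up for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// One constructed web-server access log entry. The malicious flag is ground
// truth that a real IDS never has; it is here only so the example can score
// its own alerts.
type logLine struct {
	src       string
	request   string
	malicious bool
}

var sampleLog = []logLine{
	{"10.0.0.5", "GET /index.html", false},
	{"10.0.0.9", "GET /search?q=' OR '1'='1", true},
	{"10.0.0.7", "GET /login?user=admin&pass=admin", false},
	{"203.0.113.4", "GET /cgi-bin/../../../../etc/passwd", true},
	{"10.0.0.5", "GET /docs/select-statement.html", false}, // benign, but trips the sqli rule
	{"198.51.100.2", "POST /upload <script>alert(1)</script>", true},
	{"10.0.0.8", "GET /api/status", false},
	{"198.51.100.9", "GET /index.php?cmd=;cat+/etc/shadow", true},
	{"10.0.0.3", "GET /reports/union-contract.pdf", false}, // benign, but trips the sqli rule
	{"192.0.2.77", "GET /.git/config", true},               // recon that no rule below covers
}

// Signature rules. The sqli rule is deliberately over-broad (bare "union" and
// "select" tokens) to show where false positives come from.
type rule struct {
	name    string
	pattern *regexp.Regexp
}

var rules = []rule{
	{"sqli", regexp.MustCompile(`(?i)('\s*or\s*'|\bunion\b|\bselect\b)`)},
	{"traversal", regexp.MustCompile(`\.\./`)},
	{"xss", regexp.MustCompile(`(?i)<script`)},
	{"cmdinj", regexp.MustCompile(`[;|]\s*(cat|ls|id|wget|curl)\b`)},
}

// detect returns the name of the first rule that matches, if any. A detection
// system stops here: it raises an alert and never blocks the request.
func detect(request string) (string, bool) {
	for _, r := range rules {
		if r.pattern.MatchString(request) {
			return r.name, true
		}
	}
	return "", false
}

// outcome is the confusion matrix for a run over labelled traffic.
type outcome struct{ TP, FP, TN, FN int }

// score runs the rules over the log and classifies each line. Only TP and FP
// produce alerts; TN and FN are silent, which is why an IDS can never report
// true negatives and why missed attacks (FN) are only found some other way.
func score(lines []logLine) (outcome, []string) {
	var o outcome
	var alerts []string
	for _, l := range lines {
		name, hit := detect(l.request)
		switch {
		case hit && l.malicious:
			o.TP++
			alerts = append(alerts, fmt.Sprintf("ALERT %-9s src=%-13s %q", name, l.src, l.request))
		case hit && !l.malicious:
			o.FP++
			alerts = append(alerts, fmt.Sprintf("ALERT %-9s src=%-13s %q  (false positive)", name, l.src, l.request))
		case !hit && l.malicious:
			o.FN++ // missed attack: no alert, nothing to tune from
		default:
			o.TN++ // normal traffic correctly ignored: no alert
		}
	}
	return o, alerts
}

// detectionRate is TP/(TP+FN); precision is TP/(TP+FP). Both are needed: a
// rule set that alerts on everything has a perfect detection rate and is useless.
func detectionRate(o outcome) float64 { return float64(o.TP) / float64(o.TP+o.FN) }
func precision(o outcome) float64     { return float64(o.TP) / float64(o.TP+o.FP) }

func main() {
	o, alerts := score(sampleLog)
	for _, a := range alerts {
		fmt.Println(a)
	}
	fmt.Printf("TP=%d FP=%d TN=%d FN=%d  detection=%.2f precision=%.2f\n",
		o.TP, o.FP, o.TN, o.FN, detectionRate(o), precision(o))
}
```

Running it prints six alerts (four real attacks and two benign requests that match the over-broad sqli tokens) and no output at all for the three true negatives or for the missed `.git/config` probe; that missed request is the reason detection rate has to be measured against a source other than the IDS's own alerts.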

9
Q
Which type of access control is the MOST efficient?
Centralized
Decentralized
Discretionary
Role-based
A

Role-based
Role-based access control is the most efficient option offered. Access is assigned to job roles rather than to individuals, so onboarding, transfers, and offboarding become a change of role membership, which reduces administrative overhead. Decentralized administration requires more overhead, as does discretionary access control, where each data owner grants access at their own discretion. Centralized access control is more efficient than decentralized, but the question gives no detail on how it would be administered, so role-based is the better answer.

10
Q

Bassam is using GAP analysis to prepare for a board meeting presentation. Which of these MOST accurately describes a GAP analysis?
Analysis of current state versus desired state
Analysis of our control objectives to ensure they align with business goals
Evaluating the BIA (business impact analysis) to make sure it is aligned with our business goals
Analysis of what we as an org are good at, to see if we can use that to our advantage

A

Analysis of current state versus desired state
A GAP analysis maps our current state against our desired state, and from that gap we plan the actionable steps needed to get from one to the other. The BIA analyzes the impact of a particular incident or outage. Analyzing what we as an organization are good at is a SWOT analysis. Control objectives should of course align with business objectives, but that is not what a GAP analysis is.

11
Q
Which of these could be MOST effective against internal threats to our confidential information?
Defense in depth
A privacy policy
Role-based access control
Monitoring of our audit trails
A

Role-based access control
Of the options available here, role-based access control protects our confidential information from internal threats BEST, because insiders only get the access their role needs. A privacy policy is a statement of intent, not a control against misuse; defense in depth is mostly aimed at outside attackers; and monitoring of audit trails is a detective control that tells us about misuse after the fact.

12
Q

Our credit card database has been compromised; what should we do FIRST?
Verify there was an incident
Notify the data owner
Notify the Infosec steering committee
Start containment and network segmentation

A

Verify there was an incident
Our first step is to confirm that the incident actually happened; what looks like a compromise may be a false positive (normal activity flagged as malicious). Once it is confirmed, we contain and segment, and we notify the data owner and leadership. The sequence matters: containing or escalating a non-incident wastes resources and credibility, and for a real incident confirmation is quick and containment is still the very next step.

13
Q
We are a large multinational organization with offices in Europe, the US, Asia, Australia, Russia and Africa. Which type of information would we expect to have the LOWEST level of security protection?
Previous financial results
Strategic plan
Upcoming financial results
Customer PII
A

Previous financial results
Our previous financial results would have the LOWEST level of protection; for a publicly listed company they have already been published. Exposing our strategic plan, our upcoming (unreleased) financial results, or customer PII would cause real harm, and in the jurisdictions listed, customer PII is also subject to privacy regulation.

14
Q
A new regulatory requirement has been published for our industry. It looks like the implementation cost will be very high. What should you as the Information Security manager do FIRST?
Implement immediate countermeasures
Implement compensating controls
Start an Infosec steering committee
Do a gap analysis
A

Do a gap analysis
We would start with a GAP analysis: what is our current state, what state does the new regulation require, and how do we get from one to the other? The steering committee chooses which initiatives we move forward with, but that is not a FIRST step, and the committee should already exist. Compensating controls may come later, once we know where the gaps are. We cannot sensibly implement immediate countermeasures before the analysis tells us what is needed.

15
Q
Who would be responsible in our organization for classifying our information?
Data owner
CISO
DB administrator
Data custodian
A

Data owner
The data owner is always responsible for classifying the data; they know best how sensitive (or not) their data is. The data custodian does the practical work (patching, backups, applying the required security controls) but never classifies. The CISO and the DBA are not appropriate for assigning sensitivity; they may have no knowledge of what the data is or how sensitive it is.

16
Q
In order to mitigate newly discovered security vulnerabilities in an operating system, we would use which of these processes to address the vulnerability in a timely manner?
Patch mgmt
Security vulnerability mgmt
Change mgmt
Server mgmt
A

Patch mgmt
We would use patch management to address newly discovered operating system vulnerabilities in a timely manner. Change management is the control process that ensures changes to our environment are planned, tested, and implemented properly; patch management operates within it. Server management covers everything about the server, and security vulnerability management covers vulnerabilities in general (patch management is one part of it), but patch management is the MORE precise answer for fixing an OS vulnerability.

17
Q

Which of these would be the MOST important for our security policies to do?
Be in clear and easily understood language
Be tailored to each business unit
Have verbiage about our network vulnerabilities
Address the process for communication internally and externally during a security incident.

A

Be in clear and easily understood language
Our security policies should be clear and easy to understand, since they apply to, and must be available to, the entire staff. We would not describe our network vulnerabilities in a policy; policies are widely distributed, and we do not want the whole organization, or anyone who obtains the document, to know about them. The process for internal and external communication during an incident belongs in the incident response plan, the DRP (Disaster Recovery Plan) or the CCP (Crisis Communication Plan), not in the policy. Security policies are high level and deliberately general, and we would not want tailored versions for each business unit: they are built from the vision and mission of the business and should be consistent across the organization.

18
Q

Our organization is spread over many smaller offices across the country. Which of these would present the LARGEST security risk?
System operations procedures are not being followed
System capacity mgmt processes are not being followed
Software dev is outsourced
Change mgmt processes are not being followed

A

Change mgmt processes are not being followed
If our branch offices do not follow the change management process, that is the LARGEST risk of the options. Implementing fixes and changes without proper change control can introduce security issues that nobody reviewed or tested, and leaves no record of what changed. System operating procedures and capacity management procedures should always be followed too, but lapses there are less severe than a lack of change control. Outsourced software development is common and is not in itself a security risk, as long as security is designed into the software and the delivered code passes through our change control and management.

19
Q
If we want to protect our organization against internal security threats, which of these would be the BEST to use?
User training
Server hardening
Background checks
Static IP addresses
A

Background checks
Of the options, background checks are the best protection against internal security threats: past behavior is a good indicator of future behavior, and the check happens before the person is given access. Server hardening may help, but we do not know which kind of internal threat we are facing. Static IP addresses do nothing against an insider. User training only delivers information; what protects us is awareness, the staff acting on that knowledge and doing the right thing, which training by itself does not guarantee.

20
Q
We want to ensure non-repudiation. Which of these would be the BEST for that?
Collision-resistant hashes
Digital signatures
Strong complex passwords
Symmetric encryption
A
Digital signatures
Digital signatures (backed by a PKI (Public Key Infrastructure)) are the BEST way to ensure non-repudiation. Only you should hold your private key, so if a document was signed with it, you would have a very hard time denying that you signed it. Strong passwords may make us more secure, collision-resistant hashes give us integrity, and symmetric encryption can give us confidentiality, but none of them provides non-repudiation: a symmetric key is shared, so either party could have produced the result. In practice the non-repudiation claim is only as strong as the protection of the private key and the binding of the public key to the person (a certificate from a trusted CA).
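Added example (not part of the flashcard deck): the difference the card describes, shown in code. Alice signs a constructed purchase order with an Ed25519 private key; Bob can verify it with her public key, a tampered order fails, and a signature made with Bob's own key does not verify as Alice's. The same order protected with an HMAC under a shared key produces an identical tag whether Alice or Bob computes it, so the tag cannot say who sent it. Key pairs are generated on the spot; the message and the shared secret are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed message: a purchase order Alice sends to Bob.
var order = []byte("PO-2024-0042: buy 500 units at 12.50")

// Digital signature (Ed25519). Only Alice holds alicePriv, so a signature that
// verifies under alicePub could only have come from her, or from someone who
// obtained her private key. Bob, or any third party, can verify it with the
// public key alone.
func sign(priv ed25519.PrivateKey, msg []byte) []byte        { return ed25519.Sign(priv, msg) }
func verify(pub ed25519.PublicKey, msg, sig []byte) bool      { return ed25519.Verify(pub, msg, sig) }

// HMAC-SHA256: a symmetric MAC. It proves the message came from a holder of
// the shared key, but Alice and Bob both hold that key, so a tag does not say
// which of them produced it.
func tag(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

type demoResult struct {
	AliceSigValid bool // Bob verifies Alice's signature with her public key
	TamperedValid bool // the same signature checked over an altered order
	BobSigAsAlice bool // Bob signs with his own key; checked against Alice's public key
	TagsIdentical bool // Bob's HMAC tag equals Alice's: the MAC cannot attribute
}

func nonRepudiationDemo() demoResult {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, bobPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	sig := sign(alicePriv, order)

	// Alter the price in transit: the signature no longer verifies (integrity).
	tampered := append([]byte{}, order...)
	tampered[len(tampered)-1] = '9'

	// Bob cannot produce a signature that verifies under Alice's key (origin).
	bobSig := sign(bobPriv, order)

	// With a shared MAC key, Bob's tag is byte-for-byte the same as Alice's.
	shared := []byte("constructed-shared-secret")
	aliceTag := tag(shared, order)
	bobTag := tag(shared, order)

	return demoResult{
		AliceSigValid: verify(alicePub, order, sig),
		TamperedValid: verify(alicePub, tampered, sig),
		BobSigAsAlice: verify(alicePub, order, bobSig),
		TagsIdentical: hmac.Equal(aliceTag, bobTag),
	}
}

func main() {
	fmt.Printf("%+v\n", nonRepudiationDemo())
}
```

The HMAC still gives integrity and authenticity between the two parties; what it cannot give is a proof Bob could show to a third party that Alice, and not Bob himself, produced the tag. That is exactly the property a dispute over the order needs.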
21
Q

One of our critical systems has an administrator account that cannot be locked out, and whose privileges and name cannot be changed. What could we implement that would protect us BEST against brute force password attacks?
Make a strong random password for the account
Don’t allow the system to be accessed from outside our org
Log all account usage
Request a patch from the vendor

A

Make a strong random password for the account
Since we cannot lock the account or rename it, our best option is a very long, randomly generated password, which makes brute forcing impractical. Restricting access to the internal network may not be possible, and even if it is, an attacker who gets onto our network can brute force from there. We can request a patch from the vendor, but we cannot make them provide one. Logging account usage is a detective control; it lets us spot the attack but does not prevent it.
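Added example (not part of the flashcard deck): what “strong random” means in practice for the card above. The password is drawn from the operating system's CSPRNG without modulo bias, and the entropy is turned into an expected brute-force time at two assumed guess rates: a throttled online attack against the login and an unthrottled offline attack against a leaked hash. The character set and the guess rates are assumptions for the example; adjust them to the system's actual constraints.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
)

// Character set for generated passwords (an assumption for this example; use
// whatever the target system actually accepts). 75 symbols, about 6.23 bits each.
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_"

// randomPassword draws each character uniformly from alphabet using the OS
// CSPRNG. rand.Int is unbiased; `randomByte % len(alphabet)` would favour the
// first characters and silently lose entropy.
func randomPassword(length int) (string, error) {
	out := make([]byte, length)
	n := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// entropyBits is log2(alphabetSize^length): the size of the search space an
// attacker who knows the alphabet and the length must cover, in bits.
func entropyBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// expectedCrackSeconds is the average time to hit the password by exhaustive
// guessing: half the search space divided by the guess rate.
func expectedCrackSeconds(bits, guessesPerSecond float64) float64 {
	return math.Pow(2, bits-1) / guessesPerSecond
}

func main() {
	pw, err := randomPassword(20)
	if err != nil {
		panic(err)
	}
	fmt.Println("generated:", pw)
	// Assumed guess rates: an online attack against the login is limited by the
	// network and the service; an offline attack on a leaked hash is not.
	const online, offline = 1e3, 1e10
	const secondsPerYear = 3.15e7
	for _, l := range []int{8, 12, 16, 20} {
		b := entropyBits(len(alphabet), l)
		fmt.Printf("len %2d  %6.1f bits  online %9.2g years  offline %9.2g years\n",
			l, b, expectedCrackSeconds(b, online)/secondsPerYear, expectedCrackSeconds(b, offline)/secondsPerYear)
	}
}
```

Since the account in the card cannot be locked, the password length is the only thing standing between the attacker and the account, so size it for the offline rate, not the online one: the hash may leak some day, and a 20-character draw from this alphabet is well over 120 bits.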

22
Q

We are doing audits on our firewalls. What would be the best metric for measuring their effectiveness?
How many firewall rules we have configured on each firewall
The number of attacks they have blocked
The average throughput
The number of packets they have dropped

A

The number of attacks they have blocked
Of the options, the number of attacks blocked is the best metric for the effectiveness of the firewalls: it relates directly to what the firewall is for. Packets dropped, throughput, and the number of configured rules describe activity or capacity, not effectiveness. Even the blocked-attack count is only meaningful in context: compared over time, checked against the attacks that got past the firewall (from IDS alerts and incidents), and reviewed for how many of the blocked events were real attacks rather than background noise.

23
Q
Bob has been tasked with integrating our new risk management processes into our existing production systems. What would be the BEST way to do that?
Process monitoring
Update our policies
Change management
User training
A

Change management
We use change management to integrate new processes into existing production systems. User training, policy updates, and monitoring of the new processes would all be part of the integration, but they are not the BEST way to get the change into production in a controlled, tested, and documented manner.

24
Q
As the Information Security Director, you are assisting the Information Security steering committee and the application owners in assigning RTOs (Recovery Time Objectives) for the applications we use in our organization. Which of these should have the SHORTEST RTO?
Our intranet
Our change mgmt system
Our VPN access for remote contractors
Our e-commerce website
A

Our e-commerce website
Of the systems listed here, the e-commerce website would have the SHORTEST RTO; every minute it is down is lost revenue and customer trust. We would want it back to at least limited capacity within less than an hour, and in most cases we should have a redundant solution in place with no downtime at all. The change management system is non-critical: we would have manual procedures to fall back on during an outage. The intranet may be important depending on our work processes, and contractor VPN access is important too, but neither is as important as e-commerce.

25
Q
Jane needs to determine an asset's value. What would be the BEST source for her to use?
Business mgr. for the asset
Infosec mgr.
Business analyst for the asset
Average industry cost
A

Business mgr. for the asset
The business manager for the asset (often also the system owner) is the best source for the real asset value. They have in-depth knowledge of what the system does and how critical it is to the business. We may need to help them quantify the value, but they remain the best resource. The business analyst knows how the system works, not what it is worth. Average industry cost should never be used as our asset value: our systems and our organization are unique, and the industry average is at best a benchmark.

26
Q
What is our Information Security governance PRIMARILY driven by?
The potential of lawsuits
Our business strategy
Regulatory requirements in our industry
Technology constraints we face today
A

Our business strategy
Governance is tied directly to the organization's strategy, vision, and mission. Technology constraints, regulatory requirements, and the potential for lawsuits are important inputs, but the PRIMARY driver is our business strategy.

27
Q
The relationship between different security technologies would BEST be defined in which of these?
The process improvement models we use
Our security architecture
Our network topology
Our security metrics
A

Our security architecture
Our security architecture defines how we use the different security mechanisms and how they relate to each other. Security metrics show whether our security practices are improving. Process improvement models help us improve our processes but say nothing about the relationship between security mechanisms. The network topology shows the network layout, not how the security mechanisms relate.

28
Q

We are making an entirely new set of user awareness training materials. Which of these is the MOST important element?
The materials are easy to read and understand
Detailed info about social engineering
Buy-in from the infosec steering committee
Detailed info about our security policies and consequences for not following them

A

The materials are easy to read and understand
It is critical that the materials are easy to read and understand. If they are too confusing or use too many technical terms, many employees will either not read them at all or forget them almost immediately. We want senior management's and the steering committee's buy-in, but for the materials to be effective, ease of understanding matters more. Staff should learn about social engineering and about our policies, but in plain language they can understand and relate to.

29
Q
Our organization's risk appetite is represented by which of these?
Audit risk
Control risk
Residual risk
Inherent risk
A

Residual risk
Senior management sets our risk appetite, and residual risk represents it: residual risk is what is left after we have implemented countermeasures and senior management has decided that further mitigation is not worth the cost. Inherent risk is the risk before any controls are applied. Control risk is the risk that a control fails to prevent or detect what it should. Audit risk is the risk that an audit reaches the wrong conclusion.

30
Q

What should the retention of our business records PRIMARILY be based on?
A business case and value analysis
Our storage capacity and how long we are keeping the data for
Our business strategy
The regulatory and legal requirements we need to adhere to

A

Our business strategy
Our retention schedule is dictated by our business strategy. The business case and value analysis are derived from the strategy, which makes strategy the MORE correct answer. The cost-benefit reasoning we apply to everything else applies here as well: an organization weighs the cost of compliance against the consequences of not complying. Be careful with that reasoning in practice, though: for many record types the legally required retention period is a hard floor, and willful non-compliance carries more than financial penalties, so the legal minimums are the base the strategy builds on. Storage capacity and how long we happen to have kept the data should never be the deciding factor.

31
Q

Which group of people would be the BEST for performing risk analysis on our organization?
The process owners
External auditors
An external mgmt. consultant specializing in our line of business
A group of peers from our competitors

A

The process owners
Our process owners are the group best suited to perform the risk analysis; they have the most accurate picture of the risks to their own areas. Management consultants, peers from competitors, and external auditors may help in other ways (methodology, independent review), but they would not produce the BEST risk analysis for our organization, and sharing internal risk details with competitors is a risk in itself.

32
Q

Jane is working on risk analysis for all of our systems, facilities, and applications. Where would it be BEST to use quantitative risk analysis?
A power outage
To deal with stolen customer data
Half of our marketing department leaving our org to work for a competing business
When our ecommerce website is defaced by hackers

A

A power outage
A power outage is where quantitative risk analysis fits best: we can put numbers on it, such as lost transactions per hour, idle staff time, and recovery cost. Loss of customer data and customer confidence, a defaced website, or half the marketing team leaving for a competitor are hard to express in monetary terms, and for those we would normally use qualitative risk analysis.

33
Q
Jane is building a business case for adding IDSs (Intrusion Detection Systems) to our network. Where would it be BEST to place those?
On a screened subnet
Outside of our firewalls
On an external router
On the firewall
A

On a screened subnet
We would place the IDS sensors on the screened subnet (our DMZ (demilitarized zone)), where they see the traffic that reaches our exposed services after the perimeter firewall has filtered out the noise. Outside the firewalls, or on the external routers, the sensors themselves would be exposed to attack and flooded with traffic the firewall would have dropped anyway. Running them on the firewall is not appropriate either: the firewall is a hardened, single-purpose device, and adding non-firewall services to it weakens its security posture. An IDS only sees what its sensor placement shows it, so in practice sensors are often deployed at more than one point, but of the options given the screened subnet is the best.

34
Q
Bob is making a risk mitigation report; the report would include recommendations for which of these?
Risk evaluation
Risk acceptance
Risk quantification
Risk assessment
A

Risk acceptance
A risk mitigation report would include recommendations on risk acceptance, either as an alternative to mitigating a risk or for the residual risk left after mitigation. Risk assessment, evaluation, and quantification are part of the risk analysis that feeds the report, not recommendations within it.

35
Q

When a security standard conflicts with a business objective, the situation should be resolved by:
Do a risk analysis
Make updates to the security standard to match the business objective
Accept the risk
Make updates to the business objective to match the security standard

A

Do a risk analysis
A conflict between a security standard and a business objective should be resolved with a risk analysis: what do we gain and what do we lose by changing the standard, or by changing the objective? Due diligence means we never simply update either one without the analysis. We may end up accepting the risk, but only after the analysis.

36
Q
The server team is building an intranet server. As the Information Security member of the project team, where should Bob recommend the server is placed?
On our internal network
Behind an external router
Attached to a firewall
In the DMZ
A

On our internal network
The intranet server belongs on our internal network, where it is accessible to employees and unreachable from outside. Attaching it to a firewall, placing it behind the external router, or putting it in the DMZ would put an internal-only system close to the external network, exposed to outside traffic. Only systems that must be reachable from the internet belong in the DMZ.

37
Q

Bassam is finishing up this iteration of our risk management program. What is the BIGGEST benefit of the program?
It can align our risk with the cost of countermeasures
It can identify and remove all threats posed by people
It can bring our losses in alignment with what we have budgeted for
It can eliminate or transfer all organizational risks

A

It can align our risk with the cost of countermeasures
A successful risk management program aligns the risk reduction we achieve with the cost of the countermeasures that achieve it. We can never eliminate or transfer all organizational risks, nor remove all threats posed by people. Losses cannot be budgeted with any certainty either; the program reduces and bounds them, it does not make them predictable.

38
Q

Bassam has just been hired as our new CISO (Chief Information Security Officer). Which of these options should Bassam focus on FIRST?
He should develop a new security architecture
He should hire a highly skilled staff
He should establish good communication with the steering committee
He should do a risk analysis on the entire enterprise and present that to senior management

A

He should establish good communication with the steering committee
Bassam should first establish good communication with the steering committee; it makes most of the information security decisions and sets the priorities. He may later need to develop a security architecture, run an enterprise-wide risk analysis, or hire staff, but the question gives no information about a need for any of those, and regardless we would always build rapport and communication channels with the steering committee and senior management first.

39
Q
We want to reduce risk to an acceptable level. That level is determined by the requirements of:
International standards
Our org
Our IT systems
Information Security
A

Our org
What counts as an acceptable level of risk is determined by our organizational requirements. We would never base it on the requirements of our IT systems, of the information security function, or of international standards; those may guide us, but they are never the determining factor.

40
Q

In any organization the PRIMARY goal of the risk management program is to ensure that:
Critical IT assets are protected
Business risks we face are acted on with preventative controls
Objectives are achievable
IT systems are always available

A

Objectives are achievable
The PRIMARY goal of our risk management program is to ensure the business objectives are achievable; we are there to help the business succeed, by running an efficient and effective program. Protecting critical IT assets, keeping IT systems available, and putting preventive controls around the business risks we face are all part of that, but none of them is the PRIMARY goal.

41
Q

What would the data owner be responsible for?
Deploying security controls
Moving updated application changes from dev to prod
Determining the required levels of security for the data
Applying emergency patches

A

Determining the required levels of security for the data
The data owner determines the level of security required for the data, its classification, and who may access it. Applying patches, deploying security controls, and moving application changes from development to production are done by the data custodians who operate the systems on the owner's behalf.

42
Q
As the CISO of our organization, it is one of Jane's responsibilities to get senior management's commitment and support for Information Security. Which of these would be the MOST effective for Jane to do?
Explain the need for Infosec
Use enterprise-wide metrics
Explain the needs of the operation units
Explain the organizational risk
A

Explain the organizational risk
Senior leadership needs to understand information security in relation to organizational risk, and we would typically express that through a cost-benefit analysis. Enterprise-wide metrics may be used, but as input to the organizational risk picture. The needs of the operational units, and of information security itself, also have to tie back to organizational risk and the cost-benefit analysis to win leadership's commitment.

43
Q

We are a financial institution and changes are being made to some of the security aspects of the PCI-DSS standard. What should our Information Security manager do FIRST?
Assess if existing controls fulfill the new requirements
Meet with the financial and legal leadership teams and decide how to comply
Update our current security and privacy policies
Analyze the key risks in the compliance

A

Assess if existing controls fulfill the new requirements
The first step is to assess whether our existing controls already satisfy the changed requirements. If they do, there is no need to meet with the finance and legal teams or to update any policies or procedures. A risk analysis of the compliance gap comes later, if we find that our current controls are not sufficient.

44
Q

Which of these is the MOST important ability we should look for when we are interviewing candidates for a new CISO (Chief Information Security Officer) for our organization?
A clear understanding of how to map Infosec tech to the needs of the org
A clear understanding of the regulatory and legal requirements that are relevant to our industry and our org
Knowledge about the latest IT technology platforms, trends and development methodologies
The ability to lead a diverse group of employees efficiently and effectively

A

A clear understanding of how to map Infosec tech to the needs of the org
Information Security should always be aligned to the organizational needs; a clear understanding of what those needs are is critical for a new CISO. They should also know the technologies and the regulatory requirements and be able to effectively lead their team, but MOST important is understanding our mission, vision and goals.

45
Q

Which of these is MOST important to ensure is in place before we have outside contractors do a penetration test on our organization?
Everyone including senior mgmt. is unaware of the penetration test to ensure the pen test is as close to a real attack as possible
The goals and objectives are clearly defined
Our IT staff has been informed about the pen test
The pen testers show us what they plan to do on a test system

A

The goals and objectives are clearly defined
It is MOST important to have very clearly defined goals and objectives for the penetration test. We would also possibly have certain timeframes the testers are allowed to use, certain IP ranges, and clear guidance on what they are not allowed to do. We may have them try to access a test system, but that comes after the clear goals and objectives. On top of that, test systems often do not have the same posture as production systems; being able to get access to a test system may not mean they can access our production systems. We may inform the IT staff, but not always. Senior management HAS to know about the penetration test; they sign off on it, and they are ultimately liable.

46
Q
We have had a year with a lot of security incidents; we have experienced all of these. Which of them would have the MOST negative impact?
A power outage at our data center
Internal fraud with monetary loss
The loss of customer confidence
Stolen software
A

The loss of customer confidence
One of the most valuable assets to any business is the confidence our customers have in us. If we lose it, it can be very hard to repair. Internal fraud, a power outage and stolen software are all problems, but ones we can most likely fix without a lot of problems.

47
Q

When we are implementing a security control, the cost should NOT exceed what?
The financial benefit gained from the implementation
Annual loss expectancy (ALE)
The asset value
The cost of an incident

A

X The asset value
The cost of the security control should not exceed the asset value. If the cost of a countermeasure is greater than the asset value, we would not implement it. We always base our security controls on a cost-benefit analysis. We would use the ALE and the cost of an incident in the analysis, but we would not base the decision on just those. The cost of the security control not exceeding the benefit from the implementation doesn't even make sense.

48
Q
We are implementing wireless networks at our new corporate office. Which of these would be the MOST secure way of doing so?
Use WPA-2 (Wi-Fi Protected Access-2)
Filter traffic based on MAC addresses
Hide our SSIDs
Use WEP (Wired Equivalent Privacy)
A

Use WPA-2 (Wi-Fi Protected Access-2)
Of the options here WPA-2 (Wi-Fi Protected Access-2) is the most secure protocol to implement on our new wireless network. Hiding our SSID does very little, since it still broadcasts; it takes a few seconds to find it regardless of it being hidden. Adding MAC filtering on our switch ports is also easy to bypass: the attacker would just have to spoof the MAC address of a trusted device on a specific port and they would have network access. Finally, WEP is very easy to break today; there are weaknesses in the algorithm, and even very long, complex passwords can be broken in less than 10 minutes.

49
Q
We are considering implementing a risk reduction control. Which of these would BEST determine if the control should be implemented?
Qualitative risk analysis
Cost benefit analysis
Penetration testing
Quantitative risk analysis
A

Cost benefit analysis
Any risk reduction control should be based on a cost benefit analysis. We would probably use quantitative and qualitative risk analysis as input to the cost benefit analysis, but they are not the BEST at determining if we should implement the control. Penetration testing could also assist but would be part of a bigger analysis and auditing.

50
Q
What would be the BEST way to treat a natural disaster risk with a low probability and high impact?
Transfer the risk
Implement countermeasures
Eliminate the risk
Accept the risk
A

Transfer the risk
We would most often transfer risks with low probability and high impact. This could be flooding of our data center. Implementing countermeasures is often cost-prohibitive. We may not be able to eliminate the risk, and accepting the risk could have a catastrophic impact if it materialized.

51
Q

What should we do FIRST when we are implementing Information Security governance in our organization?
Make our security policies
Adopt security best practices for our industry
Determine our security baselines
Define our security strategy

A

Define our security strategy
The FIRST step would be for us to define our security strategy; we would then use that to make our security policies and baselines, and we may use best practices for our industry as well.

52
Q

What is the MAIN focus of security audits?
To ensure our security controls operate as they should
To ensure our security controls are based on the latest technology
To ensure our security controls are cost-effective
To ensure our security controls focus on preventative measures

A

To ensure our security controls operate as they should
The main focus of our security audits is to ensure our security controls operate as they should. We would want cost-effective controls, but that is not the purpose of the security audit. It is possible we would want to use the latest technology, but again not something the security audit would look at. Security reviews should look at all controls, not just preventative ones.

53
Q

We want to build new software for our organization. At what stage of the software development lifecycle should we involve Information Security?
When they start programming the software
When the sw dev team starts testing the sw
When they start to define the detailed requirements for the sw
When requested by the sw dev team

A

When they start to define the detailed requirements for the sw
Information Security should be involved from the very beginning, and security should be a requirement just like the functionality of the software. If we wait for the software developers to contact us, we will wait forever. Software testing is at the very end of the development process, and when they start programming is also too late; at that point they already have all the requirements and changes will be duct-tape solutions.

54
Q

Bassam is the Information Security manager of our organization. With us having offices across the globe, Bassam has to ensure that our local security program is in compliance with what?
The data privacy directives that are applicable across the world
The data privacy policies where our headquarters are located
Our corporate data privacy policy
The data privacy policies where we collect the data

A

X The data privacy policies where we collect the data
Our local offices have to comply with the local law, where the data is collected. Our corporate data privacy policy, the policy where our headquarters are located, or the global data directives never supersede the local laws and regulations.

55
Q

Which of these would be the BEST option if we wanted to prevent employees from copying files from their workstation to a USB drive?
Disable all USB ports on all workstations
Limit the number of available mappable drives to one
Implement Mandatory Access Control
Do frequent user training

A

X Limit the number of available mappable drives to one
The BEST option would be to limit the number of drives on the workstations. Users can insert the USB drives, but they would not be registered as a drive. We would not want to disable all USB ports; they are also used for mice and keyboards. Training should be conducted, but it is more efficient to lock down the workstations. Mandatory Access Control would do nothing in this scenario.

56
Q

Which of these would be BEST to ensure the data in a file has not been altered?
Look at the file size
Encrypt the file using symmetric encryption
Use strong access control to ensure the file can't be accessed by anyone without the proper permissions
Hash the original file and compare the hashes

A

Hash the original file and compare the hashes
If we want to ensure the data has not been altered, the best way to do that is to compare a hash of the original file and a hash of the current file. The 2 hashes should be identical; if they are not, the data was altered. We would not be able to tell what was changed, just that something was. The file size can easily be made to look the same as the original even if the data was altered. Using symmetric encryption can give us confidentiality, but not an integrity check. If the file is important, we would most likely use strong access control, but again it would not tell us if the file was altered, only that it would be difficult to access.

57
Q

In order to evaluate the effectiveness of our IDSs (Intrusion Detection Systems), which of these would be the BEST metric to use?
The number of attacks we detect
The ratio of successful attacks to unsuccessful attacks
The number of successful attacks
The ratio of false positives to false negatives

A

X The ratio of false positives to false negatives
Looking at the ratio of false positives to false negatives would be the BEST metric to determine how effective our IDSs are. If it is configured to be as effective as possible, we would have minimal false positives (alerts on allowed traffic) and minimal false negatives (no alert on malicious traffic). The number of attacks we detect, the number of successful attacks, and the ratio of successful to unsuccessful attacks are not by themselves enough to determine if our IDS is effective.

58
Q
Which of these would help us the MOST to ensure our risk management program is as effective as possible?
A solid risk baseline
A flexible Infosec budget
Accurate risk reporting
New risk detection
A

X New risk detection
We would want all of these for our risk management program, but us being able to detect new risks would be the MOST helpful.

59
Q

What would be MOST useful for Jane when she is working on RTOs (Recovery Time Objectives) for some of our critical systems?
A risk analysis
A gap analysis
A business impact analysis
A SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis

A

A business impact analysis
We get the RTO from our business impact analysis, and it is part of our MTD (Maximum Tolerable Downtime): what is the maximum amount of time we can have a system or function down before we are severely impacted? We use a gap analysis to map a path from our current state to our desired state. A SWOT analysis analyzes the Strengths, Weaknesses, Opportunities and Threats of our organization. The risk analysis would be part of the business impact analysis, but it is not what we use for the RTO.

60
Q

As the CISO (Chief Information Security Officer) Bob is overseeing risk analysis. Which of these BEST describes what is in scope?
All critical systems and infrastructure
Anything subject to regulatory compliance
All our critical financial systems
All organizational activities

A

X All organizational activities
We do risk analysis on ALL our organizational activities; we would never limit it to specific systems or infrastructure. We need that holistic approach and protection profile.

61
Q
When we make investments in Information Security technologies, what should those investments be based on?
The business climate
Vulnerability assessments
Recommendations from our audits
A value analysis
A

A value analysis
We base all our Information Security investments on a value analysis. How will this benefit the organization? In most cases it is not revenue gained, but loss minimized to an acceptable level. We might look at the audits, the business climate and the vulnerability assessments, but we would still do a value analysis to justify the cost. We want that positive ROI.

62
Q
What would we use to determine the amount of resources we use to mitigate risks?
How much is left in the infosec budget
Pen test results
Audit reports
Risk analysis results
A

Risk analysis results
The amount of resources we would use on a mitigation would be based on our risk analysis. Everything we do is based on a positive ROI (return on investment). We may use audit reports and penetration testing in our risk analysis, but by themselves they are too incomplete to determine the amount of resources we should use on mitigation. How much is left of the Information Security budget is something we need to consider, but it should not be how we determine how much we spend on mitigation.

63
Q
We use risk analysis to determine how to best protect our assets and mitigate risks as much as makes sense. We have already rated incidents on likelihood and impact; now we want to get more precise numbers assigned to our assets that got a "High Risk" score. Which of these risk analysis approaches would be the BEST to use?
Quantitative
Qualitative
Iterative
Adaptive
A

Quantitative
When we want to put actual numbers and dollar amounts on both the risks and the mitigations, we would use Quantitative risk analysis (think quantity: it is a specific number). Qualitative risk analysis is where we rate risks on likelihood and impact; we then use that to determine which assets are high enough risk to move to quantitative risk analysis. Our risk analysis is iterative, but there is no risk analysis approach named iterative risk analysis. There is also no adaptive risk analysis.

64
Q

Bob is scanning our internal network for security vulnerabilities. What is the MOST important thing Bob should ensure?
To not interrupt production environments
To not use open source vulnerability scanners
To follow the normal attack cycle
To only scan production environments

A

To not interrupt production environments
It is MOST important that Bob does not disrupt any production environments or processes. If we have to run intrusive tests, they would be done off-hours and in a service window. There is no good reason not to use open source scanners; some of the better ones are open source. We would want to scan all environments, not just production. We would not follow the normal attack cycle; this is just scanning.

65
Q

What is the MAIN reason for our Information Security objectives being clearly defined?
To measure the effectiveness
To ensure our objectives are consistent with the standards
To clearly understand the objectives
To get the staff’s buy-in

A

X To measure the effectiveness
We need our Information Security objectives to be clearly defined so we can measure how effective they are. If our objectives are vague, we will have no clue how well or badly we are doing. We do need to clearly understand the objectives, but measuring their effectiveness is more important. The objectives being clearly defined will help with getting the buy-in from our staff, but again those are secondary objectives.

66
Q

We have chosen to implement decentralized information security management because we have a geographically dispersed organization. What would be the BEST reason to do so?
To lower the cost of ownership
To be able to follow our policies better
To be in better alignment with business unit needs
To be able to provide a more uniform quality of service

A

To be in better alignment with business unit needs
Decentralized information security management would normally give us better alignment with business unit needs. It would also often give us less uniform quality of service, deviate more from our policies and cost us more.

67
Q
Who would be the BEST person in our organization to sponsor the creation of an information security steering group?
Chief Operating Officer (COO)
Lead internal auditor
Legal Counsel
Infosec mgr.
A

Chief Operating Officer (COO)
The chief operating officer (COO) is ideally whom you should report to. They are high enough in the organization and they have the 30,000 ft view of both business operations and objectives. If not the COO, it should be the CEO, but that is not an answer option here; even if it were, the COO would still be the first choice. Legal counsel, auditors, and the Information Security manager would be key members of the steering committee, but none of them should sponsor the committee.

68
Q

Our leadership has decided for 2 of our critical applications it is impossible to minimize the residual risk to an acceptable level. Even with all our countermeasures the residual risk is always too high. What can we do to mitigate that?
Buy insurance
Build a SOC and implement live monitoring
Update to state-of-the-art firewalls
Get professional pen testers to test the 2 apps

A

Buy insurance
With the residual risk ALWAYS being too high, the only option is to buy insurance and transfer the risk. The SOC, pen testing and firewalls may minimize the incidents, but all those are irrelevant in this question, since senior management has determined it is never enough.

69
Q
After a security incident the incident management team does a post-incident review. They do the review to produce what?
Determine the areas affected
Determine the hacker's identity
A lessons learned document
Relevant electronic
A

A lessons learned document
The result of the post-incident review would be our lessons learned report: what went well, what went wrong, and what can we do next time to improve our incident response. The electronic evidence, the areas affected and possibly who attacked us would already be covered in reporting and possibly in response.

70
Q

What would be the BEST reason to get help from external resources to work on our Information Security program?
They can be more cost effective and have expertise we do not have internally
They can give us more redundancy for internal employees
They would be responsible for our Infosec program meeting the requirements
They can deliver the product faster because of their external knowledge

A

They can be more cost effective and have expertise we do not have internally
The BEST reason would be for us to get cost-effective assistance from people who have skills we do not have within the organization. We still need internal key stakeholders who have the detailed knowledge of our organization, but getting outside help can help us deliver a better product sooner. Even if we contract external people, they might be responsible for producing a result, but as the Information Security manager or director it is your responsibility to deliver the program. In this case getting outside help would not help with employee redundancy; they are there to help us in areas where we lack the skilled employees. They may, or may not, be able to deliver the program faster with their knowledge; we simply do not have enough information to determine if this is a viable option. Even if they could, the question said "BEST reason", which is the cost effectiveness and the knowledge we do not have internally.

71
Q

One of our servers has been compromised and our incident response team is now examining it. The system is segmented from our network; what should they do FIRST?
Make a bit-level copy of all the hard drives
Make a bit-level copy of the memory
Reboot the server
Get a full set of logs to determine which parts of the system were compromised

A

Make a bit-level copy of the memory
When we do forensics, we always work from MOST volatile to LEAST volatile, meaning we would start with the memory. We would never reboot the server, that would clear volatile memory and possibly any evidence. We would later do the bit-level copy of the hard drives and look at the logs, but we would examine the memory FIRST.

72
Q

Bassam is our Information Security manager, what can he use to BEST prepare for our annual regulatory reviews?
Assign someone from his team to be a liaison with the auditors
Do a self-assessment using the guidelines for that type of audit
Review the previous audit reports and talk them over with our process owners’ input
Make sure all inquiries are approved by our legal dept.

A

Do a self-assessment using the guidelines for that type of audit
Doing a self-assessment would be the best way to prepare for the annual audit/review. We would also assign someone as liaison, look at the previous reports, and involve our legal department, but the question was BEST way.

73
Q
Jane is implementing a new heuristic IDS (Intrusion Detection System) solution. For that implementation what should be the MOST important consideration?
Tuning it
Encrypting it
Set up packet filtering
Patching it
A

Tuning it
The most important thing when implementing a heuristic IDS is tuning it. If it is not tuned right, we would get a lot of false positives (permitted traffic is denied) and false negatives (malicious traffic is not detected). We would apply patches when they are released, but they are not the MOST important thing. Encryption and packet filtering in this case are distractors; they would not be appropriate.

74
Q

At a change control meeting, a system owner requests a change to their system that would conflict with our security standards. What would be the BEST way to resolve this conflict?
Add mitigating controls to the system
Make changes to the proposed system change to match the security standard
Enforce the security standard
Calculate the risk

A

Calculate the risk
We should always base decisions on a risk analysis, even when we consider deviating from our security standards. After we do the risk analysis and the risk is calculated, we may choose to enforce the security standard, make changes to the proposed system change, or add mitigating controls, but we would need the risk analysis to determine if any of those are suitable. We would never just do any of them without the proper analysis.

75
Q

We are considering moving our BCP (Business Continuity Plan) to an automated solution to ensure specific users have access to only what they need from the plan to do their job. Which of these should be our primary concern?
Making sure the plans are accessible during a disaster
Ensuring the content of all weblinks in the plan are available through alternative means
Ensure that the plan automatically updates users when personnel join or leave the org.
Correct versioning of the BCP and its sub-plans

A

Making sure the plans are accessible during a disaster
If we move our BCP to an automated solution it is critical that we are able to access it during a disaster. If we place it on our intranet it may not be available during a disaster. The other options are important, but not as critical as the availability of the plans during a disaster. We would want correct versioning; if we do not have it, staff may use old information, making the disaster even worse. If the plan has web links, they should be accessible through alternative means, but again, if we can't access the plan at all the web links are less important. Integrating the plan with a user authentication system with content-based access control is smart: users get access to exactly what they need and no more, and we would want the system to grant access when new users join and remove access when employees leave our organization. All of this is still secondary to the availability of the plan.

76
Q
We keep our backup data for as long as the information is usable or if we are required to by law, standards, or regulations. What is this an example of?
Data handling
Data storage
Data retention
Data encryption
A

Data retention
Data Retention: Data should not be kept beyond the period of usefulness or beyond the legal requirements (whichever is greater).

77
Q
During a Distributed Denial of Service (DDoS) attack, we log into a system where we see the notifications. The system does not act on the notification other than sending us an alert. Which system are we logged in to?
NIDS
NPS
HIPS
HIDS
A
NIDS
It only alerts (intrusion detection), and a DDoS would be network-based, so NIDS.
78
Q
What would an IT Security professional’s role be when we talk about patching systems?
Apply them
Nothing
Review them
Everything
A

X Review them

The security team would review the patches and approve them before the server team applies them.

79
Q
There are many risks in today's increasingly complex IT world, and how we deal with them should be part of an overarching strategy. We could for instance be risk neutral or risk averse. Who would decide our organization's risk appetite?
IT leadership team
IT security team
Rules and regulations
Senior mgmt.
A

Senior mgmt.
Governance: this is done by the C-level executives. Stakeholder needs, conditions and options are evaluated to define balanced, agreed-upon enterprise objectives to be achieved; direction is set through prioritization and decision making; and performance and compliance are monitored against the agreed-upon direction and objectives. Risk appetite: aggressive, neutral, averse.

80
Q
We have acquired a competing organization and your team is working on the risk analysis for the applications they use internally. You would use which of these as PART of your Qualitative Risk Analysis?
A risk analysis matrix
Risk = threat x vulnerability
ALE, SLE and ARO
Fact-based analysis
A

A risk analysis matrix
Qualitative Risk Analysis: this is vague, based on estimates and feeling, and relatively quick to do. We add all our assets to a matrix and assign them values on "how likely is it to happen and how bad is it if it happens?" It is often done to know where to focus the Quantitative Risk Analysis.

81
Q
What is one of the MAIN benefits of using VPN (Virtual Private Network) tunneling, to allow our remote users to access our internal network?
Reduces the need for complex passwords
Makes the traffic secure
Decreases the administrative overhead
Removes the need for 2FA
A

Makes the traffic secure
VPNs allow our staff to connect securely, because the traffic is encrypted in the VPN tunnel. We would want 2FA with the VPN, and we definitely do not want to remove it. We would not want to have less complex passwords, and VPNs may or may not reduce administrative overhead; for this question it is irrelevant.

82
Q
Where in our application development would we initially address encryption key management?
System deployment
Beginning of programming
Requirements development
Code debugging
A

Requirements development
We need to start looking at encryption key management in the initiation or planning phase of the project, when we develop our project requirements. If we do not do it until programming, deployment or debugging, we are doing it after the fact, and it will be bolt-on security. It will never be as secure as security designed in as a functional requirement.

83
Q
At which phase of our systems or software development lifecycle should risk assessments be built in, to ensure risks are addressed in the project development?
Programming
Feasibility
Specifications
User testing
A

Feasibility
We should address risk as early on in the project as possible; of the phases listed here that would be feasibility. The programming or user testing phase is way too late. If the feasibility phase were not an option, we would do it in specifications, but feasibility is much better.

84
Q

If we want to protect our organization against external security threats, which of these would be the BEST to use?
Writing server logs to an external WORM (Write Once Read Many) media
Background checks
NAT (Network Address Translation)
Static IP addresses

A

NAT (Network Address Translation)
NAT is the only option that may help us against external security threats, because local IP addresses are not routable. Using static IPs would really do nothing, background checks would be for our internal employees, and the WORM media may prevent the attacker from deleting the logs, but it will do nothing to protect us against attackers.

85
Q
Which project management tool would be the BEST to determine how long a security project should take to implement?
Gantt chart
Ideal path
SWOT chart
Critical path
A

X Critical path
We would look at the critical path to determine how long a project would take to complete. The critical path is the longest distance between the start and the finish of your project, including all the tasks and their durations, which gives you a clear picture of the project's actual schedule. We would use SWOT analysis to determine our strengths, weaknesses, opportunities, and threats. The Gantt chart is used to estimate required resources and resource allocation, as well as task sequencing. Ideal path is not a project management term.

86
Q
You are the CISO (Chief Information Security Officer) of our organization, who should you ideally report to?
CTO
COO
Head of internal audit
Head of legal counsel
A

COO
As the CISO of our organization, you should ideally report as high up in the organization as possible. That would at best be the CEO, but given the options in the question the COO (Chief Operating Officer) would be the best choice.

87
Q
We want our employees to be able to access our internal network over the internet from an external connection. For this implementation we also want to make sure attackers are not able to gain access pretending to be authorized users. Which of these technologies would make it the MOST secure?
2FA (Two-factor authentication)
IDS
SSO
Challenge response
A

2FA (Two-factor authentication)
2FA would make it the MOST secure; the user would most likely use Type 1 and Type 2 authentication (something you know and something you have). The IDS would detect attacks, but not attackers pretending to be authorized users. Challenge response would make the connection more secure, but 2FA is much more secure. SSO makes it easier for users but does nothing for user authentication.

88
Q

You are working on our Information Security risk analysis, what would be your MOST important deliverable from that process?
List of assignable risks to process owners
List of actionable items on how to mitigate risks
BIA report
Clear quantification of organizational risk

A

X List of actionable items on how to mitigate risks
All of these are important deliverables of our risk analysis, but the MOST important is the actionable items we can do to mitigate our risk to an acceptable level. We use the BIA to determine mitigations, the process owners need to know they are responsible for their risks, and we want the clear quantification of organizational risks, but they are all secondary to the actionable items we need to minimize our risks to acceptable levels.

89
Q
What would be the BEST way for us to send a message securely?
Send the message with a hash
Send the message using PKI
Password protected portable media
Send the message using steganography
A

Send the message using PKI
The MOST secure way to send messages today, based on the answer options, would be using PKI (Public Key Infrastructure). Hashing would not make it secure; that would just provide integrity checks. Password protected portable media would be secure, but nowhere near as secure as using PKI. Steganography is hiding a message in an image or audio file; it is mostly security through obscurity.

90
Q
What would be the BEST security measure we could use to prevent data disclosure and data exfiltration?
Very strong key storage
Very strong encryption
Very complex firewall rules
User authentication in all apps
A

X Very strong key storage
We would want very strong key storage; if the attackers can get to our encryption keys, most of the other security measures are irrelevant. Most encryption today is strong enough to not be breakable with current technologies, so making it stronger often does not make it significantly more secure. Complex firewall rules do not mean more security, and in this example they are a distractor. We would want user authentication in all applications, but it is not relevant for this question.

91
Q
What is the primary objective of our risk management program?
Eliminate business risk
Implement effective controls
Minimize residual risk
Minimize inherent risk
A

X Minimize residual risk
Of the answer options the PRIMARY goal of our risk management program is to minimize our residual risk. We can never eliminate business risk completely. We may not be able to minimize inherent risk. We want to implement effective controls, but we do that to minimize residual risk.

92
Q

An incident response policy HAS to contain which of these?
An inventory of our critical backup files
Up-to-date call trees
Criteria for escalation
Templates for press releases

A

Criteria for escalation
Our incident response policy, like any other policy, is high-level and vague. It would have the criteria for escalation: who can do it, when can they do it, and what has to have happened? It would not contain call trees, press releases or specific backup information.

93
Q
The requirements of which of these would have the lowest level priority in Information Security?
Business
Regulatory
Technical
Privacy
A

Technical
The technical requirements are the lowest priority; technology is there to enable the business requirements, and often we adhere to regulations and privacy requirements and make them part of our business requirements.

94
Q
To protect against SQL (Structured Query Language) injection attacks. Which of these would be the BEST to implement?
Input field restrictions
Proper change control
Referential integrity checks
An IPS
A

Input field restrictions
Adding input field restrictions would be the best way to protect against SQL injections. We would only allow the needed number of characters for names, phone numbers, and social security numbers, and use drop-down menus for country and state. Only certain characters would be allowed. We want proper change control, but it does not directly help with SQL injections. The IPS is for protecting against other types of attacks. We would have referential integrity checks on our SQL, but that is a backend check we perform to optimize and remove data errors from the SQL database.

95
Q

What is the PRIMARY reason we would implement a risk management program?
It allows us to satisfy regulatory requirements
It will allow our org to eliminate risk
It is part of our management’s due diligence
It helps provide a positive ROI

A

It is part of our management’s due diligence
The primary reason for implementing a risk management program is for our management to do their due diligence. Being in compliance with regulatory requirements is important, but not the primary reason. The program may provide a positive ROI, but that is not the purpose. It is impossible to eliminate risks completely; we can however manage them to an acceptable level.

96
Q

We are wanting to promote Information Security awareness within our organization. Which of these tactics would be the MOST efficient and positive way to do so?
Locking user accounts if they mistype their password 3 times or clicked on a phishing email
Strict rules around phishing emails and reprimands and written warnings when employees click on phishing emails
Rewards and competitions for users and business units who are able to act on the infosec awareness training
Weekly reports sent to managers on how their staff performed the previous week in regard to phishing and other awareness topics

A

X Rewards and competitions for users and business units who are able to act on the infosec awareness training
Rewarding employees for good behavior is much more effective than punishing them for bad behavior. Highlighting the competitions and getting different business units to compete with each other is a great way for employees to keep each other accountable for good Information Security practices. Warnings, locking accounts, and reports sent to the managers may be needed, but it should never be the first or second course of action.

97
Q
Senior management has asked us to build a new data center in a county where flooding is common. They are aware of the risk and have asked you to suggest mitigation strategies since they do not want to accept the risk. Which of these would be the BEST to recommend to senior management?
Acceptance
Rejection
Transference
Avoidance
A

Transference
The BEST mitigation to recommend to senior management would be risk transference (we buy flood insurance). Senior management were clear: they did not want risk acceptance, they wanted to mitigate. Risk rejection is knowing the risk is there but ignoring it (never OK). Senior management also did not want risk avoidance; we could have done that by not building the data center in the area that is prone to flooding.

98
Q
What is the PRIMARY purpose of the change control process?
Document changes
Apply changes
Test changes
Authorize changes
A

Authorize changes
The PRIMARY reason for the change control process is for us to approve and authorize changes to our environment. It is secondary that the changes are applied, documented and tested. Those 3 are still important, but they are not the primary reason for change control.

99
Q
We want our mobile users to be able to access sensitive intranet data. Which type of access control would be BEST for this?
Strong passwords
Data encryption
Multifactor auth
Digital signatures
A

Multifactor auth
Multifactor authentication would be the BEST type of access control to implement for mobile users. In this case we would most likely use Type 1 (Something you know), and Type 2 (something you have) authentication here. That could be username/password and a security token. Data encryption, digital signature, and strong passwords would help with the security posture, but multifactor authentication would be BEST.

100
Q

What should be the PRIMARY goal when we develop a new Information Security strategy?
Define security metrics, goals and performance monitoring
Train business process owners and raise their awareness
Support the business objectives
Ensure we meet all legal and regulatory requirements

A

Support the business objectives
The business objectives of our organization are always the most important consideration; that is what everything else is there to enable. The security metrics, goals, performance monitoring, and training and awareness are all there to support the business objectives. Legal and regulatory requirements are important and often part of policies and procedures, but they are still not the primary goal of our Information Security strategy.

101
Q
What does encrypting a message with the sender's private key and then encrypting it again with the receiver's public key give us?
Authentication and non-repudiation
Confidentiality and integrity
Confidentiality and non-repudiation
Authentication and authorization
A

Confidentiality and non-repudiation
Encrypting with the receiver's public key gives us confidentiality, because only they can decrypt the message. Encrypting with the sender's private key gives us non-repudiation. Remember that for either user's key pair, what the private key encrypts the public key can decrypt, and vice versa. Since the receiver has their own private key and the sender's public key, they can decrypt the entire message.

102
Q
Which type of authorization policy would be BEST suited if we want regular staff rotation, cross training, and to minimize the risk of fraud?
Rule-based access control
Role-based access control
Multi-tiered access control
Discretionary access control
A

Role-based access control
If we want staff rotation, cross training and to minimize the risk of fraud, the type of access control that is best for that would be role-based access control. Here rights are assigned based on job role, and as part of that we can use job rotation and mandatory vacations to cross train and lower the risk of fraud. Discretionary access control is based on the data owner's discretion and does nothing for what we are trying to do here. The same goes for rule-based access control; that is what our older firewalls use: IF this, THEN that.

103
Q
Which of these events would normally have the LARGEST impact on Information Security?
Moving a data center
Upgrading firewalls
Acquisition of a competing org
Opening a new office
A

Acquisition of a competing org
Acquiring a competing organization would have the largest impact on Information Security. We would need to integrate their staff, hardware, software, and everything else they have into our organization. We need to ensure everything in their organization is at the same high level of security standards as we have. This can often take months or years, and only then would we possibly connect the networks. Opening a new office, moving a data center or upgrading our firewalls would still have Information Security impacts, but we already have procedures and policies in place to deal with events such as these.

104
Q

What do we use to ensure our password policies are MOST effective?
Regular password audits
Security awareness
Single sign-on
Penalize employees for not complying with policies

A

Security awareness
For us to implement our password policies in the MOST effective way, we would need to raise user awareness about Information Security, proper password complexity, and why we do it. Audits and penalizing employees can help, but users understanding how to do it right and why we do it is much more effective. Single sign-on (SSO) would make access to systems easier for users, but it also comes with some inherent security issues.

105
Q
We have hired an external company to perform penetration testing on a new application we just finished building. They have a clear SOW (Statement Of Work) and we give them an internal user account with regular user privileges to use in their penetration testing. Which type of penetration testing are they performing?
Gray box
Blue box
Black box
White box
A

Gray box
If the penetration tester has an internal regular user account/knowledge, they are conducting a gray box penetration test. Black box would be no knowledge or access. White box would be administrator access and detailed knowledge of our network. There is no blue box penetration testing; we do however use red and blue teams in testing. The red team are the attackers and the blue team the defenders.

106
Q

What would be the BEST protection against phishing attacks?
User awareness training
Firewall filtering
Complex email filters
Restrict email usage to only the internal network

A

User awareness training
The best protection against any type of phishing (normal, spear, whale, vishing) is user awareness training. We would also implement the email filtering, and it would help, but it is less effective than user awareness. Limiting email to the internal network would not do anything to prevent phishing, and neither would firewall filtering.

107
Q
What would be the BEST metric we could use to evaluate how effective our security awareness training is?
Number of failed login attempts
Number of password resets
Number of resolved security incidents
Number of security incidents reported
A

Number of security incidents reported
If our staff is trained sufficiently, and we have raised their awareness, we would see an increase in reported security incidents. While this may at first seem counterintuitive, we see the increase because our staff understands what to report to us. Before we raised their awareness, we would have fewer reports because they did not know what to report to us. Password resets and failed login attempts would not be an effective metric for measuring our awareness training; users still forget passwords or enter credentials incorrectly. The number of resolved security incidents does not have to correlate with the raised awareness.

108
Q
Bob has finished a risk assessment for a critical application. The cost of mitigation would be much higher than the benefit. What should he recommend we do with the risk?
Mitigate
Accept
Transfer
Reject
A

Accept
When the cost of mitigation is higher than the benefit, we should recommend risk acceptance. We want exactly enough Information Security, no more, no less, and the decision is based on cost vs. benefit. We would never reject a risk; that is us knowing it is there and doing nothing, and in this case we already did the analysis, so we are past that point. Risk transference and mitigation make little sense here; we already determined it was not cost effective to do any other risk responses.

109
Q

Jane is doing risk analysis throughout our large international organization, she should:
Focus on the number of incidents over the potential size of the loss
Compare us with the benchmarks of other similar orgs
Consider the size and likelihood of the loss
Give the same protection profile to all assets

A

Consider the size and likelihood of the loss
In our risk analysis, we would look at the size and likelihood of a loss; we need to quantify it to design appropriate countermeasures. What similar organizations do is unimportant to us; every environment is unique. We would never give the same protection profile to all our assets; they are not created equally, and we need to give them the protection profile that matches what we discovered in the risk analysis. The potential size of the loss is always more important than how likely the incident is to happen. Us losing $1,000,000 in one incident is much worse than us having 100 incidents costing us $10 each.

110
Q
At what point do we reach our RTO (Recovery time objective)?
The system is back in production
The system sw is restored
The system hw is restored
The system is completely offline
A

X The system hw is restored
The RTO (Recovery Time Objective) is when we have restored the system hardware. Getting the system back into production is the MTD (Maximum Tolerable Downtime). When the system is completely offline is a distractor, and when the system software is restored is the WRT (Work Recovery Time). The maximum amount of time we can be down must not be exceeded by the time it takes us to rebuild the hardware, install the software and test the system (MTD ≥ RTO + WRT).

111
Q
Which of these would be the BEST proof that our risk management practices are successful?
Residual risk is minimized
Inherent risk is eliminated
Risk is maximized
Overall risk is quantified
A

Residual risk is minimized
Successful risk management is when our residual risk is minimized to an acceptable level. We would want our overall risk quantified, but only so we can minimize it. We can't eliminate inherent risk, and we never want to maximize our risk.

112
Q

As part of our forensics after a security incident, we are looking at the slack space on the compromised servers’ hard drives. Why do we do that?
It can contain hidden data
It can contain system log files
It can contain the login info the attackers used
It can contain unused data sectors

A

It can contain hidden data
Slack space is the leftover space from when a file does not need the entire cluster for the data it is storing. The slack space is whatever is left over of the cluster; it may contain old data, or it can be used intentionally by attackers to hide information. The slack space could technically contain login information or log files, but hidden data is MORE correct. Clusters contain slack space, not the other way around.

113
Q

In an internal security audit, we notice an entire department all has super user access to a critical application. What should the Information Security manager do FIRST?
Review our procedures for granting access to the critical app
Change the access rights policies
Meet with the data owner to understand the business need
Restrict the access until it is confirmed all members of the department have a need for the access

A

Meet with the data owner to understand the business need
The Information Security manager should meet with the data owner to understand the business needs, and why an entire department has access. There may be a good reason for it; we just need to ensure it is there. We would never restrict access without investigation. We may later want to change the access rights policies, but we would advise, and senior management would decide. If we find access is being granted incorrectly or without proper security, we may review the procedures, but not at this stage.

114
Q

Bob is making a presentation to senior management about Information Security. What would be BEST to include in the presentation to get their support?
In-depth illustrations that show successful attacks
Refer security risks back to the key business objectives
A full breakdown of the org against best security practices
Explanations of the technical risks the org is facing

A

Refer security risks back to the key business objectives
It is always important to speak to senior management in a language they understand; we need to tie what we do back to the goals, the vision and the mission of the business. We can also use cost/benefit analysis, ROI or other big picture terms they are used to. As Information Security managers/CISOs we need to be the translating link between senior management and the techies. If we start talking about successful attacks, technical risks, or security best practices, that is not information they can relate to. We need to talk their language.

115
Q

We have implemented a new antivirus solution in our organization. If we automatically push the new signatures to all workstations every Friday at 19:00 (7PM); which of these would be the WORST security exposure in regard to the automatically updating signatures?
We don’t know if the update was successful until Monday morning
Helpdesk not being available during the weekend
Systems are vulnerable to any new viruses found between updates
Users not being able to test during the weekend

A

Systems are vulnerable to any new viruses found between updates
Signatures should not be updated only once a week; the update schedule should be much more aggressive. If we only update once a week, we would be vulnerable to new viruses for up to 7 days. Even if we do minor or major changes over the weekend, we would still have users, testers, and helpdesk available after the change if needed; in the case of antivirus, however, it is critical we push updates either as soon as they are released or shortly after we test them in our test environment.

116
Q
Bob needs to find our minimum standards for securing our IT infrastructure, where should he look?
Security guidelines
Security architecture
Security publications
Security strategy documentation
A

X Security architecture
Our minimum standards for securing our IT infrastructure would be defined in our security architecture document. Our strategy would be our high-level plans and visions, the security guidelines are suggestions, and we would use publications to educate ourselves or others.

117
Q

Which of these would make us update our Information Security governance and it would NOT require any further justification?
It is required by regulatory compliance
It would benefit our org financially
We are aligning our org’s governance with the best practices for our industry
It will improve our BCP and give us full redundancy

A

X It is required by regulatory compliance
Regulatory compliance can be something that would force us to update our Information Security governance without any further justification. Being aligned with best practices is nice but would need further justification. BCP and it benefitting us financially would be drivers, but on their own they would not make us update governance without further justification.

118
Q

When we do risk assessments, they should be done:
Every quarter for critical processes
Annually or whenever we have significant change
By external auditors
Annually for each business unit

A

Annually or whenever we have significant change
The risks to our organization change all the time; we should do risk assessments at least every year or whenever there is a significant change, which can be to our organization or to outside influences. External auditors would not do risk assessments; they would do audits. Doing assessments every quarter may be too aggressive, and we do not have enough information in the question to justify it, while annually for each business unit may not be enough if there are significant changes.

119
Q

Our organization is a large online reseller. We realize we are under a network attack; what should we do FIRST?
Shut off external access from all servers and devices
Enable logging on all affected devices
Write all the logs to WORM media
Isolate the affected network segments

A

X Isolate the affected network segments
We would isolate the affected network segments FIRST; we need to contain the attack and ensure it does not spread. The rest of our network can keep functioning, but with heightened monitoring. We would never just shut off all external access; we would segment FIRST, and only as a very last resort shut off external access. Logging should already be enabled, and it should write to a centralized logging server as well as WORM media. During an attack we have more important things to worry about than enabling logging; it should have been done when we moved the system into our production environment.

120
Q

Jane is developing an information security plan, what should she do FIRST?
Assess our current business strategy
Perform a BIA
Assess our technical vulnerabilities
Assess the current levels of security awareness in the org

A

Assess our current business strategy
Everything we do in Information Security refers back to the business goals and strategy. Since the question was what we do FIRST when developing an IS plan, we need to know the business strategy, goals and vision. The BIA, vulnerabilities and awareness are something we would look at much later.

121
Q

Which of these would we do FIRST after a successful DDOS (Distributed Denial-Of-Service) attack?
An impact analysis of the DDOS attack
An assessment of our systems to determine their status
Restore servers using backup media from our offsite storage facility
Isolate the affected subnets

A

X An assessment of our systems to determine their status
We would FIRST do an assessment to determine the status of our systems. We would not isolate the subnets; that would be done during the attack, not after, as the question asked. Restoring servers would make no sense; this was a DDOS attack, so no servers should have been compromised other than their availability. We would do an impact analysis of the attack, but it is definitely not what we would do FIRST.

122
Q

Jane is the Information Security Manager in our organization. She has been tasked with developing a strategic plan for Information Security. The timeline of the plan she makes should be:
Agile to keep up with the changes in tech
Based on a 3-4 year tech refresh cycle to ensure we are aligned with the trends and developments within infosec
Aligned with the strategic plan for all of IT
Aligned with business strategy

A

Aligned with business strategy
Any planning for information security should be properly aligned with the needs of the business. We would possibly update it when significant changes happen, but not make it agile. It should align with the plan for all of IT, because that should also be aligned with the business plan. It is also normal to use tech refresh cycles for all of IT, but that is not the most important thing in our strategic Information Security plan.

123
Q

Bassam is the lead of our incident response team; they have proof hackers have gained access to some of our systems and they have successfully altered some of our customer information. Bassam reports this to John, the Information Security Manager. Who should John notify FIRST?
Data owner
Customers who were compromised
Regulatory agencies that govern our sector
Infosec steering committee

A

Data owner
John should notify the data owner FIRST. With our help they can determine how bad the damage is, and with the incident response team determine the appropriate corrective actions. We will later inform the steering committee, the customers and the regulatory agencies, if it is appropriate based on our internal policies and the regulations and laws we need to adhere to.

124
Q
What is the MOST important component of our privacy policy?
How we deal with liabilities
How we handle notifications
The geographic area the policy covers
The warranties we issue
A

X How we handle notifications
Our privacy policies have to have notification and opt-out provisions. Policies are high-level directions; they would most often not address warranties, the area they cover or our liabilities. Also, keyword MOST.

125
Q
Changes to technology would very rarely make us change which of these?
Standards
Policies
Guidelines
Procedures
A

Policies
We would very rarely change our policies due to technology changes; they are the very high-level documents that we use to build the more specific, and at times technical procedures, standards and guidelines. We would update our procedures, standards, and guidelines to reflect technology changes.

126
Q

What is the MOST important reason we have Information Security review our contracts throughout the enterprise?
Ensure appropriate controls are included
Ensure no confidential information is included in the contract
Ensure the right to audit is a requirement
Ensure that both parties can perform their contractual promises

A

Ensure appropriate controls are included
When our organization signs contracts with other entities, we need to ensure that the proper security controls are in place. Some contracts would have confidential information included; we can't eliminate it completely, but we should limit it to what is strictly needed. We would possibly also reserve the right to audit, but not always, and it is less important than the security controls. Whether both parties can fulfil their obligations is important, but it is rarely a security concern.

127
Q

When we are developing a business case for buying new security software which of these would help us the MOST?
Quantifying the cost of control failures
Calculating the ROI
Assessing how often the sw could help us mitigate specific security risks
Comparing the spending to what is normal in orgs similar to ours

A

Calculating the ROI
Our business cases, and ultimately our Information Security decisions and purchasing, should be based on the ROI (Return on Investment). We would use how it could help us mitigate, and the cost of the control failures, as part of the ROI calculation, but in themselves they are not what we base our decisions on. What other similar organizations spend is a benchmark, but also not something we would make decisions on; every organization is unique.

128
Q
Which of these would be the MOST important information we would need to implement data classification in our organization?
Identify data owners
Do an initial risk assessment
Determine our data retention policy
Define job roles within the org
A

Identify data owners
It is MOST important that we know who all the data owners are; they would know how to classify their information. We would classify the data and do a risk assessment, but we need the data owners for that. Job roles are a distractor and have nothing to do with the question.

129
Q
To protect against malicious activity by former employees; which of these is MOST important?
User activity monitoring
Good termination procedures
Non-compete clauses
Pre-employment background checks
A

Good termination procedures
The only one of these that would possibly protect us against former employees would be the good termination procedures. We would obviously still do the background checks, monitoring of activity, and possibly the non-compete clause, but all those are done before or during employment, not after.

130
Q
Jane is conducting a network vulnerability assessment; what would the vulnerability assessment be able to identify?
Missing patches
Zero-day vulnerabilities
Malware
Security design flaws
A

Missing patches
We do vulnerability assessments to find known vulnerabilities on our network; that could often be missing patches, misconfigurations, open default ports, or default user accounts and passwords. Zero-days are unknown, malware would be found with antivirus and antimalware, and security design flaws would be found if we did an architectural audit.

131
Q

One of our business units is planning to implement a new technology that would be in violation of our security standards. What is the FIRST thing you should do as an Information Security manager?
Do research and propose they use better technology
Make them follow the security standard
Change the standard
Do a risk analysis

A

Do a risk analysis
We would not just change standards or refuse the new technology without a proper risk analysis. We do that first, and depending on the risk analysis we may recommend to senior management that we change the standard, or we enforce the standard. Researching better technology may also be a compromise, but it would happen after the risk analysis.

132
Q
Our organization has just finished a companywide Information Security user awareness training effort and we are going to try to social engineer our employees to gauge how effective the training was. Which of these is NOT a type of social engineering attack?
Scarcity
Authority
Vishing
Reconnaissance
A

Reconnaissance
Reconnaissance is one of the phases of an attack or penetration test; it is not a form of social engineering. Vishing (voice phishing), authority, and scarcity are all types of social engineering.

133
Q

What is the PRIMARY reason we do Security awareness training in our organization?
Reduce human risk
Train staff to react in security incidents
Explain our security strategy to staff
Prove we are compliant with the laws and regs in our sector

A

Reduce human risk
The primary purpose of security training is to raise staff awareness and reduce the risk that staff poses. Most often the biggest security risk is our employees, and training and awareness can help with that. We also need to be in compliance with training requirements, and we need our staff to know how to react in a security incident, but for this question those are secondary objectives.

134
Q

We do risk assessments every so often. What is the MOST important reason for us doing that?
Risk assessments are not always accurate
Infosec risks often change
Prove to senior mgmt. that infosec is needed
Frequent reviews can help us optimize and save on costs

A

Infosec risks often change
The threat landscape is constantly changing, and with it the risks we have to protect against. While previous risk assessments may not be accurate, that is not the MOST important reason to do it; neither is optimizing, which is an added bonus. We would never do a risk assessment just to prove we are needed; we do that by giving valuable information that senior management can act on.

135
Q

We just recovered from a security incident on a server. The systems administrator tried to stop the attack and did not notify the Information Security team right away. What could we have done to avoid this mistake?
Regular reviews of the incident response procedures
Regular testing of the incident response plan
Regular testing of our IDS and IPS
Creating mandatory infosec training for all employees

A

X Regular testing of the incident response plan
The best way to improve incident performance and get consistent employee responses would be to test the plan. Testing the IDS/IPS is good to do but would have done nothing in this situation. A review of the incident procedures may have helped, but testing is much more effective. Making Information Security training mandatory is also good but would not have done anything in this case.

136
Q
Which of these devices would we want to place in our DMZ (demilitarized zone)?
Routers
Mail relays
Authentication servers
Firewalls
A

Mail relays
We would place our mail relay in the DMZ; it is a simple mail server that accepts emails, filters them based on a pre-defined set of criteria, and then delivers the emails to another server. Our routers and firewalls would not be in the DMZ, but they may be on the edge of it. Authentication servers would be kept behind the DMZ in our internal network.

137
Q
During an attack what should be our FIRST priority?
Containment
Monitoring
Restoration
Documentation
A

Containment
Our first priority should always be containment; we need to stop the attack from propagating through our network. Monitoring should already be in place. Documentation is done in our lessons learned after the attack. Restoration is done when the attack is contained and we have determined how and what was compromised. We fix the flaws and then restore systems and system access.

138
Q

Jane is our Information Security manager. Which of these metrics would be the BEST for her to use to evaluate the results of an Information Security program?
What percent of our control objectives we have achieved
What percent we are compliant with security policies
How many controls we have implemented
How large a reduction in security incidents we see

A

What percent of our control objectives we have achieved
Our control objectives relate to our business objectives, making them the best metric. Everything we do should tie back to our business vision, mission and objectives. How many controls we have implemented, the percentage of our policy compliance and the reduction in incidents are all indicators, but control objectives achieved is the better answer.

139
Q

Our Information Security manager Bob has been asked “What is of GREATEST importance when we decide if we should accept residual risk?”. What should he answer?
Potential business impact
Cost of additional mitigation compared to the benefit
TCO (Total cost of ownership)
Cost of the asset

A

Cost of additional mitigation compared to the benefit
We should always choose to reduce risk by implementing new countermeasures right up until the cost of the mitigation is higher than the benefit of the mitigation. We would use the TCO, the asset value and the business impact in our analysis, but they would not be of the GREATEST importance; they would be contributing factors.

140
Q

For our information security program to be successful, which of these is the MOST important?
Security awareness training
Senior management buy-in
Sufficient initial budget and staff
That the goals and objectives are achievable

A

Senior management buy-in
The MOST important thing in the success of our information security program is senior management's buy-in. The other answer options are secondary to senior management. We would need the awareness training, the achievable goals and objectives, and the initial budget and staff, but they are less important. If we do not have the buy-in from senior management, we are less likely to succeed.

141
Q

Our company uses a lot of contractors and temporary employees. What would be the BEST way to ensure their access is removed when they no longer need it?
Request that the overseeing manager email infosec when the contractor has completed their work
Send an audit of their account activity to the manager overseeing them
Set automatic expiration dates
Have all contractors and temp employees sign an NDA

A

Set automatic expiration dates
Before the contractor or temporary employee starts, we would know how long their contract is set for. We would use that and set automatic expiration dates on their access. If the contract is extended, the overseeing manager would request an extension (with a new automatic expiration). Requesting that the overseeing manager send an email when the contractor is done will often not happen; automation is always better than remembering. We may send the audit and have the contractors sign an NDA, but neither of those would help with access removal once the contract is completed.

142
Q

We have received a critical emergency security patch for our storage array via email from the company that made the array and its software. What is the FIRST thing we should do?
Do an extensive code review to ensure the patch addresses the issue
Validate the patch to ensure it is authentic
Deploy the patch in our production environment
Deploy the patch in our test environment

A

Validate the patch to ensure it is authentic
We FIRST need to confirm it is a real patch from the actual company that made the software. We do this before anything else. If we confirm it is from the company that made the software and it is critical, we would do proper change management, and if the patch was approved, we would deploy to our test environment first. If there are no issues, we would either do another round of change management or deploy to production. It is very unlikely we would do (or be able to do) any code review of a patch.

143
Q

Which of these would most often be something the Information Security steering committee would do?
Develop security awareness program content
Approve user access to mission critical financial servers
Interview new people for very technical infosec positions
Pick which order we would work on security initiatives

A

Pick which order we would work on security initiatives
The steering committee would prioritize our security efforts. They are the high-level governance over Information Security. It would be the IT manager and team that would interview technical Information Security personnel, they would also develop the awareness program. The approval for user access to any system would be approved by the data owner.

144
Q
If we want to prevent our users from sharing files with unauthorized users, which type of access control would be BEST to implement?
Mandatory access control
Attribute-based access control
Role-based access control
Discretionary access control
A

X Mandatory access control
If we want to ensure no file sharing with unauthorized users, we would use MAC (Mandatory Access Control). Users without proper access would not be able to access the files, and other users with the proper access can’t share them. File sharing with unauthorized users is possible with DAC (Discretionary access control), RBAC (Role-based access control), or ABAC (Attribute-based access control).

145
Q
We are deploying biometric access readers for areas in our organization that are labeled as critical security. For those areas, we should set the readers' sensitivity to which of these?
Low CER (Crossover error rate)
High FRR (False rejection rate)
High FAR (False acceptance rate)
Exactly at the CER
A

X High FRR (False rejection rate)
For areas that are considered critical or high security, we would want a higher than normal FRR (False rejection rate). This means that we may reject slightly more authorized employees, but it is worth it because we also get far fewer FAR (False acceptance rate) errors. Lower than or exactly at the CER (Crossover Error Rate) is what we would want for normal security areas, but not for areas that are high or critical security.

146
Q

As the Information Security manager, you are looking at antivirus software for our organization. What is the MOST important consideration before choosing a product?
How well it works with our IDSs, IPSs and firewalls
How large a market share the product has and the TCO
How easy it is to maintain and how often signature updates are released
How often the vendor releases major updates and their feature road map

A

How easy it is to maintain and how often signature updates are released
It is MOST important that the antivirus software’s signatures are updated frequently and that it is easy to maintain. How often the software vendor releases major updates is irrelevant, and so is their feature roadmap. The antivirus solution should work with our other security hardware and software, but in most places they would report back to our SIEM, and their interrelationship is secondary to the signature release frequency. The TCO is important, but again not as important as how often they update their signatures. Market share could be an indicator but is never a deciding factor.

147
Q
Bob as the Information Security manager has been tasked with implementing more restrictive preventative controls. By implementing the controls, they will PRIMARILY help to reduce what?
Threats
Loss
Likelihood
Vulnerabilities
A

X Vulnerabilities
When we implement more restrictive preventative controls, that would reduce our vulnerabilities. The threats would still be there; we would just not be susceptible to those specific threats. Our loss or the likelihood of an incident may or may not be reduced, but that is not what would PRIMARILY be affected.

148
Q
Rovana is looking at our administrative security controls. Which of these would be discretionary?
Guidelines
Policies
Standards
Procedures
A

Guidelines
Our policies, procedures and standards are mandatory, making them non-discretionary. Guidelines are recommendations on how to do a certain task; we would use those in shaping our practices, and they are discretionary. A way to remember it is that if it has “line” in it, it is discretionary (baseline, guideline).

149
Q

Rovana is suggesting we use a centralized information security management system over a decentralized system. What is a characteristic of a centralized system?
They are more aligned with business unit needs
Its adherence to our policies
It is more expensive
They can implement new requests faster

A

X Its adherence to our policies
Having a centralized information security management system will give us more predictable results, and it will allow us to follow our policies much more easily. Centralized systems are often cheaper than decentralized ones, but they are often less aligned with business units’ needs, since we apply the same posture across the entire enterprise.

150
Q

Rovana is the Information Security manager of an organization that spans the globe, meaning we need to follow the regulations of many different governments. To ensure we follow all these regulations, Rovana should:
Establish baseline standards for all locations and then add additional standards for locations that require more security
Find the common requirement that all locations have and implement those
Incorporate all of the regulations into one overarching policy that covers all the requirements of all the locations and ensure all locations follow it
Find industry best practices and ensure all locations are in compliance with those.

A

Establish baseline standards for all locations and then add additional standards for locations that require more security
It is most efficient to make a standard baseline and add additional standards for locations that need higher security. It could be an issue if we implemented the maximum standards in every location. Best practices are nice, but we have no idea whether they would be enough, and just implementing what every location has in common is never enough.

151
Q

Of these options, when is the BEST time to have a penetration test conducted?
After an audit has found weaknesses in security controls
After an attempted intrusion
After significant system changes
After a high staff turnover

A

After significant system changes
If we have significant changes to our environment, we would most likely want to do a penetration test; the changes could easily have introduced new vulnerabilities. After an audit, we would fix the vulnerabilities it found and then maybe do a penetration test, but not right after. The same goes for an intrusion: we would fix any issues and then maybe do a penetration test. High staff turnover in itself is not a reason for a penetration test.

152
Q
We can BEST ensure message integrity, sender authentication, and non-repudiation using which of these?
Symmetric cryptography
Hashing
PKI
Linear cryptanalysis
A

PKI
When we use PKI (Public Key Infrastructure), we can get message integrity, sender authentication, and non-repudiation. If we used symmetric encryption, we would get confidentiality; hashing can provide integrity and confidentiality; and linear cryptanalysis is a form of breaking the encryption, not applying it.

153
Q
We want to protect certain servers against SQL (Structured Query Language) injection attacks. Which of the following would do that the BEST?
Add IPSs
Add HIDSs
Add IDSs
Add host-based firewalls
A

Add IPSs
Of the options here, the IPS (Intrusion Prevention System) would have the greatest chance of stopping an SQL injection attack. The IDS and HIDS both detect and possibly alert; they do not prevent anything. SQL injection attacks happen on OSI layer 7, meaning a host-based firewall would not check the packets on the application layer.

154
Q
As part of our BIA (Business Impact Analysis) we need to determine the recovery times and cost estimates for all our systems. Who would be responsible for those values?
Business process owner
BCP coordinator
Infosec manager
Infosec steering committee
A

Business process owner
The business process owner should assign the recovery times and cost estimates; they have the most in-depth knowledge about the system or application and the impacts of an outage. The BCP coordinator would coordinate our efforts in an incident or disaster. The Information Security manager is there to make sure we follow the plans, and the steering committee would prioritize the systems and applications, but neither the Information Security manager nor the steering committee has the in-depth knowledge needed to assign the recovery times and cost estimates.

155
Q
Rovana is our Information Security Director; her team is going to do information risk analysis. Which of these options should be their FIRST step?
Classify all assets
Evaluate the risks to all assets
Determine the ownership of all assets
Make an asset inventory
A

Make an asset inventory
We first need to have a complete asset inventory before we can do any of the other options. If we don’t know what all our assets are, how can we classify, evaluate risks or determine ownership of them?

156
Q
As part of a security audit, we have found some security flaws. The IT Security team has been asked to suggest mitigation strategies using the OSI model. Which of these would address layer 7 issues?
Installing UPSes in the data center
Start using application firewalls
Shut down open unused ports
Access lists
A

Start using application firewalls
Application layer firewalls are on the 7th OSI layer. The key benefit of application layer firewalls is that they can understand certain applications and protocols. They see the entire packet; the packet isn’t decrypted until layer 6, so any other firewall can only inspect the packet, but not the payload. They can detect if an unwanted application or service is attempting to bypass the firewall using a protocol on an allowed port, or detect if a protocol is being used in any malicious way.

157
Q

We are implementing some new standards and frameworks in our organization. We chose to use scoping on one of the standards we are implementing. What does scoping mean?
To pick and choose which parts of the standard or framework we want to implement
To see if the standard is a good fit for our org
To implement the full standard or framework but implement higher standards in some areas
To find out how much the implementation will cost us

A

To pick and choose which parts of the standard or framework we want to implement
Scoping is determining which portion of a standard we will deploy in our organization. We take the portions of the standard that we want or that apply to our industry, and determine what is in scope and what is out of scope for us.

158
Q

We have hired a team of penetration testers to audit our network for vulnerabilities. During a test, one of the testers discovers a real attack underway. What should the tester do?
Nothing. He was hired to test, nothing else
Shut the system down to prevent further damage
Stop the attacker by cutting off access
Notify the org immediately

A

Notify the org immediately
The tester should never act on or fix anything on our network. If they notice an attack, they need to let us know right away so we can act on it.

159
Q
As part of improving the security posture of our organization we have added multifactor authentication. Which of these pairs does NOT constitute multifactor authentication?
Fingerprint and PIN
Password and username
PIN and credit card
Username and smartcard
A

Password and username
Multifactor authentication uses authentication from more than one factor (something you know, something you are, or something you have). A password and a username are not multifactor; they are both knowledge factors.

160
Q

Looking at the governance of our organization, we can use policies, standards, procedures, or other frameworks. Which of these characteristics would BEST describe our policies?
Low-level step-by-step guides
Recommendations
Non-specific but can contain patches, updates, strong encryption
Specific: all laptops are W10, 64 bit, 8 GB memory etc.

A

X Non-specific but can contain patches, updates, strong encryption
Policies – Mandatory: high level, non-specific. They can contain “patches, updates, strong encryption”, but they will not be specific about “OS, encryption type, vendor technology”.