Practice tests Flashcards
Who in our organization would be the BEST person to set the RPO (Recovery Point Objective) for our business applications? InfoSec Manager COO Internal Audit Manager Business continuity coordinator
COO
Of the people listed the COO would be the person BEST suited to set the RPO. We would ideally want the data owner to set it, but if they are not available the COO would be the person who would be most suited. The Information Security manager, audit manager or the business continuity coordinator should not determine the RPOs for business applications.
Which of these would be an indicator that we need to take a look at our change request procedures? A lot of emergency change requests A lot of postponed change requests A lot of similar change requests A lot of canceled change requests
A lot of emergency change requests
If we get a lot of emergency change requests, we should take another look at our change procedures and processes. Emergency change requests will happen, but they should be the exception, not the rule. With emergency change requests we rarely have the required time to test the change properly. Changes being postponed, canceled, or many of them being similar is what we would want to see. They are all indicators of a well-functioning change management process.
Who in our organization is responsible for us being in compliance with the legal and regulatory requirements for our line of business? CISO Chief Legal Counsel (CLC) Infosec steering committee Board of directors and senior mgmt
Board of directors and senior mgmt
The board of directors and senior management are always ultimately responsible (and liable). The steering committee would be the ones who choose which Information Security measures we implement; the CISO and CLC may also be responsible, but the board/senior management is MORE correct.
With how rapidly Information Security is evolving we often need to update our documentation, standards, and procedures. Which of these would we update MOST often?
Server hardening procedures
Standards for password complexity
Standards for data retention and destruction
Policies for Infosec governance
Server hardening procedures
We would update our server hardening procedures MOST often; they need to be constantly updated to reflect the latest patches and updates. We would still update our standards and policies, but not very often, and definitely not as often as our specific procedures.
Why is it important to classify and determine the sensitivity of our assets?
Ensure very sensitive assets are protected
Ensure the cost of controls are minimized
Cost of protections should be proportionate with the sensitivity of the asset
Ensure countermeasures are appropriate to the risk
Ensure countermeasures are appropriate to the risk
We always implement countermeasures that are appropriate for the risk; that is why we clearly classify and determine the sensitivity of our assets. Protection cost being proportionate to sensitivity makes no sense; we base the appropriate cost on the risk. Naturally we want risks to be minimized and sensitive assets to be protected, but that is not why we do the classification.
What would be BEST protection against data loss from a stolen laptop? Strong passwords Multifactor authentication Encrypted hard drives Real time network backups
Encrypted hard drives
The best protection against data loss on a stolen laptop would be if we had the drives encrypted. Strong passwords can be bypassed by a skilled hacker, and multifactor authentication can often be bypassed if we remove the drives and add them to another computer. Backups would do nothing to protect the data; they would just give us a copy of it.
We are deploying VPN (Virtual Private Network) access for our remote employees. As part of the project requirements we need to ensure we have strong authentication. Which of these is the STRONGEST authentication method available? Biometric readers SSL (Secure Socket Layer) authentication Symmetric encryption 2FA (2-factor authentication)
2FA (2-factor authentication)
2FA (2-factor authentication) is considered more secure than any of the other answers. That means 2 types of authentication: something you know (type 1), something you have (type 2), or something you are (type 3 or biometrics). Symmetric encryption is normally not used for authentication, and neither is SSL normally. Biometrics is an authentication type, but it is not as strong as 2FA (2-factor authentication) by itself.
We use both IDSs (Intrusion Detection Systems) and IPSs (Intrusion Prevention Systems) in our environment. What is the MAIN purpose of the IDSs?
To alert on true negatives
To identify potential attacks on our internal network
To block traffic seen as malicious
To identify network misconfigurations
To identify potential attacks on our internal network
IDSs (Intrusion Detection Systems) are detection systems; they do not act, and their MAIN purpose is to identify potential attacks on our internal network. They do not block malicious traffic; that would be an IPS (Intrusion Prevention System). We could discover potential misconfigurations with vulnerability scanners, not IDSs. Finally, an IDS would alert on “True Positives” (which is good): an attack is happening, and the system detected it; and on “False Positives” (which is bad): the system sees normal traffic as malicious. The system would not alert on “True Negatives”; that is normal traffic and the system seeing it as such.
Which type of access control is the MOST efficient? Centralized Decentralized Discretionary Role-based
Role-based
Role-based access control would be the most efficient type of access control based on the answer options. Access is assigned to job roles, reducing administrative overhead and making it more efficient. Decentralized would require more administrative overhead, and so would discretionary access control, where the data owner would assign access at their discretion. Centralized access control is more efficient than decentralized, but in this example we do not have enough information for it to be the right answer.
Bassam is using GAP analysis to prepare for a board meeting presentation. Which of these MOST accurately describes a GAP analysis?
Analysis of current state versus desired state
Analysis of the control objectives we have to ensure they align with business goals
Evaluating the BIA (business impact analysis) to make sure it is aligned with our business goals
Analysis of what we as an org are good at to see if we can use that to our advantage
Analysis of current state versus desired state
A GAP analysis is used for mapping our current state versus our desired state. We would use the GAP analysis to plan out the actionable steps we need to take to get from our current to our desired state. The BIA is us analyzing the impact of a certain incident. The analysis where we look at what we are good at is SWOT analysis, and obviously control objectives should align with business objectives, but that was not the question here.
Which of these could be MOST effective against internal threats to our confidential information? Defense in depth A privacy policy Role-based access control Monitoring of our audit trails
Role-based access control
Of the options available here, role-based access control would protect our information from internal threats the BEST. A privacy policy is not related to risk, defense in depth is mostly focused on outsider threats, and audit trails are detective controls we use after the fact.
Our credit card database has been compromised; what should we do FIRST?
Verify there was an incident
Notify the data owner
Notify the Infosec steering committee
Start containment and network segmentation
Verify there was an incident
Our first step should be to confirm the incident actually happened. After we confirm the incident, we would contain, segment, and notify the data owner and leadership. The sequence is very important; it is possible the incident was a false positive (normal traffic seen as malicious).
We are a large multinational organization with offices in Europe, the US, Asia, Australia, Russia and Africa. Which type of information would we expect to have the LOWEST level of security protection? Previous financial results Strategic plan Upcoming financial results Customer PII
Previous financial results
Our previous financial results would have the LOWEST level of protection; they are already public. Exposing our strategic plan, our upcoming financial results, or customer PII would have adverse effects.
A new regulatory requirement has been published for our industry. It looks like the implementation cost will be very high. What should you as the Information Security manager do FIRST? Implement immediate countermeasures Implement compensating controls Start an Infosec steering committee Do a gap analysis
Do a gap analysis
We would start with a GAP analysis: what is our current state, and what is our desired state? Then we would plan how to get from the current to the desired state. The steering committee would choose which initiatives we move forward with and would not be a FIRST step. Compensating controls we may implement later, after we know more. We can’t implement immediate countermeasures; we need to do the analysis first.
Who would be responsible in our organization for classifying our information? Data owner CISO DB administrator Data custodian
Data owner
The owner of the data is always responsible for classifying the data; they know best how sensitive (or not) their data is. The data custodian would do the practical things (patches, security, updates), but never classify anything. The CISO or the DBA are not appropriate for assigning sensitivity; they may have no clue what the data is or how sensitive the data is.
In order to mitigate newly discovered security vulnerabilities in an operating system, we would use which of these processes to address the vulnerability in a timely manner? Patch mgmt Security vulnerability mgmt Change mgmt Server mgmt
Patch mgmt
We would use patch management to address new operating system security vulnerabilities. Change management is the control process we have in place to ensure changes to our environment are planned, tested, and implemented properly; patch management would be part of our change management process. Server management is the management of everything regarding the server, and security vulnerability management is managing vulnerabilities on a server, including patch management, but patch management is a MORE right answer.
Which of these would be the MOST important for our security policies to do?
Be in clear and easily understood language
Be tailored to each business unit
Have verbiage about our network vulnerabilities
Address the process for communication internally and externally during a security incident.
Be in clear and easily understood language
Our security policies should be clear and easy to understand, and they should be available to our entire staff. We would not have network vulnerabilities in our policies, and we do not want our entire organization to know about them. The process for communication would be in our DRP (Disaster Recovery Plan) or CCP (Crisis Communication Plan). The security policies are high level and vague; we would never want to have tailored versions for each business unit. The security policies are built from the vision and mission of the business, and they should be consistent across the organization.
Our organization is spread across many smaller offices across the country. Which of these would present the LARGEST security risk?
System operations are not being followed
System capacity mgmt processes are not being followed
Software dev is outsourced
Change mgmt processes are not being followed
Change mgmt processes are not being followed
If our branches do not follow proper change management, it is a cause for concern. Implementing fixes and solutions without proper change control can introduce a lot of security risks. System operating procedures and capacity management procedures should always be followed, but not following them is not as severe as a lack of proper change management. We often outsource our software development; in itself it poses no security risk, as long as security is designed into the software and we do proper change control and management.
If we want to protect our organization against internal security threats, which of these would be the BEST to use? User training Server hardening Background checks Static IP addresses
Background checks
Background checks are the best way to protect against internal security threats of the options; people's past behavior and actions are good indicators of how and what they will do in the future. Server hardening may help, but we have no clue which type of internal threat we are dealing with. Static IPs really do nothing to protect us against internal security threats. User training is us giving them the training; in itself it does nothing. What we want is to raise their awareness, which is them acting on the knowledge and doing the right thing.
We want to ensure non-repudiation. Which of these would be the BEST for that? Collision-resistant hashes Digital signatures Strong complex passwords Symmetric encryption
Digital signatures
Digital signatures (or PKI (Public Key Infrastructure)) would be the BEST to ensure non-repudiation. You should be the only person with your private key; if a file was signed with your private key, you would have a very hard time proving you didn't sign it. Strong passwords would possibly make us more secure, hashes would ensure integrity, and symmetric encryption can possibly ensure confidentiality, but none of them would give us non-repudiation.
One of our critical systems has an administrator account; the account prevents account locking, privilege changes, and name changes. What could we implement that would protect us BEST against brute force password attacks?
Make a strong random password for the account
Don’t allow the system to be accessed from outside our org
Log all account usage
Request a patch from the vendor
Make a strong random password for the account
Since we are unable to lock the account, our best option is to create a very strong random password. It may not be an option to only allow internal access, and even if we do, attackers could get onto our network and brute force from there. We can request a patch, but we have no way of making the vendor provide it, and logging usage is a detective control and does not prevent attacks.
We are doing audits on our firewalls. What would be the best metric for measuring their effectiveness?
How many firewall rules we have configured on each firewall
The number of attacks they have blocked
The average throughput
The number of packets they have dropped
The number of attacks they have blocked
Of the options available, the best metric to evaluate the effectiveness of our firewalls would be how many attacks they have blocked. How many packets they dropped, the throughput, and how many rules we have configured are not indicators of the effectiveness of the firewall.
Bob has been tasked with integrating our new risk management processes into our existing production systems. What would be the BEST way to do that? Process monitoring Update our policies Change management User training
Change management
We would use our change management process to integrate new processes into existing production systems. We would also, as part of the integration, do user training, update our policies, and possibly monitor the processes, but they are not the BEST way to integrate.
As the Information Security Director, you are assisting the Information Security steering committee and the application owners in assigning RTOs (Recovery Time Objectives) for the applications we use in our organization. Which of these should have the SHORTEST RTO? Our intranet Our change mgmt system Our VPN access for remote contractors Our e-commerce website
Our e-commerce website
Of the systems listed here, the e-commerce system would have the SHORTEST RTO. We would want it to be back to at least limited capacity within less than an hour. In most cases we should have a truly redundant solution in place with no downtime. Our change management system would have procedures in place in case of a change management outage; it is non-critical. Our intranet is possibly important depending on our work process flow, but it is not as important as our e-commerce. The same applies to our VPN access for contractors: it is important, but not as important as e-commerce.