CISM Test Bank Quiz With Complete Solution

The PRIMARY selection criterion for an offsite media storage facility is:
A. that the primary and offsite facilities not be subject to the same environmental disasters.
B. that the offsite storage facility be in close proximity to the primary site.
C. the overall storage and maintenance costs of the offsite facility.
D. the availability of cost-effective media transportation services.
Answer: A. The point is to prevent a single disaster from affecting both sites. The distance between the sites matters in the case of widespread disasters, but that concern is already covered by choice A. Cost should not be the primary selection criterion, and cost-effective media transport may be a consideration but is not the main concern.

In which of the following areas are data owners PRIMARILY responsible for establishing risk mitigation?
A. Platform security
B. Entitlement changes
C. Intrusion detection
D. Antivirus controls
Answer: B. Data owners are responsible for assigning user entitlements and approving access to the systems for which they are responsible. Platform security, intrusion detection and antivirus controls all fall within the responsibility of the information security manager.

Which of the following is the BEST justification to convince management to invest in an information security program?
A. Cost reduction
B. Compliance with company policies
C. Protection of business assets
D. Increased business value
Answer: D. Investing in an information security program should increase business value and confidence. Cost reduction by itself is rarely the motivator for implementing a program. Compliance is secondary to business value. Increasing business value may include protection of business assets.
To improve the security of an organization's human resources (HR) system, an information security manager was presented with a choice to either implement an additional packet filtering firewall OR a heuristics-based intrusion detection system (IDS). How should the security manager with a limited budget choose between the two technologies?
A. Risk analysis
B. Business impact analysis (BIA)
C. Return on investment (ROI) analysis
D. Cost-benefit analysis
Answer: D. Cost-benefit analysis weighs the cost of a safeguard against the benefit it provides and takes the results of the risk assessment as an input. The cost of a control should not exceed the benefit to be derived from it; the degree of control employed is a matter of business judgment. Risk analysis identifies the risk and appropriate mitigation strategies, but does not by itself choose between two candidate controls on cost. A BIA identifies the impact of the loss of systems. ROI analysis compares the magnitude and timing of investment gains directly with the magnitude and timing of investment costs.

An organization's information security manager has been asked to hire a consultant to help assess the maturity level of the organization's information security management. What is the MOST important element of the request for proposal (RFP)?
A. References from other organizations
B. Past experience of the engagement team
C. Sample deliverable
D. Methodology to be used in the assessment
Answer: D. The methodology describes the process and forms the basis for aligning expectations with the execution of the assessment; it also shows what is required of all parties involved. References from other organizations and the past experience of the engagement team are important, but less so than the methodology. Sample deliverables only show how the assessment is presented, not the process.
An organization is implementing intrusion protection in its demilitarized zone (DMZ). Which of the following steps is necessary to make sure that the intrusion prevention system (IPS) can view all traffic in the DMZ?
A. Ensure that intrusion prevention is placed in front of the firewall.
B. Ensure that all devices that are connected can easily see the IPS in the network.
C. Ensure that all encrypted traffic is decrypted prior to being processed by the IPS.
D. Ensure that traffic to all devices is mirrored to the IPS.
Answer: C. Encrypted traffic is opaque to an IPS, so encryption must be terminated before the traffic reaches it, typically at a TLS (formerly SSL) offload device such as a load balancer or reverse proxy, or at the virtual private network (VPN) concentrator, with the IPS inspecting the cleartext segment behind that point. Mirroring (choice D) only delivers copies of packets to the sensor; it does not make encrypted payloads readable. Two caveats a practitioner should keep in mind: the decrypted segment now carries cleartext and must be physically and logically protected, and payloads that the application encrypts end to end still cannot be inspected.

Which of the following are likely to be updated MOST frequently?
A. Procedures for hardening database servers
B. Standards for password length and complexity
C. Policies addressing information security governance
D. Standards for document retention and destruction
Answer: A. Policies and standards should be relatively static and not subject to frequent change. Procedures, especially those for hardening operating systems and database servers, change constantly: as the underlying software changes and evolves, the hardening procedures must keep pace.

When performing a qualitative risk analysis, which of the following will BEST produce reliable results?
A. Estimated productivity losses
B. Possible scenarios with threats and impacts
C. Value of information assets
D. Vulnerability assessment
Answer: B. Listing the possible scenarios that could occur, together with their threats and impacts, best frames the range of risks and supports a more informed discussion and decision. Estimated productivity losses, the value of information assets and vulnerability assessments are inputs, but none is sufficient on its own.

Addressing production risks is PRIMARILY a function of:
A. release management.
B. incident management.
C. change management.
D. configuration management.
Answer: C. Change management is the overall process for assessing and controlling the risk introduced by changes. Release management is the narrower process for managing the risk of deploying to production systems. Incident management is not directly relevant to life-cycle stages. Configuration management is the specific process for managing the risk associated with system configuration.

Which of the following requirements would have the LOWEST level of priority in information security?
A. Technical
B. Regulatory
C. Privacy
D. Business
Answer: A. Information security priorities may, at times, override technical specifications, which must then be rewritten to conform to minimum security standards. Regulatory and privacy requirements are mandated by law and are therefore not subject to override. The needs of the business should always take precedence in deciding information security priorities.

The MOST important component of a privacy policy is:
A. notifications.
B. warranties.
C. liabilities.
D. geographic coverage.
Answer: A. Privacy policies must contain notifications and opt-out provisions; they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are more specific.

Which of the following groups would be in the BEST position to perform a risk analysis for a business?
A. External auditors
B. A peer group within a similar business
C. Process owners
D. A specialized management consultant
Answer: C. Process owners have the most in-depth knowledge of the risks and compensating controls in their environment. External parties do not have that level of detailed knowledge of the inner workings of the business. Management consultants are expected to have the necessary skills in risk analysis techniques but are still less effective than a group with intimate knowledge of the business.

Obtaining senior management support for an information security initiative can BEST be accomplished by:
A. developing and presenting a business case.
B. defining the risk that will be addressed.
C. presenting a financial analysis of benefits.
D. aligning the initiative with organizational objectives.
Answer: A. A business case encompasses the other options and addresses each of them specifically: it must enumerate the risk the initiative will address (B); its value proposition covers the financial aspects of the initiative (C); and it must show how the initiative aligns with and supports organizational objectives (D).

Which of the following training mechanisms is the MOST effective means of promoting an organizational security culture?
A. Choose a subset of influential people to promote the benefits of the security program.
B. Hold structured training in small groups on an annual basis.
C. Require each employee to complete a self-paced training module once per year.
D. Deliver training to all employees across the organization via streaming video.
Answer: A. Certain people are either individually inclined or required by their positions to take a greater interest in promoting security than others. Selecting these people and offering them broad, diverse opportunities for security education lets them act as ambassadors to their teams and departments, bringing about a gradual but significant change in the organizational culture. Structured training (B) rarely aligns with the interests of individual employees chosen at random to fill a small-group setting. Computer-based training (C) is a common approach to annual awareness, but there is little evidence that employees retain the information or adopt it into their regular activities. Streaming-video "webinars" (D) are among the least effective means of presenting information, requiring very little interaction from end users.

Data owners are PRIMARILY responsible for:
A. providing access to systems.
B. approving access to systems.
C. establishing authorization and authentication.
D. handling identity management.
Answer: B. Approving access is the data owner's role. Providing access and establishing the authorization and authentication mechanisms (A and C) are the work of data custodians, and identity management (D) is the work of the information security staff.

Which of the following are the MOST important individuals to include as members of an information security steering committee?
A. Direct reports to the chief information officer
B. IT management and key business process owners
C. Cross-section of end users and IT professionals
D. Internal audit and corporate legal departments
Answer: B. A security steering committee provides a forum for management to express its opinion and take some ownership of the decision-making process. It is imperative that business process owners be included; none of the other choices includes them.

Which one of the following measures will BEST indicate the effectiveness of an incident response process?
A. Number of open incidents
B. Reduction of the number of security incidents
C. Reduction of the average response time to an incident
D. Number of incidents handled per month
Answer: C. Of the measures listed, the reduction of average response time is the best indicator of incident response effectiveness, because faster response limits the impact of an incident. The number of open incidents is not an indicator of effectiveness because the team does not control how many incidents it must handle at any given time. A reduction in the number of security incidents generally reflects improved controls rather than the effectiveness of the response team. The number of incidents handled per month is not a direct indicator of team effectiveness either.

The BEST way to obtain senior management commitment and support for information security investments is to:
A. link security risk to organization business objectives.
B. explain the technical risk to the organization.
C. include industry best practices as they relate to information security.
D. detail successful attacks against a competitor.
Answer: A. Senior management wants to understand the business justification for investing in security, so support is best obtained by linking security to key business objectives. Technical risk and examples of successful attacks against a competitor will not hold management's interest unless they are tied to the impact on the business environment and objectives. Industry best practices matter to senior management, but management will give them the right weight only when they are presented in terms of key business objectives.

When securing wireless access points, which of the following controls would BEST assure confidentiality?
A. Implementing wireless intrusion prevention systems
B. Not broadcasting the service set identifier (SSID)
C. Implementing wired equivalent privacy (WEP) authentication
D. Enforcing a virtual private network (VPN) over wireless
Answer: D. Enforcing a VPN over wireless provides strong authentication and encryption of the sessions independently of the wireless link itself. A wireless intrusion prevention system is a detective control and does not prevent wireless sniffing. Not broadcasting the SSID does not reduce the risk of wireless frames being captured; the SSID is still sent in cleartext whenever a client associates. WEP is cryptographically broken (its RC4 keying lets an attacker recover the key from captured traffic) and protects neither confidentiality nor authentication.

Who should PRIMARILY provide direction on the impact of new regulatory requirements that may lead to major application system changes?
A. The internal audit department
B. System developers/analysts
C. Key business process owners
D. Corporate legal counsel
Answer: C. Business process owners are in the best position to understand how new regulatory requirements affect their systems. Legal counsel, system developers and internal auditors are not in as good a position to understand the full ramifications.

Which of the following choices will MOST influence how the information security program will be designed and implemented?
A. Type and nature of risk
B. Organizational culture
C. Overall business objectives
D. Lines of business
Answer: B. Organizational culture generally shapes risk appetite and risk tolerance, which in turn have the greatest influence over how an information security program should be designed and implemented. The specific risk faced by the organization (A) affects the program, but how that risk is perceived and dealt with depends on the culture. Business objectives (C) and lines of business (D) determine the specific kinds of risk to be addressed but do not greatly influence the actual program development and implementation.

The relationship between policies and corporate standards can BEST be described by which of the following associations?
A. Standards and policies have only an indirect relationship.
B. Standards provide a detailed description of the meaning of a policy.
C. Standards provide direction on achieving compliance with policy intent.
D. Standards can exist without a relationship to any particular policy.
Answer: C. Corporate standards set the allowable limits and boundaries for people, processes and technology as an expression of policy intent, and therefore provide direction on policy compliance. In most cases there is a direct relationship between policy and standards (A). Standards generally do not explain the meaning of policy; they state the acceptable limits needed to comply with its intent (B). Standards that do not express the intent of a particular policy are poor practice; where they exist, they rely on an implicit policy (D).

Which one of the following factors of a risk assessment typically involves the GREATEST amount of speculation?
A. Exposure
B. Impact
C. Vulnerability
D. Likelihood
Answer: D. The likelihood of a threat encountering a susceptible vulnerability can only be estimated statistically. Exposure, impact and vulnerability can be determined within a range.

Which of the following is a key component of an incident response policy?
A. Updated call trees
B. Escalation criteria
C. Press release templates
D. Critical backup files inventory
Answer: B. Escalation criteria, which state the circumstances under which specific actions are to be taken, belong in an incident response policy. Call trees, press release templates and inventories of critical backup files are too detailed for a policy document and belong in plans and procedures.

The MOST complete business case for security solutions is one that:
A. includes appropriate justification.
B. explains the current risk profile.
C. details regulatory requirements.
D. identifies incidents and losses.
Answer: A. Management is primarily interested in security solutions that address risk in the most cost-effective way. To meet the needs of the organization, a business case should justify appropriate security solutions in line with the organizational strategy; the current risk profile, regulatory requirements and incident history are inputs to that justification, not substitutes for it.

What is the MOST essential attribute of an effective key risk indicator (KRI)?
A. The KRI is accurate and reliable.
B. The KRI provides quantitative metrics.
C. The KRI indicates required action.
D. The KRI is predictive of a risk event.
Answer: D. A KRI should indicate that a risk is developing or changing, signalling that investigation is needed to determine the nature and extent of the risk. KRIs are early signals and are typically neither accurate nor reliable as a measure of what the actual risk is (A). They typically do not provide quantitative metrics about risk (B), and they do not indicate any particular action other than to investigate further (C).

Which of the following is MOST effective in protecting against the attack technique known as phishing?
A. Firewall blocking rules
B. Up-to-date signature files
C. Security awareness training
D. Intrusion detection monitoring
Answer: C. Phishing relies on social engineering. Good security awareness training best reduces the likelihood of such an attack succeeding. Firewall rules, signature files and intrusion detection system (IDS) monitoring are largely ineffective at blocking this kind of attack, because the user, not a technical flaw, is the target.

The acceptability of a partial system recovery after a security incident is MOST likely to be based on the:
A. ability to resume normal operations.
B. maximum tolerable outage (MTO).
C. service delivery objective (SDO).
D. acceptable interruption window (AIW).
Answer: C. The SDO is a prior determination of the acceptable level of operation in the event of an outage. It may be set below normal operating levels, but must be sufficient to sustain essential business functions. The ability to resume normal operations is situational and is not a standard for acceptability. The MTO and AIW, together with many other factors, feed into the SDO, but neither by itself addresses the acceptability of a specific level of operational recovery.

Which of the following presents the GREATEST exposure to internal attack on a network?
A. User passwords are not automatically expired
B. All network traffic goes through a single switch
C. User passwords are encoded but not encrypted
D. All users reside on a single internal subnet
Answer: C. Encoding (Base64, for example) is a reversible transformation that involves no key; anyone who captures an encoded password on the internal network can convert it back to cleartext trivially. Passwords in transit should be protected by encryption (for example, TLS). Not automatically expiring passwords does create an exposure, but not as great as passwords that are effectively sent in cleartext. Using a single switch or subnet does not present a significant exposure.
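The "encoded but not encrypted" point above is easy to demonstrate. The following is an added example, not part of the test bank: a small detector run over constructed HTTP requests (invented for this example, not real captures) that recovers credentials sent as HTTP Basic tokens or as form fields, exactly as an insider with a packet capture would. The field-name lists and hostnames are assumptions for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Constructed sample traffic for this example (not real captures): three HTTP
# requests as a sniffer on an internal segment would see them. Only the first
# two carry credentials.
CAPTURED_REQUESTS = [
    "GET /hr/payroll HTTP/1.1\r\nHost: hr.example.internal\r\n"
    "Authorization: Basic YWxpY2U6UGFzc3cwcmQh\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: hr.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 32\r\n\r\nusername=bob&password=Winter2024",
    "GET /status HTTP/1.1\r\nHost: hr.example.internal\r\n\r\n",
]

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
# Form field names treated as password/user fields; an assumption for this example.
SECRET_FIELDS = {"password", "passwd", "pwd", "pass"}
USER_FIELDS = ("username", "user", "login")


def decode_basic(token):
    """Reverse the Base64 encoding of an HTTP Basic token. Encoding is not
    encryption: no key is involved, so anyone holding the token gets the
    credentials back. Returns (user, password) or None if not a Basic token."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def find_cleartext_credentials(request):
    """Return (kind, user, password) findings for one captured HTTP request."""
    findings = []
    head, _, body = request.partition("\r\n\r\n")
    for match in BASIC_RE.finditer(head):
        creds = decode_basic(match.group(1))
        if creds:
            findings.append(("basic-auth",) + creds)
    if "application/x-www-form-urlencoded" in head.lower() and body:
        fields = parse_qs(body)
        user = next((fields[f][0] for f in USER_FIELDS if f in fields), "")
        for name, values in fields.items():
            if name.lower() in SECRET_FIELDS:
                findings.append(("form-post", user, values[0]))
    return findings


def scan(requests):
    """Run the detector over a list of captured requests."""
    return [f for r in requests for f in find_cleartext_credentials(r)]


if __name__ == "__main__":
    for kind, user, password in scan(CAPTURED_REQUESTS):
        print(f"{kind}: user={user!r} password recovered ({len(password)} chars)")
```

The same scan over traffic carried inside TLS finds nothing, because the sniffer never sees the HTTP layer; that, not a stronger encoding, is the control the question is pointing at.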
Which of the following is the MOST important aspect that needs to be considered from a security perspective when payroll processes are outsourced to an external service provider?
A. A cost-benefit analysis has been completed.
B. Privacy requirements are met.
C. The service provider ensures a secure data transfer.
D. No significant security incident occurred at the service provider.
Answer: B. Applicable privacy requirements may be a matter of law or policy and must be considered whenever a process involving personal information is outsourced. A cost-benefit analysis is a business consideration, not a security one. Secure data transfer is necessary, but it is only one of many privacy and security issues to address. Past incidents reflect neither the provider's current security posture nor the applicable security requirements.

Which of the following BEST supports continuous improvement of the risk management process?
A. Regular review of risk treatment options
B. Classification of assets in order of criticality
C. Adoption of a maturity model
D. Integration of assurance functions
Answer: C. A maturity model such as the capability maturity model (CMM) classifies an organization's process as initial, repeatable, defined, managed or optimized, so the organization can see where it stands and work toward the optimized state. Risk treatment (A) is only one element of the risk management process; risk identification, communication and acceptance must also be considered. Classification of assets (B) is important but is likewise a single element and does not ensure continuous improvement. Integrating assurance functions (D) has many benefits, but it is not a holistic approach: even the best assurance functions remain reactive if risk management does not cascade through the entire organization, and the whole staff, not only the assurance functions, must be risk conscious.

Who would be the PRIMARY user of metrics regarding the number of email messages quarantined due to virus infection versus the number of infected email messages that were not caught?
A. The security steering committee
B. The board of directors
C. IT managers
D. The information security manager
Answer: D. Metrics support decisions. The number of email messages blocked due to viruses is not, on its own, actionable for senior management (A and B) or for IT management (C). Information about the effectiveness of the email antivirus control is most useful to the information security manager and staff, who can use it to investigate why the control is not performing as expected and whether other factors contribute to its failure. Those findings, together with the metrics, then support decisions to alter processes or to add to or change the controls in place.

Which of the following is the MOST effective way to measure strategic alignment of an information security program?
A. Survey business stakeholders
B. Track audits over time
C. Evaluate incident losses
D. Analyze business cases
Answer: A. The best indicator of strategic alignment is the opinion of the business stakeholders, and the best way to obtain it is to ask them. The other choices have no direct correlation with how well the information security program supports business goals and objectives.

Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following?
A. Tree diagrams
B. Venn diagrams
C. Heat charts
D. Bar charts
Answer: C. Heat charts, sometimes called stoplight charts, quickly and clearly show the current status of remediation efforts. Venn diagrams show the relationships between sets; tree diagrams are useful for decision analysis; bar charts show relative size.

Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?
A. To mitigate technical risks
B. To have an independent certification of network security
C. To receive an independent view of security exposures
D. To identify a complete list of vulnerabilities
Answer: C. Even if the organization can perform penetration testing with internal resources, third-party testing should be performed to gain an independent view of the security exposure. Mitigating technical risk is not a direct result of a penetration test. A penetration test neither certifies network security nor produces a complete list of vulnerabilities; it is time-boxed and finds only what its scope and methods reach.

The MOST effective approach to ensure the continued effectiveness of information security controls is by:
A. ensuring inherent control strength.
B. ensuring strategic alignment.
C. utilizing effective life cycle management.
D. utilizing effective change management.
Answer: C. Managing controls over their life cycle allows for compensation as their effectiveness decreases over time. Inherent strength does not prevent a control from degrading. Strategic alignment helps identify the life cycle stages of controls but by itself does not address degradation. Change management strongly supports life cycle management but does not by itself cover the complete cycle.

Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application?
A. User security procedures
B. Business process flow
C. IT security standards
D. Regulatory requirements
Answer: C. IT management should ensure that mechanisms are implemented in line with IT security standards. Procedures derive from policy, and a user security procedure does not describe the access control mechanism in place. The business process flow is not relevant to the access control mechanism. Regulatory requirements should already be reflected in the organization's own policies and standards.

The IT function has declared that it is not necessary to update the business impact analysis (BIA) when putting a new application into production because it does not produce modifications in the business processes. The information security manager should:
A. verify the decision with the business units.
B. check the system's risk analysis.
C. recommend update after postimplementation review.
D. request an audit review.
Answer: A. It is not the IT function's responsibility to decide whether a new application modifies business processes; the business units must confirm that. Checking the system's risk analysis (B) does not consider the change to the application. Choices C and D merely delay the update.

Information security governance is PRIMARILY driven by:
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.
Answer: D. Governance is directly tied to the strategy and direction of the business. Technology constraints, regulatory requirements and litigation potential are all important factors, but they are addressed within, and subordinate to, the business strategy.

The FIRST step in developing an information security management program is to:
A. identify business risk that affects the organization.
B. establish the need for creating the program.
C. assign responsibility for the program.
D. assess adequacy of existing controls.
Answer: B. The first step is to establish the need for creating the program. This is a business decision based more on judgment than on any specific quantitative measure. Once the need is established, responsibility is assigned and the risk and control assessments follow.

A privacy statement on a company's e-commerce web site should include:
A. a statement regarding what the company will do with the information it collects.
B. a disclaimer regarding the accuracy of information on its web site.
C. technical information regarding how information is protected.
D. a statement regarding where the information is being hosted.
Answer: A. Most privacy laws and regulations require disclosure of how collected information will be used. A disclaimer about accuracy does not concern data privacy. Technical details of how information is protected are not required and would in fact be undesirable to publish. Stating where information is hosted is not mandatory.

What are the essential elements of risk?
A. Impact and threat
B. Likelihood and consequence
C. Threat and exposure
D. Sensitivity and exposure
Answer: B. Risk is the combination of the probability of an event and its consequence (ISO/IEC Guide 73); the probability of an event is that of a threat exploiting a vulnerability. A threat is an element of risk only in combination with a vulnerability (A). Threat and exposure are insufficient to determine risk (C). Sensitivity is a measure of consequence but does not take probability into account, and exposure moderates risk but is not itself a component of it (D).

From an information security manager's perspective, what is the immediate benefit of clearly defined roles and responsibilities?
A. Enhanced policy compliance
B. Improved procedure flows
C. Segregation of duties
D. Better accountability
Answer: D. Without well-defined roles and responsibilities there can be no accountability. Policy compliance (A) requires adequately defined accountability first and is therefore a by-product. People can be assigned to execute procedures that are not well designed, so procedure flows (B) do not necessarily improve. Segregation of duties (C) is not automatic; defined roles may still include conflicting duties.

What action should the security manager take FIRST when incident reports from different organizational units are inconsistent and highly inaccurate?
A. Ensure that a clear organizational incident definition and severity hierarchy exists.
B. Initiate a companywide incident identification training and awareness program.
C. Escalate the issue to the security steering committee for appropriate action.
D. Involve human resources (HR) in implementing a reporting enforcement program.
Answer: A. The first action is to validate that clear incident definitions and severity criteria are established and communicated throughout the organization. A training program (B) will not be effective until those criteria exist. The steering committee (C) may become involved after the criteria have been established and communicated. Enforcement (D) will likewise be ineffective without clear criteria.
What is the BIGGEST concern for an information security manager reviewing firewall rules? Select an answer: A. The firewall allows source routing. B. The firewall allows broadcast propagation. C. The firewall allows unregistered ports. D. The firewall allows nonstandard protocols.>>> You are correct, the answer is A. If the firewall allows source routing, any outsider can carry out spoofing attacks by stealing the internal (private) IP addresses of the organization. Broadcast propagation, unregistered ports and nonstandard protocols do not create a significant security exposure. Which of the following is the MOST important reason for an information security review of contracts? Select an answer: A. To help ensure the parties to the agreement can perform B. To help ensure confidential data are not included in the agreement C. To help ensure appropriate controls are included D. To help ensure the right to audit is a requirement>>> You answered D. The correct answer is C. Agreements with external parties can expose an organization to information security risks that must be assessed and appropriately mitigated. The ability of the parties to perform is normally the responsibility of legal and the business operation involved. Confidential information may be in the agreement by necessity and, while the information security manager can advise and provide approaches to protect the information, the responsibility rests with the business and legal. Audit rights may be one of many possible controls to include in a third-party agreement, but is not necessarily a contract requirement, depending on the nature of the agreement. Logging is an example of which type of defense against systems compromise? Select an answer: A. Containment B. Detection C. Reaction D. Recovery>>> You are correct, the answer is B. Detection defenses include logging as well as monitoring, measuring, auditing, detecting viruses and intrusion. 
Examples of containment defenses are awareness, training and physical security defenses. Examples of reaction defenses are incident response, policy and procedure change, and control enhancement. Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans. Which of the following would be the MOST important goal of an information security governance program? Select an answer: A. Review of internal control mechanisms B. Effective involvement in business decision making C. Total elimination of risk factors D. Ensuring trust in data>>> You answered B. The correct answer is D. The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance. Review of internal control mechanisms relates more to auditing, while the total elimination of risk factors is not practical or possible. Proactive involvement in business decision making implies that security needs dictate business needs when, in fact, just the opposite is true. Involvement in decision making is important only to ensure business data integrity so that data can be trusted. Which of the following is the FIRST step after the intrusion detection system (IDS) sends out an alert about a possible attack? Select an answer: A. Assess the type and severity of the attack. B. Determine whether it is an actual incident. C. Contain the damage to minimize the risk. D. Minimize the disruption of computer resources.>>> You are correct, the answer is B. A. The type and severity of the attack should be studied once it is concluded that the incident is valid. B. An administrator conducting regular maintenance activities may trigger a false-positive alarm from the IDS. One must validate a real incident before taking any action. C. Damage should be contained and risk minimized after confirming a valid incident, thus discovering the type and severity of the attack. D. 
One of the goals of incident response is to minimize the disruption of computer resources. Which of the following devices should be placed within a demilitarized zone (DMZ)? Select an answer: A. Network switch B. Web server C. Database server D. File/print server>>> You are correct, the answer is B. A web server should normally be placed within a demilitarized zone (DMZ) to shield the internal network. Database and file/print servers may contain confidential or valuable data and should always be placed on the internal network, never on a DMZ that is subject to compromise. Switches may bridge a DMZ to another network but do not technically reside within the DMZ network segment. Which of the following BEST protects confidentiality of information? Select an answer: A. Information classification B. Segregation of duties C. Least privilege D. Systems monitoring>>> You answered A. The correct answer is C. A. While classifying information can help focus the assignment of privileges, classification itself does not provide enforcement. B. Only in very specific situations does segregation of duties safeguard confidentiality of information. C. Restricting access to information to those who need to have access is the most effective means of protecting confidentiality. D. Systems monitoring is a detective control rather than a preventive control. What is the MOST cost-effective method of identifying new vendor vulnerabilities? Select an answer: A. External vulnerability reporting sources B. Periodic vulnerability assessments performed by consultants C. Intrusion prevention software D. Honeypots located in the DMZ>>> You are correct, the answer is A. External vulnerability sources are going to be the most cost-effective method of identifying these vulnerabilities. The cost involved in choices B and C would be much higher, especially if performed at regular intervals. Honeypots would not identify all vendor vulnerabilities. 
In addition, honeypots located in the DMZ can create a security risk if the production network is not well protected from traffic from compromised honeypots. Which one of the following measures will BEST indicate the effectiveness of an incident response process? Select an answer: A. Number of open incidents B. Reduction of the number of security incidents C. Reduction of the average response time to an incident D. Number of incidents handled per month>>> You are correct, the answer is C. Of the list provided, the best measure of incident response effectiveness is the reduction of average response time to an incident. Reduction of response time helps minimize the impact of the incident. The total number of open incidents is not an indicator of incident response effectiveness because the team does not have direct control over the number of incidents it must handle at any given time. Reduction of the number of security incidents generally cannot be attributed to the effectiveness of the response team, but rather to improved controls. The number of incidents handled per month would not be a direct indicator of team effectiveness. What is the MOST important factor in the successful implementation of an enterprisewide information security program? Select an answer: A. Realistic budget estimates B. Security awareness C. Support of senior management D. Recalculation of the work factor>>> You are correct, the answer is C. Without the support of senior management, an information security program has little chance of survival. A company's leadership group, more than any other group, will more successfully drive the program. Their authoritative position in the company is a key factor. Budget approval, resource commitments, and companywide participation also require the buy-in from senior management. Senior management is responsible for providing an adequate budget and the necessary resources. Security awareness is important, but not the most important factor. 
Recalculation of the work factor is a part of risk management. An organization's IT change management process requires that all change requests be approved by the asset owner and the information security manager. The PRIMARY objective of getting the information security manager's approval is to ensure that: Select an answer: A. changes comply with security policy. B. risk from proposed changes is managed. C. rollback to a current status has been considered. D. changes are initiated by business managers.>>> You answered A. The correct answer is B. A. A change affecting a security policy is not handled by an IT change process. B. Changes in the IT infrastructure may have an impact on existing risk. An information security manager must ensure that the proposed changes do not adversely affect the security posture. C. Rollback to a current state may cause a security risk event and is normally part of change management, but is not the primary reason that security is involved in the review. D. The person who initiates a change has no effect on the person who reviews and authorizes an actual change. [Show More]
Uploaded Sep 01, 2022 by Excel. Preview 1 out of 287 pages.