Exam (elaborations)

CISM Test Bank Quiz With Complete Solution

Pages: 287
Grade: A+
Uploaded on: 22-05-2023
Written in: 2022/2023

The PRIMARY selection criterion for an offsite media storage facility is:
A. that the primary and offsite facilities not be subject to the same environmental disasters.
B. that the offsite storage facility be in close proximity to the primary site.
C. the overall storage and maintenance costs of the offsite facility.
D. the availability of cost-effective media transportation services.
Answer: A. It is important to prevent a single disaster from affecting both sites. The distance between sites matters in the case of widespread disasters, but that concern is covered by choice A. Cost should not be the primary selection criterion. A cost-effective media transport service may be a consideration, but it is not the main concern.

In which of the following areas are data owners PRIMARILY responsible for establishing risk mitigation?
A. Platform security
B. Entitlement changes
C. Intrusion detection
D. Antivirus controls
Answer: B. Data owners are responsible for assigning user entitlements and approving access to the systems for which they are responsible. Platform security, intrusion detection and antivirus controls are all the responsibility of the information security manager.

Which of the following is the BEST justification to convince management to invest in an information security program?
A. Cost reduction
B. Compliance with company policies
C. Protection of business assets
D. Increased business value
Answer: D. Investing in an information security program should increase business value and confidence. Cost reduction by itself is rarely the motivator for implementing an information security program. Compliance is secondary to business value. Increasing business value may include protection of business assets.
To improve the security of an organization's human resources (HR) system, an information security manager was presented with a choice to implement either an additional packet filtering firewall or a heuristics-based intrusion detection system (IDS). How should the security manager with a limited budget choose between the two technologies?
A. Risk analysis
B. Business impact analysis (BIA)
C. Return on investment (ROI) analysis
D. Cost-benefit analysis
Answer: D. Cost-benefit analysis measures the cost of a safeguard against the benefit it provides, and it incorporates the results of risk assessment. The cost of a control should not exceed the benefit to be derived from it; the degree of control employed is a matter of good business judgment. Risk analysis identifies the risk and appropriate mitigation strategies but does not by itself choose between controls of different cost. A BIA identifies the impact of the loss of systems. ROI analysis compares the magnitude and timing of investment gains directly with the magnitude and timing of investment costs.

An organization's information security manager has been asked to hire a consultant to help assess the maturity level of the organization's information security management. What is the MOST important element of the request for proposal (RFP)?
A. References from other organizations
B. Past experience of the engagement team
C. Sample deliverable
D. Methodology to be used in the assessment
Answer: D. The methodology describes the process and forms the basis for aligning expectations with the execution of the assessment; it also shows what is required of all parties involved. References from other organizations are important, but not as important as the methodology. The past experience of the engagement team is likewise secondary. Sample deliverables only show how the assessment is presented, not how it is carried out.
An organization is implementing intrusion prevention in its demilitarized zone (DMZ). Which of the following steps is necessary to make sure that the intrusion prevention system (IPS) can view all traffic in the DMZ?
A. Ensure that intrusion prevention is placed in front of the firewall.
B. Ensure that all devices that are connected can easily see the IPS in the network.
C. Ensure that all encrypted traffic is decrypted prior to being processed by the IPS.
D. Ensure that traffic to all devices is mirrored to the IPS.
Answer: C. Encrypted traffic is opaque to an IPS, so encryption must be terminated before inspection. Terminating TLS (historically SSL) at a hardware accelerator or VPN concentrator and passing the cleartext to the IPS allows all traffic to be inspected. Placing the IPS in front of the firewall or mirroring traffic to it does not help while the traffic is still encrypted. Note that termination places cleartext on the segment between the terminating device and the IPS, so that segment itself needs protection.

Which of the following are likely to be updated MOST frequently?
A. Procedures for hardening database servers
B. Standards for password length and complexity
C. Policies addressing information security governance
D. Standards for document retention and destruction
Answer: A. Policies and standards should be relatively static and not subject to frequent change. Procedures, especially those for hardening operating systems and database servers, change constantly: as the platforms evolve, the hardening procedures must keep pace.

When performing a qualitative risk analysis, which of the following will BEST produce reliable results?
A. Estimated productivity losses
B. Possible scenarios with threats and impacts
C. Value of information assets
D. Vulnerability assessment
Answer: B. Listing all possible scenarios that could occur, along with their threats and impacts, best frames the range of risks and facilitates a more informed discussion and decision. Estimated productivity losses, the value of information assets and vulnerability assessments are not sufficient on their own.

Addressing production risks is PRIMARILY a function of:
A. release management.
B. incident management.
C. change management.
D. configuration management.
Answer: C. Change management is the overall process for assessing and controlling the risks introduced by changes. Release management is the narrower process for managing the risks of deploying to production systems. Incident management is not tied to life-cycle stages. Configuration management is the specific process for managing the risks associated with system configuration.

Which of the following requirements would have the LOWEST level of priority in information security?
A. Technical
B. Regulatory
C. Privacy
D. Business
Answer: A. Information security priorities may at times override technical specifications, which must then be rewritten to conform to minimum security standards. Regulatory and privacy requirements are government-mandated and therefore not subject to override. The needs of the business should always take precedence in deciding information security priorities.

The MOST important component of a privacy policy is:
A. notifications.
B. warranties.
C. liabilities.
D. geographic coverage.
Answer: A. A privacy policy is a high-level management statement of direction and must contain notifications and opt-out provisions. It does not necessarily address warranties, liabilities or geographic coverage, which are more specific matters.

Which of the following groups would be in the BEST position to perform a risk analysis for a business?
A. External auditors
B. A peer group within a similar business
C. Process owners
D. A specialized management consultant
Answer: C. Process owners have the most in-depth knowledge of the risks and compensating controls within their environment. External parties do not have that level of detailed knowledge of the inner workings of the business. Management consultants are expected to have the necessary skill in risk analysis techniques but are still less effective than a group with intimate knowledge of the business.

Obtaining senior management support for an information security initiative can BEST be accomplished by:
A. developing and presenting a business case.
B. defining the risk that will be addressed.
C. presenting a financial analysis of benefits.
D. aligning the initiative with organizational objectives.
Answer: A. A business case is inclusive of the other options and specifically addresses each of them: it must enumerate the risk the initiative will address (B), its value proposition covers the financial aspects of the initiative (C), and it must show how the initiative aligns with and supports organizational objectives (D).

Which of the following training mechanisms is the MOST effective means of promoting an organizational security culture?
A. Choose a subset of influential people to promote the benefits of the security program.
B. Hold structured training in small groups on an annual basis.
C. Require each employee to complete a self-paced training module once per year.
D. Deliver training to all employees across the organization via streaming video.
Answer: A. Certain people are either individually inclined or required by their positions to take a greater interest in promoting security than others. Selecting these people and offering them broad, diverse opportunities for security education lets them act as ambassadors to their respective teams and departments, producing a gradual but significant shift of the organizational culture toward security. Structured training rarely aligns with the interests of individual employees chosen at random to fill a small-group session (B). Computer-based training is a common approach to annual awareness, but there is little evidence that employees retain the information or adopt it into their regular activities (C). Streaming-video "webinars" are among the least effective means of presenting information, requiring very little interaction from end users (D).

Data owners are PRIMARILY responsible for:
A. providing access to systems.
B. approving access to systems.
C. establishing authorization and authentication.
D. handling identity management.
Answer: B. Approving access to systems is the only answer that fits: providing access and establishing authorization and authentication (A and C) are the work of data custodians, and identity management (D) is the work of the information security staff.

Which of the following are the MOST important individuals to include as members of an information security steering committee?
A. Direct reports to the chief information officer
B. IT management and key business process owners
C. Cross-section of end users and IT professionals
D. Internal audit and corporate legal departments
Answer: B. Security steering committees provide a forum for management to express its opinion and take some ownership of the decision-making process. It is imperative that business process owners be included. None of the other choices includes business process owners.

Which one of the following measures will BEST indicate the effectiveness of an incident response process?
A. Number of open incidents
B. Reduction of the number of security incidents
C. Reduction of the average response time to an incident
D. Number of incidents handled per month
Answer: C. Of the measures listed, the best indicator of incident response effectiveness is a reduction in the average response time, because faster response limits the impact of an incident. The number of open incidents is not an indicator of effectiveness, since the team has no direct control over how many incidents it must handle at any given time. A reduction in the number of security incidents generally cannot be attributed to the response team; it reflects improved controls. The number of incidents handled per month is not a direct indicator of team effectiveness either.

The BEST way to obtain senior management commitment and support for information security investments is to:
A. link security risk to organization business objectives.
B. explain the technical risk to the organization.
C. include industry best practices as they relate to information security.
D. detail successful attacks against a competitor.
Answer: A. Senior management seeks to understand the business justification for investing in security, and support is best obtained by linking security to key business objectives. Management will not be as interested in technical risk or in examples of successful attacks against a competitor unless these are linked to the impact on the business environment and objectives. Industry best practices matter to senior management, but they are given the right level of importance only when presented in terms of key business objectives.

When securing wireless access points, which of the following controls would BEST assure confidentiality?
A. Implementing wireless intrusion prevention systems
B. Not broadcasting the service set identifier (SSID)
C. Implementing wired equivalent privacy (WEP) authentication
D. Enforcing a virtual private network (VPN) over wireless
Answer: D. Enforcing a VPN over wireless is the best option because it provides strong authentication and encryption of the sessions independently of the wireless link. A wireless intrusion prevention system detects and disrupts rogue devices, but it cannot stop passive sniffing of radio traffic. Not broadcasting the SSID does not reduce the risk of wireless packets being captured. WEP is cryptographically broken: its shared-key authentication exposes RC4 keystream to an eavesdropper and its encryption can be recovered, so it does not protect confidentiality.

Who should PRIMARILY provide direction on the impact of new regulatory requirements that may lead to major application system changes?
A. The internal audit department
B. System developers/analysts
C. Key business process owners
D. Corporate legal counsel
Answer: C. Business process owners are in the best position to understand how new regulatory requirements affect their systems. Legal counsel, system developers/analysts and internal auditors are not in as good a position to understand all the ramifications.

Which of the following choices will MOST influence how the information security program will be designed and implemented?
A. Type and nature of risk
B. Organizational culture
C. Overall business objectives
D. Lines of business
Answer: B. The organizational culture largely determines risk appetite and risk tolerance, which in turn have significant influence over how an information security program should be designed and implemented. The specific risk faced by the organization affects the program, but how that risk is perceived and dealt with depends on the culture (A). Business objectives and lines of business determine the specific kinds of risk to be addressed, but do not greatly influence the actual program development and implementation (C, D).

The relationship between policies and corporate standards can BEST be described by which of the following associations?
A. Standards and policies have only an indirect relationship.
B. Standards provide a detailed description of the meaning of a policy.
C. Standards provide direction on achieving compliance with policy intent.
D. Standards can exist without a relationship to any particular policy.
Answer: C. Corporate standards set the allowable limits and boundaries for people, processes and technology as an expression of policy intent, and therefore provide direction on policy compliance. In most cases there is a direct relationship between policy and corporate standards (A). Standards generally do not explain the meaning of a policy; they define the acceptable limits needed to comply with its intent (B). It would be poor practice to have corporate standards that do not express the intent of a particular policy; where such standards exist, they should at least reflect an implicit policy (D).

Which one of the following factors of a risk assessment typically involves the GREATEST amount of speculation?
A. Exposure
B. Impact
C. Vulnerability
D. Likelihood
Answer: D. The likelihood of a threat encountering an exploitable vulnerability can only be estimated statistically. Exposure, impact and vulnerability can be determined within a range.

Which of the following is a key component of an incident response policy?
A. Updated call trees
B. Escalation criteria
C. Press release templates
D. Critical backup files inventory
Answer: B. Escalation criteria, indicating the circumstances under which specific actions are to be undertaken, belong in an incident response policy. Telephone trees, press release templates and lists of critical backup files are too detailed for a policy document and belong in procedures and plans.

The MOST complete business case for security solutions is one that:
A. includes appropriate justification.
B. explains the current risk profile.
C. details regulatory requirements.
D. identifies incidents and losses.
Answer: A. Management is primarily interested in security solutions that address risk in the most cost-effective way. To address the needs of the organization, a business case should justify appropriate security solutions in line with the organizational strategy; the risk profile, regulatory requirements and incident history are inputs to that justification rather than the justification itself.

What is the MOST essential attribute of an effective key risk indicator (KRI)?
A. The KRI is accurate and reliable.
B. The KRI provides quantitative metrics.
C. The KRI indicates required action.
D. The KRI is predictive of a risk event.
Answer: D. A KRI should indicate that a risk is developing or changing, showing that investigation is needed to determine the nature and extent of the risk. KRIs are usually early indicators that risk is developing and typically are neither accurate nor reliable in the sense of measuring the actual risk (A). They typically do not provide quantitative metrics about risk (B), and they do not indicate any particular required action other than to investigate further (C).

Which of the following is MOST effective in protecting against the attack technique known as phishing?
A. Firewall blocking rules
B. Up-to-date signature files
C. Security awareness training
D. Intrusion detection monitoring
Answer: C. Phishing relies on social engineering. Good security awareness training best reduces the likelihood of such an attack succeeding. Firewall rules, signature files and intrusion detection system (IDS) monitoring will be largely unsuccessful at blocking this kind of attack, because the target is the user rather than a technical flaw.

The acceptability of a partial system recovery after a security incident is MOST likely to be based on the:
A. ability to resume normal operations.
B. maximum tolerable outage (MTO).
C. service delivery objective (SDO).
D. acceptable interruption window (AIW).
Answer: C. The SDO is the predetermined acceptable level of operation in the event of an outage. It may be set below normal operating levels, but high enough to sustain essential business functions. The ability to resume normal operations is situational and is not a standard for acceptability. The MTO and the AIW, among many other factors, feed into the SDO, but neither by itself addresses the acceptability of a specific level of operational recovery.

Which of the following presents the GREATEST exposure to internal attack on a network?
A. User passwords are not automatically expired
B. All network traffic goes through a single switch
C. User passwords are encoded but not encrypted
D. All users reside on a single internal subnet
Answer: C. Encoding (for example Base64 or URL encoding) is a reversible transformation, not a cryptographic protection: passwords sent over the internal network in an encoded form can be converted back to cleartext by anyone able to capture the traffic. All passwords should be protected by encryption in transit. Not automatically expiring user passwords does create an exposure, but not as great as sending passwords effectively in the clear. Using a single switch or subnet does not present a significant exposure.
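The wireless question above states that WEP authentication is weak and does not protect confidentiality. The following Python script is an added example, not part of the test bank, showing why: WEP shared-key authentication sends a cleartext challenge and its RC4-encrypted response over the air, so an eavesdropper obtains keystream for that IV and can both decrypt any later frame that reuses the IV and forge an authentication response without ever knowing the key. The 40-bit key, the 24-bit IV, the challenge, the data frame and the RC4 routine are all constructed here; the real protocol's 802.11 framing and CRC-32 ICV are omitted, as they do not change the weakness.

```python
"""Why WEP shared-key authentication leaks keystream (simplified model, added example).

Assumptions (not from the test bank): a 40-bit WEP key, a 24-bit IV chosen by the
station, RC4 seeded with IV || key, and no ICV or 802.11 headers.
"""

WEP_KEY = bytes.fromhex("0badc0ffee")   # constructed 40-bit shared key
IV = bytes.fromhex("a1b2c3")            # constructed 24-bit IV, reused by the station


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling followed by keystream XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    """WEP seeds RC4 with IV || key and transmits the IV in the clear."""
    return iv, rc4(iv + key, plaintext)


# --- Legitimate shared-key authentication, visible to an eavesdropper ----------
def station_auth_response(challenge: bytes) -> tuple[bytes, bytes]:
    """The station proves key possession by returning the challenge encrypted under WEP."""
    return wep_encrypt(WEP_KEY, IV, challenge)


def ap_verify(challenge: bytes, iv: bytes, response: bytes) -> bool:
    """The AP accepts if the response decrypts to the challenge it sent."""
    return rc4(iv + WEP_KEY, response) == challenge


# --- What the eavesdropper does with the captured exchange ---------------------
def recover_keystream(challenge: bytes, response: bytes) -> bytes:
    """Challenge (cleartext) XOR response (ciphertext) is the RC4 keystream for this IV."""
    return xor(challenge, response)


def decrypt_with_keystream(keystream: bytes, ciphertext: bytes) -> bytes:
    """Any later frame under the same IV is just keystream XOR plaintext."""
    if len(ciphertext) > len(keystream):
        raise ValueError("captured keystream shorter than frame")
    return xor(keystream, ciphertext)


def forge_auth_response(keystream: bytes, new_challenge: bytes) -> tuple[bytes, bytes]:
    """Authenticate without the key by reusing the captured IV and keystream."""
    return IV, xor(keystream, new_challenge)


def demo() -> dict:
    # Constructed 128-byte challenge; real APs use a random one, which changes nothing here.
    challenge = bytes(range(128))
    iv, response = station_auth_response(challenge)
    assert ap_verify(challenge, iv, response)

    keystream = recover_keystream(challenge, response)

    # A later data frame reuses the IV (24-bit IVs wrap quickly on a busy network).
    secret = b"payroll export: alice, salary=91000"
    _, frame_ct = wep_encrypt(WEP_KEY, IV, secret)
    recovered = decrypt_with_keystream(keystream, frame_ct)

    # The attacker also answers a fresh challenge from the AP without the key.
    fresh_challenge = bytes(range(127, -1, -1))
    forged_iv, forged = forge_auth_response(keystream, fresh_challenge)
    forged_ok = ap_verify(fresh_challenge, forged_iv, forged)

    return {"recovered": recovered, "forged_auth_accepted": forged_ok}


if __name__ == "__main__":
    result = demo()
    print(result["recovered"].decode())
    print("forged authentication accepted:", result["forged_auth_accepted"])
```

A VPN over the wireless link (the correct answer) sidesteps this entirely: the tunnel's keys are negotiated per session rather than derived from a static key and a 24-bit IV, so captured keystream cannot be replayed against later traffic.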
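The "encoded but not encrypted" question above turns on the difference between encoding and encryption. The following Python script is an added example, not part of the test bank: it scans a few constructed HTTP requests, of the kind an insider could capture on an internal LAN that carries no TLS, and recovers credentials from a Base64 Basic-Authorization header and a URL-encoded login form. The request lines, host names and credentials are all made up.

```python
"""Recover 'encoded but not encrypted' credentials from captured HTTP (added example)."""
import base64
import binascii
import re
from urllib.parse import parse_qs

# Constructed sample traffic: three requests as they would appear in a capture of an
# internal HTTP session without TLS. Names and secrets are invented.
CAPTURED_REQUESTS = [
    "GET /hr/payroll HTTP/1.1\r\nHost: hr.internal\r\n"
    "Authorization: Basic YWxpY2U6UGFzc3cwcmQh\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: intranet.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=bob&password=S3cret%21",
    "GET /status HTTP/1.1\r\nHost: intranet.internal\r\n"
    "Authorization: Bearer not-base64-!!\r\n\r\n",
]

BASIC_RE = re.compile(
    r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.IGNORECASE | re.MULTILINE
)
PASSWORD_FIELDS = ("password", "passwd", "pwd")
USER_FIELDS = ("user", "username", "login")


def decode_basic(token: str):
    """Base64 is a reversible encoding: one library call returns the cleartext pair.

    Returns (user, password) or None when the token is not valid Basic material.
    """
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def recover_credentials(requests: list[str]) -> list[tuple[str, str, str]]:
    """Return (source, user, password) for every credential visible in the capture."""
    found = []
    for req in requests:
        head, _, body = req.partition("\r\n\r\n")
        for match in BASIC_RE.finditer(head):
            creds = decode_basic(match.group(1))
            if creds:
                found.append(("basic", creds[0], creds[1]))
        # URL encoding is likewise reversible; parse_qs undoes it in one step.
        if "application/x-www-form-urlencoded" in head.lower() and body:
            fields = parse_qs(body)
            user = next((fields[f][0] for f in USER_FIELDS if f in fields), "?")
            for field in PASSWORD_FIELDS:
                for password in fields.get(field, []):
                    found.append(("form", user, password))
    return found


if __name__ == "__main__":
    for source, user, password in recover_credentials(CAPTURED_REQUESTS):
        print(f"{source:5s} {user!r} -> {password!r}")
```

The decode is a single standard-library call in each case, which is the whole point of the question: encoding only changes representation. The fix is encryption in transit (TLS for the HTTP session, or a VPN on the internal segment), not a different encoding.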
Which of the following is the MOST important aspect that needs to be considered from a security perspective when payroll processes are outsourced to an external service provider?
A. A cost-benefit analysis has been completed.
B. Privacy requirements are met.
C. The service provider ensures a secure data transfer.
D. No significant security incident occurred at the service provider.
Answer: B. Applicable privacy requirements may be a matter of law or policy and must be considered when outsourcing processes that involve personal information. A cost-benefit analysis should be undertaken from a business perspective, not a security perspective. Secure data transfer may be necessary, but it is only one of many privacy and security issues to consider. Past incidents do not necessarily reflect the provider's current security posture, nor the applicable security requirements.

Which of the following BEST supports continuous improvement of the risk management process?
A. Regular review of risk treatment options
B. Classification of assets in order of criticality
C. Adoption of a maturity model
D. Integration of assurance functions
Answer: C. A maturity model such as the capability maturity model (CMM) classifies an organization's process as initial, repeatable, defined, managed or optimized, so the organization can see where it stands and work toward the optimized state. Risk treatment is only one element of the risk management process; risk identification, communication and acceptance also need to be considered (A). Classification of assets is important but is likewise a single element and is not sufficient to ensure continuous improvement (B). Integrating assurance functions has many benefits, but it is not a holistic approach: even the best assurance functions are reactive if risk management does not cascade through the entire organization, and the entire staff, not only the assurance functions, must be risk conscious (D).

Who would be the PRIMARY user of metrics regarding the number of email messages quarantined due to virus infection versus the number of infected email messages that were not caught?
A. The security steering committee
B. The board of directors
C. IT managers
D. The information security manager
Answer: D. Metrics support decisions. The number of email messages blocked due to viruses would not on its own be actionable information for senior management (A and B) or for IT management (C). Information about the effectiveness of the email antivirus control is most useful to the information security manager and staff, who can use it to investigate why the control is not performing as expected and whether other factors contribute to its failure. The information security manager can then use these metrics, together with data collected during the investigation, to support decisions to alter processes or to add or change controls.

Which of the following is the MOST effective way to measure strategic alignment of an information security program?
A. Survey business stakeholders
B. Track audits over time
C. Evaluate incident losses
D. Analyze business cases
Answer: A. The best indicator of strategic alignment is the opinion of the business stakeholders, and the best way to obtain it is to ask them. The other choices have no direct correlation with how well the information security program supports business goals and objectives.

Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following?
A. Tree diagrams
B. Venn diagrams
C. Heat charts
D. Bar charts
Answer: C. Heat charts, sometimes referred to as stoplight charts, quickly and clearly show the current status of remediation efforts. Venn diagrams show the relationship between sets, tree diagrams are useful for decision analysis, and bar charts show relative size.

Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?
A. To mitigate technical risks
B. To have an independent certification of network security
C. To receive an independent view of security exposures
D. To identify a complete list of vulnerabilities
Answer: C. Even if the organization can perform penetration testing with internal resources, third-party testing should be performed to gain an independent view of the security exposure. Mitigating technical risks is not a direct result of a penetration test. A penetration test does not certify network security, and because it is time-boxed and goal-driven it does not produce a complete list of vulnerabilities.

The MOST effective approach to ensure the continued effectiveness of information security controls is by:
A. ensuring inherent control strength.
B. ensuring strategic alignment.
C. utilizing effective life cycle management.
D. utilizing effective change management.
Answer: C. Managing controls over their life cycle allows the organization to compensate for the decrease in effectiveness that occurs over time. Inherent strength does not prevent a control from degrading. Strategic alignment helps identify the life-cycle stages of controls but by itself does not address degradation. Change management strongly supports life cycle management but does not by itself cover the complete cycle.

Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application?
A. User security procedures
B. Business process flow
C. IT security standards
D. Regulatory requirements
Answer: C. IT management should ensure that mechanisms are implemented in line with IT security standards. Procedures are derived from policy; a user security procedure does not describe the access control mechanism in place. The business process flow is not relevant to the access control mechanism. The organization's own policy and standards should already take regulatory requirements into account.

The IT function has declared that it is not necessary to update the business impact analysis (BIA) when putting a new application into production because it does not produce modifications in the business processes. The information security manager should:
A. verify the decision with the business units.
B. check the system's risk analysis.
C. recommend an update after postimplementation review.
D. request an audit review.
Answer: A. It is not the IT function's responsibility to decide whether a new application modifies business processes, so the decision should be verified with the business units. Checking the system's risk analysis (B) does not consider the application's effect on business processes. Choices C and D delay the update.

Information security governance is PRIMARILY driven by:
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.
Answer: D. Governance is directly tied to the strategy and direction of the business. Technology constraints, regulatory requirements and litigation potential are all important factors, but they must be addressed in line with the business strategy.

The FIRST step in developing an information security management program is to:
A. identify business risk that affects the organization.
B. establish the need for creating the program.
C. assign responsibility for the program.
D. assess adequacy of existing controls.
Answer: B. The first step in developing an information security management program is to establish the need for creating it. This is a business decision based more on judgment than on any specific quantitative measure. Once the need is established, the other steps follow.

A privacy statement on a company's e-commerce web site should include:
A. a statement regarding what the company will do with the information it collects.
B. a disclaimer regarding the accuracy of information on its web site.
C. technical information regarding how information is protected.
D. a statement regarding where the information is being hosted.
Answer: A. Most privacy laws and regulations require disclosure of how collected information will be used. A disclaimer about accuracy does not relate to data privacy. Technical details about how information is protected are not required on the web site and would in fact be undesirable to publish. It is not mandatory to say where information is hosted.

What are the essential elements of risk?
A. Impact and threat
B. Likelihood and consequence
C. Threat and exposure
D. Sensitivity and exposure
Answer: B. Risk is the combination of the probability of an event and its consequence (ISO/IEC Guide 73); the probability of an event is that of a threat exploiting a vulnerability. A threat is an element of risk only in combination with a vulnerability (A). Threat and exposure are insufficient to determine risk (C). Sensitivity is a measure of consequence but does not take probability into account, and exposure moderates risk but is not in itself a component of it (D).

From an information security manager's perspective, what is the immediate benefit of clearly defined roles and responsibilities?
A. Enhanced policy compliance
B. Improved procedure flows
C. Segregation of duties
D. Better accountability
Answer: D. Without well-defined roles and responsibilities there can be no accountability. Policy compliance requires adequately defined accountability first and is therefore a by-product (A). People can be assigned to execute procedures that are not well designed (B). Segregation of duties is not automatic; defined roles may still include conflicting duties (C).

What action should the security manager take FIRST when incident reports from different organizational units are inconsistent and highly inaccurate?
A. Ensure that a clear organizational incident definition and severity hierarchy exists.
B. Initiate a companywide incident identification training and awareness program.
C. Escalate the issue to the security steering committee for appropriate action.
D. Involve human resources (HR) in implementing a reporting enforcement program.
Answer: A. The first action is to validate that clear incident definitions and severity criteria are established and communicated throughout the organization. A training program (B) will not be effective until those criteria exist. The steering committee (C) may become involved after the criteria have been established and communicated. Enforcement activities (D) will likewise be ineffective without clearly established and communicated criteria.
What is the BIGGEST concern for an information security manager reviewing firewall rules? Select an answer: A. The firewall allows source routing. B. The firewall allows broadcast propagation. C. The firewall allows unregistered ports. D. The firewall allows nonstandard protocols.>>> You are correct, the answer is A. If the firewall allows source routing, any outsider can carry out spoofing attacks by stealing the internal (private) IP addresses of the organization. Broadcast propagation, unregistered ports and nonstandard protocols do not create a significant security exposure. Which of the following is the MOST important reason for an information security review of contracts? Select an answer: A. To help ensure the parties to the agreement can perform B. To help ensure confidential data are not included in the agreement C. To help ensure appropriate controls are included D. To help ensure the right to audit is a requirement>>> You answered D. The correct answer is C. Agreements with external parties can expose an organization to information security risks that must be assessed and appropriately mitigated. The ability of the parties to perform is normally the responsibility of legal and the business operation involved. Confidential information may be in the agreement by necessity and, while the information security manager can advise and provide approaches to protect the information, the responsibility rests with the business and legal. Audit rights may be one of many possible controls to include in a third-party agreement, but is not necessarily a contract requirement, depending on the nature of the agreement. Logging is an example of which type of defense against systems compromise? Select an answer: A. Containment B. Detection C. Reaction D. Recovery>>> You are correct, the answer is B. Detection defenses include logging as well as monitoring, measuring, auditing, detecting viruses and intrusion. 
Examples of containment defenses are awareness, training and physical security defenses. Examples of reaction defenses are incident response, policy and procedure change, and control enhancement. Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans. Which of the following would be the MOST important goal of an information security governance program? Select an answer: A. Review of internal control mechanisms B. Effective involvement in business decision making C. Total elimination of risk factors D. Ensuring trust in data>>> You answered B. The correct answer is D. The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance. Review of internal control mechanisms relates more to auditing, while the total elimination of risk factors is not practical or possible. Proactive involvement in business decision making implies that security needs dictate business needs when, in fact, just the opposite is true. Involvement in decision making is important only to ensure business data integrity so that data can be trusted. Which of the following is the FIRST step after the intrusion detection system (IDS) sends out an alert about a possible attack? Select an answer: A. Assess the type and severity of the attack. B. Determine whether it is an actual incident. C. Contain the damage to minimize the risk. D. Minimize the disruption of computer resources.>>> You are correct, the answer is B. A. The type and severity of the attack should be studied once it is concluded that the incident is valid. B. An administrator conducting regular maintenance activities may trigger a false- positive alarm from the IDS. One must validate a real incident before taking any action. C. Damage should be contained and risk minimized after confirming a valid incident, thus discovering the type and severity of the attack. D. 
One of the goals of incident response is to minimize the disruption of computer resources. Which of the following devices should be placed within a demilitarized zone (DMZ)? Select an answer: A. Network switch B. Web server C. Database server D. File/print server>>> You are correct, the answer is B. A web server should normally be placed within a demilitarized zone (DMZ) to shield the internal network. Database and file/print servers may contain confidential or valuable data and should always be placed on the internal network, never on a DMZ that is subject to compromise. Switches may bridge a DMZ to another network but do not technically reside within the DMZ network segment. Which of the following BEST protects confidentiality of information? Select an answer: A. Information classification B. Segregation of duties C. Least privilege D. Systems monitoring>>> You answered A. The correct answer is C. A. While classifying information can help focus the assignment of privileges, classification itself does not provide enforcement. B. Only in very specific situations does segregation of duties safeguard confidentiality of information. C. Restricting access to information to those who need to have access is the most effective means of protecting confidentiality. D. Systems monitoring is a detective control rather than a preventive control. What is the MOST cost-effective method of identifying new vendor vulnerabilities? Select an answer: A. External vulnerability reporting sources B. Periodic vulnerability assessments performed by consultants C. Intrusion prevention software D. Honeypots located in the DMZ>>> You are correct, the answer is A. External vulnerability sources are going to be the most cost-effective method of identifying these vulnerabilities. The cost involved in choices B and C would be much higher, especially if performed at regular intervals. Honeypots would not identify all vendor vulnerabilities. 
In addition, honeypots located in the DMZ can create a security risk if the production network is not well protected from traffic from compromised honeypots. Which one of the following measures will BEST indicate the effectiveness of an incident response process? Select an answer: A. Number of open incidents B. Reduction of the number of security incidents C. Reduction of the average response time to an incident D. Number of incidents handled per month>>> You are correct, the answer is C. Of the list provided, the best measure of incident response effectiveness is the reduction of average response time to an incident. Reduction of response time helps minimize the impact of the incident. The total number of open incidents is not an indicator of incident response effectiveness because the team does not have direct control over the number of incidents it must handle at any given time. Reduction of the number of security incidents generally cannot be attributed to the effectiveness of the response team, but rather to improved controls. The number of incidents handled per month would not be a direct indicator of team effectiveness. What is the MOST important factor in the successful implementation of an enterprisewide information security program? Select an answer: A. Realistic budget estimates B. Security awareness C. Support of senior management D. Recalculation of the work factor>>> You are correct, the answer is C. Without the support of senior management, an information security program has little chance of survival. A company's leadership group, more than any other group, will more successfully drive the program. Their authoritative position in the company is a key factor. Budget approval, resource commitments, and companywide participation also require the buy-in from senior management. Senior management is responsible for providing an adequate budget and the necessary resources. Security awareness is important, but not the most important factor. 
Recalculation of the work factor is a part of risk management. An organization's IT change management process requires that all change requests be approved by the asset owner and the information security manager. The PRIMARY objective of getting the information security manager's approval is to ensure that: Select an answer: A. changes comply with security policy. B. risk from proposed changes is managed. C. rollback to a current status has been considered. D. changes are initiated by business managers.>>> You answered A. The correct answer is B. A. A change affecting a security policy is not handled by an IT change process. B. Changes in the IT infrastructure may have an impact on existing risk. An information security manager must ensure that the proposed changes do not adversely affect the security posture. C. Rollback to a current state may cause a security risk event and is normally part of change management, but is not the primary reason that security is involved in the review. D. The person who initiates a change has no effect on the person who reviews and authorizes an actual change. The MOST important purpose of implementing an incident response plan is to: Select an answer: A. prevent the occurrence of incidents. B. ensure business continuity. C. train users on resolution of incidents. D. promote business resiliency.>>> You answered B. The correct answer is D. A. The incident response plan is a means to respond to an event, but does not prevent the occurrence. B. Business continuity plans (BCPs), not incident response plans, are designed to restore business operations after a disaster; they cannot assure the actual outcome. C. The incident management plan may address training users, but the incident response plan does not. D. Business resilience refers to the ability of the business to withstand disruption. 
An effective incident response plan minimizes the impact of an incident to the level that it ideally is transparent to end users and business partners. Which one of the following groups has final responsibility for the effectiveness of security controls? Select an answer: A. The security administrator who implemented the controls B. The organization's chief information security officer (CISO) C. The organization's senior management D. The information systems (IS) auditor who recommended the controls>>> You are correct, the answer is C. Senior management holds ultimate responsibility for the effectiveness of security controls. Which of the following factors will MOST affect the extent to which controls should be layered? Select an answer: A. The extent to which controls are procedural B. The extent to which controls are subject to the same threat C. The total cost of ownership for existing controls D. The extent to which controls fail in a closed condition>>> You answered A. The correct answer is B. To manage the aggregate risk of total risk, common failure modes in existing controls must be addressed by adding or modifying controls so that they fail under different conditions. Whether controls are procedural or technical will not affect layering requirements. Excessive total cost of ownership is unlikely to be reduced by adding additional controls. Controls that fail in a closed condition pose a risk to availability, whereas controls that fail in an open condition may require additional control layers to prevent compromise. What is the PRIMARY focus if an organization considers taking legal action on a security incident? Select an answer: A. Obtaining evidence as soon as possible B. Preserving the integrity of the evidence C. Disconnecting all IT equipment involved D. Reconstructing the sequence of events>>> You are correct, the answer is B. 
The integrity of evidence should be kept, following the appropriate forensic techniques to obtain the evidence and a chain of custody procedure to maintain the evidence (in order to be accepted in a court of law). All other options are part of the investigative procedure, but they are not as important as preserving the integrity of the evidence. The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to: Select an answer: A. change the root password of the system. B. implement multifactor authentication. C. rebuild the system from the original installation medium. D. disconnect the mail server from the network.>>> You are correct, the answer is C. Rebuilding the system from the original installation medium is the only way to ensure all security vulnerabilities and potential stealth malicious programs have been destroyed. Changing the root password of the system does not ensure the integrity of the mail server. Implementing multifactor authentication is an aftermeasure and does not clear existing security threats. Disconnecting the mail server from the network is an initial step, but does not guarantee security. From an information security manager perspective, what is the immediate benefit of clearly-defined roles and responsibilities? Select an answer: A. Enhanced policy compliance B. Improved procedure flows C. Segregation of duties D. Better accountability>>> You are correct, the answer is D. Without well-defined roles and responsibilities, there cannot be accountability. Choice A is incorrect because policy compliance requires adequately defined accountability first and therefore is a byproduct. Choice B is incorrect because people can be assigned to execute procedures that are not well designed. Choice C is incorrect because segregation of duties is not automatic, and roles may still include conflicting duties. 
An information security manager is in the process of investigating a network intrusion. One of the enterprise's employees is a suspect. The manager has just obtained the suspect's computer and hard drive. Which of the following is the BEST next step? Select an answer: A. Create an image of the hard drive. B. Encrypt the data on the hard drive. C. Examine the original hard drive. D. Create a logical copy of the hard drive.>>> You are correct, the answer is A. One of the first steps in an investigation is to create an image of the original hard drive. A physical copy will copy the data, block by block, including any hidden data blocks and hidden partitions that can be used to conceal evidence. Encryption is not required. Examining the hard drive is not good practice. A logical copy will only copy the files and folders and may not copy the necessary data to properly examine the hard drive for forensic evidence. Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee? Select an answer: A. Security compliant servers trend report B. Percentage of security compliant servers C. Number of security patches applied D. Security patches applied trend report>>> You are correct, the answer is A. The percentage of compliant servers will be a relevant indicator of the risk exposure of the infrastructure. However, the percentage is less relevant than the overall trend, which would provide a measurement of the efficiency of the IT security program. The number of patches applied would be less relevant, as this would depend on the number of vulnerabilities identified and patches provided by vendors. Which of the following elements are the MOST essential to develop an information security strategy? Select an answer: A. Complete policies and standards B. An appropriate governance framework C. Current state and objectives D. Management intent and direction>>> You answered D. The correct answer is C. A. 
Policies and standards are some of the primary tools to implement a strategy and are subsequent steps in the process. B. Implementing the information security strategy is the activity that populates or develops the governance framework. C. Because a strategy is essentially a plan to achieve an objective, it is essential to know the current state of information security and the desired future state or objectives. D. Management intent and direction is essential to developing objectives; the current state is also required. Which of the following is the BEST way to erase confidential information stored on magnetic tapes? Select an answer: A. Performing a low-level format B. Rewriting with zeros C. Burning them D. Degaussing them>>> You are correct, the answer is D. Degaussing the magnetic tapes would best dispose of confidential information since information is completely destroyed due to the magnetic effect of the degaussing process. Performing a low-level format and rewriting with zeros may still help, but some forensic tools can be used to retrieve information. Rewriting with zeros is dependent on the procedure used. Burning destroys the tapes and does not allow their reuse. Which of the following is the MAIN reason for performing risk assessment on a continuous basis? Select an answer: A. Justification of the security budget must be continually made. B. New vulnerabilities are discovered every day. C. The risk environment is constantly changing. D. Management needs to be continually informed about emerging risks.>>> You are correct, the answer is C. The risk environment is impacted by factors such as changes in technology, and business strategy. These changes introduce new threats and vulnerabilities to the organization. As a result, risk assessment should be performed continuously. Justification of a budget should never be the main reason for performing a risk assessment. New vulnerabilities should be managed through a patch management process. 
Informing management about emerging risks is important, but is not the main driver for determining when a risk assessment should be performed. A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that: Select an answer: A. it simulates the real-life situation of an external security attack. B. human intervention is not required for this type of test. C. less time is spent on reconnaissance and information gathering. D. critical infrastructure information is not revealed to the tester.>>> You are correct, the answer is C. Data and information required for penetration are shared with the testers, thus eliminating time that would otherwise have been spent on reconnaissance and gathering of information. Blind (black box) penetration testing is closer to real life than full disclosure (white box) testing. There is no evidence to support that human intervention is not required for this type of test. A full disclosure (white box) methodology requires the knowledge of the subject being tested. Which of the following is the BEST indicator of the level of acceptable risk in an organization? Select an answer: A. The proportion of identified risk that has been remediated B. The ratio of business insurance coverage to its cost C. The percentage of the IT budget allocated to security D. The percentage of assets that has been classified>>> You answered A. The correct answer is B. A. The proportion of unremediated risk may be an indicator, but there are many other factors unrelated to acceptable risk such as treatment feasibility, availability of controls, etc. B. The amount of business insurance coverage carried and the cost provide a directly quantifiable indication of the level of risk the organization will accept and at what cost. C. The percentage of the IT budget allocated to security is an indicator, but does not quantify acceptable levels of risk. D. 
Classifying assets will indicate which assets are more important than others, but does not quantify the acceptability of risk. Which web application attack facilitates unauthorized access to a database? Select an answer: A. Cross site request forgery B. Structured Query Language (SQL) injection C. Metasploit D. Cross site scripting>>> You are correct, the answer is B. SQL injection is a vulnerability that enables an attacker to execute commands through the web application, directly into the database. By accessing the database, data can potentially be read and altered. Cross site request forgery and cross site scripting attacks occur in the victim's web browser and have no access to database data. Metasploit is an exploit development suite that could allow access to a database by using one of its buffer overflow attacks, but this would not be a web application layer attack. Which of the following is an advantage of a centralized information security organizational structure? Select an answer: A. It is easier to promote security awareness. B. It is easier to manage and control. C. It is more responsive to business unit needs. D. It provides a faster turnaround for security requests.>>> You are correct, the answer is B. It is easier to manage and control a centralized structure. Promoting security awareness is an advantage of decentralization. Decentralization allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. Decentralized operations allow security administrators to be more responsive. Being close to the business allows decentralized security administrators to achieve a faster turnaround than that achieved in a centralized operation. Which of the following is the BEST way to verify that all critical production servers are utilizing up-to-date virus signature files? Select an answer: A. Verify the date that signature files were last pushed out B. 
Use a recently identified benign virus to test if it is quarantined C. Research the most recent signature file and compare to the console D. Check a sample of servers that the signature files are current>>> You answered A. The correct answer is D. The only accurate way to check the signature files is to look at a sample of servers. The fact that an update was pushed out to a server does not guarantee that it was properly loaded onto that server. Checking the vendor information to the management console would still not be indicative as to whether the file was properly loaded on the server. Personnel should never release a virus, no matter how benign. A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take? Select an answer: A. Enforce the existing security standard B. Change the standard to permit the deployment C. Perform a risk analysis to quantify the risk D. Perform research to propose use of a better technology>>> You are correct, the answer is C. Resolving conflicts of this type should be based on a sound risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. A blanket decision should never be given without conducting such an analysis. Enforcing existing standards is a good practice; however, standards need to be continuously examined in light of new technologies and the risks they present. Standards should not be changed without an appropriate risk assessment. IT-related risk management activities are MOST effective when they are: Select an answer: A. treated as a distinct process. B. conducted by the IT department. C. integrated within business processes. D. communicated to all employees.>>> You are correct, the answer is C. IT-related risk management activities are more likely to be executed as part of a business process. 
The scope of IT-related risk management encompasses more than IT processes. Communication alone does not necessarily correlate with successful execution of the process. Which of the following BEST defines the relationships among security technologies? Select an answer: A. Security metrics B. Network topology C. Security architecture D. Process improvement models>>> You are correct, the answer is C. Security architecture explains the use and relationships of security mechanisms. Security metrics measure improvement within the security practice but do not explain the use and relationships of security technologies. Process improvement models and network topology diagrams also do not describe the use and relationships of these technologies. Which of the following is generally considered a fundamental component of an information security program? Select an answer: A. Role-based access control systems B. Automated access provisioning C. Security awareness training D. Intrusion prevention systems (IPSs)>>> You answered A. The correct answer is C. Without security awareness training, many components of the security program may not be effectively implemented. The other options may or may not be necessary, but are discretionary. After a service interruption of a critical system, the incident response team finds that it needs to activate the warm recovery site. Discovering that throughput is only half of the primary site, the team nevertheless notifies management that it has restored the critical system. This is MOST likely because it has achieved the: Select an answer: A. recovery point objective (RPO). B. recovery time objective (RTO). C. service delivery objective (SDO). D. maximum tolerable outage (MTO).>>> You answered B. The correct answer is C. A. The RPO is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. 
The RPO effectively quantifies the permissible amount of data loss in case of interruption. B. The RTO is the target time to restore services to either the SDO or normal operations. C. The SDO is the agreed-on level of service required to resume acceptable operations. D. MTO is the maximum length of time that the organization can operate at the recovery site. Which of the following is the MOST critical consideration when collecting and preserving admissible evidence during an incident response? Select an answer: A. Unplugging the systems B. Chain of custody C. Separation of duties D. Clock synchronization>>> You answered A. The correct answer is B. Admissible evidence must be collected and preserved by "chain of custody." Unplugging the systems can cause potential loss of information critical to the investigation. Separation of duties is not necessary in evidence collection and preservation since the entire process can be done by a single person. Clock synchronization is not as important for the collection and preservation of admissible evidence. The BEST defense against successful phishing attacks is: Select an answer: A. application hardening. B. spam filters. C. an intrusion detection system (IDS). D. end user awareness.>>> You are correct, the answer is D. Phishing attacks are due to social engineering attacks and are best defended by user awareness training. Application hardening, spam filters and IDSs are inadequate since the phishing attacks usually don't have the same patterns or unique signatures. Which of the following is MOST likely to improve the effectiveness of the incident response team? Select an answer: A. Briefing team members on the nature of new threats to IS security B. Periodic testing and updates to incorporate lessons learned C. Ensuring that all members have a good understanding of IS technology D. A nonhierarchical structure to ensure that team members can share ideas>>> You are correct, the answer is B. A. 
The fact that threats can materialize into an incident requires the presence of system vulnerabilities. It is the vulnerabilities that should be the focus of analysis when considering incident management procedures. B. Periodic testing and updates to incorporate lessons learned will ensure that implementation of the incident management response plan is aligned and kept current with the business priorities set by business management. C. All of the members of the incident management response team do not need to have IS skills. Members who take charge of implementing the incident management response plan should be able to utilize different skills to ensure alignment with the organization's procedures and policies. D. It is important that someone take ownership of implementing the incident management plan; for instance, to formally declare that such a plan needs to be put into place after an incident. A nonhierarchical structure can introduce ambiguity as to who is responsible for what aspects of the incident management response plan. An information security manager has been asked to develop a change control process. What is the FIRST thing the information security manager should do? Select an answer: A. Research best practices B. Meet with stakeholders C. Establish change control procedures D. Identify critical systems>>> You are correct, the answer is B. No new process will be successful unless it is adhered to by all stakeholders; to the extent stakeholders have input, they can be expected to follow the process. Without consensus agreement from the stakeholders, the scope of the research is too wide; input on the current environment is necessary to focus research effectively. It is premature to implement procedures without stakeholder consensus and research. Without knowing what the process will be, the parameters to baseline are unknown as well. 
An organization is using a vendor-supplied critical application which has a maximum password length that does not comply with organizational security standards. Which of the following approaches BEST helps mitigate the weakness? Select an answer: A. Shorten the password validity period. B. Encourage the use of special characters. C. Strengthen segregation of duties (SoD). D. Introduce compensatory controls.>>> You are correct, the answer is D. A. Periodic change of password is a good control against password theft. However, it would not compensate for the shortcoming in password length. B. Use of special characters will enhance password complexity. However, it will not fully replace the shortcoming in password length. C. Segregation of duties (SoD) will tighten the control against fraud. However, it will not resolve password noncompliance. D. Vendor systems are sometimes unable to provide a security control that meets the policy of the organization. In such cases, compensating controls should be sought, e.g., password lockout on failed attempts. The information classification scheme should: Select an answer: A. consider possible impact of a security breach. B. classify personal information in electronic form. C. be performed by the information security manager. D. classify systems according to the data processed.>>> You answered D. The correct answer is A. Data classification is determined by the business risk, i.e., the potential impact on the business of the loss, corruption or disclosure of information. Data classification must be applied to information in all forms, both electronic and physical (paper), and should be applied by the data owner, not the security manager. Classification of personal information in electronic form is an incomplete answer because it addresses a subset of organizational data. Systems are not classified per se, but the data they
Institution
CISM Tst Ba
Course
CISM Tst Ba
marita001 america