CISM Practice B Topic 4 Flashcards by Nancy Taylor

The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to:

perform penetration testing.

establish security baselines.

implement vendor default settings.

link policies to an independent standard.

establish security baselines.

How well did you know this?

Not at all

Perfectly

A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration?

User

Network

Operations

Database

User

How well did you know this?

Not at all

Perfectly

The BEST way to ensure that information security policies are followed is to:

distribute printed copies to all employees.

perform periodic reviews for compliance.

include escalating penalties for noncompliance.

establish an anonymous hotline to report policy abuses.

perform periodic reviews for compliance.

How well did you know this?

Not at all

Perfectly

The MOST appropriate individual to determine the level of information security needed for a specific business application is the:

system developer.

information security manager.

steering committee.

system data owner.

How well did you know this?

Not at all

Perfectly

Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual needing to have his or her password reset?

Performing reviews of password resets

Conducting security awareness programs

Increasing the frequency of password changes

Implementing automatic password syntax checking

Conducting security awareness programs

How well did you know this?

Not at all

Perfectly

Which of the following is the MOST likely to change an organization’s culture to one that is more security conscious?

Adequate security policies and procedures

Periodic compliance reviews

Security steering committees

Security awareness campaigns

How well did you know this?

Not at all

Perfectly

The BEST way to ensure that an external service provider complies with organizational security policies is to:

Explicitly include the service provider in the security policies.

Receive acknowledgment in writing stating the provider has read all policies.

Cross-reference to policies in the service level agreement

Perform periodic reviews of the service provider.

How well did you know this?

Not at all

Perfectly

When an emergency security patch is received via electronic mail, the patch should FIRST be:

loaded onto an isolated test machine.

decompiled to check for malicious code.

validated to ensure its authenticity.

copied onto write-once media to prevent tampering.

validated to ensure its authenticity.

How well did you know this?

Not at all

Perfectly

In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software?

Applying patches

Changing access rules

Upgrading hardware

Backing up files

Changing access rules

How well did you know this?

Not at all

Perfectly

Which of the following is the BEST indicator that security awareness training has been effective?

Employees sign to acknowledge the security policy

More incidents are being reported

A majority of employees have completed training

No incidents have been reported in three months

More incidents are being reported

How well did you know this?

Not at all

Perfectly

Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs?

Penetration attempts investigated

Violation log reports produced

Violation log entries

Frequency of corrective actions taken

Penetration attempts investigated

How well did you know this?

Not at all

Perfectly

Which of the following change management activities would be a clear indicator that normal operational procedures require examination? A high percentage of:

similar change requests.

change request postponements.

canceled change requests.

emergency change requests.

How well did you know this?

Not at all

Perfectly

Which of the following is the MOST important management signoff for migrating an order processing system from a test environment to a production environment?

User

Security

Operations

Database

User

How well did you know this?

Not at all

Perfectly

Prior to having a third party perform an attack and penetration test against an organization, the MOST important action is to ensure that:

the third party provides a demonstration on a test system.
goals and objectives are clearly defined.
the technical staff has been briefed on what to expect.
special backups of production servers are taken.

goals and objectives are clearly defined.

How well did you know this?

Not at all

Perfectly

When a departmental system continues to be out of compliance with an information security policy’s password strength requirements, the BEST action to undertake is to:

submit the issue to the steering committee.

conduct an impact analysis to quantify the risks.

isolate the system from the rest of the network.

request a risk acceptance from senior management.

conduct an impact analysis to quantify the risks.

How well did you know this?

Not at all

Perfectly

Which of the following is MOST important to the successful promotion of good security management practices?

Security metrics

Security baselines

Management support

Periodic training

Management support

How well did you know this?

Not at all

Perfectly

Which of the following environments represents the GREATEST risk to organizational security?

Locally managed file server

Enterprise data warehouse

Load-balanced, web server cluster

Centrally managed data switch

Locally managed file server

How well did you know this?

Not at all

Perfectly

Nonrepudiation can BEST be assured by using:

delivery path tracing.

reverse lookup translation.

out-of-hand channels.

digital signatures.

How well did you know this?

Not at all

Perfectly

Of the following, the BEST method for ensuring that temporary employees do not receive excessive access rights is:

mandatory access controls.

discretionary access controls.

lattice-based access controls.

role-based access controls.

How well did you know this?

Not at all

Perfectly

Which of the following areas is MOST susceptible to the introduction of security weaknesses?

Database management

Tape backup management

Configuration management

Incident response management

Configuration management

How well did you know this?

Not at all

Perfectly

Security policies should be aligned MOST closely with:

industry best practices.

organizational needs.

generally accepted standards.

local laws and regulations.

organizational needs.

How well did you know this?

Not at all

Perfectly

The BEST way to determine if an anomaly-based intrusion detection system (IDS) is properly installed is to:

simulate an attack and review IDS performance.

use a honeypot to check for unusual activity.

audit the configuration of the IDS.

benchmark the IDS against a peer site.

simulate an attack and review IDS performance.

How well did you know this?

Not at all

Perfectly

The BEST time to perform a penetration test is after:

an attempted penetration has occurred.

an audit has reported weaknesses in security controls.

various infrastructure changes are made.

a high turnover in systems staff.

various infrastructure changes are made.

How well did you know this?

Not at all

Perfectly

Successful social engineering attacks can BEST be prevented through:

preemployment screening.

close monitoring of users’ access patterns.

periodic awareness training.

efficient termination procedures.

periodic awareness training.

How well did you know this?

Not at all

Perfectly

What is the BEST way to ensure that an intruder who successfully penetrates a network will be detected before significant damage is inflicted? Perform periodic penetration testing Establish minimum security baselines Implement vendor default settings Install a honeypot on the network

Install a honeypot on the network

Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system? User ad hoc reporting is not logged Network traffic is through a single switch Operating system (OS) security patches have not been applied Database security defaults to ERP settings

Operating system (OS) security patches have not been applied

In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources? Implementing on-screen masking of passwords Conducting periodic security awareness programs Increasing the frequency of password changes Requiring that passwords be kept strictly confidential

Conducting periodic security awareness programs

Which of the following will BEST ensure that management takes ownership of the decision making process for information security? Security policies and procedures Annual self-assessment by management Security-steering committees Security awareness campaigns

Security-steering committees

Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application? System analyst Quality control manager Process owner Information security manager

Process owner

What is the BEST way to ensure that contract programmers comply with organizational security policies? Explicitly refer to contractors in the security standards Have the contractors acknowledge in writing the security policies Create penalties for noncompliance in the contracting agreement Perform periodic security reviews of the contractors

Perform periodic security reviews of the contractors

Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected? Applying patches Changing access rules Upgrading hardware Backing up files

Backing up files

Security awareness training should be provided to new employees: on an as-needed basis. during system user training. before they have access to data. along with department staff.

before they have access to data.

What is the BEST method to verify that all security patches applied to servers were properly documented? Trace change control requests to operating system (OS) patch logs Trace OS patch logs to OS vendor's update documentation Trace OS patch logs to change control requests Review change control documentation for key servers

Trace OS patch logs to change control requests

A security awareness program should: present top management's perspective. address details on specific exploits. address specific groups and roles. promote security department procedures

address specific groups and roles.

The PRIMARY objective of security awareness is to: ensure that security policies are understood. influence employee behavior. ensure legal and regulatory compliance. notify of actions for noncompliance.

influence employee behavior.

Which of the following will BEST protect against malicious activity by a former employee? Preemployment screening Close monitoring of users Periodic awareness training Effective termination procedures

Effective termination procedures

Which of the following represents a PRIMARY area of interest when conducting a penetration test? Data mining Network mapping Intrusion Detection System (IDS) Customer data

Network mapping

The return on investment of information security can BEST be evaluated through which of the following? Support of business objectives Security metrics Security deliverables Process improvement models

Support of business objectives

To help ensure that contract personnel do not obtain unauthorized access to sensitive information, an information security manager should PRIMARILY: set their accounts to expire in six months or less. avoid granting system administration roles. ensure they successfully pass background checks. ensure their access is approved by the data owner.

avoid granting system administration roles.

Information security policies should: address corporate network vulnerabilities. address the process for communicating a violation. be straightforward and easy to understand. be customized to specific groups and roles.

be straightforward and easy to understand.

Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack? Utilize an intrusion detection system. Establish minimum security baselines. Implement vendor recommended settings. Perform periodic penetration testing.

Perform periodic penetration testing.

Which of the following presents the GREATEST exposure to internal attack on a network? User passwords are not automatically expired All network traffic goes through a single switch User passwords are encoded but not encrypted All users reside on a single internal subnet

User passwords are encoded but not encrypted

Which of the following provides the linkage to ensure that procedures are correctly aligned with information security policy requirements? Standards Guidelines Security metrics IT governance

Standards

Which of the following are the MOST important individuals to include as members of an information security steering committee? Direct reports to the chief information officer IT management and key business process owners Cross-section of end users and IT professionals Internal audit and corporate legal departments

IT management and key business process owners

Security audit reviews should PRIMARILY: ensure that controls operate as required. ensure that controls are cost-effective. focus on preventive controls. ensure controls are technologically current.

ensure that controls operate as required.

Which of the following is the MOST appropriate method to protect a password that opens a confidential file? Delivery path tracing Reverse lookup translation Out-of-band channels Digital signatures

Out-of-band channels

What is the MOST effective access control method to prevent users from sharing files with unauthorized users? Mandatory Discretionary Walled garden Role-based

Mandatory

Which of the following is an inherent weakness of signature-based intrusion detection systems? A higher number of false positives New attack methods will be missed Long duration probing will be missed Attack profiles can be easily spoofed

New attack methods will be missed

Data owners are normally responsible for which of the following? Applying emergency changes to application data Administering security over database records Migrating application code changes to production Determining the level of application security required

Determining the level of application security required

Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process? System analyst System user Operations manager Data security officer

System user

What is the BEST way to ensure users comply with organizational security requirements for password complexity? Include password construction requirements in the security standards Require each user to acknowledge the password requirements Implement strict penalties for user noncompliance Enable system-enforced password configuration

Enable system-enforced password configuration

Which of the following is the MOST appropriate method for deploying operating system (OS) patches to production application servers? Batch patches into frequent server updates Initially load the patches on a test machine Set up servers to automatically download patches Automatically push all patches to the servers

Initially load the patches on a test machine

Which of the following would present the GREATEST risk to information security? Virus signature files updates are applied to all servers every day Security access logs are reviewed within five business days Critical patches are applied within 24 hours of their release Security incidents are investigated within five business days

Security incidents are investigated within five business days

The PRIMARY reason for using metrics to evaluate information security is to: identify security weaknesses. justify budgetary expenditures. enable steady improvement. raise awareness on security issues.

enable steady improvement.

What is the BEST method to confirm that all firewall rules and router configuration settings are adequate? Periodic review of network configuration Review intrusion detection system (IDS) logs for evidence of attacks Periodically perform penetration tests Daily review of server logs for evidence of hacker activity

Periodically perform penetration tests

Which of the following is MOST important for measuring the effectiveness of a security awareness program? Reduced number of security violation reports A quantitative evaluation to ensure user comprehension Increased interest in focus groups on security issues Increased number of security violation reports

A quantitative evaluation to ensure user comprehension

Which of the following is the MOST important action to take when engaging third-party consultants to conduct an attack and penetration test? Request a list of the software to be used Provide clear directions to IT staff Monitor intrusion detection system (IDS) and firewall logs closely Establish clear rules of engagement

Establish clear rules of engagement

Which of the following will BEST prevent an employee from using a USB drive to copy files from desktop computers? Restrict the available drive allocation on all PCs Disable universal serial bus (USB) ports on all desktop devices Conduct frequent awareness training with noncompliance penalties Establish strict access controls to sensitive information

Restrict the available drive allocation on all PCs

Which of the following is the MOST important area of focus when examining potential security compromise of a new wireless network? Signal strength Number of administrators Bandwidth Encryption strength

Number of administrators

Good information security standards should: define precise and unambiguous allowable limits. describe the process for communicating violations. address high-level objectives of the organization. be updated frequently as new software is released.

define precise and unambiguous allowable limits.

Good information security procedures should: define the allowable limits of behavior. underline the importance of security governance. describe security baselines for each platform. be updated frequently as new software is released.

be updated frequently as new software is released.

What is the MAIN drawback of e-mailing password-protected zip files across the Internet? They: all use weak encryption. are decrypted by the firewall. may be quarantined by mail filters. may be corrupted by the receiving mail server.

may be quarantined by mail filters.

A major trading partner with access to the internal network is unwilling or unable to remediate serious information security exposures within its environment. Which of the following is the BEST recommendation? Sign a legal agreement assigning them all liability for any breach Remove all trading partner access until the situation improves Set up firewall rules restricting network traffic from that location Send periodic reminders advising them of their noncompliance

Set up firewall rules restricting network traffic from that location

Documented standards/procedures for the use of cryptography across the enterprise should PRIMARILY: define the circumstances where cryptography should be used. define cryptographic algorithms and key lengths. describe handling procedures of cryptographic keys. establish the use of cryptographic solutions.

define the circumstances where cryptography should be used.

Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system (IDS) with the threshold set to a low value? The number of false positives increases The number of false negatives increases Active probing is missed Attack profiles are ignored

The number of false positives increases

What is the MOST appropriate change management procedure for the handling of emergency program changes? Formal documentation does not need to be completed before the change Business management approval must be obtained prior to the change Documentation is completed with approval soon after the change All changes must follow the same process

Documentation is completed with approval soon after the change

Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken? Information security officer Security steering committee Data owner Data custodian

Security steering committee

The PRIMARY focus of the change control process is to ensure that changes are: authorized. applied. documented. tested.

authorized

An information security manager has been asked to develop a change control process. What is the FIRST thing the information security manager should do? Research best practices Meet with stakeholders Establish change control procedures Identify critical systems

Meet with stakeholders

A critical device is delivered with a single user and password that is required to be shared for multiple users to access the device. An information security manager has been tasked with ensuring all access to the device is authorized. Which of the following would be the MOST efficient means to accomplish this? Enable access through a separate device that requires adequate authentication Implement manual procedures that require password change after each use Request the vendor to add multiple user IDs Analyze the logs to detect unauthorized access

Enable access through a separate device that requires adequate authentication

Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application? User security procedures Business process flow IT security policy Regulatory requirements

IT security policy

Which of the following is the MOST important process that an information security manager needs to negotiate with an outsource service provider? The right to conduct independent security reviews A legally binding data protection agreement Encryption between the organization and the provider A joint risk assessment of the system

The right to conduct independent security reviews

Which resource is the MOST effective in preventing physical access tailgating/piggybacking? Card key door locks Photo identification Awareness training Biometric scanners

Awareness training

In business critical applications, where shared access to elevated privileges by a small group is necessary, the BEST approach to implement adequate segregation of duties is to: ensure access to individual functions can be granted to individual users only. implement role-based access control in the application. enforce manual procedures ensuring separation of conflicting duties. create service accounts that can only be used by authorized team members.

implement role-based access control in the application.

In business-critical applications, user access should be approved by the: information security manager. data owner. data custodian. business management.

data owner.

In organizations where availability is a primary concern, the MOST critical success factor of the patch management procedure would be the: testing time window prior to deployment. technical skills of the team responsible. certification of validity for deployment. automated deployment to all the servers.

testing time window prior to deployment.

To ensure that all information security procedures are functional and accurate, they should be designed with the involvement of: end users. legal counsel. operational units. audit management.

operational units.

An information security manager reviewed the access control lists and observed that privileged access was granted to an entire department. Which of the following should the information security manager do FIRST? Review the procedures for granting access Establish procedures for granting emergency access Meet with data owners to understand business needs Redefine and implement proper access rights

Meet with data owners to understand business needs

When security policies are strictly enforced, the initial impact is that: they may have to be modified more frequently. they will be less subject to challenge. the total cost of security is increased. the need for compliance reviews is decreased.

the total cost of security is increased.

A business partner of a factory has remote read-only access to material inventory to forecast future acquisition orders. An information security manager should PRIMARILY ensure that there is: an effective control over connectivity and continuity. a service level agreement (SLA) including code escrow. a business impact analysis (BIA). a third-party certification.

an effective control over connectivity and continuity.

Which of the following should be in place before a black box penetration test begins? IT management approval Proper communication and awareness training A clearly stated definition of scope An incident response plan

A clearly stated definition of scope

What is the MOST important element to include when developing user security awareness material? Information regarding social engineering Detailed security policies Senior management endorsement Easy-to-read and compelling information

Easy-to-read and compelling information

What is the MOST important success factor in launching a corporate information security awareness program? Adequate budgetary support Centralized program management Top-down approach Experience of the awareness trainers

Top-down approach

Which of the following events generally has the highest information security impact? Opening a new office Merging with another organization Relocating the data center Rewiring the network

Merging with another organization

The configuration management plan should PRIMARILY be based upon input from: business process owners. the information security manager. the security steering committee. IT senior management.

IT senior management.

Which of the following is the MOST effective, positive method to promote security awareness? Competitions and rewards for compliance Lock-out after three incorrect password attempts Strict enforcement of password formats Disciplinary action for noncompliance

Competitions and rewards for compliance

An information security program should focus on: best practices also in place at peer companies. solutions codified in international standards. key controls identified in risk assessments. continued process improvement.

key controls identified in risk assessments.

Who should determine the appropriate classification of accounting ledger data located on a database server and maintained by a database administrator in the IT department? Database administrator (DBA) Finance department management Information security manager IT department management

Finance department management

Which of the following would be the MOST significant security risk in a pharmaceutical institution? Compromised customer information Unavailability of online transactions Theft of security tokens Theft of a Research and Development laptop

Theft of a Research and Development laptop

Which of the following is the BEST tool to maintain the currency and coverage of an information security program within an organization? The program's governance oversight mechanisms Information security periodicals and manuals The program's security architecture and design Training and certification of the information security team

The program's governance oversight mechanisms

Which of the following would BEST assist an information security manager in measuring the existing level of development of security processes against their desired state? Security audit reports Balanced scorecard Capability maturity model (CMM) Systems and business security architecture

Capability maturity model (CMM)

Who is responsible for raising awareness of the need for adequate funding for risk action plans? Chief information officer (CIO) Chief financial officer (CFO) Information security manager Business unit management

Information security manager

Managing the life cycle of a digital certificate is a role of a(n): system administrator. security administrator. system developer. independent trusted source.

independent trusted source.

Which of the following would be MOST critical to the successful implementation of a biometric authentication system? Budget allocation Technical skills of staff User acceptance Password requirements

User acceptance

Change management procedures to ensure that disaster recovery/business continuity plans are kept up-to-date can be BEST achieved through which of the following? Reconciliation of the annual systems inventory to the disaster recovery, business continuity plans Periodic audits of the disaster recovery/business continuity plans Comprehensive walk-through testing Inclusion as a required step in the system life cycle process

Inclusion as a required step in the system life cycle process

When a new key business application goes into production, the PRIMARY reason to update relevant business impact analysis (BIA) and business continuity/disaster recovery plans is because: this is a requirement of the security policy. software licenses may expire in the future without warning. the asset inventory must be maintained. service level agreements may not otherwise be met.

service level agreements may not otherwise be met.

To reduce the possibility of service interruptions, an entity enters into contracts with multiple Internet service providers (ISPs). Which of the following would be the MOST important item to include? Service level agreements (SLAs) Right to audit clause Intrusion detection system (IDS) services Spam filtering services

Service level agreements (SLAs)

To mitigate a situation where one of the programmers of an application requires access to production data, the information security manager could BEST recommend to: create a separate account for the programmer as a power user. log all of the programmers' activity for review by supervisor. have the programmer sign a letter accepting full responsibility. perform regular audits of the application.

log all of the programmers' activity for review by supervisor.

Before engaging outsourced providers, an information security manager should ensure that the organization's data classification requirements: are compatible with the provider's own classification. are communicated to the provider. exceed those of the outsourcer. are stated in the contract.

are stated in the contract.

What is the GREATEST risk when there is an excessive number of firewall rules? One rule may override another rule in the chain and create a loophole Performance degradation of the whole network The firewall may not support the increasing number of rules due to limitations The firewall may show abnormal behavior and may crash or automatically shut down

One rule may override another rule in the chain and create a loophole

Which of the following would be the MOST appropriate physical security solution for the main entrance to a data center? Mantrap Biometric lock Closed-circuit television (CCTV) Security guard

Biometric lock

What is the GREATEST advantage of documented guidelines and operating procedures from a security perspective? Provide detailed instructions on how to carry out different types of tasks Ensure consistency of activities to provide a more stable environment Ensure compliance to security standards and regulatory requirements Ensure reusability to meet compliance to quality requirements

Ensure consistency of activities to provide a more stable environment

What is the BEST way to ensure data protection upon termination of employment? Retrieve identification badge and card keys Retrieve all personal computer equipment Erase all of the employee's folders Ensure all logical access is removed

Ensure all logical access is removed

The MOST important reason for formally documenting security procedures is to ensure: processes are repeatable and sustainable. alignment with business objectives. auditability by regulatory agencies. objective criteria for the application of metrics.

processes are repeatable and sustainable.

Which of the following is the BEST approach for an organization desiring to protect its intellectualproperty? Conduct awareness sessions on intellectual property policy Require all employees to sign a nondisclosure agreement Promptly remove all access when an employee leaves the organization Restrict access to a need-to-know basis

Restrict access to a need-to-know basis

The "separation of duties" principle is violated if which of the following individuals has update rights to the database access control list (ACL)? Data owner Data custodian Systems programmer Security administrator

Systems programmer

An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download non-sensitive production data for software testing purposes. The information security manager should recommend which of the following? Restrict account access to read only Log all usage of this account Suspend the account and activate only when needed Require that a change request be submitted for each download

Restrict account access to read only

Which would be the BEST recommendation to protect against phishing attacks? Install an antispam system Publish security guidance for customers Provide security awareness to the organization's staff Install an application-level firewall

Publish security guidance for customers

Which of the following is the BEST indicator that an effective security control is built into an organization? The monthly service level statistics indicate a minimal impact from security issues. The cost of implementing a security control is less than the value of the assets. The percentage of systems that is compliant with security standards. The audit reports do not reflect any significant findings on security.

The monthly service level statistics indicate a minimal impact from security issues.

What is the BEST way to alleviate security team understaffing while retaining the capability inhouse? Hire a contractor that would not be included in the permanent headcount Outsource with a security services provider while retaining the control internally Establish a virtual security team from competent employees across the company Provide cross training to minimize the existing resources gap

Establish a virtual security team from competent employees across the company

An information security manager wishing to establish security baselines would: * include appropriate measurements in the system development life cycle. * implement the security baselines to establish information security best practices. * implement the security baselines to fulfill laws and applicable regulations in different jurisdictions. * leverage information security as a competitive advantage.

implement the security baselines to establish information security best practices.

Requiring all employees and contractors to meet personnel security/suitability requirements commensurate with their position sensitivity level and subject to personnel screening is an example of a security: policy. strategy. guideline. baseline.

policy.

An organization's information security manager has been asked to hire a consultant to help assess the maturity level of the organization's information security management. The MOST important element of the request for proposal (RFP) is the: references from other organizations. past experience of the engagement team. sample deliverable. methodology used in the assessment.

methodology used in the assessment.

Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to: * assess the problems and institute rollback procedures, if needed. * disconnect the systems from the network until the problems are corrected. * immediately uninstall the patches from these systems. * immediately contact the vendor regarding the problems that occurred.

assess the problems and institute rollback procedures, if needed.

When defining a service level agreement (SLA) regarding the level of data confidentiality that is handled by a third-party service provider, the BEST indicator of compliance would be the: access control matrix. encryption strength. authentication mechanism. data repository

access control matrix.

The PRIMARY reason for involving information security at each stage in the systems development life cycle (SDLC) is to identify the security implications and potential solutions required for: identifying vulnerabilities in the system. sustaining the organization's security posture. the existing systems that will be affected. complying with segregation of duties.

sustaining the organization's security posture.It is important to maintain the organization's security posture at all times. The focus should not be confined to the new system being developed or acquired, or to the existing systems in use. Segregation of duties is only part of a solution to improving the security of the systems, not the primary reason to involve security in the systems development life cycle (SDLC)

The implementation of continuous monitoring controls is the BEST option where: * incidents may have a high impact and frequency * legislation requires strong information security controls * incidents may have a high impact but low frequency * electronic commerce is a primary business driver

incidents may have a high impact and frequency

A third party was engaged to develop a business application. Which of the following would an information security manager BEST test for the existence of back doors? System monitoring for traffic on network ports Security code reviews for the entire application Reverse engineering the application binaries Running the application from a high-privileged account on a test system

Security code reviews for the entire application

An information security manager reviewing firewall rules will be MOST concerned if the firewall allows: source routing. broadcast propagation. unregistered ports. nonstandard protocols.

source routing.

What is the MOST cost-effective means of improving security awareness of staff personnel? Employee monetary incentives User education and training A zero-tolerance security policy Reporting of security infractions

User education and training

Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)? Card-key door locks Photo identification Biometric scanners Awareness training

Awareness training

Data owners will determine what access and authorizations users will have by: delegating authority to data custodian. cloning existing user accounts. determining hierarchical preferences. mapping to business needs.

mapping to business needs.

Which of the following is the MOST likely outcome of a well-designed information security awareness course? Increased reporting of security incidents to the incident response function Decreased reporting of security incidents to the incident response function Decrease in the number of password resets Increase in the number of identified system vulnerabilities

Increased reporting of security incidents to the incident response function

Which item would be the BEST to include in the information security awareness training program for new general staff employees? Review of various security models Discussion of how to construct strong passwords Review of roles that have privileged access Discussion of vulnerability assessment results

Review of various security models

A critical component of a continuous improvement program for information security is: * measuring processes and providing feedback. * developing a service level agreement (SLA) for security. * tying corporate security standards to a recognized international standard. * ensuring regulatory compliance.

measuring processes and providing feedback.

The management staff of an organization that does not have a dedicated security function decides to use its IT manager to perform a security review. The MAIN job requirement in this arrangement is that the IT manager: report risks in other departments. obtain support from other departments. report significant security risks. have knowledge of security standards.

report significant security risks.

An organization has implemented an enterprise resource planning (ERP) system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate? Rule-based Mandatory Discretionary Role-based

Role-based

An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that: * an audit of the service provider uncovers no significant weakness. * the contract includes a nondisclosure agreement (NDA) to protect the organization's intellectual property. * the contract should mandate that the service provider will comply with security policies. * the third-party service provider conducts regular penetration testing.

the contract should mandate that the service provider will comply with security policies.

Which of the following is the MAIN objective in contracting with an external company to perform penetration testing? To mitigate technical risks To have an independent certification of network security To receive an independent view of security exposures To identify a complete list of vulnerabilities

To receive an independent view of security exposures

A new port needs to be opened in a perimeter firewall. Which of the following should be the FIRST step before initiating any changes? Prepare an impact assessment report. Conduct a penetration test. Obtain approval from senior management. Back up the firewall configuration and policy files.

Prepare an impact assessment report.

An organization plans to outsource its customer relationship management (CRM) to a third-party service provider. Which of the following should the organization do FIRST? Request that the third-party provider perform background checks on their employees. Perform an internal risk assessment to determine needed controls. Audit the third-party provider to evaluate their security controls. Perform a security assessment to detect security vulnerabilities.

Perform an internal risk assessment to determine needed controls.

Which of the following would raise security awareness among an organization's employees? Distributing industry statistics about security incidents Monitoring the magnitude of incidents Encouraging employees to behave in a more conscious manner Continually reinforcing the security policy

Continually reinforcing the security policy

Which of the following is the MOST appropriate method of ensuring password strength in a large organization? Attempt to reset several passwords to weaker values Install code to capture passwords for periodic audit Sample a subset of users and request their passwords for review Review general security settings on each platform

Review general security settings on each platform

What is the MOST cost-effective method of identifying new vendor vulnerabilities? External vulnerability reporting sources Periodic vulnerability assessments performed by consultants Intrusion prevention software Honey pots located in the DMZ

External vulnerability reporting sources

Which of the following is the BEST approach for improving information security management processes? Conduct periodic security audits. Perform periodic penetration testing. Define and monitor security metrics. Survey business units for feedback.

Define and monitor security metrics.

An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to: * validate and sanitize client side inputs. * harden the database listener component. * normalize the database schema to the third normal form. * ensure that the security patches are updated on operating systems.

validate and sanitize client side inputs.

The root cause of a successful cross site request forgery (XSRF) attack against an application is that the vulnerable application: * uses multiple redirects for completing a data commit transaction. * has implemented cookies as the sole authentication mechanism. * has been installed with a non-legitimate license key. * is hosted on a server along with other applications.

has implemented cookies as the sole authentication mechanism.

Of the following, retention of business records should be PRIMARILY based on: periodic vulnerability assessment. regulatory and legal requirements. device storage capacity and longevity. past litigation.

regulatory and legal requirements.

An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform? A due diligence security review of the business partner's security controls Ensuring that the business partner has an effective business continuity program Ensuring that the third party is contractually obligated to all relevant security requirements Talking to other clients of the business partner to check references for performance

Ensuring that the third party is contractually obligated to all relevant security requirements

An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract? Right to audit Nondisclosure agreement Proper firewall implementation Dedicated security manager for monitoring compliance

Right to audit

Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services? Provide security awareness training to the third-party provider's employees Conduct regular security reviews of the third-party provider Include security requirements in the service contract Request that the third-party provider comply with the organization's information security policy

Conduct regular security reviews of the third-party provider

An organization's operations staff places payment files in a shared network folder and then the disbursement staff picks up the files for payment processing. This manual intervention will be automated some months later, thus cost-efficient controls are sought to protect against file alterations. Which of the following would be the BEST solution? Design a training program for the staff involved to heighten information security awareness Set role-based access permissions on the shared folder The end user develops a PC macro program to compare sender and recipient file contents Shared folder operators sign an agreement to pledge not to commit fraudulent activities

Set role-based access permissions on the shared folder

Which of the following BEST ensures that security risks will be reevaluated when modifications in application developments are made? A problem management process Background screening A change control process Business impact analysis (BIA)

A change control process

Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities? Vulnerability scans Penetration tests Code reviews Security audits

Penetration tests

In which of the following system development life cycle (SDLC) phases are access control and encryption algorithms chosen? Procedural design Architectural design System design specifications Software development

System design specifications

Which of the following is generally considered a fundamental component of an information security program? Role-based access control systems Automated access provisioning Security awareness training Intrusion prevention systems (IPSs)

Security awareness training

How would an organization know if its new information security program is accomplishing its goals? Key metrics indicate a reduction in incident impacts. Senior management has approved the program and is supportive of it. Employees are receptive to changes that were implemented. There is an immediate reduction in reported incidents.

Key metrics indicate a reduction in incident impacts.ing program, but are not as significant as the key metrics indicator. An immediate reduction in reported incidents, in contrast, may indicate that it is not successful.

A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that: it simulates the real-1ife situation of an external security attack. human intervention is not required for this type of test. less time is spent on reconnaissance and information gathering. critical infrastructure information is not revealed to the tester.

less time is spent on reconnaissance and information gathering.

Which of the following is the BEST method to reduce the number of incidents of employees forwarding spam and chain e-mail messages? Acceptable use policy Setting low mailbox limits User awareness training Taking disciplinary action

User awareness training

Which of the following is the BEST approach to mitigate online brute-force attacks on user accounts? Passwords stored in encrypted form User awareness Strong passwords that are changed periodically Implementation of lock-out policies

Implementation of lock-out policies

Which of the following measures is the MOST effective deterrent against disgruntled stall abusing their privileges? Layered defense strategy System audit log monitoring Signed acceptable use policy High-availability systems

Signed acceptable use policy

The advantage of sending messages using steganographic techniques, as opposed to utilizing encryption, is that: the existence of messages is unknown. required key sizes are smaller. traffic cannot be sniffed. reliability of the data is higher in transit.

the existence of messages is unknown.

As an organization grows, exceptions to information security policies that were not originally specified may become necessary at a later date. In order to ensure effective management of business risks, exceptions to such policies should be: * considered at the discretion of the information owner. * approved by the next higher person in the organizational structure. * formally managed within the information security framework. * reviewed and approved by the security manager.

formally managed within the information security framework.

There is reason to believe that a recently modified web application has allowed unauthorized access. Which is the BEST way to identify an application backdoor? Black box pen test Security audit Source code review Vulnerability scan

Source code review

Simple Network Management Protocol v2 (SNMP v2) is used frequently to monitor networks. Which of the following vulnerabilities does it always introduce? Remote buffer overflow Cross site scripting Clear text authentication Man-in-the-middle attack

Clear text authentication

Which of the following is the FIRST phase in which security should be addressed in the development cycle of a project? Design Implementation Application security testing Feasibility

Feasibility

CISM Practice B Topic 4 Flashcards

(157 cards)