CISM 2014 Questions - 3

A. Security metrics

B. Security baselines

C. Management support

D. Periodic training

A. Configuration of firewalls

B. Strength of encryption algorithms

C. Authentication within application

D. Safeguards over keys

A. reduce risk to the business.

B. ensure compliance with security policies.

C. provide assurance to management.

D. measure efficiency of services provided.

A. There is an undue reliance on public networks.

B. Batteries require constant recharges.

C. There is a lack of operating system standardization.

D. Mobile devices can be easily lost or stolen.

A. Obtain comparative pricing bids and complete the transaction with the vendor offering the best deal.

B. Add the purchase to the budget during the next budget preparation cycle to account for costs.

C. Perform an assessment to determine correlation with business goals and objectives.

D. Form a project team to plan the implementation.

A. The policies must comply with new regulatory and legal mandates.

B. Appropriate security baselines are no longer set in the policies.

C. The policies no longer reflect management intent and direction.

D. Employees consistently ignore the policies.

A. Periodic audits of noncompliant areas

B. An ongoing vulnerability scanning program

C. Annual security awareness training

D. Regular reports to executive management

A. To identify weaknesses in network security

B. To identify patterns of suspicious access

C. To identify how an attack was launched on the network

D. To identify potential attacks on the internal network

A. use illustrative examples of successful attacks.

B. explain the technical risks to the organization.

C. evaluate the organization against best security practices.

D. tie security risks to key business objectives.

A. Disaster declaration

B. Recovery of the backups

C. Restoration of the system

D. Return to business as usual processing

A. All significant vulnerabilities must be mitigated in a timely fashion.

B. Treatment should be based on threat, impact and cost considerations.

C. Compensatory controls must be implemented for major vulnerabilities.

D. Mitigation options should be proposed for management approval.

A. It shows senior management that you understand their needs.

B. It provides a basis for redistributing resources to mitigate risk outside the risk tolerance.

C. It requires continuous monitoring because the entire risk environment is constantly changing.

D. It facilitates communication with management about the importance of security.

A. Threat analysis

B. Impact assessment

C. Controls evaluation

D. Penetration testing

A. Minimize inherent risk.

B. Eliminate business risk.

C. Implement effective controls.

D. Reduce residual risk to acceptable levels.

A. In policies

B. In the architecture

C. In the strategy

D. In procedures

A. Confirm the incident

B. Determine impact

C. Notify affected stakeholders

D. Isolate the incident

A. A formal methodology makes incident management more flexible.

B. A formal methodology is more reliant on business continuity activities.

C. Each incident responder is able to get broad-based experience.

D. Evidence of due diligence supports legal and liability claims.

A. The independence of the investigator

B. Timely intervention

C. Identifying the perpetrator

D. Chain of custody

A. as a qualitative approach to evaluating risk.

B. to determine maximum probable loss over a period of time.

C. for risk analysis applicable only to financial organizations.

D. as a useful tool to expedite the assessment process.

A. Identify a similar application and refer to its security weaknesses.

B. Recompile the application using the latest library and review the error codes.

C. Employ reverse engineering techniques to derive functionalities.

D. Conduct a vulnerability assessment to detect application weaknesses.

A. It should be based on the threat to each of the elements.

B. Availability is most important.

C. It should be based on the risk to each of the elements.

D. All elements are equally important.

A. aggregated risk.

B. systemic risk.

C. operational risk.

D. cascading risk.

A. Feasibility

B. Design

C. Development

D. Testing

A. Create a separate account for the programmer as a power user.

B. Log all of the programmer's activity for review by their supervisor.

C. Have the programmer sign a letter accepting full responsibility.

D. Perform regular audits of the application.

A. Capture lessons learned to improve the process.

B. Develop a process for continuous improvement.

C. Develop a business case for the security program budget.

D. Identify new incident management tools.

A. Number of attacks detected

B. Number of successful attacks

C. Ratio of false positives to false negatives

D. Ratio of successful to unsuccessful attacks

A. cost of recovery.

B. cost to recreate.

C. opportunity cost.

D. cost of emergency operations.

A. Identify the assets.

B. Conduct a risk assessment.

C. Define the scope.

D. Perform a business impact analysis (BIA).

A. Assessed risk is below acceptable levels.

B. Risk cannot be determined.

C. The control cost is high.

D. The control is not effective.

A. Secure Sockets Layer (SSL)

B. Secure Shell (SSH)

C. IP Security (IPSec)

D. Secure/Multipurpose Internet Mail Extensions (S/MIME)

A. Regulatory requirements

B. Technical expert advisories

C. State-of-the-art technology

D. A risk assessment

A. Eliminating IT risk

B. Cost-benefit balance

C. Resource management

D. The number of assets protected

A. Track audits over time.

B. Evaluate incident losses.

C. Analyze business cases.

D. Interview business owners.

A. The cost of acquisition and implementation of the asset

B. Knowledge of vulnerabilities present in the asset

C. The degree of exposure to known threats

D. The criticality of the business function supported by the asset

A. Through analysis of the network traffic history

B. Through stateful inspection of firewall packets

C. Through identification of zero-day attacks

D. Through vulnerability assessments

A. Laws and regulations of the country of origin may not be enforceable in the foreign country.

B. A security breach notification might get delayed due to the time difference.

C. Additional network intrusion detection sensors should be installed, resulting in an additional cost.

D. The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.

A. Patch management

B. Change management

C. Security baselines

D. Acquisition management

A. user IDs of terminated staff remain active in application systems.

B. access privileges are accumulated based on previous job functions.

C. application role-based access deviates from the organizational hierarchies.

D. role mining tools are used in the access privilege review.

A. Potential impact is a central element of risk.

B. Potential impact is related to asset value.

C. Potential impact affects the extent of mitigation.

D. Potential impact helps determine the exposure.

A. notify law enforcement.

B. start containment.

C. make an image copy of the media.

D. isolate affected servers.

A. Performing more frequent reviews of the organization's risk factors

B. Developing more realistic information security risk scenarios

C. Understanding the flow and classification of information used by the organization

D. A process to monitor postincident review reports prepared by IT staff

A. Contain the file.

B. Delete the file.

C. Verify whether the file is malicious.

D. Report the suspicious file to management.

A. Ensure that the third party provides a demonstration on a test system.

B. Ensure that goals and objectives are clearly defined.

C. Ensure that technical staff has been briefed on what to expect.

D. Ensure that special backups of production servers are taken.

A. Penetration attempts investigated

B. Violation log reports produced

C. Violation log entries

D. Frequency of corrective actions taken

A. Senior management commitment

B. Information security framework

C. Information security organizational structure

D. Information security policy

A. Reassess the maximum tolerable outage (MTO).

B. Conduct a business impact assessment (BIA) and update the plan.

C. Increase the service delivery objective (SDO).

D. Take no action; maximum tolerable outage (MTO) is not related to AIW.

A. A high percentage of similar change requests

B. A high percentage of change request postponements

C. A high percentage of canceled change requests

D. A high percentage of emergency change requests

A. To reduce the cost of system development

B. To aid in strategy and policy development

C. To effectively manage complexity

D. To determine areas that will be a problem

A. managing risk relative to business objectives.

B. managing risk to a zero level and minimizing insurance premiums.

C. avoiding occurrence of risks so that insurance is not required.

D. transferring most risks to insurers and saving on control costs.

A. justify selection of risk mitigation strategies.

B. maximize the return on investment (ROI).

C. provide documentation for auditors and regulators.

D. quantify risks that would otherwise be subjective.

A. total cost of ownership.

B. priority of restoration.

C. annualized loss expectancy (ALE).

D. residual risk.

A. The system developer

B. The information security manager

C. The system custodian

D. The data owner

A. conducting a business impact assessment.

B. conducting a table-top business continuity test.

C. developing disaster recovery metrics.

D. selecting an alternate recovery site.

A. ensure information security covers all business functions.

B. ensure information security aligns with business goals.

C. raise information security awareness across the organization.

D. implement all decisions on security management across the organization.

A. Technical platform interfaces

B. Scalability of the network

C. Development methodologies

D. Stakeholder requirements

A. Senior management support

B. Budget for security activities

C. Regular vulnerability assessments

D. Knowledgeable security administrators

A. On the internal network

B. On the firewall server

C. On the external router

D. On the primary domain controller

A. Ensure the data classification requirements are compatible with the provider's own classification.

B. Ensure the data classification requirements are communicated to the provider.

C. Ensure the data classification requirements exceed those of the outsourcer.

D. Ensure the data classification requirements are stated in the contract.

A. 0-day vulnerabilities

B. Malicious software and spyware

C. Security design flaws

D. Misconfiguration and missing updates

A. Ensure processes are repeatable and sustainable.

B. Ensure alignment with business objectives.

C. Ensure auditability by regulatory agencies.

D. Ensure objective criteria for the application of metrics.

A. Password hash implementation

B. Challenge/response mechanism

C. Wired Equivalent Privacy (WEP) encryption usage

D. HTTP Basic Authentication

A. Adjust budget provisioning

B. Preserve forensic data

C. Improve the response process

D. Ensure the incident is fully documented

A. The impact on critical IT assets

B. A detailed business case

C. Steering committee approval

D. User acceptance

A. risk that will be addressed.

B. financial analysis of benefits.

C. alignment with organizational objectives.

D. feasibility and value proposition.

A. Ease of installation

B. Product documentation

C. Available support

D. System overhead

A. Tests are scheduled on weekends

B. Network IP addresses are predefined

C. Equipment at the hot site is identical

D. Business management actively participates

A. System analyst

B. System user

C. Operations manager

D. Data security officer

A. the development of organizationwide communication channels.

B. periodic third-party auditing of incident reporting logs.

C. an automated policy compliance monitoring system.

D. deployment of suggestion boxes throughout the organization.

A. to the extent that they impact the enterprise.

B. by implementing international standards.

C. by developing policies that address the requirements.

D. to ensure that guidelines meet the requirements.

A. Adequate security policies and procedures

B. Periodic compliance reviews

C. Security steering committees

D. Security awareness campaigns

A. Ensuring accessibility should a disaster occur

B. Versioning control as plans are modified

C. Broken hyperlinks to resources stored elsewhere

D. Tracking changes in personnel and plan assets

A. Review the finding with the sales manager to evaluate the risk and impact.

B. Report the issue to senior management immediately.

C. Request that the sales representatives stop emailing sensitive information.

D. Provide security awareness training to the sales representatives.

A. Inform senior management.

B. Determine the extent of the compromise.

C. Report the incident to the authorities.

D. Communicate with the affected customers.

A. transferred.

B. treated.

C. accepted.

D. terminated.

A. before system development begins.

B. at system deployment.

C. before developing a business case.

D. at each stage of the software development life cycle (SDLC).

A. Logon banners displayed at every logon

B. Periodic security-related email messages

C. An intranet web site for information security

D. Circulating the information security policy

A. The system administrator should be monitored by a separate reviewer.

B. All activity on the network should be monitored.

C. No additional monitoring is needed in this situation.

D. Monitoring should be done only by the information security manager.

A. Static IP addressing

B. Internal address translation

C. Prospective employee background checks

D. Employee awareness certification program

A. Corporate legal officer

B. Enterprise risk manager

C. Compliance officer

D. Affected departments

A. A hot site facility will be shared in multiple disaster declarations

B. All equipment is provided "at time of disaster, not on floor"

C. The facility is subject to a "first-come, first-served" policy

D. Equipment may be substituted with equivalent models

A. Audit logs are not enabled on a production server

B. The logon ID for a terminated systems analyst still exists on the system

C. The help desk has received numerous results of users receiving phishing emails

D. A Trojan was found to be installed on a system administrator's laptop

A. Timeliness of the reporting

B. Relevance to the recipient

C. Accuracy of the measurement

D. The cost of obtaining the metrics

A. A notification of liability on accuracy of information

B. A notification that information will be encrypted

C. A statement of what the company will do with information it collects

D. A description of the information classification process

A. A warning banner

B. Audit trails

C. An access control

D. An alarm system

A. Flexible security budget

B. Sound risk baseline

C. Detection of new risk

D. Accurate risk reporting

A. outside the firewall.

B. on the firewall server.

C. on a screened subnet.

D. on the external router.

A. Number of controls

B. Cost of achieving control objectives

C. Effectiveness of controls

D. Test results of controls

A. The increasing need for controls

B. The policy development process

C. The integration of assurance-related activities

D. A model for information security program development

A. Simulate an attack and review IDS performance.

B. Use a honeypot to check for unusual activity.

C. Audit the configuration of the IDS.

D. Benchmark the IDS against a peer site.

A. Applying emergency changes to application data

B. Administering security over database records

C. Migrating application code changes to production

D. Determining the level of application security required

A. Quantity of information

B. Available IT infrastructure

C. Benchmarking

D. Requirements of data owners

A. Identify a recognized forensics software tool to create the image.

B. Establish a chain of custody log.

C. Connect the hard drive to a write blocker.

D. Generate a cryptographic hash of the hard drive contents.

A. Isolate the infected server(s) from the network.

B. Identify all potential damage caused by the infection.

C. Ensure that the virus database files are current.

D. Establish security weaknesses in the firewall.

A. External audit and network penetration testers

B. Board of directors and the organization's regulators

C. External trade union representatives and key security vendors

D. Leadership from IT, human resources and the sales department

A. Criteria for data backup

B. Personnel responsible for backup

C. A data backup schedule

D. A list of systems to be backed up

A. Copy to the same disk model as the original.

B. Make a dual backup of the original disk.

C. Keep the digital hash from both hard disks.

D. Perform a restoration test after replication.

A. Include password construction requirements in the security standards

B. Require each user to acknowledge the password requirements

C. Implement strict penalties for user noncompliance

D. Enable system-enforced password configuration

A. Reviewing and modifying access rights

B. Assigning new security responsibilities

C. Conducting specific training for the new role

D. Knowledge of security weaknesses in last department

A. Ensure access to individual functions can be granted to individual users only.

B. Implement role-based access control in the application.

C. Enforce manual procedures ensuring separation of conflicting duties.

D. Create service accounts that can only be used by authorized team members.

A. Assign an information security administrator as regulatory liaison.

B. Perform self-assessments using regulatory guidelines and reports.

C. Assess previous regulatory reports with process owners input.

D. Ensure all regulatory inquiries are sanctioned by the legal department.

A. Assigning responsibility for acquiring the data

B. Locating the data and preserving the integrity of the data

C. Creating a forensically sound image

D. Issuing a litigation hold to all affected parties

A. Risk analysis results

B. Audit report findings

C. Penetration test results

D. Amount of IT budget available

A. Business impact analysis (BIA) report

B. List of action items to mitigate risk

C. Assignment of risks to process owners

D. Quantification of organizational risk

A. An adequate budget

B. Senior level authority

C. A robust technology

D. Effective business relationships

A. Remote buffer overflow

B. Cross site scripting

C. Clear text authentication

D. Man-in-the-middle attack

A. Data encryption

B. Digital signatures

C. Strong passwords

D. Two-factor authentication

A. escalate issues to an external third party for resolution.

B. ensure that senior management provide authority for security to address the issues.

C. insist that managers or units not in agreement with the security solution accept the risk.

D. refer the issues to senior management along with any security recommendations.

A. The recovery time objective (RTO) was not exceeded during testing

B. Objective testing of the business continuity/disaster recovery plan has been carried out consistently

C. The recovery point objective (RPO) was proved inadequate by disaster recovery plan testing

D. Information assets have been valued and assigned to owners per the business continuity plan/disaster recovery plan

A. To identify relevant electronic evidence

B. To identify lessons learned

C. To identify the hacker's identity

D. To identify affected areas

A. conduct a cost-benefit analysis.

B. develop a business case.

C. calculate return on investment (ROI).

D. evaluate loss history.

A. Man-in-the-middle attack

B. Brute force attack

C. Remote buffer overflow

D. Root kit

A. The right to audit

B. Service level agreements (SLAs)

C. Appropriate standard of care

D. Periodic security reviews

A. Defined objectives

B. Time frames for delivery

C. Adoption of a control framework

D. Complete policies

A. Request a list of the software to be used

B. Provide clear directions to IT staff

C. Monitor intrusion detection system (IDS) and firewall logs closely

D. Establish clear rules of engagement

A. Data custodian

B. Database administrator

C. Information security officer

D. Data owner

A. an organizational mandate.

B. a risk management priority.

C. a purely operational issue.

D. just another risk.

A. Define security metrics

B. Conduct a risk assessment

C. Perform a gap analysis

D. Procure security tools

A. During contract negotiation

B. Upon request for assistance from the business unit

C. When requirements are being established

D. When a security incident occurs

A. Diverting incoming traffic as a response to a denial of service (DoS) attack

B. Filtering network traffic

C. Examining inbound network traffic for viruses

D. Logging inbound network traffic

A. Reboot the border router connected to the firewall

B. Check IDS logs and monitor for any active attacks

C. Update IDS software to the latest available version

D. Enable server trace logging on the DMZ segment

A. Staff interviews

B. Threat identification

C. Asset identification and valuation

D. Determination of the likelihood of identified risks

A. A threat assessment

B. A vulnerability assessment

C. A resource dependency assessment

D. An impact assessment

A. Procedural design

B. Architectural design

C. System design specifications

D. Software development

A. conflicting security controls with organizational needs.

B. strong protection of information resources.

C. implementing appropriate controls to reduce risk.

D. proving information security's protective abilities.

A. Employees sign to acknowledge the security policy

B. More incidents are being reported

C. A majority of employees have completed training

D. No incidents have been reported in three months

A. Release management

B. Ownership schema

C. Resource dependency analysis

D. Asset classification

A. Strategic business plan

B. Upcoming financial results

C. Customer personal information

D. Previous financial results

A. senior management directing the information security program.

B. periodic risk analysis and treatment.

C. a security steering committee with representatives from all business functions.

D. regular security audits and ongoing monitoring.

A. Initiate the exception process.

B. Modify policy to address the risk.

C. Increase compliance enforcement.

D. Perform a risk assessment.

A. Risk should be reassessed periodically because risk changes over time.

B. Accepted risk should be flagged to avoid future reassessment efforts.

C. Risk should be avoided next time to optimize the risk profile.

D. Risk should be removed from the risk log after it is accepted.

A. Implementation

B. Design

C. Testing

D. Policy

A. Patch management

B. Change management

C. Security baselines

D. Virus detection

A. Strengthen existing controls.

B. Reassess the risk.

C. Set new control objectives.

D. Modify security baselines.

A. Service level agreements (SLAs)

B. Right-to-audit clause

C. Intrusion detection system (IDS) services

D. Spam filtering services

A. Technical input requirements for IT security staff

B. Evaluating training program effectiveness

C. A diverse culture and varied technical abilities of end users

D. Availability of users either on weekends or after office hours

A. Attempt to reset several passwords to weaker values

B. Install code to capture passwords for periodic audit

C. Sample a subset of users and request their passwords for review

D. Install strong password settings on each platform

A. Eliminate low-priority security services.

B. Require management to accept the increased risk.

C. Prioritize risk mitigation and educate management.

D. Reduce monitoring and compliance enforcement activities.

A. Developing information security policies and procedures

B. Senior management commitment

C. Conducting security training and awareness for all users

D. Establishing an information security management system

A. Security monitoring software

B. Encryption

C. Two-factor authentication

D. User awareness

A. Utilize an intrusion detection system.

B. Establish minimum security baselines.

C. Implement vendor recommended settings.

D. Perform periodic penetration testing.

A. A cost-benefit analysis of budgeted resources

B. All of the resources that are recommended by the business

C. Total cost of ownership (TCO)

D. Baseline comparisons

A. show that information security understands the rules.

B. provide regulatory compliance.

C. maximize the cost-effectiveness of controls.

D. minimize the number of rules and regulations required.

A. Information security strategy

B. Information security guidelines

C. Information security model

D. Information security architecture

A. Annual loss expectancy (ALE) of incidents

B. Frequency of incidents

C. Total cost of ownership (TCO)

D. Approved budget for the project

A. When the organization has a high risk tolerance

B. When delegation of rights is contrary to policy

C. When the control policy specifies continuous oversight

D. When access is permitted, unless explicitly denied

A. Simple Mail Transfer Protocol (SMTP)

B. File Transfer Protocol (FTP)

C. Post Office Protocol (POP3)

D. Simple Network Management Protocol (SNMP v3)

A. The magnitude of impact

B. Risk tolerance

C. The replacement cost of assets

D. The book value of assets

A. Security in storage and transmission of sensitive data

B. Provider's level of compliance with industry standards

C. Security technologies in place at the facility

D. Results of the latest independent security review

A. It reduces threat.

B. It reduces criticality.

C. It reduces sensitivity.

D. It reduces exposure.

A. Formal training

B. Mentoring

C. On-the-job training

D. Induction

A. assess the impact of the loss and determine mitigating steps.

B. communicate the best practices in protecting laptops to all laptop users.

C. instruct the erring employees to pay a penalty for the lost laptops.

D. recommend that management report the incident to the police and file for insurance.