A security strategy is important for an organization PRIMARILY because it:
provides a basis for determining the best logical security architecture for the organization
provides management intent and direction for security activities
provides users guidance on how to operate securely in everyday tasks
helps IT auditors ensure compliance
The MOST important reason to make sure there is good communication about security throughout the organization is:
to make security more palatable to resistant employees
because people are the biggest security risk
to inform business units about security strategy
to conform to regulations requiring all employees are informed about security
The regulatory environment for most organizations mandates a variety of security-related activities. It is MOST important that the information security manager:
rely on corporate counsel to advise which regulations are relevant
stay current with all relevant regulations and request legal interpretation
involve all impacted departments and treat regulations as just another risk
ignore many of the regulations that have no teeth
The MOST important consideration in developing security policies is that:
they are based on a threat profile
they are complete and no detail is left out
management signs off on them
all employees read and understand them
The PRIMARY security objective in creating good procedures is:
to make sure they work as intended
that they are unambiguous and meet the standards
that they be written in plain language
that compliance can be monitored
The assignment of roles and responsibilities will be MOST effective if:
there is senior management support
the assignments are consistent with proficiencies
roles are mapped to required competencies
responsibilities are undertaken on a voluntary basis
The PRIMARY benefit organizations derive from effective information security governance is:
ensuring appropriate regulatory compliance
ensuring acceptable levels of disruption
prioritizing allocation of remedial resources
maximizing return on security investments
From an information security manager’s perspective, the MOST important factors regarding data retention are:
business and regulatory requirements
document integrity and destruction
media availability and storage
data confidentiality and encryption
Which role is in the BEST position to review and confirm the appropriateness of a user access list?
data owner
information security manager
domain administrator
business manager
In implementing information security governance, the information security manager is PRIMARILY responsible for:
developing the security strategy
reviewing the security strategy
communicating the security strategy
approving the security strategy
The overall objective of risk management is to:
eliminate all vulnerabilities, if possible
determine the best way to transfer risk
reduce risks to an acceptable level
implement effective countermeasures
The statement "risk = value x vulnerability x threat" indicates that:
risk can be quantified using annual loss expectancy (ALE)
approximate risk can be estimated, provided probability is computed
the level of risk is greater when more threats meet more vulnerabilities
without knowing value, risk cannot be calculated
To address changes in risk, an effective risk management program should:
ensure that continuous monitoring processes are in place
establish proper security baselines for all information resources
implement a complete data classification process
change security policies on a timely basis to address changing risks
Information classification is important to properly manage risk PRIMARILY because:
it ensures accountability for information resources as required by roles and responsibilities
it is a legal requirement under various regulations
there is no other way to meet the requirements for availability, integrity and auditability
it is used to identify the sensitivity and criticality of information to the organization
Vulnerabilities discovered during an assessment should be:
handled as a risk, even though there is no threat
prioritized for remediation solely based on impact
a basis for analyzing the effectiveness of controls
evaluated for threat and impact in addition to cost of mitigation
Indemnity (compensation for damages) agreements can be used to:
ensure an agreed-upon level of service
reduce impacts on critical resources
transfer responsibility to a third party
provide an effective countermeasure to threats
Residual risks can be determined by:
determining remaining vulnerabilities after countermeasures are in place
a threat analysis
a risk assessment
transferring all risks
Data owners are PRIMARILY responsible for creating risk mitigation strategies to address which of the following areas?
platform security
entitlement changes
intrusion detection
antivirus controls
A risk analysis should:
limit the scope to a benchmark of similar companies
assume an equal degree of protection for all assets
address the potential size and likelihood of loss
give more weight to the likelihood vs. the size of the loss
Which of the following is BEST for preventing an external attack?
static IP addresses
network address translation
background checks for temporary employees
writing computer logs to removable media
Who is in the BEST position to develop the priorities and identify what risks and impacts would occur if there were a loss or corruption of the organization's information resources?
internal auditors
security management
business process owners
external regulatory agencies
The MOST important single concept for an information security architect to keep in mind is:
plan-do-check-act
confidentiality, integrity, availability
prevention, detection, correction
tone at the top
Which of the following is the BEST method of limiting the impact of vulnerabilities inherent to wireless networks?
require private, key-based encryption to connect to the wireless network
enable auditing on every host that connects to a wireless network
require that every host that connects to this network has a well-tested recovery plan
enable auditing on every connection to the wireless network
In an environment that practices defense in depth, an Internet application that requires a login for a user to access it would also require which of the following additional controls?
user authentication
user audit trails
network load balancing
network authentication
If an information security manager has responsibility for application security review, which of the following additional responsibilities present a conflict of interest in performing the review?
operating system recovery
application administration
network change control
host based intrusion detection
Which of the following BEST promotes accountability?
compliance monitoring
awareness training
secure implementation
documented policy
Which of the following completes the sentence MOST accurately? Vulnerabilities combined with threats:
always result in damage
require controls to avoid damage
allow exploits that may cause damage
always result in exploits
In which stage of the systems development life cycle (SDLC) should the information security manager create a list of security issues presented by the functional description of a newly planned system?
feasibility
requirements
design
development
What is the FIRST step in designing a secure client/server environment?
identify all data access points
establish operating system security on all platforms
require hard passwords
place a firewall between the server and clients
What BEST represents the hierarchy of access control strength, from weakest to strongest?
what you have, what you are, what you know
what you know, what you have, what you are
what you are, what you have, what you know
what you are, what you know, what you have
Information Security Program