Which of the following is the most important in developing security policies?

Cism

by wnisiewi, Nov. 2013

Subjects: it

193 Cards in this Set

Q 1. Which of the following is characteristic of centralized information security management?
A. More expensive to administer
B. Better adherence to policies
C. More aligned with business unit needs
D. Faster turnaround of requests

A 1. B: Centralization of information security management results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However, turnaround can be slower due to the lack of alignment with business units.

Q 2. Which of the following is MOST appropriate for inclusion in an information security strategy?

A. Business controls designated as key controls
B. Security processes, methods, tools and techniques
C. Firewall rule sets, network defaults and intrusion detection system (IDS) settings
D. Budget estimates to acquire specific security tools

A 2. B: A set of security objectives, processes, methods, tools and techniques together constitute a security strategy. Although IT and business governance are intertwined, business controls may not be included in a security strategy. Budgets will generally not be included in an information security strategy. Additionally, until an information security strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available. Firewall rule sets, network defaults and intrusion detection system (IDS) settings are technical details subject to periodic change, and are not appropriate content for a strategy document.

Q 3. Security technologies should be selected PRIMARILY on the basis of their:

A. ability to mitigate business risks.
B. evaluations in trade publications.
C. use of new and emerging technologies.
D. benefits in comparison to their costs.

A 3. A: The most fundamental evaluation criterion for the appropriate selection of any security technology is its ability to reduce or eliminate business risks. Investments in security technologies should be based on their overall value in relation to their cost; the value can be demonstrated in terms of risk mitigation. This should take precedence over whether they use new or exotic technologies or how they are evaluated in trade publications.

Q 4. Which of the following is the MOST important step before implementing
A. Communicating to employees
B. Training IT staff
C. Identifying relevant technologies for automation
D. Obtaining sign-off from stakeholders

A 4. C: Sign-off must be obtained from all stakeholders since that would signify formal acceptance of all the policy objectives and expectations of the business along with all residual risks. Only after sign-off is obtained can the other mentioned activities begin.

Q 30. Business objectives should be evident in the security strategy by:

A. inferred connections.
B. standardized controls.
C. managed constraints.
D. direct traceability

A 30. The security strategy will be most useful if there is a direct traceable connection with business objectives. Inferred connections to business objectives are not as good as traceable connections. Standardized controls may or may not be relevant to a particular business objective. Addressing and managing constraints alone is not as useful as also defining explicit benefits.

Q 31. A systems approach to managing information security can be a benefit PRIMARILY because it is:

A. able to provide a more integrated, holistic program.
B. an essential aspect of developing a security strategy.
C. a requirement for industry (ISO) certification.
D. a necessary component of organization governance.

A 31. A: A holistic model based on a systems approach can help clarify complex relationships and their interdependencies within an organization, and thus provide a more effective integration of people, processes and technology. While a systems approach is useful for developing a security strategy and for understanding the relationship between people, processes and technology, a systems approach is not essential nor is it a requirement for industry (ISO) certification.

Q 32. Which of the following is MOST likely to remain constant over time? An information security:

A. policy
B. standard
C. strategy
D. procedure

A 32. C: An information security strategy is a reflection of high-level objectives and the direction of the security program, as dictated by business leadership. All information security policies, standards and procedures are derived from the information security strategy.

Q 59. Which of the following should be determined while defining risk management strategies?
A. Risk assessment criteria
B. Organizational objectives and risk appetite
C. IT architecture complexity
D. Enterprise disaster recovery plans

A 59. When defining risk management strategies, one needs to analyze the organization's objectives and risk appetite and define a risk management framework based on this analysis. Some organizations may accept known risks, while others may invest in and apply mitigation controls to reduce risks. Risk assessment criteria would become part of this framework, but only after proper analysis. IT architecture complexity and enterprise disaster recovery plans are more directly related to assessing risks than defining strategies.

SS1-1 Which of the following is the GREATEST security concern when an incident log is stored on the production database server?
A. Log information may be lost when the database server crashes.
B. The database administrator may tamper with the log information.
C. The capacity to handle large transactions may be compromised.
D. Sensitive information may inadvertently be written to the log file.

B. There is a chance that fraud can be committed because the administrator can manipulate the database server. The administrator may alter database transactions and then erase the log. It is best that the log be managed in a separate environment from the production database.

SS1-2 Which of the following will require the MOST effort when supporting an operational information security program?
A. Reviewing and modifying procedures
B. Modifying policies to address changing technologies
C. Writing additional policies to address new regulations
D. Drafting standards to address regional differences

A. When an information security program is operational, few changes to policies or standards will be needed. Procedures, however, are designed at a more granular level and will require reasonably frequent modification. Because procedures are more detailed and can be technology specific, there are generally far more procedures than standards or policies. Consequently, review and modification of procedures will consume the majority of effort.

SS1-3 A newly hired information security manager notes that existing information security practices and procedures appear ad hoc. Based on this observation, the next action should be to:
A. assess the commitment of senior management to the program.
B. assess the maturity level of the organization.
C. review the corporate standards.
D. review corporate risk management practices.

C. The absence of current, effective standards is a concern that must be addressed promptly.

SS1-4 Compliance with security policies and standards is the responsibility of:
A. the information security manager.
B. executive management.
C. the compliance officer.
D. all organizational units.

D. Compliance responsibilities are usually shared across organizational units and the results shared with executive management and the board of directors audit or compliance committee.

SS1-5 Which of the following is a risk that would MOST likely be overlooked by an information security review during an onsite inspection of an offshore provider?
A. Cultural differences
B. Technical skills
C. Defense in depth
D. Adequate policies

A. Individuals in different cultures often have a different perspective on what information is considered sensitive or confidential and how it should be handled that may not be consistent with the organization's requirements. Cultural norms are not usually an area of consideration in a security review or during an onsite inspection.

SS1-6 Which of the following is the MOST important component of information security governance?
A. Appropriate monitoring and metrics
B. An established strategy for moving forward
C. An information security steering committee
D. Senior management involvement

D. Senior management must champion the process and act as information security spokespersons to create an effective information security governance framework.

SS1-7 Which of the following is the MOST important outcome of an information security strategy?
A. Consistent policies and standards
B. Ensuring that residual risk is at an acceptable level
C. An improvement in the threat landscape
D. Controls consistent with international standards

B. Residual risk is the remaining risk after management has implemented a risk response. An important objective of a security strategy is to implement cost-effective controls that ensure that residual risk remains within the organization's risk tolerance levels.

SS1-8 Obtaining senior management support for an information security initiative can BEST be accomplished by:
A. developing and presenting a business case.
B. defining the risk that will be addressed.
C. presenting a financial analysis of benefits.
D. aligning the initiative with organizational objectives.

A. A business case is inclusive of the other options and specifically addresses each of them.

SS1-9 The PRIMARY focus of information security governance is to:
A. adequately protect the information and knowledge base of the organization.
B. provide assurance to senior management that the security posture is adequate.
C. safeguard the IT systems that store and process business information.
D. optimize the information security strategy to achieve business objectives.

D. Governance ensures that business objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans.

SS1-10 The MOST important basis for developing a business case is the:
A. risk that will be addressed.
B. financial analysis of benefits.
C. alignment with organizational objectives.
D. feasibility and value proposition.

D. The feasibility and value proposition are the primary factors in determining whether a project will proceed.

SS1-11 Which of the following is the MOST important consideration when developing an information security strategy?
A. Supporting business objectives
B. Maximizing the effectiveness of available resources
C. Ensuring that legal and regulatory constraints are addressed
D. Determining the effect on the organizational roles and responsibilities

A. The overall objective of an information security strategy is to support business objectives and activities and minimize disruptions.

SS1-12 The MOST important outcome of aligning information security governance with corporate governance is to:
A. show that information security understands the rules.
B. provide regulatory compliance.
C. maximize the cost-effectiveness of controls.
D. minimize the number of rules and regulations required.

C. Corporate governance includes a structure and rules that in most cases are related to managing various types of risk. A lack of alignment can result in potentially duplicate or contradictory controls, which negatively impacts cost-effectiveness.

SS1-16 Which of the following is the MOST cost-effective approach to achieve strategic alignment?
A. Periodically survey management
B. Implement a governance framework
C. Ensure that controls meet objectives
D. Develop an enterprise architecture

A. Achieving and maintaining strategic alignment means that business process owners and managers believe that security is effectively supporting their organizational activities. This can most easily and inexpensively be determined by periodic surveys which will also indicate improvement or degradation over time.

SS1-17 Which of the following is PRIMARILY related to the emergence of governance, risk and compliance (GRC)?
A. The increasing need for general security controls
B. The policy development process
C. The integration of assurance-related activities
D. A model for security program development

C. GRC is a process to integrate multiple disparate but related activities to improve effectiveness, reduce or eliminate conflicting approaches, and reduce costs.

SS1-18 Which of the following is MOST likely to be responsible for establishing the security requirements over an application?
A. Security steering committee
B. Data owner
C. System owner
D. IS auditor

B. Data owners determine the level of controls deemed necessary to secure data and the applications that store or process the data.

SS1-19 Which of the following BEST supports continuous improvement of the risk management process?
A. Regular review of risk treatment options
B. Classification of assets in order of criticality
C. Adoption of a maturity model
D. Integration of assurance functions

C. A maturity model such as the capability maturity model (CMM) can be used to classify an organization as initial, repeatable, defined, managed or optimized. As a result, an organization can easily know where it falls and then start working to reach the optimized state.

SS1-20 Which of the following is MOST important in the development of information security policies?
A. Adopting an established framework
B. Using modular design for easier maintenance
C. Using prevailing industry standards
D. Gathering stakeholder requirements

D. An information security policy must be holistic. It is not just a technical document requiring input mainly from security professionals. Business and other units need to contribute to its development and maintenance.

SS1-21 An organization has recently developed and approved an access control policy. Which of the following will be MOST effective in communicating the access control policy to the employees?
A. Requiring employees to formally acknowledge receipt of the policy
B. Integrating security requirements into job descriptions
C. Making the policy available on the intranet
D. Implementing an annual retreat for employees on information security

A. Requiring employees to formally acknowledge receipt of the policy does not guarantee that the policy has been read or understood, but creates employee attestation. Each communication should identify a point of contact (POC) for follow-up questions.

SS1-22 Which of the following is the MOST important step in developing a cost-effective information security strategy that is aligned with business requirements?
A. Identification of information assets and resource ownership
B. Valuation of information assets
C. Determination of clearly defined objectives
D. Classification of assets as to criticality and sensitivity

C. Determining the objectives of information security provides the desired outcome of the program, which is a charter for developing a meaningful strategy.

SS1-23 Which of the following BEST protects confidentiality of information?
A. Information classification
B. Segregation of duties
C. Least privilege
D. Systems monitoring

C. Restricting access to information to those who need to have access is the most effective means of protecting confidentiality.

SS1-24 Systems thinking as it relates to information security is:
A. a prescriptive methodology for designing the systems architecture.
B. an understanding that the whole is greater than the sum of its parts.
C. a process that ensures alignment with business objectives.
D. a framework for information security governance.

B. A systems approach for developing information security includes the understanding that the whole is more than the sum of its parts and changes in any one part affect the rest.

SS2-1 The PRIMARY objective of a vulnerability assessment program is to:
A. reduce risk to the business.
B. ensure compliance with security policies.
C. provide assurance to management.
D. measure efficiency of services provided.

C. A vulnerability assessment identifies vulnerabilities so that they may be considered for mitigation. By giving management a complete picture of the vulnerabilities that exist, a vulnerability assessment program allows management to prioritize those vulnerabilities deemed to pose the greatest risk.

SS2-2 An organization's IT change management process requires that all change requests be approved by the asset owner and the information security manager. The PRIMARY objective of getting the information security manager's approval is to ensure that:
A. changes comply with security policy.
B. risk from proposed changes is managed.
C. rollback to a current status has been considered.
D. changes are initiated by business managers.

B. Changes in the IT infrastructure may have an impact on existing risk. An information security manager must ensure that the proposed changes do not adversely affect the security posture.

SS2-3 An information security manager observed a high degree of noncompliance for a specific control. The business manager explained that noncompliance is necessary for operational efficiency. The information security manager should:
A. evaluate the risk due to noncompliance and suggest an alternate control.
B. ignore the issue of operational efficiency and insist on compliance for the control.
C. change the security policies to reduce the amount of noncompliance risk.
D. conduct an awareness session for the business manager to emphasize compliance.

A. The information security manager must consider the business requirements of the control and assess the risk of noncompliance.

SS2-4 The information security policies of an organization require that all confidential information must be encrypted while communicating to external entities. A regulatory agency insisted that a compliance report must be sent without encryption. The information security manager should:
A. extend the information security awareness program to include employees of the regulatory authority.
B. send the report without encryption on the authority of the regulatory agency.
C. initiate an exception process for sending the report without encryption.
D. refuse to send the report without encryption.

C. The information security manager should first assess the risk in sending the report to the regulatory authority without encryption. The information security manager can consider alternate communication channels that will address the risk and provide for the exception.

SS2-5 Which of the following is the MOST cost-effective approach to test the security of a legacy application?
A. Identify a similar application and refer to its security weaknesses.
B. Recompile the application using the latest library and review the error codes.
C. Employ reverse engineering techniques to derive functionalities.
D. Conduct a vulnerability assessment to detect application weaknesses.

D. Identifying vulnerabilities will allow an organization to determine what compensating controls may be needed to continue operating a legacy application where replacement is not an option. Vulnerability assessments are not necessarily comprehensive in all cases, but they are generally effective when planned properly.

SS2-6 An information security manager's MOST effective efforts to manage the inherent risk related to a third-party service provider will be the result of:
A. limiting organizational exposure.
B. a risk assessment and analysis.
C. strong service level agreements (SLAs).
D. independent audits of third parties.

A. It is likely to be more effective to control the organization's vulnerabilities to third-party risk than to control the third party's actions.

SS2-7 The BEST process for assessing an existing risk level is a(n):
A. impact analysis.
B. security review.
C. vulnerability assessment.
D. threat analysis.

B. A security review is used to determine the current state of security for various program components.

SS2-8 Which of the following is the BEST approach to deal with inadequate funding of the information security program?
A. Eliminate low-priority security services.
B. Require management to accept the increased risk.
C. Use third-party providers for low-risk activities.
D. Reduce monitoring and compliance enforcement activities.

C. Outsourcing of some information security activities can cut costs and increase resources for other security activities in a proactive manner, as can automation of some security procedures.

SS2-9 A cost-benefit analysis is performed on any proposed control to:
A. define budget limitations.
B. demonstrate due diligence to the budget committee.
C. verify that the cost of implementing the control is within the security budget.
D. demonstrate the costs are justified by the reduction in risk.

D. Senior management can weigh the cost of the risk against the cost of the control and show that the control will reduce that risk by some measure.

SS2-10 Which of the following BEST describes the key objective of an information security program?
A. Protect information assets using manual and automated controls.
B. Achieve strategic business goals and objectives.
C. Automate information security controls.
D. Eliminate threats to the organization.

A. An information security program primarily focuses on protecting information assets using manual and automated controls.

SS2-11 Addressing risk scenarios at various information system life cycle stages is PRIMARILY a function of:
A. change management.
B. release management.
C. incident management.
D. configuration management.

A. Change management is the overall process to assess and control risk scenarios introduced by changes.

SS2-12 The PRIMARY objective of asset classification is to:
A. maximize resource management.
B. comply with IT policy.
C. define information architecture.
D. determine protection level.

D. Classification allows the appropriate protection level to be assigned to the asset.

SS2-13 A control for protecting an information technology (IT) asset, such as a laptop computer, is BEST selected if the cost of the control is less than the:
A. cost of the asset.
B. impact on the business if the asset is lost or stolen.
C. available budget.
D. net present value (NPV).

B. Controls are selected based on their impact on the business due to the non-availability of the asset rather than on the cost of the asset or the available budget.

SS2-14 The value of tangible assets can be BEST determined by which of the following?
A. The market value minus the book value
B. The book value minus the market value
C. Adding the totals of the asset classification
D. A business impact assessment and analysis

A. The value of tangible assets, such as inventory, is defined as the market value minus the book value.

SS2-15 The information security manager should treat regulatory compliance requirements as:
A. an organizational mandate.
B. a risk management priority.
C. a purely operational issue.
D. just another risk.

D. Many regulations exist that must be considered. Priority should be given to those with the greatest impact, just as other risk is considered with priority given to feasibility, level of enforcement, possible sanctions and costs of compliance.

SS2-16 Management decided that the organization will not achieve compliance with a recently issued set of regulations. Which of the following is the MOST likely reason for the decision?
A. The regulations are ambiguous and difficult to interpret.
B. Management has a low level of risk tolerance.
C. The cost of compliance exceeds the cost of possible sanctions.
D. The regulations are inconsistent with the organizational strategy.

C. Management may decide it is less expensive to deal with possible sanctions than to attempt to be in compliance.

SS2-17 Asset classification should be MOSTLY based on:
A. business value.
B. book value.
C. replacement cost.
D. initial cost.

A. Classification should be based on the value of the asset to the business, generally in terms of revenue production or potential impact on loss or disclosure of sensitive information.

SS2-18 Control baselines are MOST directly related to the:
A. organization's risk appetite.
B. external threat landscape.
C. effectiveness of mitigation options.
D. vulnerability assessment.

A. Control baselines are designed to mitigate risk and will depend on the organization's risk appetite.

SS2-19 The MOST likely reason that management would choose not to mitigate a risk that exceeds the risk appetite is that it:
A. is the residual risk after controls are applied.
B. is a risk that is expensive to mitigate.
C. falls within the risk tolerance level.
D. is a risk of relatively low frequency.

C. Risk tolerance is the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives.

SS2-20 Which of the following is the BEST indicator of the level of acceptable risk in an organization?
A. The proportion of identified risk that has been remediated
B. The ratio of business insurance coverage to its cost
C. The percentage of the IT budget allocated to security
D. The percentage of assets that has been classified

B. The amount of business insurance coverage carried and the cost provide a directly quantifiable indication of the level of risk the organization will accept and at what cost.

SS2-21 The aspect of governance that is MOST relevant to setting security baselines is:
A. policies.
B. acceptable risk.
C. impacts.
D. standards.

D. Standards taken together define the lowest limits of security, thereby defining the baseline.

SS2-22 Which of the following is the FIRST action to be taken when the information security manager notes that the controls for a critical application are inadequate?
A. Perform a risk assessment to determine the level of exposure.
B. Classify the risk as acceptable to senior management.
C. Deploy additional countermeasures immediately.
D. Transfer the remaining risk to another organization.

A. It is most important to perform a risk assessment to determine the exposure if additional controls are not deployed.

SS2-23 When assessing the maturity of the risk management process, which of the following findings raises the GREATEST concern?
A. Organizational processes are not adequately documented.
B. Multiple frameworks are used to define the desired state.
C. Required security objectives are not well defined.
D. The desired state is not based on the business objectives.

D. Risk management is about the business. Defining a desired state without consideration of business objectives implies that the stated desired outcome may not be effective, even if attained.
CISM Review

SS2-24 Which of the following is the GREATEST concern for an organization in which there is a widespread use of mobile devices?
A. There is an undue reliance on public networks.
B. Batteries require constant recharges.
C. There is a lack of operating system standardization.
D. Mobile devices can be easily lost or stolen.

D. Because of their size, mobile devices can be easily lost or stolen and sensitive information disclosed.

SS2-25 Due to limited storage media, an IT operations employee has requested permission to overwrite data stored on a magnetic tape. The decision of the authorizing manager will MOST likely be influenced by the data:
A. classification policy.
B. retention policy.
C. creation policy.
D. leakage protection.

B. The data retention policy will specify the time that must lapse before data can be overwritten or deleted.

SS2-26 Which of the following BEST assists the information security manager in identifying new threats to information security?
A. Performing more frequent reviews of the organization's risk factors
B. Developing more realistic information security risk scenarios
C. Understanding the flow and classification of information used by the organization
D. A process to monitor post incident review reports prepared by IT staff

C. Understanding the business objectives of the organization and how data are to be used by the business assists management in assessing whether an information security event should be considered as a new information security threat.

SS2-27 The effectiveness of segregation of duties may be MOST seriously compromised when:
A. user IDs of terminated staff remain active in application systems.
B. access privileges are accumulated based on previous job functions.
C. application role-based access deviates from the organizational hierarchies.
D. role mining tools are used in the access privilege review.

B. When changing user roles are not adequately managed, access privileges may cross the boundary of segregation of duties. This often happens when a user's role changes as part of a promotion or transfer and they are assigned new system privileges to fulfill the new role, and the privileges of their old role are not removed.

SS2-28 Which of the following is MOST important to achieve proportionality in the protection of enterprise information systems?
A. Asset classification
B. Risk assessment
C. Security architecture
D. Configuration management

A. Asset classification is based on the criticality and sensitivity of information assets with the goal of providing the appropriate, and therefore proportional, degree of protection.

SS2-29 From an information security perspective, which of the following poses the MOST important impact concern in a homogenous network?
A. Increased uncertainty
B. Single points of failure
C. Cascading risk
D. Aggregated risk

D. A homogenous network of the same devices is subject to compromise from a common threat vector that, while possibly acceptable in a single device, can create an unacceptable or catastrophic impact in the aggregate (collectively).

SS2-30 Highly integrated enterprise IT systems pose a challenge to the information security manager when attempting to set security baselines PRIMARILY from the perspective of:
A. increased difficulty in problem management.
B. added complexity in incident management.
C. determining the impact of cascading risk.
D. less flexibility in setting service delivery objectives.

C. Highly integrated systems are more susceptible to cascading risk, where the failure or compromise of any one element has the possibility of causing a domino effect of failures.

SS2-31 Which of the following is the MOST important prerequisite to undertaking asset classification?
A. Threat analysis
B. Impact assessment
C. Controls evaluation
D. Penetration testing

B. Impact assessments are needed to determine criticality and sensitivity, which is the basis for the classification level.

SS2-32 Measuring risk in quantitative terms:
A. is a superior, but more difficult, approach.
B. is a more accurate measurement method.
C. improves control implementation.
D. is inherently subjective.

D. Even when quantitative methods are used, the choice of approach and interpretation of the measurement is subjective.

SS2-33 An appropriate risk treatment method is:
A. the method that minimizes risk to the greatest extent.
B. based on the organization's risk tolerance.
C. an efficient approach to achieve control objectives.
D. the method that maximizes risk mitigation.

C. Control objectives will have been determined based on acceptable risk, and the least costly or most efficient approach to achieve them will be the most appropriate.

SS3-1 The FIRST consideration when developing information security metrics is whether they:
A. are meaningful to the recipient.
B. are reliable and accurate.
C. impact productivity.
D. are scalable and cost-effective.

A. Information provided by metrics that are not meaningful to the recipient are of little value.

SS3-2 The reason that a certificate authority (CA) is needed in a public key infrastructure (PKI) is to:
A. provide proof of the integrity of data.
B. prevent the denial of specific transactions.
C. attest to the validity of a user's public key.
D. store a user's private key.

C. The CA is a trusted third party that attests to the authenticity of a user's public key by digitally signing it with the CA's private key.

SS3-3 A physical control that fails secure:
A. is an example of effective risk management.
B. can pose an unacceptable safety risk in emergencies.
C. should generally be deployed in secure data centers.
D. is an example of a strong mandatory access control (MAC).

B. Physical controls, such as electrically actuated door locks that lock during a power outage or other failure, can pose an unacceptable safety risk to personnel in case of fire or other event.

SS3-4 A mandatory access control (MAC) should be used:
A. in organizations that have a high risk tolerance.
B. when delegation of rights is contrary to policy.
C. when the control policy specifies continuous oversight.
D. when access is permitted, unless explicitly denied.

B. With MAC, the security policy is centrally controlled by a security policy administrator, and users do not have the ability to delegate rights.

SS3-5 In which phase of system development should security risk first be assessed?
A. When developing the business case
B. During the system design phase
C. As part of the requirements phase
D. As part of user acceptance testing (UAT)

A. Security must be considered when developing the initial business case because it will impact the feasibility of the project, its costs, design requirements, etc.

SS3-6 The BEST evidence of a mature information security program is:
A. a comprehensive risk assessment and analysis.
B. the development of a physical security architecture.
C. completion of a controls statement of applicability.
D. an effective information security strategy.

D. The process of developing information security governance structures, achieving organizational adoption and developing a strategy to implement will define the scope and responsibilities of the security program.

SS3-7 The IT department has been tasked with developing a new transaction processing system for online account management. At which stage should the information security department become involved?
A. Feasibility
B. Requirements
C. Design
D. User acceptance testing (UAT)

A. Involve the security department as early as possible. Security considerations will affect feasibility. Security that is added later in the process often is not nearly as effective as security that is considered from end to end.

SS3-8 Which of the following activities will MOST effectively foster effective security behavior?
A. Implementing a security awareness program
B. Rewarding compliance with security policies and guidelines
C. Implementing a discipline and reward system
D. Implementing a whistle-blower hotline

C. The success of incentivizing people to achieve desired behavior depends to a great extent on the adequacy of the chosen incentives for the cultural background. Positive incentives work within certain cultures whereas negative incentives are effective in other cultures. In order to achieve a positive security culture and behavior, it is necessary to consider differences in the cultural background of the individual employees and to adjust the incentives accordingly.

SS3-9 The MAIN objective of integrating the information security process into the system development life cycle (SDLC) is that it:
A. ensures audit compliance.
B. ensures that appropriate controls are implemented.
C. delineates roles and responsibilities.
D. establishes the foundation for development or acquisition.

B. Establishing information security processes at the front end of any development project ensures that the appropriate security controls are implemented based on the review and assessment completed by security staff.

SS3-10 Which of the following is the MAIN reason for implementing a corporate information security education and awareness program?
A. To achieve commitment from the board and senior management
B. To assign roles and responsibility for information security
C. To establish a culture that is conducive to effective security
D. To meet information security policy and regulatory requirements

C. Education, training and awareness help in the dissemination of information on the necessity of information security and in building a conducive environment for secure and reliable business operations.

SS3-11 Which of the following is the MOST appropriate description of an organization's information security baseline? Information security baselines:
A. are the minimum acceptable protection level provided to information assets.
B. are independent of the sensitivity and criticality of technology assets.
C. express a widely accepted global standard for information security.
D. are a set of procedures to be executed while deploying information technology.

A. Organizations develop information security baselines to define the minimum level of protection to be provided to information assets.

SS3-12 Monitoring the information security program primarily ensures that:
A. the security strategy is aligned with the business strategy.
B. information security objectives are achieved.
C. resources are performing efficiently.
D. accepted risk is monitored effectively.

B. The primary objective of the monitoring process is to ensure that information security objectives, as defined by the security strategy and policies, are achieved and that corrective action is taken if gaps are observed.

SS3-13 An information security manager should have a sound understanding of information technology PRIMARILY to:
A. prevent IT personnel from misleading the information security manager.
B. implement supplemental information security technologies.
C. understand requirements of a conceptual information security architecture.
D. understand the IT issues related to achieving adequate information security.

D. The information security manager must understand information technology in enough depth to make informed decisions about technologies and the risk that must be addressed.

SS3-14 A PRIMARY objective of conducting information security awareness training for all users is to:
A. help management in changing the organization's culture.
B. achieve acceptable compliance with the security policy.
C. build a common understanding of information security.
D. establish communication between management and staff.

C. Security awareness training helps in building a common understanding about information security across the organization, including among the management and staff.

SS3-15 The BEST way to prevent phishing attacks is with:
A. current antivirus definitions.
B. email filtering.
C. an intrusion detection system (IDS).
D. security awareness training.

D. How users respond to phishing attempts determines whether the attacks succeed. Security awareness is the best way to reduce the risk of phishing attacks being successful.

SS3-16 The PRIMARY goal of developing an information security program is to:
A. implement the strategy.
B. optimize resources.
C. deliver on metrics.
D. achieve assurance.

A. The development of an information security program is usually seen as a manifestation of the information security strategy. Thus, the goal of developing the information security program is to implement the strategy.

SS3-17 Achieving effective information security management is MOST often affected by:
A. an adequate budget.
B. senior level authority.
C. a robust technology.
D. effective business relationships.

D. Support for information security from senior managers is essential for an effective security program. This requires developing good relationships throughout the organization and particularly with influential managers.

SS3-18 When should a request for proposal (RFP) be issued?
A. At the project feasibility stage
B. Upon management project approval
C. Prior to developing a project budget
D. When developing the business case

C. Development of a project budget depends on the responses to an RFP.

SS3-19 Which of the following is the MOST effective method for ensuring that outsourced operations comply with the company's information security posture?
A. The vendor is provided with audit documentation.
B. A comprehensive contract is written with service level metrics and penalties.
C. Periodic onsite visits are made to the vendor's site.
D. An onsite audit and compliance review is performed.

D. The vendor is an extension of the company's computing capabilities and should conform to the company's existing information security requirements.

SS3-20 When providing encryption keys to a large number of individuals, the public key infrastructure (PKI) model is preferred PRIMARILY because it:
A. is computationally more efficient.
B. is more scalable than a symmetric key.
C. is less costly to maintain than a symmetric key approach.
D. provides greater encryption strength than a secret key model.

B. Symmetric or secret key encryption requires a key for each pair of individuals who wish to have confidential communication, resulting in an exponential increase in the number of keys, intractable key distribution and storage problems. This makes PKI more appealing from a scalability point of view.

SS3-21 Information on regulatory and legal compliance requirements that has an effect on information security is MOST likely to come from the:
A. corporate legal officer.
B. enterprise risk manager.
C. compliance officer.
D. affected departments.

D. Information on new and changing regulatory and legal requirements and their impacts is typically provided by affected departments, such as finance or IT.

SS3-22 Serious security incidents typically lead to renewed focus by management on information security that then usually fades over time. To BEST utilize this renewed focus, the information security manager should make the case to:
A. improve the integration of business and information security processes.
B. increase information security budgets and staffing levels.
C. develop tighter controls and stronger compliance efforts.
D. acquire better supplemental technical security controls.

A. Close integration of information security governance with overall enterprise governance is likely to provide better long-term information security by institutionalizing activities and increasing visibility in all organizational activities.

SS3-23 Which of the following factors will MOST affect the extent to which controls should be layered?
A. The degree of homogeneity
B. The impact on productivity
C. The maintenance cost of controls
D. Controls that fail closed

A. The degree of homogeneity in existing controls must be addressed by adding or modifying controls to manage the aggregate risk of total control failure. A high degree of homogeneity is less secure because it is susceptible to the same threat.

SS3-24 A certificate authority (CA) is required for a public key infrastructure (PKI):
A. in cases in which confidentiality is an issue.
B. when challenge/response authentication is used.
C. except where users attest to each other's identity.
D. in role-based access control (RBAC) deployments.

C. The role of the CA is not needed in implementations such as those classified as having a pretty good privacy (PGP) program, in which the authenticity of the users' public keys is attested to by others in a "circle of trust."

SS3-25 When selecting a public cloud vendor to provide outsourced infrastructure and software, an organization's information security manager should:
A. insist on strict service level agreements (SLAs) to guarantee application availability.
B. verify that the vendor's security architecture meets the organization's requirements.
C. update the organization's security policies to reflect the vendor agreement.
D. consult a third party to provide an audit report to assess the vendor's security program.

B. Risk can never be transferred. When considering a cloud implementation, an information security manager must verify that a chosen vendor will meet the organization's security requirements; the manager cannot change the organization's requirements to match what the vendor can deliver. Managers should be aware that true verification of a vendor's security architecture may be difficult to obtain.

SS4-1 The purpose of incident management and response is to:
A. recover an activity interrupted by an emergency or disaster, within a defined time and cost.
B. perform a walk-through of the steps required to recover from an adverse event.
C. reduce business disruption insurance premiums for the business.
D. address disruptive events with the objective of controlling impacts within acceptable levels.

D. Incident management and response is a component of business continuity planning. As a "first response" to adverse events, the objective of incident management and response is to prevent incidents from becoming problems, and to prevent problems from becoming disasters.

SS4-2 For global organizations, which of the following is MOST essential to the continuity of operations in an emergency situation?
A. A documented succession plan
B. Distribution of key process documents
C. A reciprocal agreement with an alternate site
D. Strong senior management leadership

B. Many factors come into play during contingency situations, but continuity is possible only when personnel who are able to resume key processes have the knowledge of how to do so. When key process documentation is distributed to contingency locations, it is available for the use of any staff who report to these locations during contingencies, and so long as that documentation is up to date, it may be used even by those who may not typically be involved in performing those functions.

SS4-3 The PRIMARY objective of continuous monitoring is to:
A. minimize the magnitude of impact.
B. align the security program with IT goals.
C. identify critical information assets.
D. reduce the number of policy exceptions.

A. Continuous monitoring helps an organization identify adverse events in a timely manner. The reduced lag time to take steps to contain damage results in minimizing the impact.

SS4-4 Which of the following is the FIRST step in developing an incident response plan?
A. Set the minimum time required to respond to incidents.
B. Establish a process to report incidents to senior management.
C. Ensure the availability of skilled resources.
D. Categorize incidents based on likelihood and impact.

D. Incidents with higher likelihood and impact warrant more attention.

SS4-5 A security operations center detected an attempted structured query language (SQL) injection, but could not determine if it was successful. Which of the following resources should the information security manager approach to assess the possible impact?
A. Application support team
B. Business process owner
C. Network management team
D. System administrator

A. SQL injection is an application-based attack. Since the security operations center has detected an attempt of SQL injection and could not determine if it was successful, the information security manager should approach the application support group that has access to data in order to identify the impact.

SS4-6 Which of the following is the FIRST step after the intrusion detection system (IDS) sends out an alert about a possible attack?
A. Assess the type and severity of the attack.
B. Determine whether it is an actual incident.
C. Contain the damage to minimize the risk.
D. Minimize the disruption of computer resources.

B. An administrator conducting regular maintenance activities may trigger a false-positive alarm from the IDS. One must validate a real incident before taking any action.

SS4-7 After a service interruption of a critical system, the incident response team finds that it needs to activate the warm recovery site. Discovering that throughput is only half of the primary site, the team nevertheless notifies management that it has restored the critical system. This is MOST likely because it has achieved the:
A. recovery point objective (RPO).
B. recovery time objective (RTO).
C. service delivery objective (SDO).
D. maximum tolerable outage (MTO).

C. The SDO is the agreed-on level of service required to resume acceptable operations.

SS4-8 The MOST timely and effective approach to detecting nontechnical security violations in an organization is:
A. the development of organization wide communication channels.
B. periodic third-party auditing of incident reporting logs.
C. an automated policy compliance monitoring system.
D. deployment of suggestion boxes throughout the organization.

A. Timely reporting of all security-related activities provides the information needed to monitor and respond to information security governance issues. Effective communication channels also are important for disseminating security-related information to the organization.

SS4-9 The MOST important purpose of implementing an incident response plan is to:
A. prevent the occurrence of incidents.
B. ensure business continuity.
C. train users on resolution of incidents.
D. promote business resiliency.

D. Business resilience refers to the ability of the business to withstand disruption. An effective incident response plan minimizes the impact of an incident to the level that it ideally is transparent to end users and business partners.

SS4-10 Which of the following gives the MOST assurance of the effectiveness of an organization's disaster recovery plan (DRP)?
A. Checklist test
B. Tabletop exercise
C. Full interruption test
D. Simulation test

C. A full interruption test gives the organization the best assurance because it is the closest test to an actual disaster. It generally involves shutting down operations at the primary site and shifting them to the recovery site in accordance with the recovery plan; this is the most rigorous form of testing.

SS4-11 An information security manager has been notified that a server that is utilized within the entire organization has been breached. What is the FIRST step to take?
A. Inform management.
B. Notify users.
C. Isolate the server.
D. Verify the information.

D. Before any action is taken, the information security manager should verify that there has been a breach.

SS4-12 Which of the following is MOST likely to improve the effectiveness of the incident response team?
A. Briefing team members on the nature of new threats to IS security
B. Periodic testing and updates to incorporate lessons learned
C. Ensuring that all members have a good understanding of IS technology
D. A nonhierarchical structure to ensure that team members can share ideas

B. Periodic testing and updates to incorporate lessons learned will ensure that implementation of the incident management response plan is aligned and kept current with the business priorities set by business management.

SS4-13 Which of the following is the BEST way to confirm that disaster recovery planning is current?
A. Audits of the business process changes
B. Maintenance of the latest configurations
C. Regular testing of the disaster recovery plan (DRP)
D. Maintenance of the personnel contact list

C. When a DRP is properly tested, the results of the tests will reveal shortcomings and opportunities for improvement.

SS4-14 Which of the following activities MOST increases the probability that an organization will be able to resume operations after a disaster?
A. Restoration testing
B. Establishment of a "warm site"
C. Daily data backups
D. An incident response plan

A. A demonstrated ability to restore data is the best way to ensure that data can be restored after a disaster, and data drive the majority of business processes. If an organization is unable to restore its data, it will be of little value to have other considerations in place. On the other hand, if data can be restored, the organization can likely find work-arounds for other challenges that it may face.

SS4-15 Which of the following BEST contributes to the design of data restoration plans?
A. Transaction turnaround time
B. Mean time between failures (MTBF)
C. Service delivery objectives (SDOs)
D. The duration of the data restoration job

C. The SDO relates directly to the business needs; SDO is the level of services to be reached during the alternate process mode until the normal situation is restored.

SS4-16 Which of the following contributes MOST to incident response team efficiency?
A. Security policies and procedures
B. Defined roles and responsibilities
C. Digital forensic analysis skills
D. Reporting line structure

B. Incident response team members need to work in a disrupted environment; therefore, it is essential that they be clearly aware of roles and responsibility prior to engagement.

SS4-17 Which of the following needs to be MOST seriously considered when designing a risk-based incident response management program?
A. The chance of collusion among staff
B. Degradation of investigation quality
C. Minimization of false-positive alerts
D. Monitoring repeated low-risk events

D. A risk-based approach focuses on high-risk items. Those attempting to commit fraud may take advantage of its weaknesses. When risk-based monitoring is in place, there is a higher chance of overlooking low-risk activities. Even though the impact of a low-risk event is small, it may not be possible to ignore the accumulated damage from its repeated occurrence. Therefore, it also is essential to review the chance of the repeated occurrence of low-risk events.

SS4-18 What is the MOST appropriate IT incident response management approach for an organization that has outsourced its IT and incident management function?
A. A tested plan and a team to provide oversight
B. An individual to serve as the liaison between the parties
C. Clear notification and reporting channels
D. A periodic audit of the provider's capabilities

A. An approved and tested plan will provide assurance of the provider's ability to address incidents within an acceptable recovery time, and an internal team will provide oversight and liaison functions to ensure that the response is carried out according to plan.

Q 59. Which of the following should be determined while defining risk management strategies?
A. Risk assessment criteria
B. Organizational objectives and risk appetite
C. IT architecture complexity
D. Enterprise disaster recovery plans

A 59. When defining risk management strategies, one needs to analyze the organization's objectives and risk appetite and define a risk management framework based on this analysis. Some organizations may accept known risks, while others may invest in and apply mitigation controls to reduce risks. Risk assessment criteria would become part of this framework, but only after proper analysis. IT architecture complexity and enterprise disaster recovery plans are more directly related to assessing risks than defining strategies.

Q 60. When implementing effective security governance within the requirements of the company's security strategy, which of the following is the MOST important factor to consider?

A. Preserving the confidentiality of sensitive data
B. Establishing international security standards for data sharing
C. Adhering to corporate privacy standards
D. Establishing system manager responsibility for information security

A 60. A: The goal of information security is to protect the organization's information assets. International security standards are situational, depending upon the company and its business. Adhering to corporate privacy standards is important, but those standards must be appropriate and adequate and are not the most important factor to consider. All employees are responsible for information security, but it is not the most important factor to consider.

Q 61. Priority should be given to which of the following to ensure effective implementation of information security governance?

A. Consultation
B. Negotiation
C. Facilitation
D. Planning

A 61. D: Planning is the key to effective implementation of information security governance. Consultation, negotiation and facilitation come after planning.

Q 88. Which of the following is the MOST important step before implementing a security policy?

A. Communicating to employees
B. Training IT staff
C. Identifying relevant technologies for automation
D. Obtaining sign-off from stakeholders

A 88. D: Sign-off must be obtained from all stakeholders since that would signify formal acceptance of all the policy objectives and expectations of the business along with all residual risks. Only after sign-off is obtained can the other mentioned activities begin.

Q 89. When security policies are strictly enforced, the initial impact is that:

A. they may have to be modified more frequently.
B. they will be less subject to challenge.
C. the total cost of security is increased.
D. the need for compliance reviews is decreased.

A 89. C: When security policies are strictly enforced, more resources are initially required, thereby increasing the total cost of security. There would be less need for frequent modification. Challenges would be rare and the need for compliance reviews would not necessarily be less.

Q 90. When implementing regulatory compliance, the PRIMARY controls for defining senior management guidance and intent are:

A. guidelines.
B. standards.
C. policies.
D. procedures.

A 90. C: Policies are statements of intent, expectations and direction, and are owned by senior management. Policies regarding regulatory compliance set broad organizational definitions for compliance and indicate management's position on regulatory compliance. Guidelines are more granular than policies and they are not mandatory, so they are not typically used to represent high-level guidance.

Q 117. An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:
A. corporate data privacy policy.
B. data privacy policy where data are collected.
C. data privacy policy of the headquarters' country.
D. data privacy directive applicable globally

A 117. B: As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from the country in which the organization is headquartered, it is improbable that a groupwide policy will address all the local legal requirements. In case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. The data privacy laws are country-specific.

Q 118. A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
A. meet with stakeholders to decide how to comply.
B. analyze key risks in the compliance process.
C. assess whether existing controls meet the regulation.
D. update the existing security/privacy policy

A 118. C: If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap.

Q 119. When personal information is transmitted across networks, there MUST be adequate controls over:
A. change management.
B. privacy protection.
C. consent to data transfer.
D. encryption devices.

A 119. B: Privacy protection is necessary to ensure that the receiving party has the appropriate level of protection of personal data. Change management primarily protects only the information, not the privacy of the individuals. Consent is one of the protections that is frequently, but not always, required. Encryption is a method of achieving the actual control, but controls over the encryption devices alone may not ensure adequate privacy protection and are, therefore, only a partial answer.

Q 146. The BEST way to obtain senior management commitment and support for information security investments is to:
A. link security risk to organization business objectives.
B. explain the technical risk to the organization.
C. include industry best practices as they relate to information security.
D. detail successful attacks against a competitor

A 146. A: Senior management seeks to understand the business justification for investing in security. Support can be best obtained by linking security to key business objectives. Senior management will not be as interested in technical risk or examples of successful attacks against a competitor if they are not linked to the impact on the business environment and objectives. Industry best practices are important to senior management, but management will give the right level of importance to the best practices when they are presented in terms of key business objectives.

Q 147. The MOST important requirement for gaining management commitment to the information security program is to:
A. benchmark a number of successful organizations.
B. demonstrate potential losses and other impacts that can result from a lack of support.
C. inform management of the legal requirements of due care.
D. demonstrate support for desired outcomes

A 147. D: The most persuasive case is to demonstrate how the program will help achieve the desired business outcomes. This can be done by providing specific business support in areas of operational predictability and regulatory compliance, and by improving resource allocation and meaningful performance metrics. While benchmarking similar organizations can be helpful in some instances to make a case for management support of the information security program, benchmarking by itself is not sufficient. Due care should also be covered as one of the desired outcomes.

Q 148. Serious security incidents typically lead to renewed focus on information security by management. To BEST utilize this attention, the information security manager should make the case for:
A. improving integration of business and information security processes.
B. increasing information security budgets and staffing levels.
C. developing tighter controls and stronger compliance efforts.
D. acquiring better supplemental technical security controls.

A 148. A: Close integration of information security governance with overall organization governance is likely to provide better long-term security by institutionalizing its activities and increasing visibility in all organization activities.

Q 176. Who is in the BEST position to implement and monitor a balanced scorecard (BSC) for the information systems (IS) security program?
A. Executive management
B. The chief information security officer (CISO)
C. The director of auditing
D. The chief information officer (CIO)

A 176. B: An IT BSC demonstrates IT value, facilitates IT governance, and acts as a decision support tool for IT management. The CISO develops, implements and monitors the performance metrics as part of the information security governance framework.

Q 177. Which of the following is the MOST important factor on which to rely to successfully assign cross-organizational responsibility to integrate an information security program?
A. The ease of information security technologies
B. Open channels of communication
C. The roles of different job functions
D. Qualified information security professionals in each department

A 177. C: Job functions across the organization must be taken into consideration before assigning responsibility within the information security program. The transparency of information security technologies and processes is important at the end-user level to ensure that information security does not reduce the efficiency of existing work practices, encouraging work-arounds or other actions that render controls ineffective.

Q 204. Which of the following would be the MOST relevant factor when defining the information classification policy?
A. Quantity of information
B. Available IT infrastructure
C. Benchmarking
D. Requirements of data owners

A 204. D: When defining the information classification policy, the requirements of the data owners need to be identified. The quantity of information, availability of IT infrastructure and benchmarking may be part of the scheme after the fact and would be less relevant.

Q 205. Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?
A. Manager
B. Custodian
C. User
D. Owner

A 205. D: The information owner role has the responsibility for determining information classification levels.

Q 206. The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for:
A. determining the scope for inclusion in an information security program.
B. defining the level of access controls.
C. justifying costs for information resources.
D. determining the overall budget of an information security program.

A 206. B: The assigned class of sensitivity and criticality of the information resource determines the level of access controls to be put in place. The assignment of sensitivity and criticality takes place with the information assets that have already been included in the information security program and has only an indirect bearing on the costs to be incurred. The assignment of sensitivity and criticality contributes to, but does not decide, the overall budget of the information security program.

Q 233. Legal and regulatory requirements pertaining to information security should be addressed by the information security manager:
A. as a mandate that requires organization compliance.
B. based on the level of risk they pose to the organization.
C. by developing policies that address the requirements.
D. to ensure that guidelines meet the requirements

A 233. B: Legal and regulatory requirements should be assessed for the risk and impact of non- or partial compliance compared to the cost of compliance and the organization's risk tolerance. Policies should not address particular regulations because regulations are subject to change. Policies should only address the need to assess regulatory requirements and deal with them appropriately based on risk, risk tolerance and impact. Guidelines would normally not address regulations, but standards might be based on management's determination of the appropriate level of compliance.

Q 234. The information security manager should treat regulatory compliance requirements as:
A. an organizational mandate.
B. a risk management priority.
C. a purely operational issue.
D. just another risk.

A 234. D: Many regulations exist that must be considered. Priority should be given to those with the greatest impact, just as other risk is considered with priority given to feasibility, level of enforcement, possible sanctions and costs of compliance.

Q 235. Management decided that the organization will not achieve compliance with a recently issued set of regulations. Which of the following is the MOST likely reason for the decision?
A. The regulations are ambiguous and difficult to interpret.
B. Management has a low level of risk tolerance.
C. The cost of compliance exceeds the cost of possible sanctions.
D. The regulations are inconsistent with the organizational strategy.

A 235. C: Management may decide it is less expensive to deal with possible sanctions than to attempt to be in compliance.

Q 262. A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN). What should the security manager do FIRST?
A. Understand the business requirements of the developer portal
B. Perform a vulnerability assessment of the developer portal
C. Install an intrusion detection system (IDS)
D. Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server

A 262. A: The information security manager cannot make an informed decision about the request without first understanding the business requirements of the developer portal. Performing a vulnerability assessment of the developer portal and installing an intrusion detection system (IDS) are best practices but are subsequent to understanding the requirements. Obtaining a signed nondisclosure agreement will not take care of the risks inherent in the organization's application.

Q 263. A company's mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?
A. A penetration test
B. A security baseline review
C. A risk assessment
D. A business impact analysis (BIA)

A 263. C: A risk assessment will identify the business impact of such vulnerability being exploited and is, thus, the correct process. A penetration test or a security baseline review may identify the vulnerability but not the remedy. A business impact analysis (BIA) will more likely identify the impact of the loss of the mail server.

Q 264. Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company's policies. An information security manager should:
A. conduct a risk assessment and allow or disallow based on the outcome.
B. recommend a risk assessment and implementation only if the residual risks are accepted.
C. recommend against implementation because it violates the company's policies.
D. recommend revision of current policy

A 264. B: Whenever the company's policies cannot be followed, a risk assessment should be conducted to clarify the risks. It is then up to management to accept the risks or to mitigate them. Management determines the level of risk they are willing to take.

Q 291. Value at risk (VAR) can be used:
A. as a qualitative approach to evaluating risk.
B. to determine maximum probable loss over a period of time.
C. for risk analysis applicable only to financial organizations.
D. as a useful tool to expedite the assessment process

A 291. B: VAR provides a quantitative value of the maximum probable loss in a given time period—typically at 95 or 99 percent certainty. VAR is an analysis tool, not an assessment tool and is quantitative rather than qualitative. While primarily being used by financial organizations, applicability to information security has been demonstrated. VAR calculations are typically complex and time consuming.

Q 292. Once the objective of performing a security review has been defined, the NEXT step for the information security manager is to determine:
A. constraints.
B. approach.
C. scope.
D. results.

A 292. C: The next step in a security review is to determine scope—followed by constraints, approach and results.

Q 293. The fact that an organization may suffer a significant disruption as the result of a distributed denial of service (DDoS) attack is considered:
A. an intrinsic risk.
B. a systemic risk.
C. a residual risk.
D. an operational risk.

A 293. D: Operational risk is the risk to an organization as a result of its internal and external operations.

Q 320. Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?
A. Cost-benefit analysis
B. Penetration testing
C. Frequent risk assessment programs
D. Annual loss expectancy (ALE) calculation

A 320. A: In a cost-benefit analysis the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure. Penetration testing may indicate the extent of a weakness but, by itself, will not establish the cost/benefit of a control. Frequent risk assessment programs will certainly establish what risk exists but will not determine the maximum cost of controls. Annual loss expectancy (ALE) is a measure which will contribute to the value of the risk but, alone, will not justify a control.

Q 321. An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:
A. eliminating the risk.
B. transferring the risk.
C. mitigating the risk.
D. accepting the risk.

A 321. C: Risk can never be eliminated entirely. Transferring the risk shifts it to another party, for example by buying insurance so that the insurer bears the loss. Implementing additional controls is an example of mitigating risk. Doing nothing to mitigate the risk would be an example of accepting risk.

Q 322. A risk management approach to information protection is:
A. managing risks to an acceptable level, commensurate with goals and objectives.
B. accepting the security posture provided by commercial security products.
C. implementing a training program to educate individuals on information protection and risks.
D. managing risk tools to ensure that they assess all information protection vulnerabilities.

A 322. A: Risk management is identifying all risks within an organization, establishing an acceptable level of risk and effectively managing risks which may include mitigation or transfer.

Q 349. When implementing security controls, an information security manager must PRIMARILY focus on:
A. minimizing operational impacts.
B. eliminating all vulnerabilities.
C. usage by similar organizations.
D. certification from a third party.

A 349. A: Security controls must be compatible with business needs. It is not feasible to eliminate all vulnerabilities. Usage by similar organizations does not guarantee that controls are adequate. Certification by a third party is important, but not a primary concern.

Q 350. The PRIMARY objective when selecting controls and countermeasures is to:
A. protect against all threats.
B. reduce costs.
C. optimize protection and usability.
D. restrict employee access.

A 350. C: Optimized controls are understood to be cost-effective and should provide the appropriate level of protection. It is not feasible to protect against all threats. Business needs could require more expensive controls. Restriction of employee access may be part of a control, but it is not the objective of a control.

Q 351. Segregation of duties assists with:
A. employee monitoring.
B. reduced supervisory requirements.
C. fraud prevention.
D. enhanced compliance.

A 351. C: Segregation of duties is primarily used to discourage fraudulent activities.

Q 378. Which of the following is the BEST indicator of the level of acceptable risk in an organization?
A. The proportion of identified risk that has been remediated
B. The ratio of business insurance coverage to its cost
C. The percentage of the IT budget allocated to security
D. The percentage of assets that has been classified

A 378. B: The amount of business insurance coverage carried and the cost provide a directly quantifiable indication of the level of risk the organization will accept and at what cost.

Q 379. When assessing the maturity of the risk management process, which of the following findings raises the GREATEST concern?
A. Organizational processes are not adequately documented.
B. Multiple frameworks are used to define the desired state.
C. Required security objectives are not well defined.
D. The desired state is not based on the business objectives.

A 379. D: Risk management is about the business. Defining a desired state without consideration of business objectives implies that the stated desired outcome may not be effective, even if attained.

Q 380. During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?
A. Feasibility
B. Design
C. Development
D. Testing

A 380. A: Risk should be addressed as early in the development of a new application system as possible. In some cases, identified risks could be mitigated through design changes. If needed changes are not identified until design has already commenced, such changes become more expensive. For this reason, beginning risk assessment during the design, development or testing phases is not the best solution.

Q 407. The information security policies of an organization require that all confidential information must be encrypted while communicating to external entities. A regulatory agency insisted that a compliance report must be sent without encryption. The information security manager should:
A. extend the information security awareness program to include employees of the regulatory authority.
B. send the report without encryption on the authority of the regulatory agency.
C. initiate an exception process for sending the report without encryption.
D. refuse to send the report without encryption.

A 407. C: The information security manager should first assess the risk in sending the report to the regulatory authority without encryption. The information security manager can consider alternate communication channels that will address the risk and provide for the exception.

Q 408. Who can BEST advocate the development of and ensure the success of an information security program?
A. Internal auditor
B. Chief operating officer (COO)
C. Steering committee
D. IT management

A 408. C: Senior management represented in the security steering committee is in the best position to advocate the establishment of and continued support for an information security program. The chief operating officer (COO) will be a member of that committee. An internal auditor is a good advocate but is secondary to the influence of senior management. IT management has a lesser degree of influence and would also be part of the steering committee.

Q 409. The effectiveness of virus detection software is MOST dependent on which of the following?
A. Packet filtering
B. Intrusion detection
C. Software upgrades
D. Definition files

A 409. D: The effectiveness of virus detection software depends on virus signatures which are stored in virus definition files. Software upgrades are related to the periodic updating of the program code, which would not be as critical. Intrusion detection and packet filtering do not focus on virus detection.

Q 436. During an audit, an information security manager discovered that sales representatives are sending sensitive customer information through email messages. Which of the following is the BEST course of action to address the issue?
A. Review the finding with the sales manager to evaluate the risk and impact.
B. Report the issue to senior management immediately.
C. Request that the sales representatives stop emailing sensitive information.
D. Provide security awareness training to the sales representatives.

A 436. A: It is always good practice to engage the management of the business unit when addressing security threats and risks. The input from business unit management is critical in formulating the next step. Reporting immediately to senior management, ordering the practice stopped or scheduling awareness training are all possible next steps, but each should be informed by that evaluation of risk and impact.

Q 437. When developing an information security program, what is the MOST useful source of information for determining available resources?
A. Proficiency test
B. Job descriptions
C. Organization chart
D. Skills inventory

A 437. D: A skills inventory would help identify the available resources, any gaps and the training requirements for developing resources. Proficiency testing is useful but only with regard to specific technical skills. Job descriptions would not be as useful since they may be out of date or not sufficiently detailed. An organization chart would not provide the details necessary to determine the resources required for this activity.

Q 438. Which of the following is an advantage of a centralized information security organizational structure?
A. It is easier to promote security awareness.
B. It is easier to manage and control.
C. It is more responsive to business unit needs.
D. It provides a faster turnaround for security requests.

A 438. B: It is easier to manage and control a centralized structure. Promoting security awareness is an advantage of decentralization. Decentralization allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. Decentralized operations allow security administrators to be more responsive. Being close to the business allows decentralized security administrators to achieve a faster turnaround than that achieved in a centralized operation.

Q 465. Which of the following devices should be placed within a DMZ?
A. Router
B. Firewall
C. Mail relay
D. Authentication server

A 465. C: A mail relay should normally be placed within a demilitarized zone (DMZ) to shield the internal network. An authentication server, due to its sensitivity, should always be placed on the internal network, never on a DMZ that is subject to compromise. Both routers and firewalls may bridge a DMZ to another network, but do not technically reside within the DMZ network segment.

Q 466. An intrusion detection system should be placed:
A. outside the firewall.
B. on the firewall server.
C. on a screened subnet.
D. on the external router.

A 466. C: On a screened subnet, which is a demilitarized zone (DMZ). Placing it on the Internet side of the firewall is not advised because the system will generate alerts on all malicious traffic—even though 99 percent will be stopped by the firewall and never reach the internal network. The same would be true of placing it on the external router, if such a thing were feasible. Since firewalls should be installed on hardened servers with minimal services enabled, it would be inappropriate to install the IDS on the same physical device.

Q 467. The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to:
A. provide in-depth defense.
B. separate test and production.
C. permit traffic load balancing.
D. prevent a denial-of-service attack

A 467. C: Having two entry points, each guarded by a separate firewall, is desirable to permit traffic load balancing. As they both connect to the Internet and to the same demilitarized zone (DMZ), such an arrangement is not practical for separating test from production or preventing a denial-of-service attack.

Q 494. Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?
A. Encrypting first by receiver's private key and second by sender's public key
B. Encrypting first by sender's private key and second by receiver's public key
C. Encrypting first by sender's private key and second decrypting by sender's public key
D. Encrypting first by sender's public key and second by receiver's private key

A 494. B: Encrypting with the sender's private key provides authentication: because the receiver can decrypt with the sender's public key, the receiver knows the message came from the sender, and the sender cannot repudiate it. Encrypting the result with the receiver's public key provides confidentiality, since only the holder of the receiver's private key can decrypt it. Options A and D require the sender to hold the receiver's private key, which the sender never has. Option C (encrypting with the sender's private key and decrypting with the sender's public key) gives authentication but not confidentiality, because anyone holding the sender's public key can read the message.
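The following is an added example, not part of the original flashcard deck: it walks through the four answer options of Q 494 using textbook RSA on tiny hard-coded primes, modelling who holds which key. The primes, the single-integer "message block" and the unpadded RSA are assumptions made only to keep every step visible; production code must use padded RSA (OAEP/PSS) or a vetted sign-then-encrypt construction.

```python
"""Added example for Q 494 (not part of the original flashcard deck): who can
perform and who can undo each of the four key orderings, shown with textbook
RSA on tiny hard-coded primes.

Assumptions: unpadded RSA, 12- to 14-bit moduli and a single small integer
"message block" are used only to keep every step visible. Production code
must use padded RSA (OAEP/PSS) or a vetted sign-then-encrypt construction.
"""


def make_keypair(p, q, e=17):
    """Textbook RSA: public key (e, n), private key (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


def rsa(block, key):
    """Encrypting and decrypting are the same modular exponentiation."""
    exponent, modulus = key
    if not 0 <= block < modulus:
        raise ValueError("block must be smaller than the modulus")
    return pow(block, exponent, modulus)


# The sender's modulus must be smaller than the receiver's so that the
# signed block still fits under the receiver's key (a textbook-RSA detail).
SENDER_PUB, SENDER_PRIV = make_keypair(61, 53)      # n = 3233
RECEIVER_PUB, RECEIVER_PRIV = make_keypair(89, 97)  # n = 8633

# Keyrings: a private key never leaves its owner.
KEYRINGS = {
    "sender": {"sender_priv": SENDER_PRIV, "sender_pub": SENDER_PUB,
               "receiver_pub": RECEIVER_PUB},
    "receiver": {"receiver_priv": RECEIVER_PRIV, "receiver_pub": RECEIVER_PUB,
                 "sender_pub": SENDER_PUB},
    "eavesdropper": {"sender_pub": SENDER_PUB, "receiver_pub": RECEIVER_PUB},
}

# The four answer options, as the keys the sender would have to apply in order.
OPTIONS = {
    "A": ["receiver_priv", "sender_pub"],
    "B": ["sender_priv", "receiver_pub"],
    "C": ["sender_priv"],  # option C then has the receiver undo it with sender_pub
    "D": ["sender_pub", "receiver_priv"],
}


def apply_keys(block, key_names, party):
    """Run block through the named keys in order, using only keys `party` owns.
    Raises KeyError when the party does not hold one of them."""
    ring = KEYRINGS[party]
    for name in key_names:
        block = rsa(block, ring[name])
    return block


def sender_can_perform(option):
    """Options A and D need the receiver's private key, which the sender lacks."""
    return all(name in KEYRINGS["sender"] for name in OPTIONS[option])


def sign_then_encrypt(m):
    """Option B as performed by the sender."""
    return apply_keys(m, OPTIONS["B"], "sender")


def decrypt_then_verify(c, party="receiver"):
    """Undo option B: receiver's private key, then sender's public key.
    A successful recovery proves sender_priv was used (authentication and
    nonrepudiation); only the receiver owns receiver_priv (confidentiality)."""
    return apply_keys(c, ["receiver_priv", "sender_pub"], party)


def sign_only(m):
    """Option C: the sender's private key alone."""
    return apply_keys(m, OPTIONS["C"], "sender")


def anyone_can_read(c):
    """Option C leaks: the eavesdropper undoes it with the sender's public key."""
    return apply_keys(c, ["sender_pub"], "eavesdropper")


if __name__ == "__main__":
    m = 1234
    c = sign_then_encrypt(m)
    print("option B ciphertext", c, "-> receiver recovers", decrypt_then_verify(c))
    print("option C 'ciphertext' read by eavesdropper:", anyone_can_read(sign_only(m)))
    print("options the sender can perform:",
          [o for o in OPTIONS if sender_can_perform(o)])
```

The eavesdropper holds only public keys, so calling decrypt_then_verify with party="eavesdropper" fails on the missing receiver_priv, while sign_only output is readable by anyone; that contrast is the whole of the exam point.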

Q 495. In order to protect a network against unauthorized external connections to corporate systems, the information security manager should BEST implement:
A. a strong authentication.
B. IP antispoofing filtering.
C. network encryption protocol.
D. access lists of trusted devices.

A 495. A: Strong authentication will provide adequate assurance on the identity of the users, while IP antispoofing is aimed at the device rather than the user. Encryption protocol ensures data confidentiality and authenticity while access lists of trusted devices are easily exploited by spoofed identity of the clients.

Q 496. The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information security program is to:
A. ensure the confidentiality of sensitive material.
B. provide a high assurance of identity.
C. allow deployment of the active directory.
D. implement secure sockets layer (SSL) encryption.

A 496. B: The primary purpose of a public key infrastructure (PKI) is to provide strong authentication. Confidentiality is a function of the session keys distributed by the PKI. An active directory can use PKI for authentication as well as using other means. Even though secure sockets layer (SSL) encryption requires keys to authenticate, it is not the main reason for deploying PKI.

Q 523. Which of the following is the BEST approach to mitigate online brute-force attacks on user accounts?
A. Passwords stored in encrypted form
B. User awareness
C. Strong passwords that are changed periodically
D. Implementation of lock-out policies

A 523. D: Implementation of account lock-out policies significantly inhibits online brute-force attacks because the attacker is limited to a handful of guesses per lock-out period. In cases where this is not possible, strong passwords that are changed periodically would be an appropriate choice. Passwords stored in encrypted (or hashed) form protect the stored credential, not the login interface, and will not defeat an online brute-force attack if the password itself is easily guessed. User awareness would help but is not the best approach of the options given. The threshold and lock-out duration must be chosen with care, since an attacker can also use the policy to lock legitimate users out of their accounts.
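The following is an added example, not part of the original flashcard deck: a small lock-out policy run against a simulated online brute-force attempt, showing how many guesses the attacker actually gets evaluated and what the same policy does to the legitimate account owner. The account store, password, threshold values and guess list are constructed here, and the clock is injected so the run is deterministic.

```python
"""Added example for Q 523 (not part of the original flashcard deck): an
account lock-out policy applied to a simulated online brute-force attack,
including the side effect the policy has on the legitimate account owner.

Assumptions: the account store, password, threshold values and the guess
list are all constructed here; the clock is injected so the run is
deterministic.
"""
import hashlib
import hmac
import os
import time


def hash_password(password, salt, iterations=50_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class FakeClock:
    """Injectable clock so the simulation does not depend on wall time."""

    def __init__(self, start=1_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginGuard:
    """Lock an account after max_failures failures inside window_s seconds."""

    def __init__(self, users, max_failures=5, window_s=300, lockout_s=900,
                 clock=time.monotonic):
        self.users = users                      # account -> (salt, pbkdf2 hash)
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self.clock = clock
        self._failures = {}                     # account -> recent failure times
        self._locked_until = {}                 # account -> lock expiry
        # Used for unknown accounts so response time does not reveal which names exist.
        self._dummy = (os.urandom(16), hash_password(os.urandom(8).hex(), b"dummy"))

    def _verify(self, account, password):
        salt, stored = self.users.get(account, self._dummy)
        matches = hmac.compare_digest(hash_password(password, salt), stored)
        return matches and account in self.users

    def attempt(self, account, password):
        """Return "ok", "bad_password" or "locked"."""
        now = self.clock()
        if self._locked_until.get(account, 0) > now:
            return "locked"                     # guess is not even evaluated
        recent = [t for t in self._failures.get(account, []) if now - t < self.window_s]
        if self._verify(account, password):
            self._failures[account] = []
            return "ok"
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            self._failures[account] = []
        return "bad_password"


# Constructed account and a constructed guess list; the real password is last.
SALT = b"\x01" * 16
USERS = {"alice": (SALT, hash_password("correct-horse-battery", SALT))}
GUESSES = ["123456", "password", "alice2013", "qwerty", "letmein",
           "welcome1", "Passw0rd", "correct-horse-battery"]


def simulate_bruteforce(guesses=GUESSES, max_failures=5, lockout_s=900):
    clock = FakeClock()
    guard = LoginGuard(USERS, max_failures=max_failures, lockout_s=lockout_s, clock=clock)
    outcomes = []
    for guess in guesses:
        outcomes.append(guard.attempt("alice", guess))
        clock.advance(1)                        # attacker tries one guess per second
    # Side effect of the policy: the real owner is refused while the lock holds.
    during = guard.attempt("alice", "correct-horse-battery")
    clock.advance(lockout_s)
    after = guard.attempt("alice", "correct-horse-battery")
    return {
        "outcomes": outcomes,
        "guesses_evaluated": outcomes.count("bad_password"),
        "guesses_rejected_unseen": outcomes.count("locked"),
        "owner_during_lockout": during,
        "owner_after_lockout": after,
    }


if __name__ == "__main__":
    for key, value in simulate_bruteforce().items():
        print(f"{key}: {value}")
```

With five allowed failures the attacker's eighth guess, the correct one, is never checked; the same mechanism turns the owner away until the lock expires, which is why real deployments pair lock-out with progressive delays or step-up verification rather than a bare hard lock.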

Q 524. The advantage of sending messages using steganographic techniques, as opposed to utilizing encryption, is that:
A. the existence of messages is unknown.
B. required key sizes are smaller.
C. traffic cannot be sniffed.
D. reliability of the data is higher in transit.

A 524. A: The existence of the message is hidden when using steganography; this concealment is its defining advantage over encryption, which protects the content but leaves the presence of a message obvious. Keys and key sizes are relevant to encryption, not to steganography. Steganographic traffic can still be sniffed like any other traffic. Option D is not relevant.

Q 525. Simple Network Management Protocol v2 (SNMP v2) is used frequently to monitor networks. Which of the following vulnerabilities does it always introduce?
A. Remote buffer overflow
B. Cross site scripting
C. Clear text authentication
D. Man-in-the-middle attack

A 525. C: One of the main problems with SNMPv1 and SNMPv2c is the clear text "community string" used to authenticate requests. It is easy to sniff and reuse. Most times, the SNMP community string is shared across the organization's servers and routers, making this authentication weakness a serious threat to security. Buffer overflows, cross-site scripting and man-in-the-middle attacks depend on specific implementations or network positions and are not inherent in the protocol. SNMPv3 addresses the weakness by adding user-based authentication and optional encryption.
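The following is an added example, not part of the original flashcard deck: a minimal BER encoder and decoder that builds an SNMPv2c GetRequest, reads the community string straight back out of the raw bytes the way a passive sniffer would, and reuses it in a new request. The packet, the community string "public" and the OIDs are constructed here; only the definite-length BER used by SNMPv1/v2c is handled.

```python
"""Added example for Q 525 (not part of the original flashcard deck): a
minimal BER encoder/decoder that builds an SNMPv2c GetRequest, then "sniffs"
the community string back out of the raw bytes and reuses it in a new request.

Assumptions: the packet, community string "public" and OIDs are constructed
here; only definite-length BER as used by SNMPv1/v2c is handled.
"""

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}


def tlv(tag, content):
    """BER tag-length-value with short or long definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def encode_int(value):
    """Minimal two's-complement INTEGER (non-negative values only here)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def build_community_get(community, oid, request_id=42, version=1, pdu_tag=0xA0):
    """SNMPv1/v2c message: SEQUENCE { version, community, PDU }."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))     # OID, NULL value
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))
    return tlv(0x30, encode_int(version) + tlv(0x04, community.encode()) + pdu)


def read_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:
        size = length & 0x7F
        length = int.from_bytes(data[pos:pos + size], "big")
        pos += size
    return tag, data[pos:pos + length], pos + length


def parse_community_header(packet):
    """What a passive sniffer sees before the PDU: version and community."""
    tag, body, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, version, pos = read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    tag, second, pos = read_tlv(body, pos)
    community = second.decode("latin-1") if tag == 0x04 else None  # v3 carries no community
    pdu_tag, _, _ = read_tlv(body, pos)
    return {"version": VERSIONS.get(int.from_bytes(version, "big", signed=True), "unknown"),
            "community": community,
            "pdu_type": PDU_NAMES.get(pdu_tag, "unknown")}


def reuse_community(sniffed_packet, oid, pdu_tag=0xA0):
    """The community string is the whole credential: copy it into a new request."""
    community = parse_community_header(sniffed_packet)["community"]
    return build_community_get(community, oid, request_id=4242, pdu_tag=pdu_tag)


# Constructed "captured" request for sysName.0 using the default read community.
SNIFFED_PACKET = build_community_get("public", "1.3.6.1.2.1.1.5.0")

if __name__ == "__main__":
    print(SNIFFED_PACKET.hex(" "))
    print(parse_community_header(SNIFFED_PACKET))
    print(parse_community_header(reuse_community(SNIFFED_PACKET, "1.3.6.1.2.1.1.1.0")))
```

The hex dump shows the ASCII bytes of "public" in the clear a few bytes into the datagram; nothing in the v1/v2c message format hashes or encrypts it, so anyone on the path can copy it into a request of their own.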

Q 552. Which of the following factors will MOST affect the extent to which controls should be layered?
A. The degree of homogeneity
B. The impact on productivity
C. The maintenance cost of controls
D. Controls that fail closed

A 552. A: The degree of homogeneity in existing controls must be addressed by adding or modifying controls to manage the aggregate risk of total control failure. A high degree of homogeneity is less secure because it is susceptible to the same threat.

Q 553. A certificate authority (CA) is required for a public key infrastructure (PKI):
A. in cases in which confidentiality is an issue.
B. when challenge/response authentication is used.
C. except where users attest to each other's identity.
D. in role-based access control (RBAC) deployments.

A 553. C: A CA is not needed in implementations such as Pretty Good Privacy (PGP), in which the authenticity of users' public keys is attested to by other users in a "web of trust" rather than by a central authority.

Q 554. Which of the following is the MOST important guideline when using software to scan for security exposures within a corporate network?
A. Never use open source tools
B. Focus only on production servers
C. Follow a linear process for attacks
D. Do not interrupt production processes

A 554. D: The first rule of scanning for security exposures is to not break anything. This includes the interruption of any running processes. Open source tools are an excellent resource for performing scans. Scans should focus on both the test and production environments since, if compromised, the test environment could be used as a platform from which to attack production servers. Finally, the process of scanning for exposures is more of a spiral process than a linear process.

Q 581. Which of the following is the MOST effective way to ensure that noncompliance to information security standards is resolved?

A. Periodic audits of noncompliant areas
B. An ongoing vulnerability scanning program
C. Annual security awareness training
D. Regular reports to executive management

A 581. D: The concern of having their area of responsibility reported as noncompliant to their peers and executives is generally the most effective motivation for management to take action. Periodic audits and ongoing vulnerability scanning can be effective, but only when combined with reporting. Training can increase management's awareness regarding information security, but awareness training is generally not as compelling to management as having their names highlighted on a compliance report.

Q 582. An information security manager has instructed a system database administrator (DBA) to implement native database auditing in order to meet regulatory requirements for privileged user monitoring. Which of the following is the PRIMARY reason that the DBA would be concerned? Native database auditing:

A. interferes with policy-driven event logging.
B. affects production database performance.
C. requires development of supplementary tools.
D. impairs flexibility in configuration management.

A 582. B: Many database products come with a native audit log function. Although it can be easily activated, there is a risk that it may negatively impact the performance of the database. The other choices are potential concerns, but are secondary to performance impact.

Q 583. Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?

A. Baseline security standards
B. System access violation logs
C. Role-based access controls
D. Exit routines

A 583. C: Role-based access controls help ensure that users only have access to files and systems appropriate for their job role. Violation logs are detective and do not prevent unauthorized access. Baseline security standards do not prevent unauthorized access. Exit routines are dependent upon appropriate role-based access.
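The contrast the answer draws, a preventive control (RBAC) beside a detective one (a violation log), as an added example in working code. This is not part of the CISM material; the roles, classification levels, users and document are all constructed for the illustration.

```python
"""Role-based access control (RBAC) as the preventive control for
modification of classified data, with a violation log kept beside it as
the detective control. Added example, not part of the CISM material;
the roles, classification levels and users are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Classification levels in ascending order of sensitivity (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Role -> (highest level the role may WRITE, highest level it may READ).
# Reading and writing are separated so that a role can see classified
# material without being able to alter it.
ROLE_RIGHTS: Dict[str, Tuple[str, str]] = {
    "analyst": ("internal", "confidential"),
    "records_officer": ("confidential", "restricted"),
    "security_admin": ("restricted", "restricted"),
}


@dataclass
class Document:
    name: str
    classification: str
    body: str


@dataclass
class AccessControl:
    """Maps users to roles and mediates every read and write."""
    user_roles: Dict[str, Set[str]]
    violations: List[str] = field(default_factory=list)  # detective record only

    def _max_level(self, user: str, right: int) -> int:
        # Highest permitted level across all of the user's roles; -1 if none.
        levels = [LEVELS[ROLE_RIGHTS[r][right]] for r in self.user_roles.get(user, set())]
        return max(levels, default=-1)

    def can_read(self, user: str, doc: Document) -> bool:
        return LEVELS[doc.classification] <= self._max_level(user, 1)

    def can_write(self, user: str, doc: Document) -> bool:
        return LEVELS[doc.classification] <= self._max_level(user, 0)

    def modify(self, user: str, doc: Document, new_body: str) -> bool:
        """Apply the change only if RBAC permits it; log the denial otherwise."""
        if not self.can_write(user, doc):
            self.violations.append(
                f"DENIED write: user={user} doc={doc.name} class={doc.classification}")
            return False
        doc.body = new_body
        return True


def demo() -> Tuple[bool, bool, str, List[str]]:
    """Constructed scenario: an analyst tries to edit a confidential file."""
    ac = AccessControl(user_roles={"alice": {"analyst"}, "bob": {"records_officer"}})
    doc = Document("merger-notes.txt", "confidential", "original text")
    alice_ok = ac.modify("alice", doc, "tampered")      # prevented by RBAC
    bob_ok = ac.modify("bob", doc, "approved update")   # permitted by role
    return alice_ok, bob_ok, doc.body, list(ac.violations)


if __name__ == "__main__":
    print(demo())
```

The violation list records the denied attempt after the fact; it is the role table, checked before the write, that actually stops the modification.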

Q 610. Which of the following is the BEST method to reduce the number of incidents of employees forwarding spam and chain email messages?

A. Acceptable use policy
B. Setting low mailbox limits
C. User awareness training
D. Taking disciplinary action

A 610. C: User awareness training would help in reducing the incidents of employees forwarding spam and chain emails since users would understand the risks of doing so and the impact on the organization's information system. An acceptable use policy, signed by employees, would legally address the requirements but merely having a policy is not the best measure. Setting low mailbox limits and taking disciplinary action are a reactive approach and may not help in obtaining proper support from employees.

Q 611. Which of the following would be the BEST way to improve employee attitude toward and commitment to information security?

A. Implement restrictive controls.
B. Customize training methods to the audience.
C. Apply administrative penalties.
D. Initiate stronger supervision.

A 611. B: Cultural differences will dictate the best behavior modification techniques. For example, some cultures value relationships over monetary rewards. The other choices may work in certain circumstances, enterprises and geographic locations, but not in others.

Q 612. In a large enterprise, an information security awareness program will be MOST effective if it is:

A. developed by a professional training company.
B. embedded into the orientation process.
C. customized to the audience using the appropriate delivery channel.
D. required by the information security policy.

A 612. C: An awareness program should be customized for different types of audiences, e.g., for new employees, system administration, sales and delivery channels such as posters or e-learning.

Q 639. What is the BEST method to verify that all security patches applied to servers were properly documented?

A. Trace change control requests to operating system (OS) patch logs
B. Trace OS patch logs to OS vendor's update documentation
C. Trace OS patch logs to change control requests
D. Review change control documentation for key servers

A 639. C: To ensure that all patches applied went through the change control process, it is necessary to use the operating system (OS) patch logs as the starting point and then check whether a change control document is on file for each of those changes. Tracing from the documentation to the patch log will not reveal patches that were applied without being documented. Similarly, reviewing change control documents for key servers or comparing patches applied with those recommended on the OS vendor's web site does not confirm that these security patches were properly approved and documented.
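The direction of the trace is the whole point of the answer, so here it is as an added example that reconciles a patch log against change requests both ways. This code is not from the CISM material; the log lines, hostnames, patch identifiers and CR numbers are constructed.

```python
"""Verify that every patch applied to a server has a change control
request (CR) behind it by tracing from the patch log to the CRs, the
direction the answer above recommends. The reverse trace (CRs to patch
log) is included to show what it misses. Added example, not from the
CISM material; the log lines, hostnames and CR numbers are constructed."""
import re
from typing import Dict, List, Set, Tuple

Applied = Tuple[str, str]  # (host, patch id)

# Constructed OS patch log, one installation attempt per line.
PATCH_LOG = """\
2023-10-12 02:10:04 host=web01 action=installed patch=SEC-2023-0101 result=success
2023-10-12 02:14:31 host=web01 action=installed patch=SEC-2023-0102 result=success
2023-10-12 03:01:12 host=db01 action=installed patch=SEC-2023-0101 result=success
2023-10-12 03:05:47 host=db01 action=installed patch=SEC-2023-0107 result=success
2023-10-12 03:06:02 host=db01 action=installed patch=SEC-2023-0108 result=failed
"""

# Constructed change control records: CR id -> approved (host, patch) pairs.
CHANGE_REQUESTS: Dict[str, List[Applied]] = {
    "CR-4410": [("web01", "SEC-2023-0101"), ("db01", "SEC-2023-0101")],
    "CR-4411": [("web01", "SEC-2023-0102")],
    "CR-4420": [("db01", "SEC-2023-0110")],  # approved, never applied
}

LINE_RE = re.compile(
    r"host=(?P<host>\S+)\s+action=installed\s+patch=(?P<patch>\S+)\s+result=(?P<result>\S+)")


def parse_patch_log(text: str) -> Set[Applied]:
    """Return the set of (host, patch) pairs that were actually installed."""
    applied: Set[Applied] = set()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("result") == "success":  # failed installs changed nothing
            applied.add((m.group("host"), m.group("patch")))
    return applied


def approved_pairs(crs: Dict[str, List[Applied]]) -> Dict[Applied, str]:
    """Flatten CRs into (host, patch) -> CR id for lookup."""
    return {pair: cr for cr, pairs in crs.items() for pair in pairs}


def undocumented_patches(log_text: str, crs: Dict[str, List[Applied]]) -> Set[Applied]:
    """Patch log -> CR: applied patches with no change request on file."""
    approved = approved_pairs(crs)
    return {p for p in parse_patch_log(log_text) if p not in approved}


def unapplied_changes(log_text: str, crs: Dict[str, List[Applied]]) -> Set[Applied]:
    """CR -> patch log: approved changes never applied. Useful, but it
    cannot reveal a patch that was applied without a CR."""
    applied = parse_patch_log(log_text)
    return {p for p in approved_pairs(crs) if p not in applied}


if __name__ == "__main__":
    print("undocumented:", sorted(undocumented_patches(PATCH_LOG, CHANGE_REQUESTS)))
    print("unapplied:", sorted(unapplied_changes(PATCH_LOG, CHANGE_REQUESTS)))
```

On the constructed data, the log-to-CR trace flags SEC-2023-0107 on db01 as applied without a change request; the CR-to-log trace only reports the approved but never-applied SEC-2023-0110 and never sees the undocumented patch.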

Q 640. Which of the following will BEST protect against malicious activity by a former employee?

A. Pre-employment screening
B. Close monitoring of users
C. Periodic awareness training
D. Effective termination procedures

A 640. D: The former employee may attempt to use their credentials to perform unauthorized or malicious activity. Accordingly, it is important to ensure timely revocation of all access at the time an individual is terminated. Security awareness training, pre-employment screening and monitoring of users are all important but are not as effective in preventing this type of situation.

Q 641. To help ensure that contract personnel do not obtain unauthorized access to sensitive information, an information security manager should PRIMARILY:

A. set their accounts to expire in six months or less.
B. avoid granting system administration roles.
C. ensure they successfully pass background checks.
D. ensure their access is approved by the data owner.

A 641. B: Contract personnel should not be given job duties that provide them with power user or other administrative roles that they could then use to grant themselves access to sensitive files.

Q 668. Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to:
A. assess the problems and institute rollback procedures, if needed.
C. immediately uninstall the patches from these systems.
D. immediately contact the vendor regarding the problems that occurred.

A 668. A: Assessing the problems and instituting rollback procedures as needed would be the best course of action. Choices B and C would not identify where the problem was, and may in fact make the problem worse. Choice D is part of the assessment.

Q 669. The PRIMARY reason for involving information security at each stage in the systems development life cycle (SDLC) is to identify the security implications and potential solutions required for:
A. identifying vulnerabilities in the system.
B. sustaining the organization's security posture.
C. the existing systems that will be affected.
D. complying with segregation of duties.

A 669. B: It is important to maintain the organization's security posture at all times. The focus should not be confined to the new system being developed or acquired, or to the existing systems in use. Segregation of duties is only part of a solution to improving the security of the systems, not the primary reason to involve security in the systems development life cycle (SDLC).

Q 670. Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)?
A. Card-key door locks
B. Photo identification
C. Biometric scanners
D. Awareness training

A 670. D: Awareness training would most likely result in any attempted tailgating being challenged by the authorized employee. The other choices are physical controls which by themselves would not be effective against tailgating.

Q 697. The IT department has been tasked with developing a new transaction processing system for online account management. At which stage should the information security department become involved?
A. Feasibility
B. Requirements
C. Design
D. User acceptance testing (UAT)

A 697. A: Involve the security department as early as possible. Security considerations will affect feasibility. Security that is added later in the process is often not nearly as effective as security that is considered from end to end.

Q 698. The MAIN objective of integrating the information security process into the system development life cycle (SDLC) is that it:
A. ensures audit compliance.
B. ensures that appropriate controls are implemented.
C. delineates roles and responsibilities.
D. establishes the foundation for development or acquisition.

A 698. B: Establishing information security processes at the front end of any development project ensures that the appropriate security controls are implemented based on the review and assessment completed by security staff.

Q 699. Information on regulatory and legal compliance requirements that has an effect on information security is MOST likely to come from the:
A. corporate legal officer.
B. enterprise risk manager.
C. compliance officer.
D. affected departments.

A 699. D: Information on new and changing regulatory and legal requirements and their impacts is typically provided by affected departments, such as finance or IT.

Q 726. The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?
A. Laws and regulations of the country of origin may not be enforceable in the foreign country.
B. A security breach notification might get delayed due to the time difference.
C. Additional network intrusion detection sensors should be installed, resulting in an additional cost.
D. The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.

A 726. A: A company is held to the local laws and regulations of the country in which the company resides, even if the company decides to place servers with a vendor that hosts the servers in a foreign country. A potential violation of local laws applicable to the company might not be recognized or rectified (i.e., prosecuted) due to the lack of knowledge of the local laws that are applicable and the inability to enforce the laws. Choice B is not a problem. Time difference does not play a role in a 24/7 environment. Pagers, cellular phones, telephones, etc. are usually available to communicate notifications. Choice C is a manageable problem that requires additional funding, but can be addressed. Choice D is a problem that can be addressed. Most hosting providers have standardized the level of physical security that is in place. Regular physical audits or an independent assurance report (a SAS 70 report at the time this was written; SAS 70 has since been superseded by SOC reports under SSAE 18) can address such concerns.

Q 727. Which of the following is the MOST important aspect that needs to be considered from a security perspective when payroll processes are outsourced to an external service provider?
A. A cost-benefit analysis has been completed.
B. Privacy requirements are met.
C. The service provider ensures a secure data transfer.
D. No significant security incident occurred at the service provider.

A 727. B: Applicable privacy requirements may be a matter of law or policy and will require consideration when outsourcing processes that involve personal information. A cost-benefit analysis should be undertaken from a business perspective, but not from a security perspective. When data are transferred, it may be necessary to ensure data security, but there are many other privacy and security issues to consider. Past incidents may not reflect the current security posture of the service provider, nor do they reflect applicable security requirements.

Q 728. Which one of the following considerations is MOST likely to be overlooked when conducting an information security review of a potential outsourcing service provider?
A. Cultural differences
B. Technical competency
C. Adequate controls
D. Information security policies

A 728. A: Individuals in different cultures often have dissimilar perspectives on what information is considered sensitive or confidential and how it should be handled. These perspectives may not be consistent with the customer's security requirements. Cultural norms are not usually an area of consideration in an information security review or during an onsite inspection, but they are an important risk consideration and may require mitigation.

Q 755. Which of the following activities MOST increases the probability that an organization will be able to resume operations after a disaster?
A. Restoration testing
B. Establishment of a “warm site”
C. Daily data backups
D. An incident response plan

A 755. A: A demonstrated ability to restore data is the best way to ensure that data can be restored after a disaster, and data drive the majority of business processes. If an organization is unable to restore its data, it will be of little value to have other considerations in place. On the other hand, if data can be restored, the organization can likely find work-arounds for other challenges that it may face.
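Restoration testing means actually restoring and checking the result, not just confirming the backup job ran. The following is an added example, not from the CISM material, that backs up a small constructed directory, restores it to a scratch location and compares the restored files hash-for-hash against a manifest taken at backup time; a corrupt mode shows what a failed test looks like.

```python
"""Restoration test: back up a directory, restore the archive to a
scratch location and verify the restored files hash-for-hash against a
manifest taken at backup time. Added example, not from the CISM
material; the backup set lives in a temporary directory and is
constructed inline."""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_tree(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write a gzip tarball of source and return the pre-backup manifest."""
    manifest = sha256_tree(source)
    with tarfile.open(archive, "w:gz") as tf:
        tf.add(source, arcname=".")
    return manifest


def restore(archive: Path, target: Path) -> None:
    with tarfile.open(archive, "r:gz") as tf:
        if hasattr(tarfile, "data_filter"):      # safe extraction filter where available
            tf.extractall(target, filter="data")
        else:
            tf.extractall(target)


def verify_restore(manifest: Dict[str, str], restored: Path) -> List[str]:
    """Files that are missing from the restore or whose contents differ."""
    actual = sha256_tree(restored)
    return sorted(path for path, digest in manifest.items() if actual.get(path) != digest)


def run_restoration_test(corrupt: bool = False) -> Tuple[bool, List[str]]:
    """Full cycle. corrupt=True damages one restored file to show detection."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, target, archive = base / "source", base / "restored", base / "backup.tar.gz"
        (source / "etc").mkdir(parents=True)
        (source / "etc" / "app.conf").write_text("listen=443\nmode=prod\n")  # constructed data
        (source / "data.db").write_bytes(bytes(range(256)) * 64)

        manifest = make_backup(source, archive)
        restore(archive, target)
        if corrupt:
            (target / "etc" / "app.conf").write_text("listen=443\nmode=prod\n# truncated")
        failures = verify_restore(manifest, target)
        return (not failures, failures)


if __name__ == "__main__":
    print(run_restoration_test())
    print(run_restoration_test(corrupt=True))
```

In a real test the manifest is the thing to keep, separately from the archive, so that a restore years later can still be judged against what was backed up.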

Q 756. Which of the following BEST contributes to the design of data restoration plans?
A. Transaction turnaround time
B. Mean time between failures (MTBF)
C. Service delivery objectives (SDOs)
D. The duration of the data restoration job

A 756. C: The SDO relates directly to the business needs; the SDO is the level of service to be reached during the alternate process mode until the normal situation is restored.

Q 757. Which of the following actions should be taken when an online trading company discovers a network attack in progress?
A. Shut off all network access points
B. Dump all event logs to removable media
C. Isolate the affected network segment
D. Enable trace logging on all events

A 757. C: Isolating the affected network segment will mitigate the immediate threat while allowing unaffected portions of the business to continue processing.

Q 784. The PRIMARY objective of incident response is to:
A. investigate and report results of the incident to management.
B. gather evidence.
C. minimize business disruptions.
D. assist law enforcement in investigations.

A 784. C: The primary role of incident response is to detect, respond to and contain incidents so that impact to business operations is minimized. Choice A is a responsibility of incident response teams, but not the primary objective. Choices B and D are activities that an incident response team may conduct, depending on circumstances, but neither is a primary objective.

Q 785. An employee's computer has been infected with a new virus. What should be the FIRST action?
A. Execute the virus scan.
B. Report the incident to senior management.
C. Format the hard disk.
D. Disconnect the computer from the network.

A 785. D: The first action should be containing the risk, i.e., disconnecting the computer so that it will not infect other computers on the network. The virus may start infecting other computers while the virus scan is running. Only when the impact to the IT environment is significant should it be reported to senior management. A case of virus infection does not warrant the action. Formatting the hard disk is the last resort.

Q 786. Security-related breaches are assessed and contained through:
A. disaster recovery.
B. incident response.
C. a forensic analysis.
D. the IT support team.

A 786. B: The incident response plan must be activated when an incident occurs.

Q 813. If an organization considers taking legal action on a security incident, the information security manager should focus PRIMARILY on:
A. obtaining evidence as soon as possible.
B. preserving the integrity of the evidence.
C. disconnecting all IT equipment involved.
D. reconstructing the sequence of events.

A 813. B: The integrity of evidence should be kept, following the appropriate forensic techniques to obtain the evidence and a chain of custody procedure to maintain the evidence (in order to be accepted in a court of law). All other options are part of the investigative procedure, but they are not as important as preserving the integrity of the evidence.

Q 814. Which of the following is the MOST critical consideration when collecting and preserving admissible evidence during an incident response?
A. Unplugging the systems
B. Chain of custody
C. Separation of duties
D. Clock synchronization

A 814. B: Admissible evidence must be collected and preserved by “chain of custody.” Unplugging the systems can cause potential loss of information critical to the investigation. Separation of duties is not necessary in evidence collection and preservation since the entire process can be done by a single person. Clock synchronization is not as important for the collection and preservation of admissible evidence.
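Questions 813 and 814 both come down to the same mechanism: fix the evidence's hash at acquisition and keep a custody record that cannot be quietly edited. Below is an added example, not from the CISM material, of a hash-chained custody log; the evidence bytes, handler names and timestamps are constructed, and the timestamps are passed in by the caller (in practice they would come from synchronized clocks, which is why clock synchronization still matters even if it is not the most critical factor).

```python
"""Evidence integrity and chain of custody: hash the evidence at
acquisition, then record every hand-off in a hash-chained custody log
so that any alteration of either the evidence or the log is detectable
later. Added example, not from the CISM material; the evidence bytes,
handler names and timestamps are constructed."""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str       # ISO 8601 UTC, expected to come from a synchronized clock
    handler: str
    action: str          # acquired / transferred / examined / stored
    evidence_sha256: str
    prev_entry_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        fields = asdict(self)
        fields.pop("entry_hash")
        return sha256_hex(json.dumps(fields, sort_keys=True).encode())


class CustodyLog:
    def __init__(self, evidence_id: str, evidence: bytes, handler: str, timestamp: str):
        self.evidence_id = evidence_id
        self.acquisition_hash = sha256_hex(evidence)  # the reference value from now on
        self.entries: List[CustodyEntry] = []
        self.record(handler, "acquired", evidence, timestamp)

    def record(self, handler: str, action: str, evidence: bytes, timestamp: str) -> CustodyEntry:
        """Re-hash the evidence at every hand-off and chain the entry to the previous one."""
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(len(self.entries), timestamp, handler, action,
                             sha256_hex(evidence), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> List[str]:
        """Return a list of problems; an empty list means evidence and log are intact."""
        problems: List[str] = []
        if sha256_hex(evidence) != self.acquisition_hash:
            problems.append("evidence no longer matches the acquisition hash")
        prev = GENESIS
        for e in self.entries:
            if e.prev_entry_hash != prev:
                problems.append(f"entry {e.seq}: chain broken (entry removed or reordered)")
            if e.compute_hash() != e.entry_hash:
                problems.append(f"entry {e.seq}: entry altered after it was written")
            if e.evidence_sha256 != self.acquisition_hash:
                problems.append(f"entry {e.seq}: evidence changed while held by {e.handler}")
            prev = e.entry_hash
        return problems


def demo() -> List[str]:
    """Constructed case: an image is acquired, handed to a lab, then examined."""
    image = b"constructed disk image bytes"
    log = CustodyLog("EV-0001", image, "responder", "2023-11-03T09:15:00Z")
    log.record("lab", "transferred", image, "2023-11-03T11:40:00Z")
    log.record("lab", "examined", image, "2023-11-04T08:05:00Z")
    return log.verify(image)


if __name__ == "__main__":
    print("problems:", demo())
```

Each entry carries the hash of the one before it, so removing or reordering an entry breaks the chain, and editing an entry after the fact changes its own hash; the evidence hash recorded at every hand-off shows which handler had the item when it changed.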

Q 815. In a forensic investigation, which of the following would be the MOST important factor?
A. Operation of a robust incident management process
B. Identification of areas of responsibility
C. Involvement of law enforcement
D. Expertise of resources

A 815. D: The most important factor in a forensic investigation is the expertise of the resources participating in the project due to the inherent complexity.

Q 842. When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify:
A. the information security steering committee.
B. customers who may be impacted.
C. data owners who may be impacted.
D. regulatory agencies overseeing privacy.

A 842. C: The data owners should be notified first so they can take steps to determine the extent of the damage and coordinate a plan for corrective action with the computer incident response team. Other parties will be notified later as required by corporate policy and regulatory requirements.

Q 843. Which of the following would a security manager establish to determine the target for restoration of normal processing?
A. Recovery time objective (RTO)
B. Maximum tolerable outage (MTO)
C. Recovery point objectives (RPOs)
D. Services delivery objectives (SDOs)

A 843. A: Recovery time objective (RTO) is the length of time from the moment of an interruption until the time the process must be functioning at a service level sufficient to limit financial and operational impacts to an acceptable level. Maximum tolerable outage (MTO) is the maximum time for which an organization can operate in a reduced mode. Recovery point objectives (RPOs) relate to the age of the data required for recovery. Services delivery objectives (SDOs) are the levels of service required in reduced mode.

Q 844. Major security events with serious legal implications should be communicated to:
A. appropriate civil authorities when there has been a crime committed.
B. management after the incident has been verified and the severity determined.
C. all affected stakeholders, including legal and the insurance carrier.
D. only to human resources (HR) and the legal department for appropriate action.

A 844. B: Communication regarding security events, particularly ones that have legal implications, is a business decision that is the responsibility of management. There are few, if any, circumstances where the information security manager should contact external authorities directly.
