CISM Practice B Topic 4 Flashcards

1
Q

The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to:

perform penetration testing.

establish security baselines.

implement vendor default settings.

link policies to an independent standard.

A

establish security baselines.

2
Q

A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration?

User

Network

Operations

Database

A

User

3
Q

The BEST way to ensure that information security policies are followed is to:

distribute printed copies to all employees.

perform periodic reviews for compliance.

include escalating penalties for noncompliance.

establish an anonymous hotline to report policy abuses.

A

perform periodic reviews for compliance.

4
Q

The MOST appropriate individual to determine the level of information security needed for a specific business application is the:

system developer.

information security manager.

steering committee.

system data owner.

A

system data owner.

5
Q

Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual needing to have his or her password reset?

Performing reviews of password resets

Conducting security awareness programs

Increasing the frequency of password changes

Implementing automatic password syntax checking

A

Conducting security awareness programs

6
Q

Which of the following is the MOST likely to change an organization’s culture to one that is more security conscious?

Adequate security policies and procedures

Periodic compliance reviews

Security steering committees

Security awareness campaigns

A

Security awareness campaigns

7
Q

The BEST way to ensure that an external service provider complies with organizational security policies is to:

Explicitly include the service provider in the security policies.

Receive acknowledgment in writing stating the provider has read all policies.

Cross-reference to policies in the service level agreement.

Perform periodic reviews of the service provider.

A

Perform periodic reviews of the service provider.

8
Q

When an emergency security patch is received via electronic mail, the patch should FIRST be:

loaded onto an isolated test machine.

decompiled to check for malicious code.

validated to ensure its authenticity.

copied onto write-once media to prevent tampering.

A

validated to ensure its authenticity.

9
Q

In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software?

Applying patches

Changing access rules

Upgrading hardware

Backing up files

A

Changing access rules

10
Q

Which of the following is the BEST indicator that security awareness training has been effective?

Employees sign to acknowledge the security policy

More incidents are being reported

A majority of employees have completed training

No incidents have been reported in three months

A

More incidents are being reported

11
Q

Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs?

Penetration attempts investigated

Violation log reports produced

Violation log entries

Frequency of corrective actions taken

A

Penetration attempts investigated

12
Q

Which of the following change management activities would be a clear indicator that normal operational procedures require examination? A high percentage of:

similar change requests.

change request postponements.

canceled change requests.

emergency change requests.

A

emergency change requests.

13
Q

Which of the following is the MOST important management signoff for migrating an order processing system from a test environment to a production environment?

User

Security

Operations

Database

A

User

14
Q

Prior to having a third party perform an attack and penetration test against an organization, the MOST important action is to ensure that:

the third party provides a demonstration on a test system.

goals and objectives are clearly defined.

the technical staff has been briefed on what to expect.

special backups of production servers are taken.

A

goals and objectives are clearly defined.

15
Q

When a departmental system continues to be out of compliance with an information security policy’s password strength requirements, the BEST action to undertake is to:

submit the issue to the steering committee.

conduct an impact analysis to quantify the risks.

isolate the system from the rest of the network.

request a risk acceptance from senior management.

A

conduct an impact analysis to quantify the risks.

16
Q

Which of the following is MOST important to the successful promotion of good security management practices?

Security metrics

Security baselines

Management support

Periodic training

A

Management support

17
Q

Which of the following environments represents the GREATEST risk to organizational security?

Locally managed file server

Enterprise data warehouse

Load-balanced, web server cluster

Centrally managed data switch

A

Locally managed file server

18
Q

Nonrepudiation can BEST be assured by using:

delivery path tracing.

reverse lookup translation.

out-of-band channels.

digital signatures.

A

digital signatures.

19
Q

Of the following, the BEST method for ensuring that temporary employees do not receive excessive access rights is:

mandatory access controls.

discretionary access controls.

lattice-based access controls.

role-based access controls.

A

role-based access controls.

20
Q

Which of the following areas is MOST susceptible to the introduction of security weaknesses?

Database management

Tape backup management

Configuration management

Incident response management

A

Configuration management

21
Q

Security policies should be aligned MOST closely with:

industry best practices.

organizational needs.

generally accepted standards.

local laws and regulations.

A

organizational needs.

22
Q

The BEST way to determine if an anomaly-based intrusion detection system (IDS) is properly installed is to:

simulate an attack and review IDS performance.

use a honeypot to check for unusual activity.

audit the configuration of the IDS.

benchmark the IDS against a peer site.

A

simulate an attack and review IDS performance.

23
Q

The BEST time to perform a penetration test is after:

an attempted penetration has occurred.

an audit has reported weaknesses in security controls.

various infrastructure changes are made.

a high turnover in systems staff.

A

various infrastructure changes are made.

24
Q

Successful social engineering attacks can BEST be prevented through:

preemployment screening.

close monitoring of users’ access patterns.

periodic awareness training.

efficient termination procedures.

A

periodic awareness training.

25
Q

What is the BEST way to ensure that an intruder who successfully penetrates a network will be detected before significant damage is inflicted?

Perform periodic penetration testing

Establish minimum security baselines

Implement vendor default settings

Install a honeypot on the network

A

Install a honeypot on the network

26
Q

Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?

User ad hoc reporting is not logged

Network traffic is through a single switch

Operating system (OS) security patches have not been applied

Database security defaults to ERP settings

A

Operating system (OS) security patches have not been applied

27
Q

In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources?

Implementing on-screen masking of passwords

Conducting periodic security awareness programs

Increasing the frequency of password changes

Requiring that passwords be kept strictly confidential

A

Conducting periodic security awareness programs

28
Q

Which of the following will BEST ensure that management takes ownership of the decision making process for information security?

Security policies and procedures

Annual self-assessment by management

Security-steering committees

Security awareness campaigns

A

Security-steering committees

29
Q

Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?

System analyst

Quality control manager

Process owner

Information security manager

A

Process owner

30
Q

What is the BEST way to ensure that contract programmers comply with organizational security policies?

Explicitly refer to contractors in the security standards

Have the contractors acknowledge in writing the security policies

Create penalties for noncompliance in the contracting agreement

Perform periodic security reviews of the contractors

A

Perform periodic security reviews of the contractors

31
Q

Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected?

Applying patches

Changing access rules

Upgrading hardware

Backing up files

A

Backing up files

32
Q

Security awareness training should be provided to new employees:

on an as-needed basis.

during system user training.

before they have access to data.

along with department staff.

A

before they have access to data.

33
Q

What is the BEST method to verify that all security patches applied to servers were properly documented?

Trace change control requests to operating system (OS) patch logs

Trace OS patch logs to OS vendor’s update documentation

Trace OS patch logs to change control requests

Review change control documentation for key servers

A

Trace OS patch logs to change control requests

34
Q

A security awareness program should:

present top management’s perspective.

address details on specific exploits.

address specific groups and roles.

promote security department procedures.

A

address specific groups and roles.

35
Q

The PRIMARY objective of security awareness is to:

ensure that security policies are understood.

influence employee behavior.

ensure legal and regulatory compliance.

notify of actions for noncompliance.

A

influence employee behavior.

36
Q

Which of the following will BEST protect against malicious activity by a former employee?

Preemployment screening

Close monitoring of users

Periodic awareness training

Effective termination procedures

A

Effective termination procedures

37
Q

Which of the following represents a PRIMARY area of interest when conducting a penetration test?

Data mining

Network mapping

Intrusion Detection System (IDS)

Customer data

A

Network mapping

38
Q

The return on investment of information security can BEST be evaluated through which of the following?

Support of business objectives

Security metrics

Security deliverables

Process improvement models

A

Support of business objectives

39
Q

To help ensure that contract personnel do not obtain unauthorized access to sensitive information, an information security manager should PRIMARILY:

set their accounts to expire in six months or less.

avoid granting system administration roles.

ensure they successfully pass background checks.

ensure their access is approved by the data owner.

A

avoid granting system administration roles.

40
Q

Information security policies should:

address corporate network vulnerabilities.

address the process for communicating a violation.

be straightforward and easy to understand.

be customized to specific groups and roles.

A

be straightforward and easy to understand.

41
Q

Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack?

Utilize an intrusion detection system.

Establish minimum security baselines.

Implement vendor recommended settings.

Perform periodic penetration testing.

A

Perform periodic penetration testing.

42
Q

Which of the following presents the GREATEST exposure to internal attack on a network?

User passwords are not automatically expired

All network traffic goes through a single switch

User passwords are encoded but not encrypted

All users reside on a single internal subnet

A

User passwords are encoded but not encrypted

43
Q

Which of the following provides the linkage to ensure that procedures are correctly aligned with information security policy requirements?

Standards

Guidelines

Security metrics

IT governance

A

Standards

44
Q

Which of the following are the MOST important individuals to include as members of an information security steering committee?

Direct reports to the chief information officer

IT management and key business process owners

Cross-section of end users and IT professionals

Internal audit and corporate legal departments

A

IT management and key business process owners

45
Q

Security audit reviews should PRIMARILY:

ensure that controls operate as required.

ensure that controls are cost-effective.

focus on preventive controls.

ensure controls are technologically current.

A

ensure that controls operate as required.

46
Q

Which of the following is the MOST appropriate method to protect a password that opens a confidential file?

Delivery path tracing

Reverse lookup translation

Out-of-band channels

Digital signatures

A

Out-of-band channels

47
Q

What is the MOST effective access control method to prevent users from sharing files with unauthorized users?

Mandatory

Discretionary

Walled garden

Role-based

A

Mandatory

48
Q

Which of the following is an inherent weakness of signature-based intrusion detection systems?

A higher number of false positives

New attack methods will be missed

Long duration probing will be missed

Attack profiles can be easily spoofed

A

New attack methods will be missed

49
Q

Data owners are normally responsible for which of the following?

Applying emergency changes to application data

Administering security over database records

Migrating application code changes to production

Determining the level of application security required

A

Determining the level of application security required

50
Q

Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process?

System analyst

System user

Operations manager

Data security officer

A

System user

51
Q

What is the BEST way to ensure users comply with organizational security requirements for password complexity?

Include password construction requirements in the security standards

Require each user to acknowledge the password requirements

Implement strict penalties for user noncompliance

Enable system-enforced password configuration

A

Enable system-enforced password configuration

52
Q

Which of the following is the MOST appropriate method for deploying operating system (OS) patches to production application servers?

Batch patches into frequent server updates

Initially load the patches on a test machine

Set up servers to automatically download patches

Automatically push all patches to the servers

A

Initially load the patches on a test machine

53
Q

Which of the following would present the GREATEST risk to information security?

Virus signature file updates are applied to all servers every day

Security access logs are reviewed within five business days

Critical patches are applied within 24 hours of their release

Security incidents are investigated within five business days

A

Security incidents are investigated within five business days

54
Q

The PRIMARY reason for using metrics to evaluate information security is to:

identify security weaknesses.

justify budgetary expenditures.

enable steady improvement.

raise awareness on security issues.

A

enable steady improvement.

55
Q

What is the BEST method to confirm that all firewall rules and router configuration settings are adequate?

Periodic review of network configuration

Review intrusion detection system (IDS) logs for evidence of attacks

Periodically perform penetration tests

Daily review of server logs for evidence of hacker activity

A

Periodically perform penetration tests

56
Q

Which of the following is MOST important for measuring the effectiveness of a security awareness program?

Reduced number of security violation reports

A quantitative evaluation to ensure user comprehension

Increased interest in focus groups on security issues

Increased number of security violation reports

A

A quantitative evaluation to ensure user comprehension

57
Q

Which of the following is the MOST important action to take when engaging third-party consultants to conduct an attack and penetration test?

Request a list of the software to be used

Provide clear directions to IT staff

Monitor intrusion detection system (IDS) and firewall logs closely

Establish clear rules of engagement

A

Establish clear rules of engagement

58
Q

Which of the following will BEST prevent an employee from using a USB drive to copy files from desktop computers?

Restrict the available drive allocation on all PCs

Disable universal serial bus (USB) ports on all desktop devices

Conduct frequent awareness training with noncompliance penalties

Establish strict access controls to sensitive information

A

Restrict the available drive allocation on all PCs

59
Q

Which of the following is the MOST important area of focus when examining potential security compromise of a new wireless network?

Signal strength

Number of administrators

Bandwidth

Encryption strength

A

Number of administrators

60
Q

Good information security standards should:

define precise and unambiguous allowable limits.

describe the process for communicating violations.

address high-level objectives of the organization.

be updated frequently as new software is released.

A

define precise and unambiguous allowable limits.

61
Q

Good information security procedures should:

define the allowable limits of behavior.

underline the importance of security governance.

describe security baselines for each platform.

be updated frequently as new software is released.

A

be updated frequently as new software is released.

62
Q

What is the MAIN drawback of e-mailing password-protected zip files across the Internet? They:

all use weak encryption.

are decrypted by the firewall.

may be quarantined by mail filters.

may be corrupted by the receiving mail server.

A

may be quarantined by mail filters.

63
Q

A major trading partner with access to the internal network is unwilling or unable to remediate serious information security exposures within its environment. Which of the following is the BEST recommendation?

Sign a legal agreement assigning them all liability for any breach

Remove all trading partner access until the situation improves

Set up firewall rules restricting network traffic from that location

Send periodic reminders advising them of their noncompliance

A

Set up firewall rules restricting network traffic from that location

64
Q

Documented standards/procedures for the use of cryptography across the enterprise should PRIMARILY:

define the circumstances where cryptography should be used.

define cryptographic algorithms and key lengths.

describe handling procedures of cryptographic keys.

establish the use of cryptographic solutions.

A

define the circumstances where cryptography should be used.

65
Q

Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system (IDS) with the threshold set to a low value?

The number of false positives increases

The number of false negatives increases

Active probing is missed

Attack profiles are ignored

A

The number of false positives increases

66
Q

What is the MOST appropriate change management procedure for the handling of emergency program changes?

Formal documentation does not need to be completed before the change

Business management approval must be obtained prior to the change

Documentation is completed with approval soon after the change

All changes must follow the same process

A

Documentation is completed with approval soon after the change

67
Q

Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken?

Information security officer

Security steering committee

Data owner

Data custodian

A

Security steering committee

68
Q

The PRIMARY focus of the change control process is to ensure that changes are:

authorized.

applied.

documented.

tested.

A

authorized.

69
Q

An information security manager has been asked to develop a change control process. What is the FIRST thing the information security manager should do?

Research best practices

Meet with stakeholders

Establish change control procedures

Identify critical systems

A

Meet with stakeholders

70
Q

A critical device is delivered with a single user and password that is required to be shared for multiple users to access the device. An information security manager has been tasked with ensuring all access to the device is authorized. Which of the following would be the MOST efficient means to accomplish this?

Enable access through a separate device that requires adequate authentication

Implement manual procedures that require password change after each use

Request the vendor to add multiple user IDs

Analyze the logs to detect unauthorized access

A

Enable access through a separate device that requires adequate authentication

71
Q

Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application?

User security procedures

Business process flow

IT security policy

Regulatory requirements

A

IT security policy

72
Q

Which of the following is the MOST important process that an information security manager needs to negotiate with an outsource service provider?

The right to conduct independent security reviews

A legally binding data protection agreement

Encryption between the organization and the provider

A joint risk assessment of the system

A

The right to conduct independent security reviews

73
Q

Which resource is the MOST effective in preventing physical access tailgating/piggybacking?

Card key door locks

Photo identification

Awareness training

Biometric scanners

A

Awareness training

74
Q

In business critical applications, where shared access to elevated privileges by a small group is necessary, the BEST approach to implement adequate segregation of duties is to:

ensure access to individual functions can be granted to individual users only.

implement role-based access control in the application.

enforce manual procedures ensuring separation of conflicting duties.

create service accounts that can only be used by authorized team members.

A

implement role-based access control in the application.

75
Q

In business-critical applications, user access should be approved by the:

information security manager.

data owner.

data custodian.

business management.

A

data owner.

76
Q

In organizations where availability is a primary concern, the MOST critical success factor of the patch management procedure would be the:

testing time window prior to deployment.

technical skills of the team responsible.

certification of validity for deployment.

automated deployment to all the servers.

A

testing time window prior to deployment.

77
Q

To ensure that all information security procedures are functional and accurate, they should be designed with the involvement of:

end users.

legal counsel.

operational units.

audit management.

A

operational units.

78
Q

An information security manager reviewed the access control lists and observed that privileged access was granted to an entire department. Which of the following should the information security manager do FIRST?

Review the procedures for granting access

Establish procedures for granting emergency access

Meet with data owners to understand business needs

Redefine and implement proper access rights

A

Meet with data owners to understand business needs

79
Q

When security policies are strictly enforced, the initial impact is that:

they may have to be modified more frequently.

they will be less subject to challenge.

the total cost of security is increased.

the need for compliance reviews is decreased.

A

the total cost of security is increased.

80
Q

A business partner of a factory has remote read-only access to material inventory to forecast future acquisition orders. An information security manager should PRIMARILY ensure that there is:

an effective control over connectivity and continuity.

a service level agreement (SLA) including code escrow.

a business impact analysis (BIA).

a third-party certification.

A

an effective control over connectivity and continuity.

81
Q

Which of the following should be in place before a black box penetration test begins?

IT management approval

Proper communication and awareness training

A clearly stated definition of scope

An incident response plan

A

A clearly stated definition of scope

82
Q

What is the MOST important element to include when developing user security awareness material?

Information regarding social engineering

Detailed security policies

Senior management endorsement

Easy-to-read and compelling information

A

Easy-to-read and compelling information

83
Q

What is the MOST important success factor in launching a corporate information security awareness program?

Adequate budgetary support

Centralized program management

Top-down approach

Experience of the awareness trainers

A

Top-down approach

84
Q

Which of the following events generally has the highest information security impact?

Opening a new office

Merging with another organization

Relocating the data center

Rewiring the network

A

Merging with another organization

85
Q

The configuration management plan should PRIMARILY be based upon input from:

business process owners.

the information security manager.

the security steering committee.

IT senior management.

A

IT senior management.

86
Q

Which of the following is the MOST effective, positive method to promote security awareness?

Competitions and rewards for compliance

Lock-out after three incorrect password attempts

Strict enforcement of password formats

Disciplinary action for noncompliance

A

Competitions and rewards for compliance

87
Q

An information security program should focus on:

best practices also in place at peer companies.

solutions codified in international standards.

key controls identified in risk assessments.

continued process improvement.

A

key controls identified in risk assessments.

88
Q

Who should determine the appropriate classification of accounting ledger data located on a database server and maintained by a database administrator in the IT department?

Database administrator (DBA)

Finance department management

Information security manager

IT department management

A

Finance department management

89
Q

Which of the following would be the MOST significant security risk in a pharmaceutical institution?

Compromised customer information

Unavailability of online transactions

Theft of security tokens

Theft of a Research and Development laptop

A

Theft of a Research and Development laptop

90
Q

Which of the following is the BEST tool to maintain the currency and coverage of an information security program within an organization?

The program’s governance oversight mechanisms

Information security periodicals and manuals

The program’s security architecture and design

Training and certification of the information security team

A

The program’s governance oversight mechanisms

91
Q

Which of the following would BEST assist an information security manager in measuring the existing level of development of security processes against their desired state?

Security audit reports

Balanced scorecard

Capability maturity model (CMM)

Systems and business security architecture

A

Capability maturity model (CMM)

92
Q

Who is responsible for raising awareness of the need for adequate funding for risk action plans?

Chief information officer (CIO)

Chief financial officer (CFO)

Information security manager

Business unit management

A

Information security manager

93
Q

Managing the life cycle of a digital certificate is a role of a(n):

system administrator.

security administrator.

system developer.

independent trusted source.

A

independent trusted source.

94
Q

Which of the following would be MOST critical to the successful implementation of a biometric authentication system?

Budget allocation

Technical skills of staff

User acceptance

Password requirements

A

User acceptance

95
Q

Change management procedures to ensure that disaster recovery/business continuity plans are kept up-to-date can be BEST achieved through which of the following?

Reconciliation of the annual systems inventory to the disaster recovery/business continuity plans

Periodic audits of the disaster recovery/business continuity plans

Comprehensive walk-through testing

Inclusion as a required step in the system life cycle process

A

Inclusion as a required step in the system life cycle process

96
Q

When a new key business application goes into production, the PRIMARY reason to update relevant business impact analysis (BIA) and business continuity/disaster recovery plans is because:

this is a requirement of the security policy.

software licenses may expire in the future without warning.

the asset inventory must be maintained.

service level agreements may not otherwise be met.

A

service level agreements may not otherwise be met.

97
Q

To reduce the possibility of service interruptions, an entity enters into contracts with multiple Internet service providers (ISPs). Which of the following would be the MOST important item to include?

Service level agreements (SLAs)

Right to audit clause

Intrusion detection system (IDS) services

Spam filtering services

A

Service level agreements (SLAs)

98
Q

To mitigate a situation where one of the programmers of an application requires access to production data, the information security manager could BEST recommend to:

create a separate account for the programmer as a power user.

log all of the programmer’s activity for review by supervisor.

have the programmer sign a letter accepting full responsibility.

perform regular audits of the application.

A

log all of the programmer’s activity for review by supervisor.

99
Q

Before engaging outsourced providers, an information security manager should ensure that the organization’s data classification requirements:

are compatible with the provider’s own classification.

are communicated to the provider.

exceed those of the outsourcer.

are stated in the contract.

A

are stated in the contract.

100
Q

What is the GREATEST risk when there is an excessive number of firewall rules?

One rule may override another rule in the chain and create a loophole

Performance degradation of the whole network

The firewall may not support the increasing number of rules due to limitations

The firewall may show abnormal behavior and may crash or automatically shut down

A

One rule may override another rule in the chain and create a loophole

101
Q

Which of the following would be the MOST appropriate physical security solution for the main entrance to a data center?

Mantrap

Biometric lock

Closed-circuit television (CCTV)

Security guard

A

Biometric lock

102
Q

What is the GREATEST advantage of documented guidelines and operating procedures from a security perspective?

Provide detailed instructions on how to carry out different types of tasks

Ensure consistency of activities to provide a more stable environment

Ensure compliance to security standards and regulatory requirements

Ensure reusability to meet compliance to quality requirements

A

Ensure consistency of activities to provide a more stable environment

103
Q

What is the BEST way to ensure data protection upon termination of employment?

Retrieve identification badge and card keys

Retrieve all personal computer equipment

Erase all of the employee’s folders

Ensure all logical access is removed

A

Ensure all logical access is removed

104
Q

The MOST important reason for formally documenting security procedures is to ensure:

processes are repeatable and sustainable.

alignment with business objectives.

auditability by regulatory agencies.

objective criteria for the application of metrics.

A

processes are repeatable and sustainable.

105
Q

Which of the following is the BEST approach for an organization desiring to protect its intellectual property?

Conduct awareness sessions on intellectual property policy

Require all employees to sign a nondisclosure agreement

Promptly remove all access when an employee leaves the organization

Restrict access to a need-to-know basis

A

Restrict access to a need-to-know basis

106
Q

The “separation of duties” principle is violated if which of the following individuals has update rights to the database access control list (ACL)?

Data owner

Data custodian

Systems programmer

Security administrator

A

Systems programmer

107
Q

An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download non-sensitive production data for software testing purposes. The information security manager should recommend which of the following?

Restrict account access to read only

Log all usage of this account

Suspend the account and activate only when needed

Require that a change request be submitted for each download

A

Restrict account access to read only

108
Q

Which would be the BEST recommendation to protect against phishing attacks?

Install an antispam system

Publish security guidance for customers

Provide security awareness to the organization’s staff

Install an application-level firewall

A

Publish security guidance for customers

109
Q

Which of the following is the BEST indicator that an effective security control is built into an organization?

The monthly service level statistics indicate a minimal impact from security issues.

The cost of implementing a security control is less than the value of the assets.

The percentage of systems that is compliant with security standards.

The audit reports do not reflect any significant findings on security.

A

The monthly service level statistics indicate a minimal impact from security issues.

110
Q

What is the BEST way to alleviate security team understaffing while retaining the capability in-house?

Hire a contractor that would not be included in the permanent headcount

Outsource with a security services provider while retaining the control internally

Establish a virtual security team from competent employees across the company

Provide cross training to minimize the existing resources gap

A

Establish a virtual security team from competent employees across the company

111
Q

An information security manager wishing to establish security baselines would:

include appropriate measurements in the system development life cycle.

implement the security baselines to establish information security best practices.

implement the security baselines to fulfill laws and applicable regulations in different jurisdictions.

leverage information security as a competitive advantage.

A

implement the security baselines to establish information security best practices.

112
Q

Requiring all employees and contractors to meet personnel security/suitability requirements commensurate with their position sensitivity level and subject to personnel screening is an example of a security:

policy.

strategy.

guideline.

baseline.

A

policy.

113
Q

An organization’s information security manager has been asked to hire a consultant to help assess the maturity level of the organization’s information security management. The MOST important element of the request for proposal (RFP) is the:

references from other organizations.

past experience of the engagement team.

sample deliverable.

methodology used in the assessment.

A

methodology used in the assessment.

114
Q

Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to:

assess the problems and institute rollback procedures, if needed.

disconnect the systems from the network until the problems are corrected.

immediately uninstall the patches from these systems.

immediately contact the vendor regarding the problems that occurred.

A

assess the problems and institute rollback procedures, if needed.

115
Q

When defining a service level agreement (SLA) regarding the level of data confidentiality that is handled by a third-party service provider, the BEST indicator of compliance would be the:

access control matrix.

encryption strength.

authentication mechanism.

data repository.

A

access control matrix.

116
Q

The PRIMARY reason for involving information security at each stage in the systems development life cycle (SDLC) is to identify the security implications and potential solutions required for:

identifying vulnerabilities in the system.

sustaining the organization’s security posture.

the existing systems that will be affected.

complying with segregation of duties.

A

sustaining the organization’s security posture.

It is important to maintain the organization’s security posture at all times. The focus should not be confined to the new system being developed or acquired, or to the existing systems in use. Segregation of duties is only part of a solution to improving the security of the systems, not the primary reason to involve security in the systems development life cycle (SDLC).

117
Q

The implementation of continuous monitoring controls is the BEST option where:

incidents may have a high impact and frequency

legislation requires strong information security controls

incidents may have a high impact but low frequency

electronic commerce is a primary business driver

A

incidents may have a high impact and frequency

118
Q

A third party was engaged to develop a business application. Which of the following would an information security manager BEST test for the existence of back doors?

System monitoring for traffic on network ports

Security code reviews for the entire application

Reverse engineering the application binaries

Running the application from a high-privileged account on a test system

A

Security code reviews for the entire application

119
Q

An information security manager reviewing firewall rules will be MOST concerned if the firewall allows:

source routing.

broadcast propagation.

unregistered ports.

nonstandard protocols.

A

source routing.

120
Q

What is the MOST cost-effective means of improving security awareness of staff personnel?

Employee monetary incentives

User education and training

A zero-tolerance security policy

Reporting of security infractions

A

User education and training

121
Q

Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)?

Card-key door locks

Photo identification

Biometric scanners

Awareness training

A

Awareness training

122
Q

Data owners will determine what access and authorizations users will have by:

delegating authority to data custodian.

cloning existing user accounts.

determining hierarchical preferences.

mapping to business needs.

A

mapping to business needs.

123
Q

Which of the following is the MOST likely outcome of a well-designed information security awareness course?

Increased reporting of security incidents to the incident response function

Decreased reporting of security incidents to the incident response function

Decrease in the number of password resets

Increase in the number of identified system vulnerabilities

A

Increased reporting of security incidents to the incident response function

124
Q

Which item would be the BEST to include in the information security awareness training program for new general staff employees?

Review of various security models

Discussion of how to construct strong passwords

Review of roles that have privileged access

Discussion of vulnerability assessment results

A

Review of various security models

125
Q

A critical component of a continuous improvement program for information security is:

measuring processes and providing feedback.

developing a service level agreement (SLA) for security.

tying corporate security standards to a recognized international standard.

ensuring regulatory compliance.

A

measuring processes and providing feedback.

126
Q

The management staff of an organization that does not have a dedicated security function decides to use its IT manager to perform a security review. The MAIN job requirement in this arrangement is that the IT manager:

report risks in other departments.

obtain support from other departments.

report significant security risks.

have knowledge of security standards.

A

report significant security risks.

127
Q

An organization has implemented an enterprise resource planning (ERP) system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate?

Rule-based

Mandatory

Discretionary

Role-based

A

Role-based

128
Q

An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that:

an audit of the service provider uncovers no significant weakness.

the contract includes a nondisclosure agreement (NDA) to protect the organization’s intellectual property.

the contract should mandate that the service provider will comply with security policies.

the third-party service provider conducts regular penetration testing.

A

the contract should mandate that the service provider will comply with security policies.

129
Q

Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?

To mitigate technical risks

To have an independent certification of network security

To receive an independent view of security exposures

To identify a complete list of vulnerabilities

A

To receive an independent view of security exposures

130
Q

A new port needs to be opened in a perimeter firewall. Which of the following should be the FIRST step before initiating any changes?

Prepare an impact assessment report.

Conduct a penetration test.

Obtain approval from senior management.

Back up the firewall configuration and policy files.

A

Prepare an impact assessment report.

131
Q

An organization plans to outsource its customer relationship management (CRM) to a third-party service provider. Which of the following should the organization do FIRST?

Request that the third-party provider perform background checks on their employees.

Perform an internal risk assessment to determine needed controls.

Audit the third-party provider to evaluate their security controls.

Perform a security assessment to detect security vulnerabilities.

A

Perform an internal risk assessment to determine needed controls.

132
Q

Which of the following would raise security awareness among an organization’s employees?

Distributing industry statistics about security incidents

Monitoring the magnitude of incidents

Encouraging employees to behave in a more conscious manner

Continually reinforcing the security policy

A

Continually reinforcing the security policy

133
Q

Which of the following is the MOST appropriate method of ensuring password strength in a large organization?

Attempt to reset several passwords to weaker values

Install code to capture passwords for periodic audit

Sample a subset of users and request their passwords for review

Review general security settings on each platform

A

Review general security settings on each platform

134
Q

What is the MOST cost-effective method of identifying new vendor vulnerabilities?

External vulnerability reporting sources

Periodic vulnerability assessments performed by consultants

Intrusion prevention software

Honey pots located in the DMZ

A

External vulnerability reporting sources

135
Q

Which of the following is the BEST approach for improving information security management processes?

Conduct periodic security audits.

Perform periodic penetration testing.

Define and monitor security metrics.

Survey business units for feedback.

A

Define and monitor security metrics.

136
Q

An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to:

validate and sanitize client side inputs.

harden the database listener component.

normalize the database schema to the third normal form.

ensure that the security patches are updated on operating systems.

A

validate and sanitize client side inputs.

137
Q

The root cause of a successful cross site request forgery (XSRF) attack against an application is that the vulnerable application:

uses multiple redirects for completing a data commit transaction.

has implemented cookies as the sole authentication mechanism.

has been installed with a non-legitimate license key.

is hosted on a server along with other applications.

A

has implemented cookies as the sole authentication mechanism.

138
Q

Of the following, retention of business records should be PRIMARILY based on:

periodic vulnerability assessment.

regulatory and legal requirements.

device storage capacity and longevity.

past litigation.

A

regulatory and legal requirements.

139
Q

An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?

A due diligence security review of the business partner’s security controls

Ensuring that the business partner has an effective business continuity program

Ensuring that the third party is contractually obligated to all relevant security requirements

Talking to other clients of the business partner to check references for performance

A

Ensuring that the third party is contractually obligated to all relevant security requirements

140
Q

An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract?

Right to audit

Nondisclosure agreement

Proper firewall implementation

Dedicated security manager for monitoring compliance

A

Right to audit

141
Q

Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?

Provide security awareness training to the third-party provider’s employees

Conduct regular security reviews of the third-party provider

Include security requirements in the service contract

Request that the third-party provider comply with the organization’s information security policy

A

Conduct regular security reviews of the third-party provider

142
Q

An organization’s operations staff places payment files in a shared network folder and then the disbursement staff picks up the files for payment processing. This manual intervention will be automated some months later, thus cost-efficient controls are sought to protect against file alterations. Which of the following would be the BEST solution?

Design a training program for the staff involved to heighten information security awareness

Set role-based access permissions on the shared folder

The end user develops a PC macro program to compare sender and recipient file contents

Shared folder operators sign an agreement to pledge not to commit fraudulent activities

A

Set role-based access permissions on the shared folder

143
Q

Which of the following BEST ensures that security risks will be reevaluated when modifications in application developments are made?

A problem management process

Background screening

A change control process

Business impact analysis (BIA)

A

A change control process

144
Q

Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities?

Vulnerability scans

Penetration tests

Code reviews

Security audits

A

Penetration tests

145
Q

In which of the following system development life cycle (SDLC) phases are access control and encryption algorithms chosen?

Procedural design

Architectural design

System design specifications

Software development

A

System design specifications

146
Q

Which of the following is generally considered a fundamental component of an information security program?

Role-based access control systems

Automated access provisioning

Security awareness training

Intrusion prevention systems (IPSs)

A

Security awareness training

147
Q

How would an organization know if its new information security program is accomplishing its goals?

Key metrics indicate a reduction in incident impacts.

Senior management has approved the program and is supportive of it.

Employees are receptive to changes that were implemented.

There is an immediate reduction in reported incidents.

A

Key metrics indicate a reduction in incident impacts.

ing program, but are not as significant as the key metrics indicator. An immediate reduction in reported incidents, in contrast, may indicate that it is not successful.

148
Q

A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that:

it simulates the real-life situation of an external security attack.

human intervention is not required for this type of test.

less time is spent on reconnaissance and information gathering.

critical infrastructure information is not revealed to the tester.

A

less time is spent on reconnaissance and information gathering.

149
Q

Which of the following is the BEST method to reduce the number of incidents of employees forwarding spam and chain e-mail messages?

Acceptable use policy

Setting low mailbox limits

User awareness training

Taking disciplinary action

A

User awareness training

150
Q

Which of the following is the BEST approach to mitigate online brute-force attacks on user accounts?

Passwords stored in encrypted form

User awareness

Strong passwords that are changed periodically

Implementation of lock-out policies

A

Implementation of lock-out policies

151
Q

Which of the following measures is the MOST effective deterrent against disgruntled staff abusing their privileges?

Layered defense strategy

System audit log monitoring

Signed acceptable use policy

High-availability systems

A

Signed acceptable use policy

152
Q

The advantage of sending messages using steganographic techniques, as opposed to utilizing encryption, is that:

the existence of messages is unknown.

required key sizes are smaller.

traffic cannot be sniffed.

reliability of the data is higher in transit.

A

the existence of messages is unknown.

153
Q

As an organization grows, exceptions to information security policies that were not originally specified may become necessary at a later date. In order to ensure effective management of business risks, exceptions to such policies should be:

considered at the discretion of the information owner.

approved by the next higher person in the organizational structure.

formally managed within the information security framework.

reviewed and approved by the security manager.

A

formally managed within the information security framework.

154
Q

There is reason to believe that a recently modified web application has allowed unauthorized access. Which is the BEST way to identify an application backdoor?

Black box pen test

Security audit

Source code review

Vulnerability scan

A

Source code review

155
Q

Simple Network Management Protocol v2 (SNMP v2) is used frequently to monitor networks. Which of the following vulnerabilities does it always introduce?

Remote buffer overflow

Cross site scripting

Clear text authentication

Man-in-the-middle attack

A

Clear text authentication

156
Q

Which of the following is the FIRST phase in which security should be addressed in the development cycle of a project?

Design

Implementation

Application security testing

Feasibility

A

Feasibility

157
Q
A