CISM Practice B Topic 3 Flashcards

1
Q

Who can BEST advocate the development of and ensure the success of an information security program?

Internal auditor

Chief operating officer (COO)

Steering committee

IT management

A

Steering committee

2
Q

Which of the following BEST ensures that information transmitted over the Internet will remain confidential?

Virtual private network (VPN)

Firewalls and routers

Biometric authentication

Two-factor authentication

A

Virtual private network (VPN)

3
Q

The effectiveness of virus detection software is MOST dependent on which of the following?

Packet filtering

Intrusion detection

Software upgrades

Definition tables

A

Definition tables

4
Q

Which of the following is the MOST effective type of access control?

Centralized

Role-based

Decentralized

Discretionary

A

Role-based

5
Q

Which of the following devices should be placed within a DMZ?

Router

Firewall

Mail relay

Authentication server

A

Mail relay

6
Q

An intrusion detection system should be placed:

outside the firewall.

on the firewall server.

on a screened subnet.

on the external router.

A

on a screened subnet.

7
Q

The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to:

provide in-depth defense.

separate test and production.

permit traffic load balancing.

prevent a denial-of-service attack.

A

permit traffic load balancing.

8
Q

An extranet server should be placed:

outside the firewall.

on the firewall server.

on a screened subnet.

on the external router.

A

on a screened subnet.

9
Q

Which of the following is the BEST metric for evaluating the effectiveness of security awareness training? The number of:

password resets.

reported incidents.

incidents resolved.

access rule violations.

A

reported incidents.

10
Q

Security monitoring mechanisms should PRIMARILY:

focus on business-critical information.

assist owners to manage control risks.

focus on detecting network intrusions.

record all security violations.

A

focus on business-critical information.

11
Q

Which of the following is the BEST method for ensuring that security procedures and guidelines are known and understood?

Periodic focus group meetings

Periodic compliance reviews

Computer-based certification training (CBT)

Employee’s signed acknowledgement

A

Computer-based certification training (CBT)

12
Q

When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:

right-to-terminate clause.

limitations of liability.

service level agreement (SLA).

financial penalties clause.

A

service level agreement (SLA).

13
Q

Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism?

Number of attacks detected

Number of successful attacks

Ratio of false positives to false negatives

Ratio of successful to unsuccessful attacks

A

Ratio of false positives to false negatives

14
Q

Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems?

Patch management

Change management

Security baselines

Virus detection

A

Change management

15
Q

Which of the following tools is MOST appropriate for determining how long a security project will take to implement?

Gantt chart

Waterfall chart

Critical path

Rapid Application Development (RAD)

A

Critical path

16
Q

Which of the following is MOST effective in preventing security weaknesses in operating systems?

Patch management

Change management

Security baselines

Configuration management

A

Patch management

17
Q

When a proposed system change violates an existing security standard, the conflict would be BEST resolved by:

calculating the residual risk.

enforcing the security standard.

redesigning the system change.

implementing mitigating controls.

A

calculating the residual risk.

18
Q

Who can BEST approve plans to implement an information security governance framework?

Internal auditor

Information security management

Steering committee

Infrastructure management

A

Steering committee

19
Q

Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?

Baseline security standards

System access violation logs

Role-based access controls

Exit routines

A

Role-based access controls

20
Q

Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender?

Biometric authentication

Embedded steganographic

Two-factor authentication

Embedded digital signature

A

Embedded digital signature

21
Q

Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers?

Daily

Weekly

Concurrently with O/S patch updates

During scheduled change control updates

A

Daily

22
Q

Which of the following devices should be placed within a demilitarized zone (DMZ)?

Network switch

Web server

Database server

File/print server

A

Web server

23
Q

On which of the following should a firewall be placed?

Web server

Intrusion detection system (IDS) server

Screened subnet

Domain boundary

A

Domain boundary

24
Q

An intranet server should generally be placed on the:

internal network.

firewall server.

external router.

primary domain controller.

A

internal network.

25
Q

Access control to a sensitive intranet application by mobile users can BEST be implemented through:

data encryption.

digital signatures.

strong passwords.

two-factor authentication.

A

two-factor authentication.

26
Q

When application-level security controlled by business process owners is found to be poorly managed, which of the following could BEST improve current practices?

Centralizing security management

Implementing sanctions for noncompliance

Policy enforcement by IT management

Periodic compliance reviews

A

Centralizing security management

27
Q

Security awareness training is MOST likely to lead to which of the following?

Decrease in intrusion incidents

Increase in reported incidents

Decrease in security policy changes

Increase in access rule violations

A

Increase in reported incidents

28
Q

The information classification scheme should:

consider possible impact of a security breach.

classify personal information in electronic form.

be performed by the information security manager.

classify systems according to the data processed.

A

consider possible impact of a security breach.

29
Q

Which of the following is the BEST method to provide a new user with their initial password for email system access?

Interoffice a system-generated complex password with 30 days expiration

Give a dummy password over the telephone set for immediate expiration

Require no password but force the user to set their own in 10 days

Set initial password equal to the user ID with expiration in 30 days

A

Give a dummy password over the telephone set for immediate expiration

30
Q

An information security program should be sponsored by:

infrastructure management.

the corporate audit department.

key business process owners.

information security management.

A

key business process owners.

31
Q

Which of the following is the MOST important item to include when developing web hosting agreements with third-party providers?

Termination conditions

Liability limits

Service levels

Privacy restrictions

A

Service levels

32
Q

The BEST metric for evaluating the effectiveness of a firewall is the:

number of attacks blocked.

number of packets dropped.

average throughput rate.

number of firewall rules.

A

number of attacks blocked.

33
Q

Which of the following ensures that newly identified security weaknesses in an operating system are mitigated in a timely fashion?

Patch management

Change management

Security baselines

Acquisition management

A

Patch management

34
Q

The MAIN advantage of implementing automated password synchronization is that it:

reduces overall administrative workload.

increases security between multi-tier systems.

allows passwords to be changed less frequently.

reduces the need for two-factor authentication.

A

reduces overall administrative workload.

35
Q

Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met?

SWOT analysis

Waterfall chart

Gap analysis

Balanced scorecard

A

Balanced scorecard

36
Q

Which of the following is MOST effective in preventing the introduction of a code modification that may reduce the security of a critical business application?

Patch management

Change management

Security metrics

Version control

A

Change management

37
Q

An operating system (OS) noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution?

Rewrite the application to conform to the upgraded operating system

Compensate for not installing the patch with mitigating controls

Alter the patch to allow the application to run in a privileged state

Run the application on a test platform; tune production to allow patch and application

A

Compensate for not installing the patch with mitigating controls

38
Q

Which of the following is MOST important to the success of an information security program?

Security awareness training

Achievable goals and objectives

Senior management sponsorship

Adequate start-up budget and staffing

A

Senior management sponsorship

39
Q

Which of the following is MOST important for a successful information security program?

Adequate training on emerging security technologies

Open communication with key process owners

Adequate policies, standards and procedures

Executive management commitment

A

Executive management commitment

40
Q

Which of the following is the MOST effective solution for preventing individuals external to the organization from modifying sensitive information on a corporate database?

Screened subnets

Information classification policies and procedures

Role-based access controls

Intrusion detection system (IDS)

A

Screened subnets

41
Q

Which of the following technologies is utilized to ensure that an individual connecting to a corporate internal network over the Internet is not an intruder masquerading as an authorized user?

Intrusion detection system (IDS)

IP address packet filtering

Two-factor authentication

Embedded digital signature

A

Two-factor authentication

42
Q

What is an appropriate frequency for updating operating system (OS) patches on production servers?

During scheduled rollouts of new applications

According to a fixed security patch management schedule

Concurrently with quarterly hardware maintenance

Whenever important security patches are released

A

Whenever important security patches are released

43
Q

Which of the following devices should be placed within a DMZ?

Proxy server

Application server

Departmental server

Data warehouse server

A

Application server

44
Q

A border router should be placed on which of the following?

Web server

IDS server

Screened subnet

Domain boundary

A

Domain boundary

45
Q

An e-commerce order fulfillment web server should generally be placed on which of the following?

Internal network

Demilitarized zone (DMZ)

Database server

Domain controller

A

Demilitarized zone (DMZ)

46
Q

Secure customer use of an e-commerce application can BEST be accomplished through:

data encryption.

digital signatures.

strong passwords.

two-factor authentication.

A

data encryption.

47
Q

What is the BEST defense against a Structured Query Language (SQL) injection attack?

Regularly updated signature files

A properly configured firewall

An intrusion detection system

Strict controls on input fields

A

Strict controls on input fields

48
Q

Which of the following is the MOST important consideration when implementing an intrusion detection system (IDS)?

Tuning

Patching

Encryption

Packet filtering

A

Tuning

49
Q

Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register?

Authentication

Hardening

Encryption

Nonrepudiation

A

Encryption

50
Q

Which of the following practices is BEST to remove system access for contractors and other temporary users when it is no longer required?

Log all account usage and send it to their manager

Establish predetermined automatic expiration dates

Require managers to e-mail security when the user leaves

Ensure each individual has signed a security acknowledgement

A

Establish predetermined automatic expiration dates

51
Q

Primary direction on the impact of compliance with new regulatory requirements that may lead to major application system changes should be obtained from the:

corporate internal auditor.

system developers/analysts.

key business process owners.

corporate legal counsel.

A

key business process owners.

52
Q

Which of the following is the MOST important item to consider when evaluating products to monitor security across the enterprise?

Ease of installation

Product documentation

Available support

System overhead

A

System overhead

53
Q

Which of the following is the MOST important guideline when using software to scan for security exposures within a corporate network?

Never use open source tools

Focus only on production servers

Follow a linear process for attacks

Do not interrupt production processes

A

Do not interrupt production processes

54
Q

Which of the following BEST ensures that modifications made to in-house developed business applications do not introduce new security exposures?

Stress testing

Patch management

Change management

Security baselines

A

Change management

55
Q

The advantage of Virtual Private Network (VPN) tunneling for remote users is that it:

helps ensure that communications are secure.

increases security between multi-tier systems.

allows passwords to be changed less frequently.

eliminates the need for secondary authentication.

A

helps ensure that communications are secure.

56
Q

Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network?

Boundary router

Strong encryption

Internet-facing firewall

Intrusion detection system (IDS)

A

Strong encryption

57
Q

Which of the following is MOST effective in protecting against the attack technique known as phishing?

Firewall blocking rules

Up-to-date signature files

Security awareness training

Intrusion detection monitoring

A

Security awareness training

58
Q

When a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning, which of the following should automatically occur FIRST?

The firewall should block all inbound traffic during the outage

All systems should block new logins until the problem is corrected

Access control should fall back to no synchronized mode

System logs should record all user activity for later analysis

A

Access control should fall back to no synchronized mode

59
Q

Which of the following is the MOST important risk associated with middleware in a client-server environment?

Server patching may be prevented

System backups may be incomplete

System integrity may be affected

End-user sessions may be hijacked

A

System integrity may be affected

60
Q

An outsource service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know?

Security in storage and transmission of sensitive data

Provider’s level of compliance with industry standards

Security technologies in place at the facility

Results of the latest independent security review

A

Security in storage and transmission of sensitive data

61
Q

Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization’s network?

Configuration of firewalls

Strength of encryption algorithms

Authentication within application

Safeguards over keys

A

Safeguards over keys

62
Q

In the process of deploying a new e-mail system, an information security manager would like to ensure the confidentiality of messages while in transit. Which of the following is the MOST appropriate method to ensure data confidentiality in a new e-mail system implementation?

Encryption

Digital certificate

Digital signature

Hashing algorithm

A

Encryption

63
Q

The MOST important reason that statistical anomaly-based intrusion detection systems (stat IDSs) are less commonly used than signature-based IDSs is that stat IDSs:

create more overhead than signature-based IDSs.

cause false positives from minor changes to system variables.

generate false alarms from varying user or system actions.

cannot detect new types of attacks.

A

generate false alarms from varying user or system actions.

64
Q

An information security manager uses security metrics to measure the:

performance of the information security program.

performance of the security baseline.

effectiveness of the security risk analysis.

effectiveness of the incident response team.

A

performance of the information security program.

65
Q

The MOST important success factor to design an effective IT security awareness program is to:

customize the content to the target audience.

ensure senior management is represented.

ensure that all the staff is trained.

avoid technical content but give concrete examples.

A

customize the content to the target audience.

66
Q

Which of the following practices completely prevents a man-in-the-middle (MitM) attack between two hosts?

Use security tokens for authentication

Connect through an IPSec VPN

Use https with a server-side certificate

Enforce static media access control (MAC) addresses

A

Connect through an IPSec VPN

67
Q

Which of the following features is normally missing when using Secure Sockets Layer (SSL) in a web browser?

Certificate-based authentication of web client

Certificate-based authentication of web server

Data confidentiality between client and web server

Multiple encryption algorithms

A

Certificate-based authentication of web client

68
Q

The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C) financial web application is:

Secure Sockets Layer (SSL).

Secure Shell (SSH).

IP Security (IPSec).

Secure/Multipurpose Internet Mail Extensions (S/MIME).

A

Secure Sockets Layer (SSL).

69
Q

A message that has been encrypted by the sender’s private key and again by the receiver’s public key achieves:

authentication and authorization.

confidentiality and integrity.

confidentiality and nonrepudiation.

authentication and nonrepudiation.

A

confidentiality and nonrepudiation.

70
Q

When a user employs a client-side digital certificate to authenticate to a web server through Secure Sockets Layer (SSL), confidentiality is MOST vulnerable to which of the following?

IP spoofing

Man-in-the-middle attack

Repudiation

Trojan

A

Trojan

71
Q

Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee?

Security compliant servers trend report

Percentage of security compliant servers

Number of security patches applied

Security patches applied trend report

A

Security compliant servers trend report

72
Q

It is important to develop an information security baseline because it helps to define:

critical information resources needing protection.

a security policy for the entire organization.

the minimum acceptable security to be implemented.

required physical and logical access controls.

A

the minimum acceptable security to be implemented.

73
Q

Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation?

Symmetric cryptography

Public key infrastructure (PKI)

Message hashing

Message authentication code

A

Public key infrastructure (PKI)

74
Q

Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?

Regular review of access control lists

Security guard escort of visitors

Visitor registry log at the door

A biometric coupled with a PIN

A

Regular review of access control lists

75
Q

To BEST improve the alignment of the information security objectives in an organization, the chief information security officer (CISO) should:

revise the information security program.

evaluate a balanced business scorecard.

conduct regular user awareness sessions.

perform penetration tests.

A

evaluate a balanced business scorecard.

76
Q

What is the MOST important item to be included in an information security policy?

The definition of roles and responsibilities

The scope of the security program

The key objectives of the security program

Reference to procedures and standards of the security program

A

The key objectives of the security program

77
Q

In an organization, information systems security is the responsibility of:

all personnel.

information systems personnel.

information systems security personnel.

functional personnel.

A

all personnel.

78
Q

An organization without any formal information security program that has decided to implement information security best practices should FIRST:

invite an external consultant to create the security strategy.

allocate budget based on best practices.

benchmark similar organizations.

define high-level business security requirements.

A

define high-level business security requirements.

79
Q

When considering the value of assets, which of the following would give the information security manager the MOST objective basis for measurement of value delivery in information security governance?

Number of controls

Cost of achieving control objectives

Effectiveness of controls

Test results of controls

A

Cost of achieving control objectives

80
Q

Which of the following would be the BEST metric for the IT risk management process?

Number of risk management action plans

Percentage of critical assets with budgeted remedial

Percentage of unresolved risk exposures

Number of security incidents identified

A

Percentage of critical assets with budgeted remedial

81
Q

Which of the following is a key area of the ISO 27001 framework?

Operational risk assessment

Financial crime metrics

Capacity management

Business continuity management

A

Business continuity management

82
Q

The MAIN goal of an information security strategic plan is to:

develop a risk assessment plan.

develop a data protection plan.

protect information assets and resources.

establish security governance.

A

protect information assets and resources.

83
Q

Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?

Encrypting first by receiver’s private key and second by sender’s public key

Encrypting first by sender’s private key and second by receiver’s public key

Encrypting first by sender’s private key and second decrypting by sender’s public key

Encrypting first by sender’s public key and second by receiver’s private key

A

Encrypting first by sender’s private key and second by receiver’s public key

84
Q

The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to:

change the root password of the system.

implement multifactor authentication.

rebuild the system from the original installation medium.

disconnect the mail server from the network.

A

rebuild the system from the original installation medium.

85
Q

The IT function has declared that, when putting a new application into production, it is not necessary to update the business impact analysis (BIA) because it does not produce modifications in the business processes. The information security manager should:

verify the decision with the business units.

check the system’s risk analysis.

recommend update after post implementation review.

request an audit review.

A

verify the decision with the business units.

86
Q

A risk assessment study carried out by an organization noted that there is no segmentation of the local area network (LAN). Network segmentation would reduce the potential impact of which of the following?

Denial of service (DoS) attacks

Traffic sniffing

Virus infections

IP address spoofing

A

Traffic sniffing

87
Q

The PRIMARY objective of an Internet usage policy is to prevent:

access to inappropriate sites.

downloading malicious code.

violation of copyright laws.

disruption of Internet access.

A

disruption of Internet access.

88
Q

An internal review of a web-based application system finds the ability to gain access to all employees’ accounts by changing the employee’s ID on the URL used for accessing the account. The vulnerability identified is:

broken authentication.

unvalidated input.

cross-site scripting.

structured query language (SQL) injection.

A

broken authentication.

89
Q

A test plan to validate the security controls of a new system should be developed during which phase of the project?

Testing

Initiation

Design

Development

A

Design

90
Q

The MOST effective way to ensure that outsourced service providers comply with the organization’s information security policy would be:

service level monitoring.

penetration testing.

periodically auditing.

security awareness training.

A

periodically auditing.

91
Q

In order to protect a network against unauthorized external connections to corporate systems, the information security manager should BEST implement:

a strong authentication.

IP anti-spoofing filtering.

network encryption protocol.

access lists of trusted devices.

A

a strong authentication.

92
Q

The PRIMARY driver to obtain external resources to execute the information security program is that external resources can:

contribute cost-effective expertise not available internally.

be made responsible for meeting the security program requirements.

replace the dependence on internal resources.

deliver more effectively on account of their knowledge.

A

contribute cost-effective expertise not available internally.

93
Q

Priority should be given to which of the following to ensure effective implementation of information security governance?

Consultation

Negotiation

Facilitation

Planning

A

Planning

94
Q

The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information security program is to:

ensure the confidentiality of sensitive material.

provide a high assurance of identity.

allow deployment of the active directory.

implement secure sockets layer (SSL) encryption.

A

provide a high assurance of identity.

95
Q

Which of the following controls would BEST prevent accidental system shutdown from the console or operations area?

Redundant power supplies

Protective switch covers

Shutdown alarms

Biometric readers

A

Protective switch covers

96
Q

Which of the following is the MOST important reason why information security objectives should be defined?

Tool for measuring effectiveness

General understanding of goals

Consistency with applicable standards

Management sign-off and support initiatives

A

Tool for measuring effectiveness

97
Q

What is the BEST policy for securing data on mobile universal serial bus (USB) drives?

Authentication

Encryption

Prohibit employees from copying data to USB devices

Limit the use of USB devices

A

Encryption

98
Q

When speaking to an organization’s human resources department about information security, an information security manager should focus on the need for:

an adequate budget for the security program.

recruitment of technical IT employees.

periodic risk assessments.

security awareness training for employees.

A

security awareness training for employees.

99
Q

Which of the following would BEST protect an organization’s confidential data stored on a laptop computer from unauthorized access?

Strong authentication by password

Encrypted hard drives

Multifactor authentication procedures

Network-based data backup

A

Encrypted hard drives

100
Q

What is the MOST important reason for conducting security awareness programs throughout an organization?

Reducing the human risk

Maintaining evidence of training records to ensure compliance

Informing business units about the security strategy

Training personnel in security incident response

A

Reducing the human risk

101
Q

At what stage of the applications development process would encryption key management initially be addressed?

Requirements development

Deployment

Systems testing

Code reviews

A

Requirements development

102
Q

The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization’s security requirements is:

messages displayed at every logon.

periodic security-related e-mail messages.

an Intranet web site for information security.

circulating the information security policy.

A

messages displayed at every logon.

103
Q

Which of the following would be the BEST defense against sniffing?

Password protect the files

Implement a dynamic IP address scheme

Encrypt the data being transmitted

Set static mandatory access control (MAC) addresses

A

Encrypt the data being transmitted

104
Q

A digital signature using a public key infrastructure (PKI) will:

not ensure the integrity of a message.

rely on the extent to which the certificate authority (CA) is trusted.

require two parties to the message exchange.

provide a high level of confidentiality.

A

rely on the extent to which the certificate authority (CA) is trusted.

105
Q

When configuring a biometric access control system that protects a high-security data center, the system’s sensitivity level should be set:

to a higher false reject rate (FRR).

to a lower crossover error rate.

to a higher false acceptance rate (FAR).

exactly to the crossover error rate.

A

to a higher false reject rate (FRR).

106
Q

Which of the following is the BEST method to securely transfer a message?

Password-protected removable media

Facsimile transmission in a secured room

Using public key infrastructure (PKI) encryption

Steganography

A

Using public key infrastructure (PKI) encryption

107
Q

Which of the following would be the FIRST step in establishing an information security program?

Develop the security policy.

Develop security operating procedures.

Develop the security plan.

Conduct a security controls study.

A

Develop the security plan.

108
Q

An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage cross-training. Which type of authorization policy would BEST address this practice?

Multilevel

Role-based

Discretionary

Attribute-based

A

Role-based

109
Q

Which of the following is the MOST important reason for an information security review of contracts? To help ensure that:

the parties to the agreement can perform.

confidential data are not included in the agreement.

appropriate controls are included.

the right to audit is a requirement.

A

appropriate controls are included.

110
Q

For virtual private network (VPN) access to the corporate network, the information security manager is requiring strong authentication. Which of the following is the strongest method to ensure that logging onto the network is secure?

Biometrics

Symmetric encryption keys

Secure Sockets Layer (SSL)-based authentication

Two-factor authentication

A

Two-factor authentication

111
Q

Which of the following guarantees that data in a file have not changed?

Inspecting the modified date of the file

Encrypting the file with symmetric encryption

Using stringent access control to prevent unauthorized access

Creating a hash of the file, then comparing the file hashes

A

Creating a hash of the file, then comparing the file hashes

112
Q

Which of the following mechanisms is the MOST secure way to implement a secure wireless network?

Filter media access control (MAC) addresses

Use a Wi-Fi Protected Access (WPA2) protocol

Use a Wired Equivalent Privacy (WEP) key

Web-based authentication

A

Use a Wi-Fi Protected Access (WPA2) protocol

113
Q

Which of the following devices could potentially stop a Structured Query Language (SQL) injection attack?

An intrusion prevention system (IPS)

An intrusion detection system (IDS)

A host-based intrusion detection system (HIDS)

A host-based firewall

A

An intrusion prevention system (IPS)

114
Q

Nonrepudiation can BEST be ensured by using:

strong passwords.

a digital hash.

symmetric encryption.

digital signatures.

A

digital signatures.
