CISM Practice B Topic 3 Flashcards

(115 cards)

1
Q

Who can BEST advocate the development of and ensure the success of an information security program?

Internal auditor

Chief operating officer (COO)

Steering committee

IT management

A

Steering committee

2
Q

Which of the following BEST ensures that information transmitted over the Internet will remain confidential?

Virtual private network (VPN)

Firewalls and routers

Biometric authentication

Two-factor authentication

A

Virtual private network (VPN)

3
Q

The effectiveness of virus detection software is MOST dependent on which of the following?

Packet filtering

Intrusion detection

Software upgrades

Definition tables

A

Definition tables

4
Q

Which of the following is the MOST effective type of access control?

Centralized

Role-based

Decentralized

Discretionary

A

Role-based

5
Q

Which of the following devices should be placed within a DMZ?

Router

Firewall

Mail relay

Authentication server

A

Mail relay

6
Q

An intrusion detection system should be placed:

outside the firewall.

on the firewall server.

on a screened subnet.

on the external router.

A

on a screened subnet.

7
Q

The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to:

provide in-depth defense.

separate test and production.

permit traffic load balancing.

prevent a denial-of-service attack.

A

permit traffic load balancing.

8
Q

An extranet server should be placed:

outside the firewall.

on the firewall server.

on a screened subnet.

on the external router.

A

on a screened subnet.

9
Q

Which of the following is the BEST metric for evaluating the effectiveness of security awareness training? The number of:

password resets.

reported incidents.

incidents resolved.

access rule violations.

A

reported incidents.

10
Q

Security monitoring mechanisms should PRIMARILY:

focus on business-critical information.

assist owners to manage control risks.

focus on detecting network intrusions.

record all security violations.

A

focus on business-critical information.

11
Q

Which of the following is the BEST method for ensuring that security procedures and guidelines are known and understood?

Periodic focus group meetings

Periodic compliance reviews

Computer-based certification training (CBT)

Employee’s signed acknowledgement

A

Computer-based certification training (CBT)

12
Q

When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:

right-to-terminate clause.

limitations of liability.

service level agreement (SLA).

financial penalties clause.

A

service level agreement (SLA).

13
Q

Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism?

Number of attacks detected

Number of successful attacks

Ratio of false positives to false negatives

Ratio of successful to unsuccessful attacks

A

Ratio of false positives to false negatives

14
Q

Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems?

Patch management

Change management

Security baselines

Virus detection

A

Change management

15
Q

Which of the following tools is MOST appropriate for determining how long a security project will take to implement?

Gantt chart

Waterfall chart

Critical path

Rapid Application Development (RAD)

A

Critical path

16
Q

Which of the following is MOST effective in preventing security weaknesses in operating systems?

Patch management

Change management

Security baselines

Configuration management

A

Patch management

17
Q

When a proposed system change violates an existing security standard, the conflict would be BEST resolved by:

calculating the residual risk.

enforcing the security standard.

redesigning the system change.

implementing mitigating controls.

A

calculating the residual risk.

18
Q

Who can BEST approve plans to implement an information security governance framework?

Internal auditor

Information security management

Steering committee

Infrastructure management

A

Steering committee

19
Q

Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?

Baseline security standards

System access violation logs

Role-based access controls

Exit routines

A

Role-based access controls

20
Q

Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender?

Biometric authentication

Embedded steganographic

Two-factor authentication

Embedded digital signature

A

Embedded digital signature

21
Q

Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers?

Daily

Weekly

Concurrently with O/S patch updates

During scheduled change control updates

A

Daily

22
Q

Which of the following devices should be placed within a demilitarized zone (DMZ)?

Network switch

Web server

Database server

File/print server

A

Web server

23
Q

On which of the following should a firewall be placed?

Web server

Intrusion detection system (IDS) server

Screened subnet

Domain boundary

A

Domain boundary

24
Q

An intranet server should generally be placed on the:

internal network.

firewall server.

external router.

primary domain controller.

A

internal network.

25
Q

Access control to a sensitive intranet application by mobile users can BEST be implemented through:

data encryption.

digital signatures.

strong passwords.

two-factor authentication.

A

two-factor authentication.

26
Q

When application-level security controlled by business process owners is found to be poorly managed, which of the following could BEST improve current practices?

Centralizing security management

Implementing sanctions for noncompliance

Policy enforcement by IT management

Periodic compliance reviews

A

Centralizing security management

27
Q

Security awareness training is MOST likely to lead to which of the following?

Decrease in intrusion incidents

Increase in reported incidents

Decrease in security policy changes

Increase in access rule violations

A

Increase in reported incidents

28
Q

The information classification scheme should:

consider possible impact of a security breach.

classify personal information in electronic form.

be performed by the information security manager.

classify systems according to the data processed.

A

consider possible impact of a security breach.

29
Q

Which of the following is the BEST method to provide a new user with their initial password for email system access?

Interoffice a system-generated complex password with 30 days expiration

Give a dummy password over the telephone set for immediate expiration

Require no password but force the user to set their own in 10 days

Set initial password equal to the user ID with expiration in 30 days

A

Give a dummy password over the telephone set for immediate expiration

30
Q

An information security program should be sponsored by:

infrastructure management.

the corporate audit department.

key business process owners.

information security management.

A

key business process owners.

31
Q

Which of the following is the MOST important item to include when developing web hosting agreements with third-party providers?

Termination conditions

Liability limits

Service levels

Privacy restrictions

A

Service levels

32
Q

The BEST metric for evaluating the effectiveness of a firewall is the:

number of attacks blocked.

number of packets dropped.

average throughput rate.

number of firewall rules.

A

number of attacks blocked.

33
Q

Which of the following ensures that newly identified security weaknesses in an operating system are mitigated in a timely fashion?

Patch management

Change management

Security baselines

Acquisition management

A

Patch management

34
Q

The MAIN advantage of implementing automated password synchronization is that it:

reduces overall administrative workload.

increases security between multi-tier systems.

allows passwords to be changed less frequently.

reduces the need for two-factor authentication.

A

reduces overall administrative workload.

35
Q

Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met?

SWOT analysis

Waterfall chart

Gap analysis

Balanced scorecard

A

Balanced scorecard

36
Q

Which of the following is MOST effective in preventing the introduction of a code modification that may reduce the security of a critical business application?

Patch management

Change management

Security metrics

Version control

A

Change management

37
Q

An operating system (OS) noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution?

Rewrite the application to conform to the upgraded operating system

Compensate for not installing the patch with mitigating controls

Alter the patch to allow the application to run in a privileged state

Run the application on a test platform; tune production to allow patch and application

A

Compensate for not installing the patch with mitigating controls

38
Q

Which of the following is MOST important to the success of an information security program?

Security awareness training

Achievable goals and objectives

Senior management sponsorship

Adequate start-up budget and staffing

A

Senior management sponsorship

39
Q

Which of the following is MOST important for a successful information security program?

Adequate training on emerging security technologies

Open communication with key process owners

Adequate policies, standards and procedures

Executive management commitment

A

Executive management commitment

40
Q

Which of the following is the MOST effective solution for preventing individuals external to the organization from modifying sensitive information on a corporate database?

Screened subnets

Information classification policies and procedures

Role-based access controls

Intrusion detection system (IDS)

A

Screened subnets

41
Q

Which of the following technologies is utilized to ensure that an individual connecting to a corporate internal network over the Internet is not an intruder masquerading as an authorized user?

Intrusion detection system (IDS)

IP address packet filtering

Two-factor authentication

Embedded digital signature

A

Two-factor authentication

42
Q

What is an appropriate frequency for updating operating system (OS) patches on production servers?

During scheduled rollouts of new applications

According to a fixed security patch management schedule

Concurrently with quarterly hardware maintenance

Whenever important security patches are released

A

Whenever important security patches are released

43
Q

Which of the following devices should be placed within a DMZ?

Proxy server

Application server

Departmental server

Data warehouse server

A

Application server

44
Q

A border router should be placed on which of the following?

Web server

IDS server

Screened subnet

Domain boundary

A

Domain boundary

45
Q

An e-commerce order fulfillment web server should generally be placed on which of the following?

Internal network

Demilitarized zone (DMZ)

Database server

Domain controller

A

Demilitarized zone (DMZ)

46
Q

Secure customer use of an e-commerce application can BEST be accomplished through:

data encryption.

digital signatures.

strong passwords.

two-factor authentication.

A

data encryption.

47
Q

What is the BEST defense against a Structured Query Language (SQL) injection attack?

Regularly updated signature files

A properly configured firewall

An intrusion detection system

Strict controls on input fields

A

Strict controls on input fields

48
Q

Which of the following is the MOST important consideration when implementing an intrusion detection system (IDS)?

Tuning

Patching

Encryption

Packet filtering

A

Tuning

49
Q

Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register?

Authentication

Hardening

Encryption

Nonrepudiation

A

Encryption

50
Q

Which of the following practices is BEST to remove system access for contractors and other temporary users when it is no longer required?

Log all account usage and send it to their manager

Establish predetermined automatic expiration dates

Require managers to e-mail security when the user leaves

Ensure each individual has signed a security acknowledgement

A

Establish predetermined automatic expiration dates

51
Q

Primary direction on the impact of compliance with new regulatory requirements that may lead to major application system changes should be obtained from the:

corporate internal auditor.

system developers/analysts.

key business process owners.

corporate legal counsel.

A

key business process owners.

52
Q

Which of the following is the MOST important item to consider when evaluating products to monitor security across the enterprise?

Ease of installation

Product documentation

Available support

System overhead

A

System overhead

53
Q

Which of the following is the MOST important guideline when using software to scan for security exposures within a corporate network?

Never use open source tools

Focus only on production servers

Follow a linear process for attacks

Do not interrupt production processes

A

Do not interrupt production processes

54
Q

Which of the following BEST ensures that modifications made to in-house developed business applications do not introduce new security exposures?

Stress testing

Patch management

Change management

Security baselines

A

Change management

55
Q

The advantage of Virtual Private Network (VPN) tunneling for remote users is that it:

helps ensure that communications are secure.

increases security between multi-tier systems.

allows passwords to be changed less frequently.

eliminates the need for secondary authentication.

A

helps ensure that communications are secure.

56
Q

Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network?

Boundary router

Strong encryption

Internet-facing firewall

Intrusion detection system (IDS)

A

Strong encryption

57
Q

Which of the following is MOST effective in protecting against the attack technique known as phishing?

Firewall blocking rules

Up-to-date signature files

Security awareness training

Intrusion detection monitoring

A

Security awareness training

58
Q

When a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning, which of the following should automatically occur FIRST?

The firewall should block all inbound traffic during the outage

All systems should block new logins until the problem is corrected

Access control should fall back to no synchronized mode

System logs should record all user activity for later analysis

A

Access control should fall back to no synchronized mode

59
Q

Which of the following is the MOST important risk associated with middleware in a client-server environment?

Server patching may be prevented

System backups may be incomplete

System integrity may be affected

End-user sessions may be hijacked

A

System integrity may be affected

60
Q

An outsource service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know?

Security in storage and transmission of sensitive data

Provider's level of compliance with industry standards

Security technologies in place at the facility

Results of the latest independent security review

A

Security in storage and transmission of sensitive data

61
Q

Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network?

Configuration of firewalls

Strength of encryption algorithms

Authentication within application

Safeguards over keys

A

Safeguards over keys

62
Q

In the process of deploying a new e-mail system, an information security manager would like to ensure the confidentiality of messages while in transit. Which of the following is the MOST appropriate method to ensure data confidentiality in a new e-mail system implementation?

Encryption

Digital certificate

Digital signature

Hashing algorithm

A

Encryption

63
Q

The MOST important reason that statistical anomaly-based intrusion detection systems (stat IDSs) are less commonly used than signature-based IDSs, is that stat IDSs:

create more overhead than signature-based IDSs.

cause false positives from minor changes to system variables.

generate false alarms from varying user or system actions.

cannot detect new types of attacks.

A

generate false alarms from varying user or system actions.

64
Q

An information security manager uses security metrics to measure the:

performance of the information security program.

performance of the security baseline.

effectiveness of the security risk analysis.

effectiveness of the incident response team.

A

performance of the information security program.

65
Q

The MOST important success factor to design an effective IT security awareness program is to:

customize the content to the target audience.

ensure senior management is represented.

ensure that all the staff is trained.

avoid technical content but give concrete examples.

A

customize the content to the target audience.

66
Q

Which of the following practices completely prevents a man-in-the-middle (MitM) attack between two hosts?

Use security tokens for authentication

Connect through an IPSec VPN

Use https with a server-side certificate

Enforce static media access control (MAC) addresses

A

Connect through an IPSec VPN

67
Q

Which of the following features is normally missing when using Secure Sockets Layer (SSL) in a web browser?

Certificate-based authentication of web client

Certificate-based authentication of web server

Data confidentiality between client and web server

Multiple encryption algorithms

A

Certificate-based authentication of web client

68
Q

The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C) financial web application is:

Secure Sockets Layer (SSL).

Secure Shell (SSH).

IP Security (IPSec).

Secure/Multipurpose Internet Mail Extensions (S/MIME).

A

Secure Sockets Layer (SSL).

69
Q

A message that has been encrypted by the sender's private key and again by the receiver's public key achieves:

authentication and authorization.

confidentiality and integrity.

confidentiality and nonrepudiation.

authentication and nonrepudiation.

A

confidentiality and nonrepudiation.

70
Q

When a user employs a client-side digital certificate to authenticate to a web server through Secure Socket Layer (SSL), confidentiality is MOST vulnerable to which of the following?

IP spoofing

Man-in-the-middle attack

Repudiation

Trojan

A

Trojan

71
Q

Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee?

Security compliant servers trend report

Percentage of security compliant servers

Number of security patches applied

Security patches applied trend report

A

Security compliant servers trend report

72
Q

It is important to develop an information security baseline because it helps to define:

critical information resources needing protection.

a security policy for the entire organization.

the minimum acceptable security to be implemented.

required physical and logical access controls.

A

the minimum acceptable security to be implemented.

73
Q

Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation?

Symmetric cryptography

Public key infrastructure (PKI)

Message hashing

Message authentication code

A

Public key infrastructure (PKI)

74
Q

Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?

Regular review of access control lists

Security guard escort of visitors

Visitor registry log at the door

A biometric coupled with a PIN

A

Regular review of access control lists

75
Q

To BEST improve the alignment of the information security objectives in an organization, the chief information security officer (CISO) should:

revise the information security program.

evaluate a balanced business scorecard.

conduct regular user awareness sessions.

perform penetration tests.

A

evaluate a balanced business scorecard.

76
Q

What is the MOST important item to be included in an information security policy?

The definition of roles and responsibilities

The scope of the security program

The key objectives of the security program

Reference to procedures and standards of the security program

A

The key objectives of the security program

77
Q

In an organization, information systems security is the responsibility of:

all personnel.

information systems personnel.

information systems security personnel.

functional personnel.

A

all personnel.

78
Q

An organization without any formal information security program that has decided to implement information security best practices should FIRST:

invite an external consultant to create the security strategy.

allocate budget based on best practices.

benchmark similar organizations.

define high-level business security requirements.

A

define high-level business security requirements.

79
Q

When considering the value of assets, which of the following would give the information security manager the MOST objective basis for measurement of value delivery in information security governance?

Number of controls

Cost of achieving control objectives

Effectiveness of controls

Test results of controls

A

Cost of achieving control objectives

80
Q

Which of the following would be the BEST metric for the IT risk management process?

Number of risk management action plans

Percentage of critical assets with budgeted remedial

Percentage of unresolved risk exposures

Number of security incidents identified

A

Percentage of critical assets with budgeted remedial

81
Q

Which of the following is a key area of the ISO 27001 framework?

Operational risk assessment

Financial crime metrics

Capacity management

Business continuity management

A

Business continuity management

82
Q

The MAIN goal of an information security strategic plan is to:

develop a risk assessment plan.

develop a data protection plan.

protect information assets and resources.

establish security governance.

A

protect information assets and resources.

83
Q

Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?

Encrypting first by receiver's private key and second by sender's public key

Encrypting first by sender's private key and second by receiver's public key

Encrypting first by sender's private key and second decrypting by sender's public key

Encrypting first by sender's public key and second by receiver's private key

A

Encrypting first by sender's private key and second by receiver's public key

84
Q

The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to:

change the root password of the system.

implement multifactor authentication.

rebuild the system from the original installation medium.

disconnect the mail server from the network.

A

rebuild the system from the original installation medium.

85
Q

The IT function has declared that, when putting a new application into production, it is not necessary to update the business impact analysis (BIA) because it does not produce modifications in the business processes. The information security manager should:

verify the decision with the business units.

check the system's risk analysis.

recommend update after post implementation review.

request an audit review.

A

verify the decision with the business units.

86
Q

A risk assessment study carried out by an organization noted that there is no segmentation of the local area network (LAN). Network segmentation would reduce the potential impact of which of the following?

Denial of service (DoS) attacks

Traffic sniffing

Virus infections

IP address spoofing

A

Traffic sniffing

87
Q

The PRIMARY objective of an Internet usage policy is to prevent:

access to inappropriate sites.

downloading malicious code.

violation of copyright laws.

disruption of Internet access.

A

disruption of Internet access.

88
Q

An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. The vulnerability identified is:

broken authentication.

unvalidated input.

cross-site scripting.

structured query language (SQL) injection.

A

broken authentication.

89
Q

A test plan to validate the security controls of a new system should be developed during which phase of the project?

Testing

Initiation

Design

Development

A

Design

90
Q

The MOST effective way to ensure that outsourced service providers comply with the organization's information security policy would be:

service level monitoring.

penetration testing.

periodically auditing.

security awareness training.

A

periodically auditing.

91
Q

In order to protect a network against unauthorized external connections to corporate systems, the information security manager should BEST implement:

a strong authentication.

IP anti-spoofing filtering.

network encryption protocol.

access lists of trusted devices.

A

a strong authentication.

92
Q

The PRIMARY driver to obtain external resources to execute the information security program is that external resources can:

contribute cost-effective expertise not available internally.

be made responsible for meeting the security program requirements.

replace the dependence on internal resources.

deliver more effectively on account of their knowledge.

A

contribute cost-effective expertise not available internally.

93
Q

Priority should be given to which of the following to ensure effective implementation of information security governance?

Consultation

Negotiation

Facilitation

Planning

A

Planning

94
Q

The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information security program is to:

ensure the confidentiality of sensitive material.

provide a high assurance of identity.

allow deployment of the active directory.

implement secure sockets layer (SSL) encryption.

A

provide a high assurance of identity.

95
Q

Which of the following controls would BEST prevent accidental system shutdown from the console or operations area?

Redundant power supplies

Protective switch covers

Shutdown alarms

Biometric readers

A

Protective switch covers

96
Q

Which of the following is the MOST important reason why information security objectives should be defined?

Tool for measuring effectiveness

General understanding of goals

Consistency with applicable standards

Management sign-off and support initiatives

A

Tool for measuring effectiveness

97
Q

What is the BEST policy for securing data on mobile universal serial bus (USB) drives?

Authentication

Encryption

Prohibit employees from copying data to USB devices

Limit the use of USB devices

A

Encryption

98
Q

When speaking to an organization's human resources department about information security, an information security manager should focus on the need for:

an adequate budget for the security program.

recruitment of technical IT employees.

periodic risk assessments.

security awareness training for employees.

A

security awareness training for employees.

99
Q

Which of the following would BEST protect an organization's confidential data stored on a laptop computer from unauthorized access?

Strong authentication by password

Encrypted hard drives

Multifactor authentication procedures

Network-based data backup

A

Encrypted hard drives

100
Q

What is the MOST important reason for conducting security awareness programs throughout an organization?

Reducing the human risk

Maintaining evidence of training records to ensure compliance

Informing business units about the security strategy

Training personnel in security incident response

A

Reducing the human risk

101
Q

At what stage of the applications development process would encryption key management initially be addressed?

Requirements development

Deployment

Systems testing

Code reviews

A

Requirements development

102
Q

The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is:

messages displayed at every logon.

periodic security-related e-mail messages.

an Intranet web site for information security.

circulating the information security policy.

A

messages displayed at every logon.

103
Q

Which of the following would be the BEST defense against sniffing?

Password protect the files

Implement a dynamic IP address scheme

Encrypt the data being transmitted

Set static mandatory access control (MAC) addresses

A

Encrypt the data being transmitted

104
Q

A digital signature using a public key infrastructure (PKI) will:

not ensure the integrity of a message.

rely on the extent to which the certificate authority (CA) is trusted.

require two parties to the message exchange.

provide a high level of confidentiality.

A

rely on the extent to which the certificate authority (CA) is trusted.

105
Q

When configuring a biometric access control system that protects a high-security data center, the system's sensitivity level should be set:

to a higher false reject rate (FRR).

to a lower crossover error rate.

to a higher false acceptance rate (FAR).

exactly to the crossover error rate.

A

to a higher false reject rate (FRR).

106
Q

Which of the following is the BEST method to securely transfer a message?

Password-protected removable media

Facsimile transmission in a secured room

Using public key infrastructure (PKI) encryption

Steganography

A

Using public key infrastructure (PKI) encryption

107
Q

Which of the following would be the FIRST step in establishing an information security program?

Develop the security policy.

Develop security operating procedures.

Develop the security plan.

Conduct a security controls study.

A

Develop the security plan.

108
Q

An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage cross-training. Which type of authorization policy would BEST address this practice?

Multilevel

Role-based

Discretionary

Attribute-based

A

Role-based

109
Q

Which of the following is the MOST important reason for an information security review of contracts? To help ensure that:

the parties to the agreement can perform.

confidential data are not included in the agreement.

appropriate controls are included.

the right to audit is a requirement.

A

appropriate controls are included.

110
Q

For virtual private network (VPN) access to the corporate network, the information security manager is requiring strong authentication. Which of the following is the strongest method to ensure that logging onto the network is secure?

Biometrics

Symmetric encryption keys

Secure Sockets Layer (SSL)-based authentication

Two-factor authentication

A

Two-factor authentication

111
Q

Which of the following guarantees that data in a file have not changed?

Inspecting the modified date of the file

Encrypting the file with symmetric encryption

Using stringent access control to prevent unauthorized access

Creating a hash of the file, then comparing the file hashes

A

Creating a hash of the file, then comparing the file hashes

112
Q

Which of the following mechanisms is the MOST secure way to implement a secure wireless network?

Filter media access control (MAC) addresses

Use a Wi-Fi Protected Access (WPA2) protocol

Use a Wired Equivalent Privacy (WEP) key

Web-based authentication

A

Use a Wi-Fi Protected Access (WPA2) protocol

113
Q

Which of the following devices could potentially stop a Structured Query Language (SQL) injection attack?

An intrusion prevention system (IPS)

An intrusion detection system (IDS)

A host-based intrusion detection system (HIDS)

A host-based firewall

A

An intrusion prevention system (IPS)

114
Q

Nonrepudiation can BEST be ensured by using:

strong passwords.

a digital hash.

symmetric encryption.

digital signatures.

A

digital signatures.
115