CISM Practice C Topic 4 Flashcards

1
Q

The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to:

A

establish security baselines.

2
Q

A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration?

A

User

3
Q

The BEST way to ensure that information security policies are followed is to:

A

perform periodic reviews for compliance.

4
Q

The MOST appropriate individual to determine the level of information security needed for a specific business application is the:

A

system data owner.

5
Q

Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual needing to have his or her password reset?

A

Conducting security awareness programs

6
Q

Which of the following is the MOST likely to change an organization’s culture to one that is more security conscious?

A

Security awareness campaigns

7
Q

The BEST way to ensure that an external service provider complies with organizational security policies is to:

A

Perform periodic reviews of the service provider.

8
Q

When an emergency security patch is received via electronic mail, the patch should FIRST be:

A

validated to ensure its authenticity.

9
Q

In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software?

A

Changing access rules

10
Q

Which of the following is the BEST indicator that security awareness training has been effective?

A

More incidents are being reported

11
Q

Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs?

A

Penetration attempts investigated

12
Q

Which of the following change management activities would be a clear indicator that normal operational procedures require examination?

A

emergency change requests.

13
Q

Which of the following is the MOST important management signoff for migrating an order processing system from a test environment to a production environment?

A

User

14
Q

Prior to having a third party perform an attack and penetration test against an organization, the MOST important action is to ensure that:

A

goals and objectives are clearly defined.

15
Q

When a departmental system continues to be out of compliance with an information security policy’s password strength requirements, the BEST action to undertake is to:

A

conduct an impact analysis to quantify the risks.

16
Q

Which of the following is MOST important to the successful promotion of good security management practices?

A

Management support

17
Q

Which of the following environments represents the GREATEST risk to organizational security?

A

Locally managed file server

18
Q

Nonrepudiation can BEST be assured by using:

A

digital signatures.

19
Q

Of the following, the BEST method for ensuring that temporary employees do not receive excessive access rights is:

A

role-based access controls.

20
Q

Which of the following areas is MOST susceptible to the introduction of security weaknesses?

A

Configuration management

21
Q

Security policies should be aligned MOST closely with:

A

organizational needs.

22
Q

The BEST way to determine if an anomaly-based intrusion detection system (IDS) is properly installed is to:

A

simulate an attack and review IDS performance.

23
Q

The BEST time to perform a penetration test is after:

A

various infrastructure changes are made.

24
Q

Successful social engineering attacks can BEST be prevented through:

A

periodic awareness training.

25
What is the BEST way to ensure that an intruder who successfully penetrates a network will be detected before significant damage is inflicted?
Install a honeypot on the network
26
Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?
Operating system (OS) security patches have not been applied
27
In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources?
Conducting periodic security awareness programs
28
Which of the following will BEST ensure that management takes ownership of the decision making process for information security?
Security-steering committees
29
Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?
Process owner
30
What is the BEST way to ensure that contract programmers comply with organizational security policies?
Perform periodic security reviews of the contractors
31
Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected?
Backing up files
32
Security awareness training should be provided to new employees:
before they have access to data.
33
What is the BEST method to verify that all security patches applied to servers were properly documented?
Trace OS patch logs to change control requests
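The trace the card describes, as an added example that is not part of the flashcard deck: every installation recorded in the patch log is matched against the change-control ticket it cites, and approved tickets with no installation are listed as well. The log format, ticket records and host names are constructed for illustration.

```python
"""Reconcile OS patch log entries against change-control requests.

Added example, not from the flashcard deck: the log format, ticket fields and
host names are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample patch log (syslog-like, hypothetical format).
PATCH_LOG = """\
2024-03-02T01:12:03 srv-web-01 patchd: installed KB5034763 change=CHG-1041
2024-03-02T01:14:20 srv-web-02 patchd: installed KB5034763 change=CHG-1041
2024-03-03T23:41:09 srv-db-01 patchd: installed openssl-3.0.13 change=CHG-1050
2024-03-04T02:05:55 srv-db-01 patchd: installed kernel-6.1.77
2024-03-05T03:30:00 srv-app-07 patchd: installed KB5034763 change=CHG-9999
"""

# Constructed change-control records: ticket -> (status, approved patches, approved hosts).
CHANGE_REQUESTS = {
    "CHG-1041": ("approved", {"KB5034763"}, {"srv-web-01", "srv-web-02"}),
    "CHG-1050": ("approved", {"openssl-3.0.13"}, {"srv-db-01"}),
    "CHG-1052": ("approved", {"kernel-6.1.77"}, {"srv-db-01"}),
    "CHG-9999": ("rejected", {"KB5034763"}, {"srv-app-07"}),
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) patchd: installed (?P<patch>\S+)"
    r"(?: change=(?P<change>\S+))?$"
)


@dataclass(frozen=True)
class Finding:
    host: str
    patch: str
    change: Optional[str]
    reason: str


def reconcile(log_text, changes):
    """Return a Finding for every patch not backed by an approved change.

    A patch counts as documented only if the log line names a ticket, that
    ticket is approved, and it covers both the patch and the host.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            findings.append(Finding("?", "?", None, f"unparseable log line: {line!r}"))
            continue
        host, patch, change = m["host"], m["patch"], m["change"]
        if change is None:
            findings.append(Finding(host, patch, None, "no change reference in log"))
            continue
        record = changes.get(change)
        if record is None:
            findings.append(Finding(host, patch, change, "unknown change ticket"))
            continue
        status, patches, hosts = record
        if status != "approved":
            findings.append(Finding(host, patch, change, f"ticket status is {status}"))
        elif patch not in patches or host not in hosts:
            findings.append(Finding(host, patch, change, "ticket does not cover this patch/host"))
    return findings


def unapplied_changes(log_text, changes):
    """Approved tickets with no matching installation in the log (the reverse trace)."""
    applied = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["change"]:
            applied.add(m["change"])
    return sorted(c for c, (status, _, _) in changes.items()
                  if status == "approved" and c not in applied)


if __name__ == "__main__":
    for f in reconcile(PATCH_LOG, CHANGE_REQUESTS):
        print(f"{f.host} {f.patch} {f.change}: {f.reason}")
    print("approved but not applied:", unapplied_changes(PATCH_LOG, CHANGE_REQUESTS))
```

Both directions matter: a patch with no ticket is an undocumented change, and an approved ticket with no log entry is a change that was authorized but never verified as applied.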
34
A security awareness program should:
address specific groups and roles.
35
The PRIMARY objective of security awareness is to:
influence employee behavior.
36
Which of the following will BEST protect against malicious activity by a former employee?
Effective termination procedures
37
Which of the following represents a PRIMARY area of interest when conducting a penetration test?
Network mapping
38
The return on investment of information security can BEST be evaluated through which of the following?
Support of business objectives
39
To help ensure that contract personnel do not obtain unauthorized access to sensitive information, an information security manager should PRIMARILY:
avoid granting system administration roles.
40
Information security policies should:
be straightforward and easy to understand.
41
Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack?
Perform periodic penetration testing.
42
Which of the following presents the GREATEST exposure to internal attack on a network?
User passwords are encoded but not encrypted
43
Which of the following provides the linkage to ensure that procedures are correctly aligned with information security policy requirements?
Standards
44
Which of the following are the MOST important individuals to include as members of an information security steering committee?
IT management and key business process owners
45
Security audit reviews should PRIMARILY:
ensure that controls operate as required.
46
Which of the following is the MOST appropriate method to protect a password that opens a confidential file?
Out-of-band channels
47
What is the MOST effective access control method to prevent users from sharing files with unauthorized users?
Mandatory
48
Which of the following is an inherent weakness of signature-based intrusion detection systems?
New attack methods will be missed
49
Data owners are normally responsible for which of the following?
Determining the level of application security required
50
Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process?
System user
51
What is the BEST way to ensure users comply with organizational security requirements for password complexity?
Enable system-enforced password configuration
52
Which of the following is the MOST appropriate method for deploying operating system (OS) patches to production application servers?
Initially load the patches on a test machine
53
Which of the following would present the GREATEST risk to information security?
Security incidents are investigated within five business days
54
The PRIMARY reason for using metrics to evaluate information security is to:
enable steady improvement.
55
What is the BEST method to confirm that all firewall rules and router configuration settings are adequate?
Periodically perform penetration tests
56
Which of the following is MOST important for measuring the effectiveness of a security awareness program?
A quantitative evaluation to ensure user comprehension
57
Which of the following is the MOST important action to take when engaging third-party consultants to conduct an attack and penetration test?
Establish clear rules of engagement
58
Which of the following will BEST prevent an employee from using a USB drive to copy files from desktop computers?
Restrict the available drive allocation on all PCs
59
Which of the following is the MOST important area of focus when examining potential security compromise of a new wireless network?
Number of administrators
60
Good information security standards should:
define precise and unambiguous allowable limits.
61
Good information security procedures should:
be updated frequently as new software is released.
62
What is the MAIN drawback of e-mailing password-protected zip files across the Internet?
may be quarantined by mail filters.
63
A major trading partner with access to the internal network is unwilling or unable to remediate serious information security exposures within its environment. Which of the following is the BEST recommendation?
Set up firewall rules restricting network traffic from that location
64
Documented standards/procedures for the use of cryptography across the enterprise should PRIMARILY:
define the circumstances where cryptography should be used.
65
Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system (IDS) with the threshold set to a low value?
The number of false positives increases
66
What is the MOST appropriate change management procedure for the handling of emergency program changes?
Documentation is completed with approval soon after the change
67
Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken?
Security steering committee
68
The PRIMARY focus of the change control process is to ensure that changes are:
authorized
69
An information security manager has been asked to develop a change control process. What is the FIRST thing the information security manager should do?
Meet with stakeholders
70
A critical device is delivered with a single user and password that is required to be shared for multiple users to access the device. An information security manager has been tasked with ensuring all access to the device is authorized. Which of the following would be the MOST efficient means to accomplish this?
Enable access through a separate device that requires adequate authentication
71
Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application?
IT security policy
72
Which of the following is the MOST important process that an information security manager needs to negotiate with an outsource service provider?
The right to conduct independent security reviews
73
Which resource is the MOST effective in preventing physical access tailgating/piggybacking?
Awareness training
74
In business critical applications, where shared access to elevated privileges by a small group is necessary, the BEST approach to implement adequate segregation of duties is to:
implement role-based access control in the application.
75
In business-critical applications, user access should be approved by the:
data owner.
76
In organizations where availability is a primary concern, the MOST critical success factor of the patch management procedure would be the:
testing time window prior to deployment.
77
To ensure that all information security procedures are functional and accurate, they should be designed with the involvement of:
operational units.
78
An information security manager reviewed the access control lists and observed that privileged access was granted to an entire department. Which of the following should the information security manager do FIRST?
Meet with data owners to understand business needs
79
When security policies are strictly enforced, the initial impact is that:
the total cost of security is increased.
80
A business partner of a factory has remote read-only access to material inventory to forecast future acquisition orders. An information security manager should PRIMARILY ensure that there is:
an effective control over connectivity and continuity.
81
Which of the following should be in place before a black box penetration test begins?
A clearly stated definition of scope
82
What is the MOST important element to include when developing user security awareness material?
Easy-to-read and compelling information
83
What is the MOST important success factor in launching a corporate information security awareness program?
Top-down approach
84
Which of the following events generally has the highest information security impact?
Merging with another organization
85
The configuration management plan should PRIMARILY be based upon input from:
IT senior management.
86
Which of the following is the MOST effective, positive method to promote security awareness?
Competitions and rewards for compliance
87
An information security program should focus on:
key controls identified in risk assessments.
88
Who should determine the appropriate classification of accounting ledger data located on a database server and maintained by a database administrator in the IT department?
Finance department management
89
Which of the following would be the MOST significant security risk in a pharmaceutical institution?
Theft of a Research and Development laptop
90
Which of the following is the BEST tool to maintain the currency and coverage of an information security program within an organization?
The program's governance oversight mechanisms
91
Which of the following would BEST assist an information security manager in measuring the existing level of development of security processes against their desired state?
Capability maturity model (CMM)
92
Who is responsible for raising awareness of the need for adequate funding for risk action plans?
Information security manager
93
Managing the life cycle of a digital certificate is a role of a(n):
independent trusted source.
94
Which of the following would be MOST critical to the successful implementation of a biometric authentication system?
User acceptance
95
Change management procedures to ensure that disaster recovery/business continuity plans are kept up-to-date can be BEST achieved through which of the following?
Inclusion as a required step in the system life cycle process
96
When a new key business application goes into production, the PRIMARY reason to update relevant business impact analysis (BIA) and business continuity/disaster recovery plans is because:
service level agreements may not otherwise be met.
97
To reduce the possibility of service interruptions, an entity enters into contracts with multiple Internet service providers (ISPs). Which of the following would be the MOST important item to include?
Service level agreements (SLAs)
98
To mitigate a situation where one of the programmers of an application requires access to production data, the information security manager could BEST recommend to:
log all of the programmers' activity for review by supervisor.
99
Before engaging outsourced providers, an information security manager should ensure that the organization's data classification requirements:
are stated in the contract.
100
What is the GREATEST risk when there is an excessive number of firewall rules?
One rule may override another rule in the chain and create a loophole
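The loophole the card describes, as an added example that is not part of the flashcard deck: a first-match rule list is checked for later rules that an earlier rule already covers, and the packet that the administrator believes is denied is evaluated the way the firewall would evaluate it. The rule set and the test packet are constructed for illustration.

```python
"""Detect firewall rules that an earlier rule silently overrides.

Added example, not from the flashcard deck. It models a first-match rule list
(the evaluation order most packet filters use); the rule set and the test
packet are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # CIDR
    dst: str      # CIDR
    ports: tuple  # inclusive (low, high) destination port range

    def covers(self, other):
        """True if every packet matched by `other` is also matched by self."""
        return (
            self.proto in ("any", other.proto)
            and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
            and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
            and self.ports[0] <= other.ports[0]
            and other.ports[1] <= self.ports[1]
        )

    def matches(self, proto, src, dst, port):
        return (
            self.proto in ("any", proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
            and self.ports[0] <= port <= self.ports[1]
        )


def find_shadowed(rules):
    """Return (later_index, earlier_index, kind) for every unreachable rule.

    kind is "shadowed" when the earlier rule has the opposite action (the
    loophole: a later deny never fires) and "redundant" when it is the same.
    """
    issues = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].covers(later):
                kind = "redundant" if rules[i].action == later.action else "shadowed"
                issues.append((j, i, kind))
                break  # the first covering rule is the one that actually fires
    return issues


def evaluate(rules, proto, src, dst, port, default="deny"):
    """First-match evaluation, as the firewall itself performs it."""
    for rule in rules:
        if rule.matches(proto, src, dst, port):
            return rule.action
    return default


# Constructed rule set: rule 0 was added "temporarily" for a vendor and never
# narrowed; rule 2 is the deny the administrator believes protects the database.
RULES = [
    Rule("allow", "any", "0.0.0.0/0", "10.0.0.0/8", (1, 65535)),
    Rule("allow", "tcp", "10.1.0.0/16", "10.2.0.10/32", (443, 443)),
    Rule("deny", "tcp", "0.0.0.0/0", "10.2.0.10/32", (3306, 3306)),
]

if __name__ == "__main__":
    for later, earlier, kind in find_shadowed(RULES):
        print(f"rule {later} is {kind} by rule {earlier}: {RULES[later]}")
    print("203.0.113.5 -> 10.2.0.10:3306 is",
          evaluate(RULES, "tcp", "203.0.113.5", "10.2.0.10", 3306))
```

The pairwise check only catches a rule covered by a single earlier rule; a deny that is covered by the union of several earlier allows needs a set-based analysis, which is one reason large rule bases also get the periodic penetration test the deck recommends elsewhere.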
101
Which of the following would be the MOST appropriate physical security solution for the main entrance to a data center?
Biometric lock
102
What is the GREATEST advantage of documented guidelines and operating procedures from a security perspective?
Ensure consistency of activities to provide a more stable environment
103
What is the BEST way to ensure data protection upon termination of employment?
Ensure all logical access is removed
104
The MOST important reason for formally documenting security procedures is to ensure:
processes are repeatable and sustainable.
105
Which of the following is the BEST approach for an organization desiring to protect its intellectual property?
Restrict access to a need-to-know basis
106
The "separation of duties" principle is violated if which of the following individuals has update rights to the database access control list (ACL)?
Systems programmer
107
An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download non-sensitive production data for software testing purposes. The information security manager should recommend which of the following?
Restrict account access to read only
108
Which would be the BEST recommendation to protect against phishing attacks?
Publish security guidance for customers
109
Which of the following is the BEST indicator that an effective security control is built into an organization?
The monthly service level statistics indicate a minimal impact from security issues.
110
What is the BEST way to alleviate security team understaffing while retaining the capability in-house?
Establish a virtual security team from competent employees across the company
111
An information security manager wishing to establish security baselines would:
implement the security baselines to establish information security best practices.
112
Requiring all employees and contractors to meet personnel security/suitability requirements commensurate with their position sensitivity level and subject to personnel screening is an example of a security:
policy.
113
An organization's information security manager has been asked to hire a consultant to help assess the maturity level of the organization's information security management. The MOST important element of the request for proposal (RFP) is the:
methodology used in the assessment.
114
Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to:
assess the problems and institute rollback procedures, if needed.
115
When defining a service level agreement (SLA) regarding the level of data confidentiality that is handled by a third-party service provider, the BEST indicator of compliance would be the:
access control matrix.
116
The PRIMARY reason for involving information security at each stage in the systems development life cycle (SDLC) is to identify the security implications and potential solutions required for:
sustaining the organization's security posture.
It is important to maintain the organization's security posture at all times. The focus should not be confined to the new system being developed or acquired, or to the existing systems in use. Segregation of duties is only part of a solution to improving the security of the systems, not the primary reason to involve security in the systems development life cycle (SDLC).
117
The implementation of continuous monitoring controls is the BEST option where:
incidents may have a high impact and frequency
118
A third party was engaged to develop a business application. Which of the following would an information security manager BEST test for the existence of back doors?
Security code reviews for the entire application
119
An information security manager reviewing firewall rules will be MOST concerned if the firewall allows:
source routing.
120
What is the MOST cost-effective means of improving security awareness of staff personnel?
User education and training
121
Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)?
Awareness training
122
Data owners will determine what access and authorizations users will have by:
mapping to business needs.
123
Which of the following is the MOST likely outcome of a well-designed information security awareness course?
Increased reporting of security incidents to the incident response function
124
Which item would be the BEST to include in the information security awareness training program for new general staff employees?
Review of various security models
125
A critical component of a continuous improvement program for information security is:
measuring processes and providing feedback.
126
The management staff of an organization that does not have a dedicated security function decides to use its IT manager to perform a security review. The MAIN job requirement in this arrangement is that the IT manager:
report significant security risks.
127
An organization has implemented an enterprise resource planning (ERP) system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate?
Role-based
128
An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that:
the contract should mandate that the service provider will comply with security policies.
129
Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?
To receive an independent view of security exposures
130
A new port needs to be opened in a perimeter firewall. Which of the following should be the FIRST step before initiating any changes?
Prepare an impact assessment report.
131
An organization plans to outsource its customer relationship management (CRM) to a third-party service provider. Which of the following should the organization do FIRST?
Perform an internal risk assessment to determine needed controls.
132
Which of the following would raise security awareness among an organization's employees?
Continually reinforcing the security policy
133
Which of the following is the MOST appropriate method of ensuring password strength in a large organization?
Review general security settings on each platform
134
What is the MOST cost-effective method of identifying new vendor vulnerabilities?
External vulnerability reporting sources
135
Which of the following is the BEST approach for improving information security management processes?
Define and monitor security metrics.
136
An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to:
validate and sanitize client side inputs.
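The vulnerable query beside its hardened form, as an added example that is not part of the flashcard deck. "Client side inputs" on the card means input that originates from the client; the validation and the parameter binding below run on the server, since anything enforced only in the browser can be bypassed. The in-memory SQLite table, the login function names and the hash values are constructed for illustration.

```python
"""SQL injection: the string-built query beside the parameterized one.

Added example, not from the flashcard deck. Uses an in-memory SQLite database
with a constructed users table; the login function names are hypothetical.
"""
import re
import sqlite3

# Allowlist for the shape of a user name; anything else is rejected outright.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    return conn


def login_vulnerable(conn, name, pw_hash):
    # Client input is spliced into the statement: the quotes and comment
    # markers the attacker supplies become part of the SQL.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw_hash = '{pw_hash}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, name, pw_hash):
    # Validate the shape of the input first, then bind values as parameters so
    # the driver never lets them be parsed as SQL.
    if not USERNAME_RE.match(name):
        return False
    sql = "SELECT name FROM users WHERE name = ? AND pw_hash = ?"
    return conn.execute(sql, (name, pw_hash)).fetchone() is not None


PAYLOAD_COMMENT = "alice' --"     # comments out the password check
PAYLOAD_TAUTOLOGY = "' OR '1'='1"  # makes the WHERE clause always true

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, comment payload:", login_vulnerable(conn, PAYLOAD_COMMENT, "wrong"))
    print("vulnerable, tautology payload:",
          login_vulnerable(conn, PAYLOAD_TAUTOLOGY, PAYLOAD_TAUTOLOGY))
    print("safe, comment payload:", login_safe(conn, PAYLOAD_COMMENT, "wrong"))
    print("safe, real credentials:", login_safe(conn, "alice", "hash-of-alice-password"))
```

Parameter binding is the control that actually removes the vulnerability; the allowlist is defence in depth and also keeps the payloads out of logs and error messages.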
137
The root cause of a successful cross site request forgery (XSRF) attack against an application is that the vulnerable application:
has implemented cookies as the sole authentication mechanism.
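The root cause on the card, shown as an added example that is not part of the flashcard deck: a handler that trusts the session cookie alone accepts a request an attacker's page caused the victim's browser to send, while a handler that also demands a session-bound synchronizer token rejects it. The request objects, session store and server secret are constructed; no web framework is involved.

```python
"""Why cookie-only authentication is the root cause of CSRF, and the token that fixes it.

Added example, not from the flashcard deck. The request objects, session store
and secret are constructed; no web framework is involved.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

SERVER_SECRET = b"constructed-secret-do-not-reuse"
SESSIONS = {"s3ss10n": "alice"}  # cookie value -> user (constructed)


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)  # the browser attaches these automatically
    form: dict = field(default_factory=dict)     # body controlled by whoever built the form


def csrf_token(session_id):
    """Synchronizer token bound to the session; only the genuine page can embed it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_cookie_only(req):
    # The authentication decision rests solely on the cookie, which the browser
    # sends with the request regardless of which site initiated it.
    user = SESSIONS.get(req.cookies.get("sid"))
    if user is None:
        return "unauthenticated"
    return f"transferred {req.form['amount']} from {user} to {req.form['to']}"


def transfer_with_token(req):
    sid = req.cookies.get("sid")
    user = SESSIONS.get(sid)
    if user is None:
        return "unauthenticated"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(sid)):
        return "rejected: missing or invalid CSRF token"
    return f"transferred {req.form['amount']} from {user} to {req.form['to']}"


def forged_request():
    """What an attacker's page can cause: the cookie rides along, the token cannot."""
    return Request(cookies={"sid": "s3ss10n"}, form={"to": "mallory", "amount": "1000"})


def genuine_request():
    sid = "s3ss10n"
    return Request(cookies={"sid": sid},
                   form={"to": "bob", "amount": "10", "csrf_token": csrf_token(sid)})


if __name__ == "__main__":
    print("cookie only, forged:", transfer_cookie_only(forged_request()))
    print("with token, forged:", transfer_with_token(forged_request()))
    print("with token, genuine:", transfer_with_token(genuine_request()))
```

The attacker's page cannot read the token because it never sees the victim's session with the target site; SameSite cookie attributes and an Origin header check are useful additional layers but do not replace the token.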
138
Of the following, retention of business records should be PRIMARILY based on:
regulatory and legal requirements.
139
An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?
Ensuring that the third party is contractually obligated to all relevant security requirements
140
An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract?
Right to audit
141
Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?
Conduct regular security reviews of the third-party provider
142
An organization's operations staff places payment files in a shared network folder and then the disbursement staff picks up the files for payment processing. This manual intervention will be automated some months later, thus cost-efficient controls are sought to protect against file alterations. Which of the following would be the BEST solution?
Set role-based access permissions on the shared folder
143
Which of the following BEST ensures that security risks will be reevaluated when modifications in application developments are made?
A change control process
144
Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities?
Penetration tests
145
In which of the following system development life cycle (SDLC) phases are access control and encryption algorithms chosen?
System design specifications
146
Which of the following is generally considered a fundamental component of an information security program?
Security awareness training
147
How would an organization know if its new information security program is accomplishing its goals?
Key metrics indicate a reduction in incident impacts.
An immediate reduction in reported incidents, in contrast, may indicate that the program is not successful.
148
A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that:
less time is spent on reconnaissance and information gathering.
149
Which of the following is the BEST method to reduce the number of incidents of employees forwarding spam and chain e-mail messages?
User awareness training
150
Which of the following is the BEST approach to mitigate online brute-force attacks on user accounts?
Implementation of lock-out policies
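A lock-out policy in working form, as an added example that is not part of the flashcard deck. Time is passed in explicitly so the policy can be exercised without waiting; the thresholds, the user record and the passwords are constructed for illustration.

```python
"""Lock-out policy against online password guessing.

Added example, not from the flashcard deck. Thresholds, the user record and
the clock values are constructed; time is passed in explicitly so the policy
can be exercised without waiting.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed credential store: account -> SHA-256 of the password. A real
# system would use a slow, salted hash such as bcrypt or Argon2.
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}


class LockoutPolicy:
    def __init__(self, threshold=5, window=300, lock_seconds=900):
        self.threshold = threshold         # failures tolerated within `window` seconds
        self.window = window
        self.lock_seconds = lock_seconds   # how long the account stays locked
        self.failures = defaultdict(list)  # account -> timestamps of recent failures
        self.locked_until = {}

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account, now):
        recent = [t for t in self.failures[account] if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.threshold:
            self.locked_until[account] = now + self.lock_seconds
            self.failures[account] = []
            return True
        self.failures[account] = recent
        return False

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def attempt(policy, account, password, now):
    """Return 'ok', 'locked' or 'denied'. A locked account is refused before the
    password is checked, so guessing yields no signal while the lock holds."""
    if policy.is_locked(account, now):
        return "locked"
    stored = USERS.get(account)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if stored is not None and hmac.compare_digest(stored, supplied):
        policy.record_success(account)
        return "ok"
    policy.record_failure(account, now)
    return "denied"


def simulate():
    """Five guesses in a row, then the real password: locked until the lock expires."""
    policy = LockoutPolicy(threshold=5, window=300, lock_seconds=900)
    results = [attempt(policy, "alice", f"guess{i}", now=i) for i in range(5)]
    results.append(attempt(policy, "alice", "correct horse battery staple", now=6))
    results.append(attempt(policy, "alice", "correct horse battery staple", now=4 + 900))
    return results


if __name__ == "__main__":
    print(simulate())
```

Because anyone who knows an account name can trigger the lock, a lock-out policy on its own hands an attacker a denial-of-service lever; in practice it is paired with per-source throttling or progressive delays and with alerting on bursts of lock-outs.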
151
Which of the following measures is the MOST effective deterrent against disgruntled staff abusing their privileges?
Signed acceptable use policy
152
The advantage of sending messages using steganographic techniques, as opposed to utilizing encryption, is that:
the existence of messages is unknown.
153
As an organization grows, exceptions to information security policies that were not originally specified may become necessary at a later date. In order to ensure effective management of business risks, exceptions to such policies should be:
formally managed within the information security framework.
154
There is reason to believe that a recently modified web application has allowed unauthorized access. Which is the BEST way to identify an application backdoor?
Source code review
155
Simple Network Management Protocol v2 (SNMP v2) is used frequently to monitor networks. Which of the following vulnerabilities does it always introduce?
Clear text authentication
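The vulnerability on the card made concrete, as an added example that is not part of the flashcard deck: a minimal SNMPv2c GetRequest is built with a small BER encoder (all values constructed) and the community string, which is the only credential the protocol carries, is then read straight back out of the wire bytes, as anyone on the network path could.

```python
"""SNMPv2c carries its community string (its only 'authentication') in clear text.

Added example, not from the flashcard deck: builds a minimal SNMPv2c GetRequest
with a small BER encoder (all values constructed) and then recovers the
community string from the raw bytes, exactly as anyone on the path could.
"""


def ber(tag, content):
    """TLV with short- or long-form length."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content


def ber_int(value):
    # Non-negative values only, minimal two's-complement encoding.
    return ber(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return ber(0x06, bytes(body))


def snmpv2c_get(community, oid, request_id=1234):
    """SNMPv2c GetRequest: SEQUENCE { version, community, GetRequest-PDU }."""
    varbind = ber(0x30, ber_oid(oid) + ber(0x05, b""))
    pdu = ber(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + ber(0x30, varbind))
    return ber(0x30, ber_int(1) + ber(0x04, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet):
    """Parse version and community from an SNMP v1/v2c message; no key is needed."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected version INTEGER")
    tag, community, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected community OCTET STRING")
    return int.from_bytes(ver, "big", signed=True), community.decode("latin-1")


if __name__ == "__main__":
    pkt = snmpv2c_get("public", "1.3.6.1.2.1.1.1.0")  # sysDescr.0
    print(pkt.hex())
    print(extract_community(pkt))
```

Version 1 in the message header is SNMPv2c (0 is SNMPv1); both carry the community string this way, which is why SNMPv3 with authentication and privacy, or at least a read-only community restricted by source address, is the usual recommendation.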
156
Which of the following is the FIRST phase in which security should be addressed in the development cycle of a project?
Feasibility