Information Security Program Development and Management Flashcards

(429 cards)

1
Q

An additional security control request was submitted by a business after the user requirements phase had just been closed. Which of the following would the information security manager MOST likely recommend to avoid this type of inefficiency?

A.Relevant stakeholders are invited to requirements analysis.
B.An adequate system development method is applied to the project.
C.Deliverables are aligned with business objectives.
D.Escalation procedures are supported by project staff.

A

A is the correct answer.

Justification

If key stakeholders are not invited to the requirements analysis, key security control features may not be identified, and the missing controls then surface in a later stage of the project, when they are more expensive to add. To prevent this type of problem, ensure that all key stakeholders are involved from the start of the project.
Assuring the presence and participation of the stakeholders is necessary regardless of which development method is used.
Even when deliverables are aligned with business objectives, late requirements will continue to arise unless key stakeholders are involved from the start. The result is a focus on functional aspects while security aspects are overlooked.
Escalation procedures are invoked when problems or suspicious activities are observed among project staff. An additional requirement arriving late is more likely an indication of missing stakeholder involvement than of anything that needs escalation.

2
Q

What is the initial step that an information security manager would take during the requirements gathering phase of an IT project to avoid project failure?

A.Develop a comprehensive methodology that defines and documents project needs.
B.Build security requirements into the design of the system with consideration of enterprise security needs.
C.Ensure that the business problem is clearly understood before working on the solution.
D.Create a project plan based on the principles of agile development methodology.

A

C is the correct answer.

Justification

Developing a methodology is a step separate from defining requirements.
The question relates to the requirements-gathering phase of the project, not the design phase, so it is too early to build requirements into the design.
The key to successful requirements gathering is to focus initially on the business problem before trying to develop a solution. Otherwise, the solution may address the wrong problem.
An agile development methodology first requires the determination of business requirements.

3
Q

Which of the following choices is the MOST significant single point of failure in a public key infrastructure?

A.A certificate authority’s (CA) public key
B.A relying party’s private key
C.A CA’s private key
D.A relying party’s public key

A

C is the correct answer.

Justification

The certificate authority's (CA) public key is published in certificates and trust stores and poses no confidentiality risk.
If destroyed, lost or compromised, the private key of a relying party affects only that party's own certificate.
The CA's private key is the single point of failure for the entire public key infrastructure (PKI): it must be kept secret, every certificate in the hierarchy derives its trust from it, and if it is destroyed or lost the CA can no longer issue or revoke certificates. If it is compromised, an attacker can issue certificates for any identity that every relying party will accept.
A relying party's public key is published and poses no risk.

4
Q

Which of the following practices completely prevents a man-in-the-middle attack between two hosts?

A.Use security tokens for authentication.
B.Connect through an IP Security v6 virtual private network.
C.Use Hypertext Transfer Protocol Secure with a server-side certificate.
D.Enforce static media access control addresses.

A

B is the correct answer.

Justification

Using token-based authentication does not prevent a man-in-the-middle attack; however, it limits the value of captured credentials, because a one-time token cannot be replayed the way stolen cleartext credentials can.
An IPsec virtual private network (IPsec is a mandatory component of IPv6) authenticates both endpoints during the key exchange and then integrity-protects and encrypts every packet; in tunnel mode the original source and destination IP headers are inside the protected payload. An attacker between the hosts can neither read nor alter the traffic, nor insert itself as a peer without the authentication credentials.
A Hypertext Transfer Protocol Secure session with only a server-side certificate authenticates the server but not the client. Traffic can be redirected to an attacker through Domain Name System (DNS) or Address Resolution Protocol (ARP) poisoning, and the interception succeeds if the attacker presents a certificate the client trusts or the user accepts a certificate warning.
ARP poisoning, one specific kind of man-in-the-middle attack, can be prevented with static ARP (media access control address) entries. DNS and NetBIOS name resolution can still be attacked to divert traffic.

5
Q

Which of the following should the information security manager implement to protect a network against unauthorized external connections to corporate systems?

A.Strong authentication
B.Internet Protocol anti-spoofing filtering
C.Network encryption protocol
D.Access lists of trusted devices

A

A is the correct answer.

Justification

Strong authentication verifies the identity of whoever is connecting, which is the control that addresses unauthorized external connections.
Internet Protocol anti-spoofing filtering is aimed at the source address of the device rather than the identity of the user.
A network encryption protocol protects the confidentiality and integrity of data in transit but does not by itself establish who is connecting.
Access lists of trusted devices are easily defeated by spoofed client identities, such as a copied address or device identifier.

6
Q

Which of the following devices could potentially stop a structured query language injection attack?

A.An intrusion prevention system
B.An intrusion detection system
C.A host-based intrusion detection system
D.A host-based firewall

A

A is the correct answer.

Justification

Structured query language (SQL) injection attacks occur at the application layer. Most network intrusion prevention systems inspect the HTTP request, can detect at least a basic set of SQL injection patterns and drop the offending requests. This is a compensating control: encoded or novel payloads can evade signatures, and the real fix is parameterized queries in the application.
Intrusion detection systems will detect but not prevent.
A host-based intrusion detection system also only detects, and it typically has no visibility into the content of the SQL the application sends to the database.
A host-based firewall, whether on the web server or the database server, will allow the connection because a traditional firewall filters on addresses and ports and does not inspect packets at the application layer.
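
As an added illustration (not part of the original flashcards), the following Python script shows the injection the card describes and the two layers of defence it mentions: the vulnerable query built by string formatting next to its parameterized form, and a deliberately small, hypothetical signature set standing in for the basic SQL injection signatures an IPS ships with. The table, users and payloads are constructed for the example. The signature set catches the textbook `' OR '1'='1` payload but not a trivial variant, which is why the card's justification says "basic sets".

```python
import re
import sqlite3

# Constructed sample table, not from any real system. Passwords are stored in
# plaintext only to keep the injection point simple; real systems hash them.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", "admin"),
                      ("bob", "hunter2", "user")])
    return conn

def login_vulnerable(conn, username, password):
    # The SQL text is built by string formatting, so attacker-controlled input
    # becomes part of the SQL grammar instead of staying a value.
    query = ("SELECT username, role FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchall()

def login_safe(conn, username, password):
    # Parameterised query: the driver binds the values as data, so a quote or
    # an OR clause in the input is compared literally and never executed.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

# A deliberately small signature set (hypothetical patterns, not a vendor's
# rule set) standing in for the basic SQL injection signatures of an IPS.
SIGNATURES = [
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),  # ' OR '1'='1
    re.compile(r"--\s*$"),                              # comment out the rest of the statement
    re.compile(r";\s*drop\s+table", re.I),              # stacked DROP TABLE
]

def ips_blocks(value):
    """True if the request parameter matches any known-bad signature."""
    return any(sig.search(value) for sig in SIGNATURES)

def demo():
    conn = make_db()
    basic = "' OR '1'='1"    # textbook tautology, caught by the signature set
    evasive = "' OR 'a'='a"  # same effect on the vulnerable query, not in the set
    return {
        "vulnerable_basic": len(login_vulnerable(conn, basic, basic)),
        "vulnerable_evasive": len(login_vulnerable(conn, evasive, evasive)),
        "safe_basic": len(login_safe(conn, basic, basic)),
        "safe_evasive": len(login_safe(conn, evasive, evasive)),
        "legit_login": login_safe(conn, "bob", "hunter2"),
        "ips_blocks_basic": ips_blocks(basic),
        "ips_blocks_evasive": ips_blocks(evasive),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both payloads log in as every user against the vulnerable query, while the parameterized query returns nothing for either, regardless of what the signature set catches. That is the point of the card: the IPS is a compensating control in front of an application that should already be safe.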

7
Q

What is the BEST policy for securing data on mobile universal serial bus (USB) drives?

A.Authentication
B.Encryption
C.Prohibit employees from copying data to USB devices
D.Limit the use of USB devices

A

B is the correct answer.

Justification

Authentication protects access to the data but does not protect the data once the authentication is bypassed or the storage is read directly.
Encryption provides the most effective protection of data on mobile devices: without the key, the data cannot be read even if the drive is lost or stolen.
A policy prohibiting employees from copying data to universal serial bus (USB) devices does not technically prevent copying and offers minimal protection on its own.
Limiting the use of USB devices does not secure the data already on them.

8
Q

Which one of the following combinations offers the STRONGEST encryption and authentication method for 802.11 wireless networks?

A.Wired equivalent privacy with 128-bit pre-shared key authentication
B.Temporal Key Integrity Protocol-Message Integrity Check with the RC4 cipher
C.Wi-Fi Protected Access 2 (WPA2) and pre-shared key authentication
D.WPA2 and 802.1X authentication

A

D is the correct answer.

Justification

Wired Equivalent Privacy (WEP), with a 128-bit or any other key length, can be cracked in minutes with open source tools; it is no longer acceptable for secure wireless networks.
Temporal Key Integrity Protocol with Message Integrity Check (TKIP-MIC) was a stopgap that wrapped per-packet key mixing around the same RC4 cipher WEP uses; it is weaker than WPA2 with 802.1X authentication and has itself been deprecated.
Wi-Fi Protected Access 2 (WPA2) with a pre-shared key uses the same AES encryption as the enterprise mode, but one passphrase is shared by every user, and an attacker who captures the four-way handshake can brute-force that passphrase offline.
WPA2 with 802.1X authentication is the strongest combination among the choices. 802.1X (EAP) authenticates each user or device individually against an authentication server such as RADIUS and derives a unique per-session key, and WPA2 protects the traffic with Advanced Encryption Standard (AES-CCMP) encryption.

9
Q

Which one of the following types of detection is NECESSARY to mitigate a denial or distributed denial-of-service attack?

A.Signature-based detection
B.Deep packet inspection
C.Virus detection
D.Anomaly-based detection

A

D is the correct answer.

Justification

Signature-based detection matches known malicious payloads; a flood of well-formed requests matches no signature, and the detector has no insight into traffic volume, so it cannot react to a distributed denial-of-service (DDoS) attack.
Deep packet inspection examines protocol content inside packets, not traffic volume, so it is not relevant to a denial-of-service (DoS) attack.
Virus detection would have no effect on DDoS detection or mitigation.
Anomaly-based detection establishes a baseline of normal traffic patterns (request rates, connection counts, source distribution) and then flags deviations from it. Under a DDoS attack the baseline is exceeded by orders of magnitude, so the attack is quickly identified.
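
To make the baseline-and-deviation idea concrete, here is an added Python example (not from the original card) that builds a constructed request log, 60 seconds of normal traffic followed by a 10-second flood from many addresses, learns the per-second baseline from the normal period and flags the windows that exceed it. The window size, the threshold factor and the sample log are assumptions for the example. A companion function runs a signature check over the same requests and finds nothing, because every flood request is a well-formed GET.

```python
import statistics
from collections import Counter

def build_sample_log():
    """Constructed traffic, not a real capture: 60 s of normal load
    (8 to 12 well-formed GETs per second) followed by a 10 s flood from
    many source addresses. Each event is (second, source_ip, request_line)."""
    events = []
    normal = [8, 10, 12, 9, 11, 10]
    for sec in range(60):
        for i in range(normal[sec % len(normal)]):
            events.append((sec, f"10.0.{sec % 7}.{i}", "GET /index.html HTTP/1.1"))
    for sec in range(60, 70):
        for i in range(400):
            events.append((sec, f"203.0.113.{i % 256}", "GET /index.html HTTP/1.1"))
    return events

def requests_per_window(events, window=1):
    """Count requests per time window, filling empty windows with 0."""
    counts = Counter(ts // window for ts, _, _ in events)
    return [counts.get(w, 0) for w in range(max(counts) + 1)]

def baseline(series):
    return statistics.mean(series), statistics.pstdev(series)

def anomalous_windows(series, train_windows, k=4.0):
    """Learn mean and spread from the first train_windows, then flag any window
    more than k standard deviations above the mean. The floor of 1.0 on the
    spread keeps a perfectly flat baseline from flagging every small change."""
    mean, stdev = baseline(series[:train_windows])
    threshold = mean + k * max(stdev, 1.0)
    return [i for i, count in enumerate(series) if count > threshold]

def distinct_sources(events, start, end):
    """How many different addresses sent traffic in [start, end): a jump here
    alongside the volume spike is what makes the attack 'distributed'."""
    return len({ip for ts, ip, _ in events if start <= ts < end})

def signature_hits(events, patterns=("UNION SELECT", "../", "<script")):
    """What a signature engine sees in the same log: nothing, because every
    flood request is a syntactically normal GET."""
    return [e for e in events if any(p.lower() in e[2].lower() for p in patterns)]

if __name__ == "__main__":
    log = build_sample_log()
    series = requests_per_window(log)
    print("flagged windows:", anomalous_windows(series, train_windows=60))
    print("distinct sources, normal vs flood:",
          distinct_sources(log, 0, 60), distinct_sources(log, 60, 70))
    print("signature hits:", len(signature_hits(log)))
```

The baseline for the normal period is 10 requests per second with a spread of about 1.3, so the threshold lands near 15 and the ten flood windows at 400 requests per second are the only ones flagged. In production the baseline is learned over days and per time-of-day, and rate limiting or upstream scrubbing is driven from the same signal.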

10
Q

A certificate authority is required for a public key infrastructure:

A.in cases where confidentiality is an issue.
B.when challenge/response authentication is used.
C.except where users attest to each other’s identity.
D.in role-based access control deployments.

A

C is the correct answer.

Justification

The role of the certificate authority (CA) is to vouch for the binding between an identity and a public key; whether that key is then used for confidentiality is irrelevant to whether a CA is needed.
Challenge/response authentication can be implemented with shared secrets and does not by itself require a public key infrastructure (PKI).
A CA is not needed in implementations such as Pretty Good Privacy (PGP), where the authenticity of users' public keys is attested to by other users in a web of trust.
If the role-based access control is PKI-based, either a CA is required or other trusted parties will have to attest to the validity of users' keys.

11
Q

The MOST effective technical approach to mitigate the risk of confidential information being disclosed in outgoing email attachments is to implement:

A.content filtering.
B.data classification.
C.information security awareness.
D.encryption for all attachments.

A

A is the correct answer.

Justification

Content filtering (data loss prevention) examines the content of outgoing attachments and blocks messages that contain specified words or phrases, patterns such as card or account numbers, or classification labels before they leave the enterprise.
Data classification helps identify the material that should not be sent as an email attachment, but by itself it does not prevent it from being sent.
Information security awareness training also helps, as long as personnel know what information must not be exposed and willingly comply, but it relies on people and is not as effective as outgoing content filtering.
Encrypting all attachments is not effective: it does not limit what is sent or to whom, and it prevents the content filter from inspecting the attachment, so confidential information can leave unnoticed.
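
Added example, not from the original card: a minimal outbound content filter in Python that inspects constructed attachments for a classification label and for Luhn-valid card numbers, blocks the message when it finds either, and quarantines rather than allows anything it cannot decode, which is the problem the last justification line raises with blanket attachment encryption. The message, file names, recipient and rule set are constructed for the example; a production data loss prevention engine adds file-type parsing, document fingerprints and exact-match dictionaries on top of this.

```python
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
LABEL_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|RESTRICTED)\b", re.I)

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so that arbitrary 16-digit references are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str):
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            found.append(digits)
    return found

def inspect_attachment(data: bytes):
    """Return (verdict, reasons). Content the filter cannot read (binary or
    encrypted) is reported as such rather than silently allowed."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "uninspectable", ["content could not be decoded for inspection"]
    reasons = []
    if LABEL_RE.search(text):
        reasons.append("classification label present")
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"{len(cards)} Luhn-valid card number(s)")
    return ("block" if reasons else "allow"), reasons

def filter_outbound(message):
    """Block if any attachment carries confidential content; quarantine for
    human review if any attachment could not be inspected; otherwise allow."""
    verdicts = {name: inspect_attachment(data)
                for name, data in message["attachments"].items()}
    outcomes = {verdict for verdict, _ in verdicts.values()}
    if "block" in outcomes:
        decision = "block"
    elif "uninspectable" in outcomes:
        decision = "quarantine"
    else:
        decision = "allow"
    return decision, verdicts

# Constructed outbound message with hypothetical recipient and file names.
# 4111 1111 1111 1111 is a Luhn-valid test number; the 'Reference' number is not.
SAMPLE_MESSAGE = {
    "to": "partner@example.com",
    "attachments": {
        "quarterly_plan.txt": b"CONFIDENTIAL - do not distribute outside the company.\nQ3 pricing changes...\n",
        "refund_list.csv": b"customer,card\nA. Example,4111 1111 1111 1111\n",
        "agenda.txt": b"Reference 1234 5678 9012 3456\n10:00 kickoff\n11:00 status\n",
        "report.zip.gpg": bytes([0x8F, 0x00, 0xFF, 0xFE, 0x11, 0x8F]),  # not valid UTF-8
    },
}

if __name__ == "__main__":
    decision, verdicts = filter_outbound(SAMPLE_MESSAGE)
    print("decision:", decision)
    for name, (verdict, reasons) in verdicts.items():
        print(f"  {name}: {verdict} {reasons}")
```

The encrypted-looking attachment is the case to notice: the filter has no way to tell a harmless archive from an exfiltrated spreadsheet, so the policy decision (here, quarantine) has to be made explicitly rather than defaulting to allow.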

12
Q

Which of the following BEST ensures nonrepudiation?

A.Strong passwords
B.A digital hash
C.Symmetric encryption
D.Digital signatures

A

D is the correct answer.

Justification

Strong passwords only authenticate a user to a system; a password cannot prove to a third party which of two or more parties produced a message.
A digital hash in itself helps ensure the integrity of the contents but not nonrepudiation, because anyone can compute the hash.
Symmetric encryption (or a symmetric message authentication code) would not help with nonrepudiation because the key is shared between the parties, so either party could have produced the message.
A digital signature is created with the signer's private key over a hash of the contents and verified with the signer's public key. Because only the signer holds the private key, the signer cannot later deny having signed, and any change to the contents causes the signature to fail verification.

13
Q

Which of the following is the FIRST phase in which security should be addressed in the development cycle of a project?

A.Design
B.Implementation
C.Application security testing
D.Feasibility

A

D is the correct answer.

Justification

Security requirements must be defined before design specification begins, although changes in design may alter these requirements later on.
Security requirements defined during system implementation are typically costly add-ons that are frequently ineffective.
Application security testing occurs after security has been implemented.
Information security should be considered at the earliest possible stage because it may affect feasibility of the project.

14
Q

What would be the MOST significant security risk when using wireless local area network technology?

A.Man-in-the-middle attack
B.Spoofing of data packets
C.Rogue access point
D.Session hijacking

A

C is the correct answer.

Justification

Man-in-the-middle attacks can occur in any media and are not dependent on the use of a wireless local area network (WLAN) technology.
Spoofing of data packets is not dependent on the use of a WLAN technology.
A rogue access point masquerades as a legitimate access point. The risk is that legitimate users may connect through this access point and have their traffic monitored.
Session hijacking is not dependent on the use of a WLAN technology.

15
Q

For virtual private network access to the corporate network, the information security manager is requiring strong authentication. Which of the following is the strongest method to ensure that logging onto the network is secure?

A.Biometrics
B.Symmetric encryption keys
C.Secure Sockets Layer-based authentication
D.Two-factor authentication

A

D is the correct answer.

Justification

While biometrics provides unique authentication, it is not strong by itself, unless a personal identification number (PIN) or some other authentication factor is used with it. Biometric authentication by itself is also subject to replay attacks.
A symmetric encryption key shared between client and server is not a typical authentication mechanism for end users, and the shared secret could still be compromised.
Secure Sockets Layer (SSL, now superseded by Transport Layer Security) is the standard technology for establishing an encrypted link between a web server and a browser. With only a server certificate it does not authenticate the user; if it is used with a client certificate and a password, that is two-factor authentication.
Two-factor authentication requires more than one type of user authentication, typically something you know and something you have, such as a PIN and smart card.

16
Q

How does the development of an information security program begin?

A.Risk is assessed and analyzed.
B.The security architecture is developed.
C.The controls statement of applicability is completed.
D.Required outcomes are defined.

A

D is the correct answer.

Justification

Assessing and analyzing risk is required to develop a strategy and will provide some of the information needed to develop the strategy that will achieve the desired outcomes, but it will not define the scope and charter of the security program.
A security architecture is a part of implementation after developing the strategy.
The applicability statement is a part of strategy implementation using International Organization for Standardization (ISO) 27001 or 27002 after determining the scope and responsibilities of the program.
After management has determined the desired outcomes of the information security program, development of a strategy can begin, together with initiating the process of developing information security governance structures, achieving organizational adoption and developing an implementation strategy that will define the scope and responsibilities of the security program.

17
Q

Which of the following BEST protects confidentiality of information?

A.Information classification
B.Segregation of duties
C.Least privilege
D.Systems monitoring

A

C is the correct answer.

Justification

While classifying information can help focus the assignment of privileges, classification itself does not provide enforcement.
Only in very specific situations does segregation of duties safeguard confidentiality of information.
Restricting access to information to those who need to have access is the most effective means of protecting confidentiality.
Systems monitoring is a detective control rather than a preventive control.

18
Q

Requirements for an information security program should be based PRIMARILY on which of the following choices?

A.Governance policies
B.Desired outcomes
C.Specific objectives
D.The security strategy

A

B is the correct answer.

Justification

Policies are one of the resources used to develop the strategy, which is based on specific objectives that meet the requirements.
The desired outcomes for the security program will be high-level achievements related to acceptable risk across the enterprise and will determine the requirements that must be met to achieve those outcomes.
Objectives are the steps required to achieve the desired outcomes.
The security strategy is the road map to achieve the objectives that result in the desired outcomes.

19
Q

Which of the following is the BEST approach for an enterprise desiring to protect its intellectual property?

A.Conduct awareness sessions on intellectual property policy.
B.Require all employees to sign a nondisclosure agreement.
C.Promptly remove all access when an employee leaves the enterprise.
D.Restrict access to a need-to-know basis.

A

D is the correct answer.

Justification

Security awareness regarding intellectual property policy will not prevent violations of this policy.
Requiring all employees to sign a nondisclosure agreement is a good control but not as effective as restricting access to a need-to-know basis.
Removing all access on termination does not protect intellectual property prior to an employee leaving.
Restricting access to a need-to-know basis is the most effective approach to protecting intellectual property.

19
Q

What is the MOST common protocol to ensure confidentiality of transmissions in a business-to-customer financial web application?

A.Secure Sockets Layer
B.Secure Shell
C.IP Security
D.Secure/Multipurpose Internet Mail Extensions

A

A is the correct answer.

Justification

Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), is the cryptographic protocol browsers use to secure web traffic, providing server (end point) authentication and communications privacy over the Internet. In typical use, all data transmitted between the customer and the business are encrypted between the browser and the business's web server and remain confidential.
Secure Shell (SSH) provides encrypted remote login and file transfer (SFTP over the SSH-2 protocol); it is not used by browsers for web transactions.
IP Security (IPSec) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. It operates in transport mode or tunnel mode and is typically used for virtual private networks rather than for customer web sessions.
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for public key encryption and signing of email encapsulated in MIME; it is not a web transaction protocol.

20
Q

What human resources (HR) activity is MOST crucial in managing mobile devices supplied by the enterprise? HR provides:

A.termination notices.
B.background checks.
C.reporting structures.
D.awareness support.

A

A is the correct answer.

Justification

When the human resources (HR) department provides staff termination notices, security management can perform deprovisioning of mobile devices.
Background checks generally do not help the management of mobile devices.
Reporting structures generally do not affect the management of mobile devices.
HR could support information security awareness programs. However, from the management perspective, device deprovisioning upon staff termination will be more important.

21
Q

A web-based business application is being migrated from test to production. Which of the following is the MOST important management sign-off for this migration?

A.User
B.Network
C.Operations
D.Database

A

A is the correct answer.

Justification

As owners of the system, user management sign-off is the most important. If a system does not meet the needs of the business, then it has not met its primary objective.
The needs of the network are secondary to the needs of the business.
The needs of operations are secondary to the needs of the business.
The needs of database management are secondary to the needs of the business.

21
Q

Which of the following is the BEST justification to convince management to invest in an information security program?

A.Cost reduction
B.Compliance with company policies
C.Protection of business assets
D.Increased business value

A

D is the correct answer.

Justification

Cost reduction by itself is rarely the motivator for implementing an information security program.
Compliance is secondary to business value and cannot be the best justification, as the company may already be in compliance as managed by the legal team.
Protection of business assets is not the best justification, as management can counter it by stating that it can ensure protection of assets.
Investing in an information security program would increase business value as a result of fewer business disruptions, fewer losses, increased productivity and stronger brand reputation.

22
Q

An enterprise is implementing intrusion protection in its demilitarized zone (DMZ). Which of the following steps is necessary to make sure that the intrusion prevention system (IPS) can view all traffic in the DMZ?

A.Ensure that intrusion prevention is placed in front of the firewall.
B.Ensure that all devices that are connected can easily see the IPS in the network.
C.Ensure that all encrypted traffic is decrypted prior to being processed by the IPS.
D.Ensure that traffic to all devices is mirrored to the IPS.

A

C is the correct answer.

Justification

An intrusion prevention system (IPS) placed in front of (outside) the firewall will continuously detect attack attempts against the whole Internet-facing address space, creating endless false positives and blocking many sites needlessly. Most of those attacks would be dropped by the firewall anyway.
Other connected devices do not need to be able to see the IPS.
An IPS cannot inspect what it cannot read, so encrypted traffic must be decrypted before the IPS processes it. Encryption should be terminated at a hardware Secure Sockets Layer/Transport Layer Security accelerator or at the virtual private network server so that all traffic can be monitored; the decrypted segment between that termination point and the IPS must itself be protected.
Mirroring (copying) traffic to the IPS delivers it for passive detection, but copies of encrypted traffic are just as unreadable; mirroring is not what gives the IPS visibility.

22
Which of the following is the MOST effective security measure to protect data held on mobile computing devices? A.Biometric access control B.Encryption of stored data C.Power-on passwords D.Protection of data being transmitted
B is the correct answer. Justification Biometric access control limits access but does not protect stored data once access has been breached or the storage has been removed from the device. Encryption of stored data ensures that the actual data cannot be recovered without the encryption key. Power-on passwords are easily bypassed and do not protect data effectively. Protecting data in transmission addresses a different risk and does nothing for data at rest on the device.
23
What is the BEST approach to implement adequate segregation of duties in business-critical applications if shared access to elevated privileges by a small group is necessary? A.Ensure access to individual functions can be granted to individual users only. B.Implement role-based access control in the application. C.Enforce manual procedures ensuring separation of conflicting duties. D.Create service accounts that can only be used by authorized team members.
B is the correct answer. Justification Access to individual functions will not ensure appropriate segregation of duties (SoD). Role-based access control is the best way to implement appropriate SoD. Roles will have to be defined once, and then the user can be changed from one role to another without redefining the content of the role each time. Giving a user access to all functions and implementing, in parallel, a manual procedure ensuring SoD is not an effective method, and it would be difficult to enforce and monitor. Creating service accounts that can be used by authorized team members would not provide any help unless their roles were properly segregated.
24
The use of public key encryption for the purpose of providing encryption keys for a large number of individuals is preferred PRIMARILY because: A.public key encryption is computationally more efficient. B.scaling is less problematic than using a symmetrical key. C.public key encryption is less costly to maintain than symmetrical keys for small groups. D.public key encryption provides greater encryption strength than secret key options.
B is the correct answer. Justification Public key encryption is computationally intensive because of the long key lengths required. Symmetric (secret key) encryption requires a separate key for each pair of individuals who wish to communicate confidentially, so the number of keys grows quadratically (n(n-1)/2 keys for n participants), which quickly makes key distribution and storage intractable. A public key infrastructure is more costly for small groups but less costly to maintain as the number of participants increases; it is the only manageable option for large groups, which is why it is preferred. Secret key encryption requires much shorter key lengths than public key encryption to achieve equivalent strength.
25
Obtaining another party’s public key is required to initiate which of the following activities? A.Authorization B.Digital signing C.Authentication D.Nonrepudiation
C is the correct answer. Justification Authorization is not a public key infrastructure function. The signer's own private key is used for digital signing. The counterparty's public key is what a party must obtain to verify the counterparty's signature, or to encrypt a challenge that only the counterparty can decrypt, and so to authenticate the counterparty. Nonrepudiation depends on the signer's private key, which only the signer holds.
26
Which of the following considerations is the MOST important one in the use of a vulnerability scanning tool? A.Multiple functions B.Regular updates C.Graphical user interface D.Real-time virus deletion
B is the correct answer. Justification Multiple functionalities cannot replace the importance of a scanner being kept current with the latest vulnerabilities. A vulnerability scanner is as good as its last update. The graphical user interface addresses ease of use rather than the effectiveness of the scanner. A vulnerability scanner does not need to have the ability to delete viruses.
27
Which information security liaison is PRIMARILY responsible for providing assurance of policy compliance and identifying risk? A. Information technology B. Privacy C. IT audit D. Legal
C is the correct answer. Justification Information technology has a critical role as the hands-on implementer and operator of information processing systems. The privacy department coordinates with information security on compliance, to avoid potential sanctions for violations of privacy regulations. IT audit is generally charged with providing assurance of policy compliance and identifying risk. Legal works with information security to oversee corporate responsibility, contract review and due diligence, protecting the firm from legal liability.
28
Which of the following guarantees that data in a file have not changed? A.Inspecting the modified date of the file B.Encrypting the file with symmetric encryption C.Using stringent access control to prevent unauthorized access D.Creating a hash of the file, then comparing the file hashes
D is the correct answer. Justification The modified date can be altered to reflect any date. Encrypting the file makes it difficult to modify meaningfully but does not ensure it has not been corrupted. Access control cannot ensure that file data have not been changed. A hashing algorithm can be used to mathematically ensure that data have not been changed: hash the file, store the hash, and compare a fresh hash against it after a suspected change; any difference in the file produces a different hash.
29
What is an advantage of sending messages using steganographic techniques as opposed to using encryption? A.The existence of messages is unknown. B.Required key sizes are smaller. C.Traffic cannot be sniffed. D.Reliability of the data is higher in transit.
A is the correct answer. Justification With steganography the existence of the message is hidden, because it is embedded in another file, such as a JPEG image. Some implementations count on security through obscurity and others require keys, which may or may not be smaller. Steganographic traffic can still be sniffed; the carrier file is visible even if its hidden content is not. The reliability of the data in transit is not relevant.
30
In which of the following system development life cycle phases are access control and encryption algorithms chosen? A.Procedural design B.Architectural design C.System design specifications D.Software development
C is the correct answer. Justification The procedural design converts structural components into a procedural description of the software. The architectural design phase identifies the overall system design but not the specifics. The system design specifications phase is where the security specifications, including the access control mechanism and the encryption algorithms, are chosen. Software development is too late a stage because during this phase the system is already being coded.
31
When a user employs a client-side digital certificate to authenticate to a web server through Secure Sockets Layer, confidentiality is MOST vulnerable to which of the following? A.Internet Protocol spoofing B.Man-in-the-middle attack C.Repudiation D.Trojan
D is the correct answer. Justification Internet Protocol spoofing will not work because the IP address is not used as an authentication mechanism. A man-in-the-middle attack is not possible against a Secure Sockets Layer session that uses client-side certificates, provided both sides validate each other's certificates, because the attacker can authenticate as neither party. Repudiation is unlikely because the client-side certificate authenticates the user. A Trojan is a program that gives the attacker control over the infected computer, allowing the attacker to hijack, copy or alter information after the user has authenticated; the encrypted channel offers no protection against an attacker already on the end point.
32
An enterprise is planning to deliver subscription-based educational services to customers online that will require customers to log in with their user IDs and passwords. Which of the following is the BEST method to validate passwords entered by a customer before access to educational resources is granted? A.Encryption B.Content filtering C.Database hardening D.Hashing
D is the correct answer. Justification Encryption is the application of an algorithm that converts the plaintext password to an encrypted form, but using encrypted passwords requires that they be decrypted for authentication, which exposes the actual password. The authentication mechanism would also need access to the encryption key, so anyone with the appropriate access to the server could decrypt every user's password; this is not a secure practice. Content filtering is not a component of password validation. Database hardening enhances the security of a database but does not assist with password validation. Hashing refers to a one-way algorithm that always produces the same output for the same input. When hashing passwords, only the hash value (output) is stored, not the password (input). When a user logs in, the authentication mechanism hashes the entered password and compares it to the stored hash; if they match, access is granted. The password cannot be derived directly from the hash, so a stolen hash does not immediately reveal the password. In practice each password must be hashed with a unique salt using a deliberately slow password-hashing function (for example PBKDF2, bcrypt, scrypt or Argon2), because a fast unsalted hash of a weak password can be guessed offline by hashing candidate passwords and comparing.
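
Added example (not from the original card) in Python of the two storage schemes the justification contrasts, together with the caveat it needs: a fast unsalted hash next to a salted, slow PBKDF2 record, and a small constructed wordlist attack that shows why the unsalted version is crackable offline and why two users who chose the same password must not end up with the same stored value. The user names, passwords and record format are assumptions for the example.

```python
import hashlib
import hmac
import os

# Weak scheme: one fast, unsalted hash. Every user with the same password gets
# the same stored value, and one precomputed table cracks all of them at once.
def store_weak(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def verify_weak(password: str, stored: str) -> bool:
    return hmac.compare_digest(store_weak(password), stored)

def crack_unsalted(stored_hashes, wordlist):
    """Offline attack against the weak scheme: hash the wordlist once and look
    every stolen hash up in the resulting table."""
    table = {store_weak(word): word for word in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}

# Hardened scheme: per-user random salt and a deliberately slow key derivation.
# 600,000 iterations is the OWASP Password Storage Cheat Sheet figure for
# PBKDF2-HMAC-SHA256; the record is self-describing so the cost can be raised later.
ITERATIONS = 600_000

def store_hardened(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_hardened(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak matching prefixes.
    return hmac.compare_digest(dk.hex(), hash_hex)

if __name__ == "__main__":
    # Constructed users; two of them chose the same password.
    weak_db = {user: store_weak(pw) for user, pw in
               [("ann", "hunter2"), ("raj", "hunter2"), ("eve", "Tr0ub4dor&3")]}
    print("weak records identical for ann and raj:", weak_db["ann"] == weak_db["raj"])
    print("cracked from one table:", crack_unsalted(weak_db.values(), ["123456", "password", "hunter2"]))
    rec_ann, rec_raj = store_hardened("hunter2"), store_hardened("hunter2")
    print("hardened records identical:", rec_ann == rec_raj)
    print("login ok:", verify_hardened("hunter2", rec_ann),
          "wrong password:", verify_hardened("hunter3", rec_ann))
```

With the salted record each guess has to be recomputed per user at the full iteration cost, which is what turns a wordlist that cracks the weak table instantly into an attack that is expensive per account.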
33
Q

Which of the following is the MOST important guideline when using software to scan for security exposures within a corporate network?

A.Never use open source tools.
B.Focus only on production servers.
C.Follow a linear process for attacks.
D.Do not interrupt production processes.

A

D is the correct answer.

Justification

Open source tools are an excellent resource for performing scans. Scans should focus on both the test and production environments because, if compromised, the test environment could be used as a platform for attacks on production servers. The process of scanning for exposures is a spiral process rather than a linear process. The first rule of scanning for security exposures is to not break anything. This includes interrupting any running production processes.
34
Q

Which of the following mechanisms is the MOST secure way to implement a secure wireless network?

A.Filter media access control addresses.
B.Use a Wi-Fi Protected Access protocol.
C.Use a Wired Equivalent Privacy key.
D.Use web-based authentication.

A

B is the correct answer.

Justification

Media access control (MAC) address filtering by itself is not a good security mechanism because allowed MAC addresses can be easily sniffed and then spoofed to get into the network. Wi-Fi Protected Access (WPA2) protocol is currently one of the most secure authentication and encryption protocols for mainstream wireless products. Wired Equivalent Privacy (WEP) is no longer a secure encryption mechanism for wireless communications. The WEP key can be easily broken within minutes using widely available software. Once the WEP key is obtained, all communications of every other wireless client are exposed. A web-based authentication mechanism can be used to prevent unauthorized user access to a network, but it will not solve the wireless network’s main security issues, such as preventing network sniffing.
35
Q

Which of the following choices is the WEAKEST link in the authorized user registration process?

A.The certificate authority’s private key
B.The registration authority’s private key
C.The relying party’s private key
D.A secured communication private key

A

B is the correct answer.

Justification

The certificate authority’s (CA’s) private key is heavily secured both electronically and physically and is extremely difficult to access by anyone. The registration authority’s (RA’s) private key is in the possession of the RA, often stored on a smart card or laptop, and is typically protected by a password and, therefore, is potentially accessible. If the RA’s private key is compromised, it can be used to register anyone for a certificate using any identity, compromising the entire public key infrastructure for that CA. The relying party’s private key, if compromised, only puts that party at risk. The private key used for secure communication will only pose a risk to the parties communicating.
36
Q

What is a desirable sensitivity setting for a biometric access control system that protects a high-security data center?

A.A high false reject rate
B.A high false acceptance rate
C.Lower than the crossover error rate
D.The exact crossover error rate

A

A is the correct answer.

Justification

Biometric access control systems are not infallible. When tuning the solution, one has to adjust the sensitivity level to give preference either to the false reject rate (FRR) (type I error rate), making the system more prone to erroneously denying access to a valid user, or to the false acceptance rate (FAR), making the system more prone to erroneously allowing access to an invalid user. The preferable setting will be in the FRR region of sensitivity. A high FAR will marginalize security by allowing too much unauthorized access. In systems in which the possibility of false rejects is a problem, it may be necessary to reduce sensitivity and thereby increase the number of false accepts. As the sensitivity of the biometric system is adjusted, the FRR and FAR change inversely. At one point, the two values intersect and are equal. This condition creates the crossover error rate, which is a measure of the system accuracy. A setting lower than the crossover error rate will create too high a FAR for a high-security data center. The crossover rate is sometimes referred to as equal error rate. In a very sensitive system, it may be desirable to minimize the number of false accepts—the number of unauthorized persons allowed access. To do this, the system is tuned to be more sensitive with a lower FAR, which causes the FRR—the number of authorized persons disallowed access—to increase.
37
Q

Which of the following is the MOST important item to consider when evaluating products to monitor security across the enterprise?

A.Ease of installation
B.Product documentation
C.Available support
D.System overhead

A

D is the correct answer.

Justification

Ease of installation, while important, would be secondary. Product documentation, while important, would be secondary. Available support, while important, would be secondary. Monitoring products can impose a significant impact on system overhead for servers and networks.
38
Q

Which of the following is the BEST approach to deal with inadequate funding of the information security program?

A.Eliminate low-priority security services.
B.Require management to accept the increased risk.
C.Use third-party providers for low-risk activities.
D.Reduce monitoring and compliance enforcement activities.

A

C is the correct answer.

Justification

Prioritizing information security activities is always useful, but eliminating even low-priority security services is a last resort. If budgets are seriously constrained, management is already addressing increases in other risk and is likely to be aware of the issue. A proactive approach to doing more with less will be well-received. Outsourcing of some information security activities can cut costs and increase resources for other security activities proactively, as can automation of some security procedures. Reducing monitoring activities may unnecessarily increase risk when lower-cost options to perform those functions may be available.
39
Q

A newly appointed security manager has innovative plans for the information security management program. What is the MOST critical factor to ensure the success of the proposed changes? Ensuring that:

A.senior leadership buys into the proposed changes.
B.all employees understand the proposed changes and are trained.
C.risk reduction efforts are quantified, documented, and communicated to the CISO.
D.policies, procedures, baselines, and guidelines reflect the proposed changes.

A

A is the correct answer.

Justification

Senior leadership support is the most important factor when building or changing an information security program, as management support will ensure that other resources are made available for the program to succeed. Employee understanding and training are important but come after program design and implementation. However, without senior leadership support, the program will not even get to that stage. While communicating the risk reduction achieved by the program to the CISO is important to ensure continued support, broad senior management support is vital to initiate the program. Policies, procedures, baselines, and guidelines are outcomes of the program after management commitment is secured.
40
Q

When setting up an information classification scheme, the role of the information owner is to:

A.ensure that all data on an information system are protected according to the classification policy.
B.determine the classification of information across the information owner's scope of responsibility.
C.identify all information that requires backup according to its criticality and classification.
D.delegate the classification of information to responsible information custodians.

A

B is the correct answer.

Justification

The information system owner is responsible for protecting data on an information system according to the information security policy and the mandate and classification of the information. The classification would have been set up earlier. The information owner must determine the classification of information across the role's scope of responsibility and ensure that information is classified consistently. Identification of all information that requires backup according to classification will happen after the information classification scheme has been set up. Ensuring backup of data is the role of the information custodian and operations group. The information owner may delegate the classification to another responsible manager; however, this is not the advised role in setting up the classification scheme.
41
Q

Which of the following factors BEST helps determine the appropriate protection level for an information asset?

A.The cost of acquisition and implementation of the asset
B.Knowledge of vulnerabilities present in the asset
C.The degree of exposure to known threats
D.The criticality of the business function supported by the asset

A

D is the correct answer.

Justification

The criticality of the asset is determined by the business value of the asset, not just the cost of the asset. The value is determined by the cost of acquisition and implementation of the asset. Knowledge of vulnerabilities helps in determining the protection method; however, protection is implemented based on the business value of the asset compared with the cost of the protection method. The degree of exposure may require certain treatment options, but the degree and extent of protection is still determined by criticality. Although all the options may help in determining the protection level of the asset, the criticality of the business function supported by the asset is the most important because nonavailability might affect the delivery of services.
42
Q

Asset classification should be MOSTLY based on:

A.business value.
B.book value.
C.replacement cost.
D.initial cost.

A

A is the correct answer.

Justification

Classification should be based on the value of the asset to the business, generally in terms of revenue production or potential impact on loss or disclosure of sensitive information. Book value is not an appropriate basis for classification. Replacement cost is not an appropriate basis for classification. Initial cost is not an appropriate basis for classification.
43
Q

Which of the following activities is MOST effective for developing a data classification schema?

A.Classifying critical data based on protection levels
B.Classifying data based on the possibility of leakage
C.Aligning the schema with data leak prevention tools
D.Building awareness of the benefit of data classification

A

D is the correct answer.

Justification

Data protection levels are decided based on classification or business value. Data are classified on business value and not on the possibility of leakage. Protection of the data may well be based on the possibility of leakage. Aligning the schema with data leak prevention (DLP) tools may help while automating protection, but the data classification schema already has to exist for it to align with DLP. While developing a data classification schema, it is most important that all users are made aware of the need for accurate data classification to reduce the cost of overprotection and the risk of underprotection of information assets.
44
Q

A company recently developed a breakthrough technology. Because this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected?

A.Access control policy
B.Data classification policy
C.Encryption standards
D.Acceptable use policy

A

B is the correct answer.

Justification

Without a mandated ranking of degree of protection, it is difficult to determine what access controls should be in place. Data classification policies define the level of protection to be provided for each category of data based on business value. Without a mandated ranking of degree of protection, it is difficult to determine what levels of encryption should be in place. An acceptable use policy is oriented more toward the end user and, therefore, would not specifically address what controls should be in place to adequately protect information.
45
Q

Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a publicly traded, multinational enterprise?

A.Strategic business plan
B.Upcoming financial results
C.Customer personal information
D.Previous financial results

A

D is the correct answer.

Justification

The strategic business plan is private information and should only be accessed by authorized entities. Upcoming financial results are private information and should only be accessed by authorized entities. Customer personal information is private information and should only be accessed by authorized entities. Previous financial results are public; all the other choices are private information and should only be accessed by authorized entities.
46
Q

The PRIMARY objective of asset classification is to:

A.maximize resource management.
B.comply with IT policy.
C.define information architecture.
D.determine protection level.

A

D is the correct answer.

Justification

Classification is one of many parts of resource management. The IT policy of an enterprise is determined based on business policies. Asset classification is an input to information architecture. Classification allows the appropriate protection level to be assigned to the asset.
47
Q

What is the PRIMARY benefit of performing an information asset classification?

A.It links security requirements to business objectives.
B.It identifies controls commensurate with impact.
C.It defines access rights.
D.It establishes asset ownership.

A

B is the correct answer.

Justification

Asset classification indirectly links security to business objectives on the basis of business value of assets. Classification levels are based on the business value (or potential impact) of assets and the stronger controls needed for higher classification. Classification does not define access rights. Classification does not establish ownership.
48
Q

When initially establishing an information security program, it is MOST important that managers:

A.examine and understand the culture within the enterprise.
B.analyze and understand the control system of the enterprise.
C.identify and evaluate the overall risk exposure of the enterprise.
D.examine and assess the security resources of the enterprise.

A

C is the correct answer.

Justification

Examining and understanding the culture within the enterprise is an important step in the overall evaluation process. Analyzing and understanding the control system is an essential step to determine what risk is addressed and what control objectives are currently in place. Identifying and evaluating the overall risk is most important, because it includes the other three elements, in addition to others. Examining and assessing security resources is important information in determining and evaluating overall risk and exposure of an enterprise.
49
Q

Which of the following is MOST important to achieve proportionality in the protection of enterprise information systems?

A.Asset classification
B.Risk assessment
C.Security architecture
D.Configuration management

A

A is the correct answer.

Justification

Asset classification is based on the criticality and sensitivity of information assets with the goal of providing the appropriate and, therefore, proportional degree of protection. Proper risk assessment requires assets to be classified; asset classification most directly impacts the mitigation efforts an enterprise will implement. Security architecture will be affected by asset classification and, to some extent, may affect how assets are classified; asset classification most directly impacts the mitigation efforts an enterprise will implement. Configuration management is likely to be affected by asset classification levels but is not directly related to information security.
50
Q

Assuming that the value of information assets is known, which of the following gives the information security manager the MOST objective basis for determining that the information security program is delivering value?

A.Number of controls
B.Cost of achieving control objectives
C.Effectiveness of controls
D.Test results of controls

A

B is the correct answer.

Justification

Number of controls has no correlation with the value of assets unless the effectiveness of the controls and their cost are also evaluated. A comparison of the cost of achievement of control objectives with the corresponding value of assets sought to be protected would provide a sound basis for the information security manager to measure value delivery. Effectiveness of controls has no correlation with the value of assets unless their costs are also evaluated. Test results of controls may determine their effectiveness but have no correlation with the value of assets.
51
Q

Which of the following is the PRIMARY prerequisite to implementing data classification within an enterprise?

A.Defining job roles
B.Performing a risk assessment
C.Identifying data owners
D.Establishing data retention policies

A

C is the correct answer.

Justification

Defining job roles is not relevant. Performing a risk assessment is important but will require the participation of data owners (who must first be identified). Identifying the data owners is the first step and is essential to implementing data classification. Establishing data retention policies may occur at any time.
52
Q

Which of the following choices BEST helps determine appropriate levels of information resource protection?

A.A business case
B.A vulnerability assessment
C.Asset classification
D.Asset valuation

A

C is the correct answer.

Justification

A business case may be useful to support the need for asset classification but does not by itself provide a basis for assignment at the individual resource level. Vulnerability assessment does not take into account criticality or sensitivity, which is the basis for assigning levels of information resource protection. Asset classification based on criticality and sensitivity provides the best basis for assigning levels of information resource protection. Asset valuation is not an adequate basis for determining the needed level of protection. For example, an asset can be very valuable from a cost standpoint but be neither critical to operations nor sensitive if exposed.
53
Q

An information security manager has two identical servers in the network subject to a viable threat but decides to harden only one of them. The MOST likely reason for this choice is that the second server:

A.handles only unimportant information.
B.will be unable to perform required tasks.
C.is placed so that it has no exposure.
D.has constant monitoring that precludes attack.

A

C is the correct answer.

Justification

Unimportant information may require less protection, but it is unlikely that it should be totally unprotected because it may provide an avenue into the rest of the network. It is unlikely that hardening a server will render it incapable of performing required tasks. If the second server has no exposure, there is no probability that a compromise can occur. Monitoring may indicate when an attack occurs but will not preclude an attack.
54
Q

Why is asset classification important to a successful information security program?

A.It determines the priority and extent of risk mitigation efforts.
B.It determines the amount of insurance needed in case of loss.
C.It determines the appropriate level of protection to the asset.
D.It determines how protection levels compare to peer enterprises.

A

C is the correct answer.

Justification

Classification does not determine the priority and extent of the risk mitigation efforts; prioritization of risk mitigation efforts is generally based on risk analysis or a business impact analysis. Classification does not establish the amount of insurance needed; insurance is often not a viable option. Classification is based on the value of the asset to the enterprise and helps establish the protection level in proportion to the value of the asset. Classification schemes differ from enterprise to enterprise and are often not suitable for benchmarking.
55
Q

Which of the following is the BEST method to determine classification of data?

A.Assessment of impact associated with compromise of data by the data owner
B.Compliance requirements defined in the information security policy
C.Requirements based on the protection level implemented for different datasets
D.Assessment of risk of data loss by the information security manager

A

A is the correct answer.

Justification

The classification of data is based upon the potential impact from loss or corruption. Compliance requirements are used as an input to risk assessment by considering risk associated with noncompliance. The protection level is determined based on the classification of data and not the other way around. Classification is not based upon risk; it is based upon impact (criticality or sensitivity or business value). The data owner determines the classification level.
56
Q

When creating an effective data-protection strategy, the information security manager must understand the flow of data and its protection at various stages. This is BEST achieved with:

A.a third-party vulnerability assessment.
B.a tailored methodology based on exposure.
C.an insurance policy for accidental data losses.
D.a tokenization system set up in a secure network environment.

A

B is the correct answer.

Justification

Vulnerability assessments, third-party or otherwise, do not provide information about data flow, risk or threats that is needed to create a data protection strategy. Enterprises classify data according to business value and risk exposure. The enterprise can then develop a sensible plan to invest budget and effort to create the data protection strategy based on the information gathered about the data assets. An insurance policy is a risk treatment option for the transfer/sharing of risk and does not provide the information necessary for creating a data protection strategy. Tokenization is a technique used to protect data, and not a method to ascertain data flow or other attributes relevant and necessary to create the data protection strategy.
57
Q

Which of the following BEST supports the principle of security proportionality?

A.Release management
B.Ownership schema
C.Resource dependency analysis
D.Asset classification

A

D is the correct answer.

Justification

Release management provides no indication that protection is proportionate to the value of the asset. An implemented ownership schema is one step in achieving proportionality, but other steps must also occur. Resource dependency analysis can reveal the level of protection afforded a particular system, but that may be unrelated to the level of protection of other assets. Classification provides the basis for protecting resources in relation to their importance to the enterprise; more important assets get a proportionally higher level of protection.
58
Q

The classification level of an asset must be PRIMARILY based on which of the following choices?

A.Criticality and sensitivity
B.Likelihood and impact
C.Valuation and replacement cost
D.Threat vector and exposure

A

A is the correct answer.

Justification

The extent to which an asset is critical to business operations or can damage the enterprise if disclosed is the primary consideration for the level of protection required. Asset classification is driven by criticality and sensitivity, not likelihood of compromise. Probability and frequency are considerations of risk and not the main consideration of asset classification. Threat vector and exposure together do not provide information on impact needed for classification.
59
Q

The information classification scheme should:

A.consider possible impact of a security breach.
B.classify personal information in electronic form.
C.be performed by the information security manager.
D.be based on a risk assessment.

A

A is the correct answer.

Justification

Data classification is determined by the business value of the asset (i.e., the potential impact on the business of the loss, corruption or disclosure of information). Classification of personal information in electronic form is an incomplete answer because it addresses a subset of organizational data. Information classification is performed by the data owner based on accepted security criteria. The risk to a particular asset is not the basis for classification; rather, the potential impact from compromise is the basis.
60
Q

Which of the following is the MOST important element of information asset classification?

A.Residual risk
B.Segregation of duties
C.Potential impact
D.Need to know

A

C is the correct answer.

Justification

Residual risk is unrelated to asset classification. Segregation of duties is a control unrelated to asset classification. Classification levels must be based on the level of impact that would occur as a result of compromise. Need to know is a control indirectly related to asset classification.
61
Q

Who should determine the appropriate classification of accounting ledger data located on a database server and maintained by a database administrator in the IT department?

A.Database administrator
B.Finance department management
C.Information security manager
D.IT department management

A

B is the correct answer.

Justification

The database administrator is the custodian of the data who would apply the appropriate security levels for the classification. Data owners are responsible for determining data classification; in this case, management of the finance department would be the owner of accounting ledger data. The security manager would act as an advisor and enforcer. The IT management is the custodian of the data who would apply the appropriate security levels for the classification.
62
Q

Who is accountable for ensuring that information is categorized and that specific protective measures are taken?

A.The security officer
B.Senior management
C.The end user
D.The custodian

A

B is the correct answer.

Justification

The security officer assumes responsibility, as this role supports and implements information security to achieve senior management objectives. While routine administration and operations of all aspects of security may be delegated, top management must retain overall accountability. The end user is not responsible for ensuring that information is categorized and that specific protective measures are taken. The custodian supports and implements information security measures as directed and is not responsible for ensuring that information is categorized and that specific protective measures are taken.
63
Q

Which of the following would be the BEST indicator of an asset’s value to an enterprise?

A.Risk assessment
B.Security audit
C.Certification
D.Classification

A

D is the correct answer.

Justification

Assessing the risk to resources will not determine their importance to the business. Security audits may provide an indication of the importance of particular resources but will be more focused on risk, vulnerabilities and compliance. Certification is the process of assessing compliance with a standard. Classification is the process of determining criticality and sensitivity of information resources (i.e., business value).
64
Q

Which of the following poses the GREATEST challenge to an enterprise seeking to prioritize risk management activities?

A.An incomplete catalog of information assets
B.A threat assessment that is not comprehensive
C.A vulnerability assessment that is outdated
D.An inaccurate valuation of information assets

A

D is the correct answer.

Justification

Enterprises are only able to prioritize items they know to exist. An incomplete catalog of information assets introduces the possibility that prioritization is overlooking assets that may have substantial value, unintentionally resulting in the implicit acceptance of risk that may exceed the risk appetite and tolerance. However, inaccurate valuation of known assets has a greater negative impact on prioritization than the possibility of certain high-value assets not being properly taken into account. Evaluating the threat environment is the most challenging aspect of risk assessment, and it is nearly always the case that a threat assessment excludes one or more threats. As a result, any prioritization effort must assume that the threat assessment is not comprehensive. It is common for a vulnerability assessment to be outdated at the start of each cycle of a risk management program prior to the start of risk management activities, but the influence of outdated vulnerability information is less a concern than inaccurate valuation of assets. Although prioritization on the basis of risk requires knowledge of threat, vulnerability and potential consequence, it is this last factor expressed in terms of value that is most influential when prioritizing risk management activities. If assets are valued incorrectly, otherwise justifiable decisions of how to prioritize activities may be incorrect.
65
Q

Which program element should be implemented FIRST in asset classification and control?

A.Risk assessment
B.Classification
C.Valuation
D.Risk mitigation

A

C is the correct answer.

Justification

Risk assessment is performed to identify and quantify threats to information assets that are selected by the first step, valuation. Classification is a step following valuation. Valuation is performed first to identify and understand the value of assets needing protection. Risk mitigation is a step following valuation based on the valuation.
66
Q

Which of the following is the MOST important to keep in mind when assessing the value of information?

A.The potential financial loss
B.The cost of recreating the information
C.The cost of insurance coverage
D.Regulatory requirements

A

A is the correct answer.

Justification

The potential for financial loss is always a key factor when assessing the value of information. The cost of recreating the information may be a contributor but not the key factor. The cost of insurance coverage may be a contributor but not the key factor. Regulatory requirements may be a contributor but not the key factor.
67
Q

Which of the following is the MOST important prerequisite to undertaking asset classification?

A.Threat analysis
B.Impact assessment
C.Controls evaluation
D.Penetration testing

A

B is the correct answer.

Justification

Threat analysis only identifies the threats that exist against enterprise assets. However, threat and impact need to be taken into account. The classification level is an indication of the value or importance of the asset to the enterprise. Impact assessments are needed to determine criticality and sensitivity, which form the basis for the classification level. Controls evaluation is needed after classification levels have been determined to ensure that the asset is protected according to the classification level. Penetration testing is not one of the prerequisites for conducting asset classification.
68
Q

Which of the following items is the BEST basis for determining the value of intangible assets?

A.Contribution to revenue generation
B.A business impact analysis
C.Threat assessment
D.Replacement costs

A

A is the correct answer.

Justification

The value of any business asset is generally based on its contribution to generating revenues for the enterprise, both in the present and in the future. A business impact analysis (BIA) is a process to determine the impact of losing the support of any resource. The BIA study will establish the escalation of that loss over time. It is predicated on the fact that senior management, when provided reliable data to document the potential impact of a lost resource, can make the appropriate decision. It may not take into account the long-term impact to revenue of losing intangible assets. Threat analysis is an evaluation of the type, scope and nature of events or actions that can result in adverse consequences; it provides identification of the threats that exist against enterprise assets. The threat analysis usually defines the level of threat and the likelihood of it materializing. Threat assessment is not concerned with asset value but with the probability of compromise. The replacement cost of intangible assets such as trade secrets typically cannot be calculated because replacement is impossible.
69
From an information security perspective, information that no longer supports the main purpose of the business should be: A.analyzed under the retention policy. B.protected under the information classification policy. C.analyzed under the backup policy. D.assessed by a business impact analysis.
A is the correct answer. Justification Information analyzed under the retention policy will determine whether the enterprise is required to maintain the data for business, legal or regulatory reasons. Keeping data that are no longer required consumes resources unnecessarily and, in the case of sensitive personal information, can increase the risk of data compromise. Whether information is protected under the information classification policy is an attribute that should be considered in the destruction and retention policy. There is no reason to back up information that is no longer of use to the enterprise, and it should be considered as part of the retention policy. A business impact analysis could help determine whether information supports the main objective of the business but would not indicate the action to take.
70
Most standard frameworks for information security show the development of an information security program as starting with: A.policy development and implementation of process. B.an internal audit and remediation of findings. C.a risk assessment and control objectives. D.resource identification and budgetary requirements.
C is the correct answer. Justification Policies are written to support objectives, which are determined by business requirements. Audits are conducted to determine compliance with control objectives. An information security program is established to close the gap between the existing state of controls (as identified by a risk assessment) and the state desired on the basis of business requirements, which will be obtained through the meeting of control objectives. A program must have objectives before resources can be allocated in pursuit of those objectives.
71
What should documented standards/procedures for the use of cryptography across the enterprise achieve? A.They should define the circumstances in which cryptography should be used. B.They should define cryptographic algorithms and key lengths. C.They should describe handling procedures of cryptographic keys. D.They should establish the use of cryptographic solutions.
A is the correct answer. Justification There should be documented standards/procedures for the use of cryptography across the enterprise; they should define the circumstances in which cryptography should be used. Procedures should cover the selection of cryptographic algorithms and key lengths but should not define them precisely. Procedures should address the handling of cryptographic keys. However, this is secondary to how and when cryptography should be used. The use of cryptographic solutions should be addressed but this is a secondary consideration.
72
Which of the following control measures BEST addresses integrity? A.Nonrepudiation B.Time stamps C.Biometric scanning D.Encryption
A is the correct answer. Justification Nonrepudiation is a control technique that addresses the integrity of information by ensuring that the originator of a message or transaction cannot repudiate (deny or reject) the message, so the message or transaction can be considered authorized, authentic and valid. Using time stamps is a control that addresses only one component of message integrity. Biometric scanning is a control that addresses access. Encryption is a control that addresses confidentiality; it may be an element of a data integrity scheme, but it is not sufficient to achieve the same level of integrity as the set of measures used to ensure nonrepudiation.
73
One of the MAIN benefits of reviewing the enterprise security architecture when developing an enterprise information security program is to: A.create strong security awareness among the decision-making entities. B.implement effective and efficient value-added security controls. C.enable compliance with security- and information-related regulations. D.facilitate the acceptance of information security roles and responsibilities.
B is the correct answer. Justification Every information security program is comprised of information security awareness campaigns and initiatives, and enterprise information security architecture (EISA) consists of people and process dimensions, thus helping to create a security-aware culture. However, these concepts are included as part of implementing the value-added controls. Information security programs include any activities or initiatives that protect and maintain enterprise information, technology, processes, and resources. Most information security program development activities involve designing, testing, and deploying strategic, technical, and operational controls that achieve risk management objectives, which is the main purpose of information security programs. An information security architecture showing current and future assets and scopes (technology, business, people, applications, processes, etc.) helps the enterprise build the most effective and efficient security controls. Although applicable information-related compliance requirements are part of business requirements and the information security program should address compliance with those requirements, this is not one of the main reasons to review the EISA during development of an information security program. Security architectures help with communication and collaboration among stakeholders, but information security management frameworks facilitate the information security stakeholders’ understanding of their roles, responsibilities, and expectations.
74
What is the PRIMARY goal of developing an information security program? A.To implement the strategy B.To optimize resources C.To deliver on metrics D.To achieve assurance
A is the correct answer. Justification The development of an information security program is usually seen as a manifestation of the information security strategy. Thus, the goal of developing the information security program is to implement the strategy. Optimizing resources can be achieved in an information security program once the program has been aligned to the strategy. Delivery of the metrics is a subset of strategic alignment with the information security program in an enterprise. Assurance of information security occurs upon the strategic alignment of the information security program.
75
What is the GREATEST benefit of decentralized security management? A.Reduction of the total cost of ownership B.Improved compliance with organizational policies and standards C.Better alignment of security with business needs D.Easier administration
C is the correct answer. Justification Reduction of the total cost of ownership is a benefit of centralized security management. Improved compliance is a benefit of centralized security management. Better alignment of security with business needs is the only answer that fits because the other choices are benefits of centralized security management. Easier administration is a benefit of centralized security management.
76
Which of the following security controls addresses availability? A.Least privilege B.Public key infrastructure C.Role-based access D.Contingency planning
D is the correct answer. Justification Least privilege is an access control that is concerned with confidentiality. Public key infrastructure is concerned with confidentiality and integrity. Role-based access limits access but does not directly address availability. Contingency planning ensures that the system and data are available in the event of a problem.
77
Which of the following challenges associated with information security documentation is MOST likely to affect a large, established enterprise? A.Standards change more slowly than the environment. B.Policies change faster than they can be distributed. C.Procedures are ignored to meet operational requirements. D.Policies remain unchanged for long periods of time.
A is the correct answer. Justification Large, established enterprises tend to have numerous layers of review and approval associated with changes to standards. These review mechanisms are likely to be outpaced by changes in technology and the risk environment. Policies are meant to reflect strategic goals and objectives. In small or immature enterprises, the policy model may be poorly implemented, resulting in rapid changes to policies that are treated more like standards, but this situation is unlikely to arise in a large, established enterprise. Large, established enterprises typically have formal training programs and internal controls that keep activities substantially in line with published procedures. Although policies should be subject to periodic review and not be regarded as static, properly written policies should require significant changes only when there are substantial changes in strategic goals and objectives. It is reasonable that a large, established enterprise would experience policy changes only rarely.
78
A control policy is MOST likely to address which of the following implementation requirements? A.Specific metrics B.Operational capabilities C.Training requirements D.Failure modes
D is the correct answer. Justification A control policy may specify a requirement for monitoring or metrics but will not define specific metrics. Operational capabilities will likely be defined in specific requirements or in a design document rather than in the control policy. There may be a general requirement for training but not control-specific training, which will be dependent on the particular control. A control policy will state the required failure modes in terms of whether a control fails open or fails closed, which has implications for safety, confidentiality and availability.
79
Information security should: A.focus on eliminating all risk. B.balance technical and business requirements. C.be driven by regulatory requirements. D.be defined by the board of directors.
B is the correct answer. Justification It is not practical or feasible to eliminate all risk. Information security should ensure that business objectives are met given available technical capabilities, resource constraints and compliance requirements. The extent of compliance with regulatory requirements is a business decision and must be defined by management. Defining information security is an executive and operational function, not a board function.
80
What is the MAIN objective for developing an information security program? A.To create the information security policy B.To maximize system uptime C.To develop strong controls D.To implement the strategy
D is the correct answer. Justification The policy should not be written for its own sake. To be effective, the policy must address the threat and risk landscape that is usually the basis for strategy development. The degree of uptime required will be defined as a part of strategy development balanced against costs. Not all controls need to be strong, and the degree of control must be determined by cost-effectiveness, impact on productivity and other factors. The information security strategy provides a development road map to which the program is built.
81
The MOST direct way to accurately determine the control baseline in an IT system is to do which of the following activities? A.Review standards and system compliance. B.Sample hardware and software configurations. C.Review system and server logs for anomalies. D.Perform internal and external penetration tests.
A is the correct answer. Justification A control baseline is obtained by reviewing the standards to determine whether the baseline falls within the boundaries set by the standards. Sampling hardware configurations without knowing the control requirements reflected in the standards provides information on the current state but not on how that state relates to the intended state. Anomalies in system logs do not necessarily indicate that baseline security is incorrect, nor does an absence of abnormalities mean that the baseline is correct. Penetration tests that reveal vulnerabilities must be evaluated in the context of the control requirements set by the standard.
82
When corporate standards change due to new technology, which of the following choices is MOST likely to be impacted? A.Organizational policies B.The risk assessment approach C.Control objectives D.Systems security baselines
D is the correct answer. Justification Properly developed organizational policies are not likely to require any change when corporate standards change due to new technology. Risk assessment is a process used to identify and evaluate risk and its potential effects. Approaches to assessing risk probably will not need to change when corporate standards change due to new technology. A control objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular process. Properly developed control objectives are not likely to require any changes when corporate standards change due to new technology. Because security baselines are set by standards, it is most likely that a change in some standards will necessitate a review and possible changes in baseline security.
83
Which of the following is an advantage of a centralized information security organizational structure? A.It is easier to promote security awareness. B.It is easier to manage and control. C.It is more responsive to business unit needs. D.It provides a faster turnaround for security requests.
B is the correct answer. Justification Decentralization allows the use of field security personnel as security missionaries or ambassadors to spread the security awareness message. It is easier to manage and control a centralized structure. Promoting security awareness is an advantage of decentralization. Decentralized operations allow security administrators to be more responsive. Being close to the business allows decentralized security administrators to achieve a faster turnaround than that achieved in a centralized operation.
84
The requirement for due diligence is MOST closely associated with which of the following? A.The right to audit B.Service level agreements C.Appropriate standard of care D.Periodic security reviews
C is the correct answer. Justification The right to audit is an important consideration when evaluating an enterprise but is not as closely related to the concept of due diligence. Service level agreements are an important consideration when evaluating an enterprise but are not as closely related to the concept of due diligence. The standard of care is most closely related to due diligence. It is based on the legal notion of the steps that would be taken by a person of similar competency in similar circumstances. Periodic security reviews are not as closely related to due diligence.
85
Information security frameworks can be MOST useful for the information security manager because they: A.provide detailed processes and methods. B.are designed to achieve specific outcomes. C.provide structure and guidance. D.provide policy and procedure.
C is the correct answer. Justification Frameworks are general structures and will not provide detailed processes and methods. Frameworks do not specify particular outcomes but may provide the structure to assess outcomes against requirements. Frameworks are like a skeleton; they provide the outlines and basic structure but not the specifics of process and outcomes. Frameworks do not specify or provide policies and procedures. The creation of policy/procedure documents is left to the implementer who may follow a documentation framework.
86
Which of the following measures is the MOST effective deterrent against disgruntled staff abusing their privileges? A.Layered defense strategy B.System audit log monitoring C.Signed acceptable use policy D.High-availability systems
C is the correct answer. Justification A layered defense strategy would only prevent those activities that are outside the user’s privileges. System audit log monitoring is after the fact and may not be effective. A signed acceptable use policy is often an effective deterrent against malicious activities because of the stated potential for termination of employment and/or legal actions being taken against the individual. High-availability systems do not deter staff abusing privileges.
87
Which of the following will BEST prevent an employee from using a universal serial bus (USB) drive to copy files from desktop computers? A.Restrict the available drive allocation on all personal computers. B.Disable USB ports on all desktop devices. C.Conduct frequent awareness training with noncompliance penalties. D.Establish strict access controls to sensitive information.
A is the correct answer. Justification Restricting the ability of a personal computer to allocate new drive letters ensures that universal serial bus (USB) drives or even compact disc-writers cannot be attached because they would not be recognized by the operating system. Disabling USB ports on all machines is not practical because mice and other peripherals depend on these connections. Awareness training does not prevent copying of information. Access controls do not prevent copying.
87
The effectiveness of segregation of duties may be MOST seriously compromised when: A.user IDs of terminated staff remain active in application systems. B.access privileges are accumulated based on previous job functions. C.application role-based access deviates from the organizational hierarchies. D.role mining tools are used in the access privilege review.
B is the correct answer. Justification It is not desirable to leave user IDs of terminated personnel or contractors active in the systems because it increases the potential for unauthorized access. However, the risk related to not effectively managing terminated users is an access management issue, not a segregation of duties issue. When the changing of user roles is not adequately managed, access privileges may cross the boundary of segregation of duties. This often happens when a user’s role changes as part of a promotion or transfer, and the user is assigned new system privileges to fulfill the new role but the privileges of the previous role are not removed. Role-based access is built on the premise that users are granted those privileges that they need to perform their daily job functions (roles). These may not necessarily be aligned with the organizational hierarchies. Using role mining tools in the access entitlement review may enhance the efficiency and effectiveness of the process, particularly in large and complex environments.
88
Which item would be the BEST to include in the information security awareness training program for new general staff employees? A.Review of various security models B.Discussion of how to construct strong passwords C.Review of roles that have privileged access D.Discussion of vulnerability assessment results
B is the correct answer. Justification A review of various security models would not be applicable to general staff employees. All new employees will need to understand techniques for the construction of strong passwords. A review of roles that have privileged access would not be applicable to general staff employees. A discussion of vulnerability assessment results would not be applicable to general staff employees.
89
The MOST effective way to limit actual and potential impacts of e-discovery in the event of litigation is to: A.implement strong encryption of all sensitive documentation. B.ensure segregation of duties and limited access to sensitive data. C.enforce a policy of not writing or storing potentially sensitive information. D.develop and enforce comprehensive retention policies.
D is the correct answer. Justification Encryption will not prevent the legal requirements to produce documents in the event of legal conflicts. Limiting access to sensitive information based on the need to know may limit which personnel can testify during legal proceedings but will not limit the requirement to produce existing documents. While some enterprises have practiced a policy of not committing to writing issues of dubious legality, it is not a sound practice and may violate a variety of laws. Compliance with legally acceptable defined retention policies will limit exposure to the often difficult and costly demands for documentation during legal proceedings such as lawsuits.
90
Which of the following tasks should the information security manager do FIRST when business information has to be shared with external entities? A.Execute a nondisclosure agreement. B.Review the information classification. C.Establish a secure communication channel. D.Enforce encryption of information.
B is the correct answer. Justification Execution of a nondisclosure agreement may be needed after the classification of the data to be shared is determined. The information security manager should first determine whether sharing the information poses a risk for the enterprise based on the information classification. Whether a secure channel is needed is a function of the classification of data to be shared. Encryption requirements will be determined as a function of the classification of data to be shared.
91
A newly hired information security manager notes that existing information security practices and procedures appear ad hoc. Based on this observation, the next action should be to: A.assess the commitment of senior management to the program. B.assess the maturity level of the enterprise. C.review the corporate standards. D.review corporate risk management practices.
C is the correct answer. Justification While management may not be exercising due care, it is concerned enough to engage a new information security manager. Assessing the commitment of senior management will not address the immediate concern of ad hoc practices and procedures. It is evident from the initial review that maturity is very low and efforts required for a complete assessment are not warranted. It may be better to address the immediate problem of ad hoc practices and procedures. The absence of current, effective standards is a concern that must be addressed promptly. It is apparent that risk management is not being practiced; establishing an effective program will take time. A more prudent initial activity is to implement basic controls.
92
What is the PRIMARY purpose of segregation of duties? A.Employee monitoring B.Reduced supervisory requirements C.Fraud prevention D.Enhanced compliance
C is the correct answer. Justification Segregation of duties (SoD) is unrelated to monitoring. As a secondary benefit, some reduction in supervision may be possible. SoD is primarily used to prevent fraudulent activities. If SoD is a policy requirement, then a secondary benefit is enhanced compliance. However, the policy exists to reduce fraud.
92
Who should be involved in the design of information security procedures to ensure they are functional and accurate? A.End users B.Legal counsel C.Operational units D.Audit management
C is the correct answer. Justification End users are normally not involved in procedure development other than testing. Legal counsel is normally not involved in procedure development. Procedures at the operational level must be developed by or with the involvement of operational units that will use them. This will ensure that they are functional and accurate. Audit management generally oversees information security operations but does not get involved at the procedural level.
93
Which of the following is the PRIMARY reason to change policies during program development? A.The policies must comply with new regulatory and legal mandates. B.Appropriate security baselines are no longer set in the policies. C.The policies no longer reflect management intent and direction. D.Employees consistently ignore the policies.
C is the correct answer. Justification Regulatory requirements typically are better addressed with standards and procedures than with high-level policies. Standards set security baselines, not policies. Policies must reflect management intent and direction. Policies should be changed only when management determines that there is a need to address new business requirements. Employees not abiding by policies is a compliance and enforcement issue rather than a reason to change the policies.
94
The PRIMARY reason for initiating a policy exception process is when: A.operations are too busy to comply. B.the risk is justified by the benefit. C.policy compliance would be difficult to enforce. D.users may initially be inconvenienced.
B is the correct answer. Justification Being busy is not a justification for policy exceptions. Exceptions to policy are warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits. The fact that compliance cannot be enforced is not a justification for policy exceptions. User inconvenience is not a reason to automatically grant exception to a policy.
95
The enactment of policies and procedures for preventing hacker intrusions is an example of an activity that belongs to: A.risk management. B.compliance. C.IT management. D.governance.
D is the correct answer. Justification Risk management is about identifying risk and adequate countermeasures and would be concerned if such policies and procedures were necessary, based on a risk analysis. However, the enactment does not fall into the area of risk management. Compliance would be concerned with the adequacy of the policies and procedures to achieve the control objectives and whether employees acted according to the policies and procedures. IT management would be concerned about setting the policies into operation (e.g., by providing training and resources). Governance is concerned with implementing adequate mechanisms for ensuring that organizational goals and objectives can be achieved. Policies and procedures are common governance mechanisms.
96
Who has the inherent authority to grant an exception to information security policy? A.The business process owner B.The departmental manager C.The policy approver D.The information security manager
C is the correct answer. Justification The business process owner is typically required to enforce the policy and would not normally have the authority to grant an exception. The departmental manager cannot approve an exception to policy because the role is not responsible for the policy delivering its promised results. The person or body empowered to approve a policy is empowered to grant exceptions to it because in approving it, the individual assumed responsibility for the results that it promises to deliver. The information security manager cannot approve an exception to policy because the role is not responsible for the policy delivering its promised results.
97
The relationship between policies and corporate standards can BEST be described by which of the following associations? A.Standards and policies have only an indirect relationship. B.Standards provide a detailed description of the meaning of a policy. C.Standards provide direction on achieving compliance with policy intent. D.Standards can exist without a relationship to any particular policy.
C is the correct answer. Justification In most cases, there is a direct relationship between policy and corporate standards. Corporate standards generally do not provide details on the meaning of policy, rather on the acceptable limits needed to comply with policy intent. Corporate standards set the allowable limits and boundaries for people, processes and technology as an expression of policy intent and, therefore, provide direction on policy compliance. It would be a poor practice to have corporate standards not directly expressing the intent of a particular policy. To the extent that they exist, they should rely on an implicit policy.
98
Which of the following choices is MOST strongly supported by effective management of information assets? A.An information/data dictionary B.A data classification program C.An information-based security culture D.A business-oriented risk policy
D is the correct answer. Justification An information/data dictionary is a useful management tool but is only one aspect of holistic information asset management. A data classification program helps to prioritize asset protection based on business value, but management of information assets goes beyond asset protection. The security culture of an enterprise does not drive the effectiveness or efficiency of information assets. A risk policy that is oriented to business needs promotes the achievement of organizational objectives. The holistic risk-based approach to the management of information assets includes and addresses a broad range of factors such as data linkages, privacy, business orientation and risk relevance, which in turn help the assets to be managed in an effective and efficient manner.
99
What is the MOST important item to be included in an information security policy? A.The definition of roles and responsibilities B.The scope of the security program C.The key objectives of the security program D.Reference to procedures and standards of the security program
C is the correct answer. Justification The definition of roles and responsibilities is part of implementing an information security governance framework. The scope of the security program should be defined in the charter of the information security program. Stating the objectives of the security program is the most important element to ensure alignment with business goals. Reference to standards that interpret the policy may be included, but the multitude of procedures controlled by those standards would not normally be referenced.
100
Which of the following do security policies need to be MOST closely aligned with? A.Industry good practices B.Organizational needs C.Generally accepted standards D.Local laws and regulations
B is the correct answer. Justification Good practices are generally a substitute for a clear understanding of what exactly is needed in a specific enterprise and may be too much or too little. Policies must support the needs of the enterprise. Generally accepted standards do not exist; they are always tailored to the requirements of the enterprise. Local law and regulation compliance may be identified in policies but would only be a small part of overall policies that must support the needs of the enterprise.
101
Which of the following is the MOST likely outcome of a well-designed information security awareness course? A.Increased reporting of security incidents to the incident response function B.Decreased reporting of security incidents to the incident response function C.Decrease in the number of password resets D.Increase in the number of identified system vulnerabilities
A is the correct answer. Justification A well-organized information security awareness course informs all employees of existing security policies, the importance of following safe practices for data security, and the need to report any possible security incidents to the appropriate individuals in the enterprise. Decreased reporting of security incidents would not be a likely outcome. A decrease in the number of password resets would not be a likely outcome. An increase in the number of identified system vulnerabilities would not be a likely outcome.
102
What is the MOST cost-effective means of improving security awareness of staff personnel? A.Employee monetary incentives B.User education and training C.A zero-tolerance security policy D.Reporting of security infractions
B is the correct answer. Justification Incentives perform poorly without user education and training. User education and training is the most cost-effective means of influencing staff to improve security because personnel are the weakest link in security. Unless users are aware of the security requirements, a zero-tolerance security policy would not be as good as education and training. Users would not have the knowledge to accurately interpret and report violations without user education and training.
103
Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)?

A.Card key door locks
B.Photo identification
C.Biometric scanners
D.Awareness training

D is the correct answer.

Justification

Card key door locks are a physical control that by itself would not be effective against tailgating. Photo identification is a detective control that by itself would not prevent tailgating. Biometric scanners would not prevent tailgating. Awareness training is more likely to result in any attempted tailgating being challenged by the authorized employee.
104
Due to limited storage media, an IT operations employee has requested permission to overwrite data stored on a magnetic tape. The decision of the authorizing manager will MOST likely be influenced by the data:

A.classification policy.
B.retention policy.
C.creation policy.
D.leakage protection.

B is the correct answer.

Justification

The data classification policy addresses who can access or modify data. It is more focused on ensuring that confidential data do not fall into the wrong hands. The data retention policy will specify the time that must lapse before data can be overwritten or deleted. Security architecture will be affected by asset classification and, to some extent, may affect how assets are classified; asset classification most directly impacts the mitigation efforts an enterprise will implement. Leakage protection ensures confidentiality of corporate data.
105
Policies regarding the use of bring your own device (BYOD) should include:

A.the need to return the device when leaving the enterprise.
B.the requirement to protect sensitive data on the device.
C.limitations on which applications can be installed on the device.
D.the ability for security to seize the device as part of an investigation.

B is the correct answer.

Justification

Because it is a personal device, it is unlikely that the enterprise can require it to be returned. The enterprise must proactively ensure that data on personal devices are protected. The enterprise may require the use of a virtual environment on the personal device to provide isolation, but the enterprise cannot control the personal applications loaded onto the device. In the event of an investigation, the device may be seized by law enforcement, but it is not expected that security will have the authority to seize the device. Varying standards of privacy and other forms of legal protection around the world make it difficult to apply common standards to private seizure of personal devices even if an internal investigation may be warranted.
106
The MOST important characteristic of good security policies is that they:

A.state expectations of IT management.
B.state only one general security mandate.
C.are aligned with organizational goals.
D.govern the creation of procedures and guidelines.

C is the correct answer.

Justification

Stating expectations of IT management omits addressing overall organizational goals and objectives. Stating only one general security mandate is the next best option because policies should be clear; otherwise, policies may be confusing and difficult to understand and enforce. The most important characteristic of good security policies is that they are aligned with organizational goals. Failure to align policies and goals makes them ineffective and potentially misleading in governing the creation of standards and procedures. Policies are created with the objective to govern the creation of procedures and guidelines by design.
107
Which of the following will the data backup policy contain?

A.Criteria for data backup
B.Personnel responsible for backup
C.A data backup schedule
D.A list of systems to be backed up

A is the correct answer.

Justification

A policy is a high-level statement of management intent and will essentially contain the criteria to be followed for backing up any data such as critical data, confidential data and project data, and the frequency of backup. A list of personnel responsible for backup is a procedural detail and will not be included in the data backup policy. A data backup schedule is a procedural detail and will not be included in the data backup policy. A list of systems to be backed up is a procedural detail and will not be included in the data backup policy.
108
Which of the following will require the MOST effort when supporting an operational information security program?

A.Reviewing and modifying procedures
B.Modifying policies to address changing technologies
C.Writing additional policies to address new regulations
D.Drafting standards to address regional differences

A is the correct answer.

Justification

When an information security program is operational, few changes to policies or standards will be needed. Procedures, however, are designed at a more granular level and will require reasonably frequent modification. Because procedures are more detailed and can be technology specific, there are generally far more procedures than standards or policies. Consequently, review and modification of procedures will consume the majority of effort. While technology does change, it is relatively rare for a technology shift to be so disruptive as to require a modification of policy. Most technological changes should be addressed at lower levels (e.g., in standards or procedures). New regulations may require the creation of a new policy, but this does not happen nearly as often or consume as much time in an operational program as the review and modification of procedures. Global enterprises may need to customize policy through the use of regional standards, but an operational program will already have most of these standards in place. Even where they need to be drafted, the level of effort required to customize policy by region is less than what will be needed to review and modify the vast body of procedures that change more frequently.
109
What is the MOST likely reason that an organizational policy can be eliminated?

A.There is no credible threat.
B.The policy is ignored by staff.
C.Underlying standards are obsolete.
D.The policy is not required by regulatory requirements.

A is the correct answer.

Justification

If it is certain that there is no threat, then there is no risk and a policy is not needed to address it. Noncompliance is not a good reason to eliminate a policy. If the standards are obsolete, then they should be brought current, but that is not a reason to eliminate the policy. If there is a potential risk, then there is a reason to have the policy, independent of whether regulation mandates that particular control.
109
What is the BEST means to standardize security configurations in similar devices?

A.Policies
B.Procedures
C.Technical guides
D.Baselines

D is the correct answer.

Justification

Policies set high-level direction, not technical details. Procedures are used to provide instructions on accomplishing specific tasks. Technical guides provide support but not necessarily the requirements. Baselines describe the minimum configuration requirements across similar devices, activities or resources.
110
Which of the following areas BEST addresses the interaction among systems and their relation to the core business process of an enterprise?

A. Business architecture
B. Data architecture
C. Application architecture
D. Technical architecture

C is the correct answer.

Justification

Business architecture defines the business strategy, governance, organization, and key business processes of the enterprise. Data architecture describes the structure of an enterprise’s logical and physical data assets and the associated data management resources. Application architecture provides a blueprint for the individual application systems to be deployed, the interaction among the application systems, and their relationship to the core business processes of the enterprise with the frameworks for services to be exposed as business functions for integration. Technical architecture describes the hardware, software, and network infrastructure needed to support the deployment of core mission-critical applications.
111
Which of the following is the MOST appropriate control to address compliance with specific regulatory requirements?

A.Policies
B.Standards
C.Procedures
D.Guidelines

B is the correct answer.

Justification

Policies are a statement of management intent, expectations and direction and should not address the specifics of regulatory compliance. Standards set the allowable boundaries for technologies, procedures and practices and thus are the appropriate documentation to define compliance requirements. Procedures are developed in order to provide instruction for meeting standards but cannot be developed without established standards. Guidelines are not mandatory and will not normally address issues of regulatory compliance.
112
Which of the following should be included in a good privacy statement?

A.A notification of liability on accuracy of information
B.A notification that information will be encrypted
C.A statement of what the company will do with information it collects
D.A description of the information classification process

C is the correct answer.

Justification

A notification of liability on accuracy of information should be located in the website’s disclaimer. Although encryption may be applied, this is not generally disclosed. Most privacy laws and regulations require disclosure on how information will be used. Information classification is unrelated to privacy statements and would be contained in a separate policy.
113
Which of the following is the MOST important information to include in an information security standard?

A.Creation date
B.Author name
C.Initial draft approval date
D.Last review date

D is the correct answer.

Justification

The creation date is not that important. The name of the author is not that important. The initial draft date is not that important. The last review date confirms the currency of the standard, affirming that management has reviewed the standard to assure that nothing in the environment has changed that would necessitate an update to the standard.
114
An information security manager determines that management of risk is inconsistent across a mature enterprise, creating a weak link in overall protection. The MOST appropriate initial response for the information security manager is to:

A.escalate to the steering committee.
B.review compliance with standards.
C.write more stringent policies.
D.increase enforcement.

B is the correct answer.

Justification

The steering committee may be able to assist in achieving better compliance after it has been established by audit. The steering committee is an executive management-level committee that assists in the delivery of the security strategy, oversees day-to-day management of service delivery and IT projects, and focuses on implementation. A mature enterprise will have a complete suite of policies and standards, and inconsistent risk treatment is most likely to be inconsistent compliance with standards. Policies need to be reviewed to determine whether they are adequate. The problem may be with enforcement. Enforcement can only be as effective as the policies it supports. Increasing enforcement prior to determining the issues would not be the best initial response.
115
An enterprise has decided to implement bring your own device (BYOD) for laptops and mobile phones. What should the information security manager focus on FIRST?

A.Advising against implementing BYOD because of a security risk
B.Preparing a business case for new security tools for BYOD
C.Updating the security awareness program to include BYOD
D.Determining an information security strategy for BYOD

D is the correct answer.

Justification

The enterprise has already made the decision to implement bring your own device (BYOD). The security manager’s role is to identify and communicate the risk and determine how to implement this decision in the most secure way. A business case can be prepared if new tools are required for implementing BYOD; however, this requirement will be based on the security strategy. The security strategy must take into account BYOD before the security awareness program may be updated to include it. The information security manager should determine whether the existing strategy can accommodate BYOD and, if not, then what changes are needed. A risk assessment and other tools may be part of this process.
116
The output of the risk management process is an input for making:

A.business plans.
B.audit charters.
C.security policy decisions.
D.software design decisions.

C is the correct answer.

Justification

Business plans are an output of management translating strategic aspirations into attainable business goals. Business plans provide background, goal statements and plans for reaching those goals. Audit charters are documents describing the purpose, rights and responsibilities of the audit function. They do not rely on the risk assessment process. The risk management process detects changes in the risk landscape and leads to changes in security policy decisions. Software design decisions are based on stakeholder needs, not on the risk management process.
117
Which of the following is the BEST resource to ensure the proper handling and destruction of data?

A. Data classification policy
B. Information security policy
C. Data retention policy
D. Acceptable use policy

C is the correct answer.

Justification

A data classification policy outlines a framework for classifying data based on its criticality and sensitivity to the organization. An information security policy outlines how assets should be used and protected. An organization’s records retention policy will outline how to handle data, including how long to retain the data, and what to do with the data when the retention limit has been reached. An acceptable use policy outlines appropriate use of assets and data.
118
Requiring all employees and contractors to meet personnel security/suitability requirements commensurate with their position’s sensitivity level and subject to personnel screening is an example of a security:

A.policy.
B.strategy.
C.guideline.
D.baseline.

A is the correct answer.

Justification

A security policy is a general statement to define management objectives with respect to security. The security strategy is the plan to achieve security objectives and it does not provide guidance at the employee/contractor level. Guidelines are optional actions and helpful narrative and do not provide guidance at the employee/contractor level. A security baseline is a set of minimum security requirements that is acceptable to an enterprise and it does not provide guidance at the employee/contractor level.
119
“Sensitive data must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure” is a statement that would MOST likely be found in a:

A.guideline.
B.policy.
C.procedure.
D.standard.

B is the correct answer.

Justification

A guideline is a suggested action that is not mandatory. A policy is a principle that is used to set direction in an enterprise. It can be a course of action to steer and influence decisions. The wording of the policy must make the course of action mandatory and it must set the direction. A procedure is a particular way of accomplishing something. A standard sets the allowable boundaries for people, processes and technologies that must be met to meet the intent of the policy.
120
Which of the following are seldom changed in response to technological changes?

A.Standards
B.Procedures
C.Policies
D.Guidelines

C is the correct answer.

Justification

Security standards must be revised and updated based on the impact of technology changes. Procedures must be revised and updated based on the impact of technology or standards changes. Policies are high-level statements of management intent and direction, which is not likely to be affected by technological changes. Guidelines must be revised and updated based on the impact of technology changes.
121
The formal declaration of organizational information security goals and objectives should be found in the:

A.information security procedures.
B.information security principles.
C.employee code of conduct.
D.information security policy.

D is the correct answer.

Justification

Security procedures are usually detailed as step-by-step actions to ensure that activities meet a given standard and cannot be considered as a formal declaration of organizational information security goals. Security principles are not always enterprise-specific and cannot be considered as a formal declaration of organizational information security goals. An employee code of conduct is a declaration of procedural requirements that may encompass more guidance than information security. The information security policy is management’s formal declaration of security goals and objectives.
122
An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?

A.Ethics
B.Proportionality
C.Integration
D.Accountability

B is the correct answer.

Justification

Ethics is expected to be part of all job roles but has no relation to types of data access. Ethics has no relevance to mapping a job description to types of data access. Information security controls, including access, should be proportionate to the criticality and/or sensitivity of the asset (i.e., the potential impact of compromise). This is termed the principle of proportionality. Principles of integration are not relevant to mapping a job description to types of data access. The principle of accountability would be the second most-adhered-to principle because people with access to data may not always be accountable.
123
How will data owners determine what access and authorizations users will have?

A.Delegating authority to data custodian
B.Cloning existing user accounts
C.Determining hierarchical preferences
D.Mapping to business needs

D is the correct answer.

Justification

Data custodians implement the decisions made by data owners. Access and authorizations are not to be assigned by cloning existing user accounts. By cloning, users may obtain more access rights and privileges than are required to do their job. Access and authorizations should be based on a need-to-know basis. Hierarchical preferences may be based on individual preferences and not on business needs. Access and authorizations should be based on business needs.
124
Information security policy development should PRIMARILY be based on:

A.vulnerabilities.
B.exposures.
C.threats.
D.impacts.

C is the correct answer.

Justification

Absent a threat, vulnerabilities do not pose a risk. Vulnerability is defined as a weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse impacts from threat events. Exposure is only important if there is a threat. Exposure is defined as the potential loss to an area due to the occurrence of an adverse event. Policies are developed in response to perceived threats. If there is no perceived threat, there is no need for a policy. A threat is defined as anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. Impact is not an issue if no threat exists. The impact is generally quantified as a direct financial loss in the short term or an ultimate (indirect) financial loss in the long term.
125
What is the MOST important reason for formally documenting security procedures?

A.Ensure processes are repeatable and sustainable.
B.Ensure alignment with business objectives.
C.Ensure auditability by regulatory agencies.
D.Ensure objective criteria for the application of metrics.

A is the correct answer.

Justification

Without formal documentation, it would be difficult to ensure that security processes are performed correctly and consistently. Alignment with business objectives is not a function of formally documenting security procedures. Processes should not be formally documented merely to satisfy an audit requirement. Although potentially useful in the development of metrics, creating formal documentation to assist in the creation of metrics is a secondary objective.
126
What is the BEST method to verify that all security patches applied to servers were properly documented?

A.Trace operating system (OS) patch logs to OS vendor’s update documentation.
B.Trace change control requests to OS patch logs.
C.Trace OS patch logs to change control requests.
D.Review change control documentation for key servers.

C is the correct answer.

Justification

Comparing patches applied to those recommended by the OS vendor’s website does not confirm that the security patches were properly approved and documented. Tracing from the documentation to the patch log will not indicate if some patches were applied without being documented. To ensure that all patches applied went through the change control process, it is necessary to use the operating system (OS) patch logs as a starting point and then check to see if change control documents are on file for each of the changes. Reviewing change control documents for key servers does not confirm that security patches were properly approved and documented.
127
How would an enterprise know if its new information security program is accomplishing its goals?

A.Key metrics indicate a reduction in incident impacts.
B.Senior management has approved the program and is supportive of it.
C.Employees are receptive to changes that were implemented.
D.There is an immediate reduction in reported incidents.

A is the correct answer.

Justification

An effective security program will show a trend in impact reduction. Senior management support may result from a performing program but is not as significant as key metrics indicating a reduction in incident impacts. Receptive employees may result from a performing program but are not as significant as key metrics indicating a reduction in incident impacts. An immediate reduction in reported incidents is likely to be from other causes and not a good indicator of the program achieving its goals.
128
An enterprise has recently developed and approved an access control policy. Which of the following will be MOST effective in communicating the access control policy to the employees?

A.Requiring employees to formally acknowledge receipt of the policy
B.Integrating security requirements into job descriptions
C.Making the policy available on the intranet
D.Implementing an annual retreat for employees on information security

A is the correct answer.

Justification

Requiring employees to formally acknowledge receipt of the policy does not guarantee that the policy has been read or understood but establishes employee acknowledgment of the existence of the new policy. Each communication should identify a point of contact for follow-up questions. Current employees do not necessarily reread job descriptions that would contain the new policy. Making the policy available on the intranet does not ensure that the document has been read, nor does it create an audit trail that establishes that employees have been made aware of the policy. An annual event may not be timely and may not rectify significant gaps in awareness.
129
Which of the following are likely to be updated MOST frequently?

A.Procedures for hardening database servers
B.Standards for password length and complexity
C.Policies addressing information security governance
D.Standards for document retention and destruction

A is the correct answer.

Justification

Procedures, especially with regard to the hardening of operating systems, will be subject to constant change; as operating systems change and evolve, the procedures for hardening will have to keep pace. Standards should generally be more static and less subject to frequent change. Well-conceived, mature policies will rarely require change. Standards regarding document retention and destruction will rarely need to be changed.
130
The newly appointed chief information security officer (CISO) of a pharmaceutical company is given the task of creating information security procedures for all departments in the company. Which one of the following groups should the CISO initially approach to write the procedures?

A.Legal department
B.End users
C.Senior management
D.Operations department

D is the correct answer.

Justification

The legal department is not typically involved in writing procedures, except for its own procedures. End users are not typically involved in writing procedures. Senior management would not be directly involved in the writing of security procedures. The operations group has firsthand knowledge of organizational processes and responsibilities and should ensure that all procedures that are written are functionally sound.
131
The corporate information security policy should:

A.address corporate network vulnerabilities.
B.address the process for communicating a violation.
C.be straightforward and easy to understand.
D.be customized to specific target audiences.

C is the correct answer.

Justification

Information security policies are high-level documents and will not address network vulnerabilities or functional issues directly. Information security policies are high-level documents and do not address the process for communicating a violation. As high-level statements, information security policies should be straightforward and easy to understand. As policies, information security policies should provide a uniform message to all groups and user roles.
132
What is the BEST way to ensure that information security policies are followed?

A.Distribute printed copies to all employees.
B.Perform periodic reviews for compliance.
C.Include escalating penalties for noncompliance.
D.Establish an anonymous hotline to report policy abuses.

B is the correct answer.

Justification

Distributing printed copies will not motivate individuals as much as the consequences of being found in noncompliance. The best way to ensure that information security policies are followed is to periodically review levels of compliance. Escalating penalties will first require a compliance review. Establishing an abuse hotline will not motivate individuals as much as the consequences of being found in noncompliance.
133
Which of the following is MOST likely to be discretionary?

A.Policies
B.Procedures
C.Guidelines
D.Standards

C is the correct answer.

Justification

Policies define management’s security goals and expectations for an enterprise. These are defined in more specific terms within standards and procedures and cannot be discretionary. Procedures describe how work is to be done and, as they are a defined set of actions, they cannot be discretionary. Guidelines provide recommendations that business management must consider in developing practices within their areas of control; therefore, they are most likely to be discretionary. Standards establish the allowable operational boundaries for people, processes and technology and cannot be discretionary.
134
What is the MOST appropriate change management procedure for the handling of emergency program changes?

A.Formal documentation does not need to be completed.
B.Business management approval must be obtained prior to the change.
C.Documentation is completed with approval soon after the change.
D.Emergency changes eliminate certain documentation requirements.

C is the correct answer.

Justification

Formal documentation is still required as soon as possible after the emergency changes have been implemented. Obtaining business approval prior to the change is ideal but not always possible. Even in the case of an emergency change, all change management procedure steps should be completed as in the case of normal changes. The difference lies in the timing of certain events. With an emergency change, it is permissible to obtain certain approvals and other documentation after the emergency has been satisfactorily resolved. Emergency changes require the same process as regular changes, but the process may be delayed until the emergency has been resolved.
135
In a financial institution, under which of the following circumstances will policies MOST likely need modification?

A.Current access controls have been insufficient to prevent a series of serious network breaches.
B.The information security manager has determined that compliance with configuration standards is inadequate.
C.The results of an audit have identified a going concern issue with the enterprise.
D.Management has mandated compliance with a newly enacted set of information security requirements.

D is the correct answer.

Justification

Necessary modifications to access controls are most likely going to be reflected in standards, not policy. Compliance with existing standards is not likely to require a policy change; better enforcement may be needed. If the viability of the enterprise is in doubt (going concern), it is not likely that a change in policy will solve the problem. A new set of regulations requiring significant changes to the information security program most likely will be reflected in modifications of policy.
136
The MOST important consideration when determining how a control policy is implemented is:

A.the risk of compromise.
B.the safety of personnel.
C.the mean time between failures.
D.the nature of a threat.

B is the correct answer.

Justification

The risk of compromise is a major consideration in the level of protection required, but not at the expense of safety. Only in very rare circumstances does risk of compromise outweigh life safety, and even then it is the risk to a larger population that justifies a fail secure configuration. Safety of personnel is always the first consideration. For example, even if a data center has highly confidential data, failure of physical access controls should not fail closed and prevent emergency exit. The mean time between failures is a consideration for technical or mechanical controls and must be considered from a safety perspective. The nature of a threat is a consideration for the type and strength of controls.
137
An information security manager reviewed the access control lists and observed that privileged access was granted to an entire department. Which of the following should the information security manager do FIRST?

A.Review the procedures for granting access.
B.Establish procedures for granting emergency access.
C.Meet with data owners to understand business needs.
D.Redefine and implement proper access rights.

C is the correct answer.

Justification

Reviewing the procedures for granting access could be correct depending on the priorities set by the business unit, but this would follow understanding the business needs. Procedures for granting emergency access require first understanding business needs. An information security manager must understand the business needs that motivated the change prior to taking any unilateral action. Redefining and implementing proper access rights would follow understanding the business needs.
138
Which of the following is the MOST important step before implementing a security policy?

A.Communicating to employees
B.Training IT staff
C.Identifying relevant technologies for automation
D.Obtaining sign-off from stakeholders

D is the correct answer.

Justification

Only after sign-off is obtained can communicating to employees begin. Only after sign-off is obtained can training IT staff begin. Only after sign-off is obtained can identifying relevant technologies for automation begin. Sign-off must be obtained from all stakeholders because that would signify formal acceptance of all the policy objectives and expectations of the business along with all residual risk.
139
Q

Which of the following would be the MOST relevant factor when defining the information classification policy?

A.Quantity of information
B.Available IT infrastructure
C.Benchmarking
D.Requirements of data owners

A

D is the correct answer.

Justification

The quantity of information is not a factor in defining the information classification policy.

The availability of IT infrastructure would not be a significant factor in determining the policy.

Benchmarking would not be a factor in defining the classification policy.

When defining the information classification policy, the requirements of the data owners need to be identified.
140
Q

The MOST important aspect in establishing good information security policies is to ensure that they:

A.have the consensus of all concerned groups.
B.are easy to access by all employees.
C.capture the intent of management.
D.have been approved by the internal audit department.

A

C is the correct answer.

Justification

Having the consensus of all concerned groups is desirable but is not the most important aspect of good policies, which express the intent and direction of senior management.

Easy availability of policies is important but not an indicator of good information security content and guidance.

Policies should reflect the intent and direction of senior management, and this is the most important aspect of establishing good information security policies.

The internal audit department tests compliance with policy, but it does not write the policies.
141
Q

Which of the following is MOST important in the development of information security policies?

A.Adopting an established framework
B.Using modular design for easier maintenance
C.Using prevailing industry standards
D.Gathering stakeholder requirements

A

D is the correct answer.

Justification

A framework will not be effective without including the management intent and direction provided by policies.

While using a modular design should be a key consideration, it is not as important as considering stakeholder input. Stakeholder input not only promotes policy completeness, it also facilitates stakeholder buy-in.

Prevailing industry standards are important but may not be appropriate or suitable to address unique or specific issues in an enterprise.

The primary stakeholders in policies are management, and policies are the primary governance tool employed in an enterprise; therefore, the policies must reflect management intent and direction.
142
Q

In a mature enterprise, it would be expected that the security baseline could be approximated by which of the following?

A.Organizational policies are in place.
B.Enterprise architecture is documented.
C.Control objectives are being met.
D.Compliance requirements are addressed.

A

C is the correct answer.

Justification

Policies, as a statement of management intent and direction, will only indicate the security baseline in a general sense.

Enterprise architecture may or may not provide an indication of some of the controls implemented.

The control objectives, when achieved, set the security baselines.

Compliance requirements will indicate some of the required controls, which is indicative of what the baseline should be, but only in the areas related to specific regulations.
143
Q

It is essential to determine the forces that drive the business need for the information security program. Determining drivers is critical to:

A.establish the basis for the development of metrics.
B.establish the basis for security controls.
C.report risk results to senior management.
D.develop security awareness training modules.

A

A is the correct answer.

Justification

Determining the drivers of a program establishes objectives and is essential to developing relevant metrics for the enterprise.

Determining drivers may establish objectives of a program, but the controls are determined by risk and impact.

Risk reporting goes beyond specific drivers and will encompass all organizational risk.

Drivers may indirectly provide subject matter for training, but security awareness goes beyond the drivers alone.
144
Q

What is a critical component of a continuous improvement program for information security?

A.Program metrics
B.Developing a service level agreement for security
C.Tying corporate security standards to a recognized international standard
D.Ensuring regulatory compliance

A

A is the correct answer.

Justification

If an enterprise is unable to take measurements over time that provide data regarding key aspects of its security program, then continuous improvement is not likely.

Although desirable, developing a service level agreement for security is not a critical component for a continuous improvement program.

Tying corporate security standards to a recognized international standard is not a critical component for a continuous improvement program.

Ensuring regulatory compliance is a separate issue and is not a critical component for a continuous improvement program.
145
Q

What is the PRIMARY reason for using metrics to evaluate information security?

A.To identify security weaknesses
B.To justify budgetary expenditures
C.To enable steady improvement
D.To raise awareness of security issues

A

C is the correct answer.

Justification

Metrics may not identify vulnerabilities.

Metrics can be used to justify budgetary expenditures, but that is not their primary purpose.

A primary purpose for metrics is to facilitate and track continuous improvement in security posture.

Metrics may serve to raise awareness of security issues, but that would be for the purpose of improving security.
146
Q

Which of the following would be the BEST indicator that an enterprise has good governance?

A.Risk assessments
B.Maturity level
C.Audit reports
D.Loss history

A

B is the correct answer.

Justification

While it is likely that good results on risk assessments will align with good governance, they are only indirectly correlated with good governance, and many other factors are involved such as industry sector, exposure, etc.

A high score on the capability maturity model (CMM) scale is a good indicator of good governance.

Audit reports generally deal with specifics of compliance and specific risk rather than overall governance.

Loss history will be affected by many factors other than governance.
147
Q

Which of the following choices is the BEST indication that the information security manager is achieving the objective of value delivery?

A.Having a high resource utilization
B.Reducing the budget requirements
C.Utilizing the lowest cost vendors
D.Minimizing the loaded staff cost

A

A is the correct answer.

Justification

Value delivery means that good rates of return and a high utilization of resources are achieved.

The budget level is not an indication of value delivery.

The lowest cost vendors may not present the best value.

Staff-associated overhead costs by themselves are not an indicator of value delivery.
148
Q

Achieving compliance with a particular process in an information security standard selected by management would BEST be demonstrated by:

A.key goal indicators.
B.critical success factors.
C.key performance indicators.
D.business impact analysis.

A

C is the correct answer.

Justification

A key goal indicator defines a clear objective sought by an enterprise. A key goal indicator is defined as a measure that tells management, after the fact, whether an IT process has achieved its business requirements, usually expressed in terms of information criteria.

Critical success factors are steps that must be achieved to accomplish high-level goals. A critical success factor is defined as the most important issue or action for management to achieve control over its IT processes.

A key performance indicator (KPI) indicates how well a process is progressing according to expectations. Another definition for a key performance indicator is a measure that determines how well the process is performing in enabling the goal to be reached.

A business impact analysis defines risk impact; its main purpose is not to achieve compliance. It is defined as an exercise that determines the impact of losing the support of any resource to an enterprise. It establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system.
149
Q

To BEST improve the alignment of the information security objectives in an enterprise, the chief information security officer should:

A.revise the information security program.
B.evaluate a business balanced scorecard.
C.conduct regular user awareness sessions.
D.perform penetration tests.

A

B is the correct answer.

Justification

Revising the information security program may be a solution, but it is not the best solution to improve alignment of the information security objectives.

The business balanced scorecard (BSC) can track how effectively an enterprise executes its information security strategy and determine areas of improvement.

User awareness is just one of the areas the enterprise must track through the business BSC.

Performing penetration tests does not affect alignment with information security objectives.
150
Q

Which of the following will be MOST important in calculating accurate return on investment in information security?

A.Excluding qualitative risk for accuracy in calculated figures
B.Establishing processes to ensure cost reductions
C.Measuring monetary values consistently
D.Treating security investment as a profit center

A

C is the correct answer.

Justification

If something is an important risk factor, an attempt should be made to quantify it even though it may not be highly accurate. In assessing security risk, it is not a good idea to simply exclude qualitative risk because of the difficulties in measurement.

Establishing processes to ensure cost reductions is not relevant to calculating return on investment (ROI).

There must be consistency in metrics in order to have reasonably accurate and consistent results.

Whether security investment is treated as a profit center does not affect ROI calculations.
151
Q

Which of the following information security metrics is the MOST difficult to quantify?

A.Percentage of controls mapped to industry frameworks
B.Extent of employee security awareness
C.Proportion of control costs to asset value
D.Cost of security incidents prevented

A

D is the correct answer.

Justification

Determining the percentage of controls mapped to industry frameworks is relatively easy to do by reviewing the controls portfolio and checking controls documentation.

While security awareness can be challenging to measure, focusing on behavior change is an option. For example, conducting phishing simulations can help measure how well employees identify and report those types of attacks.

A business impact analysis combined with a financial analysis can facilitate a comparison of asset values to the costs of those assets.

Measuring something that does not occur is inherently difficult, if not impossible. So many variables are theoretical that arriving at a reliable estimate is a guessing game.
152
Q

Which of the following indicators is MOST likely to be of strategic value?

A.Number of users with privileged access
B.Trends in incident frequency
C.Annual network downtime
D.Vulnerability scan results

A

B is the correct answer.

Justification

The number of users with privileged access, if excessive, can pose unnecessary risk but is more of an operational metric.

Trends in incident frequency will show whether the information security program is improving and heading in the right direction.

Network downtime is a relevant operational metric in terms of service level agreements but, without trends over time, it is not a useful strategic metric.

Vulnerability scans are an operational metric.
153
Q

Decisions regarding information security are BEST supported by:

A.statistical analysis.
B.expert advice.
C.benchmarking.
D.effective metrics.

A

D is the correct answer.

Justification

A statistical analysis of metrics can be helpful but only if the underlying metrics are sound.

Expert advice may be useful, but effective metrics are a better indication.

Other enterprises would typically only provide some guidance, but decisions should be based on effective metrics.

Effective metrics are essential to provide information needed to make decisions. Metrics are a quantifiable entity that allows the measurement of the achievement of a process goal.
154
Q

Who would be the PRIMARY user of metrics regarding the number of email messages quarantined due to virus infection versus the number of infected email messages that were not caught?

A.The security steering committee
B.The board of directors
C.IT managers
D.The information security manager

A

D is the correct answer.

Justification

Metrics support decisions. Knowing the number of email messages blocked due to viruses would not on its own be an actionable piece of information for the steering committee.

The board of directors would have no use for the information.

IT managers would be interested, but it would not be in their purview to address the issue.

Information regarding the effectiveness of the current email antivirus control is most useful to the information security manager and staff because they can use the information to initiate an investigation to determine why the control is not performing as expected and to determine whether there are other factors contributing to the failure of the control. When these determinations are made, the information security manager can use these metrics, along with data collected during the investigation, to support decisions to alter processes or add to (or change) the controls in place.
155
Q

Which of the following is the MOST critical success factor of an information security program?

A.Developing information security policies and procedures
B.Senior management commitment
C.Conducting security training and awareness for all users
D.Establishing an information security management system

A

B is the correct answer.

Justification

Developing policies and procedures is important, but without senior management commitment, implementation will be difficult.

Without senior management commitment, it would be difficult to implement a successful information security program.

Conducting training and awareness exercises is not the most critical success factor.

Establishing an information security management system is essential, but without management support and commitment, it is unlikely to be successful.
156
Q

Which of the following is one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?

A.Number of controls implemented
B.Percent of control objectives accomplished
C.Percent of compliance with the security policy
D.Reduction in the number of reported security incidents

A

B is the correct answer.

Justification

Number of controls implemented does not have a direct relationship with the results of a security program.

Control objectives are directly related to business objectives; therefore, they would be the best metrics.

Percent in compliance with the security policy is a useful metric but says nothing about achieving control objectives.

A reduction in the number of security incidents has no direct bearing on whether control objectives are being achieved.
157
Q

Senior management has expressed some concern about the effectiveness of the information security program. What can the information security manager do to gain the support of senior management for the program?

A.Rebuild the program based on a recognized, auditable standard.
B.Calculate the cost-benefit analysis of the existing controls that are in place.
C.Interview senior managers to address their concerns with the program.
D.Present a report from the steering committee supporting the program.

A

C is the correct answer.

Justification

The key to gaining support from senior management is understanding its concerns and making sure that those concerns are addressed. Replacing the entire program as a response to general concerns would not be appropriate without more information.

A cost-benefit analysis of controls demonstrates that the controls that have been put in place were preferable to alternative methods of risk treatment, but this evidence does not address the question of overall program effectiveness.

It is not uncommon for senior managers to have concerns. An effective information security manager will discuss these concerns and make changes as needed to address them.

The steering committee generally reports to senior management, so if senior managers express concern regarding the effectiveness of the program, the concern may be directed in part at the steering committee.
158
Q

Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee?

A.Security compliant servers trend report
B.Percentage of security compliant servers
C.Number of security patches applied
D.Security patches applied trend report

A

A is the correct answer.

Justification

The overall trend of security compliant servers provides a metric of the effectiveness of the IT security program.

The percentage of compliant servers will be a relevant indicator of the risk exposure of the infrastructure. However, the percentage is less relevant than the overall trend.

The number of patches applied would be less relevant, as this would depend on the number of vulnerabilities identified and patches provided by vendors.

The security patches applied trend report is a metric indicating the degree of improvement in patching but provides a less complete picture of the effectiveness of the security program.
159
Q

What should metrics be based on when measuring and monitoring information security programs?

A.Residual risk
B.Levels of security
C.Security objectives
D.Statistics of security incidents

A

C is the correct answer.

Justification

Metrics are used to measure not only the results of the security controls (residual risk) but also the attributes of the control implementation.

Levels of security are only relevant in relation to the security objectives.

Metrics should be developed based on security objectives, so they can measure the effectiveness and efficiency of information security controls in relation to the defined objectives.

Statistics of security incidents provide a general basis for determining if overall outcomes are meeting expectations, but they do not provide a basis for the achievement of individual objectives.
160
Q

Which of the following attributes would be MOST essential to developing effective metrics?

A.Easily implemented
B.Meaningful to the recipient
C.Quantifiably represented
D.Meets regulatory requirements

A

B is the correct answer.

Justification

Ease of implementation is valuable when developing metrics, but not essential.

Metrics are most effective when they are meaningful to the person receiving the information. Metrics will only be effective if the recipient can take appropriate action based upon the results, in other words—the metrics have to be meaningful to the recipient and provide business value.

Quantifiable representations can be useful, but qualitative measures are often just as useful.

Meeting legal and regulatory requirements may be important, but this is not always essential when developing metrics for meeting business goals.
161
Q

Which of the following choices would provide the BEST measure of the effectiveness of the security strategy?

A.Minimizing risk across the enterprise
B.Countermeasures existing for all known threats
C.Losses consistent with annual loss expectations
D.The extent to which control objectives are met

A

D is the correct answer.

Justification

Minimizing risk is not the objective. The objective is achieving control objectives and thereby achieving acceptable risk levels. Risk reduction beyond the acceptable level is likely to not be cost-effective and to be a waste of resources.

There are some threats for which no countermeasures exist (e.g., comet strikes).

The extent of losses is not a reliable indication of the effectiveness of the strategy. Losses may or may not exceed expectations for a variety of reasons and relate to impacts rather than to risk levels.

Control objectives are developed to achieve acceptable levels of risk. To the extent those levels are achieved, control objectives are a good measure of the effectiveness of the strategy.
162
Q

An enterprise is implementing an information security program. During which phase of the implementation should metrics be established to assess the effectiveness of the program over time?

A.Testing
B.Initiation
C.Design
D.Development

A

C is the correct answer.

Justification

The testing phase is too late because the system has already been developed and is in production testing.

In the initiation phase, the basic security objective of the project is acknowledged.

In the design phase, security checkpoints are defined and a test plan is developed.

Development is the coding phase and is too late to consider test plans.
163
Q

Which of the following criteria is the MOST essential for operational metrics?

A.Timeliness of the reporting
B.Relevance to the recipient
C.Accuracy of the measurement
D.The cost of obtaining the metrics

A

B is the correct answer.

Justification

Timeliness of reporting is important, but secondary to relevance.

Unless the metric is relevant to the recipient and the recipient understands what the metric means and what action to take, if any, all other criteria are of little importance.

A high degree of accuracy is not essential as long as the metric is reliable and indications are within an acceptable range.

Cost is always a consideration, but secondary to the others.
164
Q

Why is it important to develop an information security baseline? The security baseline helps define:

A.critical information resources needing protection.
B.a security policy for the entire enterprise.
C.the minimum acceptable security to be implemented.
D.required physical and logical access controls.

A

C is the correct answer.

Justification

Before determining the security baseline, an information security manager must identify criticality levels of the enterprise’s information resources.

The security policy helps define the security baseline.

Developing an information security baseline helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality/classification levels.

The security baseline defines the control objectives but not the specific controls required.
165
Q

What is the MOST significant attribute of a good information security metric?

A.It is meaningful to the recipient.
B.It is reliable and accurate.
C.It impacts productivity.
D.It is scalable and cost-effective.

A

A is the correct answer.

Justification

Information provided by metrics that are not meaningful to the recipient is of little value.

Reliability and accuracy are important criteria for selecting information security metrics, but it must first be determined that the information provided helps recipients accomplish their tasks.

The impact on productivity must be balanced against the usefulness of the metric; however, it is a valid consideration.

Cost-effectiveness must be balanced against the usefulness of the metric; however, it is a valid consideration. Scalability of metrics—in most situations—is more of a nice-to-have criterion than a selection criterion.
166
Q

Which of the following is the MOST important reason that information security objectives should be defined?

A.Tool for measuring effectiveness
B.General understanding of goals
C.Consistency with applicable standards
D.Management sign-off and support initiatives

A

A is the correct answer.

Justification

The creation of objectives can be used in part as a source of measurement of the effectiveness of information security management by the extent those objectives have been achieved, which feeds into the overall state of governance.

General understanding of goals is useful but is not the primary reason for having clearly defined objectives.

The standards should be consistent with the objectives, not the other way around.

Gaining management sign-off and support is important but by itself will not provide the structure for security governance.
167
Q

Controls that fail closed (secure) will present a risk to:

A.confidentiality.
B.integrity.
C.authenticity.
D.availability.

A

D is the correct answer.

Justification

The blocked access will not generally impact confidentiality.

The blocked access will not generally impact integrity.

The blocked access will not generally impact authenticity.

A control (such as a firewall) that fails in a closed condition will typically prevent access to resources behind it, thus impacting availability.
168
Q

Objectives for preventive controls should be developed PRIMARILY based on:

A.risk levels aligned with the enterprise risk appetite.
B.technical requirements directed by industry standards.
C.threat levels as established by monitoring tools.
D.uptime targets specified in service level agreements.

A

A is the correct answer.

Justification

Controls are designed and implemented to produce levels of risk aligned with the enterprise risk appetite.

Industry standards offer managers and engineers direction on how desired objectives might be achieved, but enterprises adopt them only when doing so aligns with business objectives and the enterprise risk appetite.

Monitored threat levels do not provide a comprehensive basis for the design and implementation of preventive controls.

The need to meet uptime targets specified in service level agreements is only one of many considerations taken into account when developing preventive controls.
169
Q

A permissive controls policy would be reflected in which one of the following implementations?

A.Access is allowed unless explicitly denied.
B.IT systems are configured to fail closed.
C.Individuals can delegate privileges.
D.Control variations are permitted within defined limits.

A

A is the correct answer.

Justification

A permissive controls policy allows activities that are not explicitly denied.

Configuration to fail closed is a restrictive controls policy.

Delegation of privileges refers to discretionary access control.

Standards permit control variations within defined limits.
170
Q

Abnormal server communication from inside the enterprise to external parties may be monitored to:

A.record the trace of advanced persistent threats.
B.evaluate the process resiliency of server operations.
C.verify the effectiveness of an intrusion detection system.
D.support a nonrepudiation framework in e-commerce.

A

A is the correct answer.

Justification

The most important feature of targeted attacks as seen in advanced persistent threats is that malware secretly sends information back to a command and control server. Therefore, monitoring of outbound server communications that do not follow predefined routes will be the best control to detect such security events.

Server communications are usually not monitored to evaluate the resiliency of server operations.

The effectiveness of an intrusion detection system may not be verified by monitoring outbound server communications.

Nonrepudiation may be supported by technology, such as a digital signature. Server communication itself does not support the effectiveness of an e-commerce framework.
171
Q

What is the MOST important reason that an information security manager must have an understanding of information technology?

A.To ensure the proper configuration of the devices that store and process information
B.To understand the risk of technology and its contribution to security objectives
C.To assist and advise on the acquisition and deployment of information technology
D.To improve communication between information security and business functions

A

B is the correct answer.

Justification

The configuration of the devices is not the primary responsibility of the information security manager. The security manager will work through technical staff to ensure that configurations are appropriate.

Knowledge of information technology helps the information security manager understand how changes in the technical environment affect the security posture and its contribution to control objectives.

Advising on acquisition and deployment regarding security issues is a secondary function of the information security manager.

Information security decisions can be made most effectively when they are understood by people in business functions, but this is secondary to understanding the relationship between technology and information security.
172
Q

Which of the following is the BEST method to provide a new user with their initial password for email system access?

A.Provide a system-generated complex password by interoffice mail with 30 days expiration.
B.Provide a temporary password over the telephone set for immediate expiration.
C.Require no password but force the user to set their own in 10 days.
D.Set initial password equal to the user ID with expiration in 30 days.

A

B is the correct answer.

Justification

Documenting the password on paper is not the best method even if sent through interoffice mail—if the password is complex and difficult to memorize, the user will likely keep the printed password, and this creates a security concern.

A temporary password that will need to be changed upon first logon is the best method because it is reset immediately and is replaced with the user’s choice of password, which will make it easier for the user to remember. If it is given to the wrong person, the legitimate user will likely notify security if still unable to access the system; therefore, the security risk is low.

Setting an account with no initial password is a security concern even if it is just for a few days.

This provides the greatest security threat because user IDs are typically known by both users and security staff, thus compromising access for up to 30 days.
173
Q

What is the BEST risk response for risk scenarios where the likelihood of a disruptive event for an asset is very low, but the potential financial impact is very high?

A.Accept the high cost of protection.
B.Implement detective controls.
C.Ensure that asset exposure is low.
D.Transfer the risk to a third party.

A

D is the correct answer.

Justification

It will not be appropriate to invest in high cost of protection for a low likelihood of an event. The enterprise can opt for another way to address the issue.

A detective control alone does nothing to limit the impact.

The fact that the likelihood is low suggests that exposure is already minimal. Additional reductions to exposure would do nothing to limit impact.

High-impact, low-likelihood situations are typically most cost-effectively covered by transferring the risk to a third party (e.g., insurance).
174
Q

A company has installed biometric fingerprint scanners at all entrances in response to a management requirement for better access control. Due to the large number of employees coupled with a slow system response, it takes a substantial amount of time for all workers to gain access to the building and workers are increasingly piggybacking. What is the BEST course of action for the information security manager to address this issue?

A.Replace the system for better response time.
B.Escalate the issue to management.
C.Revert to manual entry control procedures.
D.Increase compliance enforcement.

A

B is the correct answer.

Justification

Upgrading the system is likely to be a costly option and is a management issue.

It is a business decision how management wants to deal with the problem, not directly a security issue. Conflicts of this nature are best addressed by management.

Given that management has set the requirement, it is unlikely that going back to a manual entry control system will be acceptable.

Increasing compliance efforts does not address the underlying issue. Regardless, such a choice should be made by management.
175
Which of the following authentication methods prevents authentication replay? A.Password hash implementation B.Challenge/response mechanism C.Wired equivalent privacy encryption usage D.Hypertext Transfer Protocol basic authentication
B is the correct answer. Justification Using password hashes by itself will not prevent a replay; a captured hash can simply be resent as-is. A challenge/response mechanism prevents replay attacks by sending a different random challenge in each authentication event. The response is bound to that challenge, so capturing one authentication handshake and replaying it through the network later will not work. A wired equivalent privacy key will not prevent sniffing; it only delays an attacker who does not already have the (weak) WEP key, so it cannot prevent recording and replaying an authentication handshake. Hypertext Transfer Protocol basic authentication sends the credentials in cleartext (Base64-encoded) and has no mechanism to prevent replay.
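The contrast between options A and B, as an added example that is not part of the flashcard source: a generic HMAC-based challenge/response (assumed message format, 128-bit nonce, constructed shared secret) next to a naive "send hash(password)" scheme. A recorded exchange replays successfully against the latter and fails against the former because the verifier issues a fresh nonce every time.

```python
"""Challenge/response vs. replay of a captured authentication exchange.

Added example; not from the flashcard source. The protocol shape, nonce
size and the shared secret below are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

SHARED_SECRET = b"correct horse battery staple"  # constructed demo secret


class Verifier:
    """Server side: issues a fresh random challenge for every attempt."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: Dict[str, bytes] = {}  # session id -> outstanding nonce

    def challenge(self, session_id: str) -> bytes:
        nonce = secrets.token_bytes(16)  # 128 random bits, never reused
        self._pending[session_id] = nonce
        return nonce

    def verify(self, session_id: str, response: bytes) -> bool:
        # Single-use nonce: popping it also blocks a second submission of
        # the same response within the same session.
        nonce = self._pending.pop(session_id, None)
        if nonce is None:
            return False
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Prover:
    """Client side: proves knowledge of the secret without transmitting it."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def challenge_response_session(verifier: Verifier, prover: Prover, sid: str) -> Tuple[bool, bytes]:
    """Legitimate exchange. Returns (accepted, the response an eavesdropper would record)."""
    nonce = verifier.challenge(sid)
    response = prover.respond(nonce)
    return verifier.verify(sid, response), response


def replay_against_challenge_response(verifier: Verifier, captured: bytes, sid: str) -> bool:
    """Attacker opens a new session and replays the recorded response."""
    verifier.challenge(sid)  # server picks a different nonce, attacker cannot answer it
    return verifier.verify(sid, captured)


def static_hash_token(secret: bytes) -> bytes:
    """Option A in the card: the client always sends hash(password)."""
    return hashlib.sha256(secret).digest()


def replay_against_static_hash(stored: bytes, captured: bytes) -> bool:
    """Server compares its stored hash with whatever arrives; a replayed capture passes."""
    return hmac.compare_digest(stored, captured)


def demo() -> Dict[str, bool]:
    verifier, prover = Verifier(SHARED_SECRET), Prover(SHARED_SECRET)
    legit_ok, captured = challenge_response_session(verifier, prover, "sess-1")
    cr_replay = replay_against_challenge_response(verifier, captured, "sess-2")
    token = static_hash_token(SHARED_SECRET)  # identical on the wire every login
    hash_replay = replay_against_static_hash(token, token)
    return {"legit": legit_ok, "challenge_response_replay": cr_replay, "static_hash_replay": hash_replay}


if __name__ == "__main__":
    print(demo())  # {'legit': True, 'challenge_response_replay': False, 'static_hash_replay': True}
```

The same property is what makes HTTP basic authentication (option D) replayable: the header carries the same Base64 credential on every request, so there is nothing session-specific for the server to check.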
176
Which of the following BEST mitigates a situation in which an application programmer requires access to production data? A.Create a separate account for the programmer as a power user. B.Log all the programmers’ activity for review by supervisor. C.Have the programmer sign a letter accepting full responsibility. D.Perform regular audits of the application.
B is the correct answer. Justification Creating a separate account for the programmer as a power user does not solve the problem. It is not always possible to provide adequate segregation of duties between programming and operations in order to meet certain business requirements. A mitigating control is to record all the programmers’ actions for later review by their supervisor, which would detect any inappropriate action on the part of the programmer. Having the programmer sign a letter accepting full responsibility is not an effective control. Performing regular audits of the application is not relevant to determine if programmer activities are appropriate.
177
Which of the following is the BEST approach to mitigate online brute force attacks on user accounts? A.Passwords stored in encrypted form B.User awareness C.Strong passwords that are changed periodically D.Implementation of lockout policies
D is the correct answer. Justification How passwords are stored is irrelevant to an online brute force attack, which submits guesses to the live authentication interface; storage protection matters for offline cracking of a stolen credential database. User awareness would help to inform users to use strong passwords but would not mitigate an online brute force attack. In cases where implementation of account lockout policies is not possible, strong passwords that are changed periodically would be an appropriate choice. Implementation of account lockout policies significantly inhibits brute force attacks.
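A lockout policy in code, as an added example that is not part of the flashcard source. The thresholds (5 failures, 15-minute lockout, doubling delay after each consecutive failure) are assumptions chosen for illustration, and the simulation uses a fake clock so it runs instantly and offline. The caveat a practitioner should keep in mind is that a pure lockout lets an attacker deny service to a targeted account; the progressive delay and a finite, automatic unlock period are the usual compromise.

```python
"""Online brute-force mitigation: per-account lockout with progressive delay.

Added example; not from the flashcard source. Thresholds and the attack
rate are constructed for illustration.
"""
import time
from typing import Callable, Dict, Tuple


class LoginThrottle:
    def __init__(self, max_failures: int = 5, lockout_seconds: float = 900.0,
                 base_delay: float = 1.0, clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self._clock = clock
        self._failures: Dict[str, Tuple[int, float]] = {}  # user -> (count, last failure time)
        self._locked_until: Dict[str, float] = {}

    def check(self, user: str) -> Tuple[bool, float]:
        """Call before verifying a password. Returns (allowed, seconds to wait)."""
        now = self._clock()
        until = self._locked_until.get(user, 0.0)
        if now < until:
            return False, until - now
        count, last = self._failures.get(user, (0, 0.0))
        # Progressive delay: 1, 2, 4, 8 ... seconds after each consecutive failure.
        delay = self.base_delay * 2 ** (count - 1) if count else 0.0
        if now - last < delay:
            return False, delay - (now - last)
        return True, 0.0

    def record_failure(self, user: str) -> None:
        now = self._clock()
        count = self._failures.get(user, (0, 0.0))[0] + 1
        if count >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = (0, now)  # counter restarts once the lock expires
        else:
            self._failures[user] = (count, now)

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


class FakeClock:
    """Deterministic clock for the simulation below."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def guesses_processed_in_one_hour(throttled: bool = True) -> int:
    """Constructed scenario: one wrong password per second for 3600 s against 'alice'."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    processed = 0
    for second in range(3600):
        clock.now = float(second)
        if throttled:
            allowed, _ = throttle.check("alice")
            if not allowed:
                continue
        processed += 1  # the password check actually ran
        if throttled:
            throttle.record_failure("alice")  # every guess is wrong in this scenario
    return processed


if __name__ == "__main__":
    print(guesses_processed_in_one_hour(False), guesses_processed_in_one_hour(True))  # 3600 20
```

With the assumed settings the attacker gets 5 verified guesses per 915-second cycle, so 20 guesses in the hour instead of 3600; the lock is per account, so the same attacker rotating through many usernames still needs a per-source limit on top.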
178
What is the MAIN advantage of implementing automated password synchronization? A.It reduces the overall administrative workload. B.It increases security between multi-tier systems. C.It allows passwords to be changed less frequently. D.It reduces the need for two-factor authentication.
A is the correct answer. Justification Automated password synchronization reduces the overall administrative workload of resetting passwords. Automated password synchronization does not increase security between multi-tier systems. Automated password synchronization does not allow passwords to be changed less frequently. Automated password synchronization does not reduce the need for two-factor authentication.
179
Assuming all options are technically feasible, which of the following would be the MOST effective approach for the information security manager to address excessive exposure of a critical customer-facing server? A.Develop an incident response plan B.Reduce the attack vectors C.Initiate compartmentalization D.Implement compensating controls
B is the correct answer. Justification Even the most effective incident response plan is unlikely to reduce exposure as effectively as reducing the attack surface. The attack vectors determine the extent of exposure. Reducing the attack vectors by limiting entry points, ports and protocols and taking other precautions reduces the exposure. Compartmentalization may limit the degree to which impact sustained by one customer results in increased vulnerability or impact for another customer, but the per-customer exposure would not be affected. Compensating controls are appropriate if existing controls are incapable of reducing risk to acceptable levels.
180
Which of the following attacks is BEST mitigated by using strong passwords? A.Man-in-the-middle attack B.Brute force attack C.Remote buffer overflow D.Root kit
B is the correct answer. Justification Man-in-the-middle attacks intercept network traffic and are mitigated by encryption with authenticated endpoints, not by password strength. Strong passwords mitigate brute force attacks by enlarging the space an attacker must search. Remote buffer overflows exploit a flaw in the code and are unaffected by passwords. Rootkits hook into the operating system's kernel and, therefore, operate underneath any authentication mechanism.
181
Segregation of duties (SoD) has been designed and introduced into an accounts payable system. Which of the following should be in place to BEST maintain the effectiveness of SoD? A.A strong password rule is assigned to disbursement staff. B.Security awareness is publicized by the compliance department. C.An operational role matrix is aligned with the organizational chart. D.Access privilege is reviewed when an operator’s role changes.
D is the correct answer. Justification Password strength is important for each staff member, but complexity of passwords does not ensure effectiveness of segregation of duties (SoD). Effective SoD is not based on self-governance, so security awareness is an inadequate control for the same. It is not uncommon for staff to have ancillary roles beyond what is shown on the organizational chart, so aligning a role matrix with the organizational chart is not sufficiently granular to maintain the effectiveness of SoD. In order to maintain the effectiveness of SoD established in an application system, user access privilege must be reviewed whenever an operator’s role changes. If this effort is neglected, there is a risk that a single staff member could acquire excessive operational capabilities. For instance, if a cash disbursement staff member accidentally acquires a trade input role, this person is technically able to accomplish an illegal payment operation.
182
What is the purpose of a corrective control? A.To reduce adverse events B.To identify a compromise C.To mitigate impact D.To ensure compliance
C is the correct answer. Justification Preventive controls, such as firewalls, reduce the occurrence of adverse events. Compromise can be detected by detective controls, such as intrusion detection systems. Corrective controls serve to reduce or mitigate impacts, such as providing recovery capabilities. Compliance can be ensured by preventive controls, such as access controls.
183
Why is public key infrastructure the preferred model when providing encryption keys to a large number of individuals? A.It is computationally more efficient. B.It is more scalable than a symmetric key. C.It is less costly to maintain than a symmetric key approach. D.It provides greater encryption strength than a secret key model.
B is the correct answer. Justification Public key cryptography is computationally intensive because of the long key lengths required. Symmetric (secret) key encryption requires a separate key for each pair of individuals who wish to communicate confidentially, so the number of keys grows quadratically (n(n-1)/2 keys for n users), creating an intractable distribution and storage problem. With a public key infrastructure each user needs only one key pair, so the number of keys grows linearly, making it more practical from a scalability point of view. Public key cryptography typically requires more maintenance and is more costly than a symmetric key approach in small-scale implementations. Secret key encryption requires shorter key lengths to achieve equivalent strength.
184
Which of the following will BEST prevent external security attacks? A.Static Internet Protocol addressing B.Network address translation C.Background checks for temporary employees D.Securing and analyzing system access logs
B is the correct answer. Justification Static Internet Protocol addressing is helpful to an attacker because targets keep the same address. Network address translation hides internal hosts behind non-routable private addresses so that they cannot be addressed directly from the Internet. Background checks of temporary employees are more likely to prevent an attack launched from within the enterprise. Securing and analyzing system access logs is a detective measure; it helps identify an attack after the fact but does not prevent it.
185
An information security manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT help desk with complaints of being unable to perform business functions on Internet sites. This is an example of: A.conflicting security controls with organizational needs. B.strong protection of information resources. C.implementing appropriate controls to reduce risk. D.proving information security’s protective abilities.
A is the correct answer. Justification The needs of the enterprise were not considered, so there is a conflict. This example is not strong protection as it pertains to enabling restrictions and not safeguards. A control that significantly restricts the ability of users to do their job is not appropriate. Proving protection abilities at an unacceptable cost or performance is a poor strategy. This control does not prove the ability to protect but proves the ability to interfere with business.
186
An enterprise has a network of suppliers that it allows to remotely access an important database that contains critical supply chain data. What is the BEST control to ensure that the individual supplier representatives who have access to the system do not improperly access or modify information within this system? A.User access rights B.Biometric access controls C.Password authentication D.Two-factor authentication
A is the correct answer. Justification User access rights limit the access and rights that users have to a network, file system or database once they have been authenticated. Biometric access controls are a method of user access control that manages access to an overall system, not generally to a specific set of files or records. Password authentication controls access but not rights once the system is accessed. Two-factor authentication controls access but not rights once the system is accessed.
187
Which of the following constitutes the MAIN project activities undertaken in developing an information security program? A.Controls design and deployment B.Security organization development C.Logical and conceptual architecture design D.Development of risk management objectives
A is the correct answer. Justification The majority of program development activities will involve designing, testing and deploying controls that achieve the risk management objectives. The security organization should be fairly well developed before attempting to implement a security program. Conceptual and logical architecture designs should have been completed as a part of strategy and road map development. Risk management objectives are part of strategy development.
188
The MOST important factors to consider when prioritizing control development are: A.threat and vulnerability. B.cost and frequency. C.risk appetite and tolerance. D.probability and impact.
D is the correct answer. Justification Threat and vulnerability are factors in determining probability, but without knowing the magnitude of loss (or impact) associated with a particular event, knowing its probability is an inadequate basis for prioritizing control development. Cost is always a consideration, and resource constraints may lead to certain controls being delayed, but prioritization occurs even among controls of comparable cost. These are considerations when developing control objectives but do not factor into the prioritization of controls. The probability that an adverse event will occur and the consequent impact provide an effective quantitative basis for prioritizing the development of controls.
189
The IT department has been tasked with developing a new transaction processing system for online account management. At which stage should the information security department become involved? A.Feasibility B.Requirements C.Design D.User acceptance testing
A is the correct answer. Justification Involve the security department as early as possible. Security considerations will affect feasibility, and security that is added later in the process is rarely as effective as security that is considered from end to end. The requirements, design and user acceptance testing stages are all too late in the process: introducing security requirements at any of them will potentially cause delays or incur other costs that are neither budgeted nor anticipated by stakeholders.
190
Which of the following approaches is the BEST for designing role-based access controls? A.Create a matrix of work functions. B.Apply persistent data labels. C.Enable multifactor authentication. D.Use individual logon scripts.
A is the correct answer. Justification A matrix that documents the functions associated with particular kinds of work, typically referred to as a segregation of duties matrix, shows which roles are required or need various permissions. Persistent data labels apply to mandatory access control environments where permissions are brokered by the classification levels of objects themselves. They do not factor into role-based access controls. Multifactor authentication deals with how users authenticate their identities, which helps to ensure that people are who they claim to be. It does not determine the permissions that they are assigned, particularly in a role-based access control model, where permissions are assigned to roles rather than individual users. Using automated logon scripts is practical in some environments, but assigning permissions to individual accounts is contrary to the intent of role-based access controls.
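A role matrix with a segregation-of-duties check, as an added example that is not part of the flashcard source; it serves both the SoD card (181), where an operator's old role is left in place after a role change, and this card on designing role-based access from a work-function matrix. The roles, permissions and conflict pairs are a constructed accounts-payable model.

```python
"""Role-based access control backed by a segregation-of-duties matrix.

Added example; not from the flashcard source. Roles, permissions and
conflict pairs are constructed for illustration.
"""
from typing import Dict, FrozenSet, Set

Permission = str
Conflict = FrozenSet[Permission]

# Work-function matrix: which permissions each role needs.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_approver": {"invoice.approve"},
    "disbursement": {"payment.release"},
    "auditor": {"ledger.read"},
}

# Permission pairs that no single person may hold together.
SOD_CONFLICTS: Set[Conflict] = {
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"invoice.approve", "payment.release"}),
    frozenset({"vendor.create", "payment.release"}),
}


class AccessModel:
    def __init__(self, role_permissions: Dict[str, Set[Permission]], sod_conflicts: Set[Conflict]) -> None:
        self._roles = role_permissions
        self._conflicts = sod_conflicts
        self._user_roles: Dict[str, Set[str]] = {}

    def assign_role(self, user: str, role: str) -> None:
        if role not in self._roles:
            raise KeyError(f"unknown role {role!r}")
        self._user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self._user_roles.get(user, set()).discard(role)

    def effective_permissions(self, user: str) -> Set[Permission]:
        perms: Set[Permission] = set()
        for role in self._user_roles.get(user, set()):
            perms |= self._roles[role]
        return perms

    def is_permitted(self, user: str, permission: Permission) -> bool:
        # Authorization decision: permissions come only from roles, never from the user directly.
        return permission in self.effective_permissions(user)

    def sod_violations(self, user: str) -> Set[Conflict]:
        held = self.effective_permissions(user)
        return {pair for pair in self._conflicts if pair <= held}

    def change_role(self, user: str, old_role: str, new_role: str) -> Set[Conflict]:
        """Role change done as a review: revoke the old role, grant the new one, re-check SoD."""
        self.revoke_role(user, old_role)
        self.assign_role(user, new_role)
        return self.sod_violations(user)

    def review_all(self) -> Dict[str, Set[Conflict]]:
        """Periodic access review: every user currently holding a conflicting pair."""
        report: Dict[str, Set[Conflict]] = {}
        for user in self._user_roles:
            violations = self.sod_violations(user)
            if violations:
                report[user] = violations
        return report


def role_change_without_review() -> Set[Conflict]:
    """Alice moves from AP clerk to disbursement; nobody revokes the clerk role."""
    m = AccessModel(ROLE_PERMISSIONS, SOD_CONFLICTS)
    m.assign_role("alice", "ap_clerk")
    m.assign_role("alice", "disbursement")
    return m.sod_violations("alice")


def role_change_with_review() -> Set[Conflict]:
    """Same move handled through change_role, which revokes before granting."""
    m = AccessModel(ROLE_PERMISSIONS, SOD_CONFLICTS)
    m.assign_role("alice", "ap_clerk")
    return m.change_role("alice", "ap_clerk", "disbursement")


if __name__ == "__main__":
    print(role_change_without_review())  # {frozenset({'vendor.create', 'payment.release'})}
    print(role_change_with_review())     # set()
```

The additive path is exactly how SoD erodes in practice: the account keeps working, so nobody notices that one person can now create a vendor and release a payment to it. Running `review_all()` on a schedule catches accumulations that a per-change review missed.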
191
A security baseline can BEST be used for: A.securing unstable environments. B.establishing uniform system hardening. C.prioritizing security objectives. D.establishing a corporate security policy.
B is the correct answer. Justification The stability of an environment is not necessarily related to baselines; the application of a security baseline can sometimes even destabilize an environment by conflicting with existing software. A security baseline establishes a uniform security standard to be applied across similar systems. A baseline does not prioritize security objectives. Baselines are established as the result of a policy; they are not part of the policy development.
192
What is the BEST method for detecting and monitoring a hacker’s activities without exposing information assets to unnecessary risk? A.Firewalls B.Bastion hosts C.Decoy files D.Screened subnets
C is the correct answer. Justification Firewalls attempt to keep the hacker out. Bastion hosts attempt to keep the hacker out. Decoy files (honeyfiles, a form of honeytoken; a whole decoy system is a honeypot) are the best choice for diverting a hacker away from critical files and alerting security to the hacker's presence, because legitimate users have no reason to touch them. Screened subnets or demilitarized zones provide a middle ground between the trusted internal network and the untrusted Internet but do not help detect hacker activities.
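Detection logic for a planted decoy, as an added example that is not part of the flashcard source. The decoy path, the fake account name stored inside the decoy file, and the syslog-style lines are all constructed (source addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges). Because the decoy account does not exist and no legitimate process reads the decoy file, every hit is an alert rather than something to triage.

```python
"""Detecting use of planted decoys in log lines.

Added example; not from the flashcard source. Indicators and log lines
are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators planted on the host: a decoy file and the non-existent account
# whose "credentials" the file contains.
DECOY_INDICATORS: Dict[str, str] = {
    "decoy_file": "/backup/db_credentials.txt",
    "decoy_account": "svc_backup_archive",
}

CONSTRUCTED_LOG_LINES: List[str] = [
    "Mar 10 02:14:09 web01 sshd[4123]: Accepted publickey for deploy from 198.51.100.7 port 40210 ssh2",
    'Mar 10 02:15:31 web01 nginx: 203.0.113.45 - - "GET /backup/db_credentials.txt HTTP/1.1" 200 512',
    "Mar 10 02:16:02 web01 sshd[4130]: Failed password for invalid user svc_backup_archive from 203.0.113.45 port 51100 ssh2",
    "Mar 10 02:20:00 web01 sshd[4140]: Accepted publickey for deploy from 198.51.100.7 port 40300 ssh2",
]

_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass(frozen=True)
class Alert:
    indicator: str
    source_ip: str
    line: str


def detect_decoy_hits(lines: List[str], indicators: Dict[str, str] = DECOY_INDICATORS) -> List[Alert]:
    """Any line mentioning a decoy indicator becomes an alert; the first IPv4 address is the source."""
    alerts: List[Alert] = []
    for line in lines:
        for name, value in indicators.items():
            if value in line:
                match = _IP_RE.search(line)
                alerts.append(Alert(name, match.group(1) if match else "unknown", line))
    return alerts


def summarize_by_source(alerts: List[Alert]) -> Dict[str, int]:
    """Hits per source address, which is what an analyst pivots on first."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert.source_ip] = counts.get(alert.source_ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect_decoy_hits(CONSTRUCTED_LOG_LINES)
    for hit in hits:
        print(hit.indicator, hit.source_ip)
    print(summarize_by_source(hits))  # {'203.0.113.45': 2}
```

The second alert is the payoff the card describes: the intruder read the decoy file and then tried the credentials it contained, which identifies both the compromise and the source without exposing a real asset.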
193
Which is the FIRST thing that should be determined by the information security manager when developing an information security program? A.The control objectives B.The strategic aims C.The desired outcomes D.The logical architecture
C is the correct answer. Justification Control objectives cannot be determined until desired outcomes have been determined and subsequent specific objectives defined. Without determining the desired outcomes of the security program, the strategic aims that would lead to the desired outcomes cannot be determined. Without determining the desired outcomes of the security program, it will be difficult or impossible to determine a viable strategy, control objectives and logical architecture. Architecture is the physical manifestation of policy which is developed after and in support of strategy development.
194
In which of the following situations is continuous monitoring the BEST option? A.Where incidents may have a high impact and frequency B.Where legislation requires strong information security controls C.Where incidents may have a high impact but low frequency D.Where e-commerce is a primary business driver
A is the correct answer. Justification Continuous monitoring control initiatives are expensive, so they should be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence. Regulations and legislation that require tight IT security measures focus on requiring enterprises to establish an IT security governance structure that manages IT security with a risk-based approach, so each enterprise decides which kinds of controls are implemented. Continuous monitoring is not necessarily a requirement. Measures such as contingency planning or insurance are commonly used when incidents rarely happen but have a high impact each time they happen. Continuous monitoring is unlikely to be necessary. Continuous control monitoring initiatives are not needed in all e-commerce environments. There are some e-commerce environments where the impact of incidents is not high enough to support the implementation of this kind of initiative.
195
Which of the following is the BEST way to erase confidential information stored on magnetic tapes? A.Performing a low-level format B.Rewriting with zeros C.Burning them D.Degaussing them
D is the correct answer. Justification Performing a low-level format may be adequate but is a slow process, and with the right tools data can still be recovered. Rewriting with zeros is slow on tape and may not reach residual data outside the rewritten region. Burning destroys the tapes and does not allow their reuse. Degaussing the magnetic tapes quickly disposes of all information because the magnetic domains are thoroughly scrambled; the tapes cannot be reused afterwards.
196
Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism? A.Number of attacks detected B.Number of successful attacks C.Ratio of false positives to false negatives D.Ratio of successful to unsuccessful attacks
C is the correct answer. Justification The number of attacks detected does not indicate how many attacks were not detected; therefore, it is no indication of effectiveness. The number of successful attacks cannot be used as a metric to evaluate the effectiveness of an intrusion detection mechanism. The ratio of false positives to false negatives will indicate the effectiveness of the intrusion detection system. Without knowing whether attacks were detected or not, the ratio of successful attacks to unsuccessful attacks indicates nothing about the effectiveness of the IDS.
197
A new business application requires deviation from the standard configuration of the operating system (OS). Which of the following steps should the security manager take FIRST? A.Contact the vendor to modify the application. B.Assess risk and identify compensating controls. C.Approve an exception to the policy to meet business needs. D.Review and update the OS baseline configuration.
B is the correct answer. Justification The security manager would contact the vendor to modify the application only after assessing the risk and identifying compensating controls. Before approving any exception, the security manager should first check for compensating controls and assess the possible risk due to deviation. The security manager may make a case for deviation from the policy, but this would be based on a risk assessment and compensating controls. The deviation itself would be approved in accordance with a defined process. Updating the baseline configuration is not associated with requests for deviations.
198
An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download nonsensitive production data for software testing purposes. Assuming all options are possible, which of the following should the information security manager recommend? A.Restrict account access to read-only. B.Log all usage of this account. C.Suspend the account and activate only when needed. D.Require that a change request be submitted for each download.
A is the correct answer. Justification Administrative accounts have permission to change data. This is not required for the developers to perform their tasks. Unauthorized change will damage the integrity of the data. Restricting the account to read-only access will ensure that file integrity can be maintained while permitting access. Logging all usage of the account is a detective control and will not reduce the exposure created by this excessive level of access. Suspending the account and activating only when needed will not reduce the exposure created by this excessive level of access. Requiring that a change request be submitted for each download would be excessively burdensome and will not reduce the exposure created by this excessive level of access.
199
Which of the following project activities is the MAIN activity in developing an information security program? A.Security organization development B.Conceptual and logical architecture designs C.Development of risk management objectives D.Control design and deployment
D is the correct answer. Justification The security organization is developed to meet the needs of the security program and may evolve over time, based on evolving requirements. Conceptual and logical architecture designs should have been completed as a part of strategy and road map development. Risk management objectives are a part of strategy development. The majority of program development activities will involve designing, testing and deploying controls that achieve the risk management objectives.
200
A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent a successful brute force attack of the account? A.Prevent the system from being accessed remotely. B.Create a strong random password. C.Ask for a vendor patch. D.Track usage of the account by audit trails.
B is the correct answer. Justification Preventing the system from being accessed remotely is not always an option in mission-critical systems and still leaves local access risk. Creating a strong random password reduces the risk of a successful brute force attack by exponentially increasing the time required. Vendor patches are not always available. Tracking usage is a detective control and will not prevent an attack.
201
Outsourcing combined with indemnification: A.reduces legal responsibility but leaves financial risk relatively unchanged. B.is more cost-effective as a means of risk transfer than purchasing insurance. C.eliminates the reputational risk present when operations remain in-house. D.reduces financial risk but leaves legal responsibility generally unchanged.
D is the correct answer. Justification Although indemnification clauses are intended to deflect liability, the legal consequences associated with compromises in information security cannot be fully transferred. The cost-effectiveness of various forms of risk transfer depends on many factors, such as the scope of operations, limits of liability, specialized knowledge that may be required for implementation and criteria for indemnification. Clients deal directly with the enterprise, not its supply chain. Outsourcing generally has no effect on reputational risk, which remains associated with the enterprise’s own brand regardless of outsourcing arrangements or indemnification clauses. Indemnification clauses can transfer operational risk and financial impacts associated with that risk; however, legal responsibility for the consequences of compromise generally remains with the original entity.
202
What is the PRIMARY basis for the selection of controls and countermeasures? A.Eliminating IT risk B.Cost-benefit balance C.Resource management D.The number of assets protected
B is the correct answer. Justification The focus must include procedural, operational and other risk—not just IT risk. The balance between cost and benefits should direct controls selection. Resource management is not directly related to controls. The implementation of controls is based on the impact and risk, not on the number of assets.
203
The director of auditing has recommended a specific information security monitoring solution to the information security manager. What should the information security manager do FIRST? A.Obtain comparative pricing bids and complete the transaction with the vendor offering the best deal. B.Add the purchase to the budget during the next budget preparation cycle to account for costs. C.Perform an assessment to determine correlation with business goals and objectives. D.Form a project team to plan the implementation.
C is the correct answer. Justification Obtaining comparative pricing bids and completing the transaction, adding the purchase to the budget and forming a project team are all premature until it has been determined whether the product fits the goals and objectives of the business. An assessment must be made first to determine that the proposed solution is aligned with business goals and objectives.
204
An enterprise has implemented an enterprise resource planning system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate? A.Rule-based B.Mandatory C.Discretionary D.Role-based
D is the correct answer. Justification Rule-based access control needs to define the individual access rules, which is troublesome and error prone in large enterprises. In mandatory access control, the individual’s access to information resources is based on a clearance level that needs to be defined, which is troublesome in large enterprises. In discretionary access control, users have access to resources based on delegation of rights by someone with the proper authority, which requires a significant amount of administration and overhead. Role-based access control is effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
205
Which of the following is the MOST important consideration when choosing between automated fire suppression systems? A.Probability of fire B.Cost of maintenance C.Damage to resources D.Ownership of the new system
C is the correct answer. Justification Probability is part of the justification for adopting an automated fire suppression system, but which system is most appropriate depends on other factors. The cost of maintenance is an important consideration, but because damage is likely to be much more costly than maintenance, it is a later consideration. Fire suppression systems may themselves be harmful to resources: some gas-based agents (carbon dioxide, for example) are dangerous to occupants at extinguishing concentration, while water-based systems may damage IT equipment, so the selection and implementation must weigh these aspects. Ownership of assets, including the new system to be acquired, is required to determine the protection levels of resources, but it will be based on the enterprise's roles and responsibility definitions. In any case, resource protection takes priority in choosing between solutions.
206
Which of the following is the MOST effective solution for preventing individuals external to the enterprise from modifying sensitive information on a corporate database? A.Screened subnets B.Information classification policies and procedures C.Role-based access control D.Intrusion detection system
A is the correct answer. Justification Screened subnets are demilitarized zones and are oriented toward preventing attacks on an internal network by external users. The policies and procedures to classify information will ultimately result in better protection, but they will not prevent actual modification. Role-based access controls help ensure that users only have access to files and systems appropriate for their job role. Intrusion detection systems are useful to detect invalid attempts, but they will not prevent attempts.
207
The cost of implementing and operating a security control should not exceed the: A.annual loss expectancy. B.cost of an incident. C.asset value. D.acceptable loss level.
C is the correct answer. Justification The annual loss expectancy is the monetary loss for an asset due to specific risk over a single year. A security mechanism may cost more than the cost of a single incident and still be cost-effective. The cost of implementing security controls should not exceed the business value of the asset. The cost of a control may well exceed the acceptable loss level in order to achieve the loss level objective.
208
Which one of the following factors affects the extent to which controls should be layered? A.Impact on productivity B.Common failure modes C.Maintenance cost of controls D.Controls that fail in a closed condition
B is the correct answer. Justification A negative impact on productivity could indicate that controls may be too restrictive, but it is not a consideration for layering. Common failure modes in existing controls must be addressed by adding or modifying controls so they fail under different conditions. This is done to manage the aggregate risk of total control failure. Excessive maintenance costs will probably increase and not be addressed by layering additional controls. Controls that fail closed pose a risk to availability, but layering would not always address this risk.
209
To improve the security of an enterprise’s human resources system, an information security manager was presented with a choice to either implement an additional packet filtering firewall OR a heuristics-based intrusion detection system. How should the security manager with a limited budget choose between the two technologies? A.Risk analysis B.Business impact analysis C.Return on investment analysis D.Cost-benefit analysis
D is the correct answer. Justification Risk analysis identifies the risk and treatment options. A business impact analysis identifies the impact from the loss of systems or enterprise functions. Return on investment analysis compares the magnitude and timing of investment gains directly with the magnitude and timing of investment costs. Cost-benefit analysis measures the cost of a safeguard versus the benefit it provides and includes risk assessment. The cost of a control should not exceed the benefit to be derived from it. The degree of control employed is a matter of good business judgment.
210
Which of the following is a preventive measure? A.A warning banner B.Audit trails C.An access control D.An alarm system
C is the correct answer. Justification A warning banner is a deterrent control, which provides a warning that can deter potential compromise. Audit trails are an example of a detective control. Preventive controls inhibit attempts to violate security policies. An example of such a control is an access control. An alarm system is an example of a detective control.
211
Q

When recommending a control to protect enterprise applications against structured query language injection, the information security manager is MOST likely to suggest:

A.hardening of web servers.
B.consolidating multiple sites into a single portal.
C.coding standards and reviewing code.
D.using Hypertext Transfer Protocol Secure (HTTPS) in place of HTTP.

A

C is the correct answer.

Justification

Hardening of web servers does not reduce this type of vulnerability.
Consolidating multiple sites into a single portal does not reduce this type of vulnerability.
Implementing secure coding standards and peer review as part of the enterprise’s system development life cycle (SDLC) are controls that address structured query language injection.
Using Hypertext Transfer Protocol Secure (HTTPS) instead of HTTP does not reduce this type of vulnerability.
212
Q

Which of the following is BEST used to define minimum requirements for database security settings?

A.Procedures
B.Guidelines
C.Baselines
D.Policies

A

C is the correct answer.

Justification

Procedures determine the steps, not the configuration requirements.
Guidelines are not enforceable.
Baselines set the minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity and availability protection.
Policies determine direction but not detailed configurations.
213
Q

Which of the following BEST ensures that information transmitted over the Internet will remain confidential?

A.A virtual private network
B.Firewalls and routers
C.Biometric authentication
D.Two-factor authentication

A

A is the correct answer.

Justification

Encryption of data in a virtual private network ensures that transmitted information is not readable, even if intercepted.
Firewalls and routers protect access to data resources inside the network but do not protect traffic in the public network.
Biometric authentication alone would not prevent a message from being intercepted and read.
Two-factor authentication alone would not prevent a message from being intercepted and read.
214
Q

The MOST effective approach to ensure the continued effectiveness of information security controls is by:

A.ensuring inherent control strength.
B.ensuring strategic alignment.
C.using effective life cycle management.
D.using effective change management.

A

C is the correct answer.

Justification

Inherent strength will not ensure that controls do not degrade over time.
Maintaining strategic alignment will help identify life cycle stages of controls but by itself will not address control degradation.
Managing controls over their life cycle will allow for compensation of decreased effectiveness over time.
Change management strongly supports life cycle management but by itself does not address the complete cycle.
215
Q

Which of the following is the BEST way to mitigate the risk of the database administrator reading sensitive data from the database?

A.Log all access to sensitive data.
B.Employ application-level encryption.
C.Install a database monitoring solution.
D.Develop a data security policy.

A

B is the correct answer.

Justification

Access logging can be easily turned off by the database administrator.
Data encrypted at the application level that is stored in a database cannot be viewed in cleartext by the database administrator.
A database monitoring solution can be bypassed by the database administrator.
A security policy will only be effective if the database administrator chooses to adhere to the policy.
216
Q

Which of the following ensures that newly identified security weaknesses in an operating system are mitigated in a timely fashion?

A.Patch management
B.Change management
C.Security baselines
D.Acquisition management

A

A is the correct answer.

Justification

Patch management involves the correction of software weaknesses and helps ensure that newly identified exploits are mitigated in a timely fashion.
Change management controls the process of introducing changes to systems.
Security baselines provide minimum required settings.
Acquisition management controls the purchasing process.
217
Q

If a defined threat needs to be addressed and a preventive control is not feasible, the next BEST option is to do which of the following activities?

A.Use a deterrent control.
B.Reduce exposure.
C.Use a compensating control.
D.Reassess the risk.

A

B is the correct answer.

Justification

Using a deterrent control will have only a limited effect on the possibility of compromise.
Reducing exposure reduces the probability that a risk can be exploited.
Using a compensating control will serve to limit impact, but do nothing to prevent exploitation.
Reassessing risk may provide a clearer picture of the risk but does nothing to reduce exploitation.
218
Q

How should an information security manager determine the selection of controls required to meet business objectives?

A.Prioritize the use of role-based access controls.
B.Focus on key controls.
C.Restrict controls to critical applications.
D.Focus on automated controls.

A

B is the correct answer.

Justification

Prioritizing the use of role-based access controls could be an example of possible key controls but is only one of the typical key controls.
Key controls are the essential controls to reduce risk and are most effective for the protection of information assets.
Controls cannot be restricted to critical applications because, in many cases, noncritical applications can provide access to critical ones.
Focusing on automated controls would eliminate many essential non-automated key controls such as policies, standards, procedures and necessary physical controls.
219
Q

Which of the following will BEST protect an enterprise from insider security attacks?

A.Static Internet Protocol addressing
B.Internal address translation
C.Prospective employee background checks
D.Employee awareness certification program

A

C is the correct answer.

Justification

Static Internet Protocol addressing does little to prevent an insider attack.
Internal address translation using non-routable addresses is useful against external attacks but not against insider attacks.
Because past performance is a strong predictor of future performance, background checks of prospective employees best prevent attacks from originating within an enterprise.
Employees who certify that they have read security policies are desirable, but this does not guarantee that the employees behave honestly.
220
Q

A social media application system has a process to scan posted comments in search of inappropriate disclosures. Which of the following choices would circumvent this control?

A.An elaborate font setting
B.Use of a stolen identity
C.An anonymous posting
D.A misspelling in the text

A

D is the correct answer.

Justification

Depending on the font style, text messages may become illegible; however, character codes stay the same behind the scenes. Therefore, scanning may not be affected by font settings.
Even when a message is posted using a stolen identity, scanning will be able to catch an inappropriate posting by checking text against a predefined vocabulary table.
Absence of the identity of the user who posted an inappropriate message may not be a major issue in conducting the scanning of posted information.
Intentional misspellings are hard to detect by fixed rules or keyword search because it is difficult for the system to consider the possible misspellings. The computer may ignore misspelled items. Because humans can understand the context, it is rather easy for humans to sense the true intention hidden behind the misspelling.
221
Q

A company uses a single employee to update the servers, review the audit logs and maintain access controls. Which of the following choices is the BEST compensating control?

A.Verify that only approved changes are made.
B.Perform quarterly penetration tests.
C.Perform monthly vulnerability scans.
D.Implement supervisor review of log files.

A

A is the correct answer.

Justification

Where segregation of duties is not possible, additional procedures are needed to ensure that a single person with access is not able to abuse that access.
Penetration tests do not address insider threat.
Vulnerability scans only check hardware and software for changes against set requirements. There is no correlation to unauthorized activities.
A sufficiently knowledgeable administrator may be able to manipulate the log files and hide their activities from the supervisor.
222
Q

A project manager is developing a developer portal and requests that the security manager assign a public Internet Protocol address so that it can be accessed by in-house staff and by external consultants outside the enterprise’s local area network. What should the security manager do FIRST?

A.Understand the business requirements of the developer portal.
B.Perform a vulnerability assessment of the developer portal.
C.Install an intrusion detection system.
D.Obtain a signed nondisclosure agreement from the external consultants before allowing external access to the server.

A

A is the correct answer.

Justification

The information security manager cannot make an informed decision about the request without first understanding the business requirements of the developer portal.
Performing a vulnerability assessment of the developer portal is prudent, but it should follow understanding the requirements.
Installing an intrusion detection system may be useful but not as essential as understanding the requirements.
Obtaining a signed nondisclosure agreement is a prudent practice but is secondary to understanding requirements.
223
Q

Senior management is reluctant to budget for the acquisition of an intrusion prevention system. The chief information security officer should do which of the following activities?

A.Develop and present a business case for the project.
B.Seek the support of the users and information asset custodians.
C.Invite the vendor for a proof-of-concept demonstration.
D.Organize security awareness training for management.

A

A is the correct answer.

Justification

Senior management needs to understand the link between the acquisition of an intrusion prevention system (IPS) and the enterprise's business objectives. A business case is the best way to present this information.
Stakeholder buy-in is an important part of the acquisition and implementation process, but senior management needs to see the value of budgeting for the purchase before moving ahead and making approvals.
Senior managers probably believe that the IPS will do what it promises, but they are usually not tech-savvy. A proof-of-concept will demonstrate the functional features but may not be able to provide the understanding for senior management to approve the purchase.
Security awareness training may provide some insight into the value of security tools in general, but the decision to allocate funds for an IPS will be made only on the basis of the specific value that the IPS provides.
224
Q

Which of the following is the PRIMARY driver for initial implementation of a risk-based information security program?

A.Prioritization
B.Motivation
C.Optimization
D.Standardization

A

A is the correct answer.

Justification

Because enterprises rarely have adequate resources to address all concerns, a risk-based information security program is typically implemented to provide a basis for efficient allocation of limited resources.
Motivation is useful in getting the job done but is not necessarily a result of implementing a risk-based information security program.
Optimization is a long-term benefit associated with a mature risk-based program. It does not present itself during initial implementation.
Standardization is a technique that offers numerous benefits and may support risk management activities. It is not the result of a focus on risk.
225
Q

What is the MAIN objective of integrating the information security process into the system development life cycle?

A.It ensures audit compliance.
B.It ensures that appropriate controls are implemented.
C.It delineates roles and responsibilities.
D.It establishes the foundation for development or acquisition.

A

B is the correct answer.

Justification

Simply integrating information security processes into the system development life cycle (SDLC) will not ensure audit success; it is merely a piece of the compliance puzzle that must be reviewed by the auditor.
Establishing information security processes at the front end of any development project and using the process at each stage of the SDLC ensures that the appropriate security controls are implemented, based on the review and assessment completed by security staff.
The purpose of integrating the information security process at the front end of any SDLC project is to reduce the risk of delays or rework rather than to identify roles and responsibilities for information security in the project.
The information security process should be performed at each phase of the SDLC to ensure that appropriate controls are in place. However, integration of information security does not establish the foundation for the make-versus-buy decision.
226
Q

A virtual desktop infrastructure enables remote access. The benefit of this approach from a security perspective is to:

A.optimize the IT resource budget by reducing physical maintenance to remote personal computers (PCs).
B.establish segregation of personal and organizational data while using a remote PC.
C.enable the execution of data wipe operations into a remote PC environment.
D.terminate the update of the approved antivirus software list for remote PCs.

A

B is the correct answer.

Justification

Physical maintenance is reduced in a virtual desktop infrastructure (VDI) environment, but cost reduction is not the benefit of VDI from a security perspective.
The major benefit of introducing a VDI is to establish remote desktop hosting while keeping personal areas in a client personal computer (PC) separate. This serves as a control against unauthorized copies of business data on a user PC.
Remote data wiping is not possible in a VDI.
Termination of antivirus updates may represent a cost savings to the enterprise, but the presence or absence of antivirus software on a remote PC is irrelevant in a VDI context.
227
Q

What is the GREATEST risk when there are an excessive number of firewall rules?

A.One rule may override another rule in the chain and create a loophole.
B.Performance degradation of the whole network may occur.
C.The firewall may not support the increasing number of rules due to limitations.
D.The firewall may show abnormal behavior and may crash or automatically shut down.

A

A is the correct answer.

Justification

If there are many firewall rules, there is a chance that a particular rule may allow an external connection although other associated rules are overridden. Due to the increasing number of rules, it becomes complex to test them and, over time, a loophole may occur.
Excessive firewall rules may impact network performance, but this is a secondary concern.
It is unlikely that the number of rules will exceed the firewall's capacity to support them, and it is not a significant risk.
There is a slight risk that the firewall will behave erratically, but that is not the greatest risk.
228
Q

Determining which element of the confidentiality, integrity and availability (CIA) triad is MOST important is a necessary task when:

A.assessing overall system risk.
B.developing a controls policy.
C.determining treatment options.
D.developing a classification scheme.

A

B is the correct answer.

Justification

Overall risk is not affected by determining which element of the triad is of the greatest importance because overall risk is constructed from all known risk, regardless of the components of the triad to which each risk applies.
Because preventive controls necessarily must fail in either an open or closed state (i.e., fail safe or fail secure), and failing open favors availability while failing closed favors confidentiality—each at the expense of the other—a clear prioritization of the triad components is needed to develop a controls policy.
Although it is feasible that establishing a control that bolsters one component of the triad may diminish another, treatment options may be determined without a clear prioritization of the triad.
Classification is based on the potential impact of compromise and is not a function of prioritization within the confidentiality, integrity and availability (CIA) triad.
229
Q

Which of the following is the BEST method for ensuring that temporary employees do not receive excessive access rights?

A.Mandatory access controls
B.Discretionary access controls
C.Lattice-based access controls
D.Role-based access controls

A

D is the correct answer.

Justification

Mandatory access controls require users to have a clearance at or above the level of asset classification, but providing clearances for temporary employees is time-consuming and expensive.
Discretionary access control allows delegation based on the individual but requires administrative action to grant and remove access.
Lattice-based access control is a mandatory access model based on the interaction between any combination of objects (such as resources, computers and applications) and subjects.
Role-based access controls will grant temporary employee access based on the job function to be performed. This provides a better means of ensuring that the access is not more or less than what is required, and removing access requires less effort.
230
Q

What is the PRIMARY basis for the prioritization of security spending and budgeting?

A.The identified levels of risk
B.Industry trends
C.An increased cost of service
D.The allocated revenue of the enterprise

A

A is the correct answer.

Justification

The first required action is to conduct a risk assessment of the enterprise’s key processes to identify control gaps and determine where investments should be made to mitigate risk and to determine order of prioritization. This must be conducted with consideration of enterprise goals and strategy.
Prioritization should not be based on the trends at other enterprises because each enterprise has unique requirements and business objectives.
Prioritization by cost alone is not aligned with a risk-based approach.
Although the revenue may increase, it is not wise to link the IT budget to a fixed percentage of revenue because this could lead to spending more or less than is necessary to effectively address risk.
231
Q

Which of the following vulnerabilities is commonly introduced when using Simple Network Management Protocol v2 (SNMP v2) to monitor networks?

A.Remote buffer overflow
B.Cross-site scripting
C.Cleartext authentication
D.Man-in-the-middle attack

A

C is the correct answer.

Justification

There have been some isolated cases of remote buffer overflows against Simple Network Management Protocol (SNMP) daemons, but generally that is not a problem.
Cross-site scripting is a web application vulnerability that is not related to SNMP.
One of the main problems with using SNMP v1 and v2 is the cleartext community string that it uses to authenticate. It is easy to sniff and reuse. Most times, the SNMP community string is shared throughout the enterprise’s servers and routers, making this authentication problem a serious threat to security.
A man-in-the-middle attack against a User Datagram Protocol makes no sense since there is no active session; every request has the community string and is answered independently.
232
Q

Inherent control strength is PRIMARILY a function of which of the following?

A.Implementation
B.Design
C.Testing
D.Policy

A

B is the correct answer.

Justification

Improper implementation can affect design control strength; however, even good implementation is not likely to overcome poor design.
Inherent control strength is mainly achieved by proper design.
Testing is important to determine whether design strength has been achieved but will generally not solve design problems.
Policy support for appropriate controls is important but is generally too high level to ensure that a design has inherent control strength.
233
Q

A control for protecting an IT asset, such as a laptop computer, is BEST selected if the cost of the control is less than the:

A.cost of the asset.
B.impact on the business if the asset is lost or stolen.
C.available budget.
D.net present value.

A

B is the correct answer.

Justification

While the control may be more expensive than the cost of the physical asset, such as a laptop computer, the impact to the business may be much higher and thus justify the cost of the control.
Controls are selected based on their impact on the business due to the nonavailability of the asset rather than on the cost of the asset or the available budget.
Budget availability is a consideration; however, this is not as important as the overall impact to the business if the asset is compromised.
Net present value (NPV) calculations are not useful to determine the cost of a control. While a laptop computer might be fully amortized (or even expensed), the impact of the loss of the asset may be much higher than its NPV.
234
Q

In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software?

A.Applying patches
B.Changing access rules
C.Upgrading hardware
D.Backing up files

A

B is the correct answer.

Justification

Security software will generally have a well-controlled process for applying patches.
The greatest risk occurs when access rules are changed because they are susceptible to being opened up too much, which can result in the creation of a security exposure.
Upgrading hardware will not affect software vulnerabilities.
Backup processes provide little opportunity to introduce vulnerabilities.
235
Q

What is the BEST way to ensure data protection upon termination of employment?

A.Retrieve identification badge and card keys.
B.Retrieve all personal computer equipment.
C.Erase all the employee’s folders.
D.Ensure all logical access is removed.

A

D is the correct answer.

Justification

Retrieving identification badge and card keys would only reduce the capability to enter the building.
Retrieving the personal computer equipment is a necessary task but does not prevent access to resources.
Erasing the employee’s folders is not reasonable because the folders may contain information important to the enterprise.
Ensuring that all logical access is removed will guarantee that the former employee will not be able to access company data and that the employee’s credentials will not be misused.
236
Q

What is the PRIMARY purpose of installing an intrusion detection system?

A.To identify weaknesses in network security
B.To identify patterns of suspicious access
C.To identify how an attack was launched on the network
D.To identify potential attacks on the internal network

A

D is the correct answer.

Justification

An intrusion detection system is not designed to identify weaknesses in network security.
An intrusion detection system is not designed to identify patterns of suspicious logon attempts.
Identifying how an attack was launched is secondary.
The most important function of an intrusion detection system is to identify potential attacks on the network.
237
Q

What is the BEST defense against a structured query language injection attack?

A.Regularly updated signature files
B.A properly configured firewall
C.An intrusion detection system
D.Strict controls on input fields

A

D is the correct answer.

Justification

Regularly updated signature files are unrelated to a structured query language (SQL) attack and would fail to prevent it.
A properly configured firewall would fail to prevent such an attack.
An intrusion detection system would fail to prevent such an attack.
SQL injection involves the typing of programming command statements within a data entry field on a web page, usually with the intent of fooling the application into thinking that a valid password has been entered in the password entry field. The best defense against such an attack is to have strict edits on what can be typed into a data input field so that programming commands will be rejected. Code reviews should also be conducted to ensure that such edits are in place and that there are no inherent weaknesses in the way the code is written; software is available to test for such weaknesses.
238
Q

Why is a certificate authority needed in a public key infrastructure?

A.It provides a proof of the integrity of data.
B.It prevents the denial of specific transactions.
C.It attests to the validity of a user’s public key.
D.It stores a user’s private key.

A

C is the correct answer.

Justification

The certificate authority (CA) does not provide proof of message integrity.
Nonrepudiation prevents a party from denying that the party originated a specific transaction and is provided by a user’s private key signing communication.
The CA is a trusted third party that attests to the authenticity of a user’s public key by digitally signing it with the CA’s private key.
A conventional CA does not store a user’s private key.
239
Q

An advantage of using a cloud computing solution over a locally hosted solution is:

A.the ability to obtain storage and bandwidth on demand.
B.reduced requirements for training of users and managers.
C.increased security as a result of encrypting data in transit.
D.the opportunity to control changes to applications and data.

A

A is the correct answer.

Justification

One key advantage of cloud computing is the ability to rapidly adjust storage and network bandwidth needs as required. This is generally not possible in locally hosted environments.
The amount of training required for users and managers is not substantially different between a cloud and a local solution.
Sensitive data can be encrypted in transit regardless of whether it is locally hosted or hosted on a cloud provider.
Access controls may be established in both local and cloud solutions.
240
Q

When implementing a cloud computing solution that will provide software as a service (SaaS) to the enterprise, what is the GREATEST concern for the information security manager?

A.The possibility of disclosure of sensitive data in transit or storage
B.The lack of clear regulations regarding the storage of data with a third party
C.The training of the users to access the new technology properly
D.The risk of network failure and the resulting loss of application availability

A

A is the correct answer.

Justification

Disclosure of sensitive data is a primary concern of the information security manager.
Many jurisdictions have regulations regarding data privacy. The concern of the information security manager is compliance with those regulations, not the lack of regulations.
The training of how to use software as a service (SaaS) is no different than the need for training required for more traditional solutions. In most cases, the use of SaaS is fairly simple and requires minimal technology but is not within the scope of the information security manager’s responsibility in any case.
Loss of application availability as a result of network failure is an inherent risk associated with SaaS and must be taken into account by the enterprise as part of the decision to move to cloud computing, but this is a business decision rather than a principal concern of the information security manager.
241
Q

What is the BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures?

A.Perform penetration testing.
B.Establish security baselines.
C.Implement vendor default settings.
D.Link policies to an independent standard.

A

B is the correct answer.

Justification

Penetration testing will not be the most effective and can only be performed periodically.
Security baselines will provide the best assurance that each platform meets minimum security criteria.
Vendor default settings will not necessarily meet the criteria set by the security policies.
Linking policies to an independent standard will not provide assurance that the platforms meet the relevant security levels.
241
Q

From a security perspective, which of the following is the MOST important step when an employee is transferred to a different function?

A.Reviewing and modifying access rights
B.Assigning new security responsibilities
C.Conducting specific training for the new role
D.Knowledge of security weaknesses in the previous department

A

A is the correct answer.

Justification

When an employee is transferred from one function to another, it is very important to review and update the logical access rights to ensure that any access no longer needed is removed and appropriate access for the new position is granted.
Assigning new security responsibilities may not be required.
Training for a new role has no direct security implications.
Having knowledge of security weaknesses in the previous department is not relevant.
242
Q

Which of the following is the MOST appropriate method to protect the delivery of a password that opens a confidential file?

A.Delivery path tracing
B.Reverse lookup translation
C.Out-of-band channels
D.Digital signatures

A

C is the correct answer.

Justification

Delivery path tracing shows the route taken but does not confirm the identity of the sender.
Reverse lookup translation involves converting an Internet Protocol address to a username.
It is risky to send the password to a file by the same method as the file was sent. An out-of-band channel such as the telephone reduces the risk of interception.
Digital signatures prove the identity of the sender of a message and ensure integrity.
243
Q

What practice should FIRST be applied to an emergency security patch that has been received via email? The patch should be:

A.loaded onto an isolated test machine.
B.decompiled to check for malicious code.
C.validated to ensure its authenticity.
D.copied onto write-once media to prevent tampering.

A

C is the correct answer.

Justification

The patch should be validated to ensure authenticity before any other action is taken.
Decompiling the patch is not practical and is unlikely to expose malicious code.
It is essential to first validate that the patch is authentic.
Copying to write-once media is not generally a useful step.
244
Q

Which of the following factors will MOST affect the extent to which controls should be layered?

A.The extent to which controls are procedural
B.The extent to which controls are subject to the same threat
C.The total cost of ownership for existing controls
D.The extent to which controls fail in a closed condition

A

B is the correct answer.

Justification

Whether controls are procedural or technical will not affect layering requirements.
To manage the aggregate risk of total risk, common failure modes in existing controls must be addressed by adding or modifying controls so that they fail under different conditions.
The total cost of ownership is unlikely to be reduced by adding additional controls.
Controls that fail in a closed condition pose a risk to availability, whereas controls that fail in an open condition may require additional control layers to prevent compromise.
245
Q

Where should a firewall be placed?

A.On the web server
B.On the intrusion detection system server
C.On the screened subnet
D.On the domain boundary

A

D is the correct answer.

Justification

Placing it on a web server, which is a demilitarized zone (DMZ), does not provide any protection.
Because firewalls should be installed on hardened servers with minimal services enabled, it is inappropriate to have the firewall and the intrusion detection system on the same physical device.
Placing it on a screened subnet, which is a DMZ, does not provide any protection.
A firewall should be placed on a (security) domain boundary so that it creates a barrier against untrusted networks.
246
Q

Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?

A.System analyst
B.Quality control manager
C.Process owner
D.Information security manager

A

C is the correct answer.

Justification

The system analyst does not possess the necessary knowledge or authority to implement and maintain the appropriate level of business security.
Quality control managers do not implement security.
Process owners implement information protection controls as determined by the business’ needs. Process owners have the most knowledge about security requirements for the business application for which they are responsible.
The information security manager will implement the information security framework and develop standards and controls, but the level of security required by a specific business application is determined by the process owner.
247
Which of the following provides the BEST defense against the introduction of malware in end-user computers via the Internet browser? A.Input validation checks on structured query language injection B.Restricting access to social media sites C.Deleting temporary files D.Restricting execution of mobile code
D is the correct answer. Justification Validation of checks on structured query language injection does not apply to this scenario. Restricting access to social media sites may be helpful but is not the primary source of malware. Deleting temporary files is not applicable to this scenario. Restricting execution of mobile code is the most effective way to avoid introduction of malware into the end user’s computers.
248
The implementation of an effective change management process is an example of a: A.corrective control. B.deterrent control. C.preventative control. D.compensating control.
C is the correct answer. Justification A corrective control is designed to correct errors, omissions and unauthorized uses and intrusions once they are detected. Deterrent controls are intended to discourage individuals from intentionally violating information security policy or procedures. Change management is intended to reduce the introduction of vulnerability by unauthorized changes. An effective change management process can prevent (and detect) unauthorized changes. It requires formal approval, documentation and testing of all changes by a supervisory process. Compensating controls are meant to mitigate impact when existing controls fail. Change management is the primary control for preventing or detecting unauthorized changes. It is not compensating for another control that has that function.
249
What is the MOST critical success factor of the patch management procedure in an enterprise where availability is a primary concern? A.Testing time window prior to deployment B.Technical skills of the team responsible C.Certification of validity for deployment D.Automated deployment to all the servers
A is the correct answer. Justification Having the patch tested prior to implementation on critical systems is an absolute prerequisite if availability is a primary concern because deploying patches that could cause a system to fail could be worse than the vulnerability corrected by the patch. A high level of technical skills is not required because patches are usually applied via automated tools. Validation of the patch is essential but is unrelated to the testing, which is the primary area of concern. It makes no sense to deploy patches on every system. Vulnerable systems should be the only candidates for patching.
250
Which of the following is an inherent weakness of signature-based intrusion detection systems? A.A higher number of false positives B.New attack methods will be missed C.Long duration probing will be missed D.Attack profiles can be easily spoofed
B is the correct answer. Justification False positives are usually lower in signature-based intrusion detection systems (IDSs). Signature-based IDSs do not detect new attack methods for which signatures have not yet been developed. Long duration probing is more likely to fool anomaly-based systems (boiling frog technique). Spoofing is not relevant in this case.
251
Which of the following is the MOST important consideration when implementing an intrusion detection system? A.Tuning B.Patching C.Encryption D.Packet filtering
A is the correct answer. Justification If an intrusion detection system is not properly tuned it will generate an unacceptable number of false positives and/or fail to sound an alarm when an actual attack is underway. Patching is more applicable to operating system hardening. Encryption would not be as relevant as tuning. Packet filtering would not be as relevant as tuning.
252
Which of the following vulnerabilities allowing attackers access to the application database is the MOST serious? A.Validation checks are missing in data input pages. B.Password rules do not allow sufficient complexity. C.Application transaction log management is weak. D.Application and database share a single access ID.
A is the correct answer. Justification Attackers are able to exploit the weaknesses that exist in the application layer. For example, they can submit a part of a structured query language (SQL) statement (SQL injection attack) to illegally retrieve application data. Validation control is an effective countermeasure. Noncomplex passwords may make accounts vulnerable to brute force attacks, but there are other ways to counter them besides complexity (e.g., lockout thresholds). There is a chance that confidential information is inadvertently written to the application transaction log; therefore, sufficient care should be given to log management. However, it is uncommon for attackers to use the log server to steal database information. Although developers may embed a single ID in the program to establish a connection from application to database, if the original account is sufficiently secure, then the overall risk is low.
253
If a security incident is not the result of the failure of a control, then it is MOST likely the result of which of the following choices? A.An incomplete risk analysis B.The absence of a control C.A zero-day attack D.A user error
B is the correct answer. Justification An incomplete risk analysis may have the effect of a suitable control not being implemented, but it is not the reason that a compromise occurs. A security incident is inevitably the result of a control failure or the lack of a suitable control. A zero-day attack is difficult to predict, but it will only be successful if a control fails or does not exist. A user error will only result in a security incident because of control failure or the absence of a control.
254
Which of the following should automatically occur FIRST when a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning? A.The firewall should block all inbound traffic during the outage. B.All systems should block new logins until the problem is corrected. C.Access control should fall back to nonsynchronized mode. D.System logs should record all user activity for later analysis.
C is the correct answer. Justification Blocking traffic would be overly restrictive to the conduct of business. Blocking new logins would be overly restrictive to the conduct of business. The best mechanism is for the system to fall back to the original process of logging on individually to each system. Recording all user activity would add little value.
255
Which of the following would PRIMARILY provide the potential for users to bypass a form-based authentication mechanism in an application with a back-end database? A.A weak password of six characters B.A structured query language (SQL) injection C.A session time-out of long duration D.Lack of an account lockout after multiple wrong attempts
B is the correct answer. Justification Weak passwords can make it easy to access the application, but there is no bypass of authentication. Although structured query language injection is well understood and preventable, it still is a significant security risk for many enterprises writing code. Using SQL injection, one can pass SQL statements in a manner that bypasses the logon page and allows access to the application. Long time-out duration is not relevant to the authentication mechanism. Because the authentication mechanism is bypassed, account lockout is not initiated.
256
Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack? A.Use an intrusion detection system. B.Establish minimum security baselines. C.Implement vendor-recommended settings. D.Perform periodic penetration testing.
D is the correct answer. Justification An intrusion detection system may detect an attempted attack, but it will not confirm whether the perimeter is secure. Minimum security baselines are beneficial, but they will not provide the level of assurance that is provided by penetration testing. Vendor-recommended settings may be used to harden systems but provide little assurance that other vulnerabilities do not exist, which may be exposed by penetration testing. Penetration testing is the best way to assure that perimeter security is adequate.
257
What is the BEST way to ensure users comply with organizational security requirements for password complexity? A.Include password construction requirements in the security standards. B.Require each user to acknowledge the password requirements. C.Implement strict penalties for user noncompliance. D.Enable system-enforced password configuration.
D is the correct answer. Justification Standards provide some deterrence but are not as effective as automated controls. Requiring user acknowledgment will help but not to the extent of automatic system enforcement. Penalties for noncompliance may be fairly effective but will not provide the level of assurance provided by automated system enforcement. Automated system enforced password construction provides the highest level of assurance of compliance.
258
To establish the contractual relationship between entities using public key infrastructure, the certificate authority must provide which of the following? A.A registration authority B.A digital certificate C.A nonrepudiation capability D.A certification practice statement
D is the correct answer. Justification The registration authority is responsible for authentication of users prior to the issuance of a certificate. A digital certificate is the electronic credentials of individual entities but does not provide the contractual relationship of users and the certificate authority. Nonrepudiation is an inherent capability of a public key infrastructure by the virtue of the signing capability. The certification practice statement provides the contractual requirements between the relying parties and the certificate authority.
259
Where should an intranet server generally be placed? A.On the internal network B.On the firewall server C.On the external router D.On the primary domain controller
A is the correct answer. Justification An intranet server should be placed on the internal network because external people do not need to access it; this reduces the risk of unauthorized access. Because firewalls should be installed on hardened servers with minimal services enabled, it is inappropriate to store the intranet server on the same physical device as the firewall. Placing the intranet server on an external router leaves it exposed. Primary domain controllers should not share the same physical device as the intranet server.
260
Which of the following is the GREATEST security concern when an incident log is stored on the production database server? A.Log information may be lost when the database server crashes. B.The database administrator may tamper with the log information. C.The capacity to handle large transactions may be compromised. D.Sensitive information may inadvertently be written to the log file.
B is the correct answer. Justification Production data and log data are most likely backed up at the same time. Therefore, it is possible to restore both production data and log data based on the same recovery point. There is a chance that fraud can be committed because the administrator can manipulate the database server. The administrator may alter database transactions and then erase the log. It is best that the log be managed in a separate environment from the production database to serve as a useful detective control. Transaction processing capacity may or may not degrade as the result of log activation. There is insufficient information provided to affirm process degradation. There may be a case when sensitive information is inadvertently written to a log. This comes from a design failure in the application or database system rather than from the fact that the production database and log are on the same server.
261
What is the advantage of virtual private network tunneling for remote users? A.It helps ensure that communications are secure. B.It increases security between multi-tier systems. C.It allows passwords to be changed less frequently. D.It eliminates the need for secondary authentication.
A is the correct answer. Justification Virtual private network (VPN) tunneling for remote users provides an encrypted link that helps ensure secure communications. VPN tunneling does not affect security within the internal network. VPN tunneling does not affect password change frequency. VPN tunneling does not eliminate the need for secondary authentication.
262
Which of the following reasons is MOST likely why an enterprise has decided to outsource intrusion detection services? A.As a response to audit recommendations B.Due to the complexity of interpreting attacks C.As a result of a cost-benefit analysis D.Due to lack of competent staff
C is the correct answer. Justification Audit recommendations may lead to a cost-benefit analysis, but generally do not direct a particular approach to solving an identified problem. Intrusion detection technology that reduces the complexity of managing the service is available but may not be cost-effective. A cost-benefit analysis addresses the trade-offs between in-house and outsourced services. If outsourcing is chosen, it is generally chosen on the basis of cost-effectiveness. Hiring staff with the proper skill set for intrusion detection is generally possible but may not be cost-effective.
263
Which of the following control practices represents the FIRST layer of the defense-in-depth strategy? A.Data privacy B.Authentication C.Incident response D.Backup
B is the correct answer. Justification Data privacy is part of the second layer, which is containment. Authentication is part of prevention, which is the first layer of defense in depth. Incident response is part of the fourth layer of defense, which is reaction. A backup policy is part of the last layer of defense, which is recovery/restoration.
264
Several business units reported problems with their systems after multiple security patches were deployed. What is the FIRST step to handle this problem? A.Assess the problems and institute rollback procedures, if needed. B.Disconnect the systems from the network until the problems are corrected. C.Uninstall the patches from these systems. D.Contact the vendor regarding the problems that occurred.
A is the correct answer. Justification Assessing the problems and instituting rollback procedures as needed would be the best course of action. Disconnecting the systems from the network would not identify where the problem was and may make the problem worse. Uninstalling the patches would not identify where the problem was and would recreate the risk the patches were meant to address. Contacting the vendor regarding the problems that occurred is part of the assessment.
265
Integrating a number of different activities in the development of an information security infrastructure is BEST achieved by developing: A.a business plan. B.an architecture. C.requirements. D.specifications.
B is the correct answer. Justification A business plan may address some issues of integrating activities, but that is not its main purpose. An architecture allows different activities to be integrated under one design authority. Requirements do not generally address integration. Specifications do not address integration.
266
Which of the following presents the GREATEST exposure to internal attack on a network? A.User passwords are not automatically expired. B.All network traffic goes through a single switch. C.User passwords are encoded but not encrypted. D.All users reside on a single internal subnet.
C is the correct answer. Justification Not setting user passwords to automatically expire does create an exposure but not as great as having unencrypted passwords. Using a single switch does not present a significant exposure. When passwords are sent over the internal network in an encoded format, they can easily be converted to cleartext. All passwords should be encrypted to provide adequate security. Using a subnet does not present a significant exposure.
267
Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network? A.Boundary router B.Strong encryption C.Internet-facing firewall D.Intrusion detection system
B is the correct answer. Justification Boundary routers would do little to secure wireless networks. Strong encryption is the most effective means of protecting wireless networks. An Internet-facing firewall would offer no protection from a local attack on a wireless network. Compromise of weak encryption would not be detected by an intrusion detection system.
268
Which of the following is the MOST appropriate method of ensuring password strength in a large enterprise? A.Attempt to reset several passwords to weaker values B.Install code to capture passwords for periodic audit C.Sample a subset of users and request their passwords for review D.Automatic password strength determination on each platform
D is the correct answer. Justification Attempting to reset several passwords to weaker values will not ensure adequate password strength. Installing code to capture passwords for periodic audit creates an unnecessary risk. Sampling a subset of users and requesting their passwords for review would compromise the integrity of the passwords. Automatic testing of password strength and enforcing proper construction is the most effective way of ensuring strong password construction.
269
Which of the following BEST ensures that security risk will be reevaluated when modifications in application developments are made? A.A problem management process B.Background screening C.A change control process D.Business impact analysis
C is the correct answer. Justification Problem management is the general process intended to manage all problems, not those specifically related to security. Background screening is the process of evaluating employee references when they are hired. A change control process is the methodology that ensures that anything that could be impacted by a development change will be reevaluated. Business impact analysis is the methodology used to evaluate impacts and the cost of losing a particular function.
270
An operating system noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution? A.Rewrite the application to conform to the upgraded operating system. B.Compensate for not installing the patch with mitigating controls. C.Alter the patch to allow the application to run in a privileged state. D.Run the application on a test platform; tune production to allow patch and application.
B is the correct answer. Justification Rewriting the application is not a viable option. Because the operating system (OS) patch will adversely impact a critical application, a mitigating control should be identified that will provide an equivalent level of security. Altering the OS patch to allow the application to run in a privileged state is likely to create new security weaknesses. Running a production application on a test platform is not an acceptable alternative because it will mean running a critical production application on a platform not subject to the same level of security controls.
271
Business management is finalizing the contents of a segregation of duties matrix to be loaded in a purchase order system. Which of the following should the information security manager recommend in order to BEST improve the effectiveness of the matrix? A.Ensure approvers are aligned with the organizational chart B.Trace approvers’ paths to eliminate routing deadlocks C.Set triggers to go off in the event of exceptions D.Identify conflicts in the approvers’ authority limits
D is the correct answer. Justification The approver’s structure in a purchase order system may not necessarily be in sync with the organizational structure. Depending on business requirements, a modified hierarchy is acceptable purely in terms of approving certain transactions. It is rare that the structure of an approver’s routing path will end up with deadlocks. If a highly complicated approval structure is developed, something similar to a deadlock may occur (e.g., it takes a very long time until a request is approved). Even so, it is unlikely that routing effectiveness becomes a primary driver for quality improvement. Setting triggers to go off in the event of exceptions is a technical feature to be implemented inside the database. It is not relevant advice to be given to business management. In order to make the segregation of duties matrix complete, it is best to ensure that no conflicts exist in approvers’ authorities. If there are any, they will introduce a flaw in the control, resulting in the successful execution of unauthorized transactions.
272
The MOST likely reason to segment a network by trust domains is to: A.limit consequences of a compromise. B.reduce vulnerability to a breach. C.facilitate automated network scanning. D.implement a data classification scheme.
A is the correct answer. Justification Segmentation by trust domain limits the potential consequences of a successful compromise by constraining the scope of impact. Segmentation by trust domain does not substantially change vulnerability. Automated network scanning can treat a network as logically segmented without reliance on trust domains. Segmentation is not implemented primarily to facilitate data classification.
273
When securing wireless access points, which of the following controls would BEST assure confidentiality? A.Implementing wireless intrusion prevention systems B.Not broadcasting the service set identifier C.Implementing wired equivalent privacy authentication D.Enforcing a virtual private network over wireless
D is the correct answer. Justification A wireless intrusion prevention system is a detective system and would not prevent wireless sniffing. Not broadcasting the service set identifier does not reduce the risk of wireless packets being captured. Wired equivalent privacy authentication is known to be weak and does not protect individual confidentiality. Enforcing a virtual private network over wireless is the best option to enforce strong authentication and encryption of the sessions.
274
When designing information security standards for an enterprise, the information security manager should require that an extranet server be placed: A.outside the firewall. B.on the firewall server. C.on a screened subnet. D.on the external router.
C is the correct answer. Justification Placing the extranet server on the Internet side of the firewall would leave it defenseless. Because firewalls should be installed on hardened servers with minimal services enabled, it would be inappropriate to store the extranet on the same physical device. An extranet server should be placed on a screened subnet, which is a demilitarized zone. Placing the extranet server on the external router, although it may not be possible, would leave it defenseless.
275
Which of the following is an example of a corrective control? A.Diverting incoming traffic as a response to a denial-of-service attack B.Filtering network traffic C.Examining inbound network traffic for viruses D.Logging inbound network traffic
A is the correct answer. Justification Diverting incoming traffic helps correct the situation and, therefore, is a corrective control. Filtering network traffic is a preventive control. Examining inbound network traffic for viruses is a detective control. Logging inbound network traffic is a detective control.
276
What is the MOST effective access control method to prevent users from sharing files with unauthorized users? A.Mandatory B.Discretionary C.Walled garden D.Role-based
A is the correct answer. Justification Mandatory access controls restrict access to files based on the security classification of the file. This prevents users from sharing files with unauthorized users. Discretionary access controls are not as effective as mandatory access controls in preventing file-sharing. A walled garden is an environment that controls a user’s access to web content and services. In effect, the walled garden directs the user’s navigation within particular areas and does not necessarily prevent sharing of other material. Role-based access controls grant access according to the role assigned to a user; they do not prevent file sharing with unauthorized users.
276
IT management has standardized the Internet browser used within the enterprise. This practice is MOST effective in meeting which of the following objectives? A.Prevent attacks designed to exploit known vulnerabilities. B.Ensure the subscription count is aligned with contract. C.Invalidate illegal browser script program development. D.Guarantee compatibility with internal web-based applications.
D is the correct answer. Justification Standardization of browsers within enterprises typically results in delays to upgrades and patching, making it more likely that the standardized browser will be susceptible to exploitation of known vulnerabilities. Controlling the version of the Internet browser used may not support the reconciliation between the subscription count and contract license number. Browser script development is generally not constrained by browser standardization. Information security managers seeking to prevent script execution would typically do so by standardizing configurations rather than versions. Internal web applications typically depend on particular versions of a web browser. Many enterprises choose to retain versions of their browsers beyond periods of support in order to maintain compatibility with their deployed applications.
277
A critical device is delivered with a single user ID and password that is required to be shared for multiple users to access the device. An information security manager has been tasked with ensuring all access to the device is authorized. Which of the following would be the MOST efficient means to accomplish this? A.Enable access through a separate device that requires adequate authentication. B.Implement manual procedures that require a password change after each use. C.Request the vendor to add multiple user IDs. D.Analyze the logs to detect unauthorized access.
A is the correct answer. Justification Enabling access through a separate device that requires adequate authentication allows authentication tokens to be provisioned and terminated for individuals and also introduces the possibility of logging activity by individuals. Implementing manual procedures that require a password change after each use is not effective because users can circumvent the manual procedures. Vendor enhancements may take time and require development, and this is a critical device. Analyzing the logs to detect unauthorized access could, in some cases, be an effective complementary control, but because such a control is detective, it would not be the most effective in this instance.
278
In the process of deploying a new email system, an information security manager would like to ensure the confidentiality of messages while in transit. Which of the following is the MOST appropriate method to ensure data confidentiality in a new email system implementation? A.Encryption B.Strong authentication C.Digital signature D.Hashing algorithm
A is the correct answer. Justification To preserve confidentiality of a message while in transit, encryption should be implemented. Strong authentication ensures the identity of the participants but does not secure the message in transit. Digital signatures only authenticate the sender, the receiver and the integrity of the message but do not prevent interception. A hashing algorithm ensures integrity.
278
How can access control to a sensitive intranet application by mobile users BEST be implemented? A.Through data encryption B.Through digital signatures C.Through strong passwords D.Through two-factor authentication
D is the correct answer. Justification Data encryption does not provide access control. Digital signatures provide assurance of the identity of the sender, not access control. Strong passwords provide an intermediate strength of access control but are not as strong as two-factor authentication. Two-factor authentication, through the use of strong passwords combined with security tokens, provides the highest level of security.
279
Which of the following BEST ensures that modifications made to in-house developed business applications do not introduce new security exposures? A.Stress testing B.Patch management C.Change management D.Security baselines
C is the correct answer. Justification Stress testing ensures that there are no scalability problems. Patch management involves the correction of software weaknesses and helps ensure that newly identified exploits are mitigated in a timely fashion. Change management controls the process of introducing changes to systems to ensure that unintended changes are not introduced; within change management, regression testing is specifically designed to prevent the introduction of new security exposures when making modifications. Security baselines provide minimum required security settings.
280
Which one of the following phases of the application development life cycle for in-house development represents the BEST opportunity for an information security manager to influence the outcome of the development effort? A.System design for a new application B.User acceptance testing and sign-off C.Requirements gathering and analysis D.Implementation
C is the correct answer. Justification The design phase helps determine how the requirements will be implemented; however, if an information security manager first becomes involved in the design phase, the manager will likely find that influencing the outcome of the development effort will be more difficult. The user acceptance testing and sign-off phase is too late in the life cycle to effectively influence the outcome. An information security manager should be involved in the earliest phase of the application development life cycle to effectively influence the outcome of the development effort. Of the choices listed, the requirements gathering and analysis phase represents the earliest opportunity for an information security manager to have such influence. During this phase, both functional and nonfunctional requirements, including security, should be considered. The implementation phase is too late in the life cycle to effectively influence the outcome.
281
Which of the following devices should be placed within a demilitarized zone? A.Network switch B.Web server C.Database server D.File/print server
B is the correct answer. Justification Switches may bridge a demilitarized zone (DMZ) to another network but do not technically reside within the DMZ network segment. A web server should normally be placed within a DMZ to shield the internal network. Database servers may contain confidential or valuable data and should always be placed on the internal network, never on a DMZ that is subject to compromise. File/print servers may contain confidential or valuable data and should always be placed on the internal network, never on a DMZ that is subject to compromise.
282
Q

Who should be responsible for enforcing access rights to application data?

A.Data owners
B.Business process owners
C.The security steering committee
D.Security administrators

A

D is the correct answer.

Justification

Data owners are responsible for approving access rights.
Business process owners are sometimes also the data owners and would not be responsible for enforcement.
The security steering committee would not be responsible for enforcement.
As custodians, security administrators are responsible for enforcing access rights to data.
283
Q

The BEST reason for an enterprise to implement two discrete firewalls connected directly to the Internet and the same demilitarized zone would be to:

A.provide in-depth defense.
B.separate test and production.
C.permit traffic load balancing.
D.prevent a denial-of-service attack.

A

C is the correct answer.

Justification

Two firewalls in parallel provide two concurrent paths for compromise and, therefore, do not provide defense in depth. If they were connected in a series, one behind the other, they would provide defense in depth.
As both entry points connect to the Internet and to the same demilitarized zone, such an arrangement is not practical for separating testing from production.
Having two entry points, each guarded by a separate firewall, is desirable to permit traffic load balancing.
Firewalls are not effective at preventing denial-of-service attacks.
284
Q

What is an appropriate frequency for updating operating system patches on production servers?

A.During scheduled rollouts of new applications
B.According to a fixed security patch management schedule
C.Concurrently with quarterly hardware maintenance
D.Whenever important security patches are released

A

D is the correct answer.

Justification

Patches should not be delayed to coincide with other scheduled rollouts.
Patches should not be delayed to coincide with other scheduled maintenance.
Due to the possibility of creating a system outage, patches should not be deployed during critical periods of application activity such as month-end or quarter-end closing.
Patches should be applied whenever important security updates are released after being tested to ensure compatibility.
285
Q

Which of the following will BEST protect against malicious activity by a former employee?

A.Pre-employment screening
B.Close monitoring of users
C.Periodic awareness training
D.Effective termination procedures

A

D is the correct answer.

Justification

Pre-employment screening is important but not effective in preventing this type of situation.
Monitoring is important but not effective in preventing this type of situation.
Security awareness training is important but not effective in preventing this type of situation.
After leaving an enterprise, a former employee may attempt to use personal credentials to perform unauthorized or malicious activity. Accordingly, it is important to ensure timely revocation of all access at the time an individual is terminated.
286
Q

Which of the following change management process steps can be bypassed to implement an emergency change?

A.Documentation
B.Authorization
C.Scheduling
D.Testing

A

C is the correct answer.

Justification

Emergency changes require documentation, although it may occur after implementation.
Emergency changes require formal authorization, although it may occur after implementation.
When a change is being made on an emergency basis, it generally is implemented outside the normal schedule. However, it should not bypass other aspects of the change management process.
Emergency changes require testing.
287
Q

Which of the following is MOST effective in preventing disruptions to production systems?

A.Patch management
B.Security baselines
C.Virus detection
D.Change management

A

D is the correct answer.

Justification

Patch management involves the correction of software vulnerabilities as they are discovered by modifying the software with a “patch,” which may or may not prevent production system disruptions.
Security baselines provide minimum recommended settings and do not necessarily prevent introduction of control weaknesses.
Virus detection is an effective tool but primarily focuses on malicious code from external sources.
Change management controls the process of introducing changes to systems. Changes that are not properly reviewed before implementation can disrupt or alter established controls in an otherwise secure, stable environment.
288
Q

In what circumstances should mandatory access controls be used?

A.When the enterprise has a high risk tolerance
B.When delegation of rights is contrary to policy
C.When the control policy specifies continuous oversight
D.When access is permitted, unless explicitly denied

A

B is the correct answer.

Justification

Mandatory access controls (MACs) are restrictive controls employed in situations of low risk tolerance.
With MAC, the security policy is centrally controlled by a security policy administrator, and users do not have the ability to delegate rights.
A requirement for continuous oversight is not related to MACs.
MACs do not allow access as a default condition.
289
Q

Which of the following BEST accomplishes secure customer use of an e-commerce application?

A.Data encryption
B.Digital signatures
C.Strong passwords
D.Two-factor authentication

A

A is the correct answer.

Justification

Encryption is the preferred method of ensuring confidentiality in customer communications with an e-commerce application.
A digital signature is not a practical solution because there is typically no client-side certificate and integrity of the communication cannot be ensured.
Strong passwords, by themselves, would not be sufficient because the data could still be intercepted.
Two-factor authentication would be impractical and provide no assurance that data have not been modified through a man-in-the-middle attack.
290
Q

Which of the following should be in place before a black box penetration test begins?

A.IT management approval
B.Proper communication and awareness training
C.A clearly stated definition of scope
D.An incident response plan

A

C is the correct answer.

Justification

IT management approval may not be required, based on senior management decisions.
Communication, awareness and an incident response plan are not a necessary requirement.
Having a clearly stated definition of scope is most important to ensure a proper understanding of risk and success criteria.
A penetration test could help promote the creation and execution of the incident response plan.
291
Q

Which of the following tools should a newly hired information security manager review to gain an understanding of how effectively the current set of information security projects are managed?

A.A project database
B.A project portfolio database
C.Policy documents
D.A program management office

A

B is the correct answer.

Justification

A project database may contain information for one specific project and updates to various parameters pertaining to the current status of that single project.
A project portfolio database is the basis for project portfolio management. It includes project data such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports.
Policy documents on project management set direction for the design, development, implementation and monitoring of the project.
A program management office is the team that oversees the delivery of the project portfolio. Review of the office may provide meaningful insights into the skill set and organizational structure but not on how effectively the current set of information security projects is managed.
292
Q

What is the PRIMARY purpose of performing an internal attack and penetration test?

A.Identify weaknesses in network and server security.
B.Identify ways to improve the incident response process.
C.Identify attack vectors on the network perimeter.
D.Identify the optimum response to internal hacker attacks.

A

A is the correct answer.

Justification

Internal attack and penetration tests are designed to identify weaknesses in network and server security.
Internal attack and penetration tests do not focus on incident response.
The network perimeter is about external attacks.
Possible responses can be a secondary follow-up effort after the internal attack and penetration test.
293
Q

What is the BIGGEST concern for an information security manager reviewing firewall rules?

A.The firewall allows source routing.
B.The firewall allows broadcast propagation.
C.The firewall allows unregistered ports.
D.The firewall allows nonstandard protocols.

A

A is the correct answer.

Justification

If the firewall allows source routing, any outsider can carry out spoofing attacks by stealing the internal (private) Internet Protocol addresses of the enterprise.
Broadcast propagation does not create a significant security exposure.
Unregistered ports are a poor practice but do not necessarily create a significant security exposure.
Nonstandard protocols can be filtered and do not necessarily create a significant security exposure.
294
Q

For which of the following types of controls is notification of a verified network intrusion an indication that the control is working properly?

A.Preventative
B.Corrective
C.Detective
D.Deterrent

A

C is the correct answer.

Justification

Preventative controls, such as authentication mechanisms and encryption, are intended to stop intrusions, so a verified intrusion indicates that preventative controls were ineffective.
Corrective controls, such as backups and failover capabilities, are intended to offset the impact caused by successful attacks directed against information systems. Intrusions may not have impact at the time of their detection, so an intrusion does not in and of itself offer any indications regarding the workings of corrective controls.
Detective controls, such as intrusion detection systems, are designed to alert staff to intrusions when they occur. Notification of a verified network intrusion is an indication that the control is working properly.
Deterrent controls, such as warning banners, are intended to reduce the threat level by creating disincentives for threat events. A verified network intrusion indicates that the deterrent was inadequate for the responsible threat actor.
295
Q

An enterprise has commissioned an information security expert to perform network penetration testing and has provided the expert with information about the infrastructure to be tested. The benefit of this approach is:

A.more time is devoted to exploitation than to fingerprinting and discovery.
B.this accurately simulates an external hacking attempt.
C.the ability to exploit Transmission Control Protocol/Internet Protocol vulnerabilities.
D.the elimination of the need for penetration testing tools.

A

A is the correct answer.

Justification

When information is provided to the penetration tester (white box testing), less time is spent on discovering and understanding the target to be penetrated.
A black box approach, where no information is provided, better simulates an actual hacking attempt.
Both white box and black box approaches could exploit Transmission Control Protocol/Internet Protocol vulnerabilities.
Both white box and black box approaches would require use of penetration testing tools.
296
Q

When performing a review of risk treatment options, the MOST important benefit to consider is:

A.maximum risk mitigation.
B.savings in control options.
C.alignment with regulatory requirements.
D.achieving control objectives.

A

D is the correct answer.

Justification

Control objectives are established on the basis of organizational risk appetite, so maximizing mitigation beyond the control objectives means incurring unnecessary cost.
Cost is always a consideration, but an option cannot be considered to have saved money unless it also meets an objective.
Regulatory requirements are considered no differently from any other consideration in the risk assessment process. Control objectives are established on the basis of risk appetite, which may or may not include accepting the risk of not complying with a regulation.
Controls are designed and implemented to mitigate the risk. Hence, achievement of control objectives is the most important benefit. No other benefit can offset failure to meet the control objectives.
297
Q

Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system with the threshold set to a low value?

A.The number of false positives increases
B.The number of false negatives increases
C.Active probing is missed
D.Attack profiles are ignored

A

A is the correct answer.

Justification

Failure to tune an intrusion detection system will result in many false positives, especially when the threshold is set to a low value.
An increase in false negatives is less likely given the fact that the threshold for sounding an alarm is set to a low value.
Missed active probing is less likely given the fact that the threshold for sounding an alarm is set to a low value.
Ignored attack profiles are less likely given the fact that the threshold for sounding an alarm is set to a low value.
298
Q

Which of the following is the BEST way to detect an intruder who successfully penetrates a network before significant damage is inflicted?

A.Perform periodic penetration testing
B.Establish minimum security baselines
C.Implement vendor default settings
D.Install a honeypot on the network

A

D is the correct answer.

Justification

Penetration testing will not detect an intruder.
Security baselines set minimum security levels but are not related to detecting intruders.
Implementing vendor default settings does not detect intruders, and this approach is not the best idea.
Honeypots attract hackers away from sensitive systems and files. Because honeypots are closely monitored, the intrusion is more likely to be detected before significant damage is inflicted.
299
Q

Which of the following represents a PRIMARY area of interest when conducting a penetration test?

A.Data mining
B.Network mapping
C.Intrusion detection system
D.Customer data

A

B is the correct answer.

Justification

Data mining is associated with ad hoc reporting and is a potential target after the network is penetrated.
Network mapping is the process of determining the topology of the network one wishes to penetrate. It is one of the first steps toward determining points of attack in a network.
The intrusion detection mechanism in place is not an area of focus because one of the objectives is to determine how effectively it protects the network or how easy it is to circumvent.
Customer data, together with data mining, is a potential target after the network is penetrated.
300
Q

What is the BEST method for mitigating against network denial-of-service (DoS) attacks?

A.Ensure all servers are up to date on operating system patches.
B.Employ packet filtering to drop suspect packets.
C.Implement network address translation to make internal addresses non-routable.
D.Implement load balancing for Internet-facing devices.

A

B is the correct answer.

Justification

In general, patching servers will not affect network traffic.
Packet filtering techniques are the only ones that reduce network congestion caused by a network denial-of-service (DoS) attack.
Implementing network address translation would not be effective in mitigating most network DoS attacks.
Load balancing would not be as effective in mitigating most network DoS attacks.
301
Q

Controls are effective when:

A.residual risk is at a level acceptable to the enterprise.
B.continuous monitoring programs are in place.
C.inherent risk is within the organizational risk tolerance.
D.key performance indicators have been identified.

A

A is the correct answer.

Justification

The purpose of controls is to bring residual risk to acceptable levels. When controls achieve this result, they are effective by definition.
Continuous monitoring provides a means of monitoring the effectiveness of controls, but the existence of a monitoring program does not make controls effective.
Inherent risk does not take controls into account.
Identifying key performance indicators provides a means to gauge performance but does not make controls effective.
302
Q

Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?

A.Baseline security standards
B.System access violation logs
C.Role-based access controls
D.Exit routines

A

C is the correct answer.

Justification

Baseline security standards will establish general access controls but not specific authorizations.
Violation logs are detective and do not prevent unauthorized access.
Role-based access controls help ensure that users only have access to files and systems appropriate for their job roles.
Exit routines are dependent upon appropriate role-based access.
303
Q

Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems?

A.Patch management
B.Change management
C.Security baselines
D.Virus detection

A

B is the correct answer.

Justification

Patch management involves the correction of software weaknesses and would necessarily follow change management procedures.
Change management controls the process of introducing changes to systems and controlling unauthorized changes to production, which are often the points at which weaknesses will be introduced.
Security baselines provide minimum recommended settings and do not prevent the introduction of control weaknesses.
Virus detection is an effective tool but primarily focuses on malicious code from external sources. It is unrelated to the introduction of vulnerabilities.
304
Q

Which of the following is MOST effective in preventing security weaknesses in operating systems?

A.Patch management
B.Change management
C.Security baselines
D.Configuration management

A

A is the correct answer.

Justification

Patch management corrects discovered weaknesses by applying a correction (a patch) to the original program code.
Change management controls the process of introducing changes to systems.
Security baselines provide minimum recommended settings.
Configuration management controls the updates to the production environment.
305
Q

Which of the following choices is a MAJOR concern with using the database snapshot of the audit log function?

A.Degradation of performance
B.Loss of data integrity
C.Difficulty maintaining consistency
D.Inflexible configuration change

A

A is the correct answer.

Justification

Evidential capability increases if data are taken from a location that is close to the origination point. For database auditing, activation of a built-in log may be ideal. However, there is a trade-off. The more elaborate logging becomes, the slower the performance. It is important to strike a balance.
If the database recovery log is impaired, there is a chance that data integrity may be lost. However, it is unlikely that audit logging will impair the integrity of the database.
Database replication functionality will control the consistency between database instances.
It is difficult to judge whether configuration change will become complex as the result of audit log activation. It depends on many factors. Therefore, this is not the best option.
306
Q

What does the effectiveness of virus detection software MOST depend on?

A.Packet filtering
B.Intrusion detection
C.Software upgrades
D.Definition files

A

D is the correct answer.

Justification

Packet filtering does not focus on virus detection.
Intrusion detection does not address virus detection.
Software upgrades are related to the periodic updating of the program code, which would not be critical.
The effectiveness of virus detection software depends on virus signatures, which are stored in virus definition files.
307
Q

Which of the following would be the BEST metric for an information security manager to provide to support a request to fund new controls?

A.Adverse yearly incident trends
B.Audit findings of poor compliance
C.Results of a vulnerability scan
D.Increased external port scans

A

A is the correct answer.

Justification

Security incidents occur because either a control failed or there was no control in place. Trends are a metric providing their own points of reference.
Failures of compliance with existing controls are not likely to be solved by additional controls. Also, an audit finding absent any prior findings of compliance or other reference point is a measure, not a metric.
Without knowing exposure, threat and potential impact, risk cannot be determined and will be poor support for new controls. Also, results of a vulnerability scan constitute a measure, not a metric.
Port scans are common and generally will not support funding of new controls.
308
Q

Which of the following is MOST important for measuring the effectiveness of a security awareness program?

A.Reduced number of security violation reports
B.A quantitative evaluation to ensure user comprehension
C.Increased interest in focus groups on security issues
D.Increased number of security violation reports

A

B is the correct answer.

Justification

A reduction in the number of violation reports may not be indicative of a high level of security awareness.
To truly judge the effectiveness of security awareness training, some means of measurable testing is necessary to confirm user comprehension.
Focus groups may or may not provide meaningful feedback but in and of themselves do not provide metrics.
An increase in the number of violation reports is a possible indication of increased awareness but is not as useful as direct testing of awareness levels.
309
Q

Which of the following technologies is utilized to ensure that an individual connecting to a corporate internal network over the Internet is not an intruder masquerading as an authorized user?

A.Intrusion detection system
B.IP address packet filtering
C.Two-factor authentication
D.Embedded digital signature

A

C is the correct answer.

Justification

An intrusion detection system can be used to detect an external attack but would not help in authenticating a user attempting to connect.
IP address packet filtering would protect against spoofing an internal address but would not provide strong authentication.
Two-factor authentication provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
Digital signatures ensure that transmitted information can be attributed to the named sender.
310
Q

For which of the following purposes would ethical hacking MOST likely be used?

A.a process resiliency test at an alternate site.
B.a substitute for substantive testing.
C.a control assessment of legacy applications.
D.a final check in a cyberattack recovery process.

A

C is the correct answer.

Justification

It is not common to conduct ethical hacking as part of disaster recovery testing at an alternate site.
Substantive testing involves obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. Ethical hacking would not be used as a substitute for substantive testing.
The problem with legacy applications is that there is typically not enough documentation to study their functionalities, including security controls. To assess control effectiveness, ethical hacking could be a more efficient way to find out weaknesses than reviewing program code.
It is not necessarily a recommended practice to engage in ethical hacking in the last phase of a system recovery process after a cyberattack.
311
Q

Which of the following is the MOST useful indicator of control effectiveness?

A.The extent to which the control provides defense in depth
B.Whether the control fails open or closed
C.How often the control has failed
D.The extent to which control objectives are achieved

A

D is the correct answer.

Justification

Defense in depth is an important standard concept but is a metric only to the extent that it meets control objectives.
Whether the control fails open or closed is only relevant as a metric to the extent identified in defined control objectives.
Without knowing the reason a control has failed, how often the control fails is not a good indication of control effectiveness.
The extent to which control objectives are achieved is the only true indicator of control effectiveness. It is a measurement with a point of reference.
312
Q

Which of the following metrics is the MOST useful for the effectiveness of a controls monitoring program?

A.The percentage of key controls being monitored
B.The time between detection and initiating remediation
C.The monitoring cost versus incidents detected
D.The time between an incident and detection

A

D is the correct answer.

Justification

While the percentage of key controls being monitored is an important metric, it is not an indication of effectiveness.
The time between detection and remediation is an indication of the effectiveness of the incident response activity.
The monitoring cost per incident is an indicator of efficiency rather than effectiveness.
The time it takes to detect an incident after it has occurred is a good indication of the effectiveness of the control monitoring effort.
313
Q

What is a reasonable approach to determine control effectiveness?

A.Determine whether the control is preventive, detective or corrective.
B.Review the control’s capability of providing notification of failure.
C.Confirm the control’s ability to meet intended objectives.
D.Assess and quantify the control’s reliability.

A

C is the correct answer.

Justification

The type of control is not relevant.
Notification of failure is not determinative of control effectiveness.
Control effectiveness requires a process to verify that the control process works as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
Reliability is not an indication of control strength; weak controls can be highly reliable, even if they are ineffective controls.
314
Q

An enterprise has implemented several risk mitigation strategies to reduce an identified risk. The risk control measures are sufficient when:

A.the risk acceptance level is less than or equal to the total risk level.
B.the residual risk is less than or equal to the risk acceptance level.
C.risk avoidance is justified by cost-benefit analysis.
D.risk mitigation is equal to annual loss expectancy.

A

B is the correct answer.

Justification

The risk acceptance level is the level of risk the enterprise is willing to accept. This does not measure the effectiveness of the controls.
Risk controls are adequate once the residual risk is less than or equal to acceptable risk.
Risk avoidance is the suppression of the activity associated with the risk, not the implementation of controls.
Annual loss expectancy justifies the amount that can be spent on risk mitigation but does not indicate whether the controls are adequate.
315
Q

Which of the following is the BEST way to verify that all critical production servers are utilizing up-to-date virus signature files?

A.Verify the date that signature files were last pushed out.
B.Use a recently identified benign virus to test if it is quarantined.
C.Research the most recent signature file and compare to the console.
D.Check a sample of servers that the signature files are current.

A

D is the correct answer.

Justification

The fact that an update was pushed out to a server does not guarantee that it was properly loaded onto that server.
Personnel should never release a virus, no matter how benign.
Checking the vendor information to the management console would still not indicate whether the file was properly loaded on the server.
The only accurate way to check the signature files is to look at a sample of servers.
316
Q

An information security manager has instructed a system database administrator to implement native database auditing in order to meet regulatory requirements for privileged user monitoring. Which of the following is the PRIMARY reason that the database administrator would be concerned? Native database auditing:

A.interferes with policy-driven event logging.
B.affects production database performance.
C.requires development of supplementary tools.
D.impairs flexibility in configuration management.

A

B is the correct answer.

Justification

Interference with policy-driven event logging is a potential concern but secondary to performance impact.
Many database products come with a native audit log function. Although it can be easily activated, there is a risk that it may negatively impact the performance of the database.
The need to develop supplementary tools is a potential concern but secondary to performance impact.
Impaired flexibility in configuration management is not an issue.
317
Q

Periodically analyzing the gap between controls and the control objectives is necessary to:

A.prevent an increase in audit findings.
B.address changes in exposure.
C.avoid a substantial increase in cost.
D.maintain alignment with regulatory requirements.

A

B is the correct answer.

Justification

Although gap analysis may identify shortcomings before they are noted by an audit, correcting deficiencies is distinct from gap analysis.
Changes in exposure, business objectives or regulations may occur at any time and have implications for what controls are needed as part of an overall risk management program.
Gap analysis does not necessarily avoid increases in cost.
Maintaining alignment with regulatory requirements is a component of the stated gap analysis. It is just one of the possible exposures to consider.
318
Q

Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender?

A.Biometric authentication
B.Embedded steganographic
C.Two-factor authentication
D.Embedded digital signature

A

D is the correct answer.

Justification

Authentication does not ensure the authenticity of the data, just the identity of the sender.
Steganography is a form of encryption that may ensure integrity but not identity.
Authentication does not ensure the authenticity of the data, just the identity of the sender.
Digital signature ensures both the identity and the integrity of the data.
319
Q

Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers?

A.Daily
B.Weekly
C.Concurrently with operating system patch updates
D.During scheduled change control updates

A

A is the correct answer.

Justification

New viruses are introduced almost daily. The effectiveness of virus detection software depends on frequent updates to virus signatures, which are stored in antivirus signature files, so updates may be carried out several times during the day. At a minimum, daily updating should occur.
Weekly updates may potentially allow new viruses to infect the system.
Operating system updates are too infrequent for virus updates.
Change control updates are sporadic and not the basis for virus updates.
320
Q

The facilities department of a large financial enterprise uses electronic swipe cards to manage physical access. The information security manager requests that facilities provide the manager with read-only access to the physical access data. What is the MOST likely purpose?

A.To monitor personnel compliance with contract provisions
B.To determine who is in the building in case of fire
C.To compare logical and physical access for anomalies
D.To ensure that the physical access control system is operating correctly

A

C is the correct answer.

Justification

Contract compliance monitoring would usually not be part of an information security manager’s role.
The physical security and emergency response personnel should be monitoring presence in the building in case of fire.
Any differences between physical and logical access may indicate one of several risk scenarios, such as personnel not swiping in and tailgating, password sharing, or system compromise, and serves as a key risk indicator. Some of the best security metrics come from non–security-related activities.
The correct operation of the system is likely the responsibility of IT, although a periodic validation by security is prudent.
321
During an audit, an information security manager discovered that sales representatives were sending sensitive customer information through email messages. Which of the following is the BEST course of action to address the issue? A.Review the finding with the sales manager to evaluate the risk and impact. B.Report the issue to senior management immediately. C.Request that the sales representatives stop emailing sensitive information. D.Provide security awareness training to the sales representatives.
A is the correct answer. Justification It is always good practice to engage the management of the business unit when addressing security threats and risk. The input from business unit management is critical in formulating the next step. The issue should not be escalated until gaining an understanding of the risk and business issues from the business unit manager. Asking the representatives to stop sending sensitive information can be a temporary remediation but does not solve the underlying problem. Awareness training may help but does not resolve the problem.
322
What is the BEST way to determine if an anomaly-based intrusion detection system (IDS) is properly installed? A.Simulate an attack and review IDS performance. B.Use a honeypot to check for unusual activity. C.Audit the configuration of the IDS. D.Benchmark the IDS against a peer site.
A is the correct answer. Justification Simulating an attack on the network demonstrates whether the intrusion detection system (IDS) is properly tuned. A honeypot would be a poor test to see if the IDS is working properly because attacking it is discretionary and not representative of all attacks. Reviewing the configuration may or may not reveal weaknesses because an anomaly-based system uses trends to identify potential attacks. Benchmarking against a peer site would generally not be practical or useful.
323
An information security manager has implemented an automated process to compare physical access using swipe cards operated by the physical security department with logical access in the single sign-on (SSO) system. What is the MOST likely use for this information? A.Monitoring a key risk indicator B.Determining whether staff is piggybacking C.Overseeing the physical security department D.Evaluating the SSO process
A is the correct answer. Justification Discrepancies between physical and logical access can occur for a variety of reasons, but all are indications that something is wrong and risk is elevated. Discrepancies could indicate piggybacking, shared passwords or attempts at unauthorized access, and therefore, this monitoring can serve as a key risk indicator (KRI). Potential piggybacking can be flagged if more individuals log in from within the network than physically enter the facility; however, this is just one KRI. Although this information could indicate that the physical access control is not functioning properly, the responsibility for oversight of the physical security department is not usually a function of the information security manager. Comparing physical access and logical access is not an effective way to monitor the single sign-on (SSO) system, and there are other methods more specific and useful for this purpose.
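The two preceding cards (321 and 323) describe comparing swipe-card data with logical access data as a key risk indicator. The script below is an added example, not part of the flashcards: it reconciles a constructed badge export with a constructed SSO export and flags the three discrepancy types the justifications mention (login with no swipe, login before the first swipe, swipe with no login). The log formats, field names and the "onsite"/"vpn" source labels are assumptions made for this illustration.

```python
"""Reconcile badge (physical) access with SSO (logical) access.

Added example, not from the flashcards. Log formats and the sample entries
below are constructed for illustration; real badge and SSO exports differ.
"""
from collections import defaultdict
from datetime import datetime

# Constructed badge export: timestamp,user,door,direction
BADGE_LOG = """\
2024-05-06T08:02:11,alice,lobby,in
2024-05-06T08:05:40,bob,lobby,in
2024-05-06T08:07:03,dave,lobby,in
2024-05-06T12:10:00,alice,lobby,out
"""

# Constructed SSO export: timestamp,user,source ("onsite" = corporate LAN, "vpn" = remote)
SSO_LOG = """\
2024-05-06T08:15:22,alice,onsite
2024-05-06T08:04:01,bob,onsite
2024-05-06T08:20:45,carol,onsite
2024-05-06T09:01:10,erin,vpn
2024-05-06T09:30:00,bob,onsite
"""


def parse_rows(text):
    """Yield (timestamp, user, *fields) for each non-empty CSV line."""
    for line in text.strip().splitlines():
        ts, user, *fields = line.split(",")
        yield (datetime.fromisoformat(ts), user, *fields)


def first_badge_in(badge_text):
    """Earliest 'in' swipe per user; 'out' swipes are ignored."""
    first = {}
    for ts, user, _door, direction in parse_rows(badge_text):
        if direction == "in" and (user not in first or ts < first[user]):
            first[user] = ts
    return first


def reconcile(badge_text, sso_text):
    """Return sorted (user, reason) findings. Each is a KRI event, not proof of misuse:
    an onsite login with no swipe may be tailgating or a shared password; a login that
    precedes the swipe points the same way; a swipe with no login may be a shared badge."""
    badged = first_badge_in(badge_text)
    onsite = defaultdict(list)
    for ts, user, source in parse_rows(sso_text):
        if source == "onsite":          # VPN logins need no badge and are excluded
            onsite[user].append(ts)
    findings = []
    for user, logins in onsite.items():
        if user not in badged:
            findings.append((user, "onsite login with no badge entry"))
        elif min(logins) < badged[user]:
            findings.append((user, "onsite login before first badge entry"))
    for user in badged:
        if user not in onsite:
            findings.append((user, "badge entry with no onsite login"))
    return sorted(findings)


def kri_ratio(badge_text, sso_text):
    """Share of active users with a discrepancy; trend this value over time."""
    users = set(first_badge_in(badge_text)) | {
        u for _, u, s in parse_rows(sso_text) if s == "onsite"}
    return len(reconcile(badge_text, sso_text)) / len(users)


if __name__ == "__main__":
    for user, reason in reconcile(BADGE_LOG, SSO_LOG):
        print(f"{user}: {reason}")
    print(f"KRI: {kri_ratio(BADGE_LOG, SSO_LOG):.2f}")
```

On the constructed data this reports bob (logged in before swiping), carol (logged in from the LAN with no swipe) and dave (swiped in but never logged in); erin's VPN session is correctly left alone. The ratio is what would be plotted as the KRI; individual findings go to the physical security and identity teams for follow-up.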
324
When is the BEST time to perform a penetration test? A.After an attempted penetration has occurred B.After an audit has reported weaknesses in security controls C.After various infrastructure changes are made D.After a high turnover in systems staff
C is the correct answer. Justification Conducting a test after an attempted penetration is not as productive because an enterprise should not wait until it is attacked to test its defenses. Any exposure identified by an audit should be corrected before it would be appropriate to test. Changes in the systems infrastructure are most likely to inadvertently introduce new exposures. A turnover in administrative staff does not warrant a penetration test, although it may warrant a review of password change practices and configuration management.
325
What is the BEST method to confirm that all firewall rules and router configuration settings are adequate? A.Periodic review of network configuration B.Review of intrusion detection system logs for evidence of attacks C.Periodically perform penetration tests D.Daily review of server logs for evidence of hacker activity
C is the correct answer. Justification Due to the complexity of firewall rules and router tables, plus the sheer volume of intrusion detection system (IDS) and server logs, a manual review would be complex, time-consuming and probably insufficient. Reviewing IDS logs for evidence of attacks would not indicate whether the settings were adequate. The best approach for confirming the adequacy of these configuration settings is to periodically perform attack and penetration tests. Evidence of hacker activity in server logs has little to do with configuration adequacy.
326
Which of the following is the MAIN objective in contracting with an external company to perform penetration testing? A.To mitigate technical risk B.To have an independent certification of network security C.To receive an independent view of security exposures D.To identify a complete list of vulnerabilities
C is the correct answer. Justification Mitigating technical risk is not a direct result of a penetration test. A penetration test would not provide certification of network security. Even though the enterprise may have the capability to perform penetration testing with internal resources, third-party penetration testing should be performed to gain an independent view of the security exposure. A penetration test would not provide a complete list of vulnerabilities.
327
A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that: A.it simulates the real-life situation of an external security attack. B.human intervention is not required for this type of test. C.less time is spent on reconnaissance and information gathering. D.critical infrastructure information is not revealed to the tester.
C is the correct answer. Justification Blind (black box) penetration testing is closer to real life than full disclosure (white box) testing. Neither approach removes the need for human intervention; the tester's judgment is required in both. In a full disclosure test, the data and information required for penetration are shared with the testers, eliminating time that would otherwise be spent on reconnaissance and information gathering. Withholding critical infrastructure information from the tester describes a blind (black box) test, not a full disclosure test, which by definition gives the tester knowledge of the subject being tested.
328
When designing an intrusion detection system, the information security manager should recommend that it be placed: A.outside the firewall. B.on the firewall server. C.on a screened subnet. D.on the external router.
C is the correct answer. Justification Placing the intrusion detection system (IDS) on the Internet side of the firewall is not advised because the system will generate alerts on all malicious traffic, even though 99 percent will be stopped by the firewall and never reach the internal network. Because firewalls should be installed on hardened servers with minimal services enabled, it would be inappropriate to install the IDS on the same physical device. An IDS should be placed on a screened subnet, which is a demilitarized zone (DMZ), where it sees only the traffic the firewall has already admitted. Placing the IDS on the external router, even if it were feasible, has the same drawback as placing it outside the firewall: it would alert on traffic that would never reach the internal network.
329
What is the result of segmenting a highly sensitive database? A.It reduces threat. B.It reduces criticality. C.It reduces sensitivity. D.It reduces exposure.
D is the correct answer. Justification The threat may remain constant, but each segment may represent a different vector against which it must be directed. Criticality of data is not affected by the manner in which a database is segmented. Sensitivity of data is not affected by the manner in which a database is segmented. Segmenting data reduces the quantity of data exposed as a result of a particular event.
330
Which of the following conditions is MOST likely to require that a corporate standard be modified? A.The standard does not conform to procedures. B.IT staff does not understand the standard. C.The standard is inconsistent with guidelines. D.Control objectives are not being met.
D is the correct answer. Justification If a procedure does not meet the standard, the procedure must be changed, not the standard. IT staff not understanding the standard may require clarification and/or training. Inconsistencies with the guidelines require that the guidelines be changed to conform to the standard. If conformance with the standard does not achieve control objectives, the standard requires modification.
331
Which of the following is the BEST indicator that security controls are performing effectively? A.The monthly service level statistics indicate minimal impact from security issues. B.The cost of implementing security controls is less than the value of the assets. C.The percentage of systems that are compliant with security standards is satisfactory. D.Audit reports do not reflect any significant findings on security.
A is the correct answer. Justification The best indicator of effective security controls is evidence of minimal disruption to business operations. The cost of implementing controls is unrelated to their effectiveness. The percentage of systems that are compliant with security standards is not an indicator of their effectiveness. Audit reports that do not reflect any significant findings on security can support this evidence, but audits are generally not frequent enough to be a useful management tool and are only supplemental to monthly service level statistics.
332
There is reason to believe that a recently modified web application has allowed unauthorized access. Which is the BEST way to identify an application back door? A.Black box penetration test B.Security audit C.Source code review D.Vulnerability scan
C is the correct answer. Justification Application back doors are almost impossible to identify using a black box penetration test. Security audits will not detect an application back door. Source code review is typically the only way to find and remove an application back door. A vulnerability scan will only find known vulnerability patterns and therefore will not find a programmer’s application back door.
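To make the justification concrete, the following is an added example, not code from the flashcards. BACKDOORED_SOURCE is a constructed login routine with a deliberately planted maintenance bypass. From the outside (the black box view) it behaves correctly for the legitimate account and the bypass credentials cannot be enumerated; a vulnerability scanner has no signature for a pattern unique to this code base. Reading the source, however, a reviewer (or a simple AST walk like the one here) finds a credential compared against a hard-coded string at once. The credential variable names and the scanner heuristic are assumptions for this illustration.

```python
"""Finding an application back door by source review.

Added example, not from the flashcards. BACKDOORED_SOURCE is a constructed login
routine with a deliberately planted bypass; CREDENTIAL_NAMES and the heuristic are
assumptions for this illustration, not any product's detection rules.
"""
import ast

BACKDOORED_SOURCE = '''
import hashlib
import hmac

# constructed user store: user -> (salt, sha256(salt + password)); alice's password is "correct horse"
USERS = {"alice": ("s1", hashlib.sha256(b"s1correct horse").hexdigest())}

def login(username, password):
    rec = USERS.get(username)
    if rec and hmac.compare_digest(
            hashlib.sha256(rec[0].encode() + password.encode()).hexdigest(), rec[1]):
        return True
    # CONSTRUCTED BACK DOOR: a hard-coded bypass that no known-vulnerability
    # signature matches and no black-box tester would guess
    if username == "maint" and password == "Svc-2017!":
        return True
    return False
'''

CREDENTIAL_NAMES = {"password", "passwd", "pwd", "secret", "token", "api_key", "pin"}


def load_login(source):
    """Execute the reviewed module and return its login function (the black-box view)."""
    ns = {}
    exec(source, ns)
    return ns["login"]


def find_hardcoded_credential_checks(source):
    """Flag `<credential-like name> == "<literal>"` comparisons in Python source.

    Returns (line, variable, literal) tuples for a reviewer to read in context."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare) or not any(isinstance(op, ast.Eq) for op in node.ops):
            continue
        operands = [node.left, *node.comparators]
        names = [o.id for o in operands if isinstance(o, ast.Name)]
        literals = [o.value for o in operands
                    if isinstance(o, ast.Constant) and isinstance(o.value, str)]
        for name in names:
            if name.lower() in CREDENTIAL_NAMES and literals:
                hits.append((node.lineno, name, literals[0]))
    return hits


def black_box_view():
    """What a tester sees without source: correct behaviour for the known account,
    plus a secret pair that works but could never be found by guessing."""
    login = load_login(BACKDOORED_SOURCE)
    return {
        "legit_ok": login("alice", "correct horse"),
        "legit_wrong": login("alice", "wrong"),
        "backdoor": login("maint", "Svc-2017!"),
    }


if __name__ == "__main__":
    print(black_box_view())
    for line, name, literal in find_hardcoded_credential_checks(BACKDOORED_SOURCE):
        print(f"line {line}: {name} compared to hard-coded {literal!r}")
```

The heuristic is deliberately narrow and will miss bypasses that compare hashes, read from a config file or live in a different language; that is the point of the card. Automated checks can direct a reviewer's attention, but the review itself is what finds a back door.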
333
Which of the following is the MOST cost-effective type of access control? A.Centralized B.Role-based C.Decentralized D.Discretionary
B is the correct answer. Justification Centralized access control is not a type of access control but a form of administration. Role-based access control allows users to be grouped into job-related categories, which significantly eases the required administrative overhead. In most enterprises there are fewer roles than employees, and roles change far less frequently. Decentralized access control is not a type of access control but an administrative approach. Discretionary access control would require a greater degree of administrative overhead because it is based on each individual rather than on groups of individuals.
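The overhead argument in the justification above can be made measurable. The following is an added example, not from the flashcards: a minimal role-based model for a constructed bank branch (roles, permissions and head count are assumptions), with the number of rows an administrator maintains under RBAC compared with an equivalent per-user access control list, and the cost of one routine policy change under each.

```python
"""Role-based versus per-user (discretionary) grants: administrative overhead.

Added example, not from the flashcards. Roles, permissions and staffing are
constructed; the entry counts measure administration effort, not security strength.
"""
from collections import defaultdict


class Rbac:
    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> permissions
        self.user_roles = defaultdict(set)   # user -> roles

    def grant(self, role, *perms):
        self.role_perms[role].update(perms)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")   # no assignments to undefined roles
        self.user_roles[user].add(role)

    def effective_perms(self, user):
        return set().union(*(self.role_perms[r] for r in self.user_roles.get(user, ())))

    def allowed(self, user, perm):
        return perm in self.effective_perms(user)

    def entries(self):
        """Rows an administrator maintains under RBAC: role->perm plus user->role."""
        return (sum(len(p) for p in self.role_perms.values())
                + sum(len(r) for r in self.user_roles.values()))

    def dac_entries(self):
        """Rows an equivalent per-user ACL needs: one per (user, permission) pair."""
        return sum(len(self.effective_perms(u)) for u in self.user_roles)

    def add_perm_to_role(self, role, perm):
        """A policy change for everyone in a role.
        Returns (rbac_changes, dac_changes): one row here versus one row per member."""
        members = [u for u, roles in self.user_roles.items() if role in roles]
        self.role_perms[role].add(perm)
        return 1, len(members)


def build_sample():
    """Constructed branch: 8 tellers, 2 branch managers, 2 auditors."""
    rbac = Rbac()
    rbac.grant("teller", "view_account", "post_transaction")
    rbac.grant("branch_manager", "view_account", "post_transaction",
               "approve_override", "view_reports")
    rbac.grant("auditor", "view_account", "view_reports")
    for i in range(8):
        rbac.assign(f"teller{i}", "teller")
    for i in range(2):
        rbac.assign(f"manager{i}", "branch_manager")
        rbac.assign(f"auditor{i}", "auditor")
    return rbac


if __name__ == "__main__":
    r = build_sample()
    print("RBAC rows:", r.entries(), "  per-user ACL rows:", r.dac_entries())
    print("tellers may approve overrides:", r.allowed("teller3", "approve_override"))
    print("changes to give tellers report access (rbac, dac):",
          r.add_perm_to_role("teller", "view_reports"))
```

Even on twelve users the per-user model needs more rows (28 versus 20), and giving tellers one new permission is a single change under RBAC but eight separate edits per user under a discretionary scheme. The gap grows with head count, which is why roles, not individuals, are the cost-effective unit of administration.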
334
What is the MOST important reason to periodically test controls? A.To meet regulatory requirements B.To test the control design C.To ensure that objectives are met D.To achieve compliance with standard policy
C is the correct answer. Justification Not all enterprises are required to test controls periodically. Testing control design alone is insufficient if the design is not implemented and monitored effectively. Periodically testing controls ensures they continue to meet control objectives. Compliance with policy is not the most important factor for periodically testing controls.
335
Which resource is the MOST effective in preventing physical access tailgating/piggybacking? A.Card key door locks B.Photo identification C.Awareness training D.Biometric scanners
C is the correct answer. Justification Card key door locks are a physical control that by itself would not be effective against tailgating. Photo identification by itself would not be effective against tailgating. Awareness training would most likely result in any attempted tailgating being challenged by the authorized employee. A biometric scanner is a physical control that by itself would not be effective against tailgating.
336
Which of the following is the BEST metric for evaluating the effectiveness of security awareness training? A.The number of password resets B.The number of reported incidents C.The number of incidents resolved D.The number of access rule violations
B is the correct answer. Justification Password resets may or may not have anything to do with awareness levels. Reported incidents will provide an indicator of the awareness level of staff. An increase in reported incidents could indicate that the staff is paying more attention to security. The number of incidents resolved may not correlate with staff awareness; resolution is the job of the incident management team. Access rule violations may or may not have anything to do with awareness levels.
337
A person working at a bank receives a call on a voice-over Internet protocol line from a person claiming to be an employee of the bank at another branch office. He is requesting customer information. The FIRST action to take when receiving this type of call is to: A.obtain the email address of the caller and have the recipient transmit the information using message encryption. B.advise the employee who received the call to hang up and then return the call to the other branch using the number in the office phone directory. C.pose business-related questions to the caller, and if a proper reply is received, the recipient may forward the information to the caller. D.ask the person to call back later and notify regulatory officers of a possible fraud attempt.
B is the correct answer. Justification Sensitive information should not be sent to a party whose identity has not been validated even if encryption is used; encryption protects the message in transit, not against a recipient who is the attacker. If the call recipient suspects any chance of social engineering over the phone, the callback option is quite effective. The best approach to confirm the caller's identity is to call back using the legitimate phone number listed in the office phone directory; the recipient should never use a phone number or email address provided by the caller. Once the legitimacy of the call has been reasonably verified, the information may be transmitted using message encryption. Even after voice verification, encryption should still be used because voice verification might itself be subject to attack (e.g., man-in-the-middle). Posing business-related questions is not reliable: a person attempting social engineering will typically have researched the enterprise and be prepared with plausible answers, and a caller who senses suspicion can simply end the conversation. Because this technique leaves the attacker in control of the conversation, it is not the best answer. Even when there is a strong suspicion of fraud, the recipient should not indicate this to the caller over the phone; instead, the recipient should hang up and call back using the phone number from the office phone directory, and any notification of regulatory officers follows from what that callback reveals.
338
In a large enterprise, what makes an information security awareness program MOST effective? A.The program is developed by a professional training company. B.The program is embedded into the orientation process. C.The program is customized to the audience using the appropriate delivery channel. D.The program is required by the information security policy.
C is the correct answer. Justification The program does not have to be developed by a professional training company to be effective. The awareness program should be embedded into the orientation process for new employees, but that alone does not indicate efficacy. An awareness program should be customized for different audiences (e.g., new employees, system administrators, sales staff) and delivered through the channel appropriate to each (e.g., posters, e-learning). Being required by policy does not make the program more effective.
339
When should security awareness training be provided to new employees? A.On an as-needed basis B.During system user training C.Before they have access to data D.Along with department staff
C is the correct answer. Justification Providing training on an as-needed basis implies that security awareness training is delivered after the granting of system access, which may place security as a secondary step. Providing awareness training during system user training implies that security awareness training is delivered after the granting of system access, which may place security as a secondary step. Security awareness training should occur before access is granted to ensure the new employee understands that security is part of the system and business process. Providing training along with department staff implies that security awareness training is delivered after the granting of system access.
340
What should an information security manager focus on when speaking to an enterprise’s human resources department about information security? A.An adequate budget for the security program B.Recruitment of technical IT employees C.Periodic risk assessments D.Security awareness training for employees
D is the correct answer. Justification Budget considerations are typically an accounting function. Recruiting IT-savvy staff may bring in new employees with better awareness of information security, but that is not a replacement for the training requirements of the other employees. Periodic risk assessments may or may not involve the human resources department function. An information security manager has to impress upon the human resources department the need for security awareness training for all employees. Human resources staff members will become involved once they are convinced of the need of security awareness training.
341
Which of the following training mechanisms is the MOST effective means of promoting an organizational security culture? A.Choose a subset of influential people to promote the benefits of the security program. B.Hold structured training in small groups on an annual basis. C.Require each employee to complete a self-paced training module once per year. D.Deliver training to all employees across the enterprise via streaming video.
A is the correct answer. Justification Certain people are either individually inclined or required by their positions to have greater interest in promoting security than others. By selecting these people and offering them broad, diverse opportunities for security education, they are able to act as ambassadors to their respective teams and departments, imparting a gradual and significant change in an organizational culture toward better security. Structured training rarely aligns with the interests of individual employees when chosen at random to fill a small group setting. Computer-based training is a common approach to annual information awareness, but there is limited evidence that employees retain the information or adopt it into their regular activities. Streaming-video webinars are among the least effective means of presenting information, requiring very little interaction from end users.
342
In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources? A.Implementing on-screen masking of passwords B.Conducting periodic security awareness programs C.Increasing the frequency of password changes D.Requiring that passwords be kept strictly confidential
B is the correct answer. Justification Implementing on-screen masking of passwords is desirable but will not be effective in reducing the likelihood of a successful social engineering attack. Social engineering can best be mitigated through periodic security awareness training for users who may be the target of such an attempt. Increasing the frequency of password changes is desirable but will not be effective in reducing the likelihood of a successful social engineering attack. Requiring that passwords be kept secret in security policies is a good control but is not as effective as periodic security awareness programs that will alert users of the dangers posed by social engineering.
343
What is the PRIMARY objective of security awareness? A.Ensure that security policies are understood. B.Influence employee behavior. C.Ensure legal and regulatory compliance. D.Notify of actions for noncompliance.
B is the correct answer. Justification Ensuring that policies are read and understood is important but secondary. It is most important that security-conscious behavior be encouraged among employees through training that influences expected responses to security incidents. Meeting legal and regulatory requirements is important but secondary. Giving employees fair warning of potential disciplinary action is important but secondary.
344
What is the MOST important success factor to design an effective IT security awareness program? A.Customization of content to the target audience B.Representation of senior management C.Training of staff across all hierarchical levels D.Replacing technical jargon with concrete examples
A is the correct answer. Justification Awareness training can only be effective if it is customized to the expectations and needs of attendees. Needs will be quite different depending on the target audience and will vary between business managers, end users and IT staff; program content and the level of detail communicated will, therefore, be different. Representation of senior management is important; however, the customization of content is the most important factor. Training of staff across all hierarchical levels is important; however, the customization of content is the most important factor. Replacing technical jargon with concrete examples is a good practice; however, the customization of content is the most important factor.
345
Enterprises implement ethics training PRIMARILY to provide guidance to individuals engaged in: A.monitoring user activities. B.implementing security controls. C.managing risk tolerance. D.assigning access.
A is the correct answer. Justification Monitoring user activities may result in access to sensitive corporate and personal information. The enterprise should implement training that provides guidance on appropriate legal behavior to reduce corporate liability and increase user awareness and understanding of data privacy and ethical behavior. While ethics training is good practice for all employees, those that implement security controls are not necessarily privy to sensitive data. Employees who manage risk tolerance may have access to high-level corporate information but not necessarily to sensitive or private information. While ethics training is good practice, it is not required to manage risk tolerance for an enterprise. Employees who manage network access do not necessarily need ethics training.
346
What is the MOST important reason for conducting security awareness programs throughout an enterprise? A.Reducing the human risk B.Maintaining evidence of training records to ensure compliance C.Informing business units about the security strategy D.Training personnel in security incident response
A is the correct answer. Justification People are the weakest link in security implementation, and awareness would reduce this risk. Maintaining evidence of training is useful but far from the most important reason for conducting awareness training. Informing business units about the security strategy is best done through steering committee meetings or other forums. Security awareness training is not generally for security incident response.
347
Phishing is BEST mitigated by which of the following? A.Security monitoring software B.Encryption C.Two-factor authentication D.User awareness
D is the correct answer. Justification Security monitoring software is generally incapable of detecting a phishing attack. Encryption would not mitigate a phishing attack. Two-factor authentication would not prevent the user from disclosing the information the phishing email seeks. Phishing is a type of email attack that attempts to convince a user that the originator is genuine, with the intention of obtaining information for use in social engineering. It can best be mitigated by appropriate user awareness.
348
The BEST defense against successful phishing attacks is: A.application hardening. B.spam filters. C.an intrusion detection system. D.end-user awareness.
D is the correct answer. Justification Application hardening has no effect on phishing attacks. Spam filters may catch some unsophisticated phishing attacks. An intrusion detection system will not detect phishing attacks. Phishing attacks are social engineering attacks and are best defended by end-user awareness training.
349
With regard to the implementation of security awareness programs in an enterprise, it is MOST relevant to understand that which one of the following aspects can change? A.The security culture B.The information technology C.The compliance requirements D.The threats and vulnerabilities
D is the correct answer. Justification The security culture changes over time in part because of an effective security awareness training program. It is not necessary that the workforce be told that the culture will change. Changes in technology are only one part of security awareness. Changes in compliance requirements are not a primary driver of security awareness training. People tend to think that security awareness training can be completed once and it is good forever. It is important for everyone, including management and the general workforce, to understand that threats and vulnerabilities change constantly, and that regular refresher training is an important part of security awareness.
350
What is the PRIMARY benefit of a security awareness training program? A.To reduce the likelihood of an information security event B.To encourage compliance with information security policy C.To comply with the local and industry-specific regulation and legislation D.To provide employees with expectations for information security
A is the correct answer. Justification Employees should know how information security relates to their job roles and how to perform work tasks appropriately to protect the enterprise and its assets. Although compliance with the information security policy is important, security awareness training goes beyond to include cultural and behavioral elements of information security. Industry-specific regulation and legislation are not the primary drivers of security awareness training programs. Employee expectations do not necessarily ensure understanding of information security or influence cultural or behavioral attitudes directly.
351
Which of the following roles is MOST appropriately responsible for ensuring that security awareness and training material is effectively deployed to reach the intended audience? A.The human resources department B.The business manager C.The subject matter experts D.The information security department
D is the correct answer. Justification The human resources department may assist in disseminating security awareness material but the primary responsibility rests with the information security department. The business manager may also assist in information dissemination but is not primarily responsible. Subject matter experts are not normally involved with security awareness activities. The information security department oversees the information security program. This includes ensuring that training reaches the intended audience.
352
Which of the following is generally considered a fundamental component of an information security program? A.Role-based access control systems B.Automated access provisioning C.Security awareness training D.Intrusion prevention systems
C is the correct answer. Justification Role-based access control systems may not be necessary; they are discretionary. Automated access provisioning may not be necessary; it is discretionary. Without security awareness training, many components of the security program may not be effectively implemented. Intrusion prevention systems may not be necessary; they are discretionary.
353
Which of the following would be the BEST way to improve employee attitude toward, and commitment to, information security? A.Implement restrictive controls. B.Customize training methods to the audience. C.Apply administrative penalties. D.Initiate stronger supervision.
B is the correct answer. Justification Implementing restrictive controls may improve compliance but is not likely to improve attitude. Cultural differences will dictate the best behavior modification techniques to customize training. For example, some cultures value relationships over monetary rewards. Applying administrative penalties may increase compliance but is likely to have a negative effect on attitudes. Initiating stronger supervision may improve attitudes in certain circumstances, enterprises and geographic locations, but not in others.
354
What is the MOST important success factor in launching a corporate information security awareness program? A.Adequate budgetary support B.Centralized program management C.Top-down approach D.Experience of the awareness trainers
C is the correct answer. Justification Funding is not a primary concern. Centralized management does not provide sufficient support. Senior management support will provide enough resources and will focus attention on the program; training should start at the top levels to gain support and sponsorship. Trainer experience, while important, is not the primary success factor.
355
Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual needing to have their password reset? A.Performing reviews of password resets B.Conducting security awareness programs C.Increasing the frequency of password changes D.Implementing automatic password syntax checking
B is the correct answer. Justification Performing reviews of password resets may be desirable but will not be effective in reducing the likelihood of a social engineering attack. Social engineering can be mitigated best through periodic security awareness training for staff members who may be the target of such an attempt. Changing the frequency of password changes may be desirable but will not reduce the likelihood of a social engineering attack. Strengthening passwords is desirable but will not reduce the likelihood of a social engineering attack.
356
An enterprise’s security awareness program should focus on which of the following? A.Establishing metrics for network backups B.Installing training software which simulates security incidents C.Communicating what employees should or should not do in the context of their job responsibilities D.Access levels within the enterprise for applications and the Internet
C is the correct answer. Justification Metrics for network backups are not an awareness issue. Training software simulating security incidents is suitable for incident response teams but not for general awareness training. An enterprise's security awareness program should focus on employee behavior and the consequences of both compliance and noncompliance with the security policy. Access levels are specific issues, not generally the content of awareness training.
357
Q

Which of the following is the MAIN reason for implementing a corporate information security education and awareness program?

A. To achieve commitment from the board and senior management
B. To assign roles and responsibility for information security
C. To establish a culture that is conducive to effective security
D. To meet information security policy and regulatory requirements

A

C is the correct answer.

Justification

Implementing such a program is an ongoing process that supports senior management’s commitment to information security; it does not create that commitment.
Assigning roles and responsibilities for information security is achieved largely by implementing information security policies. However, to be effective, it is important that the policy be supported by a corporate information security education and awareness program.
Education, training and awareness help in the dissemination of information on the necessity of information security and in building a conducive environment for secure and reliable business operations.
The information security policy and regulatory requirements contribute content to an education and awareness program.
358
Q

Which of the following would be the GREATEST challenge when developing a standard awareness training program for a global enterprise?

A. Technical input requirements for IT security staff
B. Evaluating training program effectiveness
C. A diverse culture and varied technical abilities of end users
D. Availability of users either on weekends or after office hours

A

C is the correct answer.

Justification

IT security staff will require technical inputs, and having a separate training program for them would not be considered a challenge.
Evaluating training program effectiveness is not a problem when developing a standard training program. In fact, the evaluation of training program effectiveness will be easier for a standard training program delivered across the enterprise.
A diverse culture and differences in the levels of IT knowledge and IT exposure pose the most challenges to development of a standard training program because the learning needs of employees vary.
Availability of users on weekends or after office hours has no impact on the development of a standard training program.
359
Q

An information security manager conducted a phishing simulation at the enterprise. More than 70% of the staff clicked on the link in the phishing email. Which of the following is the FIRST step the information security manager should take to revise the awareness training program to ensure that staff take the appropriate action?

A. Obtain senior management’s full support.
B. Require all staff to take awareness training.
C. Develop phishing response procedures.
D. Update the security awareness policy.

A

A is the correct answer.

Justification

For a program or project to be successful, it is mandatory to obtain senior management’s full support. Once support is received, the likelihood that the revised training will succeed increases.
Making training mandatory does not ensure that staff understand the importance of the training. Senior leadership support will help to emphasize the value of the training.
Response procedures are reactive and do not influence the quality of a training program.
The security awareness policy can be updated after the program is reevaluated and rebuilt.
360
Q

Which of the following would raise security awareness among an enterprise’s employees?

A. Distributing industry statistics about security incidents
B. Monitoring the magnitude of incidents
C. Encouraging employees to behave in a more conscious manner
D. Continually reinforcing the security policy

A

D is the correct answer.

Justification

Distributing industry statistics about security incidents would have little bearing on employee behavior.
Monitoring the magnitude of incidents does not involve the employees.
Encouraging employees to behave in a more conscious manner could be an aspect of continual reinforcement of the security policy.
Employees must be continually made aware of the policy and the expectations for their behavior.
361
Q

Which of the following is the BEST indicator that security awareness training has been effective?

A. Employees sign to acknowledge the security policy.
B. More incidents are being reported.
C. A majority of employees have completed training.
D. No incidents have been reported in three months.

A

B is the correct answer.

Justification

Acknowledging the security policy is not an indication of awareness.
More incidents being reported could be an indicator that staff are paying more attention to security.
The number of individuals trained is not an indication of the effectiveness of awareness training.
No recent security incidents reported does not reflect awareness levels but may prompt further research to confirm.
362
Q

Which of the following is MOST effective in protecting against the attack technique known as phishing?

A. Firewall blocking rules
B. Up-to-date signature files
C. Security awareness training
D. Intrusion detection system monitoring

A

C is the correct answer.

Justification

Firewall rules are unsuccessful at blocking this kind of attack, because the message arrives over a permitted channel (email) and the user, not the network, takes the harmful action.
Signature files are unrelated to this kind of attack.
Phishing relies on social engineering techniques. Providing good security awareness training will best reduce the likelihood of such an attack being successful.
Intrusion detection system monitoring detects activity after the fact and does not stop a user from responding to a phishing message.
363
Q

Which of the following is the MOST effective method to enhance information security awareness?

A. Timely emails that address actual security threats
B. Security training from specialized external experts for key IT personnel
C. Role-specific awareness training
D. General online security awareness training for all staff

A

C is the correct answer.

Justification

Email is not a strong communication medium to enhance information security awareness.
Training for IT personnel is important, but information security awareness training needs to be provided to all employees.
Role-based training that includes simulation of actual information security incidents is the most effective method to teach employees how their specific function can impact information security.
Well-developed general awareness training can be an acceptable method to enhance information security awareness if resources are not available for role-specific training, but it is not typically as effective.
364
Q

Which of the following steps should be FIRST in developing an information security plan?

A. Perform a technical vulnerabilities assessment.
B. Analyze the current business strategy.
C. Perform a business impact analysis.
D. Assess the current levels of security awareness.

A

B is the correct answer.

Justification

Technical vulnerabilities, as a component of risk, will be most relevant in the context of threats to achieving the business objectives defined in the business strategy.
An information security manager needs to first gain an understanding of the current business strategy and direction to understand the enterprise’s objectives and the impact of the other answers on achieving those objectives.
A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security plan because it focuses on impact due to non-availability, which is also primarily relevant in terms of the business objectives that are the basis of the strategy.
Assessment of the current level of awareness is not the appropriate first step in developing an information security plan because awareness is a component of the plan itself.
365
Q

Active information security awareness programs PRIMARILY influence:

A. acceptable risk.
B. residual risk.
C. control objectives.
D. business objectives.

A

B is the correct answer.

Justification

The level of risk that an enterprise deems acceptable is a business decision. Controls, including active security awareness programs, are implemented to reduce risk to acceptable levels and do not influence what level of risk is acceptable.
An information security awareness program is an administrative control that reduces vulnerability, thereby yielding lower residual risk.
Security awareness may be a control objective, depending on the information security strategy of the enterprise, but such a program does not primarily influence the objectives of other controls.
Security awareness does not primarily influence business objectives.
366
Q

Which of the following controls would BEST reduce the frequency with which phishing attacks succeed in an enterprise?

A. Awareness and training
B. Endpoint protection
C. Email filters
D. Intrusion prevention

A

A is the correct answer.

Justification

Employee awareness and training is the best method to prevent employees from becoming victims of a phishing attack.
While endpoint protection would reduce the likelihood of a phishing email reaching end users, it would not prevent them from clicking a link.
While email filters would reduce the likelihood of a phishing email reaching end users, it would not prevent them from clicking a link.
Intrusion prevention would not be the most effective control against phishing attacks.
367
Q

Which of the following is MOST essential when selecting a third-party service provider?

A. Ongoing management
B. Contract review
C. On-site control reviews
D. Availability of third-party policies

A

B is the correct answer.

Justification

Ongoing management is essential after the contract is signed.
Contract structuring and review is essential for selecting a third party because it provides recourse for the enterprise when there is a breach of contract. The contract also gives the enterprise access to independent audit reports, the ability to perform on-site reviews, and other requirements to protect the enterprise following a contract breach.
On-site reviews might be a requirement of the enterprise, and would be part of the contract if required.
The availability of third-party policies for access and review is important, but it does not provide assurance and protections to the enterprise.
368
Q

How should an information security manager proceed when selecting a public cloud vendor to provide outsourced infrastructure and software?

A. Insist on strict service level agreements to guarantee application availability.
B. Verify that the vendor’s security posture meets the enterprise’s requirements.
C. Update the enterprise’s security policies to reflect the vendor agreement.
D. Consult a third party to provide an audit report to assess the vendor’s security program.

A

B is the correct answer.

Justification

Agreements that address availability do not address other aspects of the enterprise’s security policy.
When considering a cloud implementation, an information security manager must verify that a chosen vendor will meet the enterprise’s security requirements.
An enterprise defines its security policies with its business risk in mind. Changing internal policy requirements to reflect what a vendor can deliver may not be sufficient and could raise risk to the enterprise, making it an inappropriate approach.
Third-party audit reports are snapshots that tell what was true at a particular time and address only those items that were within the audit scope. Each enterprise has its own security policy considerations, and verification with the vendor should be accomplished with the enterprise’s specific considerations and requirements in mind.
369
Q

What is the BEST way to ensure that an external service provider complies with organizational security policies?

A. Explicitly include the service provider in the security policies.
B. Receive acknowledgment in writing stating the provider has read all policies.
C. Cross-reference to policies in the service level agreement.
D. Perform periodic reviews of the service provider.

A

D is the correct answer.

Justification

References in policies will not be as effective because they will not trigger the detection of noncompliance.
Assurance that the provider has read the policies does nothing to ensure compliance.
Written documents by themselves provide little assurance without confirming oversight.
Periodic reviews will be the most effective way of ensuring compliance from the external service provider.
370
Q

Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?

A. Provide security awareness training to the third-party provider’s employees.
B. Conduct regular security reviews of the third-party provider.
C. Include security requirements in the service contract.
D. Request that the third-party provider comply with the enterprise’s information security policy.

A

B is the correct answer.

Justification

Depending on the type of services outsourced, security awareness training may not be relevant or necessary.
Regular security audits and reviews of the practices of the provider to prevent potential information security damage will help verify the security of outsourced services.
Security requirements should be included in the contract, but what is most important is verifying that the requirements are met by the provider.
It is not necessary to require the provider to fully comply with the policy if only some of the policy is related and applicable.
371
Q

Which of the following is the BEST approach for improving information security management processes?

A. Conduct periodic security audits.
B. Perform periodic penetration testing.
C. Define and monitor security metrics.
D. Survey business units for feedback.

A

C is the correct answer.

Justification

Audits will identify deficiencies in established controls; however, they are not effective in evaluating the overall performance for improvement on an ongoing basis.
Penetration testing will only uncover technical vulnerabilities and cannot provide a holistic picture of information security management.
Defining and monitoring security metrics is a good approach to analyze the performance of the security management process, since it establishes a baseline and evaluates performance against that baseline to identify opportunities for improvement. This is a systematic and structured approach to process improvement.
Feedback is subjective and not necessarily reflective of true performance.
372
Q

After deciding to acquire a security information and event management system, it is MOST important for the information security manager to:

A. perform a comparative analysis of available systems.
B. develop a comprehensive business case for the system.
C. use the enterprise’s existing acquisition process.
D. ensure that there is adequate network capacity for the system.

A

C is the correct answer.

Justification

A comparative analysis should have been accomplished prior to the decision to purchase.
Development of a business case should have been accomplished prior to the decision to purchase.
The information security manager should always use existing enterprise practices and processes whenever possible to minimize potential issues with other departments.
Ensuring adequate capacity should have been accomplished prior to the decision to purchase.
373
Q

When an enterprise is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?

A. Compliance with international security standards
B. Use of a two-factor authentication system
C. Existence of an alternate hot site in case of business disruption
D. Compliance with the enterprise’s information security requirements

A

D is the correct answer.

Justification

Requiring compliance only with international security standards does not guarantee that a service provider complies with the enterprise’s own security requirements.
The requirement to use a specific kind of control, such as two-factor authentication, is not usually stated in the contract with third-party service providers.
The requirement for a hot site is not usually stated in the contract with third-party service providers.
From a security standpoint, compliance with the enterprise’s information security requirements is one of the most important topics that should be included in the contract with a third-party service provider.
374
Q

An enterprise is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?

A. A due diligence security review of the business partner’s security controls
B. Ensuring that the business partner has an effective business continuity program
C. Ensuring that the third party is contractually obligated to all relevant security requirements
D. Talking to other clients of the business partner to check references for performance

A

C is the correct answer.

Justification

A due diligence security review is contributory to the contractual agreement but not key.
Ensuring that the business partner has an effective business continuity program is contributory to the contractual agreement but not key.
The key requirement is that the information security manager ensure that the third party is contractually bound to follow the appropriate security requirements for the process being outsourced. This protects both enterprises.
Talking to other clients of the business partner is contributory to the contractual agreement but not key.
375
Q

When considering outsourcing technical or business processes, one of the MAIN concerns of the information security manager is whether the third-party service provider will:

A. deliver a level of quality acceptable to the enterprise’s established customer base.
B. agree to service level agreements with penalties sufficient to offset potential losses.
C. provide technical services at a lower cost than would be possible on an in-house basis.
D. meet the enterprise’s security requirements on an ongoing and verifiable basis.

A

D is the correct answer.

Justification

Quality assurance is an area of concern when dealing with third-party service providers, but it is not a primary focus of the information security manager.
Penalties written into service level agreements are a form of risk transfer (sharing) that may be appropriate for an enterprise’s business objectives, but the sufficiency of such arrangements is not a primary focus of the information security manager.
Reducing or controlling cost is typically one of the main reasons that enterprises choose to enter into third-party service agreements, but whether such agreements deliver their expected cost savings is not a primary focus of the information security manager.
When an enterprise enters into an outsourcing agreement with a third-party service provider, the information security manager becomes responsible for ensuring that the provider adheres to the same security requirements as apply to the enterprise itself and that any variances are documented and presented to senior management for an appropriate risk response. The challenge of being able to assess a provider’s security behaviors on an ongoing and verifiable basis is one of the main concerns of the information security manager in any outsourcing arrangement.
376
Q

A contract has just been signed with a new vendor to manage IT support services. Which of the following tasks should the information security manager ensure is performed NEXT?

A. Establish vendor monitoring.
B. Define reporting relationships.
C. Create a service level agreement.
D. Have the vendor sign a nondisclosure agreement.

A

A is the correct answer.

Justification

Once the contract is signed, the security manager should ensure that continuous vendor monitoring is established and operational. This control will help identify and provide alerts on security events and minimize potential losses.
The reporting relationships are defined prior to the contract being signed.
The service level agreement is part of the contract.
Nondisclosure agreements are signed prior to entering contract discussions.
377
Q

Which of the following is the MOST effective method for ensuring that outsourced operations comply with the company’s information security posture?

A. The vendor is provided with audit documentation.
B. A comprehensive contract is written with service level metrics and penalties.
C. Periodic onsite visits are made to the vendor’s site.
D. An onsite audit and compliance review is performed.

A

D is the correct answer.

Justification

Audit documentation may not show whether the vendor meets the company’s needs; the company needs to know the testing procedures.
While comprehensive contracts set minimum service levels, contracts do not ensure that vendors will perform without confirming oversight.
On-site visits to the vendor’s site are not sufficient by themselves; they should be coupled with an audit approach to gauge information security compliance.
Audits and compliance reviews are the most effective way to ensure compliance.
378
Q

Which of the following is the MOST important process that an information security manager needs to negotiate with an outsourced service provider?

A. The right to conduct independent security reviews
B. A legally binding data protection agreement
C. Encryption between the enterprise and the provider
D. A joint risk assessment of the system

A

A is the correct answer.

Justification

A key requirement of an outsourced contract involving critical business systems is the establishment of the enterprise’s right to conduct independent security reviews of the provider’s security controls.
A legally binding data protection agreement is also critical but secondary to conducting independent security reviews that permit examination of the actual security controls prevailing over the system, which is a more effective risk management tool.
Network encryption of the link between the enterprise and the provider may well be a requirement but by itself will not provide the assurance of independent security reviews.
A joint risk assessment of the system in conjunction with the outsourced provider may be a compromise solution should the right to conduct independent security reviews of the controls related to the system prove contractually difficult, but it is not the best option.
379
Q

Which of the following is the MOST important action to take when engaging third-party consultants to conduct an attack and penetration test?

A. Request a list of the software to be used.
B. Provide clear directions to IT staff.
C. Monitor intrusion detection system and firewall logs closely.
D. Establish clear rules of engagement.

A

D is the correct answer.

Justification

Requesting a list of what software will be used is useful, but not as important.
IT staff should not be alerted, in order to maximize the effectiveness of the penetration test.
Monitoring personnel should not be alerted, in order to effectively test their activities.
It is critical to establish a clear understanding of what is permissible during the engagement. Otherwise, the tester may inadvertently trigger a system outage or corrupt files.
380
Q

When outsourcing, to ensure that third-party service providers comply with an enterprise security policy, which of the following should occur?

A. A predefined meeting schedule
B. A periodic security audit
C. Inclusion in the contract of a list of individuals to be called in the event of an incident (call tree)
D. Inclusion in the contract of a confidentiality clause

A

B is the correct answer.

Justification

A predefined meeting schedule is a contributor to, but does not ensure, compliance.
A periodic security audit is a formal and documented way to determine compliance level.
A call tree is useful for dealing with incidents but does nothing to ensure compliance.
Inclusion of a confidentiality clause does not ensure compliance.
381
Q

An enterprise that outsourced its payroll processing needs to perform independent assessments of the security controls of the third party, according to policy requirements. Which of the following is the MOST useful requirement to include in the contract?

A. Right to audit
B. Nondisclosure agreement
C. Proper firewall implementation
D. Dedicated security manager for monitoring compliance

A

A is the correct answer.

Justification

Right to audit would be the most useful requirement because it would provide the company with the ability to perform a security audit/assessment in response to a business need to examine whether the controls are working effectively at the third party.
A nondisclosure agreement is an important requirement and can be examined during the audit.
Proper firewall implementation would not be a specific requirement in the contract but part of general control requirements.
A dedicated security manager would be a costly solution and not feasible for most situations.
382
Q

Which of the following should be done FIRST when deciding to allow access to the information processing facility of an enterprise to a new external party?

A. A contract language review
B. A risk assessment
C. The exposure factor
D. Vendor due diligence

A

B is the correct answer.

Justification

A contract language review is part of the risk assessment.
A risk assessment identifies the risk involved in allowing access to an external party and the required controls.
The exposure factor is part of the risk assessment.
Vendor due diligence is part of the risk assessment.
383
Q

A major trading partner with access to the internal network is unwilling or unable to remediate serious information security exposures within its environment. Which of the following is the BEST recommendation?

A. Sign a legal agreement assigning them all liability for any breach.
B. Remove all trading partner access until the situation improves.
C. Set up firewall rules restricting network traffic from that location.
D. Send periodic reminders advising them of their noncompliance.

A

C is the correct answer.

Justification

Agreements do not protect the integrity of the network.
Removing all access will likely result in lost business and be a career-ending solution.
It is incumbent on an information security manager to see to the protection of the enterprise’s network but to do so in a manner that does not adversely affect the conduct of business. This can be accomplished by adding specific traffic restrictions for that particular location, so that the partner retains only the connectivity the business relationship actually needs.
Reminders do not protect the integrity of the network.
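The restriction recommended above is an allowlist: traffic from the partner's address range is permitted only to the specific internal services the relationship requires, and everything else from that range is dropped. The following is an added example, not part of the flashcard set, of how such a policy can be expressed, checked against connection records, and rendered as nftables rules. The partner range (203.0.113.0/24, a documentation prefix), the internal service addresses, and the flow-record format are all hypothetical; the sample flow lines are constructed for the example.

```python
"""Added example (not from the flashcard set): per-partner network allowlist.

Evaluates connection records from a trading-partner range against an
allowlist of the internal services that partner is entitled to reach, and
renders the same policy as nftables rules. All addresses are hypothetical.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical partner source range (RFC 5737 documentation prefix).
PARTNER_NET = ipaddress.ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class AllowRule:
    """One permitted destination service for the partner."""
    dst: ipaddress.IPv4Network
    proto: str
    port: int


# Hypothetical allowlist: only the SFTP drop box and the B2B API endpoint.
ALLOWLIST = (
    AllowRule(ipaddress.ip_network("10.20.5.10/32"), "tcp", 22),
    AllowRule(ipaddress.ip_network("10.20.5.20/32"), "tcp", 443),
)


def is_permitted(src: str, dst: str, proto: str, port: int):
    """Return True/False for partner traffic, or None if src is not the partner
    (such traffic is governed by other rules, not this policy)."""
    src_ip = ipaddress.ip_address(src)
    if src_ip not in PARTNER_NET:
        return None
    dst_ip = ipaddress.ip_address(dst)
    return any(dst_ip in r.dst and r.proto == proto and r.port == port
               for r in ALLOWLIST)


def parse_flow(line: str):
    """Constructed record format: '<timestamp> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return ts, src, dst, proto.lower(), int(dport)


def audit(flow_lines):
    """Return the records from the partner range that the allowlist would deny.
    Useful both for tuning the rules before enforcement and, after enforcement,
    for spotting probing from the partner network."""
    denied = []
    for line in flow_lines:
        ts, src, dst, proto, dport = parse_flow(line)
        if is_permitted(src, dst, proto, dport) is False:
            denied.append(line)
    return denied


def nft_rules(table: str = "inet filter", chain: str = "forward"):
    """Render the allowlist as nftables 'add rule' statements: one accept per
    allowed service, then a terminal drop for anything else from the partner.
    Rule order matters: the drop must come last."""
    rules = []
    for r in ALLOWLIST:
        rules.append(
            f"add rule {table} {chain} ip saddr {PARTNER_NET} "
            f"ip daddr {r.dst.network_address} {r.proto} dport {r.port} accept"
        )
    rules.append(f"add rule {table} {chain} ip saddr {PARTNER_NET} drop")
    return rules


# Constructed sample flow records (not real logs).
SAMPLE_FLOWS = [
    "2024-05-01T10:00:01Z 203.0.113.17 10.20.5.10 tcp 22",    # SFTP: allowed
    "2024-05-01T10:00:05Z 203.0.113.17 10.20.5.20 tcp 443",   # B2B API: allowed
    "2024-05-01T10:01:12Z 203.0.113.44 10.20.9.3 tcp 445",    # SMB to file server: denied
    "2024-05-01T10:02:30Z 203.0.113.44 10.20.5.20 tcp 3389",  # RDP to API host: denied
    "2024-05-01T10:03:00Z 198.51.100.8 10.20.9.3 tcp 445",    # not the partner: out of scope
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print("DENY", line)
    print("\n".join(nft_rules()))
```

Running the block lists the two partner-sourced records that fall outside the allowlist and prints the three nftables rules; the record from 198.51.100.8 is ignored because it does not come from the partner range. The terminal drop applies only to the partner prefix, so the rest of the network policy is unaffected, which is the point of restricting rather than removing the partner's access.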
384
Q

Which of the following is the MOST important aspect that needs to be considered from a security perspective when payroll processes are outsourced to an external service provider?

A. A cost-benefit analysis has been completed.
B. Privacy requirements are met.
C. The service provider ensures a secure data transfer.
D. No significant security incident occurred at the service provider.

A

B is the correct answer.

Justification

A cost-benefit analysis should be undertaken from a business perspective but not from a security perspective.
Applicable privacy requirements may be a matter of law or policy and will require consideration when outsourcing processes that involve personal information, as payroll data do.
When data are transferred, it may be necessary to ensure data security, but there are many other privacy and security issues to consider.
Past incidents may not reflect the current security posture of the service provider, nor do they reflect applicable security requirements.
385
Q

Which of the following contract terms would MOST likely lead to unintended consequences related to cybersecurity if adequate details are lacking?

A. Service level agreements
B. Recovery time objectives
C. Reasonable security measures
D. Recent risk assessments

A

C is the correct answer.

Justification

Detailed service level agreements should be included in every contract.
Detailed recovery time objectives should be included in every contract.
When developing a contract, avoid generalities such as “reasonable security measures” that offer little to no clarity into the practices that the vendor is expected to implement.
Results of recent risk assessments are not relevant for inclusion in a contract.
386
Q

Which of the following aspects is MOST important to include in the service level agreement to promote resolution of operational issues with a cloud computing vendor?

A. The court of jurisdiction
B. A process description
C. Audit requirements
D. Defined responsibilities

A

D is the correct answer.

Justification

The court of jurisdiction may be defined in the agreement, and in fact may be a benefit or a detriment to a satisfactory solution of operational issues, but seeking court remedies is generally costly and time-consuming and is not the best way to resolve operational issues with a vendor.
A process description has a minimal impact on issue resolution.
Audits may help identify and determine the nature of issues but by themselves will not help resolve them.
When issues arise with cloud vendors, it is most important to identify ownership responsibility. This will promptly determine the next action to be taken for follow-up.
387
Q

When considering outsourcing services, at what point should information security become involved in the vendor management process?

A. During contract negotiation
B. Upon request for assistance from the business unit
C. When requirements are being established
D. When a security incident occurs

A

C is the correct answer.

Justification

Waiting until contract negotiation can lead to vendors having to re-bid and can disrupt negotiations.
There may be situations where information security involvement is not required, but those situations would be established by conducting an initial risk assessment, not by waiting for a request.
Information security should be involved in the vendor or third-party management process from the beginning of the selection process, when the business is defining what it needs. This will ensure that all bids for the service take into consideration, and reflect in bid prices, the security requirements.
Waiting until after the contract is signed, when an incident occurs, can expose the enterprise to significant security risk with little recourse to correct it, because the contract has already been executed.
388
Q

An enterprise is considering a reciprocal arrangement with a similar enterprise as a recovery option. Which of the following is the GREATEST risk associated with a reciprocal arrangement?

A. Variations between the risk and impact assessments
B. Frequency of testing of the recovery and continuity plans
C. Similarities in infrastructure and capacity
D. Differences in security policies and procedures

A

C is the correct answer.

Justification

Analyses are predictive, so differences between the enterprises’ assessments will not affect adequacy in the event of recovery.
Enterprises must collaborate on frequency of testing to ensure that each meets its needs. However, such agreements are generally established when arranging reciprocity and do not constitute ongoing risk.
Whether the two infrastructures are compatible and whether the partner has spare capacity determines if recovery is possible at all: if the enterprises have dissimilar infrastructure or lack capacity, it may be difficult to implement recovery.
Differences in security policies and procedures are generally addressed when establishing reciprocity and can be managed over time through monitoring and reporting.
389
Q

The MOST effective way to ensure that outsourced service providers comply with the enterprise’s information security policy would be:

A. service level monitoring.
B. penetration testing.
C. periodic auditing.
D. security awareness training.

A

C is the correct answer.

Justification

Service level monitoring can only pinpoint operational issues in the enterprise’s operational environment.
Penetration testing can identify security vulnerabilities but cannot ensure information security policy compliance.
Regular audit exercises can spot any gaps in information security compliance.
Training can increase users’ awareness of the information security policy but does not ensure compliance.
390
Q

The protection of sensitive data stored at a third-party location requires:

A. assurances that the third party will comply with the requirements of the contract.
B. commitments to completion of periodic independent security audits.
C. security awareness training and background checks of all third-party employees.
D. periodic review of third-party contracts and policies to ensure compliance.

A

A is the correct answer.

Justification

When storing data with a third party, the ownership and responsibility for the adequate protection of the data remain with the outsourcing enterprise. The outsourcing enterprise should have measures in place to provide assurance of compliance with the terms of the contract, which should be written on the basis of the organizational risk appetite.
Independent security audits are one assurance mechanism that an enterprise may use to verify compliance with contractual requirements, but whether they are appropriate is situational and based on the organizational risk appetite.
Awareness training and background checks are assurance mechanisms but may or may not be appropriate or important in all cases.
Review of contracts and policies is important, but it does not assure compliance.
391
Which of the following is the MOST important reason for an information security review of contracts? A.To help ensure the parties to the agreement can perform B.To help ensure confidential data are not included in the agreement C.To help ensure appropriate controls are included D.To help ensure the right to audit is a requirement
C is the correct answer. Justification The ability of the parties to perform is normally the responsibility of legal and the business operation involved. Confidential information may be in the agreement by necessity, and while the information security manager can advise and provide approaches to protect the information, the responsibility rests with the business and legal department. Agreements with external parties can expose an enterprise to information security risk that must be assessed and mitigated with appropriate controls. The right to audit may be one of many possible controls to include in a third-party agreement but is not necessarily a contract requirement, depending on the nature of the agreement.
392
An outsourced service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know? A.Security in storage and transmission of sensitive data B.Provider’s level of compliance with industry standards C.Security technologies in place at the facility D.Results of the latest independent security review
A is the correct answer. Justification Knowledge of how the outsourcer protects the storage and transmission of sensitive information will allow an information security manager to understand how sensitive data will be protected. The provider’s level of compliance with industry standards may or may not be important. Security technologies are not the only components to protect the sensitive customer information. An independent security review may not include analysis on how sensitive customer information would be protected.
393
Which of the following actions is essential for ensuring effective oversight of external parties’ adherence to established security requirements? A. Providing external parties with access to sensitive information to facilitate collaboration B. Ensuring contractual agreements enforce security requirements C. Implementing regular audits and assessments of the external party D. Assigning responsibility for third-party management within the enterprise
C is the correct answer. Justification Sharing sensitive information may be necessary depending on the nature of the relationship with the vendor, but it does not ensure adherence to security requirements. It is important to include security requirements in contracts, but it is crucial to periodically audit and confirm that the vendor is following those requirements. Implementing regular audits and assessments is essential for ensuring effective oversight of external parties’ adherence to established security requirements. Audits and assessments provide organizations with mechanisms to verify external parties’ compliance with security standards, contractual obligations, and regulatory requirements. By conducting regular audits and assessments, organizations can identify areas of noncompliance, address security gaps, and mitigate risk associated with third-party relationships. While assigning responsibility is important, it does not ensure that vendors are adhering to policies.
394
What action should be taken concerning data classification requirements before engaging outsourced providers? Ensure the data classification requirements: A.are compatible with the provider’s own classification. B.are communicated to the provider. C.exceed those of the outsourcer. D.are stated in the contract.
D is the correct answer. Justification Ensuring the data classification requirements are compatible with the provider’s own classification is an acceptable option but does not provide a requirement for the handling of classified data. Ensuring the data classification requirements are communicated to the provider does not provide a requirement for appropriate handling of classified data. Ensuring the data classification requirements exceed those of the outsourcer is an acceptable option but not as comprehensive or as binding as a legal contract. The most effective mechanism to ensure that the enterprise’s security standards are met by a third party would be a legal agreement stating the handling requirements for classified data and including the right to inspect and audit.
395
An enterprise plans to contract with an outside service provider to host its corporate website. The MOST important concern for the information security manager is to ensure that: A.an audit of the service provider uncovers no significant weakness. B.the contract includes a nondisclosure agreement to protect the enterprise’s intellectual property. C.the contract mandates that the service provider will comply with security policies. D.the third-party service provider conducts regular penetration testing.
C is the correct answer. Justification The audit is normally a one-time effort and cannot provide ongoing assurance of the security. A nondisclosure agreement should be part of the contract and would be a part of the policy compliance requirements. It is critical to include the security requirements in the contract based on the company’s security policy to ensure that the necessary security controls are implemented by the service provider. Penetration testing alone would not provide total security to the website; there are many controls that cannot be tested through penetration testing.
396
An information security manager has received complaints from senior management about the level of security delivered by a third-party service provider. The service provider is a long-standing vendor providing services based on a service agreement that has been renewed regularly without much change over the last four years. Which of the following actions is the FIRST one the information security manager should take in this situation? A.Ensure that security requirements in the service agreement meet current business requirements. B.Review security metrics to determine whether the vendor is meeting the terms of the service agreement. C.Conduct a formal assessment of the vendor’s capability to deliver security services. D.Automate the incident reporting process to ensure timely reporting and monitoring.
A is the correct answer. Justification Because the service agreement has not been significantly revised in four years, it is entirely likely that the vendor is delivering exactly what was purchased and that the disappointment shown by senior management is the result of the agreement not reflecting current business requirements. Knowing whether the vendor is meeting the terms of the agreement is actionable only after the information security manager is certain that the terms of the agreement align with the business requirements of the company. If the vendor has committed to a level of security services that metrics indicate are consistently not being met, it may be worthwhile to conduct a formal assessment of the vendor’s capabilities to determine whether a new vendor is needed. However, knowing how what was contracted aligns with business requirements needs to be the first step. Automation of the incident reporting process to ensure timely reporting and monitoring is only a reporting mechanism and does not resolve the issues faced.
397
An enterprise is MOST likely to include an indemnity clause in a service level agreement because an indemnity clause: A.reduces the likelihood of an incident. B.limits impact to the enterprise. C.is a regulatory requirement. D.ensures performance.
B is the correct answer. Justification The indemnity clause would not reduce the likelihood of an incident. An indemnity clause is a compensating control that serves to reduce impact if the provider causes financial loss. An indemnity clause is generally not a regulatory requirement. An indemnity clause may provide an incentive to perform but will not ensure it.
398
What activity BEST helps ensure that contract personnel do not obtain unauthorized access to sensitive information? A.Set accounts to expire. B.Avoid granting system administration roles. C.Ensure they successfully pass background checks. D.Ensure their access is approved by the data owner.
B is the correct answer. Justification Setting an expiration date is a positive element but will not prevent contract personnel from obtaining access to sensitive information. Contract personnel should not be given job duties that provide them with power user or other administrative roles that they could then use to grant themselves access to sensitive files. Requiring background checks is a positive element but will not prevent contract personnel from obtaining access to sensitive information. Having the data owner approve access is a marginally effective approach to limiting access to sensitive information.
399
An enterprise is using a vendor-supplied critical application with a maximum password length that does not comply with organizational security standards. Which of the following approaches BEST helps mitigate the weakness? A.Shorten the password validity period. B.Encourage the use of special characters. C.Strengthen segregation of duties. D.Introduce compensating controls.
D is the correct answer. Justification Periodic change of password is a good control against password theft. However, it would not compensate for the shortcoming in password length. Use of special characters will enhance password complexity. However, it will not fully replace the shortcoming in password length. Segregation of duties will tighten the control against fraud. However, it will not resolve password noncompliance. Vendor systems are sometimes unable to provide a security control that meets the policy of the enterprise. In such cases, compensating controls should be sought (e.g., password lockout on failed attempts).
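The justification above names lockout on failed attempts as a typical compensating control. The following is an added illustration, not part of the flashcard set or of any vendor product: a small Python lockout guard placed in front of an authentication backend whose password length cannot be changed. The `VendorAuth` class, the user names, the passwords and the threshold values (5 failures in 300 seconds, 15-minute lockout) are all assumptions constructed for the example.

```python
import time
from collections import deque
from dataclasses import dataclass, field

# Policy values are assumptions for this example, not taken from any standard.
MAX_FAILURES = 5        # failed attempts tolerated ...
WINDOW_SECONDS = 300    # ... within this sliding window ...
LOCKOUT_SECONDS = 900   # ... before the account is locked for this long


class VendorAuth:
    """Stand-in for a vendor application with an 8-character password limit.
    It silently truncates passwords, so a long password and its first eight
    characters are accepted alike. Constructed for the example, not a real product."""

    MAX_LEN = 8

    def __init__(self, users):
        # Store only what the vendor application would actually compare against.
        self._users = {u: p[: self.MAX_LEN] for u, p in users.items()}

    def check(self, user, password):
        return self._users.get(user) == password[: self.MAX_LEN]


@dataclass
class _State:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0                        # clock value until which the account is locked


class LockoutGuard:
    """Compensating control: a short password is easier to guess, so cap the
    number of guesses an attacker gets per account per unit of time."""

    def __init__(self, backend, clock=time.monotonic):
        self._backend = backend
        self._clock = clock          # injectable for testing with a fake clock
        self._state = {}

    def _prune(self, st, now):
        # Drop failures that have fallen out of the sliding window.
        while st.failures and now - st.failures[0] > WINDOW_SECONDS:
            st.failures.popleft()

    def is_locked(self, user):
        st = self._state.get(user)
        return st is not None and self._clock() < st.locked_until

    def attempt(self, user, password):
        """Returns 'ok', 'denied' or 'locked'."""
        now = self._clock()
        st = self._state.setdefault(user, _State())
        if now < st.locked_until:
            # Do not consult the backend while locked: no password oracle during lockout.
            return "locked"
        self._prune(st, now)
        if self._backend.check(user, password):
            st.failures.clear()      # a successful login resets the counter
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures.clear()
            return "locked"
        return "denied"


def demo():
    """Drive the guard with a fake clock; returns the sequence of outcomes."""
    t = [0.0]
    guard = LockoutGuard(VendorAuth({"alice": "Tr0ub4dor&3"}), clock=lambda: t[0])
    out = []
    for _ in range(MAX_FAILURES):                        # five wrong guesses, one second apart
        out.append(guard.attempt("alice", "wrong"))
        t[0] += 1
    out.append(guard.attempt("alice", "Tr0ub4dor&3"))    # correct password, but still locked
    t[0] += LOCKOUT_SECONDS + 1
    out.append(guard.attempt("alice", "Tr0ub4dor&3"))    # lockout expired, login succeeds
    return out
```

The guard does not repair the short-password weakness itself (the backend still accepts the truncated password), which is exactly the point of a compensating control: it limits how far an attacker can exploit the weakness while the vendor limitation remains. In production the same guard would also need to be keyed on source address and to emit an alert on lockout, so that the control doubles as a detection signal rather than only a brake.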
400
What is the PRIMARY consideration when communicating information security incidents to external parties? A. Providing detailed technical analysis B. Avoiding assigning blame for the incident C. Explaining the mechanism used for root cause analysis D. Minimizing reputational damage
D is the correct answer. Justification Detailed technical analysis is not normally part of communication with external stakeholders. Enterprises may communicate the root causes of incidents to external stakeholders rather than revealing the individuals responsible for the incidents; this is a subset of minimizing reputational damage, but not the main consideration. The tools, techniques, and mechanisms used for incident analysis are internal to the organization and are not shared with external stakeholders without proper justification. Communicating information security incidents to external stakeholders is a delicate task. Releasing more than the required information can lead to reputational damage and directly impact the organization’s business objectives and profitability.
401
Which of the following BEST informs senior management about the overall effectiveness of the enterprise’s information security program? A.Gap analysis report B.Incident statistics C.Key risk indicators D.Key performance indicators
D is the correct answer. Justification A gap analysis report would only highlight the gaps in the enterprise’s security posture with respect to industry best practices. It would not provide an indication of the overall effectiveness of the enterprise’s information security program. Incident statistics would provide information about incidents alone and not the overall effectiveness of the enterprise’s information security program. Key risk indicators highlight any aspects of concern. They are not useful in assessing the overall effectiveness of the enterprise’s information security program. The overall effectiveness of an information security program can be assessed by looking at the organizational security key performance indicators, which would provide assurance regarding the effectiveness of security controls.
402
Which of the following BEST helps management in getting assurance that a security program is implemented effectively? A. Security audit report by independent auditor B. Risk status report after implementing the security program C. Monthly summary report on incidents detected and addressed D. Survey report on security implementation by various stakeholders
B is the correct answer. Justification A security audit report provides assurance on the effectiveness of controls; however, it is based on a sample selected by the auditors and reflects a point in time. Security is a function of risk management. A risk status report helps management ensure that security-related risk is managed within acceptable limits. A summary report on incidents detected and responded to provides input on the effectiveness of incident management but not on overall security. A survey asking stakeholders their opinion about security implementation provides only subjective and partial assurance, as the stakeholders may not be qualified to completely understand and measure the implementation and its impact.
403
Which of the following BEST helps an organization in the successful implementation of an information security program? A. Providing adequate budget B. Adopting global standards C. Developing a communication plan D. Implementing a maturity model
C is the correct answer. Justification An appropriate budget is required to implement security. However, if clear communication is not established, the budget could be used inappropriately. Adopting global standards helps in benchmarking and understanding gaps in controls that can be implemented, but it does not directly help in successful implementation of a security program. Information security program implementation is the responsibility of all stakeholders. It is necessary that all stakeholders understand their role in the successful implementation of a security program, which can be achieved by developing an appropriate communication plan. Implementing a maturity model will help in improving the quality of information security processes.
404
A multinational enterprise has recently implemented a series of updates to its information security program. The chief information security officer (CISO) is tasked with delivering a quarterly board report on the program’s performance. Which of the following should be the focus of the report to provide the board with the MOST strategic insight? A. Key changes in the company’s security risk profile and future risk mitigation plans B. A detailed breakdown of the cybersecurity budget and resource allocation C. Statistics on employee participation in security awareness training programs D. A comparison of the company’s security measures with industry benchmarks
A is the correct answer. Justification Highlighting changes in the company’s security risk profile along with actions taken and future plans gives the board significant insights for strategic decision-making, indicating current status and future direction. While understanding the budget and resource allocation is important for overall strategic planning, it does not provide direct insight into the performance of the information security program or the company’s security risk profile. While employee participation in security awareness training is an important aspect of an information security program, it does not directly indicate the program’s performance or effectiveness in managing security risk. While comparing the company’s security measures with industry benchmarks can provide some context, it does not directly provide insight into the company’s specific security risk profile or the effectiveness of its information security program.
405
An organization experiences a security incident resulting in the loss of sensitive customer data. The chief information security officer (CISO) must report the incident to regulatory authorities. What considerations should the CISO take into account when communicating with regulatory bodies? A. Comply with legal requirements for timely and accurate reporting. B. Provide a high-level summary to protect the organization’s reputation. C. Provide a report after a full investigation is completed. D. Communicate only with legal, public relations, and internal stakeholders.
A is the correct answer. Justification Regulatory authorities have specific requirements regarding the reporting of security incidents, including timelines for notification and the level of detail required. It is crucial for the chief information security officer (CISO) to understand and comply with those legal requirements to avoid potential fines, penalties, or other regulatory actions. While protecting the organization’s reputation is important, providing minimal details to regulatory authorities may not align with legal requirements or regulatory expectations. Regulatory bodies typically expect transparent and comprehensive reporting of security incidents, including details about the nature and scope of the incident, the impact on affected individuals, and the organization’s response and remediation efforts. Attempting to withhold information or provide minimal details may result in additional scrutiny and regulatory consequences. While conducting a thorough investigation is important for understanding the root cause of the incident and implementing effective remediation measures, delaying reporting to regulatory authorities is generally not advisable. Many regulatory requirements mandate timely reporting of security incidents, often within a specified timeframe from the discovery of the incident. Delaying reporting can lead to noncompliance with legal requirements. While it is important to notify internal teams and stakeholders, involving external regulatory bodies in a timely manner is often necessary and required by law in the event of a significant security incident involving the loss of sensitive customer data. Regulatory authorities play a crucial role in overseeing compliance with data protection laws and regulations, and they may need to assess the severity of the incident, evaluate the organization’s response efforts, and determine whether any regulatory action is warranted. 
Failing to promptly involve external regulatory bodies can lead to legal and regulatory consequences, including fines, penalties, and further reputational damage.
406
Which of the following BEST describes the purpose of management metrics when measuring the effectiveness of an information security program? Management metrics: A. help senior management assess the overall performance of the information security program. B. provide senior management detailed insights into technical vulnerabilities and security incidents. C. focus on quantifying the operational efficiency and effectiveness of security controls. D. highlight trends regarding employee compliance with security policies and procedures.
A is the correct answer. Justification Management metrics are designed to provide senior management with insights into the overall performance of the information security programs. These metrics typically focus on high-level indicators of security posture, such as risk exposure, compliance levels, and alignment with business objectives. Management metrics enable senior management to make informed decisions about resource allocation, strategic planning, and risk management. Management metrics focus on more than technical insights. Management metrics focus on more than operational efficiency. Management metrics address more than employee behavior.
407
Which of the following, when implemented, BEST ensures that all the systems have consistent configuration? A. Policies B. Procedures C. Standards D. Guidelines
C is the correct answer. Justification Policies form the basis for all accountability concerning security responsibility throughout the enterprise. Procedures provide clear, step-by-step details on how to implement policies and standards. Standards must be designed to ensure that all systems of the same type are configured similarly based on the criticality and sensitivity of the resources. Guidelines are recommended practices that are not mandatory, so they cannot by themselves ensure that configurations are consistent.
408
An enterprise is challenged with a major budget reduction that could include cuts to the information security program. Which of the following would be the BEST consideration when communicating to senior management to obtain ongoing support of the information security program? A. Strategic information security program metrics B. The current state of information security within the enterprise C. Information security incidents that are impacting business operations D. The risk that may result from reducing or retiring the information security program
D is the correct answer. Justification Senior management reviews strategic program metrics to determine the success of an information security program, but this practice will not be as effective as having senior management understand the risk of reducing allocations to the program. The current state of information security within the enterprise highlights existing issues for senior management. While the current state of information security is important information, it does not necessarily provide the context needed for senior managers to make decisions on whether to cut the information security program’s budget. It is beneficial for senior management to understand how the overall risk of budget cuts to the program affects the current state of information security in the enterprise. Advising senior managers regarding information security incidents impacting business operations can provide additional insight into the impact associated with the reduction or elimination of parts of the information security program, but evaluating incidents individually does not provide a holistic view of the overall risk to the organization. Senior management needs to be aware of the benefits of the information security program and the negative consequences to business strategies and objectives if any resources allocated to the program are reduced or eliminated.
409
With whom should the information security manager PRIMARILY share the results of a security program evaluation? A. Information security steering committee B. Chief information security officer C. Chief executive officer D. Board of directors
A is the correct answer. Justification Security program evaluation results should be shared with the information security steering committee for review and development of needed program modification. Sharing the result only with chief information security officer (CISO) may miss the opportunity to get input and decisions from other key stakeholders. The chief executive officer (CEO) should be informed of high-level security matters but would not be the main audience for the report. The board of directors is generally concerned with high-level oversight and strategic direction.
410
Which of the following is the BEST approach for the chief information security officer (CISO) to take when communicating the compliance of the information security program during a regulatory audit? A. Demonstrate compliance by highlighting areas where compliance is met. B. Provide comprehensive information on all noncompliance areas and corrective actions taken. C. Provide a trend report showing that the number of issues is declining. D. Delegate the communication to the internal audit team.
B is the correct answer. Justification While it is important to highlight areas of compliance, selectively focusing only on those areas can create a misleading impression of the organization’s overall compliance status. Auditors expect transparency and honesty in reporting compliance status, and omitting information about noncompliance areas may lead to distrust and raise questions about the organization’s commitment to regulatory compliance. Transparency and accuracy are crucial when communicating the compliance status of the information security program during a regulatory audit. Providing comprehensive information on all noncompliance areas, along with details of the corrective actions taken or planned, demonstrates the organization’s commitment to compliance and continuous improvement. It is necessary to provide a detailed and complete report to audit showing the true picture of the current state of compliance. Trend reports are more beneficial to senior management than to audit. While the internal audit team may play a role in supporting the communication of compliance status, ultimate responsibility for communicating the information security program’s compliance status lies with the CISO. Delegating this communication may lead to a lack of clarity or accountability in the communication process.
411
A multinational corporation is exploring big data tools to enhance reporting suspicious activities as part of the information security program. Recognizing the criticality of data accuracy and quality in this scenario, which action is the MOST important to take to ensure security of the data? A. Regularly updating data recovery protocols B. Instituting a rigorous data governance strategy C. Implementing advanced encryption methodologies D. Building a robust data loss prevention system
B is the correct answer. Justification While keeping data recovery protocols updated is important, this action does not directly address the requirements of data accuracy and quality. Establishing a rigorous data governance strategy is the most important action as it ensures data accuracy, integrity, and management, which are crucial for the information security program’s reporting capabilities. Implementing advanced encryption methodologies is vital for data security but does not directly improve data accuracy or quality. While having a robust data loss prevention system is important, it does not directly enhance data accuracy or quality.
412
Which of the following is the MOST important consideration when briefing board executives about the current state of the information security program? A.Include a program metrics dashboard. B.Include third-party audit results. C.Use a balanced score card to show business alignment. D.Use appropriate language for the target audience.
D is the correct answer. Justification A program metrics dashboard will not be very effective without connections to business requirements. Third-party audit results may be helpful, but if the board does not understand the content, they are less useful. The balanced scorecard may be helpful, but if the board does not understand the content, it is less useful. When reporting to board executives, it is most important to use business terms that the target audience will understand to effectively communicate the message.
413
Which of the following is the MOST important consideration for senior management when approving and supporting a security program? The security program is: A. focused on enterprise objectives. B. defined within budgetary limits. C. designed to use existing resources. D. established based on security objectives.
A is the correct answer. Justification Although management does have all these considerations in mind while approving a security program, the most important focus is meeting business objectives. If the security program helps in achieving them, other considerations may be relaxed. Budget is important, but if the program does not meet enterprise objectives, it is not of value to the enterprise overall. Although management encourages the use of existing resources, additional resources may be needed in order for the program to meet its objectives. Achieving security objectives is important, but the security objectives must help achieve the organization’s business objectives.
414
When developing a reporting mechanism for an organization’s information security program, which of the following would BEST address cybersecurity risk? A. Adopt a broad-spectrum approach to report risk metrics. B. Emphasize reporting of compliance-focused risk. C. Generate reports aligned with the organization’s risk appetite. D. Ensure the report includes in-depth technical aspects.
C is the correct answer. Justification Collecting a broad spectrum of key risk indicators (KRIs) without considering their immediate business relevance could result in an overload of information that diverts attention from key business-related risk. While compliance is important, considering technology risk management solely as a compliance function might overlook strategic objectives. Creating comprehensive, relevant, and timely reports directly linked to the organization’s risk appetite and business context allows for strategically aligned and effective cyber risk management. Focusing reports predominantly on complex technical aspects can lead to ignoring fundamental elements such as risk appetite and control mechanisms and how they align with the overall business context and objectives.
415
The MOST timely and effective approach to detecting nontechnical security violations in an enterprise is: A.the development of enterprise-wide communication channels. B.periodic third-party auditing of incident reporting logs. C.an automated policy compliance monitoring system. D.deployment of suggestion boxes throughout the enterprise.
A is the correct answer. Justification Timely reporting of all security-related activities provides the information needed to monitor and respond to information security governance issues. Effective communication channels also are important for disseminating security-related information to the enterprise. Audits are one form of periodic reporting, but they are too infrequent for effective day-to-day information security management. Automated policy compliance monitoring is useful for reporting IT-related processes but, by itself, is insufficient for nontechnical security violations. Even if personnel could be persuaded to leave notes on policy violations in suggestion boxes, it would not be effective and is unlikely to be timely unless suggestions are collected daily.
416
Which of the following information would be MOST useful to senior management to enable effective information security program decision-making? A. Current program resource levels B. Existing program control performance C. Outline of future program activities D. Program risk trend analysis reports over time
D is the correct answer. Justification The level of financial, human, and technical resources allocated to the program is important and needs management support if deficiencies exist. Current financial, human, and technical resource levels do not give management sufficient information for decision-making on resource adjustments and allocations without resource-related risk information regarding the program. Information security programs comprise a wide range of strategic, operational, and technical controls to mitigate program risk. The performance of current program controls provides very useful information on how well existing control objectives are met and helps with decision-making about existing risk and controls; if there is new risk to the program, this information would not be as useful for making decisions about the program as a risk trend analysis report would. A program road map and an outline of future activities give management information on what needs to be done, but this information has little influence on decision-making if the program is progressing according to plan. Program risk is a potential outcome that could cause the program to fail to meet its goals; it is a combination of risks that may affect program objectives, scope, schedule, budget, resources, quality, or stakeholders. Program risk trend analysis reports demonstrate how well program risk is managed over time, so management can make accurate decisions on effective and efficient risk response actions based on trends.
417
Q

Which of the following would BEST communicate the effectiveness of the information security program to senior management?

A. Key control indicators (KCIs)
B. Key risk indicators (KRIs)
C. Objectives and key results (OKRs)
D. Key performance indicators (KPIs)

A

D is the correct answer.

Justification

Key control indicators (KCIs) provide feedback on control performance only. They may not provide information on the performance of other resources required for successful security implementation.
Key risk indicators (KRIs) help in providing early warnings about materializing risk so that it can be addressed in time. They may help in reporting limited areas of materializing risk but not the overall security profile.
Objectives and key results (OKRs) are useful in setting goals for the information security program, but they would not provide insight into performance itself.
Key performance indicators (KPIs) provide a comparison between expected and achieved performance and best provide feedback to senior management on the overall effectiveness of the information security program.
418
Q

Which of the following is the MOST reliable source of information for determining trends in information system performance?

A. Internal and external system changes
B. Feedback from relevant parties
C. Lessons learned from incidents
D. Audit results

A

D is the correct answer.

Justification

Reporting on system changes is not the most reliable source, as it only provides the changes made to the system and not system performance trends.
Feedback from relevant parties may not show trends in the system.
Lessons learned focus on specific moments in time and may not provide a good overall view of the system's performance.
Audit results provide an independent, objective, and reliable examination of the system along with comparative information from previous audits.
419
Q

The information security manager has identified that a security breach occurred at an enterprise as the result of a social engineering attack, despite the organization having the most leading-edge controls in place. What is the MOST effective step the information security manager could take to mitigate similar events in the future?

A. Update the incident response plan.
B. Share the incident response plan with users.
C. Implement additional security controls.
D. Provide regular security awareness training.

A

D is the correct answer.

Justification

The incident response plan goes into effect after an incident has happened so that an organization can contain it. It could be used after a security breach has been identified.
Sharing the incident response plan with users may not be relevant, as an organization should have an incident response team that would be aware of the process. However, the incident response team could provide relevant training to users periodically.
Implementing additional security controls may not prevent social engineering attacks. Security awareness training is still required.
Providing regular security awareness training helps employees identify various kinds of cybersecurity attacks such as social engineering, scams, and phishing, and counter malicious phishing practices from bad actors. Therefore, regular security awareness training will help to prevent similar events from occurring.
420
Q

Which of the following is the MOST effective approach to identify events that may affect information security across a large multinational enterprise?

A. Review internal and external audits to indicate anomalies.
B. Ensure that intrusion detection sensors are widely deployed.
C. Develop communication channels throughout the enterprise.
D. Conduct regular enterprise-wide security reviews.

A

C is the correct answer.

Justification

Audits are performed periodically, and a number of events can occur between audits that might not be detected and responded to in a timely manner.
Intrusion detection sensors are useful in detecting intrusion events but not other types of events.
Good communication channels can provide timely reporting of events across a large enterprise and provide channels for dissemination of security information.
Enterprise-wide security reviews are an enormous task and will be, at best, periodic; therefore, they are an ineffective approach to providing timely information on events.