Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 14

  1. A common concern with poorly written web applications is that they can allow an attacker to:

    • gain control through a buffer overflow.
    • conduct a distributed denial of service (DoS) attack.
    • abuse a race condition.
    • inject structured query language (SQL) statements.


    Structured query language (SQL) injection is one of the most common and dangerous web application vulnerabilities. Buffer overflows and race conditions are very difficult to find and exploit on web applications. Distributed denial of service (DoS) attacks have nothing to do with the quality of a web application.

  2. Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?

    • Historical cost of the asset
    • Acceptable level of potential business impacts
    • Cost versus benefit of additional mitigating controls
    • Annualized loss expectancy (ALE)
    The security manager would be most concerned with whether residual risk would be reduced by a greater amount than the cost of adding additional controls. The other choices, although relevant, would not be as important.
  3. A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization’s local area network (LAN). What should the security manager do FIRST?

    • Understand the business requirements of the developer portal
    • Perform a vulnerability assessment of the developer portal
    • Install an intrusion detection system (IDS)
    • Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server

    The information security manager cannot make an informed decision about the request without first understanding the business requirements of the developer portal. Performing a vulnerability assessment of developer portal and installing an intrusion detection system (IDS) are best practices but are subsequent to understanding the requirements. Obtaining a signed nondisclosure agreement will not take care of the risks inherent in the organization’s application.

  4. A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account?

    • Prevent the system from being accessed remotely
    • Create a strong random password
    • Ask for a vendor patch
    • Track usage of the account by audit trails

    Creating a strong random password reduces the risk of a successful brute force attack by exponentially increasing the time required. Preventing the system from being accessed remotely is not always an option in mission-critical systems and still leaves local access risks. Vendor patches are not always available, tracking usage is a detective control and will not prevent an attack.

  5. Attackers who exploit cross-site scripting vulnerabilities take advantage of:

    • a lack of proper input validation controls.
    • weak authentication controls in the web application layer.
    • flawed cryptographic secure sockets layer (SSL) implementations and short key lengths.
    • implicit web application trust relationships.

    Cross-site scripting attacks inject malformed input. Attackers who exploit weak application authentication controls can gain unauthorized access to applications and this has little to do with cross-site scripting vulnerabilities. Attackers who exploit flawed cryptographic secure sockets layer (SSI.) implementations and short key lengths can sniff network traffic and crack keys to gain unauthorized access to information. This has little to do with cross-site scripting vulnerabilities. Web application trust relationships do not relate directly to the attack.

  6. Which of the following would BEST address the risk of data leakage?

    • File backup procedures
    • Database integrity checks
    • Acceptable use policies
    • Incident response procedures

    Acceptable use policies are the best measure for preventing the unauthorized disclosure of confidential information. The other choices do not address confidentiality of information.

  7. A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected?

    • Access control policy
    • Data classification policy
    • Encryption standards
    • Acceptable use policy

    Data classification policies define the level of protection to be provided for each category of data. Without this mandated ranking of degree of protection, it is difficult to determine what access controls or levels of encryption should be in place. An acceptable use policy is oriented more toward the end user and, therefore, would not specifically address what controls should be in place to adequately protect information.

  8. What is the BEST technique to determine which security controls to implement with a limited budget?

    • Risk analysis
    • Annualized loss expectancy (ALE) calculations
    • Cost-benefit analysis
    • Impact analysis

    Cost-benefit analysis is performed to ensure that the cost of a safeguard does not outweigh its benefit and that the best safeguard is provided for the cost of implementation. Risk analysis identifies the risks and suggests appropriate mitigation. The annualized loss expectancy (ALE) is a subset of a cost-benefit analysis. Impact analysis would indicate how much could be lost if a specific threat occurred.

  9. A company’s mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?

    • A penetration test
    • A security baseline review
    • A risk assessment
    • A business impact analysis (BIA)

    A risk assessment will identify- the business impact of such vulnerability being exploited and is, thus, the correct process. A penetration test or a security baseline review may identify the vulnerability but not the remedy. A business impact analysis (BIA) will more likely identify the impact of the loss of the mail server.

  10. Which of the following measures would be MOST effective against insider threats to confidential information?

    • Role-based access control
    • Audit trail monitoring
    • Privacy policy
    • Defense-in-depth

    Role-based access control provides access according to business needs; therefore, it reduces unnecessary- access rights and enforces accountability. Audit trail monitoring is a detective control, which is ‘after the fact.’ Privacy policy is not relevant to this risk. Defense-in-depth primarily focuses on external threats

  11. Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company’s policies. An information security manager should:

    • conduct a risk assessment and allow or disallow based on the outcome.
    • recommend a risk assessment and implementation only if the residual risks are accepted.
    • recommend against implementation because it violates the company’s policies.
    • recommend revision of current policy.

    Whenever the company’s policies cannot be followed, a risk assessment should be conducted to clarify the risks. It is then up to management to accept the risks or to mitigate them. Management determines the level of risk they are willing to take. Recommending revision of current policy should not be triggered by a single request.

  12. After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:

    • increase its customer awareness efforts in those regions.
    • implement monitoring techniques to detect and react to potential fraud.
    • outsource credit card processing to a third party.
    • make the customer liable for losses if they fail to follow the bank’s advice.

    While customer awareness will help mitigate the risks, this is insufficient on its own to control fraud risk. Implementing monitoring techniques which will detect and deal with potential fraud cases is the most effective way to deal with this risk. If the bank outsources its processing, the bank still retains liability. While making the customer liable for losses is a possible approach, nevertheless, the bank needs to be seen to be proactive in managing its risks.

  13. The criticality and sensitivity of information assets is determined on the basis of:

    • threat assessment.
    • vulnerability assessment.
    • resource dependency assessment.
    • impact assessment.

    The criticality and sensitivity of information assets depends on the impact of the probability of the threats exploiting vulnerabilities in the asset, and takes into consideration the value of the assets and the impairment of the value. Threat assessment lists only the threats that the information asset is exposed to. It does not consider the value of the asset and impact of the threat on the value. Vulnerability assessment lists only the vulnerabilities inherent in the information asset that can attract threats. It does not consider the value of the asset and the impact of perceived threats on the value. Resource dependency assessment provides process needs but not impact.

  14. Which program element should be implemented FIRST in asset classification and control?

    • Risk assessment
    • Classification
    • Valuation
    • Risk mitigation

    Valuation is performed first to identify and understand the assets needing protection. Risk assessment is performed to identify and quantify threats to information assets that are selected by the first step, valuation. Classification and risk mitigation are steps following valuation.

  15. When performing a risk assessment, the MOST important consideration is that:

    • management supports risk mitigation efforts.
    • annual loss expectations (ALEs) have been calculated for critical assets.
    • assets have been identified and appropriately valued.
    • attack motives, means and opportunities be understood.
    Identification and valuation of assets provides the basis for risk management efforts as it relates to the criticality and sensitivity of assets. Management support is always important, but is not relevant when determining the proportionality of risk management efforts. ALE calculations are only valid if assets have first been identified and appropriately valued. Motives, means and opportunities should already be factored in as a part of a risk assessment.
  16. The MAIN reason why asset classification is important to a successful information security program is because classification determines:

    • the priority and extent of risk mitigation efforts.
    • the amount of insurance needed in case of loss.
    • the appropriate level of protection to the asset.
    • how protection levels compare to peer organizations.

    Protection should be proportional to the value of the asset. Classification is based upon the value of the asset to the organization. The amount of insurance needed in case of loss may not be applicable in each case. Peer organizations may have different classification schemes for their assets.

  17. The BEST strategy for risk management is to:

    • achieve a balance between risk and organizational goals.
    • reduce risk to an acceptable level.
    • ensure that policy development properly considers organizational risks.
    • ensure that all unmitigated risks are accepted by management.

    The best strategy for risk management is to reduce risk to an acceptable level, as this will take into account the organization’s appetite for risk and the fact that it would not be practical to eliminate all risk. Achieving balance between risk and organizational goals is not always practical. Policy development must consider organizational risks as well as business objectives. It may be prudent to ensure that management understands and accepts risks that it is not willing to mitigate, but that is a practice and is not sufficient to l>e considered a strategy.

  18. Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data?

    • Disclosure of personal information
    • Sufficient coverage of the insurance policy for accidental losses
    • Intrinsic value of the data stored on the equipment
    • Replacement cost of the equipment

    When mobile equipment is lost or stolen, the information contained on the equipment matters most in determining the impact of the loss. The more sensitive the information, the greater the liability. If staff carries mobile equipment for business purposes, an organization must develop a clear policy as to what information should be kept on the equipment and for what purpose. Personal information is not defined in the question as the data that were lost. Insurance may be a relatively smaller issue as compared with information theft or opportunity loss, although insurance is also an important factor for a successful business. Cost of equipment would be a less important issue as compared with other choices.

  19. An organization has to comply with recently published industry regulatory requirements — compliance that potentially has high implementation costs. What should the information security manager do FIRST?

    • Implement a security committee.
    • Perform a gap analysis.
    • Implement compensating controls.
    • Demand immediate compliance.

    Since they are regulatory requirements, a gap analysis would be the first step to determine the level of compliance already in place. Implementing a security committee or compensating controls would not be the first step. Demanding immediate compliance would not assess the situation.

  20. Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?

    • Annual loss expectancy (ALE) of incidents
    • Frequency of incidents
    • Total cost of ownership (TCO)
    • Approved budget for the project

    The total cost of ownership (TCO) would be the most relevant piece of information in that it would establish a cost baseline and it must be considered for the full life cycle of the control. Annual loss expectancy (ALE) and the frequency of incidents could help measure the benefit, but would have more of an indirect relationship as not all incidents may be mitigated by implementing a two-factor authentication system. The approved budget for the project may have no bearing on what the project may actually cost.