Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 15
One way to determine control effectiveness is by determining:
- whether it is preventive, detective or compensatory.
- the capability of providing notification of failure.
- the test results of intended objectives.
- the evaluation and analysis of reliability.
Control effectiveness requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended. The type of control is not relevant, and notification of failure is not determinative of control strength. Reliability is not an indication of control strength; weak controls can be highly reliable, even if they are ineffective controls.
What does a network vulnerability assessment intend to identify?
- 0-day vulnerabilities
- Malicious software and spyware
- Security design flaws
- Misconfiguration and missing updates
A network vulnerability assessment intends to identify known vulnerabilities based on common misconfigurations and missing updates. 0-day vulnerabilities by definition are not previously known and therefore are undetectable. Malicious software and spyware are normally addressed through antivirus and antispyware policies. Security design flaws require a deeper level of analysis.
Who is responsible for ensuring that information is classified?
- Senior management
- Security manager
- Data owner
The data owner is responsible for applying the proper classification to the data. Senior management is ultimately responsible for the organization. The security officer is responsible for applying security protection relative to the level of classification specified by the owner. The technology group is delegated the custody of the data by the data owner, but the group does not classify the information.
After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be:
When the cost of control is more than the cost of the risk, the risk should be accepted. Transferring, treating or terminating the risk is of limited benefit if the cost of that control is more than the cost of the risk itself.
When a significant security breach occurs, what should be reported FIRST to senior management?
- A summary of the security logs that illustrates the sequence of events
- An explanation of the incident and corrective action taken
- An analysis of the impact of similar attacks at other organizations
- A business case for implementing stronger logical access controls
When reporting an incident to senior management, the initial information to be communicated should include an explanation of what happened and how the breach was resolved. A summary of security logs would be too technical to report to senior management. An analysis of the impact of similar attacks and a business case for improving controls would be desirable; however, these would be communicated later in the process.
The PRIMARY reason for initiating a policy exception process is when:
- operations are too busy to comply.
- the risk is justified by the benefit.
- policy compliance would be difficult to enforce.
- users may initially be inconvenienced.
Exceptions to policy are warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits. Being busy is not a justification for policy exceptions, nor is the fact that compliance cannot be enforced. User inconvenience is not a reason to automatically grant exception to a policy.
Which of (lie following would be the MOST relevant factor when defining the information classification policy?
- Quantity of information
- Available IT infrastructure
- Requirements of data owners
When defining the information classification policy, the requirements of the data owners need to be identified. The quantity of information, availability of IT infrastructure and benchmarking may be part of the scheme after the fact and would be less relevant.
To determine the selection of controls required to meet business objectives, an information security manager should:
- prioritize the use of role-based access controls.
- focus on key controls.
- restrict controls to only critical applications.
- focus on automated controls.
Key controls primarily reduce risk and are most effective for the protection of information assets. The other choices could be examples of possible key controls.
The MOST appropriate owner of customer data stored in a central database, used only by an organization’s sales department, would be the:
- sales department.
- database administrator.
- chief information officer (CIO).
- head of the sales department.
The owner of the information asset should be the person with the decision-making power in the department deriving the most benefit from the asset. In this case, it would be the head of the sales department. The organizational unit cannot be the owner of the asset because that removes personal responsibility. The database administrator is a custodian. The chief information officer (CIO) would not be an owner of this database because the CIO is less likely to be knowledgeable about the specific needs of sales operations and security concerns.
In assessing the degree to which an organization may be affected by new privacy legislation, information security management should FIRST:
- develop an operational plan for achieving compliance with the legislation.
- identify systems and processes that contain privacy components.
- restrict the collection of personal information until compliant.
- identify privacy legislation in other countries that may contain similar requirements.
Identifying the relevant systems and processes is the best first step. Developing an operational plan for achieving compliance with the legislation is incorrect because it is not the first step. Restricting the collection of personal information comes later. Identifying privacy legislation in other countries would not add much value.
Risk assessment is MOST effective when performed:
- at the beginning of security program development.
- on a continuous basis.
- while developing the business case for the security program.
- during the business change process.
Risk assessment needs to be performed on a continuous basis because of organizational and technical changes. Risk assessment must take into account all significant changes in order to be effective.
Which of the following is the MAIN reason for performing risk assessment on a continuous basis’?
- Justification of the security budget must be continually made.
- New vulnerabilities are discovered every day.
- The risk environment is constantly changing.
- Management needs to be continually informed about emerging risks.
The risk environment is impacted by factors such as changes in technology, and business strategy. These changes introduce new threats and vulnerabilities to the organization. As a result, risk assessment should be performed continuously. Justification of a budget should never be the main reason for performing a risk assessment. New vulnerabilities should be managed through a patch management process. Informing management about emerging risks is important, but is not the main driver for determining when a risk assessment should be performed.
There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
- Identify the vulnerable systems and apply compensating controls
- Minimize the use of vulnerable systems
- Communicate the vulnerability to system users
- Update the signatures database of the intrusion detection system (IDS)
The best protection is to identify the vulnerable systems and apply compensating controls until a patch is installed. Minimizing the use of vulnerable systems and communicating the vulnerability to system users could be compensating controls but would not be the first course of action. Choice D does not make clear the timing of when the intrusion detection system (IDS) signature list would be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this approach should not always be considered as the first option.
Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?
- Business impact analysis (BIA)
- Penetration testing
- Audit and review
- Threat analysis
Penetration testing focuses on identifying vulnerabilities. None of the other choices would identify vulnerabilities introduced by changes.
Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?
- Countermeasure cost-benefit analysis
- Penetration testing
- Frequent risk assessment programs
- Annual loss expectancy (ALE) calculation
In a countermeasure cost-benefit analysis, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure. Penetration testing may indicate the extent of a weakness but, by itself, will not establish the cost/benefit of a control. Frequent risk assessment programs will certainly establish what risk exists but will not determine the maximum cost of controls. Annual loss expectancy (ALE) is a measure which will contribute to the value of the risk but. alone, will not justify a control.
An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:
- eliminating the risk.
- transferring the risk.
- mitigating the risk.
- accepting the risk.
Risk can never be eliminated entirely. Transferring the risk gives it away such as buying insurance so the insurance company can take the risk. Implementing additional controls is an example of mitigating risk. Doing nothing to mitigate the risk would be an example of accepting risk.
Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?
Although the information owner may be in a management position and is also considered a user, the information owner role has the responsibility for determining information classification levels. Management is responsible for higher-level issues such as providing and approving budget, supporting activities, etc. The information custodian is responsible for day-to-day security tasks such as protecting information, backing up information, etc. Users are the lowest level. They use the data, but do not classify the data. The owner classifies the data.
The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for:
- determining the scope for inclusion in an information security program.
- defining the level of access controls.
- justifying costs for information resources.
- determining the overall budget of an information security program.
The assigned class of sensitivity and criticality of the information resource determines the level of access controls to be put in place. The assignment of sensitivity and criticality takes place with the information assets that have already been included in the information security program and has only an indirect bearing on the costs to be incurred. The assignment of sensitivity and criticality contributes to, but does not decide, the overall budget of the information security program.
An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs?
- Key performance indicators (KPIs)
- Business impact analysis (BIA)
- Gap analysis
- Technical vulnerability assessment
Gap analysis would help identify the actual gaps between the desired state and the current implementation of information security management. BIA is primarily used for business continuity planning. Technical vulnerability assessment is used for detailed assessment of technical controls, which would come later in the process and would not provide complete information in order to identify gaps.
When performing a qualitative risk analysis, which of the following will BEST produce reliable results?
- Estimated productivity losses
- Possible scenarios with threats and impacts
- Value of information assets
- Vulnerability assessment
Listing all possible scenarios that could occur, along with threats and impacts, will better frame the range of risks and facilitate a more informed discussion and decision. Estimated productivity losses, value of information assets and vulnerability assessments would not be sufficient on their own.