Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 25

  1. Shortly after installation, an intrusion detection system (IDS) reports a violation. Which of the following is the MOST likely explanation?

    • The violation is a false positive.
    • A routine IDS log file upload has occurred.
    • A routine IDS signature file download has occurred.
    • An intrusion has occurred.
  2. Which of the following provides the GREATEST assurance that information security is addressed in change management?

    • Performing a security audit on changes
    • Providing security training for change advisory board
    • Requiring senior management sign-off on change management
    • Reviewing changes from a security perspective
  3. The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information security program is to:

    • ensure the confidentiality of sensitive material.
    • provide a high assurance of identity.
    • allow deployment of the active directory.
    • implement secure sockets layer (SSL) encryption.


    The primary purpose of a public key infrastructure (PKI) is to provide strong authentication. Confidentiality is a function of the session keys distributed by the PKI. An active directory can use PKI for authentication as well as using other means. Even though secure sockets layer (SSL) encryption requires keys to authenticate, it is not the main reason for deploying PKI.

  4. Which of the following controls would BEST prevent accidental system shutdown from the console or operations area?

    • Redundant power supplies
    • Protective switch covers
    • Shutdown alarms
    • Biometric readers
    Protective switch covers would reduce the possibility of an individual accidentally pressing the power button on a device, thereby turning off the device. Redundant power supplies would not prevent an individual from powering down a device. Shutdown alarms would be after the fact. Biometric readers would be used to control access to the systems.
  5. Which of the following is the MOST important reason why information security objectives should be defined?

    • Tool for measuring effectiveness
    • General understanding of goals
    • Consistency with applicable standards
    • Management sign-off and support initiatives

    The creation of objectives can be used in part as a source of measurement of the effectiveness of information security management, which feeds into the overall governance. General understanding of goals and consistency with applicable standards are useful, but are not the primary reasons for having clearly defined objectives. Gaining management understanding is important, but by itself will not provide the structure for governance.

  6. What is the BEST policy for securing data on mobile universal serial bus (USB) drives?

    • Authentication
    • Encryption
    • Prohibit employees from copying data to USB devices
    • Limit the use of USB devices
    Encryption provides the most effective protection of data on mobile devices. Authentication on its own is not very secure. Prohibiting employees from copying data to USB devices and limiting the use of USB devices are after the fact
  7. When speaking to an organization’s human resources department about information security, an information security manager should focus on the need for:

    • an adequate budget for the security program.
    • recruitment of technical IT employees.
    • periodic risk assessments.
    • security awareness training for employees.

    An information security manager has to impress upon the human resources department the need for security awareness training for all employees. Budget considerations are more of an accounting function. The human resources department would become involved once they are convinced for the need of security awareness training. Recruiting IT-savvy staff may bring in new employees with better awareness of information security, but that is not a replacement for the training requirements of the other employees. Periodic risk assessments may or may not involve the human resources department function.

  8. Which of the following would BEST protect an organization’s confidential data stored on a laptop computer from unauthorized access?

    • Strong authentication by password
    • Encrypted hard drives
    • Multifactor authentication procedures
    • Network-based data backup

    Encryption of the hard disks will prevent unauthorized access to the laptop even when the laptop is lost or stolen. Strong authentication by password can be bypassed by a determined hacker. Multifactor authentication can be bypassed by removal of the hard drive and insertion into another laptop. Network- based data backups do not prevent access but rather recovery from data loss.

  9. What is the MOST important reason for conducting security awareness programs throughout an organization?

    • Reducing the human risk
    • Maintaining evidence of training records to ensure compliance
    • Informing business units about the security strategy
    • Training personnel in security incident response

    People are the weakest link in security implementation, and awareness would reduce this risk. Through security awareness and training programs, individual employees can be informed and sensitized on various security policies and other security topics, thus ensuring compliance from each individual. Laws and regulations also aim to reduce human risk. Informing business units about the security strategy is best done through steering committee meetings or other forums.

  10. At what stage of the applications development process would encryption key management initially be addressed?

    • Requirements development
    • Deployment
    • Systems testing
    • Code reviews

    Encryption key management has to be integrated into the requirements of the application’s design. During systems testing and deployment would be too late since the requirements have already been agreed upon. Code reviews are part of the final quality assurance (QA) process and would also be too late in the process.

  11. The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization’s security requirements is:

    • messages displayed at every logon.
    • periodic security-related e-mail messages.
    • an Intranet web site for information security.
    • circulating the information security policy.
    Logon banners would appear every time the user logs on, and the user would be required to read and agree to the same before using the resources. Also, as the message is conveyed in writing and appears consistently, it can be easily enforceable in any organization. Security-related e-mail messages are frequently considered as “Spam” by network users and do not, by themselves, ensure that the user agrees to comply with security requirements. The existence of an Intranet web site does not force users to access it and read the information. Circulating the information security policy atone does not confirm that an individual user has read, understood and agreed to comply with its requirements unless it is associated with formal acknowledgment, such as a user’s signature of acceptance.
  12. Which of the following would be the BEST defense against sniffing?

    • Password protect the files
    • Implement a dynamic IP address scheme
    • Encrypt the data being transmitted
    • Set static mandatory access control (MAC) addresses

    Encrypting the data will obfuscate the data so that they are not visible in plain text. Someone would have to collate the entire data stream and try decrypting it, which is not easy. Passwords can be recovered by brute-force attacks and by password crackers, so this is not the best defense against sniffing. IP addresses can always be discovered, even if dynamic IP addresses are implemented. The person sniffing traffic can initiate multiple sessions for possible IP addresses. Setting static mandatory access control (MAC) addresses can prevent address resolution protocol (ARP) poisoning, but it does not prevent sniffing.

  13. A digital signature using a public key infrastructure (PKI) will:

    • not ensure the integrity of a message.
    • rely on the extent to which the certificate authority (CA) is trusted.
    • require two parties to the message exchange.
    • provide a high level of confidentiality.

    The certificate authority (CA) is a trusted third party that attests to the identity of the signatory, and reliance will be a function of the level of trust afforded the CA. A digital signature would provide a level of assurance of message integrity, but it is a three-party exchange, including the CA. Digital signatures do not require encryption of the message in order to preserve confidentiality.

  14. When configuring a biometric access control system that protects a high-security data center, the system’s sensitivity level should be set:

    • to a higher false reject rate (FRR).
    • to a lower crossover error rate.
    • to a higher false acceptance rate (FAR).
    • exactly to the crossover error rate.
    Biometric access control systems are not infallible. When tuning the solution, one has to adjust the sensitivity level to give preference either to false reject rate (type I error rate) where the system will be more prone to err denying access to a valid user or erring and allowing access to an invalid user. As the sensitivity of the biometric system is adjusted, these values change inversely. At one point, the two values intersect and are equal. This condition creates the crossover error rate, which is a measure of the system accuracy. In systems where the possibility of false rejects is a problem, it may be necessary’ to reduce sensitivity and thereby increase the number of false accepts. This is sometimes referred to as equal error rate (EER). In a very sensitive system, it may be desirable to minimize the number of false accepts — the number of unauthorized persons allowed access. To do this, the system is tuned to be more sensitive, which causes the false rejects the number of authorized persons disallowed access to increase.
  15. Which of the following is the BEST method to securely transfer a message?

    • Password-protected removable media
    • Facsimile transmission in a secured room
    • Using public key infrastructure (PKI) encryption
    • Steganography

    Using public key infrastructure (PKI) is currently accepted as the most secure method to transmit e-mail messages. PKI assures confidentiality, integrity and nonrepudiation. The other choices are not methods that are as secure as PKI. Steganography involves hiding a message in an image.

  16. Which of the following would be the FIRST step in establishing an information security program?

    • Develop the security policy.
    • Develop security operating procedures.
    • Develop the security plan.
    • Conduct a security controls study.

    A security plan must be developed to implement the security strategy. All of the other choices should follow the development of the security plan.

  17. An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage cross training. Which type of authorization policy would BEST address this practice?

    • Multilevel
    • Role-based
    • Discretionary
    • Attribute-based

    A role-based policy will associate data access with the role performed by an individual, thus restricting access to data required to perform the individual’s tasks. Multilevel policies are based on classifications and clearances. Discretionary policies leave access decisions up to information resource managers.

  18. Which of the following is the MOST important reason for an information security review of contracts? To help ensure that:

    • the parties to the agreement can perform.
    • confidential data are not included in the agreement.
    • appropriate controls are included.
    • the right to audit is a requirement.

    Agreements with external parties can expose an organization to information security risks that must be assessed and appropriately mitigated. The ability of the parties to perform is normally the responsibility of legal and the business operation involved. Confidential information may be in the agreement by necessity and. while the information security manager can advise and provide approaches to protect the information, the responsibility rests with the business and legal. Audit rights may be one of many possible controls to include in a third-party agreement, but is not necessarily a contract requirement, depending on the nature of the agreement.

  19. For virtual private network (VPN) access to the corporate network, the information security manager is requiring strong authentication. Which of the following is the strongest method to ensure that logging onto the network is secure?

    • Biometrics
    • Symmetric encryption keys
    • Secure Sockets Layer (SSL)-based authentication
    • Two-factor authentication

    Two-factor authentication requires more than one type of user authentication. While biometrics provides unique authentication, it is not strong by itself, unless a PIN or some other authentication factor is used with it. Biometric authentication by itself is also subject to replay attacks. A symmetric encryption method that uses the same secret key to encrypt and decrypt data is not a typical authentication mechanism for end users. This private key could still be compromised. SSL is the standard security technology for establishing an encrypted link between a web server and a browser. SSL is not an authentication mechanism. If SSL is used with a client certificate and a password, it would be a two-factor authentication.

  20. Which of the following guarantees that data in a file have not changed?

    • Inspecting the modified date of the file
    • Encrypting the file with symmetric encryption
    • Using stringent access control to prevent unauthorized access
    • Creating a hash of the file, then comparing the file hashes

    A hashing algorithm can be used to mathematically ensure that data haven’t been changed by hashing a file and comparing the hashes after a suspected change.