Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 33

  1. An intranet server should generally be placed on the:

    • internal network.
    • firewall server.
    • external router.
    • primary domain controller.

    An intranet server should be placed on the internal network. Placing it on an external router leaves it defenseless. Since firewalls should be installed on hardened servers with minimal services enabled, it is inappropriate to host the intranet server on the same physical device as the firewall. Similarly, primary domain controllers do not normally share a physical device with the intranet server.

  2. Access control to a sensitive intranet application by mobile users can BEST be implemented through:

    • data encryption.
    • digital signatures.
    • strong passwords.
    • two-factor authentication.

    Two-factor authentication through the use of strong passwords combined with security tokens provides the highest level of security. Data encryption, digital signatures and strong passwords do not provide the same level of protection.

  3. When application-level security controlled by business process owners is found to be poorly managed, which of the following could BEST improve current practices?

    • Centralizing security management
    • Implementing sanctions for noncompliance
    • Policy enforcement by IT management
    • Periodic compliance reviews

    By centralizing security management, the organization can ensure that security standards are applied to all systems equally and in line with established policy. Sanctions for noncompliance would not be the best way to correct poor management practices caused by work overloads or insufficient knowledge of security practices. Enforcement of policies is not solely the responsibility of IT management. Periodic compliance reviews would not correct the problems, by themselves, although reports to management would trigger corrective action such as centralizing security management.

  4. Security awareness training is MOST likely to lead to which of the following?

    • Decrease in intrusion incidents
    • Increase in reported incidents
    • Decrease in security policy changes
    • Increase in access rule violations

    Reported incidents will provide an indicator as to the awareness level of staff. An increase in reported incidents could indicate that staff is paying more attention to security. Intrusion incidents and access rule violations may or may not have anything to do with awareness levels. A decrease in changes to security policies may or may not correlate to security awareness training.

  5. The information classification scheme should:

    • consider possible impact of a security breach.
    • classify personal information in electronic form.
    • be performed by the information security manager.
    • classify systems according to the data processed.

    Data classification is determined by the business risk, i.e., the potential impact on the business of the loss, corruption or disclosure of information. It must be applied to information in all forms, both electronic and physical (paper), and should be applied by the data owner, not the security manager. Classifying only personal information in electronic form is an incomplete answer because it addresses only privacy issues, while considering the possible impact of a security breach is the more complete response.

  6. Which of the following is the BEST method to provide a new user with their initial password for e-mail system access?

    • Interoffice a system-generated complex password with 30 days expiration
    • Give a dummy password over the telephone set for immediate expiration
    • Require no password but force the user to set their own in 10 days
    • Set initial password equal to the user ID with expiration in 30 days

    Documenting the password on paper is not the best method, even if it is sent through interoffice mail: if the password is complex and difficult to memorize, the user will likely keep the printed password, which creates a security concern. A dummy (temporary) password that must be changed upon first logon is the best method because it is reset immediately and replaced with the user’s own choice of password, which will be easier for the user to remember. If it is given to the wrong person, the legitimate user will likely notify security when still unable to access the system, so the security risk is low. Setting up an account with no initial password is a security concern even if it is just for a few days. Setting the initial password equal to the user ID poses the greatest security threat because user IDs are typically known by both users and security staff, thus compromising access for up to 30 days.

  7. An information security program should be sponsored by:

    • infrastructure management.
    • the corporate audit department.
    • key business process owners.
    • information security management.

    The information security program should ideally be sponsored by business managers, as represented by key business process owners. Infrastructure management is not sufficiently independent and lacks the necessary knowledge regarding specific business requirements. A corporate audit department is not in as good a position to fully understand how an information security program needs to meet the needs of the business. Audit independence and objectivity will be lost, impeding traditional audit functions. Information security implements and executes the program. Although it should promote it at all levels, it cannot sponsor the effort due to insufficient operational knowledge and lack of proper authority.

  8. Which of the following is the MOST important item to include when developing web hosting agreements with third-party providers?

    • Termination conditions
    • Liability limits
    • Service levels
    • Privacy restrictions

    Service levels are key to holding third parties accountable for adequate delivery of services. This is more important than termination conditions, privacy restrictions or liability limitations.

  9. The BEST metric for evaluating the effectiveness of a firewall is the:

    • number of attacks blocked.
    • number of packets dropped.
    • average throughput rate.
    • number of firewall rules.

    The number of attacks blocked indicates whether a firewall is performing as intended. The number of packets dropped does not necessarily indicate the level of effectiveness. The number of firewall rules and the average throughput rate are not effective measurements.

  10. Which of the following ensures that newly identified security weaknesses in an operating system are mitigated in a timely fashion?

    • Patch management
    • Change management
    • Security baselines
    • Acquisition management

    Patch management involves the correction of software weaknesses and helps ensure that newly identified exploits are mitigated in a timely fashion. Change management controls the process of introducing changes to systems. Security baselines provide minimum recommended settings. Acquisition management controls the purchasing process.

  11. The MAIN advantage of implementing automated password synchronization is that it:

    • reduces overall administrative workload.
    • increases security between multi-tier systems.
    • allows passwords to be changed less frequently.
    • reduces the need for two-factor authentication.

    Automated password synchronization reduces the overall administrative workload of resetting passwords. It does not increase security between multi-tier systems, allow passwords to be changed less frequently or reduce the need for two-factor authentication.

  12. Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met?

    • SWOT analysis
    • Waterfall chart
    • Gap analysis
    • Balanced scorecard

    The balanced scorecard is most effective for evaluating the degree to which information security objectives are being met. A SWOT analysis addresses strengths, weaknesses, opportunities and threats. Although useful, a SWOT analysis is not as effective a tool. Similarly, a gap analysis, while useful for identifying the difference between the current state and the desired future state, is not the most appropriate tool. A waterfall chart is used to understand the flow of one process into another.

  13. Which of the following is MOST effective in preventing the introduction of a code modification that may reduce the security of a critical business application?

    • Patch management
    • Change management
    • Security metrics
    • Version control

    Change management controls the process of introducing changes to systems. Failure to have good change management may introduce new weaknesses into otherwise secure systems. Patch management corrects discovered weaknesses by applying a correction to the original program code. Security metrics provide a means for measuring effectiveness. Version control is a subset of change management.

  14. An operating system (OS) noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution?

    • Rewrite the application to conform to the upgraded operating system
    • Compensate for not installing the patch with mitigating controls
    • Alter the patch to allow the application to run in a privileged state
    • Run the application on a test platform; tune production to allow patch and application

    Since the operating system (OS) patch will adversely impact a critical application, a mitigating control should be identified that will provide an equivalent level of security. Since the application is critical, the patch should not be applied without regard for the application; business requirements must be considered. Altering the OS patch to allow the application to run in a privileged state may create new security weaknesses. Finally, running a production application on a test platform is not an acceptable alternative since it will mean running a critical production application on a platform not subject to the same level of security controls.

  15. Which of the following is MOST important to the success of an information security program?

    • Security awareness training
    • Achievable goals and objectives
    • Senior management sponsorship
    • Adequate start-up budget and staffing

    Sufficient senior management support is the most important factor for the success of an information security program. Security awareness training, although important, is secondary. Achievable goals and objectives as well as having adequate budgeting and staffing are important factors, but they will not ensure success if senior management support is not present.

  16. Which of the following is MOST important for a successful information security program?

    • Adequate training on emerging security technologies
    • Open communication with key process owners
    • Adequate policies, standards and procedures
    • Executive management commitment

    Sufficient executive management support is the most important factor for the success of an information security program. Open communication, adequate training, and good policies and procedures, while important, are not as important as support from top management; they will not ensure success if senior management support is not present.

  17. Which of the following is the MOST effective solution for preventing individuals external to the organization from modifying sensitive information on a corporate database?

    • Screened subnets
    • Information classification policies and procedures
    • Role-based access controls
    • Intrusion detection system (IDS)

    Screened subnets are demilitarized zones (DMZs) and are oriented toward preventing attacks on an internal network by external users. The policies and procedures to classify information will ultimately result in better protection but they will not prevent actual modification. Role-based access controls would help ensure that users only had access to files and systems appropriate for their job role. Intrusion detection systems (IDS) are useful to detect invalid attempts but they will not prevent attempts.

  18. Which of the following technologies is utilized to ensure that an individual connecting to a corporate internal network over the Internet is not an intruder masquerading as an authorized user?

    • Intrusion detection system (IDS)
    • IP address packet filtering
    • Two-factor authentication
    • Embedded digital signature

    Two-factor authentication provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network. IP address packet filtering would protect against spoofing an internal address but would not provide strong authentication. An intrusion detection system (IDS) can be used to detect an external attack but would not help in authenticating a user attempting to connect. Digital signatures ensure that transmitted information can be attributed to the named sender.

  19. What is an appropriate frequency for updating operating system (OS) patches on production servers?

    • During scheduled rollouts of new applications
    • According to a fixed security patch management schedule
    • Concurrently with quarterly hardware maintenance
    • Whenever important security patches are released

    Patches should be applied whenever important security updates are released. They should not be delayed to coincide with other scheduled rollouts or maintenance. Due to the possibility of creating a system outage, they should not be deployed during critical periods of application activity such as month-end or quarter-end closing.

  20. Which of the following devices should be placed within a DMZ?

    • Proxy server
    • Application server
    • Departmental server
    • Data warehouse server

    An application server should normally be placed within a demilitarized zone (DMZ) to shield the internal network. Data warehouse and departmental servers may contain confidential or valuable data and should always be placed on the internal network, never on a DMZ that is subject to compromise. A proxy server forms the inner boundary of the DMZ but is not placed within it.