Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 38
The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to:
- change the root password of the system.
- implement multifactor authentication.
- rebuild the system from the original installation medium.
- disconnect the mail server from the network.
Rebuilding the system from the original installation medium is the only way to ensure all security vulnerabilities and potential stealth malicious programs have been destroyed. Changing the root password of the system does not ensure the integrity of the mail server. Implementing multifactor authentication is an after-the-fact measure and does not clear existing security threats. Disconnecting the mail server from the network is an initial step, but does not guarantee security.
The IT function has declared that, when putting a new application into production, it is not necessary to update the business impact analysis (BIA) because it does not produce modifications in the business processes. The information security manager should:
- verify the decision with the business units.
- check the system’s risk analysis.
- recommend an update after the post-implementation review.
- request an audit review.
Verifying the decision with the business units is the correct answer because it is not the IT function’s responsibility to decide whether a new application modifies business processes. Choice B does not consider the change in the applications. Choices C and D delay the update.
A risk assessment study carried out by an organization noted that there is no segmentation of the local area network (LAN). Network segmentation would reduce the potential impact of which of the following?
- Denial of service (DoS) attacks
- Traffic sniffing
- Virus infections
- IP address spoofing
Network segmentation reduces the impact of traffic sniffing by limiting the amount of traffic that may be visible on any one network segment. Network segmentation would not mitigate the risk posed by denial of service (DoS) attacks, virus infections or IP address spoofing since each of these would be able to traverse network segments.
The PRIMARY objective of an Internet usage policy is to prevent:
- access to inappropriate sites.
- downloading malicious code.
- violation of copyright laws.
- disruption of Internet access.
Unavailability of Internet access would cause a business disruption. The other three objectives are secondary.
An internal review of a web-based application system finds the ability to gain access to all employees’ accounts by changing the employee’s ID on the URL used for accessing the account. The vulnerability identified is:
- broken authentication.
- unvalidated input.
- cross-site scripting.
- structured query language (SQL) injection.
The authentication process is broken because, although the session is valid, the application should reauthenticate when the input parameters are changed. The review provided valid employee IDs, and valid input was processed. The problem here is the lack of reauthentication when the input parameters are changed. Cross-site scripting is not the problem in this case since the attack is not transferred to any other user’s browser to obtain the output. Structured query language (SQL) injection is not a problem since input is provided as a valid employee ID and no SQL queries are injected to provide the output.
A test plan to validate the security controls of a new system should be developed during which phase of the project?
In the design phase, security checkpoints are defined and a test plan is developed. The testing phase is too late since the system has already been developed and is in production testing. In the initiation phase, the basic security objective of the project is acknowledged. Development is the coding phase and is too late to consider test plans.
The MOST effective way to ensure that outsourced service providers comply with the organization’s information security policy would be:
- service level monitoring.
- penetration testing.
- periodically auditing.
- security awareness training.
Regular audit exercises can spot gaps in information security compliance. Service level monitoring can only pinpoint operational issues in the organization’s operational environment. Penetration testing can identify security vulnerabilities but cannot ensure information security compliance. Training can increase users’ awareness of the information security policy, but is not more effective than auditing.
In order to protect a network against unauthorized external connections to corporate systems, the information security manager should BEST implement:
- a strong authentication.
- IP antispoofing filtering.
- network encryption protocol.
- access lists of trusted devices.
Strong authentication will provide adequate assurance on the identity of the users, while IP antispoofing is aimed at the device rather than the user. Encryption protocol ensures data confidentiality and authenticity while access lists of trusted devices are easily exploited by spoofed identity of the clients.
The PRIMARY driver to obtain external resources to execute the information security program is that external resources can:
- contribute cost-effective expertise not available internally.
- be made responsible for meeting the security program requirements.
- replace the dependence on internal resources.
- deliver more effectively on account of their knowledge.
Choice A represents the primary driver for the information security manager to make use of external resources. The information security manager will continue to be responsible for meeting the security program requirements despite using the services of external resources. The external resources should never completely replace the role of internal resources from a strategic perspective. The external resources cannot have a better knowledge of the business of the information security manager’s organization than do the internal resources.
Priority should be given to which of the following to ensure effective implementation of information security governance?
Planning is the key to effective implementation of information security governance. Consultation, negotiation and facilitation come after planning.
Which of the following will BEST facilitate the development of appropriate incident response procedures?
- Conducting scenario testing
- Performing vulnerability assessments
- Analyzing key risk indicators (KRIs)
- Assessing capability maturity
Which of the following is the MOST effective way for an information security manager to ensure that security is incorporated into an organization’s project development processes?
- Conduct security reviews during design, testing, and implementation.
- Integrate organization’s security requirements into project management.
- Develop good communications with the project management office.
- Participate in project initiation, approval, and funding.
An organization is considering a self-service solution for the deployment of virtualized development servers. Which of the following should be the information security manager’s PRIMARY concern?
- Ability to maintain server security baseline
- Ability to remain current with patches
- Generation of excessive security event logs
- Segregation of servers from the production environment
Which of the following activities would BEST incorporate security into the software development life cycle (SDLC)?
- Minimize the use of open source software.
- Include security training for the development team.
- Scan operating systems for vulnerabilities.
- Test applications before go-live.
Which of the following is MOST important to consider when developing a business continuity plan (BCP)?
- Disaster recovery plan (DRP)
- Business impact analysis (BIA)
- Incident management requirements
- Business communication plan
Which of the following should be the MOST important consideration when implementing an information security framework?
- Compliance requirements
- Audit findings
- Risk appetite
- Technical capabilities
Which of the following should provide the PRIMARY justification to approve the implementation of a disaster recovery (DR) site on the recommendation of an external audit report?
- Cost-benefit analysis
- Recovery time objectives (RTOs)
- Security controls at the DR site
- Regulatory requirements
An information security manager has been tasked with implementing a security awareness training program. Which of the following will have the MOST influence on the effectiveness of this program?
- Obtaining buy-in from senior management
- Tailoring the training to the organization’s environment
- Obtaining buy-in from end users
- Basing the training program on industry best practices
A data leakage prevention (DLP) solution has identified that several employees are sending confidential company data to their personal email addresses in violation of company policy. The information security manager should FIRST:
- contact the employees involved to retake security awareness training.
- notify senior management that employees are breaching policy.
- limit access to the Internet for employees involved.
- initiate an investigation to determine the full extent of noncompliance.
To address the issue that performance pressures on IT may conflict with information security controls, it is MOST important that:
- noncompliance issues are reported to senior management.
- information security management understands business performance issues.
- the security policy is changed to accommodate IT performance pressure.
- senior management provides guidance and dispute resolution.