Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 54
The GREATEST benefit of using a maturity model when providing security reports to management is that it presents the:
- security program priorities to achieve an accepted risk level
- level of compliance with internal policy
- assessed level of security risk at a particular point in time
- current and target security state for the business
Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA)?
- Identifying risk mitigation options
- Identifying critical business processes
- Identifying key business risks
- Identifying the threat environment
An information security manager is concerned that executive management does not support information security initiatives. Which of the following is the BEST way to address this situation?
- Report the risk and status of the information security program to the board
- Revise the information security strategy to meet executive management’s expectations
- Escalate noncompliance concerns to the internal audit manager
- Demonstrate alignment of the information security function with business needs
The MOST important reason that security risk assessments should be conducted frequently throughout an organization is because:
- control effectiveness may weaken
- compliance with legal and regulatory standards should be reassessed
- controls should be regularly tested
- threats to the organization may change
A recent audit has identified that security controls by the organization’s policies have not been implemented for a particular application. What should the information security manager do NEXT to address this issue?
- Discuss the issue with the data owners to determine the reason for the exception
- Discuss the issue with data custodians to determine the reason for the exception
- Report the issue to senior management and request funding to fix the issue
- Deny access to the application until the issue is resolved
Which of the following is the PRIMARY role of a data custodian?
- Validating information
- Processing information
- Classifying information
- Securing information
Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack?
- Utilize an intrusion detection system.
- Establish minimum security baselines.
- Implement vendor recommended settings.
- Perform periodic penetration testing.
Penetration testing is the best way to assure that perimeter security is adequate. An intrusion detection system (IDS) may detect an attempted attack, hut it will not confirm whether the perimeter is secured. Minimum security baselines and applying vendor recommended settings are beneficial, but they will not provide the level of assurance that is provided by penetration testing.
Which of the following presents the GREATEST exposure to internal attack on a network?
- User passwords are not automatically expired
- All network traffic goes through a single switch
- User passwords are encoded but not encrypted
- All users reside on a single internal subnet
When passwords are sent over the internal network in an encoded format, they can easily be converted to clear text. All passwords should be encrypted to provide adequate security. Not automatically expiring user passwords does create an exposure, but not as great as having unencrypted passwords. Using a single switch or subnet does not present a significant exposure.
Which of the following provides the linkage to ensure that procedures are correctly aligned with information security policy requirements?
- Security metrics
- IT governance
Standards are the bridge between high-level policy statements and the “how to” detailed formal of procedures. Security metrics and governance would not ensure correct alignment between policies and procedures. Similarly, guidelines are not linkage documents but rather provide suggested guidance on best practices.
Which of the following are the MOST important individuals to include as members of an information security steering committee?
- Direct reports to the chief information officer
- IT management and key business process owners
- Cross-section of end users and IT professionals
- Internal audit and corporate legal departments
Security steering committees provide a forum for management to express its opinion and take some ownership in the decision making process. It is imperative that business process owners be included in this process. None of the other choices includes input by business process owners.
Security audit reviews should PRIMARILY:
- ensure that controls operate as required.
- ensure that controls are cost-effective.
- focus on preventive controls.
- ensure controls are technologically current.
The primary objective of a security review or audit should be to provide assurance on the adequacy of security controls. Reviews should focus on all forms of control, not just on preventive control. Cost-effectiveness and technological currency are important but not as critical.
Which of the following is the MOST appropriate method to protect a password that opens a confidential file?
- Delivery path tracing
- Reverse lookup translation
- Out-of-band channels
- Digital signatures
Out-of-band channels are useful when it is necessary, for confidentiality, to break a message into two parts that are then sent by different means. Digital signatures only provide nonrepudiation. Reverse lookup translation involves converting; in Internet Protocol (IP) address to a username. Delivery path tracing shows the route taken but does not confirm the identity of the sender.
What is the MOST effective access control method to prevent users from sharing files with unauthorized users?
- Walled garden
Mandatory access controls restrict access to files based on the security classification of the file. This prevents users from sharing files with unauthorized users. Role-based access controls grant access according to the role assigned to a user; they do not prohibit file sharing. Discretionary and lattice-based access controls are not as effective as mandatory access controls in preventing file sharing. A walled garden is an environment that controls a user’s access to web content and services. In effect, the walled garden directs the user’s navigation within particular areas, and does not necessarily prevent sharing of other material.
Which of the following is an inherent weakness of signature-based intrusion detection systems?
- A higher number of false positives
- New attack methods will be missed
- Long duration probing will be missed
- Attack profiles can be easily spoofed
Signature-based intrusion detection systems do not detect new attack methods for which signatures have not yet been developed. False positives are not necessarily any higher, and spoofing is not relevant in this case. Long duration probing is more likely to fool anomaly-based systems (boiling frog technique).
Data owners are normally responsible for which of the following?
- Applying emergency changes to application data
- Administering security over database records
- Migrating application code changes to production
- Determining the level of application security required
Data owners approve access to data and determine the degree of protection that should be applied (data classification). Administering database security, making emergency changes to data and migrating code to production are infrastructure tasks performed by custodians of the data.
Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process?
- System analyst
- System user
- Operations manager
- Data security officer
System users, specifically the user acceptance testers, would be in the best position to note whether new exposures are introduced during the change management process. The system designer or system analyst, data security officer and operations manager would not be as closely involved in testing code changes.
What is the BEST way to ensure users comply with organizational security requirements for password complexity?
- Include password construction requirements in the security standards
- Require each user to acknowledge the password requirements
- Implement strict penalties for user noncompliance
- Enable system-enforced password configuration
Automated controls are generally more effective in preventing improper actions. Policies and standards provide some deterrence, but are not as effective as automated controls.
Which of the following is the MOST appropriate method for deploying operating system (OS) patches to production application servers?
- Batch patches into frequent server updates
- Initially load the patches on a test machine
- Set up servers to automatically download patches
- Automatically push all patches to the servers
Some patches can conflict with application code. For this reason, it is very important to first test all patches in a test environment to ensure that there are no conflicts with existing application systems. For this reason, choices C and D are incorrect as they advocate automatic updating. As for frequent server updates, this is an incomplete (vague) answer from the choices given.
Which of the following would present the GREATEST risk to information security?
- Virus signature files updates are applied to all servers every day
- Security access logs are reviewed within five business days
- Critical patches are applied within 24 hours of their release
- Security incidents are investigated within five business days
Security incidents are configured to capture system events that are important from the security perspective; they include incidents also captured in the security access logs and other monitoring tools. Although, in some instances, they could wait for a few days before they are researched, from the options given this would have the greatest risk to security. Most often, they should be analyzed as soon as possible. Virus signatures should be updated as often as they become available by the vendor, while critical patches should be installed as soon as they are reviewed and tested, which could occur in 24 hours.
The PRIMARY reason for using metrics to evaluate information security is to:
- identify security weaknesses.
- justify budgetary expenditures.
- enable steady improvement.
- raise awareness on security issues.
The purpose of a metric is to facilitate and track continuous improvement. It will not permit the identification of all security weaknesses. It will raise awareness and help in justifying certain expenditures, but this is not its main purpose.