Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 55
What is the BEST method to confirm that all firewall rules and router configuration settings are adequate?
- Periodic review of network configuration
- Review intrusion detection system (IDS) logs for evidence of attacks
- Periodically perform penetration tests
- Daily review of server logs for evidence of hacker activity
Due to the complexity of firewall rules and router tables, plus the sheer size of intrusion detection systems (IDSs) and server logs, a physical review will be insufficient. The best approach for confirming the adequacy of these configuration settings is to periodically perform attack and penetration tests.
Which of the following is MOST important for measuring the effectiveness of a security awareness program?
- Reduced number of security violation reports
- A quantitative evaluation to ensure user comprehension
- Increased interest in focus groups on security issues
- Increased number of security violation reports
To truly judge the effectiveness of security awareness training, some means of measurable testing is necessary to confirm user comprehension. Focus groups may or may not provide meaningful feedback but, in and of themselves, do not provide metrics. An increase or reduction in the number of violation reports may not be indicative of a high level of security awareness.
Which of the following is the MOST important action to take when engaging third-party consultants to conduct an attack and penetration test?
- Request a list of the software to be used
- Provide clear directions to IT staff
- Monitor intrusion detection system (IDS) and firewall logs closely
- Establish clear rules of engagement
It is critical to establish a clear understanding on what is permissible during the engagement. Otherwise, the tester may inadvertently trigger a system outage or inadvertently corrupt files. Not as important, but still useful, is to request a list of what software will be used. As for monitoring the intrusion detection system (IDS) and firewall, and providing directions to IT staff, it is better not to alert those responsible for monitoring (other than at the management level), so that the effectiveness of that monitoring can be accurately assessed.
Which of the following will BEST prevent an employee from using a USB drive to copy files from desktop computers?
- Restrict the available drive allocation on all PCs
- Disable universal serial bus (USB) ports on all desktop devices
- Conduct frequent awareness training with noncompliance penalties
- Establish strict access controls to sensitive information
Restricting the ability of a PC to allocate new drive letters ensures that universal serial bus (USB) drives or even CD-writers cannot be attached as they would not be recognized by the operating system. Disabling USB ports on all machines is not practical since mice and other peripherals depend on these connections. Awareness training and sanctions do not prevent copying of information nor do access controls.
Which of the following is the MOST important area of focus when examining potential security compromise of a new wireless network?
- Signal strength
- Number of administrators
- Encryption strength
The number of individuals with access to the network configuration presents a security risk. Encryption strength is an area where wireless networks tend to fall short; however, the potential to compromise the entire network is higher when an inappropriate number of people can alter the configuration. Signal strength and network bandwidth are secondary issues.
Good information security standards should:
- define precise and unambiguous allowable limits.
- describe the process for communicating violations.
- address high-level objectives of the organization.
- be updated frequently as new software is released.
A security standard should clearly state what is allowable; it should not change frequently. The process for communicating violations would be addressed by a security procedure, not a standard. High-level objectives of an organization would normally be addressed in a security policy.
Good information security procedures should:
- define the allowable limits of behavior.
- underline the importance of security governance.
- describe security baselines for each platform.
- be updated frequently as new software is released.
Security procedures often have to change frequently to keep up with changes in software. Since a procedure is a how-to document, it must be kept up-to-date with frequent changes in software. A security standard such as platform baselines — defines behavioral limits, not the how-to process; it should not change frequently. High-level objectives of an organization, such as security governance, would normally be addressed in a security policy.
What is the MAIN drawback of e-mailing password-protected zip files across the Internet? They:
- all use weak encryption.
- are decrypted by the firewall.
- may be quarantined by mail filters.
- may be corrupted by the receiving mail server.
Often, mail filters will quarantine zip files that are password-protected since the filter (or the firewall) is unable to determine if the file contains malicious code. Many zip file products are capable of using strong encryption. Such files are not normally corrupted by the sending mail server.
A major trading partner with access to the internal network is unwilling or unable to remediate serious information security exposures within its environment. Which of the following is the BEST recommendation?
- Sign a legal agreement assigning them all liability for any breach
- Remove all trading partner access until the situation improves
- Set up firewall rules restricting network traffic from that location
- Send periodic reminders advising them of their noncompliance
It is incumbent on an information security manager to see to the protection of their organization’s network, but to do so in a manner that does not adversely affect the conduct of business. This can be accomplished by adding specific traffic restrictions for that particular location. Removing all access will likely result in lost business. Agreements and reminders do not protect the integrity of the network.
Documented standards/procedures for the use of cryptography across the enterprise should PRIMARILY:
- define the circumstances where cryptography should be used.
- define cryptographic algorithms and key lengths.
- describe handling procedures of cryptographic keys.
- establish the use of cryptographic solutions.
There should be documented standards-procedures for the use of cryptography across the enterprise; they should define the circumstances where cryptography should be used. They should cover the selection of cryptographic algorithms and key lengths, but not define them precisely, and they should address the handling of cryptographic keys. However, this is secondary to how and when cryptography should be used. The use of cryptographic solutions should be addressed but, again, this is a secondary consideration.
Which of the following is the MOST immediate consequence of failing to tune a newly installed intrusion detection system (IDS) with the threshold set to a low value?
- The number of false positives increases
- The number of false negatives increases
- Active probing is missed
- Attack profiles are ignored
Failure to tune an intrusion detection system (IDS) will result in many false positives, especially when the threshold is set to a low value. The other options are less likely given the fact that the threshold for sounding an alarm is set to a low value.
What is the MOST appropriate change management procedure for the handling of emergency program changes?
- Formal documentation does not need to be completed before the change
- Business management approval must be obtained prior to the change
- Documentation is completed with approval soon after the change
- All changes must follow the same process
Even in the case of an emergency change, all change management procedure steps should be completed as in the case of normal changes. The difference lies in the timing of certain events. With an emergency change, it is permissible to obtain certain approvals and other documentation on “the morning after” once the emergency has been satisfactorily resolved. Obtaining business approval prior to the change is ideal but not always possible.
Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken?
- Information security officer
- Security steering committee
- Data owner
- Data custodian
Routine administration of all aspects of security is delegated, but senior management must retain overall responsibility. The information security officer supports and implements information security for senior management. The data owner is responsible for categorizing data security requirements. The data custodian supports and implements information security as directed.
The PRIMARY focus of the change control process is to ensure that changes are:
All steps in the change control process must be signed off on to ensure proper authorization. It is important that changes are applied, documented and tested; however, they are not the primary focus.
An information security manager has been asked to develop a change control process. What is the FIRST thing the information security manager should do?
- Research best practices
- Meet with stakeholders
- Establish change control procedures
- Identify critical systems
No new process will be successful unless it is adhered to by all stakeholders; to the extent stakeholders have input, they can be expected to follow the process. Without consensus agreement from the stakeholders, the scope of the research is too wide; input on the current environment is necessary to focus research effectively. It is premature to implement procedures without stakeholder consensus and research. Without knowing what the process will be the parameters to baseline are unknown as well.
A critical device is delivered with a single user and password that is required to be shared for multiple users to access the device. An information security manager has been tasked with ensuring all access to the device is authorized. Which of the following would be the MOST efficient means to accomplish this?
- Enable access through a separate device that requires adequate authentication
- Implement manual procedures that require password change after each use
- Request the vendor to add multiple user IDs
- Analyze the logs to detect unauthorized access
Choice A is correct because it allows authentication tokens to be provisioned and terminated for individuals and also introduces the possibility of logging activity by individual. Choice B is not effective because users can circumvent the manual procedures. Choice C is not the best option because vendor enhancements may take time and development, and this is a critical device. Choice D could, in some cases, be an effective complementary control but. because it is detective, it would not be the most effective in this instance.
Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application?
- User security procedures
- Business process flow
- IT security policy
- Regulatory requirements
Which of the following is the MOST important process that an information security manager needs to negotiate with an outsource service provider?
- The right to conduct independent security reviews
- A legally binding data protection agreement
- Encryption between the organization and the provider
- A joint risk assessment of the system
A key requirement of an outsource contract involving critical business systems is the establishment of the organization’s right to conduct independent security reviews of the provider’s security controls. A legally binding data protection agreement is also critical, but secondary to choice A, which permits examination of the actual security controls prevailing over the system and. as such, is the more effective risk management tool. Network encryption of the link between the organization and the provider may well be a requirement, but is not as critical since it would also be included in choice A. A joint risk assessment of the system in conjunction with the outsource provider may be a compromise solution, should the right to conduct independent security reviews of the controls related to the system prove contractually difficult.
Which resource is the MOST effective in preventing physical access tailgating/piggybacking?
- Card key door locks
- Photo identification
- Awareness training
- Biometric scanners
Awareness training would most likely result in any attempted tailgating being challenged by the authorized employee. Choices A, B and D are physical controls that, by themselves, would not be effective against tailgating.
In business critical applications, where shared access to elevated privileges by a small group is necessary, the BEST approach to implement adequate segregation of duties is to:
- ensure access to individual functions can be granted to individual users only.
- implement role-based access control in the application.
- enforce manual procedures ensuring separation of conflicting duties.
- create service accounts that can only be used by authorized team members.
Role-based access control is the best way to implement appropriate segregation of duties. Roles will have to be defined once and then the user could be changed from one role to another without redefining the content of the role each time. Access to individual functions will not ensure appropriate segregation of duties. Giving a user access to all functions and implementing, in parallel, a manual procedure ensuring segregation of duties is not an effective method, and would be difficult to enforce and monitor. Creating service accounts that can be used by authorized team members would not provide any help unless their roles are properly segregated.