Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 56
In business-critical applications, user access should be approved by the:
- information security manager.
- data owner.
- data custodian.
- business management.
A data owner is in the best position to validate access rights to users due to their deep understanding of business requirements and of functional implementation within the application. This responsibility should be enforced by the policy. An information security manager will coordinate and execute the implementation of the role-based access control. A data custodian will ensure that proper safeguards are in place to protect the data from unauthorized access; it is not the data custodian’s responsibility to assign access rights. Business management is not. in all cases, the owner of the data.
In organizations where availability is a primary concern, the MOST critical success factor of the patch management procedure would be the:
- testing time window prior to deployment.
- technical skills of the team responsible.
- certification of validity for deployment.
- automated deployment to all the servers.
Having the patch tested prior to implementation on critical systems is an absolute prerequisite where availability is a primary concern because deploying patches that could cause a system to fail could be worse than the vulnerability corrected by the patch. It makes no sense to deploy patches on every system. Vulnerable systems should be the only candidate for patching. Patching skills are not required since patches are more often applied via automated tools.
To ensure that all information security procedures are functional and accurate, they should be designed with the involvement of:
- end users.
- legal counsel.
- operational units.
- audit management.
Procedures at the operational level must be developed by or with the involvement of operational units that will use them. This will ensure that they are functional and accurate. End users and legal counsel are normally not involved in procedure development. Audit management generally oversees information security operations but does not get involved at the procedural level.
An information security manager reviewed the access control lists and observed that privileged access was granted to an entire department. Which of the following should the information security manager do FIRST?
- Review the procedures for granting access
- Establish procedures for granting emergency access
- Meet with data owners to understand business needs
- Redefine and implement proper access rights
An information security manager must understand the business needs that motivated the change prior to taking any unilateral action. Following this, all other choices could be correct depending on the priorities set by the business unit.
When security policies are strictly enforced, the initial impact is that:
- they may have to be modified more frequently.
- they will be less subject to challenge.
- the total cost of security is increased.
- the need for compliance reviews is decreased.
When security policies are strictly enforced, more resources are initially required, thereby increasing, the total cost of security. There would be less need for frequent modification. Challenges would be rare and the need for compliance reviews would not necessarily be less.
A business partner of a factory has remote read-only access to material inventory to forecast future acquisition orders. An information security manager should PRIMARILY ensure that there is:
- an effective control over connectivity and continuity.
- a service level agreement (SLA) including code escrow.
- a business impact analysis (BIA).
- a third-party certification.
The principal risk focus is the connection procedures to maintain continuity in case of any contingency. Although an information security manager may be interested in the service level agreement (SLA), code escrow is not a concern. A business impact analysis (BIA) refers to contingency planning and not to system access. Third-party certification does not provide any assurance of controls over connectivity to maintain continuity.
Which of the following should be in place before a black box penetration test begins?
- IT management approval
- Proper communication and awareness training
- A clearly stated definition of scope
- An incident response plan
Having a clearly stated definition of scope is most important to ensure a proper understanding of risk as well as success criteria, IT management approval may not be required based on senior management decisions. Communication, awareness and an incident response plan are not a necessary requirement. In fact, a penetration test could help promote the creation and execution of the incident response plan.
What is the MOST important element to include when developing user security awareness material?
- Information regarding social engineering
- Detailed security policies
- Senior management endorsement
- Easy-to-read and compelling information
Making security awareness material easy and compelling to read is the most important success factor. Users must be able to understand, in easy terms, complex security concepts in a way that makes compliance more accessible. Choice A would also be important but it needs to be presented in an adequate format. Detailed security policies might not necessarily be included in the training materials. Senior management endorsement is important for the security program as a whole and not necessarily for the awareness training material.
What is the MOST important success factor in launching a corporate information security awareness program?
- Adequate budgetary support
- Centralized program management
- Top-down approach
- Experience of the awareness trainers
Senior management support will provide enough resources and will focus attention to the program: training should start at the top levels to gain support and sponsorship. Funding is not a primary concern. Centralized management does not provide sufficient support. Trainer experience, while important, is not the primary success factor.
Which of the following events generally has the highest information security impact?
- Opening a new office
- Merging with another organization
- Relocating the data center
- Rewiring the network
Merging with or acquiring another organization causes a major impact on an information security management function because new vulnerabilities and risks are inherited. Opening a new office, moving the data center to a new site, or rewiring a network may have information security risks, but generally comply with corporate security policy and are easier to secure.
The configuration management plan should PRIMARILY be based upon input from:
- business process owners.
- the information security manager.
- the security steering committee.
- IT senior management.
Although business process owners, an information security manager and the security steering committee may provide input regarding a configuration management plan, its final approval is the primary responsibility of IT senior management.
Which of the following is the MOST effective, positive method to promote security awareness?
- Competitions and rewards for compliance
- Lock-out after three incorrect password attempts
- Strict enforcement of password formats
- Disciplinary action for noncompliance
Competitions and rewards are a positive encouragement to user participation in the security program. Merely locking users out for forgetting their passwords does not enhance user awareness. Enforcement of password formats and disciplinary actions do not positively promote awareness.
An information security program should focus on:
- best practices also in place at peer companies.
- solutions codified in international standards.
- key controls identified in risk assessments.
- continued process improvement.
Risk assessment identifies the appropriate controls to mitigate identified business risks that the program should implement to protect the business. Peer industry best practices, international standards and continued process improvement can be used to support the program, but these cannot be blindly implemented without the consideration of business risk.
Who should determine the appropriate classification of accounting ledger data located on a database server and maintained by a database administrator in the IT department?
- Database administrator (DBA)
- Finance department management
- Information security manager
- IT department management
Data owners are responsible for determining data classification; in this case, management of the finance department would be the owners of accounting ledger data. The database administrator (DBA) and IT management are the custodians of the data who would apply the appropriate security levels for the classification, while the security manager would act as an advisor and enforcer.
Which of the following would be the MOST significant security risk in a pharmaceutical institution?
- Compromised customer information
- Unavailability of online transactions
- Theft of security tokens
- Theft of a Research and Development laptop
The research and development department is usually the most sensitive area of the pharmaceutical organization, Theft of a laptop from this area could result in the disclosure of sensitive formulas and other intellectual property which could represent the greatest security breach. A pharmaceutical organization does not normally have direct contact with end customers and their transactions are not time critical: therefore, compromised customer information and unavailability of online transactions are not the most significant security risks. Theft of security tokens would not be as significant since a pin would still be required for their use.
Which of the following is the BEST tool to maintain the currency and coverage of an information security program within an organization?
- The program’s governance oversight mechanisms
- Information security periodicals and manuals
- The program’s security architecture and design
- Training and certification of the information security team
While choices B, C and D will all assist the currency and coverage of the program, its governance oversight mechanisms are the best method.
Which of the following would BEST assist an information security manager in measuring the existing level of development of security processes against their desired state?
- Security audit reports
- Balanced scorecard
- Capability maturity model (CMM)
- Systems and business security architecture
The capability maturity model (CMM) grades each defined area of security processes on a scale of 0 to 5 based on their maturity, and is commonly used by entities to measure their existing state and then determine the desired one. Security audit reports offer a limited view of the current state of security. Balanced scorecard is a document that enables management to measure the implementation of their strategy and assists in its translation into action. Systems and business security architecture explain the security architecture of an entity in terms of business strategy, objectives, relationships, risks, constraints and enablers, and provides a business-driven and business-focused view of security architecture.
Who is responsible for raising awareness of the need for adequate funding for risk action plans?
- Chief information officer (CIO)
- Chief financial officer (CFO)
- Information security manager
- Business unit management
The information security manager is responsible for raising awareness of the need for adequate funding for risk-related action plans. Even though the chief information officer (CIO), chief financial officer (CFO) and business unit management are involved in the final approval of fund expenditure, it is the information security manager who has the ultimate responsibility for raising awareness.
Managing the life cycle of a digital certificate is a role of a(n):
- system administrator.
- security administrator.
- system developer.
- independent trusted source.
Digital certificates must be managed by an independent trusted source in order to maintain trust in their authenticity. The other options are not necessarily entrusted with this capability.
Which of the following would be MOST critical to the successful implementation of a biometric authentication system?
- Budget allocation
- Technical skills of staff
- User acceptance
- Password requirements
End users may react differently to the implementation, and may have specific preferences. The information security manager should be aware that what is viewed as reasonable in one culture may not be acceptable in another culture. Budget allocation will have a lesser impact since what is rejected as a result of culture cannot be successfully implemented regardless of budgetary considerations. Technical skills of staff will have a lesser impact since new staff can be recruited or existing staff can be trained. Although important, password requirements would be less likely to guarantee the success of the implementation.