Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 57

  1. Change management procedures to ensure that disaster recovery/business continuity plans are kept up-to-date can be BEST achieved through which of the following?

    • Reconciliation of the annual systems inventory to the disaster recovery, business continuity plans
    • Periodic audits of the disaster recovery/business continuity plans
    • Comprehensive walk-through testing
    • Inclusion as a required step in the system life cycle process

    Information security should be an integral component of the development cycle; thus, it should be included at the process level. Choices A, B and C are good mechanisms to ensure compliance, but would not be nearly as timely in ensuring that the plans are always up-to-date. Choice D is a preventive control, while choices A, B and C are detective controls.

  2. When a new key business application goes into production, the PRIMARY reason to update relevant business impact analysis (BIA) and business continuity/disaster recovery plans is because:

    • this is a requirement of the security policy.
    • software licenses may expire in the future without warning.
    • the asset inventory must be maintained.
    • service level agreements may not otherwise be met.
    The key requirement is to preserve availability of business operations. Choice A is a correct compliance requirement, but is not the main objective in this case. Choices B and C are supplementary requirements for business continuity/disaster recovery planning.
  3. To reduce the possibility of service interruptions, an entity enters into contracts with multiple Internet service providers (ISPs). Which of the following would be the MOST important item to include?

    • Service level agreements (SLAs)
    • Right to audit clause
    • Intrusion detection system (IDS) services
    • Spam filtering services
    Service level agreements (SLA) will be most effective in ensuring that Internet service providers (ISPs) comply with expectations for service availability. Intrusion detection system (IDS) and spam filtering services would not mitigate (as directly) the potential for service interruptions. A right-to-audit clause would not be effective in mitigating the likelihood of a service interruption.
  4. To mitigate a situation where one of the programmers of an application requires access to production data, the information security manager could BEST recommend to.

    • create a separate account for the programmer as a power user.
    • log all of the programmers’ activity for review by supervisor.
    • have the programmer sign a letter accepting full responsibility.
    • perform regular audits of the application.
    It is not always possible to provide adequate segregation of duties between programming and operations in order to meet certain business requirements. A mitigating control is to record all of the programmers’ actions for later review by their supervisor, which would reduce the likelihood of any inappropriate action on the part of the programmer. Choices A, C and D do not solve the problem.
  5. Before engaging outsourced providers, an information security manager should ensure that the organization’s data classification requirements:

    • are compatible with the provider’s own classification.
    • are communicated to the provider.
    • exceed those of the outsourcer.
    • are stated in the contract.
    The most effective mechanism to ensure that the organization’s security standards are met by a third party, would be a legal agreement. Choices A. B and C are acceptable options, but not as comprehensive or as binding as a legal contract.
  6. What is the GREATEST risk when there is an excessive number of firewall rules?

    • One rule may override another rule in the chain and create a loophole
    • Performance degradation of the whole network
    • The firewall may not support the increasing number of rules due to limitations
    • The firewall may show abnormal behavior and may crash or automatically shut down

    If there are many firewall rules, there is a chance that a particular rule may allow an external connection although other associated rules are overridden. Due to the increasing number of rules, it becomes complex to test them and. over time, a loophole may occur.

  7. Which of the following would be the MOST appropriate physical security solution for the main entrance to a data center”?

    • Mantrap
    • Biometric lock
    • Closed-circuit television (CCTV)
    • Security guard

    A biometric device will ensure that only the authorized user can access the data center. A mantrap, by itself, would not be effective. Closed-circuit television (CCTV) and a security guard provide a detective control, but would not be as effective in authenticating the access rights of each individual.

  8. What is the GREATEST advantage of documented guidelines and operating procedures from a security perspective?

    • Provide detailed instructions on how to carry out different types of tasks
    • Ensure consistency of activities to provide a more stable environment
    • Ensure compliance to security standards and regulatory requirements
    • Ensure reusability to meet compliance to quality requirements

    Developing procedures and guidelines to ensure that business processes address information security risk is critical to the management of an information security program. Developing procedures and guidelines establishes a baseline for security program performance and consistency of security activities.

  9. What is the BEST way to ensure data protection upon termination of employment?

    • Retrieve identification badge and card keys
    • Retrieve all personal computer equipment
    • Erase all of the employee’s folders
    • Ensure all logical access is removed

    Ensuring all logical access is removed will guarantee that the former employee will not be able to access company data and that the employee’s credentials will not be misused. Retrieving identification badge and card keys would only reduce the capability to enter the building. Retrieving the personal computer equipment and the employee’s folders are necessary tasks, but that should be done as a second step.

  10. The MOST important reason for formally documenting security procedures is to ensure:

    • processes are repeatable and sustainable.
    • alignment with business objectives.
    • auditability by regulatory agencies.
    • objective criteria for the application of metrics.

    Without formal documentation, it would be difficult to ensure that security processes are performed in the proper manner every time that they are performed. Alignment with business objectives is not a function of formally documenting security procedures. Processes should not be formally documented merely to satisfy an audit requirement. Although potentially useful in the development of metrics, creating formal documentation to assist in the creation of metrics is a secondary objective.

  11. Which of the following is the BEST approach for an organization desiring to protect its intellectual property?

    • Conduct awareness sessions on intellectual property policy
    • Require all employees to sign a nondisclosure agreement
    • Promptly remove all access when an employee leaves the organization
    • Restrict access to a need-to-know basis

    Security awareness regarding intellectual property policy will not prevent violations of this policy. Requiring all employees to sign a nondisclosure agreement and promptly removing all access when an employee leaves the organization are good controls, but not as effective as restricting access to a need-to- know basis.

  12. The “separation of duties” principle is violated if which of the following individuals has update rights to the database access control list (ACL)?

    • Data owner
    • Data custodian
    • Systems programmer
    • Security administrator

    A systems programmer should not have privileges to modify the access control list (ACL) because this would give the programmer unlimited control over the system. The data owner would request and approve updates to the ACL, but it is not a violation of the separation of duties principle if the data owner has update rights to the ACL. The data custodian and the security administrator could carry out the updates on the ACL since it is part of their duties as delegated to them by the data owner.

  13. An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download non sensitive production data for software testing purposes. The information security manager should recommend which of the following?

    • Restrict account access to read only
    • Log all usage of this account
    • Suspend the account and activate only when needed
    • Require that a change request be submitted for each download

    Administrative accounts have permission to change data. This is not required for the developers to perform their tasks. Unauthorized change will damage the integrity of the data. Logging all usage of the account, suspending the account and activating only when needed, and requiring that a change request be submitted for each download will not reduce the exposure created by this excessive level of access. Restricting the account to read only access will ensure that the integrity can be maintained while permitting access.

  14. Which would be the BEST recommendation to protect against phishing attacks?

    • Install an antispam system
    • Publish security guidance for customers
    • Provide security awareness to the organization’s staff
    • Install an application-level firewall

    Customers of the organization are the target of phishing attacks. Installing security software or training the organization’s staff will be useless. The effort should be put on the customer side.

  15. Which of the following is the BEST indicator that an effective security control is built into an organization?

    • The monthly service level statistics indicate a minimal impact from security issues.
    • The cost of implementing a security control is less than the value of the assets.
    • The percentage of systems that is compliant with security standards.
    • The audit reports do not reflect any significant findings on security.

    The best indicator of effective security control is the evidence of little disruption to business operations. Choices B, C and D can support this evidence, but are supplemental to choice A.

  16. What is the BEST way to alleviate security team understaffing while retaining the capability in-house?

    • Hire a contractor that would not be included in the permanent headcount
    • Outsource with a security services provider while retaining the control internally
    • Establish a virtual security team from competent employees across the company
    • Provide cross training to minimize the existing resources gap

    While hiring an indirect resource that will not be part of headcount will help to add an extra resource, it usually costs more than a direct employee; thus, it is not cost efficient. Outsourcing may be a more expensive option and can add complexities to the service delivery. Competent security staff can be recruited from other departments e.g., IT. product development, research and development (R&D). By leveraging existing resources, there is a nominal additional cost. It is also a strategic option since the staff may join the team as full members in the future (internal transfer). Development of staff is often a budget drain and, if not managed carefully, these resources may move away from the company and leave the team with a bigger resource gap.

  17. An information security manager wishing to establish security baselines would:

    • include appropriate measurements in the system development life cycle.
    • implement the security baselines to establish information security best practices.
    • implement the security baselines to fulfill laws and applicable regulations in different jurisdictions.
    • leverage information security as a competitive advantage.

    While including appropriate measurements in the system development life cycle may indicate a security baseline practice; these are wider in scope and, thus, implementing security baselines to establish information security best practices is the appropriate answer. Implementing security baselines to fulfill laws and applicable regulations in different jurisdictions, and leveraging information security as a competitive advantage may be supplementary benefits of using security baselines.

  18. Requiring all employees and contractors to meet personnel security/suitability requirements commensurate with their position sensitivity level and subject to personnel screening is an example of a security:

    • policy.
    • strategy.
    • guideline
    • baseline.

    A security policy is a general statement to define management objectives with respect to security. The security strategy addresses higher level issues. Guidelines are optional actions and operational tasks. A security baseline is a set of minimum requirements that is acceptable to an organization.

  19. An organization’s information security manager has been asked to hire a consultant to help assess the maturity level of the organization’s information security management. The MOST important element of the request for proposal (RIP) is the:

    • references from other organizations.
    • past experience of the engagement team.
    • sample deliverable.
    • methodology used in the assessment.

    Methodology illustrates the process and formulates the basis to align expectations and the execution of the assessment. This also provides a picture of what is required of all parties involved in the assessment. References from other organizations are important, but not as important as the methodology used in the assessment. Past experience of the engagement team is not as important as the methodology used. Sample deliverables only tell how the assessment is presented, not the process.

  20. Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to:

    • assess the problems and institute rollback procedures, if needed.
    • disconnect the systems from the network until the problems are corrected.
    • immediately uninstall the patches from these systems.
    • immediately contact the vendor regarding the problems that occurred.

    Assessing the problems and instituting rollback procedures as needed would be the best course of action. Choices B and C would not identify where the problem was, and may in fact make the problem worse. Choice D is part of the assessment.