Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 58

  1. When defining a service level agreement (SLA) regarding the level of data confidentiality that is handled by a third-party service provider, the BEST indicator of compliance would be the:

    • access control matrix.
    • encryption strength.
    • authentication mechanism.
    • data repository.


    The access control matrix is the best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses. Encryption strength, authentication mechanism and data repository might be defined in the SLA but are not confidentiality compliance indicators.

  2. The PRIMARY reason for involving information security at each stage in the systems development life cycle (SDLC) is to identify the security implications and potential solutions required for:

    • identifying vulnerabilities in the system.
    • sustaining the organization’s security posture.
    • the existing systems that will be affected.
    • complying with segregation of duties.

    It is important to maintain the organization’s security posture at all times. The focus should not be confined to the new system being developed or acquired, or to the existing systems in use. Segregation of duties is only part of a solution to improving the security of the systems, not the primary reason to involve security in the systems development life cycle (SDLC).

  3. The implementation of continuous monitoring controls is the BEST option where:

    • incidents may have a high impact and frequency
    • legislation requires strong information security controls
    • incidents may have a high impact but low frequency
    • Electronic commerce is a primary business driver

    Continuous monitoring control initiatives are expensive, so they have to be used in areas where the risk is at its greatest level. These areas are the ones with high impact and high frequency of occurrence. Regulations and legislations that require tight IT security measures focus on requiring organizations to establish an IT security governance structure that manages IT security with a risk-based approach, so each organization decides which kinds of controls are implemented. Continuous monitoring is not necessarily a requirement. Measures such as contingency planning are commonly used when incidents rarely happen but have a high impact each time they happen. Continuous monitoring is unlikely to be necessary. Continuous control monitoring initiatives are not needed in all electronic commerce environments. There are some electronic commerce environments where the impact of incidents is not high enough to support the implementation of this kind of initiative.

  4. A third party was engaged to develop a business application. Which of the following would an information security manager BEST test for the existence of back doors?

    • System monitoring for traffic on network ports
    • Security code reviews for the entire application
    • Reverse engineering the application binaries
    • Running the application from a high-privileged account on a test system

    Security’ code reviews for the entire application is the best measure and will involve reviewing the entire source code to detect all instances of back doors. System monitoring for traffic on network ports would not be able to detect all instances of back doors and is time consuming and would take a lot of effort. Reverse engineering the application binaries may not provide any definite clues. Back doors will not surface by running the application on high-privileged accounts since back doors are usually hidden accounts in the applications.

  5. An information security manager reviewing firewall rules will be MOST concerned if the firewall allows:

    • source routing.
    • broadcast propagation.
    • unregistered ports.
    • nonstandard protocols.

    If the firewall allows source routing, any outsider can carry out spoofing attacks by stealing the internal (private) IP addresses of the organization. Broadcast propagation, unregistered ports and nonstandard protocols do not create a significant security exposure.

  6. What is the MOS T cost-effective means of improving security awareness of staff personnel?

    • Employee monetary incentives
    • User education and training
    • A zero-tolerance security policy
    • Reporting of security infractions

    User education and training is the most cost-effective means of influencing staff to improve security since personnel are the weakest link in security. Incentives perform poorly without user education and training. A zero-tolerance security policy would not be as good as education and training. Users would not have the knowledge to accurately interpret and report violations without user education and training.

  7. Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)?

    • Card-key door locks
    • Photo identification
    • Biometric scanners
    • Awareness training

    Awareness training would most likely result in any attempted tailgating being challenged by the authorized employee. The other choices are physical controls which by themselves would not be effective against tailgating.

  8. Data owners will determine what access and authorizations users will have by:

    • delegating authority to data custodian.
    • cloning existing user accounts.
    • determining hierarchical preferences.
    • mapping to business needs.

    Access and authorizations should be based on business needs. Data custodians implement the decisions made by data owners. Access and authorizations are not to be assigned by cloning existing user accounts or determining hierarchical preferences. By cloning, users may obtain more access rights and privileges than is required to do their job. Hierarchical preferences may be based on individual preferences and not on business needs.

  9. Which of the following is the MOST likely outcome of a well-designed information security awareness course?

    • Increased reporting of security incidents to the incident response function
    • Decreased reporting of security incidents to the incident response function
    • Decrease in the number of password resets
    • Increase in the number of identified system vulnerabilities

    A well-organized information security awareness course informs all employees of existing security policies, the importance of following safe practices for data security anil the need to report any possible security incidents to the appropriate individuals in the organization. The other choices would not be the likely outcomes.

  10. Which item would be the BEST to include in the information security awareness training program for new general staff employees?

    • Review of various security models
    • Discussion of how to construct strong passwords
    • Review of roles that have privileged access
    • Discussion of vulnerability assessment results
  11. A critical component of a continuous improvement program for information security is:

    • measuring processes and providing feedback.
    • developing a service level agreement (SLA) for security.
    • tying corporate security standards to a recognized international standard.
    • ensuring regulatory compliance.

    If an organization is unable to take measurements that will improve the level of its safety program. then continuous improvement is not possible. Although desirable, developing a service level agreement (SLA) for security, tying corporate security standards to a recognized international standard and ensuring regulatory compliance are not critical components for a continuous improvement program.

  12. The management staff of an organization that does not have a dedicated security function decides to use its IT manager to perform a security review. The MAIN job requirement in this arrangement is that the IT manager

    • report risks in other departments.
    • obtain support from other departments.
    • report significant security risks.
    • have knowledge of security standards.

    The IT manager needs to report the security risks in the environment pursuant to the security review, including risks in the IT implementation. Choices A, B and D are important, but not the main responsibilities or job requirements.

  13. An organization has implemented an enterprise resource planning (ERP) system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate?

    • Rule-based
    • Mandatory
    • Discretionary
    • Role-based

    Role-based access control is effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles. Rule-based access control needs to define the access rules, which is troublesome and error prone in large organizations. In mandatory access control, the individual’s access to information resources needs to be defined, which is troublesome in large organizations. In discretionary access control, users have access to resources based on predefined sets of principles, which is an inherently insecure approach.

  14. An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that:

    • an audit of the service provider uncovers no significant weakness.
    • the contract includes a nondisclosure agreement (NDA) to protect the organization’s intellectual property.
    • the contract should mandate that the service provider will comply with security policies.
    • the third-party service provider conducts regular penetration testing.

    It is critical to include the security requirements in the contract based ON the company’s security policy to ensure that the necessary security controls are implemented by the service provider. The audit is normally a one-time effort and cannot provide ongoing assurance of the security. A nondisclosure agreement (NDA) should be part of the contract; however, it is not critical to the security of the web site. Penetration testing alone would not provide total security to the web site; there are lots of controls that cannot be tested through penetration testing.

  15. Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?

    • To mitigate technical risks
    • To have an independent certification of network security
    • To receive an independent view of security exposures
    • To identify a complete list of vulnerabilities

    Even though the organization may have the capability to perform penetration testing with internal resources, third-party penetration testing should be performed to gain an independent view of the security exposure. Mitigating technical risks is not a direct result of a penetration test. A penetration test would not provide certification of network security nor provide a complete list of vulnerabilities.

  16. A new port needs to be opened in a perimeter firewall. Which of the following should be the FIRST step before initiating any changes?

    • Prepare an impact assessment report.
    • Conduct a penetration test.
    • Obtain approval from senior management.
    • Back up the firewall configuration and policy files.

    An impact assessment report needs to be prepared first by providing the justification for the change, analysis of the changes to be made, the impact if the change does not work as expected, priority of the change and urgency of the change request. Choices B. C and D could be important steps, but the impact assessment report should be performed before the other steps.

  17. An organization plans to outsource its customer relationship management (CRM) to a third-party service provider. Which of the following should the organization do FIRST?

    • Request that the third-party provider perform background checks on their employees.
    • Perform an internal risk assessment to determine needed controls.
    • Audit the third-party provider to evaluate their security controls.
    • Perform a security assessment to detect security vulnerabilities.

    An internal risk assessment should be performed to identify the risk and determine needed controls. A background check should be a standard requirement for the service provider. Audit objectives should be determined from the risk assessment results. Security assessment does not cover the operational risks.

  18. Which of the following would raise security awareness among an organization’s employees?

    • Distributing industry statistics about security incidents
    • Monitoring the magnitude of incidents
    • Encouraging employees to behave in a more conscious manner
    • Continually reinforcing the security policy

    Employees must be continually made aware of the policy and expectations of their behavior. Choice A would have little relevant bearing on the employee’s behavior. Choice B does not involve the employees. Choice C could be an aspect of continual reinforcement of the security policy.

  19. Which of the following is the MOST appropriate method of ensuring password strength in a large organization?

    • Attempt to reset several passwords to weaker values
    • Install code to capture passwords for periodic audit
    • Sample a subset of users and request their passwords for review
    • Review general security settings on each platform

    Reviewing general security settings on each platform will be the most efficient method for determining password strength while not compromising the integrity of the passwords. Attempting to reset several passwords to weaker values may not highlight certain weaknesses. Installing code to capture passwords for periodic audit, and sampling a subset of users and requesting their passwords for review, would compromise the integrity of the passwords.

  20. What is the MOST cost-effective method of identifying new vendor vulnerabilities?

    • External vulnerability reporting sources
    • Periodic vulnerability assessments performed by consultants
    • Intrusion prevention software
    • honey pots located in the DMZ

    External vulnerability sources are going to be the most cost-effective method of identifying these vulnerabilities. The cost involved in choices B and C would be much higher, especially if performed at regular intervals. Honeypots would not identify all vendor vulnerabilities. In addition, honeypots located in the DMZ can create a security risk if the production network is not well protected from traffic from compromised honey pots.