Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 62
Which of the following is the PRIMARY reason to avoid alerting certain users of an upcoming penetration test?
- To prevent exploitation by malicious parties
- To aid in the success of the penetration
- To evaluate detection and response capabilities
- To reduce the scope and duration of the test
Which of the following metrics provides the BEST indication of the effectiveness of a security awareness campaign?
- The number of reported security events
- Quiz scores for users who took security awareness classes
- User approval rating of security awareness classes
- Percentage of users who have taken the courses
Which of the following is the BEST type of access control for an organization with employees who move between departments?
Which of the following is the BEST mechanism to prevent data loss in the event personal computing equipment is stolen or lost?
- Data encryption
- Remote access to device
- Data leakage prevention (DLP)
- Personal firewall
Which of the following should cause the GREATEST concern for an information security manager reviewing the effectiveness of an intrusion prevention system (IPS)?
- Increase in false negatives
- Decrease in malicious packets
- Decrease in false positives
- Increase in crossover error rate
Using which of the following metrics will BEST help to determine the resiliency of IT infrastructure security controls?
- Number of successful disaster recovery tests
- Percentage of outstanding high-risk audit issues
- Frequency of updates to system software
- Number of incidents resulting in disruptions
An employee is found to be using an external cloud storage service to share corporate information with a third-party consultant, which is against company policy. Which of the following should be the information security manager’s FIRST course of action?
- Determine the classification level of the information.
- Seek business justification from the employee.
- Block access to the cloud storage service.
- Inform higher management of a security breach.
Which of the following is the MOST important outcome of a well-implemented awareness program?
- The board is held accountable for risk management.
- The number of reported security incidents steadily decreases.
- The number of successful social engineering attacks is reduced.
- Help desk response time to resolve incidents is improved.
Penetration testing is MOST appropriate when a:
- new system is about to go live.
- security incident has occurred.
- security policy is being developed.
- new system is being designed.
Which of the following should be the FIRST step to ensure system updates are applied in a timely manner?
- Run a patch management scan to discover which patches are missing from each machine.
- Create a regression test plan to ensure business operation is not interrupted.
- Cross-reference all missing patches to establish the date each patch was introduced.
- Establish a risk-based assessment process for prioritizing patch implementation.
An organization’s operations staff places payment files in a shared network folder and then the disbursement staff picks up the files for payment processing. This manual intervention will be automated some months later, thus cost-efficient controls are sought to protect against file alterations. Which of the following would be the BEST solution?
- Design a training program for the staff involved to heighten information security awareness
- Set role-based access permissions on the shared folder
- The end user develops a PC macro program to compare sender and recipient file contents
- Shared folder operators sign an agreement to pledge not to commit fraudulent activities
Ideally, requesting that the IT department develop an automated integrity check would be desirable, but given the temporary nature of the problem, the risk can be mitigated by setting stringent access permissions on the shared folder. Operations staff should only have write access and disbursement staff should only have read access, and everyone else, including the administrator, should be disallowed. An information security awareness program and/or signing an agreement to not engage in fraudulent activities may help deter attempts made by employees; however, as long as employees see a chance of personal gain when internal control is loose, they may embark on unlawful activities such as alteration of payment files. A PC macro would be an inexpensive automated solution to develop with control reports. However, sound independence or segregation of duties cannot be expected in the reconciliation process since it is run by an end-user group. Therefore, this option may not provide sufficient proof.
Which of the following BEST ensures that security risks will be reevaluated when modifications in application developments are made?
- A problem management process
- Background screening
- A change control process
- Business impact analysis (BIA)
A change control process is the methodology that ensures that anything that could be impacted by a development change will be reevaluated. Problem management is the general process intended to manage all problems, not those specifically related to security. Background screening is the process to evaluate employee references when they are hired. BIA is the methodology used to evaluate risks in the business continuity process.
Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities?
- Vulnerability scans
- Penetration tests
- Code reviews
- Security audits
A penetration test is normally the only security assessment that can link vulnerabilities together by exploiting them sequentially. This gives a good measurement and prioritization of risks. Other security assessments such as vulnerability scans, code reviews and security audits can help give an extensive and thorough risk and vulnerability overview, but will not be able to test or demonstrate the final consequence of having several vulnerabilities linked together. Penetration testing can give risk a new perspective and prioritize based on the end result of a sequence of security problems.
In which of the following system development life cycle (SDLC) phases are access control and encryption algorithms chosen?
- Procedural design
- Architectural design
- System design specifications
- Software development
The system design specifications phase is when security specifications are identified. The procedural design converts structural components into a procedural description of the software. The architectural design is the phase that identifies the overall system design, but not the specifics. Software development is too late a stage since this is the phase when the system is already being coded.
Which of the following is generally considered a fundamental component of an information security program?
- Role-based access control systems
- Automated access provisioning
- Security awareness training
- Intrusion prevention systems (IPSs)
Without security awareness training, many components of the security program may not be effectively implemented. The other options may or may not be necessary, but are discretionary.
How would an organization know if its new information security program is accomplishing its goals?
- Key metrics indicate a reduction in incident impacts.
- Senior management has approved the program and is supportive of it.
- Employees are receptive to changes that were implemented.
- There is an immediate reduction in reported incidents.
Option A is correct since an effective security program will show a trend in impact reduction. Options B and C may well derive from a performing program, but are not as significant as option A. Option D may indicate that it is not successful.
A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that:
- it simulates the real-life situation of an external security attack.
- human intervention is not required for this type of test.
- less time is spent on reconnaissance and information gathering.
- critical infrastructure information is not revealed to the tester.
Data and information required for penetration are shared with the testers, thus eliminating time that would otherwise have been spent on reconnaissance and gathering of information. Blind (black box) penetration testing is closer to real life than full disclosure (white box) testing. There is no evidence to support that human intervention is not required for this type of test. A full disclosure (white box) methodology requires the knowledge of the subject being tested.
Which of the following is the BEST method to reduce the number of incidents of employees forwarding spam and chain e-mail messages?
- Acceptable use policy
- Setting low mailbox limits
- User awareness training
- Taking disciplinary action
User awareness training would help in reducing the incidents of employees forwarding spam and chain e-mails since users would understand the risks of doing so and the impact on the organization’s information system. An acceptable use policy, signed by employees, would legally address the requirements but merely having a policy is not the best measure. Setting low mailbox limits and taking disciplinary action are a reactive approach and may not help in obtaining proper support from employees.
Which of the following is the BEST approach to mitigate online brute-force attacks on user accounts?
- Passwords stored in encrypted form
- User awareness
- Strong passwords that are changed periodically
- Implementation of lock-out policies
Implementation of account lock-out policies significantly inhibits brute-force attacks. In cases where this is not possible, strong passwords that are changed periodically would be an appropriate choice. Passwords stored in encrypted form will not defeat an online brute-force attack if the password itself is easily guessed. User awareness would help but is not the best approach of the options given.
Which of the following measures is the MOST effective deterrent against disgruntled staff abusing their privileges?
- Layered defense strategy
- System audit log monitoring
- Signed acceptable use policy
- High-availability systems
A layered defense strategy would only prevent those activities that are outside of the user’s privileges. A signed acceptable use policy is often an effective deterrent against malicious activities because of the potential for termination of employment and/or legal actions being taken against the individual. System audit log monitoring is after the fact and may not be effective. High-availability systems have high costs and are not always feasible for all devices and components or systems.