Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 72
-
Which of the following is a risk of cross-training?
- Increases the dependence on one employee
- Does not assist in succession planning
- One employee may know all parts of a system
- Does not help in achieving a continuity of operations
Explanation:
When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee and, hence, can be part of succession planning. It also provides backup for personnel in the event of absence for any reason and thereby facilitates the continuity of operations.
-
Which of the following reduces the potential impact of social engineering attacks?
- Compliance with regulatory requirements
- Promoting ethical understanding
- Security awareness programs
- Effective performance incentives
Explanation:
Because social engineering is based on deception of the user, the best countermeasure or defense is a security awareness program. The other choices are not user-focused.
-
Which of the following activities performed by a database administrator (DBA) should be performed by a different person?
- Deleting database activity logs
- Implementing database optimization tools
- Monitoring database usage
- Defining backup and recovery procedures
Explanation:
Since database activity logs record activities performed by the database administrator (DBA), deleting them should be performed by an individual other than the DBA. This is a compensating control to aid in ensuring an appropriate segregation of duties and is associated with the DBA’s role. A DBA should perform the other activities as part of the normal operations.
-
When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control?
- Restricting physical access to computing equipment
- Reviewing transaction and application logs
- Performing background checks prior to hiring IT staff
- Locking user sessions after a specified period of inactivity
Explanation:
Only reviewing transaction and application logs directly addresses the threat posed by poor segregation of duties. The review is a means of detecting inappropriate behavior and also discourages abuse, because people who may otherwise be tempted to exploit the situation are aware of the likelihood of being caught. Inadequate segregation of duties is more likely to be exploited via logical access to data and computing resources rather than physical access. Choice C is a useful control to ensure IT staff are trustworthy and competent but does not directly address the lack of an optimal segregation of duties. Choice D acts to prevent unauthorized users from gaining system access, but the issue of a lack of segregation of duties is more the misuse (deliberately or inadvertently) of access privileges that have officially been granted.
-
When training an incident response team, the advantage of using tabletop exercises is that they:
- provide the team with practical experience in responding to incidents
- ensure that the team can respond to any incident
- remove the need to involve senior managers in the response process
- enable the team to develop effective response interactions
-
An information security manager that is utilizing a public cloud is performing a root cause investigation of an incident that took place in that environment. Which of the following should be the security manager’s MAIN concern?
- Limited access to information
- Shared infrastructure with other subscribers
- Transaction records split into multiple cloud locations
- Lack of security log filtering
-
The PRIMARY objective of performing a post-incident review is to:
- identify the root cause.
- identify control improvements.
- re-evaluate the impact of incidents.
- identify vulnerabilities.
-
Which of the following is the MOST important objective of testing a security incident response plan?
- Confirm that systems are recovered in the proper order
- Verify the response assumptions are valid
- Ensure the thoroughness of the response plan
- Validate the business impact analysis
-
Which of the following is the PRIMARY objective of incident classification?
- Complying with regulatory requirements
- Increasing response efficiency
- Enabling incident reporting
- Reducing escalations to management
-
A risk profile supports effective security decisions PRIMARILY because it:
- defines how to best mitigate future risks.
- identifies priorities for risk reduction.
- enables comparison with industry best practices.
- describes security threats.
-
The PRIMARY goal of a post-incident review should be to:
- determine why the incident occurred.
- determine how to improve the incident handling process.
- identify policy changes to prevent a recurrence.
- establish the cost of the incident to the business.
-
Which of the following activities is used to determine the effect of a disruptive event?
- Maximum tolerable downtime assessment
- Recovery time objective (RTO) analysis
- Business impact analysis (BIA)
- Incident impact analysis
-
For an organization that provides web-based services, which of the following security events would MOST likely initiate an incident response plan and be escalated to management?
- Multiple failed login attempts on an employee’s workstation
- Suspicious network traffic originating from the demilitarized zone (DMZ)
- Several port scans of the web server
- Anti-malware alerts on several employees’ workstations
-
When establishing escalation processes for an organization’s computer security incident response team, the organization’s procedures should:
- provide unrestricted communication channels to executive leadership to ensure direct access.
- require events to be escalated whenever possible to ensure that management is kept informed.
- recommend the same communication path for events to ensure consistency of communication.
- specify step-by-step escalation paths to ensure an appropriate chain of command.
-
Which of the following is the MOST reliable way to ensure network security incidents are identified as soon as possible?
- Collect and correlate IT infrastructure event logs.
- Conduct workshops and training sessions with end users.
- Install stateful inspection firewalls.
- Train help desk staff to identify and prioritize security incidents.
-
Which of the following would be MOST helpful to reduce the amount of time needed by an incident response team to determine appropriate actions?
- Providing annual awareness training regarding incident response for team members
- Defining incident severity levels during a business impact analysis (BIA)
- Validating the incident response plan against industry best practices
- Rehearsing incident response procedures, roles, and responsibilities
-
Which of the following is the BEST way for an organization to ensure that incident response teams are properly prepared?
- Conducting tabletop exercises appropriate for the organization
- Providing training from third-party forensics firms
- Documenting multiple scenarios for the organization and response steps
- Obtaining industry certifications for the response team
-
The MOST important reason to have a well-documented and tested incident response plan in place is to:
- standardize the chain of custody procedure
- facilitate the escalation process
- promote a coordinated effort.
- outline external communications
-
Which of the following is the MOST important security consideration when developing an incident response strategy with a cloud provider?
- Escalation processes
- Security audit reports
- Technological capabilities
- Recovery time objective (RTO)
-
Which of the following is a MAIN security challenge when conducting a post-incident review related to bring your own device (BYOD) in a mature, diverse organization?
- Ability to obtain possession of devices
- Lack of mobile forensics expertise
- Diversity of operating systems
- Ability to access devices remotely