Which of the following should be the primary goal of developing information security metrics?

A. To provide guidance to users, managers, and IT on organizational goals and objectives to protect data

B. To provide assurance that information security controls protect assets in accordance with the risk

C. To provide metrics to support management's assertion that information security is an organizational objective

D. To provide the highest level of protection available to an organization's information assets


Title of test:
CISM practice test (Simulado CISM)

Description:
Online practice test for Daryus students

Author:
PCR

Creation Date:
02/10/2014

Category:
Others

Number of questions: 100


Content:

The PRIMARY goal in developing an information security strategy is to:
A. establish security metrics and performance monitoring.
B. educate business process owners regarding their duties.
C. ensure that legal and regulatory requirements are met.
D. support the business objectives of the organization.

Senior management commitment and support for information security can BEST be enhanced through:
A. a formal security policy sponsored by the chief executive officer (CEO).
B. regular security awareness training for employees.
C. periodic review of alignment with business management goals.
D. senior management signoff on the information security strategy.

Which of the following requirements would have the lowest level of priority in information security?
A. Technical
B. Regulatory
C. Privacy
D. Business

Which of the following MOST commonly falls within the scope of an information security governance steering committee?
A. Interviewing candidates for information security specialist positions
B. Developing content for security awareness programs
C. Prioritizing information security initiatives
D. Approving access to critical financial systems

Which of the following is the MOST important factor when designing information security architecture?
A. Technical platform interfaces
B. Scalability of the network
C. Development methodologies
D. Stakeholder requirements

What will have the HIGHEST impact on standard information security governance models?
A. Number of employees
B. Distance between physical locations
C. Complexity of organizational structure
D. Organizational budget

In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:
A. prepare a security budget.
B. conduct a risk assessment.
C. develop an information security policy.
D. obtain benchmarking information.

An outcome of effective security governance is:
A. business dependency assessment.
B. strategic alignment.
C. risk assessment.
D. planning.

How would an information security manager balance the potentially conflicting requirements of an international organization’s security standards and local regulation?
A. Give organization standards preference over local regulations
B. Follow local regulations only
C. Make the organization aware of those standards where local regulations cause conflicts
D. Negotiate a local version of the organization standar.

Which of the following should drive the risk analysis for an organization?
A. Senior management
B. Security manager
C. Quality manager
D. Legal department

In implementing information security governance, the information security manager is PRIMARILY responsible for:
A. developing the security strategy.
B. reviewing the security strategy.
C. communicating the security strategy.
D. approving the security strategy.

An information security strategy document that includes specific links to an organization’s business activities is PRIMARILY an indicator of:
A. performance measurement.
B. integration.
C. alignment.
D. value delivery.

To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:
A. review the functionalities and implementation requirements of the solution.
B. review comparison reports of tool implementation in peer companies.
C. provide examples of situations where such a tool would be useful.
D. demonstrate that the investment meets organizational needs.

The MOST useful way to describe the objectives in the information security strategy is through:
A. attributes and characteristics of the ‘desired state.’
B. overall control objectives of the security program.
C. mapping the IT systems to key business processes.
D. calculation of annual loss expectations.

Which of the following will have the GREATEST impact on a financial enterprise with offices in various countries and involved in transborder flow of information?
A. Current and future technologies
B. Evolving data protection regulations
C. Economizing the costs of network bandwidth
D. Centralization of information securi.

Strategic alignment is PRIMARILY achieved when services provided by the information security department:
A. closely reflect the requirements of key business stakeholders.
B. closely reflect the desires of the IT executive team.
C. reflect the requirements of industry best practices.
D. are reliable and cost-effective using the latest technologies.

Who is in the BEST position to implement and monitor a balanced scorecard (BSC) for the information systems (IS) security program?
A. Executive management
B. The chief information security officer (CISO)
C. The director of auditing
D. The chief information officer (CIO)

Which of the following is the MOST important factor on which to rely to successfully assign cross-organizational responsibility to integrate an information security program?
A. The ease of information security technologies
B. Open channels of communication
C. The roles of different job functions
D. Qualified information security professionals in each department

The security responsibility of data custodians in an organization will include:
A. assuming overall protection of information assets.
B. determining data classification levels.
C. implementing security controls in products they install.
D. ensuring security measures are consistent with policy.

Who can BEST approve plans to implement an information security governance framework?
A. Internal auditor
B. Information security management
C. Steering committee
D. Infrastructure management

An organization that has decided to implement a formal information security program should FIRST:
A. invite an external consultant to create the security strategy.
B. allocate budget based on best practices.
C. benchmark similar organizations.
D. define high-level business security requirements.

Which of the following is a key area of the ISO 27001 framework?
A. Operational risk assessment
B. Financial crime metrics
C. Capacity management
D. Business continuity management

The MAIN goal of an information security strategic plan is to:
A. develop a risk assessment plan.
B. develop a data protection plan.
C. protect information assets and resources.
D. establish security governance.

Information security policies should:
A. address corporate network vulnerabilities.
B. address the process for communicating a violation.
C. be straightforward and easy to understand.
D. be customized to specific groups and roles.

Attackers who exploit cross-site scripting vulnerabilities take advantage of:
A. a lack of proper input validation controls.
B. weak authentication controls in the web application layer.
C. flawed cryptographic secure sockets layer (SSL) implementations and short key lengths.
D. implicit web application trust relationships.

Which of the following would BEST address the risk of data leakage?
A. File backup procedures
B. Database integrity checks
C. Acceptable use policies
D. Incident response procedures

A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected?
A. Access control policy
B. Data classification policy
C. Encryption standards
D. Acceptable use policy

What is the BEST technique to determine which security controls to implement with a limited budget?
A. Risk analysis
B. Annualized loss expectancy (ALE) calculations
C. Cost-benefit analysis
D. Impact analysis

A company’s mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?
A. A penetration test
B. A security baseline review
C. A risk assessment
D. A business impact analysis (BIA)

Which of the following measures would be MOST effective against insider threats to confidential information?
A. Role-based access control
B. Audit trail monitoring
C. Privacy policy
D. Defense-in-depth

Which of the following is the MAIN reason for performing risk assessment on a continuous basis?
A. Justification of the security budget must be continually made.
B. New vulnerabilities are discovered every day.
C. The risk environment is constantly changing.
D. Management needs to be continually informed about emerging risks.

There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
A. Identify the vulnerable systems and apply compensating controls
B. Minimize the use of vulnerable systems
C. Communicate the vulnerability to system users
D. Update the signatures database of the intrusion detection system (IDS)

Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?
A. Business impact analysis (BIA)
B. Penetration testing
C. Audit and review
D. Threat analysis

Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?
A. Cost-benefit analysis
B. Penetration testing
C. Frequent risk assessment programs
D. Annual loss expectancy (ALE) calculation

An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:
A. eliminating the risk.
B. transferring the risk.
C. mitigating the risk.
D. accepting the risk.

Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?
A. Manager
B. Custodian
C. User
D. Owner

The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for:
A. determining the scope for inclusion in an information security program.
B. defining the level of access controls.
C. justifying costs for information resources.
D. determining the overall budget of an information security program.

An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs?
A. Key performance indicators (KPIs)
B. Business impact analysis (BIA)
C. Gap analysis
D. Technical vulnerability assessment

When performing a qualitative risk analysis, which of the following will BEST produce reliable results?
A. Estimated productivity losses
B. Possible scenarios with threats and impacts
C. Value of information assets
D. Vulnerability assessment

Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?
A. User assessments of changes
B. Comparison of the program results with industry stand
C. Assignment of risk within the organization
D. Participation by all members of the organization

The MOST effective use of a risk register is to:
A. identify risks and assign roles and responsibilities for mitigation.
B. identify threats and probabilities.
C. facilitate a thorough review of all IT-related risks on a periodic basis.
D. record the annualized financial amount of expected losses due to risks.

Logging is an example of which type of defense against systems compromise?
A. Containment
B. Detection
C. Reaction
D. Recovery

Which of the following is the MOST important to keep in mind when assessing the value of information?
A. The potential financial loss
B. The cost of recreating the information
C. The cost of insurance coverage
D. Regulatory requirement

When a proposed system change violates an existing security standard, the conflict would be BEST resolved by:
A. calculating the risk.
B. enforcing the security standard.
C. redesigning the system change.
D. implementing mitigating controls.

The information classification scheme should:
A. consider possible impact of a security breach.
B. classify personal information in electronic form.
C. be performed by the information security manager.
D. classify systems according to the data processed.

Which of the following is the BEST method to provide a new user with their initial password for e-mail system access?
A. Interoffice a system-generated complex password with 30 days expiration
B. Provide a temporary password over the telephone set for immediate expiration
C. Require no password but force the user to set their own in 10 days
D. Set initial password equal to the user ID with expiration in 30 days

An operating system (OS) noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution?
A. Rewrite the application to conform to the upgraded operating system
B. Compensate for not installing the patch with mitigating controls
C. Alter the patch to allow the application to run in a privileged state
D. Run the application on a test platform; tune production to allow patch and application

Primary direction on the impact of compliance with new regulatory requirements that may lead to major application system changes should be obtained from the:
A. corporate internal auditor.
B. system developers/analysts.
C. key business process owners.
D. corporate legal counsel.

The IT function has declared that, when putting a new application into production, it is not necessary to update the business impact analysis (BIA) because it does not produce modifications in the business processes. The information security manager should:
A. verify the decision with the business units.
B. check the system’s risk analysis.
C. recommend update after postimplementation review.
D. request an audit review.

An internal review of a web-based application system finds the ability to gain access to all employees’ accounts by changing the employee’s ID on the URL used for accessing the account. The vulnerability identified is:
A. broken authentication.
B. unvalidated input.
C. cross-site scripting.
D. structured query language (SQL) injection.

What is the MOST cost-effective method of identifying new vendor vulnerabilities?
A. External vulnerability reporting sources
B. Periodic vulnerability assessments performed by consultants
C. Intrusion prevention software
D. Honeypots located in the DMZ

Of the following, retention of business records should be PRIMARILY based on:
A. periodic vulnerability assessment.
B. regulatory and legal requirements.
C. device storage capacity and longevity.
D. past litigation.

Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities?
A. Vulnerability scans
B. Penetration tests
C. Code reviews
D. Security audits

Determining the nature and extent of activities required in developing or improving an information security program often requires assessing the existing security levels of various program components. The BEST process to accomplish this task is to perform a(n):
A. impact assessment.
B. vulnerability assessment.
C. gap analysis.
D. threat assessment.

The design and implementation of controls and countermeasures must be PRIMARILY focused on:
A. eliminating IT risk.
B. cost-benefit balance.
C. resource management.
D. the number of assets protected.

The PRIMARY purpose of performing an internal attack and penetration test is to identify:
A. weaknesses in network and server security.
B. ways to improve the incident response process.
C. potential attack vectors on the network perimeter.
D. the optimum response to internal hacker attacks.

An organization has learned of a security breach at another company that utilizes similar technology. The FIRST thing the information security manager should do is:
A. assess the likelihood of incidents from the reported cause.
B. discontinue the use of the vulnerable technology.
C. report to senior management that the organization is not affected.
D. remind staff that no similar security breaches have taken place.

An intrusion detection system should be placed:
A. outside the firewall.
B. on the firewall server.
C. on a screened subnet.
D. on the external router.

The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to:
A. provide in-depth defense.
B. separate test and production.
C. permit traffic load balancing.
D. prevent a denial-of-service attack.

An extranet server should be placed:
A. outside the firewall.
B. on the firewall server.
C. on a screened subnet.
D. on the external router.

Which of the following is the BEST metric for evaluating the effectiveness of security awareness training? The number of:
A. password resets.
B. reported incidents.
C. incidents resolved.
D. access rule violations.

Security monitoring mechanisms should PRIMARILY:
A. focus on business-critical information.
B. assist owners to manage control risks.
C. focus on detecting network intrusions.
D. record all security violations.

When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:
A. right-to-terminate clause.
B. limitations of liability.
C. service level agreement (SLA).
D. financial penalties clause.

Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism?
A. Number of attacks detected
B. Number of successful attacks
C. Ratio of false positives to false negatives
D. Ratio of successful to unsuccessful attacks

Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems?
A. Patch management
B. Change management
C. Security baselines
D. Virus detection

Which of the following is MOST effective in preventing security weaknesses in operating systems?
A. Patch management
B. Change management
C. Security baselines
D. Configuration management

Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?
A. Baseline security standards
B. System access violation logs
C. Role-based access controls
D. Exit routines

Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender?
A. Biometric authentication
B. Embedded steganographic
C. Two-factor authentication
D. Embedded digital signature

What is an appropriate frequency for updating operating system (OS) patches on production servers?
A. During scheduled rollouts of new applications
B. According to a fixed security patch management schedule
C. Concurrently with quarterly hardware maintenance
D. Whenever important security patches are released

A border router should be placed on which of the following?
A. Web server
B. IDS server
C. Screened subnet
D. Domain boundary

An e-commerce order fulfillment web server should generally be placed on which of the following?
A. Internal network
B. Demilitarized zone (DMZ)
C. Database server
D. Domain controller

Secure customer use of an e-commerce application can BEST be accomplished through:
A. data encryption.
B. digital signatures.
C. strong passwords.
D. two-factor authentication.

What is the BEST defense against a Structured Query Language (SQL) injection attack?
A. Regularly updated signature files
B. A properly configured firewall
C. An intrusion detection system
D. Strict controls on input fields

Which of the following is the MOST important consideration when implementing an intrusion detection system (IDS)?
A. Tuning
B. Patching
C. Encryption
D. Packet filtering

Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register?
A. Authentication
B. Hardening
C. Encryption
D. Nonrepudiation

Which of the following practices is BEST to remove system access for contractors and other temporary users when it is no longer required?
A. Log all account usage and send it to their manager
B. Establish predetermined automatic expiration dates
C. Require managers to e-mail security when the user leaves
D. Ensure each individual has signed a security acknowledgement

Which of the following is MOST important for a successful information security program?
A. Adequate training on emerging security technologies
B. Open communication with key process owners
C. Adequate policies, standards and procedures
D. Executive management commitment

When considering the value of assets, which of the following would give the information security manager the MOST objective basis for measurement of value delivery in information security governance?
A. Number of controls
B. Cost of achieving control objectives
C. Effectiveness of controls
D. Test results of control

Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?
A. Encrypting first by receiver’s private key and second by sender’s public key
B. Encrypting first by sender’s private key and second by receiver’s public key
C. Encrypting first by sender’s private key and second decrypting by sender’s public key
D. Encrypting first by sender’s public key and second by receiver’s private.

A test plan to validate the security controls of a new system should be developed during which phase of the project?
A. Testing
B. Initiation
C. Design
D. Development

The MOST effective way to ensure that outsourced service providers comply with the organization’s information security policy would be:
A. service level monitoring.
B. penetration testing.
C. periodically auditing.
D. security awareness training.

In order to protect a network against unauthorized external connections to corporate systems, the information security manager should BEST implement:
A. a strong authentication.
B. IP antispoofing filtering.
C. network encryption protocol.
D. access lists of trusted devices.

Which of the following terms and conditions represent a significant deficiency if included in a commercial hot site contract?
A. A hot site facility will be shared in multiple disaster declarations
B. All equipment is provided “at time of disaster, not on floor”
C. The facility is subject to a “first-come, first-served” policy
D. Equipment may be substituted with equivalent model

Which of the following should be performed FIRST in the aftermath of a denial-of-service attack?
A. Restore servers from backup media stored offsite
B. Conduct an assessment to determine system status
C. Perform an impact analysis of the outage
D. Isolate the screened subnet

Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster?
A. Detailed technical recovery plans are maintained offsite
B. Network redundancy is maintained through separate providers
C. Hot site equipment needs are recertified on a regular basis
D. Appropriate declaration criteria have been established

The business continuity policy should contain which of the following?
A. Emergency call trees
B. Recovery criteria
C. Business impact assessment (BIA)
D. Critical backups inventory

The PRIMARY purpose of installing an intrusion detection system (IDS) is to identify:
A. weaknesses in network security.
B. patterns of suspicious access.
C. how an attack was launched on the network.
D. potential attacks on the internal network.

Which of the following would represent a violation of the chain of custody when a backup tape has been identified as evidence in a fraud investigation? The tape was:
A. removed into the custody of law enforcement investigators.
B. kept in the tape library pending further analysis.
C. sealed in a signed envelope and locked in a safe under dual control.
D. handed over to authorized independent investigators.

When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach?
A. Business continuity plan
B. Disaster recovery plan
C. Incident response plan
D. Vulnerability management plan

Isolation and containment measures for a compromised computer have been taken and information security management is now investigating. What is the MOST appropriate next step?
A. Run a forensics tool on the machine to gather evidence
B. Reboot the machine to break remote connections
C. Make a copy of the whole system’s memory
D. Document current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports

The recovery point objective (RPO) requires which of the following?
A. Disaster declaration
B. Before-image restoration
C. System restoration
D. After-image processing

Who would be in the BEST position to determine the recovery point objective (RPO) for business applications?
A. Business continuity coordinator
B. Chief operations officer (COO)
C. Information security manager
D. Internal audit

When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify:
A. the information security steering committee.
B. customers who may be impacted.
C. data owners who may be impacted.
D. regulatory agencies overseeing privacy.

The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:
A. periodically testing the incident response plans.
B. regularly testing the intrusion detection system (IDS).
C. establishing mandatory training of all personnel.
D. periodically reviewing incident response procedures.

Which of the following would a security manager establish to determine the target for restoration of normal processing?
A. Recovery time objective (RTO)
B. Maximum tolerable outage (MTO)
C. Recovery point objectives (RPOs)
D. Services delivery objectives (SDOs)

Which of the following should be the PRIMARY basis for making a decision to establish an alternate site for disaster recovery?
A. A business impact analysis (BIA), which identifies the requirements for continuous availability of critical business processes
B. Adequate distance between the primary site and the alternate site so that the same disaster does not simultaneously impact both sites
C. A benchmarking analysis of similarly situated enterprises in the same geographic region to demonstrate due diligence
D. Differences between the regulatory requirements applicable at the primary site and those at the alternate site

During a business continuity plan (BCP) test, one department discovered that its new software application was not going to be restored soon enough to meet the needs of the business. This situation can be avoided in the future by:
A. conducting a periodic and event-driven business impact analysis (BIA) to determine the needs of the business during a recovery.
B. assigning new applications a higher degree of importance and scheduling them for recovery first.
C. developing a help-desk ticket process that allows departments to request recovery of software during a disaster.
D. conducting a thorough risk assessment prior to purchasing the software.

The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to:
A. change the root password of the system.
B. implement multifactor authentication.
C. rebuild the system from the original installation medium.
D. disconnect the mail server from the network.

Which of the following would present the GREATEST risk to information security?
A. Virus signature file updates are applied to all servers every day
B. Security access logs are reviewed within five business days
C. Critical patches are applied within 24 hours of their release
D. Security incidents are investigated within five business days

Which of the following is the MOST important area of focus when examining potential security compromise of a new wireless network?
A. Signal strength
B. Number of administrators
C. Bandwidth
D. Encryption strength

Which of the following should be the primary goal of information security?

The main objectives of InfoSec are typically related to ensuring confidentiality, integrity, and availability of company information.

Which of the following should be the primary objective when developing an information security strategy?

The primary goal of developing an information security strategy is to: Establish security metrics and performance monitoring.

What is the primary role of the information security manager in the process of information classification?

The primary role of the information security manager is to manage the IT and information security department's team and personnel.

Which of the following is most important in developing a security strategy?

The most important part of developing a security strategy is understanding the key elements of the specific business. While it is essential to understand generic threats and vulnerabilities, identifying those that can impact a particular organization is vital.