CISM – Flashcards
question
The foundation of an information security program is:
answer
Alignment with the goals and objectives of the organization
question
The core principles of an information security program are:
answer
Confidentiality, Integrity and Availability
question
The key factor in a successful information security program is:
answer
Senior Management support
question
A threat can be described as:
answer
Any event or action that could cause harm to the organization
question
True/False: Threats can be either intentional or accidental
answer
True
question
Personnel Security requires trained personnel to manage systems and networks. When does personnel security begin?
answer
Through pre-employment checks
question
Who plays the most important role in information security?
answer
Upper management
question
The advantage of an IPS (intrusion prevention system) over an IDS (intrusion detection system) is that:
answer
The IPS can block suspicious activity in real time
question
True/False: Physical security is an important part of an Information Security program
answer
True
question
The Sherwood Applied Business Security Architecture (SABSA) is primarily concerned with:
answer
An enterprise-wide approach to security architecture
question
A centralized approach to security has the primary advantage of:
answer
Uniform enforcement of security policies
question
The greatest advantage to a decentralized approach to security is:
answer
More adjustable to local laws and requirements
question
A primary objective of an information security strategy is to:
answer
Identify and protect information assets
question
The first step in an information security strategy is to:
answer
Determine the desired state of security
question
Effective information security governance is based on:
answer
implementing security policies and procedures
question
The use of a standard such as ISO27001 is useful to:
answer
Ensure that all relevant security needs have been addressed
question
Three main factors in a business case are resource usage, regulatory compliance and:
answer
Return on investment
question
What is a primary method for justifying investments in information security?
answer
development of a business case
question
Relationships with third parties may:
answer
Require the organization to comply with the security standards of the third party
question
True or False? The organization does not have to worry about the impact of third party relationships on the security program
answer
False
question
The role of an Information Systems Security Steering Committee is to:
answer
Provide feedback from all areas of the organization
question
The most effective tool a security department has is:
answer
A security awareness program
question
The role of Audit in relation to Information Security is:
answer
To validate the effectiveness of the security program against established metrics
question
Who should be responsible for development of a risk management strategy?
answer
The Security Manager
question
The security requirements of each member of the organization should be documented in:
answer
Their job descriptions
question
What could be the greatest challenge to implementing a new security strategy?
answer
Obtaining buy-in from employees
question
A disgruntled former employee is a:
answer
Threat
question
A bug or software flaw is a:
answer
Vulnerability
question
An audit log is an example of a:
answer
Detective control
question
A compensating control is used:
answer
When normal controls are not sufficient to mitigate the risk
question
Encryption is an example of a:
answer
Countermeasure
question
The examination of risk factors would be an example of:
answer
Risk analysis
question
True/False: The only real risk mitigation technique is based on effective implementation of technical controls.
answer
False
question
Should a risk assessment consider controls that are planned but not yet implemented?
answer
Yes, because it would not be appropriate to recommend implementing controls that are already planned
question
The main purpose of information classification is to:
answer
Ensure the effective, appropriate protection of information
question
The value of information is based in part on:
answer
The fines imposed by regulators in the event of a breach
question
The definition of an information security baseline is:
answer
The minimum level of security mandated in the organization
question
The use of a baseline can help the organization to:
answer
Compare the current state of security with the desired state
question
The purpose of a Business Impact Analysis (BIA) is to:
answer
Estimate the potential impact on the business in case of a system failure
question
The ultimate goal of BIA is to:
answer
determine the priorities for recovery of business processes and systems
question
New controls should be implemented as a part of the risk mitigation strategy:
answer
In areas where the cost of the control is justified by the benefit obtained
question
An example of risk transference as a risk mitigation option is:
answer
The purchase of insurance to cover some of the losses associated with an incident.
question
The purpose of a life cycle (as used in the Systems Development Life Cycle (SDLC)) is to:
answer
Assist in the management of a complex project by breaking it into individual steps
question
At which stage of a project should risk management be performed?
answer
At each stage starting at project initiation
question
When working with an outside party that may include access to sensitive information, each party should require a:
answer
Non-disclosure agreement (NDA)
question
Symmetric key algorithms are best used for:
answer
Encryption of large amounts of data
question
A benefit provided by a symmetric algorithm is:
answer
confidentiality
question
Asymmetric algorithms are often used in:
answer
Digital signatures
question
The primary benefit of a hash function is:
answer
Proving integrity of a message
question
Which key would open a message encrypted with John's public key?
answer
John's corresponding private key
question
Symmetric encryption is a:
answer
two-way encryption process
question
A primary reason for the development of public key cryptography was to:
answer
Address the key distribution problems of asymmetric encryption
question
What is the length of a digest created by a hash function?
answer
A hash function creates a fixed length hash regardless of input message length
question
A hash is often used for:
answer
Password based authentication
question
The entity requesting access in an access control system is often known as:
answer
The subject
question
Access control is a means to:
answer
Permit authorized persons appropriate levels of access
question
A surveillance camera is an access control based on:
answer
Physical controls
question
Anti-virus systems should be deployed on:
answer
Gateways and individual desktops
question
The use of a policy compliant system may enable an organization to:
answer
Enforce policies at a desktop level
question
An information classification policy is what form of control?
answer
Administrative controls
question
Which of the following is a one-way function?
answer
Hashing
question
True/False: A Disaster Recovery Plan is a part of an Information Security Framework
answer
True
question
An important element of an information security program is:
answer
The development of metrics to measure program performance
question
Identity management applies to:
answer
Giving both internal and external users unique identification
question
The practice of only granting a user the lowest level required is:
answer
Least privilege
question
A deterrent control can be used to:
answer
Discourage inappropriate behavior
question
An example of a preventative control is:
answer
A fence
question
A disadvantage of an automated control may be:
answer
That it may implement a configuration change automatically without review
question
The implementation of a security program requires:
answer
a person that takes ownership of each activity
question
The manipulation of staff to perform unauthorized actions is known as:
answer
Social engineering
question
Audit is a form of:
answer
business assurance
question
When an organization undertakes a program to outsource the IT function what must it do as part of the outsourcing program?
answer
Ensure that security requirements are addressed in any contracts
question
What is the best way to understand business priorities?
answer
Interviews with senior management
question
In case the implementation of an IT project fails, what is the next step?
answer
Roll back the implementation if possible
question
A gap analysis can be used to:
answer
Determine the disparity between current and desired state
question
Every policy should be backed up through the use of:
answer
Procedures, standards and baselines
question
The testing and evaluation of the security of a system made in support of the decision to implement the system is known as
answer
Certification
question
Ensuring that a system is not implemented until it has been formally approved by a senior manager is part of:
answer
Accreditation
question
Teaching staff how to use a new security tool is known as:
answer
Training
question
To ensure the quality and adherence to standards for a modification to a system the organization enforces:
answer
Change control
question
One of the most important considerations when two organizations are considering a merger is?
answer
Confidentiality
question
What document is used to set out the expectations for vendors or suppliers?
answer
Service level agreements
question
Good information security metrics are clear, timely and?
answer
Relevant
question
A vulnerability test is intended to:
answer
Find weaknesses in the system
question
True/False: Penetration testing and vulnerability assessments can be either internal or external.
answer
True
question
True/False: Gathering data to evaluate the security program cannot be done through interviews since the answers are too subjective.
answer
False
question
Metrics to evaluate the effectiveness of system controls may be based on:
answer
Key performance indicators (KPIs)
question
The three authentication factors are:
answer
knowledge, ownership, biometric
question
Sensitive information about a person is called:
answer
PII
question
Remote access poses the risk that
answer
Unauthorized users may use remote access systems to gain access
question
A Virtual Private Network (VPN) is used to:
answer
Create a secure tunnel to allow transmission of sensitive data over an insecure network
question
A security risk associated with disposal of any storage device is:
answer
The removal of sensitive information
question
When an outsourcing contract expires the organization must:
answer
Ensure all data is removed or destroyed by the outsource service provider