CISM - domain 3 - Q/A
Which of the following devices should be placed within a DMZ?
An intrusion detection system should be placed:
on a screened subnet
The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to:
permit traffic load balancing
On which of the following should a firewall be placed?
Which of the following is the MOST effective solution for preventing individuals external to the organization from modifying sensitive information on a corporate database?
A border router should be placed on which of the following?
Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register?
Which of the following is the MOST important risk associated with middleware in a client-server environment?
system integrity may be affected
Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network?
safeguards over keys
In the process of deploying a new email system, an information security manager would like to ensure the confidentiality of messages while in transit. Which of the following is the MOST appropriate method to ensure data confidentiality in a new email system implementation?
Which of the following features is normally missing when using Secure Sockets Layer (SSL) in a web browser?
certificate-based authentication of web client
A message that has been encrypted by the sender's private key and again by the receiver's public key achieves:
confidentiality and nonrepudiation
When a user employs a client-side digital certificate to authenticate to a web server through Secure Sockets Layer (SSL), confidentiality is MOST vulnerable to which of the following?
Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?
encrypting first by sender's private key and second by receiver's public key
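The two cards above describe the same construction: the sender applies its private key first (a signature, which gives authentication and nonrepudiation) and then the receiver's public key (encryption, which gives confidentiality). The receiver reverses the layers in the opposite order. The walk-through below is an added illustration, not part of the original set: it uses textbook RSA with tiny constructed primes so that every step is visible, hashes the message before signing, and then shows the three failure cases a practitioner should expect (an eavesdropper with only public keys, a tampered ciphertext, and an impostor signing with the wrong private key). Nothing here is a usable cipher; the primes, the byte-at-a-time encryption and the hash reduction are assumptions made for the demonstration.

```python
"""Added illustration of 'encrypt with the sender's private key, then with the
receiver's public key' (sign, then encrypt) using textbook RSA with tiny primes.
Constructed for the walk-through only: no padding, no real key sizes, never use
this as a cipher.  Requires Python 3.8+ for pow(e, -1, phi)."""
import hashlib
from math import gcd


def make_keypair(p, q, e):
    """Return (public, private) = ((e, n), (d, n)) from two primes and exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi(n)"
    return (e, n), (pow(e, -1, phi), n)


def digest_int(message, n):
    """SHA-256 of the message reduced below the modulus (toy: real schemes pad instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_then_encrypt(message, sender_priv, receiver_pub):
    """Step 1 uses the SENDER's private key (authentication + nonrepudiation),
    step 2 the RECEIVER's public key (confidentiality)."""
    d_s, n_s = sender_priv
    e_r, n_r = receiver_pub
    assert n_s < n_r, "signature block must be smaller than the receiver's modulus"
    signature = pow(digest_int(message, n_s), d_s, n_s)   # only the sender can make this
    enc_sig = pow(signature, e_r, n_r)                     # only the receiver can undo this
    enc_body = [pow(b, e_r, n_r) for b in message]         # byte-at-a-time toy encryption
    return enc_body, enc_sig


def decrypt_then_verify(enc_body, enc_sig, receiver_priv, sender_pub):
    """Reverse the two layers. Returns (message, verified)."""
    d_r, n_r = receiver_priv
    e_s, n_s = sender_pub
    plain = [pow(c, d_r, n_r) for c in enc_body]           # needs the receiver's private key
    if any(v > 255 for v in plain):                        # wrong key or tampered ciphertext
        return None, False
    message = bytes(plain)
    signature = pow(enc_sig, d_r, n_r)
    verified = pow(signature, e_s, n_s) == digest_int(message, n_s)  # anyone can check
    return message, verified


def demo():
    """Genuine, eavesdropper, tampered and forged-sender cases (all constructed)."""
    alice_pub, alice_priv = make_keypair(61, 53, 17)       # sender, n = 3233
    bob_pub, bob_priv = make_keypair(127, 131, 17)         # receiver, n = 16637
    mallory_pub, mallory_priv = make_keypair(67, 71, 17)   # impostor, n = 4757
    msg = b"pay 100 to account 42"
    body, sig = sign_then_encrypt(msg, alice_priv, bob_pub)

    genuine = decrypt_then_verify(body, sig, bob_priv, alice_pub)
    # Eve only holds public keys; using Bob's public key in place of his private one fails.
    eavesdropper = decrypt_then_verify(body, sig, bob_pub, alice_pub)
    # A modified ciphertext block breaks the signature check.
    tampered = decrypt_then_verify(body, (sig + 1) % bob_pub[1], bob_priv, alice_pub)
    # Mallory signs with her own key; Bob still verifies against Alice's public key.
    f_body, f_sig = sign_then_encrypt(msg, mallory_priv, bob_pub)
    forged = decrypt_then_verify(f_body, f_sig, bob_priv, alice_pub)
    return genuine, eavesdropper, tampered, forged


if __name__ == "__main__":
    for label, (message, ok) in zip(("genuine", "eavesdropper", "tampered", "forged"), demo()):
        print(f"{label:13s} verified={ok} message={message!r}")
```

The forged case is the one the "nonrepudiation" answer depends on: Bob recovers the plaintext (Mallory encrypted it with his public key), but verification against Alice's public key fails, so nothing ties the message to Alice. Real deployments use a padded signature scheme and a hybrid construction (sign, then encrypt a symmetric key), but the order of the two keys is the same.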
In order to protect a network against unauthorized external connections to corporate systems, the information security manager should BEST implement:
strong authentication
The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information security program is to:
provide a high assurance of identity
What is the BEST policy for securing data on mobile universal serial bus (USB) drives?
A digital signature using a public key infrastructure (PKI) will:
rely on the extent to which the certificate authority (CA) is trusted
Which of the following is MOST useful in managing increasingly complex security deployments?
a security architecture
Which of the following control measures BEST addresses integrity?
Which of the following is the BEST way to ensure that an intruder who successfully penetrates a network will be detected before significant damage is inflicted?
install a honeypot on the network
An information security manager reviewing firewall rules will be MOST concerned if the firewall allows:
Which of the following presents the GREATEST exposure to internal attack on a network?
user passwords are encoded but not encrypted
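The card above turns on the difference between encoding and encryption: an encoding such as Base64 is a reversible transformation with no key, so an insider who can read the credential store can read every password. The block below is an added example (not from the original set) that shows the weak storage beside the hardened one, a per-user salted PBKDF2 hash with constant-time verification; the iteration count and the store format are assumptions for the demonstration.

```python
"""Added illustration of why 'encoded' is not 'encrypted': Base64 needs no key
to reverse, so a credential store that only encodes passwords is readable by any
insider who can reach it. The hardened alternative stores a salted, iterated hash."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000   # constructed setting; tune to your hardware budget


def store_encoded(password):
    """Weak: reversible transformation, no secret involved."""
    return base64.b64encode(password.encode()).decode()


def reverse_encoded(stored):
    """Anyone who reads the store recovers the password; nothing to guess."""
    return base64.b64decode(stored).decode()


def store_hashed(password, salt=None):
    """Hardened: per-user random salt plus PBKDF2-HMAC-SHA256; output is not reversible."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_hashed(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    weak = store_encoded("S3cret!")
    print("encoded store:", weak, "-> recovered:", reverse_encoded(weak))
    strong = store_hashed("S3cret!")
    print("hashed store:", strong)
    print("verify correct:", verify_hashed(strong, "S3cret!"), "verify wrong:", verify_hashed(strong, "s3cret!"))
```

Because the salt is random, two users with the same password get different stored values, which is what stops an attacker from cracking one hash and matching it against the whole store.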
Which of the following is the BEST approach to mitigate online brute-force attacks on user accounts?
implementation of lock-out policies
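A lock-out policy only works if it is actually enforced before the password is evaluated, and a badly designed one hands an attacker a denial of service against legitimate users. The block below is an added example, not part of the original set, of a lock-out that counts failures in a sliding window, locks temporarily, and doubles the lock time for repeat waves. The credential store and the attempt sequence are constructed; a real system stores salted hashes rather than the plaintext used here for brevity.

```python
"""Added example of an account lock-out policy against online brute force.
Constructed credential store and attempt sequence; a real system stores
salted password hashes and logs every decision."""
import hmac
from collections import defaultdict

MAX_FAILURES = 5     # failures inside WINDOW that trigger a lock
WINDOW = 300         # seconds over which failures are counted
BASE_LOCK = 60       # first lock lasts 60 s, then 120 s, 240 s, ...
MAX_LOCK = 3600      # cap so a persistent attacker cannot lock a user out forever

CREDENTIALS = {"alice": "correct horse battery staple"}   # constructed, plaintext for brevity


class LockoutPolicy:
    def __init__(self):
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the current lock expires
        self.lock_count = defaultdict(int)  # account -> how many locks so far (for back-off)

    def attempt(self, account, password, now):
        """Evaluate one login attempt at time `now`; returns 'locked', 'ok' or 'fail'."""
        if self.locked_until.get(account, 0) > now:
            return "locked"                          # refuse before touching the password
        if account in CREDENTIALS and hmac.compare_digest(
                CREDENTIALS[account].encode(), password.encode()):
            self.failures[account] = []              # success clears the failure window
            return "ok"
        recent = [t for t in self.failures[account] if now - t < WINDOW] + [now]
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            n = self.lock_count[account]
            self.locked_until[account] = now + min(BASE_LOCK * 2 ** n, MAX_LOCK)
            self.lock_count[account] += 1
            self.failures[account] = []
            return "locked"
        return "fail"


def run_demo():
    """Attacker guesses against 'alice', then alice herself tries to log in."""
    policy = LockoutPolicy()
    attempts = [("alice", f"guess{i}", i) for i in range(5)]          # t = 0..4, all wrong
    attempts += [("alice", CREDENTIALS["alice"], 10)]                 # real user, still locked
    attempts += [("alice", CREDENTIALS["alice"], 70)]                 # lock expired: succeeds
    attempts += [("alice", f"guess{i}", 100 + i) for i in range(5)]   # second wave
    outcomes = [policy.attempt(*a) for a in attempts]
    return outcomes, policy


if __name__ == "__main__":
    outcomes, policy = run_demo()
    print(outcomes)
    print("alice locked until t =", policy.locked_until["alice"])
```

Note the attempt at t=10: the legitimate user is refused even with the right password. That is the trade-off the lock-out introduces, which is why the lock is temporary and capped, and why practitioners pair it with per-source throttling or a CAPTCHA rather than relying on a permanent lock.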
The advantage of sending messages using steganographic techniques, as opposed to utilizing encryption, is that:
the existence of messages is unknown
Minimum standards for securing the technical infrastructure should be defined in a security:
Obtaining another party's public key is required to initiate which of the following activities?
The MOST effective technical approach to mitigate the risk of confidential information being disclosed in email attachments is to implement:
An organization is planning to deliver subscription-based educational services to customers online that will require customers to log in with their user IDs and passwords. Which of the following is the BEST method to validate passwords entered by a customer before access to educational resources is granted?
Integrating a number of different activities in the development of an information security infrastructure is BEST achieved by developing:
Application level controls are MOST likely to be employed when:
general controls are not sufficient
The fact that a department manager is able to provide information system access to members of the department when they take on new responsibilities indicates that the organization MOST likely implemented:
discretionary access control (DAC)
Controls that fail closed (secure) will present a risk to:
Which one of the following factors affects the extent to which controls should be layered?
common failure modes
The reason that a certificate authority (CA) is needed in a public key infrastructure (PKI) is to:
attest to the validity of a user's public key
A mandatory access control (MAC) should be used:
when delegation of rights is contrary to policy
Which of the following factors will MOST affect the extent to which controls should be layered?
the degree of homogeneity
A certificate authority (CA) is required for a public key infrastructure (PKI):
except where users attest to each other's identity
The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C) financial web application is:
Secure Sockets Layer (SSL); in current deployments this means its successor, Transport Layer Security (TLS).
Which of the following will BEST prevent external security attacks?
network address translation
When configuring a biometric access control system that protects a high-security data center, the system's sensitivity level should be set:
to a higher false reject rate (FRR).
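The answer above is the trade-off between the two biometric error rates: raising the match threshold turns away more impostors (lower false accept rate, FAR) at the cost of turning away more legitimate users (higher false reject rate, FRR). The block below is an added worked example, not from the original set, that computes both rates over constructed match scores, finds the balanced (equal error rate) setting, and then picks the stricter threshold a high-security data center would use. The scores and candidate thresholds are invented for the illustration.

```python
"""Added worked example of the biometric threshold trade-off: raising the match
threshold lowers the false accept rate (FAR) and raises the false reject rate (FRR).
Match scores below are constructed, not from any real sensor."""

# Similarity scores in [0, 1] for 10 genuine presentations and 10 impostor presentations.
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.69, 0.93, 0.87]
IMPOSTOR = [0.35, 0.52, 0.61, 0.48, 0.72, 0.40, 0.66, 0.58, 0.44, 0.78]
THRESHOLDS = [0.50, 0.60, 0.70, 0.76, 0.80, 0.90]   # candidate settings


def rates(threshold):
    """(FAR, FRR) when a presentation is accepted iff score >= threshold."""
    far = sum(s >= threshold for s in IMPOSTOR) / len(IMPOSTOR)   # impostors let in
    frr = sum(s < threshold for s in GENUINE) / len(GENUINE)      # legitimate users refused
    return far, frr


def equal_error_threshold(thresholds=THRESHOLDS):
    """Threshold where FAR and FRR are closest (the usual 'balanced' setting)."""
    return min(thresholds, key=lambda t: abs(rates(t)[0] - rates(t)[1]))


def high_security_threshold(max_far, thresholds=THRESHOLDS):
    """Lowest threshold whose FAR is within max_far; FRR is whatever that costs."""
    for t in sorted(thresholds):
        far, frr = rates(t)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    for t in THRESHOLDS:
        far, frr = rates(t)
        print(f"threshold {t:.2f}: FAR {far:.1f}  FRR {frr:.1f}")
    print("balanced (EER) threshold:", equal_error_threshold())
    print("data-center threshold, FAR target 0:", high_security_threshold(0.0))
```

With these scores the balanced setting is 0.76 (FAR and FRR both 0.1); a data center that will not tolerate any impostor has to move to 0.80, which doubles the FRR to 0.2. That extra friction for legitimate staff is the accepted price of the "higher FRR" answer.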
The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to:
establish security baselines
What is the BEST method to confirm that all firewall rules and router configuration settings are adequate?
periodically perform penetration tests
Documented standards/procedures for the use of cryptography across the enterprise should PRIMARILY:
define the circumstances where cryptography should be used.
Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application?
IT security standards
An enterprise requires the use of Windows XP Service Pack 3 version on all desktops and Windows 2003 Service Pack 1 version on all servers. This is an example of a:
Which of the following would be MOST effective in successfully implementing restrictive password policies?
security awareness program
Which of the following documents includes detailed requirements?
Which of the following is the MOST appropriate control to address compliance with specific regulatory requirements?
Which of the following is the MOST effective way to ensure that noncompliance to information security standards is resolved?
regular reports to executive management
Secure customer use of an e-commerce application can BEST be accomplished through
The MOST important success factor to design an effective IT security awareness program is to:
customize the content to the target audience.
What is the MOST important reason for conducting security awareness programs throughout an organization?
reducing the human risk
Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual needing to have his/her password reset?
conducting security awareness programs
A security awareness program should:
address specific groups and roles.
Which of the following is the BEST method to reduce the number of incidents of employees forwarding spam and chain email messages?
user awareness training
Which of the following would be the BEST way to improve employee attitude toward and commitment to information security?
customize training methods to the audience.
In a large enterprise, an information security awareness program will be MOST effective if it is:
customized to the audience using the appropriate delivery channel
Which of the following roles is MOST appropriately responsible for ensuring that security awareness and training material is effectively deployed to reach the intended audience?
the information security department
Which of the following activities will MOST effectively foster effective security behavior?
implementing a discipline and reward system
When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:
service level agreement (SLA).
An outsource service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know?
security in storage and transmission of sensitive data
A major trading partner with access to the internal network is unwilling or unable to remediate serious information security exposures within its environment. Which of the following is the BEST recommendation?
set up firewall rules restricting network traffic from that location
To reduce the possibility of service interruptions, an entity enters into contracts with multiple Internet service providers (ISPs). Which of the following would be the MOST important item to include?
service level agreements (SLAs)
Which of the following is the MOST important process that an information security manager needs to negotiate with an outsource service provider?
the right to conduct independent security reviews
Before engaging outsourced providers, an information security manager should ensure that the organization's data classification requirements:
are stated in the contract
A third party was engaged to develop a business application. Which of the following is the BEST test for the existence of back doors?
security code reviews for the entire application
An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that
the contract mandates that the service provider comply with the organization's security policies
An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?
ensuring that the third party is contractually obligated to all relevant security requirements
Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?
conduct regular security reviews of the third-party provider
When considering outsourcing services, at what point should information security become involved in the vendor management process?
when requirements are being established
An enterprise has a network of suppliers that it allows to remotely access an important database that contains critical supply chain data. What is the BEST control to ensure that the individual supplier representatives who have access to the system do not improperly access or modify information within this system?
user access rights
Which of the following is the MOST important consideration when developing a service level agreement (SLA) to mitigate the risk that outsourcing will result in a loss to the business?
ensuring that the business objectives are defined and met
A contract has just been signed with a new vendor to manage IT support services. Which of the following tasks should the information security manager ensure is performed NEXT?
establish vendor monitoring
When outsourcing to an offshore provider, the MOST difficult element to determine during a security review will be:
The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?
laws and regulations of the country of origin may not be enforceable in the foreign country
Which of the following is the MOST important aspect that needs to be considered from a security perspective when payroll processes are outsourced to an external service provider?
privacy requirements are met
Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met?
Which of the following is the MOST important reason that information security objectives should be defined?
tool for measuring effectiveness
Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs?
penetration attempts investigated
The PRIMARY reason for using metrics to evaluate information security is to:
enable steady improvement
Which of the following is the BEST indicator that security controls are performing effectively?
the monthly service level statistics indicate minimal impact from security issues.
Which of the following is the BEST approach for improving information security management processes?
define and monitor security metrics
Reviewing which of the following would BEST ensure that security controls are effective?
The FIRST consideration when developing information security metrics is whether they:
are meaningful to the recipient
Monitoring the information security program primarily ensures that:
information security objectives are achieved
Which of the following ensures that newly identified security weaknesses in an operating system are mitigated in a timely fashion?
Which of the following is MOST effective in preventing the introduction of a code modification that may reduce the security of a critical business application?
Which of the following is the MOST important management signoff for migrating an order processing system from a test environment to a production environment?
When a departmental system continues to be out of compliance with an information security policy's password strength requirements, the BEST action to undertake is to:
conduct a risk assessment to quantify the risk
Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?
operating system (OS) security patches have not been applied
What is the BEST method to verify that all security patches applied to servers were properly documented?
trace OS patch logs to change control requests
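The verification the card above describes is a reconciliation in both directions: every patch the OS logs as installed should map to an approved change request, and every approved change request should have an install record. The block below is an added example, not part of the original set, that does exactly that over constructed data; the log line layout ("<date> <time> <host> installed <patch-id>") and the change-record fields are assumptions for the demonstration, not any vendor's real format.

```python
"""Added example of tracing patch installation logs to change-control requests.
Both the log lines and the change records are constructed; the log line layout
('<date> <time> <host> installed <patch-id>') is an assumption, not a vendor format."""
import re

PATCH_LOG = """\
2024-03-02 01:12:04 srv-db-01 installed patch-2024-0301
2024-03-02 01:15:30 srv-db-01 installed patch-2024-0302
2024-03-02 02:05:11 srv-web-01 installed patch-2024-0301
2024-03-03 23:41:09 srv-web-02 installed patch-2024-0301
"""

CHANGE_REQUESTS = [  # constructed change-control records
    {"id": "CHG-1041", "host": "srv-db-01",  "patch": "patch-2024-0301", "status": "approved"},
    {"id": "CHG-1042", "host": "srv-web-01", "patch": "patch-2024-0301", "status": "approved"},
    {"id": "CHG-1043", "host": "srv-web-02", "patch": "patch-2024-0301", "status": "approved"},
    {"id": "CHG-1044", "host": "srv-db-01",  "patch": "patch-2024-0302", "status": "rejected"},
    {"id": "CHG-1045", "host": "srv-app-01", "patch": "patch-2024-0301", "status": "approved"},
]

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) installed (?P<patch>\S+)$"
)


def parse_patch_log(text):
    """Yield (host, patch, timestamp) for every well-formed log line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["host"], m["patch"], m["ts"]


def reconcile(log_text, change_requests):
    """Match installed patches against approved change requests.

    undocumented: (host, patch) installed with no approved CR for that host
    not_applied:  CR ids that were approved but have no install record in the log
    """
    installed = {(h, p): ts for h, p, ts in parse_patch_log(log_text)}
    approved = {(c["host"], c["patch"]): c["id"]
                for c in change_requests if c["status"] == "approved"}
    undocumented = sorted(k for k in installed if k not in approved)
    not_applied = sorted(cid for k, cid in approved.items() if k not in installed)
    return {"undocumented": undocumented, "not_applied": not_applied}


if __name__ == "__main__":
    findings = reconcile(PATCH_LOG, CHANGE_REQUESTS)
    for host, patch in findings["undocumented"]:
        print(f"UNDOCUMENTED: {patch} installed on {host} without an approved change")
    for cid in findings["not_applied"]:
        print(f"NOT APPLIED: {cid} approved but no install record found")
```

In the constructed data the second patch on srv-db-01 was installed although its change request was rejected, and CHG-1045 was approved but never shows up in the log. Those are the two findings an auditor is looking for when the answer says "trace" rather than "review": each side of the trace catches a different control failure.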
To help ensure that contract personnel do not obtain unauthorized access to sensitive information, an information security manager should PRIMARILY:
avoid granting system administration roles
Which of the following is the MOST appropriate method to protect a password that opens a confidential file?
What is the MOST effective access control method to prevent users from sharing files with unauthorized users?
Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process?
What is the MOST appropriate change management procedure for the handling of emergency program changes?
documentation is completed with approval soon after the change
The PRIMARY focus of the change control process is to ensure that changes are:
In organizations where availability is a primary concern, the MOST critical success factor of the patch management procedure would be the:
testing time window prior to deployment
Managing the life cycle of a digital certificate is a role of a(n):
independent trusted source.
Change management procedures to ensure that disaster recovery/business continuity plans are kept up-to-date can be BEST achieved through which of the following?
inclusion as a required step in the system life cycle process
The "separation of duties" principle is violated if which of the following individuals has update rights to the database access control list (ACL)?
An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download nonsensitive production data for software testing purposes. Assuming that all options are possible, which of the following should the information security manager recommend?
restrict account access to read-only
An organization plans to outsource its customer relationship management (CRM) to a third-party service provider. Which of the following should the organization do FIRST?
perform an internal risk assessment to determine needed controls.
Which of the following would raise security awareness among an organization's employees?
continually reinforcing the security policy
Which of the following measures is the MOST effective deterrent against disgruntled staff abusing their privileges?
signed acceptable use policy
Which of the following is the BEST way to erase confidential information stored on magnetic tapes?
The MOST common reason for an increasing number of emergency change requests is that:
the normal procedures are being bypassed.
Which of the following roles performs the day-to-day duties required to ensure the protection and integrity of data?
The requirement for due diligence is MOST closely associated with which of the following?
appropriate standard of care
What is an appropriate frequency for updating operating system (OS) patches on production servers?
whenever important security patches are released