Answers to Practice Questions

Chapter 1: Enterprise Governance

Practice Question Set 1

Q. 1

Answer: A. Security projects are discussed and approved by a steering committee

Explanation: The involvement of a steering committee in the discussion and approval of security projects indicates that the management is committed to security governance. The other options are not as significant.

Q. 2

Answer: C. The complexity of the organizational structure

Explanation: The information security governance model is primarily impacted by the complexity of the organizational structure. The organizational structure includes the organization's objectives, vision and mission, hierarchy, leadership structure, different function units, and different product lines. The other options are not as significant.

Q. 3

Answer: B. The development of security policies

Explanation: Security policies indicate the intent of the management. The security architecture and various procedures are designed based on these policies.

Q. 4

Answer: C. The business strategy

Explanation: Information security governance should support the business strategy. An organization's security must be aligned with the business objectives.

Q. 5

Answer: C. To prioritize information security projects

Explanation: One of the responsibilities of a steering committee is to discuss, approve, and prioritize information security projects and to ensure that they are aligned with the goals and objectives of the enterprise.

Q. 6

Answer: C. To define the security strategy

Explanation: The first step is to adopt a security strategy. The next step is to develop security policies based on this strategy. The final step is to develop security procedures and guidelines based on the security policies.

Q. 7

Answer: A. To align with the organization's business strategy

Explanation: The most important objective of an information security governance program is to ensure that the information security strategy is in alignment with the strategic goals and objectives of the enterprise. The other options are secondary factors.

Q. 8

Answer: D. An established risk management program

Explanation: An effective and efficient risk management program is a key element of effective governance. A structured risk management program indicates that senior management is aware of the organization's risk appetite and is willing to address unacceptable risks. The other options are not as significant.

Q. 9

Answer: D. The use of a top-down approach

Explanation: In a top-down approach, policies, procedures, and goals are set by senior management, and as a result, the policies and procedures are directly aligned with the business objectives. A bottom-up approach may not directly address management priorities. Initiatives by the IT department and a compliance-oriented approach are not as significant.

Q. 10

Answer: A. To design and develop the security strategy

Explanation: The prime responsibility of the information security manager is to develop the security strategy based on the business objectives in coordination with the business process owner. The review and approval of the security strategy is the responsibility of the steering committee and senior management. The security manager is not directly required to train end users, and budget allocation is the responsibility of senior management.

Q. 11

Answer: D. To align with organizational goals

Explanation: The objective of security governance is to support the business objectives, so the most important factor is to align with organizational objectives and goals.

Q. 12

Answer: B. To understand the objectives of the business units

Explanation: The information security governance program will not be effective if it is not able to address the requirements of the business units. The objective of the business units can be best understood by reviewing their processes and functions. Option A is not correct as security requirements should be aligned with the business and not the other way around. Options C and D are not as significant.

Q. 13

Answer: D. To optimize the security strategy to support the business objectives

Explanation: The primary objective of security governance is to ensure that the business objectives are achieved. Unless the information security strategy is aligned with the business objectives, the other options will not offer any value.

Q. 14

Answer: B. Ineffective governance

Explanation: Governance is the process of having oversight to ensure the availability of effective and efficient processes. A lack of procedures, training, and standards is a sign of ineffective governance.

Q. 15

Answer: C. A framework that provides structure and guidance

Explanation: A framework is a structure intended to support processes and methods. It provides the outline and basic structure rather than detailed processes and methods. Frameworks are generally not intended to provide programming inputs.

Q. 16

Answer: D. To address operational risks

Explanation: The main objective of integrating the security aspect in business processes is to address operational risks. The other options may be considered secondary benefits.

Q. 17

Answer: A. A well-defined organizational structure with necessary resources and defined responsibilities

Explanation: The most important attribute is a well-defined organizational structure that minimizes any conflicts of interest. This ensures better governance. Options B and D are important aspects, but option A is more critical. Option C is not correct, as the security strategy supports the business objectives and not the other way around.

Q. 18

Answer: B. A framework

Explanation: A framework is the most suitable method for developing an information security program as it is more flexible in adoption. Some common frameworks include ISO 27001 and COBIT. Standards, processes, and models are not as flexible as frameworks.

Practice Question Set 2

Q. 1

Answer: B. The culture of the organization

Explanation: The culture of the organization influences the risk appetite, which in turn has a significant influence on the design and implementation of the information security program. The business objectives are important for prioritizing risk treatment; however, the culture of the organization has the greater influence on how the security program is designed and implemented. A pro-risk culture will take a different implementation approach from a risk-averse culture.

Q. 2

Answer: B. Protecting life

Explanation: The most important consideration when developing a control policy is to protect human life. For example, carbon dioxide fire extinguishers should be restricted in areas where employees are working. Also, electric door access should be set to fail open in case of fire. The other options are secondary factors.

Q. 3

Answer: A. Cultural differences

Explanation: Cultural differences and their impact on data security are generally not considered during security reviews. Different cultures have different perspectives on information that is considered sensitive and how it should be handled. This cultural practice may not be consistent with the organization's legal requirements.

Q. 4

Answer: D. The organization's culture

Explanation: The culture of an organization determines its risk appetite. Pro-risk organizations tend to have a higher risk appetite compared to risk-averse organizations. The other options do not directly impact the risk appetite.

Q. 5

Answer: D. Organizational goals

Explanation: The prime objective of a security strategy is to facilitate and support organizational goals. The other options are secondary factors.

Q. 6

Answer: C. The cultures of the different countries

Explanation: Culture plays an important role when designing security policies. Different countries have different cultures, and this impacts their local legal requirements. The organization needs to ensure that the local laws of all the countries are appropriately addressed. The other options are not as significant as the local culture.

Q. 7

Answer: B. The risk appetite of the organization

Explanation: The risk appetite is the level of willingness of an organization to take risks. It sets the boundary of acceptable risk, which also determines the acceptable limit for the organizational standards. The other options do not directly impact the acceptable level of organizational standards.

Q. 8

Answer: C. Collaboration across business lines

Explanation: Collaboration across business lines is of utmost importance to promote a positive information security culture. This will ensure collective effort toward common security goals. The other options are not as significant.

Practice Question Set 3

Q. 1

Answer: D. To determine the information security strategy for BYOD

Explanation: The first step for the information security manager is to determine a strategy to protect the organization from the risks of BYOD. Option A is not feasible, as the role of the security manager is to facilitate business processes by mitigating the risk. Options B and C will be based on the security strategy.

Q. 2

Answer: C. Affected departments

Explanation: Departments affected by new regulations are most likely to raise these requirements. They are in the best position to determine the impact of new regulatory requirements on their processes and the best ways to address them.

Q. 3

Answer: B. The desired outcomes

Explanation: The desired outcomes should dictate the input requirements of an information security program. It is the responsibility of the security manager to ensure that the program is implemented in such a manner that it achieves the desired outcomes. The security strategy should also be based on the desired outcomes of the information security program.

Q. 4

Answer: C. To assess whether existing controls meet the regulation

Explanation: The first step is to determine whether existing controls are adequate to address the new regulation. If existing controls are adequate, the other options are not required.

Q. 5

Answer: D. Identifiable personal data

Explanation: The prime focus of privacy law is to protect identifiable personal data. Identity theft is one way that personal data can be misused. There are other possible consequences too. If analytics are performed on identifiable personal data, it could impact privacy, but only if it violates regulatory provisions.

Q. 6

Answer: A. Determine the processes and activities that may be impacted.

Explanation: The very first step is to determine the processes and activities that may be impacted. Based on this, the security manager can do a risk assessment and determine the level of impact. The other options are subsequent steps.

Q. 7

Answer: A. To the extent that they impact the organization

Explanation: Laws and regulations should be addressed to the extent that they impact the organization, irrespective of whether they are required for certification standards or the requirements of policies.

Q. 8

Answer: B. The evolving data protection regulations

Explanation: Privacy laws vary from country to country, and organizations must comply with the applicable laws in each country where their data is collected, processed, or stored.

Q. 9

Answer: C. Require management to report on compliance

Explanation: The board of directors has oversight responsibilities, and they should monitor compliance. The board would not be directly involved in evaluating various options and the cost of implementation. Furthermore, the board will not directly instruct the information security department.

Q. 10

Answer: D. The threat landscape

Explanation: A threat is something that exploits a vulnerability. Threat factors are not under the control of the organization. Examples of threat factors are hackers, fires, earthquakes, and changes in the regulatory environment. All the listed factors are difficult to estimate and control, but none as much as the threat landscape.

Q. 11

Answer: A. To identify whether the current controls are adequate

Explanation: The first step is to analyze and identify whether the current controls are adequate. If current practices already adhere to the regulations, then there is no need to implement further controls.

Practice Question Set 4

Q. 1

Answer: D. Potential changes in application systems and media

Explanation: The type and nature of application systems and media and their capability to read and interpret different data formats is the most important factor in planning record retention. New application systems may not be able to read and interpret data generated by earlier applications. This is a major risk.

Q. 2

Answer: B. Regulatory and legal requirements

Explanation: Record retention should be primarily based on two factors: business requirements and legal requirements. If a record is required to be maintained for two years as per the business requirements, and three years from the legal perspective, then it should be maintained for three years. Organizations generally design their business requirements after considering the relevant laws and regulations.

Q. 3

Answer: A. It should be analyzed under the retention policy

Explanation: From an information security perspective, such data should be analyzed under the retention policy. It should then be determined whether the data is required to be maintained for business or regulatory reasons. If the data is no longer required, it should be removed in a secure manner.

Q. 4

Answer: D. Implementing comprehensive retention policies

Explanation: E-discovery is the process of identifying, collecting, and submitting electronic records in a lawsuit or investigation. The best way to ensure the availability of electronic records is to implement comprehensive retention policies. A retention policy will dictate the terms of storage and backup of, and access to, the records.

Practice Question Set 5

Q. 1

Answer: B. Better adherence to policy compared to decentralized processes

Explanation: The centralization of information security management will result in greater uniformity and easier monitoring of processes. This in turn will help achieve better adherence to security policies. Decentralized processes are generally more expensive to manage but will be more aligned with business unit requirements. Centralized processes will generally have a slower turnaround for requests due to a larger gap between the information security department and the end user.

Q. 2

Answer: D. Steering committee

Explanation: Senior management members who are on the steering committee are best placed to determine the level of acceptable risk for the organization.

Q. 3

Answer: C. Better alignment with decentralized unit requirements

Explanation: In a decentralized environment, more emphasis is placed on the needs and requirements of business units. Options A and D are more relevant for centralized processes. Decentralized processes may not always ensure compliance with the policy.

Practice Question Set 6

Q. 1

Answer: B. The principle of proportionality

Explanation: The principle of proportionality requires that the access be proportionate to the criticality of the assets and access should be provided on a need-to-know basis. The principle of accountability is important for the mapping of job descriptions; however, people with access to data may not always be accountable. Options C and D are not directly relevant to mapping job descriptions.

Q. 2

Answer: D. Ensuring all security measures are in accordance with the organizational policy

Explanation: The data custodian is responsible for ensuring that appropriate security measures are implemented and are consistent with the organizational policy. The other options are not the responsibility of the data custodian.

Q. 3

Answer: D. Refer the matter to senior management along with any necessary recommendations

Explanation: The best option for a security manager in this case is to highlight the issue to senior management. Senior management will be in the best position to make a decision after considering business and security aspects.

Q. 4

Answer: D. Better accountability

Explanation: Having clearly set-out roles and responsibilities ensures better accountability, as individuals are aware of their key performance areas and expected outcomes. The other options may be indirect benefits, but the only direct benefit is better accountability.

Q. 5

Answer: A. To define and ratify the data classification process

Explanation: The primary role of an information security manager is to define the structure of data classification. They need to ensure that the data classification policy is consistent with the organization's risk appetite. The mapping of data as per the classification is the responsibility of the data owner. Providing security is the responsibility of the data custodian. Confirming proper classification may be the role of the information security manager or the information security auditor.

Q. 6

Answer: D. That security projects are reviewed and approved by the data center manager

Explanation: Security projects should be approved by the steering committee (which consists of senior management). The data center manager may not be in a position to ensure the alignment of security projects with the overall enterprise objectives. This will have an adverse impact on security governance. The approval of the security policy by senior management is seen as an indicator of good governance. Vacant positions are not a major concern. The steering committee meeting on a quarterly basis is also not an issue.

Q. 7

Answer: A. Supporting organizational objectives

Explanation: The main objective of the security manager having a thorough understanding of the business operations is to support the organization's objectives. The other options are specific actions to support the business objectives.

Q. 8

Answer: C. Develop communication channels across the organization

Explanation: The best approach is to develop communication channels that will help in the timely reporting of events as well as disseminating security information. The other options are good practices; however, without an appropriate communication channel, the identification of events may be delayed.

Q. 9

Answer: C. The board of directors and senior management

Explanation: The ultimate responsibility for compliance with legal and regulatory requirements is with the board of directors. The board delegates this responsibility to senior management. The CISO, head of legal, and steering committee implement the directives of the board and senior management, but they are not individually liable for the failure of security.

Q. 10

Answer: B. Conduct a risk assessment

Explanation: The best way to gain the support of senior management is to conduct a risk assessment and present it to management in the form of an impact analysis. A risk assessment will help management to understand the areas of concern. The other options may be considered secondary factors.

Q. 11

Answer: B. The impact on the organization's objectives

Explanation: Security projects should be assessed and prioritized based on their impact on the organization. This will ensure optimum utilization of resources. The other options are secondary factors.

Q. 12

Answer: D. The security administrators

Explanation: The security administrators are custodians of data, and they need to ensure that data is in safe custody. They are responsible for enforcing and implementing security measures in accordance with the information security policy. The data owner and process owner are responsible for classifying the data and approving access rights. However, they do not enforce and implement security controls. The steering committee is not responsible for enforcement.

Q. 13

Answer: D. The data owner

Explanation: The data owner has responsibility for the classification of their data in accordance with the organization's data classification policy. The data administrator is required to implement security controls as per the security policy. The security manager and system auditor oversee the data classification and handling process to ensure conformance to the policy.

Q. 14

Answer: B. Business requirements

Explanation: The primary basis for defining the data retention period is the business requirements as these will already consider any legal and regulatory aspects. If data is not retained as per the business needs, it may have a negative impact on the business objectives.

Q. 15

Answer: B. The local security program should comply with the data privacy policy of the location where the data is collected.

Explanation: Data privacy laws are country specific. It is very important to ensure adherence to local laws, and the organization's data privacy policy cannot supersede the local laws. The organization's privacy policy may not be able to address all the local laws and requirements.

Q. 16

Answer: C. The board of directors

Explanation: The board of directors has the ultimate accountability for information security. The other options, the security administrators, steering committee, and security managers, are responsible for implementing, enforcing, and monitoring security controls as per the directive of the board.

Q. 17

Answer: B. The COO

Explanation: The COO is the head of operational activities in the organization. Operational processes are reviewed and approved by the COO. The COO has the most thorough knowledge of the business operations and objectives and is most likely the sponsor for the implementation of security projects as they have a strong influence across the organization. Sponsoring means supporting the project financially or through products or services. Although the CISO should provide security advice and recommendations, the sponsor should be the COO for effective ground-level implementation.

Q. 18

Answer: D. The business owner

Explanation: The business owner needs to ensure that their data is appropriately protected, and access is provided on a need-to-know basis only. The security officer, data protection officer, and compliance officer can advise on security aspects, but they do not have final responsibility.

Q. 19

Answer: B. The data owner

Explanation: The data owner is responsible for determining the level of security controls for the data, as well as for the application that stores the data. The system owner is generally responsible for platforms rather than applications or data. The system auditor is responsible for evaluating the security controls. The steering committee consists of senior-level officials and is responsible for aligning the security strategy with the business objectives.

Practice Question Set 7

Q. 1

Answer: A. Continuous evaluation, monitoring, and improvement

Explanation: The maturity model requires continuous improvement in the governance framework. It requires continuous evaluation, monitoring, and improvement to move toward the desired state from the current state.

Q. 2

Answer: A. A defined maturity model

Explanation: A defined maturity model will be the best indicator to determine the level of security governance. The maturity model indicates the maturity of the governance processes on a scale of 0 to 5, where Level 0 indicates incomplete processes and Level 5 indicates optimized processes.

Q. 3

Answer: B. The maturity level

Explanation: A defined maturity model is the best indicator to determine the level of security governance. A maturity model indicates the maturity of the governance processes on a scale of 0 to 5, where Level 0 indicates incomplete processes and Level 5 indicates optimized processes.

Practice Question Set 8

Q. 1

Answer: D. Effective metrics

Explanation: Based on effective metrics, organizations evaluate and measure the achievements and performance of various processes and controls. Effective metrics are primarily used for security-related decision-making. The other options are secondary factors.

Q. 2

Answer: B. Trends in incident occurrence

Explanation: Trends in incidents are more valuable from a strategic perspective as they indicate whether a security program is heading in the right direction. The other options are operational metrics.

Q. 3

Answer: C. The number of unplanned business interruptions.

Explanation: The number of unplanned business interruptions is the best indication to evaluate organizational risk by determining how much business may be lost due to interruptions. Annual loss expectancy is based on projections and does not indicate actual value. Security incidents and open vulnerabilities do not reveal impact.

Q. 4

Answer: B. Metrics should be meaningful to the process owner

Explanation: Metrics are measurements used to evaluate and monitor a particular process. Metrics are most effective when they are meaningful to the person receiving the information. The process owner should be able to take appropriate action based on the metrics. Metrics can be either quantifiable or qualitative based on the nature of the process. Options A and D are important, but more significant is the ability of metrics to convey meaning.

Q. 5

Answer: B. A KRI should be arrived at by consistent methodologies and practices

Explanation: A KRI will be effective only if it is arrived at by consistent methodologies and practices. In the absence of this, the KRI will be meaningless as it cannot be compared over different periods of time and hence may not be able to indicate actual risk. The other options are good attributes but do not provide a consistent approach to determine deviation over time.

Q. 6

Answer: D. The strategy helps to achieve the control objectives.

Explanation: The control objectives are developed to achieve an acceptable level of risk. The strategy is effective if the control objectives are met. The other options may be part of the control objectives, but the effectiveness of the security strategy is best measured by evaluating the extent to which the overall control objectives are met.

Q. 7

Answer: C. The key performance indicator

Explanation: Key performance indicators measure how well a process is performing compared to its expectations. The key success factor determines the most important aspects or issues to achieve the goal. The key objective indicator and key goal indicator define the objective set by the organization.

Revision Questions

Q. 1

Answer: D. Reviewing access privileges when an operator's role changes

Explanation: In the absence of access privilege reviews, there is the risk that a single staff member can accumulate excess operational capabilities. This defeats the objective of SoD. To maintain the effectiveness of SoD, it is important to review access privileges regularly and, in particular, whenever an operator's role changes.

Q. 2

Answer: A. To manage the risk to information assets

Explanation: The prime responsibility of an information security manager is to evaluate and manage the information security risk by involving risk owners.

Implementing the security configuration is the responsibility of the asset owner. Disaster recovery testing should be conducted by the process owner, and the closing of vulnerabilities is the responsibility of the asset owner.

Q. 3

Answer: B. Process performance and capabilities

Explanation: Process performance and capabilities provide a detailed perspective of the maturity levels, just like the maturity model. The other options will not help to determine the level of maturity of the process. The Monte Carlo method is a risk assessment method that uses simulations. Vulnerability assessments are used to identify the vulnerability and risk analysis is used to determine the current state of risk. They will not help to determine the maturity of the process.

Q. 4

Answer: A. The information owner

Explanation: The information owner is ultimately responsible for the protection of their data. The information owner is the best person to know the criticality of the data and who should have access to the data. Therefore, information system access should be primarily authorized by the information owner.

Q. 5

Answer: B. The unauthorized modification of logs by the database administrator

Explanation: The DBA will have access to logs if they are stored in the database server. The administrator can modify or delete the log entries, and this is a major cause for concern. The DBA should not have access to logs related to the database. Backing up the logs will address the issue of server crashes. Log capturing may not always impact transaction processing. If critical information is not captured in logs, it is a design failure and has nothing to do with log entries being stored in the production database.

Q. 6

Answer: B. The organization is committed to its responsibility for information security

Explanation: Appointing a CISO indicates that the organization wants to have a clear line of responsibility for information security. Information security is one of the focus areas of the organization. Having a CISO does not impact the role of senior management. Even if the CISO is appointed, accountability lies with the board of directors. The CISO is generally not accountable for technology projects.

Q. 7

Answer: A. To address the security gaps that exist between assurance functions

Explanation: Whenever there are shared responsibilities for information security, gaps tend to exist. Integrating the roles and responsibilities is the best way to address these gaps and ensure consistent risk management. The other options are secondary factors.

Q. 8

Answer: A. To verify that only approved changes are made

Explanation: In the absence of SoD, the best compensatory control is to ensure that only approved changes are made by the employee. This verification can either be done for all cases or on a sample basis depending on the risk involved. The review of logs by the manager may not be meaningful as an employee can manipulate the logs and hide activities from the supervisor. Penetration tests and risk assessments may not be able to detect unauthorized activities.

Q. 9

Answer: B. To determine the level of classification for their data

Explanation: The information owner is required to determine the level of classification for their respective data. Based on its classification, the system administrator implements the required security measures and data backups. The information owner may delegate the process of classification to some other responsible employee but not to the system administrator.

Q. 10

Answer: C. Senior management

Explanation: Senior management has the final responsibility for the effectiveness of the organization's security measures. Although the authority to implement, monitor, and evaluate the security measures is delegated to the security administrator, CISO, and information security auditor, the responsibility cannot be delegated. The final responsibility rests with senior management.

Q. 11

Answer: C. Assigned accountability

Explanation: If accountability is properly assigned and made known to the individuals, individuals will be more proactive and concerned about their responsibilities, and this will ensure that duties are properly carried out.

Q. 12

Answer: D. All organizational units

Explanation: Every employee is required to comply with security policies and standards, as applicable to their performance areas. Though the CISO and senior management monitor the level of compliance, all organizational units should adhere to policies and standards.

Q. 13

Answer: C. The adoption of a maturity model

Explanation: A maturity model such as the CMM can be used to determine the maturity level of the risk management process from Level 0 (that is, initial) to Level 5 (that is, optimized). The organization can know under which level the process falls and can gradually move toward higher levels, thereby improving their risk management process. The other options are secondary factors.

Q. 14

Answer: A. All personnel

Explanation: It is the responsibility of all personnel to adhere to the security requirements of the organization.

Q. 15

Answer: C. Senior management

Explanation: Senior management is in the best position to understand the key business objectives and how they should be protected through policies and procedures. Other officials (for example, the operations manager, CISO, and CTO) may provide necessary inputs, but final approval should be provided by senior management.

Q. 16

Answer: C. Implementing the principle of least privilege

Explanation: The most effective method to protect the confidentiality of information assets is to follow the principle of least privilege. The principle of least privilege ensures that access is provided only on a need-to-know basis, and it should be restricted for all other users. The other options are good measures; however, in the absence of the principle of least privilege, they may not be effective.

Q. 17

Answer: C. Better alignment with decentralized unit requirements

Explanation: In a decentralized environment, more emphasis is placed on the needs and requirements of business units. Options A and D are more relevant to centralized processes. Decentralized processes may not always ensure compliance with the policy.

Chapter 2: Information Security Strategy

Practice Question Set 1

Q. 1

Answer: B. To evaluate the current business strategy

Explanation: The first step for an information security manager is to understand and evaluate the current business strategy. This is essential to align the information security plan with the business strategy. The other options are subsequent steps.

Q. 2

Answer: D. Desired future state of information security

Explanation: A strategy plan should include the desired level of information security. This desired state will impact options A and B. A mission statement is a high-level statement that may not indicate the detailed desired state for information security.

Q. 3

Answer: B. To support the business objectives

Explanation: The primary objective of any security strategy is to support the business objective. Thus, it should be aligned with business objectives. Other options are secondary objectives.

Q. 4

Answer: B. Security objectives and processes

Explanation: A security strategy consists of the desired security objectives and the supporting processes, methods, and relevant tools and techniques. The other options are not as significant.

Q. 5

Answer: C. To establish a local version of the organization's policy

Explanation: The best way to tackle such a situation is to establish a local version of the policy that is aligned with local laws and regulations. The other options are not sensible.

Q. 6

Answer: B. To conduct a self-assessment using regulatory guidelines and reports

Explanation: Self-assessment is the best way to determine the readiness and remediation of non-compliant items. This will help the organization prepare for regulatory review. The other options are not as effective as option B.

Q. 7

Answer: C. The chief information security officer

Explanation: Generally, the CISO is responsible for enforcing the information security policy. The steering committee monitors the enforcement process but is not responsible for enforcement. The steering committee ensures that the security policy is aligned with business objectives. The chief technical officer and compliance officer may be involved to some extent in the enforcement of the policy but are not directly responsible for it.

Q. 8

Answer: A. Design and develop an information security strategy

Explanation: The CISO is primarily responsible for designing and developing the organization's information security strategy. The other functions are normally carried out by IT and operational staff.

Q. 9

Answer: D. Aligned with business strategy

Explanation: The timeline for an information security strategic plan should be designed and aligned with the organization's business strategy. The other options should be secondary considerations. The business strategy and requirements should be the primary consideration.

Q. 10

Answer: A. Emphasizing the organizational risk

Explanation: Emphasizing the organizational risk and its impact on the business objectives is the best way to gain commitment and support from senior management. The other options are secondary factors.

Q. 11

Answer: A. To manage the risks impacting business objectives

Explanation: The primary objective of a security strategy is to manage and reduce any risk that could impact the business objectives. It is not feasible to mitigate risks to zero. The transfer of risks to insurers and developing a risk-aware culture may also be aspects of managing risk.

Q. 12

Answer: A. A conflict of security controls with business requirements

Explanation: This is an example of a conflict between security controls and business requirements. In this case, the security controls are not supporting the business needs. Controls should not restrict employees' ability to perform their jobs.

Q. 13

Answer: C. Defining the scope

Explanation: The first step should be to define the scope of the strategy. Scope means determining the extent of functions/units/departments to be covered in the strategy. The other options are subsequent steps to be performed.

Q. 14

Answer: B. To support the business objectives and goals of the enterprise

Explanation: The most important objective of an information security strategy is that it should support the objectives of the organization. The other options are secondary objectives.

Q. 15

Answer: A. Defined objectives

Explanation: Defined objectives are the most important element. Without objectives, a strategy to achieve the objectives cannot be developed. Policies are developed after the strategy. Having a defined time frame and framework is not as important.

Q. 16

Answer: D. The information security strategy may not be aligned with business requirements.

Explanation: The security steering committee monitors and controls the security strategy. In the absence of inputs from user management (the user department), the developed strategy may not support the business requirements. Other options are not as significant as the strategy not supporting the business requirements. User training and budget allocation are not normally under the purview of the steering committee.

Q. 17

Answer: C. To review the risk assessment with senior management for final consideration

Explanation: Senior management will be in the best position to evaluate the impact of the risk on business requirements. They will be able to balance security and business processes. The other options would not address the issue.

Q. 18

Answer: D. Direct traceability

Explanation: Direct traceability is the best way to ensure that business and security objectives are connected and that security is adding value to the business objectives. The other options are not as good as traceable connections.

Q. 19

Answer: B. Senior management

Explanation: The overall accountability resides with senior management, though they may delegate this responsibility to different functions. The security administrator and system administrator support the security objectives of senior management.

Q. 20

Answer: A. To understand the key business objectives

Explanation: Understanding key business objectives is the most critical factor in aligning any security strategy with the business strategy, as the security strategy should support business objectives. The other options are secondary factors.

Practice Question Set 2

Q.1

Answer: A. Financial performance

Explanation: The IT BSC considers factors such as customer satisfaction, innovation capacity, and internal processes. Financial performance is not part of an IT balanced scorecard.

Q. 2

Answer: B. Defining key performance indicators

Explanation: To measure the performance of IT services, it is necessary to define the key performance areas along with benchmarks for the expected performance level. The other options are objectives of an IT BSC.

Q. 3

Answer: C. Absence of IT alignment with business objectives

Explanation: A major risk can be the absence of IT alignment with business objectives. A steering committee should exist to ensure that IT strategies support the organization's goals.

Q. 4

Answer: D. To improve performance

Explanation: The primary objective of an IT measurement process is to optimize the performance of IT services. An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability, and make budget decisions. The other options are aspects of performance measurement but not primary objectives.

Practice Question Set 3

Q. 1

Answer: C. To evaluate and determine the correlation between the solution and the business objectives

Explanation: The first step should be to assess and determine that the proposed solution is aligned with the business objectives and requirements. Once this is established, the other options can follow.

Q. 2

Answer: D. Mitigate the risks impacting the business.

Explanation: The most important objective of an information security program is to reduce any risk and its impact on business objectives. The other options are secondary factors.

Q. 3

Answer: B. Aligning and integrating development activities

Explanation: A strategy is a roadmap to achieve objectives. Various implementation activities can be aligned and integrated based on a developed strategy to achieve security objectives more effectively and efficiently. The other options may be secondary factors.

Q. 4

Answer: A. A higher amount of vulnerabilities being exploited

Explanation: A threat by itself cannot harm the organization unless it finds a vulnerability in the system to exploit. Detective controls will not be able to prevent the event. The absence of a system audit is an unlikely explanation for an increase in the number of security events.

Q. 5

Answer: A. To protect information assets in accordance with the business strategy and objectives

Explanation: The primary objective of an information security program is to align the security implementation with an organization's business strategy and objectives. An information security program is not limited to only operational risks. It should also consider the confidentiality, integrity, and availability of assets. A security policy is developed as a part of a security program to achieve the protection of information assets.

Q. 6

Answer: A. An organization cannot completely depend on technical controls to address faulty processes.

Explanation: Structured and resilient processes, in addition to technical controls, are the most effective way to manage and address the risk. The right combination of management, administrative, and technical controls is the most effective and efficient way to address the risk.

Q. 7

Answer: A. To improve the integration of business and security processes

Explanation: The integration of security governance and overall governance is the best way to ensure that key business processes are well protected. The other options are actions that may arise due to close integration between business and security processes.

Q. 8

Answer: B. To ascertain the need for creating the program

Explanation: The first step is to justify the need for the program by conducting a cost-benefit analysis. Once the requirement of the program is established, the other options may be acted upon.

Practice Question Set 4

Q. 1

Answer: B. Business goals and objectives

Explanation: Security architecture should primarily be aligned with business goals and objectives. The other options may be secondary considerations.

Q. 2

Answer: A. To understand the IT architecture and portfolio

Explanation: The first step for the security manager is to understand and evaluate the IT architecture and portfolio. Once they have a fair idea of the IT architecture, they can determine the security strategy. The other options are to be followed once the security strategy is defined.

Practice Question Set 5

Q. 1

Answer: B. To improve risk management

Explanation: GRC is implemented by integrating interrelated control activities across the organization for improving risk management activities. The other options are secondary objectives.

Q. 2

Answer: A. To synchronize and align an organization's assurance functions

Explanation: GRC is an effort to synchronize and align the assurance activities across the organization for greater efficiency and effectiveness. The other options can be considered as secondary objectives.

Q. 3

Answer: B. IT, finance, and legal

Explanation: Though GRC programs can be applied in any function of the organization, they primarily focus on the financial, IT, and legal areas. Financial GRC focuses on effective risk management and compliance for finance processes. IT GRC focuses on IT processes. Legal GRC focuses on enterprise-level regulatory compliance. GRC is mainly focused on these three areas to ensure that regulatory requirements are adhered to and that risk is appropriately addressed.

Practice Question Set 6

Q.1

Answer: A. A cost-benefit analysis

Explanation: Senior management is more interested in the benefits derived from the budget, so a cost-benefit analysis is the most important factor. The other options are also important considerations while evaluating and approving the budget.

Q. 2

Answer: C. Approving policy statements and funding

Explanation: A policy statement contains the intent and direction of the management. Senior management should approve policy statements and provide a sufficient budget to achieve the organization's information security objectives. Management may be involved in evaluating products, risk assessments, and mandating information security audits, but their primary role is to provide direction, oversight, and governance.

Q. 3

Answer: A. They support the requirements of all key business stakeholders

Explanation: Information security should support the achievement of organizational objectives by minimizing business disruptions. When information security supports the requirements of key business units, there is alignment. The IT department is one of the stakeholders. The other options are secondary factors.

Q. 4

Answer: D. Explain the impact of security risks on key business objectives

Explanation: Senior management is more concerned about the achievement of business objectives and will be keen to address all the risks impacting key business objectives. The other options will not be as effective.

Q. 5

Answer: C. Developing a business case

Explanation: A business case contains the need and justification for the project. It will be the most important document to gain support from senior management. The other options will not be as effective.

Q. 6

Answer: C. To conduct periodic reviews of alignment between security and business goals

Explanation: The most effective way is to ensure that the security program continues to be aligned with and supports business objectives. This is critical for continued management support. Other options will not have as much of an effect on management.

Q. 7

Answer: C. To consider a cost-benefit analysis

Explanation: The most effective way to justify the budget is to consider a cost-benefit analysis. The other options may be considered while conducting a cost-benefit analysis.

Q. 8

Answer: B. Review and approval of risk management methodologies

Explanation: Management involvement in the review of risk management methodology is the best indicator of management support and commitment to effective information security. The other options do show some level of management support and commitment but are not the best indicators.

Q. 9

Answer: D. Enhanced business value

Explanation: The objective of security investment is to increase business value by reducing business disruptions and losses and by improving productivity. The protection of information assets is one of the elements of enhanced business value.

Q. 10

Answer: C. The chief operating officer

Explanation: The steering committee should be sponsored by an authority who is well versed in the business objectives and strategy. The chief operating officer has the most knowledge of business operations and objectives and is in the best position to align the security strategy with business objectives.

Q. 11

Answer: B. A value analysis

Explanation: Any investment should be able to provide value to the business. The primary driver for investment in an information security project is a value analysis and having a sound business case. The other options are secondary factors.

Q. 12

Answer: A. Senior management commitment

Explanation: Support and commitment from senior management is the most important prerequisite. Without that, the other options may not add value to an information security program.

Q. 13

Answer: C. The steering committee

Explanation: The steering committee consists of senior officials from different departments. They are well informed about business objectives and strategy. They can ensure that security governance is aligned with the business strategy and objectives.

Q. 14

Answer: B. Strong management support

Explanation: Intention and support from senior management are of utmost importance to changing an organization's security culture. In the absence of management support, the other options will not add value.

Q. 15

Answer: D. A lack of high-level sponsorship

Explanation: A lack of high-level sponsorship means a lack of commitment and support from senior management. Support from senior management is a prerequisite for effective security governance. With high-level sponsorship, budget constraints and business priorities can be set right.

Q. 16

Answer: A. To survey the business stakeholders

Explanation: Discussions with key business stakeholders will provide an accurate picture of the alignment of security programs with supporting business objectives. Incident trends will help you understand the effectiveness of security programs, but they are not directly about alignment. A business case is prepared at the time of initiation of the project and a discussion with business owners will help you understand whether alignment, as indicated in the business case, is being adhered to.

Q. 17

Answer: D. Reviewing the business balanced scorecard

Explanation: Reviewing the business balanced scorecard will help to determine the alignment of the security goals with the business goals. The business scorecard contains important metrics from the business perspective. The other options do not address the alignment directly.

Q. 18

Answer: A. Support from senior management

Explanation: The most important factor in the successful implementation of an organization's information security program is support and commitment from senior management. The other options are secondary factors. Without appropriate support, it will be difficult for the program to achieve the desired objectives.

Q. 19

Answer: A. A periodic survey of management

Explanation: A survey of management is the best way to determine whether the security program supports the business objectives. Achieving strategic alignment means that the business process owners and managers believe that the organization's information security is effectively supporting their goals. If business management is not confident in the security programs, the information security manager should redesign the process to provide value to the business. The other options do not directly indicate strategic alignment.

Q. 20

Answer: C. Maximize the cost-effectiveness of the control

Explanation: Alignment ensures that assurance functions are integrated to maximize cost-effectiveness. A lack of alignment can result in duplicate or contradictory controls, which would negatively impact cost-effectiveness. The other options are secondary factors.

Q. 21

Answer: C. Discuss with senior management to understand their concerns.

Explanation: The best method to address the concern is to first discuss it with senior management and try to understand the area of concern. Based on that, the program can be redesigned to be more meaningful for the management.

Practice Question Set 7

Q. 1

Answer: A. Appropriate justification

Explanation: The objective of a business case is to justify the implementation of any new project. Justifications can be either the results of a gap analysis linked to a legal requirement or expected annual loss, or any other reason.

Q. 2

Answer: C. To define the need

Explanation: The first step in developing a business case is to define the need for and justification of the project. Without defining the need for the new project, the other options cannot be evaluated and determined.

Q. 3

Answer: C. Developing a business case

Explanation: A business case contains the need and justification for the project. It will be the most important document to gain support from senior management. The other options will not be as effective.

Q. 4

Answer: D. Whether the technology provides benefits in comparison to its costs

Explanation: A technology should provide benefits by mitigating risk and at the same time it should be cost-effective. A technology should be effective as well as efficient. If the technology is not cost-effective, then it will not be meaningful even if it mitigates the risk.

Q. 5

Answer: A. Technical requirements

Explanation: Business requirements are the most important aspect for an information security manager, followed by privacy and other regulatory requirements. Regulatory requirements and privacy requirements are more important for a security manager compared to technical requirements.

Q. 6

Answer: C. A business case

Explanation: A business case contains the need and justification for the proposed project. It helps to illustrate the costs and benefits of the project. The other options can be considered as part of the information required in the business case.

Q. 7

Answer: B. To demonstrate the project's value and benefit

Explanation: It is very important and challenging to include the value and benefit in a business case in a manner that convinces senior management. Technical aspects are generally not covered in the business case. Risk scenarios and comparative data can be used to demonstrate value and benefit.

Q. 8

Answer: A. Develop and present a business case

Explanation: All options are important, but a significant aspect is developing and presenting a business case to demonstrate that the security initiative is aligned to the organization's goals and that it provides value to the organization. A business case includes all the given options.

Q. 9

Answer: D. To define issues to be addressed

Explanation: The first step in the development of a business case is to understand the issues that need to be addressed. Without clear requirements being defined, the other options may not add value.

Q. 10

Answer: D. Feasibility and value proposition

Explanation: The most important basis for developing a business case is the feasibility and value proposition. It helps to determine whether a project should be implemented. The feasibility and value proposition indicate whether the project will be able to address risks with an effective ROI and whether it will help to achieve the organizational objectives.

Q. 11

Answer: A. To develop and present a business case

Explanation: A business case is the best way to present the link between a new security project and an organization's business objective. Senior management is keen to protect and achieve the business objectives. If they see value in the project in terms of business support, there will not be any reluctance. Risk scenarios should be considered as a part of the business case. Other options will not be effective to address this concern.

Q. 12

Answer: D. A cost-benefit analysis

Explanation: A cost-benefit analysis will be the best way to make a decision. It indicates the cost of implementing the control and the expected benefit from the investment. The cost of a control should not exceed the benefit to be derived from it. The risk assessment is a step prior to the evaluation and implementation of a control. In security parlance, ROI is difficult to calculate as returns are in the form of safety and security.

Q. 13

Answer: B. A detailed business case

Explanation: A business case is the justification for the implementation of the program. It contains the rationale for making an investment and indicates the cost of the project and its expected benefits. The other options by themselves are not sufficient to justify the information security program. User acceptance may not always be reliable for a security program, and security and performance often clash.

Q. 14

Answer: C. A well-developed business case

Explanation: A business case is the justification for the implementation of a program. It contains the rationale for making an investment and indicates the cost of the project and its expected benefits. The other options by themselves are not sufficient to justify the information security budget.

Q. 15

Answer: C. Implementation benefits

Explanation: A business case is the justification for the implementation of the program. It contains the rationale for making an investment and indicates the cost of the project and its expected benefits. The other options by themselves are not sufficient to justify the information security budget.

Revision Questions

Q. 1

Answer: C. Effectiveness in mitigating risk

Explanation: The most important factor is the effectiveness of the information security program in addressing the risk impacting the business objectives. The other options are secondary factors. Even a considerable budget will be meaningless if a security program is not effective in mitigating risks.

Q. 2

Answer: A. The requirements of the desired state

Explanation: The objective of a security strategy can be best described as what is required to achieve the desired state. It is not restricted to only key processes or loss expectations.

Q. 3

Answer: B. Aligning with business objectives and risk appetite

Explanation: The risk management strategy should support and be aligned with the business objectives and risk appetite of the organization. The other options are not as significant.

Q. 4

Answer: B. The perspective of the whole being greater than the sum of its individual parts

Explanation: Systems thinking, in terms of information security, refers to the idea that a system is greater than the sum of its individual parts.

Q. 5

Answer: C. To determine the objectives of the security strategy

Explanation: Determining the objectives of the security strategy is a must before any other steps are taken, as all other steps are developed based on this strategy. The other factors are important but not as significant.

Q. 6

Answer: B. Trends in incident occurrence

Explanation: Trends in incident occurrence will be more valuable from a strategic perspective as they will indicate whether a security program is headed in the right direction or not. The other options are more like operational metrics.

Q. 7

Answer: A. Resource utilization is high

Explanation: Value delivery means designing a process that brings the maximum benefit to the organization. It indicates high utilization of the available resources for the benefit of the organization. The other options by themselves do not indicate value delivery.

Q. 8

Answer: C. The current state of security and future objectives

Explanation: It is very important to understand the current state of security and the desired future state or objective. In the absence of clearly defined objectives, it will not be possible to develop a strategy. The other options are important but not as significant.

Q. 9

Answer: A. Whether the strategy supports the business objectives

Explanation: The most important objective of a security strategy is to support the business requirements and goals. The strategy should support the business objectives. The other options are secondary objectives.

Q. 10

Answer: A. To determine the goals of security and the plan to achieve them

Explanation: The primary objective of a security strategy is to set out the goals of the information security program and the plan to achieve these goals. The budget is linked with security objectives. A strategy is a high-level management intent and does not generally include implementation aspects as mentioned in options B and C.

Q. 11

Answer: C. Security strategy

Explanation: The security strategy is the guiding force for the implementation of a security program. The roadmap detailing security implementation (that is, procedures, resources, timelines, and so on) is developed based on the strategy. The other options may be input factors for designing the strategy. However, once a strategy is developed, it is considered to be the overall guiding principle for the implementation of a security program.

Q. 12

Answer: C. Changes in management intent and direction

Explanation: A policy reflects the intent and direction of the management. Any changes in management intent should also be appropriately addressed in the policy. Changes in regulation and baseline should be addressed in procedures, guidelines, and standards. Changes in culture may or may not impact the policy; however, management intent is more significant here.

Q. 13

Answer: B. Ensuring that residual risk is kept within acceptable levels

Explanation: Residual risk is the risk that remains after controls are implemented. One of the objectives of a security strategy is to ensure that residual risks are well within the acceptable limit. This reassures management. The other options are not as significant as residual risk being within acceptable levels.

Q. 14

Answer: D. The strategy helps to achieve the control objectives

Explanation: Control objectives are developed to achieve an acceptable level of risk. A strategy is considered effective if control objectives are met. The other options may be a part of a control objective, but effectiveness is best measured by evaluating the extent to which the overall control objectives are met.

Q. 15

Answer: B. Concerns regarding the organization's liability

Explanation: The involvement of board members in information security initiatives indicates good governance. The liability of directors can be protected if the board has exercised due care. Many laws and regulations make the board responsible in cases of data breaches. Even a cybersecurity insurance policy requires the board to exercise due care as a precondition for insurance coverage. The board is not required to involve themselves in routine compliance and policy implementation processes.

Q. 16

Answer: C. Key performance indicator

Explanation: A key performance indicator is a measure to determine how well a process is performing compared to expectations. A key success factor determines the most important aspects or issues to achieve the goal. A key objective indicator and key goal objective define the objectives set by the organization.

Q. 17

Answer: D. Reviewing the business balanced scorecard

Explanation: The business balanced scorecard contains many important metrics from the perspective of the business. Reviewing these metrics will help in determining whether the security goals are in line with the goals of the business. The other options do not directly address alignment between the two.

Q. 18

Answer: C. To ensure that the security goals are derived from the business goals

Explanation: Security goals should be developed based on the overall business objective. The security strategy should support the business goals and objectives.

Q. 19

Answer: C. Control objectives being met

Explanation: "Baseline" means the basic standard to be complied with. In a mature organization, it is expected that the control objectives of security should be met. The other options may be part of the control objectives, but all objectives defined should be met in a mature organization.

Q. 20

Answer: D. Difficulty in monitoring compliance with laws and regulations

Explanation: The area of most concern is compliance with laws and regulations. Security managers need to ensure that local laws are appropriately addressed. Local laws vary from country to country, and sometimes they might be in conflict with the organization's global security requirements. Non-compliance with laws and regulations may have a major impact on business processes. The other options are not as significant.

Q. 21

Answer: A. An abnormal deviation in employee attrition rate

Explanation: A sudden increase in the employee attrition rate indicates some suspicious activity that requires the attention of the security manager. For example, if a large number of developers are leaving the organization, it may indicate that a competitor is trying to obtain the organization's development plan. A large number of viruses and filtered packets may indicate a change in the threat environment; however, there would be no impact, as those would have been controlled by the antivirus software or the firewall. A low number of security officers does not necessarily indicate a risk.

Q. 22

Answer: C. The business priorities

Explanation: Senior management will be more interested in understanding how the security strategy is supporting the business objectives, that is, whether the top-level goals and objectives are being supported by security. The other options are not relevant at the strategic level.

Q. 23

Answer: B. To design a tailored methodology based on exposure

Explanation: The classification of data in accordance with its value and exposure, followed by the development of a strategy for each class, is the best process for effective data protection. This will address the risk of under-protection as well as over-protection of data. Vulnerability assessments do not consider threat and other factors that impact the risk treatment. Insurance policies and industry practices may be considered based on risk and the classification of data.

Q. 24

Answer: D. Discuss the relationship between the security program and business goals.

Explanation: Senior management is keen to protect and achieve the business goals and objectives. If they see value in the project in terms of business support, there will not be any reluctance. The other options can be secondary factors.

Q. 25

Answer: C. Alignment with the goals set by the board of directors

Explanation: A security strategy is said to be successful if it supports the achievement of goals set up by the board of directors. The other options do not directly indicate that the security program is successful.

Q. 26

Answer: D. To demonstrate support for the desired outcome

Explanation: Demonstrating support for the desired outcome is the best approach. This can be done by demonstrating improvements in performance metrics related to business objectives. Senior management is keen to protect and achieve the desired outcome in the form of business goals and objectives. The other options are secondary factors.

Chapter 3: Information Risk Assessment

Practice Question Set 1

Q. 1

Answer: A. The magnitude of impact

Explanation: To determine the risk level, two things are required, i.e., the probability (likelihood) of the event and the impact of the event. Risk is the product of probability and impact. Once the likelihood has been determined, the next step is to assess the magnitude of the impact. Once the level of risk is determined, it can be compared against risk appetite and risk tolerance.

Q. 2

Answer: B. Likelihood and consequences

Explanation: To determine the level of risk, two things are necessary: the probability of an event happening and the impact if it does take place. Risk is the product of probability (likelihood) and impact (consequence).

Q. 3

Answer: C. Reduction in the likelihood of being exploited

Explanation: Reducing the exposure refers to keeping the information assets away from public reach. For example, consider a sensitive database that was previously accessible through the public internet but now is not. This reduction in exposure will reduce the likelihood of this database being exploited. However, this will not automatically reduce other vulnerabilities. Also, it will not reduce the impact if the database is compromised.

Practice Question Set 2

Q. 1

Answer: D. Management may have concerns that the stated impact is underestimated.

Explanation: The most likely reason is that management has doubts regarding the estimation of the level of risk. In such cases, management might choose to mitigate the risk even if it is within the risk tolerance level. It is much less likely that the board requires all risks to be mitigated. This is neither practical nor feasible. Also, management generally accepts risks if they are within the organization's risk appetite. There is no sense in addressing any risk that is within the risk appetite even if the treatment is cost effective.

Practice Question Set 3

Q. 1

Answer: C. To determine whether the residual risk is acceptable

Explanation: Once the residual risk is determined, the next step is to validate whether it is acceptable or not. If it is within the risk appetite, it can be accepted. Otherwise, further controls would need to be implemented to reduce it.

Q. 2

Answer: A. Organizational requirements

Explanation: The acceptable level of risk is determined by the overall organizational requirements. Organizational requirements refer to what the organization wants to achieve by taking the risk. The other options may not directly determine the acceptable level of IT risk.

Q. 3

Answer: B. The residual risk level is less than the acceptable risk level

Explanation: Controls are said to be effective when the residual risk is less than the acceptable risk level. Residual risk is the risk that remains after controls have been implemented. The acceptable level of risk is the management's willingness to take a risk.

Q. 4

Answer: A. Management discretion

Explanation: Residual risk means the risk that management is willing to accept. It is ultimately subject to the management's discretion. The objective of a risk management program is to ensure that the risks applicable to the organization are brought down to an acceptable level by the implementation of various mitigation strategies. It is not possible to completely eliminate all inherent or control risks.

Practice Question Set 4

Q. 1

Answer: D. Context and purpose of the program

Explanation: The first step is to establish the context and purpose of the risk management program. Management support can be gained only if the program has appropriate context and purpose. Security policy and assignment of an oversight committee are subsequent steps.

Q. 2

Answer: A. It provides the basis for selecting the risk response

Explanation: A risk evaluation determines whether any risk is within the acceptable range or whether it should be mitigated. Based on this evaluation, risk responses are decided.

Q. 3

Answer: D. To decrease the level of impact

Explanation: The most important objective of a risk response is to ensure that the impact of the risk is within acceptable levels. Lowering the vulnerability or addressing the threat is one of the approaches to controlling the risk's impact. The objective of a risk response is not to decrease the cost of control.

Q. 4

Answer: D. To assess the level of exposure and plan the remediation

Explanation: In a risk analysis, the impact and level of risk are determined (i.e., high, medium, or low). Risk analysis helps determine the exposure and helps to plan for remediation. The prioritization of assets, justification of the security budget, and determining the residual risks are indirect benefits of risk analysis but not the main objectives.

Q. 5

Answer: C. The organization can minimize the residual risk

Explanation: The prime objective of a risk management program is to minimize residual risk so that it is within the organization's risk appetite. It is not practical and/or feasible to eliminate inherent risk. Quantification and monitoring of risks are good indicators of a successful risk management program; however, they are not as significant.

Practice Question Set 5

Q. 1

Answer: B. To reduce risk to an acceptable level

Explanation: The most effective strategy for risk management is to reduce the risk to an acceptable level. This will help the organization manage risks according to its risk appetite. It may not always be practical to achieve a balance between the risks and the business goals. Developing a policy statement and documenting risks are not as significant.

Q. 2

Answer: A. To provide training to the assessor

Explanation: The best approach to reduce the subjectivity of the risk assessment is to provide frequent training to the risk assessor. It improves their accuracy. Without appropriate training, the other options may not be effective.

Q. 3

Answer: D. To achieve an acceptable level of risk

Explanation: The main objective of a risk management program is to ensure that the risk is within a level that is acceptable to management. If the inherent risk is already within the acceptable level, there is no need to further reduce it. It is not practical or feasible to eliminate all risks. The ultimate objective of establishing an effective control is to ensure that risks are within the agreed acceptable level.

Q. 4

Answer: D. If the program is supported by all members of the organization

Explanation: For effective risk management, the most important criterion is that the program should be supported by all the members of the organization. All staff members should be able to understand their roles and responsibilities with respect to risk management. The other options are secondary criteria.

Q. 5

Answer: B. An acceptable level

Explanation: The objective of a risk management program is to reduce the risk to a level that is acceptable to management. Reducing the risk to zero or eliminating all hazards is not possible. Industry-adopted standards may not always be acceptable.

Q. 6

Answer: C. The risk is within the risk tolerance level

Explanation: Risk tolerance is the acceptable level of deviation from the risk appetite. Generally, risk tolerance is slightly higher than risk appetite. The other options are not the main factors for ignoring a risk.

Q. 7

Answer: A. All organizational processes

Explanation: Risk management should be applied to all the processes within the organization. Whether a risk level is acceptable can be determined only when the risk is known.

Q. 8

Answer: D. Risk activities being embedded in business processes

Explanation: The main objective of a risk management process is to ensure that any risk is identified and mitigated in a timely manner. This can best be done by embedding the risk activities in all business processes. The other options are not as significant.

Practice Question Set 6

Q. 1

Answer: B. On a continuous basis

Explanation: The effectiveness of a risk assessment increases if it is conducted on a continuous basis. This helps the organization address any emerging risks and other significant changes in the business environment. It must be noted that risk assessment is not a one-time activity.

Q. 2

Answer: D. Annually or whenever there is a significant change

Explanation: The risk environment for any organization changes constantly. The most effective risk assessment frequency is annual or whenever there is a significant change. This helps to assess risks within a reasonable timeframe and allows the flexibility to assess risks when there are significant changes. Risk assessment is applicable to all processes, not just critical business processes.

Q. 3

Answer: C. To address the constantly changing risk environment

Explanation: A change in the risk environment introduces new threats and vulnerabilities to the organization. To address this, risk assessments should be conducted on a continuous basis. The other options are not the prime objectives for conducting risk assessments.

Q. 4

Answer: C. A risk assessment

Explanation: Risk assessments help determine the impact of a vulnerability, and based on the impact, necessary remedial measures can be decided. The other options will not help determine the impact of the vulnerability.

Q. 5

Answer: A. To justify the selection of risk mitigation strategies

Explanation: Risk assessments help determine the impact of a vulnerability, and based on the impact, necessary remedial measures can be decided. They help to justify the selection of risk mitigation strategies.

Q. 6

Answer: C. Evaluating both monetary value and likelihood of loss

Explanation: Risk is the combination of two components: probability (likelihood) and impact. Both components are essential for the analysis of risk. Hence, likelihood and impact are the primary elements to be determined in a risk analysis.

Q. 7

Answer: A. To address constantly changing business threats

Explanation: The business environment changes constantly and new threats emerge. Therefore, risk assessments should be repeated at regular intervals.

Q. 8

Answer: D. Performing a risk assessment

Explanation: A risk assessment will help the organization to determine any new risks introduced by the migration of IT operations to an offshore location. The new risks may be in the form of non-adherence to regulations, overspending, or perhaps some operational aspects.

Q. 9

Answer: D. A list of risks that may impact the organization

Explanation: A risk assessment helps to derive a list of all the applicable risks impacting the organization.

Q. 10

Answer: A. Consequences

Explanation: If there are no impacts or consequences of the exploitation of a vulnerability, then there is no risk. Risk analysis, risk evaluation, and risk treatment are primarily based on the impacts of a risk.

Q. 11

Answer: A. In the case of material control failure

Explanation: A material control failure indicates that the control was not designed and monitored properly. It requires a full reassessment of the risk. The other options do not require a full reassessment.

Q. 12

Answer: D. To determine trends in the evolving risk profile

Explanation: Consistency in the risk assessment process will help to determine trends over a period. If risk assessments are not consistent, their results cannot be compared with previous results.

Practice Question Set 7

Q. 1

Answer: D. The aggregated risk

Explanation: A homogeneous network is a computer network composed of devices with similar configurations and protocols. This allows a common threat to impact all devices. Thus, the area of major concern is the aggregated risk of all devices being impacted by a single threat. The other options are not directly impacted by a homogeneous network.

Q. 2

Answer: C. Ability to generate revenue

Explanation: The valuation of intangible assets should be done based on the ability of the asset to generate revenue for the organization. If these assets are unavailable, the organization will lose that amount of revenue. Acquisition or replacement costs may be more or less than the actual ability to generate revenue.

Q. 3

Answer: C. To determine the value of the information or asset

Explanation: The best way to estimate potential loss is to determine the value of the information or assets. Value can be in the form of productivity loss, the impact of data leakage, or the opportunity cost due to the unavailability of assets.

Q. 4

Answer: D. Identify significant overall risk from a single threat

Explanation: The goal of risk aggregation is to identify significant overall risk from a single threat vector. Aggregated risk means the significant impact caused by a large number of minor vulnerabilities. Such minor vulnerabilities do not cause any major impact individually, but when all vulnerabilities are exploited at the same time, they can cause a huge impact.

Practice Question Set 8

Q. 1

Answer: B. Likelihood and impact

Explanation: Risk is the product of two components: probability (likelihood) and impact. Both components are essential for the analysis of risk. Hence, likelihood and impact are the primary elements determined in a risk analysis.

Q. 2

Answer: B. The risk of electrical power outages on business processes

Explanation: The impact due to loss of power is more easily measured and quantified than the impacts in the other options.

Q. 3

Answer: B. Contains percentage estimates

Explanation: The results derived from a quantitative risk analysis are measurable. Percentage estimates are characteristics of quantitative risk analysis. The other options are generally characteristics of a qualitative risk analysis.

Q. 4

Answer: B. To determine the maximum possible loss over a period of time

Explanation: Value at risk is a statistical computation that uses historical data to estimate the probable loss over a period. Value at risk is mostly used in the financial sector to determine the risk of an investment. However, it is also applicable to the information security domain.
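The answer above describes value at risk as a statistical computation over historical data. The following is an added example (not code from the book) that computes historical value at risk over a constructed series of annual security-incident losses: the VaR at a given confidence level is the loss that was not exceeded in that fraction of the observed periods, and the expected shortfall is the average of the losses beyond it. The loss figures, confidence levels, and function names are all constructed for illustration.

```python
"""Historical value at risk (VaR) over a constructed loss history.

Added example, not from the book. The loss figures below are constructed
sample data, not real incident costs.
"""
import math

# Constructed: twenty years of annual security-incident losses in USD.
ANNUAL_LOSSES = [
    12000, 8500, 30000, 4200, 15500, 22000, 9800, 61000, 7300, 18000,
    11000, 140000, 5600, 27500, 13200, 9100, 33000, 16800, 6400, 24000,
]


def historical_var(losses, confidence=0.95):
    """Loss level not exceeded in `confidence` of the observed periods.

    Uses the empirical quantile of the sorted losses: with n observations,
    the VaR is the k-th smallest loss where k = ceil(confidence * n), so at
    least `confidence` of the periods had a loss at or below the VaR.
    """
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    if not losses:
        raise ValueError("need at least one observation")
    ordered = sorted(losses)
    k = math.ceil(confidence * len(ordered)) - 1  # zero-based index
    return ordered[k]


def expected_shortfall(losses, confidence=0.95):
    """Average of the losses that exceed the VaR (the tail beyond it).

    VaR says nothing about how bad the worst periods were; the expected
    shortfall summarizes them. If no observation exceeds the VaR, the VaR
    itself is returned.
    """
    var = historical_var(losses, confidence)
    tail = [x for x in losses if x > var]
    return sum(tail) / len(tail) if tail else var


def var_report(losses, confidences=(0.5, 0.9, 0.95)):
    """Return {confidence: (VaR, expected shortfall)} for several levels."""
    return {
        c: (historical_var(losses, c), expected_shortfall(losses, c))
        for c in confidences
    }


if __name__ == "__main__":
    for c, (var, es) in var_report(ANNUAL_LOSSES).items():
        print(f"{int(c * 100)}% VaR: ${var:,.0f}  expected shortfall: ${es:,.0f}")
```

With twenty observations, the 95% VaR is the 19th smallest loss, so a single catastrophic year shows up only in the expected shortfall; that gap between the two figures is the reason practitioners report both rather than VaR alone.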

Q. 5

Answer: B. To determine possible scenarios with threats and impacts

Explanation: For qualitative risk analysis, the best way is to list all possible threat and impact scenarios. This will facilitate an informed risk management decision. The other options are generally used for the quantification of risk.

Q. 6

Answer: C. The ratio of insurance coverage to total cost of business interruption

Explanation: The objective here is to determine the level of risk acceptable to management. The best quantification is to derive the cost of business interruption and the level of insurance taken to protect against such losses. For example, suppose the cost of business disruption is $100,000 and insurance coverage is up to $80,000. Then, the risk appetite of the organization can be considered as $20,000. The other options will provide only a rough estimation of the risk appetite.

Practice Question Set 9

Q. 1

Answer: B. Mitigation should be based on threat, impact, and cost considerations

Explanation: Mitigation must consider the level of risk and the cost of the various treatment options. High-risk vulnerabilities should be addressed as a priority. Low-risk vulnerabilities may not need to be addressed immediately. Resources should first be used to address high-risk vulnerabilities.

Q. 2

Answer: A. Prioritization

Explanation: Prioritization helps determine which assets and processes need to be addressed first. Prioritization is based on the level of risk: the highest risks are addressed first. Threat alone is not sufficient, as you need to consider vulnerability as well as impact.

Q. 3

Answer: B. Frequency and impact

Explanation: Risk is the product of probability and impact. Frequency (i.e., probability) and impact can help determine the actual level of risk. Both terms are equally important to determine the level of risk. Once the risk is determined based on its frequency (i.e., probability) and impact, then high-level risks are prioritized and addressed first. The other options are not as important.

Q. 4

Answer: B. Likelihood of compromise and subsequent impact

Explanation: Risk is the product of probability and impact. Probability (i.e., likelihood) and impact can help determine the actual level of risk. Both terms are equally important to determine the level of risk. Each risk is determined based on its probability (i.e., likelihood) and impact. Then, high-level risks are prioritized and addressed first. The other options are not as important.

Practice Question Set 10

Q. 1

Answer: C. Review of all IT-related risks on a periodic basis

Explanation: A risk register contains the details of all identified risks. The main objective of the risk register is to facilitate a thorough review of all risks on a periodic basis. The other options are secondary factors.
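Practice Question Sets 9 and 10 describe the same workflow: score each risk as likelihood multiplied by impact, compare the residual score (after controls) with the acceptable level, and work through the register highest risk first. The following is an added example (not code from the book) that implements that workflow over a constructed register. The 1 to 5 scoring scales, the appetite and tolerance thresholds, and the sample risks and controls are all assumptions made for illustration.

```python
"""Risk register with likelihood x impact scoring, prioritization, and a
residual-risk acceptance check.

Added example, not from the book. Scales, thresholds and entries are
constructed for illustration.
"""
from dataclasses import dataclass, field

# Assumed thresholds on the 1..25 score scale (likelihood 1..5 times impact 1..5).
RISK_APPETITE = 6     # score management is willing to carry without action
RISK_TOLERANCE = 8    # acceptable deviation above the appetite (Set 5, Q. 6)


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # how many scale points it lowers likelihood
    impact_reduction: int = 0      # how many scale points it lowers impact


@dataclass
class Risk:
    name: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int                     # 1 (negligible) .. 5 (severe), constructed scale
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any control: probability times impact."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk that remains after the listed controls are applied."""
        likelihood, impact = self.likelihood, self.impact
        for c in self.controls:
            likelihood = max(1, likelihood - c.likelihood_reduction)
            impact = max(1, impact - c.impact_reduction)
        return likelihood * impact


def classify(score: int) -> str:
    """Map a score onto the high/medium/low bands used in risk analysis."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def treatment_decision(risk: Risk) -> str:
    """Compare residual risk with appetite and tolerance (Set 3, Q. 3; Set 5, Q. 6)."""
    score = risk.residual_score()
    if score <= RISK_APPETITE:
        return "accept"
    if score <= RISK_TOLERANCE:
        return "accept with monitoring"
    return "mitigate further"


def prioritize(register: list) -> list:
    """Highest residual risk first (Set 9, Q. 2)."""
    return sorted(register, key=lambda r: r.residual_score(), reverse=True)


def build_register() -> list:
    """Constructed sample register; every entry and control is illustrative."""
    return [
        Risk("Unpatched internet-facing web server", 5, 4,
             [Control("Web application firewall", 2), Control("Monthly patch cycle", 1)]),
        Risk("Lost laptop holding customer data", 4, 5,
             [Control("Full-disk encryption", 0, 4)]),
        Risk("Power outage at primary data center", 2, 5),
        Risk("Phishing of finance staff", 5, 3,
             [Control("Awareness training", 2), Control("Multi-factor authentication", 0, 2)]),
    ]


def review(register: list) -> list:
    """Periodic review output (Set 10, Q. 1): one row per risk, highest first."""
    return [
        {
            "risk": r.name,
            "inherent": r.inherent_score(),
            "residual": r.residual_score(),
            "band": classify(r.residual_score()),
            "decision": treatment_decision(r),
        }
        for r in prioritize(register)
    ]


if __name__ == "__main__":
    for row in review(build_register()):
        print(row)
```

Note how the ordering changes once controls are taken into account: the two highest inherent risks drop below the uncontrolled power-outage risk, which is why the review sorts on residual rather than inherent score.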

Practice Question Set 11

Q. 1

Answer: A. Feasibility

Explanation: It is always advisable to identify and address the risk at an early stage of any new system development. The risk of a new system may challenge the feasibility of the system's development.

Q. 2

Answer: D. To implement an appropriate procurement process

Explanation: The most important aspect is to implement a structured process that will help to identify the risk that may be introduced by a new system. Options A, B, and C can be made part of a structured process.

Practice Question Set 12

Q. 1

Answer: D. Security review

Explanation: A security review is conducted to determine the current state of the security posture of the organization. Vulnerability and threat analysis will help determine the level of vulnerability and threat, but without knowing the existing security arrangement, the risk cannot be determined. An impact analysis is more effective in determining the potential impact of a loss event.

Q. 2

Answer: B. Reducing the exposure

Explanation: If a threat is already known, the best way to address it is to reduce the exposure to the extent possible. This reduces the probability of exploitation of the risk. The other options are not as effective as reducing the exposure itself.

Q. 3

Answer: B. Reduce the attack surface

Explanation: An attack surface refers to the various entry points from which an attack can happen. It determines the level of exposure. By decreasing the attack surface, the level of exposure decreases. The attack surface can be reduced by limiting entry points, ports, and protocols and disabling unused services. The other options are not as effective.

Q. 4

Answer: A. The vulnerability being compartmentalized

Explanation: Compartmentalization means separating sensitive information assets in a manner that reduces exposure or eliminates it. If compartmentalization of the vulnerability results in no exposure, then there is no risk. The availability of an incident response procedure and compensating control are not as effective. Even if there has been no exploitation so far, the threat can materialize at any time. The appropriate safeguards should be in place.

Q. 5

Answer: A. External vulnerability reporting sources

Explanation: Many agencies publish new vulnerabilities and provide recommendations to address vulnerabilities. This is the most cost-effective method of understanding new vulnerabilities. The other options may not be as cost effective as external vulnerability sources.

Q. 6

Answer: C. To provide assurance to management

Explanation: A vulnerability assessment helps identify all existing vulnerabilities and plans to address them. This assures management that the risks to business objectives are actively monitored and controlled. It is not possible to eliminate all risks. A vulnerability assessment is not primarily conducted to adhere to the security policy or to monitor the efficiency of the security team.

Q. 7

Answer: A. Determine the weaknesses in the network and server security

Explanation: The objective of a penetration test is to identify weaknesses in the network and server security. Based on the results of the penetration test, the identified weaknesses can be addressed to improve the security posture of the organization.

Q. 8

Answer: B. Regular signature updates of the scanning tool

Explanation: The most important aspect of a scanning tool is to get it updated with new signatures to address new and emerging risks. A vulnerability scanner need not delete viruses. Multiple functions and user-friendly graphical user interfaces are good-to-have features but not as important.

Q. 9

Answer: D. Identified vulnerabilities should be evaluated for threat, impact, and cost of mitigation

Explanation: To prioritize and decide on the treatment of a vulnerability, it should be evaluated based on threat, impact, and cost of mitigation. All three factors should be considered.

Q. 10

Answer: D. To conduct a vulnerability assessment to detect the application's weaknesses

Explanation: The most cost-effective approach to test the security of a legacy application is to conduct a vulnerability assessment. The other options are not as effective as vulnerability assessments to test the security of legacy applications.

Chapter 4: Information Risk Response

Practice Question Set 1

Q. 1

Answer: C. Risk transfer

Explanation: Taking out insurance is an example of risk transfer. In risk transfer, the risk is shared with partners or is transferred via insurance coverage, contractual agreement, or other means. For instance, natural disasters have a very low probability but a high impact. The response to such a risk should be risk transfer.

Q. 2

Answer: B. The business manager

Explanation: The business manager will be in the best position to decide on any particular control on the basis of risk assessment as they are thoroughly aware of the risks relevant to their processes. The senior manager should provide the appropriate funding for the control. The audit and security managers support the business manager in reviewing and monitoring the effectiveness of the control.

Q. 3

Answer: A. Set up monitoring techniques to detect and react to fraud

Explanation: The best course of action for the organization in the given situation is to set up monitoring techniques to detect and react to potential fraud. It is not possible to make customers liable for fraud. Making customers aware of the risks of fraud is a good option but not as effective. To outsource the processes, a business case needs to be reviewed and decisions should be taken accordingly. However, the most effective method will be setting up monitoring techniques to detect and react to fraud.

Q. 4

Answer: A. Conducting user awareness training

Explanation: In a phishing attack, employees are approached via email by someone posing as an authorized representative. This is done to trick employees into divulging sensitive information, such as personal information, banking and credit card information, and passwords. The best way to combat this attack is to conduct frequent user awareness training.

Q. 5

Answer: C. Risk transfer

Explanation: Taking out insurance is an example of risk transfer. In risk transfer, the risk is shared with partners or transferred via insurance coverage, contractual agreement, or other means. Natural disasters have a very low probability but a high impact. The response to such a risk should be risk transfer.

Q. 6

Answer: A. To mitigate the impact by purchasing insurance

Explanation: The best approach in this situation is to purchase insurance to compensate for the financial liability. Privacy laws are aimed to protect customers and generally mandate heavy penalties for data breach incidents. A breach can still happen even after implementing technical controls, so the best solution is to purchase insurance.

Q. 7

Answer: B. Risk treatment

Explanation: Risk treatment consists of four types: risk acceptance, risk avoidance, risk mitigation, and risk transfer.

Q. 8

Answer: B. Risk mitigation

Explanation: Risk mitigation is the act of implementing security controls to reduce the impact of risk and to bring risk down to an acceptable level.

Q. 9

Answer: C. A method that addresses the control objectives

Explanation: A control objective is met when risk is mitigated in the most effective and efficient manner. The best risk treatment should be both effective (that is, it should be able to address the risk) and efficient (that is, the cost of treatment should be optimum).

Q. 10

Answer: D. Transferring the risk to a third party

Explanation: The best risk response in such a scenario (low probability and high impact) is to transfer the risk to a third party. Insurance for natural calamities is one such example. This will help the organization compensate for the financial losses they face.

Q. 11

Answer: B. User entitlement

Explanation: The data owner is accountable for ensuring that access to their data is provided based on user entitlement and a need-to-know basis. The other options are the responsibilities of the security team.

Q. 12

Answer: A. Implementing role-based access control

Explanation: The best way is to provide access to confidential information on a need-to-know basis, that is, role-based access control. Defense in depth is generally for external threats. A privacy policy details how information is collected and used. It will not be able to prevent a threat. Capturing transaction logs is a detective control. A detective control will not be able to prevent a threat.

Q. 13

Answer: C. Use third-party service providers to manage low-risk activities

Explanation: The best option in this situation is to use the services of a third party with expertise in information security. This will result in cost reduction and, at the same time, adherence to security requirements. The other options are not feasible and will result in an increase in security risks.

Practice Question Set 2

Q. 1

Answer: C. The business process owner

Explanation: Business process owners are in the best position to conduct the risk analysis for their respective processes. They have detailed knowledge of the risks and controls applicable to their processes.

Q. 2

Answer: C. The business process owners

Explanation: A business process owner will be in the best position to drive a project for implementing regulatory requirements. They have a thorough understanding of their processes and the impact of regulatory requirements on those processes. The other options do support the business process owner in the implementation of the project but are not primary.

Practice Question Set 3

Q. 1

Answer: C. The potential impact affects the extent of mitigation

Explanation: The potential impact helps management determine the extent of mitigation required. If the impact is on the higher side, management may allow more budget for mitigation efforts. The potential impact does not directly relate to risk treatment options. The potential impact can be more than the cost of the assets as it may include the cost of recovery, business downtime, and other costs. The potential impact is in no way useful in determining the probability.

Q. 2

Answer: C. Understanding the business objectives and the flow and classification of information

Explanation: The most important factor to determine new threats is to first understand the business objectives and the flow and classification of information. It is of utmost importance to have knowledge of the threats to business processes. The other options can be subsequent steps.

Q. 3

Answer: C. Increase in risk scenarios

Explanation: The use of cloud services will introduce new risk scenarios as the dependency will be on a third-party cloud service provider. This new risk has to be included in the risk profile of the organization. A cloud service is generally considered a cost-effective resource. The source of a business transaction is not impacted by the cloud service. Cloud service providers generally have more stringent security controls to prevent attacks.

Q. 4

Answer: D. Probability of mobile devices being lost or stolen easily

Explanation: Because of the small size and ease of mobility, mobile devices are subject to a high risk of being lost or stolen. This can result in unauthorized disclosure of any sensitive data present on the mobile devices. The other options are not significant security concerns.

Q. 5

Answer: A. Calculating the risk

Explanation: The first course of action for a security manager is to calculate the risk of the exception and decide on approval on that basis. If the potential benefit from the exception is more than the potential loss from the risk, an exception may be granted.

Q. 6

Answer: C. Advising management of the risk and its potential impact

Explanation: The best course of action for the security manager is to discuss with management the risk and the potential impact of noncompliance. Management is in the best position to address any conflict between security requirements and business requirements. An exception can be approved if management considers the potential benefit of the exception to be more significant than the perceived risk. Designing new guidelines and benchmarking standards are not relevant.

Q. 7

Answer: C. Define an exception process for sending the data without encryption

Explanation: In the given situation, the best course of action is to work out an exception process to send the data without encryption. The security manager should work out another secure way of communicating and implement other compensating controls for the protection of unencrypted data.

Q. 8

Answer: A. When determining the results of the implementation of controls

Explanation: Residual risk refers to the remaining risk after controls have been implemented. Residual risk is compared to the acceptable risk level to determine whether controls are effective. If the residual risk is higher than the acceptable risk then more controls are required. The classification of assets is based on their value. Residual risk is not relevant at the time of the identification of risk or the valuation of assets.

Q. 9

Answer: B. Preparation of a list of action items to mitigate the risk

Explanation: Risk analysis results provide a list of the most critical risks that need to be addressed on a priority basis. The other options are not directly impacted by the results of a risk analysis.

Q. 10

Answer: A. To understand the risk due to noncompliance and recommend an alternate control

Explanation: The best course of action for the security manager is to evaluate the risk due to noncompliance. If the potential benefit from the exception is more than the potential loss from the risk, an exception may be granted along with some alternate controls.

Q. 11

Answer: D. The percentage of incidents from unknown risks

Explanation: The percentage of incidents arising from risks that were never identified indicates the effectiveness of the risk assessment. A low percentage indicates that almost all sources of risk have been identified, whereas a high percentage indicates that the risk assessment was unable to identify major sources of risk. The other options do not directly indicate the effectiveness of a risk assessment.

Q. 12

Answer: B. Review compliance with the standards and policies

Explanation: The first course of action is to review compliance with the standards and policies. If the risk management procedures comply with the standards and policies yet are still inadequate and inconsistent, the standards and policies themselves have not been drafted appropriately and need to be reviewed for adequacy. The other options will not be meaningful if the policies and standards are inconsistent and inadequate.

Q. 13

Answer: A. To validate the noncompliance

Explanation: The first step for the security manager is to validate the noncompliance to rule out any false positives. The other options are subsequent actions.

Q. 14

Answer: C. To compare logical access and physical access for deviations

Explanation: The security manager should be most concerned about loopholes in the physical and logical access controls. By comparing physical access records with logical access records, the security manager can identify issues such as tailgating, password sharing, and other forms of compromise. Options A and B are not relevant from the information security perspective. Option D is less significant.
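
The comparison described above can be automated. The following script is an added example, not code from the original page: it merges badge-reader records with workstation logon records and flags every logon that occurs while the user has no open badge-in, which is the signature of tailgating or credential sharing. The event feed, user names and timestamps are constructed for illustration, and the script assumes the logon events come only from on-site workstations (remote VPN logons would need a separate exemption list).

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records (not from the original page): one combined feed of
# badge-reader events and workstation logon events, as "timestamp,user,kind".
# Assumption: the logon events come from on-site workstations only; remote
# (VPN) logons would need a separate exemption list before this check applies.
SAMPLE_EVENTS = [
    "2024-03-04T08:02:00,alice,badge_in",
    "2024-03-04T08:05:00,alice,logon",       # normal: badged in, then logged on
    "2024-03-04T08:10:00,bob,logon",         # bob never badged in: tailgating or shared credentials
    "2024-03-04T12:00:00,alice,badge_out",
    "2024-03-04T12:30:00,alice,logon",       # alice logged on after badging out
    "2024-03-04T13:00:00,carol,badge_in",
    "2024-03-04T13:01:00,carol,logon",       # normal
]


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    kind: str  # "badge_in", "badge_out" or "logon"


def parse_events(lines):
    """Parse the constructed CSV lines into Event objects sorted by time."""
    events = []
    for line in lines:
        ts, user, kind = (field.strip() for field in line.split(","))
        events.append(Event(datetime.fromisoformat(ts), user, kind))
    return sorted(events, key=lambda e: e.when)


def find_deviations(events):
    """Return (user, logon time, reason) for every logon that occurs while the
    user has no open badge-in, i.e. the physical and logical records disagree."""
    inside = {}  # user -> True while badged in, False after badging out
    deviations = []
    for e in events:
        if e.kind == "badge_in":
            inside[e.user] = True
        elif e.kind == "badge_out":
            inside[e.user] = False
        elif e.kind == "logon" and not inside.get(e.user, False):
            deviations.append((e.user, e.when.isoformat(), "logon without a matching badge entry"))
    return deviations


if __name__ == "__main__":
    for user, when, reason in find_deviations(parse_events(SAMPLE_EVENTS)):
        print(f"{when} {user}: {reason}")
```

On the constructed feed the check reports bob (logon with no badge-in at all) and alice's second logon (after she badged out). In practice the badge and directory systems use different identifiers for the same person, so a mapping table between badge IDs and account names is needed before the two records can be compared.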

Q. 15

Answer: D. Operational risk

Explanation: Operational risk is the risk of loss from failed processes and systems due to either internal or external events. The objective of a DDoS attack is to bring down the system by flooding it with excessive traffic. Aggregate risk is the combined impact of a single threat vector acting across many systems or instances. Systemic risk is the risk of the collapse of an entire system. Residual risk refers to the risk that remains after controls are implemented.

Q. 16

Answer: C. Background checks for prospective employees

Explanation: Background checks help determine the integrity of new employees. A security awareness program will not necessarily guarantee that an employee will behave with honesty. Penetration testing and network address translation are more relevant to external attacks than to dishonest insiders.

Q. 17

Answer: B. As per business decisions

Explanation: Compliance with legal and regulatory requirements should be considered on the basis of business decisions. Business decisions are based on a cost-benefit analysis. Legal and regulatory requirements, like any other requirements, should be considered for risk assessment and decision-making. Sometimes the cost of compliance is much more than the expected benefit; in such cases, management needs to make a business call.

Q. 18

Answer: C. The new system may affect the security or operations of other systems

Explanation: The area of most concern for a security manager is the impact of a new system on the security and operational aspects of other systems. Functionality, support staff, and time needed for installation are the responsibility of the business and IT departments.

Q. 19

Answer: C. Immediately informing top management about the elevated risk

Explanation: In this scenario, the first step is to advise management about the elevated risk. In consultation with management, subsequent actions can be taken.

Practice Question Set 4

Q. 1

Answer: C. Availability of an acceptable usage policy

Explanation: An acceptable usage policy is a document stipulating constraints and practices that a user must agree to for the usage of organizational resources. Many organizations require employees to sign an acceptable usage policy before access is granted to them. The other options may not directly impact data leakages.

Q. 2

Answer: B. Cost-benefit balance

Explanation: The selection of controls and countermeasures is primarily dependent on a cost-benefit analysis. If the cost of a control exceeds the benefit derived from it, the control is not justified. The others are secondary factors.

Q. 3

Answer: D. To measure the current state of control versus the desired future state

Explanation: The objective of a gap analysis is to identify the gap between the current level of control and the desired level of control. This gap is also known as control deficiencies. Risk practitioners first analyze the desired state of risk management required by the organization and then determine the current condition of risk management. This helps them identify any gaps. They should recommend actions to close such gaps.

Q. 4

Answer: B. To limit the impact on the organization

Explanation: The objective of an indemnity clause is to compensate for or recover any losses due to any breach of the service-level agreement. It helps to reduce the financial impact on the organization. An indemnity clause may not always be a regulatory requirement. Merely incorporating an indemnity clause will neither reduce probability nor ensure performance improvement.

Q. 5

Answer: C. A cost-benefit analysis

Explanation: The objective of a cost-benefit analysis is to determine the benefits compared to the costs of a project. If the benefit realized from the control is less than the cost of implementation of the control, then it does not justify the implementation of that control. The selection of a control is primarily based on the cost-benefit analysis.

Q. 6

Answer: A. A cost-benefit analysis

Explanation: The objective of a cost-benefit analysis is to determine the benefits compared with the cost of the project. If the benefit realized from the control is less than the cost of implementation of the control, then it does not justify the implementation of the control. The selection of a control is primarily based on a cost-benefit analysis. The other options do not indicate the benefit of a control.

Q. 7

Answer: B. Develop an information classification program

Explanation: The first step is to develop a classification program. Based on this, critical data can be identified. The other options are subsequent steps.

Q. 8

Answer: D. To reduce the exposure

Explanation: Segmenting the data helps reduce the exposure as more controls are implemented for a segmented critical database. Segmentation by itself does not reduce the threat, sensitivity, or criticality.

Q. 9

Answer: B. To determine the project's feasibility

Explanation: Information security requirements may directly impact the feasibility of a project. The cost of security must be considered while calculating the business case and feasibility study. Sometimes, the cost of security may exceed the benefit expected from the project and hence the implementation of the project may not be feasible.

Q. 10

Answer: B. To escalate the issue to management

Explanation: Management will be in the best position to address such issues where security requirements are adversely impacting the business. The best action for a security manager is to escalate such an issue to management.

Q. 11

Answer: A. A business impact analysis

Explanation: A business impact analysis helps to determine the critical processes/assets of the organization. These critical processes/assets should be recovered as a priority.

Q. 12

Answer: C. On the basis of the risk applicable to each factor

Explanation: The most important factor is considered based on the risk applicable to each of them. For example, in the case of the failure of an automatic door, the organization can opt for fail open (door should remain open) or fail closed (door should remain closed). In the case of fail open, confidentiality and integrity may be compromised, and in the case of fail closed, availability may be compromised. In such a situation, the risk is determined for each element and accordingly, a decision is made. Considering only the threat element will not serve the purpose as both threat and impact need to be considered.

Q. 13

Answer: C. Making security policy decisions

Explanation: Risk management helps to highlight the critical risks that can impact business processes. It helps to make security policy decisions to address the highlighted risks. Risk management is aimed at supporting the business objectives and is not designed to change them. An audit charter highlights the roles and responsibilities of the audit department and is not directly impacted by the risk management process.

Q. 14

Answer: C. On the basis of the risk applicable to each factor

Explanation: The most important factor is considered based on the risk applicable to each of them. For example, in the case of the failure of an automatic door, the organization can opt for fail open (door should remain open) or fail closed (door should remain closed). In the case of fail open, confidentiality and integrity may be compromised, and in the case of fail closed, availability may be compromised. In such a situation, the risk is determined for each element and accordingly, a decision is made. Considering only the threat element will not serve the purpose as both threat and impact need to be considered.

Q. 15

Answer: D. It ensures that costs are justified by a reduction in risk

Explanation: The main objective of a cost-benefit analysis is to ensure that the cost of the project does not exceed the benefit expected from the project. The cost should be justified by an appropriate reduction in the risk.

Q. 16

Answer: D. The ratio of cost-to-insurance coverage for business interruption protection

Explanation: The best quantification is to derive the cost of business interruption and the level of insurance taken to protect against such losses. For example, if the cost of business disruption is $100,000 and insurance coverage is up to $80,000, then the risk appetite of the organization can be considered as $20,000. The other options will provide only a rough estimation of the risk appetite.

Q. 17

Answer: C. The second server is placed where there is no exposure

Explanation: If the second server is placed where there is no exposure, then there is no chance of compromise; hence, hardening may not be required. In the case of the other options, that is, the second server being a backup server, supporting noncritical functions, or being monitored on a continuous basis, the risk remains the same as it contains identical content and hence it should be given the same level of protection as the first server.

Q. 18

Answer: A. A workflow analysis

Explanation: A workflow analysis is the process of understanding the workflow. It helps to determine the risk and build relevant controls. The other steps can be subsequent steps.

Q. 19

Answer: D. Addresses the financial liability but leaves the legal and reputational risks generally unchanged

Explanation: The objective of an indemnity clause is to compensate the organization for any financial loss due to an act of the service provider. However, it does not reduce the legal or reputation risks for the organization.

Q. 20

Answer: D. Decreasing the number of incidents impacting the organization

Explanation: The most important objective of a risk management program is to reduce the number of incidents having an adverse impact on the objectives of the organization. The other options are specific actions taken in response to adverse incidents, not the overall objective.

Q. 21

Answer: D. A business-oriented risk policy

Explanation: A risk policy that is aligned with the business objectives helps in achieving the organization's objectives. A business-oriented risk policy strongly supports the effective and efficient management of information assets. The other options do not directly impact the effectiveness or efficiency of information assets.

Q. 22

Answer: D. The number of security incidents causing significant financial loss or business disruptions

Explanation: The main objective of risk management is to reduce the number of security incidents that can cause significant financial loss or business disruption. If such incidents are high, then the effectiveness of risk management is questionable. The other options are not as significant.

Practice Question Set 5

Q. 1

Answer: C. Change management

Explanation: Change management is the process of requesting, planning, implementing, testing, and evaluating changes made to a system. Regression testing is a part of change management. The objective of regression testing is to prevent the introduction of new security exposures when making modifications. Thus, change management is the best way to ensure that modifications made to systems do not introduce new security exposures.

Q. 2

Answer: C. Change management

Explanation: Change management is the process of requesting, planning, implementing, testing, and evaluating changes made to a system. Regression testing is a part of change management. The objective of regression testing is to prevent the introduction of new security exposures when making modifications. Thus, change management is the best way to ensure that modifications made to systems do not introduce new security exposures.

Q. 3

Answer: B. A system user

Explanation: Change management is the best way to ensure that modifications made to systems do not introduce new security exposures. System users are in the best position to conduct user acceptance testing and determine whether any new vulnerabilities have been introduced during change management.

Q. 4

Answer: C. Change control process

Explanation: Change management is the best way to ensure that modifications made to systems do not introduce new security exposures. System users are in the best position to conduct user acceptance testing and determine whether any new vulnerabilities have been introduced during the change management process.

Q. 5

Answer: D. The change management process should include mandatory involvement of the information security department

Explanation: For effective change management, it is important that the security team be apprised of every major change. Representation from the security team on the change control board is recommended. This will ensure that the security aspects of any change are considered. It is not required for change management to be handled by the information security team; representation is sufficient. Monitoring the change management process may not be the responsibility of the steering committee. Change management should be separate from release and configuration management.

Q. 6

Answer: C. Preventive control

Explanation: Change management is considered a preventive control as it requires all change requests to pass through formal approval, documentation, and testing via a supervisory process. An effective change management process can prevent and detect unauthorized changes. The primary function of change management is not that of a compensating, corrective, or deterrent control.

Q. 7

Answer: C. Scheduling

Explanation: Scheduling in change management is the process of planning implementation at a time that causes the least disturbance to business processes. However, for an emergency change, maintaining the schedule may not be possible. The other options, documentation, impact analysis, and authorization, are integral to change management and in the case of an emergency change, they may be performed after implementation.

Q. 8

Answer: C. Change management

Explanation: A major risk related to production is the continuity of operations. This can be best addressed by a structured change management process. Change management is a structured process of change request, approval, planning, implementation, and testing. The main objective of change management is to support the processing and traceability of changes made to a system. Change management ensures that changes or updates are processed in a controlled manner.

Q. 9

Answer: B. To ensure that any risks arising from the proposed changes are managed

Explanation: Any major change may introduce new risks to the system. The security manager is required to ensure that any new change does not have an adverse impact on the organization's security environment. The other options are not the primary reasons.

Q. 10

Answer: D. A structured change management system

Explanation: A change management process includes approval, testing, scheduling, and rollback arrangements. Any change made to a system or process is likely to introduce new vulnerabilities. Hence, it is very important for a security manager to identify and address new risks. Changes that are not properly reviewed can disrupt the production system. The other options, that is, patch management, baseline management, and antimalware management, should also be implemented through the proper change management process.

Q. 11

Answer: A. To reduce the requirement for periodic full risk assessments

Explanation: Threat and vulnerability assessments during change management help to identify the potential risks in the proposed changes at an early stage. This helps to keep the risk assessment updated. This eventually reduces the requirement for a full assessment. The other options are not primary objectives. Policy is a high-level statement and is generally not impacted by new risks.

Q. 12

Answer: B. Poor change management procedures

Explanation: The lack of an effective change management process can pose a significant risk of disruption to systems and procedures. The other options are not as significant. Guidelines are generally not mandatory. Outsourcing activities can be controlled and monitored. Poor capacity management may not impact security risks.

Q. 13

Answer: A. To reduce the requirement for periodic full risk assessments

Explanation: Threat and vulnerability assessments during change management help to identify vulnerabilities at the initial stages so that they can be addressed early without the need for a full risk assessment. This keeps the risk assessment up to date without the need to complete a full reassessment.

Practice Question Set 6

Q. 1

Answer: C. Verifying the patch logs and tracing them to the change control request

Explanation: To determine whether all patches went through the change control process (change management), it is necessary to use the patch logs as the starting point, because they are the complete population of patches actually applied, and then verify whether an approved change control request exists for each of them. When a change request is taken as the starting point and traced forward to the patch logs, the test only shows whether approved changes were implemented; it cannot reveal a patch that was applied without any change request at all.
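
The two tracing directions can be demonstrated with a small reconciliation script. This is an added example, not code from the original page: the patch log lines, hostnames, patch identifiers and change request numbers are all constructed, and the script assumes a change request records which patch it approves, which hosts are in scope, and when it was approved.

```python
from collections import namedtuple
from datetime import datetime

PatchEntry = namedtuple("PatchEntry", "host patch_id installed_at")
ChangeRequest = namedtuple("ChangeRequest", "cr_id patch_id hosts approved_at")

# Constructed sample data (not from the original page). Patch identifiers,
# hostnames and CR numbers are hypothetical.
PATCH_LOG = [
    "web01 | P-2024-001 | 2024-02-10T02:15:00",
    "web02 | P-2024-001 | 2024-02-10T02:20:00",
    "db01  | P-2024-001 | 2024-02-11T01:00:00",  # db01 is outside the CR scope
    "web01 | P-2024-002 | 2024-02-12T03:00:00",  # installed before the CR was approved
]

CHANGE_REQUESTS = [
    ChangeRequest("CR-1041", "P-2024-001", ("web01", "web02"), datetime(2024, 2, 9, 16, 0)),
    ChangeRequest("CR-1042", "P-2024-002", ("web01", "web02"), datetime(2024, 2, 13, 9, 0)),
]


def parse_patch_log(lines):
    """Turn the pipe-separated log lines into PatchEntry records."""
    entries = []
    for line in lines:
        host, patch_id, ts = (field.strip() for field in line.split("|"))
        entries.append(PatchEntry(host, patch_id, datetime.fromisoformat(ts)))
    return entries


def unauthorised_patches(patch_log, change_requests):
    """Completeness test, log -> CR: every installed patch must trace to a CR that
    names the patch, covers the host and was approved before installation."""
    findings = []
    for entry in patch_log:
        covered = any(
            cr.patch_id == entry.patch_id
            and entry.host in cr.hosts
            and cr.approved_at <= entry.installed_at
            for cr in change_requests
        )
        if not covered:
            findings.append(entry)
    return findings


def unimplemented_changes(patch_log, change_requests):
    """The reverse direction, CR -> log: finds approved patches that were never
    deployed, but can never reveal a patch that was deployed without a CR."""
    installed = {(e.host, e.patch_id) for e in patch_log}
    return [
        (cr.cr_id, host)
        for cr in change_requests
        for host in cr.hosts
        if (host, cr.patch_id) not in installed
    ]


if __name__ == "__main__":
    log = parse_patch_log(PATCH_LOG)
    for entry in unauthorised_patches(log, CHANGE_REQUESTS):
        print(f"no approved change request: {entry.patch_id} on {entry.host} at {entry.installed_at}")
    for cr_id, host in unimplemented_changes(log, CHANGE_REQUESTS):
        print(f"approved but not deployed: {cr_id} on {host}")
```

Run on the constructed data, the log-to-CR direction reports two unauthorised installations (the patch on db01, which no CR covers, and the patch on web01 that went in a day before its CR was approved), while the CR-to-log direction only reports that CR-1042 is still pending on web02 and says nothing about the two unauthorised patches.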

Q. 2

Answer: C. Operating system security patches not being applied

Explanation: Patch management is the process of applying updates to operating systems and other software. These patches are often necessary to correct errors in the software. If patches are not applied as and when released, then this is an area of serious concern. The other options are not as significant.

Q. 3

Answer: A. Testing of a patch prior to deployment

Explanation: Patches should be applied through a structured change management process, which includes approval, testing, user acceptance testing, and proper documentation. The testing of a patch prior to implementation is one of the most important aspects as deploying an untested patch may cause system failure. Furthermore, the appropriate rollback procedures should be in place in case of unexpected failure.

Q. 4

Answer: Assessing the problem and initiating rollback procedures if required

Explanation: Patches should be applied through a structured change management process that includes approval, testing, user acceptance testing, and proper documentation. The testing of a patch prior to implementation is of utmost importance as deploying an untested patch may cause the system to fail. Furthermore, appropriate rollback procedures should be in place in case of unexpected failure. The other options are secondary steps to be followed after the problem has been assessed.

Q. 5

Answer: C. The patch should be validated to ensure its authenticity

Explanation: The first step is to validate the authenticity of the patch before taking any further action, for example by verifying the vendor's digital signature or comparing the file against the hash the vendor published. If the patch is not from an authentic source, it may be malicious.

Q. 6

Answer: A. Patch management

Explanation: Patch management is the process of applying updates to operating systems and other software. These patches are often necessary to correct errors in the software. A well-defined and structured patch management process helps to address the new vulnerabilities related to operating systems. The timely update of patches helps to secure the operating systems and applications.

Q. 7

Answer: D. As and when critical security patches are released

Explanation: Patches should be applied as and when new critical security patches are released. This reduces the window during which a newly disclosed vulnerability can be exploited before the fix is in place. However, patch management should still include appropriate testing and approvals.

Practice Question Set 7

Q. 1

Answer: D. Business impact analysis

Explanation: The RTO determines the time within which the system should be restored. The RTO is derived from the BIA. The BIA helps to determine the critical systems of the organization and the impact due to the downtime of systems.

Q. 2

Answer: B. Delegating authority for recovery execution

Explanation: During an incident, considerable time is taken up in escalation procedures, as decisions need to be made at each management level. The delegation of authority for recovery execution makes the recovery process faster and more effective. However, the scope of the recovery delegation must be assessed beforehand and appropriately documented. Having multiple operation centers is too expensive to implement. Outsourcing is not a feasible option. Incremental backups do facilitate faster backups; however, they generally increase the time needed to restore the data.

Practice Question Set 8

Q. 1

Answer: D. Feasibility

Explanation: Risk assessment should commence at the earliest phase of the SDLC, that is, the feasibility phase. A feasibility analysis should include risk assessment so that the cost of controls can be determined at the beginning.

Q. 2

Answer: D. At each stage of the SDLC

Explanation: Risk assessment is most effective when it is performed at every stage of the SDLC. This helps in the early identification of any risk that might occur during any stage.

Q. 3

Answer: A. Change management

Explanation: A change management process includes approval, testing, scheduling, and rollback arrangements. Changes at various life cycle stages should be appropriately controlled through a structured change management process. The other options do not relate to complete life cycle stages.

Q. 4

Answer: C. Ensuring effective life cycle management

Explanation: If controls are managed throughout the life cycle, it will reduce the scope of the degradation of controls and ensure control effectiveness throughout the life cycle.

Revision Questions

Q. 1

Answer: C. To achieve the stated objectives

Explanation: The primary goal of a risk management program is to achieve the stated objective. The stated objective can be in the form of the protection of assets, availability of systems, or implementation of preventive controls.

Q. 2

Answer: A. Validation checks are missing in data input fields

Explanation: In the absence of validation checks in data input fields, attackers can supply crafted input that exploits other weaknesses in the system. For example, through SQL injection attacks, attackers can use an unvalidated field to retrieve application data they are not authorized to see. The other options may also make the application vulnerable, but these can be countered in other ways.
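
The following script is an added example, not code from the original page, showing the SQL injection case mentioned above against a constructed in-memory SQLite table: a lookup that concatenates the input into the query returns every row when given a crafted value, while the hardened form binds the input as a parameter and adds an allow-list validation check on the field. The table contents, user names and the `is_valid_username` rule are assumptions made for the example.

```python
import re
import sqlite3

# Allow-list rule assumed for this example: lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_username(value):
    """Input validation: accept only values that match the allow-list pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def build_db():
    """Constructed in-memory table (not from the original page) with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn, username):
    """Deliberately vulnerable: the input is concatenated into the SQL string,
    so a value such as  ' OR '1'='1  changes the query instead of being data."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened form: the value is bound as a parameter, so the database never
    interprets it as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_validated(conn, username):
    """Defence in depth: reject input that fails validation before it reaches the
    database, then use the parameterised query for anything that passes."""
    if not is_valid_username(username):
        return []
    return lookup_safe(conn, username)


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"
    print("unsafe   :", lookup_unsafe(conn, payload))     # both rows leak
    print("safe     :", lookup_safe(conn, payload))       # no such user
    print("validated:", lookup_validated(conn, payload))  # rejected before the query
    print("normal   :", lookup_validated(conn, "alice"))
```

Parameter binding is the control that actually stops the injection; the allow-list check is the additional validation the question refers to, and it also catches malformed input before it reaches any downstream component that might not use bound parameters.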

Q. 3

Answer: C. Industry tracking groups

Explanation: Industry tracking groups provide insights into the nature of attacks at the industry-specific as well as the global levels. They are engaged in different surveys and closely monitor attack types. Their publications can either be free or subscription based, and they provide detailed overviews of current scenarios. A honeypot is used to trap attackers and understand their attack methods; however, not all attackers will fall into honeypot traps. A rogue access point is an unauthorized access point, often set up by attackers to lure legitimate users into connecting to it. Penetration testing assesses the security posture of the organization and will not be able to identify the evolving nature of attacks.

Q. 4

Answer: A. Should be reassessed on a periodic basis as risks change over time

Explanation: Risks change over time, hence even if a risk was accepted previously, it should be assessed again on a periodic basis to determine its current impact.

Q. 5

Answer: B. Absence of controls

Explanation: An incident can take place either due to a failure of controls or an absence of controls. Inadequate risk analysis may be one of the reasons for the absence of a control. A new attack or operational error can have an impact only if there is no control or if controls have failed.

Q. 6

Answer: D. The time gap between the occurrence of the incident and its detection

Explanation: The level of impact of an incident depends on the time gap between the occurrence of the incident and its detection. The early detection of an incident helps to reduce the damage. The other options are important but not as significant.

Q. 7

Answer: C. The cost of implementation of the regulation is much higher than the risk of noncompliance.

Explanation: An organization may decide to accept the risk of noncompliance if the cost of the implementation of a new regulation is much higher than the risk of noncompliance. The other options are the major factors affecting the decision of whether to comply or not.

Q. 8

Answer: B. To support management's due diligence

Explanation: It is the responsibility of management to conduct due diligence for organizational processes. A risk management program supports this objective.

Q. 9

Answer: D. To identify misconfiguration and missing updates

Explanation: The objective of a network vulnerability assessment is to identify common misconfigurations and missing patches or updates on the systems attached to the network.

Q. 10

Answer: C. A security gap analysis

Explanation: The objective of a security gap analysis is to identify deficiencies in the control environment by comparing them with the desired state of control.

Q. 11

Answer: B. The risk being justified by the benefits

Explanation: Generally, policy exceptions are approved when the impact of noncompliance is less than the benefit of taking the risk.

Q. 12

Answer: B. To perform a gap analysis

Explanation: The first step is to perform a gap analysis to determine whether the organization has already complied or whether some action is required for compliance. Based on the gap analysis, further action can be taken.

Q. 13

Answer: B. To determine the systems and processes that contain the privacy components

Explanation: The best course of action in this case is to determine the systems and processes that can be impacted due to the new privacy laws. The other options may be subsequent steps.

Q. 14

Answer: C. The detection of new risks

Explanation: Though all options are very important for an effective risk management program, if the program does not have the ability to identify new risks, the other procedures will only be useful for a limited period.

Q. 15

Answer: C. The opportunity costs

Explanation: For a BIA purpose, valuation should be based on the opportunities lost due to the unavailability of assets. This is known as opportunity cost.

Q. 16

Answer: D. Likelihood

Explanation: Likelihood is the most difficult to estimate and will require the highest amount of speculation. The other options can be determined within a range.

Q. 17

Answer: C. Conduct a risk assessment to quantify the risk

Explanation: The first course of action for a risk manager is to conduct a risk assessment and determine the level of risk. Policy exceptions are generally allowed where benefits from the project outweigh the perceived risks. The other options can be meaningful only if the security manager is aware of the level of risk.

Q. 18

Answer: A. To verify the decision of the business unit through a risk analysis

Explanation: The best course of action in this scenario is to conduct a risk analysis and determine the impact of the new application via the BIA. If there is no impact, then there is no need to update the BIA.

Q. 19

Answer: C. Conducting a risk analysis

Explanation: The first course of action for a risk manager is to conduct a risk assessment and determine the level of risk. Policy exceptions are generally allowed when benefits from the project outweigh the perceived risks. The other options can be meaningful only if the security manager is aware of the level of risk. It is unlikely that a business objective is changed to accommodate a security requirement.

Q. 20

Answer: A. To evaluate the likelihood of incidents from the reported cause

Explanation: The first course of action for the security manager is to evaluate the likelihood of an incident from the reported cause. Once the likelihood is determined, other suitable actions can be taken.

Q. 21

Answer: C. Risk management activities should be integrated within the business processes

Explanation: The integration of risk management activities within business processes is a more effective way to enhance risk management. Risk management should not be treated as a separate activity.

Q. 22

Answer: A. Downtime tolerance

Explanation: A BIA is a process to determine the critical processes of an organization and decide the recovery strategy during a disaster. The prime criterion to determine the severity of service disruptions is the period for which the system will remain down. The higher the system downtime, the higher the severity of the disruption. The other options are not directly related to the BIA.

Q. 23

Answer: C. The scope

Explanation: Once the objectives are finalized, the next step is to determine the scope of the review. The limitations and approach must be defined after the scope. The report structure is the last step.

Q. 24

Answer: A. To apply compensating controls for the vulnerable system

Explanation: The best course of action in this case is to apply compensating controls until the patch is installed. This will help to address the risk. Updating signatures for the antivirus does not address zero-day vulnerabilities.

Q. 25

Answer: A. Determine the risk of noncompliance

Explanation: The most important aspect for a security manager is to know the level of risk for this noncompliance. The risk may be either very high or negligible. Based on the level of risk, further courses of action can be determined.

Q. 26

Answer: C. A gap analysis

Explanation: The objective of a gap analysis is to identify the gap between the current level of controls and the desired level of controls. A gap analysis is used to improve the maturity level of risk management processes. A workflow analysis is used to understand the current level of risk management processes, but it does not provide support for improvement opportunities. A program evaluation and review technique (PERT) is used to determine the project timelines.

Q. 27

Answer: B. To perform a comprehensive assessment before approving devices

Explanation: The first step is to develop a comprehensive assessment process based on which approval should be granted to devices. The other options are subsequent steps.

Q. 28

Answer: A. Applying standard risk measurement criteria throughout the organization

Explanation: The best way to address this situation is to apply standard risk measurement criteria for all the departments throughout the organization. This will help in arriving at a standard risk level where each risk can be compared to others for the prioritization of risk responses. The other options will not help to address the issue directly.

Q. 29

Answer: B. Requirements to protect sensitive information on the device

Explanation: The most important aspect is to ensure that users understand the various requirements for the protection of sensitive data on the device. Generally, personal devices are not returned to the organization. The other options are not as important as the protection of data.

Q. 30

Answer: D. Just another risk

Explanation: It should be dealt with as just another risk. Regulatory risk, like every other risk, should be addressed considering its impact on the business processes. Priority should be given based on feasibility, possible impact, and cost of compliance.

Q. 31

Answer: C. The environment changes.

Explanation: Existing controls may not be relevant to address new and emerging risks arising due to changes in the environment. As a result, risk management is most effective when it is completed on an ongoing basis.

Q. 32

Answer: C. Perform a business impact analysis

Explanation: The first action for the security manager in this case is to determine the level of risk of nonavailability of the service. This can be done by performing a BIA. The other options can be considered based on the results of the BIA.

Q. 33

Answer: C. Assurance process integration

Explanation: Integrating the activities of various assurance functions helps to ensure that there are no overlapping activities or gaps in risk management activities. It is the most cost-effective method as duplicate efforts are removed. The decentralization of the risk management function actually increases the cost of risk management. The other options do not directly impact the cost effectiveness of risk management functions.

Q. 34

Answer: A. A regulatory risk should be treated like any other risk

Explanation: A regulatory risk should be treated just like any other risk and should be addressed considering its impact on business processes. Priority should be given based on feasibility, possible impact, and the cost of compliance.

Q. 35

Answer: B. The data retention policy

Explanation: The data retention policy defines the minimum period of data retention. Overwriting of data may impact the data retention policy.

Q. 36

Answer: A. Exposure

Explanation: The level of exposure of the data affects the threat, vulnerability, and probability, as well as the impact. It is the most important aspect when considering the level of protection required.

Q. 37

Answer: B. The probability and consequences

Explanation: Risk can be determined based on the probability and consequences. The product of probability and consequences will help to derive the level of risk for noncompliance. Hence, both probability and consequences should be considered to prioritize the requirements.

Q. 38

Answer: B. When the uncertainty of the risk is high

Explanation: Risk tolerance is the acceptable deviation from the risk appetite. For example, suppose the risk appetite of an organization is $100 and the risk tolerance is $125. In this case, the organization is comfortable even if the risk level reaches $125. High risk tolerance means a wider gap between risk appetite and risk tolerance. This will be more helpful when the uncertainty of the risk is high.

Chapter 5: Information Security Program Development

Practice Question Set 1

Q. 1

Answer: A. To improve the integration of business and information security processes

Explanation: The most important challenge for a security manager is to obtain support from senior management and other business units for changing the business processes to include the security aspect. As the incident has already happened, business units will be more open to supporting security processes. In the absence of close integration of business and security processes, the other options will not be effective.

Q. 2

Answer: B. To understand the risk of technology and its contribution to security objectives

Explanation: An information security manager is required to evaluate the risk of technology and determine the relevant controls to safeguard IT resources. The other options are secondary aspects.

Q. 3

Answer: C. Strategy

Explanation: An information security strategy is a set of actions taken to achieve security objectives. This strategy includes what should be done, how it should be done, and when it should be done to achieve the security objectives. A strategy also includes the details of the resources necessary to implement the program.

Q. 4

Answer: C. A risk assessment and control objectives

Explanation: Generally, the framework starts with conducting a risk assessment and establishing the objectives of control. Once the objectives are established, the information security policy is developed and the security budget is allotted. An internal audit is not relevant.

Q. 5

Answer: C. To understand the overall risk exposure of the organization

Explanation: It is of utmost importance that the security manager is aware of the overall risk exposure of the organization. The other options will be evaluated as a part of risk exposure.

Q. 6

Answer: A. The charter

Explanation: A charter is the formal grant of authority or rights. An information security charter states that the organization formally recognizes the information security department. In the absence of a charter, it will be difficult for the information security department to operate within the environment. All the other choices follow the charter.

Q. 7

Answer: B. Prevention

Explanation: DiD is an arrangement wherein multiple layers of controls are implemented to protect the information resources. Its intent is to provide redundancy in case one control fails. The first layer of DiD aims to prevent any event from occurring by implementing preventive controls such as authentication. The second layer is containment, which involves isolating and minimizing the impact. The third layer is reaction, which consists of incident response procedures. The final layer is recovery and restoration procedures, which include backup arrangements.

Q. 8

Answer: B. Senior management commitment

Explanation: The most important element for an effective information security program is support and commitment from senior management. If senior management is committed to robust information security across the organization, there will be no constraints on security budgeting and resources. The other options are secondary aspects.

Q. 9

Answer: B. Authentication

Explanation: DiD is an arrangement wherein multiple layers of controls are implemented to protect information resources. Its intent is to provide redundancy in case one control fails. The first layer of DiD prevents any event from occurring and involves implementing preventive controls such as authentication. The second layer is containment, which involves isolating and minimizing the impact. The third layer is reaction, that is, incident response procedures. The final layer is recovery and restoration procedures, which include backup arrangements.

Practice Question Set 2

Q. 1

Answer: C. Asset valuation

Explanation: Among all the given options, the first step is to value the assets. Based on the valuation, an asset can be classified and then risk can be assessed and controls can be implemented.

Q. 2

Answer: D. The head of the finance department

Explanation: Ownership should be assigned to an individual with sufficient authority in the department. To the extent possible, ownership should not be assigned to a department or group as individual accountability cannot be established. The head of IT and the system administrator will not be in a position to determine the usage and importance of the data and any relevant security concerns.

Q. 3

Answer: D. Requirements of the data owners

Explanation: It is very important to consider the requirements of the data owners when defining the information classification policy. Data owners may have specific requirements to address the risk related to their data. The other options do not directly impact the design of the classification policy.

Q. 4

Answer: D. The data owner

Explanation: The data owner has the prime responsibility for determining the appropriate level of classification as they are the one who owns the risk related to their data.

Q. 5

Answer: A. Risk analysis results

Explanation: Risk analysis is the process of determining the level of risk. Risk level can either be quantified in monetary terms or be expressed as qualitative indicators such as high risk, medium risk, and low risk. The results of a risk analysis help the security manager determine the efforts required to address any risk. More resources may be required to mitigate high-risk areas, whereas fewer resources may be required to mitigate low-risk areas.

Q. 6

Answer: C. Identifying data owners

Explanation: Identification of asset/data owners is an essential prerequisite for the implementation of a classification policy. In the absence of an owner, the true value of the asset cannot be determined. The other options are not prerequisites for implementing a classification policy.

Q. 7

Answer: C. It helps to determine the appropriate level of protection for the asset

Explanation: Information asset classification means the classification of assets based on their criticality to the business. Assets can be classified as confidential data, private data, or public data. This classification helps the organization to provide an appropriate level of protection for the assets. More resources should be utilized for the protection of confidential data compared to public data.

Q. 8

Answer: B. To determine controls commensurate with impact

Explanation: Information asset classification means the classification of assets based on their criticality to the business. It determines the appropriate level of protection applicable to the asset; that is, controls are commensurate with the impact. Classification helps to reduce the risk of the under-protection of assets and at the same time reduces the cost of the over-protection of assets.

Q. 9

Answer: B. The data classification policy

Explanation: Data classification means the classification of data on the basis of its criticality to the business. Data can be classified as confidential data, private data, or public data. This classification helps the organization to provide an appropriate level of protection for the assets. More resources should be utilized for the protection of confidential data as compared to public data.

Q. 10

Answer: C. The data owner

Explanation: The responsibility for the maintenance of proper security controls over information assets should reside with the data owner. The ultimate responsibility resides with senior management. The security manager and the data administrator support the data owner in classifying the data and providing appropriate controls.

Q. 11

Answer: B. Determine the appropriate level of access control

Explanation: Information asset classification means the classification of assets based on their criticality to the business. Assets can be classified as confidential data, private data, or public data. This classification helps the organization to provide an appropriate level of protection for the assets. More resources should be utilized for the protection of confidential data compared to public data.

Q. 12

Answer: D. The published financial results

Explanation: Information asset classification means the classification of assets based on their criticality to the business. Assets can be classified as confidential data, private data, or public data. This classification helps the organization to provide an appropriate level of protection for the assets. Published financial results are considered public data and hence require the lowest level of protection.

Q. 13

Answer: D. An impact assessment

Explanation: The prime basis for determining the classification of information assets is the criticality and sensitivity of the assets in achieving the business objectives. An impact assessment is used to determine the criticality and sensitivity of the assets.

Q. 14

Answer: D. The data manager

Explanation: Information classification is primarily based on inputs from data owners. Business managers (data owners) have thorough knowledge and an understanding of an asset's impact on business processes. They are in the best position to determine the value of the information assets.

Q. 15

Answer: D. The criticality of the business function supported by the asset

Explanation: Assets can be classified and protected on the basis of business dependency assessments. In this approach, critical business functions are identified, and all the assets of critical functions are given high priority for protection.

Q. 16

Answer: A. Criticality and sensitivity

Explanation: The primary basis for determining the classification of information assets is their criticality and sensitivity in achieving business objectives. An impact assessment is used to determine the criticality and sensitivity of assets.

Q. 17

Answer: B. An impact assessment

Explanation: The primary basis for determining the classification of information assets is their criticality and sensitivity in achieving business objectives. An impact assessment is used to determine the criticality and sensitivity of the assets.

Q. 18

Answer: A. It should consider the impact of a security breach

Explanation: Classification should be based on an impact assessment, that is, the potential impact due to asset loss. The classification should be performed by the asset owner rather than the security manager. Vulnerability should not be the basis of classification—the potential impact due to the loss of the asset should be.

Q. 19

Answer: C. Potential impact

Explanation: Classification should be based on an impact assessment, that is, potential impact due to asset loss.

Q. 20

Answer: B. Determine the information classification level of the requested information

Explanation: The first step is to determine the classification level of the requested information. If the information is classified as confidential, then such information should not be made available to any unauthorized users. The other steps could be subsequent actions.

Practice Question Set 3

Q. 1

Answer: D. The replacement cost

Explanation: An asset should be valued at the replacement cost, which is the cost to replace the asset if it is damaged or destroyed. The replacement cost gives a realistic impact assessment. The other options are not true indicators for an impact assessment.

Q. 2

Answer: C. To create an inventory of the assets

Explanation: The first step is to create an inventory of all the information assets of the organization. Once the inventory is available, ownership is established and assets are valued. Based on this valuation, assets are classified.

Q. 3

Answer: C. Potential impact of the data loss

Explanation: An organization can suffer a huge impact if the lost data is critical and sensitive from the business perspective. In the case of leakage of personally identifiable information (PII), the organization is liable for legal consequences. The other options are not as critical.

Q. 4

Answer: A. The business managers

Explanation: Valuation is done on the basis of an impact assessment. Business managers are in the best position to understand the impact of an asset on the business. The other options (including senior management) will not have detailed knowledge of each process and its impact on the business.

Q. 5

Answer: C. Identification of the asset inventory and the appropriate valuation of assets

Explanation: The identification of all available assets is the first step in risk assessment. If the identification process is not properly followed, some assets may not be appropriately protected. Valuation is performed to understand the criticality and sensitivity of assets needing protection. Support from management, annual loss expectations, and threat motives are important, but risk assessment would be meaningless without asset inventory and valuation.

Q. 6

Answer: D. The financial losses of the affected business units

Explanation: Impact can be considered as the financial losses incurred by the affected business units. Impact is not merely restricted to service provider charges or the quantity of data transmitted. RoI is not based on connectivity and would not be useful in calculating impact.

Q. 7

Answer: A. Identification of business assets

Explanation: The first step is to create a list of all assets. This will ensure that no assets are missed during risk assessment. The other options are subsequent steps.

Q. 8

Answer: A. The dependency on subjective information

Explanation: A lack of accurate information is always a challenge in calculating annual loss expectancy. It is calculated on the basis of assumptions. The other options are comparatively less significant.

Q. 9

Answer: A. Potential financial loss

Explanation: Assets should be valued on the basis of potential financial loss due to their unavailability. The other options are not key considerations.

Q. 10

Answer: D. Classification

Explanation: Information asset classification involves the classification of assets on the basis of their criticality to the business. If an asset is classified as confidential, it means that it holds a high value for the organization.

Q. 11

Answer: B. Asset valuation

Explanation: Asset valuation indicates the impact from the cost perspective that the organization may face in the event of a major compromise. The other options will not be able to provide a direct cost representation.

Q. 12

Answer: D. Listing critical business resources

Explanation: A BIA determines the critical business assets by analyzing the impact of the unavailability of an asset on business objectives. In the event of a disaster, identified critical assets are recovered and restored by priority to minimize the damage. Identification of threats and vulnerabilities is performed during risk assessment. Incident notification procedures are a part of the business continuity and disaster recovery plans.

Q. 13

Answer: D. An inaccurate valuation of information assets

Explanation: Prioritization is based on the valuation of the assets. High-value assets are given priority for risk treatment. An inaccurate valuation may impact prioritization. An incomplete list may also impact the prioritization as some assets may be missed. However, organizations generally adopt procedures to identify at least all the critical assets. Hence, an incomplete list is not as major a concern. Incomplete vulnerability and threat assessments are less significant than an inaccurate valuation, which distorts the prioritization itself.

Q. 14

Answer: B. The restoration priority

Explanation: A BIA is the best way to determine the criticality of assets. A BIA determines the critical business assets by analyzing the impact of their unavailability on business objectives. In the event of a disaster, identified critical assets are recovered and restored by priority to minimize the damage.

Q. 15

Answer: D. A business impact analysis

Explanation: An RTO determines the time within which a system should be restored. An RTO is derived from a BIA, which helps to determine the critical systems of the organization and the impact due to the downtime of systems.

Practice Question Set 4

Q. 1

Answer: C. Discuss the situation with data owners to understand the business needs

Explanation: The first step is to determine the business needs for granting privileged access to all HR team members as it may be a business process requirement. Without understanding the business requirements, the security manager should not revoke access or report to senior management.

Q. 2

Answer: C. Determining the desired outcomes

Explanation: The most important aspect when developing a framework for an information security program is to determine the desired outcomes. If the desired outcome is not considered at the time of developing the framework, it will be difficult to determine the strategy, control objectives, and security architecture.

Q. 3

Answer: A. The extent of support provided to business objectives

Explanation: To get the framework approved, the security manager should demonstrate a positive return on security investment. The best method to evaluate the return on security investment is to determine how information security supports the achievement of business objectives. The other options do not directly help to determine the RoI.

Q. 4

Answer: B. It is comparatively easy to manage and control

Explanation: Due to centralized control, it is easy to manage the security functions compared to decentralized functions. Decentralized functions are more convenient, allow easier promotion of security awareness, and ensure faster turnaround for security requests as they are closer to business units. Decentralized units are more responsive to business unit needs.

Q. 5

Answer: C. It ensures better alignment of security with the business needs

Explanation: Decentralized units are more responsive to business unit needs as they are closer to the business units. The other options are advantages of centralized functions. Centralized management is easy to manage and control and ensures increased compliance and a reduction in the cost of security.

Q. 6

Answer: D. Performing a risk assessment

Explanation: The first step is to conduct a risk assessment and determine the impact of non-compliance. Based on the potential impact, subsequent actions should be determined.

Q. 7

Answer: C. Regular interaction with business owners

Explanation: The security framework and security policy should closely align with organizational needs. Policies must support the needs of the organization. For the alignment of the security program, the security manager should have a thorough understanding of the business plans and objectives. Effective strategic alignment of the information security program requires regular interaction with business owners.

Q. 8

Answer: B. Determining the risk and identifying the compensating controls

Explanation: The first step for the security manager is to determine the risk associated with granting the exception and evaluate whether any compensating controls are in place to address the risk. Based on the risk perceived, other options can be considered.

Practice Question Set 5

Q. 1

Answer: C. The statement is an example of a standard

Explanation: A standard is a mandatory requirement to be followed to comply with a given policy, framework, certification, or regulation. Standards help to ensure the efficiency and effectiveness of processes, which results in reliable products or services. A policy is a high-level statement of management intent and does not cover the preceding type of requirements. Guidelines and procedures provide detailed dos and don'ts to support the organization's policies.

Q. 2

Answer: C. Approving operating system access standards

Explanation: Standards should be approved by the information security team. The team should ensure that standards meet the requirements of the security policy. Implementation of the approved standard is performed by the IT department. The other options are generally performed by the IT department.

Q. 3

Answer: A. Standards

Explanation: Standards are sets of minimum requirements to be followed to comply with the requirements of a security policy. Standards (minimum requirements) are included in procedures to ensure that they comply with the intent of policies. Guidelines are generally detailed descriptions of procedures. A maturity model is adopted to ensure continuous improvement in the security process.

Q. 4

Answer: B. Standards

Explanation: A standard is a mandatory requirement to be followed to comply with a given framework, certification, or regulation. Standards help to ensure an efficient and effective process that results in reliable products or services. A policy is a high-level statement of management intent and does not cover specific regulatory requirements. Guidelines and procedures provide detailed dos and don'ts to support the organization's policies and standards.

Q. 5

Answer: D. The last review date

Explanation: The most important element in an information security standard is the last review date, which helps to ensure the currency of the standard and provides assurance that the document has been reviewed and updated to address current issues.

Q. 6

Answer: A. Database hardening procedures

Explanation: Generally, procedures are changed more frequently compared to policies and standards. As operating systems change, procedures for hardening also need to be changed. Policies and standards should be more static and less subject to frequent change.

Q. 7

Answer: C. A standard provides detailed directions to comply with a policy

Explanation: A policy is a high-level statement of management intent and does not cover specific requirements or actionable steps. A standard is a mandatory requirement to be followed to comply with a given framework or policy. That is, a standard provides detailed directions to comply with a policy.

Q. 8

Answer: D. A change in the results of the periodic risk assessment

Explanation: A standard is a mandatory requirement to be followed to comply with a given framework, certification, or policy. If the results of a risk assessment are not encouraging, then the standard should be updated to ensure that it appropriately addresses the organization's security objectives. The other options do not directly impact standards.

Q. 9

Answer: C. The board of directors

Explanation: The final responsibility for compliance with laws and regulations resides with the board of directors. The other options support the board to execute the security policy.

Q. 10

Answer: C. The policy approver

Explanation: A framework defines the process for handling exceptions to policies and procedures. The inherent authority to grant an exception to the information security policy resides with the one who approved the policy.

Q. 11

Answer: D. Control objectives not being met

Explanation: A standard is a mandatory requirement to be followed to comply with a given framework, certification, or policy. If the current standard does not help to achieve the intended control objectives, the standard should be modified to ensure that it appropriately addresses the organization's security objectives. The other options do not directly impact standards.

Practice Question Set 6

Q. 1

Answer: B. The cost of achieving control objectives

Explanation: A security program should provide value to the organization. The security manager should determine the cost of implementation of controls and the corresponding value of the assets to be protected. This will form the basis for determining whether the information security program is delivering value. If the cost of controls is higher than the value of the assets, then the program does not provide any value. The other options are secondary aspects.

Q. 2

Answer: B. The business asset owner

Explanation: It is very important to take approval from the business asset owner for patch update timings as patch updates may lead to unexpected problems and can interrupt business processes. Generally, business asset owners prefer non-working hours for patch updates.

Q. 3

Answer: B. Focus on key controls

Explanation: A security manager should primarily focus on the key controls to reduce risks and protect information assets. Role-based control may be one of the key control areas. Focusing only on financial applications is not as justifiable as the protection of other data (for example, customer data may be equally critical). Key controls need not necessarily be only preventive controls.

Q. 4

Answer: C. Information technology

Explanation: A security program should be integrated with the processes of other departments, such as IT, audit, risk management, quality assurance, and HR. This helps to improve the overall effectiveness of the security program. The most important aspect is integration with IT processes. For instance, automated controls are considered more effective than manual controls and are generally driven by the IT department. Also, IT is responsible for the implementation and operations of information processing systems. The other options are secondary aspects.

Q. 5

Answer: A. Issuance of termination notice

Explanation: In the event of the termination of an employee, details should be immediately made available to the security team to revoke all access rights of that employee, including de-provisioning of mobile devices. The other options are not as significant.

Q. 6

Answer: A. Feasibility stage

Explanation: For any new IT project, the security department should be involved right from the feasibility stage until the project completion stage. In fact, the security department should be involved throughout all SDLC phases. Security considerations affect feasibility. Thus, involving the security team only in the later stages may not be an effective and efficient strategy.

Q. 7

Answer: D. Access should be provided according to business needs

Explanation: Access should be provided on a need-to-know basis, that is, according to the business needs. The other options are not justifiable if users do not require data to perform their duties.

Q. 8

Answer: A. Reviewing and updating their access rights

Explanation: When an employee is transferred to another department, it is very important to review and update their access rights to ensure that any access no longer needed is removed and appropriate access for the new position is granted. The other options are secondary aspects.

Q. 9

Answer: D. To understand IT issues to achieve adequate information security

Explanation: A security manager should be well versed in IT in order to make informed decisions about technology risks. Technology knowledge will help the security manager understand IT issues and help them achieve adequate information security. A security manager is not expected to implement IT technology or adhere to the IT budget.

Practice Question Set 7

Q. 1

Answer: C. Reduction in the average response time for incidents

Explanation: A faster response helps to minimize the impact of an incident. Hence, to determine the effectiveness of an incident response team, the best indicator is the reduction in the average response time per incident. The other options are not direct indicators of the effectiveness of an incident response team.

Q. 2

Answer: A. To measure the effectiveness of the security program

Explanation: Defined objectives can be used to measure the effectiveness of the information security program. The success of the program is determined based on the achievement of the security objectives. The other options are secondary aspects.

Q. 3

Answer: A. Program metrics

Explanation: Program metrics measure how well a process is doing in terms of achieving its goals and objectives. A defined metric helps to measure the current state of different security objectives. This trend can be used to determine the improvement in a security program over time. If an organization is unable to take measurements over time that provide data regarding the key aspects of its security program, then continuous improvement is difficult to monitor. The other options are secondary aspects.

Q. 4

Answer: A. It is meaningful to the recipient

Explanation: A metric should be meaningful to the recipient and should provide the basis for sound decision-making. Unless it is meaningful to the recipient, all other attributes are of no use.

Q. 5

Answer: A. A reduction in the impact of security issues

Explanation: The main objective of implementing security controls is to minimize the adverse impacts of incidents. A reduction in impacts from security incidents indicates that security controls are effective. The other options do not directly indicate the effectiveness of security controls.

Q. 6

Answer: C. The security metrics

Explanation: Security metrics measure how well a process is doing in terms of its goals and objectives. A well-defined metric helps to measure the current state of different security objectives. This trend can be used to determine the improvement in the security program over time. The other options are secondary aspects.

Q. 7

Answer: A. Trends showing the number of servers compliant with security requirements

Explanation: Overall trends of security-compliant servers indicate the level of effectiveness of the information security program compared to standalone counts. Trends in the number of patch updates would be less relevant as they depend on the number of vulnerabilities. A high patch update rate will not necessarily indicate the effectiveness of a security program.

Q. 8

Answer: B. The percentage of control objectives achieved

Explanation: Executive management will be more interested in the achievement of control objectives as they are directly linked to business objectives. The achievement of control objectives is the best metric for executive management to evaluate the effectiveness of the security program. The other options are secondary aspects.

Q. 9

Answer: C. Design

Explanation: Security metrics are developed during the design phase of system development. Metrics should be developed before the testing and implementation phases. The feasibility stage is too early for the development of security metrics. In the feasibility phase, the possibility of implementing a project is determined.

Q. 10

Answer: A. Adverse incident trend reports

Explanation: Adverse incident trend reports indicate the impact on business objectives. Security incidents occur because either a control failed or there was no control in place. This will be taken seriously by management to fund the appropriate budget for information security. The other options are secondary aspects.

Q. 11

Answer: B. Relevance to the recipient

Explanation: A metric should be meaningful for the recipient and should provide a basis for sound decision-making. Unless it is meaningful to the recipient, all other attributes are of no use. The other options are secondary aspects.

Q. 12

Answer: A. A reduction in incident impacts

Explanation: The prime objective of any security program is to reduce the impact of incidents. A reduction in incident impacts indicates that the security program is effective in achieving its objectives. The other options do not directly indicate the achievement of security objectives.

Q. 13

Answer: D. Providing non-compliance reports to executive management at regular intervals

Explanation: Providing reports to executive management will create performance pressure on the business units. This will motivate them to address the non-compliant areas at the earliest opportunity. The other options are secondary aspects.

Q. 14

Answer: C. Measuring monetary values in a consistent manner

Explanation: In the absence of a consistent method, the results of the metrics can be incomparable, and trends can be misleading. Consistency is important to have reasonably accurate and reliable results. It is not practical to simply exclude qualitative risks because of difficulties in measurement. Developing cost-effective processes and considering investment amounts as profits are not relevant to the calculation of RoI.

Q. 15

Answer: A. Percentage of penetration attempts investigated

Explanation: The objective of capturing a log is to conduct follow-up investigations for suspected penetration attempts. Investigation helps to take various preventive and corrective actions. Merely capturing the logs or generating reports will not serve the ultimate purpose. Hence, the most useful metric for measuring the success of log monitoring is to determine the percentage of suspected penetration attempts investigated. If organizations do not investigate and only keep capturing logs, the ultimate objective of log capturing will not be achieved.

Q. 16

Answer: C. Security objectives

Explanation: Primarily, metrics should be based on the security objectives so they can provide a useful measure to evaluate the effectiveness and efficiency of the information security program and its objectives. Avoiding financial and operational risks can be one of the security objectives. Industry standards may or may not be aligned with the security objectives of the organization.

Q. 17

Answer: C. To enable continuous improvement

Explanation: The main objective of security-related metrics is to measure performance and facilitate and focus on the continuous improvement of the security program. Metrics may indicate security weaknesses but do not directly identify them. The other options are secondary aspects.

Q. 18

Answer: C. Define and monitor the security metrics

Explanation: Metrics help measure performance over a period of time. They indicate the trend of security performance by comparing against the baseline and help identify areas of improvement. The other options are secondary aspects.

Q. 19

Answer: D. The information security manager

Explanation: Metrics are generally relevant to the owner of the control. Metrics for measuring the effectiveness of antivirus software are primarily relevant to the information security manager. They help the manager determine the current state of the control. If a control is not performing as expected, the security team can investigate and address the issue.

Revision Questions

Q. 1

Answer: C. Classification of assets

Explanation: Information asset classification refers to the classification of information assets based on their criticality to the business. Information assets can be classified as confidential data, private data, or public data. This classification helps the organization provide the appropriate level of protection for data. More resources should be utilized for the protection of confidential data compared to public data.

Q. 2

Answer: B. The impact of a compromise

Explanation: Information asset classification refers to the classification of assets based on their criticality to the business. Critical assets can have a significant impact in the event of a compromise compared to less critical assets.

Q. 3

Answer: D. To determine the protection level

Explanation: Information asset classification refers to the classification of assets based on their criticality to the business. Assets can be classified as confidential data, private data, or public data. This classification helps the organization provide an appropriate level of protection for the assets. More resources should be utilized for the protection of confidential data as compared to public data.

Q. 4

Answer: A. An assessment of impact by the data owner

Explanation: Data classification refers to the classification of data based on its criticality to the business. Data classification is primarily based on inputs from the data owner. Data owners (business managers) have thorough knowledge and understanding of an asset's impact on overall business processes. They are in the best position to determine the value of the information assets. Requirements of the information security policy are generally applicable after the classification of assets. The level of protection is determined on the basis of classification and not the other way around as indicated in option C.

Q. 5

Answer: A. Classification of assets

Explanation: Information asset classification refers to the classification of assets on the basis of their criticality to the business. Assets are then protected in proportion to their criticality. Assets can be classified as confidential data, private data, or public data. This classification helps the organization provide the appropriate level of protection for the assets. More resources should be utilized for the protection of confidential data as compared to public data.

Q. 6

Answer: A. Its business value

Explanation: The classification of an asset is generally based on its business value, that is, the impact on the business if the asset is compromised. From the risk management perspective, an asset is generally valued on the basis of its business value and not merely on the basis of simple acquisition or replacement costs. Business value is measured in terms of revenue loss or other potential impacts when an asset is compromised. For example, suppose software is acquired at a cost of $1,000 and generates a revenue of $5,000 in a single day. Its business value will be $5,000 per day and not merely its acquisition cost.

Chapter 6: Information Security Program Management

Practice Question Set 1

Q. 1

Answer: C. To mitigate impact

Explanation: Corrective controls are implemented to reduce the impact once a threat event has occurred. They facilitate the quick restoration of normal operations. Examples of corrective controls include the following:

  • Business continuity planning
  • Disaster recovery planning
  • Incident response planning
  • Backup procedures

Q. 2

Answer: D. The data custodian

Explanation: The data custodian is required to provide and implement adequate controls for the protection of data. The data owner is required to classify the level of protection required for their data.

Q. 3

Answer: C. A source code review

Explanation: The most effective method to identify and remove an application backdoor is to conduct a review of the source code. The other options will not be as effective.

Q. 4

Answer: C. A signed acceptable use policy

Explanation: The purpose of a deterrent control is to give a warning signal to deter or discourage a threat event. When employees sign an acceptable use policy, they are made aware of the consequences of not adhering to it. This acts as a deterrent control. Two-factor authentication will not be able to prevent the activities of authorized users. Internal audits and log capturing are used after the fact (detective control) and may not be effective to prevent the event.

Q. 5

Answer: C. Performing a network address translation

Explanation: External security threats can be prevented by the use of network address translation, as the internal hosts have non-routable addresses that are not directly reachable from outside. The other options are not as effective.

Q. 6

Answer: A. Criteria for data backup

Explanation: A policy is a high-level statement indicating the intent of management. With respect to backups, the policy will include the criteria for data backup. These criteria will help the user determine which data is to be considered critical and accordingly the frequency at which data backups should be taken. The other options are generally included in procedure documents.

Q. 7

Answer: C. The system design specifications stage

Explanation: System specifications, with respect to the type of access control and encryption, are considered in the system design specification stage. The feasibility phase includes a cost-benefit analysis of system development. In the procedural design phase, structured components are converted into procedural descriptions. The software development stage would be too late, as by this stage the system is already being coded.

Q. 8

Answer: D. Degaussing the tapes

Explanation: Degaussing is the best way to erase data from a tape. In the degaussing process, an alternating current field is increased gradually from 0 to a maximum value and again reduced to 0, thus leaving a very low residue of magnetic induction on the device.

This is known as demagnetization or degaussing. The other options are not as secure. Multiple overwriting and erasing of the tape are not fool-proof methods of removing data. Burning the tape will physically destroy it, so it cannot be reused.

Q. 9

Answer: B. Native database auditing impacts the production database's performance

Explanation: With respect to database security, a native audit refers to the use of tools and techniques that help the administrator perform an audit of database activities. However, enabling a native audit may lead to performance degradation of the database. This is a major concern. The other options are less significant.

Q. 10

Answer: A. Degradation of performance

Explanation: Enabling an audit log function may create a burden on database processing, which may result in a degradation of the database's performance. The more elaborate the logging becomes, the slower the performance will be. It is important to strike a balance. The other options will not be impacted by enabling an audit log function.

Q. 11

Answer: A. Diverting the incoming traffic during a denial-of-service attack

Explanation: The prime objective of a corrective control is to reduce the impact of an event once it has occurred and to ensure restoration to normal operations.

The process of diverting the incoming traffic helps correct the situation and hence it is a corrective control. Filtering network traffic is a preventive control. Auditing and logging are detective controls.

Q. 12

Answer: A. When general controls are weak

Explanation: Application controls are controls implemented for a particular application, whereas general system controls are implemented for the overall environment. An application is protected by a combination of application and general controls. When general controls are weak, more emphasis should be placed on application-level controls. Detective, preventive, and corrective controls exist at both the general and the application levels.

Q. 13

Answer: A. The activity of the system administrator should be monitored by a separate reviewer.

Explanation: The activities of a system administrator should be monitored to ensure that their performance is in accordance with the information security program. Monitoring by an independent reviewer is more effective than a self-audit. It is not necessary for the monitoring to be done by a member of the security team. The steering committee is not involved in routine monitoring.

Q. 14

Answer: D. A risk to availability

Explanation: Controls can be designed to either fail closed or fail open. For example, in the case of the failure of an automatic door, an organization can opt for fail open (the door remains open) or fail closed (the door remains closed). In the case of fail open, confidentiality and integrity may be compromised, and in the case of fail closed, availability and safety may be compromised. In such a situation, the risk is determined for each element and a decision is made accordingly.

Q. 15

Answer: D. Failure modes

Explanation: Failure modes describe the mode in which controls operate in the event of a failure, that is, whether a control fails open or fails closed. The failure mode of a control impacts safety, confidentiality, and availability. For example, in the case of the failure of an automatic door, an organization can opt for fail open (the door remains open) or fail closed (the door remains closed). In the case of fail open, confidentiality and integrity may be compromised, and in the case of fail closed, availability and safety may be compromised. In such a situation, the risk is determined for each element and a decision is taken accordingly.

Q. 16

Answer: D. To verify the sender's identity and determine whether orders are in accordance with the contract terms

Explanation: In an EDI environment, there are primarily two challenges with respect to the receipt of an order. The first challenge is to ensure that an order received is from a trusted partner and the second is to ensure that the order quantity is correct. Hence, a control should be available for the verification of the sender's identity and to determine the correctness of the order quantity. The other options will not be as effective.

Q. 17

Answer: A. To limit the consequences of a compromise

Explanation: Segmentation refers to dividing a network into parts. Segmentation limits the consequences of an attack by constraining the scope of impact. Segmentation by itself does not reduce vulnerability, but may result in complex administration, and is not implemented primarily to support the data classification scheme.

Q. 18

Answer: B. The safety of human life

Explanation: While implementing any framework, policy, or control, the most important consideration is the safety of human life. The other options are secondary aspects.

Q. 19

Answer: D. Control design and development

Explanation: Control design and development is the prime activity in the development of an information security program. Most program development activities will involve designing, testing, and implementing controls. The other options are secondary aspects.

Q. 20

Answer: A. In areas where incidents may have a high impact and high frequency

Explanation: A security manager should understand that implementing continuous monitoring is expensive. The use of continuous monitoring may not always be feasible or practical, so it should be used in areas with the highest risk levels. Therefore, continuous monitoring is best deployed in the areas where incidents may have a high impact and frequency.

Practice Question Set 2

Q. 1

Answer: C. It helps to define the minimum acceptable security required across the organization

Explanation: A baseline refers to basic requirements. A security baseline refers to the minimum basic requirement for an organization's security.

Establishing a security baseline across the entire organization will help to ensure that controls are consistently applied in accordance with acceptable risk levels.

Q. 2

Answer: B. Implementing a security baseline

Explanation: A security baseline refers to the minimum basic requirement for an organization's security. The objective of implementing a security baseline throughout the organization is to ensure that controls are consistently implemented as per the acceptable risk levels. The other options do not directly address compliance with the information security policy. Frequent user awareness training does not necessarily ensure compliance.

Q. 3

Answer: B. To establish a uniform process of system hardening

Explanation: The objective of implementing a security baseline throughout the organization is to ensure that controls are consistently implemented as per the acceptable risk levels. A baseline helps to establish a uniform and consistent security standard throughout the organization.

Q. 4

Answer: C. A baseline

Explanation: A baseline describes basic requirements. A security baseline refers to the minimum basic requirement for an organization's security. The objective of implementing a security baseline throughout the organization is to ensure that controls are consistently implemented as per the acceptable risk levels. Procedures determine the detailed processes but do not include configuration requirements. Guidelines are not mandatory in nature. Policies are high-level statements indicating management's intent but do not include details about configuration requirements.

Q. 5

Answer: B. To prepare baseline requirements for all locations and add location-wise supplementary standards as per the local requirements

Explanation: The most effective and efficient method in this scenario is to determine a baseline standard and then add additional requirements as per the local needs. Mandating all locations to follow all requirements will place an undue burden on them and may also result in contradictory requirements. Letting each location decide on its own requirements may cause some corporate-level compliance requirements to be missed. Hence, deciding on a baseline is a must.

Q. 6

Answer: B. To establish a uniform process of system hardening

Explanation: A security baseline refers to the minimum basic security requirements for a specific group of applications. It helps to establish a uniform security standard for system hardening. The other options are secondary aspects.

Practice Question Set 3

Q. 1

Answer: D. To conduct security awareness training for employees

Explanation: Human resources should primarily aid in creating awareness about the information security requirements of the organization. Recruitment is a secondary factor. Budget allocation and risk assessment may not be the responsibility of the human resources department.

Q. 2

Answer: A. To customize the content of the program as per the target audience

Explanation: The most effective way to increase the effectiveness of the training is to customize it as per the target audience and to address the systems and procedures applicable to that particular group. For example, a system developer needs to undergo an enhanced level of training covering secure coding aspects, while data entry operators can be trained on the security aspects related to their functions. The other options are secondary aspects.

Q. 3

Answer: D. Security awareness campaigns

Explanation: Frequent security awareness campaigns are the best way to improve an organization's security culture. The other options are secondary aspects.

Q. 4

Answer: C. What employees should or should not do in the context of their job responsibilities

Explanation: An awareness program will be more relevant if it is customized to include the dos and don'ts of the job responsibilities of employees. A security awareness program should focus on employee behavior and its impact on the organization's security posture. The other options are secondary aspects.

Q. 5

Answer: A. Logon banners displayed at every logon

Explanation: The most effective method is to create awareness through the use of logon banners. A security message will be displayed every time the user logs on, and they will be required to read and agree to the message before access is granted. This will help to enforce the security requirements throughout the organization. The other options are not as effective.

Q. 6

Answer: C. Before access to data is provided

Explanation: Security awareness training should be completed before the new joiner is given access to data. They should be aware of the secure data handling process.

Q. 7

Answer: B. To influence employee behavior

Explanation: Frequent awareness training efforts can influence the behavior of employees from a security aspect. It helps employees make security-conscious decisions and actions.

Q. 8

Answer: B. Some quantitative evaluation used to ensure user comprehension

Explanation: The security manager should design some quantitative evaluation criteria to determine the understanding level of the user, for example, a quiz or other type of assessment that is measurable. The other options are secondary aspects.

Q. 9

Answer: A. The methodology to be used in the assessment

Explanation: The methodology helps you to understand the process and formulae for the assessment. It is the most important element in the selection of a consultant. The other options, though important, are not as significant.

Q. 10

Answer: C. A top-down approach

Explanation: A top-down approach means that commitment to the success of the security awareness program comes from the senior management level. Support from senior management will ensure enough resources are provided for the program's success. The other options, though important, are not primary success factors.

Q. 11

Answer: B. User education and training

Explanation: Periodic education and training is the most cost-effective method to improve the security awareness of employees. The other options will not be effective in the absence of user education and training.

Q. 12

Answer: D. The information security department

Explanation: The information security program is generally managed by the information security department. Security awareness training and materials are part of the information security program.

Q. 13

Answer: C. Security awareness training

Explanation: In the absence of structured security awareness training, the other components of the program may not be effective.

Q. 14

Answer: B. A discussion on how to construct a strong password

Explanation: To improve the effectiveness of awareness training, modules should be customized as per the job functions of the audience. An employee engaged in general operational duties is expected to create a strong password for their authentication. They are not required to have a thorough understanding of the other options.

Q. 15

Answer: D. Continually reinforce the security policy.

Explanation: The most effective method is to continuously reinforce the security policy and management expectations of the behavior of the employees. The other options are not as effective.

Q. 16

Answer: C. Conduct role-specific awareness training

Explanation: The best way to increase the effectiveness of the training is to customize the training as per the target audience and to address the systems and procedures applicable to that particular group. For example, a system developer needs to undergo an enhanced level of training that covers secure coding aspects, while data entry operators can be trained on security aspects related to their functions.

Q. 17

Answer: A. To decrease the likelihood of information security incidents

Explanation: The prime objective of security training is to influence the behavior of the employees and thereby reduce the likelihood of information security incidents. Although compliance with the information security policy is important, the objective of security training is to influence the cultural and behavioral elements of information security. The other options are secondary factors.

Q. 18

Answer: C. To establish an organizational culture that is favorable to security

Explanation: A structured and well-defined security awareness training program will help to build a favorable environment for secure business processes. The other options are secondary factors.

Q. 19

Answer: B. Calling back the branch number listed in the office phone directory

Explanation: The best way to authenticate the caller is to call back the branch number listed in the office phone directory. The recipient should not use any phone number or email address provided by the caller. Once the call has been reasonably verified, the information may be provided to the caller. The other options are not as effective.

Q. 20

Answer: D. Threats and vulnerabilities

Explanation: Security awareness training should be a continuous process as threats and vulnerabilities change over time. Regular refresher training is an important part of security awareness. Changes in technology and compliance requirements are covered by addressing changes in threats and vulnerabilities.

Practice Question Set 4

Q. 1

Answer: C. A service level agreement

Explanation: An SLA defines the level of service expected from a vendor and includes the other options, such as penalty clauses, indemnity clauses, and the right to terminate.

Q. 2

Answer: A. A right-to-audit clause

Explanation: To conduct independent assessments of the service provider, it is critical that a right-to-audit clause is included in the contract. In the absence of this clause, a service provider may not allow the auditing of their processes. The other options depend upon the nature of the services outsourced and should be evaluated during the audit.

Q. 3

Answer: C. Whether the service provider is contractually obliged to follow all relevant security requirements.

Explanation: In the absence of contractual liability, the security manager will not be able to ensure compliance with security requirements by the service provider. Contractual obligations help both parties to commit to the contract. Adherence to the budget and obtaining industry references is the responsibility of the business unit and not the security manager. The availability of a business continuity arrangement is a secondary aspect.

Q. 4

Answer: B. Conducting regular security reviews of the third-party service provider

Explanation: Frequent audits and security reviews of the third-party service provider are the best way to ensure an appropriate security arrangement on an ongoing basis. Including security requirements in the service contract is important but it does not help to ensure ongoing effectiveness. Security training and increasing contract rates are secondary aspects.

Q. 5

Answer: A. An access control matrix

Explanation: The required access control matrix (discussed in Chapter 7, Information Security Infrastructure and Architecture) should be included in the SLA to ensure the confidentiality of data. The other options are generally not included in an SLA.

Q. 6

Answer: C. The contract should mandate that the service provider complies with the organization's security requirements

Explanation: A security manager can enforce security requirements only if a contract mandates compliance with the information security policy. A confidentiality clause and a security audit should be part of the security requirements. The contract rate is required to be approved by business management, not by the steering committee.

Q. 7

Answer: A. The security arrangement for stored and transmitted sensitive data

Explanation: As the third party is involved in handling sensitive customer data, the primary consideration for the security manager is to determine the security arrangement for the storage and transmission of sensitive data. The other options are secondary aspects.

Q. 8

Answer: D. Included in the contract

Explanation: The most effective method is to ensure that the requirements are included in the contract. This will help to enforce those requirements. The other options are secondary aspects.

Q. 9

Answer: C. To conduct periodic audit reviews of the service provider

Explanation: The best control to monitor the services of the third-party service provider is to conduct periodic audit reviews of the provider. The other options are not as effective. An audit will help to determine the level of actual compliance with the security requirements.

Q. 10

Answer: C. Ensure that appropriate controls are included

Explanation: The role of the security manager is to ensure that appropriate controls are included in the contract. In the absence of a well-defined contractual agreement, the organization cannot enforce security requirements. The right to audit is one of the controls to be included in the contract. Operational issues and the contract rate are not within the purview of the security manager.

Q.11

Answer: C. Implement a firewall to restrict network traffic from the trading partner's location

Explanation: The best way to continue the business relationship and at the same time address the risk is to set up firewall rules restricting network traffic from the trading partner. Options A and D will not prevent security incidents. Option B is not feasible considering business requirements.

Q.12

Answer: B. Conducting a risk assessment to determine the required controls

Explanation: The most important step is to conduct a risk assessment to identify the risks and determine the required controls. A background check of the service provider's employees is the responsibility of the service provider. Audits and security assessments are carried out subsequent to risk assessment.

Q.13

Answer: A. The right to conduct an independent security review

Explanation: The most important aspect is the right to conduct an independent security review of the third-party service provider. This will help the organization determine the service provider's security posture. The other options are secondary aspects.

Q.14

Answer: C. When requirements are being established

Explanation: It is important to get the information security manager involved right from the beginning when the requirements are being established. The security requirements should be considered at the time of bids and other negotiations with the third party.

Q.15

Answer: A. Limiting user access rights

Explanation: The most effective method is to limit access to the extent required for the user to perform their job. User authentication by way of two-factor authentication and biometric controls is important, but once access is granted, the users should have only specific rights.

Q.16

Answer: D. Adherence to the organization's information security requirements

Explanation: The most important aspect is to ensure compliance with the organization's information security requirements. Authentication and alternate processing sites will already be included in the organization's security requirements. Compliance with international standards is a secondary aspect.

Q.17

Answer: C. Prior to developing a project budget

Explanation: An RFP (request for proposal) is the process of requesting technical details and costs for the proposed project. The budget is generally finalized based on the proposals received from the service providers. Project feasibility and business cases are initial steps to decide whether a project should be implemented or not.

Q.18

Answer: A. To establish the process for monitoring the service provider

Explanation: After the contract has been signed, the next step will be to ensure that continuous service provider monitoring is established. This will help to control and monitor the activities of the service provider and irregularities, if any, can be addressed immediately. All the other options are actions taken prior to signing the contract.

Q.19

Answer: A. Assurances that the third party will comply with the requirements of the contract

Explanation: The service provider is required to provide assurance about compliance with the requirements of the contract. One of the methods to do this is through independent security audit reports. Awareness training and background checks may be among the requirements of the contract. A review of contracts and policies is important, but it does not assure compliance.

Q.20

Answer: B. Whether privacy requirements are complied with

Explanation: Privacy is the right of the individual to demand the utmost care of any personal information that they have shared with any organization or individual. Individuals can demand that the use of their information be appropriate, legal, and only for the specific purpose for which the information was provided. Non-compliance with privacy requirements may lead to legal consequences. The other options are secondary aspects.

Practice Question Set 5

Q.1

Answer: B. The business strategy

Explanation: The security framework and policy should closely align with organizational needs. Policies must support the needs of the organization. For the alignment of the security program, the security manager should have an understanding of the business strategy, plans, and objectives. An effective strategic alignment of the information security program requires regular interaction with business owners.

Q.2

Answer: B. Organizational needs

Explanation: The security framework and security policy should closely align with organizational needs. Policies must support the needs of the organization. The other options are secondary aspects.

Q.3

Answer: D. Obtain sign-off from all stakeholders

Explanation: Before implementing the security framework and policy, sign-off should be obtained from all relevant stakeholders to ensure that the policy supports the objectives and expectations of the business. The other options are secondary aspects.

Practice Question Set 6

Q.1

Answer: C. The information security manager

Explanation: The responsibility for raising awareness of the need for sufficient funds for security initiatives resides with the information security manager. Even though the chief information officer, business process owner, and chief audit officer do play important roles in the final approval of funds, the information security manager has the ultimate responsibility for raising awareness of the need for adequate security funds.

Q.2

Answer: C. Prioritizing risk mitigation and educating management

Explanation: When funds are inadequate, the best option is to allocate the available resources to those areas of highest risk and, at the same time, to educate management about the potential impact of underfunding. The other options are secondary factors.

Q.3

Answer: A. The identified levels of risk

Explanation: On the basis of the risk assessment, areas of high risk should be identified. Priority should be given to these areas of high risk. Security investment should then be prioritized by the level of each risk. Prioritization should not be based on trends, the discretion of the security manager, or industry benchmarking.

Practice Question Set 7

Q.1

Answer: D. Does not interrupt the production process

Explanation: The most important aspect is to ensure that the scan process does not interrupt the production process. There is no harm in using industry-recognized open source tools. A scan should concentrate on all servers within the network because if any of the servers is compromised, then the entire network will be in danger. Adherence to the budget is not a major concern.

Q.2

Answer: C. The steering committee

Explanation: The security steering committee consists of senior officials from different business functions. It plays an important part in the finalization of security requirements. The security steering committee is in the best position to support the establishment of an information security program.

Q.3

Answer: A. On a daily basis

Explanation: New attack patterns are introduced almost on a daily basis. If signature files are not updated daily, the organization could be exposed to new types of attacks. The other options are not effective.

Q.4

Answer: D. Definition files

Explanation: The effectiveness of antivirus software depends on virus definition files. If definitions are not updated on a frequent basis, antivirus software will not be able to control new types of attacks. The other options are secondary aspects.

Q.5

Answer: D. Ease of maintenance and frequency of updates

Explanation: For antivirus software to be effective, it must be easy to maintain and must be updated frequently to address new viruses. The other options are secondary factors.

Q.6

Answer: B. Use protective switch covers

Explanation: Installing protective switch covers will help reduce instances of an individual accidentally pressing the power button and shutting down the system. A redundant power supply will not prevent accidental system shutdowns. Shutdown alarms will come on after the event. Biometric readers are generally used for granting access to a system and not for switching on/off the power.

Q.7

Answer: D. Leadership from IT, business management, and human resources

Explanation: The role of a steering committee is to ensure that the security initiatives are in harmony with the organization's mission and objectives. A steering committee monitors and facilitates the deployment of security resources for specific projects in support of business plans. Senior management and representatives from IT, business management, human resources, information security, and so on should make up the steering committee.

Q.8

Answer: D. System overheads

Explanation: Overhead means excess or indirect utilization of computation time, memory, bandwidth, and other resources. A monitoring product can have a significant impact on system overheads for servers, applications, and networks. A security manager should ensure that the monitoring device does not degrade the performance of the servers, applications, and networks. The other options are secondary aspects.

Q.9

Answer: D. A Trojan program

Explanation: If a computer is infected with a Trojan program, the attacker can take full control of the system and hijack, copy, or modify the information after authentication is completed by the user. An IP address is not used for authentication and hence IP spoofing will not work. Secure Sockets Layer (SSL) along with a digital certificate will prevent a man-in-the-middle attack. A digital certificate will prevent the risk of repudiation.

Q.10

Answer: B. Perform periodic reviews for compliance

Explanation: The best method is to conduct a periodic review and determine the status of compliance. Gaps, if any, should be addressed appropriately. The other options are secondary factors.

Q.11

Answer: A. It is a cost-effective way to take advantage of expertise not available internally.

Explanation: The primary driver for taking advantage of the services of an external resource is that it helps to contribute cost-effective expertise that is generally not available internally. The other options are secondary factors.

Q.12

Answer: B. Finance department

Explanation: The responsibility for determining the appropriate level of classification resides with the data owner. In this case, the finance department is the owner of the accounting data and hence the finance department should determine the level of classification for the server.

Q.13

Answer: A. Restrict access to read only

Explanation: The best way is to only allow read-only access for the module. The developer should not have the right to modify or download the base data. The other options will not be as effective as read-only access.

Q.14

Answer: C. Operational units

Explanation: The most effective way to optimize the security program is to embed the security processes within the operational processes. The involvement of operational units is of utmost importance to ensure that the security process is accurate and functional.

Q.15

Answer: C. The system programmer

Explanation: The system programmer should not have the privilege to update the access control list as it enables them to have unlimited control over the system. The data owner, the data custodian, or the security administrator may be required to carry out updates of the access control list as per their defined job responsibilities.

Q.16

Answer: B. Log all of the application programmer's activity for a review by their manager.

Explanation: The best way to mitigate the situation is to capture a log of the programmer's activities, which needs to be reviewed by their manager. This will help to detect any inappropriate action on the part of the application programmer. The other options will not be as effective.

Q.17

Answer: D. To remove all logical access provided to the employee

Explanation: The most important step is to remove all logical access provided to the employee. Upon termination, the employee should not be able to access the organization's data. Taking back the identity card and laptop does not prevent the employee from logging in from external machines. Deleting the employee's files needs to be considered after analyzing the nature of the data.

Q.18

Answer: A. To ensure that the process is repeatable and sustainable

Explanation: The primary objective of documenting the security processes is to ensure that they are repeatable and sustainable. This helps to ensure that the security processes are performed correctly and consistently.

Q.19

Answer: A. The various circumstances in which cryptography should be used

Explanation: The objective of a process document is to support users in ensuring that the process is followed in a consistent and correct manner. The most important aspect that should be included in a cryptography process document is the circumstances in which cryptography should be used. The other options are generally automated and system driven, so users may not need to be involved much.

Q.20

Answer: B. Throughout the entire life cycle of the process

Explanation: Risk assessment is not a one-time activity. It should be conducted at every stage of the newly implemented process for the most effective result.

Practice Question Set 8

Q.1

Answer: C. A notification about what the company will do with the information it collects

Explanation: Generally, all privacy laws mandate the disclosure of how information collected will be used. The privacy budget is generally not included in a privacy statement. Notifications about the accuracy of information are included in the website disclaimer. Information classification is not part of a privacy statement.

Practice Question Set 9

Q.1

Answer: B. Verify a copy of independent security reviews or audit reports for the cloud service provider

Explanation: The best way to evaluate a provider is to obtain and verify independent security reviews or audit reports of the company. The other options are not sufficient in themselves to verify the physical security arrangements.

Q.2

Answer: D. The contract should restrict the movement of data within the territory allowed as per the relevant law or regulation.

Explanation: It is very important to validate and verify whether the regulations of the locations (where the infrastructure is located) are aligned with the enterprise's requirements. A contract should include terms to restrict the movement of assets within approved locations. The other options are comparatively less important.

Q.3

Answer: A. Clarity with respect to data ownership, data custody, and IPR-related requirements

Explanation: It is very important that the contract provides proper clarity with respect to data ownership, data custody, and other IPR-related requirements.

Q.4

Answer: B. The data in the multitenancy environment being accessed by competitors

Explanation: The most important concern about the storage of personal data in a cloud environment is unauthorized access by competitors. Data leakage may have serious consequences.

Q.5

Answer: B. Compliance with legal requirements

Explanation: The most important items to consider are legal requirements, laws, and regulations. The other options are comparatively less important.

Q.6

Answer: B. Private cloud

Explanation: A private cloud is considered the most secure deployment method as it can be controlled and centralized by the organization.

Q.7

Answer: A. Ability to expand storage and bandwidth on demand

Explanation: The main benefit of cloud computing is flexibility in obtaining the storage and bandwidth capacity as per the business requirements. This is very difficult to manage in a locally hosted environment. End user training is required irrespective of whether it is a cloud or local environment. Encryption and access control can be established in both local and cloud environments.

Revision Questions

Q.1

Answer: A. Employees engaged in monitoring activities

Explanation: Ethics training is important for all employees but is primarily useful for employees engaged in monitoring activities as they have access to sensitive corporate and personal information. Ethics training includes guidance on appropriate legal behavior to reduce corporate liability and awareness of data privacy and ethical behavior.

Q. 2

Answer: B. Residual risk

Explanation: Residual risk refers to the risk that remains after controls are implemented. The objective of an awareness program is to improve the controls and reduce vulnerability, which thereby reduces the residual risk. The other options are not primarily influenced by a security awareness program.

Q. 3

Answer: A. To promote the advantages of a good security culture through influential people

Explanation: Influential people in the organization are usually employees with substantial authority and who have a greater interest in promoting the security culture. They act as ambassadors for the security culture within their department and can bring significant change across the entire organization's culture. The other options are not as effective.

Q. 4

Answer: D. The possibility of disclosure of sensitive data in transit or storage

Explanation: A primary area of concern is the disclosure of sensitive data, which may lead to regulatory, financial, as well as reputational loss. Generally, cloud storage is cost effective. The unavailability of proper training and network problems are secondary aspects.

Q. 5

Answer: B. Risk assessment

Explanation: The first step is to conduct a risk assessment to determine the level of risk involved in providing access to a third-party service provider. The other options are covered in the risk assessment process.

Q. 6

Answer: B. A clause for the right to audit

Explanation: The absence of a right-to-audit clause would prevent an organization from determining the security arrangements of the service provider. The organization would not have any assurance about contractual and legal compliance from the service provider. The other options are not as significant as the right-to-audit clause.

Q. 7

Answer: D. Whether the service provider meets the organization's security requirements on an ongoing and verifiable basis

Explanation: From a security perspective, the most important consideration is the service provider's capability to meet the organization's security requirements. The other options are secondary aspects.

Q. 8

Answer: B. Incompatible culture

Explanation: It is very difficult to determine the culture of another organization. The incompatible culture of a third-party service provider poses a high risk for any organization. Employees with different cultures often have different perspectives on data privacy. Sometimes, the perspectives of the employees may not be consistent with the organization's requirements. Employees from different cultures may have different perspectives on what information is considered sensitive or confidential and how such information should be handled.

Q. 9

Answer: A. Ensure that the security requirements included in the service agreement meet the current business requirements

Explanation: The first step is to ensure that current business and security requirements are included in the service agreement. As the service agreement has not been significantly revised in 5 years, it is possible that the third-party service provider is not aware of the current requirements of the organization. If requirements are not included in the service agreement, even compliance with the service agreement, a heavy penalty, and automatic monitoring will not be meaningful.

Q. 10

Answer: D. The defined responsibilities

Explanation: It is easy to assign ownership of and accountability for an operational issue if roles and responsibilities are properly defined in the SLA. If there are any concerns, it is most important to identify the owner of responsibility. This helps to determine the next action to be taken. The other options are secondary aspects.

Q. 11

Answer: B. Whether the service provider's security architecture meets the organization's requirements

Explanation: From a security perspective, the most important consideration is the service provider's capability to meet the organization's security requirements. The security manager is generally not concerned about the contract rate. Application availability and alternate site processing will already be included in the organization's security requirements.

Q. 12

Answer: D. By conducting a security code review for the entire application

Explanation: The best security measure when a third party is engaged in application development is to conduct a security code review for the entire application to detect all the malware, including backdoors.

Q. 13

Answer: A. Discuss the finding with the marketing manager to evaluate the risk and impact

Explanation: The first step for the security manager is to discuss the finding with the marketing manager and determine the risk and impact of such an act. Input from business unit management is very important in deciding the next step. The findings should not be directly highlighted to the audit committee without understanding the risk and impact. The other options are subsequent actions.

Q. 14

Answer: B. Conducting a risk assessment

Explanation: The first step is to conduct a risk assessment to identify the current needs and requirements of the organization and accordingly develop a security strategy. The other options are subsequent steps.

Q. 15

Answer: D. The operations department

Explanation: Most of the critical processes and data of the organization are generally handled by the operations department. This department has first-hand knowledge of the organization's processes and responsibilities and will help to ensure that written procedures are sound, repeatable, and sustainable.

Q. 16

Answer: A. To implement content filtering

Explanation: Content filtering is the best tool to address the issue as it has the ability to examine the content of an attachment and prevent any information containing certain words or phrases from being sent out of the organization. Encryption will not be effective because it does not prevent confidential information from going out. In fact, the content filtering tool will not be able to read encrypted information. Email audit and security training will not be as effective.

Chapter 7: Information Security Infrastructure and Architecture

Practice Question Set 1

Q. 1

Answer: D. The information security architecture

Explanation: Just as conventional architecture defines the rules and standards for the construction of buildings, information security architecture addresses the design and implementation of the security posture of the organization. An architecture helps to integrate the different components of information security in an effective manner. A security architecture also defines minimum levels of security for the infrastructure.

Q. 2

Answer: D. Business objectives and goals

Explanation: The prime objective of the security architecture is to support business objectives and goals. The other options are secondary factors.

Q. 3

Answer: B. Developing an architecture

Explanation: Information security architecture supports the design and implementation of the organization's security posture, just as traditional architecture specifies the guidelines and standards for building construction. An architecture helps in the efficient integration of the various information security components.

Practice Question Set 2

Q. 1

Answer: D. Effective termination process

Explanation: An effective termination process is one of the most important aspects of the information security process. Terminated employees may use their active credentials to access the system or data for unauthorized activities. Therefore, it is of utmost importance to ensure timely revocation of all access of the terminated employee. The other options are not as effective at preventing this type of situation.

Q. 2

Answer: C. The process owner

Explanation: The responsibility to implement and maintain the required level of security for a specific business application resides with the business process owner. Process owners have thorough knowledge of the business needs and security requirements for the business application for which they are responsible.

Q. 3

Answer: D. Determining the extent of application security required

Explanation: The data owner is responsible for determining the extent of application security required for their data. Data owners have thorough knowledge of the business needs and information security requirements for their systems and processes. The other options are the responsibility of the system administrator.

Q. 4

Answer: D. User awareness training

Explanation: In a phishing attack, an attacker acts as a trusted entity and tries to lure the victim to part with confidential information. The best method to address the risk of phishing is to conduct periodic awareness training with the users. Educating users will help to address the risk of visits to untrusted websites or email links. The other options will not be as effective.

Q. 5

Answer: A. Locally managed file servers

Explanation: The area of most concern will be the locally managed file servers as they are not subject to centralized oversight and monitoring. The other options are subject to close scrutiny and monitoring.

Q. 6

Answer: D. A backup is taken after the data is infected

Explanation: A backup of the infected file will increase the spread of the infected code. It will then become difficult to eradicate the malicious code. The other options do not significantly increase the level of difficulty.

Q. 7

Answer: B. Conducting periodic security awareness programs

Explanation: In a social engineering attack, an attacker acting as a trusted entity lures a victim into opening an email. Security awareness training is the best method to address the risk of social engineering attacks such as phishing. Educating users will help to address the risk of visits to untrusted websites or email links. The other options are secondary aspects.

Q. 8

Answer: B. The system user

Explanation: Change management is the best way to ensure that modifications made to systems do not introduce new security exposures. System users will be in the best position to conduct user acceptance testing and determine whether the change in the system has introduced any new exposure.

Q. 9

Answer: A. The existence of the message is not known

Explanation: Using the steganography technique, secret data is hidden in an ordinary file or image to avoid detection. An ordinary file or image is sent to the recipient along with secret data. For highly confidential data, an organization generally uses this kind of technique to protect the data from any third party. The benefit of using steganographic techniques compared to an encryption technique is that the existence of the message is itself unknown.

A steganographic technique does require a key to view the hidden message, can be sniffed, and does not impact traffic reliability.

Q. 10

Answer: C. Data integrity may be affected

Explanation: Middleware is software that acts as a link between the operating system and applications. It has the capability to provide additional services to applications that are not provided by the operating system. Some examples of functions handled by middleware are data management, application services, messaging, and authentication. The major risk associated with middleware is that data integrity may be adversely affected if the middleware is corrupted. The other options are not relevant.

Practice Question Set 3

Q. 1

Answer: D. Implementing role-based access control

Explanation: RBAC involves granting access on the basis of the role of the staff. Staff are provided access on a need-to-know basis only. This best ensures that no staff member is given excessive access rights. Virtual private networks help with secured connectivity from remote locations. MAC prevents delegation for granting access, but obtaining clearance for temporary employees from higher authorities is time consuming and expensive.

Q. 2

Answer: B. To avoid granting system administration roles

Explanation: Administration rights can entitle temporary staff with unlimited access privileges. Temporary staff should not be assigned any administrative roles that can provide them with privileged rights. Administrative access rights, if misused, can have a huge impact on the organization. The other options are secondary aspects.

Q. 3

Answer: A. Mandatory access control

Explanation: MAC rules are governed by an approved policy. Users or data owners cannot modify the access rules. Mandatory access control helps to control access on the basis of the security classification of the file. This prevents users from sharing files with unauthorized users. The other options are not as effective as MAC for the prevention of file sharing.

Q. 4

Answer: A. Restricting the available drive allocation on all personal computers

Explanation: The most effective method is to restrict the drive allocation. This will prevent any users from allocating a USB drive on their system. Furthermore, a user will also be unable to attach a compact disc writer as this would not be recognized by the operating system. Disabling the USB port may not be practical as mice and other peripherals depend on these ports. Role-based access or periodic training will not be able to prevent users from copying files.

Q. 5

Answer: D. Role-based access control

Explanation: RBAC is a control technique to allow access to only authorized users. In RBAC, access is allowed on a need-to-know basis. RBAC helps to simplify the security administration for large organizations with thousands of users and multiple permissions. Other options will not be as effective as role-based access control.

Q. 6

Answer: B. Implementing role-based access control

Explanation: Role-based access control is considered the most effective method to implement SoD. It requires defining the roles and corresponding access requirements. Access is provided on the basis of the roles. The other options do support the proper implementation of SoD but are not as effective.

Q. 7

Answer: B. Role-based access control

Explanation: RBAC is a control technique that allows access to only authorized users. In RBAC, access is allowed only on a need-to-know basis. RBAC helps to simplify the security administration for large organizations with thousands of users and multiple permissions. Due to administrative convenience, RBAC is considered the most cost-effective method compared to the other options.

Q. 8

Answer: B. Role-based

Explanation: RBAC allows access to authorized users only on a need-to-know basis. RBAC helps to simplify the security administration for large organizations with thousands of users and multiple permissions. The other options are not as effective.

Q. 9

Answer: B. When it ensures that all user activities are uniquely identifiable

Explanation: The main objective of the access control process is to ensure that only authorized users are granted access. To achieve this, it is very important for user activities to be uniquely identifiable for accountability purposes. The other options will have no meaning if users are not individually identifiable.

Q. 10

Answer: C. IT security standard

Explanation: A standard defines the minimum security requirements to be applied for each type of application. A security manager should ensure that access controls are implemented in line with the IT security standards.

Q. 11

Answer: D. Restricting access to data on a need-to-know basis

Explanation: The most effective approach is to provide access to only those employees who are required to access that data for their function. Access should not be allowed to anyone else. The other options are secondary aspects.

Q. 12

Answer: B. Changes in access rules

Explanation: The most common area that exposes the security software to vulnerabilities is access rules. Major vulnerabilities generally occur when access rules are changed as access may be provided to undesirable candidates. The other options do not cause significant exposure.

Q. 13

Answer: D. Degaussing the tape

Explanation: Degaussing (also known as demagnetization) involves gradually increasing the alternating current field from 0 to a maximum value and back to 0, thereby leaving a very low residue of magnetic induction on the media. The other options are not as secure as degaussing the tapes. Multiple overwriting and erasing of the tape is not a foolproof method of removing the data. Burning the tape will physically destroy the tape, so it cannot be reused.

Q. 14

Answer: A. Creating a matrix of work functions

Explanation: RBAC is a control technique that provides access on a need-to-know basis only. This is a simplified approach where a matrix of work functions along with their corresponding access requirements is created. RBAC helps to simplify the security administration for large organizations with thousands of users and multiple permissions. Some components of RBAC, such as role permissions, make it convenient and simple to allow access to authorized users. RBAC does not require a specialized team. The factor of authentication is not relevant to RBAC. Using automated logon scripts for assigning permissions to individual accounts is contrary to the intent of RBAC.
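The matrix of work functions described here, with the segregation-of-duties check that Q. 6 of the previous set says RBAC is best placed to enforce, as an added example that is not part of the original answer key; the roles, permission names and conflicting pairs are constructed for illustration.

```python
"""Role-based access control from a matrix of work functions, with an SoD check.

Added example, not from the answer key. Roles, permissions and conflict pairs
are constructed; in practice they come from the organisation's role design.
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Matrix of work functions (roles) and the permissions each function needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk":    {"vendor.create", "invoice.enter"},
    "ap_approver": {"invoice.approve", "payment.release"},
    "auditor":     {"invoice.read", "payment.read"},
}

# Permission pairs that one person must never hold at the same time (SoD).
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"invoice.enter", "invoice.approve"}),
}


def effective_permissions(roles: Iterable[str]) -> Set[str]:
    """Union of the permissions granted by every role the user holds."""
    perms: Set[str] = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role: {role}")  # fail closed on unknown roles
        perms |= ROLE_PERMISSIONS[role]
    return perms


def is_authorized(user_roles: Iterable[str], permission: str) -> bool:
    """Access decision: the request is allowed only if some role carries the permission."""
    return permission in effective_permissions(user_roles)


def sod_violations(user_roles: Iterable[str]) -> List[Tuple[str, str]]:
    """Conflict pairs fully contained in the user's effective permissions."""
    perms = effective_permissions(user_roles)
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= perms)


def assign_role(assignments: Dict[str, Set[str]], user: str, role: str) -> bool:
    """Grant a role only if the resulting permission set has no SoD conflict.

    Returns True when the role was granted, False when it was refused.
    """
    proposed = assignments.get(user, set()) | {role}
    if sod_violations(proposed):
        return False
    assignments.setdefault(user, set()).add(role)
    return True


if __name__ == "__main__":
    users: Dict[str, Set[str]] = {}
    print(assign_role(users, "alice", "ap_clerk"))      # True
    print(assign_role(users, "alice", "ap_approver"))   # False: would let her enter and approve
    print(sod_violations({"ap_clerk", "ap_approver"}))
```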

Q. 15

Answer: D. Creating awareness of the benefits of data classification

Explanation: The success of the data classification scheme depends on accurate data classification by users, and for that, it is of utmost importance to create user awareness. Data is not classified on the basis of its protection level. In fact, protection levels are decided based on the classification. Data is classified based on its criticality and not on the basis of the possibility of leakage. Data classification does not require the same level of protection for all types of data. The objective of a data classification scheme is to ensure that the appropriate level of protection is provided based on the criticality of data.

Q. 16

Answer: A. To monitor a key risk indicator

Explanation: The difference between logical and physical records indicates the existence of a discrepancy. A discrepancy can be due to any reason. It can indicate piggybacking, sharing of passwords, unauthorized logical access, or any other risks. Hence, this monitoring can serve as a key risk indicator. Tailgating, lapses of the security department, and wrong payments are some of the risks.

Practice Question Set 4

Q. 1

Answer: D. Enforcing a virtual private network (VPN) over the wireless network

Explanation: Deploying a VPN over wireless is the best method to ensure confidentiality. A VPN is used to secure the wireless network. It provides a platform for remote users to get connected to the organization's private network. Deploying a wireless intrusion prevention system would not prevent sniffing of the information. Preventing the broadcast of the service set identifier (SSID) is a good control; however, it does not prevent sniffing of the information. WEP is a compromised protocol.

Q. 2

Answer: A. Virtual private networks

Explanation: A VPN is used to extend a private network through the use of the internet in a secured manner. It provides a platform for remote users to get connected to the organization's private network. To enable a VPN, a virtual point-to-point connection is established using dedicated circuits or tunneling protocols. VPN technology ensures the safeguarding of critical data traveling through the internet.

The other options do not impact the confidentiality of data transmission through the internet.

Q. 3

Answer: A. It ensures secured communication

Explanation: A VPN tunnel helps to hide the IP address and encrypt messages, thereby securing the communication channel. The other options are not relevant for VPN tunneling.

Q. 4

Answer: C. Hide data traveling in the network

Explanation: The objective of a VPN is to hide data from sniffers. A VPN uses data encapsulation or the tunneling method to encrypt the traffic payload for the secure transmission of data.

Q. 5

Answer: B. Data encapsulation

Explanation: A VPN uses data encapsulation or the tunneling method to encrypt the traffic payload for the secure transmission of the data. A VPN is enabled through either IPSec tunnel mode or IPSec transport mode. In IPSec tunnel mode, an entire packet (including the header) is encrypted, whereas in IPSec transport mode, only the data portion is encrypted. Mere data hashing and compression will not ensure data confidentiality. Data diddling is an attack method.

Q. 6

Answer: B. It helps to segregate personal and organizational data while using a remote computer

Explanation: Through VDI, a user can connect to their desktop from a remote location. Users can connect to virtual desktops from any location with any device. In a VDI setup, all processing is done on a host server. Also, data is stored in the host server rather than on the device of the user. It helps to safeguard the data if an endpoint device is lost or compromised.

VDI establishes the segregation of personal and organizational data while using a remote PC. A user cannot download or copy data from a virtual desktop to their PC. This serves as a control against unauthorized copies of business data on a user's PC. Remote data wiping is not possible through VDI. Also, antivirus software is recommended even for a VDI environment.

Practice Question Set 5

Q. 1

Answer: D. A retina scan

Explanation: Among the current biometric identifiers, a retina scan is considered to be the most accurate and reliable identifier with the lowest FAR.

Q. 2

Answer: B. False acceptance rate (FAR)

Explanation: An IS manager should be most concerned about FAR as one of the critical performance indicators. FAR poses the risk of unauthorized access to the systems as unauthorized users are granted access.

Q. 3

Answer: D. Equal error rate

Explanation: To evaluate the overall quantitative performance of a biometric system, it is important to consider the CER or the EER.

Q. 4

Answer: B. A system with the lowest equal error rate

Explanation: EER is the rate at which the FAR is equal to the FRR. A biometric system with the lowest CER or EER is the most effective system. A biometric system with the highest CER or EER is the most ineffective system.

Q. 5

Answer: D. The false acceptance rate

Explanation: The FAR, FRR, and CER are the three main accuracy measures for a biometric control. The other options are more related to performance measures.

Q. 6

Answer: A. The false acceptance rate

Explanation: FAR is the rate of acceptance of unauthorized persons, that is, the rate at which the biometric device provides access to unauthorized people. For critical systems, the FAR should be nil or very low. In cases of a high FAR, the biometric control may not be considered effective. CER is generally used when two systems are compared. In general, the lower the EER value, the higher the accuracy of the biometric system.

Q. 7

Answer: C. Transit data between a biometric device and control server is not encrypted.

Explanation: It is of utmost importance to implement a secured, encrypted tunnel to protect the confidentiality of the biometric data transmitted from the biometric device to the access control system. The other options are not as critical.

Q. 8

Answer: B. The enrollment stage

Explanation: The process of biometric control starts with the enrollment of users, which is followed by storage, verification, identification, and termination. The first step is to get the users enrolled in the device. The enrollment process involves the iterative process of getting the user's sample, extracting the data from the sample, validating the data, and developing a final template that is stored and used subsequently to authenticate the user.

Q. 9

Answer: B. Iris scan

Explanation: Among all the options, an iris scan is the most reliable for authentication. An intruder would find it very difficult to duplicate an iris scan for bypassing the biometric controls. The other options are not as reliable.

Q. 10

Answer: A. A fingerprint scanner

Explanation: Among all the options, the most reliable control is the fingerprint scanner. A fingerprint is a biometric control, which is very difficult to break. It is very difficult for an intruder to duplicate a user's fingerprint. As no two fingerprints are alike (very rare chance), authentication can be done with confidence. The other options are not as reliable.

Q. 11

Answer: D. A replay attack

Explanation: In a replay attack, an attacker makes use of residual biometric characteristics (such as fingerprints left on a biometric device) to gain unauthorized access.

Q. 12

Answer: A. A mimic attack

Explanation: In a mimic attack, an attacker attempts to reproduce fake biometric features of a genuine biometric user, for example, imitating the voice of an enrolled user.

Q. 13

Answer: C. A cryptographic attack

Explanation: In a cryptographic attack, an attacker attempts to obtain information by targeting the algorithm or the encrypted information transmitted between a biometric device and an access control system.

Q. 14

Answer: B. A brute-force attack

Explanation: In a brute-force attack, an attacker sends numerous biometric samples with the objective of making the biometric device malfunction.

Q. 15

Answer: B. Require the enrollment of all users that access the critical server

Explanation: To set up a biometric control, relevant users need to enroll themselves by registration of their biometric features. Choices A and D are incorrect, as the risk of false acceptance as well as the FRR cannot be eliminated completely. Option C is not correct as a biometric reader is not required to be protected by a password.

Q. 16

Answer: A. A high false rejection rate

Explanation: A biometric device can generally be tuned in the following three ways:

High FRR: This is the most stringent access control. Here, the biometric matching criteria are set as extremely high, and in a few cases, even valid users are rejected. However, overall, it provides good protection for critical databases.

High FAR: Here, access control is not rigorous. Biometric matching criteria are set at a low level. Sometimes, even unauthorized users are accepted.

EER: This is a moderate type of access control. Here, the sensitivity is tuned in such a way that the FRR is equal to the FAR, that is, neither high false rejection nor high false acceptance.

Thus, for a critical database, a security manager would always prefer a high FRR, that is, biometric matching criteria being set at a high level.
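The three tunings above worked through on one matcher, as an added example that is not part of the original answer key: it computes FAR and FRR at every candidate threshold and locates the high-FRR, high-FAR and EER operating points. The matcher is assumed to return an integer similarity score from 0 to 100 and to accept a sample at or above a threshold; the genuine and impostor score lists are constructed, not measured data.

```python
"""Tuning a biometric matcher: FAR, FRR and the equal error rate (EER).

Added example, not part of the original answer key. Scores are constructed.
"""
from typing import Dict, Sequence, Tuple

# Constructed scores: genuine = enrolled users, impostor = people not enrolled.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 66, 61, 57, 52]
IMPOSTOR_SCORES = [64, 60, 55, 50, 47, 44, 40, 37, 33, 28, 22, 18]


def far(impostor: Sequence[int], threshold: int) -> float:
    """False acceptance rate: fraction of impostor samples the device accepts."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: Sequence[int], threshold: int) -> float:
    """False rejection rate: fraction of genuine samples the device rejects."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def _candidates(genuine: Sequence[int], impostor: Sequence[int]):
    # Every observed score is a possible threshold; one above the top impostor
    # score is the first threshold that shuts impostors out completely.
    return sorted(set(genuine) | set(impostor) | {max(impostor) + 1})


def high_frr_threshold(genuine: Sequence[int], impostor: Sequence[int]) -> int:
    """Most stringent setting: lowest threshold at which FAR is zero."""
    return min(t for t in _candidates(genuine, impostor) if far(impostor, t) == 0)


def high_far_threshold(genuine: Sequence[int], impostor: Sequence[int]) -> int:
    """Least rigorous setting: highest threshold at which no genuine user is rejected."""
    return max(t for t in _candidates(genuine, impostor) if frr(genuine, t) == 0)


def eer_threshold(genuine: Sequence[int], impostor: Sequence[int]) -> Tuple[int, float]:
    """Moderate setting: threshold where FAR and FRR are closest, and the EER reached there."""
    best = None
    for t in _candidates(genuine, impostor):
        a, r = far(impostor, t), frr(genuine, t)
        if best is None or abs(a - r) < best[0]:
            best = (abs(a - r), t, (a + r) / 2)
    return best[1], best[2]


def report(genuine: Sequence[int] = GENUINE_SCORES,
           impostor: Sequence[int] = IMPOSTOR_SCORES) -> Dict[str, tuple]:
    """Summarise the three tunings the answer key describes for one matcher."""
    strict = high_frr_threshold(genuine, impostor)
    loose = high_far_threshold(genuine, impostor)
    eer_t, eer = eer_threshold(genuine, impostor)
    return {
        "high_frr": (strict, far(impostor, strict), frr(genuine, strict)),
        "high_far": (loose, far(impostor, loose), frr(genuine, loose)),
        "eer": (eer_t, eer),
    }


if __name__ == "__main__":
    for name, values in report().items():
        print(name, values)
```

With these scores the stringent setting (threshold 65) rejects a quarter of genuine users but admits no impostor, which is the trade-off the answer key accepts for a critical database.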

Practice Question Set 6

Q. 1

Answer: D. Two-factor authentication

Explanation: Two-factor authentication is a more secure control as it requires more than one type of authentication. Apart from a password requirement, a user also needs a smart card, a token OTP, or a biometric feature to log on. Biometrics alone is single-factor authentication. Encryption is more relevant to the confidentiality of the information and is not concerned with authentication. Secure sockets layer is used to establish an encrypted link between a browser and a web server and is not relevant to authentication.

Q. 2

Answer: D. Installing an automatic strong password setting

Explanation: Password strength can best be improved by installing an automatic control to allow only strong passwords that include numbers, special characters, and uppercase and lowercase letters. Single sign-on by itself does not ensure a strong password. Conducting a password audit and discussing the password policy are not as effective.

Q. 3

Answer: C. Share passwords through an out-of-band channel

Explanation: Generally, passwords should not be shared through the same channel. It is risky to send passwords to a file by the same channel the file was sent through. Using an out-of-band channel, such as the telephone, reduces the risk of interception. Digital signatures prove the identity of the sender but do not ensure confidentiality. Delivery path tracing helps in the identification of the route used but does not confirm the identity of the sender.

Q. 4

Answer: B. Performing a risk assessment to quantify the risk

Explanation: The most important aspect for the security manager is to determine the impact of non-compliance by conducting a risk assessment. The other options can be determined only after conducting a risk assessment.

Q. 5

Answer: D. Enabling system-enforced password configuration

Explanation: Strong and complex passwords are one of the most important requirements of a password policy. A security manager should also ensure that the password policy is properly implemented. The most effective way to ensure compliance with the password policy is to enable a system-enforced password configuration. The other options are not as effective.

Q. 6

Answer: A. Enabling access through a different device that requires adequate authentication

Explanation: Authentication through a separate device helps prevent unauthorized access as well as sharing of user IDs. It also helps to capture the logs of user access. Neither purchasing multiple devices nor changing passwords after each user is a feasible and cost-effective solution. Analyzing the log will not be effective as there is only one user ID.

Q. 7

Answer: A. It decreases the overall administrative workload

Explanation: Many organizations prefer implementing automatic password synchronization for administrative convenience. Password synchronization facilitates syncing user passwords across different devices, so a user only needs to remember a single password instead of multiple passwords for different devices or machines. Password synchronization facilitates smooth administration of password management as it reduces the workload of resetting many passwords. Password synchronization by itself does not improve the security between multi-tier applications.

Q. 8

Answer: C. To conduct frequent security awareness programs

Explanation: Frequent guidance and awareness training are key factors in promoting the requirement of a password policy. It gradually helps to obtain buy-in from end users. The other options are not as effective.

Practice Question Set 7

Q. 1

Answer: B. Enabling the Wi-Fi Protected Access 2 protocol

Explanation: Currently, the most secure protocol for a wireless network is the WPA2 protocol. MAC filtering is a good practice but it can easily be sniffed with technical tools. WEP is no longer a secure encryption mechanism. Two-factor authentication will not address the issue of network sniffing.

Q. 2

Answer: C. Rogue access points

Explanation: A rogue access point is installed by a hacker on a secured network to gain unauthorized access. It facilitates wireless backdoors for unauthorized users and can bypass the network firewalls and other monitoring devices, exposing a network to attack. Rogue access attacks specifically occur with wireless networks, whereas the other options do not depend on the use of WLAN technology.

Practice Question Set 8

Q. 1

Answer: B. Parameter tampering

Explanation: Unauthorized modification of web application parameters with malicious intent is known as parameter tampering. As the hidden files on the web page are not visible, a developer may feel safe transferring the data without proper validation. This creates a risk as an intruder may intercept the hidden data and modify the parameter for malicious purposes.

Q. 2

Answer: C. IP spoofing

Explanation: In IP spoofing, a forged IP address is used to break a firewall. In this attack, an intruder hides their original identity and acts as someone else. The intruder generally makes use of a spoofed internal IP to get access to a system or some data that is restricted for outside IPs. IP spoofing can be considered masquerading by a machine.

Q. 3

Answer: A. A DDoS attack

Explanation: In a DDoS attack, a network or system is flooded with an enormous amount of traffic with the objective to shut it down. DDoS is considered a significant risk for a VoIP infrastructure. Premium rate fraud occurs when a phone system is compromised and used for making long-distance calls. Juice jacking and social engineering do not have any direct impact on VoIP infrastructure.

Q. 4

Answer: A. Privilege escalation

Explanation: In a privilege escalation attack, high-level system authority is obtained by some unauthorized methods by exploiting security flaws. In this example, a security flaw in the task scheduler is exploited by the employee to gain unauthorized access to restricted applications.

Q. 5

Answer: C. Social engineering

Explanation: In a social engineering attack, an attempt is made to obtain sensitive information from users by tricking and manipulating them. In a social engineering attack, an attacker does not require any tools and techniques to obtain information. Social engineering is generally conducted through dialogue, an interview, an inquiry, and other social methods of interaction.

Q. 6

Answer: C. Providing security awareness training

Explanation: The objective of a social engineering attack is to exploit human nature and its weaknesses for obtaining critical and sensitive information. With adequate and effective security awareness training, the impact of social engineering attacks can be minimized. The other options will not help to directly address the impact of social engineering attacks.

Q. 7

Answer: C. Shoulder surfing

Explanation: In a shoulder surfing attack, an intruder or a camera captures sensitive information by looking over the shoulder of a user entering details on a computer screen. Passwords entered on a computer screen should be masked to prevent shoulder surfing attacks.

Q. 8

Answer: B. Piggybacking

Explanation: In this type of attack, an intruder follows an authorized person through a secured door and gains entry to a restricted area without authentication. Piggybacking is considered a physical security vulnerability.

Q. 9

Answer: B. Data diddling

Explanation: In a data diddling attack, data is modified as it enters into a computer system. This attack is generally carried out by a data entry clerk or a computer virus. Data is altered before computer security can protect the data. Very limited technical knowledge is required for data diddling. There are no preventive controls for data diddling, so organizations need to rely on compensatory controls.

Q. 10

Answer: A. Traffic analysis

Explanation: Passive attacks are types of attacks in which information is only collected but not modified, inserted, or deleted in an active way. Examples of passive attacks include traffic analysis, network analysis, and eavesdropping. The other options are examples of active attacks.

Q. 11

Answer: C. Help an intruder gain unauthorized access to the system

Explanation: In a password sniffing attack, tools are used to listen to all the traffic in the network and to build data streams out of TCP/IP packets to extract usernames and passwords. These tools are known as password sniffers. This password is then used to gain unauthorized access to the system.

Q. 12

Answer: A. Wardriving

Explanation: Wardriving is a technique for locating and getting access to a wireless network with the use of specialized tools. An intruder drives around the building to identify unsecured networks. The same technique is used by information security auditors to identify unsecured networks and thereby test the wireless security of an organization. A similar technique is warwalking; the principle is the same but no vehicle is used.

Q. 13

Answer: C. Botnets

Explanation: A botnet is a network of zombie computers controlled by an intruder. Botnets can be used to execute DDoS, spam, and other types of attacks.

Q. 14

Answer: B. Wardriving

Explanation: Wardriving is a technique to exploit the weaknesses of a wireless infrastructure. It is used to locate and gain access to a wireless network with the use of specialized tools, such as wireless Ethernet cards. An intruder drives around a building to identify unsecured networks.

Q. 15

Answer: D. A replay attack

Explanation: In a replay attack, an attacker makes use of residual biometric characteristics (such as fingerprints left on a biometric device) to gain unauthorized access.

Q. 16

Answer: B. Man in the middle

Explanation: In this attack, an attacker interferes while two devices are establishing a connection. If any device asks for authentication, the attacker sends the request to the other device and then forwards the response to the first device. Once a connection is established, the attacker can communicate and obtain information as needed, thus circumventing two-factor authentication.

Q. 17

Answer: C. Buffer overflow

Explanation: Buffer overflow, also known as buffer overrun, is the most common software coding error that can be exploited by an attacker to gain unauthorized access to a system. Buffer overflow occurs when more data is fed into the buffer than it can handle. Excess data overflows to adjacent storage.

Due to this, an attacker gets the opportunity to manipulate coding errors for malicious actions. A major cause of buffer overflow is poor programming and coding practices.

Q. 18

Answer: B. Phishing

Explanation: A URL shortening service converts long URLs (web addresses) into shorter versions. A hacker attempts to fool users by using URL shortening services for the creation of a URL resembling some genuine website. This is done to spread malicious software or collect sensitive data through phishing.

Q. 19

Answer: B. Judgmental error

Explanation: Social engineering succeeds due to judgmental errors on the part of employees who provide sensitive information to the intruder. The intruder builds a level of trust with the user/employee and takes advantage.

Q. 20

Answer: C. Traffic analysis

Explanation: In traffic analysis, an intruder attempts to capture and analyze the nature of traffic flow between hosts, the frequency of messages, the length of messages, session length, and other relevant information. Through all this information, the intruder attempts to understand and guess the type of communication. This is typically done when messages are encrypted.

Revision Questions

Q.1

Answer: A. Security awareness training

Explanation: Dumpster diving is a technique in which an intruder attempts to gather sensitive information from bins and other areas where documents are not properly discarded. Users should be appropriately trained on discarding sensitive information. In the absence of security awareness training, the other options may not be effective to prevent dumpster diving.

Q.2

Answer: C. Two-factor authentication

Explanation: Two-factor authentication requires an individual to authenticate themselves twice, which reduces the risk of successful masquerading. It provides additional security over and above passwords alone. The other options are not relevant for authentication and access to a corporate network.

Q.3

Answer: C. Encryption

Explanation: Data communication from a card to a POS device should be encrypted to protect the confidentiality of the data. Strong encryption should be used to protect the cardholder's data. The other options will not prevent the reading of data by an intruder.

Q.4

Answer: A. An intrusion prevention system

Explanation: In a SQL injection attack, a SQL query is injected or inserted in the input field of an application. By entering some command in the data entry field of a web page, the hacker tries to bypass the authentication requirements. SQL injection attacks occur at the application layer. Most intrusion prevention systems will detect at least basic sets of SQL injection and will be able to stop them. The other options will not be as effective.

Q.5

Answer: B. Establishing a connection through an IPv6 security virtual private network

Explanation: IPv6 security is resilient to man-in-the-middle attacks. It includes source and destination IPs within encrypted portions and hence effectively prevents man-in-the-middle attacks. The other options are not effective for preventing this kind of attack.

Q.6

Answer: C. Awareness training

Explanation: Piggybacking/tailgating is the act wherein an intruder follows authorized users and enters a restricted area. The best method to prevent such an act is to provide training to all authorized users to be careful while entering the premises. Authorized users should challenge such intruders.

Q.7

Answer: B. Structured query language injection

Explanation: In a SQL injection attack, an SQL query is injected or inserted in the input field of the application. By entering some command in the data entry field of the web page, the hacker tries to bypass the authentication requirements. After gaining access, an intruder can read confidential data, modify the database by updating or deleting data, or execute the administration operations on the database. The best way to prevent a SQL injection attack is to implement input controls so that any programming commands can be rejected. The other options, though areas of weakness, will not bypass the authentication requirement.
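The injectable login check beside the hardened one, as an added example that is not part of the original answer key: the first builds the query from the input, so a quote in the username changes the query text; the second applies an input control (an allow-list on the username) and a parameterized query, which keeps the input as data. The users table, credentials and sample inputs are constructed, and SHA-256 stands in for a proper salted password hash only to keep the example short.

```python
"""Authentication lookup: string-built SQL (injectable) beside the hardened form.

Added example, not from the answer key. Table, credentials and inputs are
constructed; use a salted password hash (scrypt, argon2) in real code.
"""
import hashlib
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")  # input control: allow-list for usernames


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    con.execute("INSERT INTO users VALUES ('alice', ?)", (_hash("correct horse"),))
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str) -> bool:
    """The defect the answer key describes: user input is pasted into the query text."""
    sql = (f"SELECT 1 FROM users WHERE name = '{name}' "
           f"AND pw_hash = '{_hash(password)}'")
    return con.execute(sql).fetchone() is not None


def login_hardened(con: sqlite3.Connection, name: str, password: str) -> bool:
    """Input control plus placeholders: quotes or SQL in the input cannot alter the query."""
    if not USERNAME_RE.fullmatch(name):
        return False  # reject anything that is not a plain username
    sql = "SELECT 1 FROM users WHERE name = ? AND pw_hash = ?"
    return con.execute(sql, (name, _hash(password))).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed input: a quote ends the string and "--" comments out the password check.
    probe = "alice' --"
    print("vulnerable:", login_vulnerable(db, probe, "wrong"))   # True: check bypassed
    print("hardened:  ", login_hardened(db, probe, "wrong"))     # False: input rejected
```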

Q.8

Answer: C. Cleartext authentication

Explanation: The objective of SNMP is to monitor network behavior. SNMP collects and organizes information about managed devices on a network. SNMP is also used to change the device's behavior. Devices such as routers, modems, switches, servers, printers, and workstations support SNMP.

One of the security-related vulnerabilities of the use of SNMP is that it uses cleartext passwords for authentication. Such passwords can easily be sniffed and reused.

Q.9

Answer: D. Enabling system lockouts after multiple wrong attempts

Explanation: In a brute-force attack, an intruder uses trial and error to determine the password of a user. The intruder uses multiple passwords with the hope of finding the correct password. Many software programs are available to execute brute-force attacks. The best way to control a brute-force attack is to enable system lockout when multiple wrong attempts are detected. Generally, three attempts are allowed, and the system is locked out on the fourth wrong attempt.
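The lockout rule stated above as working code, as an added example that is not part of the original answer key: three wrong attempts are tolerated, the fourth wrong attempt locks the account, and a locked account refuses even the correct password until an administrator unlocks it. The user store and passwords are constructed.

```python
"""Account lockout after repeated wrong passwords.

Added example, not from the answer key. Credentials are constructed; a real
system would check a salted hash rather than a stored password.
"""
import hmac
from typing import Dict, Set

MAX_FAILURES = 3  # three wrong attempts allowed; the fourth locks the account


class LockoutAuthenticator:
    def __init__(self, secrets: Dict[str, str]) -> None:
        self._secrets = secrets                  # constructed: username -> password
        self._failures: Dict[str, int] = {}
        self._locked: Set[str] = set()

    def is_locked(self, user: str) -> bool:
        return user in self._locked

    def login(self, user: str, password: str) -> str:
        """Return "ok", "denied" or "locked"."""
        if user in self._locked:
            return "locked"  # a correct password is refused too once locked
        expected = self._secrets.get(user)
        # Constant-time comparison; unknown users fall through to the failure path.
        if expected is not None and hmac.compare_digest(expected, password):
            self._failures[user] = 0  # a success resets the counter
            return "ok"
        failures = self._failures.get(user, 0) + 1
        self._failures[user] = failures
        if failures > MAX_FAILURES:
            self._locked.add(user)
            return "locked"
        return "denied"

    def unlock(self, user: str) -> None:
        """Help-desk or administrator action after identity has been verified."""
        self._locked.discard(user)
        self._failures[user] = 0


if __name__ == "__main__":
    auth = LockoutAuthenticator({"bob": "s3cret-pass"})
    for attempt in range(4):
        print(attempt + 1, auth.login("bob", "guess"))   # denied x3, then locked
    print("correct after lockout:", auth.login("bob", "s3cret-pass"))  # locked
```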

Chapter 8: Information Security Monitoring Tools and Techniques

Practice Question Set 1

Q. 1

Answer: B. The rule to deny all traffic by default and permit only specific traffic

Explanation: From the preceding options, the most robust firewall configuration is to deny all traffic by default and permit only specific traffic. This is the most effective method to prevent unknown traffic from entering the organization's network.

Q. 2

Answer: A. The network layer of the OSI

Explanation: A CISM aspirant should note that packet filtering and stateful inspection operate at the network layer (3rd layer). The circuit level operates at the session layer (5th layer) and the application-level firewall operates at the application layer (7th layer).

Q. 3

Answer: B. A screened subnet firewall

Explanation: A screened subnet firewall (DMZ) is regarded as the safest type of firewall implementation. A screened subnet firewall includes two packet filtering routers and one bastion host. A screened subnet firewall acts as a proxy and does not allow direct communication between external and internal networks. A DMZ and a screened subnet firewall function in the same way. It must be noted that in a screened subnet firewall, there are two packet filtering routers, and in a screened host firewall, there is only one packet filtering firewall.

Q. 4

Answer: C. Application gateway

Explanation: An application-level firewall is considered the most secure type of firewall. It functions at the highest level of the OSI model, that is, the application layer. It also works on the concept of bastion hosts and proxy servers but provides a separate proxy for each service. It controls applications such as FTP and HTTP. Application firewalls function at the application layer of the OSI, whereas circuit gateways function at the session layer. Application gateways operate in a more granular way compared to other firewalls.

Q. 5

Answer: A. A screened subnet firewall

Explanation: A screened subnet firewall (DMZ) is regarded as the safest kind of firewall implementation. A screened subnet firewall includes two packet filtering routers. It also has one bastion host. A screened subnet firewall acts as a proxy and does not allow direct communication between external and internal networks. A DMZ and a screened subnet firewall function in the same way. It must be noted that in a screened subnet firewall, there are two packet filtering routers, and in a screened host firewall, there is only one packet filtering firewall.

Q. 6

Answer: B. A stateful inspection firewall

Explanation: A stateful inspection firewall monitors and tracks the destination of each packet that is sent from the internal network. It ensures that the incoming message is in response to the request that went out from the internal network. A stateful inspection firewall functions at the network layer of the OSI.
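A small packet-filter model combining the deny-by-default posture from Q. 1 with the reply tracking described here, as an added example that is not part of the original answer key: outbound sessions permitted by a rule are recorded, only inbound packets that answer a recorded session are let back in, and anything no rule matches is dropped. Packets, rules and addresses are constructed, and the model ignores protocol and TCP flags.

```python
"""Default-deny packet filter with a stateful reply table.

Added example, not from the answer key. Addresses, ports and rules are
constructed; the model tracks only 4-tuples, not protocol or TCP state.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

INTERNAL_PREFIX = "10.0.0."  # constructed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "out" (from internal network) or "in" (from the internet)


@dataclass(frozen=True)
class Rule:
    direction: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"


class StatefulFirewall:
    def __init__(self, rules: Iterable[Rule], default: str = "deny") -> None:
        self.rules: List[Rule] = list(rules)
        self.default = default  # "deny" is the configuration the answer key recommends
        # Recorded outbound sessions: (internal ip, internal port, external ip, external port)
        self.state: Set[Tuple[str, int, str, int]] = set()

    def evaluate(self, pkt: Packet) -> str:
        # 1. Inbound packets that answer a recorded outbound session are allowed.
        if pkt.direction == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "permit"
        # 2. First matching rule decides; permitted outbound sessions are recorded.
        for rule in self.rules:
            if rule.direction != pkt.direction:
                continue
            if rule.dport is not None and rule.dport != pkt.dport:
                continue
            if (rule.action == "permit" and pkt.direction == "out"
                    and pkt.src.startswith(INTERNAL_PREFIX)):
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return rule.action
        # 3. Nothing matched: fall back to the default.
        return self.default


RULES = [
    Rule("out", 443, "permit"),  # browsing
    Rule("out", 53, "permit"),   # DNS
    Rule("in", 25, "permit"),    # mail server in the DMZ
]

if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    req = Packet("10.0.0.5", "203.0.113.9", 51000, 443, "out")
    reply = Packet("203.0.113.9", "10.0.0.5", 443, 51000, "in")
    stray = Packet("203.0.113.9", "10.0.0.5", 443, 51001, "in")
    print(fw.evaluate(req), fw.evaluate(reply), fw.evaluate(stray))  # permit permit deny
```

Constructing the same firewall with default="permit" shows the weaker configuration: an unmatched outbound telnet packet is then allowed through, whereas the default-deny instance drops it.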

Q. 7

Answer: B. An application gateway firewall

Explanation: An application-level firewall is regarded as the most secure type of firewall. It functions at the application layer of the OSI model. It also works on the concept of bastion hosts and proxy servers but provides a separate proxy for each service. It controls applications such as FTP and HTTP. An application firewall operates at the application layer of the OSI, whereas a circuit gateway operates at the session layer. An application gateway operates in a more granular way compared to other firewalls.

Q. 8

Answer: C. An application-level gateway

Explanation: An application-level gateway or firewall is regarded as the most secure type of firewall. It functions at the application layer of the OSI model. It also works on the concept of bastion hosts and proxy servers but provides a separate proxy for each service. It controls applications such as FTP and HTTP. An application firewall operates at the application layer of the OSI, whereas circuit gateways operate at the session layer. An application gateway operates in a more granular way compared to other firewalls.

Q. 9

Answer: C. The effectiveness of the firewall in enforcing compliance with the information security policy

Explanation: If a firewall is unable to enforce the requirements of the security policy, then it is a major loophole. The availability of a good security policy is important, but it will be of little value if it is not effectively implemented. The other options are not as significant.

Q. 10

Answer: A. Incorrect configuration of the access lists

Explanation: An accurate update of the current access list is a major challenge faced by most organizations. Hence, the wrong configuration of an access list is the most common type of error while setting up a firewall configuration. The other options are not relevant to firewall configuration.

Q. 11

Answer: A. Developing a security policy

Explanation: A security policy is the basis on which firewall rules are configured. In the absence of a security policy, firewall rules will be ad hoc and may not support the objectives of the organization. The other options are subsequent steps.

Q. 12

Answer: C. Connecting authorized users to a trusted network

Explanation: The prime function of a firewall is to connect authorized users to a trusted network, thereby preventing unauthorized access to the server. The other options are secondary factors.

Q. 13

Answer: D. The implementation of the firewall above a commercial operating system with all installation options enabled

Explanation: A firewall installed on top of a general-purpose commercial operating system with every installation option enabled inherits that operating system's full attack surface: unneeded services, default accounts, and packages that may carry vulnerabilities, any of which can be used to compromise the firewall itself. A firewall should run on a hardened host with the minimum set of services installed. The other options are not as significant.

Q. 14

Answer: D. To conduct a review of the parameter settings

Explanation: A review of the parameter settings (the rule base and the configuration options) shows the configuration that is actually in force. This can then be compared with the requirements of the security policy to find rules that are missing, too permissive, or out of order. The other options are not as significant.
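The three answers above (Q. 10 on misconfigured access lists, Q. 11 on the policy as the basis for the rules, and Q. 14 on reviewing the parameter settings) come together in the following added example, which is not part of the book. It models a packet filter's access list in Python, shows how a broad rule placed too early shadows the rules beneath it, and compares the configured rules against packets that the policy says must be allowed or denied. The addresses, rule sets and policy are constructed for the illustration.

```python
"""Top-down access-list evaluation, shadowed-rule detection and a policy audit.

Added example, not from the book. A packet filter evaluates its access list
top down and the first matching rule wins, so a misplaced broad rule silently
widens access and hides the rules below it. The rule sets, the policy and the
test packets are constructed for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _covers(outer: str, inner: str) -> bool:
    """True if every address in `inner` is also in `outer` ("any" covers all)."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    o = ipaddress.ip_network(outer, strict=False)
    i = ipaddress.ip_network(inner, strict=False)
    return o.network_address <= i.network_address and o.broadcast_address >= i.broadcast_address


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None means any destination port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and _covers(self.src, src_ip)
                and _covers(self.dst, dst_ip)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is already matched by self."""
        return (self.proto in ("any", other.proto)
                and _covers(self.src, other.src)
                and _covers(self.dst, other.dst)
                and (self.dport is None or self.dport == other.dport))


def evaluate(rules, proto, src_ip, dst_ip, dport) -> str:
    """First match wins; an implicit deny applies when nothing matches."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return "deny"


def shadowed_rules(rules):
    """Return (index, shadowed_by) for rules that can never be reached."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].covers(later):
                found.append((j, i))
                break
    return found


def audit(rules, expectations):
    """Compare the configured rules with what the policy requires.
    `expectations` is a list of ((proto, src, dst, dport), expected_action);
    the result lists the packets whose actual decision differs from policy."""
    mismatches = []
    for packet, expected in expectations:
        actual = evaluate(rules, *packet)
        if actual != expected:
            mismatches.append((packet, expected, actual))
    return mismatches


# Policy (constructed): the internet may reach the DMZ web server
# 203.0.113.10 on tcp/443 and nothing else in 203.0.113.0/24.
EXPECTATIONS = [
    (("tcp", "198.51.100.7", "203.0.113.10", 443), "allow"),
    (("tcp", "198.51.100.7", "203.0.113.10", 22), "deny"),
    (("udp", "198.51.100.7", "203.0.113.10", 53), "deny"),
    (("tcp", "198.51.100.7", "203.0.113.20", 80), "deny"),
]

# A misconfigured access list: the broad rule was placed first, so the two
# specific rules below it are shadowed and ssh to the web server gets through.
RULES_BAD = [
    Rule("allow", "tcp", "any", "203.0.113.0/24", None),
    Rule("deny", "tcp", "any", "203.0.113.10/32", 22),
    Rule("allow", "tcp", "any", "203.0.113.10/32", 443),
]

# The corrected list: the specific allow first, then an explicit deny-all.
RULES_GOOD = [
    Rule("allow", "tcp", "any", "203.0.113.10/32", 443),
    Rule("deny", "any", "any", "any", None),
]

if __name__ == "__main__":
    print("shadowed in RULES_BAD:", shadowed_rules(RULES_BAD))
    print("policy mismatches in RULES_BAD:", audit(RULES_BAD, EXPECTATIONS))
    print("policy mismatches in RULES_GOOD:", audit(RULES_GOOD, EXPECTATIONS))
```

Running the script reports rules 1 and 2 of RULES_BAD as shadowed by rule 0 and two policy mismatches (ssh to the web server and HTTP to another DMZ host both get through), while RULES_GOOD produces none. The audit is the programmatic form of the Q. 14 review: the expectations are derived from the policy, the rules are what is actually configured, and any difference is a finding.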

Q. 15

Answer: A. Unauthorized attempts to access the network outside the organization

Explanation: The primary function of a firewall is to protect the network from unauthorized access attempts originating outside the organization. The other options are not objectives of implementing a firewall.

Q. 16

Answer: C. To allow traffic load balancing

Explanation: Two parallel firewalls with two separate entry points are useful for traffic load balancing. Multi-level defense is established only if firewalls are installed in series, that is, one behind the other. Firewalls deployed in parallel provide concurrent paths for compromise and do not provide multi-layer defense. Both firewalls are connected to the same DMZ, so the arrangement cannot separate the test and production environments. Firewalls generally cannot by themselves control denial of service (DoS) risks.

Q. 17

Answer: C. On a screened subnet

Explanation: Servers that must be reachable from the internet (extranet and public web servers, for example) are placed on a screened subnet, the demilitarized zone (DMZ), because it is separated from the internal servers and is properly hardened. Placing the server in front of the firewall or outside the router would leave it defenseless. A firewall should run on a hardened host with the minimum set of services enabled; it is not recommended to place anything else on the firewall host.

Q. 18

Answer: C. On a screened subnet

Explanation: Generally, the IDS is placed on the screened subnet, which is the DMZ, separated from the internal servers and properly hardened. Placing the IDS in front of the firewall or outside the router is not recommended: it would generate alerts for all malicious traffic even though the majority of that traffic is blocked by the firewall and never reaches the internal network. A firewall should run on a hardened host with the minimum set of services enabled; it is not recommended to place anything else, the IDS included, on the firewall host.

Q. 19

Answer: D. On the domain boundary

Explanation: A firewall should be placed on a domain boundary so that it can monitor and control all incoming and outgoing traffic. It should run on a hardened host with the minimum set of services enabled. It is not recommended to place a firewall alongside other services such as an IDS, a database, or a web server, since a compromise of any of those would also compromise the firewall.

Q. 20

Answer: C. To conduct penetration testing at frequent intervals

Explanation: The most effective way to ensure that firewall rules are adequate is to conduct penetration testing periodically. Gaps identified during the penetration test should be addressed immediately. This will help to improve the security posture of the organization. The other options are not as effective as penetration testing.

Practice Question Set 2

Q. 1

Answer: A. A neural network-based IDS

Explanation: A neural network-based IDS works on the same principle as a statistical-based IDS. However, it has the advanced functionality of self-learning. The neural network keeps updating its database by monitoring the general patterns of activity.

Q. 2

Answer: B. The sensor

Explanation: The function of the sensor is to collect data. Data may be in the form of IP packets, log files, and so on. The function of an analyzer is to analyze the data and determine whether there is any intrusive activity. The administration console helps the administrator control and monitor IDS rules and functions. The user interface helps the user view the results and carry out any required tasks.

Q. 3

Answer: B. A statistical-based IDS

Explanation: A statistical-based IDS attempts to identify abnormal behavior by comparing current activity against a statistical baseline of normal behavior. Any deviation from the baseline is flagged as an intrusion. For example, if the normal logon hours are between 7 A.M. and 5 P.M. and a logon is detected at 11 P.M., the IDS raises it as an intrusion even if it is a legitimate user working late. Therefore, a statistical-based IDS generates the most false positives of all the types of IDS.

Q. 4

Answer B. Being unable to identify intrusions

Explanation: The area of most concern is if the IDS is unable to identify and detect intrusions. This defeats the core purpose of installing the IDS. Attacks will go unnoticed if not identified by the IDS and hence no corrective and preventive action can be taken for such attacks. The number of false alarms is not as significant. Options C and D are not areas of concern.

Q. 5

Answer: B. Between the firewall and the internal network

Explanation: An IDS installed between the firewall and the internal network sees only the traffic that the firewall has already let through, so it detects exactly the attempts that bypass the firewall rules and reach the internal network, without being swamped by alerts for traffic the firewall blocks anyway. An IDS installed between the firewall and the external network would see every intrusion attempt, whether or not the packets would have passed the firewall.

Q. 6

Answer: A. Collecting evidence on intrusive activities

Explanation: An IDS helps to monitor a network (network-based IDS) or a single system (host-based IDS) with the objective of recognizing and detecting any intrusions. The function of an IDS is to analyze the data and determine the presence of intrusive activities. IDSs do not have features to achieve the other options.

Q. 7

Answer: C. False positives

Explanation: The identification of false positives is a routine and frequent issue in the implementation of an IDS. IDSs operate on the basis of policy definitions. Any weakness in the policy definitions weakens the function of the IDS. False acceptance rates and false rejection rates are associated with biometric implementation. A DDoS is a type of attack and is not an issue with the operations of an IDS.

Q. 8

Answer: D. An intrusion detection system

Explanation: An IDS identifies intrusive activity either by matching traffic against known attack signatures or by flagging statistical deviations from a baseline of normal behavior; abnormal activity is raised as an alert. Hubs and switches connect hosts on a local network and do not inspect traffic for intrusions. A packet filter is a type of firewall that permits or drops traffic according to header-based rules; it does not detect abnormal behavior.

Q. 9

Answer: C. Monitoring of unsuccessful logon attempts

Explanation: The most important control to identify and detect intrusions is to actively monitor unsuccessful logon attempts. The other options will not directly help detect an intrusion.

Q. 10

Answer: A. Many false alarms generated by a statistical-based IDS

Explanation: A high number of false alarms indicates that the IDS configuration needs further tuning. The major impact of a poorly configured IDS falls on the business processes or systems that are shut down because of false alarms, which can adversely affect business profitability. An IDS cannot inspect encrypted traffic; this can be compensated for by a next-generation firewall that inspects the decrypted sessions. The other options are not as significant as critical services and systems being blocked because of false alarms.

Q. 11

Answer: C. A neural network monitors the general patterns of activity and creates a database, addressing complex problems involving input variables from different sources.

Explanation: A neural network-based IDS works on the same principle as a statistical-based IDS. However, it has the advanced functionality of self-learning. Neural networks keep updating their database by monitoring the general patterns of activity. A neural network is the most effective at addressing problems that can only be solved by analyzing a large number of input variables.

Q. 12

Answer: A. In a DMZ

Explanation: Public-facing websites are placed in a DMZ to safeguard the internal network from external attacks. An IDS should be placed in the same DMZ. The IDS would monitor the network traffic to detect any intrusions. A network-based IDS would not be installed on a web server, unlike a host-based IDS. Placing the IDS outside the firewall would not be helpful in specifically protecting the website. Placing an IDS in the internal network is good to ensure that the website is not prone to internal attacks; however, the IDS would normally be placed in a DMZ.

Q. 13

Answer: D. A host-based intrusion prevention system

Explanation: The most viable option is to install a host-based IPS. A host-based IPS blocks activities on the host computer or server, such as the deletion of files, the modification of programs, or the installation of a rootkit. A network-based IDS can detect irregular traffic, but if its signatures are not up to date or the traffic is encrypted, that traffic may pass the IDS unnoticed. Regular OS patching addresses vulnerabilities, but a host-based IPS is more effective in preventing an unauthorized installation. A packet filtering firewall cannot stop the rootkit when the traffic arrives from a permitted source address and port.

Q. 14

Answer: A. A honeypot

Explanation: A honeypot is a decoy system set up to attract hackers and intruders. The purpose of setting up a honeypot is to capture the details of intruders in order to proactively strengthen security controls.

Q. 15

Answer: A. An intrusion prevention system

Explanation: An IPS not only detects intrusion attempts but also blocks them, limiting the impact of the attack. An IDS only monitors, records, and raises alarms about intrusive activities, whereas an IPS also prevents them. Routers and switches forward traffic; they do not detect or prevent intrusions.

Q. 16

Answer: A. To capture information

Explanation: The first step that an intruder takes is to capture and gather relevant information about the target environment. Based on this information, they attempt various techniques to gain access and once the objective is accomplished, they try to eliminate the evidence.

Q. 17

Answer: D. An intrusion detection system

Explanation: A network-based IDS is considered the next line of defense after a firewall. It monitors, records, and raises alarms about intrusive activity that gets past the firewall. An IDS has more capability to identify abnormal network traffic than antimalware software, which looks for malicious code on hosts. Routers and switches forward traffic; they do not detect intrusions.

Q. 18

Answer: B. Critical services or systems are blocked due to false alarms

Explanation: The major impact of a poorly configured IPS would be on the business processes or systems that are blocked due to false alarms. This can have an adverse impact on business profitability. The other options are not as significant.

Q. 19

Answer: A. Tuning

Explanation: Tuning is the most important element for the successful implementation of an IDS. It is the process of adjusting the criteria to determine abnormal behavior. If the criteria are not properly tuned, the IDS may generate false alarms or fail to identify actual abnormalities. A patch update is more related to the OS. Logging and change management are not as relevant as tuning.

Q. 20

Answer: C. Generate false alarms from different users or system actions

Explanation: A statistical-based IDS attempts to identify abnormal behavior by comparing current activity against a statistical baseline of normal behavior. Any deviation from the baseline is flagged as an intrusion. For example, if normal logon hours are between 7 A.M. and 5 P.M. and a logon happens at 11 P.M., the IDS raises it as an intrusion even if it is a legitimate user working late. A statistical-based IDS therefore generates more false alarms than the other types of IDS. It is capable of identifying a new attack, whereas a signature-based IDS cannot detect a new type of attack. Statistical-based IDSs may be more expensive and may require specialized staff; however, the more important aspect is the false alarms.
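The statistical detection described in Q. 3 and Q. 20, the monitoring of unsuccessful logons in Q. 9, and the tuning problem in Q. 19 can be made concrete with the following added Python example, which is not from the book. It runs a threshold rule for failed logons (the signature-style check) and an hour-of-day baseline (the statistical check) over constructed sshd-style log lines; the hosts, users and timestamps are invented for the illustration.

```python
"""Two IDS detection strategies over sample authentication log lines.

Added example, not from the book: a threshold rule on unsuccessful logons
(a signature-style check) beside a statistical baseline that flags logons
outside the hours at which a user is normally seen. The log lines are
constructed for the illustration; the format mimics OpenSSH syslog messages,
but the hosts, users and timestamps are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$")


def parse_line(line: str):
    """Return a dict for a recognised sshd line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def parse_log(text: str):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Threshold rule: `threshold` failed logons from one source within a
    sliding `window`. Returns [(src, failures_when_triggered)]."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["src"]].append(ev["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((src, end - start + 1))
                break                      # one alert per source is enough
    return alerts


def learn_hours(events):
    """Statistical baseline: earliest and latest hour of day at which each
    user was seen logging on successfully in the training data."""
    baseline = {}
    for ev in events:
        if ev["result"] == "Accepted":
            h = ev["ts"].hour
            lo, hi = baseline.get(ev["user"], (h, h))
            baseline[ev["user"]] = (min(lo, h), max(hi, h))
    return baseline


def detect_off_hours(events, baseline):
    """Flag successful logons outside the learned window or by an unknown
    user. Each hit needs triage: a user working late is not an intrusion,
    and a baseline that is too narrow is what tuning is meant to fix."""
    hits = []
    for ev in events:
        if ev["result"] != "Accepted":
            continue
        lo_hi = baseline.get(ev["user"])
        if lo_hi is None or not (lo_hi[0] <= ev["ts"].hour <= lo_hi[1]):
            hits.append((ev["user"], ev["ts"].hour))
    return hits


# Constructed training data: one ordinary working day.
TRAINING_LOG = """\
2024-03-04T08:02:11 sshd[1001]: Accepted password for alice from 10.0.0.8 port 50211
2024-03-04T17:05:09 sshd[1003]: Accepted password for alice from 10.0.0.8 port 50901
2024-03-04T09:15:00 sshd[1004]: Accepted password for bob from 10.0.0.9 port 41022
2024-03-04T16:48:33 sshd[1005]: Accepted password for bob from 10.0.0.9 port 41950
"""

# Constructed live data: a password-guessing burst from one external address,
# one stray failure from bob, and alice logging on at 23:10.
LIVE_LOG = """\
2024-03-05T02:14:01 sshd[1402]: Failed password for admin from 203.0.113.5 port 51022
2024-03-05T02:14:04 sshd[1403]: Failed password for admin from 203.0.113.5 port 51023
2024-03-05T02:14:08 sshd[1404]: Failed password for root from 203.0.113.5 port 51024
2024-03-05T02:14:11 sshd[1405]: Failed password for root from 203.0.113.5 port 51025
2024-03-05T02:14:15 sshd[1406]: Failed password for admin from 203.0.113.5 port 51026
2024-03-05T02:14:20 sshd[1407]: Failed password for admin from 203.0.113.5 port 51027
2024-03-05T10:00:12 sshd[1410]: Accepted password for bob from 10.0.0.9 port 42001
2024-03-05T10:03:40 sshd[1411]: Failed password for bob from 10.0.0.9 port 42002
2024-03-05T23:10:05 sshd[1420]: Accepted password for alice from 10.0.0.8 port 50999
"""


def run():
    """Return (brute-force alerts, off-hours hits) for the live log."""
    live = parse_log(LIVE_LOG)
    return detect_bruteforce(live), detect_off_hours(live, learn_hours(parse_log(TRAINING_LOG)))


if __name__ == "__main__":
    print(run())
```

The threshold rule fires on the external address after the fifth failure inside a minute and ignores bob's single mistyped password; the baseline rule flags alice's 23:10 logon, which is precisely the 11 P.M. case in Q. 3 and Q. 20 and may well be a false positive. Widening the learned window, or requiring a second indicator before alerting, is the tuning Q. 19 refers to.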

Practice Question Set 3

Q. 1

Answer: B. To ensure the integrity of the message

Explanation: A digital signature is used to validate the integrity, authentication, and non-repudiation of messages. However, it does not ensure message confidentiality. A digital signature includes an encrypted hash value of the message. This hash value would change if the message was subsequently altered, thus indicating that an alteration has occurred. Hence, it helps to ensure message integrity. Digital signatures will not be able to address and support any of the other options.

Q. 2

Answer: A. The authentication and integrity of data

Explanation: A digital signature is used to validate the integrity, authenticity, and non-repudiation of electronic messages. It does not ensure message confidentiality or the availability of data. A digital signature is created as follows:

Step 1: Create a hash value (message digest) of the message.

Step 2: Encrypt the hash value (as derived in the previous step) with the private key of the sender.

Q. 3

Answer: D. Alteration

Explanation: The hash value of a message is used to create the digital signature. Each message has a unique hash value. If a message changes, its hash also changes. Thus, the hash value will not be the same if the message is altered. A digital signature will not address other concerns.

Q. 4

Answer: A. Digital signatures

Explanation: A digital signature is created by encrypting the hash value of a message with the sender's private key. Without that private key, a matching encrypted hash cannot be produced for an altered message, so any alteration is detected when the recipient recomputes the hash and compares it with the decrypted one.

Q. 5

Answer: C. Integrity, authentication, and non-repudiation

Explanation: A digital signature is used to validate the integrity, authenticity, and non-repudiation of electronic messages. It does not ensure message confidentiality, privacy, or availability of data.

Q. 6

Answer: B. Integrity

Explanation: Digital signatures confirm integrity because the hash value of a message changes in the case of any unauthorized changes being made in the data (file, mail, document, etc.).

Q. 7

Answer: B. Non-repudiation

Explanation: Non-repudiation provides assurance that the sender of a message or the initiator of a transaction cannot later deny sending the message or initiating the transaction. Non-repudiation is the most effective way to validate that a specific action has occurred. Digital signatures are used to provide non-repudiation.

Q. 8

Answer: A. The use of a sender's private key to encrypt the hash value of the message

Explanation: A sender encrypts the hash value of their message with their private key. If the recipient is successful in decrypting the hash value with the public key of the sender, then authenticity is established. That is, it is proved that the message is in fact sent by the sender. It ensures non-repudiation; that is, the sender cannot repudiate having sent the message. For authentication, the encryption of the entire message is not required. The encryption of the entire message will involve more cost and time and hence the encryption of the hash alone is considered sufficient.

Q. 9

Answer: B. The hash value of the message is transmitted and encrypted with the customer's private key

Explanation: A digital signature is created as follows:

Step 1: The hash value (message digest) of the message is created.

Step 2: The hash value (derived in the previous step) is encrypted with the private key of the sender.

In the question, the sender is the customer. Hence, the hash is to be encrypted using the customer's (sender's) private key.

Q. 10

Answer: A. Help detect spam

Explanation: When messages are digitally signed, the sender can be authenticated and tracked, and a recipient can configure their system to delete messages from specific senders automatically. A digital signature adds only a few hundred bytes to a message and has no meaningful impact on bandwidth. There is no major impact on the workload of gateway servers. A digital signature does not ensure confidentiality.

Q. 11

Answer: A. Cannot be reversed

Explanation: The following illustrative example contrasts the outcome of hashing with that of encryption (the digest shown has the 32-hex-digit form of a 128-bit MD5 hash, and the ciphertext is a placeholder rather than the output of a particular cipher):

For the message Meeting at 8 AM, the hash value is 4526dee03a36204cbb9887b3528fac4e.

For the message Meeting at 8 AM, encryption leads to Mxxxxxx xx x xM.

Now, from the hash value 4526dee03a36204cbb9887b3528fac4e, you cannot derive the message, but from Mxxxxxx xx x xM, you can derive the original message by decrypting it with the key.

Thus, hashing operates one way and cannot be reversed: you can create a hash from a message, but you cannot recover the message from its hash value. A hash is irreversible, whereas encryption is reversible by whoever holds the key. This is the major difference between encryption and hashing.

Q. 12

Answer: A. Employees digitally signing their email messages

Explanation: When employees digitally sign their email messages, the receiver will be able to validate the integrity and authenticity by checking the digital signature.

Q. 13

Answer: C. Non-repudiation

Explanation: Non-repudiation provides the best evidence of the occurrence of a specific action or transaction. The sender of the email or initiator of the transaction cannot deny their action. Digital signatures are used to provide non-repudiation.

Q. 14

Answer: D. Non-repudiation

Explanation: Non-repudiation provides the best evidence of the occurrence of a specific action or transaction. The initiator of the transaction cannot deny that transaction. Digital signatures are used to provide non-repudiation.

Q. 15

Answer: A. Authenticity and integrity

Explanation: In the preceding case, the message itself is not encrypted (only the hash is), so privacy and confidentiality are not ensured. Encrypting the hash with the sender's private key ensures authenticity and integrity.

Q. 16

Answer: B. The signer has the private key of the sender and the receiver has the public key of the sender

Explanation: A digital signature is created as follows:

Step 1: Create a hash value (message digest) of the message.

Step 2: Encrypt the hash value (as derived from the previous step) with the private key of the sender.

At the recipient end, the hash is decrypted using the public key of the sender.

Q. 17

Answer: A. Ensuring the integrity of the message

Explanation: A digital signature is created by calculating the hash value of the given message. Recalculating the hash value for the original message should provide the same hash value. Thus, it helps to ensure message integrity.

Q. 18

Answer: D. By using the embedded digital signature

Explanation: A digital signature is used to determine the identity and integrity of the data. The other options are not relevant to determining whether the message and the sender are genuine.

Q. 19

Answer: D. Digital signatures

Explanation: A digital signature is used to validate the integrity, authenticity, and non-repudiation of electronic messages. Non-repudiation is a process used to make sure that the sender of a message or initiator of a transaction is not in the position to deny their action. Encryption and symmetric encryption provide confidentiality but not non-repudiation. Hashing provides integrity but not non-repudiation.

Q. 20

Answer: D. Create a hash value of the file, then compare the file hashes

Explanation: The best way is to create a hash of the original file and then compare this with the suspected file to ensure that the files are the same. If the hash has changed, then it indicates that the file has been modified. The last modified date can also be fabricated. File encryption and role-based access control are good access controls but do not prevent the file from being corrupted or modified by a valid user.
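The one-way property explained in Q. 11 and the hash comparison recommended in Q. 20 are shown in working code in the following added Python example, which is not part of the book. It uses SHA-256 from the standard library for the hash and a one-time pad (XOR with a random key as long as the message) as the simplest correct reversible cipher, so it needs no third-party package; the messages are constructed for the illustration.

```python
"""Hashing is one-way, encryption is reversible, and a hash comparison detects
a modified file.

Added example, not from the book. SHA-256 from the standard library provides
the hash; a one-time pad (XOR with a random key as long as the message) is
used as the simplest correct reversible cipher so that nothing outside the
standard library is needed. The sample messages are constructed here.
"""
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    """Fixed 64-hex-digit (256-bit) digest whatever the input length."""
    return hashlib.sha256(data).hexdigest()


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR with a key of equal length; applying the same key again restores
    the plaintext, which is exactly the inverse a hash does not have."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must match the message length")
    return bytes(p ^ k for p, k in zip(plaintext, key))


otp_decrypt = otp_encrypt      # XOR is its own inverse


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def file_integrity_check(known_good: bytes, suspect: bytes) -> bool:
    """Q. 20: hash the trusted original, hash the suspect copy, compare.
    hmac.compare_digest avoids a timing side channel on the comparison."""
    return hmac.compare_digest(sha256_hex(known_good), sha256_hex(suspect))


def demo() -> dict:
    msg = b"Meeting at 8 AM"
    altered = b"Meeting at 9 AM"
    key = secrets.token_bytes(len(msg))
    ciphertext = otp_encrypt(msg, key)
    return {
        # encryption round-trips with the key; the hash has no such inverse
        "decrypts_back": otp_decrypt(ciphertext, key) == msg,
        # digest length does not depend on input length
        "digest_hex_length": len(sha256_hex(b"x" * 100_000)),
        # changing one character flips roughly half of the 256 digest bits
        "bits_changed_by_one_char": differing_bits(sha256_hex(msg), sha256_hex(altered)),
        "tamper_detected": not file_integrity_check(msg, altered),
        "unchanged_file_passes": file_integrity_check(msg, msg),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The digest of a 100,000-byte input is as long as the digest of a 15-byte message, which is why no inverse can exist: many inputs share every digest, and the function is built so that none of them can be found. The one-character change also illustrates why comparing hashes, rather than timestamps, is the reliable way to detect modification in Q. 20.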

Practice Question Set 4

Q. 1

Answer: B. The certificate authority

Explanation: The CA is an entity responsible for issuing digital certificates. It is also responsible for the management of digital certificates.

Q. 2

Answer: D. Validating the information of the applicants for a certificate

Explanation: An RA has the following functions:

  • To verify and validate information provided by applicants
  • To ensure that the applicant is in possession of a private key that matches the public key requested for a certificate; this is known as proof of possession (POP)
  • To distribute the physical tokens containing private keys
  • To generate shared secret keys during the initialization and certificate pickup phase of registration

Q. 3

Answer: A. The certificate authority

Explanation: The CA is an entity that issues digital certificates. It is responsible for the issuance and management of digital certificates throughout their life cycle.

Q. 4

Answer: C. Establishing a link between the applicant and their public key

Explanation: The CA delegates some administrative functions, such as the verification of information provided by applicants, to the RA. The RA verifies the correctness of the information provided and confirms that the applicant is in possession of the private key that matches the public key requested for the certificate; this is known as proof of possession (POP). Establishing the binding between the applicant and their public key, which is done by issuing a signed certificate, remains the function of the CA, not the RA.

Q. 5

Answer: C. The user organization is also the owner of the certificate authority

Explanation: It indicates a conflict of interest when the user and owner of the CA are the same. The independence of the CA will be impaired in this scenario, and this is considered a major weakness.

Q. 6

Answer: B. Validation of information provided by the applicants

Explanation: An RA has the following functions:

  • To verify and validate the information provided by applicants
  • To ensure that the applicant is in possession of a private key that matches the public key requested for a certificate; this is known as proof of possession (POP)
  • To distribute the physical tokens containing the private keys
  • To generate shared secret keys during the initialization and certificate pickup phase of the registration

Q. 7

Answer: A. The certificate practice statement

Explanation: A CPS is a document that prescribes the practice and process of issuing and managing digital certificates by the CA. It includes details such as the controls in place, the methods for validating applicants, and the usage of certificates.

Q. 8

Answer: B. To validate the identity and authenticity of certificate owners

Explanation: An RA has the following functions:

  • To verify and validate the information provided by the applicant
  • To ensure that the applicant is in possession of a private key that matches the public key requested for a certificate; this is known as proof of possession (POP)
  • To distribute the physical tokens containing the private keys
  • To generate a shared secret key during the initialization and certificate pickup phase of the registration

Q. 9

Answer: C. When users attest to each other's identity

Explanation: The objective of a CA is to support the identification of the key holder. In a case where a user already attests to another user's identity, the CA may not be required. The CA is not relevant for the other options.

Q. 10

Answer: D. A certification practice statement

Explanation: A CPS is a document that prescribes practices and processes for the issuing and management of digital certificates by the CA. It also provides contractual requirements between the relying parties and the CA. It includes details such as the controls that should be in place, the methods for validating applicants, and the usage of certificates.

Q. 11

Answer: C. It attests to the validity of a user's public key

Explanation: The CA is responsible for the issuance and management of digital certificates. By signing a certificate, the CA attests that the public key it contains belongs to the named holder, and after issuance it maintains the certificate's status, for example by revoking it if the key is compromised. The other options are not functions of a CA.

Q. 12

Answer: C. The private key of the certificate authority

Explanation: The private key of a CA is used to sign the digital certificates issued to all parties in a PKI. If the private key of a CA is compromised, it becomes a single point of failure for the entire PKI, because the integrity of every certificate rests on that one key: whoever holds it can issue a certificate binding any name to any public key. If the private key of a certificate holder is compromised, only that holder is affected. Public keys are published by design, so their disclosure poses no risk.

Practice Question Set 5

Q. 1

Answer: A. Data encryption

Explanation: The best method is to encrypt the communication, which will ensure the confidentiality of the transactions. Multiple authentications, maximum password age, and digital signatures may help in strong authentication but they will not help in the confidentiality of the data in transit.

Q. 2

Answer: A. A secure socket layer

Explanation: Secure sockets layer (SSL), today superseded by its successor transport layer security (TLS), is the protocol that secures communication at the transport layer: it runs on top of TCP and uses cryptographic functions to protect the confidentiality and integrity of data crossing the internet and to authenticate the server. Dynamic host configuration protocol (DHCP) is used to manage network configuration; it assigns an IP address and other network parameters to each device on a network so that the device can communicate with other IP networks. Secure shell (SSH) and Telnet are remote terminal protocols through which a user connects to a terminal from a remote location; SSH encrypts the session, whereas Telnet sends it in plain text.

Q. 3

Answer: B. To encrypt the data stored on the mobile

Explanation: Encryption is the most effective method to safeguard the data stored on mobile devices. Encryption converts the data into an unreadable form such that it can only be read by the person possessing the encryption key. The other options are good controls, but they are not as effective.

Q. 4

Answer: B. Scaling is more convenient in public key encryption

Explanation: One of the limitations of symmetric encryption is that it requires a separate secret key for each pair of parties who wish to communicate confidentially, so the number of keys grows as n(n-1)/2 for n parties, which creates difficult key distribution and storage problems. Public key encryption does not have this issue, since each party needs only one key pair. Public key encryption requires more computation and maintenance than symmetric encryption, and a public key by itself does not provide greater encryption strength.

Q. 5

Answer: C. User passwords not being encrypted

Explanation: If passwords are sent over an internal network in plain text, they can easily be sniffed. Passwords should be encrypted for adequate security. The other options do not present significant exposures.

Q. 6

Answer: B. Implementing application-level encryption

Explanation: With application-level encryption, the application encrypts the data before writing it to the database and keeps the keys outside the database, so the stored data is unreadable to the DBA and other staff who administer the database. The DBA can still perform routine maintenance without seeing the data in cleartext. The other options cannot prevent the DBA from reading the data in the database.

Q. 7

Answer: C. Authenticate the sender

Explanation: The public key of the other party is used to decrypt the message and if the message is successfully decrypted, it helps to authenticate the user, that is, the owner of the corresponding private key. Authorization and compression are not functions of PKI. A private key is used for the creation of digital signatures.

Q. 8

Answer: B. Strong encryption

Explanation: The most effective method to secure a wireless network is strong encryption of the wireless traffic (a current WPA standard rather than the broken WEP). An IDS and a router offer no protection against local attacks on the radio link. Two-factor authentication is an access control and will not protect data from being sniffed.

Q. 9

Answer: C. Encrypting the USB device

Explanation: Encryption is the most effective method to safeguard the data stored on removable devices. Encryption converts the data on the USB to an unreadable form. It can only be read by the person possessing the encryption key. The other options are good controls but not as effective.

Practice Question Set 6

Q. 1

Answer: B. Penetration tests

Explanation: Aggregated risk refers to a significant impact caused by a large number of minor vulnerabilities. Individually, these vulnerabilities do not cause a major impact, but when they are exploited together, or chained one after another, they can cause a huge impact. The goal of risk aggregation is to identify the significant overall risk from a single threat vector. Penetration testing is the best way to assess aggregate risk because the tester exploits the vulnerabilities one after another and demonstrates what the combination yields. Risk aggregation also provides a good basis for prioritizing risk.

Q. 2

Answer: A. Determine weaknesses in the network and server security

Explanation: The objective of penetration testing is to identify the weaknesses in the network and server security of an organization. Based on the results of the penetration test, the identified weaknesses are addressed to improve the security posture of the organization.

Q. 3

Answer: C. To get an independent view of security exposures

Explanation: The main objective of engaging an external company to perform penetration testing is to get an independent view of the organization's security exposure. Even though the organization may have the necessary skills and resources to conduct penetration testing, third-party penetration testing is recommended to get an objective view from external experts. The other options are secondary aspects.

Q. 4

Answer: B. To ensure that goals and objectives are clearly defined

Explanation: It is very important to establish a clear understanding of the scope of testing. In the absence of a defined scope, a tester may cause a system outage or other major damage. Sometimes, the test may have adverse impacts on business processes if the organization is not well prepared. The other options are secondary aspects. In the case of a blind penetration test, IT and security monitoring staff are not informed about the proposed test in order to determine their readiness with respect to any attack. A demonstration of the test system will reduce the spontaneity of the test.

Q. 5

Answer: D. Establishing clear rules of engagement

Explanation: It is very important to establish a clear understanding of the scope of testing. In the absence of a defined scope, a tester may cause a system outage or other major damage. Sometimes, a test may have adverse impacts on business processes if the organization is not well prepared. The other options are secondary aspects. In the case of a blind penetration test, IT and security monitoring staff are not informed about the proposed test in order to determine their readiness for any attack.

Q. 6

Answer: A. A clear scope of the test

Explanation: In a black box testing attack scenario, the tester is provided with limited or no knowledge of the target's information systems. Inappropriate planning and timing of the attack may cause the system to fail. It is very important that the tester is well experienced and aware of the clear scope of the test. The other options are not as significant.

Q. 7

Answer: A. More time is spent on exploitation rather than discovery and information gathering

Explanation: In cases of white box penetration testing, relevant details of the infrastructure are made available to the tester in advance. They need not spend time gathering the information. This helps the tester concentrate on exploitation. A black box approach, where no information is provided, better simulates an actual hacking attempt. Cost is a secondary aspect. Penetration testing tools are required for both white box as well as black box penetration tests.

Q. 8

Answer: C. For control assessments of legacy applications

Explanation: Ethical hacking (penetration testing) involves the use of tools and techniques available to actual hackers to penetrate the network of an organization. The objective of ethical hacking is to find out vulnerabilities in the existing control and address the loopholes. Ethical hacking is not directly relevant to the other options.

Q. 9

Answer: D. Conducting periodic penetration testing

Explanation: The most effective way to ensure that an organization's network is properly secured against external attacks is to conduct penetration testing at regular intervals. The results of penetration testing determine the effectiveness of the organization's security posture. Any loopholes identified during penetration testing should immediately be rectified. The other options are not as effective.

Q. 10

Answer: B. Network mapping

Explanation: The first step a penetration tester performs is network mapping. Network mapping is the process of understanding the topology of the target network. It helps to determine the points of attack in the network. The IDS is a secondary aspect. The nature of the data and data analytics are not relevant to a tester.

Revision Questions

Q.1

Answer: C. It may be quarantined by the firewall or mail filters

Explanation: Generally, firewalls or mail filters would quarantine a password-protected ZIP file as the filter (or the firewall) will not be able to determine whether the file contains malicious code. A ZIP file does have the capability of using strong encryption. Generally, a firewall will not be able to read the password-protected file. A password-protected file by itself does not use high network bandwidth.

Q.2

Answer: A. The firewall allows source routing

Explanation: By default, a firewall should reject any traffic that uses IP source routing. Source routing is a technique for learning about all the routers in a packet's transit path. It can be used to bypass firewalls, hence it is a security threat. If a firewall allows source routing, an intruder can attempt spoofing attacks using the organization's own IP addresses. Deploying a firewall on a standalone server is good practice; a firewall should be placed on a hardened server with the minimum services enabled. Firewall rules should be reviewed in a structured manner at periodic intervals. Allowing unregistered ports is not recommended but does not necessarily pose a significant security threat.

Q.3

Answer: A. A screened subnet

Explanation: In a screened subnet, one bastion host is deployed along with two packet filtering routers. It is considered the most secure type of firewall implementation. It acts as a DMZ. An acceptable use policy and role-based access will not have an impact on external users. An IDS will be able to identify the invalid attempts but will not be able to prevent them.

Q.4

Answer: B. A web server

Explanation: A DMZ is a separate network segment that is exposed to external, untrusted networks. Generally, servers that interact with the internet are placed in the demilitarized zone, as this area is separated from the internal servers and properly hardened. Servers and resources placed in a DMZ are isolated and are not directly connected to the internal network. A database should not be placed in a DMZ, as the DMZ is exposed to external connections.

Q.5

Answer: A. On the internal network

Explanation: An intranet server is not required to communicate with external networks as external people do not need access to it. Hence, for security purposes, it should be placed on an internal network. Placing the intranet server outside the firewall, in the DMZ, or on an external router will expose it to external threats.

Q.6

Answer: A. One rule may conflict with another rule and create a loophole

Explanation: Firewall rules should be simple and easy to implement. A complex rule set is difficult to manage, and there is a chance that one rule may conflict with another, resulting in a loophole. It also becomes difficult to test a large number of rules, so the operating effectiveness of each rule cannot be determined. High expenditure and network performance are secondary concerns. A next-generation firewall has the ability to handle any number of rules.
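As an added example (not from the book), the following Python checks a first-match rule set for the two problems described above: a later rule that is fully covered by an earlier rule with the opposite action is shadowed and never fires, and rules that partially overlap with opposite actions give order-dependent results. The rule set, names and addresses are constructed for illustration.

```python
"""Detect shadowed and conflicting rules in a first-match firewall rule set (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    ports: Tuple[int, int]    # inclusive destination port range


def rule(name, action, proto, src, dst, low, high=None) -> Rule:
    """Convenience constructor; a single port is the range (low, low)."""
    return Rule(name, action, proto, ip_network(src), ip_network(dst),
                (low, low if high is None else high))


def _proto_within(inner: str, outer: str) -> bool:
    return outer == "any" or inner == outer


def _proto_overlap(a: str, b: str) -> bool:
    return a == "any" or b == "any" or a == b


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matched by `later` is already matched by `earlier`."""
    return (_proto_within(later.proto, earlier.proto)
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and earlier.ports[0] <= later.ports[0]
            and later.ports[1] <= earlier.ports[1])


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet is matched by both rules."""
    return (_proto_overlap(a.proto, b.proto)
            and a.src.overlaps(b.src)
            and a.dst.overlaps(b.dst)
            and a.ports[0] <= b.ports[1]
            and b.ports[0] <= a.ports[1])


def analyse(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (kind, earlier_rule, later_rule) findings under first-match semantics.

    'shadowed': the later rule can never fire, so the control it was meant to
    enforce is silently lost.  'conflict': the rules partially overlap with
    opposite actions, so the outcome depends on ordering and needs review.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action == later.action:
                continue  # same action: redundant at worst, not a loophole
            if covers(earlier, later):
                findings.append(("shadowed", earlier.name, later.name))
            elif overlaps(earlier, later):
                findings.append(("conflict", earlier.name, later.name))
    return findings


def first_match(rules: List[Rule], proto: str, src: str, dst: str, port: int) -> Optional[str]:
    """Name of the first rule that matches the packet, or None (implicit deny)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (_proto_within(proto, r.proto) and s in r.src and d in r.dst
                and r.ports[0] <= port <= r.ports[1]):
            return r.name
    return None


# Constructed rule set for illustration; the names and addresses are not real.
SAMPLE_RULES = [
    rule("web-tier-allow", "allow", "tcp", "0.0.0.0/0", "192.168.10.0/24", 1, 65535),
    rule("block-rdp", "deny", "tcp", "0.0.0.0/0", "192.168.10.5/32", 3389),
    rule("admin-ssh", "allow", "tcp", "10.0.0.0/8", "172.16.0.0/16", 22),
    rule("contractor-deny", "deny", "tcp", "10.0.5.0/24", "172.16.0.0/16", 1, 1024),
    rule("snmp-deny", "deny", "udp", "0.0.0.0/0", "0.0.0.0/0", 161),
]

if __name__ == "__main__":
    for kind, earlier, later in analyse(SAMPLE_RULES):
        print(f"{kind}: '{later}' vs earlier rule '{earlier}'")
    # The intended RDP block never fires: the broad allow above it wins.
    print("RDP to 192.168.10.5 hits:",
          first_match(SAMPLE_RULES, "tcp", "203.0.113.7", "192.168.10.5", 3389))
```

Running the analysis as part of each rule-base review surfaces the loophole before testing does: `block-rdp` is reported as shadowed and `first_match` confirms that RDP traffic to the host is allowed by `web-tier-allow`.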

Q.7

Answer: B. Inability to detect new attack methods

Explanation: A signature-based IDS looks for specific predefined patterns to detect intrusions. The patterns are stored as signatures and are updated at frequent intervals. This is also known as a rule-based IDS. A signature-based IDS is not capable of identifying new types of attacks for which signatures are not yet available. The other options are not relevant.

Q.8

Answer: A. Simulating various attack scenarios and reviewing the performance of the intrusion detection system

Explanation: The most effective way to determine whether an IDS is properly tuned is to simulate various attack scenarios and review the performance of the IDS. The other options are secondary aspects.

Q.9

Answer: D. To identify attacks on the internal network

Explanation: The main objective of an IDS is to identify attacks on the internal network and provide alerts for immediate countermeasures. This helps minimize the impact of the attack. The other options are secondary aspects.

Q.10

Answer: C. Ensuring the encrypted traffic is decrypted prior to being processed by the intrusion detection system

Explanation: An IDS cannot read encrypted traffic, so the encryption should be removed before the traffic is processed by the IDS. Terminating the encryption at the SSL or VPN server allows all traffic to be monitored. Placing an IDS in front of the firewall will generate a high number of alerts for traffic that the firewall will eventually block anyway. Not all end devices need to be connected to the IDS. Network bandwidth is not relevant.

Q.11

Answer: D. Install a honeypot on the network

Explanation: A honeypot is a decoy system set up to attract hackers and intruders. The purpose of setting up a honeypot is to capture the details of intruders to proactively strengthen security controls. As honeypots are closely monitored, any unauthorized attempt is more likely to be detected before significant damage is inflicted. The other options will not directly help detect the intruder.

Q.12

Answer: D. Anomaly-based detection

Explanation: Anomaly-based detection works on the statistics of normal traffic patterns. It is also known as a statistics-based IDS. Any departure from the normal traffic range is treated as a deviation and an alert is generated. In a DDoS attack, incoming traffic increases tremendously, so it is detected by anomaly-based detection. The other options will not be effective in detecting a DDoS attack.

Q.13

Answer: C. To set up decoy files

Explanation: A decoy file is also known as a honeypot. A honeypot is a decoy system set up to attract hackers and intruders. The purpose of setting up a honeypot is to capture the details of intruders in order to proactively strengthen security controls. The other options are used to keep hackers out of the internal network.

Q.14

Answer: A. An increase in the number of false positives

Explanation: An IDS uses different logs, such as firewall logs, system logs, and application logs. Logs are analyzed to determine the trends and patterns of attacks. Threshold refers to the acceptable deviation from the normal pattern. A low threshold value means anything outside that value will be considered an attack. Even genuine business traffic will be considered an attack if it is above the threshold. A low threshold value generally increases the number of false positives.
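As an added example (not from the book), this Python models the statistics-based detection of Q.12 together with the threshold effect explained here: the baseline defines "normal", the threshold is the mean plus k standard deviations, and a low k flags a legitimate month-end traffic peak as an attack while still catching the flood. All traffic counts are constructed, and `tune` shows the "simulate attacks and review the result" approach of Q.8 on the labelled window.

```python
"""Statistical anomaly detection with a tunable threshold (added example, constructed data)."""
from statistics import mean, pstdev
from typing import List, Optional, Sequence, Tuple

# Constructed baseline: requests per minute observed during normal business hours.
BASELINE = [120, 95, 140, 160, 110, 130, 150, 100, 125, 145, 115, 135]

# Constructed observation window; each sample is labelled True if it belongs to an attack.
# Minutes 3-4 are a legitimate month-end peak; minutes 6-8 are a volumetric flood.
OBSERVED = [
    (122, False), (125, False), (160, False), (165, False), (124, False),
    (2100, True), (2400, True), (2250, True), (126, False), (121, False),
]

Profile = Tuple[float, float]   # (mean, standard deviation) of normal traffic


def build_profile(samples: Sequence[int]) -> Profile:
    """Learn what 'normal' looks like from a clean baseline period."""
    return mean(samples), pstdev(samples)


def threshold(profile: Profile, k: float) -> float:
    """Upper bound of the accepted range: mean plus k standard deviations.

    k is the acceptable deviation from the normal pattern; a low k means even a
    modest rise above the mean is treated as an attack.
    """
    mu, sigma = profile
    return mu + k * sigma


def detect(profile: Profile, window: Sequence[Tuple[int, bool]], k: float) -> List[bool]:
    """Flag every sample that exceeds the threshold."""
    limit = threshold(profile, k)
    return [count > limit for count, _label in window]


def evaluate(profile: Profile, window: Sequence[Tuple[int, bool]], k: float) -> Tuple[int, int, int]:
    """Return (true positives, false positives, false negatives) for a given k."""
    flags = detect(profile, window, k)
    tp = sum(1 for f, (_, attack) in zip(flags, window) if f and attack)
    fp = sum(1 for f, (_, attack) in zip(flags, window) if f and not attack)
    fn = sum(1 for f, (_, attack) in zip(flags, window) if not f and attack)
    return tp, fp, fn


def tune(profile: Profile, window: Sequence[Tuple[int, bool]],
         candidates: Sequence[float]) -> Optional[float]:
    """Pick the smallest k that catches every labelled attack with no false positive.

    The labelled window stands in for the simulated attack scenarios a security
    manager would replay when reviewing how well the IDS is tuned.
    """
    for k in candidates:
        _tp, fp, fn = evaluate(profile, window, k)
        if fp == 0 and fn == 0:
            return k
    return None


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for k in (1, 2, 3):
        tp, fp, fn = evaluate(profile, OBSERVED, k)
        print(f"k={k}: threshold={threshold(profile, k):.1f}/min  TP={tp} FP={fp} FN={fn}")
    print("smallest k with no false positives:", tune(profile, OBSERVED, (1, 2, 3, 4)))
```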

Q.15

Answer: D. Hashing

Explanation: Hashing is the process of converting a given password into another value. The output of a hash function is known as a hash value. When a user enters a password, it is converted into a hash value and compared with the stored hash. If the hashes match, access is granted. The actual password cannot be derived from the hash value (because hashing is a one-way algorithm), so the actual password remains protected.
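As an added example (not part of the book), the following Python shows the verification flow described above with a salted PBKDF2-HMAC-SHA256 hash: the stored record holds only the algorithm parameters, the salt and the hash, and the login check recomputes the hash of the submitted password and compares hashes, never passwords. The sample password is constructed.

```python
"""Salted one-way password hashing and verification (added example, not from the book)."""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "sha256"
ITERATIONS = 600_000     # PBKDF2 work factor; raise it over time as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'algorithm$iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn unless one is supplied, so the same password
    yields a different record for every user; the password itself is never stored.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Hash the submitted password with the stored parameters and compare the hashes.

    The comparison is constant-time so that a mismatch does not reveal, through
    timing, how many leading bytes of the hash were correct.
    """
    algorithm, iterations, salt_hex, stored_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), stored_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample password
    print("stored record:", record)
    print("correct password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("Correct horse battery staple", record))
```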

Chapter 9: Incident Management Readiness

Practice Question Set 1

Q. 1

Answer: C. An incident response plan

Explanation: An incident response plan includes a detailed procedure to handle an incident. It also includes the detailed roles and responsibilities of different teams for handling the incident. A security breach can best be handled using an incident response plan. BCPs and DRPs will be applicable only if an incident becomes a disaster and an alternative site needs to be activated. A change management plan is used to manage changes and does not directly impact the handling of a security breach.

Q. 2

Answer: A. To check the facility access logs

Explanation: The first step should be to check the facility access logs and determine the number of employees in the facility. They should be evacuated on an emergency basis. The safety of human life always comes first. The other options are secondary actions.

Q. 3

Answer: B. Installing a packet filtering firewall to drop suspicious packets

Explanation: In a DoS attack, numerous packets are sent to a particular IP address with the objective of disrupting services. Installing a packet filtering firewall will help drop the suspected packets and thus reduce the network congestion caused by a DoS attack. Patching the operating system will not affect network traffic. Implementing NAT or load balancing would not be as effective in tackling a DoS attack.

Q. 4

Answer: C. To ensure compliance with reporting procedures

Explanation: The first step is to initiate the reporting process as defined in the incident response procedure. The incident response procedure may include reporting it to the police or another authority, wiping data remotely, removing users, and so on. Determining impact and removing it from the inventory list are subsequent actions.

Q. 5

Answer: A. At the time the disaster recovery plan is established

Explanation: Roles and responsibilities should be assigned at the time of preparing the plan. An unclear plan will have an adverse impact during execution. Without assigned roles and responsibilities, testing and approval will not be effective.

Q. 6

Answer: B. Copies of the business continuity plan

Explanation: A BCP contains the step-wise process to ensure continuity of the business from an alternative site. Without a copy of the BCP, recovery efforts may not be effective. Generally, a BCP includes contact details of key employees, suppliers, and key service-level agreements.

Q. 7

Answer: D. Containment

Explanation: Containment refers to taking action to prevent the expansion of the incident. Incident response procedures primarily focus on containing the incident and minimizing damage. For example, when a virus is identified in a computer, the first action should be containing the risk, that is, disconnecting the computer from the network so that it does not impact other computers. The other options are subsequent actions.

Q. 8

Answer: D. The installation of a Trojan horse on a system administrator's computer

Explanation: A Trojan horse is a type of illegitimate software that is often disguised as legitimate software; it is a type of malware. Trojans are used by intruders to attempt unauthorized access to an organization's network and systems. Finding a Trojan horse in an administrator's computer is a major concern as the administrator has privileged access that could be exploited. The other options are still serious issues, but not as significant.

Q. 9

Answer: D. It takes 6 days to investigate security incidents

Explanation: A delay in investigation is an area of major concern as it can have a large impact on business processes. The other options do not pose significant risks.

Q. 10

Answer: B. Often clash with effective problem management

Explanation: One of the most important objectives of problem management is to understand the root cause of an incident and address it so that the same type of incident does not recur. Merely restoring the service as early as possible is not the solution. Hence, if incidents are closed within a strict timeline, this aspect may be missed. Quick resolution does not always give positive results. Forensics is concerned with the analysis and preservation of evidence from a legal perspective and is not involved in service continuity.

Q. 11

Answer: C. Isolating the impacted network

Explanation: The most important action is to isolate the network and contain the further spread of the attack. Disconnecting all network access points will impact business processes and should be the last resort. Analyzing and monitoring are subsequent actions.

Q. 12

Answer: C. Safety of personnel

Explanation: The safety of human life is of utmost priority for any emergency response plan.

Q. 13

Answer: B. The escalation criteria

Explanation: Escalation criteria include specific actions to be followed as per predefined timelines. They also include defined roles and responsibilities for individual team members. For the smooth execution of incident response, it is of utmost importance to follow the escalation criteria.

Q. 14

Answer: B. To determine the impact of the compromise

Explanation: The first course of action is to determine the extent of the impact on the organization. Even when reporting to senior management and other stakeholders, the extent of the compromise needs to be reported.

Q. 15

Answer: C. Disconnecting the computer from the network

Explanation: The first step is to contain the spread of the virus by disconnecting the infected computer. The other options are subsequent steps.

Q. 16

Answer: C. To minimize business disruptions

Explanation: The main objective of incident response is the containment of the incident and thereby minimization of damage. The other options are not primary objectives of incident response.

Q. 17

Answer: C. To rebuild the system from the original media

Explanation: Due to a compromise at the administrative level, malware may have already been installed on the server. The best way is to rebuild the email server from the original media. This will address the risk of the presence of any hidden malware. Isolation is a temporary solution. A change of password and two-factor authentication will not address a hidden virus in the email server.

Q. 18

Answer: B. The cost of the unavailability of the system

Explanation: The unavailability of the system due to a disaster may result in losses for the organization. Losses due to the unavailability of the system increase on a daily basis. A BCP is developed on the basis of these losses. Based on the losses from the unavailability of the system, the RTO, RPO, and recovery sites are finalized. The other options do not directly impact the BCP.

Q. 19

Answer: B. Incident severity criteria

Explanation: It is very important to prioritize the incident based on its possible impact. Quickly ranking the severity criteria of an incident is key to incident response. The other details are not included in a computer incident response team manual but are included in the BCP.

Q. 20

Answer: A. Immediately isolating the server from the network

Explanation: The most important action is to isolate the server and contain the further spread of the virus. The other options are subsequent actions.

Practice Question Set 2

Q. 1

Answer: A. To confirm the incident

Explanation: The immediate step should be to confirm the incident to rule out any false positives. It is very important for a security manager to verify and validate the incident before any containment action is taken. Once the incident is confirmed, the next step is isolating the incident. The other options are subsequent steps.

Q. 2

Answer: B. Blocking all emails containing picture file attachments

Explanation: The first step should be to block all emails containing picture files until the signature files are updated. Deleting all picture files and quarantining the mail servers is not necessary. Blocking all incoming emails would hamper business processes.

Q. 3

Answer: A. The system owner

Explanation: A vulnerability should be reported to the system owner to take appropriate corrective action. The system owner should in turn report to the data owner if the vulnerability is in the database arrangement. The system owner will coordinate with the development team for any development-related changes to address the vulnerability.

Q. 4

Answer: A. Slack space can be used to store hidden data

Explanation: Slack space is the leftover storage within the disk space allocated to a file. It is created when a file does not use all the space allocated to it by the operating system. Slack space can be used to store hidden data, so its examination is an important aspect of computer forensics.

Q. 5

Answer: A. To confirm the incident

Explanation: The first step should be to confirm the incident to rule out any false positives. It is very important for a security manager to verify and validate the incident before any containment action is taken. Once the incident has been confirmed, the next step is to contain the incident. The other options are subsequent steps.

Q. 6

Answer: D. Installing an intrusion detection system

Explanation: The installation of an IDS will help the security manager identify the source of the attack. An IDS can be used to detect both internal and external attacks, depending on where it is placed. An IDS is used to monitor the network or systems for abnormal activities. IP addresses can be spoofed, hence implementing a static IP may not be useful. If the attack is internal, two-factor authentication may not be helpful either. Capturing logs will only be meaningful if the logs are monitored through a SIEM.

Q. 7

Answer: C. To obtain guidance from the firewall manufacturer

Explanation: The first course of action is to consult with the firewall manufacturer as they may have a patch to address the vulnerability. They will also be in a position to suggest a workaround and any compensating controls to address the issue. Blocking all incoming traffic may not be feasible as it will hamper business processes. Updating OS patches and penetration testing will not help to address the vulnerability.

Q. 8

Answer: B. To contain the incident

Explanation: Once the incident has been confirmed, the next step is to contain the incident. Containment means taking actions to prevent the expansion of the incident. Incident response procedures primarily focus on containing incidents and minimizing damage.

Q. 9

Answer: C. Discussing the situation with the data owner

Explanation: The first step should be to discuss the situation with the data owner and determine who requires access to the data on a need-to-know basis. Based on the discussion, access should be granted according to the relevant job function and removed for other users. Encrypting the data may not be feasible, as the user may require access to the data for further processing.

Q. 10

Answer: D. Possible business benefits from incident impact reduction

Explanation: The best way to justify the establishment of an incident management team is to highlight the possible business benefits derived from structured incident management processes. The trends of previous incidents and industry losses may not directly impact future losses.

Q. 11

Answer: D. Security awareness training of end users

Explanation: Frequent security awareness training for end users as well as help desk staff is one of the most important factors for the early identification and reporting of any incident. The availability of a well-structured communication and reporting procedure is also an important aspect but it is only useful when staff are able to identify the incident. An IDS will not be able to identify non-IT-related incidents. Determining the severity level is a subsequent step and will be useful only once the incident is identified.

Q. 12

Answer: D. Promote business resiliency

Explanation: Business resilience refers to the capability of an organization to sustain disruption. The main objective of an IRP is to minimize the impact of an incident by developing resilient processes. An incident response plan is a means to reduce the impact of an incident but cannot prevent the occurrence of an incident. Business continuity processes are addressed by the BCP and not the IRP.

Q. 13

Answer: C. Verifying whether the file is malicious

Explanation: The first step should be to confirm whether the file is actually malicious and thereby rule out a false positive. It is very important for a security manager to verify and validate the incident before any containment action is taken. Once the incident has been confirmed, the next step is to isolate the file. The other options are subsequent steps.

Q. 14

Answer: D. The information security department

Explanation: Generally, the information security response is handled by the information security manager, who should ensure that the team consists of individuals with the requisite knowledge and experience to handle incidents.

Q. 15

Answer: B. Determining whether it is an actual incident

Explanation: The first step should be to confirm the incident to rule out any false positives. It is very important for the security manager to verify and validate any incident before containment action is taken. Once the incident has been confirmed, the file can be isolated. The other options are subsequent steps.

Q. 16

Answer: C. The data owner

Explanation: The data owner should be notified first as they will be in the best position to determine the impact of the security breach. The data owner will then coordinate with the computer incident response team for further action. The other options are to be notified later, as required by the incident management policy.

Q. 17

Answer: B. Defined roles and responsibilities

Explanation: Defined roles and responsibilities of the incident response team increase the effectiveness of incident management. Each team should have predefined and assigned responsibilities for managing incidents. They should also have the relevant experience and should be appropriately trained in accordance with their responsibilities. The other options are important but not as significant.

Q. 18

Answer: A. To ensure that adequate corrective actions are implemented

Explanation: The main objective is to ensure that incidents are closed by taking appropriate corrective actions as per the business requirements. A review by management helps align the security policy with the business objectives. The other options are not the objectives of a management review.

Q. 19

Answer: B. Escalating to the next level for resolution

Explanation: The incident response policy and procedure will have a defined escalation procedure and timelines for each activity. If an activity is not completed within the defined timeline, then it should be escalated to the next level.

Q. 20

Answer: C. A well-defined and structured communication plan

Explanation: The two most important aspects for the timely identification of incidents are frequent security awareness training for end users and a well-defined communication plan. A well-defined and structured communication plan facilitates the information flow from the end user to senior management in a time-bound manner. In this manner, incidents can be recognized, declared, and appropriately addressed. An IDS will not be able to address non-technical incidents. Audits are generally detective in nature and may not identify incidents in a timely manner. Reviews of network logs will help to address only network-related incidents.

Practice Question Set 3

Q. 1

Answer: D. The strategy validated by senior management

Explanation: Senior management is in the best position to understand and adopt the strategy that is the most beneficial for the organization's continuity. A BCP is primarily based on the SDO of the management. A strategy to cover all applications is not practical. If the objective of senior management is achieved, they will definitely support the budget for business continuity processes and alternative sites.

Q. 2

Answer: D. Developing a recovery time objective for critical functions

Explanation: While the goal of a BCP is to prevent and mitigate incidents, the goal of a DRP is to restore operations if business operations are down due to an incident. Developing an RTO directly relates to business continuity whereas the other options are more related to infrastructure disaster recovery.

Q. 3

Answer: A. Available resources

Explanation: The MTO is the maximum period of time that an organization can operate from an alternative site. Various factors affect the MTO such as resource availability, location availability, raw material availability, or electric power availability at the alternative site. SDOs and operational capabilities should have been addressed when considering the available resources for the alternative site.

Q. 4

Answer: B. Before image restoration

Explanation: The RPO is the level of acceptable data loss. Whenever a database is corrupted, the recovery process recovers only the completed transactions, and any incomplete transactions are rolled back. This is known as before image processing. The extent of system downtime is referred to as the RTO.

Q. 5

Answer: A. Business impact analysis

Explanation: A BIA is conducted to determine the critical processes of the organization and to help decide the recovery strategy during a disaster.

Q. 6

Answer: C. A reciprocal arrangement

Explanation: In a reciprocal arrangement, two organizations with similar capabilities and processing capacities agree to provide support to one another in the event of an emergency. Reciprocal agreements are not considered very reliable. They pose many challenges, such as both organizations having different processing capabilities, difficulties in testing the plan, keeping the plan up to date, and so on.

Q. 7

Answer: B. The chief operating officer

Explanation: The RPO is best determined by the business process owner, that is, the chief operating officer. The chief operating officer has adequate knowledge to make this decision.

Q. 8

Answer: A. To determine the maximum tolerable period of data loss

Explanation: The RPO is a measure of the user's tolerance to data loss. In other words, the recovery point objective is the extent of acceptable data loss. For example, an RPO of 2 hours indicates that an organization will not be overly impacted if it loses data for up to 2 hours.

Q. 9

Answer: C. The business process owner

Explanation: The business process owner is in the best position to determine the impact of the unavailability of their system or processes and the appropriate recovery time and cost estimates accordingly.

Q. 10

Answer: C. To periodically test the plan with varied scenarios

Explanation: The best method is to conduct tests on a periodic basis and determine whether the plan supports the requirements of the business. The other options are not as effective.

Q. 11

Answer: D. When selecting an alternative recovery site

Explanation: When selecting an alternative recovery site, it is of utmost importance to consider the proximity of the site to hazards. A recovery site should have an appropriate distance from potential hazards such as bodies of water, chemical factories, or other locations that could cause significant risk to the recovery site. A recovery site should also be away from the primary site so that both are not subject to the same environmental events.

Q. 12

Answer: C. The allowable interruption window

Explanation: The AIW is the maximum period of time for which normal operations of the organization can be down. After this point, the organization will start to face major financial difficulties threatening its existence. The technical specification of the disaster recovery site will be based on this constraint. Based on the AIW, the organization needs to choose between a mirrored, hot, warm, or cold site.

Q. 13

Answer: A. The primary and offsite facilities should not be subject to the same environmental threats

Explanation: An offsite facility should be away from the primary site so that both are not subject to the same environmental events. In the event of natural calamities, both sites would be impacted if located in close proximity.

Q. 14

Answer: C. Systems are restored

Explanation: The RTO is the amount of time required to restore a system. Normal functioning may occur significantly later than the RTO. The RTO is the minimum acceptable operational level and is generally lower than normal operations.

Q. 15

Answer: A. Test results show that the recovery time objective was not exceeded

Explanation: The RTO is the extent of acceptable system downtime. A system should be restored within the RTO. The RTO is an important element of a BCP. If the RTO is achieved during testing, it indicates that the BCP objectives have been achieved. Conducting BCP tests and assigning asset ownership are not the core objectives of a BCP.

Q. 16

Answer: B. Adequate distance between the primary site and offsite facility so that the same disaster does not simultaneously impact both

Explanation: Offsite facilities should be away from primary sites so that both cannot be subject to the same environmental events. In the event of natural disasters, both sites would be impacted if located in close proximity. The other options are secondary factors.

Q. 17

Answer: A. Recovery time objectives

Explanation: The RTO is the length of time required to restore the system to a service level acceptable to the organization.

Q. 18

Answer: D. The end-to-end transaction flow

Explanation: If an organization can establish an end-to-end transaction flow from the offsite facility, then it can be validated that the key business processes are available at the offsite location. The achievement of the RPO and staff requirements does not indicate the availability of the required support and processes at the offsite location.

Q. 19

Answer: A. A business impact analysis

Explanation: A BIA is a process used to determine the critical processes of an organization and, accordingly, decide the priority level and recovery strategy during a disaster.

Q. 20

Answer: A. Conducting periodic and event-driven business impact analyses to determine the business needs

Explanation: This situation could have been controlled if the organization had a practice of conducting a BIA on a periodic basis and also when triggered by certain events (such as the purchase of a new system). This helps to keep the recovery strategy up to date with current business requirements.

Practice Question Set 4

Q. 1

Answer: D. Fidelity insurance covers any losses suffered due to dishonesty or fraud by employees

Explanation: Fidelity insurance provides protection against business losses caused due to employee dishonesty, theft, or fraud.

Q. 2

Answer: B. Business interruption insurance

Explanation: Business interruption insurance is the best way to compensate for any loss incurred due to business disruptions. The other options are focused on the restoration of services as early as possible to minimize the downtime costs. However, they cannot compensate for losses that have occurred already.

Practice Question Set 5

Q. 1

Answer: D. Involving managers from the affected operational areas

Explanation: The severity of an incident is best determined based on the level of impact on the organization. A manager from the affected operational areas will be in the best position to determine the impact. Past incidents and benchmarking will not give accurate impact estimates. Valuation is based on the impact on the business as a whole and not only on asset value.

Q. 2

Answer: C. Determining the category of the incident based on impact

Explanation: In the detection and analysis phase, the emphasis is on the identification and detailed analysis of the incident. The following activities are carried out in the identification phase:

  • Determining whether the reported incident is valid
  • Assigning the incident to a team member
  • Detailed analysis of the incident
  • Determining the severity of the incident and following the escalation process

Option A refers to the containment phase, Option B is eradication, and Option D is post-incident review.

Q. 3

Answer: C. To prioritize resources for handling multiple incidents

Explanation: Triage refers to the process of deciding the order of treatment based on urgency. It is very important to prioritize the incident on the basis of its possible impact. Triage provides a snapshot of the current status of all incidents reported to assign resources in accordance with criticality.

Practice Question Set 6

Q. 1

Answer: C. The critical business processes are recovered and duplicated within the defined timeframe

Explanation: For the success of a recovery test, it is very important to ensure that all critical processes are successfully recovered and reproduced to support the business functions. This should be done within the defined timeframe. The other options do not directly indicate the success of the test.

Q. 2

Answer: A. All data and applications should be erased from the devices of the service provider

Explanation: It is of utmost importance to ensure the security of organizational data. After the completion of the test, all data and applications should be erased from the devices of the service provider. The other options are not as significant.

Q. 3

Answer: B. Periodically testing and improving the plan from the lessons learned

Explanation: Periodic testing will help the manager understand the capability of the plan. Any deficiency noted during the test should be immediately addressed. This will help improve the effectiveness of the plan. The other options are not as significant.

Q. 4

Answer: C. A full interruption test

Explanation: A full interruption test provides the best assurance to the security manager because it comes closest to an actual disaster. The primary site is completely shut down and operations are carried out from the recovery site as per the DRP.

Q. 5

Answer: A. Tested business continuity plan/disaster recovery plan

Explanation: The best indicator for incident risk management is a detailed and structured plan that is tested at periodic intervals. The other options are not as effective.

Q. 6

Answer: B. Simulation tests

Explanation: Out of all the above tests, a full interruption test is considered to be the most effective to determine the readiness of the BCP and DRP. However, in a full interruption test, business operations are impacted. In a simulation test, a roleplay is prepared for a disaster scenario and the adequacy of the DRP is determined. A simulation test is more effective compared to the checklist or walk-through tests.

Q. 7

Answer: A. Periodic testing of the incident response plan

Explanation: Periodic testing of the IRP helps to determine its effectiveness and identify its shortcomings. It helps to improve the plan by plugging deficiencies. The other options are good controls but are not as effective.

Q. 8

Answer: C. Periodic testing of the disaster recovery plan

Explanation: Periodic testing of the DRP will help to determine its effectiveness and identify whether it supports the current business processes and objectives. It helps to improve the plan by plugging deficiencies. The other options are good controls but are not as effective.

Q. 9

Answer: A. Restoration testing

Explanation: Restoration testing helps to determine the capability of the organization to restore data from the recovery site during a disaster. The success of a restoration test indicates that the organization is quite capable of recovering from the disaster as data drives the majority of business processes. The other options will not be meaningful if the recovery of data is questionable.

Q. 10

Answer: C. A parallel test

Explanation: Out of all the above tests, a full interruption test is considered the most effective to determine the readiness of the BCP and DRP. However, full interruption tests impact business operations. In both parallel tests and simulation tests, normal business operations are not impacted. In a parallel test, the recovery site is activated whereas in a simulation test, the recovery site is not activated. When the objective of the test is to not disturb the normal business operations, a parallel test is most effective followed by a simulation test.

Q. 11

Answer: D. In a parallel test, the recovery site is brought to operational readiness; this is not done in a simulation test

Explanation: The difference between a parallel test and a simulation test is that in a parallel test, the recovery site is activated, whereas in a simulation test, the recovery site is not activated. In both tests, a walk-through is performed and fictitious scenarios are used. Neither test impacts normal business operations. When the objective of the test is not to disturb normal business operations, a parallel test is considered the most effective followed by a simulation test.

Q. 12

Answer: D. The aggregate recovery activities exceed the acceptable interruption window

Explanation: The AIW is based on the maximum time the organization can be down before major financial impacts occur. If restoration does not occur within the AIW, then the test will not be considered a success. The SDO is the minimum level of service to be continued at the recovery site. If the level of service exceeds the expected SDO then this is a positive achievement. An old version of the operating system might cause a delay but is not a major issue.

Q. 13

Answer: C. It poses the risk that the plan will not work when needed

Explanation: A major challenge is that an untested plan may not work as expected when a disaster occurs. Testing of the plan helps to determine its effectiveness. The other options are secondary concerns.

Q. 14

Answer: D. Active participation by business management

Explanation: The most important factor for the success of the test is active participation by business management. Business process owners have a thorough understanding of processes and recovery priorities. To conduct a test, sufficient resources are required, which may not be possible without management support. The other options are secondary concerns.

Revision Questions

Q.1

Answer: A. Containing incidents to reduce the damage

Explanation: Containment means taking action to prevent the expansion of an incident. Incident response procedures primarily focus on containing the incident and minimizing damage. The other options also finally lead to minimizing damage.

Q.2

Answer: D. To control the impact

Explanation: The main objective of incident management is to minimize the impact and damage to the organization. Containment, root cause analysis, and eradication are steps used to minimize damage.

Q.3

Answer: D. Determining the category of the incident based on its likelihood and impact

Explanation: The first step is to determine the various categories of incidents based on their likelihood and impact. Based on the categorization, the other options, such as turnaround time, escalation process, and required resources, can be determined.

Q.4

Answer: D. Addressing the incident to control the impact to an acceptable level

Explanation: The main goal of an incident management process is to restrict incidents from growing into problems and problems growing into disasters. The restoration of disrupted processes is the objective of a disaster recovery procedure.

Q.5

Answer: A. Capability to detect the incident

Explanation: Timely detection of an incident is of utmost importance for an effective incident management process. The other options are not as significant.

Q.6

Answer: A. To determine whether a clear incident definition and criteria for severity exists

Explanation: The first step is to determine whether an organizational-level incident management procedure exists. If not, this should be established as a priority. The other options are secondary actions.

Q.7

Answer: A. To develop a structured communication channel

Explanation: An organization should have well-defined communication channels for timely communication of incidents to different stakeholders and external parties. The channel should support two-way communication, that is, employees should be able to communicate with the incident management team and management should be able to communicate with employees. Ineffective communication is a major challenge as incomplete or untimely communication causes hurdles in incident handling. The other options are not as significant.

Q.8

Answer: D. Repeated low-risk events

Explanation: In a risk-based approach, the focus is on high-risk events. A perpetrator may take advantage of this and concentrate on exploiting low-risk areas multiple times. Even though the impact will be small per incident, the accumulated damage may be much higher. Hence, it is also important to review the possibility of repeated occurrences of low-risk events.

Q.9

Answer: B. Start containment

Explanation: Containment means taking action to prevent the expansion of an incident. Incident response procedures primarily focus on containing the incident and minimizing damage. Disconnecting the server is the first part of the containment process. The other options are subsequent steps.

Q.10

Answer: C. An incident management plan

Explanation: The objective of an incident management plan is to not only recover from an incident that has already occurred but to also take action to prevent future incidents. An incident management plan should include a proactive security assessment to improve processes and reduce the chances of occurrences of incidents. BCPs and DRPs concentrate on activities to deal with business interruptions due to disasters. A BIA determines the critical processes of the organization.

Q.11

Answer: C. To determine the criticality of the affected services

Explanation: The business impact is best determined by knowing the criticality of the affected system. The other options will not help to determine the impact.

Q.12

Answer: A. Frequent testing of the plan and a dedicated team to provide oversight

Explanation: Testing the plan will help to understand the service provider's capability to address incidents. Also, it is important to have an oversight team to monitor the service provider's activities. Audit, structured communication channels, and documented plans are also important aspects, but in the absence of a tested plan, it is difficult to determine the service provider's capabilities.

Q.13

Answer: D. Meeting service delivery objectives

Explanation: An incident response procedure should support the SDO. The SDO is the extent of service and operational capability to be maintained during an incident. The other options are not as significant.

Q.14

Answer: C. The service delivery objectives

Explanation: The SDO is the extent of service and operational capability to be maintained from an alternative site. It is directly related to business needs and is the level of service to be attained during disaster recovery. This is influenced by business requirements. MTO and available budget are determined based on the SDO.

Q.15

Answer: B. Conduct a fresh business impact analysis and update the plan

Explanation: Generally, the MTO should be as long as the AIW. However, without conducting a BIA there is no way to determine whether it is the MTO or the AIW that is incorrect. Based on a fresh BIA, the AIW can be derived. The AIW is the maximum period of time for which normal operations of the organization can be down. After this point, the organization will start to face major financial difficulties threatening its existence. Based on the AIW, the MTO should be derived. The MTO is the maximum period of time that an organization can operate from an alternative site. Various factors affect the MTO, such as location availability, resource availability, raw material availability, and electric power availability at the alternative site. All these constraints should be addressed to ensure that the MTO is as long as the AIW.

Q.16

Answer: B. Optimizing risk management efforts

Explanation: Incident management is a component of risk management that focuses on the prevention and containment of the adverse impacts of incidents. Incident management does not remove threats. The other options are not the primary objectives of incident management.

Q.17

Answer: D. The business impact analysis

Explanation: A BIA determines the critical processes of the organization. Incident response activities are primarily focused on protecting the organization's critical processes. The other options do not impact the prioritization of incident response activities.

Q.18

Answer: C. The service delivery objectives

Explanation: A data restoration plan determines the amount of data that should be restored within a predefined limit. The extent of data restoration is primarily based on the SDO. The SDO is the extent of the service operational capability to be maintained from an alternative site. It is directly related to business needs and is the level of service to be attained during disaster recovery. This is influenced by business requirements.

Q.19

Answer: B. Key process documents at the alternative site

Explanation: Continuity can best be ensured if personnel who have to resume the key processes are aware of the procedure. If procedural documents are not available at the alternative site, it will hamper continuity arrangements. If key process documents are made available at the offsite location, they can be utilized by employees operating there during a disaster. These documents will also support employees who may not typically be involved in performing those functions. The other options are not as significant.

Q.20

Answer: A. The timelines for responses and what to do if no response occurs

Explanation: The objective of incident escalation is to state how long a team member should wait for an incident response and what to do if no such response occurs. Defined timeframes are important steps of an effective escalation process. The communication process can also be part of the escalation process, but a significant aspect is the timeframe. Determining the severity and impact is not part of escalation.

Q.21

Answer: A. The current status of all incidents reported

Explanation: Triage means deciding the order of treatment based on urgency. It is very important to prioritize an incident based on its possible impact. Triage provides a snapshot of the current status of all incidents reported so resources can be assigned in accordance with criticality. Triage does not focus on already resolved incidents and does not determine the appropriateness of the post-incident review procedure. Triage provides a view on both the tactical and strategic levels.

Q.22

Answer: B. Risk and impact analysis

Explanation: The objective of the escalation process is to highlight the issue to a higher authority in accordance with the risk perceived and the expected impact of the incident. For example, minor issues can be escalated to the manager, major issues can be escalated to the senior manager, and so on. A risk and impact analysis will be the basis for determining what authority levels need to respond to particular incidents.

Q.23

Answer: A. It detects, assesses, and prevents the reoccurrence of incidents

Explanation: The objective of an incident management program is the timely detection and containment of the incident and also to implement controls to prevent future occurrences. The other options are secondary aspects.

Q.24

Answer: C. The time between detection and response

Explanation: The readiness of the response team is best determined by the time between the detection of the incident and the response provided. The time required to detect incidents determines the control effectiveness. A response is more relevant compared to documentation and reporting to senior management.

Q.25

Answer: D. The escalation process is inadequately defined

Explanation: In the absence of a structured escalation process, there can be a substantial delay in handling the incident. This can have a huge adverse impact on business processes. The IT team is required to manage only incidents related to IT processes. The security policy is a high-level statement and is not required to include the details of the key process owner. Unstructured reporting is not a major concern compared to an inadequate escalation process.

Q.26

Answer: B. The business impact analysis

Explanation: A BIA is conducted to determine the business impact due to potential incidents. The following are the key elements of a BIA:

  • Analysis of business loss due to processes or assets not being available
  • Establishing escalation criteria for prolonged incidents
  • Prioritization of processes or assets for recovery

The other options do not directly consider the impact of the incident.

Q.27

Answer: A. Formal training

Explanation: As all team members are new, it is advisable to conduct formal training. Formal training involves a structured way of learning starting from basic concepts and moving to advanced-level learning. This helps everyone, even if they are from different backgrounds. On-the-job training and mentoring will be more relevant when the team is already established and has some senior and experienced members.

Q.28

Answer: A. The percentage of incidents resolved within the defined timeframe

Explanation: The effectiveness of an incident response team is best determined by the closure of incidents within the defined timeframe. Timely resolution helps to minimize the impact incidents have. The other options, by themselves, do not provide any indication of effectiveness.

Q.29

Answer: A. Eradication

Explanation: The dictionary meaning of eradication is "the complete destruction of something." To ensure complete destruction (so the incident does not reoccur), determining the root cause of the incident and addressing it is critical. Hence, the incident response team addresses the root cause during eradication.

Q.30

Answer: B. The recovery point objective

Explanation: The RPO is the extent of acceptable data loss. For example, an RPO of 2 hours indicates that an organization will not be overly impacted if it loses data for up to 2 hours. The RPO is used to determine the various factors of a backup strategy such as frequency and type of backup (that is, mirroring, tape backup, etc.).

Q.31

Answer: B. Business requirements

Explanation: The RTO is the extent of acceptable system downtime. It is primarily based on business requirements. Generally, business requirements are inclusive of legal requirements.

Q.32

Answer: C. The service delivery objective

Explanation: The SDO is the level of service and operational capability to be maintained from an alternative site. This is influenced by business requirements. Until the time a new offsite is available, the SDO should be kept at a lower level. The other options are not directly impacted by the new recovery site.

Q.33

Answer: B. Differences in the processing capacity load with the data center

Explanation: Due to a difference in capacity, the data center may not be able to handle the load of the other data centers during a disaster. This is an area of major concern. The other options can be addressed without much concern.

Q.34

Answer: A. To ensure the availability of the tool when a disaster occurs

Explanation: The area of most importance is the availability of the tool during a disaster. In the absence of the tool, it will be extremely difficult to implement business continuity procedures. The tool should be accessible from offsite locations also. The other options are not as serious.

Q.35

Answer: C. The service delivery objective

Explanation: The SDO is the level of service and operational capability to be maintained from an alternative site. It is directly related to business needs and is the level of service to be attained during disaster recovery. The other options are linked to SDO.

Q.36

Answer: A. To conduct a scenario-based structured walk-through

Explanation: A structured walk-through helps to understand the capability of the IRP to support the requirements of business continuity. The walk-through should include team members from the incident response and business continuity teams. It will help to identify gaps or misalignments between the plans.

Q.37

Answer: B. The recovery point objective

Explanation: The RPO is a measure of the user's tolerance to data loss. In other words, the RPO is the level of acceptable data loss. For example, an RPO of two hours indicates that an organization will not be overly impacted if it loses data for up to two hours.

The RPO is used to determine the various factors of the backup strategy such as frequency and type of backup (i.e., mirroring, tape backup, etc.).

Q.38

Answer: D. The extent of acceptable data loss

Explanation: The RPO is a measure of the user's tolerance to data loss. It is the level of acceptable data loss. For example, an RPO of two hours indicates that an organization will not be overly impacted if it loses data for up to two hours. The RPO is used to determine the various factors of a backup strategy such as frequency and type of backup (i.e., mirroring, tape backup, etc.). The extent of acceptable system downtime is indicated by the RTO. The acceptable level of service is determined by SDOs.

Q.39

Answer: A. A copy of the disaster recovery plan being maintained at the offsite facility

Explanation: If a copy of the DRP is not available during a disaster, business recovery will be seriously impaired. The other options are generally addressed satisfactorily through the BCP.

Q.40

Answer: A. To increase the recovery time objective

Explanation: The RTO refers to the time within which a system should be restored. If data is not available within the defined timeline then the system will not be restored in line with the RTO. In this case, it is advisable to increase the RTO. The AIW is based on the maximum time the organization can be down before major financial impacts occur. It cannot be adjusted. Adjusting the MTO or decreasing the security budget will not have any effect on the situation.

Q.41

Answer: B. All equipment at the hot site is provided at the time of disaster but is not available on the data center floor

Explanation: A hot site is a site already equipped with the required equipment and one that can be activated at any time. If equipment is not available on the floor then it does not meet the requirements of a hot site. A hot site can be arranged in another city. Many commercial providers arrange shared hot sites. Substitution with equivalent equipment is not a major concern.

Q.42

Answer: C. Variations in infrastructure and capacity between both organizations

Explanation: In a reciprocal arrangement, two organizations with similar capabilities and processing capacities agree to provide support to one another in the event of an emergency. If both organizations have different infrastructure and capacities then they may not be able to support the other organization properly in the event of a disaster. Recovery becomes difficult in such cases. This is an area of major concern for a reciprocal arrangement. The other options will not have a major impact on the recovery aspect.

Chapter 10: Incident Management Operations

Practice Question Set 1

Q. 1

Answer: A. Minimizing the impact of incidents

Explanation: Continuous monitoring helps to identify abnormalities in real time. This will help an information security manager take corrective action on an immediate basis and thereby control the impact of the incident. The other options are not the prime objectives of continuous monitoring.

Q. 2

Answer: D. The ability to handle stress amidst chaos

Explanation: The ability to stay calm and make appropriate decisions in stressful situations is the most important attribute of an incident handler. Any decision made by an individual who is unable to stay calm under pressure may not be in the best interests of the organization. The other options are secondary attributes of an incident handling team.

Practice Question Set 2

Q. 1

Answer: B. Applications being exposed to new viruses during the intervening week

Explanation: As a prudent practice, virus signature files should be updated on a daily basis to address the risk of new viruses. In this case, files are updated every week, which makes the application vulnerable to new viruses during the intervening week. The other options are secondary concerns.

Q. 2

Answer: D. Rebuilding the server with original media and subsequent patches

Explanation: It is recommended to rebuild a server with original media and update it with subsequent patches as a compromised server might have some hidden malicious files that cannot be detected through mere scanning. Discontinuing the use of the server or using it as a honeypot may not be a feasible option. There is no harm in using the server after rebuilding it with original media.

Q. 3

Answer: B. Check intrusion detection system logs and monitor for any active attacks

Explanation: An information security team should verify IDS logs and continue to monitor the situation. The other options are not relevant at this point. Updating the IDS could cause further temporary exposure until the time the updated version is properly tuned.

Q. 4

Answer: C. A time server

Explanation: A time server provides common time to all connected servers and applications. The time element is very important during a forensic investigation. The other options will not directly assist in log review and correlation.

Q. 5

Answer: B. Invalid login attempts

Explanation: As the password was guessed, there will be multiple attempts to gain access. These attempts are recorded in an invalid login log. Analyzing the logs for invalid login attempts can lead to the discovery of this unauthorized activity. The other options will not directly give indications about an unauthorized attempt. For a shared account, concurrent use is common, hence reviewing concurrent logins will not be helpful.

Q. 6

Answer: C. Monitoring the probe and isolating the affected segment

Explanation: In the case of probing, it is advisable to monitor the situation and isolate the network being probed. The other options are not warranted.

Q. 7

Answer: D. The impact of the incident and corrective action taken

Explanation: Senior management is more interested in the impact caused by the breach as well as the corrective actions taken to minimize the damage and prevent reoccurrence. The other options may not be relevant at this point in time.

Q. 8

Answer: B. To management after determining the severity of the incident

Explanation: The security manager is required to communicate the details of the incident along with its severity and impact to management. Generally, communication to the regulator and insurance company is handled by the legal and compliance team. Management will take the call for legal proceedings and the security manager is not expected to directly report to legal.

Practice Question Set 3

Q. 1

Answer: C. Implement structured backup procedures

Explanation: The most effective method to control damage due to a ransomware attack is to implement a structured backup procedure. Generally, an organization adopts air gap backups. The air gap technique is a backup and recovery strategy. It means that at any given time, a copy of the organization's sensitive data is offline, disconnected, and inaccessible from the internet. This makes it impossible for hackers to remotely access the data.

Q. 2

Answer: B. Preserving evidence

Explanation: Preserving evidence is the most crucial aspect while containing any incident. If evidence is destroyed, it may not be possible to identify the attacker or to determine the root cause of the incident. Root cause analysis is not conducted before containment. Meeting the recovery time objective (RTO) should not be at the cost of evidence. Informing senior management is not as important as preserving evidence.

Q. 3

Answer: C. Preserving forensic evidence

Explanation: Preserving evidence is the most crucial aspect while containing any incident. If the evidence is destroyed, it may not be possible to identify the attacker or to determine the root cause of the incident. Meeting the RTO should not come at the cost of evidence. The other options are not as significant.

Q. 4

Answer: D. Preventing traffic from reaching the attacker's servers

Explanation: The first step should be to block all traffic moving to the attacker's server. This should be done immediately. Containment will limit the damage. The other options are subsequent steps.

Q. 5

Answer: A. To isolate the systems that are affected from the network

Explanation: In the given situation, the first step is to contain the impact of the incident by isolating the affected computers. Ransomware spreads quickly and if not contained can destroy more systems. The other options are subsequent steps.

Practice Question Set 4

Q. 1

Answer: A. The detailed process on when and how to communicate with stakeholders

Explanation: The primary objective of a communication plan is to educate employees on their roles and responsibilities with respect to the communication process. It includes processes such as who should authorize the communication, who should communicate, how to communicate, whom to communicate with, and what to communicate. Having a structured communication process improves the effectiveness of incident response during an incident. The other options may be part of the overall communication process.

Q. 2

Answer: D. Improvements in incident response

Explanation: The primary objective of a communication plan is to educate employees on their roles and responsibilities with respect to the communication process. It includes processes such as who should authorize the communication, who should communicate, how to communicate, whom to communicate with, and what to communicate. Having a structured communication process improves the effectiveness of incident response during an incident. Compliance with laws and regulations and providing updates on status to management are secondary aspects. Having a communication plan does not directly impact the security posture of the organization.

Q. 3

Answer: C. Effective communication with stakeholders

Explanation: The primary goal of a communication plan is to educate employees on their roles and responsibilities with respect to the communication process. It includes processes such as who should authorize the communication, who should communicate, how to communicate, whom to communicate with, and what to communicate. Having a structured communication process can improve the effectiveness of incident response during an incident.

Practice Question Set 5

Q. 1

Answer: C. Before image restoration

Explanation: The before image is a copy of the data made before the disruption. It is the point from which data is corrupted or not available. To get the database updated, data processed after this point should be restored. The other options will not provide an updated and correct database.
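As an added example, not code from the book, the recovery described above: start from the before image, then re-apply the transactions journaled after the snapshot point. The before image, the journal and their field names are constructed assumptions; the gap handling shows what happens when the journal is incomplete, which is where the data loss to compare against the RPO comes from.

```python
# Added example: restoring a table from a before image plus roll-forward of
# the transaction journal. All data and the record format are constructed.

# Before image: a copy of the rows taken at journal sequence number 100,
# i.e. before the disruption.
BEFORE_IMAGE = {"snapshot_seq": 100, "rows": {"acct-1": 500, "acct-2": 120}}

# Journal entries recorded around the snapshot, one per committed change.
JOURNAL = [
    {"seq": 99,  "op": "set",    "key": "acct-1", "value": 500},  # already in the image
    {"seq": 101, "op": "set",    "key": "acct-2", "value": 150},
    {"seq": 102, "op": "delete", "key": "acct-1"},
    {"seq": 103, "op": "set",    "key": "acct-3", "value": 40},
]


def restore_from_before_image(before_image, journal):
    """Return (rows, last_applied_seq, unrecoverable_seqs).

    Start from the before image and re-apply journal entries recorded after
    the snapshot point, in sequence order. Entries at or before the snapshot
    are already reflected in the image and are ignored. A gap in the sequence
    means the journal is incomplete from that point on: replay stops there and
    the later entries are reported as unrecoverable instead of being applied
    out of order, which would corrupt the restored data.
    """
    rows = dict(before_image["rows"])
    last = before_image["snapshot_seq"]
    unrecoverable = []
    for entry in sorted(journal, key=lambda e: e["seq"]):
        if entry["seq"] <= last:
            continue  # already part of the before image
        if unrecoverable or entry["seq"] != last + 1:
            unrecoverable.append(entry["seq"])  # gap reached: stop applying
            continue
        if entry["op"] == "set":
            rows[entry["key"]] = entry["value"]
        elif entry["op"] == "delete":
            rows.pop(entry["key"], None)
        else:
            raise ValueError(f"unknown journal op {entry['op']!r}")
        last = entry["seq"]
    return rows, last, unrecoverable


def restore_with_gap():
    """Same restore with journal entry 102 missing (constructed failure case)."""
    partial = [e for e in JOURNAL if e["seq"] != 102]
    return restore_from_before_image(BEFORE_IMAGE, partial)


if __name__ == "__main__":
    print(restore_from_before_image(BEFORE_IMAGE, JOURNAL))
    print(restore_with_gap())
```

With the full journal every change after the snapshot is replayed; with entry 102 missing, replay stops at 101 and entry 103 is the realized data loss.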

Q. 2

Answer: A. The recovery time objective

Explanation: The RTO is the extent of acceptable system downtime. After this time, the system should be up and functioning. An RTO can be set as per the service delivery objective (SDO) or at the level of normal business transactions. For example, a banking system is required to be live and available 24 hours per day. This is normal business. The service delivery objective is 8 hours per day (i.e., 8 hours per day is a must for the survival of the business). It will take 2 days to make the system available for 8 hours and 5 days to make the system available for 24 hours.

If the bank sets its RTO to achieve its SDO, its RTO is 2 days. If the bank sets its RTO to achieve full normal transactions, its RTO is 5 days.

Q. 3

Answer: B. Scanning the entire network and systems to remove and clean up any malware

Explanation: The objective of eradication is to identify and correct the root cause that led to the incident. Once containment efforts have been implemented successfully, eradication should be appropriately planned and performed. The following are some of the activities performed during eradication:

  • Root cause analysis
  • Updating the firewall and anti-virus to address any gaps
  • Scanning the system to determine whether any vulnerabilities remain unnoticed

Option A is containment. Option C is the recovery phase. Option D is the post-incident review.

Q. 4

Answer: C. Eradicate malware from the network

Explanation: The objective of the containment process is to stop the spread of the incident. The phase after containment is eradication, which has the objective of identifying and correcting the root cause that led to the incident. Once containment efforts have been implemented successfully, eradication should be appropriately planned and performed. The following are some activities performed during eradication:

  • Root cause analysis
  • Updating the firewall and anti-virus to address any gaps
  • Scanning the system to determine whether any artifacts are still left unnoticed

Practice Question Set 6

Q. 1

Answer: D. Implementing a security information and event management (SIEM) system to automate log analysis

Explanation: SIEMs help to identify incidents through log analysis on the basis of predefined rules. SIEMs can provide information on policy compliance as well as incident monitoring and other capabilities. If properly deployed, configured, and tuned, a SIEM substantially reduces the time needed for the detection of incidents compared to manual log reviews. The other options are not as effective.

Q. 2

Answer: D. An EDR is capable of performing forensic analysis and identification of emerging threats and suspicious activities

Explanation: An EDR is an advanced solution that integrates the functions of an antivirus, a firewall, whitelisting tools, monitoring tools, and so on. In addition to file analysis and threat detection, EDR solutions have inbuilt machine learning capabilities to perform forensic analysis and identify emerging threats and suspicious activities. The other options are secondary aspects.

Q. 3

Answer: C. Restoring the system to normal operations

Explanation: After successful containment and eradication of an incident, the next phase is recovery. The objective of the recovery phase is to ensure that the business is brought back to its original state by restoring the impacted systems.

Practice Question Set 7

Q. 1

Answer: A. To have an independent and objective review of the root cause of the incident

Explanation: It is always advisable to involve a third party in a post-incident review to avoid any conflict of interest. The involvement of a third party will help the organization gain an independent and objective review of the cause of the incident. Involving a third party will generally increase the cost. The availability of expert service is one of the advantages but not a prime factor of involving a third party. Lessons learned can be identified through an in-house team as well.

Q. 2

Answer: D. The expertise of the investigators

Explanation: Forensic investigation is the process of gathering and analyzing all crime-related evidence to conclude an event. Investigators analyze the hard drives, computers, or other technology to establish how a crime took place. The most important element of forensic investigation is the expertise of the employees performing the investigation. The other options are secondary aspects. The involvement of legal experts depends on the nature of the investigation.

Q. 3

Answer: A. Assigning the job to a qualified person

Explanation: Forensic investigation is the process of gathering and analyzing all crime-related evidence in order to conclude an event. Evidence will be accepted in legal proceedings only if it is proved that the integrity of the evidence has not been compromised. Hence, it is of utmost importance that the evidence is handled only by a qualified person. An end user is not qualified to take an image copy. Evidence can be stored anywhere provided the appropriate controls are in place to safeguard its integrity. The involvement of law enforcement is not mandatory while collecting evidence.

Q. 4

Answer: B. Establishing the chain of custody log

Explanation: Chain of custody is a legal term referring to the order and manner in which evidence is handled to ensure the integrity of the evidence and its admissibility in a court of law. The first step should be to determine and safeguard the integrity of the hard drive. The other options are important steps but must be completed after the chain of custody is established.

Q. 5

Answer: A. To determine the lessons learned to improve the process

Explanation: The objective of a post-incident review is to learn from each incident and improve the organization's response and recovery procedures. Lessons learned during incident management can best be used to inform the overall improvement of the security posture of the organization as well as the incident management process. The other options are secondary aspects.

Q. 6

Answer: B. To identify the lessons learned

Explanation: The objective of a post-incident review is to learn from each incident and improve the organization's response and recovery procedures. Lessons learned during incident management can best be used to inform the overall improvement of the security posture of the organization as well as the incident management process. The other options are secondary aspects.

Q. 7

Answer: B. Copying a bit-by-bit image from the original media to new media

Explanation: The first step is to create a copy of the original media by copying its bit-by-bit image into new media. This is very important to ensure that all analysis is performed on the copy drive and not on the original drive. A simple backup may not be able to copy 100 percent of the data, such as erased or deleted files and the data in the slack space. The other options are subsequent steps.

Q. 8

Answer: B. Chain of custody

Explanation: Chain of custody is a legal term referring to the order and manner in which evidence is handled to ensure its integrity and its admissibility in a court of law. The first step should be to determine and safeguard the integrity of the hard drive. The other options are secondary aspects.

Q. 9

Answer: D. Whether the chain of custody was maintained

Explanation: Chain of custody is a legal term referring to the order and manner in which evidence is handled to ensure the integrity of the evidence and its admissibility in a court of law. The most important aspect is to determine the integrity of the evidence. The other options are secondary aspects.

Q. 10

Answer: B. To conduct an assessment to determine the system status

Explanation: The first step should be to determine the status of the system in terms of damage and other impacts. This status will help the security manager determine the subsequent course of action. Penetration testing and notifying law enforcement are subsequent actions. Isolating the firewall after the incident will not provide any benefit.

Q. 11

Answer: B. The suspected hard drive was kept in a tape library for further analysis

Explanation: In cases where a hard drive is stored in a tape library, the chain of custody cannot be verified as many individuals would have access to the library. It is not mandatory to remove the disk in the presence of the law enforcement agency. Storing the hard drive in a safe and handing it over to an authorized investigator does not violate the chain of custody.

Q. 12

Answer: C. Taking an image copy of the media

Explanation: The next step should be to take an image copy of the media. An analysis should be performed on the copy and not on the original media. Preserving the evidence and maintaining the chain of custody are very important factors to ensure legal admissibility. Documentation and notification to law enforcement are subsequent steps. Scraping the server will result in the destruction of the evidence.

Q. 13

Answer: B. Preserving the integrity of the evidence

Explanation: It is of utmost importance to demonstrate the integrity of evidence to have it recognized in legal proceedings. The other options do help the investigation process but are not relevant to the admissibility of evidence.

Q. 14

Answer: A. A bit-level copy of the server

Explanation: Analysis should not be conducted on the original affected server. This may impact the integrity of the evidence. Analysis should be performed on a bit-level copy of the server. A bit-level copy image supports the integrity and quality of forensic evidence in a way that is admissible in a court of law. The other options will not provide a quality, exact image for investigative work.

Q. 15

Answer: C. To improve the response process

Explanation: The objective of a post-incident review is to learn from each incident and improve the organization's response and recovery procedure. Lessons learned during the incident management process can best be used to inform the overall improvement of the security posture of the organization as well as the incident management process. The other options are secondary aspects.

Q. 16

Answer: C. Proven forensic processes are applied

Explanation: The admissibility of evidence in legal proceedings depends on what processes are used to collect, analyze, and preserve the evidence. Proven forensic processes help with the admissibility of evidence.

Q. 17

Answer: B. Locating the evidence and preserving the integrity of the evidence

Explanation: The priority should be locating the electronic evidence and preserving its integrity. The other options are secondary aspects.

Q. 18

Answer: A. The use of specially drafted messages by an authorized person

Explanation: It is always advisable to provide details that are preapproved by senior management. Any unnecessary information may create havoc and impact the reputation of the organization.

Q. 19

Answer: D. To prevent the loss of data available in the volatile memory

Explanation: Disconnecting the power may result in the loss of data stored in the volatile memory. This data may be critical for the investigation and for understanding the impact of the incident. Disconnecting power will generally not impact the safety of hard drives or cause a loss of the data in the server logs and will help contain the spread. However, instead of disconnecting, the computer should be isolated from the network.

Q. 20

Answer: C. The file contents have been overwritten multiple times

Explanation: Overwriting the file makes it the most difficult to recover the data. Even highly specialized tools may not be able to recover overwritten files in some instances. Deleted files that have not been overwritten can easily be retrieved using forensic tools. Formatted disks and deleted partition tables can also be recovered.

Practice Question Set 8

Q. 1

Answer: A. To build business cases

Explanation: One of the important challenges of implementing a SIEM is to reduce false positive alerts. The most effective way to reduce false positive alerts is to develop business use cases. Business use cases document the entire workflow, which provides the required results. In this scenario, business cases would focus on the ability of a SIEM to analyze the logs for known threats. The other options are components to develop the business case.

Q. 2

Answer: A. SIEM supports compliance with security policies

Explanation: SIEM helps to identify incidents through log analysis on the basis of predefined rules. SIEM can provide information on policy compliance as well as incident monitoring and other capabilities if properly deployed, configured, and tuned. SIEM is not meant to reduce the residual risk, replace the firewall, or promote compensating controls.

Q. 3

Answer: B. A security information and event management system

Explanation: A SIEM system collects data from various sources and analyzes it for possible security events. The SIEM system can detect attacks by signature- or behavior-based (heuristics) analysis. Further, SIEM has the capability to perform a granular assessment, can highlight developing trends, and can alert the risk practitioner for an immediate response. SIEM is the most effective method to determine aggregate risk from different sources. The other options are not as effective.

Revision Questions

Q.1

Answer: A. The application support team

Explanation: SQL injection is an application-based attack. An application support team will be in the best position to determine any unauthorized activity with respect to an application database. The business process owner will be able to discuss the attack only if it has a major impact on business processes. Because SQL injection is an application-based attack, the network security team and the incident response team will not be able to assess the possible impact.

Q.2

Answer: D. It provides evidence of due diligence to support legal and liability claims

Explanation: A structured incident management process supports the legal and liability claims as evidence is formally documented and handled in a methodical way. The other options are secondary aspects.

Q.3

Answer: C. Path of the virus's entry

Explanation: It is most important for a security manager to understand the entry path of the virus. The first step is to determine the entry path so that the investigation can identify which controls failed. This loophole should be addressed at the earliest to prevent a recurrence.

Q.4

Answer: B. To determine the lessons learned

Explanation: On the basis of observations noted by staff involved in disaster recovery tests, the areas of improvement can be determined. This will help improve the effectiveness of the test. The other options are secondary aspects.

Q.5

Answer: D. An effective communication and reporting process

Explanation: A structured communication and reporting process is an important aspect to ensure that incidents are reported in a timely manner to the incident response team. Timely reporting will help in a prompt response. An intrusion detection system may not be able to detect and report incidents that are not related to IT. The capability of the help desk team is also an important aspect; however, without reporting from end users, the help desk team will not be able to detect the incident. Determining the severity level is a secondary aspect compared to the communication and reporting process.

Q.6

Answer: C. Creating hashes for the original and the image

Explanation: After a bit-by-bit copy is created, the next step is to generate the hash value for both the original drive as well as the copied drive. A hash value is a fixed value derived from the content. If the content changes, the hash value also changes. Both the hash values should be compared to ensure that the copy is complete, correct, and accurate. Analysis should start only after ensuring that the copy is an exact replica of the original. Tool validation should have happened prior to initiating the copy. Encrypted images cannot be analyzed.

Q.7

Answer: C. Analysis

Explanation: The next step should be to analyze the vulnerability with respect to the possibility of exposure, possible impact, applicable threat factors, and other relevant factors. The identification of a vulnerability does not necessarily mean that an incident has occurred. Containment and eradication are steps to be taken after the occurrence of an incident. Reporting is to be done after analysis.

Q.8

Answer: D. The defined responsibilities

Explanation: If responsibilities for the service provider and the service receiver are defined and documented, it will help in the smooth execution of processes. In the event of operational issues, responsibility ownership will help to determine the course of action. The other options are secondary aspects for resolving operational issues.

Q.9

Answer: A. Creating a bit-by-bit image of the hard drive

Explanation: To the extent possible, forensic analysis should not be performed on original media. It may impact the integrity of the evidence. The best way is to create a bit-by-bit image of the original media. A bit-by-bit image will ensure that erased or deleted files and any data in slack space are also copied. A logical copy will only copy the files and folders and may not copy the other necessary data to properly examine the hard drive for forensic evidence. Encryption is not required.

Q.10

Answer: D. Traceability of control

Explanation: Traceability of control refers to demonstrating who had control of the evidence throughout the process. It indicates the proper chain of custody. The other options are secondary aspects.

Q.11

Answer: B. To record the progress of incident response and document the exceptions

Explanation: The documentation of incident history helps to keep a record of the incident starting from detection until closure. This helps to determine whether all related aspects of incident management are performed appropriately as per the defined process and timelines. Exceptions, if any, are discussed and deliberated and appropriate actions are taken. The other options are secondary aspects.

Q.12

Answer: C. Improvements in identification

Explanation: A structured method of monitoring helps in the early detection of incidents. In the absence of any monitoring process, an incident may go undetected and can have a major impact on business processes. Monitoring will help to improve the identification of threats and vulnerabilities. Implementing a monitoring process may increase the security budget. Monitoring does not impact risk appetite. Compliance with the security policy is a secondary aspect.

Q.13

Answer: C. A hash value should be generated from both the original as well as the copy

Explanation: After a bit-by-bit copy is created, the next step is to generate hash values for both the original drive as well as the copied drive. A hash value is a fixed value derived from the content. If the content changes, the hash value also changes. Both the hash values should be compared to ensure that the copy is complete, correct, and accurate. Analysis should start only after ensuring that the copy is an exact replica of the original. It is not necessary to have the same disk model. It is good practice to have two copies, but creating a hash value is more important. Restoration is not relevant when evaluating evidence.
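An added illustration, not from the book, of the verification step described in Q.6 and Q.13 and of why Q.9 prefers a bit-by-bit image over a logical copy: a constructed tiny "device" is imaged both ways, and the SHA-256 of the original is compared with that of each copy. The sector layout, file names and contents are invented for the example.

```python
import hashlib

# Constructed sample media: a tiny raw device laid out as fixed-size sectors.
# Layout and contents are invented for this example.
SECTOR = 16
DEVICE = (
    b"BOOT-SECTOR.....".ljust(SECTOR, b"\x00")              # sector 0: boot/metadata
    + b"report.txt:salary data".ljust(2 * SECTOR, b"\x00")  # sectors 1-2: live file, slack after it
    + b"DELETED:secret.key=abcd".ljust(2 * SECTOR, b"\x00") # sectors 3-4: unlinked (deleted) file, bytes still on disk
    + b"\x00" * SECTOR                                      # sector 5: unallocated
)
# Directory entries: name -> (first sector, length in bytes). Only live files are listed,
# which is all a simple backup or logical copy can see.
DIRECTORY = {"report.txt": (1, len(b"report.txt:salary data"))}


def bit_by_bit_image(device: bytes) -> bytes:
    """Physical (forensic) image: every byte of the media, including slack and unallocated space."""
    return bytes(device)


def logical_copy(device: bytes, directory: dict) -> bytes:
    """Simple backup: copies only the bytes that live files occupy."""
    out = b""
    for _name, (first_sector, length) in directory.items():
        start = first_sector * SECTOR
        out += device[start:start + length]
    return out


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(original: bytes, image: bytes) -> bool:
    """Hash the original and the copy independently and compare.
    Analysis should begin only when this returns True."""
    return sha256_hex(original) == sha256_hex(image)


def contains_deleted_data(image: bytes) -> bool:
    """Deleted-file content survives only in a full physical image."""
    return b"DELETED:secret.key" in image


if __name__ == "__main__":
    full = bit_by_bit_image(DEVICE)
    partial = logical_copy(DEVICE, DIRECTORY)
    print("bit-by-bit image matches original:", verify_image(DEVICE, full))
    print("logical copy matches original:    ", verify_image(DEVICE, partial))
    print("deleted data recoverable from image:", contains_deleted_data(full))
```

Flipping a single bit in the image makes verify_image() return False, which is exactly why the two hashes are recorded before analysis and rechecked afterwards.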

Q.14

Answer: B. Prevent contamination of the evidence

Explanation: For legal proceedings, the integrity of evidence is of utmost importance. Hence, the first step in such a situation is to prevent contamination or alteration of the evidence. The other options are subsequent actions.
