When an organization hires a new information security manager, which of the following goals should this individual pursue first?

Let's get started!

This free practice quiz includes questions from ISACA®'s test prep solutions that are at the same level of difficulty you can expect on ISACA's official CISM exam.

  1. A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will be responsible for evaluating the results and identified risk. Which of the following would be the BEST approach for the information security manager?

    1. Acceptance of the business manager’s decision on the risk to the corporation

      The business manager is likely to be focused on getting the business done as opposed to the risk posed to the organization.

    2. Acceptance of the information security manager’s decision on the risk to the corporation

      The typical information security manager is focused on risk, and on average, he/she will overestimate risk by about 100 percent—usually considering worst case scenarios rather than the most probable events.

    3. Review of the risk assessment with executive management for final input

      Executive management will be in the best position to consider the big picture and the trade-offs between security and functionality in the entire organization.

    4. Create a new risk assessment and BIA to resolve the disagreement

      There is no indication that the assessments are inadequate or defective in some way; therefore, repeating the exercise is not warranted.

  2. Who is accountable for ensuring that information is categorized and that specific protective measures are taken?

    1. The security officer

      The security officer supports and implements information security to achieve senior management objectives.

    2. Senior management

      Routine administration of all aspects of security is delegated, but top management must retain overall accountability.

    3. The end user

      The end user does not perform categorization.

    4. The custodian

      The custodian supports and implements information security measures as directed.

  3. Abnormal server communication from inside the organization to external parties may be monitored to:

    1. record the trace of advanced persistent threats

      The most important feature of targeted attacks, as seen in advanced persistent threats, is that malware secretly sends information back to a command and control server. Therefore, monitoring outbound server communications that do not follow predefined routes is the best control to detect such security events.

    2. evaluate the process resiliency of server operations

      Server communications are usually not monitored to evaluate the resiliency of server operations.

    3. verify the effectiveness of an intrusion detection system

      The effectiveness of an intrusion detection system may not be verified by monitoring outbound server communications.

    4. support a nonrepudiation framework in e-commerce

      Nonrepudiation may be supported by technology, such as a digital signature. Server communication itself does not support the effectiveness of an e-commerce framework.

  4. Which of the following authentication methods prevents authentication replay?

    1. Password hash implementation

      A password hash does not, by itself, stop an attacker who captures the authentication handshake from replaying it through the network. Using hashes alone will not prevent a replay.

    2. Challenge/response mechanism

      A challenge/response mechanism prevents replay attacks by sending a different random challenge in each authentication event. The response is linked to that challenge.

    3. Wired equivalent privacy encryption usage

      A wired equivalent privacy key will not prevent sniffing, although it will take the attacker longer to break the WEP key if he/she does not already have it. Therefore, it will not prevent recording and replaying an authentication handshake.

    4. Hypertext Transfer Protocol basic authentication

      Hypertext Transfer Protocol basic authentication is cleartext and has no mechanisms to prevent replay.

  5. IT-related risk management activities are MOST effective when they are:

    1. treated as a distinct process

      IT risk is part of the broader risk landscape and must be integrated into overall risk management activities.

    2. conducted by the IT department

      To ensure an objective, holistic approach, IT risk management must be addressed on an enterprisewide basis, making it separate from the IT department.

    3. integrated within business processes

      IT is an enabler of business activities, and to be effective, it must be integrated into business processes.

    4. communicated to all employees

      Communication alone does not necessarily correlate with successful execution of the process.

  6. Which of the following is the BEST way to detect an intruder who successfully penetrates a network before significant damage is inflicted?

    1. Perform periodic penetration testing

      Penetration testing will not detect an intruder.

    2. Establish minimum security baselines

      Security baselines set minimum security levels but are not related to detecting intruders.

    3. Implement vendor default settings

      Implementing vendor default settings does not detect intruders and is not a good idea.

    4. Install a honeypot on the network

      Honeypots attract hackers away from sensitive systems and files. Because honeypots are closely monitored, the intrusion is more likely to be detected before significant damage is inflicted.

  7. Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?

    1. User ad hoc reporting is not logged

      Although the lack of logging for user ad hoc reporting is not necessarily good, it does not represent as serious a security weakness as the failure to install security patches.

    2. Network traffic is through a single switch

      Routing network traffic through a single switch is not unusual.

    3. Operating system security patches have not been applied

      The fact that operating system security patches have not been applied is a serious weakness.

    4. Database security defaults to ERP settings

      Database security defaulting to the enterprise resource planning system’s settings is not as significant.

  8. In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources?

    1. Implementing on-screen masking of passwords

      Implementing on-screen masking of passwords is desirable but will not be effective in reducing the likelihood of a successful social engineering attack.

    2. Conducting periodic security awareness programs

      Social engineering can best be mitigated through periodic security awareness training for users who may be the target of such an attempt.

    3. Increasing the frequency of password changes

      Increasing the frequency of password changes is desirable but will not be effective in reducing the likelihood of a successful social engineering attack.

    4. Requiring that passwords be kept strictly confidential

      Requiring that passwords be kept secret in security policies is a good control but is not as effective as periodic security awareness programs that will alert users of the dangers posed by social engineering.

  9. The postincident review of a security incident revealed that there was a process that was not monitored. As a result, monitoring functionality has been implemented. Which of the following may BEST be expected from this remediation?

    1. Reduction in total incident duration

      Monitoring may cause incident durations to become longer as each event is investigated and possibly escalated for further remediation.

    2. Increase in risk tolerance

      Risk tolerance is a determination made by senior management based on the results of a risk analysis and the amount of risk senior management believes the organization can manage effectively. Risk tolerance will not change from implementation of a monitoring process.

    3. Improvement in identification

      When a key process is not monitored, that lack of monitoring may lead to a security vulnerability or threat going undiscovered, resulting in a security incident. Once consistent monitoring is implemented, identification of vulnerabilities and threats will improve.

    4. Facilitation of escalation

      Monitoring itself is simply an identification and reporting tool; it has little bearing on how information is escalated to other staff members for investigation and resolution.

  10. To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs?

    1. Database server

      The database server would not assist in the correlation and review of the logs.

    2. Domain name server

      The domain name server would not assist in the correlation and review of the logs.

    3. Time server

      To accurately reconstruct the course of events, a time reference is needed, and that is provided by the time server.

    4. Proxy server

      The proxy server would not assist in the correlation and review of the logs.

Remember: these questions are a small preview of what you can expect on exam day. The official CISM exam has 150 questions.

Which of the following should be the first step in developing an information security plan?

Steps to create an information security plan:

  1. Perform a regulatory review and landscape assessment. Your firm must first perform a regulatory review, as all businesses have requirements coming from oversight bodies. ...
  2. Specify governance, oversight and responsibility. ...
  3. Take inventory of assets.

Which of the following should be done first when implementing an information security strategy?

Which of the following should be the FIRST step in developing an information security plan? Prior to assessing technical vulnerabilities or levels of security awareness, an information security manager needs to gain an understanding of the current business strategy and direction.

When an information security manager is developing a strategic plan for information security the timeline for the plan should be?

When an information security manager is developing a strategic plan for information security, the timeline for the plan should be three to five years for both hardware and software.

Which of the following is the best approach to obtain senior management commitment to the information security program?

Other notes: efforts to reduce risk must be balanced against the cost and impact to the business; the aim is to mitigate threats while supporting the ultimate business goal.