What is the BEST method to verify that all security patches applied to servers were properly documented?

Trace OS patch logs to change control requests

Who is responsible for raising awareness of the need for adequate funding to support risk mitigation plans?

Information security manager

An information security manager must understand the relationship between information security and business operations in order to:
A. support organizational objectives.
B. determine likely areas of noncompliance.
C. assess the possible impacts of compromise.
D. understand the threats to the business.

A. support organizational objectives.

Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?

Encrypting with the sender's private key ensures authentication. By being able to decrypt with the sender's public key, the receiver knows that the message was sent by the sender only, and the sender cannot deny (repudiate) the message.

The PRIMARY goal of developing an information security program is to:

The development of an information security program is usually seen as a manifestation of the information security strategy. Thus, the goal of developing the information security program is to implement the strategy.

An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. The vulnerability identified is:

The authentication process is broken because, although the session is valid, the application should reauthenticate when the input parameters are changed. The review provided valid employee IDs, and valid input was processed. The problem here is the lack of reauthentication when the input parameters are changed.

Which of the following BEST indicates senior management commitment toward supporting information security?

Management sign-off on risk management methodology helps in performing the entire risk cycle.

Minimum standards for securing the technical infrastructure should be defined in a security:

Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place.

The PRIMARY focus of information security governance is to:

Optimize the information security strategy to achieve business objectives. Governance ensures that business objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans.

When performing an information risk analysis, an information security manager should FIRST:

Assets must be inventoried before any of the other choices can be performed.

Which of the following roles is MOST appropriately responsible for ensuring that security awareness and training material is effectively deployed to reach the intended audience?

The information security department oversees the information security program. This includes ensuring that training reaches the intended audience.

When should a request for proposal (RFP) be issued?

Prior to developing a project budget

Senior management commitment and support for information security can BEST be enhanced through:

Periodic review of alignment with business management goals. Ensuring that security activities continue to be aligned with and support business goals is critical to obtaining senior management's support.

Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process?

System users, specifically the user acceptance testers, would be in the best position to note whether new exposures are introduced during the change management process. The system designer or system analyst, data security officer and operations manager would not be as closely involved in testing code changes.

Which of the following is an indicator of effective governance?

A risk management program is a key component of effective governance.

The development of an information security program begins with:

an effective information security strategy.

Which of the following is the MOST usable deliverable of an information security risk analysis?

Assignment of risks to process owners

Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?
A. Defining job roles
B. Performing a risk assessment
C. Identifying data owners
D. Establishing data retention policies

Identifying the data owners is the first step, and is essential to implementing data classification. Defining job roles is not relevant. Performing a risk assessment is important, but will require the participation of data owners (who must first be identified).

Which of the following is the BEST tool to maintain the currency and coverage of an information security program within an organization?
A. The program's governance oversight mechanisms
B. Information security periodicals and manuals
C. The program's security architecture and design
D. Training and certification of the information security team

A. The program's governance oversight mechanisms

Relationships among security technologies are BEST defined through which of the following?
A. Security metrics
B. Network topology
C. Security architecture
D. Process improvement models

Security architecture explains the use and relationships of security mechanisms. Security metrics measure improvement within the security practice but do not explain the use and relationships of security technologies. Process improvement models and network topology diagrams also do not describe the use and relationships of these technologies.

The BEST strategy for risk management is to:
A. achieve a balance between risk and organizational goals.
B. reduce risk to an acceptable level.
C. ensure that policy development properly considers organizational risks.
D. ensure that all unmitigated risks are accepted by management.

B. reduce risk to an acceptable level.

An information security manager reviewing firewall rules will be MOST concerned if the firewall allows:
A. source routing.
B. broadcast propagation.
C. unregistered ports.
D. nonstandard protocols.

A. source routing.

Obtaining senior management support for an information security initiative can BEST be accomplished by:
A. developing and presenting a business case.
B. defining the risk that will be addressed.
C. presenting a financial analysis of benefits.
D. aligning the initiative with organizational objectives.

A. developing and presenting a business case. A business case encompasses the other options and specifically addresses each of them.

D. demonstrate support for desired outcomes.

What is the primary purpose of using risk analysis within a security program?

Explanation: Risk analysis explores the degree to which an asset needs protecting so this can be managed effectively.

Which of the following should a successful information security management program use to determine the amount of resources devoted to mitigating exposures?

Risk analysis results are the most useful and complete source of information for determining the amount of resources to devote to mitigating exposures.

Which of the following situations presents the greatest information security risk for an organization with multiple but small domestic processing locations?

The lack of change management is a severe omission and will greatly increase information security risk.

Which of the following would be the most relevant factor when defining the information classification policy?

D. Explanation: When defining the information classification policy, the requirements of the data owners need to be identified. The quantity of information, availability of IT infrastructure and benchmarking may be part of the scheme after the fact and would be less relevant.