Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the
Information security program?
A. Representation by regional business leaders
B. Composition of the board
C. Cultures of the different countries
D. IT security skills
Answer: C
Explanation:
Culture has a significant impact on how information security will be implemented. Representation by regional business leaders may not have a major influence unless it concerns cultural issues. Composition of the board may not have a significant impact compared to cultural issues. IT security skills are not as key or high impact in designing a multinational information security program as would be cultural issues.
Q2. Which of the following attacks is BEST mitigated by utilizing strong passwords?
A. Man-in-the-middle attack
B. Brute force attack
C. Remote buffer overflow
D. Root kit
Answer: B
Explanation:
A brute force attack is normally successful against weak passwords, whereas strong passwords would not prevent any of the other attacks. Man-in-the-middle attacks intercept network traffic, which could contain passwords, but is not naturally password-protected. Remote buffer overflows rarely require a password to exploit a remote host. Root kits hook into the operating system's kernel and, therefore, operate underneath any authentication mechanism.
Q3. Which of the following groups would be in the BEST position to perform a risk analysis for a business?
A. External auditors
B. A peer group within a similar business
C. Process owners
D. A specialized management consultant
Answer: C
Explanation:
Process owners have the most in-depth knowledge of risks and compensating controls within their environment. External parties do not have that level of detailed knowledge on the inner workings of the business. Management consultants are expected to have the necessary skills in risk analysis techniques but are still less effective than a group with intimate knowledge of the business.
Q4. The MOST appropriate owner of customer data stored in a central database, used only by an organization's sales department, would be the:
A. sales department.
B. database administrator.
C. chief information officer (CIO).
D. head of the sales department.
Answer: D
Explanation:
The owner of the information asset should be the person with the decision-making power in the department deriving the most benefit from the asset. In this case, it would be the head of the sales department. The organizational unit cannot be the owner of the asset because that removes personal responsibility. The database administrator is a custodian. The chief information officer (CIO) would not be an owner of this database because the CTO is less likely to be knowledgeable about the specific needs of sales operations and security concerns.
Q5. Who should be responsible for enforcing access rights to application data?
A. Data owners
B. Business process owners
C. The security steering committee
D. Security administrators
Answer: D
Explanation:
As custodians, security administrators are responsible for enforcing access rights to data. Data owners are responsible for approving these access rights. Business process owners are sometimes the data owners as well, and would not be responsible for enforcement. The security steering committee would not be responsible for enforcement.
Q6. Successful implementation of information security governance will FIRST require:
A. security awareness training.
B. updated security policies.
C. a computer incident management team.
D. a security architecture.
Answer: B
Explanation:
Updated security policies are required to align management objectives with security procedures; management objectives translate into policy, policy translates into procedures. Security procedures will necessitate specialized teams such as the computer incident response and management group as well as specialized tools such as the security mechanisms that comprise the security architecture. Security awareness will promote the policies, procedures and appropriate use of the security mechanisms.
Q7. Risk assessment is MOST effective when performed:
A. at the beginning of security program development.
B. on a continuous basis.
C. while developing the business case for the security program.
D. during the business change process.
Answer: B
Explanation:
Risk assessment needs to be performed on a continuous basis because of organizational and technical changes. Risk assessment must take into account all significant changes in order to be effective.
Q8. When a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning, which of the following should automatically occur FIRST?
A. The firewall should block all inbound traffic during the outage
B. All systems should block new logins until the problem is corrected
C. Access control should fall back to no synchronized mode
D. System logs should record all user activity for later analysis
Answer: C
Explanation:
The best mechanism is for the system to fallback to the original process of logging on individually to each system. Blocking traffic and new logins would be overly restrictive to the conduct of business, while recording all user activity would add little value.
Q9. The decision on whether new risks should fall under periodic or event-driven reporting
should be based on which of the following?
A. Mitigating controls
B. Visibility of impact
C. Likelihood of occurrence
D. Incident frequency
Answer: B
Explanation:
Visibility of impact is the best measure since it manages risks to an organization in the timeliest manner. Likelihood of occurrence and incident frequency are not as relevant. Mitigating controls is not a determining factor on incident reporting.
Q10. Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?
A. Programming
B. Specification
C. User testing
D. Feasibility
Answer: D
Explanation:
Risk should be addressed as early as possible in the development cycle. The feasibility study should include risk assessment so that the cost of controls can be estimated before the project proceeds. Risk should also be considered in the specification phase where the controls are designed, but this would still be based on the assessment carried out in the feasibility study. Assessment would not be relevant in choice A or C.
Q11. The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for:
A. determining the scope for inclusion in an information security program.
B. defining the level of access controls.
C. justifying costs for information resources.
D. determining the overall budget of an information security program.
Answer: B
Explanation:
The assigned class of sensitivity and criticality of the information resource determines the level of access controls to be put in place. The assignment of sensitivity and criticality takes place with the information assets that have already been included in the information security program and has only an indirect bearing on the costs to be incurred. The assignment of sensitivity and criticality contributes to, but does not decide, the overall budget of the information security program.
Q12. When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?
A. Business management
B. Operations manager
C. Information security manager
D. System users
Answer: C
Explanation:
The escalation process in critical situations should involve the information security manager as the first contact so that appropriate escalation steps are invoked as necessary. Choices A, B and D would be notified accordingly.
Q13. A business impact analysis (BIA) is the BEST tool for calculating:
A. total cost of ownership.
B. priority of restoration.
C. annualized loss expectancy (ALE).
D. residual risk.
Answer: B
Explanation:
A business impact analysis (BIA) is the best tool for calculating the priority of restoration for applications. It is not used to determine total cost of ownership, annualized loss expectancy (ALE) or residual risk to the organization.
Q14. Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company's policies. An information security manager should:
A. conduct a risk assessment and allow or disallow based on the outcome.
B. recommend a risk assessment and implementation only if the residual risks are accepted.
C. recommend against implementation because it violates the company's policies.
D. recommend revision of current policy.
Answer: B
Explanation:
Whenever the company's policies cannot be followed, a risk assessment should be conducted to clarify the risks. It is then up to management to accept the risks or to mitigate them. Management determines the level of risk they are willing to take. Recommending revision of current policy should not be triggered by a single request.
Q15. A security manager meeting the requirements for the international flow of personal data will need to ensure:
A. a data processing agreement.
B. a data protection registration.
C. the agreement of the data subjects.
D. subject access procedures.
Answer: C
Explanation:
Whenever personal data are transferred across national boundaries, the awareness and agreement of the data subjects are required. Choices A, B and D are supplementary data protection requirements that are not key for international data transfer.