CISM Certified Information Security Manager – Question1168

The MOST important reason for an information security manager to be involved in the change management process is to ensure that:

A. security controls are updated regularly.
B. potential vulnerabilities are identified.
C. risks have been evaluated.
D. security controls drive technology changes.

Correct Answer: C

Explanation:
The change management process is the point at which the information security manager can ensure that the risk of a proposed change has been evaluated before it is implemented. Identifying vulnerabilities and updating controls (options A and B) are outcomes of that risk evaluation rather than the primary reason for involvement, and security controls should support the organization's technology changes, not drive them (option D).

CISM Certified Information Security Manager – Question1167

Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?

A. Provide security awareness training to the third-party provider's employees
B. Conduct regular security reviews of the third-party provider
C. Include security requirements in the service contract
D. Request that the third-party provider comply with the organization's information security policy

Correct Answer: B

Explanation:
Regular security audits and reviews of the provider's practices are what actually verify that outsourced services remain secure and prevent potential information security damage. Depending on the type of services outsourced, security awareness training for the provider's staff may not be necessary. Security requirements should be included in the contract, but what matters most is verifying that the provider meets them. It is not necessary to require the provider to comply fully with the organization's policy when only part of that policy is relevant and applicable to the service.

CISM Certified Information Security Manager – Question1166

An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract?

A. Right to audit
B. Nondisclosure agreement
C. Proper firewall implementation
D. Dedicated security manager for monitoring compliance

Correct Answer: A

Explanation:
A right-to-audit clause is the most useful requirement because it gives the organization the ability to perform a security audit or assessment whenever there is a business need to examine whether the controls at the third party are working effectively. Options B, C and D are important requirements, and whether they are met can be examined during such an audit. A dedicated security manager would be costly and is not feasible in most situations.

CISM Certified Information Security Manager – Question1165

An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?

A. A due diligence security review of the business partner's security controls
B. Ensuring that the business partner has an effective business continuity program
C. Ensuring that the third party is contractually obligated to all relevant security requirements
D. Talking to other clients of the business partner to check references for performance

Correct Answer: C

Explanation:
The key requirement is that the information security manager ensures that the third party is contractually bound to follow the security requirements appropriate to the process being outsourced. This protects both organizations. The other steps contribute to arriving at the contractual agreement, but they are not the key action.

CISM Certified Information Security Manager – Question1164

Of the following, retention of business records should be PRIMARILY based on:

A. periodic vulnerability assessment.
B. regulatory and legal requirements.
C. device storage capacity and longevity.
D. past litigation.

Correct Answer: B

Explanation:
Retention of business records is a business requirement that must satisfy the regulatory and legal obligations that apply to the organization's geographic locations and industry. Storage capacity and longevity (option C) are practical constraints on how records are kept, and past litigation (option D) may inform the retention schedule, but neither is the primary driver; that is the set of legal and regulatory requirements every company must follow. Periodic vulnerability assessments (option A) have no bearing on how long records must be retained.

CISM Certified Information Security Manager – Question1163

The root cause of a successful cross site request forgery (XSRF) attack against an application is that the vulnerable application:

A. uses multiple redirects for completing a data commit transaction.
B. has implemented cookies as the sole authentication mechanism.
C. has been installed with a non-legitimate license key.
D. is hosted on a server along with other applications.

Correct Answer: B

Explanation:
XSRF (more commonly written CSRF) succeeds because the browser automatically attaches the application's cookies to every request sent to that site, whether the request was initiated by the application's own pages or by a page under an attacker's control. An application that treats a valid session cookie as sufficient proof that the user intended a transaction therefore cannot distinguish a forged request from a genuine one. The defence is to require something a cross-site page cannot obtain or supply, such as a per-session anti-CSRF token submitted with each state-changing request, with the SameSite cookie attribute and Origin header checks as additional controls. Redirects (option A) are unrelated to the flaw. Option C concerns licensing and intellectual property rights, not XSRF. Merely hosting several applications on the same server (option D) is not the root cause of this vulnerability.
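The mechanism described above, as an added example that is not part of the original question set: a simulated funds-transfer endpoint that authenticates on the session cookie alone, beside the same endpoint hardened with a per-session anti-CSRF token and an Origin header check. The site origin, the server secret, the session table, the balances and both requests are constructed for the example; the request is modelled as a plain dictionary rather than a real web framework object.

```python
import hashlib
import hmac
import secrets

# Constructed state for this example (not from any real application).
SITE_ORIGIN = "https://bank.example"            # assumed origin of the application
SERVER_SECRET = secrets.token_bytes(32)          # assumed per-deployment secret key
SESSIONS = {"sid-alice-1": "alice"}              # session cookie value -> logged-in user


def fresh_balances() -> dict:
    """Constructed account balances, reset for each scenario."""
    return {"alice": 100, "bob": 0, "mallory": 0}


def csrf_token_for(session_id: str) -> str:
    """Per-session token, derived from the server secret so it can be rechecked
    without being stored. Only a page served by SITE_ORIGIN can read it into a
    form; a page on another origin cannot, which is what the check relies on."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _apply_transfer(user: str, form: dict, balances: dict) -> str:
    amount = int(form["amount"])
    if amount <= 0 or balances.get(user, 0) < amount:
        return "400 invalid amount"
    balances[user] -= amount
    balances[form["to"]] = balances.get(form["to"], 0) + amount
    return "200 transferred"


def transfer_vulnerable(request: dict, balances: dict) -> str:
    """Relies on the session cookie alone. The browser attaches that cookie to
    every request to the site, including one a hostile page caused it to send,
    so the server cannot tell a forged POST from a genuine one."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return "401 not logged in"
    return _apply_transfer(user, request["form"], balances)


def transfer_protected(request: dict, balances: dict) -> str:
    """Same action, but demands evidence the request came from this site's own
    page: an Origin header (when the browser sends one) matching the site, and
    a valid anti-CSRF token in the request body."""
    session_id = request["cookies"].get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 not logged in"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-origin request rejected"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(csrf_token_for(session_id), supplied):
        return "403 missing or invalid CSRF token"
    return _apply_transfer(user, request["form"], balances)


def legitimate_request() -> dict:
    """Constructed POST from the bank's own transfer form, token embedded in the page."""
    return {
        "headers": {"Origin": SITE_ORIGIN},
        "cookies": {"session": "sid-alice-1"},
        "form": {"to": "bob", "amount": "25", "csrf_token": csrf_token_for("sid-alice-1")},
    }


def forged_request() -> dict:
    """Constructed POST auto-submitted by a page on evil.example while Alice is
    logged in: the browser adds her cookie, but the attacker cannot read her token."""
    return {
        "headers": {"Origin": "https://evil.example"},
        "cookies": {"session": "sid-alice-1"},
        "form": {"to": "mallory", "amount": "100", "csrf_token": "guess"},
    }


if __name__ == "__main__":
    for handler in (transfer_vulnerable, transfer_protected):
        balances = fresh_balances()
        print(handler.__name__, "forged:", handler(forged_request(), balances), balances)
        balances = fresh_balances()
        print(handler.__name__, "legit :", handler(legitimate_request(), balances), balances)
```

The vulnerable handler moves Alice's whole balance to Mallory on the forged request because, from the server's side, it is indistinguishable from one Alice submitted herself. The hardened handler rejects it twice over: the Origin header names the attacker's site, and even with that header stripped the token does not match. Marking the session cookie `SameSite=Lax` or `Strict` would stop the browser attaching it to the cross-site POST in the first place and is worth adding as a third layer.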

CISM Certified Information Security Manager – Question1162

An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to:

A. validate and sanitize client side inputs.
B. harden the database listener component.
C. normalize the database schema to the third normal form.
D. ensure that the security patches are updated on operating systems.

Correct Answer: A

Explanation:
SQL injection arises when input supplied by the client is concatenated directly into the text of a SQL query, so that crafted or malformed input changes the structure of the query instead of merely supplying a value; the result can be disclosure, modification or deletion of data, or bypass of authentication. The input must be validated and sanitized on the server, not only in the browser, since client-side checks are bypassed simply by sending the request directly, and the strongest form of the control is to pass input through parameterized (prepared) statements so the database treats it purely as data. Hardening the database listener improves the security of the database but does not address SQL injection. Normalization concerns the effectiveness and efficiency of the database design, not SQL injection; fully normalized databases are just as injectable. SQL injection exploits the way the query is constructed, not the operating system, so OS patching does not prevent it.
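The flaw and the control described above, as an added example that is not part of the original question set: a login lookup that splices client input into the query text, beside the same lookup done with a parameterized statement and with server-side allow-list validation in front of it. The in-memory SQLite database, its two accounts and the attacker payload are constructed for the example.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not real accounts).
    Plaintext passwords are used only to keep the injection visible; real
    systems store password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse", "user"), ("admin", "hunter2", "admin")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Input is spliced into the query text, so a quote and a comment marker in
    the username rewrite the WHERE clause and drop the password check entirely."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """The query text is fixed; the driver binds the input as data, so the same
    payload is compared literally against the username column and matches nothing."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")   # assumed username policy for the example


def validate_username(username: str) -> bool:
    """Server-side allow-list check, applied in addition to parameterization.
    A check that runs only in the browser is bypassed by sending the request directly."""
    return USERNAME_RE.fullmatch(username) is not None


def login_validated(conn: sqlite3.Connection, username: str, password: str):
    """Defence in depth: reject malformed input before it reaches the database,
    then run the parameterized query."""
    if not validate_username(username):
        raise ValueError("username contains characters outside the allow-list")
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = build_db()
    payload = "admin' --"          # constructed attacker input: closes the string, comments out the rest
    print("vulnerable   :", login_vulnerable(db, payload, "wrong"))
    print("parameterized:", login_parameterized(db, payload, "wrong"))
    try:
        login_validated(db, payload, "wrong")
    except ValueError as exc:
        print("validated    : rejected,", exc)
    print("legit        :", login_validated(db, "alice", "correct horse"))
```

With the payload `admin' --` the vulnerable version executes `... WHERE username = 'admin' --' AND password = 'wrong'`, which SQLite reads as a lookup on `admin` followed by a comment, so the admin row comes back without any password. The parameterized version runs the unchanged query and returns no row, and the validated version never reaches the database. Validation is kept as a second layer rather than the only one because an allow-list is easy to loosen later (for example to permit an apostrophe in names), at which point parameterization is what still holds.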

CISM Certified Information Security Manager – Question1161

Which of the following is the BEST approach for improving information security management processes?

A. Conduct periodic security audits.
B. Perform periodic penetration testing.
C. Define and monitor security metrics.
D. Survey business units for feedback.

Correct Answer: C

Explanation:
Defining and monitoring security metrics is the best approach for analyzing the performance of the security management process: it establishes a baseline and then measures performance against that baseline to identify opportunities for improvement, which is a systematic and structured approach to process improvement. Audits identify deficiencies in established controls but are not effective at evaluating overall performance for improvement. Penetration testing only uncovers technical vulnerabilities and cannot provide a holistic picture of information security management. Feedback from business units is subjective and not necessarily reflective of true performance.

CISM Certified Information Security Manager – Question1160

What is the MOST cost-effective method of identifying new vendor vulnerabilities?

A. External vulnerability reporting sources
B. Periodic vulnerability assessments performed by consultants
C. Intrusion prevention software
D. Honeypots located in the DMZ

Correct Answer: A

Explanation:
External vulnerability reporting sources (vendor advisories, CERT bulletins and similar feeds) are the most cost-effective method of identifying new vendor vulnerabilities. The cost of options B and C would be much higher, especially if the assessments were performed at regular intervals. Honeypots would not identify all vendor vulnerabilities, only those an attacker happened to use against them. In addition, honeypots located in the DMZ can create a security risk if the production network is not well protected from traffic originating from a compromised honeypot.