Certified Information Security Manager Exam Prep Guide, Hemang Doshi, 2nd Edition (ISBN 9781804610633 / 1804610631)
Second Edition
Copyright © 2022 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, without the prior written permission of the publisher,
except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information
presented. However, the information contained in this book is sold without warranty, either express or
implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for
any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and
products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot
guarantee the accuracy of this information.
Reviewers: Zeshan Ahmad, Pushkar Nagle, Kartik Sharma, and Wei Tschang
ISBN 978-1-80461-063-3
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
Packt.com
Subscribe to our online digital library for full access to over 7,000 books and videos, as well as
industry leading tools to help you plan your personal development and advance your career. For more
information, please visit our website.
Why subscribe?
Spend less time learning and more time coding with practical eBooks and videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of
free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Contributors
He presently works as a senior analyst for a Fortune 100 financial services company and is certified
as a CISM, CISA and ISO 27001:2013 Lead Auditor.
Pushkar has managed 500+ onsite/offsite Web Application pentests, Mobile applications,
Infrastructure, Build & Code reviews, and other risk-based security testing projects.
"I would like to thank my parents, Sanjay and Kavita, and my wife, Ashvini for their motivation and
support."
– Pushkar
Kartik Sharma has over 18 years of experience in information technology. He holds certifications
like CISSP, CISM, CRISC, CDPSE, and Security certifications from all major cloud providers like
AWS, Google, Azure, Oracle, and Alibaba. He has contributed to the development of various
certification exams for ISC2, AWS, and Adobe, by serving as a subject matter expert (SME). He is
currently working as a Director, Solution Architect at Wiley. His areas of expertise include Cloud
Technologies, Cloud Security, Information Security, Data Privacy, Marketing Technologies, Identity
& Access Management, and Microservices.
"I would like to thank my wife, Punima Sharma, for her support, understanding, and patience during
the long hours of work. I would also like to thank my parents, siblings, and friends for their constant
encouragement."
– Kartik
Wei Tschang has more than 20 years of experience spanning various information technology
disciplines within the banking, legal, and manufacturing industries. He is a passionate member of the
ISACA Community, serving as a board member in various leadership roles for his local ISACA
chapter since 2013. He has received multiple volunteer awards for his contributions to the chapter. He
presented at conferences on cybersecurity topics. Wei holds the following certifications: CISA,
CISM, CGEIT, CISSP, CIPP, SSCP, and ABCP. Wei lives in New Jersey with his wife, daughter, and
golden retriever.
Preface
Enterprise Governance
Importance of Information Security Governance
Desired Outcomes of Good Information Security Governance
Responsibility for Information Security Governance
Steps for Establishing Governance
Governance Framework
Top-Down and Bottom-Up Approaches
Key Aspects from the CISM Exam Perspective
A Note on the Practice Questions
Practice Question Set 1
Organizational Culture
Acceptable Usage Policy
Ethics Training
Practice Question Set 2
Legal, Regulatory, and Contractual Requirements
Key Aspects from the CISM Exam Perspective
Practice Question Set 3
Retention of Business Records
Electronic Discovery
Key Aspects from the CISM Exam Perspective
Practice Question Set 4
Organizational Structure
Board of Directors
Security Steering Committee
Reporting of Security Functions
Centralized vis-à-vis Decentralized Security Functioning
Practice Question Set 5
Information Security Roles and Responsibilities
RACI Chart
Board of Directors
Senior Management
Business Process Owners
Steering Committee
Chief Information Security Officer
Chief Operating Officer
Data Custodian
Communication Channel
Indicators of a Security Culture
Key Aspects from the CISM Exam Perspective
Practice Question Set 6
Maturity Model
Key Aspects from the CISM Exam Perspective
Practice Question Set 7
Governance of Third-Party Relationships
Information Security Governance Metrics
The Objective of Metrics
Technical Metrics vis-à-vis Governance-Level Metrics
Characteristics of Effective Metrics
Key Aspects from the CISM Exam Perspective
Practice Question Set 8
Summary
Revision Questions
With this book, you will unlock access to a powerful exam-prep platform that includes interactive
practice questions, exam tips, and flashcards. The platform perfectly complements the book and even
lets you clarify your doubts directly with the author.
This blended learning approach of shoring up key concepts through the book and applying them to
answer practice questions online is designed to help build your confidence in acing the CISM
certification.
By the end of this book, you will have everything you need to succeed in your information security
career and pass the CISM certification exam with this handy, on-the-job desktop reference guide.
Sharpen your understanding of concepts with multiple sets of practice questions and interactive
flashcards, accessible from all modern web browsers. If you get stuck, you can raise your concerns
with the author directly through the website. Before doing that, make sure to go through the list of
resolved doubts as well. These are based on questions asked by other users. Finally, go through the
exam tips on the website to make sure you are well prepared.
Who This Book Is For
This book is ideal for IT risk professionals, IT auditors, CISOs, information security managers, and
risk management professionals.
What This Book Covers
This book is aligned with the CISM Review Manual (16th Edition; 2022) and encompasses the
following topics:
Chapter 2: Information Security Strategy discusses information security strategy and highlights areas
such as security strategy development, senior management's role in an organization's security
strategy, and the security architecture.
Chapter 3: Information Risk Assessment covers the basic aspects of risk management and deals with
the basic definition of risk and its components, risk identification, analysis and evaluation, and the
security baseline.
Chapter 4: Information Risk Response covers the tools and techniques used for risk response: namely,
risk avoidance, risk mitigation, risk transfer, and risk acceptance. The chapter also details change
management and risk management integration with the project life cycle.
Chapter 5: Information Security Program Development explores the different procedures and
techniques for developing an information security program and also deals with the information
security program roadmap.
Chapter 6: Information Security Program Management discusses the basics of information security
program management and covers information security program objectives, the security baseline, and
security awareness and training.
Chapter 8: Information Security Monitoring Tools and Techniques emphasizes the importance of
monitoring tools and techniques and introduces some of the most commonly used and most useful
ones, such as intrusion detection systems, intrusion prevention systems, and firewalls.
Chapter 9: Incident Management Readiness sets out what it means to be ready for information
security incidents. It covers aspects such as incident classification, business impact analysis, and
insurance.
Chapter 10: Incident Management Operations covers the implementation of business continuity and
disaster recovery processes and also deals with post-incident review practices.
Step 5: Attempt the online practice question sets. Make a note of the concepts you are weak in,
revisit those in the book, and re-attempt the practice questions.
Step 6: Keep repeating the practice question sets until you are able to answer all the questions in each
practice set correctly within the time limit.
CISM aspirants will gain a lot of confidence if they approach their CISM preparation by following
these steps.
Recorded Lectures
This book is also available in video lecture format along with 200+ exam-oriented practice questions
on Udemy. Buyers of this book are entitled to 30% off on Hemang Doshi's recorded lectures. For a
discount coupon, please write to [email protected].
1. Open the sign-up link. Once the page loads, enter your name and email address (1).
Figure 0.2: Enter your name and email address in the sign-up form
3. Enter the unique sign-up code (3). As mentioned in Step 1, the sign-up code can be found on any of the following pages: page
180, page 284, page 327, or page 379. Once you have entered the code, click the Sign Up button.
NOTE
You only need to input the sign-up code once. After your account is created, you will be able to access the website
using just your email address and password from any device.
Figure 0.4: Enter the unique sign-up code
4. Upon a successful sign-up, you will be redirected to the dashboard (see Figure 0.5).
Figure 0.5: Online exam-prep platform dashboard
Going forward, you will simply need to log in using your email address and password.
NOTE
If you are facing issues signing up, reach out to [email protected].
Alternatively, you can scan the following QR code to open the website:
Figure 0.7: Earlier Domains (applicable up to May 31, 2022) versus Updated Domains (applicable from June 1, 2022)
Candidates who have based their studies so far on the previous weightings should take careful note of
the changes and adjust their preparations accordingly.
The CISM exam contains 150 questions and covers the four information security management areas
shown in the preceding table in Figure 0.7.
The following are the key topics that candidates will be tested on starting from June 1, 2022:
A Enterprise Governance
3A1 Information Security Program Resources (e.g., people, tools, and technologies)
3B5 Management of External Services (e.g., providers, suppliers, third parties, and fourth
parties)
4 Incident Management
Do you like to read on the go but are unable to carry your print books everywhere? Is your eBook
purchase not compatible with the device of your choice?
Don't worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, and on any device. Search, copy, and paste code from your favorite
technical books directly into your application.
The perks don't stop there; you can get exclusive access to discounts, newsletters, and great free
content in your inbox daily.
3. That's it! We'll send your free PDF and other benefits to your email directly.
1
Enterprise Governance
ACCESSING THE ONLINE CONTENT
With this book, you get unlimited access to web-based CISM exam prep tools which include practice questions, flashcards,
exam tips, and more. To unlock the content, you'll need to create an account using your unique sign-up code provided with
this book. Refer to the Instructions for Unlocking the Online Content section in the Preface on how to do that.
If you've already created your account using those instructions, visit this link http://packt.link/cismexamguidewebsite or
scan the following QR code to quickly open the website. Once there, click the Login link in the top-right corner of the page
to access the content using your credentials.
Governance is an important aspect of the certified information security manager (CISM) exam. In
simple terms, governance means a set of policies, procedures, and standards used to monitor and
control an activity. Enterprise governance refers to policies, procedures, and standards put in place
to monitor an entire organization. Information security governance is a subset of overall enterprise
governance, and its objective is to monitor and control activities related to information security.
In this chapter, you will gain an overview of information security governance and understand the
impact of good governance on the effectiveness of information security projects.
You will learn about how organizational structure and culture impact information security governance
and details about the various roles and responsibilities of the security function. You will also be
introduced to the best practices for implementing information security governance.
Organizational Culture
Organizational Structure
Maturity Model
Governance of Third-Party Relationships
Information is one of the most important assets for any organization and its governance is mandated
by various laws and regulations. For these reasons, information security governance is of critical
importance.
To optimize security investments and ensure the high-value delivery of business processes
To monitor the security processes to ensure that security objectives are achieved
To integrate and align the activities of all assurance functions for effective and efficient security measures
To ensure that residual risks are well within acceptable limits, which gives management assurance
Senior management is responsible for ensuring that security aspects are integrated with business
processes. The involvement of senior management and the steering committee in discussions and the
approval of security projects indicates that the management is committed to aspects relating to
security.
Generally, a steering committee consists of senior officials from different departments. The role of an
information security steering committee is to provide oversight of the organization's security
environment.
2. Next, the information security manager develops a strategy and a set of requirements based on these objectives. The security
manager is required to conduct a gap analysis and identify the best strategy to move to the desired state of security from its current
state of security. The desired state of security is also termed the security objectives. This gap analysis becomes the basis for the
strategy.
3. The final step is to create the road map and identify specific actionable steps to achieve the security objectives. The security
manager needs to consider various factors, such as time limits, resource availability, security budget, and laws and regulations.
These specific actions are implemented by way of security policies, standards, and procedures.
Governance Framework
A governance framework is a structure or outline that supports the implementation of information
security strategies. It provides the best practices for a structured security program. Frameworks are
flexible structures that any organization can adopt as per their environment and requirements. COBIT
and ISO 27001 are both examples of widely accepted and implemented frameworks for security
governance.
In a top-down approach, policies, procedures, and goals are reviewed and approved by senior
management, hence policies and procedures are directly aligned with business objectives.
A bottom-up approach may not directly address management priorities. In a bottom-up approach,
operational level risks are given more importance.
Question: Which approach (that is, top-down or bottom-up) is more effective for governance?
Possible answer: The effectiveness of governance is best ensured by a top-down approach. In a top-down approach, policies, procedures, and goals are set by senior management and hence policies and procedures are directly aligned with business objectives. A bottom-up approach may not directly address management priorities.
Please also note that, because ISACA recommends that only those with "technical expertise and
experience in IS/IT security and control" seek CISM certification, this book assumes some prior
experience in the field. With that in mind, you will face some questions intended to test your expected
pre-existing knowledge. Do not worry if you do not get these questions right the first time; full
explanations are given after every question to help you fill any gaps in your understanding.
NOTE
The answer key and explanations for all practice and revision questions for this chapter can be found via this link.
3. Which of the following is the first step in implementing information security governance?
A. Employee training
A. Technology requirements
B. Compliance requirements
D. Financial constraints
5. Which of the following is the responsibility of the information security governance steering committee?
7. Which of the following is the most important factor for an information security governance program?
C. Frequent audits
C. Compliance-oriented approach
10. What is the prime responsibility of the information security manager in the implementation of security governance?
11. What is the most important factor when developing information security governance?
12. What is the most effective way to build an information security governance program?
B. Ineffective governance
C. Inadequate training
D. Inappropriate standards
16. What is the main reason for integrating information security governance into business activities?
B. To standardize processes
17. Which of the following is the most important attribute of an effective information security governance framework?
18. What is the most effective method to use to develop an information security program?
A. A standard
B. A framework
C. A process
D. A model
Organizational Culture
The culture of an organization and its service provider is the most important factor that determines
the implementation of an information security program. An organization's culture influences its risk
appetite, that is, its willingness to take risks. This will have a significant influence on the design and
implementation of the information security program. A culture that favors taking risks will have a
different implementation approach compared to a culture that is risk averse.
Cultural differences and their impact on data security are generally not considered during security
reviews. Different cultures have different perspectives on what information is considered sensitive
and how it should be handled. This cultural practice may not be consistent with an organization's
requirements.
For some organizations, financial data is more important than privacy data. So, it is important to
determine whether the culture of the service provider is aligned with the culture of the organization.
It is essential that the AUP is conveyed to all users, and acknowledgment should be obtained from
the users that they have read and understood the AUP. For new users, an AUP should be part of their
induction training.
Ethics Training
The information security manager should also consider implementing periodic training on ethics.
Ethical training includes emphasizing moral principles that govern a person's behavior or the conduct
of an activity. It includes guidance on what the company considers legal and appropriate behavior.
Training on ethics is of utmost importance for employees engaged in sensitive activities, such as
monitoring user activities or accessing sensitive personal data.
Some examples of unethical behavior include improper influence on other employees or service
providers, use of corporate information or assets for private benefit, accepting gifts or bribes, and
multiple employments.
Acknowledgment should be obtained from employees on understanding ethical behavior and the
code of conduct and this should be retained as part of the employment records.
A. Types of vulnerabilities
2. Which of the following is the most important factor to consider while developing a control policy?
A. Protecting data
B. Protecting life
A. Cultural differences
B. Security controls
A. IT technology
B. System vulnerabilities
C. Network bandwidth
D. Organizational goals
6. What is the most important consideration when designing a security policy for a multi-national organization operating in different
countries?
7. What is the most important factor in determining the acceptable level of organizational standards?
8. What is the most important factor for promoting a positive information security culture?
Processes should be in place to scan all new regulations and determine their applicability to the
organization.
The information security manager is required to determine the processes and activities that may be
impacted and whether existing controls are adequate to address any new regulations. If not, further
controls should be implemented to address the new regulations.
Departments affected by any new regulations are in the best position to determine the impact of new
regulatory requirements on their processes, as well as the best ways to address them.
Question: Who should determine the control processes for any new regulatory requirements?
Possible answer: The affected department (as they are in the best position to determine the impact of new regulatory requirements on their processes and the best way to address them)
Question: What is the first step of an information security manager who notices a new regulation impacting one of the organization's processes?
Possible answer: To determine the processes and activities that may be impacted, and to assess whether existing controls meet the regulations
Question: What is the major focus of privacy law?
Possible answer: To protect identifiable personal data
Question: Which factors have the greatest impact on the security strategy?
Possible answer: Organizational goals and objectives
A. To ask management to stop the BYOD policy implementation, stating the associated risk
2. New regulatory requirements impacting information security will mostly come from which of the following?
C. Affected departments
D. Senior management
3. Primarily, the requirements of an information security program are based on which of the following?
A. The IT policy
4. Which of the following should be the first step of an information security manager who notices a new regulation impacting one of
the organization's processes?
B. Corporate data
C. Identity theft
6. The information security manager notices a regulation that impacts the handling of sensitive data. Which of the following should
they do first?
7. The information security manager should address laws and regulations in which way?
8. What is the most important consideration for organizations involved in cross-border transactions?
9. What should be the next step for the board of directors when they notice new regulations are impacting some of the organization's
processes?
C. Compliance timelines
11. What should the next step be for an information security manager upon noticing new regulations impacting some of the
organization's processes?
Legal requirements
If a record is required to be maintained for three years as per the business requirements, and for two
years from a legal perspective, then it should be maintained for three years.
Organizations generally design their record retention policy in line with the relevant laws and
regulations.
Electronic Discovery
Electronic discovery (e-discovery) is the process of the identification, collection, and submission of
electronic records in a lawsuit or investigation. The best way to ensure the availability of electronic
records is to implement comprehensive retention policies. A retention policy dictates the terms for
storing, backing up, and accessing the records.
2. Which of the following is the most important consideration in business record retention?
A. Strategic objectives
C. Storage capacity
3. Due to changes in the business strategy, certain information now no longer supports the purpose of the business. What should be
done with this information?
Organizational Structure
The development of a security strategy is highly influenced by the organizational structure.
Organizational structure pertains to the roles and responsibilities of different individuals, the
reporting hierarchy, whether the organization functions in a centralized or decentralized way, and so
on. A flexible and evolving organizational structure is more open to the adoption of a security
strategy, whereas an organization with a more constrained structure might not adopt a security
strategy.
The independence of the security function is the most important factor to be considered, from a
practical as well as an exam perspective, when evaluating organizational functions. This can be
assessed through the reporting structure of the security function.
Board of Directors
The ultimate responsibility for the appropriate protection of an organization's information falls on the
board of directors. The involvement of board members in information security initiatives can be an
indicator of good governance. In the event of an incident, the company directors can be protected
from liability if the board has exercised due diligence. Many laws and regulations make the board
responsible in the event of data breaches. Even cyber security insurance policies require the board to
exercise due diligence as a prerequisite for insurance coverage.
However, with increased awareness and more experience, the responsibility for security is now
entrusted to senior-level functionaries directly reporting to the chief operating officer (COO), chief
executive officer (CEO), or board of directors. This ensures the independence of security functions.
The following table shows the differentiation between centralized and decentralized processes:
| Centralized | Decentralized |
| --- | --- |
| Less alignment with the requirements of decentralized units | Better alignment with decentralized unit requirements |
| A centralized process will generally take more time to process requests due to the larger gap between the information security department and the end user | Faster turnaround of requests compared to centralized processes |
A. Legal department
B. CISO
C. Audit department
D. Steering committee
3. As an information security manager, how do you characterize a decentralized information security process?
RACI Chart
One of the simplest ways to define roles and responsibilities in a business or organization is to form a
matrix known as a RACI chart. This stands for responsible, accountable, consulted, and informed.
This chart indicates who is responsible for a particular function, who is accountable with regard to
the function, who should be consulted about the function, and who should be informed about the
function. Clearly defined RACI charts make the information security program more effective.
The following defines RACI in more detail:
Responsible: This is the person who is required to execute a particular job function.
Consulted: This is the person who gives suggestions and recommendations for executing a job function.
Informed: This is the person who should be kept updated about the progress of the job function.
In the next section, you will go through the various roles that are integral to information security.
Board of Directors
The role of board members in information security is of utmost importance. Board members need to
be aware of security-related key risk indicators (KRIs) that can impact the business objectives. The
intent and objectives of information security governance must be communicated from the board level
down.
The current status of key security risks should be tabled and discussed at board meetings. This helps
the board to determine the effectiveness of the current security governance.
Another essential reason for the board of directors to be involved in security governance is liability.
Most organizations obtain specific insurance to deal with their financial liability in the event of a
security incident. This type of insurance requires those bound by it to exercise due care in the
discharge of their duties. Any negligence from the board in addressing the information security risk
may make the insurance void.
Senior Management
The role of senior management is to ensure that the intent and requirements of the board are
implemented in an effective and efficient manner. Senior management is required to provide ongoing
support to information security projects in terms of budgets, resources, and other infrastructure. In
some instances, there may be disagreement between IT and security. In such cases, senior
management can take a balanced view after considering performance, cost, and security. The role of
senior management is to map and align the security objectives with the overall business objectives.
Steering Committee
A steering committee comprises the senior management of an organization. The role of a steering
committee is as follows:
To ensure that security programs support the business objectives
The roles, responsibilities, and scope of a steering committee should be clearly defined.
Data Custodian
The data custodian is a staff member who is entrusted with the safe custody of data. The data
custodian is different from the data owner, though in some cases, both data custodian and data owner
may be the same individual. A data custodian is responsible for managing the data on behalf of the
data owner in terms of data backup, ensuring data integrity, and providing access to data for different
individuals on the basis of the approval of the data owner. From a security perspective, a data
custodian is responsible for ensuring that appropriate security measures are implemented and are
consistent with organizational policy.
Communication Channel
A well-defined communication channel is of utmost importance in the management of information
security. A mature organization has dedicated systems to manage risk-related communication. This
should be a two-way system, wherein management can reach all employees and at the same time
employees can reach a designated risk official to report identified risks. This will help in the timely
reporting of events, as well as disseminating important security information. In the absence of an
appropriate communication channel, the identification of events may be delayed.
Employees are aware of their roles and responsibilities regarding information security
Understanding the roles and responsibilities as covered in this section will help the security manager
to implement an effective security strategy.
Question: What is the best course of action when there is disagreement on the security aspects between the IT team and the security team?
Possible answer: To refer the matter to senior management along with any necessary recommendations
Question: Who has the ultimate responsibility for legal and regulatory requirements?
Possible answer: The board of directors and the senior management (when the board delegates them the responsibility)
Question: What is the best way to prioritize information security projects?
Possible answer: Security projects should be assessed and prioritized based on their impact on the organization
Question: Who has the responsibility to enforce the access rights of employees?
Possible answer: The data custodian/security administrators
Question: extent and level of maturity of processes?
Possible answer: The process performance and capability model
Question: What is the major concern if database administrators (DBAs) have access to DBA-related logs?
Possible answer: The unauthorized modification of logs by the DBA
Question: What is the main objective of integrating security-related roles and responsibilities?
Possible answer: To address security gaps that exist between assurance functions
Question: What is the role of the information owner with regard to the data classification policy?
Possible answer: To determine the level of classification for their respective data
Question: What is the role of the information security manager with regard to the data classification policy?
Possible answer: To define and ratify the data classification process
Question: standards?
Question: What is the principle of proportionality for providing system and data access?
Possible answer: The principle of proportionality requires that access be proportionate to the criticality of the assets and access should be provided on a need-to-know basis
Question: What is the segregation of duties?
Possible answer: Segregation of duties (SoD) is a control wherein a critical function or job is divided into two parts and each part is handled by a separate individual
Question: What is a compensatory control?
Possible answer: Compensatory controls are controls that are placed in lieu of main controls as main controls are difficult to implement. The objective of compensatory controls is to address the risk until the main controls are implemented.
Question: What is the principle of least privilege?
Possible answer: The principle of least privilege ensures that access is provided only on a need-to-know basis, and it should be restricted for all other users
D. Ensuring all security measures are in accordance with the organizational policy
3. You are an information security manager for a bank. One of your critical recommendations is not accepted by the IT head. What
should your next course of action be?
D. Refer the matter to senior management along with any necessary recommendations
4. As an information security manager, you strongly recommend having well-defined roles and responsibilities from an information
security perspective. The most important reason for this recommendation is:
D. Better accountability
5. What is the prime role of an information security manager in a data classification process?
6. Which of the following is the area of most concern for the information security manager?
D. That security projects are reviewed and approved by the data center manager
7. An information security manager should have a thorough understanding of business operations with the prime objective of which
of the following?
8. In a big multi-national organization, the best approach to identify security events is to do which of the following?
10. What is the best way to gain support from senior management for information security projects?
11. Prioritization of information security projects is best conducted based on which of the following?
A. Industry practices
B. Business requirements
C. Regulatory requirements
D. Storage requirements
15. What is the most important security aspect for a multi-national organization?
A. The local security program should comply with the corporate data privacy policy
B. The local security program should comply with the data privacy policy of the location where the data is collected
C. The local security program should comply with the data privacy policy of the country where the headquarters are
located
D. The local security program should comply with industry best practices
16. The ultimate accountability for the protection of sensitive data lies with which of the following?
17. The most likely authority to sponsor the implementation of new security infrastructure for business processes is which of the
following?
A. The CISO
B. The COO
19. The responsibility for establishing information security controls in an application resides with which of the following?
Maturity Model
CISM aspirants are expected to understand the basic details of a maturity model.
A maturity model is a tool that helps the organization assess the current effectiveness of a process and
determine what capabilities they need to improve their performance.
Capability maturity models (CMMs) are useful to determine the maturity level of governance
processes. The following list defines the different maturity levels of an organization:
Level 0: Incomplete: On this level, the process is not implemented or does not achieve its intended purpose.
Level 1: Performed: On this level, the process can achieve its intended purpose.
Level 2: Managed: On this level, the process can achieve its intended purpose. Also, the process is appropriately planned,
monitored, and controlled.
Level 3: Established: Along with what is required for a Level 2 process, there is a well-defined, documented, and established
process to manage the process.
Level 4: Predictable: On this level, the process is predictable and operates within the defined parameters and limits to achieve its
intended purpose.
Level 5: Optimized: This is the level at which the process is continuously improved to meet the current as well as projected goals.
The CMM uses a scale of 0 to 5 based on process maturity level. It is the most common method
applied by organizations to measure their existing state and then determine the desired one.
Maturity models identify the gaps between the current state of the governance process and the desired
state. This helps the organization to determine the remediation steps required for improvement. A
maturity model calls for continuous improvement in the governance framework. This requires
continuous evaluation, monitoring, and improvement to move toward the desired state from the
current state.
The process performance and capabilities approach also provides a detailed perspective of the
maturity levels, just like the maturity model.
Question: Which models are used to determine the extent and level of processes?
Answer: The maturity model.

Question: What is the best way to determine the continuous improvement of the risk management process?
Answer: The adoption of the maturity model.
C. A risk assessment
D. An external audit
These third parties are connected to the systems of the organization and have access to its data and
other resources. To protect the organization, it is very important for an information security manager
to assess the risk of such third-party relationships and ensure that relevant controls are in place.
Policies and requirements of information security should be developed before the creation of any
third-party relationship.
Furthermore, the security manager should understand the following challenges of third-party
relationships:
The cultural differences between an organization and the service provider
Technology incompatibilities
The business continuity arrangements of the service provider may not be aligned with the requirements of the organization
Effective governance is highly dependent on the culture of the organization. The next section
discusses this in more detail.
Management is more concerned about the overall security posture of the organization. Full audits and
comprehensive risk assessments are a few of the activities that help management to understand
security from a governance perspective.
Question: What is the prime objective of a metric?
Answer: Decision-making takes place based on effective metrics. Organizations evaluate and measure the achievements and performance of various processes and controls using metrics. Effective metrics are primarily used for security-related decision-making.
A. Market research
B. Predictive analysis
C. Industry standards
D. Effective metrics
2. Which of the following metrics is considered to have the most important strategic value?
6. What is the best indicator to determine the effectiveness of the security strategy?
7. The information security manager has been asked to implement a particular security standard. Which of the following is the most
effective to monitor this?
Summary
In this chapter, you learned about the importance of assurance functions, that is, governance, risk, and
compliance, and how their integration is key to effective and efficient information security
management. You also learned how organizations can use the maturity model to improve their
processes and explored the importance of the commitment of senior management toward the security
of an organization. The next chapter will cover the practical aspects of information security strategy.
Revision Questions
1. The effectiveness of SoD is best ensured by which of the following?
3. To determine the extent of sound processes, the maturity model is used. Another approach is to use which of the following?
C. Vulnerability assessments
D. Risk analysis
C. The CISO
5. The information security manager observes that the incident log is stored on a production database server. Which of the following
is a major concern?
7. The main objective of integrating security-related roles and responsibilities is which of the following?
A. To address the security gaps that exist between assurance functions
8. Which of the following is the best compensating control when the same employee is responsible for updating servers, maintaining
the access control, and reviewing the logs?
9. What is the responsibility of the information owner when complying with the information classification scheme?
10. The effectiveness of the organization's security measures is the final responsibility of which of the following?
B. The CISO
C. Senior management
11. What is the best way to ensure that responsibilities are carried out?
C. Assigned accountability
D. Documented policies
12. Who is responsible for complying with the organization's security policies and standards?
A. The CISO
B. Senior management
A. All personnel
B. IT personnel
C. Security personnel
D. Operational personnel
A. Operation managers
B. The CISO
C. Senior management
B. Implementing SoD
17. As an information security manager, how do you characterize a decentralized information security process?
In this chapter, you will explore the practical aspects of an information security strategy and
understand how a well-defined strategy impacts the success of security projects. You will learn about
the different aspects of what a security strategy is and understand the role of an information security
manager in supporting business objectives.
A strategy is basically a roadmap of specific actions that must be completed to achieve any objective.
Long-term and short-term plans are finalized based on the strategy adopted.
The primary objective of any security strategy is to support the business objectives, and the
information security strategy should be aligned with the business objectives. The first step for an
information security manager in creating a plan is to understand and evaluate the business strategy.
This is essential to align the information security plan with the business strategy.
A strategy plan should include the desired level of information security. A strategy is only
considered effective if the objectives of the controls are met. As discussed in Chapter 1, Enterprise
Governance, "the ultimate responsibility for the appropriate protection of an organization's
information falls on the board of directors. The involvement of board members in information
security initiatives indicates good governance. The liability of directors can be protected if the board
has exercised due care. Many laws and regulations make the board responsible in case of data
breaches. Even the cybersecurity insurance policy requires the board to exercise due care as a precondition for insurance coverage."
NOTE
The preceding point is reiterated here to serve as a reminder. During the CISM certification exam, you can expect to face
at least one question on this subject.
The chief information security officer (CISO) is primarily responsible for the design and
development of the information security strategy in accordance with the security policy.
Any changes in the management's intent should be appropriately addressed in the policies.
It is important to ensure compliance with the policy requirements at regular intervals. Self-assessment is the best way to determine the readiness and remediation of non-compliance items. This
helps the organization to prepare for regulatory reviews conducted as per different regulations.
Key Aspects from the CISM Exam Perspective
Following are some of the key aspects from the perspective of the CISM exam:
Question: What is the first step in developing an information security management program?
Answer: To ascertain the need and justification for creating the program.

Question: What is the best way to address the conflicting requirements of a multinational organization's security policy with local regulations?
Answer: The best way in such a situation is to establish a local version of the policy that is aligned with the local laws and regulations.

Question: What is the conflict of security controls with business requirements?
Answer: The objective of security controls is to support the business objectives and requirements. A security control should not restrict the users' ability to perform their jobs. When a security control is not supporting the business needs, it is termed a conflict of security controls with business requirements.

Question: The objectives of information security can be best described as:
Answer: The requirements of the desired state (i.e., whatever is required to achieve the desired state).

Question: What is value delivery in information security?
Answer: Value delivery means designing processes that give maximum benefit to the organization. It indicates high utilization of available resources for the benefit of the organization.

Question: On what basis should intangible assets be valued?
Answer: The ability of the assets to generate revenue. In the absence of the availability of intangible assets, the organization will lose the amount of revenue the asset normally generates. The acquisition or replacement cost may be more or less than the asset's actual ability to generate revenue.
NOTE
The answer key and explanations for all practice and revision questions for this chapter can be found via this link.
2. An information security manager is designing an information security strategy plan for the approval of the security steering
committee. The most important factor to be included in this plan is:
3. An information security manager is designing an information security strategy plan for the approval of the security steering
committee. The primary objective of designing an information security strategy is:
A. To monitor performance
5. The best way to address a conflict between a multinational organization's security policy and local regulations is:
C. To discuss the previous year's regulatory reports with the process owner
D. To ensure that all regulatory inquiries are approved by the legal department
8. The most important role for a Chief Information Security Officer is to:
10. Commitment and support from senior management with respect to information security can be best addressed by:
12. Immediately after implementing access control for the internet, an organization's employees started complaining that they were
unable to perform business functions on internet sites. This is an example of:
13. Which of the following should be the first action when developing an information security strategy?
A. Defined objectives
C. A defined framework
D. Defined policies
16. In an information security steering committee, there is no representation from user management. Which of the following is the
main risk in this scenario?
D. The information security strategy may not be aligned with business requirements.
17. Which of the following is the best approach for an information security manager when there is a disagreement between them and
the business manager regarding the security aspect of a new process?
A. To accept the business manager's decision as they are the process owner
C. To review the risk assessment with senior management for final consideration
18. The connection between business objectives and security should be demonstrated by:
A. Indirect linkages
C. Interconnected constraints
D. Direct traceability
19. The accountability for information categorization and protective measures resides with:
A. Security administrators
B. Senior management
C. System administrators
D. End users
20. As a newly appointed information security manager, you are required to develop a strategic plan for the information security of
the organization. Your most important action should be:
To optimize security investments and ensure the high-value execution of business processes.
To monitor security processes and ensure that security objectives are achieved
To integrate and align the activities of all assurance functions for effective and efficient security measures.
To support the security strategy in ensuring that residual risks are well within acceptable limits. This reassures the management.
Framework: ISO 27001
Particulars: The ISO 27001 standard is a widely accepted framework for information security management systems. It recommends 14 areas of control consisting of a total of 114 controls. These include the availability of information security policies, human resource securities, asset management, access controls, and so on. An organization needs to implement all the applicable controls and get them audited by a certification body to be ISO 27001 certified.

Framework: NIST Cybersecurity Framework
Particulars: The NIST Cybersecurity Framework emphasizes the importance of effective risk management integration and extensively promotes the improvement of supply chain risk management. The NIST Cybersecurity Framework does not include any controls. Rather, it provides guidance on the process of identifying gaps between present practices and a desirable target state. Understanding these gaps helps the organization to adopt the desirable controls to improve information security risk management.

Framework: NIST Risk Management Framework (RMF)
Particulars: NIST RMF was originally designed to assist US government agencies in evaluating and improving information security. It has since been expanded to apply to any business and is free to use. It emphasizes the integration of security, privacy, and cyber supply chain risk management activities into the system development life cycle. NIST RMF includes a risk-based approach to categorizing relevant assets and selecting and implementing controls to achieve adequate protection.
The objective of an IT balanced scorecard (IT BSC) is to establish, monitor, and evaluate IT
performance in terms of (i) business contribution, (ii) future orientation, (iii) operational excellence,
and (iv) user orientation.
The three indicators of an IT balanced scorecard are (a) customer satisfaction, (b) internal processes, and (c) the ability to
innovate.
NOTE
Though financial performance is an indicator of a generic balanced scorecard, it is not part of an IT BSC.
An IT BSC is the most effective means to aid the IT strategy committee and management in achieving IT governance through
proper IT and business alignment. The success of an IT balanced scorecard depends upon the involvement of senior management
in IT strategy planning.
It is of utmost importance that you define key performance indicators (KPIs) before implementing an IT BSC. KPIs help to
measure performance. Examples of KPIs include system uptime, incident response time, and system restoration time.
B. Customer satisfaction
C. Internal processes
D. Innovation capacity
2. Which of the following is the most important prerequisite before implementing an IT balanced scorecard?
3. As an information security manager, you note that senior management is not involved in IT strategy planning. Which of the
following is the area of most concern?
4. As an information security manager, you have been asked to review the parameters for measuring IT performance. The main
objective of the IT performance measurement process is:
A. To reduce errors
D. To improve performance
A security strategy is a guiding force for the implementation of a security program. The roadmap
detailing the security implementation, i.e., procedure, resources, and timelines, is developed based on
this strategy. Further, various implementation activities can be aligned and integrated on the basis of
this strategy to achieve security objectives more effectively and efficiently.
An information security program should be aligned with the business objectives of the organization.
The effectiveness of an information security program is determined based on its ability to address the
risks impacting the business objectives.
Question: What is the first step in developing an information security management program?
Answer: To ascertain the need and justification for creating the program.

Question: What is the aim of cost-benefit analysis when implementing controls?
Answer: The cost of implementing a control should not exceed the expected benefits.
C. To evaluate and determine the correlation between the solution and the business objectives
3. The most important factor in developing a security strategy before implementing a security program is:
4. The most likely reason for a sudden increase in the number of security events could be:
A. To protect information assets in accordance with the business strategy and objectives
6. A combination of management, administrative, and technical controls is important for effective information security because:
7. The best way to learn and improve from a security incident is:
8. As an information security manager, you are required to develop an information security management program. What should your
first step be?
Enterprise Architecture (EA) defines and documents the structure and process flow of the
operations of an organization. It describes how different elements such as processes, systems, data,
employees, and other infrastructure are integrated to achieve the organization's current and future
objectives.
Security architecture is a subset of enterprise architecture. Its objective is to improve the security
posture of the organization. Security architecture clearly defines the processes that a business
performs and how those processes are executed and secured.
The first step for a security manager implementing the security strategy is to understand and evaluate
the IT architecture and portfolio. Once they have a fair idea of the IT architecture, they can determine
the security strategy.
A lack of competent security architects results in more effort being required to build reliable security architecture.
The potential benefits of a well-designed security architecture cannot be quantified, so gaining support from management can be
very difficult.
Question: Information security architecture should be aligned with:
Answer: Business goals and objectives.
C. IT architecture
D. Industry standards
2. An information security manager is entrusted with creating the information security strategy for the organization. Their first step
should be:
End users are one of the most important stakeholders when considering the overall security strategy.
Training, education, and awareness are of extreme importance to ensure that policies, standards,
and procedures are appropriately followed.
Question: What is the best method to increase the effectiveness of security training?
Answer: Customizing training for the target audience.
Governance, risk management, and compliance are three related aspects that help achieve
organizational objectives. GRC aims to lay down operations for more effective organizational
processes and avoid wasteful overlaps. Each of these three disciplines impacts the organization's
technologies, people, processes, and information. If GRC activities are handled independently of
each other, it may result in a considerable amount of duplication and a waste of resources. The
integration of these three functions helps to streamline assurance activities by addressing overlapping
and duplicated GRC activities.
Though GRC can be applied in any function of an organization, it focuses primarily on financial, IT,
and legal areas.
Financial GRC focuses on effective risk management and compliance for finance processes. IT
GRC focuses on information technology processes. Legal GRC focuses on enterprise-level
regulatory compliance.
GRC is an ever-evolving concept, and a security manager should understand the current state of GRC
in their organization and determine how to ensure its continuous improvement.
Question: What is the main objective of implementing GRC procedures?
Answer: To improve risk management processes by integrating various assurance-related activities, and to synchronize and align an organization's assurance functions.

Question: What areas are focused on most in GRC?
Answer: IT, finance, and legal.
It is very important for the information security manager to gain support from senior management.
The most effective way is to ensure that the security program continues to be aligned with, and
supports, the business objectives. This is critical for promoting management support. Senior
management is more concerned about the achievement of business objectives and will be keen to
address all risks impacting key business objectives.
Obtaining commitment from senior managers is very important to ensure appropriate investment in
information security, as you will explore in the next section.
For example, as a security manager, if you request a budget of $5,000 for security investment, senior
management may not be convinced. But if you also project annualized savings of $10,000 against
that investment, senior management may be more willing to invest.
Strategic Alignment
Information security activities are said to have a strategic alignment when they support the
requirements of the key business stakeholders. Information security should support the achievement
of organizational objectives by minimizing business disruption. The most effective way to enhance
management commitment toward information security is to conduct a periodic review of alignment
between security and business goals. A discussion with key business stakeholders will provide an
accurate picture of the alignment of security programs to support business objectives.
A survey of management is the best way to determine whether the security program supports the
business objectives. Achieving strategic alignment means business process owners and managers
believe that information security is effectively supporting their goals. If business management is not
confident in the security programs, the information security manager should redesign the process to
provide better value to the business.
Another aspect of determining the strategic alignment is to review the business balanced scorecard.
A business scorecard contains important metrics from a business perspective. It helps to determine
the alignment of security goals with business goals.
Question: What is the best way to gain support from senior management for security projects?
Answer: Explain to management the impact of security risks on key business objectives.

Question: What is the primary driver for investment in an information security project?
Answer: A value analysis and a sound business case.
A. A cost-benefit analysis
B. Industry benchmarks
2. What is the most important role of senior management in supporting an information security program?
5. For implementing a new project, support from senior management can be obtained by:
6. The most effective way to enhance the management's commitment to information security is:
7. The most effective way to justify the information security budget is:
8. Senior management's commitment to security programs is best indicated by their involvement in:
9. The most effective justification to gain support from senior management for security investment is:
10. The most likely position to sponsor the security steering committee is:
11. The best driver for investment in an information security project is:
B. A value analysis
12. The most important prerequisite for implementing an information security program is:
B. A documented framework
C. A documented policy
15. Which of the following will have the most adverse impact on the effective implementation of security governance?
16. What is the best method to measure the strategic alignment of an information security program?
17. What is the best method to determine the level of alignment of the security objectives with the business objectives?
18. The best factor to ensure a successful implementation of an information security program is:
20. The objective of aligning information security governance with corporate governance is to:
21. What is the best method to address the senior management's concerns regarding the effectiveness of the existing information
security program?
The business case is a key element in the decision-making for any project. The proposed return on
investment (ROI), along with any other expected benefits, is the most important consideration for
decision-making in any new project.
The first step in developing a business case is to define the need for and justification of the problem.
A feasibility study or analysis is an analysis that takes various factors into account, including
economic, technical, and legal factors, to ascertain the likelihood of completing the project
successfully.
A feasibility study should consider how the project will impact the organization in terms of risk,
costs, and benefits. It helps to assess whether a solution is practical and achievable within the
established budgets and schedule requirements.
Question: What are the first steps for the development of a business case?
Answer: To define the issues to be addressed and to define the need for the project.

Question: What does it mean if an organization implements "system thinking"?
Answer: Using "system thinking" means the organization views overall systems as more than just the sum of their parts.
A. Appropriate justification
C. Legal requirements
2. As an information security manager, you are required to develop a business case for a new information security initiative. Your
first step should be:
3. When implementing a new project, support from senior management can be obtained by:
5. Which of the following is of the least concern for an information security manager when implementing a new project?
A. Technical requirements
B. Regulatory requirements
C. Privacy requirements
D. Business requirements
6. The most effective report while proposing the implementation of a new security solution is:
C. A business case
D. A budget utilization report
7. What is the biggest challenge when preparing a business case in relation to obtaining approval from senior management for a new
security project?
8. The best way to obtain support from senior management for an information security initiative is to:
9. Which of the following is the first step for the development of a business case?
B. Return on investment
C. Organizational objectives
11. What is the best way to address senior management's reluctance to provide a budget for new security initiatives?
12. An information security manager is evaluating two technologies to address a particular risk and is required to select one for
implementation. The best approach for the security manager, with a limited budget, to choose between the two technologies is:
A. A risk assessment
D. A cost-benefit analysis
A. An impact analysis
C. An industry benchmark
D. Acceptance by users
14. Which factor is most likely to persuade management to approve a new information security budget?
B. Industry benchmarks
C. Implementation benefits
D. Affordability
Summary
In this chapter, you learned about the various aspects of security strategy, governance frameworks,
and information security programs. You also explored in detail the benefits of increasing the
effectiveness of security training. This helps the CISM aspirant understand the organization's security
program and architecture.
In the next chapter, you will go through the important aspects of information risk assessment.
Revision Questions
1. The most important consideration while developing an information security strategy is:
3. The most important factor when developing risk management strategies is:
C. Technology architecture
B. The perspective of the whole being greater than the sum of its individual parts
5. An information security manager is asked to develop a cost-effective information security strategy. What will the most important
step be?
6. Which of the following is considered to have the most important strategic value?
A. IT architecture
B. Governance framework
9. While developing a security strategy, a security manager should be most concerned about:
11. The roadmap for information security implementation is primarily based on:
A. IT architecture
B. IT policy
C. Security strategy
D. Regulatory requirements
12. Which of the following can be the main reason for a change in a policy?
A. Changes in regulation
15. The primary reason for the board of directors to be involved in information security initiatives is:
16. The information security manager has been asked to implement a particular security standard. Which of the following is most
effective to monitor this?
17. What is the most effective way of measuring the degree of alignment between security objectives and business objectives?
18. The best way to align security goals with business goals is:
B. To have business goals and security goals that support each other
C. To ensure that the security goals are derived from the business goals
D. To ensure that the business goals and security goals are independent of each other
19. The security baseline of a mature organization is most generally defined with reference to:
21. Which of the following is considered the most significant key risk indicator?
22. The most important aspect of an information security strategy from senior management's perspective is:
23. The best method to develop an effective data protection strategy is:
24. Out of the following, what is the most effective way to obtain commitment from senior management for the implementation of a
security program?
D. Discuss the relationship between the security program and business goals.
25. Which of these factors most influences the success of an information security strategy?
B. To demonstrate potential loss and other negative impacts due to a lack of support
In this chapter, you will explore information risk management and learn about the tools and
techniques available to help you with risk management, along with other important concepts from the
perspective of the CISM exam. This chapter will help CISM candidates understand different aspects
of implementing a risk management strategy.
Risk Awareness
Risk Assessment
Risk Identification
Risk Analysis
Risk Evaluation
Risk Register
Security Baselines
Understanding Risk
The following table illustrates the different definitions of risk:
NOTE
From a CISM exam perspective, you need not worry about any of the definitions in the table above; these are for your
knowledge.
Almost every definition speaks, directly or indirectly, about two terms: probability and
impact. In its simplest form, risk is the product of probability and impact. In other words:
Risk = Probability * Impact
Risk = P * I
Figure 3.2: Risk
NOTE
Probability is also known as likelihood, possibility, chance, and so on.
Both terms carry equal weight when determining risk; if either one is zero, the risk is zero. The
following example will help you understand. Suppose the probability of damage to a product is very
high, signified as 1. However, the product costs almost nothing, so the impact is nil, or zero, even if
the product gets damaged. The risk of rain damage to this product is therefore:
Risk = P * I = 1 * 0 = 0
Question: Risk is the combination of probability and impact. Which one of them requires the greatest
amount of speculation?
Possible answer: Probability (likelihood), rather than impact (consequences).
2. What are the most important aspects for identifying the level of risk?
B. Reduction in vulnerability
The following are some important terminologies from the perspective of ISACA's examinations.
Risk Management
Risk management indicates the combination of the following processes:
Risk assessment
Risk identification
Risk analysis
Risk evaluation
Risk response
Risk monitoring
Risk Assessment
Risk assessment is the combination of the following three processes:
Risk identification
Risk analysis
Risk evaluation
Risk assessment is the process used to identify, analyze, and evaluate risk. The results of risk
assessment are used to prioritize risks and decide the appropriate risk response option.
Risk Analysis
Risk analysis is the process of determining the level of risk. The level of risk can be either quantified
(i.e., numerical, percentage, dollar amount, and so on) or qualified (i.e., low risk, medium risk, or
high risk).
Risk Evaluation
Risk evaluation is the process of comparing the level of risk (as ascertained from risk analysis) with
what is considered an acceptable risk level (i.e., risk appetite).
Risk tolerance: Risk tolerance levels are acceptable deviations from the risk appetite.
Risk appetite: This is the amount of risk that an organization is willing to take.
Mr. A's total savings are $1,000. He wants to invest in equities to earn some income. Since he is risk
averse, he decides to invest only up to $700. If the markets are good, he is willing to invest a further
$50. In terms of risk capacity, risk appetite, and risk tolerance, the following can be derived:
Risk capacity: The total amount available, i.e., $1,000
Risk appetite: The amount he is willing to put at risk, i.e., $700
Risk tolerance: The acceptable deviation from the risk appetite ($50), which gives a tolerance level of $750
The following diagram demonstrates the relationship between risk capacity, risk tolerance, and risk
appetite:
Figure 3.4: The relationship between risk capacity, risk tolerance, and risk appetite
Tolerance can either be equal to or greater than appetite. Risk tolerance levels are acceptable deviations from risk appetite.
Risk acceptance generally should be within the risk appetite of the organization. In no case should it exceed the risk capacity.
Another important aspect that a security manager should understand is risk communication, which you will learn about in the next
topic.
Question: What are the circumstances in which management may not want to mitigate the risk even if
the level of risk is above the organization's risk appetite?
Possible answer: The risk falls within the risk tolerance level (risk tolerance levels are acceptable
deviations from risk appetite).
Inherent Risk
Inherent risk is the risk before any control is implemented. It is the risk that a process would pose if
no control factors were in place (the gross risk, or the risk before controls): the susceptibility of a
process to a material error in the absence of internal controls.
Inherent risk grows with exposure. The more users and business processes that touch a system, the
higher its inherent risk will be.
Residual Risk
This is the risk that remains after controls have been considered (the net risk or the risk after
controls).
For a successful risk management program, residual risk should always be within the risk appetite.
When the residual risk is within the risk appetite, it is considered an acceptable risk level.
The primary objective of a risk management program is to ensure that the residual risk is within a
level acceptable to management. If the residual risk is within the risk appetite of the organization, it
complies with the risk appetite. The achievement of acceptable risk indicates that residual risk is
minimized and within control.
In this case, your risk before taking insurance is $100,000. This risk is known as inherent risk, i.e., the
gross risk or the risk before implementing any control.
The risk after taking the insurance is only $20,000. This risk is known as residual risk, i.e., the net risk
or the risk after implementing any control.
NOTE
The cost of the control (the insurance premium in this case) is a cost and not a risk; hence, it is not factored into the equation.
Question: What is the best way to determine the sufficiency of risk control measures?
Possible answer: To ascertain whether the residual risk is less than or equal to the acceptable risk level.
A. Organizational requirements
B. Security requirements
C. International standards
D. Audit requirements
A. The acceptable risk level is less than the total risk level
B. The residual risk level is less than the acceptable risk level
C. The residual risk level is more than the acceptable risk level
D. The annual risk expectancy is more than the acceptable risk level
A. Management discretion
B. Legal requirements
D. Audit findings
The first step in the development of a risk management program is to establish the context and
purpose of the program. Management support can be gained only if the program has appropriate
context and purpose.
Risk management must operate at both the strategic as well as the operational level. The effectiveness
of a risk management program depends on how well it is integrated into an organization's culture and
the extent to which it becomes everyone's responsibility.
Step 1: Risk identification. Assets, threats, vulnerabilities, and existing controls are identified, and the resulting risks are
recorded in the risk register.
Step 2: Risk analysis. In risk analysis, the impact and level of each risk are determined (i.e., high, medium, or low, or a
monetary figure). Risk analysis establishes the exposure and helps to plan for remediation.
Step 3: Risk evaluation. In risk evaluation, it is determined whether the risk is within the acceptable range or whether it should
be mitigated. Based on risk evaluation, risk responses are decided.
Step 4: Risk response. Risk response can be in the form of risk mitigation, risk acceptance, risk avoidance, or risk transfer.
A security manager should also understand the outcome of a risk management program. This is
detailed in the next section.
Question: What is the first step in the development of a risk management program?
Possible answer: To establish the context and purpose of the program.
Question: What is the main objective of risk evaluation?
Possible answer: In risk evaluation, it is determined whether any risk is within the acceptable range or
whether it should be mitigated. Based on risk evaluation, risk responses are decided.
A. Management support
C. Oversight committee
Risk Awareness
Having good awareness of risk management programs improves the organization's risk culture. It is
the key element in impacting the behavior of end users. Through a risk awareness program, each
member of the organization can help to identify vulnerabilities, suspicious activities, and other
abnormal behavior patterns. This helps in having faster responses to attacks or incidents and thus
minimizes their impact.
Training Effectiveness
It is equally important to determine the effectiveness of awareness training at periodic intervals.
Metrics can be in the form of security quizzes, phishing attack simulations, blind penetration tests,
and so on.
Question: What is the main objective of a risk management program?
Possible answer: To reduce risk to an acceptable level.
Figure 3.8: Key aspects from the CISM exam perspective
2. Risk assessment is always subjective. The best method to improve the accuracy of the assessment is:
A. Nil
B. An acceptable level
C. An industry-adopted standard
6. An information security team noted that management has not mitigated the risk even though the risk exceeds the risk appetite.
What is the most likely reason for this?
A. The controls are already applied
8. What is the best way to support the business objectives through risk management?
Risk Assessment
Risk assessment is an important process for the identification of significant risks and to ensure cost-
effective controls can be put in place to address the identified risks.
There are many methodologies available for assessing risks. An organization should use the
methodology that best fits its requirements. This methodology should be able to achieve the goals
and objectives of the organization in the identification of relevant risks. A widely used framework is
COBIT 5, whose risk guidance is published as COBIT 5 for Risk.
1. Risk identification: Risk identification is the process of recognizing the assets, threats, vulnerabilities, and existing controls
of the organization and recording the resulting risks in the risk register.
2. Risk analysis: Risk analysis involves ranking risks based on their impact on business processes. The impact can be either
quantifiable in monetary terms or qualitative, such as high, medium, or low risk. Both the probability of an event and its impact on
the business are considered to determine the level of risk.
Risk analysis results help with the prioritization of risk responses and the allocation of resources; for
example, high-risk areas are given priority for treatment.
3. Risk evaluation: Risk evaluation is the process of comparing the result of risk analysis against the acceptable level of risk. If the
level of risk is more than the acceptable level, then risk treatment is required to bring the risk level down.
Here are some practical examples for each of the risk assessment phases:
Risk identification: The risk of the malfunction of a machine due to heavy rain.
Risk analysis: In this phase, the level of risk is determined. Suppose that the machine costs $100,000 and the probability of heavy
rain is 50%. In this case, the risk level is $50,000 (i.e., $100,000 * 50%).
Risk evaluation: In this phase, the risk level is compared with the risk level acceptable to management. Suppose the acceptable
level is only $20,000. The current risk of $50,000 exceeds the acceptable level of risk. In such a case, risk treatment is required to
bring the risk level down. The organization may choose to take out insurance worth $30,000 so that the net risk remains only
$20,000.
Question: Why is it very important to conduct risk assessments on a continuous basis?
Possible answer: Because the risk environment is changing constantly.
Question: What is the main advantage of performing risk assessments on a consistent basis?
Possible answer: It shows the trends in the evolving risk profile.
B. On a continuous basis
C. Before the implementation of the project
4. A security manager observes that an organization is using FTP access, which can be exploited. Which of the following can they
use to determine the necessity for remedial action?
A. A penetration test
C. A risk assessment
5. What is the main objective for the use of risk assessment techniques?
7. The main reason for repeating a risk assessment at regular intervals is:
8. What is the most important factor when reviewing the migration of IT operations to an offshore location?
10. What is the most essential element for conducting a risk assessment?
A. Consequences
B. Likelihood
C. Vulnerability
D. Budget
B. In the case of the residual risk being higher than the acceptable risk
12. The main objective of conducting risk assessments on a consistent basis is:
Risk Identification
Risk management begins with risk identification. Risk identification is the process of identifying and
listing risks in the risk register.
The primary objective of the risk identification process is to recognize threats, vulnerabilities, assets,
and controls of the organization. A risk practitioner can use the following sources for the
identification of any risk:
Review of past audit reports
Systematic approaches such as vulnerability assessments, penetration testing, review of business continuity plan (BCP) and
disaster recovery plan (DRP) documents, interviews with senior management and process owners, and scenario analysis
All the identified risks should be captured in the risk register along with details such as description,
category, probability, impact, and risk owner. In fact, maintenance of the risk register process starts
with the risk identification process.
A security manager should thoroughly understand the process of risk identification. Generally, this
process begins with the identification of critical assets. A security manager should be aware of all
assets that need protection. After the identification of assets, threats should be determined, followed
by the identification of any existing controls, identification of vulnerabilities, and then determining
consequences.
Conducting Interviews
One method for risk identification is conducting interviews. The following are some good practices
for interview techniques when identifying risk:
Risk practitioners should ensure that staff whose interview is being taken have sufficient authority and knowledge about the
process.
To the extent possible, risk practitioners should study the business process in advance of the interview. This will help in
conducting smooth interviews and risk practitioners can concentrate on areas of concern.
Interview questions should be prepared in advance and shared with the interviewee so they come prepared and bring any
supporting documentation, reports, or data that may be necessary.
Risk practitioners should obtain and review relevant documentation, such as standard operating procedures (SOPs), reports,
and other notes that support the statements of the interviewee.
Risk practitioners should encourage interviewees to be open about various risk scenarios.
Delphi Technique
Many organizations use the Delphi technique, in which expert opinion is gathered anonymously over
several rounds of questionnaires. After each round, a facilitator summarizes the responses and feeds
them back to the group, so that participants can revise their views without being swayed by the most
senior or most vocal individual in the room.
Asset Identification
The first and most important step in a risk assessment process is to identify and list all the assets and
determine their value based on criticality or sensitivity. In the absence of a detailed asset inventory,
the organization may miss protecting some significant assets. Assets can be in the form of people,
processes, systems, network components, databases, or any other elements that can impact business
processes. Assets need not be only tangible assets. There are often also intangible assets, such as the
reputation of the organization.
Asset Valuation
Once all the assets have been identified, the next step is to determine their value. This is very
important to avoid the under-protection or over-protection of assets. The effort required to protect any
asset should be justified by its criticality. For instance, it would not make sense to spend $100 for the
protection of an asset valued at $10.
The security manager should be careful while valuing the assets. In some situations (as shown in the
following example), the valuation should not be based only on the actual cost or replacement cost,
but also on the impact on the business if said asset is not available.
For example, suppose a server costing $1,000 is hosting data that supports a project worth $20,000. If
this server is not available, then the entire project will be adversely impacted. In this case, the value
of the server will be considered $20,000 even though its cost is only $1,000.
This is also known as opportunity cost. The opportunity cost reflects the cost of loss to the
organization/business resulting from the unavailability of an asset.
Risk Aggregation
The goal of risk aggregation is to identify the overall significant risk posed by a single threat vector.
For example, suppose an organization has implemented multiple controls to protect a critical
database. If any one control fails, the others can compensate. However, when a single threat defeats
all of those controls at once, or several minor vulnerabilities are exploited together, the combined
impact can be significant even though each weakness looked minor on its own.
Cascading Risk
Cascading risk is when one failure leads to a chain reaction of failures. This is more relevant where
IT and operations have close dependencies. The security manager should consider the impact of the
failure of one activity on other dependent systems.
Question: Valuation of an asset in a business impact analysis should be based on:
Possible answer: Opportunity cost (opportunity cost reflects the loss to the organization/business
resulting from the unavailability of an asset).
Question: What is the objective of risk aggregation?
Possible answer: To identify the significant overall risk coming from a single threat vector, or from
multiple minor vulnerabilities that are linked to each other being exploited at the same time.
A. Risk of reliability
A. Acquisition cost
B. Replacement cost
D. Risk analysis
Risk Analysis
Risk analysis is the ranking of risks based on their impact on business processes. A risk with high
impact is ranked higher and given priority when it comes to addressing risks. More resources are
allocated to high-risk areas.
Risk analysis results help with the prioritization of risk responses and the allocation of resources.
Risk analysis is the process of rating all identified risks in order to prioritize them. Risks with the
highest rating and impact are addressed first. Generally, the following techniques are used to rank
risks:
Quantitative method
Qualitative method
Semi-quantitative method
The availability of the correct data for risk assessment is a major factor in determining which of the
previously mentioned techniques is to be used. For instance, when a data source is trustworthy and
dependable, an organization will prefer a quantitative risk assessment since it expresses risk in
numerical terms, such as monetary value. The risk response can easily be determined when the risk is
measured in monetary (or other quantitative) values.
In the next section, you will get further insights into each method.
CISM aspirants should always remember that risk is quantified as the product of probability and
impact. For example, suppose the probability of damage to equipment costing $1,000 is 0. The impact
is $1,000 but the probability is 0, so the risk is P * I = 0 * 1,000 = 0. Now suppose another asset costs
$100 and its probability of damage is 0.5. Its risk is 0.5 * 100 = $50. The risk attached to the $100
asset is therefore higher than the risk attached to the $1,000 asset, because probability weighs as
heavily as impact in the quantification of risk.
Challenges in Implementing the Quantitative Method
One major challenge for conducting a quantitative risk analysis is the availability of reliable data. To
effectively quantify a risk, accurate details of probability and impact are required.
Quantitative risk assessment is not feasible for events where probability or impact cannot be
quantified or expressed in numerical terms.
Certain risks cannot be calculated in numeric terms. Qualitative assessments are useful in such
scenarios.
Qualitative risk analysis is more relevant to examining new emerging threats (which do not yet have
historic numerical data) and advanced persistent threats (APTs). Qualitative risk analysis involves
conducting interviews with various stakeholders or using techniques such as the Delphi method (as
discussed previously, under Risk Identification) wherein information can be gathered by way of
anonymous questionnaires.
In semi-quantitative risk analysis, descriptive rankings are associated with a numeric scale.
For example, the qualitative measure of "high" may be given a quantitative weight of 5, "medium"
may be given 3, and "low" may be given 1.
Such methods are frequently used when it is not possible to use only a quantitative method or when
the subjectivity in qualitative methods needs to be reduced.
Risk practitioners should ensure that a standardized process and scale are used throughout the
organization for semi-quantitative risk assessment. Furthermore, risk owners should not mistake the
origins of these values as coming from purely objective sources.
Annual Loss Expectancy (ALE)
The annual loss expectancy is the product of the annual rate of occurrence (ARO) and the single
loss expectancy (SLE). It is mathematically expressed as ALE = SLE * ARO. For example, suppose a
particular risk event causes a loss of $1,000 every time it occurs; $1,000 is the SLE. If this event is
expected to materialize five times in a year, the ARO is 5. Therefore, the annual loss expectancy is
$1,000 * 5 = $5,000.
Value at Risk (VaR)
Value at risk (VaR) is used to determine the maximum loss expected over a given period of time at a
stated confidence level.
OCTAVE
Operationally critical threat asset and vulnerability evaluation (OCTAVE) is a risk assessment
approach with the following characteristics:
In this approach, critical assets are identified first.
The next step is to focus on risk analysis activities for the identified critical assets.
OCTAVE considers the relationship between critical assets and the threats and vulnerabilities applicable to those assets.
It evaluates the risk in terms of the operational aspect, that is, the impact on business operations due to risk on identified critical
assets.
It creates a protection strategy for risk mitigation to safeguard the critical assets of the organization.
Bayesian analysis
This is a method of statistical inference that starts from a prior distribution and updates it with observed data to determine the
probability of a result.
The technique relies on the prior distribution data being accurate in order to be effective and produce accurate results.
Bow-tie analysis
It makes the analysis more effective by linking possible causes, controls, and consequences.
The risk event is depicted in the middle of the diagram (the "knot" of the bow tie); its causes or threats are placed on the left side
and its consequences on the right, with preventive controls drawn on the left and reactive controls on the right.
Delphi method
In the Delphi method, opinions from experts are obtained using two or more rounds of questionnaires.
After each round of questioning, the results are summarized and communicated back to the experts by a facilitator, and the
experts may revise their answers.
Responses are collected anonymously, so no participant knows who gave which answer and no single expert can dominate the
group.
Event tree analysis
An event tree analysis is a forward-looking model used to assess the probability of different events resulting in possible outcomes.
Fault tree analysis
In fault tree analysis, an undesired event is identified first, and then the possible sources (combinations of faults) that could lead to
it are determined.
Results are displayed in a logical tree diagram and attempts are made to reduce or eliminate potential causes of the event.
Markov analysis
Markov analysis is a method used to forecast the value of a variable whose predicted value is influenced only by its current state.
The Markov model assumes that, given the current state, future events are independent of past events.
Markov analysis is often used for predicting behaviors and decisions within large groups of people.
It is used to analyze systems that can exist in multiple states.
Monte Carlo analysis
Monte Carlo analysis is a risk management technique used for conducting a quantitative analysis of risks.
Monte Carlo methods, or Monte Carlo experiments, are a broad class of computational algorithms that rely on repeated random
sampling to obtain numerical results.
3. The most important element of quantitative risk analysis is that the result:
D. Is subjective
Risk Evaluation
In the risk evaluation phase, the level of each risk is compared with acceptable risk criteria. If the risk
is within the acceptable level, then it is accepted as it is. If the risk exceeds the acceptable level, then
the treatment will be some form of mitigation.
Risk Ranking
A risk with a high impact is ranked higher and given priority. The process of ranking risk in terms of
its criticality is known as risk analysis. More resources are allocated to high-risk areas. Ranking each
risk based on impact and likelihood is critical in determining the risk mitigation strategy. Ranking the
risk helps the organization determine its priority.
2. The most important factor for a risk-based information security program is:
A. Prioritization
B. Threat
C. Standardization
D. Budget
A. Asset value
C. Legal requirements
Risk Register
As previously noted, all identified risks should be captured in the risk register along with details such
as description, category, probability, impact, and risk owner. The maintenance of the risk register
starts with risk identification.
A risk register is the inventory of all existing risks of an organization. The best method to understand
any kind of risk is to review the risk register. It includes details of all risks along with relevant control
activities. The most effective use of a risk register is to facilitate a thorough review of all risks on a
periodic basis.
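The following Python script is an added example, not code from the book or from ISACA. It ties together the risk arithmetic of this chapter in one place: the probability-times-impact calculation, the ALE = SLE * ARO formula from the Risk Analysis section, the residual-risk comparison against risk appetite, risk tolerance, and risk capacity from the Risk Evaluation section, and the ranked risk register described above. The register entries, owners, dollar figures, and thresholds are constructed for illustration; the first entry reproduces the chapter's machine-and-rain example.

```python
"""Quantitative risk register helper (added example; not the book's own code).

It strings together the formulas used in this chapter:
  Risk = Probability * Impact         (per-event view)
  ALE  = SLE * ARO                    (annualised quantitative view)
  residual = inherent - reduction     (risk remaining after existing controls)
and evaluates each residual figure against appetite, tolerance and capacity.
All entries, owners, dollar figures and thresholds below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Semi-quantitative scale from the text: "high" = 5, "medium" = 3, "low" = 1.
SCALE = {"high": 5, "medium": 3, "low": 1}

# Constructed thresholds, in dollars of annual loss. Appetite is what management
# is willing to carry, tolerance the acceptable deviation above it, capacity the
# hard ceiling the organization can absorb at all.
APPETITE = 20_000
TOLERANCE = 25_000
CAPACITY = 100_000


@dataclass
class Risk:
    name: str
    owner: str
    sle: float                      # single loss expectancy: $ impact per event
    aro: float                      # annualized rate of occurrence: events per year
    control_reduction: float = 0.0  # $ of annual loss removed by existing controls


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Inherent (gross) annual risk: impact per event times events per year."""
    return sle * aro


def residual_risk(risk: Risk) -> float:
    """Net risk after controls; a control cannot push risk below zero."""
    return max(0.0, annual_loss_expectancy(risk.sle, risk.aro) - risk.control_reduction)


def evaluate(residual: float) -> str:
    """Risk evaluation: compare the residual figure with the acceptance thresholds.

    Capacity is checked first because a risk above capacity is never acceptable,
    whatever the tolerance says.
    """
    if residual > CAPACITY:
        return "treat (exceeds risk capacity)"
    if residual > TOLERANCE:
        return "treat"
    if residual > APPETITE:
        # Above appetite but inside tolerance: management may choose not to
        # mitigate, but that choice must be explicit and recorded.
        return "accept within tolerance (management sign-off)"
    return "accept"


def semi_quantitative_score(likelihood: str, impact: str) -> int:
    """Score for risks that cannot be priced: scale weight times scale weight."""
    return SCALE[likelihood] * SCALE[impact]


def rank_register(register: list[Risk]) -> list[dict]:
    """Risk analysis plus evaluation over a register, highest residual first."""
    rows = []
    for r in register:
        inherent = annual_loss_expectancy(r.sle, r.aro)
        residual = residual_risk(r)
        rows.append({"name": r.name, "owner": r.owner, "inherent": inherent,
                     "residual": residual, "decision": evaluate(residual)})
    rows.sort(key=lambda row: row["residual"], reverse=True)
    return rows


# Constructed register. The first entry is the chapter's machine/rain example:
# $100,000 impact at 50% probability = $50,000 inherent; $30,000 of insurance
# leaves $20,000, which sits exactly at appetite and is therefore acceptable.
SAMPLE_REGISTER = [
    Risk("Machine damaged by heavy rain", "Plant manager", 100_000, 0.5, 30_000),
    Risk("Ransomware on unsegmented file servers", "CISO", 1_200_000, 0.25),
    Risk("Data centre flooding", "Facilities", 400_000, 0.25, 40_000),
    Risk("Legacy VPN appliance past vendor support", "Network lead", 22_000, 1.0),
    Risk("FTP credentials captured on the network", "App owner", 1_000, 5),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        print(f"{row['residual']:>10,.0f}  {row['decision']:<45} {row['name']}")
```

Running the script prints the register sorted by residual annual loss, with the ransomware entry flagged as exceeding capacity, the flood as requiring treatment, the VPN appliance as acceptable only with management sign-off, and the two remaining risks as acceptable. The ordering of the checks in evaluate() is the point worth copying: tolerance never overrides capacity.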
Emerging Threats
An information security manager must be aware of the constantly evolving threat landscape and how
it affects their organization. As infrastructures evolve, new risks can emerge in unexpected ways.
When a threat is combined with a lack of adequate monitoring, a breach might occur.
Unusual activity on a system, frequent alarms, delayed system or network performance, or new or
excessive activity in logs are all signs of emerging threats. Many affected organizations have
evidence of emergent risks in their logs well before an actual compromise occurs, yet the evidence
goes unnoticed or unaddressed.
Nowadays, new technologies are designed with a focus on performance, and security is often
considered less important. As a result, new technology tends to introduce new vulnerabilities. The
involvement of an information security team in the implementation of new technologies is vital for
the overall security environment of the organization. Technologies such as cloud computing offer
tremendous benefits for the organization. However, if implemented without due consideration of
security, it may bring disaster.
Similarly, the concept of bring your own device (BYOD) results in a good amount of cost saving for
the organization but comes with its own risks.
Advanced Persistent Threats (APTs)
In an APT, attackers are highly skilled and have access to advanced tools and techniques. An attacker
may gain and maintain unauthorized access to the targeted network while remaining undetected for
an extended period of time. The attacker then monitors the environment and exfiltrates confidential
and sensitive data.
Although APTs have usually been associated with nation-state sponsorship, there have been several
examples in recent years of groups not backed by a nation-state undertaking large-scale targeted
attacks for specific objectives.
The information security manager must be aware that APTs pose a substantial threat to the
organization and must ensure that proper measures are in place to detect and identify this threat.
A. Feasibility
B. Design
C. Development
D. Testing
2. The most effective method to address the risk of acquisition of new IT resources is:
C. To obtain the approval of the senior manager before acquiring any new system
Audits, security reviews, vulnerability scans, and penetration tests are some methods that are
commonly used to find vulnerabilities.
Various types of testing, as well as subject matter expert estimates, can be used to determine the
degree of vulnerability. To the extent possible, the overall risk needs to be quantified. This helps
management take relevant action.
Question: What is the prime objective of a gap analysis?
Possible answer: To measure the current state vis-à-vis the desired state.
Question: What is the main objective of performing a penetration test?
Possible answer: To identify weaknesses in network and server security.
A. Vulnerability analysis
B. Threat analysis
C. Impact analysis
D. Security review
4. The most likely reason for a security manager to not be concerned about an identified major threat is:
5. As an information security manager, you are required to identify a new vulnerability of a particular technology. The best method
to identify the vulnerability in a cost-effective manner is:
D. Implementing honeypots
8. When evaluating a vulnerability scanning tool, a security manager should be most concerned about:
D. Identified vulnerabilities should be evaluated for threat, impact, and cost of mitigation
10. The most cost-effective method to test the security of a legacy application is:
Security Baselines
A security baseline refers to the minimum security requirement across the organization. The baseline
may be different in accordance with asset classification. For highly classified assets, the baseline will
be more stringent. For example, for low-classified assets, the baseline can be single-factor
authentication. However, it would increase to two-factor authentication for high-classified assets.
Baseline security should form a part of the control objectives. The baseline should be reviewed at
regular intervals to ensure that it is aligned with the organization's overall objectives.
Risk Communication
The communication of risk management activities is key to the effective implementation of the
risk management strategy. Communication should involve all relevant stakeholders, and
communication channels should enable interaction in both directions. That is, management should be
able to communicate with end users and end users should be able to pass on information related to
risk to management.
Summary
In this chapter, you learned about the important aspects of risk management. You explored different
risk identification and risk assessment methods. This will help you as a security manager to identify
risk in the organization, assess the level of risk, and determine the most appropriate treatment
options.
The next chapter will cover the different methods for responding to identified risks.
4
Change Management
Patch Management
Risk Mitigation
In this approach, efforts are made to reduce the probability of risk or impact resulting from the risk event by designing appropriate
controls.
Risk Sharing/Transferring
In this approach, risk is shared with partners or transferred via insurance coverage, contractual agreement, or other means.
For example, natural disasters have a very low probability of occurring but have a high impact if they
do. The response to such a risk should be risk transfer.
Risk Avoidance
In this approach, projects or activities that cause risk are avoided.
An example would be terminating a project when business cases show a high risk of failure.
Risk Acceptance
In this approach, risk is accepted as it is in accordance with the risk appetite of the organization.
Risk is accepted when the cost of controlling the risk is more than the cost of the risk event.
For example, for a few noncritical systems, the cost of antimalware installation is more than the
anticipated cost of damage due to any potential malware attack. In such a case, the organization
would generally accept the risk as it is.
In risk acceptance, no steps are taken to reduce the risk at this time (though the risk is recorded and reassessed at regular intervals
to determine whether this remains the best course of action).
However, organizations need to be very careful when accepting any risk. If a risk is accepted without fully understanding its
potential impact, it may result in a higher level of liability.
Question: What is the most effective way to treat risks such as natural disasters that have a low probability but a high impact level?
Answer: Risk transfer.
Question: What are the components of risk treatment (risk response)?
Answer: Risk mitigation, risk acceptance, risk avoidance, and risk transfer.
NOTE
The answers and explanations for all practice and revision questions for this chapter can be found via this link.
A. Risk avoidance
B. Risk acceptance
C. Risk transfer
D. Risk mitigation
3. An organization has started operations in a country where identity theft is widespread. The best course of action for the
organization is to:
B. Email encryption
A. Risk avoidance
B. Risk acceptance
C. Risk transfer
D. Risk mitigation
6. The best way to mitigate the liability risk arising out of a breach of privacy law is:
A. Risk reporting
B. Risk treatment
C. Risk monitoring
D. Risk assessment
8. A recommendation for the implementation of information system controls, such as antivirus software, is an example of:
A. Risk acceptance
B. Risk mitigation
C. Risk transfer
D. Risk avoidance
10. The most effective risk treatment when the probability of occurrence of an event is very low, but where the impact can be very
high, is:
B. User entitlement
C. Network security
D. Intrusion detection
12. The best way to protect confidential information from an insider threat is:
D. Defense in depth
13. The most effective way to manage a security program with low funding is to:
Risk should be owned by a senior official who has the necessary authority and experience to select the appropriate risk response
based on an analysis and any guidance provided by the risk practitioner.
Risk owners should also own the associated controls and ensure the effectiveness and adequacy of those controls.
Risk should be assigned to an individual employee rather than a group or a department. Allocating accountability to a department
will circumvent ownership.
Accountability for risk management lies with senior management and the board.
Risk ownership is best established by mapping the risk to specific business process owners.
The results of risk monitoring should be discussed and communicated with the risk owner as they own the risk and are
accountable for maintaining the risk within acceptable levels.
Question: Who is in the best position to perform a risk analysis for a business process?
Answer: The process owner.
Question: Who should be the primary driver to implement new regulatory changes?
Answer: The business process owner.
D. An external consultant
2. A project for implementing new regulatory requirements should be primarily driven by:
Risk Reporting
The results of risk monitoring should be presented to management at regular intervals. These results
should be meaningful to the recipient and be presented in a simple manner without the excessive use
of technical terms. Red (high-risk), amber (medium-risk), and green (low-risk) reporting help
management understand the risk posture of the organization.
A risk analysis should also include details about potential impact as it will help determine the extent
of the risk mitigation measures required.
Thus, the objective of key risk indicators is to flag an exception as and when it occurs. This provides
an opportunity for the organization to respond to the risk before damage is caused. Examples of key
risk indicators are as follows:
Amount of unauthorized software detected in an audit
Take the example of system downtime. The threshold (maximum limit) for key risk indicators can be
set as follows:
Reporting a change in risk profile to management is the responsibility of the security manager. A
security manager should present to management the status of the organization's updated risk profile at
regular intervals. Management should also be updated about any significant events or incidents
impacting the organization.
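The following is an added illustration of the KRI idea described above, not code from the book: a downtime KRI is computed per month from an outage log and rated red, amber, or green against thresholds, with anything above green flagged as an exception for management. The outage records and the threshold values are constructed for the example (the book's own threshold list is not reproduced here), and an outage that straddles a month boundary is clipped so each month is charged only for the part it experienced.

```python
from datetime import datetime, timedelta

# Constructed thresholds for a system-downtime KRI, in hours of downtime per
# month (hypothetical values; the book's own threshold table is not on this page).
DOWNTIME_THRESHOLDS = {"amber": 2.0, "red": 4.0}

# Constructed outage log: (start, end) in ISO 8601, one entry per outage.
SAMPLE_OUTAGES = [
    ("2024-03-02T10:00", "2024-03-02T10:45"),  # 45 minutes
    ("2024-03-15T22:10", "2024-03-16T01:10"),  # 3 hours, crosses midnight
    ("2024-03-31T23:00", "2024-04-01T01:00"),  # 2 hours, crosses the month boundary
    ("2024-04-03T09:00", "2024-04-03T09:30"),  # 30 minutes
]


def month_window(year, month):
    """Return [first instant of the month, first instant of the next month)."""
    start = datetime(year, month, 1)
    end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return start, end


def monthly_downtime_hours(outages, year, month):
    """Sum the outage time that falls inside the given month.

    Outages that straddle a month boundary are clipped so that each month is
    charged only for the portion it actually experienced.
    """
    win_start, win_end = month_window(year, month)
    total = timedelta()
    for start_s, end_s in outages:
        start, end = datetime.fromisoformat(start_s), datetime.fromisoformat(end_s)
        if end <= start:
            raise ValueError(f"outage ends before it starts: {start_s} -> {end_s}")
        clipped_start, clipped_end = max(start, win_start), min(end, win_end)
        if clipped_end > clipped_start:
            total += clipped_end - clipped_start
    return total.total_seconds() / 3600


def rag_rating(hours, thresholds=DOWNTIME_THRESHOLDS):
    """Red at or above the red threshold, amber at or above the amber threshold, else green."""
    if hours >= thresholds["red"]:
        return "red"
    if hours >= thresholds["amber"]:
        return "amber"
    return "green"


def kri_report(outages, months, thresholds=DOWNTIME_THRESHOLDS):
    """One row per month: downtime, RAG rating, and whether the KRI flagged an exception.

    An exception is anything above green: the point at which management is
    told, so it can respond before the situation turns into damage.
    """
    rows = []
    for year, month in months:
        hours = monthly_downtime_hours(outages, year, month)
        rating = rag_rating(hours, thresholds)
        rows.append({"month": f"{year}-{month:02d}", "downtime_hours": hours,
                     "rating": rating, "exception": rating != "green"})
    return rows


if __name__ == "__main__":
    for row in kri_report(SAMPLE_OUTAGES, [(2024, 3), (2024, 4)]):
        flag = "EXCEPTION" if row["exception"] else "ok"
        print(f"{row['month']}: {row['downtime_hours']:.2f} h downtime -> {row['rating']} ({flag})")
```

With the constructed data, March accumulates 4.75 hours (red, reported as an exception) and April 1.5 hours (green), which is the kind of plain, non-technical summary the passage says management should receive.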
Question: What is the primary goal of a risk management program?
Answer: To support the achievement of business objectives.
Question: Why should risk be assessed periodically?
Answer: Risk should be reassessed periodically because risk changes over time.
D. The potential impact helps determine the probability of occurrence of a risk event
2. As a newly appointed information security manager, you are required to identify new threats. Your first step should be:
C. Understanding the business objectives and the flow and classification of information
3. As an information security manager, you are evaluating the use of cloud services for the storage of an organization's data. An area
of major concern for the use of cloud services is:
A. Increase in cost
5. A security manager received a request to approve an exception to the security standard for a proposed system change. What
should their first course of action be?
6. A security manager noted exceptions to a set of standards that result in significant risk. What should the first course of action for
the security manager be?
7. The security policy of an organization mandates the encryption of data that is sent to an external party. However, a regulatory
body insists that unencrypted data is shared with them. What should the security manager do?
10. A security manager received a request to approve an exception to a security standard for a proposed system change. What is their
best course of action?
B. To reject the approval and insist on compliance with the security policy
12. A security manager notices that risk management activities are inconsistent throughout the organization. What should their first
course of action be?
13. A continuous monitoring tool has flagged noncompliance. What should the security manager's first course of action be?
14. An organization uses electronic swipe cards for physical access. The security manager has requested access to physical access
data. What is the primary cause for asking for this data?
15. The risk of disruption due to distributed denial of service (DDoS) can be classified as:
A. Aggregate risk
B. Systemic risk
C. Residual risk
D. Operational risk
16. The most effective way to address an insider security threat is:
A. Penetration testing
18. Which is the area of most concern for a security manager reviewing the parameters for the acquisition of a new system?
A. The functionality of the new system may not support business processes
B. Existing staff may not be able to provide ongoing support for the new system
C. The new system may affect the security or operations of other systems
19. A security manager has been advised by an enforcement agency about their organization being the target of a group of hackers.
What should the security manager's first step be?
Step 3: Conduct a risk assessment by identifying risk, analyzing the level of risk based on impact,
and evaluating whether the risk meets the criteria for acceptance.
Step 4: Determine the risk treatment options for risks that are above the acceptable level. Risk
treatment can come in any of the following forms:
Mitigating the risk by implementing additional controls
Accepting the risk (generally, this option is selected when the impact is low and the cost of treatment exceeds the impact)
Avoiding the risk (generally, this option is selected when a feasibility study or a business case does not indicate positive results)
Transferring the risk to third parties, such as insurance companies (generally, this option is selected for low-probability risks that
have a high impact, such as a natural disaster)
An appropriate risk treatment method is one that helps to achieve the control objectives in an efficient
manner.
Step 5: Determine the acceptability of the residual risk (that is, risk remaining after the treatment) as
per the management.
Step 6: Monitor the risk on a continuous basis and develop an appropriate procedure to report the
results of the risk monitoring to management.
During all the mentioned steps, it is equally important to share the relevant information about risk
management activities with the concerned stakeholders. An effective communication process
improves the entire risk management process.
Effective risk management requires participation, support, and acceptance by all relevant members of
the organization, starting with senior management. Employees must understand their responsibilities
and be able to perform their required roles.
Risk controls are considered sufficient when the residual risk is less than or equal to the acceptable
risk.
Availability of documented roles and responsibilities for the implementation of the program
By defining the risk management framework, the basic parameters for managing risks are
established. Basic parameters include criteria for acceptable risk, the objective of controls, and
processes to monitor the effectiveness of those controls. Frameworks help to achieve the following
objectives:
Having a common understanding of organizational objectives
Developing a structured process for the identification of risk and assessment of the level of risk
The internal context includes management requirements, the organization's structure and culture,
goals and objectives, and the organization's strengths and weaknesses.
Gap Analysis
A gap analysis is the process used to determine the gap between the existing level of risk
management compared to the desired state of it. Based on the desired state, control objectives are
defined. The objective of a gap analysis is to identify whether the control objectives are being
achieved through the risk management process.
Periodically determining the gap between actual controls and their objectives should be routine
practice. A gap analysis is generally done by determining the effectiveness of controls through
control testing. If a gap is identified, then controls may need to be modified or redesigned to improve
their effectiveness.
Cost-Benefit Analysis
The most important factor in the selection of controls is the cost-benefit balance. The implemented
controls should be effective (that is, able to address the risk) as well as efficient (providing the most
benefit compared to the costs incurred).
A cost-benefit analysis is performed to ensure that the cost of a control does not exceed its benefit
and that the best control is implemented for the given cost. A cost-benefit analysis helps to justify the
implementation of a specific control measure.
Many organizations sponsor security-related roundtables to discuss topics of common interest. This helps to accumulate
knowledge from experts in the industry.
Many institutes are involved in training related to security aspects, such as vulnerability assessment, penetration testing, secure
coding, and end user awareness.
Many organizations release a list of current vulnerabilities impacting specific technology. This can be either a free service or a
subscription-based service. External vulnerability sources are the most cost-effective methods of identifying new vendor
vulnerabilities.
Information security is an ever-evolving subject, and a security manager should keep themself
updated through the preceding sources.
Question: In which phase of system development should risk assessment be initiated?
Answer: The feasibility phase (risk should be addressed as early as possible in the development cycle).
Question: What is the objective of a cost-benefit analysis?
Answer: A cost-benefit analysis is performed to ensure that the cost of a control does not exceed its benefit and that the best control is implemented for the given cost.
Question: What is the prime objective of a gap analysis?
Answer: To measure the current state vis-à-vis the desired state.
Question: Which of the following is the best resolution when a security standard is in conflict with a business objective?
Answer: To perform a risk analysis and decide, based on the cost-to-benefit ratio, whether an exception to the standard is to be allowed.
Question: What is the objective of integrating different assurance functions?
Answer: To achieve cost-effective risk mitigation across the organization.
2. As an information security manager, you are required to implement controls and countermeasures. Your most important
consideration should be:
A. Reducing IT risk
B. Cost-benefit balance
C. Resource utilization
D. To measure the current state of control versus the desired future state
D. To improve performance
5. The best method to evaluate and select a control when there is a budget constraint is:
B. A risk analysis
C. A cost-benefit analysis
D. A vulnerability analysis
6. Which of the following is the most effective technique to determine whether a specific risk reduction control should be
implemented?
A. A cost-benefit analysis
B. A vulnerability analysis
C. Penetration testing
9. The main objective of implementing security aspects during the first stage of a project's life cycle is:
10. An information security manager notices that due to slow biometric response and a large number of employees, a substantial
amount of time is wasted in gaining access to the building. This has also increased instances of piggybacking. What is the security
manager's best course of action?
A. To replace the biometric system with one that has a better response time
B. A risk analysis
C. A threat analysis
D. A vulnerability assessment
12. What is the primary objective of periodic analysis of the gap between the control and the control objectives?
14. What is the best way to determine the most critical factor among confidentiality, integrity, and availability?
15. What is the prime objective of a cost-benefit analysis before the implementation of a control?
16. The best quantitative indicator of an enterprise's current risk appetite is:
17. An organization has two servers that have similar content. However, only one of the servers is hardened. The most probable
reason for this choice is:
18. The first step for integrating risk management practices into business processes is:
A. A workflow analysis
B. A threat analysis
C. A hierarchy analysis
D. Addresses the financial liability but leaves the legal and reputational risks generally unchanged
D. The number of security incidents causing significant financial loss or business disruptions
Change Management
A change management process is used to change hardware, install software, and configure various
network devices. This process includes approval, testing, scheduling, and rollback arrangements.
Any changes to the system or the process are likely to introduce new vulnerabilities. Hence, it is
critical for a security manager to identify and address new risks.
Regression Testing
Regression testing is a part of change management. The objective of regression testing is to prevent
the introduction of new security exposures when making modifications. Thus, change management is
the best way to ensure that modifications made to systems do not introduce new security exposures.
System users are in the best position to conduct user acceptance testing and determine whether any
new vulnerabilities have been introduced during the change management process.
Preventive Controls
Change management is considered a preventive control as it requires all change requests to pass
through formal approval, documentation, and testing via a supervisory process.
Question: What is the prime objective of change management?
Answer: To ensure that only authorized changes are carried out.
Question: What is the best way to reduce the risk arising from modifications of a system?
Answer: Implementing a change management process.
A. Load testing
B. Patch management
C. Change management
D. Security baseline
2. The most effective method to prevent a weakness from being introduced into an existing system is:
A. Antimalware software
B. Patch management
C. Change management
D. A firewall
3. Who is in the best position to determine that a new vulnerability has not been introduced during the change management process?
A. An internal auditor
B. A system user
C. A system administrator
4. What is the most effective method to evaluate a security risk while modifying applications?
A. The change management process should be handled by the information security team
C. The change management process should be a part of release and configuration management
D. The change management process should include mandatory involvement of the information security department
A. Compensating control
B. Corrective control
C. Preventive control
D. Deterrent control
A. Detailed documentation
B. Impact analysis
C. Scheduling
D. Authorization
A. Audit management
B. Release management
C. Change management
D. Configuration management
9. Why is it important to get approval from the security manager for implementing any major changes?
B. To ensure that any risks arising from the proposed changes are managed
10. Disruptions to the production system can be most effectively prevented by:
11. An organization's change management process includes threat and vulnerability assessments. The primary reason for this is:
12. What is an area of major concern with respect to security risks for an organization with multiple locations?
13. The main objective of including a threat and vulnerability assessment in a change management process is:
Patch Management
Patch management is the process of updating operating systems and other software to correct errors
or enhance performance.
A well-defined and structured patch management process helps to address new vulnerabilities related
to operating systems. The timely update of patches helps to secure operating systems and
applications.
Patches are generally applied to operating systems, applications, and network software. They help fix
vulnerabilities in the system.
Patches should be applied through a structured change management process that includes approval,
testing, user acceptance testing, and proper documentation. The testing of a patch prior to
implementation is of utmost importance. Deploying untested patches may cause the system to fail.
Furthermore, appropriate rollback procedures should be in place in case of unexpected failure.
Question: What is the best way to ensure that newly identified security weaknesses in an operating system are mitigated in a timely manner?
Answer: Patch management.
Question: What is the first step when an organization receives a patch update?
Answer: To validate the authenticity of the patch.
Question: What is the correct frequency for a patch update?
Answer: Whenever important security patches are released. However, all patches should be tested first.
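As an added example of the two points made in this section (validate authenticity first, then let the patch pass through the change management steps before deployment), the code below is not from the book. It checks a patch file against a SHA-256 checksum obtained separately from the vendor and then lists which required steps (testing, user acceptance, approval, rollback plan) are still outstanding. The sample patch bytes and the "vendor" checksum are constructed for the example; in practice the checksum, or better a signature, must come from the vendor's own authenticated channel, because a checksum that arrived in the same email as the patch proves nothing about where the patch came from.

```python
import hashlib
import hmac

# Constructed sample patch, and the checksum a vendor would publish for it on an
# authenticated channel (computed locally here purely as a stand-in).
SAMPLE_PATCH = (
    b"--- a/service.conf\n+++ b/service.conf\n"
    b"@@ -1 +1 @@\n-tls_min_version = 1.0\n+tls_min_version = 1.2\n"
)
VENDOR_SHA256 = hashlib.sha256(SAMPLE_PATCH).hexdigest()

# Steps the structured process in the text requires before a patch is deployed.
REQUIRED_STEPS = ("authenticity_verified", "tested", "uat_passed",
                  "change_approved", "rollback_plan")


def verify_patch_checksum(patch_bytes, published_sha256):
    """First step: confirm the received bytes match the vendor's published SHA-256.

    A patch that arrives without an independently obtained checksum (for
    example, one that simply turned up by email) cannot be validated, so it
    is rejected rather than trusted on sight.
    """
    if not published_sha256:
        return False
    actual = hashlib.sha256(patch_bytes).hexdigest()
    # constant-time comparison, so timing does not reveal how much of the digest matched
    return hmac.compare_digest(actual, published_sha256.strip().lower())


def deployment_gate(record):
    """Return the change-management steps still missing before deployment.

    `record` maps each name in REQUIRED_STEPS to a boolean; an empty result
    means every step the process demands has been completed.
    """
    return [step for step in REQUIRED_STEPS if not record.get(step, False)]


def assess_patch(patch_bytes, published_sha256, record):
    """Combine the authenticity check with the process gate; returns (ok, missing_steps)."""
    checked = dict(record)
    checked["authenticity_verified"] = verify_patch_checksum(patch_bytes, published_sha256)
    missing = deployment_gate(checked)
    return (not missing), missing


if __name__ == "__main__":
    progress = {"tested": True, "uat_passed": True, "change_approved": True, "rollback_plan": True}
    print(assess_patch(SAMPLE_PATCH, VENDOR_SHA256, progress))          # (True, [])
    print(assess_patch(SAMPLE_PATCH + b"\n", VENDOR_SHA256, progress))  # tampered bytes
    print(assess_patch(SAMPLE_PATCH, None, progress))                   # no reference checksum
```

The gate deliberately keeps "authenticity_verified" out of the caller's hands: it is set only from the checksum result, so a patch cannot be marked verified by documentation alone.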
A. Verifying the change control request and tracing it to the patch logs
B. Verifying whether the last patch was properly documented and verified
C. Verifying the patch logs and tracing them to the change control request
D. Verifying whether the last change control request was properly documented
2. An area of major concern for an enterprise resource planning (ERP) system is:
3. The most important factor to be considered while implementing a patch management procedure is:
4. What is the first step when a system starts facing issues immediately after the deployment of a patch?
A. Assessing the problem and initiating rollback procedures if required
5. An organization has received a patch through email to be applied on an emergency basis. What should the first step be?
6. Which of the following is the best technique for timely mitigation of a newly identified vulnerability in an operating system?
A. Patch management
B. Internal audit
C. Change management
D. Security baseline
Remember, RTO (that is, time) is for system downtime, whereas RPO (that is, point) is for data loss.
The following practical examples further explain the difference between the two:
Example 1: An organization can accept data loss for up to 4 hours. However, it cannot afford to have any downtime. What are the
RTO and RPO?
Solution: Here, a data backup is done every 12 hours, so the maximum data loss is 12 hours. Hence,
the RPO is 12 hours.
Example 3: An organization takes a data backup three times a day. The first backup is at 8 a.m., the second at 4 p.m., and the third
at 12 a.m. What is the RPO?
Solution: Here, a data backup is done every 8 hours, so the maximum data loss is 8 hours. Hence, the
RPO is 8 hours.
Example 4: Following an incident, systems at the primary site went down at 3 p.m. and then resumed from the alternate site at 6
p.m., as per the defined RTO. What is the RTO?
Solution: The system was down for 3 hours, so the RTO is 3 hours.
Example 5: Identify the RTO and RPO in an instance where the BCP of an organization requires zero data loss (that is, no data
should be lost) and processing should resume in 36 hours.
Solution: Here, the organization is accepting a system downtime of up to 36 hours, so the RTO is 36
hours. However, the organization cannot afford to have any data loss, so the RPO is 0 hours.
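The worked examples above can be generalized: the RPO a backup schedule can support is the longest interval between consecutive backups, including the overnight interval from the last backup of one day to the first of the next, and the achieved recovery time is simply the elapsed time from outage to resumption. The following added example (not code from the book) computes both and checks them against stated objectives; unlike the evenly spaced schedules in the examples, it also handles uneven schedules, where the overnight gap is usually the worst case. Backup times are given as "HH:MM" strings and outage timestamps in ISO 8601; all sample values are constructed.

```python
from datetime import datetime

MINUTES_PER_DAY = 24 * 60


def _minutes_of_day(hhmm):
    """Parse an 'HH:MM' clock time into minutes since midnight, validating the range."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    if not (0 <= hours < 24 and 0 <= minutes < 60):
        raise ValueError(f"invalid clock time: {hhmm}")
    return hours * 60 + minutes


def worst_case_rpo_hours(backup_times):
    """Worst-case data loss, in hours, for a daily backup schedule.

    This is the longest interval between two consecutive backups, including the
    interval that wraps past midnight. A schedule can only support an RPO at
    least this large.
    """
    if not backup_times:
        raise ValueError("at least one backup per day is required")
    minutes = sorted(_minutes_of_day(t) for t in backup_times)
    gaps = [later - earlier for earlier, later in zip(minutes, minutes[1:])]
    gaps.append(MINUTES_PER_DAY - minutes[-1] + minutes[0])  # wrap-around gap
    return max(gaps) / 60


def achieved_recovery_hours(down_at, resumed_at):
    """Elapsed downtime between the outage and the resumption of processing."""
    down, resumed = datetime.fromisoformat(down_at), datetime.fromisoformat(resumed_at)
    if resumed < down:
        raise ValueError("resumption cannot precede the outage")
    return (resumed - down).total_seconds() / 3600


def check_objectives(backup_times, down_at, resumed_at, rto_hours, rpo_hours):
    """Report whether the schedule supports the RPO and the recovery met the RTO."""
    supported_rpo = worst_case_rpo_hours(backup_times)
    recovery = achieved_recovery_hours(down_at, resumed_at)
    return {
        "worst_case_data_loss_hours": supported_rpo,
        "rpo_met": supported_rpo <= rpo_hours,
        "recovery_hours": recovery,
        "rto_met": recovery <= rto_hours,
    }


if __name__ == "__main__":
    # Example 3 from the text: backups at 8 a.m., 4 p.m. and 12 a.m. -> 8 hours
    print(worst_case_rpo_hours(["08:00", "16:00", "00:00"]))
    # Uneven schedule: two backups four hours apart leave a 20-hour overnight gap
    print(worst_case_rpo_hours(["08:00", "12:00"]))
    # Example 4 from the text: down at 3 p.m., resumed at 6 p.m. -> 3 hours
    print(achieved_recovery_hours("2024-01-01T15:00", "2024-01-01T18:00"))
    print(check_objectives(["08:00", "16:00", "00:00"],
                           "2024-01-01T15:00", "2024-01-01T18:00",
                           rto_hours=4, rpo_hours=8))
```

The uneven case is the one worth remembering: three backups during office hours still leave an overnight gap that sets the real RPO, which is why the check looks at the longest gap rather than the average.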
RTO and RPO for Critical Systems
The RTO indicates a user's tolerance for system downtime. Similarly, the RPO indicates a user's
tolerance for data loss. In the case of critical systems and critical data, an organization cannot afford
to have much downtime or data loss. Hence, in the case of critical systems, the RTO and RPO are
generally zero or near zero. A low RTO indicates that a system should be resumed at the earliest
possible juncture. A low RPO indicates that data loss should be at a minimum.
To put it in another way, if the RTO and RPO are low (that is, zero or near zero), then the systems and
data are both critical to the organization.
RTO, RPO, and Maintenance Costs
A low RTO indicates that systems are critical and need to be resumed as soon as possible. To achieve
this objective, organizations need to invest heavily in redundancy, that is, duplicate or alternative
processing sites. A hot site is ideal where the RTO is lower, but this is a costly affair. A hot site refers
to a site where all the infrastructure is readily available.
On the other hand, if the RTO is high, this indicates that systems are not that critical and that the
organization can afford downtime to some extent. An organization need not invest in redundancy for
systems with a high RTO. A cold site is ideal when the RTO is higher. A cold site refers to a site
where there is only limited infrastructure.
A low RPO indicates that data is critical and should not be lost. That is, if the RPO is zero, the
security manager needs to ensure that there is no data loss. They should invest heavily in data backup
management. Data mirroring or data synchronization are some ideal techniques to use when the RPO
is zero or very low. Hence, for a low RPO, data maintenance costs will be higher compared with a
high RPO. Thus, if both the RTO and RPO are low (that is, zero or near zero), then the cost of
maintaining the environment is high.
RTO, RPO, and Disaster Tolerance
Disaster tolerance indicates an organization's tolerance to the nonavailability of IT facilities. A low
RTO/RPO indicates that the disaster tolerance is low; that is, the organization cannot tolerate system
downtime or data loss. A high RTO/RPO indicates that disaster tolerance is high; that is, the
organization can tolerate system downtime and/or data loss up to a certain level.
RTO, RPO, and BIA
The RTO and RPO are primarily based on business impact analysis (BIA). The BIA helps to
determine critical systems and processes of the organization. The RTO and RPO of critical systems
and processes are low compared to noncritical systems and processes. For example, online banking
systems have almost zero RTO and RPO. Banks cannot afford to lose even a single transaction.
A. Risk assessment
B. Gap analysis
C. BCP testing
2. An information security manager observes that not enough details are documented in the recovery plan, and this may prevent
meeting the RTO. Which of the following compensates for the lack of details in the recovery plan and ensures that the RTO
is met?
A. Establishing more than one operation center
Phase and description:
Phase 1: Initiation/Feasibility. The objective, purpose, and scope of the system are discussed, finalized, and documented.
Phase 2: Development/Acquisition. In this phase, alternatives are evaluated, and the system is developed or acquired from a third party.
Phase 3: Implementation. In this phase, the system is tested, and migration activities are carried out.
Phase 4: Operations/Maintenance. In this phase, regular updates and maintenance are carried out for the upkeep of the system.
Phase 5: Disposal. In this phase, obsolete systems are discarded by moving, archiving, discarding, or destroying information and sanitizing the hardware and software.
A security manager should be involved in all phases of the SDLC. Furthermore, the security
requirements should be integrated into all SDLC phases. Performing risk assessments at each stage of
the SDLC is the most cost-effective way of addressing any flaws early.
The following aspects should be addressed during the risk assessment of any project:
What level of confidentiality is required for the system?
The impact of any laws or regulations on the project (for example, privacy laws)
The best way to implement risk management processes on a continuous basis is to develop a
structured change management procedure.
Question: What is the most effective approach to ensure the continued effectiveness of information security controls?
Answer: Effective life cycle management.
Question: What is the best way to address risk at various life cycle stages?
Answer: A structured change management procedure.
A. Implementation
B. Testing
C. Programming
D. Feasibility
3. Which of the following processes addresses risk at various life cycle phases?
A. Change management
B. Patch management
C. Release management
D. Configuration management
4. Which of the following is the most effective method for the continued effectiveness of controls?
Summary
In this chapter, you explored the practical aspects of risk management. This chapter helps you, the
CISM candidate, to classify assets and manage the operational risks of your organization. This
chapter also helps you integrate risk management with the asset life cycle.
The next chapter will cover the procedural aspects of information risk management.
Revision Questions
1. What is the primary objective of a risk management program?
2. Which of the following vulnerabilities will allow attackers to access data through a web application?
A. To place a honeypot
D. Penetration test
5. A security manager notes an incident though none of the controls have failed. What is the most likely cause of there being no
failure?
B. Absence of controls
D. Operational error
6. What is the best metric to determine the effectiveness of a control monitoring program?
D. The time gap between the occurrence of the incident and its detection
7. An organization decides to not comply with a recent set of regulations. What is the most likely reason for this decision?
A. The regulation will increase the complexity of business processes
C. The cost of implementation of the regulation is much higher than the risk of noncompliance
A. Performance metrics
11. Which among the following is the main criterion for approving a policy exception?
A. Project deadlines
12. A security manager notes that a new regulatory requirement is applicable to the organization. What should their next course of
action be?
A. To take approval from the information security committee to implement the new requirement
C. To implement controls
A. To develop a roadmap for the implementation of achieving compliance with the privacy law
B. To determine the systems and processes that contain the privacy components
14. The most important aspect of an effective risk management program is:
16. Which of the following components of a risk assessment will require the highest amount of speculation?
A. Consequences
B. Exposure
C. Vulnerability
D. Likelihood
17. A security manager has received a request from a business unit to implement a new technology that goes against the information
security standards. What should their next course of action be?
18. A security manager has received a request from the IT function to not update the business impact analysis for a new application as
there is no change in the business process. What should their next course of action be?
C. To provide instructions to modify the BIA after a post-implementation review of the new application
D. To recommend an audit review
19. What is the best way to address a conflict between a security requirement and a business objective?
20. A security manager notes a security breach in another organization that has employed a similar technology. What should their next
course of action be?
D. To remind staff that the organization is not currently affected by security breaches
21. What is the most important aspect of the effective risk management of IT activities?
A. Downtime tolerance
B. Security budget
23. A security manager has determined the objectives of a review. The next step is to determine:
A. The limitations
B. The approach
C. The scope
24. A security manager notes that there is a considerable delay between the identification of a vulnerability and the application of a
patch. What should be their first course of action to address the risk during this period?
25. A security manager notes that not all employees comply with the access control policy for the data center. To address this issue,
the security manager should first:
26. Which of the following is used to determine the level of effort required to improve risk management processes?
A. A workflow analysis
C. A gap analysis
D. Return on investment
27. A security manager is implementing a bring your own device (BYOD) program. Their first step should be:
28. A security manager notes that different criteria are used by different departments for measuring risk. To improve this situation, the
manager should recommend:
A. A zero-deviation area
B. A risk management area of focus
C. An operational issue
32. A security manager notes that a web-based service is gaining popularity on the market. They should first:
33. What is the best way to achieve cost-effective risk mitigation activities throughout an organization?
35. A security manager has received a request for overwriting the data stored on a magnetic tape due to limited storage availability.
They should refer to:
36. The most essential element to consider the extent of protection requirements is:
A. Exposure
B. Threat
C. Vulnerability
D. Probability
37. The legal and regulatory requirements should be prioritized on the basis of:
Apart from technical skills, a security manager is expected to have a thorough understanding of the
business processes and objectives. They should ensure that the objectives of the security program are
aligned with the business objectives. Security objectives should have the consensus of the business
management. Security objectives are important to the security program and without them, it will not
be possible to define metrics and monitor the progress of the program. The main goal of a security
program is to implement the security strategy and develop a defined program.
The information security charter can act as a foundation to provide guidance on information security
governance.
A security manager should consider the following aspects while seeking support and a budget from
senior management:
The security strategy should be aligned with the business objectives and goals.
The security manager should obtain consensus from other business units when designing the security strategy.
To the extent possible, the benefits of the proposed project should be quantified in a business case.
Thus, the best way to obtain support from senior management is to let them know how information
security is supporting the business objectives.
Defense in Depth
Defense in depth (DiD) is an arrangement wherein multiple layers of controls are implemented to
protect the information resources. Its intent is to provide redundancy in case one control fails. The
first layer of DiD prevents the event from occurring, that is, by implementing preventive controls
such as authentication. The second layer is containment, which involves isolating and minimizing the
impact. The third layer is reaction, that is, incident response procedures. The final layer is the
recovery and restoration procedure. This includes backup arrangements.
Question: What is the most important reason that an information security manager must have an understanding of information technology?
Possible Answer: To understand the risk of technology and its contribution to security objectives
Question: What is the most common starting point for the development of an information security program?
Possible Answer: A risk assessment and defining control objectives
NOTE
The answers and explanations for all practice and revision questions for this chapter can be found via this link.
A. To ensure that the latest and most feasible technology is being used
A. Risk assessment
B. Architecture
C. Strategy
D. Guidelines
5. What is the most important aspect to be considered at the time of establishing an information security program?
6. The involvement of senior management in an information security program will first determine:
A. The charter
C. The budget
A. Containment
B. Prevention
C. Reaction
D. Recovery
A. Isolation
B. Authentication
C. Incident procedures
D. Recovery procedure
An information security manager must be capable of making technical decisions to ensure that the
deployed technologies are aligned with the information security program's goals and objectives. The
following are some of the technological aspects that an information security manager needs to deal
with:
Placement of firewalls
Antivirus/antimalware systems
Step 2: Establish ownership of each information asset. The identification of an asset owner is a
prerequisite for the implementation of the classification policy. In the absence of an owner, the true
value of the asset cannot be determined.
Step 4: Classify the information assets based on their valuation. Classification can be in the form of
high-value data, medium-value data, and low-value data, or in the form of confidential data, sensitive
data, private data, and public data. Classification should be kept simple considering the different
degrees of the criticality of the assets.
Step 6: Implement the level of protection according to the level of classification. Confidential data
should be highly protected, whereas public data may not require any protection.
The data owner/system owner should be responsible for maintaining effective security controls on information assets.
Legal/regulatory/contractual
Confidentiality
Integrity
Availability
Information classification is primarily based on inputs from data owners. Business managers (data owners) will have thorough
knowledge of business impact due to the non-availability of their systems, data, or other assets.
Security managers need to ensure that the requirements of the data owners are properly identified and appropriately addressed in
the information classification policy.
Security managers need to ensure that the classification policy is made available to all users. The
content of the classification policy should be part of the security awareness program. Without user
awareness about the classification requirements, the policy will not be implemented in its true sense.
Assessment
The prime basis for determining the classification of information assets is the criticality and
sensitivity of those assets in relation to achieving business objectives. An impact assessment is used
to determine the criticality and sensitivity of assets.
Risk Analysis
Risk analysis is the process of determining the level of risk. Risk level can be either quantified in
terms of cost or can be expressed as qualitative indicators such as high risk, medium risk, or low risk.
The results of a risk analysis help the security manager to determine the efforts that would be
required to address any risk. More resources may be required to mitigate high-risk areas, whereas
fewer resources may be required to mitigate low-risk areas.
Business Interruptions
The objective of a classification policy is to ensure that the appropriate level of protection is applied
to each class of information. However, it should not interrupt the business processes. Data should be
made available to authorized users. The classification policy should not create unnecessary hurdles
for normal business processes.
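The classification steps above (owner first, then valuation, classification, and protection matched to the level), the impact assessment that feeds them, and the warning against under- and over-protection can be tied together in one small routine. The following is an added example, not code from the CISM guide: the three-level scheme, the high-water-mark rule (the classification follows the single highest impact factor) and the baseline controls per level are assumed policy values chosen for illustration, and the sample assets are constructed.

```python
"""Derive an asset's classification from its impact assessment and
compare the controls in place against the baseline for that level.

Added example, not from the CISM guide. The impact scale, the
high-water-mark rule and the per-level baseline are assumptions.
"""

IMPACT_SCALE = {"low": 1, "medium": 2, "high": 3}
CLASS_BY_SCORE = {1: "public", 2: "sensitive", 3: "confidential"}
# The four impact factors used for classification in the text.
IMPACT_FACTORS = ("legal", "confidentiality", "integrity", "availability")

# Baseline controls required at each level (assumed policy, not the book's).
BASELINE = {
    "public": set(),
    "sensitive": {"authentication", "access-review"},
    "confidential": {"authentication", "access-review",
                     "encryption-at-rest", "audit-logging"},
}


def classify(asset):
    """Return the classification level for an asset record.

    asset = {"name": ..., "owner": ..., "impact": {factor: "low"|"medium"|"high"}}
    An asset without an owner cannot be valued, so it cannot be classified.
    """
    if not asset.get("owner"):
        raise ValueError(f"{asset['name']}: no owner assigned, cannot value asset")
    scores = [IMPACT_SCALE[asset["impact"][f]] for f in IMPACT_FACTORS]
    return CLASS_BY_SCORE[max(scores)]  # high-water mark


def protection_gap(asset, implemented):
    """Compare implemented controls with the baseline for the asset's level.

    Returns (level, missing, excess): missing controls mean under-protection;
    excess controls mean over-protection that may hinder the business.
    """
    level = classify(asset)
    required = BASELINE[level]
    return level, sorted(required - implemented), sorted(implemented - required)


# Constructed sample assets.
PAYROLL = {"name": "payroll-db", "owner": "head of finance",
           "impact": {"legal": "high", "confidentiality": "high",
                      "integrity": "medium", "availability": "medium"}}
BROCHURE = {"name": "product-brochure", "owner": "marketing manager",
            "impact": {"legal": "low", "confidentiality": "low",
                       "integrity": "low", "availability": "low"}}
ORPHAN = {"name": "legacy-share", "owner": None,
          "impact": {"legal": "low", "confidentiality": "medium",
                     "integrity": "low", "availability": "low"}}

if __name__ == "__main__":
    for asset, controls in ((PAYROLL, {"authentication", "access-review"}),
                            (BROCHURE, {"encryption-at-rest"})):
        print(asset["name"], protection_gap(asset, controls))
```

The ownerless asset deliberately raises instead of being classified: without an owner there is nobody to state the business impact, which is the point the text makes about ownership being a prerequisite.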
Question: What is the main advantage of asset classification?
Possible Answer: It determines the appropriate level of protection applicable to each asset. Classification helps to reduce the risk of under-protection or over-protection of assets.
B. Asset categorization
C. Asset valuation
D. Implementing controls
2. As an information security manager, you are required to allot ownership of sensitive data that is only used by the employees of the
finance department. Who should have ownership of this data?
C. The head of IT
3. As an information security manager, you are required to design an information classification policy. What should your most
important consideration be?
B. Availability of technology
C. Number of staff
5. The extent of resource utilization for the mitigation of risk is determined by:
B. Audit observations
C. A vulnerability assessment
D. Security budget
9. An organization has developed software code that gives it a competitive edge. Which of the following policies will govern the
protection level of the code?
A. Senior management
11. The main reason for data classification in accordance with criticality and sensitivity is to:
12. For a publicly traded organization, the security manager is expected to provide the lowest protection to:
13. The criticality and sensitivity of information assets are primarily based on:
A. Penetration testing
B. Vulnerability testing
D. An impact assessment
B. Senior management
15. What is the most important factor when determining the appropriate protection level for an information asset?
16. Data classification levels are mainly decided on the basis of:
D. Threat factors
A. A vulnerability analysis
B. An impact assessment
C. A control assessment
D. A security test
18. The most important factor for an information classification scheme is:
19. The most important factor for an information classification scheme is:
A. Vulnerability
B. Threat
C. Potential impact
D. Acquisition cost
20. A client has requested that a staff member share some information with them. What should the staff member's first course of
action be?
For example, suppose software is acquired at a cost of $1,000 and it generates revenue of $5,000 per
day. In this case, the business value will be $5,000 per day and not merely the cost of acquisition
($1,000).
For determining the business impact, two independent cost factors are considered. The first is the
downtime cost. Examples of downtime costs include a drop in sales, the cost of idle resources, and
the interest cost. The second is the cost of alternative corrective measures, such as the activation of
a business continuity plan (BCP) and other recovery costs.
Once the business impact is available for each asset, it is important to prioritize the assets in order of
their criticality. This criticality analysis should be performed in coordination with IT and business
users.
A BIA is the best tool for determining the priority of the restoration of applications. Recovery time
objectives (RTOs) are primarily based on a BIA.
Question: What is the first step in performing an information risk analysis?
Possible Answer: Preparing an asset inventory
Question: What is the best tool for determining the priority of the restoration of applications?
Possible Answer: A BIA
2. As an information security manager, you are required to conduct an information risk analysis. What should your first step be?
3. An incident was reported regarding the loss of a mobile device containing unencrypted data. What is the security manager most
concerned about?
D. Senior management
6. A security manager wants to determine the impact of losing network connectivity for 8 to 10 hours. The most important aspect is:
8. What is the greatest challenge in using annual loss expectancy to predict losses?
B. Replacement cost
C. Insurance cost
D. Legal requirements
A. A vulnerability assessment
B. An audit finding
C. Certification
D. Classification
A. A vulnerability assessment
B. Asset valuation
C. Audit findings
D. An architectural analysis
A. Identification of vulnerabilities
B. Identification of threats
13. What is the area of most concern when prioritizing risk management activities?
A. A risk assessment
B. A gap analysis
C. BCP testing
Operational components: Operational components are parts of the framework that cover ongoing management and
administrative activities to ensure the required level of security assurance. Examples of operational components include preparing
standard operating procedures (SOPs), patch management, log analysis, change management, and other routine activities to
support security. Each of these activities should be assigned to individuals with the requisite authority and knowledge.
Management components: Management components are parts of the framework that cover oversight functions. Examples
include the availability of security policies, adequate resources for security, and regular monitoring of key aspects of information
security.
Administrative components: Administrative components are parts of the framework that cover support functions such as HR,
finance, and other functions. Examples of administrative components include personnel job descriptions, performance
management, budget preparation, and calculating RoI.
Educational and informational components: Educational and informational components are parts of the framework that cover
education, awareness, and training requirements for enhancing the security posture of the organization.
A security manager should consider the following factors for the successful implementation of a
framework:
To get the security framework approved, the security manager should demonstrate a positive return on the security investment.
The best method to evaluate the return on security investment is to determine the level of support information security provides to
the business objectives.
The most important thing when developing a framework for an information security program is to determine the desired outcome.
If the desired outcome is not considered at the time of developing the framework, it will be difficult to determine a strategy,
control objectives, and logical architecture.
A security manager should consider the advantages and disadvantages of centralized as well as decentralized security functions.
As already discussed in Chapter 1, Enterprise Governance, centralized functions are more convenient to monitor and control.
Decentralized functions make it easier to promote security awareness and ensure faster turnaround for security requests as they are
closer to business units. Decentralized units are more responsive to business unit needs.
The security framework and the security policy should closely align with organizational needs. Policies must support the needs of
the organization. For the alignment of the security program, a security manager should have a thorough understanding of the
business plans and objectives. Effective strategic alignment of the information security program requires regular interaction with
business owners.
Before implementing the framework and security policy, sign-off should be obtained from all relevant stakeholders to ensure that
the policy supports the objectives and expectations of the business.
Support from senior management is critical for an effective information security program.
The framework should also define the process for handling exceptions to the policies and procedures. The inherent authority to
grant an exception to the information security policy should reside with the authority who approved the policy.
While implementing a framework, a policy, or a control, the most important consideration is the safety of human life.
Some Industry-Recognized Frameworks
The following are some of the industry-recognized frameworks that include essential aspects of
security. Some of them deal exclusively with security:
COBIT
Zachman Framework
NOTE
In the CISM exam, there will be no direct questions on any of the frameworks. The list provided is for your general
knowledge and understanding.
Question: What is the best method to evaluate the return on security investment?
Possible Answer: By determining the extent of support provided to the business objectives.
Question: What are the advantages of a decentralized security function?
Possible Answer: It is more responsive to the requirements of business units.
C. Discuss the situation with data owners to understand the business needs
2. What is the first step in the development of a well-defined information security program?
3. As an information security manager, you are required to determine the return on security investment. This can be done by
evaluating:
6. A security manager notes that compliance with a particular set of standards is weak. What should their first step be?
8. A security manager has received a request for an exception from the standard configuration of an operating system. What should
their first step be?
There can be multiple policies at the corporate level as well as at the department level. It should be
ensured that department-wise policies are consistent and aligned with corporate-level policies.
Standards: These are mandatory requirements to be followed to comply with a given policy, framework, certification, or
regulation. Standards provide detailed directions for compliance.
A standard helps to ensure the efficiency and effectiveness of processes, resulting in reliable products
or services. Standards are updated as and when required to incorporate new processes, technologies,
and regulatory requirements.
A standard is a dynamic document and is changed if control objectives are not achieved or based on
the results of risk assessments.
Procedures: These are detailed steps and actions that help to support the policies and standards. Generally, procedures are
changed more frequently compared to policies and standards.
Guidelines: In some cases, guidelines are required to implement procedures. Guidelines include information such as examples,
suggestions, requirements, and other details for executing procedures.
The last review date confirms the currency of the documents and helps determine that management
has reviewed them and deemed that they meet and address the current business environment.
The security manager should also consider the applicability of policies, standards, procedures, and
guidelines to third-party vendors and service providers and their adherence to these documents.
Question: Who should approve any exception to the information security policy?
Possible Answer: The policy approver
"All computers are required to have the Windows 10 operating system and all servers are required to
have Windows 2008."
1. The statement is an example of a policy
2. Which of the following activities should be exclusively performed by the information security department?
A. Standards
B. Audit
C. Maturity model
D. Guidelines
4. Which of the following is the most appropriate document to ensure compliance with specific regulatory requirements?
A. Policies
B. Standards
C. Procedures
D. Guidelines
D. A standard is a standalone document that does not have a relationship with any policy
9. Who is ultimately responsible for ensuring that information policies are consistent with laws and regulations?
In the second stage, security requirements should be formalized and the basic security policy should
be drafted, and approval should be obtained from senior management. A security steering committee
consists of officials from different business functions. It plays an important part in the finalization of
security requirements. In the third stage, members of the security steering committee emphasize the
promotion of security awareness as a part of the policy and conduct security reviews to see whether
they are in compliance.
In the fourth stage, gaps identified during the security review are addressed and a continuous
monitoring process is developed. Gradually, the security manager can start developing consensus
around roles and responsibilities, processes, and procedures in support of the policy.
The roadmap for the development of a security program should revolve around the organization's
security strategy. The roadmap should consider objectives, resources, and constraints. It should also
include various milestones in terms of key goal indicators.
In the absence of a well-defined strategy, there can be a risk that the security program is not
integrated or prioritized as per the organization's requirements. Most of the information security
development efforts will revolve around the design, development, and implementation of the
controls.
Gap Analysis
The security manager should conduct a gap analysis at periodic intervals to determine the gap
between the control objectives and the performance of existing controls. Identified gaps should be
addressed for improvement. It is also important to develop a procedure for monitoring control
effectiveness. This will help the security program to evolve and mature.
Thus, the final objective of a gap analysis is not only to identify gaps but also to address them for the
improvement of security processes.
A security program should also be integrated with HR processes. For example, in the case of the
termination of an employee, their details should be immediately made available to the security team
to revoke all their access rights.
Similarly, when an employee is transferred to another department, it is very important to review and
update their access rights to ensure that any access no longer needed is removed and appropriate
access for the new position is granted.
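The two HR-driven checks just described (a leaver whose access must be revoked, and a mover whose old entitlements must be reviewed) are the kind of thing a security team should reconcile mechanically rather than rely on tickets. The following is an added example, not code from the CISM guide: the HR feed, the IAM entitlement export and the department-to-entitlement role model are constructed sample data, and their field names are assumptions.

```python
"""Reconcile an HR feed against access entitlements: leavers, movers
and orphan accounts.

Added example, not from the CISM guide. HR_FEED, ENTITLEMENTS and
ROLE_MODEL are constructed sample data with assumed field names.
"""
from dataclasses import dataclass


@dataclass
class Employee:
    user: str
    status: str        # "active" or "terminated"
    department: str


# Entitlements each department's role legitimately needs (assumed role model).
ROLE_MODEL = {
    "finance": {"erp-gl", "payroll-db"},
    "engineering": {"git", "ci"},
}

# Constructed HR feed: carol has been transferred from finance to engineering.
HR_FEED = [
    Employee("alice", "active", "finance"),
    Employee("bob", "terminated", "finance"),
    Employee("carol", "active", "engineering"),
]

# Constructed entitlement export from the IAM system.
ENTITLEMENTS = {
    "alice": {"erp-gl", "payroll-db"},
    "bob": {"erp-gl"},                     # account still active after termination
    "carol": {"git", "ci", "payroll-db"},  # payroll-db carried over from old role
    "dave": {"git"},                       # no HR record at all
}


def reconcile(hr_feed, entitlements, role_model):
    """Return findings keyed by category.

    leaver: terminated employee with any remaining entitlement (revoke all)
    mover:  active employee holding entitlements outside their current
            department's role (review and remove)
    orphan: account with entitlements but no HR record (investigate)
    """
    findings = {"leaver": [], "mover": [], "orphan": []}
    by_user = {e.user: e for e in hr_feed}
    for user, ents in entitlements.items():
        emp = by_user.get(user)
        if emp is None:
            findings["orphan"].append((user, sorted(ents)))
        elif emp.status == "terminated":
            if ents:
                findings["leaver"].append((user, sorted(ents)))
        else:
            excess = ents - role_model.get(emp.department, set())
            if excess:
                findings["mover"].append((user, sorted(excess)))
    return findings


if __name__ == "__main__":
    for category, items in reconcile(HR_FEED, ENTITLEMENTS, ROLE_MODEL).items():
        print(category, items)
```

Run against a daily HR export and IAM dump, the three lists are the work queue: leaver findings are revoked immediately, mover findings go to the new manager for review, and orphans are escalated because nobody in HR owns them.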
Question: What is the initial stage of developing an information security program?
Possible Answer: To determine the security needs and requirements based on discussion with concerned stakeholders such as business units, legal, HR, and finance
Question: What is the basis for determining whether a security program is delivering value?
Possible Answer: By comparing the cost of achieving control objectives and the value of the assets protected
Question: For any new IT project, at what stage should the security department be involved?
Possible Answer: From the beginning, that is, from the feasibility stage
Question: What is the basis for providing user access authorization?
Possible Answer: Ascertaining the business needs
Question: What are the main project activities undertaken in developing an information security program?
Possible Answer: Control design and deployment
2. The final approval for a security patch's update hours should be provided by:
3. When selecting the controls to meet business objectives, the security manager should primarily:
C. Information technology
D. Quality assurance
5. To protect and control the mobile devices issued by the organization, which of the following activities carried out by HR should
be monitored?
B. Background checks
C. Release of paycheck
6. For a new IT project, at which stage should the information security department first become involved?
A. Feasibility stage
B. Implementation stage
C. Design stage
D. Post-implementation stage
7. What is the best way for a data owner to determine what access and authorization should be provided to users?
8. What is the most important aspect to be considered when an employee is transferred to another function?
A. Reviewing and updating their access rights
9. An information security manager should have a thorough understanding of information technology primarily:
Objective of Metrics
By using effective metrics, organizations evaluate and measure the achievement and performance of
various processes and controls. The main objective of a metric is to help management in decision-
making and to facilitate and track continuous improvement in the organization's security posture.
A metric should provide useful information to the relevant assessor so that informed decisions can be
made.
Monitoring
Metrics should be designed and developed in such a way that the results of controls can be
monitored. If a control cannot be monitored, its effectiveness cannot be known, which is an
unacceptable risk. Monitoring enables proper goal setting, progress tracking, benchmarking, and
prioritizing. Monitoring of metrics is fundamental to a successful security program.
Consistent: Metrics should provide consistent results to make them comparable over time. They should provide the same results
under the same conditions each time they are measured.
In the absence of a consistent method, the results of the metrics may not be comparable, and trends
may be misleading. Consistency is important for reasonably accurate and reliable results.
Reliable: The source of input data and information should be genuine and reliable.
Timely: Metrics are useful when available to the user on a timely basis to support them in their decision-making.
Predictive: To the extent possible, metrics should be able to indicate future events.
Unambiguous: Metrics should not be ambiguous. It is better not to have any information rather than to have unclear information.
Primarily, metrics should be based on the security objectives so they can provide a measure to
evaluate the effectiveness and efficiency of the information security program and its objectives.
A defined metric helps to measure the current state of affairs for different security objectives. This
trend can be used to determine improvements in the security program over time. If an organization is
unable to take measurements over time that provide data regarding key aspects of its security
program, then continuous improvement is difficult to monitor.
The main objective of implementing security controls is to minimize the adverse impacts of
incidents. A reduction in the impacts of security incidents indicates that security controls are
effective.
Executive management will be more interested in achieving control objectives as they are directly
linked to business objectives. The achievement of control objectives is the best metric for executive
management to evaluate the effectiveness of the security program.
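Two of the metrics this section names, the percentage of unauthorized attempts that are investigated and the incident trend with its impact, are simple to compute, but the "consistent" and "unambiguous" attributes above are only met if the definition is fixed once and applied identically every period. The following is an added example, not code from the CISM guide: the alert and incident records are constructed sample data and their field names are assumptions.

```python
"""Compute two security metrics from records with a fixed definition.

Added example, not from the CISM guide. ALERTS and INCIDENTS are
constructed sample data; the field names are assumptions.
"""
from collections import defaultdict

# Constructed log-monitoring alerts: each is an unauthorized access
# attempt and whether an analyst investigated it.
ALERTS = [
    {"id": 1, "period": "2024Q1", "investigated": True},
    {"id": 2, "period": "2024Q1", "investigated": False},
    {"id": 3, "period": "2024Q1", "investigated": True},
    {"id": 4, "period": "2024Q2", "investigated": True},
    {"id": 5, "period": "2024Q2", "investigated": True},
]

# Constructed incident register with business impact in currency units.
INCIDENTS = [
    {"period": "2024Q1", "impact": 40_000},
    {"period": "2024Q1", "impact": 15_000},
    {"period": "2024Q2", "impact": 12_000},
]


def investigated_rate(alerts, period):
    """Percentage of unauthorized attempts investigated in a period.

    Returns None when no attempts were raised: reporting 0% or 100% for
    an empty denominator would be exactly the ambiguous figure the text
    warns against.
    """
    in_period = [a for a in alerts if a["period"] == period]
    if not in_period:
        return None
    done = sum(1 for a in in_period if a["investigated"])
    return round(100.0 * done / len(in_period), 1)


def incident_trend(incidents):
    """Per-period (period, count, total impact), ordered by period, so the
    same records always yield the same series for trend reporting."""
    counts = defaultdict(int)
    impact = defaultdict(int)
    for inc in incidents:
        counts[inc["period"]] += 1
        impact[inc["period"]] += inc["impact"]
    return [(p, counts[p], impact[p]) for p in sorted(counts)]


if __name__ == "__main__":
    for period in ("2024Q1", "2024Q2", "2024Q3"):
        print(period, investigated_rate(ALERTS, period))
    print(incident_trend(INCIDENTS))
```

The falling impact from one quarter to the next is the "reduction in the impact of security issues" indicator; the investigated percentage is the log-monitoring effectiveness metric, and a period with no attempts is reported as missing rather than as a misleading number.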
Question: What is the prime objective of having metrics?
Possible Answer: Decision-making: On the basis of effective metrics, organizations evaluate and measure the achievement and performance of various processes and controls. Effective metrics are primarily used for security-related decision-making.
Question: What is the main reason for defining information security objectives?
Possible Answer: To measure the effectiveness of a security program
Question: What is the most significant attribute of a good information security metric?
Possible Answer: The metric should be meaningful to the recipient
Question: What is the best indicator that security controls are performing effectively?
Possible Answer: A reduction in the impact of security issues
Question: What is the best metric for an information security manager to use to support a request to fund new controls?
Possible Answer: Incident trends and their impact
Question: What is the most useful metric to determine the effectiveness of a log monitoring process?
Possible Answer: The percentage of unauthorized penetration attempts that are investigated
3. What is the most important aspect to measure the effectiveness of continuous improvements of a program?
A. Program metrics
C. It is consistent
D. It is cost effective
9. During which phase of system development should information security metrics be developed?
A. Implementation
B. Testing
C. Design
D. Feasibility
10. The most effective metric to be conveyed to senior management for security funding is:
11. What is the most important consideration for the development of an effective information security metric?
12. What is the best way to determine whether a security program is achieving its objectives?
13. What is the best method to resolve non-compliance with information security standards?
14. What is the most accurate method to determine the RoI for a security investment?
15. What is the most useful metric to determine the effectiveness of a log monitoring process?
16. To measure and monitor the information security program, metrics should be based on:
A. Financial risk
B. Operational risk
C. Security objectives
D. Industry standards
18. The most effective approach to improve the information security management process is to:
19. The metric for measuring the effectiveness of antivirus software is primarily relevant to:
C. The IT managers
Summary
In this chapter, you obtained an overview of information security program development. This chapter
will help CISM candidates understand the methods, tools, and techniques important for developing
an effective and efficient security program. This chapter will also help the CISM candidate define an
information security program roadmap.
The next chapter will cover the management of an information security program.
Revision Questions
1. What is the most important factor to determine the appropriate levels of information asset protection?
C. Classification of assets
D. Valuation of assets
C. To determine IT capability
5. What is the most important factor in achieving proportionality in the protection of information assets?
A. Classification of assets
B. A vulnerability assessment
C. Change management
D. Security architecture
Documentation
Security Budget
Privacy Laws
Cloud Computing
Countermeasures
Countermeasures are a type of control implemented to address specific threats. They can be either
technical or non-technical. While the objective of general controls is to protect information assets
from all threats, countermeasures are put in place in response to specific threats. Countermeasures are
generally expensive and are implemented only when existing general controls cannot mitigate
specific threats. The following are some common examples of countermeasures:
Certain operating system commands can be disabled to address specific types of ransomware attacks.
Filtering all incoming emails may not be practical and will be expensive. In such a scenario, a countermeasure could be filtering
emails from known spammers.
It may not be possible to restrict mobile phones on an organization's premises. In such a scenario, a countermeasure could be
using cell phone jammers in sensitive areas.
Countermeasures can also be non-technical, such as incentives offered for providing information with respect to a specific attack.
Arranging specific security training sessions for employees who failed in a phishing exercise.
ITACs are designed specifically for an application. Examples of ITACs include transaction-
processing controls, user access controls, and other application-specific controls.
A security manager must ensure the appropriate deployment of ITGCs and ITACs in such a way that
they both complement each other and do not overlap. Limitations of ITGCs should be addressed by
ITACs and vice versa. When general controls are weak, more emphasis should be placed on
application-level controls.
Control Categories
A security manager should evaluate the organization's current control environment to determine the
effectiveness, efficiency, and adequacy of the controls implemented. For effective control
management, the security manager should determine the following:
Whether controls are adequate
The security manager should also be aware of the following control categories:
Preventive: The objective is to prevent an incident from occurring. Examples include locked doors, user authentication, and encryption.
Detective: The objective is to detect an incident after it has occurred. Examples include auditing, IDSs, CCTV cameras, and checksums.
Directive: The objective is to mandate behaviors by specifying dos and don'ts, for example, an acceptable usage policy (AUP).
Compensating: The objective is to address the absence of controls or weak controls within a particular domain. An example is a weak physical control being compensated by stringent logical access control.
The safety of human life is always considered first. For example, even if a data center holds highly
confidential data, a failure of its physical access controls must not cause the exit doors to fail closed
and prevent employees from leaving during an emergency. Entry controls may fail closed, but egress
must fail safe.
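The failure mode of a control is a design decision that has to be made per control, not a property that falls out of the implementation: a logical access decision should fail closed so an outage never exposes data, while a data center exit must fail open so a control failure never traps people. The following is an added example, not code from the CISM guide: the policy store, door controller and entitlement table are hypothetical stand-ins, and the sample users are constructed.

```python
"""Explicit failure modes for controls: fail closed vs fail open.

Added example, not from the CISM guide. The entitlement store, the
'backend_up' flag standing in for a policy-store or door-controller
outage, and the sample users are hypothetical.
"""
from enum import Enum


class FailureMode(Enum):
    CLOSED = "closed"  # on error, deny: protects confidentiality/integrity
    OPEN = "open"      # on error, allow: protects availability/safety


class BackendUnavailable(Exception):
    """The decision point cannot reach its policy source."""


# Constructed entitlement store; a real system would query IAM.
ENTITLEMENTS = {"alice": {"payroll-db", "dc-entry"}, "bob": set()}


def authorize(user, resource, backend_up=True):
    """Policy decision for a named resource. Raises if the store is down."""
    if not backend_up:
        raise BackendUnavailable("policy store unreachable")
    return resource in ENTITLEMENTS.get(user, set())


def enforce(decision, failure_mode, **kwargs):
    """Run a control decision and apply its configured failure mode.

    Returns (allowed, reason) so every fail-open or fail-closed outcome
    is logged with the cause rather than looking like a normal decision.
    """
    try:
        return decision(**kwargs), "policy decision"
    except BackendUnavailable as exc:
        if failure_mode is FailureMode.OPEN:
            return True, f"fail open: {exc}"
        return False, f"fail closed: {exc}"


def logical_access(user, resource, backend_up=True):
    """Application/database access fails closed: an outage must not
    expose confidential data."""
    return enforce(authorize, FailureMode.CLOSED,
                   user=user, resource=resource, backend_up=backend_up)


def entry_door(user, backend_up=True):
    """Entry into the data center fails closed."""
    return enforce(authorize, FailureMode.CLOSED,
                   user=user, resource="dc-entry", backend_up=backend_up)


def egress_door(user, backend_up=True):
    """Exit from the data center fails open (unlocked): a control failure
    must never prevent someone from leaving during an emergency."""
    def exit_allowed(user, backend_up):
        if not backend_up:
            raise BackendUnavailable("door controller offline")
        return True  # anyone already inside may always leave
    return enforce(exit_allowed, FailureMode.OPEN,
                   user=user, backend_up=backend_up)


if __name__ == "__main__":
    print("alice payroll, store down:", logical_access("alice", "payroll-db", backend_up=False))
    print("bob entry, controller down:", entry_door("bob", backend_up=False))
    print("bob exit, controller down: ", egress_door("bob", backend_up=False))
```

The two door functions share the same controller outage but answer differently, which is the whole point: the failure mode is chosen by what the control protects (confidentiality for entry, human safety for egress), and that choice is written down in code rather than left to whatever the library happens to do on an exception.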
Continuous Monitoring
Continuous monitoring is the process of monitoring compliance on an ongoing basis. The prime
objective of continuous monitoring is to provide immediate feedback about the performance of
servers, networks, and cloud environments. This helps to enhance operational, security, and business
performance.
A security manager should understand that implementing continuous monitoring is expensive. The
use of continuous monitoring may not always be feasible or practical, so it should only be used in
areas with the highest risk levels. Continuous monitoring is best deployed in areas where incidents
may happen frequently and/or have a high impact.
Question: Who is required to perform the day-to-day duties that ensure the protection and integrity of data?
Possible Answer: The data custodian (generally the system administrator)
Question: What is the risk of "fail open" in the case of a control failure?
Possible Answer: Confidentiality and integrity may be compromised.
Question: What is the risk of "fail closed" in the case of a control failure?
Possible Answer: Availability and safety may be compromised.
Question: What is the most important activity in the development of an information security program?
Possible Answer: Control design and deployment
Question: In which situations is continuous monitoring more cost effective?
Possible Answer: Situations where risk is high, that is, where incidents may have a high impact and frequency
NOTE
The answers and explanations for all practice and revision questions for this chapter can be found via this link.
B. To detect vulnerabilities
C. To mitigate impact
2. Who is responsible for performing routine duties required to ensure the protection of information?
B. End users
3. As an information security manager, you are required to identify and remove backdoors from a newly launched application. What
is the most effective method for this?
A. An internal audit
B. Penetration testing
D. Antivirus software
4. What is the most effective deterrent control against employees misusing their privileges?
A. An internal audit
D. Two-factor authentication
7. A security manager is involved in the development of a system. In which phase should they finalize the access control and
encryption algorithm?
8. What is the most effective method of removing data from tape media that is to be reused?
A. Multiple overwriting
NOTE
Some modern media (such as hard disks and tape drives) may not be reused if degaussing overwrites the servo
pattern of the device.
9. Which of the following is an area of concern for implementing native database auditing?
10. Enabling database audit log functions will result in a risk of:
A. Degradation of performance
D. Configuration issues
B. A system administrator should conduct an audit of their own activity on a monthly basis.
14. Which risk will be applicable to a control that fails closed (secured)?
A. A risk to confidentiality
C. A risk to integrity
D. A risk to availability
15. Which of the following primarily determines how a control is being implemented?
B. Measuring capabilities
C. Training capabilities
D. Failure modes
16. An organization is using an electronic data interchange (EDI) system to get orders from its distributors. What is the most
effective way to ensure the authenticity of the orders received?
B. To conduct a reasonableness check for all orders received from the distributor
D. To verify the sender's identity and determine whether orders are in accordance with the contract terms
B. To reduce vulnerability
19. What is the most important activity in the development of an information security program?
A. In areas where incidents may have a high impact and high frequency
B. In areas where incidents may have a low impact and high frequency
It helps to establish a uniform process of system hardening for similar types of systems.
Industry-specific requirements
Although the preceding references provide the necessary information for developing a security
baseline, the security manager should also consider the needs and priorities of the organization.
Key Aspects from the CISM Exam Perspective
The following are some key aspects from the exam perspective:
C. It helps to define the minimum acceptable security required across the organization
2. What is the most effective way to make sure that each application is complying with the organization's information security
requirements?
A. Guidelines
B. Policies
C. A baseline
D. Procedures
5. What is the most effective method to handle regulatory and legal requirements in a multinational organization with operations in
different countries?
B. To prepare baseline requirements for all locations and add location-wise supplementary standards as per the local
requirements
A security manager should consider the following aspects of security awareness training and
education:
The most effective way to increase the effectiveness of training is to customize it as per the target audience and address the
systems and procedures applicable to that particular group. For example, a system developer needs to undergo an enhanced level
of training that covers secure coding aspects, while data entry operators should only be trained on security aspects related to their
functions.
To address common user security concerns, a security awareness program should concentrate on password selection, acceptable
use of information resources, social engineering attacks, email safety, web browser safety, and so on.
For new joiners, a security awareness program should be part of the orientation program. It must be ensured that users have been
trained on the acceptable usage of information resources before any system or data access is provided. Security awareness training
and education is a continuous activity and should start from the point of joining the organization.
The following are some of the common mechanisms used for raising security awareness:
Awareness raised through different media, such as the intranet, newsletters, posters, and login banners
The security manager should design some quantitative evaluation criteria to determine the effectiveness of security training and
user comprehension, for example, quizzes or other types of assessments. One such metric could be the number of incidents
reported. Such incident reporting indicates the awareness level of the staff. An increase in incident reporting indicates that the
staff is paying more attention to security.
Security awareness training and education play an important role in changing an organization's culture toward security
consciousness. However, a security manager should understand that this is a gradual process and employees should be trained at
frequent intervals.
A security program should be launched through a top-down approach. A top-down approach means that commitment to the
success of security awareness should be seen from the senior management level. Support from senior management will ensure
enough resources are provided for the success of the program.
A security manager can obtain support from influential people within the organization to promote security awareness. Influential
people in the organization are employees with substantial authority and who have a greater interest in promoting the security
culture. They act as ambassadors for the security culture within their department and can bring significant change to the
organization's security culture.
Question: What is the most important success factor to design an effective IT security awareness program?
Possible answer: The customization of content as per the target audience
Question: When should security awareness training be provided to new employees?
Possible answer: Before they have access to any system or data
Question: For which group of employees is ethics training primarily organized?
Possible answer: Employees involved in monitoring user activity
2. As an information security manager, you are required to improve the effectiveness of the security training program. The most
effective method for this is:
3. What is the most effective way to improve an organization's culture in terms of security consciousness?
C. What employees should or should not do in the context of their job responsibilities
5. The most effective method to make the end user aware of their security responsibility at regular intervals is:
6. The best time to provide security awareness training to a new employee is:
9. As an information security manager, you have been asked to select a third-party consultant for conducting a maturity assessment
of your organization's information security program. What should the primary consideration for the selection of the consultant be?
10. The best method to improve the effectiveness of a security awareness program is:
C. A top-down approach
11. The security awareness of employees can best be provided in a cost-effective manner by:
12. The deployment of security awareness and training materials for relevant users is the responsibility of:
14. A security awareness program for new staff with general operational duties generally includes:
15. What is the most effective method to improve security awareness among employees?
16. What is the most effective method to improve the effectiveness of an information security program?
18. What is the prime objective of an information security awareness and training program?
B. Calling back the branch number listed in the office phone directory
C. Asking some business questions and if found genuine, providing the relevant information
D. Asking the caller to pass on the phone to their superior to validate the caller
20. The most important reason security awareness training is to be imparted at regular intervals is to address the change in:
B. Information technology
C. Compliance requirements
CISM aspirants should be aware of the following terms with respect to outsourcing:
Insourced: Activities performed by the organization's own staff
Hybrid: Activities performed jointly by staff from both the organization and the vendor
Offsite: Staff working from remote locations in the same geographical area
Roles that require specific expertise, procedures, and key resources that cannot be replicated externally or anywhere else
The organization has sufficient experience in managing third parties working on its behalf.
2. Define a service-level agreement (SLA): Defining an SLA is a very important aspect of outsourcing. SLAs should be approved
by the legal, risk management, and compliance teams.
3. Determine the cost: Here, you need to determine the cost of outsourcing.
4. Conduct due diligence: Due diligence includes verifying the profile of the service provider, their market credibility, their
financial stability, their capability to serve on a long-term basis, and other relevant details.
5. Confirm contractual or regulatory requirements for outsourcing: It is of utmost importance to determine any regulatory and
contractual requirements when outsourcing any activity.
Once the contract is signed, the security manager should ensure that continuous vendor monitoring
processes and metrics are developed and implemented. This control will help identify and address
areas of concern.
Confidentiality, integrity, and availability (CIA) requirements for resources, systems, and data
A right-to-audit clause
To review documented procedures and outcomes of the outsourcer's quality assurance programs
Periodic checks to ensure that the processes and procedures comply with the organization's quality standards
Service-Level Agreements
The most important contractual element when contracting with an outsourcer to provide a service is
the SLA. The SLA defines the level of service expected from a service provider and apart from the
operational parameters, it also includes security-related clauses such as adherence to security
requirements, penalty clauses, indemnity clauses, and right-to-audit clauses.
The security manager can enforce security requirements only if the contract mandates compliance
with the information security policy. An SLA ensures that the service provider is contractually
obliged to comply with the requirements of the service receiver. This protects both organizations.
Right-to-Audit Clause
A right-to-audit clause in a contract is essential to ensure contract compliance. The absence of a
right-to-audit clause would prevent the organization from determining the security arrangement of
the service provider. Furthermore, the organization would not have any assurance about contractual
and legal compliance from the service provider.
Periodic auditing is the most effective method to ensure that the service provider is complying with
the security requirements of the service receiver. The SLA should include clauses with respect to the
right to audit the systems and processes of the service provider. The service provider may not allow
the service receiver to audit them directly. In such cases, there should be a provision to assess
compliance by an independent auditor. If such a provision is not included in the agreement, then the
service receiver has no way to ensure compliance or proper handling of their data.
Security managers need to ensure that applicable privacy laws are adhered to before sharing
personally identifiable data with a third-party service provider.
Subcontracting/Fourth Party
Subcontracting is a term used when a service provider also outsources the task to another entity.
The SLA should specifically restrict subcontracting to a fourth party. If subcontracting is allowed
considering the business requirements, the security manager should consider its risks. In cases of
subcontracting, the service receivers generally do not have control over the fourth party. The
subcontracting process must be thoroughly reviewed when it involves sharing critical data.
Compliance Responsibility
The service receiver retains the responsibility for ensuring compliance with regulatory requirements.
The service receiver is deemed to be the owner of the data and responsible for its safe custody. If the
service provider fails to safeguard the data, the authorities will generally hold the service receiver
responsible for non-compliance and take appropriate action, including penalties.
Question: What is the primary concern about outsourcing to offshore locations?
Possible answer: Privacy laws and regulatory requirements
Question: What is the best way to determine whether the terms of the contract are adhered to in accordance with the SLA?
Possible answer: Independent audit
Question: What is the primary requirement for the development of software from a vendor?
Possible answer: Escrow arrangements for the source code
Question: What is the best way to ensure the ongoing security of outsourced IT services?
Possible answer: To conduct regular security audits and reviews of the third-party provider
Question: What is the most important reason for a security manager to review the outsourcing contract?
Possible answer: To help ensure that appropriate controls are included
Question: At what point should information security become involved in the vendor management process?
Possible answer: At the initial stage when requirements are being established
Question: What should the next step of a security manager be, once the contract with the service provider is effective?
Possible answer: To establish the processes and metrics for monitoring the service provider
Question: What should the first step be when making a decision to allow access to a new external party?
Possible answer: To conduct a risk assessment
Question: What is the most effective method to ensure that no backdoor code is implemented when an application is developed by a third party?
Possible answer: To conduct security code reviews for the entire application
A. A penalty clause
B. An indemnity clause
D. A right-to-terminate clause
2. The information security policy of an organization requires independent assessment for all third parties associated with the
organization. In the contract, the security manager should ensure the inclusion of:
A. A right-to-audit clause
B. An indemnity clause
3. As an information security manager, you are reviewing your organization's relationship with some third-party service providers.
Your most important consideration should be:
C. Whether the service provider is contractually obliged to follow all relevant security requirements.
4. What is the most effective method to ensure an ongoing security arrangement with a third-party service provider?
A. Conducting continuous security awareness programs for the employees of the third-party service provider
5. Which of the following should be included in an SLA to ensure that the confidentiality requirement is complied with by the third-
party service provider?
C. An authentication mechanism
6. What is the most important aspect a security manager should consider while entering into an agreement with a third-party service
provider?
C. The contract should mandate that the service provider complies with the organization's security requirements
D. The contract should mandate that the service provider conducts regular security audits
7. A third-party service provider is handling sensitive customer data. The security manager is most likely to be interested in:
8. An organization shares critical data with a third-party service provider for processing. The security manager should primarily
ensure that the data classification requirements of the organization are:
10. Before executing the contract, it should be reviewed by the information security manager to:
11. An organization is unable to convince one of its major trading partners to comply with its own security requirements. What is the
best course of action for the security manager?
A. Ask the trading partner to sign a legal agreement to own all liability for any breach
C. Implement a firewall to restrict network traffic from the trading partner's location
12. The most important factor before outsourcing customer relationship management to a third-party service provider is:
13. From a security perspective, the most important aspect that needs to be negotiated with a third-party service provider is:
B. The right to carry out background verification of the third party's employees
C. The right to encrypt the data transmission between the organization and the service provider
16. From a security perspective, the most important aspect of outsourcing a critical process to a third-party service provider is:
17. A request for proposal (RFP) for the selection of a third-party service provider is to be issued:
18. What should the next step of the information security manager be after the contract has been signed with a third-party service
provider for IT support services?
19. When sensitive data is stored at a third-party location, the security manager will require:
A. Assurances that the third party will comply with the requirements of the contract
20. Which of the following is the area of most concern for a security manager when payroll processes are outsourced to a third-party
service provider?
Documentation
Structured documentation regarding risk management policies, standards, registers, and other
relevant processes is of utmost importance for the effective management of risk. The need and
process for documentation should be defined in the risk management policy, strategy, and program.
Generally, the following aspects of risk management processes should be documented:
Risk register: A risk register should include details such as the following:
Risk owners
Risk score
Asset inventory: An asset inventory should include details such as the following:
A description of assets
Asset owners
Asset classifications
Risk mitigation and action plan: It should include details such as the following:
The results of the monitoring process, such as audit reports and security review reports
All the documents should include the appropriate version control, classification level, document
owner and approver, revision date, and number.
Though the process of documentation is not easily adopted by end users, the security manager needs
to gradually develop a culture for this.
Figure 6.8: Documentation
After establishing the objectives, key goal indicators (KGIs) to reflect these objectives should be
developed. After developing the KGIs, the next step is to determine the current state of security. The
current state is compared with the established objectives and any gaps identified are addressed to
improve the security processes.
Question: What is the best method to evaluate the return on security investment?
Possible answer: By determining the extent of support to business objectives
Question: What is the most important step before implementing a security policy?
Possible answer: Obtaining sign-off from all stakeholders
C. Technology advancement
D. User awareness
A. Industry-recognized practices
B. Organizational needs
D. Legal requirements
Security Budget
Budgeting plays a significant role in the effective implementation of an information security
program. The availability of adequate security personnel and other security resources is dependent on
the security budget. An information security manager should be familiar with the budgeting process
and methods used by the organization.
Primarily, the security budget is derived from and supported by the information security strategy.
Before seeking approval for the budget, the security manager should ensure that senior management
has approved the strategy and that there is consensus from the other business units. This is a key
element in a successful budget proposal.
Apart from routine expenditure, the budget should also consider unanticipated costs. Generally, in the
area of incident response, it is difficult to predict expenditure. A security manager may need to obtain
external services to support the incident response processes where the organization does not have the
necessary skills or bandwidth. The best approach to budgeting for this kind of situation is to use
historical data on incidents and any related expenditure. If this information is not available, a
security manager may rely on statistics from a peer organization to arrive at a reasonable budget.
Adequate funding for information security is the biggest challenge for a security manager. When
funds are inadequate, the best option is to allocate those resources that are available to the areas of
highest risk and, at the same time, to educate management about the potential impact of
underfunding.
Question: What is the primary basis for the prioritization of security spending and budgeting?
Possible answer: Level of risk
3. As an information security manager, you should prioritize the security budget primarily on the basis of:
B. Incident trends
D. Industry benchmarking
A security program should be aligned with the programs of other assurance functions to ensure that
roles and responsibilities are not overlapping and at the same time that there are adequate controls to
protect the information assets of the organization.
The information security manager is required to be well versed in major security frameworks and
international standards such as ISO 27001 and COBIT and should be able to implement these as per
the requirements of the organization. A framework is generally dependent on the structure, culture,
and business objectives of the organization.
The most effective way for an information security manager to perform their responsibilities is to act
as a facilitator or consultant to help address any issues that impact the business objectives. They
should be able to understand the impact of security on the organization's performance level. There is
no use in implementing heavy security if it degrades performance drastically. A security manager is
required to resolve competing objectives between security and performance. As a facilitator and
consultant, the security manager is likely to achieve support from senior management, which
improves the effectiveness of the security program.
Clear and documented details of roles, responsibilities, and accountability are necessary to ensure the
effective implementation of an information security program.
Role-based access control is very important from a security perspective. An individual is assigned
different types of access on the basis of their role. This helps ensure that various accesses are
provided on a need-to-know basis only.
External Resources
Many organizations obtain external resources (both external staff and outsourced resources) to help
manage their information security program. It is of utmost importance to conduct a cost-benefit
analysis before appointing any external resources. External resources are generally preferred where
skill is required for a short time or for specific projects.
Security managers need to ensure that an AUP is made available to all end users and that it is read
and understood. An AUP generally includes information about access controls, information
classification, document handling, incident reporting procedures, and other requirements related to
end users. An AUP provides the general security baseline for the entire organization.
Documentation
The documentation of security policies and procedures helps to ensure that security procedures are
repeatable and sustainable. A security manager is required to provide oversight over the creation and
maintenance of security-related documentation. For better handling of documents, it is recommended
to assign an owner for each document. The document owner is responsible for updating the
documents as per the defined procedures of approval and review. The document owner is also
responsible for safeguarding the document in accordance with its classification level.
A defined process should be in place for the creation, approval, change, maintenance, distribution,
and expiration of the document. Each document should have the appropriate classification and
labeling to ensure that it is handled and distributed in a secure manner.
Also, document version control is an important element to ensure the integrity of the document and
that all recipients are using the current documentation.
Project Management
A security manager should ensure that security-related projects are appropriately managed in
accordance with the generally accepted project management techniques. Each major project should
have defined goals, completion timelines, processes for measuring the progress and adherence to
budget, assigned responsibilities, and other elements of project management. This will increase the
effectiveness of all security-related projects.
In the case of a large organization with multiple projects, the security manager should have a
documented portfolio of the projects so they can determine the progress of each project. A project's
portfolio will help to determine the priorities for each project and ensure that projects do not overlap,
resources are appropriately allocated, and progress is continuously monitored.
Program Budgeting
Budgeting plays a significant role in the effective implementation of an information security
program. The availability of adequate security personnel and other security resources is dependent on
the security budget. An information security manager should be familiar with the budgeting process
and methods used by the organization.
Primarily, the security budget is derived from and supported by the information security strategy.
Before seeking approval for the budget, the security manager should ensure that senior management
has approved the strategy and other business units have a consensus on it as well. This is a key
element of a successful budget proposal.
Apart from routine expenditure, the budget should also consider unanticipated costs. Generally, in the
area of incident response, it is difficult to predict expenditure. A security manager may need to obtain
external services to support the incident response processes where the organization does not have the
necessary skills or bandwidth. The best approach to budgeting for this kind of situation is to use the
historical data on incidents and the related expenditure. If this information is not available, the
security manager may rely on statistics from a peer organization to arrive at a reasonable budget.
Adequate funding for information security is the biggest challenge for a security manager. When
funds are inadequate, the best option is to allocate the available resources to areas of highest risk and
at the same time educate management about the potential impact of underfunding.
Check: Monitor the progress of the program and determine the areas of improvement. This requires the development of various
metrics that indicate the progress or otherwise of the program.
Act: Take action and address the risks and other irregularities identified by the monitoring processes.
The TQM approach helps in the effective and efficient management of security processes with
continuous improvement.
Security Operations
A security manager should consider the following aspects of security operations to improve the
effectiveness and efficiency of an information security program:
A security manager should ensure that the security monitoring processes, such as scanning, testing, and auditing, do not interrupt
any running production process.
Patches need to be applied as and when important updates are released after being tested. The patch management process should
include the appropriate process for testing and approvals.
It is highly recommended to update the antivirus signature files daily. New attack patterns appear almost daily, and if
signature files are not updated at the same pace, an organization is exposed to new types of attacks. The effectiveness of antivirus
software primarily depends on the virus signatures stored in definition files.
The most effective way to verify that all critical systems are utilizing up-to-date virus signature files
is to check sample systems and ensure that the signature files installed are the latest ones.
For antivirus software to be effective, it must be easy to maintain and must be updated frequently to
address new viruses.
A security manager should take adequate steps to protect the wireless network. Strong encryption is the most effective method to
secure a wireless network as a point of entry into a corporate network.
The implementation of monitoring products such as firewalls, IDSs, and antivirus may slow down the performance of the systems
and networks. It can have a major impact on system overheads for servers and networks.
Overhead refers to excess or indirect utilization of computation time, memory, bandwidth, and other resources. A security
manager should consider this aspect when evaluating products to monitor security across the organization. The monitoring
product should support the business processes and should not become a cause for unnecessary interruption.
The most important element for the success of an information security program is support and commitment from senior
management. If senior management is committed to robust information security for the organization, there will be no constraint on
security budgets and resources.
Thus, security operations should support the business operations in the most effective and efficient
manner.
Question: What does the effectiveness of virus detection software most depend on?
Possible answer: Virus definition files (signature files)
Question: What is the best way to prevent an accidental system shutdown from the console or operations area?
Possible answer: To use protective switch covers
Question: Who should be a part of the information security steering committee?
Possible answer: Senior management from different departments, such as IT, HR, business, and marketing
Question: What is the main reason for obtaining external resources to execute an information security program?
Possible answer: External resources are a cost-effective alternative to getting expertise that is not available internally
Question: What is the most effective method to ensure the protection of data upon the termination of employment?
Possible answer: To ensure that all logical access of the terminated employee is removed
Question: What is the most important reason for formally documenting security procedures?
Possible answer: For ensuring that processes are repeatable and sustainable
Question: When should the risk assessment of a new project be carried out?
Possible answer: Throughout the project's life cycle
2. Which of the following authorities can best ensure the effectiveness of an information security program?
3. As an information security manager, you should ensure that antivirus signature files are updated:
A. On a daily basis
B. On a weekly basis
A. Operating systems
B. Updated patches
C. Application upgrades
D. Definition files
5. Which of the following is the most important criterion for the selection of antivirus software?
6. The best way to reduce the risk of an accidental system shutdown through the power button is to:
C. Board members
8. The most important consideration for implementing a system monitoring device is:
A. Product documentation
B. Ease of configuration
D. System overheads
9. An organization is using a digital certificate along with a secure socket layer to authenticate a web server. The organization is still
vulnerable to:
A. IP spoofing
B. A man-in-the-middle attack
C. Repudiation
D. A Trojan program
10. The most effective way to ensure compliance with an information security policy is to:
11. The main advantage of using an external resource for managing an information security program is that:
B. It is the most effective way to delegate responsibility for maintaining a security program.
12. A server containing the accounting database is maintained by a database administrator. Who should determine the appropriate
level of classification?
A. Database administrator
B. Finance department
C. Security department
D. IT department
13. A particular module is accessible to all the members of the development team. The module is used to test the business data. From
the security perspective, which of the following is the best option?
14. The involvement of the following group is very important in the design of security processes to make them accurate and
functional:
A. Audit management
B. Compliance management
C. Operational units
D. Legal management
15. Which of the following roles should not be given the right to update the database access control list to ensure proper segregation
of duties?
16. As a business requirement, an application programmer requires access to production data. What is the best way to ensure that the
production data is used for authorized purposes only?
B. Log all of the application programmer's activity for a review by their manager.
17. The most important step upon the termination of employment is:
19. The process document for use of cryptography should primarily include:
Privacy Laws
Privacy is the right of an individual to demand the utmost care of their personal information that has
been shared with any organization or individual. Individuals can demand the use of their information
to be appropriate, legal, and only for the specific purpose for which the information was provided.
ISACA describes several privacy principles that can be considered as a framework for privacy audits.
The following are some of the privacy principles:
Organizations should obtain appropriate consent before the transfer of personal information to another jurisdiction.
Organizations should specify the purposes for which personal information is being collected.
Organizations should have appropriate security safeguards for protecting personal information.
Organizations should have an appropriate process for reporting compliance with privacy policies, standards, and laws.
Organizations should have appropriate governance mechanisms over any third-party service providers processing privacy data on
behalf of the organization.
Organizations should comply with the applicable data protection regulations for the transfer of personal information across
country borders.
C. A notification about what the company will do with the information it collects
Cloud Computing
Cloud computing is the process of utilizing servers hosted on the internet for storing and processing
data instead of on a personal computer or a local server. Cloud computing enables users to access
computer resources through the internet from any location without worrying about the physical
availability of the resources. The following are some characteristics of cloud computing:
It provides the capability for organizations to access data or applications from anywhere, anytime, and on almost any device.
It provides the capability for organizations to scale their IT resources as per the business requirements at the optimum cost.
It provides the capability to monitor, control, and report the usage of resources.
Resources such as storage, processing power, memory, network bandwidth, and virtual machines
(VMs) can be used through cloud computing.
It is very important to consider the following requirements for the use of the public cloud:
Legal and regulatory compliance (such as data localization)
Backup
Right to audit
Security requirements
In this type of cloud service, services such as storing data, processing capability, memory, and network resources are
provided to the user as per their requirements.
This helps the user utilize computing resources without having to own or manage their own resources.
The end users or IT architects use VMs as per their requirements. A VM is a resource that uses software instead of a
physical computer to run programs and deploy apps.
The user is not required to maintain or manage any physical servers as these are managed by the service provider.
Some examples of infrastructure service providers are Google Compute Engine, Amazon Web Services (AWS), and
OpenStack.
With the help of SaaS, an end user can access an application through the internet.
Instead of local storage and processing, the application is hosted on a cloud managed by a third-party service provider.
The application development platform and supporting infrastructure are not required to be maintained or controlled by
users.
For example, without installing Office software, you can create a Word document in Google Docs online, or edit a
photo on Pixlr.com without installing any editing software.
In PaaS, users can develop and deploy an application on a development platform made available by the service
provider.
In the traditional method, an application or piece of software is developed on local machines and hosted on a local
server.
For example, applications such as Google App Engine and Microsoft Azure Compute provide tools to develop
applications.
Ensure compliance with privacy laws that restrict the movement of personal data to offshore locations
Evaluate the business continuity and disaster recovery plan of the cloud service provider
Evaluate implemented controls for safeguarding the CIA triad regarding data
Ensure that the SLA includes clauses with respect to ownership and custody of the data and security administration of cloud-
related services
Question: What is the benefit of cloud computing compared to local hosting?
Possible answer: The ability to expand storage and bandwidth on demand
A. Verify the service provider's physical security policy and make sure that it is aligned with the organization's security
policy
B. Verify a copy of independent security reviews or audit reports for the cloud service provider
C. Bind the service provider through a contract to align with the organization's security policy
D. Verify the service provider's disaster recovery plans and make sure that they include the necessary arrangements to
protect the organization's assets
2. As an information security manager, you are reviewing an SLA with a cloud service provider. The area of major focus for you is
that:
A. The contract should specify that upon contract expiration, a mandatory data wipe will be carried out in the presence of
a representative from the enterprise.
D. The contract should restrict the movement of data within the territory allowed as per the relevant law or regulation
3. As an information security manager, you are reviewing a service level agreement with a cloud service provider. The area of major
focus for you is:
A. Clarity with respect to data ownership, data custody, and intellectual property rights (IPR)-related requirements
4. As an information security manager, you are required to evaluate the arrangement of a cloud service provider. You should be
majorly concerned about:
5. As an information security manager, you are reviewing an SLA with a cloud service provider. The area of major focus for you is:
A. Physical security
6. As an information security manager, you need to deploy a cloud application in a way that will be very secure with very little
chance of data leakage. You should deploy a:
A. Public cloud
B. Private cloud
C. Community cloud
D. Hybrid cloud
7. Which of the following is the main benefit of cloud computing compared to local hosting?
The next chapter will cover information security infrastructure and architecture.
Revision Questions
1. Ethics training is primarily meant for:
A. Inherent risk
B. Residual risk
C. Acceptable risk
D. Business objectives
4. The area of most concern for a security manager when an organization is storing sensitive data with a third-party cloud service
provider is:
5. An organization is planning to provide access to a third-party service provider. Which of the following should be the first step?
B. Risk assessment
C. Determining the level of exposure
6. Which of the following is the most important clause to be included in an SLA for outsourcing an IT support service?
7. The most important consideration for an information security manager when selecting a third-party service provider for a critical
business function is:
A. Whether the service provider agrees with the penalty for non-compliance
D. Whether the service provider meets the organization's security requirements on an ongoing and verifiable basis
8. The most difficult factor to determine while conducting a security review of an offshore service provider is:
A. Technological capability
B. Incompatible culture
C. Network controls
D. Adequate procedures
The other areas can be evaluated and determined during a security review.
9. An organization has renewed its agreement with a third-party service provider every year for the last 5 years without a change in
the agreement clauses. However, it recently received complaints with respect to security lapses by the service providers. Which of
the following actions should be taken FIRST by the information security manager?
A. Ensure that the security requirements included in the service agreement meet the current business requirements
B. Determine whether the service provider complies with the service agreement
10. To address the resolution of an operational issue, the most important aspect to be included in an SLA is:
A. An escalation matrix
B. A documented process
B. Whether the service provider's security architecture meets the organization's requirements
12. An application has been developed by a third-party service provider. The most effective method to ensure that no backdoor code is
implemented is:
13. A security manager notes that employees of the marketing department are sending some critical customer data through email.
What should they do first?
A. Discuss the finding with the marketing manager to evaluate the risk and impact
C. Report the finding to the incident management team for further investigation
14. A security manager has obtained commitment and approval from senior management for the establishment of an information
security program. What should their next step be?
15. A security manager is creating security procedures for the entire organization. Which department should be given priority to write
the procedure?
C. The HR department
16. The best method to address the risk of sending confidential information in email attachments is:
Architecture Implementation
Access Control
Biometrics
Factors of Authentication
Wireless Networks
A structured architecture provides the framework to manage a complex environment. As the size and
complexity of the organization grow, a well-defined architecture helps the security manager to
monitor and control the security aspects. Architecture provides the framework within which many
large projects can be managed effectively and efficiently.
In the absence of a well-designed architecture, there can be a lack of integration, haphazard project
management, and other weaknesses and vulnerabilities in the security environment. Enterprise
information security architecture (EISA) was developed as a part of the overall enterprise IT
system design. The following are some of the objectives of EISA:
To manage security processes and performance
A security practitioner should ensure that these objectives are achieved to improve the effectiveness
of the information security architecture.
Question: For best results, the security architecture should be aligned with:
Possible answer: Business objectives and goals
Question: What is the best method for the effective integration of different components of the information security infrastructure?
Possible answer: To develop a security architecture
NOTE
The answers and explanations for all practice and revision questions for this chapter can be found via this link.
A. Industry-accepted frameworks
3. What is the best method to integrate different components of information security infrastructure?
B. Developing an architecture
Architecture Implementation
A security manager should consider the following aspects while implementing the architecture:
Termination process: An effective termination process is one of the most important aspects of the information security process.
Terminated employees can misuse their credentials for unauthorized activity. Hence, the termination process should ensure timely
revocation of all access as soon as an individual is terminated or otherwise ceases to be in employment.
Security rules: A security manager should ensure that rules related to security tools, such as firewalls, IDS, antimalware software,
and security information and event management (SIEM), are reviewed at periodic intervals. Rules should be simple and
easy to implement. It is difficult to manage an excessive number of rules, and there is a chance that a particular rule may conflict
with another, which may lead to security vulnerabilities. Furthermore, it becomes difficult to test complex security rules and
architecture.
Phishing: Phishing is a social engineering attack with the objective of obtaining user data in an unauthorized manner. In a
phishing attack, an attacker acts as a trusted entity and tries to lure the victim to part with confidential information. The best
method to address the risk of phishing is to conduct periodic awareness training for users. Educating users will help to address the
risk of visits to untrusted websites or email links.
Steganographic techniques: In a steganographic technique, secret data is hidden in an ordinary file or image to avoid detection.
An ordinary file or image is sent to the recipient along with secret data. For highly confidential data, an organization generally
uses this technique to protect the data from any third party. The advantage of sending messages using the steganographic
technique compared to encryption is that in the case of the steganographic technique, the existence of the message itself is
unknown.
Middleware: Middleware is software that acts as a link between operating systems and applications. It can provide additional
services to applications that are not provided by the operating system. Some examples of functions handled by middleware
software are data management, application services, messaging, and authentication. A major risk associated with middleware is
that data integrity may be adversely affected if the middleware gets corrupted.
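The point about security rules above, that one rule can silently override another, can be checked mechanically. The following is an added example, not code from the book: a constructed first-match firewall rule base and a small analyzer that reports a later rule whose traffic is fully covered by an earlier one (a conflict when the two actions differ, redundancy when they agree).

```python
"""Detect conflicting rules in a first-match firewall rule base.

Added example; the Rule class, the analyzer and the rule base are constructed
for illustration. Each rule matches a protocol, a source network, a
destination network and a destination port range. The first matching rule
wins, as in most packet filters, so a later rule whose traffic is entirely
covered by an earlier rule can never fire. If the two rules disagree on the
action, the later rule is a dead control: the weakness the text warns about.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # CIDR; "0.0.0.0/0" means any
    dst: str      # CIDR
    port_lo: int  # destination port range, inclusive
    port_hi: int


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    proto_ok = outer.proto in ("any", inner.proto)
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    port_ok = outer.port_lo <= inner.port_lo and inner.port_hi <= outer.port_hi
    return proto_ok and src_ok and dst_ok and port_ok


def find_conflicts(rules: list[Rule]) -> list[tuple[str, str, str]]:
    """Return (kind, earlier_rule, later_rule) for every shadowed rule.

    kind is "conflict" when the actions differ (the later rule is a dead
    control) and "redundant" when they agree (harmless clutter, but it makes
    the rule base harder to test and review).
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "conflict" if earlier.action != later.action else "redundant"
                findings.append((kind, earlier.name, later.name))
                break  # the first covering rule is the one that actually fires
    return findings


def first_match(rules: list[Rule], proto: str, src_ip: str, dst_ip: str, port: int):
    """Simulate the filter: return (rule name, action) of the first match,
    or (None, "deny") for the implicit deny at the end of the rule base."""
    for r in rules:
        if (r.proto in ("any", proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(r.dst)
                and r.port_lo <= port <= r.port_hi):
            return r.name, r.action
    return None, "deny"


# Constructed rule base. R2 is the kind of "temporary" broad permit that
# accumulates over time; R3 was added later to block SSH to one server but
# is never reached, so the block the administrator believes exists does not.
RULES = [
    Rule("R1", "permit", "tcp", "10.0.0.0/8", "192.168.10.0/24", 80, 80),
    Rule("R2", "permit", "any", "10.0.0.0/8", "192.168.10.0/24", 1, 65535),
    Rule("R3", "deny", "tcp", "10.1.0.0/16", "192.168.10.5/32", 22, 22),
    Rule("R4", "permit", "tcp", "10.2.0.0/16", "192.168.10.0/24", 443, 443),
    Rule("R5", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", 1, 65535),
]

if __name__ == "__main__":
    for kind, earlier, later in find_conflicts(RULES):
        print(f"{kind}: {later} is shadowed by {earlier}")
    print("SSH 10.1.2.3 -> 192.168.10.5:22 hits", first_match(RULES, "tcp", "10.1.2.3", "192.168.10.5", 22))
```

Running the analyzer after every rule change, and on a periodic review, surfaces dead deny rules before an audit or an incident does.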
Question: What is the most important element of the termination process from the security perspective?
Possible answer: Timely revocation of access rights of the terminated employee
Question: Who is required to ensure that the appropriate level of information security is applied to a business application?
Possible answer: The process owner/the system owner
Question: What is the best method to control a phishing attack?
Possible answer: User awareness training
Question: What are the prime objectives of change management?
Possible answer: To ensure that only authorized changes are carried out
Question: What is the major risk of an excessive number of firewall rules?
Possible answer: One rule may conflict with another rule and create a security weakness.
A. Background verification
C. User monitoring
2. Who is responsible for implementing and maintaining the required level of security for a business application?
4. The best method to protect against the risk of a phishing attack is:
A. System hardening
B. Email filtering
5. Which of the following is the area of most concern for organizational security?
6. The task of eradicating malicious code will become more difficult if:
8. Who will be best able to determine that a new vulnerability has not been introduced during change management?
Access Control
The main objective of the access control process is to ensure that only authorized users are granted
access. To achieve this, it is very important for user activities to be uniquely identifiable for
accountability purposes. The security manager should be aware of the following categories of access
control.
MAC is considered more robust and stringent in terms of information security compared to DAC. To
increase the effectiveness of DAC, it should be aligned in accordance with MAC.
Furthermore, RBAC is considered the most effective method to implement segregation of duties
(SoD). It requires the definition of roles and their corresponding access requirements. Access is
provided on the basis of these roles.
The best method to implement RBAC is to create a matrix of different roles and corresponding work
descriptions.
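The role matrix the text recommends can also carry the segregation-of-duties check. The following is an added example, not code from the book: a constructed accounting scenario in which roles map to work functions, users receive access only through roles, and a list of conflicting function pairs is checked both against each role's own design and against the roles a user holds in combination.

```python
"""Role-based access control as a role/permission matrix with an SoD check.

Added example; the roles, permissions, conflict pairs and users are a
constructed accounting scenario. Users hold roles, never direct grants, so
SoD is evaluated on the permissions a user's roles add up to.
"""
from __future__ import annotations

from itertools import combinations

# Role matrix: each role maps to the work functions (permissions) it needs.
ROLE_MATRIX: dict[str, set[str]] = {
    "ap_clerk":       {"create_vendor", "enter_invoice"},
    "ap_supervisor":  {"approve_payment", "view_ledger"},
    "dba":            {"backup_db", "restore_db"},
    "security_admin": {"update_db_acl", "review_access_log"},
    "auditor":        {"view_ledger", "review_access_log"},
    # Deliberately bad role: bundles two conflicting duties in one role.
    "ap_superuser":   {"create_vendor", "approve_payment", "enter_invoice"},
}

# Pairs of work functions that must never be held by one person.
SOD_CONFLICTS: set[frozenset[str]] = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"update_db_acl", "restore_db"}),
}

USER_ROLES: dict[str, set[str]] = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_supervisor", "auditor"},
    "carol": {"ap_clerk", "ap_supervisor"},   # conflict through role combination
    "dave":  {"dba", "security_admin"},       # conflict through role combination
    "erin":  {"ap_superuser"},                # conflict through a badly designed role
}


def effective_permissions(user: str) -> set[str]:
    """Union of the permissions of every role the user holds."""
    perms: set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_MATRIX[role]
    return perms


def sod_violations(perms: set[str]) -> list[tuple[str, str]]:
    """Conflicting permission pairs present in `perms`, in sorted order."""
    return [(a, b) for a, b in combinations(sorted(perms), 2)
            if frozenset({a, b}) in SOD_CONFLICTS]


def toxic_roles() -> list[str]:
    """Roles whose own permission set already breaks SoD (design errors)."""
    return sorted(r for r, perms in ROLE_MATRIX.items() if sod_violations(perms))


def users_in_violation() -> dict[str, list[tuple[str, str]]]:
    """Detective control: users whose combined roles break SoD."""
    report = {}
    for user in USER_ROLES:
        found = sod_violations(effective_permissions(user))
        if found:
            report[user] = found
    return report


def assign_role(user: str, role: str) -> bool:
    """Preventive control: refuse a role assignment that would give the user
    a conflicting pair of permissions. Returns True if the role was added."""
    proposed = effective_permissions(user) | ROLE_MATRIX[role]
    if sod_violations(proposed):
        return False
    USER_ROLES.setdefault(user, set()).add(role)
    return True


if __name__ == "__main__":
    print("badly designed roles:", toxic_roles())
    for user, pairs in users_in_violation().items():
        print(f"{user}: {pairs}")
```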
Degaussing (Demagnetizing)
The right kind of formatting is critical to ensure that residual data from media cannot be recovered by
an unauthorized person. To the extent possible, the media should be physically destroyed in such a
way that it cannot be reused. However, it may not always be economical to physically destroy all
media. Hence, for these cases, extreme care should be taken for the complete deletion of the data
such that it is not recoverable by any tool or technique. One of these methods is the demagnetization
of media records.
Demagnetization involves gradually increasing the alternating current field from 0 to a maximum
value and back to 0, thereby leaving a very low residue of magnetic induction on the media. This
process of demagnetization is also known as degaussing.
Question: What is the most effective access control for an organization that has a large number of employees with multiple roles?
Possible answer: Role-based access control
Question: What is the best approach for implementing role-based access?
Possible answer: Creating a matrix of work functions
2. What is the most effective method to ensure that temporary staff does not get access to sensitive information?
3. What is the most effective method to prevent users from sharing files with unauthorized users?
4. What is the most effective method to prevent a user from copying files from a computer to a USB drive?
5. What is the most appropriate access control approach for an organization with more than 1,000 employees with multiple
departments and roles?
A. Mandatory access control
8. Which access control is preferable for an organization that has regular job rotation?
A. Rule-based
B. Role-based
C. Discretionary
D. Mandatory
10. To determine whether access controls are appropriately applied for a critical application, the security manager should refer to the:
C. IT security standard
D. Legal requirements
11. The best way to protect the critical data of an organization is by:
A. Performing periodic security awareness sessions
12. Which of the following is a common reason for the introduction of vulnerabilities in security software?
A. Patch updates
C. Upgrades of hardware
13. What is the most effective method of removing data from a tape media that is to be reused?
A. Multiple overwriting
NOTE
Some modern media, such as hard disks and tape drives, may not be reused if degaussing overwrites the servo
pattern of the device.
15. What is the most effective method for the success of a data classification scheme?
16. What is the objective of comparing logical access records with physical attendance records maintained by the security
department?
With the help of VPN technology, remote users and branch offices can connect to the resources and
applications hosted in the private network of the organization. To enable a VPN, a virtual point-to-
point connection is established using dedicated circuits or tunneling protocols.
VPN technology ensures the safeguarding of critical data traveling through the internet.
A VPN is enabled either through IPSec tunnel mode or IPSec transport mode. In IPSec tunnel mode,
an entire packet (including the header) is encrypted, whereas in IPSec transport mode, only the data
portion is encrypted. A VPN uses data encapsulation or tunneling to encrypt the traffic payload for
the secure transmission of the data.
Advantages of a VPN
The following are some of the advantages of a VPN:
A VPN helps organizations expand their corporate network in a cost-efficient manner.
A VPN provides a platform to authorized remote users in terms of a secure and effective way of connecting to corporate networks.
A VPN provides a platform for efficient and effective supply chain management.
In a VDI setup, all processing is done on a host server. Also, data is stored in the host server rather
than on the users' devices. This helps to safeguard the data if an endpoint device is lost or
compromised.
Furthermore, it establishes the segregation of personal and organizational data while using a remote
PC. A user cannot download or copy data from a virtual desktop to their PC. This serves as a control
against unauthorized copies of business data on a user's PC.
2. The most effective way to ensure the confidentiality of data transmitted over the internet is:
C. Routers
D. Two-factor authentication
A. Data diddling
B. Data encapsulation
C. Data hashing
D. Data compression
6. What is the benefit of a virtual desktop infrastructure (VDI) from a security perspective?
B. It helps to segregate personal and organizational data while using a remote computer
Biometrics
Biometric verification is a process through which a person can be uniquely identified and
authenticated by verifying one or more of their biological features. Examples of these biometric
identifiers include palm or hand geometry, fingerprints, retina and iris patterns, voice, and DNA.
High FAR: Here, access control is not rigorous. Biometric matching criteria are set at a low level. Sometimes, even unauthorized
users are accepted.
EER: This is a moderate type of access control. Here, the sensitivity is tuned in such a way that the FRR is equal to the FAR, that
is, neither high false rejection nor high false acceptance.
Thus, for a critical database, a security manager would always prefer a high FRR, that is, biometric
matching criteria being set at a high level.
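The trade-off between FAR and FRR is easiest to see when the matcher's threshold is swept over a score distribution. The following is an added example, not code from the book: constructed match scores for genuine users and impostors, functions that compute FAR and FRR for a given threshold, the EER operating point, and the high-FRR setting a security manager would pick for a critical database.

```python
"""Tuning a biometric matcher: FAR, FRR and the equal error rate (EER).

Added example; the match scores are constructed. A score is the matcher's
similarity between a presented sample and the enrolled template
(0 = no resemblance, 100 = identical), and the system accepts when
score >= threshold. Raising the threshold lowers the false acceptance rate
(FAR, impostors let in) and raises the false rejection rate (FRR, genuine
users turned away); the EER is the threshold at which the two are equal.
"""
from __future__ import annotations

# Constructed scores: genuine users mostly score high and impostors low,
# but the two populations overlap, which is what makes tuning necessary.
GENUINE_SCORES = [92, 88, 95, 79, 85, 97, 81, 74, 90, 86,
                  68, 93, 83, 77, 89, 96, 71, 84, 91, 80]
IMPOSTOR_SCORES = [35, 42, 28, 55, 61, 47, 39, 70, 33, 52,
                   44, 66, 30, 58, 49, 73, 37, 41, 63, 46]


def far(threshold: int, impostor: list[int] = IMPOSTOR_SCORES) -> float:
    """False acceptance rate: share of impostor samples that clear the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: int, genuine: list[int] = GENUINE_SCORES) -> float:
    """False rejection rate: share of genuine samples that fall below it."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_threshold(lo: int = 0, hi: int = 100) -> int:
    """Threshold at which FAR and FRR are closest: the EER operating point.
    Ties are broken toward the lower threshold."""
    return min(range(lo, hi + 1), key=lambda t: (abs(far(t) - frr(t)), t))


def high_security_threshold(max_far: float = 0.0) -> int:
    """Lowest threshold whose FAR does not exceed `max_far`. With max_far=0
    this is the high-FRR setting the text recommends for a critical database:
    every impostor in the sample is rejected, at the cost of rejecting some
    genuine users, who then fall back to a secondary verification."""
    for t in range(0, 101):
        if far(t) <= max_far:
            return t
    return 101  # above every possible score, so FAR is 0 by construction


def operating_points() -> dict[str, tuple[int, float, float]]:
    """(threshold, FAR, FRR) for the three settings described in the text."""
    lenient = 50  # constructed "convenience" setting: high FAR, no rejections
    eer = equal_error_threshold()
    strict = high_security_threshold()
    return {
        "high_FAR": (lenient, far(lenient), frr(lenient)),
        "EER": (eer, far(eer), frr(eer)),
        "high_FRR": (strict, far(strict), frr(strict)),
    }


if __name__ == "__main__":
    for name, (t, fa, fr) in operating_points().items():
        print(f"{name:9s} threshold={t:3d}  FAR={fa:.2f}  FRR={fr:.2f}")
```

Note that the EER is a property of the matcher and the population, not a setting to deploy blindly; the threshold actually chosen should follow from how costly a false acceptance is for the asset being protected.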
A security manager should verify that appropriate controls are in place to protect the biometric
information of users. The following are some important aspects:
Biometric information should be stored securely.
The data flow between biometric devices and the server should be encrypted.
An information security manager should be aware of the different types of biometric access.
Types of Biometric Attacks
A CISM aspirant should be aware of the following attacks that exploit the weaknesses in biometric
controls:
Replay attack: In a replay attack, an intruder attempts to use residual biometric characteristics (for example, residual fingerprints
left on a biometric device) to gain unauthorized access.
Brute-force attack: In a brute-force attack, an attacker sends numerous biometric samples with the objective of making the
biometric device malfunction.
Cryptographic attack: In a cryptographic attack, an attacker attempts to obtain information by targeting algorithms or the
encrypted information that is transmitted between biometric devices and access control systems.
Mimic attack: In a mimic attack, the attacker attempts to reproduce a fake biometric feature of a genuine biometric user, for
example, imitating the voice of an enrolled user.
A. A voice wave
B. Face identification
C. Hand geometry
D. A retina scan
2. As an IS manager, you should be most concerned about which of the following biometric performance indicators?
3. Which of the following is considered the most important overall quantitative performance indicator for a biometric system?
7. An information security auditor is reviewing a biometric control for an organization's data center. What is the area of most
concern?
C. Transit data between a biometric device and the control server is not encrypted.
8. An information security auditor should first review which of the following biometric life cycle stages?
9. Which of the following is considered to be the most effective access control mechanism?
A. Session-based password
B. Iris scan
C. Fingerprint
D. Photo ID card
10. Which of the following is the most effective access control mechanism?
A. A fingerprint scanner
B. A password
C. A cipher lock
11. An attack with the unauthorized use of residual biometric information is known as:
A. A brute-force attack
B. An encrypted attack
C. A mimic attack
D. A replay attack
12. An attack in which the attacker attempts to reproduce the characteristics of a genuine biometric user is known as:
A. A mimic attack
B. A cryptographic attack
C. A replay attack
D. A brute-force attack
13. What is an attack in which data transmitted between a biometric device and an access control server is targeted?
A. A mimic attack
B. A brute-force attack
C. A cryptographic attack
D. A replay attack
14. An attack in which numerous biometric samples are sent to a biometric device is known as:
A. A mimic attack
B. A brute-force attack
C. A cryptographic attack
D. A replay attack
15. An organization is implementing biometric control for access to its critical server. This will:
B. Require the enrollment of all users that access the critical server
16. A security manager generally desires which of the following sensitivity for a biometric access control to protect a critical
database?
Factors of Authentication
There are three authentication factors that can be used for granting access:
Something you know (for example, a password, PIN, or some other personal information)
Something you have (for example, a token, a one-time password, or a smart card)
Something you are (for example, biometric features such as a fingerprint or iris scan or voice recognition)
Two-factor authentication means the use of two authentication methods from the preceding list. For
critical systems, it is advisable to use more than one factor of authentication for granting access.
From the user's perspective, two-factor authentication can cause additional hassle. Hence, the security
manager should strike the correct balance between ease of access and control.
Password Management
Password strength is a measure of the effectiveness of a password against guessing or brute-force
attacks.
Strong and complex passwords should be one of the most important requirements of a password
policy. A security manager should also ensure that the password policy is properly implemented. The
most effective way to ensure compliance with the password policy is to enable system-enforced
password configuration.
Frequent guidance and awareness are key factors in promoting the requirements of a password policy.
It gradually helps to obtain buy-in from end users.
Question: What is the best way to ensure that users comply with the organization's password policy?
Possible answer: To enable system-enforced password configuration
A. Biometrics
B. Encryption keys
2. As an information security manager, you are required to improve the password strength of all users. The most effective method is:
3. What is the best method to share the password for a confidential file?
4. A security manager notices that an application does not comply with one of the requirements of the organization's password
policy. What would their best course of action be?
5. The most effective method to ensure that the end users comply with the password requirements is:
6. A critical device with a single user ID needs to be accessed by multiple users. What is the most efficient way to ensure that all
access to the device is authorized?
Wireless Networks
A network connection supporting communication between devices without the use of a cable or a
wire is known as a wireless network. Cell phone networks and wireless local area networks are
examples of wireless networks.
CISM aspirants should know about the following controls regarding the protection of wireless (Wi-
Fi) security:
Encryption
Encryption
Encryption is the process of converting data into an unreadable form. Encryption helps to scramble
the data sent through the wireless network into a code. It is an effective way of restricting intruders
when it comes to accessing the wireless network. Wi-Fi Protected Access (WPA) and Wired
Equivalent Privacy (WEP) are the two main types of encryption. For wireless connections, Wi-Fi
Protected Access II (WPA 2) is the strongest encryption standard. These encryption methods only
protect data in transit and not data on the device.
Such open broadcasting is not required or necessary unless it is purposefully done to promote Wi-Fi,
as in the case of a hotel, restaurant, lounge, mall, and so on.
Question: What technique is used by a hacker to search for wireless networks from a moving vehicle using hacking tools and software? (The same technique is used by an information security auditor to test the wireless security of an organization.)
Possible answer: Wardriving
2. Which of the following exposures is introduced specifically by the use of wireless local area network technology?
A. Buffer overflow
B. Data spoofing
D. Session hijacking
Botnets: Botnets are compromised computers, also known as zombie computers. They are primarily used to run malicious
software for distributed denial of service (DDoS) attacks, adware, or spam.
Buffer overflow: A buffer overflow, also known as buffer overrun, is the most common software coding error that can be
exploited by an attacker to gain unauthorized access to a system. A buffer overflow occurs when more data is fed in than the
buffer can handle. Excess data overflows to adjacent storage.
Due to this, the attacker gets an opportunity to manipulate the coding errors for malicious actions.
Data diddling: In a data diddling attack, data is modified as it enters into a computer system.
This is done mostly by a data entry clerk or a computer virus. Data is altered before computer
security can protect it. Very limited technical knowledge is required for data diddling. Currently,
there are no preventive controls for data diddling, so organizations need to rely on compensatory
controls.
Dumpster diving: In a dumpster diving attack, an attempt is made to retrieve confidential information from the trash or a garbage
bin.
To address the risk of dumpster diving, employees should be made aware of this kind of risk through
frequent security awareness training.
A document discarding policy should be in place to define the appropriate methods for discarding
various types of information. One example is the use of a shredder to discard confidential documents.
Figure 7.9: Dumpster diving
War dialing: War dialing is a technique in which tools are used to automatically scan a list of telephone numbers to determine the
details of computers, modems, and other machines.
Wardriving: In wardriving, an attempt is made to locate and get unauthorized access to a wireless network with the use of
specialized tools.
An intruder drives around the building with specialized tools to identify unsecured networks.
The same technique is used by an information security auditor to identify unsecured networks and
thereby test the wireless security of the organization.
Eavesdropping: Through eavesdropping, an intruder gathers the information flowing into the network through unauthorized
methods.
Using tools and techniques, sensitive information such as email addresses, passwords, and even
keystrokes can be captured by the intruder.
Email attacks and techniques:
Email bombing: In this technique, abusers repeatedly send an identical email to a particular address.
Email spamming: In this attack, unsolicited emails are sent to thousands of users.
Email spoofing: In this attack, emails appear to have originated from a legitimate source rather than from their actual
(illegitimate) source. It is often attempted to trick the user into disclosing sensitive information.
Flooding: This is a type of DDoS attack that brings down a network by flooding it with huge amounts of traffic.
Juice jacking: In this type of attack, data is copied from a device attached to a charging port (mostly available in public places).
Malicious code:
Trojan horse: In this attack, malicious software is disguised as some legitimate software. Once installed on the system, it starts
taking control of the user's system.
Logic bomb: In this type of attack, a program is executed when a certain event happens. For example, a logic bomb can be set to
delete files or databases at a future date.
Trap door: Another name for a backdoor. A backdoor is a type of malware that bypasses normal authentication procedures to
access a system.
Man-in-the-middle attack: In this attack, an attacker interferes when two devices are establishing a connection.
Alternately, an attacker actively establishes a connection between two devices and pretends to be the
other device with each of them.
If any device asks for authentication, the attacker sends a request to the other device and then
forwards the response to the first device.
Once a connection is established, the attacker can communicate and obtain information as needed.
Masquerading: In this type of attack, an intruder hides their original identity and acts as someone else. This is done to access a
system or data that is restricted.
These attacks can have serious impacts in certain instances, for example, when the message is for a
bank to make a payment.
Network analysis: In this type of attack, an intruder creates a repository of information about a particular organization's internal
network, such as internal addresses, gateways, or firewalls.
The intruder then determines what services and operating systems are running on the targeted system
and how they can be exploited.
Packet replay: In this type of attack, an intruder captures the data packet as data moves along a vulnerable network.
Pharming: In this type of attack, the traffic of a website is redirected to a bogus website.
Password sniffing: In a password sniffing attack, tools are used to listen to all the traffic in a network. The tools then
rebuild data streams out of the TCP/IP packets, and usernames and passwords are extracted from those streams. These tools are known as password sniffers.
The captured passwords are then used to gain unauthorized access to the system.
Parameter tampering: The unauthorized modification of a web application parameter with malicious intent is known as
parameter tampering.
As the hidden files on the web page are not visible, a developer may feel safe transferring the data
without proper validation. This creates a risk as an intruder may intercept the hidden data and modify
the parameter for malicious purposes.
Privilege escalation: In a privilege escalation attack, an employee obtains high-level system authority through
unauthorized methods by exploiting security flaws.
Race condition: In this attack, an intruder exploits a small window between the time a service is used and when the
security control is applied.
The larger the time gap between the time of use and the time of service, the higher the chances of
race condition attacks.
Salami: In this technique, a small amount of money is sliced from a computerized transaction and transferred to unauthorized
accounts.
Social engineering: In a social engineering attack, an attempt is made to obtain sensitive information from users by tricking and
manipulating them.
An attacker does not require any technical tools or techniques to obtain information.
A social engineering attack is generally conducted through dialogue, an interview, an inquiry, and/or
other social methods of interaction.
The objective of a social engineering attack is to exploit human nature and weakness to obtain critical
and sensitive information.
By carrying out adequate and effective security awareness training, the impact of social engineering
attacks can be minimized.
Shoulder surfing: In a shoulder surfing attack, an intruder or a camera captures sensitive information by looking over the
shoulder of a user entering details on a computer screen.
Passwords entered on a computer screen should be masked to prevent shoulder surfing attacks.
Figure 7.12: Shoulder surfing
Traffic analysis: In traffic analysis, the communication pattern between entities is studied and information is deduced.
Virus: A virus is a type of malicious code that can self-replicate and spread from computer to computer.
A virus can take control of the user's computer and delete or alter sensitive files. It can also disrupt
system functioning.
Worms: Worms are destructive programs that can destroy sensitive data. However, worms do not replicate like viruses.
Biometric attacks:
Replay attack: In a replay attack, an attacker makes use of residual biometric characteristics (such as fingerprints left
on a biometric device) to gain unauthorized access.
Brute-force attack: In a brute-force attack, an attacker sends numerous biometric samples with the objective of
making the biometric device malfunction.
Cryptographic attack: In a cryptographic attack, an attacker attempts to obtain information by targeting the
algorithm or the encrypted information that is transmitted between the biometric device and the access control system.
Mimic attack: In a mimic attack, an attacker attempts to reproduce fake biometric features of a genuine biometric
user, for example, imitating the voice of an enrolled user.
A CISM aspirant should also understand the differences between active and passive attacks. Passive
attacks are types of attacks in which information is only captured but not modified, inserted, or
deleted. Examples of passive attacks include traffic analysis, network analysis, and eavesdropping.
Active attacks are where an attacker attempts to modify, delete, or corrupt the data or make the
system or network inaccessible. An example of an active attack is DDoS.
Question: An attack in which internet traffic appears to originate from the internal IP of the organization.
Possible answer: IP spoofing
Question: A hidden file on a web page can expose the risk of:
Possible answer: Parameter tampering
Question: An attack that does not require any technical tools and/or techniques to obtain critical information.
Possible answer: Social engineering
Question: Inherent risk in a data entry process for which apparently there is no preventive control.
Possible answer: Data diddling
Question: Technique to execute DDoS, spam, and other types of attacks by using other computers as zombie devices.
Possible answer: Botnet
Question: What is the most effective defense to address the risk of structured query language (SQL) injection attacks?
Possible answer: Strict controls on input fields
Question: When a credit card is swiped on a point-of-sale (POS) machine, data is transferred from the card to the machine. Which is the most important control for such data transfers?
Possible answer: Encryption of data
A. A race condition
B. Parameter tampering
C. Flooding
D. Juice jacking
2. In which of the following attacks does internet traffic appear to originate from the internal IP of the organization?
A. A DDoS attack
B. Parameter tampering
C. IP spoofing
D. Port scanning
A. A DDoS attack
B. Social engineering
C. Juice jacking
4. An employee runs a task scheduler without authorization to access restricted applications. What type of attack is this?
A. Privilege escalation
B. Race condition
C. Social engineering
D. Buffer overflow
5. Which of the following techniques does not require any tools and tactics to obtain critical information?
A. Privilege escalation
B. Race condition
C. Social engineering
D. Buffer overflow
6. The best method to limit the consequences of a social engineering attack is:
A. Juice jacking
B. Tailgating
C. Shoulder surfing
D. Impersonation
8. The mandatory process of reading employee ID badges at the entrance door prevents:
A. Shoulder surfing
B. Piggybacking
C. Race condition
D. Dumpster diving
9. Which of the following techniques is considered an inherent risk in data entry for which apparently there is no preventive control?
A. Shoulder surfing
B. Data diddling
C. Race condition
D. Dumpster diving
A. Traffic analysis
B. Juice jacking
C. Denial of service
D. IP spoofing
11. A password sniffing attack can:
A. Wardriving
B. Juice jacking
C. War dialing
D. Social engineering
A. Phishing techniques
B. Logic bombs
C. Botnets
D. Social engineering
A. Port scanning
B. Wardriving
C. War dialing
D. Backdoor
15. In which of the following attacks is residual biometric information used to gain unauthorized access?
A. A brute-force attack
B. An encrypted attack
C. A mimic attack
D. A replay attack
16. Which of the following methods has the capability to circumvent two-factor authentication?
A. DDoS
C. Juice jacking
D. Brute force
17. Which of the following risks increases due to poor programming and coding practices?
A. Juice jacking
B. Social engineering
C. Buffer overflow
D. Brute force
18. Which of the following risks increases due to URL shortening services?
A. Social engineering
B. Phishing
C. Vishing
D. DDoS
A. Technical error
B. Judgmental error
D. Computer error
20. Which of the following techniques is used to gather information about encrypted data being transmitted over a network?
A. DDoS
B. IP spoofing
C. Traffic analysis
D. Masquerading
Summary
In this chapter, you learned about the infrastructure and architecture of information security. This
chapter will help the CISM candidate understand important methods, tools, and techniques to develop
a security program in an effective and efficient manner.
You also explored security architecture in line with industry best practices and access control
requirements including biometrics and authentication factors.
The next chapter will cover the practical aspects of information security program development and
management.
Revision Questions
1. Which of the following is most effective to address the risk of dumpster diving?
2. The best way to control the activity of an intruder masquerading as an authorized user and connecting to the corporate network is:
C. Two-factor authentication
3. What is the most important aspect to secure credit card data while using the card at point of sale?
A. Authorization
B. Authentication
C. Encryption
D. Digital signature
C. Periodic audits
A. An access card
C. Awareness training
D. A biometric reader
7. A form-based authentication requiring a user to input a user ID and a password can be bypassed by:
8. Which of the following exposures is introduced by the use of Simple Network Management Protocol version 2 (SNMP v2)?
B. Unstable processing
C. Cleartext authentication
D. Cross-site scripting
B. User education
Digital Signatures
Cryptography
Penetration Testing
A security manager should understand the following types of firewalls, as well as how they should be
structured for better protection of information assets:
Types of Firewalls
The following are the basic characteristics of these different types of firewalls.
Packet Filtering Router
A packet filtering router is the simplest, and the standard, version of a firewall. It tracks the IP
addresses and port numbers of both the destination and source and acts (either to allow or deny the
connection) as per the defined rules. A packet filtering router functions at the network layer of the
Open Systems Interconnection (OSI) model.
Stateful Inspection
A stateful inspection firewall monitors and tracks the destination of each packet being sent from an
internal network. It only allows incoming messages that are in response to requests sent out from the
internal network. A stateful inspection firewall operates at the network layer of the OSI model.
Circuit-Level
A circuit-level firewall operates on the concept of a bastion host and proxy server. It provides the
same proxy for all services. It operates at the session layer of the OSI model.
Application-Level
Here are a few characteristics of an application-level firewall:
An application-level firewall is regarded as the most secure type of firewall.
It also works on the concept of a bastion host/demilitarized zone and proxy server but provides a separate proxy for each service.
CISM aspirants should understand the concept of a bastion host, proxy, and demilitarized zone, as
discussed in the following sections.
Proxy
What is a proxy? The following diagram is a visual representation of how a proxy works:
Figure 8.2: Proxy server
No direct communication is allowed between the internal and external networks. All communication passes through the proxy
server.
The outside world cannot see the addresses of the internal networks. It can only recognize proxy servers.
The proxy technology operating at the session layer is known as a circuit-level proxy, and the proxy technology operating at the
application layer is referred to as an application-level proxy.
The firewall ensures that traffic from the outside is routed into the DMZ. Nothing valuable is kept in
a DMZ because it is subject to attack (and compromise resulting from the attack).
The following simple example further explains proxies, bastion hosts, and DMZs.
Your office has a receptionist. The receptionist has a phone number that is easily available in the
phone directory. You and your colleagues have been given specific extension numbers. Only your
receptionist and internal staff know the extension numbers:
Proxy: You cannot directly call outside the organization from your extension. First, you need to call your receptionist and request
an external connection. Your receptionist will do all the due diligence and get you connected. An outsider will only know the
receptionist's phone number. They will not be able to track your extension. The receptionist is thus a proxy.
Bastion host/DMZ: Similarly, an outsider cannot directly contact you on your extension. They need to call the receptionist first.
The receptionist will do the necessary due diligence and then pass the call on to you. Since your receptionist has direct contact
with multiple outsiders, they are more vulnerable to attacks or threats, for instance, intruders trying to gain sensitive information.
Thus, you need to ensure that they do not possess any sensitive or critical data. This is the bastion host or the DMZ.
Of the preceding firewall implementations, a screened subnet firewall (DMZ) is regarded as the most
secure type of firewall implementation.
Generally, servers that interact with the internet (extranet) are placed in a demilitarized area as this
area is separate from internal servers and properly hardened. Also, generally, an IDS is placed on a
screened subnet, which is a DMZ.
Placement of Firewalls
Firewalls should be placed in a hardened server with minimum services enabled. It is not
recommended to place firewalls and IDSs in the same physical server. A firewall should be
implemented on a domain boundary to monitor and control incoming and outgoing traffic.
The most effective way to ensure that firewall rules are adequate is to conduct penetration tests
periodically. Gaps identified during penetration tests should be addressed immediately. This helps to
improve the security posture of the organization.
Source Routing
Firewalls, by default, should be able to reject traffic with IP source routing. Source routing is the way
to get information about all the routers in a packet transit. This could potentially be used to bypass
firewalls, and hence it is a security threat. If a firewall permits source routing, it is possible to execute
spoofing attacks by capturing the IP address of the organization.
The functionality of the firewall improves with the increase in layers. An application-level firewall
that operates at the seventh layer is the most robust.
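As an added example that is not from the book, the Go program below models the behaviour this section describes: a stateful inspection firewall that admits inbound traffic only in reply to connections opened from the internal network, a default-deny rule set with explicit allows, and outright rejection of source-routed packets. The packet fields, addresses and rules are constructed for the example.

```go
package main

import "fmt"

// Packet is a constructed, simplified view of the fields a packet filter
// inspects: addresses, ports, direction, and whether IP source routing is set.
type Packet struct {
	SrcIP, DstIP     string
	SrcPort, DstPort int
	Inbound          bool // true when arriving from the external network
	SourceRouted     bool // IP source-routing option present in the header
	Syn              bool // connection-opening packet
}

// Rule is an explicit allow; anything not matched is denied (default deny).
type Rule struct {
	DstIP   string
	DstPort int
	Inbound bool
}

// Firewall keeps a state table of connections initiated from the internal
// network so that only replies to those connections are admitted from outside.
type Firewall struct {
	rules []Rule
	state map[string]bool
}

func NewFirewall(rules []Rule) *Firewall {
	return &Firewall{rules: rules, state: map[string]bool{}}
}

// flowKey identifies a connection by its internal and external endpoints.
func flowKey(inIP string, inPort int, outIP string, outPort int) string {
	return fmt.Sprintf("%s:%d<->%s:%d", inIP, inPort, outIP, outPort)
}

// Decide returns "allow" or "deny" plus the reason, applying in order:
//  1. reject source-routed traffic regardless of any rule;
//  2. admit inbound packets that answer a connection in the state table;
//  3. otherwise consult the explicit allow rules, denying by default.
func (f *Firewall) Decide(p Packet) (string, string) {
	if p.SourceRouted {
		return "deny", "source-routed packet"
	}
	if p.Inbound {
		// For an inbound reply the internal endpoint is the destination.
		if f.state[flowKey(p.DstIP, p.DstPort, p.SrcIP, p.SrcPort)] {
			return "allow", "reply to internally initiated connection"
		}
		for _, r := range f.rules {
			if r.Inbound && r.DstIP == p.DstIP && r.DstPort == p.DstPort {
				return "allow", "explicit rule"
			}
		}
		return "deny", "default deny"
	}
	// Outbound: record the connection so that its replies can be admitted.
	if p.Syn {
		f.state[flowKey(p.SrcIP, p.SrcPort, p.DstIP, p.DstPort)] = true
	}
	return "allow", "outbound from internal network"
}

func main() {
	// Constructed rule set: only the DMZ web server accepts unsolicited traffic.
	fw := NewFirewall([]Rule{{DstIP: "203.0.113.10", DstPort: 443, Inbound: true}})
	pkts := []Packet{
		{SrcIP: "10.0.0.5", SrcPort: 40000, DstIP: "198.51.100.7", DstPort: 443, Syn: true},
		{SrcIP: "198.51.100.7", SrcPort: 443, DstIP: "10.0.0.5", DstPort: 40000, Inbound: true},
		{SrcIP: "198.51.100.9", SrcPort: 5555, DstIP: "10.0.0.5", DstPort: 22, Inbound: true, Syn: true},
		{SrcIP: "198.51.100.9", SrcPort: 5555, DstIP: "203.0.113.10", DstPort: 443, Inbound: true, Syn: true},
		{SrcIP: "198.51.100.9", SrcPort: 5555, DstIP: "203.0.113.10", DstPort: 443, Inbound: true, SourceRouted: true},
	}
	for _, p := range pkts {
		verdict, why := fw.Decide(p)
		fmt.Printf("%-5s %s\n", verdict, why)
	}
}
```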
Question: What is the most secure type of firewall?
Possible answer: Application-level (as it works on the highest layer, that is, the application layer of the OSI model)
Question: The most stringent and robust configuration setting in a firewall is:
Possible answer: To reject all traffic and allow only specific traffic
Question: What is the best technique to validate the adequacy of firewall rules?
Possible answer: Penetration testing on a regular basis
Question: What is the primary disadvantage of the use of password-protected ZIP files to email files across the internet?
Possible answer: A mail filter or firewall may quarantine the password-protected file as it cannot verify whether the file contains malicious code.
Question: What is the major risk when there is an excessive number of firewall rules?
Possible answer: One rule may override another rule and create a loophole.
NOTE
The answers and explanations for all practice and revision questions for this chapter can be found via this link.
A. The rule to permit all traffic by default and deny specific traffic
B. The rule to deny all traffic by default and permit only specific traffic
C. The rule to decide dynamically on the basis of the nature of the traffic
D. The rule to provide discretionary power to the network administrator to permit or deny all traffic
3. Which of the following is considered the most robust and secure firewall system implementation?
C. A dual-homed firewall
A. Stateful inspection
B. Packet filter
C. Application gateway
D. Circuit gateway
5. Which of the following firewall structures will best protect a network from internet attacks?
D. A circuit-level gateway
6. As an information security manager, you want to deploy a firewall that permits external traffic only in response to traffic sent
from an internal host. Which of the following is the best choice?
D. A circuit-level gateway
7. Which of the following firewalls will not allow the download of a file through the file transfer protocol (FTP)?
D. A circuit-gateway firewall
8. Which of the following firewalls will safeguard the most against a hacking attempt?
C. An application-level gateway
9. The area of most concern for a risk practitioner when reviewing a firewall implementation is:
B. The availability of updated firewall infrastructure with the most secure algorithm
C. The effectiveness of the firewall in enforcing compliance with the information security policy
11. Which of the following is the first step of implementing a firewall within a big organization?
13. The area of most concern for a security manager reviewing the firewall infrastructure is:
A. The firewall administrator has not been trained on the security aspect
D. The implementation of the firewall above a commercial operating system with all installation options enabled
14. What is the most effective method to ensure that a firewall is configured as per the security policy?
C. Slow bandwidth
C. On a screened subnet
C. On a screened subnet
20. The most effective method to ensure that firewall rules and settings are adequate is:
Network-based IDS: Has high false positives (that is, high rates of false alarms).
Host-based IDS: Has low false positives (that is, low rates of false alarms).
Network-based IDS: Generally used to detect attacks from the outside.
Host-based IDS: The preferred choice to detect attacks from the inside.
Network-based IDS: Inspects the contents and header information of all packets moving across a network and identifies any irregular behavior.
Host-based IDS: Detects activity on a host computer, such as the deletion of files or the modification of programs.
Component: Sensors
Description: The function of sensors is to collect data. Data may be in the form of IP packets, log files, and so on.
Component: Analyzers
Description: An analyzer analyzes the data and determines any intrusive activity.
Component: Administration console
Description: The administration console helps the administrator control and monitor IDS rules and functions.
Component: User interface
Description: The user interface helps the user view the results and carry out the required tasks.
Figure 8.9: Components of IDS
Limitations of an IDS
The following are some limitations of an IDS:
IDSs operate on the basis of policy definition. A weakness in policy definitions weakens the function of IDSs.
Types of IDS
The following are some types of IDSs:
Type: Signature-based
Description: In signature-based IDSs, the IDS looks for specific predefined patterns to detect intrusions. Patterns are stored as signatures and are updated at frequent intervals. Signature-based IDSs are not capable of identifying new types of attacks for which signatures are not yet available.
Type: Statistical-based
Description: Statistical-based IDSs attempt to identify abnormal behavior by analyzing statistical algorithms. Any abnormal activity is flagged as an intrusion. For example, if normal logon hours are between 7 A.M. and 5 P.M., and a logon is performed at 11 P.M., the IDS will raise this as an intrusion. Statistical-based IDSs generate the most false positives compared to other types of IDSs.
Type: Neural network-based
Description: Neural network-based IDSs work on the same principle as statistical-based IDSs. A neural network keeps updating the database by monitoring the general patterns of activity. Neural networks are most effective at addressing problems that can be solved by analyzing many input variables.
For any type of IDS, tuning is the most important element for its successful implementation. Tuning
is the process of adjusting the criteria to determine abnormal behavior. If criteria are not properly
tuned, the IDS may generate false alarms or may fail to identify an actual abnormality. The most
effective way to determine whether an IDS is properly tuned is to simulate various attack scenarios
and review the performance of the IDS.
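The Go program below is an added example, not from the book, of the statistical-based detection and tuning just described: it learns a mean and standard deviation of logon hours from a constructed baseline, scores new logons against it, and shows that lowering the threshold catches the same real intrusions while flagging more benign logons as false positives. All log records and the ground-truth labels are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Constructed records, one logon per line as "user,hour[,benign]". The
// baseline is the normal activity the IDS learns from; the benign flag on the
// events to be scored is the analyst's ground truth, used only to count false
// positives while tuning.
const baselineLog = `alice,8
bob,9
alice,10
carol,11
bob,12
carol,13
alice,14
bob,15
carol,16`

const eventLog = `alice,9,true
bob,18,true
carol,7,true
alice,23,false
bob,3,false`

// Event is one logon; Benign defaults to true when the record has no flag.
type Event struct {
	User   string
	Hour   float64
	Benign bool
}

// Profile is the statistical model of normal behaviour: mean logon hour and
// its standard deviation.
type Profile struct{ Mean, Std float64 }

// parseEvents turns the comma-separated records into events.
func parseEvents(records string) []Event {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(records), "\n") {
		f := strings.Split(line, ",")
		if len(f) < 2 {
			continue // skip malformed records rather than poison the profile
		}
		h, err := strconv.ParseFloat(f[1], 64)
		if err != nil {
			continue
		}
		events = append(events, Event{User: f[0], Hour: h, Benign: len(f) < 3 || f[2] == "true"})
	}
	return events
}

// BuildProfile computes the mean and population standard deviation of the
// logon hours in the baseline.
func BuildProfile(baseline []Event) Profile {
	n := float64(len(baseline))
	var sum, sq float64
	for _, e := range baseline {
		sum += e.Hour
	}
	mean := sum / n
	for _, e := range baseline {
		sq += (e.Hour - mean) * (e.Hour - mean)
	}
	return Profile{Mean: mean, Std: math.Sqrt(sq / n)}
}

// Score returns how many standard deviations a logon hour lies from the mean.
func (p Profile) Score(hour float64) float64 {
	return math.Abs(hour-p.Mean) / p.Std
}

// Evaluate flags every event whose score exceeds the threshold and returns the
// true positives (real intrusions caught) and false positives (benign logons
// flagged). Lowering the threshold raises the false positive count.
func Evaluate(p Profile, events []Event, threshold float64) (tp, fp int) {
	for _, e := range events {
		if p.Score(e.Hour) > threshold {
			if e.Benign {
				fp++
			} else {
				tp++
			}
		}
	}
	return tp, fp
}

func main() {
	p := BuildProfile(parseEvents(baselineLog))
	events := parseEvents(eventLog)
	fmt.Printf("profile: mean hour %.1f, std %.2f\n", p.Mean, p.Std)
	for _, th := range []float64{1.5, 2.0, 3.0} {
		tp, fp := Evaluate(p, events, th)
		fmt.Printf("threshold %.1f: %d true positives, %d false positives\n", th, tp, fp)
	}
}
```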
Placement of IDSs
Network-based IDSs can be installed either between the firewall and the external network (the
internet) or between the firewall and the internal network.
If an IDS is installed between the firewall and the external network, it can identify all intrusion
attempts irrespective of whether the intrusion packets bypass the firewall or not.
If an IDS is installed between the firewall and the internal network, it can only detect those attempts
that bypass the firewall rules.
Question: What is the disadvantage of a statistical-based IDS?
Possible answer: False alarms are generated even for minor abnormalities
Question: Which IDS has the capacity to update its database and self-learn?
Possible answer: A neural network-based IDS
Question: The type of IDS with the highest false alarms is:
Possible answer: A statistical-based IDS
Question: The first step in the preparation of a system attack is:
Possible answer: Gathering information
Question: What will happen if an IDS is set with a low threshold value to determine an attack?
Possible answer: An increase in the number of false positives
B. A statistical-based IDS
C. A signature-based IDS
D. A role-based IDS
A. The console
B. The sensor
C. The analyzer
3. Which of the following intrusion detection systems gives the highest false alarms?
B. A statistical-based IDS
C. A signature-based IDS
D. A host-based IDS
4. Which of the following is a major concern for an auditor verifying an intrusion detection system?
D. The intrusion detection system being placed between the internal network and the firewall
5. What is the best location to place an intrusion detection system for the detection of an intrusion that bypasses the firewall?
7. Which of the following is the most frequent problem with respect to an intrusion detection system?
C. False positives
D. DDoS attacks
8. The risk of intrusion attacks and network penetration can be detected on the basis of unusual system behavior by:
A. A hub
B. Packet filters
C. A switch
10. Which of the following is the most important concern with respect to an intrusion detection system (IDS)?
B. A firewall being installed between the IDS and the external network
C. A neural network monitors the general patterns of activity and creates a database, addressing complex problems
involving input variables from different sources
D. A neural network solves the problem where a large database is not required
12. An organization with the objective of protecting a public-facing website on its server should install the network intrusion
detection system:
A. In a DMZ
13. To prevent the installation of a rootkit on a web server hosting an application, which of the following should be installed?
14. Which of the following helps to capture information for proactively strengthening security controls?
A. A honeypot
B. A proxy server
C. An IDS
D. An IPS
B. A honeypot
C. A switch
16. Which of the following is the first action in the preparation of a system attack?
A. To capture information
C. To gain access
D. To launch a DoS attack
17. After the firewall, which of the following is considered the next line of defense for network security?
A. Antimalware software
B. Router
C. Switch
19. What is the most important aspect to be considered while deploying an intrusion detection system?
A. Tuning
B. Patch updating
C. Logging
D. Change management
20. Statistical-based IDSs are not as popular as signature-based IDSs because statistical-based IDSs:
Digital Signatures
A digital signature is a method in which a unique code is attached to an electronic message. This
unique code acts as a signature. It helps to verify a document's integrity and the sender's identity.
2. Encrypt the hash (from Step 1) with the private key of the sender.
The following is a screenshot of software showing a hash value of the message Meeting at 8 AM:
The table in Figure 8.15 shows the hash value for the first message (i.e., 8 AM) and the second table
shows the hash value for the second message (i.e., 8 PM). If you note in the preceding screenshot, the
entire hash value changed even though there was only a change in one character:
The following explains how a message is encrypted by a sender and decrypted by the receiver:
Figure 8.19: Verifying a digital signature
2. Then, he will decrypt the digital signature, that is, 4xxxxxxxxxxxxxxxxxxxxxxxxx4e, using the public key of the sender,
Mr. A. (This proves authentication and non-repudiation.)
3. Now, he will compare the value derived in step 1 with the value derived in step 2. If they match, the integrity of the message is
proved.
Non-repudiation (that the sender cannot later deny sending the message)
Question: Does a digital signature provide confidentiality?
Possible answer: In the creation of a digital signature, only the hash value of the message is encrypted (not the entire message). Hence, a digital signature does not provide confidentiality or privacy.
Question: Which key is to be used for the creation of a digital certificate, that is, for the encryption of the hash of the message?
Possible answer: The private key of the sender
Question: Which key is to be used to validate the digital certificate, that is, for the decryption of the hash of the message?
Possible answer: The public key of the sender
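The Go program below is an added example (not from the book) of the digital signature process described above: it hashes Mr. A's message, signs the hash with the sender's private key, and lets the receiver verify it with the sender's public key, showing that the hash changes completely when 8 AM becomes 8 PM, that an altered message or another party's key fails verification, and that the message itself is never encrypted. SHA-256 and RSA PKCS#1 v1.5 from the Go standard library are assumed as the hash and signature algorithms; the key pairs are generated on the spot for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// GenerateKeyPair creates a party's RSA key pair (constructed for this
// example; a real deployment would obtain certified keys through the PKI).
func GenerateKeyPair() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// HashHex is step 1: compute the message digest (SHA-256 here), the "unique
// code" that a one-character change alters completely.
func HashHex(msg []byte) string {
	sum := sha256.Sum256(msg)
	return hex.EncodeToString(sum[:])
}

// Sign is step 2: the digest, not the whole message, is signed with the
// sender's private key. Because only the digest is covered, the message
// itself still travels in the clear; a signature gives no confidentiality.
func Sign(senderPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
}

// Verify is the receiver's side: recompute the digest of the received message
// and check the signature with the sender's public key. A match proves
// integrity, authentication and non-repudiation; any alteration of the
// message, or a signature made with a different sender's key, makes it fail.
func Verify(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	mrA := GenerateKeyPair() // the sender, Mr. A
	original := []byte("Meeting at 8 AM")
	altered := []byte("Meeting at 8 PM") // one character changed in transit

	fmt.Println("hash of original:", HashHex(original))
	fmt.Println("hash of altered: ", HashHex(altered))

	sig, err := Sign(mrA, original)
	if err != nil {
		panic(err)
	}
	fmt.Println("verifies on original:", Verify(&mrA.PublicKey, original, sig))
	fmt.Println("verifies on altered: ", Verify(&mrA.PublicKey, altered, sig))
	fmt.Println("verifies with another party's key:", Verify(&GenerateKeyPair().PublicKey, original, sig))
}
```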
3. As an information security manager, you have been advised by your consultant to deploy a digital signature for electronic
communication. A digital signature will help address the risk of:
A. Unauthorized archiving
B. Loss of confidentiality
C. Unauthorized copying
D. Alteration
4. What is the best method to protect the hash value of a message from being compromised?
A. Digital signatures
B. Message encryption
C. Staff training
A. Privacy
B. Integrity
C. Availability
D. Confidentiality
7. Which of the following provides the strongest evidence of the occurrence of a specific action?
A. Proof of delivery
B. Non-repudiation
C. Proof of submission
D. Authorization
A. The use of a sender's private key to encrypt the hash value of the message
C. The use of a sender's public key to encrypt the hash value of the message
9. As an information security manager of an e-commerce organization, you have been advised by your consultant to validate
customer communication through a digital signature. How is this done?
A. The hash value of the message is transmitted and encrypted with the organization's private key
B. The hash value of the message is transmitted and encrypted with the customer's private key
C. The hash value of the message is transmitted and encrypted with the customer's public key
D. The hash value of the message is transmitted and encrypted with the organization's public key
10. As an information security manager, you have been advised by your consultant to deploy digital signatures. Digital signatures:
B. Provide confidentiality
11. The primary difference between hash and encryption is that a hash value:
A. Cannot be reversed
B. Can be reversed
12. As an information security manager, you noted that some critical information is sent to third-party vendors through email. You
want to ensure that the recipients of emails (that is, vendors) can authenticate the identity of the senders (that is, employees). This
can best be done by:
13. As an information security manager, you are required to deploy a digital signature to ensure that the sender of the message cannot
deny generating and sending the message. This is known as:
A. Integrity
B. Authentication
C. Non-repudiation
D. Security
14. As an information security manager of an e-commerce organization, which of the following is the best way for you to validate the
occurrence of a transaction?
A. Proof of delivery
B. Authentication
C. Encryption
D. Non-repudiation
15. A sender has sent a message along with an encrypted (by the sender's private key) hash of the message to the receiver. This will
ensure:
A. The signer has the public key of the sender and the receiver has the private key of the sender
B. The signer has the private key of the sender and the receiver has the public key of the sender
17. The primary objective of including a hash value (message digest) in a digital signature is:
18. The best method to ensure that information transmitted over the internet is genuine and actually transmitted by the known sender
is:
A. Encryption
B. Hashing
C. Symmetric encryption
D. Digital signatures
20. The most effective way to ensure that a data file has not changed is to:
D. Create a hash value of the file, then compare the file hashes
PKI Terminology
CISM aspirants should have a basic understanding of the following terms with respect to PKI:
Digital certificate: A digital certificate is an electronic document that proves the ownership of a public key. A digital certificate
includes details about the key, details about the owner, and a digital signature of its issuer. It is also known as a public
key certificate.
Certificate Authority: A certificate authority (CA) is an entity that is responsible for issuing digital certificates.
Registration Authority: A registration authority (RA) is an entity that verifies user requests for digital signatures and
recommends the CA issue certificates.
Certificate Revocation List: A certificate revocation list (CRL) is a list of digital certificates that have been revoked and
terminated by the CA before their expiry date. These certificates should no longer be trusted.
Certification Practice Statement: A certification practice statement (CPS) is a document that prescribes the practice and
process of issuing and managing digital certificates by the CA. It includes details such as the controls in place, methods for
validating applicants, and how certificates should be used.
PKI: PKI is a set of rules, policies, and procedures for the issuance, maintenance, and revocation of public key certificates.
4. If the information is correct, the RA recommends that the CA issues the certificate
5. The CA issues the certificate and manages it through its life cycle. The CA also maintains the details of the certificates that have
been terminated or revoked before their expiry date. This list is known as the CRL. The CA also maintains a document known as
the CPS containing the standard operating procedure (SOP) for the issuance and management of certificates.
CA versus RA
The following table presents the differences between CAs and RAs:
CA RA
Functions of an RA
An RA has the following functions:
To verify and validate the information provided by the applicant.
To ensure that the applicant is in possession of a private key and that it matches the public key requested for a certificate. This is
known as proof of possession (POP).
To distribute physical tokens containing private keys.
To generate shared secret keys during initialization and the certificate pickup phase of the registration.
Question: What is the authority that manages the life cycle of a digital certificate called?
Possible answer: Certificate authority
Question: Contractual requirements between the relying parties and the certificate authority are prescribed in:
Possible answer: The certification practice statement
3. Which of the following authorities manages the life cycle of a digital certificate to ensure the existence of security in digital
signatures?
A. Certificate issuance
A. Issuance of certificates
7. The procedural aspects of dealing with a compromised private key are prescribed in:
10. In a public key infrastructure, the contractual relationship between parties is provided in:
B. A digital certificate
C. A non-repudiation certificate
12. The single point of failure in public key infrastructure (PKI) is:
Cryptography
Cryptography is defined as the art or science of secret writing with the use of techniques such as
encryption. Encryption is the process of converting data into unreadable code so it cannot be
accessed or read by unauthorized people. This unreadable data can again be converted into a readable
form by the process of decryption. Different types of algorithms are available for encryption and
decryption.
Symmetric encryption: A single key is used to encrypt and decrypt messages.
Asymmetric encryption: Two keys are used: one for encryption and another for decryption.
Symmetric encryption: For large-scale key distribution, symmetric encryption is not preferable, as scaling results in complex distribution and storage problems.
Asymmetric encryption: For large-scale key distribution, asymmetric encryption is preferred, as scaling is more convenient.
The following section will dive into the different types of encryption keys.
Encryption Keys
In an asymmetric environment, a total of four keys are available with different functions. The
following table indicates who possesses the different keys:
Sender's public key: This key is available in the public domain. Public keys can be accessed by anyone.
Receiver's public key: This key is available in the public domain. Public keys can be accessed by anyone.
Integrity
Confidentiality
In asymmetric encryption, two keys are used: one for encryption and the other for decryption.
Messages are encrypted by one key and can be decrypted by the other key. These two keys are known
as private and public keys. A private key is available only to the owner of the key and a public key is
available in the public domain.
Receiver's private key: The sender will not be in possession of the receiver's private key and hence this option is not feasible.
Sender's public key: If a message is encrypted using the public key of the sender, then it can be decrypted only by using the
corresponding private key of the sender. The receiver will not be in possession of the sender's private key, so this option is not
feasible.
Sender's private key: If a message is encrypted using the private key of the sender, then anyone with the public key can decrypt
it. The public key is available in the public domain and hence anyone can decrypt the message. This will not ensure the
confidentiality of the message.
Hence, for message confidentiality, the receiver's public key is used to encrypt the message and the
receiver's private key is used to decrypt the message.
Authentication
Authentication is ensured by verifying and validating some unique features of the sender. Generally,
you validate a document by verifying the signature of the sender. This signature is unique for
everyone. Similarly, for digital transactions, a private key is unique for each owner. Only the owner is
in possession of their unique private key. Each private key has a corresponding public key. A third
person can authenticate the identity of the owner with the use of this public key. When the objective
is to authenticate the sender of the message, the sender's private key is used to encrypt the hash value
of the message. The receiver then tries to decrypt it with the sender's public key and if it is
successfully decrypted, it indicates that the message is genuine, and the sender is authenticated.
Hence, for the authentication of a message, the sender's private key is used to encrypt the message
and the sender's public key is used to decrypt the message.
Non-Repudiation
Non-repudiation refers to a situation wherein a sender cannot take back their responsibility for a
digital message or transaction. Non-repudiation is established once the sender is authenticated.
Hence, for non-repudiation, the same concept of authentication will apply.
For the non-repudiation of a message, a sender's private key is used to encrypt the message and the
sender's corresponding public key is used to decrypt the message.
Integrity
Integrity refers to the correctness, completeness, and accuracy of the message/data. To achieve
integrity, the following steps are followed:
1. The sender creates a hash value of the message.
2. The sender encrypts the hash value using their private key.
3. The message, along with the encrypted hash value, is sent to the receiver.
4. The receiver does two things. First, they decrypt the hash value using the sender's public key, and second, they recalculate the hash value of the message received.
5. The receiver then compares both hash values; if they are the same, the message is considered correct, complete, and accurate.
The following table will help you understand the use of different keys to achieve each of the preceding objectives:
Objective: Confidentiality and authentication/non-repudiation
Keys used: For confidentiality: the use of the receiver's public key to encrypt the full message
Objective: Confidentiality, integrity, and authentication/non-repudiation
Keys used: For confidentiality: the use of the receiver's public key to encrypt the full message
Question: In asymmetric encryption, message confidentiality can be ensured by:
Possible answer: The use of the receiver's public key for encryption and the use of the receiver's private key for decryption
Question: In asymmetric encryption, message authentication can be ensured by:
Possible answer: The use of the sender's private key to encrypt the message or hash value and the use of the sender's public key to decrypt the message or the hash value
Question: In asymmetric encryption, message non-repudiation can be ensured by:
Possible answer: The use of the sender's private key to encrypt the message or hash value and the use of the sender's public key to decrypt the message or the hash value
Question: In asymmetric encryption, message integrity can be ensured by:
Possible answer: The use of the sender's private key to encrypt the hash value and the use of the sender's public key to decrypt the hash value
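The following Go program, added here as an illustration and not the book's own code, implements the key usage summarised in the preceding table: the receiver's public key encrypts the message for confidentiality, and the sender's private key signs the SHA-256 hash of the message (the book's "encrypt the hash value with the sender's private key") so the receiver can check integrity and authenticate the sender with the sender's public key. The Envelope type, the key names and the sample message are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a constructed wire format for this example: the message encrypted
// for the receiver, plus the sender's signature over the SHA-256 hash of the message.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// Send applies the key choices from the table above. Confidentiality: the receiver's
// public key encrypts the message (RSA-OAEP, so the message must be short, under
// about 190 bytes for a 2048-bit key). Authentication, non-repudiation and integrity:
// the sender's private key signs the hash of the message.
func Send(msg []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, msg, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Receive reverses the steps: the receiver's private key recovers the message, the
// hash is recomputed, and the sender's public key checks the signature over it. Only
// the holder of the receiver's private key can read the message, and only a signature
// made with the sender's private key passes the check.
func Receive(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong private key or altered ciphertext")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], env.Signature); err != nil {
		return nil, errors.New("signature check failed: message altered or sender not authenticated")
	}
	return msg, nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // sender
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // receiver
	env, _ := Send([]byte("constructed sample: pay 100 to account 42"), alice, &bob.PublicKey)
	msg, err := Receive(env, bob, &alice.PublicKey)
	fmt.Printf("%q, err=%v\n", msg, err) // the original message, err=<nil>
	env.Signature[0] ^= 0xff // constructed tampering with the signature
	_, err = Receive(env, bob, &alice.PublicKey)
	fmt.Println(err) // signature check failed: message altered or sender not authenticated
}
```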
A. Data encryption
B. Multiple authentications
C. Digital signature
2. What is the most commonly used protocol to safeguard the confidentiality of data transmitted in an e-commerce application?
C. A secure shell
D. A telnet
3. What is the most effective method to protect the data on a mobile computing device?
4. For a large number of key distributions, asymmetric encryption is preferred over symmetric encryption because:
5. Which of the following has the greatest risk of an internal attack on a network?
6. What is the most effective method to prevent a database administrator (DBA) from reading sensitive data from the database?
7. In public key infrastructure, the public key of the other party is required to:
8. What is the best way to secure a wireless network as a point of entry into an organization's network?
B. Strong encryption
C. Two-factor authentication
A. Authentication-based access
B. Read-only data in the USB device
Penetration Testing
In penetration testing, a tester deploys the same tools, techniques, and methods that hackers use to
obtain unauthorized access to systems and networks. Penetration testing helps the organization
determine its security environment. Gaps and vulnerabilities identified by penetration testing are
evaluated and remediated to improve the security posture of the organization. It aids in the
identification of any risks to the information systems' confidentiality, integrity, and availability. Only
a qualified and experienced professional should conduct penetration testing.
The scope should include the testing technique to be deployed (SQL injection, DoS/DDoS, social engineering, and so forth).
The scope should include the date and time of the attack (either during business hours or after business hours).
It is the penetration tester's responsibility to give adequate warning before the test in order to avoid false alarms being raised with
law enforcement agencies.
In a black box approach, no information is provided about the infrastructure to the tester. This
simulates an actual hacking attempt.
Sensitive information relating to the target environment gathered during penetration testing can be misused by the tester.
Inappropriate planning and timing of the attack may cause the system to fail.
This is a simulation of a real attack and may be restricted by law or regulations. Such attacks without appropriate approvals may
have adverse impacts.
Question: What is the main objective of performing a penetration test?
Possible answer: To identify weaknesses in the network and server security of an organization
Question: What are the most important actions prior to contracting a third party to perform a penetration test against an organization?
Possible answer: To ensure that the goals and objectives are clearly defined, and to ensure that the rules of engagement are clearly defined
Question: What is the advantage of a white box penetration approach?
Possible answer: More time is spent on exploitation rather than on discovery and information gathering
Question: What is the most effective method to determine that a network is adequately secured against an external attack?
Possible answer: To perform periodic penetration testing
Question: What is the primary area of interest for a penetration tester when conducting a penetration test?
Possible answer: Network mapping (i.e., determining which network is used for different applications, databases, and other devices)
A. System audits
B. Penetration tests
D. Vulnerability analysis
6. The most important requirement before conducting a black box penetration test is:
7. What is the advantage of a white box penetration testing scenario, where information about the infrastructure to be tested is
provided to the tester in advance?
A. More time is spent on exploitation rather than discovery and information gathering.
B. Network mapping
C. Data analytics
Summary
In this chapter, you learned about information security monitoring tools and techniques, such as
firewall implementation and various types of IDSs and IPSs. This chapter will help the CISM
candidate understand the important methods, tools, and techniques used to develop an effective and
robust security program. You also explored digital signatures and encryption technology from an
information security perspective.
Revision Questions
1. A disadvantage of emailing a password-protected ZIP file is that:
2. An area of primary concern for a security manager reviewing a firewall configuration is:
3. What is the best method to prevent external individuals from accessing and modifying a critical database of the organization?
A. A screened subnet
A. A financial database
B. A web server
C. An operational database
D. A print server
C. In a demilitarized zone
D. On an external router
6. An area of major concern when there is an excessive number of firewall rules is:
A. One rule may conflict with another rule and create a loophole
8. What is the most effective method to determine the proper deployment of an intrusion detection system?
A. Simulating various attack scenarios and reviewing the performance of the intrusion detection system
D. Comparing the intrusion detection system rules with the industry benchmark
10. Which of the following is very important to ensure that an intrusion detection system is able to view all the traffic in a
demilitarized zone?
B. Ensuring that all the end devices are connected to the intrusion detection system
C. Ensuring the encrypted traffic is decrypted prior to being processed by the intrusion detection system
11. What is the most effective way to detect an intruder who successfully penetrates a network?
A. Signature-based detection
B. An external router
C. An antivirus software
D. Anomaly-based detection
13. The most effective way to lure hackers to get their information without exposing the information assets is:
A. To set up a firewall
B. To set up a proxy
D. To set up a router
14. What will happen if an intrusion detection system (IDS) is set with a low threshold value to determine an attack?
A. Packet filtering
B. Encryption
C. System hardening
D. Hashing
Insurance
Incident Classification/Categorization
Incident management is defined as the process of handling disruptive events in a structured manner to
minimize their impact on business processes. In most organizations, the responsibility for developing
and testing incident management lies with the information security manager.
Incident response includes only those activities that are performed when responding to an incident
and focuses on the identification, triage, containment, eradication, and recovery actions taken to
resume normal, planned operations.
Thus, incident management includes all processes, practices, and activities before, during, and after
an event. On the other hand, incident response only includes those activities carried out when an
organization declares an incident.
All the preceding activities ultimately lead to minimizing the impact of the incident on
the organization.
An incident response plan is a very important document that includes the step-by-step process to be
followed along with the assigned roles and responsibilities. An incident response plan helps the
security manager handle incidents.
Phase 2 – Detection, Triage, and Investigation
This phase concerns detection techniques and processes such as the implementation of an intrusion
detection system (IDS), an intrusion prevention system (IPS), and security incident and event
management (SIEM) tools. Timely detection is of utmost importance for effective incident
management. It is very important for a security manager to verify and validate the incident before any
containment action is taken.
Triage refers to the process of deciding the order of treatment on the basis of urgency. It is very
important to prioritize an incident based on its possible impact. Quickly ranking the severity criteria
of an incident is a key element of incident response. To determine the severity of an incident, it is
recommended to consult the business process owner of the affected operations.
Phase 3 – Containment and Recovery
This phase involves executing the containment process for the identified incident. Containment refers
to the process of taking action to prevent the expansion of the incident. Incident response procedures
primarily focus on containing the incident and minimizing damage. For example, when a virus is
identified in a computer, the first action should be to contain the risk by disconnecting the computer
from the network so it does not impact other computers.
After successful containment, forensic analysis is performed, ensuring a proper chain of custody.
Chain of custody is a legal term that refers to the proper handling of evidence to ensure its integrity.
In cases of major incidents, the recovery procedure should be executed in accordance with the
business continuity and disaster recovery plans.
Phase 4 – Post-Incident Review
This phase helps to evaluate the cause and impact of the incident. It also helps to understand the
loopholes in processes and provides the opportunity for improvement based on the lessons learned.
Phase 5 – Incident Closure
This phase evaluates the effectiveness of the incident management process. A final report is
submitted to the management and other stakeholders.
In the next topic, we will discuss the relationship between incident management, business continuity,
and disaster recovery.
Minor incidents can be effectively handled by the incident management process. However, there can
be incidents that lead to major business disruptions and in such cases, organizations need to activate
their business continuity plan (BCP) and/or disaster recovery plan (DRP) processes.
Responsibility for declaring a disaster should be entrusted to an individual at a senior level who has enough experience to determine the likely impact of an incident on business processes. The responsibility for declaring a disaster should be determined when the incident response plan is established. Business continuity and disaster recovery processes involve the activation of alternative recovery sites.
The primary focus of the incident response process is to ensure that the defined service delivery objective (SDO) is achieved. The acceptability of partial system recovery after a security incident is most likely based on the SDO. The SDO also has a direct impact on the level and extent to which data restoration is required.
For example, a disaster occurred on January 1 and from January 2 onward, services were made
available to 20% of the clients (that is the SDO) from an alternative site. However, the organization
can only operate from the alternative site for 2 months due to location-based constraints. These 2
months are considered the MTO.
The allowable interruption window (AIW) is the maximum period of time for which normal
operations of the organization can be down. After this point, the organization will start to face major
financial difficulties that might threaten its existence. Continuing with the preceding example, if
within 2 months of disaster the main site is not made operational, the organization will not be able to
sustain operations due to financial scarcity. This indicates that the organization only has the financial
capability to operate at a reduced capacity for 2 months. These 2 months are considered the AIW.
Security managers should try to ensure that the MTO is equal to, or higher than, the AIW. Generally,
the MTO should be as long as the AIW to minimize the risk to the organization. That means the
arrangements for an alternative site should be made to last at least until the time the organization has
returned to financial stability.
Question: When is the best time to determine who is responsible for declaring a disaster?
Possible answer: At the time of preparing the incident response plan
Question: What is the primary objective of incident response?
Possible answer: To minimize the business impact (incident response procedures primarily focus on containing the incident and minimizing damage)
Question: Who can best determine the severity of an incident?
Possible answer: The business process owners of the affected operational areas
Question: What is an MTO?
Possible answer: The maximum tolerable outage is the maximum period of time that an organization can operate from an alternative site due to resource constraints.
Question: What is an AIW?
Possible answer: The allowable interruption window is the maximum period of time for which normal operations of the organization can be down. After this point, the organization will start facing major financial difficulties that threaten its existence.
Question: What should the relationship between the MTO and the AIW be?
Possible answer: The MTO should be equal to, or longer than, the AIW. Generally, the MTO should be as long as the AIW to minimize the risk to the organization.
NOTE
The answers and explanations for all practice and revision questions for this chapter can be found via this link.
3. As an information security manager, you are required to address the risk of network denial of service (DoS) attacks. What is the
most effective way to address this?
4. As an information security manager, you have been informed about a stolen laptop. What should your first course of action be?
7. When an incident is reported, what should the security manager's first priority be?
A. Investigation
B. Documentation
C. Restoration
D. Containment
8. Which of the following is the area of most concern for a security manager?
9. Which of the following is the area of most concern for a security manager?
11. A security manager notes that a network attack is in progress. What should their first course of action be?
B. Protection of infrastructure
C. Safety of personnel
14. A security manager notes a security incident. What should their next course of action be?
15. A security manager notes that a computer has been infected with a virus. What should their first course of action be?
B. Scanning the entire network to determine whether another device has also been infected
17. A security manager notes that an email server has been compromised at the administrative level. What is the best way to make the
system secure?
19. Which of the following documents is most important to include in a computer incident response team manual?
20. A security manager notes that a server is infected with a virus. What is the most important action?
Determining the severity of the incident and following the escalation process
Triage refers to deciding the order of treatment on the basis of urgency. It is very important to
prioritize the incident based on its possible impact. Quickly ranking the severity criteria of an
incident is a key element of incident response. To determine the severity of the incident, it is
recommended to consult the business process owner of the affected operations.
Triage provides a snapshot of the current status of all incidents reported. This allows resources to be assigned in accordance with criticality.
Containment
In this phase, the incident management team coordinates with the business process owner for a
detailed assessment and to contain the impact of the incident. The following activities are carried out:
Coordination with the relevant business process owner
Coordination with the IT team and other relevant stakeholders to implement the containment procedure
Eradication
After containment, the next phase of action is to determine the root cause of the incident and
eradicate it. The dictionary definition of eradication is the complete destruction of something. To
ensure complete destruction (meaning it will not reoccur), determining the root cause of the incident
and addressing it is of utmost importance. Hence, the incident response team addresses the root cause
during the eradication process. The following activities are carried out in this phase:
Determining the root cause of the incident
In the event of a virus infection, the existing viruses are eradicated, and further antivirus systems are implemented to prevent
reoccurrence
An organization should have a defined and structured method for root cause analysis. Ad hoc
processes may lead to ineffective solutions.
The objective of root cause analysis is to eliminate the cause of reoccurring incidents.
Figure 9.3: Root cause analysis
Recovery
In this phase, an attempt is made to restore the system to a degree specified in the SDO or the BCP.
This phase should be completed as per the defined RTO. The following activities are carried out in
this phase:
Restoring the systems as defined in the SDO
Lessons Learned
In this last phase, the lessons learned are documented, including details of what happened, the actions
initiated, what went wrong, what happened correctly, and areas for further improvement. The report
should be submitted to senior management and other stakeholders.
Gap Analysis
A gap analysis is the most effective way to determine the gap between current incident management
capabilities and the desired level. Once gaps are identified, the security manager can work to address
them and improve the incident management processes. A gap analysis report is used to determine the
steps needed for improvement.
The objective of a BIA is to understand what impact an incident could have on the business and what
processes or assets (that might be affected by that incident) are critical to the organization.
Participation from the business process owner, senior management, IT, risk management, and end
users is required for an effective BIA.
The identification of critical processes, systems, and other resources is one of the most important
aspects of a BIA.
Goals of a BIA
Following are some of the primary goals of a BIA:
To identify and prioritize critical business unit processes, the impact of an incident must be evaluated. The higher the impact, the higher the priority.
A BIA is also used to estimate the maximum tolerable downtime (MTD) or MTO for the business. This helps to design the
recovery strategy.
It also determines the longest period of unavailability of critical systems, processes, or assets before the organization starts facing
a financial crisis, that is, the AIW.
Steps of a BIA
The following are the steps for conducting a BIA:
1. Identify the critical processes and assets of the organization.
2. Identify the dependencies of the above identified critical processes and assets.
3. Determine the possible disruptions that could impact the critical processes or their dependencies.
4. Develop a strategy to restore the processes and assets in the event of a disruption.
5. Document the assessment results and create a report for the business process owners and senior management.
Escalation Process
An IRP should contain a structured process of escalation for various categories of incidents. The
objective of the escalation process is to highlight the issue to the appropriate authority in accordance
with the risk perceived and the expected impact of the incident. For example, minor issues can be
escalated to the manager, major issues can be escalated to the senior manager, and so on. A risk and
impact analysis will be the basis for determining what authority levels are needed to respond to
particular incidents.
An escalation process should also state how long a team member should wait for an incident response and what to do if no such response occurs. For each type of possible incident, a list of actions should be documented. Roles and responsibilities should be defined for each action.
An IRP should also contain the names of the officials who are authorized to activate the BCP and
DRP in the event of a major disruption.
A security manager should determine the escalation process in coordination with business
management and it should be approved by senior management.
A security manager should have a well-defined process for the help desk team to differentiate a
typical incident from a possible security incident. Help desk executives should have the relevant
skills as well.
Frequent security awareness training for end users as well as help desk staff is one of the most
important factors for the early identification and reporting of incidents.
Emergency management team: They are responsible for making key decisions and coordinating the activities of other teams.
Relocation team: They are responsible for the smooth execution of relocation to alternative sites from the affected site.
Security team: They are responsible for monitoring the security of information assets. They are required to limit exposure to the
security incident and to resolve any security-related issues.
Most detection systems have automated notification processes enabled, which helps the employees
concerned act quickly.
This can best be achieved by highlighting the benefits of incident management from the
organization's perspective.
The incident management plan not being aligned with organizational goals: An incident management plan is effective only if
it supports the goals of the organization. However, business processes change significantly over time. A security manager should
ensure that incident management processes are kept aligned with business requirements.
Experienced and trained professionals: Another important challenge is the availability of experienced and well-trained staff to
handle incidents.
Lack of a communication process: Ineffective communication processes are a major challenge. Incomplete or untimely
communication causes hurdles in the incident handling process.
A complex incident management plan: A security manager should keep the incident management plan simple and meaningful
for all stakeholders. Also, the plan should be realistic and achievable.
early identification of an
incident?
Question: What should the escalation process document contain?
Possible answer: The escalation process document should state how long a team member should wait for an incident response and what to do if no such response occurs.
Question: What does the triage phase indicate?
Possible answer: Triage provides a snapshot of the current status of all incidents reported so as to assign resources in accordance with criticality.
Question: What is slack space?
Possible answer: Slack space means the additional storage available on a computer's hard disk drive. Slack space is created when a computer file does not need all the space allocated to it by the operating system. Slack space can be used to store hidden data. The verification of slack space is an important aspect of computer forensics.
2. As an information security manager, you have noted a new type of attack in the industry, wherein a virus is disguised in the form
of a picture file. What should your first course of action be?
3. Who should be notified immediately upon the discovery of a vulnerability in the web server?
4. An investigation team is in the process of collecting forensic evidence for a recent security breach. They have a strong suspicion that the slack space was compromised. What is the relevance of slack space during an incident investigation?
5. A security manager has received a report about the breach of a customer database by a hacker. What should their first step be?
C. To initiate containment
6. Which of the following is the most effective method to address network-based security attacks generated internally?
7. A security manager notes a serious vulnerability in the installed firewall. What should their next course of action be?
8. Once a security incident has been confirmed, what should the security manager's next task be?
9. A security manager notes that confidential human resource data is accessible to all users of the human resource department. What
should the security manager's first step be?
10. What is the most effective metric to justify the establishment of an incident management team?
11. What is the most important factor for the early identification of a security incident?
13. An end user notes a suspicious file on a computer. They report it to the security manager. What should the security manager's first
step be?
14. The members of an organization's information security response team are determined by:
15. A security manager has received an alert from the intrusion detection system (IDS) about a possible attack. What should their first
step be?
16. After confirming a security breach related to customer data, a security manager should first notify:
17. The efficiency of an incident response team can best be improved by:
D. Forensic skills
18. What is the main objective of a senior manager reviewing the security incident status and procedures?
19. A response team notes that the investigation of an incident cannot be completed as per the timeframe. What should their next
action be?
20. Which of the following is the most important factor for the timely identification of a security incident?
B. Frequent audits
Apart from having a well-defined BCP, it is of utmost importance for the organization to ensure that
both the BCP and DRP and any related documents are available at offsite locations as well.
Before developing a detailed BCP, it is important to conduct a BIA. A BIA helps to determine the incremental costs of losing different systems. Based on the BIA, the recovery efforts required for each system are determined. For critical systems, the RTO will be low and hence the recovery cost will be on the higher side. By comparison, for non-critical systems, the RTO will be high and the recovery cost will be comparatively low. The following example will further illustrate this:
An organization has two systems: system A and system B. System A is a critical system and the organization cannot afford system downtime of more than one day. Hence, the RTO, in this case, is one day. To restore the system within one day, the organization needs to have a hot site equipped with all the required arrangements. This results in a high recovery cost.
System B is non-critical. It will not have any impact even if it is down for 10 days. Hence, the RTO is 10 days. The organization can manage through a cold site without much arrangement needed. Hence, comparatively, the recovery cost will be low.
In a nutshell, critical systems have a low RTO and a high recovery cost whereas non-critical systems
have a high RTO and a low recovery cost.
Recovery Sites
As already alluded to, in the case of an incident, a primary site may not be available for business
operations. To address such scenarios, an organization should have an arrangement for the
resumption of services from an alternative site to ensure the continuity of business operations. Many
business organizations cannot afford the discontinuation of business processes for even a single day,
and so they need to invest heavily in an alternative recovery site. These arrangements can vary
according to the needs of the business.
From the perspective of the CISM exam, candidates should have an understanding of the following
alternative recovery site types:
Mirrored Site
A mirrored site is regarded as an exact replica of the primary site. When arranging a mirrored site,
the following components are already factored in:
The availability of space and basic infrastructure
A mirrored site can be made available for business operations in the shortest possible timeframe as
everything (in terms of systems and data) has already been considered and made available. It must be
noted that the cost of maintaining a mirrored site is very high compared to the alternatives.
Hot Site
A hot site is the second-best alternative after a mirrored site. The following components are already
factored in while arranging a hot site:
The availability of space and basic infrastructure
The availability of all business applications
However, for a hot site to function, an updated data backup is also required.
Warm Site
The following components are already factored in while arranging a warm site:
The availability of space and basic infrastructure
However, for a warm site to function, the following components are also needed:
An arrangement for the required IT applications
Cold Site
The availability of space and basic infrastructure is already factored in while arranging a cold site.
However, for a cold site to function, the following components are also needed:
An arrangement for the required IT applications
Mobile Site
At a mobile site, a moveable vehicle is used, which is equipped with the required computing
resources. A mobile site can be moved to any warm or cold site depending upon the requirements.
The scale of business operations determines the need for a mobile site.
Reciprocal Agreements
In a reciprocal agreement, two organizations with similar capabilities and processing capacities agree
to provide support to one another in the event of an emergency. Reciprocal agreements are not
considered very reliable. A reciprocal agreement is the least expensive as this relies solely on an
arrangement between two organizations.
The following table summarizes the characteristics of each alternative recovery site:
Figure 9.8: Characteristics of alternative recovery site
A mirrored site is the fastest mode of recovery, followed by a hot site. A cold site is the slowest mode
of recovery. For a critical system, mirrored/hot sites are appropriate options, while for non-critical
systems, cold sites are appropriate. A reciprocal agreement has the lowest expenditure in terms of a
recovery arrangement.
Factors Impacting Recovery Site Selection
Security managers need to consider the requirements of the organization as well as the costs of
maintaining a recovery site. The following factors impact the selection of a recovery site.
Allowable Interruption Window
The AIW is the maximum period of time for which normal operations of the organization can be
down. After this point, the organization will start facing major financial difficulties.
Recovery Time Objective
The RTO is the extent of system downtime that the organization can tolerate. In other words, the RTO
is the extent of acceptable system downtime. For example, an RTO of 2 hours indicates that an
organization will not be overly impacted if its system is down for up to 2 hours.
The RTO is said to be achieved when a system is restored within the defined RTO.
Recovery Point Objective
A recovery point objective (RPO) is the extent of acceptable data loss, expressed as a period of time,
that an organization can tolerate. For example, an RPO of two hours indicates that an organization
will not be overly impacted if it loses up to two hours of data.
An RPO is used to determine the various factors of a backup strategy, such as the frequency and type
of backups used (i.e., mirroring, tape backup, etc.).
Service Delivery Objective
The SDO is the level of service and operational capability to be maintained from an alternative site,
even during disaster recovery. It is derived directly from business needs and requirements.
Maximum Tolerable Outage
The MTO is the maximum period of time that an organization can operate from an alternative site.
Various factors affect the MTO, such as resource availability, location availability, raw material
availability, electric power availability at the alternative site, and other constraints.
Apart from the above, the following factors are also considered when selecting an alternative site:
The recovery site should have the appropriate distance from potential hazards such as bodies of water, chemical factories, or other
locations that might cause significant risk to the recovery site.
A recovery site should be away from the primary site so that both are not subject to the same environmental events.
Operating from a recovery site should also be feasible for a longer duration. Major disruptions can make primary sites unavailable
for months. The MTO (that is, the arrangement to operate from the recovery site) should be planned for at least the period defined
in the AIW (that is, until the time the organization starts facing a financial crisis).
Alternative Routing
In alternative routing, information is routed through a different transmission medium from that of
the primary link, such as copper cable or fiber optic cable.
Long-haul network connectivity: This is used to have redundancy for long-distance communication.
Diverse Routing
This is a method for routing information through split or duplicate cables:
Figure 9.9: Diverse routing
In diverse routing, a single cable is split into two parts, whereas in alternative routing, two entirely
different cables are used.
What is the primary basis on which a business continuity plan is developed?
The recovery strategy approved by senior management.
What is the primary factor for determining the MTO?
The resources available to operate from an alternative site.
A. Available resources
C. Operational capabilities
5. Which of the following ensures the correct prioritization of operations in the event of disaster recovery?
C. Organization hierarchy
D. Threat assessment
A. A warm site
B. A hot site
C. A reciprocal arrangement
D. A cold site
7. The recovery point objective (RPO) for an application is best determined by:
C. Risk management
D. Internal audit
9. For conducting a business impact analysis, who is the best person to determine the recovery time and cost estimates?
D. The IT department
10. The best way to ensure that a business continuity plan supports the organization's needs is:
12. What is the most important factor to consider when designing the technical aspects of a disaster recovery site?
A. Standby resources
13. Which of the following is the most important factor for the selection of an offsite facility?
A. The primary and offsite facilities should not be subject to the same environmental threats
B. The primary and offsite facilities should be in the same perimeter for ease of operation
A. A disaster is declared
15. Which of the following indicates that the business continuity plan (BCP) objective has been achieved?
A. Test results show that the recovery time objective was not exceeded
C. Test results show that the recovery point objective was inadequate
D. Assets have been assigned to the owners and proper valuation has been achieved
16. Which of the following is the most important factor for the selection of an offsite facility?
B. Adequate distance between the primary site and offsite facility so that the same disaster does not simultaneously
impact both
C. The location of the offsite facilities of other organizations of the same industry
17. The time required for the restoration of processing is determined by:
A. Recovery time objectives
18. A security manager is required to ensure the availability of key business processes at an offsite location. They should verify:
B. Risk evaluation
D. A vulnerability analysis
20. While conducting a business continuity test, a security manager notes that a piece of new software that is important for business
processes is not included in the recovery strategy. This type of concern can be avoided in the future by:
A. Conducting periodic and event-driven business impact analyses to determine the business needs
Insurance
A security manager should consider insurance as one of the important factors to minimize the impact
of loss due to incidents. Insurance can be obtained to recover losses. The following are some relevant
types of insurance coverage:
Insurance to cover damage to IT equipment and facilities
Insurance to cover financial loss due to fraud or dishonesty committed by employees (fidelity insurance)
Insurance to cover damage to media in transit
D. Fidelity insurance covers any losses suffered due to dishonesty or fraud by employees
2. What is the most effective way to compensate for the financial impact of downtime due to a disaster?
Incident Classification/Categorization
An information security manager needs to develop a process to classify incidents based on their
criticality. Classification helps the organization concentrate on areas of high risk and thus ensures
optimum utilization of its limited resources.
The most effective method to deal with multiple incidents is to triage them by considering their
criticality.
An information security manager needs to ensure the availability of a documented escalation process.
The process should include criteria for the classification of events, the responsibility and authority
for each type of event, and the set of actions and escalation steps to be implemented for each. The
information security manager should design this process in consultation with senior management.
In addition to identifying a potential security event, help desk employees should also be familiar with
the required reporting and response processes.
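The classification and escalation process described above, as an added example (not code from the book): incidents are scored on asset criticality, scope and data exposure, mapped to a severity level, and each level carries the responsible role, the authority granted and a response target. The scoring rule, the levels, the escalation table and the sample incidents are all constructed for illustration.

```python
"""Incident triage and escalation (added example; thresholds are constructed)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Incident:
    ident: str
    category: str           # e.g. "malware", "unauthorised access", "denial of service"
    asset_criticality: int  # 1 (low) to 3 (high), taken from the BIA
    scope: int              # 1 single host, 2 business unit, 3 organization-wide
    data_exposure: bool     # sensitive data confirmed or suspected exposed
    reported_at: datetime


# Severity level -> (responsible role, authority granted, response target in minutes).
# Constructed; a real programme documents its own table, agreed with senior management.
ESCALATION = {
    4: ("information security manager and senior management", "may invoke the DRP", 15),
    3: ("incident response team leader", "may isolate affected systems", 60),
    2: ("security analyst on duty", "may block indicators at the perimeter", 240),
    1: ("help desk", "log, monitor and report at the next review", 1440),
}


def severity(incident: Incident) -> int:
    """Map impact (asset criticality x scope, plus data exposure) to a 1..4 level."""
    score = incident.asset_criticality * incident.scope
    if incident.data_exposure:
        score += 3
    if score >= 9:
        return 4
    if score >= 6:
        return 3
    if score >= 3:
        return 2
    return 1


def escalation(incident: Incident) -> tuple:
    """Responsible role, authority and response target for the incident's level."""
    return ESCALATION[severity(incident)]


def triage(incidents: list) -> list:
    """Order the queue: highest severity first, then earliest report first."""
    return sorted(incidents, key=lambda i: (-severity(i), i.reported_at))


# Constructed sample incidents reported over a few minutes.
INCIDENTS = [
    Incident("INC-1", "phishing", 1, 1, False, datetime(2023, 3, 1, 9, 0)),
    Incident("INC-2", "malware", 2, 2, False, datetime(2023, 3, 1, 9, 5)),
    Incident("INC-3", "unauthorised access", 3, 1, True, datetime(2023, 3, 1, 9, 10)),
    Incident("INC-4", "denial of service", 3, 3, False, datetime(2023, 3, 1, 9, 12)),
]

if __name__ == "__main__":
    for inc in triage(INCIDENTS):
        role, authority, minutes = escalation(inc)
        print(f"{inc.ident} level {severity(inc)}: {role} ({authority}), respond within {minutes} min")
```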
2. As an information security manager, your team informs you that they are in the detection and analysis phase of a recent
cyberattack on the organization. Which of the following activities is part of this phase?
3. What is the main reason for conducting triage for incident handling?
Types of Tests
The following are some of the important methods for testing the BCP and DRP:
Checklist Review
This test is performed prior to a real test. A checklist is provided to all members of the recovery team
for review and for ensuring that the checklist is up to date.
Structured Walk-through
This includes a review of the BCP and DRP on paper. Team members review each step to evaluate
the effectiveness of the plans. Identified gaps, deficiencies, and constraints are addressed to improve
the plans.
Simulation Test
In this type of test, a roleplay is prepared for a disaster scenario and the adequacy of the DRP is
determined. This does not include activation of the recovery site.
Parallel Test
In this type of test, the recovery site is activated to determine the readiness of the site. The primary
site continues to operate normally.
Full Interruption Test
A full interruption test provides the information security manager with good assurance because it
comes the closest to an actual disaster. The primary site is completely shut down and operations are
carried out from the recovery site as per the DRP.
This type of testing is the most expensive and potentially disruptive. It is advisable that testing should
start with a simple exercise and once confidence is established, it should gradually expand to a full
restoration test.
Tests should be scheduled in a manner that will minimize disruptions to normal operations. Key
recovery team members should be actively involved in the test procedures. It is recommended to
conduct full interruption tests on an annual basis once individual tests have been performed
satisfactorily.
Effectiveness of Tests
Out of all the above tests, a full interruption test is considered the most effective to determine the
readiness of the BCP and DRP.
In both parallel and simulation tests, normal business operations are not impacted. In a parallel test, the
recovery site is activated, and in a simulation test, the recovery site is not activated. When the objective
of the test is not to disturb normal business operations, a parallel test is the most effective, followed
by a simulation test.
Category of Tests
A security manager should also understand the following categories of tests with respect to the
recovery process:
Paper Test/Desk-based Evaluation
In this type of testing, the relevant staff have a walk-through of the BCP and discuss what might
happen if service disruptions of a particular type occur. This is also referred to as a tabletop exercise.
The following are some of the important metrics for a recovery plan:
Whether recovery processes are completed within the predefined timelines
Whether the amount of work performed from the recovery site is within the service delivery objective
Whether the accuracy of transactions performed from the recovery site is acceptable
The success of a disaster recovery test depends on whether all critical business functions were successfully recovered and
reproduced.
If a test is performed by a third-party service provider, the security manager needs to ensure that all the data and applications have
the appropriate protection level. Data should be erased from the third-party infrastructure once the test is completed.
Frequent testing and improving from lessons learned will help to ensure that the incident management response plan is aligned
with the current business priorities.
It is essential for testing to be conducted in realistic conditions that take into account all the pressures of an actual disruptive event.
The security manager should understand the risk of untested plans. An untested plan may not work as expected and the
organization might face severe consequences in the event of a disaster.
Which type of test provides the best assurances about the effectiveness of BCPs and DRPs?
Full interruption tests.
Which type of testing provides the best assurances about the effectiveness of a BCP and DRP without disturbing normal business operations?
Parallel tests (first preference); simulation tests (second preference).
What is the most effective method to determine that a disaster recovery plan is current?
Regular testing of the disaster recovery plan.
What is the difference between a parallel test and a simulation test?
In a parallel test, the recovery site is activated, whereas in a simulation test, the recovery site is not activated.
A. Restoration is done with the help of the data available from the recovery site
B. The IT team and the business owners are involved in the recovery test
C. The critical business processes are recovered and duplicated within the defined timeframe
D. The recovery test results are documented and presented to senior management
2. As an information security manager, you are using the infrastructure of a third-party service provider to conduct a recovery test of
your organization. After completion of the test, what is the most important consideration?
A. All data and applications should be erased from the devices of the service provider
B. A meeting should be conducted at the site to evaluate the test results
C. The assessment of the recovery site should be discussed with the service provider
3. What is the most effective way to improve the performance of the incident response team?
B. Periodically testing and improving the plan from the lessons learned
C. Ensuring that all members of the incident response team have an expert level of IT knowledge
4. Which test provides the best assurance about the effectiveness of a recovery plan?
A. A walk-through test
B. A tabletop exercise
D. A simulation test
5. What is the most effective method to ensure that operational incident risks are managed effectively?
6. An organization wants to test the effectiveness of its business continuity plan. However, it does not want to impact its normal
business operations. Which of the following tests will give the best assurance?
A. Checklist tests
B. Simulation tests
C. Walk-through tests
7. A security manager notes that the system administrator failed to report an attempted attack. This situation can be prevented in the
future by:
8. What is the most effective way to determine that a disaster recovery plan is current?
A. Periodic audits of the disaster recovery plan
9. Which of the following activities increases the chance of a full return of operations after a disaster?
A. Restoration testing
B. Checklist reviews
10. An organization does not want to disturb its continuous operations. Which test will best determine the effectiveness of the
response and recovery process without impacting normal business operations?
B. A simulation test
C. A parallel test
D. A structured walk-through
11. Which of the following demonstrates the fundamental difference between a parallel test and a simulation test?
A. In a parallel test, the team members do a walk-through of the necessary recovery tasks; this is not done in a simulation
test
B. In a parallel test, normal business operations are stopped; this is not done in a simulation test
C. In a parallel test, a fictitious scenario is used for testing; this is not done in a simulation test
D. In a parallel test, the recovery site is brought to operational readiness; this is not done in a simulation test
12. A security manager reports a DRP test as a failure even though all essential services were restored at the hot site. What is the main
reason for the failure?
C. A few systems were updated with an old version of the operating system
C. It poses the risk that the plan will not work when needed
D. It will not be possible to determine the budget for the recovery site
14. The success of a disaster recovery test primarily depends on:
Summary
In this chapter, you gained an overview of incident management. This chapter will help the CISM
candidate determine and document incident response procedures for effective incident management.
It will also help the CISM candidate define resilient business processes and determine different
aspects of a BCP and DRP, and to test various plans and improve their effectiveness.
The next chapter will cover the practical aspects of incident management operations.
Revision Questions
1. What is the primary purpose of an incident response procedure?
A. To contain
C. To eradicate
3. A security manager is developing an incident response plan. What should their first step be?
D. Determining the category of the incident based on its likelihood and impact
6. A security manager notes that incident reports from different business units are not consistent and correct. What should their first
course of action be?
A. To determine whether a clear incident definition and criteria for severity exists
7. What is the best way to detect a security violation in a timely and effective manner?
9. A security manager notes that a server has been compromised and sensitive data has been stolen. After confirming the incident,
the next step is to:
B. Start containment
10. In which of the following plans is proactive security assessment and evaluation completed for computing infrastructure?
A. A business continuity plan
11. What is the most effective way to determine the impact of a denial-of-service attack?
B. To determine the number of hours for which the attack was active
12. What is the most effective way to monitor outsourced incident management functions?
13. What is the most important aspect when defining incident response procedures?
14. After an incident, a security manager notes that full system recovery will take a long time. Their efforts are concentrated on the
partial recovery of the system. This level of partial system recovery is most likely based on:
15. As an information security manager, you note that the business continuity plan (BCP) has not been updated in the last 5 years and
the maximum tolerable outage (MTO) is much less than the allowable interruption window (AIW). Your best action should be to:
17. Which of the following determines the priority of incident response activities?
19. What is the most important factor for a global organization to ensure the continuity of business in an emergency situation?
21. With the use of the triage phase of an incident response plan, a security manager can determine:
A. Management discretion
C. Audit reports
24. The best metric to determine the readiness of an incident response team is:
25. The area of most concern for establishing an effective incident management program is:
B. Details of the key process owners are not defined in the security policy
26. A security manager notes that if a server fails for three days, it could cost the organization $100,000, that is, two times more than
if it could be recovered in one day. This calculation is derived from:
27. What is the most effective method of training the members of a newly established incident management team?
A. Formal training
B. Virtual training
C. On-the-job training
D. Mentoring
28. What is the best way to determine the effectiveness of an incident response team?
29. In which of the following processes does the incident response team address the root cause?
A. Eradication
B. Containment
C. Reporting
D. Recovery
30. A security manager is designing a backup strategy. What is the most important factor?
A. Legal requirements
B. Business requirements
D. Resource availability
32. An organization is in the process of acquiring a new recovery site as the old site is no longer adequate to support the business
objectives. Until the new site is available, which of the following objectives for recovery will have to be changed?
33. A new security manager notes that the organization has multiple data centers and has arranged one of its own data centers as a
recovery site instead of having a dedicated recovery site. Which is the area of major concern?
34. An organization has developed an automated tool to manage and store its business continuity plan. The security manager should
be most careful:
35. An incident response team has activated a recovery site. Even though the processing capability is only half of the primary site, the
team notifies the management that they have restored the critical system. This indicates that the team has achieved:
36. What is the most effective way to ensure that incident response activities are aligned with the requirements of business continuity?
37. "In the event of a disaster, the backup of the end of the previous day should be restored." Which of the following is relevant to this
statement?
39. The most important factor for the successful recovery of a business is:
A. A copy of the disaster recovery plan being maintained at the offsite facility
B. Separate ISPs for network redundancy
40. A security manager notes that it is not possible to restore the data in the available time considering various constraints. What
solution should they suggest?
B. All equipment at the hot site is provided at the time of disaster but is not available on the data center floor.
D. Equipment at the hot site will not be an exact replica of the original site. Some equipment may be substituted with
equivalent models.
42. An area of major concern for a reciprocal arrangement for disaster recovery is:
In this chapter, you will learn about the practical aspects of information security incident
management and understand the importance of building resilient business processes. You will also
explore the practical aspects of business continuity, and disaster recovery plans and processes, as well
as the various aspects of testing incident responses.
Incident Eradication
Recovery
Personnel
Audits
An IMS can be in the form of a distributed or a centralized system. In a distributed system, multiple
devices are placed to monitor incidents, such as network intrusion detection systems (NIDSs),
host-based intrusion detection systems (HIDSs), and logs.
An information security manager needs to have a basic understanding of the following incident
management systems:
Security information and event management
If properly deployed, configured, and tuned, a security information and event management (SIEM)
system substantially reduces the time needed for the detection of incidents compared to manual log
reviews.
Endpoint Detection and Response
It is a generally accepted fact that most security attacks originate from endpoint devices such as
personal computers, laptops, and mobile devices. Hence, organizations emphasize the protection of
endpoint devices. Endpoint detection and response (EDR) aims to be proactive (rather than only
reactive) and focuses on detecting threats and malware that are meant to circumvent typical security
measures. EDR solutions often establish a historical audit trail of system/user behavior and security
events that security analysts can examine later. Not only can EDR solutions help with incident
responses, but they can also help with root cause analysis.
EDR is an advanced solution that integrates the functions of an antivirus, a firewall, whitelisting
tools, and monitoring tools.
In addition to file analysis and threat detection, most EDR solutions also have inbuilt machine
learning capabilities.
Extended Detection and Response
Extended detection and response (XDR) is an improved version of EDR. As the name implies,
XDR extends beyond individual endpoints and also covers servers, clouds, and networks.
XDR expands on EDR's capabilities by using automation, machine learning, and artificial
intelligence to enhance an organization's defense system.
Managed Detection and Response
Managed detection and response (MDR) is a combination of technology and a service provider.
MDR is beneficial for organizations that lack the necessary expertise and abilities, as well as the
resources, to effectively monitor potential attack vectors. The implementation of technology is
usually the responsibility of the service provider.
Personnel
The composition of an IMT varies from organization to organization depending on the nature and
complexity of business processes. An information security manager generally leads the team. Large
organizations generally prefer to have a separate incident response team leader who can concentrate
on responding to incidents.
Central IRTs
In a small business, or one that is centrally located, a single IRT manages all incidents for the entire
organization.
Distributed IRTs
Generally, in large organizations, different IRTs are made responsible for specific infrastructure. This
model is generally prevalent for organizations that have multiple units scattered geographically.
Coordinating IRTs
A central team may provide direction to distributed IRTs, set policies and standards, provide training,
conduct drills, and coordinate or support incident responses. Incident response is managed and
implemented by the distributed teams.
Audits
Audits are conducted to ensure that an organization's policies, standards, and processes are being
followed. Regular audits of the processes and procedures help to ensure that security controls are
effective and that they are implemented as per the requirements of the incident management policy.
Audits provide the opportunity to address identified gaps and improve the overall incident
management procedures of the organization.
Periodic reconciliation of the service provider's data with the organization's data to ensure that incident management efforts are
aligned
Ensure the availability of end-to-end incident management systems and processes by integrating the service provider's systems
with the organization's systems
Periodic audits of the service provider
Conducting root cause analysis for each incident identified by the service provider
NOTE
The answers and explanations for all practice and revision questions for this chapter can be found via this link.
2. As an information security manager, you are required to set up an incident handling team. What is the most desired attribute for an
incident handler?
A security manager should consider the following aspects for the execution of the plan:
To ensure that control procedures are implemented in such a way that risks are appropriately addressed. For example, the mere
installation of anti-malware is not sufficient. Virus signature files should be updated at regular intervals (ideally, updates should
be automated to run daily). Any gap between updates is a window of exposure.
In the case of a malware-infected server, it is advisable to rebuild the server from the original media and update it with subsequent
patches. This will address the risk of hidden malware.
It is advisable to synchronize all applications and servers with a common time server. This will help during a forensic
investigation. A time server will provide a common time reference that will help to accurately reconstruct the course of events.
In the event of a security breach, a security manager should keep senior management informed about the impact on the
organization and details of the corrective actions taken.
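The point about a common time reference, as an added example (not code from the book): each host's measured clock offset from the time server is applied before logs from different systems are merged, which changes the reconstructed order of events, and the corrected timeline is then used to spot a shared administrative account logged in from two different sources at once. The hostnames, offsets and log lines are constructed.

```python
"""Reconstructing an event sequence across hosts with clocks corrected to one reference (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Measured offset of each host's clock from the time server (constructed values).
# Positive means the host clock runs ahead of the reference.
CLOCK_OFFSET = {
    "fw01": timedelta(0),
    "app01": timedelta(minutes=4),
    "db01": timedelta(seconds=-90),
}

# Constructed log lines in a uniform "host timestamp kind key=value ..." layout.
LOG_LINES = [
    "db01 2023-03-01T08:59:40Z query user=svc_admin table=customers rows=120000",
    "fw01 2023-03-01T09:00:10Z accept src=203.0.113.5 dst=10.0.0.20:443",
    "app01 2023-03-01T09:04:30Z login user=svc_admin src=203.0.113.5 result=success",
    "app01 2023-03-01T09:06:00Z login user=svc_admin src=198.51.100.7 result=success",
]


@dataclass
class Event:
    host: str
    ts: datetime        # timestamp, corrected to the reference clock when requested
    kind: str
    fields: dict


def parse_line(line: str, correct_clock: bool = True) -> Event:
    """Parse one log line; optionally remove the host's clock offset."""
    host, stamp, kind, *rest = line.split()
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if correct_clock:
        # A host whose clock is ahead logged a later time than really elapsed.
        ts -= CLOCK_OFFSET.get(host, timedelta(0))
    fields = dict(tok.split("=", 1) for tok in rest if "=" in tok)
    return Event(host, ts, kind, fields)


def build_timeline(lines: list, correct_clock: bool = True) -> list:
    """Merge log lines from all hosts into one sequence ordered by time."""
    return sorted((parse_line(l, correct_clock) for l in lines), key=lambda e: e.ts)


def overlapping_logins(events: list, session: timedelta = timedelta(minutes=10)) -> list:
    """Report accounts with successful logins from two different sources inside one session window."""
    logins = [e for e in events if e.kind == "login" and e.fields.get("result") == "success"]
    found = []
    for i, first in enumerate(logins):
        for second in logins[i + 1:]:
            if (first.fields["user"] == second.fields["user"]
                    and first.fields["src"] != second.fields["src"]
                    and second.ts - first.ts <= session):
                found.append((first.fields["user"], first.fields["src"], second.fields["src"]))
    return found


if __name__ == "__main__":
    # Uncorrected, the database read appears to happen before the login that caused it.
    for label, correct in (("raw", False), ("corrected", True)):
        print(label, [(e.host, e.ts.strftime("%H:%M:%S"), e.kind) for e in build_timeline(LOG_LINES, correct)])
    print("overlapping logins:", overlapping_logins(build_timeline(LOG_LINES)))
```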
What information should be provided to senior management in the event of a security breach?
The impact on the organization and details of corrective actions taken.
What is the air gap technique for data backup?
The air gap technique is a backup and recovery strategy. It means that at any given time, a copy of the organization's sensitive data is offline, disconnected, and inaccessible from the internet. This makes it impossible for hackers to remotely access the data.
2. A compromised server has been isolated and appropriate forensic processes have been completed. What should the next step be?
3. A security manager has discovered that a hacker is analyzing the network perimeter. What action should they take?
B. Check intrusion detection system logs and monitor any active attacks
4. A security manager is investigating a breach by analyzing logs from different systems. What will best support the correlation
between these logs?
A. An application server
C. A time server
D. A database server
5. A hacker was successful in gaining access to an application by guessing the password of a shared administrative account. The
security manager can detect this breach by analyzing the:
A. Router logs
D. Concurrent logins
6. A security manager has discovered that a hacker is probing the organization's network. What should their first action be?
7. Once a security breach has occurred in an organization, what is the most important aspect to be reported to senior management?
Because each incident is different, the methods used for containment must be tailored. The
responsibility for initiating a containment action should reside with a senior officer, as it is critical to
consider the benefits and drawbacks before initiating any action.
2. As an information security manager, you have instructed your team to contain the impact of an ongoing server hack. Which of the
following is the most crucial when containing the incident?
B. Preserving evidence
4. As an information security manager, you note an active security attack in which data is being extracted piecemeal from the
organization's database. What should your first course of action be?
5. As an information security manager, you note ransomware on a few of the network computers. Your first step should be:
It is essential to define the various communication channels for the passing of information during an
incident. Further, communication should be done only by authorized officials. This is to ensure that
the chances of misunderstanding and disinformation are minimized to the greatest extent possible.
The list of official communication channels and authorized officials must be documented and
communicated with each member. An information security manager should consider the availability
of alternate communication channels in case the original channel gets corrupted or compromised.
An incident management team needs to document the contact details (phone number email, etc.) of
key stakeholders such as senior management, legal counsel, HR, service providers, PR officials, law
enforcement, and insurance companies.
2. As an information security manager, you have instructed your team to prepare a draft of the incident communication plan. What is
the most important reason for having a defined communication plan?
3. As an information security manager, you have instructed your team to prepare a draft of the incident communication plan. What is
the primary benefit you expect from the communication plan?
Incident Eradication
As you learned previously in this chapter, the objective of the containment process is to stop the
spread of an incident. The phase after containment is eradication. The objective of eradication is to
identify and correct the root cause that led to the incident. Once containment efforts have been
implemented successfully, eradication should be appropriately planned and performed. The following
are some activities performed during eradication:
Root cause analysis
2. As an information security manager, you are required to determine the point at which restoration will be considered complete.
Your best choice would be:
3. As an information security manager, your team informs you that they are in the eradication phase of a recent cyberattack on the
organization. Which of the following activities is part of the eradication phase?
B. Scanning the entire network and systems to remove and clean up any malware
4. As an information security manager, you were successful in containing a malware incident. Before restoring the systems, the most
important step is to:
Recovery
After the successful eradication of an incident, the next phase is recovery. The objective of the
recovery phase is to ensure that the business is brought back to its original state by restoring the
impacted systems.
While implementing recovery procedures, information security management needs to be careful and
vigilant to ensure that the same vulnerabilities are not reintroduced. Once a system is compromised,
there is no assurance that all abnormalities will be eradicated. An information security manager should
avoid rushing to recover. Recovery procedures should be planned, tested, and implemented under the
supervision of a senior official. The following are some activities performed during recovery:
Configuration of the security baseline
Testing
Monitoring performance
D. Implementing a security information and event management (SIEM) system to automate log analysis
2. As an information security manager, you are in the process of seeking approval for the installation of an EDR system. The most
appropriate capability of an EDR that should be included in your business case is:
D. An EDR is capable of performing forensic analysis and identification of emerging threats and suspicious activities
3. As an information security manager, you were successful in containing and restoring the system after a malware incident. What
should your next step be?
During a post-incident review, the overall cost of the incident is determined. Cost includes loss or
damage to infrastructure, loss of business, cost of recovery, and the cost of the resources used to
handle the incident. This cost provides useful metrics to justify the existence of the incident
management team.
Identifying the Root Cause and Taking Corrective
Action
An information security manager should appoint an event review team. This team should be
responsible for determining the root cause of the incident and suggesting the appropriate actions that
should be taken to prevent any reoccurrence of the incident.
Sometimes a security manager obtains the services of third-party experts for an independent and
objective review of the root causes of incidents.
Documenting Events
It is very important to have a structured process for documenting all the events related to the incident.
This serves as crucial evidence for further investigation. It can also be provided to authorities for
forensic analysis. This process of recording events should be entrusted to an employee who is well-
versed in forensic processes.
Documentation also helps to analyze complete incidents during the post-incident review.
Chain of Custody
A security manager should make sure that the appropriate chain of custody process is defined and
documented for the correct handling of evidence. Chain of custody is a legal term referring to the
order and manner in which evidence is handled. It ensures the integrity of the evidence and its
admissibility in a court of law.
The first step in any forensic investigation is to determine the process to ensure chain of custody. The
evidence handling procedure should be designed in consultation with the legal department, the IT
department, business process owners, and forensic experts.
Figure 10.2: Forensic investigation
A security manager should establish the following framework to establish the chain of custody:
Evidence should be handled by authorized officials only. The expertise of employees is the most important factor in a forensic
investigation.
In the case of an ongoing incident, power should be disconnected only after consulting forensic experts as sudden power loss may
corrupt the information on the hard disk or may cause the loss of data in volatile memory. Other means of isolation and
containment should be given preference.
Forensic tools should be used to create bit-by-bit copies of the hard disk and other media to ensure legal admissibility. A bit-by-bit
image ensures that erased or deleted files and data in slack space are also copied. Any further analysis or testing should be done
on this copy. The original media should remain unchanged.
A dedicated custodian should be appointed who will keep safe custody of the evidence.
Data from the original device should be copied through a hardware write blocker, which prevents any write command from
reaching the original drive.
Once data has been copied from the original media, the hash value (for example, SHA-256) of the original media and of the copy
should be calculated and compared to ensure that the copy is an exact image of the original media.
The procedure followed for detection, extraction, and analysis of all the evidence should be appropriately recorded along with
details of time, date, tools used, forensic experts present, and other relevant records. This will help to establish that the
investigation is fair, unbiased, and well documented.
The above procedures should be well documented and frequent training should be given to the
concerned employees.
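The imaging and verification steps above, as an added example that is not code from this guide. The "device" is a few constructed sectors standing in for a drive (including a deleted file and slack space, to show why a bit-by-bit image rather than a file copy is required), and the custodian name, evidence identifier and tool names are assumptions. In a real acquisition the source is read through a hardware write blocker with a forensic imaging tool; this script only reproduces the imaging, hash-comparison and custody-record logic.

```python
"""Bit-by-bit imaging, hash verification and a chain-of-custody record.
Added example; the sample media and names below are constructed."""
import hashlib
import io
from datetime import datetime, timezone

SECTOR = 512


def make_sample_device() -> bytes:
    """Constructed media: a live file, a short file followed by slack space
    left over from an earlier file, and a deleted file whose bytes still sit
    in unallocated space. A bit-by-bit image carries all of it; a file-level
    copy would keep only the two live files' contents."""
    live = b"live file contents".ljust(SECTOR, b"\x00")
    short_plus_slack = b"short" + b"\xa5" * (SECTOR - 5)
    deleted = b"DELETED: salary.xlsx".ljust(SECTOR, b"\x00")
    return live + short_plus_slack + deleted


def sha256_of(stream, chunk: int = SECTOR) -> str:
    """Hash a stream chunk by chunk so large images need not fit in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def image_device(src, dst, chunk: int = SECTOR) -> str:
    """Copy every sector from src to dst (the bit-by-bit image) and return the
    SHA-256 of the source computed in the same pass, so the original is read
    exactly once. Nothing is ever written to src."""
    h = hashlib.sha256()
    for block in iter(lambda: src.read(chunk), b""):
        h.update(block)
        dst.write(block)
    dst.flush()
    return h.hexdigest()


def verify_image(image: bytes, source_hash: str) -> bool:
    """The copy is accepted only if its hash equals the hash of the original."""
    return sha256_of(io.BytesIO(image)) == source_hash


def custody_entry(action: str, evidence_id: str, handler: str, tool: str, digest: str) -> dict:
    """One chain-of-custody record: who did what to which item, when, with
    which tool, and the hash that ties the record to the data it describes."""
    return {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "evidence_id": evidence_id,
        "action": action,
        "handler": handler,
        "tool": tool,
        "sha256": digest,
    }


def acquire(evidence_id: str, handler: str = "J. Doe (assumed custodian)"):
    """Image the sample device, verify the copy, and build the custody log.
    Returns (image, source_hash, verified, log)."""
    src = io.BytesIO(make_sample_device())   # stands in for the write-blocked drive
    dst = io.BytesIO()
    source_hash = image_device(src, dst)
    image = dst.getvalue()
    verified = verify_image(image, source_hash)
    log = [
        custody_entry("imaged", evidence_id, handler, "image_device", source_hash),
        custody_entry("verified" if verified else "VERIFY FAILED", evidence_id,
                      handler, "sha256", sha256_of(io.BytesIO(image))),
    ]
    return image, source_hash, verified, log


if __name__ == "__main__":
    image, digest, ok, log = acquire("HDD-001")
    print("image sectors:", len(image) // SECTOR, "verified:", ok)
    print("deleted data preserved in image:", b"DELETED" in image)
    for entry in log:
        print(entry)
```

The hash is computed from the source during the same read that produces the image, so the original is read once and never opened for writing; a second hash over the finished copy is what the custody log records as the verification step. Altering even one byte of the copy makes verify_image() return False.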
Key Aspects from the CISM Exam Perspective
The following are some key aspects from the exam perspective:
Question: What is the reason for consulting third-party teams to carry out post-event reviews of incidents?
Possible Answer: For independent and objective reviews of the root causes of incidents

Question: What is the first step when initiating a forensic investigation?
Possible Answer: Determining the process to ensure a chain of custody

Question: What is the most important objective of a post-incident review?
Possible Answer: To document and analyze the lessons learned and to improve the process

Question: What is the best process to copy from media that is part of forensic evidence?
Possible Answer: To create a bit-by-bit image of the original media source in new media

Question: What is the reason for not immediately disconnecting power during an ongoing incident?
Possible Answer: Power loss may corrupt the information on the hard disk or may cause a loss of data in volatile memory.

Question: What is the best way to determine that the copy of the original media is complete, correct, and accurate?
Possible Answer: Comparing the hash values of the original media and the copy

Question: What is the primary purpose for maintaining incident history?
Possible Answer: To track and record the progress of the incident handling process

Question: What are the basic steps for investigating a suspected hard disk or server?
Possible Answer: 1. The first action is to create a bit-by-bit image of the original media. 2. The second step is to create and
compare the hash value of the original media and the copied media. This will help to ensure that the copy is an exact replica of
the original.
A. To have an independent and objective review of the root cause of the incident
2. As an information security manager, you are required to set up a process for forensic investigation. The most important element of
a forensic investigation is:
3. An organization is impacted by a major security incident. The incident has been contained and a forensic investigation is in
process. What is the most important aspect while collecting the evidence for forensic analysis?
4. What should the first step be while taking a forensic image of a hard drive?
7. A security manager has discovered that original data was inadvertently altered while collecting forensic evidence. What should
have been the first action in a forensic investigation?
8. What is the most important aspect of collecting and preserving admissible evidence?
B. Chain of custody
C. Segregation of duties
D. Time synchronization
9. What is the most important aspect when evidence is to be used in legal proceedings?
10. What should the security manager's first step in the aftermath of a distributed denial of service attack be?
A. To perform a penetration test to determine system vulnerability
A. The suspected hard drive was not removed in the presence of a law enforcement agency
B. The suspected hard drive was kept in a tape library for further analysis
C. The suspected hard drive was stored in a safe under dual control
D. The suspected hard drive was handed over to authorized independent investigators
12. A rootkit was installed on a server and the organization's critical data was stolen. What should the security manager's next step be
to ensure the admissibility of evidence in legal proceedings?
13. What is the most important aspect when evidence is to be used in legal proceedings?
14. What is the best source to analyze a compromised server for forensic investigation?
17. Which among the following should be the priority during a forensic analysis of electronic information?
18. When handling an incident, what should the most important aspect be during interaction with the media?
19. What is the main reason for not disconnecting power when analyzing the suspicious behavior of a computer?
20. Data recovery from a specific file will be most challenging when:
A well-defined incident management process will yield far better results in reducing business
disruptions compared to unorganized incident management processes.
The organization will have robust detection techniques and processes for the timely identification of incidents.
The organization will have well-defined criteria for defining the severity of incidents and an appropriate escalation process.
The availability of experienced and well-trained staff for effective handling of incidents
The organization will have proactive processes to manage the risk of incidents in a cost-effective manner.
The organization will have well-defined metrics to monitor its response capabilities and incident management performance.
The organization will have well-defined communication channels for timely communication of incidents to different stakeholders
and external parties.
The organization will have a well-defined process to analyze the root cause of incidents and address any gaps to prevent
reoccurrence.
To manage security incidents, an information security manager should have a good conceptual
understanding of the incident management procedures. They should also have a thorough
understanding of the business continuity and disaster recovery processes. This will ensure that the
incident management plan is integrated with the business continuity and disaster recovery plans.
The SIEM system has the capability to detect attacks by signature- or behavior-based (heuristics)
analysis. It also has the capability for granular assessment. SIEM can highlight developing trends and
can alert the risk practitioner for an immediate response. SIEM is the most effective method to
determine aggregate risk from different sources. It is also the best method to counter advanced
persistent threats.
Thus, a SIEM can provide information on policy compliance as well as incident monitoring and other
capabilities, if properly deployed, configured, and tuned.
A properly installed SIEM will help to automate the incident management process and lead to
considerable cost savings by minimizing the impact of incidents. Though SIEM itself may be costly,
it helps to save on the operating costs of manual processes (in place of SIEM) and recovery costs
(with early detection of incidents).
SIEM helps to identify incidents through log analysis on the basis of predefined rules. One of the
important challenges of implementing SIEM is reducing the number of false positive alerts. The most
effective way to reduce the number of false positive alerts is to develop business use cases. A
business use case documents the scenario to be detected, the log sources involved, the detection rule,
and the expected response, so that rules are tuned to the organization's environment rather than to
generic signatures. For example, a use case might define how the SIEM analyzes authentication logs
from different systems to detect a known threat, such as concurrent logins on a shared administrative
account.
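One such use case implemented as a rule, as an added example that is not code from this guide. It ties together two points from this chapter: events from different systems are first normalized to a common clock (the reason log correlation depends on a time server), and a shared administrative account is then checked for concurrent logins from different source addresses (the detection the earlier question on shared account breaches points to). The hostnames, account names, addresses, log formats and clock offset are all constructed assumptions.

```python
"""A SIEM-style use-case rule over constructed log lines: concurrent logins
on a shared administrative account from two different source addresses.
Added example; every host, account, address and offset below is assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed events from two log sources. app01's clock runs three minutes
# fast because it is not synchronized; vpn01 keeps correct UTC.
SAMPLE_LOGS = """\
2024-05-01T10:03:10 app01 sshd: Accepted password for admin from 10.0.5.20
2024-05-01T10:00:40 vpn01 auth: user=admin src=203.0.113.7 result=success
2024-05-01T10:05:00 app01 sshd: Accepted password for alice from 10.0.5.21
2024-05-01T10:06:00 vpn01 auth: user=alice src=10.0.5.21 result=success
"""

# Measured offset of each source's clock from true UTC (assumed values). With
# every source synchronized to a time server this table would be all zeros.
CLOCK_OFFSET = {"app01": timedelta(minutes=-3), "vpn01": timedelta(0)}

SHARED_ADMIN_ACCOUNTS = {"admin"}
WINDOW = timedelta(seconds=60)   # two logins closer than this count as concurrent

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
SSHD = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
VPN = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=success")


def parse(line, offsets=CLOCK_OFFSET):
    """Normalize one raw line into {ts, host, user, src} in true UTC, or
    return None for lines that are not successful logins."""
    m = LINE.match(line)
    if not m:
        return None
    login = SSHD.search(m["msg"]) or VPN.search(m["msg"])
    if not login:
        return None
    ts = datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc)
    ts += offsets.get(m["host"], timedelta(0))   # correct the source's clock skew
    return {"ts": ts, "host": m["host"], "user": login["user"], "src": login["src"]}


def concurrent_admin_logins(lines, window=WINDOW, offsets=CLOCK_OFFSET):
    """Use-case rule: for each shared admin account, flag any pair of logins
    within `window` that come from different source addresses. Two logins
    from the same address (one person moving between systems) are not
    alerted; that exclusion is the tuning that keeps the rule quiet on
    normal use."""
    events = sorted((e for e in (parse(raw, offsets) for raw in lines) if e),
                    key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        if user not in SHARED_ADMIN_ACCOUNTS:
            continue
        for i, first in enumerate(evs):
            for second in evs[i + 1:]:
                if second["ts"] - first["ts"] > window:
                    break                      # events are sorted; no later match
                if second["src"] != first["src"]:
                    alerts.append({
                        "user": user,
                        "gap_s": (second["ts"] - first["ts"]).total_seconds(),
                        "sources": (first["host"], second["host"]),
                        "addresses": (first["src"], second["src"]),
                    })
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print("with clock correction:   ", concurrent_admin_logins(lines))
    print("without clock correction:", concurrent_admin_logins(lines, offsets={}))
```

Run as written, the rule raises one alert: the two admin logins are 30 seconds apart once app01's clock is corrected. Passing offsets={} leaves the timestamps as logged, the same two events appear 150 seconds apart, and the alert is lost, which is the practical reason the exam answer for log correlation is a time server.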
Question: What is the most important characteristic of SIEM?
Possible Answer: To promote compliance with security policies (SIEM can provide information on policy compliance and has
incident monitoring and other capabilities)
2. What is the most effective utilization of security information and event management (SIEM)?
Defined KPIs and KGIs should be agreed upon by relevant stakeholders and approved by senior
management.
The above metrics should help the organization achieve its defined objectives in an efficient and cost-
effective manner. Defined KPIs and KGIs should be agreed upon by the relevant stakeholder and
approved by senior management.
Reporting to Senior Management
Key metrics should be reported to senior management at frequent intervals. It helps senior
management to understand the capability of incident management processes and to identify any gaps.
The current state can also be determined by self-assessment. This can be done by comparing the current processes with some
standard criteria. In this method, the views of other stakeholders are ignored, and this can be a major challenge.
The current state can be determined by external assessment or audit. This is the most comprehensive
method as it involves interviews, simulations, benchmarking with best practices, and other aspects.
This approach is generally used by organizations that already have adequate incident response
capabilities but want to further improve their processes.
It is also important for security managers to have a thorough understanding of the history of
incidents.
History of Incidents
A history of past incidents can provide valuable information about trends, business impact, and
incident response capabilities. This information can be used to prepare a strategy for dealing with
future incidents.
Threat: Examples of threats include natural disasters, fires, hackers, and other unknown forces.
Vulnerability: Examples of vulnerabilities include the lack of an anti-virus, weak coding, and poor access control.
The following sections will explain the responsibility of the security manager in threat and
vulnerability assessments.
Threats
The key responsibility of a security manager is to ensure that various types of threats applicable to
their organization are identified and documented. Threats that are not identified are more dangerous
than threats that are well documented.
Human-made threats such as corporate sabotage, disgruntled employees, political instability, and so on.
Sources of threat identification include past incidents, audit reports, media reports, information from
national computer emergency response teams (CERTs), data from security vendors, and
communication from internal groups. Risk scenarios are used at the time of threat and vulnerability
assessment to identify various events and their likelihood and impact.
Vulnerabilities
Vulnerabilities are weaknesses in security. The existence of vulnerabilities is a potential risk. It
represents a lack of adequate controls. A security manager should conduct regular vulnerability
assessments and bridge gaps before they are found by an adversary and exploited. Vulnerability
management is a proactive way to ensure that incidents are prevented.
Summary
In this chapter, you explored the practical aspects of information security incident management. This
chapter will help CISM candidates understand the different types of incident management tools and
techniques. You will be able to execute a response and recovery plan in a more effective manner. This
chapter will also help you design incident management metrics and indicators and determine the
current state of the organization's incident response capability. You also learned how, as a CISM
candidate, you can implement different post-incident activities and investigations.
This book has discussed all four domains of the CISM Review Manual by ISACA and will have
helped CISM aspirants gain a sufficient theoretical, as well as practical, understanding of those
domains. Aspirants should now feel prepared to pass the CISM exam.
Revision Questions
1. A security manager discovered an attempted SQL injection attack on an application. However, they could not determine whether
it was successful. Who is in the best position to assess the possible impact of the attack?
2. What is the most important advantage of implementing a systematic and methodological incident management program?
3. Once a virus incident has been resolved, the security manager will be most interested in knowing the:
4. What is the objective of reviewing the observations of staff involved in a disaster recovery test?
6. A security manager has taken a bit-by-bit copy image of a suspicious hard drive. What should their immediate next step be?
7. A security manager has identified a vulnerability in a server. Their next step should be:
A. Reporting
B. Eradication
C. Analysis
D. Containment
8. The best way to resolve operation issues with a third-party service provider is to include which of the following in a service-level
agreement?
A. A penalty clause
B. An audit requirement
9. With respect to a recent incident, an investigation revealed the involvement of an internal employee. The security team has
confiscated their computer. What should the next step be?
10. What is the most important aspect to ensure the admissibility of evidence in legal proceedings?
D. Traceability of control
11. The main objective of documenting the history of a security incident is:
12. The root cause of a security incident indicates that one important process was not monitored. As a result, a monitoring process
has been started. Monitoring will best help in:
C. Improvements in identification
13. With respect to a forensic investigation, data is to be copied from the original drive for further analysis. Which of the following
must be ensured?
C. A hash value should be generated from both the original as well as the copy
Explanation: The involvement of a steering committee in the discussion and approval of security
projects indicates that the management is committed to security governance. The other options are
not as significant.
Q. 2
Explanation: The information security governance model is primarily impacted by the complexity of
the organizational structure. The organizational structure includes the organization's objectives,
vision and mission, hierarchy, leadership structure, different function units, and different product
lines. The other options are not as significant.
Q. 3
Explanation: Security policies indicate the intent of the management. The security architecture and
various procedures are designed based on these policies.
Q. 4
Q. 5
Explanation: One of the responsibilities of a steering committee is to discuss, approve, and prioritize
information security projects and to ensure that they are aligned with the goals and objectives of the
enterprise.
Q. 6
Answer: C. To define the security strategy
Explanation: The first step is to adopt a security strategy. The next step is to develop security
policies based on this strategy. The final step is to develop security procedures and guidelines based
on the security policies.
Q.7
Q.8
Explanation: An effective and efficient risk management program is a key element of effective
governance. A structured risk management program indicates that senior management is aware of the
organization's risk appetite and their willingness to address unacceptable risks. The other options are
not as significant.
Q.9
Explanation: In a top-down approach, policies, procedures, and goals are set by senior management,
and as a result, the policies and procedures are directly aligned with the business objectives. A
bottom-up approach may not directly address management priorities. Initiatives by the IT department
and a compliance-oriented approach are not as significant.
Q.10
Explanation: The prime responsibility of the information security manager is to develop the security
strategy based on the business objectives in coordination with the business process owner. The
review and approval of the security strategy is the responsibility of the steering committee and senior
management. The security manager is not directly required to train end users, and budget allocation is
the responsibility of senior management.
Q.11
Q.12
Explanation: The information security governance program will not be effective if it is not able to
address the requirements of the business units. The objective of the business units can be best
understood by reviewing their processes and functions. Option A is not correct as security
requirements should be aligned with the business and not the other way around. Options C and D are
not as significant.
Q.13
Explanation: The primary objective of security governance is to ensure that the business objectives
are achieved. Unless the information security strategy is aligned with the business objectives, the
other options will not offer any value.
Q. 14
Explanation: Governance is the process of having oversight to ensure the availability of effective
and efficient processes. A lack of procedures, training, and standards is a sign of ineffective
governance.
Q. 15
Explanation: A framework is a structure intended to support processes and methods. It provides the
outline and basic structure rather than detailed processes and methods. Frameworks are generally not
intended to provide programming inputs.
Q. 16
Explanation: The main objective of integrating the security aspect in business processes is to address
operational risks. The other options may be considered secondary benefits.
Q.17
Answer: A. A well-defined organizational structure with necessary resources and
defined responsibilities
Explanation: The most important attribute is a well-defined organizational structure that minimizes
any conflicts of interest. This ensures better governance. Options B and D are important aspects, but
option A is more critical. Option C is not correct, as the security strategy supports the business
objectives and not the other way around.
Q. 18
Answer: B. A framework
Explanation: A framework is the most suitable method for developing an information security
program as it is more flexible in adoption. Some common frameworks include ISO 27001 and
COBIT. Standards, processes, and models are not as flexible as frameworks.
Explanation: The culture of the organization influences the risk appetite, which in turn has a
significant influence on the design and implementation of the information security program. The
business objective is important to prioritize the risk treatment. However, the culture of the
organization will have a major influence on the design and implementation of the security program.
A pro-risk culture will have a different implementation approach compared to a risk-averse culture.
Q. 2
Explanation: The most important consideration when developing a control policy is to protect
human life. For example, carbon dioxide fire extinguishers should be restricted in areas where
employees are working. Also, electric door access should be set to fail open in case of fire. The other
options are secondary factors.
Q. 3
Explanation: Cultural differences and their impact on data security are generally not considered
during security reviews. Different cultures have different perspectives on information that is
considered sensitive and how it should be handled. This cultural practice may not be consistent with
the organization's legal requirements.
Q. 4
Explanation: The culture of an organization determines its risk appetite. Pro-risk organizations tend
to have a higher risk appetite compared to risk-averse organizations. The other options do not directly
impact the risk appetite.
Q. 5
Explanation: The prime objective of a security strategy is to facilitate and support organizational
goals. The other options are secondary factors.
Q. 6
Explanation: Culture plays an important role when designing security policies. Different countries
have different cultures, and this impacts their local legal requirements. The organization needs to
ensure that the local laws of all the countries are appropriately addressed. The other options are not as
significant as the local culture.
Q. 7
Explanation: The risk appetite is the level of willingness of an organization to take risks. It sets the
boundary of acceptable risk, which also determines the acceptable limit for the organizational
standards. The other options do not directly impact the acceptable level of organizational standards.
Q. 8
Explanation: The first step for the information security manager is to determine a strategy to protect
the organization from the risks of BYOD. Option A is not feasible, as the role of the security manager
is to facilitate business processes by mitigating the risk. Options B and C will be based on the
security strategy.
Q. 2
Explanation: Departments affected by new regulations are most likely to raise these requirements.
They are in the best position to determine the impact of new regulatory requirements on their
processes and the best ways to address them.
Q. 3
Explanation: The desired outcomes should dictate the input requirements of an information security
program. It is the responsibility of the security manager to ensure that the program is implemented in
such a manner that it achieves the desired outcomes. The security strategy should also be based on
the desired outcomes of the information security program.
Q. 4
Explanation: The first step is to determine whether existing controls are adequate to address the new
regulation. If existing controls are adequate, the other options are not required.
Q. 5
Explanation: The prime focus of privacy law is to protect identifiable personal data. Identity theft is
one way that personal data can be misused. There are other possible consequences too. If analytics
are performed on identifiable personal data, it could impact privacy, but only if it violates regulatory
provisions.
Q. 6
Explanation: The very first step is to determine the processes and activities that may be impacted.
Based on this, the security manager can do a risk assessment and determine the level of impact. The
other options are subsequent steps.
Q. 7
Explanation: Laws and regulations should be addressed to the extent that they impact the
organization, irrespective of whether they are required for certification standards or the requirements
of policies.
Q. 8
Explanation: Privacy laws vary from country to country and organizations must comply with the
applicable laws in each country where their data is collected, processed, or stored.
Q. 9
Explanation: The board of directors has oversight responsibilities, and they should monitor
compliance. The board would not be directly involved in evaluating various options and the cost of
implementation. Furthermore, the board will not directly instruct the information security
department.
Q. 10
Explanation: A threat is something that exploits a vulnerability. Threat factors are not under the
control of the organization. Examples of threat factors are hackers, fires, earthquakes, and changes in
the regulatory environment. All the given factors are difficult to estimate and control but not as much
as the threat landscape.
Q. 11
Explanation: The first step is to analyze and identify whether the current controls are adequate. If
current practices already adhere to the regulations, then there is no need to implement further
controls.
Q. 2
Explanation: Record retention should be primarily based on two factors: business requirements and
legal requirements. If a record is required to be maintained for two years as per the business
requirements, and three years from the legal perspective, then it should be maintained for three years.
Organizations generally design their business requirements after considering the relevant laws and
regulations.
Q. 3
Explanation: From an information security perspective, such data should be analyzed under the
retention policy. It should then be determined whether the data is required to be maintained for
business or regulatory reasons. If the data is no longer required, it should be removed in a secure
manner.
Q. 4
Explanation: E-discovery is the process of identifying, collecting, and submitting electronic records
in a lawsuit or investigation. The best way to ensure the availability of electronic records is to
implement comprehensive retention policies. A retention policy will dictate the terms of storage and
backup of, and access to, the records.
Explanation: The centralization of information security management will result in greater uniformity
and easier monitoring of processes. This in turn will help achieve better adherence to security
policies. Decentralized processes are generally more expensive to manage but will be more aligned
with business unit requirements. Centralized processes will generally have a slower turnaround for
requests due to a larger gap between the information security department and the end user.
Q. 2
Explanation: Senior management members who are on the steering committee are best placed to
determine the level of acceptable risk for the organization.
Q. 3
Explanation: The principle of proportionality requires that the access be proportionate to the
criticality of the assets and access should be provided on a need-to-know basis. The principle of
accountability is important for the mapping of job descriptions; however, people with access to data
may not always be accountable. Options C and D are not directly relevant to mapping job
descriptions.
Q. 2
Answer: D. Ensuring all security measures are in accordance with the organizational policy
Explanation: The data custodian is responsible for ensuring that appropriate security measures are
implemented and are consistent with the organizational policy. The other options are not the
responsibility of the data custodian.
Q. 3
Answer: D. Refer the matter to senior management along with any necessary recommendations
Explanation: The best option for a security manager in this case is to highlight the issue to senior
management. Senior management will be in the best position to make a decision after considering
business and security aspects.
Q. 4
Explanation: Having clearly set-out roles and responsibilities ensures better accountability, as
individuals are aware of their key performance areas and expected outcomes. The other options may
be indirect benefits, but the only direct benefit is better accountability.
Q. 5
Explanation: The primary role of an information security manager is to define the structure of data
classification. They need to ensure that the data classification policy is consistent with the
organization's risk appetite. The mapping of data as per the classification is the responsibility of the
data owner. Providing security is the responsibility of the data custodian. Confirming proper
classification may be the role of the information security manager or the information security auditor.
Q. 6
Answer: D. That security projects are reviewed and approved by the data center manager
Explanation: Security projects should be approved by the steering committee (which consists of
senior management). The data center manager may not be in a position to ensure the alignment of
security projects with the overall enterprise objectives. This will have an adverse impact on security
governance. The approval of the security policy by senior management is seen as an indicator of
good governance. Vacant positions are not a major concern. The steering committee meeting on a
quarterly basis is also not an issue.
Q. 7
Explanation: The main objective of the security manager having a thorough understanding of the
business operations is to support the organization's objectives. The other options are specific actions
to support the business objectives.
Q. 8
Explanation: The best approach is to develop communication channels that will help in the timely
reporting of events as well as disseminating security information. The other options are good
practices; however, without an appropriate communication channel, the identification of events may
be delayed.
Q. 9
Explanation: The ultimate responsibility for compliance with legal and regulatory requirements is
with the board of directors. The board delegates this responsibility to senior management. The CISO,
head of legal, and steering committee implement the directives of the board and senior management,
but they are not individually liable for the failure of security.
Q. 10
Explanation: The best way to gain the support of senior management is to conduct a risk assessment
and present it to management in the form of an impact analysis. A risk assessment will help
management to understand the areas of concern. The other options may be considered secondary
factors.
Q. 11
Explanation: Security projects should be assessed and prioritized based on their impact on the
organization. This will ensure optimum utilization of resources. The other options are secondary
factors.
Q. 12
Explanation: The security administrators are custodians of data, and they need to ensure that data is
in safe custody. They are responsible for enforcing and implementing security measures in
accordance with the information security policy. The data owner and process owner are responsible
for classifying the data and approving access rights. However, they do not enforce and implement
security controls. The steering committee is not responsible for enforcement.
Q. 13
Explanation: The data owner has responsibility for the classification of their data in accordance with
the organization's data classification policy. The data administrator is required to implement security
controls as per the security policy. The security manager and system auditor oversee the data
classification and handling process to ensure conformance to the policy.
Q. 14
Answer: B. Business requirements
Explanation: The primary basis for defining the data retention period is the business requirements as
these will already consider any legal and regulatory aspects. If data is not retained as per the business
needs, it may have a negative impact on the business objectives.
Q. 15
Answer: B. The local security program should comply with the data privacy policy of the location
where the data is collected.
Explanation: Data privacy laws are country specific. It is very important to ensure adherence to local
laws, and the organization's data privacy policy cannot supersede the local laws. The organization's
privacy policy may not be able to address all the local laws and requirements.
Q. 16
Explanation: The board of directors has the ultimate accountability for information security. The
other options, the security administrators, steering committee, and security managers, are responsible
for implementing, enforcing, and monitoring security controls as per the directive of the board.
Q. 17
Explanation: The COO is the head of operational activities in the organization. Operational
processes are reviewed and approved by the COO. The COO has the most thorough knowledge of the
business operations and objectives and is most likely the sponsor for the implementation of security
projects as they have a strong influence across the organization. Sponsoring means supporting the
project financially or through products or services. Although the CISO should provide security
advice and recommendations, the sponsor should be the COO for effective ground-level
implementation.
Q. 18
Explanation: The business owner needs to ensure that their data is appropriately protected, and
access is provided on a need-to-know basis only. The security officer, data protection officer, and
compliance officer can advise on security aspects, but they do not have final responsibility.
Q. 19
Explanation: The maturity model requires continuous improvement in the governance framework. It
requires continuous evaluation, monitoring, and improvement to move toward the desired state from
the current state.
Q. 2
Explanation: A defined maturity model will be the best indicator to determine the level of security
governance. The maturity model indicates the maturity of the governance processes on a scale of 0 to
5, where Level 0 indicates incomplete processes and Level 5 indicates optimized processes.
Q. 3
Explanation: A defined maturity model is the best indicator to determine the level of security
governance. A maturity model indicates the maturity of the governance processes on a scale of 0 to 5,
where Level 0 indicates incomplete processes and Level 5 indicates optimized processes.
Explanation: Based on effective metrics, organizations evaluate and measure the achievements and
performance of various processes and controls. Effective metrics are primarily used for security-related decision-making. The other options are secondary factors.
Q. 2
Answer: B. Trends in incident occurrence
Explanation: Trends in incidents will be more valuable from a strategic perspective as they will
indicate whether a security program is heading in the right direction or not. The other options are
more of an operational metric.
Q. 3
Explanation: The number of unplanned business interruptions is the best indication to evaluate
organizational risk by determining how much business may be lost due to interruptions. Annual loss
expectancy is based on projections and does not indicate actual value. Security incidents and open
vulnerabilities do not reveal impact.
Q. 4
Explanation: Metrics are measurements used to evaluate and monitor a particular process. Metrics
are most effective when they are meaningful to the person receiving the information. The process
owner should be able to take appropriate action based on the metrics. Metrics can be either
quantifiable or qualitative based on the nature of the process. Options A and D are important, but
more significant is the ability of metrics to convey meaning.
Q. 5
Q. 6
Explanation: The control objectives are developed to achieve an acceptable level of risk. The
strategy is effective if the control objectives are met. The other options may be part of the control
objectives, but the effectiveness of the security strategy is best measured by evaluating the extent to
which the overall control objectives are met.
Q. 7
Revision Questions
Q. 1
Explanation: In the absence of access privilege reviews, there is the risk that a single staff member
can acquire excess operational capabilities. This will defeat the objective of SoD. In order to maintain
the effectiveness of SoD, it is important to review access privileges more frequently and more
specifically when an operator's role changes.
Q. 2
Explanation: The prime responsibility of an information security manager is to evaluate and manage
the information security risk by involving risk owners.
Implementing the security configuration is the responsibility of the asset owner. Disaster recovery
testing should be conducted by the process owner, and the closing of vulnerabilities is the
responsibility of the asset owner.
Q. 3
Explanation: Process performance and capabilities provide a detailed perspective of the maturity
levels, just like the maturity model. The other options will not help to determine the level of maturity
of the process. The Monte Carlo method is a risk assessment method that uses simulations.
Vulnerability assessments are used to identify the vulnerability and risk analysis is used to determine
the current state of risk. They will not help to determine the maturity of the process.
Q. 4
Explanation: The information owner is ultimately responsible for the protection of their data. The
information owner is the best person to know the criticality of the data and who should have access to
the data. Therefore, information system access should be primarily authorized by the information
owner.
Q. 5
Explanation: The DBA will have access to logs if they are stored in the database server. The
administrator can modify or delete the log entries, and this is a major cause of concern. The DBA
should not have access to logs related to the database. Backing up the logs will address the issue of
server crashes. Log capturing may not always impact transaction processing. If critical information is
not captured in logs, it is a design failure and has nothing to do with log entries stored in the
production database.
Q. 6
Explanation: Appointing a CISO indicates that the organization wants to have a clear line of
responsibility for information security. Information security is one of the focus areas of the
organization. Having a CISO does not impact the role of senior management. Even if the CISO is
appointed, accountability lies with the board of directors. The CISO is generally not accountable for
technology projects.
Q. 7
Answer: A. To address the security gaps that exist between assurance functions
Explanation: Whenever there are shared responsibilities for information security, gaps tend to exist.
Integrating the roles and responsibilities is the best way to address these gaps and ensure consistent
risk management. The other options are secondary factors.
Q. 8
Explanation: In the absence of SoD, the best compensatory control is to ensure that only approved
changes are made by the employee. This verification can either be done for all cases or on a sample
basis depending on the risk involved. The review of logs by the manager may not be meaningful as
an employee can manipulate the logs and hide activities from the supervisor. Penetration tests and
risk assessments may not be able to detect unauthorized activities.
Q. 9
Explanation: The information owner is required to determine the level of classification for their
respective data. Based on its classification, the system administrator implements the required security
measures and data backups. The information owner may delegate the process of classification to
some other responsible employee but not to the system administrator.
Q. 10
Explanation: Senior management has the final responsibility for the effectiveness of the
organization's security measures. Although the authority to implement, monitor, and evaluate the
security measures is delegated to the security administrator, CISO, and information security auditor,
the responsibility cannot be delegated. The final responsibility rests with senior management.
Q. 11
Explanation: If accountability is properly assigned and made known to the individuals, individuals
will be more proactive and concerned about their responsibilities, and this will ensure that duties are
properly carried out.
Q. 12
Explanation: Every employee is required to comply with security policies and standards, as
applicable to their performance areas. Though the CISO and senior management monitor the level of
compliance, all organizational units should adhere to policies and standards.
Q. 13
Explanation: A maturity model such as the CMM can be used to determine the maturity level of the
risk management process from Level 0 (that is, initial) to Level 5 (that is, optimized). The
organization can know under which level the process falls and can gradually move toward higher
levels, thereby improving their risk management process. The other options are secondary factors.
Q. 14
Explanation: It is the responsibility of all personnel to adhere to the security requirements of the
organization.
Q. 15
Q. 16
Explanation: The most effective method to protect the confidentiality of information assets is to
follow the principle of least privilege. The principle of least privilege ensures that access is provided
only on a need-to-know basis, and it should be restricted for all other users. The other options are
good measures; however, in the absence of the principle of least privilege, they may not be effective.
Q. 17
Explanation: The first step for an information security manager is to understand and evaluate the
current business strategy. This is essential to align the information security plan with the business
strategy. The other options are subsequent steps.
Q. 2
Explanation: A strategy plan should include the desired level of information security. This desired
state will impact options A and B. A mission statement is a high-level statement that may not indicate
the detailed desired state for information security.
Q. 3
Explanation: The primary objective of any security strategy is to support the business objective.
Thus, it should be aligned with business objectives. Other options are secondary objectives.
Q. 4
Explanation: A security strategy consists of the desired security objectives and the supporting
processes, methods, and relevant tools and techniques. The other options are not as significant.
Q. 5
Explanation: The best way to tackle such a situation is to establish a local version of the policy that
is aligned with local laws and regulations. The other options are not sensible.
Q. 6
Q. 7
Explanation: Generally, the CISO is responsible for enforcing the information security policy. The
steering committee monitors the enforcement process but is not responsible for enforcement. The
steering committee ensures that the security policy is aligned with business objectives. The chief
technical officer and compliance officer may to some extent be involved in the enforcement of policy
but are not directly responsible for it.
Q. 8
Explanation: The CISO is primarily responsible for designing and developing the organization's
information security strategy. The other functions are normally carried out by IT and operational
staff.
Q. 9
Explanation: The timeline for an information security strategic plan should be designed and aligned
with the organization's business strategy. The other options should be secondary considerations. The
business strategy and requirements should be the primary consideration.
Q. 10
Explanation: Emphasizing the organizational risk and its impact on the business objectives is the
best way to gain commitment and support from senior management. The other options are secondary
factors.
Q. 11
Explanation: The primary objective of a security strategy is to manage and reduce any risk that
could impact the business objectives. It is not feasible to mitigate risks to zero. The transfer of risks
to insurers and developing a risk-aware culture may also be aspects of managing risk.
Q. 12
Answer: A. A conflict of security controls with business requirements
Explanation: This is an example of a conflict between security controls and business requirements.
In this case, the security controls are not supporting the business needs. Controls should not restrict
employees' ability to perform their jobs.
Q. 13
Explanation: The first step should be to define the scope of the strategy. Scope means determining
the extent of functions/units/departments to be covered in the strategy. The other options are
subsequent steps to be performed.
Q. 14
Explanation: The most important objective of an information security strategy is that it should
support the objectives of the organization. The other options are secondary objectives.
Q. 15
Explanation: Defined objectives are the most important element. Without objectives, a strategy to
achieve the objectives cannot be developed. Policies are developed after the strategy. Having a
defined time frame and framework are not as important.
Q. 16
Answer: D. The information security strategy may not be aligned with business requirements.
Explanation: The security steering committee monitors and controls the security strategy. In the
absence of inputs from user management (the user department), the developed strategy may not
support the business requirements. Other options are not as significant as the strategy not supporting
the business requirements. User training and budget allocation are not normally under the purview of
the steering committee.
Q. 17
Answer: C. To review the risk assessment with senior management for final consideration
Explanation: Senior management will be in the best position to evaluate the impact of the risk on
business requirements. They will be able to balance security and business processes. The other
options would not address the issue.
Q. 18
Explanation: Direct traceability is the best way to ensure that business and security objectives are
connected and that security is adding value to the business objectives. The other options are not as
good as traceable connections.
Q. 19
Explanation: The overall accountability resides with senior management, though they may delegate
this responsibility to different functions. The security administrator and system administrator support
the security objectives of senior management.
Q. 20
Explanation: Understanding key business objectives is the most critical factor in aligning any
security strategy with the business strategy, as the security strategy should support business
objectives. The other options are secondary factors.
Explanation: The IT BSC considers factors such as customer satisfaction, innovation capacity, and
internal processes. Financial performance is not part of an IT balanced scorecard.
Q. 2
Explanation: For measuring the performance of IT services, it is required to define the key
performance areas along with benchmarks of the expected performance level. The other choices are
the objectives of an IT BSC.
Q. 3
Explanation: A major risk can be the absence of IT alignment with business objectives. A steering
committee should exist to ensure that IT strategies support the organization's goals.
Q. 4
Answer: C. To evaluate and determine the correlation between the solution and the business
objectives
Explanation: The first step should be to assess and determine that the proposed solution is aligned
with the business objectives and requirements. Once this is established, the other options can follow.
Q. 2
Explanation: The most important objective of an information security program is to reduce any risk
and its impact on business objectives. The other options are secondary factors.
Q. 3
Q. 4
Explanation: A threat by itself cannot harm the organization unless it finds a vulnerability in the
system to exploit. Detective controls will not be able to prevent the event. The absence of a system
audit is an unlikely explanation for an increase in the number of security events.
Q. 5
Answer: A. To protect information assets in accordance with the business strategy and objectives
Explanation: The primary objective of an information security program is to align the security
implementation with an organization's business strategy and objectives. An information security
program is not limited to only operational risks. It should also consider the confidentiality, integrity,
and availability of assets. A security policy is developed as a part of a security program to achieve the
protection of information assets.
Q. 6
Explanation: Structured and resilient processes, in addition to technical controls, are the most effective
way to manage and address the risk. The right combination of management, administrative, and
technical controls is the most effective and efficient way to address the risk.
Q. 7
Explanation: The integration of security governance and overall governance is the best way to
ensure that key business processes are well protected. The other options are actions that may arise
due to close integration between business and security processes.
Q. 8
Explanation: The first step is to justify the need for the program by conducting a cost-benefit
analysis. Once the requirement of the program is established, the other options may be acted upon.
Explanation: Security architecture should primarily be aligned with business goals and objectives.
The other options may be secondary considerations.
Q. 2
Explanation: The primary step of the security manager is to understand and evaluate the IT
architecture and portfolio. Once they have a fair idea about the IT architecture, they can determine
the security strategy. The other options are to be followed once the security strategy is defined.
Q. 2
Explanation: GRC is an effort to synchronize and align the assurance activities across the
organization for greater efficiency and effectiveness. The other options can be considered as
secondary objectives.
Q. 3
Explanation: Though GRC programs can be applied in any function of the organization, they primarily
focus on financial, IT, and legal areas. Financial GRC focuses on effective risk management and
compliance for finance processes. IT GRC focuses on IT processes. Legal GRC focuses on
enterprise-level regulatory compliance. GRC is mainly focused on IT, finance, and legal processes to
ensure that regulatory requirements are adhered to and that risk is appropriately addressed.
Explanation: Senior management is more interested in the benefits derived from the budget, so a
cost-benefit analysis is the most important factor. The other options are also important considerations
while evaluating and approving the budget.
Q. 2
Explanation: A policy statement contains the intent and direction of the management. Senior
management should approve policy statements and provide a sufficient budget to achieve the
organization's information security objectives. Management may be involved in evaluating products,
risk assessments, and mandating information security audits, but their primary role is to provide
direction, oversight, and governance.
Q. 3
Q. 4
Explanation: Senior management is more concerned about the achievement of business objectives
and will be keen to address all the risks impacting key business objectives. The other options will not
be as effective.
Q. 5
Explanation: A business case contains the need and justification for the project. It will be the most
important document to gain support from senior management. The other options will not be as
effective.
Q. 6
Answer: C. To conduct periodic reviews of alignment between security and business goals
Explanation: The most effective way is to ensure that the security program continues to be aligned
with and supports business objectives. This is critical for continued management support. Other
options will not have as much of an effect on management.
Q. 7
Explanation: The most effective way to justify the budget is to consider a cost-benefit analysis. The
other options may be considered while conducting a cost-benefit analysis.
Q. 8
Q. 9
Explanation: The objective of security investment is to increase the business value by addressing
instances of business disruptions, reduction in losses, and improvements in productivity. The
protection of information assets is one of the elements of enhanced business value.
Q. 10
Explanation: The steering committee should be sponsored by an authority who is well versed in the
business objectives and strategy. The chief operating officer has the most knowledge of business
operations and objectives and is in the best position to align the security strategy with business
objectives.
Q. 11
Explanation: Any investment should be able to provide value to the business. The primary driver for
investment in an information security project is a value analysis and having a sound business case.
The other options are secondary factors.
Q. 12
Explanation: Support and commitment from senior management is the most important prerequisite.
Without that, the other options may not add value to an information security program.
Q. 13
Explanation: The steering committee consists of senior officials from different departments. They
are well informed about business objectives and strategy. They can ensure that security governance is
aligned with the business strategy and objectives.
Q. 14
Q. 15
Explanation: A lack of high-level sponsorship means a lack of commitment and support from senior
management. Support from senior management is a prerequisite for effective security governance.
With high-level sponsorship, budget constraints and business priorities can be set right.
Q. 16
Explanation: Discussions with key business stakeholders will provide an accurate picture of whether
security programs are aligned with and support business objectives. Incident trends will help you
understand the effectiveness of security programs, but they are not directly about alignment. A
business case is prepared at the time of initiation of the project, and a discussion with business owners
will help you understand whether the alignment indicated in the business case is being adhered to.
Q. 17
Explanation: Reviewing the business balanced scorecard will help to determine the alignment of the
security goals with the business goals. The business scorecard contains important metrics from the
business perspective. The other options do not address the alignment directly.
Q. 18
Q. 19
Explanation: A survey of management is the best way to determine whether the security program
supports the business objectives. Achieving strategic alignment means that the business process
owners and managers believe that the organization's information security is effectively supporting
their goals. If business management is not confident in the security programs, the information
security manager should redesign the process to provide value to the business. The other options do
not directly indicate strategic alignment.
Q. 20
Explanation: Alignment ensures that assurance functions are integrated to maximize cost-effectiveness.
A lack of alignment can result in potential duplicate or contradictory controls. These
would negatively impact cost-effectiveness. The others are secondary factors.
Q. 21
Explanation: The best method to address the concern is to first discuss it with management and try to
understand the area of concern. Based on that, the program can be redesigned to be more meaningful
for the management.
Explanation: The objective of a business case is to justify the implementation of any new project.
Justifications can be either the results of a gap analysis linked to a legal requirement or expected
annual loss, or any other reason.
Q. 2
Explanation: The first step in developing a business case is to define the need for and justification of
the project. Without defining the need for the new project, the other options cannot be evaluated and
determined.
Q. 3
Explanation: A business case contains the need and justification for the project. It will be the most
important document to gain support from senior management. The other options will not be as
effective.
Q. 4
Explanation: A technology should provide benefits by mitigating risk and at the same time it should
be cost-effective. A technology should be effective as well as efficient. If the technology is not
cost-effective, then it will not be meaningful even if it mitigates the risk.
Q. 5
Explanation: Business requirements are the most important aspect for an information security
manager, followed by privacy and other regulatory requirements. Regulatory requirements and
privacy requirements are more important for a security manager compared to technical requirements.
Q. 6
Explanation: A business case contains the need and justification for the proposed project. It helps to
illustrate the costs and benefits of the project. The other options can be considered as part of the
information required in the business case.
Q. 7
Explanation: It is very important and challenging to include the value and benefit in a business case
in a manner that convinces senior management. Technical aspects are generally not covered in the
business case. Risk scenarios and comparative data can be used to demonstrate value and benefit.
Q. 8
Explanation: All options are important, but a significant aspect is developing and presenting a
business case to demonstrate that the security initiative is aligned to the organization's goals and that
it provides value to the organization. A business case includes all the given options.
Q. 9
Explanation: The first step in the development of a business case is to understand the issues that
need to be addressed. Without clear requirements being defined, the other options may not add value.
Q. 10
Answer: D. Feasibility and value proposition
Explanation: The most important basis for developing a business case is the feasibility and value
proposition. It helps to determine whether a project should be implemented. The feasibility and value
proposition indicates whether the project will be able to address risks with an effective ROI and
whether it will help to achieve the organizational objectives.
Q. 11
Explanation: A business case is the best way to present the link between a new security project and
an organization's business objective. Senior management is keen to protect and achieve the business
objectives. If they see value in the project in terms of business support, there will not be any
reluctance. Risk scenarios should be considered as a part of the business case. Other options will not
be effective to address this concern.
Q. 12
Explanation: A cost-benefit analysis will be the best way to make a decision. It indicates the cost of
implementing the control and the expected benefit from the investment. The cost of a control should
not exceed the benefit to be derived from it. The risk assessment is a step prior to the evaluation and
implementation of a control. In security parlance, ROI is difficult to calculate as returns are in the
form of safety and security.
Q. 13
Explanation: A business case is the justification for the implementation of the program. It contains
the rationale for making an investment and indicates the cost of the project and its expected benefits.
The other options by themselves are not sufficient to justify the information security program. User
acceptance may not always be reliable for a security program, and security and performance often
clash.
Q. 14
Explanation: A business case is the justification for the implementation of a program. It contains the
rationale for making an investment and indicates the cost of the project and its expected benefits. The
other options by themselves are not sufficient to justify the information security budget.
Q. 15
Explanation: A business case is the justification for the implementation of the program. It contains
the rationale for making an investment and indicates the cost of the project and its expected benefits.
The other options by themselves are not sufficient to justify the information security budget.
Revision Questions
Q. 1
Explanation: The most important factor is the effectiveness of the information security program in
addressing the risk impacting the business objectives. The other options are secondary factors. Even a
considerable budget will be meaningless if a security program is not effective in mitigating risks.
Q. 2
Explanation: The objective of a security strategy can be best described as what is required to achieve
the desired state. It is not restricted to only key processes or loss expectations.
Q. 3
Explanation: The risk management strategy should support and be aligned with the business
objectives and risk appetite of the organization. The other options are not as significant.
Q. 4
Answer: B. The perspective of the whole being greater than the sum of its individual parts
Explanation: Systems thinking, in terms of information security, refers to the idea that a system is
greater than the sum of its individual parts: the security of the whole depends on how the parts interact, not only on each part in isolation.
Q. 5
Explanation: Determining the objectives of the security strategy is a must before any other steps are
taken, as all other steps are developed based on this strategy. The other factors are important but not
as significant.
Q. 6
Explanation: Trends in incident occurrence will be more valuable from a strategic perspective as
they will indicate whether a security program is headed in the right direction or not. The other
options are more like operational metrics.
Q. 7
Explanation: Value delivery means designing a process that brings the maximum benefit to the
organization. It indicates high utilization of the available resources for the benefit of the organization.
The other options by themselves do not indicate value delivery.
Q. 8
Explanation: It is very important to understand the current state of security and the desired future
state or objective. In the absence of clearly defined objectives, it will not be possible to develop a
strategy. The other options are important but not as significant.
Q. 9
Explanation: The most important objective of a security strategy is to support the business
requirements and goals. The strategy should support the business objectives. The other options are
secondary objectives.
Q. 10
Answer: A. To determine the goals of security and the plan to achieve them
Explanation: The primary objective of a security strategy is to set out the goals of the information
security program and the plan to achieve these goals. The budget is linked with security objectives. A
strategy is a high-level management intent and does not generally include implementation aspects as
mentioned in options B and C.
Q. 11
Explanation: The security strategy is the guiding force for the implementation of a security program.
The roadmap detailing security implementation, i.e. procedure, resources, timelines, and so on, is
developed based on the strategy. The other options may be input factors for designing the strategy.
However, once a strategy is developed, it is considered to be the overall guiding principle for the
implementation of a security program.
Q. 12
Explanation: A policy reflects the intent and direction of the management. Any changes in
management intent should also be appropriately addressed in the policy. Changes in regulation and
baseline should be addressed in procedures, guidelines, and standards. Changes in culture may or
may not impact the policy; however, management intent is more significant here.
Q. 13
Explanation: Residual risk is the risk that remains after controls are implemented. One of the
objectives of a security strategy is to ensure that residual risks are well within the acceptable limit.
This reassures management. The other options are not as significant as residual risk being within
acceptable levels.
Q. 14
Explanation: Control objectives are developed to achieve an acceptable level of risk. A strategy is
considered effective if control objectives are met. The other options may be a part of a control
objective, but effectiveness is best measured by evaluating the extent to which the overall control
objectives are met.
Q. 15
Explanation: The involvement of board members in information security initiatives indicates good
governance. The liability of directors can be protected if the board has exercised due care. Many laws
and regulations make the board responsible in cases of data breaches. Even a cybersecurity insurance
policy requires the board to exercise due care as a precondition for insurance coverage. The board is
not required to involve themselves in routine compliance and policy implementation processes.
Q. 16
Q. 17
Explanation: The business balanced scorecard contains many important metrics from the perspective
of the business. Reviewing these metrics will help in determining whether the security goals are in
line with the goals of the business. The other options do not directly address alignment between the
two.
Q. 18
Answer: C. To ensure that the security goals are derived from the business goals
Explanation: Security goals should be developed based on the overall business objective. The
security strategy should support the business goals and objectives.
Q. 19
Explanation: "Baseline" means the basic standard to be complied with. In a mature organization, it is
expected that the control objectives of security should be met. The other options may be part of the
control objectives, but all objectives defined should be met in a mature organization.
Q. 20
Explanation: The area of most concern is compliance with laws and regulations. Security managers
need to ensure that local laws are appropriately addressed. Local laws vary from country to country,
and sometimes they might be in conflict with the organization's global security requirements. Non-
compliance with laws and regulations may have a major impact on business processes. The other
options are not as significant.
Q. 21
Explanation: A sudden increase in the employee attrition rate may indicate some suspicious activity that
requires the attention of the security manager. For example, if a large number of developers are
leaving the organization, it may indicate that a competitor is trying to obtain the organization's
development plans. A large number of viruses and filtered packets may indicate a change in the threat
environment; however, there is no direct impact, because those events have already been controlled by the antivirus
software or the firewall. A low number of security officers does not necessarily indicate a risk.
Q. 22
Explanation: Senior management will be more interested in understanding how the security strategy
is supporting the business objectives, that is, whether the top-level goals and objectives are being
supported by security. The other options are not relevant at the strategic level.
Q. 23
Explanation: The classification of data in accordance with its value and exposure, followed by the
development of a strategy for each class, is the best process for effective data protection. This will
address the risk of under-protection as well as over-protection of data. Vulnerability assessments do
not consider threat and other factors that impact the risk treatment. Insurance policies and industry
practices may be considered based on risk and the classification of data.
Q. 24
Answer: D. Discuss the relationship between the security program and business goals.
Explanation: Senior management is keen to protect and achieve the business goals and objectives. If
they see value in the project in terms of business support, there will not be any reluctance. The other
options can be secondary factors.
Q. 25
Explanation: A security strategy is said to be successful if it supports the achievement of goals set
up by the board of directors. The other options do not directly indicate that the security program is
successful.
Q. 26
Explanation: Demonstrating support for the desired outcome is the best approach. This can be done
by demonstrating improvements in performance metrics related to business objectives. Senior
management is keen to protect and achieve the desired outcome in the form of business goals and
objectives. The other options are secondary factors.
Chapter 3: Information Risk Assessment
Explanation: To determine the risk level, two things are required, i.e., the probability (likelihood) of
the event and the impact of the event. Risk is the product of probability and impact. Once the
likelihood has been determined, the next step is to assess the magnitude of the impact. Once the level
of risk is determined, it can be compared against risk appetite and risk tolerance.
Q. 2
Explanation: To determine the level of risk, two things are necessary: the probability of an event
happening and the impact if it does take place. Risk is the product of probability (likelihood) and
impact (consequence).
Q. 3
Explanation: Reducing the exposure refers to keeping the information assets away from public
reach. For example, consider a sensitive database that was previously accessible through the public
internet but now is not. This reduction in exposure will reduce the likelihood of this database being
exploited. However, this will not automatically reduce other vulnerabilities. Also, it will not reduce
the impact if the database is compromised.
Answer: D. Management may have concerns that the stated impact is underestimated.
Explanation: The most likely reason is that management has doubts regarding the estimation of the
level of risk. In such cases, management might choose to mitigate the risk even if it is within the risk
tolerance level. It is much less likely that the board requires all risks to be mitigated. This is neither
practical nor feasible. Also, management generally accepts risks if they are within the organization's
risk appetite. There is no sense in addressing any risk that is within the risk appetite even if the
treatment is cost effective.
Explanation: Once the residual risk is determined, the next step is to validate whether it is acceptable
or not. If it is within the risk appetite, it can be accepted. Otherwise, further controls would need to be
implemented to reduce it.
Q. 2
Explanation: The acceptable level of risk is determined by the overall organizational requirements.
Organizational requirements refer to what the organization wants to achieve by taking the risk. The
other options may not directly determine the acceptable level of IT risk.
Q. 3
Answer: B. The residual risk level is less than the acceptable risk level
Explanation: Controls are said to be effective when the residual risk is less than the acceptable risk
level. Residual risk is the risk that remains after controls have been implemented. The acceptable
level of risk is the management's willingness to take a risk.
Q. 4
Explanation: Residual risk is the risk that remains after controls have been implemented; whether that
remaining risk is accepted is ultimately subject to the management's discretion. The objective of a risk management program is to ensure that
the risks applicable to the organization are brought down to an acceptable level by the
implementation of various mitigation strategies. It is not possible to completely eliminate all inherent
or control risks.
Q. 2
Explanation: A risk evaluation determines whether any risk is within the acceptable range or
whether it should be mitigated. Based on this evaluation, risk responses are decided.
Q. 3
Explanation: The most important objective of a risk response is to ensure that the impact of the risk
is within acceptable levels. Lowering the vulnerability or addressing the threat is one of the
approaches to controlling the risk's impact. The objective of a risk response is not to decrease the cost
of control.
Q. 4
Explanation: In a risk analysis, the impact and level of risk are determined (i.e., high, medium, or
low). Risk analysis helps determine the exposure and helps to plan for remediation. The prioritization
of assets, justification of the security budget, and determining the residual risks are indirect benefits
of risk analysis but not the main objectives.
Q. 5
Explanation: The prime objective of a risk management program is to minimize residual risk so that
it is within the organization's risk appetite. It is not practical and/or feasible to eliminate inherent risk.
Quantification and monitoring of risks are good indicators of a successful risk management program;
however, they are not as significant.
Q. 2
Explanation: The best approach to reduce the subjectivity of the risk assessment is to provide
frequent training to the risk assessor. It improves their accuracy. Without appropriate training, the
other options may not be effective.
Q. 3
Explanation: The main objective of a risk management program is to ensure that the risk is within a
level that is acceptable to management. If the inherent risk is already within the acceptable level,
there is no need to further reduce it. It is not practical or feasible to eliminate all risks. The ultimate
objective of establishing an effective control is to ensure that risks are within the agreed acceptable
level.
Q. 4
Explanation: For effective risk management, the most important criterion is that the program should
be supported by all the members of the organization. All staff members should be able to understand
their roles and responsibilities with respect to risk management. The other options are secondary
criteria.
Q. 5
Explanation: The objective of a risk management program is to reduce the risk to a level that is
acceptable to management. Reducing the risk to zero or eliminating all hazards is not possible.
Industry-adopted standards may not always be acceptable.
Q. 6
Explanation: Risk tolerance is the acceptable level of deviation from the risk appetite. Generally,
risk tolerance is slightly higher than risk appetite. The other options are not the main factors for
ignoring a risk.
Q. 7
Explanation: Risk management should be applied to all the processes within the organization.
Whether a risk level is acceptable can be determined only when the risk is known.
Q. 8
Explanation: The main objective of a risk management process is to ensure that any risk is identified
and mitigated in a timely manner. This can best be done by embedding the risk activities in all
business processes. The other options are not as significant.
Q. 2
Explanation: The risk environment for any organization changes constantly. The most effective risk
assessment frequency is annual or whenever there is a significant change. This helps to assess risks
within a reasonable timeframe and allows the flexibility to assess risks when there are significant
changes. Risk assessment is applicable to all processes, not just critical business processes.
Q. 3
Explanation: A change in the risk environment introduces new threats and vulnerabilities to the
organization. To address this, risk assessments should be conducted on a continuous basis. The other
options are not the prime objectives for conducting risk assessments.
Q. 4
Q. 5
Explanation: Risk assessments help determine the impact of a vulnerability, and based on the
impact, necessary remedial measures can be decided. They help to justify the selection of risk
mitigation strategies.
Q. 6
Explanation: Risk is the combination of two components: probability (likelihood) and impact. Both
components are essential for the analysis of risk. Hence, likelihood and impact are the primary
elements to be determined in a risk analysis.
Q. 7
Explanation: The business environment changes constantly and new threats emerge. Therefore, risk
assessments should be repeated at regular intervals.
Q. 8
Explanation: A risk assessment will help the organization to determine any new risks introduced by
the migration of IT operations to an offshore location. The new risks may be in the form of non-
adherence to regulations, overspending, or perhaps some operational aspects.
Q. 9
Explanation: A risk assessment helps to derive a list of all the applicable risks impacting the
organization.
Q. 10
Answer: A. Consequences
Explanation: If there are no impacts or consequences of the exploitation of a vulnerability, then there
is no risk. Risk analysis, risk evaluation, and risk treatment are primarily based on the impacts of a
risk.
Q. 11
Explanation: A material control failure indicates that the control was not designed and monitored
properly. It requires a full reassessment of the risk. The other options do not require a full reassessment.
Q. 12
Explanation: Consistency in the risk assessment process will help to determine trends over a period.
If risk assessments are not consistent, then the results of those risk assessments cannot be comparable
with the previous results.
Q. 2
Explanation: The valuation of intangible assets should be done based on the ability of the asset to
generate revenue for the organization. In the absence of availability of these assets, an organization
will lose that amount of revenue. Acquisition or replacement costs may be more or less than the
actual ability to generate revenue.
Q. 3
Explanation: The best way to estimate potential loss is to determine the value of the information or
assets. Value can be in the form of productivity loss, the impact of data leakage, or the opportunity
cost due to the unavailability of assets.
Q. 4
Answer: D. Identify significant overall risk from a single threat
Explanation: The goal of risk aggregation is to identify significant overall risk from a single threat
vector. Aggregated risk means the significant impact caused by a large number of minor
vulnerabilities. Such minor vulnerabilities do not cause any major impact individually, but when all
vulnerabilities are exploited at the same time, they can cause a huge impact.
Explanation: Risk is the product of two components: probability (likelihood) and impact. Both
components are essential for the analysis of risk. Hence, likelihood and impact are the primary
elements determined in a risk analysis.
Q. 2
Explanation: The impact due to loss of power can be more easily measurable and quantifiable
compared to the other options.
Q. 3
Explanation: The results derived from a quantitative risk analysis are measurable. Percentage
estimates are characteristics of quantitative risk analysis. The other options are generally
characteristics of a qualitative risk analysis.
Q. 4
Explanation: Value at risk (VaR) is a statistical computation, based on historical data, of the largest loss
expected over a given period at a given confidence level. Value at risk is mostly used in the financial sector to determine the risk of an investment.
However, it is also applicable to the information security domain.
Q. 5
Explanation: For qualitative risk analysis, the best way is to list down all possible threats and impact
scenarios. This will facilitate an informed risk management decision. The other options are generally
used for the quantification of risk.
Q. 6
Explanation: The objective here is to determine the level of risk acceptable to management. The best
quantification is to derive the cost of business interruption and the level of insurance taken to protect
against such losses. For example, suppose the cost of business disruption is $100,000 and insurance
coverage is up to $80,000. Then, the risk appetite of the organization can be considered as $20,000.
The other options will provide only a rough estimation of the risk appetite.
Explanation: Mitigation must consider the level of risk and the cost of the various treatment options.
High-risk vulnerabilities should be addressed first. Low-risk vulnerabilities may not need to be
addressed immediately. Resources should first be used to address high-risk vulnerabilities.
Q. 2
Answer: A. Prioritization
Q. 3
Explanation: Risk is the product of probability and impact. Frequency (i.e., probability) and impact
can help determine the actual level of risk. Both terms are equally important to determine the level of
risk. Once the risk is determined based on its frequency (i.e., probability) and impact, then high-level
risks are prioritized and addressed first. The other options are not as important.
Q. 4
Explanation: Risk is the product of probability and impact. Probability (i.e., likelihood) and impact
can help determine the actual level of risk. Both terms are equally important to determine the level of
risk. Each risk is determined based on its probability (i.e., likelihood) and impact. Then, high-level
risks are prioritized and addressed first. The other options are not as important.
Explanation: A risk register contains the details of all identified risks. The main objective of the risk
register is to facilitate a thorough review of all risks on a periodic basis. The other options are
secondary factors.
Answer: A. Feasibility
Explanation: It is always advisable to identify and address the risk at an early stage of any new
system development. The risk of a new system may challenge the feasibility of the system's
development.
Q. 2
Explanation: The most important aspect is to implement a structured process that will help to
identify the risk that may be introduced by a new system. Options A, B, and C can be made part of a
structured process.
Explanation: A security review is conducted to determine the current state of the security posture of
the organization. Vulnerability and threat analysis will help determine the level of vulnerability and
threat but without knowing the existing security arrangement, the risk cannot be determined. An
impact analysis is more effective in determining the potential impact of a loss event.
Q. 2
Answer: B. Reducing the exposure
Explanation: If a threat is already known, the best way to address it is to reduce the exposure to the
extent possible. This reduces the probability of exploitation of the risk. The other options are not as
effective as reducing the exposure itself.
Q. 3
Explanation: An attack surface refers to the various entry points from which an attack can happen. It
determines the level of exposure. By decreasing the attack surface, the level of exposure decreases.
The attack surface can be reduced by limiting entry points, ports, and protocols and disabling unused
services. The other options are not as effective.
Q. 4
Q. 5
Explanation: Many agencies publish new vulnerabilities and provide recommendations to address
vulnerabilities. This is the most cost-effective method of understanding new vulnerabilities. The other
options may not be as cost effective as external vulnerability sources.
Q. 6
Explanation: A vulnerability assessment helps identify all existing vulnerabilities and plans to
address them. This assures management that the risks to business objectives are actively monitored
and controlled. It is not possible to eliminate all risks. A vulnerability assessment is not primarily
conducted to adhere to the security policy or to monitor the efficiency of the security team.
Q. 7
Q. 8
Explanation: The most important aspect of a scanning tool is to get it updated with new signatures to
address new and emerging risks. A vulnerability scanner need not delete viruses. Multiple functions
and user-friendly graphical user interfaces are good-to-have features but not as important.
Q. 9
Answer: D. Identified vulnerabilities should be evaluated for threat, impact, and cost of mitigation
Q. 10
Explanation: The most cost-effective approach to test the security of a legacy application is to
conduct a vulnerability assessment. The other options are not as effective as vulnerability
assessments to test the security of legacy applications.
Chapter 4: Information Risk Response
Explanation: Taking out insurance is an example of risk transfer. In risk transfer, the risk is shared
with partners or is transferred via insurance coverage, contractual agreement, or other means. For
instance, natural disasters have a very low probability but a high impact. The response to such a risk
should be risk transfer.
Q. 2
Explanation: The business manager will be in the best position to decide on any particular control on
the basis of risk assessment as they are thoroughly aware of the risks relevant to their processes. The
senior manager should provide the appropriate funding for the control. The audit and security
managers support the business manager in reviewing and monitoring the effectiveness of the control.
Q. 3
Explanation: The best course of action for the organization in the given situation is to set up
monitoring techniques to detect and react to potential fraud. It is not possible to make customers
liable for fraud. Making customers aware of the risks of fraud is a good option but not as effective.
To outsource the processes, a business case needs to be reviewed and decisions should be taken
accordingly. However, the most effective method will be setting up monitoring techniques to detect
and react to fraud.
Q. 4
Explanation: In a phishing attack, employees are approached via email by someone posing as an
authorized representative. This is done to trick employees into divulging sensitive information, such
as personal information, banking and credit card information, and passwords. The best way to combat
this attack is to conduct frequent user awareness training.
Q. 5
Answer: C. Risk transfer
Explanation: Taking out insurance is an example of risk transfer. In risk transfer, the risk is shared
with partners or transferred via insurance coverage, contractual agreement, or other means. Natural
disasters have a very low probability but a high impact. The response to such a risk should be risk
transfer.
Q. 6
Explanation: The best approach in this situation is to purchase insurance to compensate for the
financial liability. Privacy laws are aimed to protect customers and generally mandate heavy penalties
for data breach incidents. A breach can still happen even after implementing technical controls, so the
best solution is to purchase insurance.
Q. 7
Explanation: Risk treatment consists of four types: risk acceptance, risk avoidance, risk mitigation,
and risk transfer.
Q. 8
Explanation: Risk mitigation is the act of implementing security controls to reduce the likelihood or the impact of
a risk and to bring the risk down to an acceptable level.
Q. 9
Explanation: A control objective is met when risk is mitigated in the most effective and efficient
manner. The best risk treatment should be both effective (that is, it should be able to address the risk)
and efficient (that is, the cost of treatment should be optimum).
Q. 10
Explanation: The best risk response in such a scenario (low probability and high impact) is to
transfer the risk to a third party. Insurance for natural calamities is one such example. This will help
the organization compensate for the financial losses they face.
Q. 11
Answer: B. User entitlement
Explanation: The data owner is accountable for ensuring that access to their data is provided based
on user entitlement and a need-to-know basis. The other options are the responsibilities of the
security team.
Q. 12
Explanation: The best way is to provide access to confidential information on a need-to-know basis,
that is, role-based access control. Defense in depth is generally for external threats. A privacy policy
details how information is collected and used. It will not be able to prevent a threat. Capturing
transaction logs is a detective control. A detective control will not be able to prevent a threat.
Q. 13
Explanation: The best option in this situation is to use the services of a third party with expertise in
information security. This will result in cost reduction and, at the same time, adherence to security
requirements. The other options are not feasible and will result in an increase in security risks.
Explanation: Business process owners are in the best position to conduct the risk analysis for their
respective processes. They have detailed knowledge of the risks and controls applicable to their
processes.
Q. 2
Explanation: A business process owner will be in the best position to drive a project for
implementing regulatory requirements. They have a thorough understanding of their processes and
the impact of regulatory requirements on those processes. The other options do support the business
process owner in the implementation of the project but are not primary.
Explanation: The potential impact helps management determine the extent of mitigation required. If
the impact is on the higher side, management may allow more budget for mitigation efforts. The
potential impact does not directly relate to risk treatment options. The potential impact can be more
than the cost of the assets as it may include the cost of recovery, business downtime, and other costs.
The potential impact is in no way useful in determining the probability.
Q. 2
Answer: C. Understanding the business objectives and the flow and classification of information
Explanation: The most important factor to determine new threats is to first understand the business
objectives and the flow and classification of information. It is of utmost importance to have
knowledge of the threats to business processes. The other options can be subsequent steps.
Q. 3
Explanation: The use of cloud services will introduce new risk scenarios as the dependency will be
on a third-party cloud service provider. This new risk has to be included in the risk profile of the
organization. A cloud service is generally considered a cost-effective resource. The source of a
business transaction is not impacted by the cloud service. Cloud service providers generally have
more stringent security controls to prevent attacks.
Q. 4
Explanation: Because of the small size and ease of mobility, mobile devices are subject to a high
risk of being lost or stolen. This can result in unauthorized disclosure of any sensitive data present on
the mobile devices. The other options are not significant security concerns.
Q. 5
Explanation: The first course of action for a security manager is to calculate the risk of exception
and make a call for approval on that basis. If the potential benefit from the exception is more than the
potential loss from the risk, an exception may be granted.
Q. 6
Q. 7
Answer: C. Define an exception process for sending the data without encryption
Explanation: In the given situation, the best course of action is to work out an exception process to
send the data without encryption. The security manager should work out another secure way of
communicating and implement other compensating controls for the protection of unencrypted data.
Q. 8
Explanation: Residual risk refers to the remaining risk after controls have been implemented.
Residual risk is compared to the acceptable risk level to determine whether controls are effective. If
the residual risk is higher than the acceptable risk then more controls are required. The classification
of assets is based on their value. Residual risk is not relevant at the time of the identification of risk
or the valuation of assets.
Q. 9
Explanation: Risk analysis results provide a list of the most critical risks that need to be addressed
on a priority basis. The other options are not directly impacted by the results of a risk analysis.
Q. 10
Answer: A. To understand the risk due to noncompliance and recommend an alternate control
Explanation: The best course of action for the security manager is to evaluate the risk due to
noncompliance. If the potential benefit from the exception is more than the potential loss from the
risk, an exception may be granted along with some alternate controls.
Q. 11
Explanation: An incident from an unidentified risk indicates the effectiveness of the risk assessment.
A low percentage indicates that almost all sources of risk have been identified, whereas a high
percentage indicates that the risk assessment was unable to identify major sources of risk. The other
options do not directly indicate the effectiveness of a risk assessment.
Q. 12
Explanation: The first course of action is to review compliance with the standards and policies. If
risk management procedures are in accordance with those and the risk management procedures are
still inadequate and inconsistent, it indicates that standards and policies have not been drafted
appropriately. Policies and standards need to be reviewed to determine whether they are adequate.
The other options will not be meaningful if policies and standards are inconsistent and inadequate.
Q. 13
Explanation: The first step for the security manager is to validate the noncompliance to rule out any
false positives. The other options are subsequent actions.
Q. 14
Explanation: The security manager should be most concerned about loopholes in the physical and
logical access controls. By comparing physical access records with logical access records, the
security manager can identify issues such as tailgating, password sharing, and other forms of
compromise. Options A and B are not relevant from the information security perspective. Option D is
less significant.
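The comparison described above, as an added example that is not from the book: badge-in records are correlated with workstation logons, and a logon that no badge-in at the same site explains is flagged as possible tailgating or password sharing. The users, sites, times and the one-hour window are constructed assumptions.

```python
"""Correlating physical badge-in records with logical logon records.

Constructed sample data; not taken from the book. All times are on the same day.
"""
from datetime import datetime, timedelta

# (user, site badged into, badge-in time)
BADGE_LOG = [
    ("alice", "HQ", "08:55"),
    ("bob", "HQ", "09:02"),
    ("carol", "BRANCH", "09:10"),
]

# (user, workstation, site where the workstation sits, logon time)
LOGON_LOG = [
    ("alice", "HQ-WS01", "HQ", "09:01"),  # badge-in shortly before logon: consistent
    ("dave", "HQ-WS07", "HQ", "09:05"),   # no badge-in at all: possible tailgating
    ("carol", "HQ-WS03", "HQ", "09:15"),  # badged into BRANCH, logged on at HQ: possible password sharing
    ("bob", "HQ-WS02", "HQ", "09:40"),    # logon within an hour of badge-in: consistent
]

# Assumption: a local logon is only "explained" by a badge-in at the same site within this window.
MAX_GAP = timedelta(hours=1)


def _t(hhmm):
    return datetime.strptime(hhmm, "%H:%M")


def find_anomalies(badge_log, logon_log, max_gap=MAX_GAP):
    """Return (user, workstation, logon time, finding) for each logon that no
    badge-in by the same user at the same site within max_gap can account for."""
    findings = []
    for user, host, site, when in logon_log:
        logon_time = _t(when)
        badges = [(b_site, _t(b_time)) for b_user, b_site, b_time in badge_log if b_user == user]
        explained = any(
            b_site == site and timedelta(0) <= logon_time - b_time <= max_gap
            for b_site, b_time in badges
        )
        if explained:
            continue
        if not badges:
            findings.append((user, host, when, "no badge-in on record: possible tailgating"))
        else:
            findings.append((user, host, when, "badged into another site: possible password sharing"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(BADGE_LOG, LOGON_LOG):
        print(*finding)
```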
Q. 15
Explanation: Operational risk is a risk related to failed processes and systems due to either internal
or external events. The objective of a DDoS attack is to bring down the system by flooding it with
excessive traffic. Aggregate risk is defined as the overall impact of a single threat vector. Systemic
risk is the risk of the collapse of an entire system. Residual risk refers to the risk that remains after
controls are implemented.
Q. 16
Explanation: Background checks help determine the integrity of new employees. A security
awareness program will not necessarily guarantee that the employee will behave with honesty.
Penetration testing and network address translation are more effective at addressing external attacks.
Q. 17
Explanation: Compliance with legal and regulatory requirements should be considered on the basis
of business decisions. Business decisions are based on a cost-benefit analysis. Legal and regulatory
requirements, like any other requirements, should be considered for risk assessment and decision-making.
Sometimes the cost of compliance is much more than the expected benefit; in such cases,
management needs to make a business call.
Q. 18
Answer: C. The new system may affect the security or operations of other systems
Explanation: The area of most concern for a security manager is the impact of a new system on the
security and operational aspects of other systems. Functionality, support staff, and time needed for
installation are the responsibility of the business and IT departments.
Q. 19
Explanation: In this scenario, the first step is to advise management about the elevated risk. In
consultation with management, subsequent actions can be taken.
Explanation: An acceptable usage policy is a document stipulating constraints and practices that a
user must agree to for the usage of organizational resources. Many organizations require employees
to sign an acceptable usage policy before access is granted to them. The other options may not
directly impact data leakages.
Q. 2
Answer: D. To measure the current state of control versus the desired future state
Explanation: The objective of a gap analysis is to identify the gap between the current level of
control and the desired level of control. Such gaps are also known as control deficiencies. Risk
practitioners first analyze the desired state of risk management required by the organization and then
determine the current condition of risk management. This helps them identify any gaps. They should
recommend actions to close such gaps.
Q. 4
Explanation: The objective of an indemnity clause is to compensate for or recover any losses due to
any breach of the service-level agreement. It helps to reduce the financial impact on the organization.
An indemnity clause may not always be a regulatory requirement. Merely incorporating an indemnity
clause will neither reduce probability nor ensure performance improvement.
Q. 5
Explanation: The objective of a cost-benefit analysis is to determine the benefits compared to the
costs of a project. If the benefit realized from the control is less than the cost of implementation of
the control, then it does not justify the implementation of that control. The selection of a control is
primarily based on the cost-benefit analysis.
Q. 6
Explanation: The objective of a cost-benefit analysis is to determine the benefits compared with the
cost of the project. If the benefit realized from the control is less than the cost of implementation of
the control, then it does not justify the implementation of the control. The selection of a control is
primarily based on a cost-benefit analysis. The other options do not indicate the benefit of a control.
Q. 7
Explanation: The first step is to develop a classification program. Based on this, critical data can be
identified. The other options are subsequent steps.
Q. 8
Q. 9
Explanation: Information security requirements may directly impact the feasibility of a project. The
cost of security must be considered while calculating the business case and feasibility study.
Sometimes, the cost of security may exceed the benefit expected from the project and hence the
implementation of the project may not be feasible.
Q. 10
Explanation: Management will be in the best position to address such issues where security
requirements are adversely impacting the business. The best action for a security manager is to
escalate such an issue to management.
Q. 11
Explanation: A business impact analysis helps to determine the critical processes/assets of the
organization. These critical processes/assets should be recovered as a priority.
Q. 12
Explanation: Which factor is most important depends on the risk applicable to each of them.
For example, in the case of the failure of an automatic door, the organization can opt for fail open
(door should remain open) or fail closed (door should remain closed). In the case of fail open,
confidentiality and integrity may be compromised, and in the case of fail closed, availability may be
compromised. In such a situation, the risk is determined for each element and accordingly, a decision
is made. Considering only the threat element will not serve the purpose as both threat and impact
need to be considered.
Q. 13
Explanation: Risk management helps to highlight the critical risks that can impact business
processes. It helps to make security policy decisions to address the highlighted risks. Risk
management is aimed at supporting the business objectives and is not designed to change them. An
audit charter highlights the roles and responsibilities of the audit department and is not directly
impacted by the risk management process.
Q. 14
Explanation: Which factor is most important depends on the risk applicable to each of them.
For example, in the case of the failure of an automatic door, the organization can opt for fail open
(door should remain open) or fail closed (door should remain closed). In the case of fail open,
confidentiality and integrity may be compromised, and in the case of fail closed, availability may be
compromised. In such a situation, the risk is determined for each element and accordingly, a decision
is made. Considering only the threat element will not serve the purpose as both threat and impact
need to be considered.
Q. 15
Explanation: The main objective of a cost-benefit analysis is to ensure that the cost of the project
does not exceed the benefit expected from the project. The cost should be justified by an appropriate
reduction in the risk.
Q. 16
Explanation: The best quantification is to derive the cost of business interruption and the level of
insurance taken to protect against such losses. For example, if the cost of business disruption is
$100,000 and insurance coverage is up to $80,000, then the risk appetite of the organization can be
considered as $20,000. The other options will provide only a rough estimation of the risk appetite.
Q. 17
Explanation: If the second server is placed where there is no exposure, then there is no chance of
compromise; hence, hardening may not be required. In the case of the other options, that is, the
second server being a backup server, supporting noncritical functions, or being monitored on a
continuous basis, the risk remains the same as it contains identical content and hence it should be
given the same level of protection as the first server.
Q. 18
Answer: A. A workflow analysis
Q. 19
Answer: D. Addresses the financial liability but leaves the legal and reputational risks generally
unchanged
Explanation: The objective of an indemnity clause is to compensate the organization for any
financial loss due to an act of the service provider. However, it does not reduce the legal or reputation
risks for the organization.
Q. 20
Explanation: The most important objective of a risk management program is to reduce the number
of incidents having an adverse impact on the objectives of the organization. The other options are
specific actions taken to address adverse incidents rather than the overall objective.
Q. 21
Explanation: A risk policy that is aligned with the business objectives helps in achieving the
organization's objectives. A business-oriented risk policy is strongly supported by the effective
management of information assets. The other options do not directly impact the effectiveness or
efficiency of information assets.
Q. 22
Explanation: The main objective of risk management is to reduce the number of security incidents
that can cause significant financial loss or business disruption. If such incidents are high, then the
effectiveness of risk management is questionable. The other options are not as significant.
Q. 2
Explanation: Change management is the process of requesting, planning, implementing, testing, and
evaluating changes made to a system. Regression testing is a part of change management. The
objective of regression testing is to prevent the introduction of new security exposures when making
modifications. Thus, change management is the best way to ensure that modifications made to
systems do not introduce new security exposures.
Q. 3
Explanation: Change management is the best way to ensure that modifications made to systems do
not introduce new security exposures. System users are in the best position to conduct user
acceptance testing and determine whether any new vulnerabilities have been introduced during
change management.
Q. 4
Explanation: Change management is the best way to ensure that modifications made to systems do
not introduce new security exposures. System users are in the best position to conduct user
acceptance testing and determine whether any new vulnerabilities have been introduced during the
change management process.
Q. 5
Answer: D. The change management process should include mandatory involvement of the
information security department
Explanation: For effective change management, it is important that the security team be apprised of
every major change. Representation from the security team on the change control board is
recommended. This will ensure that the security aspects of any change are considered. It is not
required for change management to be handled by the information security team; representation is
sufficient. Monitoring the change management process may not be the responsibility of the steering
committee. Change management should be separate from release and configuration management.
Q. 6
Q. 7
Answer: C. Scheduling
Q. 8
Explanation: A major risk related to production is the continuity of operations. This can be best
addressed by a structured change management process. Change management is a structured process
of change request, approval, planning, implementation, and testing. The main objective of change
management is to support the processing and traceability of changes made to a system. Change
management ensures that changes or updates are processed in a controlled manner.
Q. 9
Answer: B. To ensure that any risks arising from the proposed changes are managed
Explanation: Any major change may introduce new risks to the system. The security manager is
required to ensure that any new change does not have an adverse impact on the organization's
security environment. The other options are not the primary reasons.
Q. 10
Explanation: A change management process includes approval, testing, scheduling, and rollback
arrangements. Any change made to a system or process is likely to introduce new vulnerabilities.
Hence, it is very important for a security manager to identify and address new risks. Changes that are
not properly reviewed can disrupt the production system. The other options, that is, patch
management, baseline management, and antimalware management, should also be implemented
through the proper change management process.
Q. 11
Explanation: Threat and vulnerability assessments during change management help to identify the
potential risks in the proposed changes at an early stage. This helps to keep the risk assessment
updated. This eventually reduces the requirement for a full assessment. The other options are not
primary objectives. Policy is a high-level statement and is generally not impacted by new risks.
Q. 12
Explanation: The lack of an effective change management process can pose a significant risk of
disruption to systems and procedures. The other options are not as significant. Guidelines are
generally not mandatory. Outsourcing activities can be controlled and monitored. Poor capacity
management may not impact security risks.
Q. 13
Explanation: Threat and vulnerability assessments during change management help to identify
vulnerabilities at the initial stages so that they can be addressed early without the need for a full risk
assessment. This keeps the risk assessment up to date without the need to complete a full
reassessment.
Answer: C. Verifying the patch logs and tracing them to the change control request
Explanation: To determine whether all patches went through the change control process (change
management), it is necessary to use patch logs as a starting point and then verify whether the change
control requests for those patch updates are available. When a change request is taken as the starting
point and then traced back to patch logs, it will not be possible to determine whether all patches went
through the change control process.
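The two tracing directions described above, as an added example that is not from the book: starting from the patch log surfaces every applied patch with no approved change request, while starting from the change requests can only surface approved changes that were never applied. The hosts, patch and change identifiers are constructed placeholders.

```python
"""Completeness test for patch management: trace patch logs to change requests.

Constructed sample records; not taken from the book. Host names and the KB-/CR-
identifiers are placeholders.
"""

# What was actually applied, taken from the patch log.
PATCH_LOG = [
    {"host": "web01", "patch": "KB-0001", "applied": "2024-03-02"},
    {"host": "db01", "patch": "KB-0001", "applied": "2024-03-02"},
    {"host": "web01", "patch": "KB-0002", "applied": "2024-03-05"},
    {"host": "db01", "patch": "KB-0003", "applied": "2024-03-06"},  # no change request exists
]

# What the change control system approved.
CHANGE_REQUESTS = [
    {"cr": "CR-100", "patch": "KB-0001", "hosts": {"web01", "db01"}, "status": "approved"},
    {"cr": "CR-101", "patch": "KB-0002", "hosts": {"web01"}, "status": "approved"},
    {"cr": "CR-102", "patch": "KB-0004", "hosts": {"web01"}, "status": "approved"},  # approved, not yet applied
]


def _approved_index(change_requests):
    """Map (host, patch) -> list of approved change request ids."""
    idx = {}
    for cr in change_requests:
        if cr["status"] != "approved":
            continue
        for host in cr["hosts"]:
            idx.setdefault((host, cr["patch"]), []).append(cr["cr"])
    return idx


def patches_without_change_request(patch_log, change_requests):
    """Start from the patch log and trace each entry back to an approved CR.
    Whatever is left over bypassed change control."""
    idx = _approved_index(change_requests)
    return [p for p in patch_log if (p["host"], p["patch"]) not in idx]


def approved_changes_not_applied(patch_log, change_requests):
    """Start from the change requests instead. This only finds approved changes
    that were never applied; a patch with no CR at all (KB-0003 here) is never
    visited, so this direction cannot prove completeness."""
    applied = {(p["host"], p["patch"]) for p in patch_log}
    missing = []
    for cr in change_requests:
        if cr["status"] != "approved":
            continue
        for host in cr["hosts"]:
            if (host, cr["patch"]) not in applied:
                missing.append((cr["cr"], host, cr["patch"]))
    return missing


if __name__ == "__main__":
    print("applied without approved CR:", patches_without_change_request(PATCH_LOG, CHANGE_REQUESTS))
    print("approved but not applied:", approved_changes_not_applied(PATCH_LOG, CHANGE_REQUESTS))
```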
Q. 2
Explanation: Patch management is the process of applying updates to operating systems and other
software. These patches are often necessary to correct errors in the software. If patches are not
applied as and when released, then this is an area of serious concern. The other options are not as
significant.
Q. 3
Explanation: Patches should be applied through a structured change management process, which
includes approval, testing, user acceptance testing, and proper documentation. The testing of a patch
prior to implementation is one of the most important aspects as deploying an untested patch may
cause system failure. Furthermore, the appropriate rollback procedures should be in place in case of
unexpected failure.
Q. 4
Explanation: Patches should be applied through a structured change management process that
includes approval, testing, user acceptance testing, and proper documentation. The testing of a patch
prior to implementation is of utmost importance as deploying an untested patch may cause the system
to fail. Furthermore, appropriate rollback procedures should be in place in case of unexpected failure.
The other options are secondary steps to be followed after the problem has been assessed.
Q. 5
Explanation: The first step is to validate the authenticity of the patch before taking any further
action. If the patch is not from an authentic source, it may be malicious.
Q. 6
Explanation: Patch management is the process of applying updates to operating systems and other
software. These patches are often necessary to correct errors in the software. A well-defined and
structured patch management process helps to address the new vulnerabilities related to operating
systems. The timely update of patches helps to secure the operating systems and applications.
Q. 7
Answer: D. As and when critical security patches are released
Explanation: Patches should be applied as and when new patches are released. This is required to
ensure that zero-day vulnerabilities are not exploited. However, patch management should include
appropriate testing and approvals.
Explanation: The RTO determines the time within which the system should be restored. The RTO is
derived from the BIA. The BIA helps to determine the critical systems of the organization and the
impact due to the downtime of systems.
Q. 2
Answer: D. Feasibility
Explanation: Risk assessment should commence at the earliest phase of the SDLC, that is, the
feasibility phase. A feasibility analysis should include risk assessment so that the cost of controls can
be determined at the beginning.
Q. 2
Explanation: Risk assessment is most effective when it is performed at every stage of the SDLC.
This helps in the early identification of any risk that might occur during any stage.
Q. 3
Explanation: A change management process includes approval, testing, scheduling, and rollback
arrangements. Changes at various life cycle stages should be appropriately controlled through a
structured change management process. The other options do not relate to complete life cycle stages.
Q. 4
Explanation: If controls are managed throughout the life cycle, it will reduce the scope of the
degradation of controls and ensure control effectiveness throughout the life cycle.
Revision Questions
Q.1
Explanation: The primary goal of a risk management program is to achieve the stated objective. The
stated objective can be in the form of the protection of assets, availability of systems, or
implementation of preventive controls.
Q. 2
Explanation: In the absence of validation checks in data input fields, attackers can exploit other
weaknesses in the system. For example, through SQL injection attacks, hackers can illegally retrieve
application data. Other options may also make the applications vulnerable, but these can be countered
in other ways.
Q. 3
Explanation: Industry tracking groups provide insights into the nature of attacks at the industry-specific
as well as the global level. They conduct surveys and closely monitor attack types. Their
publications can be either free or subscription based, and they provide detailed overviews of current
scenarios. A honeypot is used to trap attackers and understand their attack methods. However, not all
hackers will fall into honeypot traps. A rogue access point is a trap set up by hackers to lure
legitimate users into connecting to it. Penetration testing assesses the security posture of the
organization and will not be able to identify the evolving nature of attacks.
Q. 4
Explanation: Risks change over time, hence even if a risk was accepted previously, it should be
assessed again on a periodic basis to determine its current impact.
Q. 5
Explanation: An incident can take place either due to a failure of controls or an absence of controls.
Inadequate risk analysis may be one of the reasons for the absence of a control. A new attack or
operational error can have an impact only if there is no control or if controls have failed.
Q. 6
Answer: D. The time gap between the occurrence of the incident and its detection
Explanation: The level of impact of an incident depends on the time gap between the occurrence of
the incident and its detection. The early detection of an incident helps to reduce the damage. The
other options are important but not as significant.
Q. 7
Answer: C. The cost of implementation of the regulation is much higher than the risk
of noncompliance.
Explanation: An organization may decide to accept the risk of noncompliance if the cost of the
implementation of a new regulation is much higher than the risk of noncompliance. The other options
are the major factors affecting the decision of whether to comply or not.
Q. 8
Q. 9
Q. 10
Q. 11
Explanation: Generally, policy exceptions are approved when the impact of noncompliance is less
than the benefit of taking the risk.
Q. 12
Explanation: The first step is to perform a gap analysis to determine whether the organization has
already complied or whether some action is required for compliance. Based on the gap analysis,
further action can be taken.
Q. 13
Answer: B. To determine the systems and processes that contain the privacy components
Explanation: The best course of action in this case is to determine the systems and processes that can
be impacted due to the new privacy laws. The other options may be subsequent steps.
Q. 14
Explanation: Though all options are very important for an effective risk management program, if the
program does not have the ability to identify new risks, the other procedures will only be useful for a
limited period.
Q. 15
Explanation: For the purposes of a BIA, valuation should be based on the opportunities lost due to the
unavailability of assets. This is known as opportunity cost.
Q. 16
Answer: D. Likelihood
Explanation: Likelihood is the most difficult to estimate and will require the highest amount of
speculation. The other options can be determined within a range.
Q. 17
Answer: C. Conduct a risk assessment to quantify the risk
Explanation: The first course of action for a risk manager is to conduct a risk assessment and
determine the level of risk. Policy exceptions are generally allowed where benefits from the project
outweigh the perceived risks. The other options can be meaningful only if the security manager is
aware of the level of risk.
Q. 18
Answer: A. To verify the decision of the business unit through a risk analysis
Explanation: The best course of action in this scenario is to conduct a risk analysis and determine
the impact of the new application via the BIA. If there is no impact, then there is no need to update
the BIA.
Q. 19
Explanation: The first course of action for a risk manager is to conduct a risk assessment and
determine the level of risk. Policy exceptions are generally allowed when benefits from the project
outweigh the perceived risks. The other options can be meaningful only if the security manager is
aware of the level of risk. It is unlikely that a business objective is changed to accommodate a
security requirement.
Q. 20
Explanation: The first course of action for the security manager is to evaluate the likelihood of an
incident from the reported cause. Once the likelihood is determined, other suitable actions can be
taken.
Q. 21
Answer: C. Risk management activities should be integrated within the business processes
Explanation: The integration of risk management activities within business processes is a more
effective way to enhance risk management. Risk management should not be treated as a separate
activity.
Q. 22
Explanation: A BIA is a process to determine the critical processes of an organization and decide the
recovery strategy during a disaster. The prime criterion to determine the severity of service
disruptions is the period for which the system will remain down. The higher the system downtime,
the higher the severity of the disruption. The other options are not directly related to the BIA.
Q. 23
Explanation: Once the objectives are finalized, the next step is to determine the scope of the review.
The limitations and approach must be defined after the scope. The report structure is the last step.
Q. 24
Explanation: The best course of action in this case is to apply compensating controls until the patch
is installed. This will help to address the risk. Updating signatures for the antivirus does not address
zero-day vulnerabilities.
Q. 25
Explanation: The most important aspect for a security manager is to know the level of risk for this
noncompliance. The risk may be either very high or negligible. Based on the level of risk, further
courses of action can be determined.
Q. 26
Explanation: The objective of a gap analysis is to identify the gap between the current level of
controls and the desired level of controls. A gap analysis is used to improve the maturity level of risk
management processes. A workflow analysis is used to understand the current level of risk
management processes, but it does not provide support for improvement opportunities. A program
evaluation and review technique (PERT) is used to determine the project timelines.
Q. 27
Explanation: The first step is to develop a comprehensive assessment process based on which
approval should be granted to devices. The other options are subsequent steps.
Q. 28
Q. 29
Explanation: The most important aspect is to ensure that users understand the various requirements
for the protection of sensitive data on the device. Generally, personal devices are not returned to the
organization. The other options are not as important as the protection of data.
Q. 30
Explanation: It should be dealt with as just another risk. Regulatory risk, like every other risk,
should be addressed considering its impact on the business processes. Priority should be given based
on feasibility, possible impact, and cost of compliance.
Q. 31
Explanation: Existing controls may not be relevant to address new and emerging risks arising due to
changes in the environment. As a result, risk management is most effective when it is completed on
an ongoing basis.
Q. 32
Explanation: The first action for the security manager in this case is to determine the level of risk of
nonavailability of the service. This can be done by performing a BIA. The other options can be
considered based on the results of the BIA.
Q. 33
Explanation: Integrating the activities of various assurance functions helps to ensure that there are
no overlapping activities or gaps in risk management activities. It is the most cost-effective method as
duplicate efforts are removed. The decentralization of the risk management function actually
increases the cost of risk management. The other options do not directly impact the cost effectiveness
of risk management functions.
Q. 34
Explanation: A regulatory risk should be treated just like any other risk and should be addressed
considering its impact on business processes. Priority should be given based on feasibility, possible
impact, and the cost of compliance.
Q. 35
Explanation: The data retention policy defines the minimum period of data retention. Overwriting of
data may impact the data retention policy.
Q. 36
Answer: A. Exposure
Explanation: The level of exposure of the data affects the threat, vulnerability, and probability, as well
as the impact. It is the most important aspect when considering the level of protection required.
Q. 37
Explanation: Risk can be determined based on the probability and consequences. The product of
probability and consequences will help to derive the level of risk for noncompliance. Hence, both
probability and consequences should be considered to prioritize the requirements.
Q. 38
Explanation: Risk tolerance is the acceptable deviation from the risk appetite. For example, suppose
the risk appetite of an organization is $100 and the risk tolerance is $125. In this case, the
organization is comfortable even if the risk level reaches $125. High risk tolerance means a wider
gap between risk appetite and risk tolerance. This will be more helpful when the uncertainty of the
risk is high.
Chapter 5: Information Security Program Development
Explanation: The most important challenge for a security manager is to obtain support from senior
management and other business units for changing the business processes to include the security
aspect. As the incident has already happened, business units will be more open to supporting security
processes. In the absence of close integration of business and security processes, the other options
will not be effective.
Q. 2
Answer: B. To understand the risk of technology and its contribution to security objectives
Explanation: An information security manager is required to evaluate the risk of technology and
determine the relevant controls to safeguard IT resources. The other options are secondary aspects.
Q. 3
Answer: C. Strategy
Explanation: An information security strategy is a set of actions taken to achieve security objectives.
This strategy includes what should be done, how it should be done, and when it should be done to
achieve the security objectives. A strategy also includes the details of the resources necessary to
implement the program.
Q. 4
Explanation: Generally, the framework starts with conducting a risk assessment and establishing the
objectives of control. Once the objectives are established, the information security policy is
developed and the security budget is allotted. An internal audit is not relevant.
Q. 5
Explanation: It is of utmost importance that the security manager is aware of the overall risk
exposure of the organization. The other options will be evaluated as a part of risk exposure.
Q. 6
Explanation: A charter is the formal grant of authority or rights. An information security charter
states that the organization formally recognizes the information security department. In the absence
of a charter, it will be difficult for the information security department to operate within the
environment. All the other choices follow the charter.
Q. 7
Answer: B. Prevention
Explanation: DiD is an arrangement wherein multiple layers of controls are implemented to protect
the information resources. Its intent is to provide redundancy in case one control fails. The first layer
of DiD aims to prevent any event from occurring by implementing preventive controls such as
authentication. The second layer is containment, which involves isolating and minimizing the impact.
The third layer is reaction, which is incident response procedures. The final layer is a recovery and
restoration procedure that includes backup arrangements.
Q. 8
Explanation: The most important element for an effective information security program is support
and commitment from senior management. If senior management is committed to robust information
security across the organization, there will be no constraints on security budgeting and resources. The
other options are secondary aspects.
Q. 9
Answer: B. Authentication
Explanation: DiD is an arrangement wherein multiple layers of controls are implemented to protect
information resources. Its intent is to provide redundancy in case one control fails. The first layer of
DiD prevents any event from occurring and involves implementing preventive controls such as
authentication. The second layer is containment, which involves isolating and minimizing the impact.
The third layer is reaction, that is, incident response procedures. The final layer is recovery and
restoration procedures, which include backup arrangements.
Explanation: Among all the given options, the first step is to value the assets. Based on the
valuation, an asset can be classified and then risk can be assessed and controls can be implemented.
Q. 2
Q. 3
Explanation: It is very important to consider the requirements of the data owners when defining the
information classification policy. Data owners may have specific requirements to address the risk
related to their data. The other options do not directly impact the design of the classification policy.
Q. 4
Explanation: The data owner has the prime responsibility for determining the appropriate level of
classification as they are the one who owns the risk related to their data.
Q. 5
Explanation: Risk analysis is the process of determining the level of risk. Risk level can either be
quantified in monetary terms or be expressed as qualitative indicators such as high risk, medium risk,
and low risk. The results of a risk analysis help the security manager determine the efforts required to
address any risk. More resources may be required to mitigate high-risk areas, whereas fewer
resources may be required to mitigate low-risk areas.
Q. 6
Answer: C. It helps to determine the appropriate level of protection for the asset
Explanation: Information asset classification means the classification of assets based on their
criticality to the business. Assets can be classified as confidential data, private data, or public data.
This classification helps the organization to provide an appropriate level of protection for the assets.
More resources should be utilized for the protection of confidential data compared to public data.
Q. 8
Explanation: Information asset classification means the classification of assets based on their
criticality to the business. It determines the appropriate level of protection applicable to the asset; that
is, controls are commensurate with the impact. Classification helps to reduce the risk of the under-
protection of assets and at the same time reduces the cost of the over-protection of assets.
Q. 9
Explanation: Data classification means the classification of data on the basis of its criticality to the
business. Data can be classified as confidential data, private data, or public data. This classification
helps the organization to provide an appropriate level of protection for the assets. More resources
should be utilized for the protection of confidential data as compared to public data.
Q. 10
Explanation: The responsibility for the maintenance of proper security controls over information
assets should reside with the data owner. The ultimate responsibility resides with senior management.
The security manager and data administration support the data owner in classification and providing
appropriate controls.
Q. 11
Explanation: Information asset classification means the classification of assets based on their
criticality to the business. Assets can be classified as confidential data, private data, or public data.
This classification helps the organization to provide an appropriate level of protection for the assets.
More resources should be utilized for the protection of confidential data compared to public data.
Q. 12
Answer: D. The published financial results
Explanation: Information asset classification means the classification of assets based on their
criticality to the business. Assets can be classified as confidential data, private data, or public data.
This classification helps the organization to provide an appropriate level of protection for the assets.
Published financial results are considered public data and hence require the lowest level of
protection.
Q. 13
Explanation: The prime basis for determining the classification of information assets is the criticality
and sensitivity of the assets in achieving the business objectives. An impact assessment is used to
determine the criticality and sensitivity of the assets.
Q. 14
Explanation: Information classification is primarily based on inputs from data owners. Business
managers (data owners) have thorough knowledge and an understanding of an asset's impact on
business processes. They are in the best position to determine the value of the information assets.
Q. 15
Explanation: Assets can be classified and protected on the basis of business dependency
assessments. In this approach, critical business functions are identified, and all the assets of critical
functions are given high priority for protection.
Q. 16
Explanation: The primary basis for determining the classification of information assets is their
criticality and sensitivity in achieving business objectives. An impact assessment is used to determine
the criticality and sensitivity of assets.
Q. 17
Explanation: The primary basis for determining the classification of information assets is their
criticality and sensitivity in achieving business objectives. An impact assessment is used to determine
the criticality and sensitivity of the assets.
Q. 18
Explanation: Classification should be based on an impact assessment, that is, the potential impact
due to asset loss. The classification should be performed by the asset owner rather than the security
manager. Vulnerability should not be the basis of classification—the potential impact due to the loss
of the asset should be.
Q. 19
Explanation: Classification should be based on an impact assessment, that is, potential impact due to
asset loss.
Q. 20
Explanation: The first step is to determine the classification level of the requested information. If the
information is classified as confidential, then such information should not be made available to any
unauthorized users. The other steps could be subsequent actions.
Explanation: An asset should be valued at the replacement cost, which is the cost to replace the asset
if it is damaged or destroyed. The replacement cost gives a realistic impact assessment. The other
options are not true indicators for an impact assessment.
Q. 2
Explanation: The first step is to create an inventory of all the information assets of the organization.
Once the inventory is available, ownership is established and assets are valued. Based on this
valuation, assets are classified.
Q. 3
Q. 4
Explanation: Valuation is done on the basis of an impact assessment. Business managers are in the
best position to understand the impact of an asset on the business. The other options (including senior
management) will not have detailed knowledge of each process and its impact on the business.
Q. 5
Answer: C. Identification of the asset inventory and the appropriate valuation of assets
Explanation: The identification of all available assets is the first step in risk assessment. If the
identification process is not properly followed, some assets may not be appropriately protected.
Valuation is performed to understand the criticality and sensitivity of assets needing protection.
Support from management, annual loss expectations, and threat motives are important, but risk
assessment would be meaningless without asset inventory and valuation.
Q. 6
Explanation: Impact can be considered as the financial losses incurred by the affected business units.
Impact is not merely restricted to service provider charges or the quantity of data transmitted. RoI is
not based on connectivity and would not be useful in calculating impact.
Q. 7
Explanation: The first step is to create a list of all assets. This will ensure that no assets are missed
during risk assessment. The other options are subsequent steps.
Q. 8
Q. 9
Answer: A. Potential financial loss
Explanation: Assets should be valued on the basis of potential financial loss due to their
unavailability. The other options are not key considerations.
Q. 10
Answer: D. Classification
Explanation: Information asset classification involves the classification of assets on the basis of their
criticality to the business. If an asset is classified as confidential, it means that it holds a high value
for the organization.
Q. 11
Explanation: Asset valuation indicates the impact from the cost perspective that the organization
may face in the event of a major compromise. The other options will not be able to provide a direct
cost representation.
Q. 12
Explanation: A BIA determines the critical business assets by analyzing the impact of the
unavailability of an asset on business objectives. In the event of a disaster, identified critical assets
are recovered and restored by priority to minimize the damage. Identification of threats and
vulnerabilities is performed during risk assessment. Incident notification procedures are a part of the
business continuity and disaster recovery plans.
Q. 13
Explanation: Prioritization is based on the valuation of the assets. High-value assets are given
priority for risk treatment. An inaccurate valuation may impact prioritization. An incomplete list may
also impact the prioritization as some assets may be missed. However, organizations generally adopt
procedures to identify at least all the critical assets, so an incomplete list is not as major a concern.
Incomplete vulnerability and threat assessments are less significant than an inappropriate valuation,
which undermines the assessment as a whole.
Q. 14
Q. 15
Explanation: An RTO determines the time within which a system should be restored. An RTO is
derived from a BIA, which helps to determine the critical systems of the organization and the impact
due to the downtime of systems.
Answer: C. Discuss the situation with data owners to understand the business needs
Explanation: The first step is to determine the business needs for granting privilege access to all HR
team members as it may be a business process requirement. Without understanding the business
requirements, the security manager should not revoke access or report to senior management.
Q. 2
Explanation: The most important aspect when developing a framework for an information security
program is to determine the desired outcomes. If the desired outcome is not considered at the time of
developing the framework, it will be difficult to determine the strategy, control objectives, and
security architecture.
Q. 3
Explanation: To get the framework approved, the security manager should demonstrate a positive
return on security investment. The best method to evaluate the return on security investment is to
determine how information security supports the achievement of business objectives. The other
options do not directly help to determine the RoI.
Q. 4
Q. 5
Explanation: Decentralized units are more responsive to business unit needs as they are closer to the
business units. The other options are advantages of centralized functions. Centralized management is
easy to manage and control and ensures increased compliance and a reduction in the cost of security.
Q. 6
Explanation: The first step is to conduct a risk assessment and determine the impact of
non-compliance. Based on the potential impact, subsequent actions should be determined.
Q. 7
Explanation: The security framework and security policy should closely align with organizational
needs. Policies must support the needs of the organization. For the alignment of the security program,
the security manager should have a thorough understanding of the business plans and objectives.
Effective strategic alignment of the information security program requires regular interaction with
business owners.
Q. 8
Explanation: The first step for the security manager is to determine the risk associated with granting
the exception and evaluate whether any compensatory controls are in place to address the risk. Based
on the risk perceived, other options can be considered.
Q. 2
Explanation: Standards should be approved by the information security team. The team should
ensure that standards meet the requirements of the security policy. Implementation of the approved
standard is performed by the IT department. The other options are generally performed by the IT
department.
Q. 3
Answer: A. Standards
Explanation: Standards are sets of minimum requirements to be followed to comply with the
requirements of a security policy. Standards (minimum requirements) are included in procedures to
ensure that they comply with the intent of policies. Guidelines are generally detailed descriptions of
procedures. A maturity model is adopted to ensure continuous improvement in the security process.
Q. 4
Answer: B. Standards
Q. 5
Explanation: The most important element in an information security standard is the last review date,
which helps to ensure the currency of the standard and provides assurance that the document has
been reviewed and updated to address current issues.
Q. 6
Q. 7
Explanation: A policy is a high-level statement of management intent and does not cover specific
requirements or actionable steps. A standard is a mandatory requirement to be followed to comply
with a given framework or policy. That is, a standard provides detailed directions to comply with a
policy.
Q. 8
Q. 9
Explanation: The final responsibility for compliance with laws and regulations resides with the
board of directors. The other options support the board to execute the security policy.
Q. 10
Explanation: A framework defines the process for handling exceptions to policies and procedures.
The inherent authority to grant an exception to the information security policy resides with the one
who approved the policy.
Q. 11
Explanation: A security program should provide value to the organization. The security manager
should determine the cost of implementation of controls and the corresponding value of the assets to
be protected. This will form the basis for determining whether the information security program is
delivering value. If the cost of controls is higher than the value of the assets, then the program does
not provide any value. The other options are secondary aspects.
Q. 2
Explanation: It is very important to take approval from the business asset owner for patch update
timings as patch updates may lead to unexpected problems and can interrupt business processes.
Generally, business asset owners prefer non-working hours for patch updates.
Q. 3
Explanation: A security manager should primarily focus on the key controls to reduce risks and
protect information assets. Role-based control may be one of the key control areas. Focusing only on
financial applications is not as justifiable as the protection of other data (for example, customer data
may be equally critical). Key controls need not necessarily be only preventive controls.
Q. 4
Explanation: A security program should be integrated with the processes of other departments, such
as IT, audit, risk management, quality assurance, and HR. This helps to improve the overall
effectiveness of the security program. The most important aspect is integration with IT processes. For
instance, automated controls are considered more effective than manual controls and are generally
driven by the IT department. Also, IT is responsible for the implementation and operations of
information processing systems. The other options are secondary aspects.
Q. 5
Q. 6
Explanation: For any new IT project, the security department should be involved right from the
feasibility stage until the project completion stage. In fact, the security department should be
involved throughout all SDLC phases. Security considerations affect feasibility. Thus, involving the
security team only in the later stages may not be an effective and efficient strategy.
Q. 7
Explanation: Access should be provided on a need-to-know basis, that is, according to the business
needs. The other options are not justifiable if users do not require data to perform their duties.
Q. 8
Q. 9
Explanation: A security manager should be well versed in IT in order to make informed decisions
about technology risks. Technology knowledge will help the security manager understand IT issues
and help them achieve adequate information security. A security manager is not expected to
implement IT technology or adhere to the IT budget.
Explanation: An early response time helps to minimize the impact of the incident. Hence, to
determine the effectiveness of an incident response team, the best indicator is the reduction of the
average response time per incident. The other options are not direct indicators of the effectiveness of
an incident response team.
Q. 2
Explanation: Defined objectives can be used to measure the effectiveness of the information security
program. The success of the program is determined based on the achievement of the security
objectives. The other observations are secondary aspects.
Q. 3
Explanation: Program metrics measure how well a process is doing in terms of achieving its goals
and objectives. A defined metric helps to measure the current state of different security objectives.
This trend can be used to determine the improvement in a security program over time. If an
organization is unable to take measurements over time that provide data regarding the key aspects of
its security program, then continuous improvement is difficult to monitor. The other options are
secondary aspects.
Q. 4
Explanation: A metric should be meaningful to the recipient and should provide the basis for sound
decision-making. Unless it is meaningful to the recipient, all other attributes are of no use.
Q. 5
Explanation: The main objective of implementing security controls is to minimize the adverse
impacts of incidents. A reduction in impacts from security incidents indicates that security controls
are effective. The other options do not directly indicate the effectiveness of security controls.
Q. 6
Explanation: Security metrics measure how well a process is doing in terms of its goals and
objectives. A well-defined metric helps to measure the current state of different security objectives.
This trend can be used to determine the improvement in the security program over time. The other
options are secondary aspects.
Q. 7
Answer: A. Trends showing the number of servers compliant with security requirements
Explanation: Trends in the number of security-compliant servers indicate the effectiveness of the
information security program better than standalone counts do. Trends in the number of patch updates
would be less relevant as they depend on the number of vulnerabilities. A high patch update rate will
not necessarily indicate the effectiveness of a security program.
Q. 8
Q. 9
Answer: C. Design
Explanation: Security metrics are developed during the design phase of system development.
Metrics should be developed before the testing and implementation phases. The feasibility stage is
too early for the development of security metrics. In the feasibility phase, the possibility of
implementing a project is determined.
Q. 10
Explanation: Adverse incident trend reports indicate the impact on business objectives. Security
incidents occur because either a control failed or there was no control in place. This will be taken
seriously by management to fund the appropriate budget for information security. The other options
are secondary aspects.
Q. 11
Explanation: A metric should be meaningful for the recipient and should provide a basis for sound
decision-making. Unless it is meaningful to the recipient, all other attributes are of no use. The other
options are secondary aspects.
Q. 12
Q. 13
Explanation: Providing reports to executive management will create performance pressure on the
business units. This will motivate them to address the non-compliant areas at the earliest opportunity.
The other options are secondary aspects.
Q. 14
Explanation: In the absence of a consistent method, the results of the metrics can be incomparable,
and trends can be misleading. Consistency is important to have reasonably accurate and reliable
results. It is not practical to simply exclude qualitative risks because of difficulties in measurement.
Developing cost-effective processes and considering investment amounts as profits are not relevant to
the calculation of RoI.
Q. 15
Explanation: The objective of capturing a log is to conduct follow-up investigations for suspected
penetration attempts. Investigation helps to take various preventive and corrective actions. Merely
capturing the logs or generating reports will not serve the ultimate purpose. Hence, the most useful
metric for measuring the success of log monitoring is to determine the percentage of suspected
penetration attempts investigated. If organizations do not investigate and only keep capturing logs,
the ultimate objective of log capturing will not be achieved.
Q. 16
Explanation: Primarily, metrics should be based on the security objectives so they can provide a
useful measure to evaluate the effectiveness and efficiency of the information security program and
its objectives. Avoiding financial and operational risks can be one of the security objectives. Industry
standards may or may not be aligned with the security objectives of the organization.
Q. 17
Q. 18
Explanation: Metrics help measure performance over a period of time. They indicate the trend of
security performance by comparing against the baseline and help identify areas of improvement. The
other options are secondary aspects.
Q. 19
Explanation: Metrics are generally relevant to the owner of the control. Metrics for measuring the
effectiveness of antivirus software are primarily relevant to the information security manager. They
help them determine the current state of a control. If a control is not performing as per expectations,
the security team can investigate and address the issue.
Revision Questions
Q. 1
Explanation: Information asset classification refers to the classification of information assets based
on their criticality to the business. Information assets can be classified as confidential data, private
data, or public data. This classification helps the organization provide the appropriate level of
protection for data. More resources should be utilized for the protection of confidential data
compared to public data.
Q. 2
Explanation: Information asset classification refers to the classification of assets based on their
criticality to the business. Critical assets can have a significant impact in the event of a compromise
compared to less critical assets.
Q. 3
Q. 4
Explanation: Data classification refers to the classification of data based on its criticality to the
business. Data classification is primarily based on inputs from the data owner. Data owners (business
managers) have thorough knowledge and understanding of an asset's impact on overall business
processes. They are in the best position to determine the value of the information assets.
Requirements of the information security policy are generally applicable after the classification of
assets. The level of protection is determined on the basis of classification and not the other way
around as indicated in option C.
Q. 5
Explanation: Information asset classification refers to the classification of assets on the basis of their
criticality to the business. Assets are then protected in proportion to their criticality. Assets can be
classified as confidential data, private data, or public data. This classification helps the organization
provide the appropriate level of protection for the assets. More resources should be utilized for the
protection of confidential data as compared to public data.
Q. 6
Explanation: The classification of an asset is generally based on its business value, that is, the
impact on the business if the asset is compromised. From the risk management perspective, an asset
is generally valued on the basis of its business value and not merely on the basis of simple acquisition
or replacement costs. Business value is measured in terms of revenue loss or other potential impacts
when an asset is compromised. For example, suppose software is acquired at a cost of $1,000 and
generates a revenue of $5,000 in a single day. Its business value will be $5,000 per day and not
merely its acquisition cost.
Chapter 6: Information Security Program Management
Explanation: Corrective controls are implemented to reduce the impact once a threat event has
occurred. They facilitate the quick restoration of normal operations. Examples of corrective controls
include the following:
Business continuity planning
Backup procedures
Q. 2
Explanation: The data custodian is required to provide and implement adequate controls for the
protection of data. The data owner is required to classify the level of protection required for their
data.
Q. 3
Explanation: The most effective method to identify and remove an application backdoor is to
conduct a review of the source code. The other options will not be as effective.
Q. 4
Explanation: The purpose of a deterrent control is to give a warning signal to deter or discourage a
threat event. When employees sign an acceptable use policy, they are made aware of the
consequences of not adhering to it. This acts as a deterrent control. Two-factor authentication will not
be able to prevent the activities of authorized users. Internal audits and log capturing are used after
the fact (detective control) and may not be effective to prevent the event.
Q. 5
Answer: C. Performing a network address translation
Explanation: External security threats can be prevented by the use of network address translation, as
internal hosts have non-routable internal addresses. The other options are not as effective.
Q. 6
Explanation: A policy is a high-level statement indicating the intent of management. With respect to
backups, the policy will include the criteria for data backup. These criteria will help the user
determine which data is to be considered critical and accordingly the frequency at which data
backups should be taken. The other options are generally included in procedure documents.
Q. 7
Explanation: System specifications, with respect to the type of access control and encryption, are
considered in the system design specification. The feasibility phase includes a cost-benefit analysis of
system development. In the procedural design phase, structured components are converted into
procedural descriptions. The software development stage would be too late as in this stage, the
system is already being coded.
Q. 8
Explanation: Degaussing is the best way to erase data from a tape. In the degaussing process, an
alternating current field is increased gradually from 0 to a maximum value and again reduced to 0,
thus leaving a very low residue of magnetic induction on the device.
This is known as demagnetization or degaussing. The other options are not as secure. Multiple
overwriting and erasing of the tape are not fool-proof methods of removing data. Burning the tape
will physically destroy it, so it cannot be reused.
Q. 9
Explanation: With respect to database security, a native audit refers to the use of tools and
techniques that help the administrator perform an audit of database activities. However, enabling a
native audit may lead to performance degradation of the database. This is a major concern. The other
options are less significant.
Q. 10
Answer: A. Degradation of performance
Explanation: Enabling an audit log function may create a burden on database processing, which may
result in a degradation of the database's performance. The more elaborate the logging becomes, the
slower the performance will be. It is important to strike a balance. The other options will not be
impacted by enabling an audit log function.
Q. 11
Explanation: The prime objective of a corrective control is to reduce the impact of an event once it
has occurred and to ensure restoration to normal operations.
The process of diverting the incoming traffic helps correct the situation and hence it is a corrective
control. Filtering network traffic is a preventive control. Auditing and logging are detective controls.
Q. 12
Explanation: Application controls are controls implemented for a particular application, whereas
general system controls are implemented for the overall environment. An application is protected by
a combination of application as well as general controls. When general controls are weak, more
emphasis is to be placed on application-level controls. Detective, preventive, and corrective controls
exist at both the general and the application levels.
Q. 13
Answer: A. The activity of the system administrator should be monitored by a separate reviewer.
Explanation: The activities of a system administrator should be monitored to ensure that their
performance is in accordance with the information security program. Monitoring by a third party will
be more effective than a self-audit. It is not necessary for the monitoring to be done by a member of
the security team. The steering committee is not involved in routine monitoring.
Q. 14
Explanation: Controls can be designed to either fail closed or fail open. For example, in case of the
failure of an automatic door, an organization can opt for fail open (the door remains open) or fail
closed (the door remains closed). In case of fail open, confidentiality and integrity may be
compromised, and in case of fail closed, availability and safety may be compromised. In such a
situation, the risk is determined for each element and a decision is made accordingly.
Q. 15
Explanation: Failure modes describe the mode in which the controls operate in cases of failure, that
is, whether a control fails open or fails closed. The failure mode of the control impacts safety,
confidentiality, and availability. For example, in case of the failure of an automatic door, an
organization can opt for fail open (door should remain open) or fail closed (door should remain
closed). In case of fail open, confidentiality and integrity may be compromised, and in case of fail
closed, availability and safety may be compromised. In such a situation, the risk is determined for
each element and a decision is taken accordingly.
Q. 16
Answer: D. To verify the sender's identity and determine whether orders are in accordance with the
contract terms
Explanation: In an EDI environment, there are primarily two challenges with respect to the receipt
of an order. The first challenge is to ensure that an order received is from a trusted partner and the
second is to ensure that the order quantity is correct. Hence, a control should be available for the
verification of the sender's identity and to determine the correctness of the order quantity. The other
options will not be as effective.
Q. 17
Explanation: Segmentation refers to dividing a network into parts. Segmentation limits the
consequences of an attack by constraining the scope of impact. Segmentation by itself does not
reduce vulnerability, but may result in complex administration, and is not implemented primarily to
support the data classification scheme.
Q. 18
Explanation: While implementing any framework, policy, or control, the most important
consideration is the safety of human life. The other options are secondary aspects.
Q. 19
Explanation: Control design and development is the prime activity in the development of an
information security program. Most program development activities will involve designing, testing,
and implementing controls. The other options are secondary aspects.
Q. 20
Answer: A. In areas where incidents may have a high impact and high frequency
Answer: C. It helps to define the minimum acceptable security required across the organization
Explanation: A baseline refers to basic requirements. A security baseline refers to the minimum
basic requirement for an organization's security.
Establishing a security baseline across the entire organization will help to ensure that controls are
consistently applied in accordance with acceptable risk levels.
Q. 2
Explanation: A security baseline refers to the minimum basic requirement for an organization's
security. The objective of implementing a security baseline throughout the organization is to ensure
that controls are consistently implemented as per the acceptable risk levels. The other options do not
directly address compliance with the information security policy. Frequent user awareness training
need not necessarily ensure compliance.
Q. 3
Q. 4
Answer: C. A baseline
Explanation: A baseline describes basic requirements. A security baseline refers to the minimum
basic requirement for an organization's security. The objective of implementing a security baseline
throughout the organization is to ensure that controls are consistently implemented as per the
acceptable risk levels. Procedures determine the detailed processes but do not include configuration
requirements. Guidelines are not mandatory in nature. Policies are high-level statements indicating
management's intent but do not include details about configuration requirements.
Q. 5
Answer: B. To prepare baseline requirements for all locations and add location-wise supplementary
standards as per the local requirements
Explanation: The most effective and efficient method in this scenario is to determine a baseline
standard and then add additional requirements as per the local needs. Mandating all locations to
follow all requirements will place an undue burden and may also result in contradictory requirements.
Letting each location decide on its own requirements may cause the failure of some corporate-level
compliance requirements. Hence, deciding on a baseline is a must.
Q. 6
Explanation: A security baseline refers to the minimum basic security requirements for a specific
group of applications. It helps to establish a uniform security standard for system hardening. The
other options are secondary aspects.
Explanation: Human resources should primarily aid in creating awareness about the information
security requirements of the organization. Recruitment is a secondary factor. Budget allocation and
risk assessment may not be the responsibility of the human resources department.
Q. 2
Answer: A. To customize the content of the program as per the target audience
Explanation: The most effective way to increase the effectiveness of the training is to customize it as
per the target audience and to address the systems and procedures applicable to that particular group.
For example, a system developer needs to undergo an enhanced level of training covering secure
coding aspects, while data entry operators can be trained on the security aspects related to their
functions. The other options are secondary aspects.
Q. 3
Explanation: Frequent security awareness campaigns are the best way to improve an organization's
security culture. The other options are secondary aspects.
Q. 4
Answer: C. What employees should or should not do in the context of their job responsibilities
Explanation: An awareness program will be more relevant if it is customized to include the dos and
don'ts of the job responsibilities of employees. A security awareness program should focus on
employee behavior and its impact on the organization's security posture. The other options are
secondary aspects.
Q. 5
Explanation: The most effective method is to create awareness through the use of logon banners. A
security message will be displayed every time the user logs on, and they will be required to read and
agree to the message before access is granted. This will help to enforce the security requirements
throughout the organization. The other options are not as effective.
Q. 6
Explanation: Security awareness training should be completed before the new joiner is given access
to data. They should be aware of the secure data handling process.
Q. 7
Explanation: Frequent awareness training efforts can influence the behavior of employees from a
security perspective. It helps employees make security-conscious decisions and take security-conscious actions.
Q. 8
Explanation: The security manager should design some quantitative evaluation criteria to determine
the understanding level of the user, for example, a quiz or other type of assessment that is
measurable. The other options are secondary aspects.
Q. 9
Explanation: The methodology helps you to understand the process and formulae for the assessment.
It is the most important element in the selection of a consultant. The other options, though important,
are not as significant.
Q. 10
Explanation: A top-down approach means that commitment to the success of the security awareness
program comes from the senior management level. Support from senior management will ensure
enough resources are provided for the program's success. The other options, though important, are
not primary success factors.
Q. 11
Explanation: Periodic education and training is the most cost-effective method to improve the
security awareness of employees. The other options will not be effective in the absence of user
education and training.
Q. 12
Explanation: The information security program is generally managed by the information security
department. Security awareness training and materials are part of the information security program.
Q. 13
Explanation: In the absence of structured security awareness training, the other components of the
program may not be effective.
Q. 14
Q. 15
Explanation: The most effective method is to continuously reinforce the security policy and
management expectations of the behavior of the employees. The other options are not as effective.
Q. 16
Explanation: The best way to increase the effectiveness of the training is to customize the training as
per the target audience and to address the systems and procedures applicable to that particular group.
For example, a system developer needs to undergo an enhanced level of training that covers secure
coding aspects, while data entry operators can be trained on security aspects related to their functions.
Q. 17
Explanation: The prime objective of security training is to influence the behavior of the employees
and thereby reduce the likelihood of information security incidents. Although compliance with the
information security policy is important, the objective of security training is to influence the cultural
and behavioral elements of information security. The other options are secondary factors.
Q. 18
Explanation: A structured and well-defined security awareness training program will help to build a
favorable environment for secure business processes. The other options are secondary factors.
Q. 19
Answer: B. Calling back the branch number listed in the office phone directory
Explanation: The best way to authenticate the caller is to call back the branch number listed in the
office phone directory. The recipient should not use any phone number or email address provided by
the caller. Once the call has been reasonably verified, the information may be provided to the caller.
The other options are not as effective.
Q. 20
Explanation: An SLA defines the level of service expected from a vendor and includes the other
options, such as penalty clauses, indemnity clauses, and the right to terminate.
Q.2
Explanation: To conduct independent assessments of the service provider, it is critical that a right-to-
audit clause is included in the contract. In the absence of this clause, a service provider may not allow
the auditing of their processes. The other options depend upon the nature of the services outsourced
and should be evaluated during the audit.
Q.3
Answer: C. Whether the service provider is contractually obliged to follow all relevant security
requirements.
Explanation: In the absence of contractual liability, the security manager will not be able to ensure
compliance with security requirements by the service provider. Contractual obligations help both
parties to commit to the contract. Adherence to the budget and obtaining industry references is the
responsibility of the business unit and not the security manager. The availability of a business
continuity arrangement is a secondary aspect.
Q.4
Explanation: Frequent audits and security reviews of the third-party service provider are the best
way to ensure an appropriate security arrangement on an ongoing basis. Including security
requirements in the service contract is important but it does not help to ensure ongoing effectiveness.
Security training and increasing contract rates are secondary aspects.
Q.5
Answer: A. An access control matrix
Explanation: The required level of an access control matrix (discussed in Chapter 7, Information
Security Infrastructure and Architecture) should be included in the SLA to ensure the confidentiality
of data. The other options are generally not included in an SLA.
Q.6
Answer: C. The contract should mandate that the service provider complies with the organization's
security requirements
Explanation: A security manager can enforce security requirements only if a contract mandates
compliance with the information security policy. A confidentiality clause and a security audit should
be part of the security requirements. The contract rate is required to be approved by business
management, not by the steering committee.
Q.7
Answer: A. The security arrangement for stored and transmitted sensitive data
Explanation: As the third party is involved in handling sensitive customer data, the primary
consideration for the security manager is to determine the security arrangement for the storage and
transmission of sensitive data. The other options are secondary aspects.
Q.8
Explanation: The most effective method is to ensure that the requirements are included in the
contract. This will help to enforce those requirements. The other options are secondary aspects.
Q.9
Explanation: The best control to monitor the services of the third-party service provider is to
conduct periodic audit reviews of the provider. The other options are not as effective. An audit will
help to determine the level of actual compliance with the security requirements.
Q.10
Explanation: The role of the security manager is to ensure that appropriate controls are included in
the contract. In the absence of a well-defined contractual agreement, the organization cannot enforce
security requirements. The right to audit is one of the controls to be included in the contract.
Operational issues and the contract rate are not within the purview of the security manager.
Q.11
Answer: C. Implement a firewall to restrict network traffic from the trading partner's location
Explanation: The best way to continue the business relationship and at the same time address the
risk is to set up firewall rules restricting network traffic from the trading partner. Options A and D
will not prevent security incidents. Option B is not feasible considering business requirements.
Q.12
Explanation: The most important step is to conduct a risk assessment to identify the risks and
determine the required controls. A background check of the service provider's employees is the
responsibility of the service provider. Audits and security assessments are carried out subsequent to
risk assessment.
Q.13
Explanation: The most important aspect is the right to conduct an independent security review of the
third-party service provider. This will help the organization determine the service provider's security
posture. The other options are secondary aspects.
Q.14
Explanation: It is important to get the information security manager involved right from the
beginning when the requirements are being established. The security requirements should be
considered at the time of bids and other negotiations with the third party.
Q.15
Explanation: The most effective method is to limit access to the extent required for the user to
perform their job. User authentication by way of two-factor authentication and biometric controls is
important, but once access is granted, the users should have only specific rights.
Q.16
Explanation: The most important aspect is to ensure compliance with the organization's information
security requirements. Authentication and alternate processing sites will already be included in the
organization's security requirements. Compliance with international standards is a secondary aspect.
Q.17
Explanation: An RFP (request for proposal) is a process of requesting technical details and costs for the proposed project. The
budget is generally finalized based on the proposals received from the service providers. Project feasibility and
business cases are initial steps to decide whether a project should be implemented or not.
Q.18
Explanation: After the contract has been signed, the next step will be to ensure that continuous
service provider monitoring is established. This will help to control and monitor the activities of the
service provider and irregularities, if any, can be addressed immediately. All the other options are
actions taken prior to signing the contract.
Q.19
Answer: A. Assurances that the third party will comply with the requirements of the contract
Explanation: The service provider is required to provide assurance about compliance with the
requirements of the contract. One of the methods to do this is through independent security audit
reports. Awareness training and background checks may be among the requirements of the contract.
A review of contracts and policies is important, but it does not assure compliance.
Q.20
Explanation: Privacy is the right of the individual to demand the utmost care of any personal
information that they have shared with any organization or individual. Individuals can demand that
the use of their information be appropriate, legal, and only for the specific purpose for which the
information was provided. Non-compliance with privacy requirements may lead to legal
consequences. The other options are secondary aspects.
Q.2
Explanation: The security framework and security policy should closely align with organizational
needs. Policies must support the needs of the organization. The other options are secondary aspects.
Q.3
Explanation: Before implementing the security framework and policy, sign-off should be obtained
from all relevant stakeholders to ensure that the policy supports the objectives and expectations of the
business. The other options are secondary aspects.
Explanation: The responsibility for raising awareness of the need for sufficient funds for security initiatives
resides with the information security manager. Even though the chief information officer, business
process owner, and chief audit officer do play important roles in the final approval of funds, the
information security manager has the ultimate responsibility for raising awareness of the need for adequate
security funds.
Q.2
Explanation: When funds are inadequate, the best option is to allocate the available resources to
those areas of highest risk and, at the same time, to educate management about the potential impact
of underfunding. The other options are secondary factors.
Q.3
Explanation: The most important aspect is to ensure that the scan process does not interrupt the
production process. There is no harm in using industry-recognized open source tools. A scan should
concentrate on all servers within the network because if any of the servers is compromised, then the
entire network will be in danger. Adherence to the budget is not a major concern.
Q.2
Explanation: The security steering committee consists of senior officials from different business
functions. It plays an important part in the finalization of security requirements. The security steering
committee is in the best position to support the establishment of an information security program.
Q.3
Explanation: New attack patterns are introduced almost on a daily basis. If signature files are not
updated daily, the organization could be exposed to new types of attacks. The other options are not
effective.
Q.4
Explanation: The effectiveness of antivirus software depends on virus definition files. If definitions
are not updated on a frequent basis, antivirus software will not be able to control new types of
attacks. The other options are secondary aspects.
Q.5
Q.6
Explanation: Installing protective switch covers will help reduce instances of an individual
accidentally pressing the power button and shutting down the system. A redundant power supply will
not prevent accidental system shutdowns. Shutdown alarms will come on after the event. Biometric
readers are generally used for granting access to a system and not for switching on/off the power.
Q.7
Explanation: The role of a steering committee is to ensure that the security initiatives are in harmony
with the organization's mission and objectives. A steering committee monitors and facilitates the
deployment of security resources for specific projects in support of business plans. Senior
management and representatives from IT, business management, human resources, information
security, and so on should make up the steering committee.
Q.8
Q.9
Explanation: If a computer is infected with a Trojan program, the attacker can take full control of the
system and hijack, copy, or modify the information after authentication is completed by the user. An
IP address is not used for authentication and hence IP spoofing will not work. Secure Sockets Layer (SSL) along
with a digital certificate will prevent a man-in-the-middle attack. A digital certificate will prevent the
risk of repudiation.
Q.10
Q.11
Explanation: The primary driver for taking advantage of the services of an external resource is that it
helps to contribute cost-effective expertise that is generally not available internally. The other options
are secondary factors.
Q.12
Explanation: The responsibility for determining the appropriate level of classification resides with
the data owner. In this case, the finance department is the owner of the accounting data and hence the
finance department should determine the level of classification for the server.
Q.13
Explanation: The best way is to only allow read-only access for the module. The developer should
not have the right to modify or download the base data. The other options will not be as effective as
read-only access.
Q.14
Explanation: The most effective way to optimize the security program is to embed the security
processes into the operational processes. The involvement of the operational units is of utmost importance
to ensure that the security process is accurate and functional.
Q.15
Explanation: The system programmer should not have the privilege to update the access control list
as it enables them to have unlimited control over the system. The data owner, the data custodian, or
the security administrator may be required to carry out updates of the access control list as per their
defined job responsibilities.
Q.16
Answer: B. Log all of the application programmer's activity for a review by their manager.
Explanation: The best way to mitigate the situation is to capture a log of the programmer's activities,
which needs to be reviewed by their manager. This will help to detect any inappropriate action on the
part of the application programmer. The other options will not be as effective.
Q.17
Explanation: The most important step is to remove all logical access provided to the employee.
Upon termination, the employee should not be able to access the organization's data. Taking back the
identity card and laptop does not prevent the employee from logging in from external machines.
Deleting the employee's files needs to be considered after analyzing the nature of the data.
Q.18
Explanation: The primary objective of documenting the security processes is to ensure that they are
repeatable and sustainable. This helps to ensure that the security processes are performed correctly
and consistently.
Q.19
Explanation: The objective of a process document is to support users in ensuring that the process is
followed in a consistent and correct manner. The most important aspect that should be included in a
cryptography process document is the circumstances in which cryptography should be used. The
other options are generally automated and system driven, so users may not need to be involved much.
Q.20
Explanation: Risk assessment is not a one-time activity. It should be conducted at every stage of the
newly implemented process for the most effective result.
Answer: C. A notification about what the company will do with the information it collects
Explanation: Generally, all privacy laws mandate the disclosure of how information collected will
be used. The privacy budget is generally not included in a privacy statement. Notifications about the
accuracy of information are included in the website disclaimer. Information classification is not part
of a privacy statement.
Answer: B. Verify a copy of independent security reviews or audit reports for the cloud service
provider
Explanation: The best way to evaluate a provider is to obtain and verify independent security
reviews or audit reports of the company. The other options are not sufficient in themselves to verify
the physical security arrangements.
Q.2
Answer: D. The contract should restrict the movement of data within the territory allowed as per the
relevant law or regulation.
Explanation: It is very important to validate and verify whether the regulations of the locations
(where the infrastructure is located) are aligned with the enterprise's requirements. A contract should
include terms to restrict the movement of assets within approved locations. The other options are
comparatively less important.
Q.3
Answer: A. Clarity with respect to data ownership, data custody, and IPR-related requirements
Explanation: It is very important that the contract has proper clarification with respect to data
ownership, data custody, and intellectual property rights (IPR)-related requirements.
Q.4
Explanation: The most important concern about the storage of personal data in a cloud environment
is unauthorized access by competitors. Data leakage may have serious consequences.
Q.5
Explanation: The most important items to consider are legal requirements, laws, and regulations.
The other options are comparatively less important.
Q.6
Answer: B. Private cloud
Explanation: A private cloud is considered the most secure deployment method as it can be
controlled and centralized by the organization.
Q.7
Explanation: The main benefit of cloud computing is flexibility in obtaining the storage and
bandwidth capacity as per the business requirements. This is very difficult to manage in a locally
hosted environment. End user training is required irrespective of whether it is a cloud or local
environment. Encryption and access control can be established in both local and cloud environments.
Revision Questions
Q.1
Explanation: Ethics training is important for all employees but is primarily useful for employees
engaged in monitoring activities as they have access to sensitive corporate and personal information.
Ethics training includes guidance on appropriate legal behavior to reduce corporate liability and
awareness of data privacy and ethical behavior.
Q. 2
Explanation: Residual risk refers to the risk that remains after controls are implemented. The
objective of an awareness program is to improve the controls and reduce vulnerability, which thereby
reduces the residual risk. The other options are not primarily influenced by a security awareness
program.
Q. 3
Answer: A. To promote the advantages of a good security culture through influential people
Explanation: Influential people in the organization are usually employees with substantial authority
and who have a greater interest in promoting the security culture. They act as ambassadors for the
security culture within their department and can bring significant change across the entire
organization's culture. The other options are not as effective.
Q. 4
Answer: D. The possibility of disclosure of sensitive data in transit or storage
Explanation: A primary area of concern is the disclosure of sensitive data, which may lead to
regulatory, financial, as well as reputational loss. Generally, cloud storage is cost-effective. The
unavailability of proper training and network problems are secondary aspects.
Q. 5
Explanation: The first step is to conduct a risk assessment to determine the level of risk involved in
providing access to a third-party service provider. The other options are covered in the risk
assessment process.
Q. 6
Explanation: The absence of a right-to-audit clause would prevent an organization from determining
the security arrangements of the service provider. The organization would not have any assurance
about contractual and legal compliance from the service provider. The other options are not as
significant as the right-to-audit clause.
Q. 7
Answer: D. Whether the service provider meets the organization's security requirements on an
ongoing and verifiable basis
Explanation: From a security perspective, the most important consideration is the service provider's
capability to meet the organization's security requirements. The other options are secondary aspects.
Q. 8
Explanation: It is very difficult to determine the culture of another organization. The incompatible
culture of a third-party service provider poses a high risk for any organization. Employees with
different cultures often have different perspectives on data privacy. Sometimes, the perspectives of
the employees may not be consistent with the organization's requirements. Employees from different
cultures may have different perspectives on what information is considered sensitive or confidential
and how such information should be handled.
Q. 9
Answer: A. Ensure that the security requirements included in the service agreement meet the current
business requirements
Explanation: The first step is to ensure that current business and security requirements are included
in the service agreement. As the service agreement has not been significantly revised in 5 years, it is
possible that the third-party service provider is not aware of the current requirements of the
organization. If requirements are not included in the service agreement, even compliance with the
service agreement, a heavy penalty, and automatic monitoring will not be meaningful.
Q. 10
Explanation: It is easy to assign ownership of and accountability for an operational issue if roles and
responsibilities are properly defined in the SLA. If there are any concerns, it is most important to
identify the owner of responsibility. This helps to determine the next action to be taken. The other
options are secondary aspects.
Q. 11
Explanation: From a security perspective, the most important consideration is the service provider's
capability to meet the organization's security requirements. The security manager is generally not
concerned about the contract rate. Application availability and alternate site processing will already
be included in the organization's security requirements.
Q. 12
Explanation: The best security measure when a third party is engaged in application development is
to conduct a security code review for the entire application to detect all the malware, including
backdoors.
Q. 13
Answer: A. Discuss the finding with the marketing manager to evaluate the risk and impact
Explanation: The first step for the security manager is to discuss the finding with the marketing
manager and determine the risk and impact of such an act. Input from business unit management is
very important in deciding the next step. The findings should not be directly highlighted to the audit
committee without understanding the risk and impact. The other options are subsequent actions.
Q. 14
Q. 15
Explanation: Most of the critical processes and data of the organization are generally handled by the
operations department. This department has first-hand knowledge of the organization's processes and
responsibilities and will help to ensure that written procedures are sound, repeatable, and sustainable.
Q. 16
Explanation: Content filtering is the best tool to address the issue as it has the ability to examine the
content of an attachment and prevent any information containing certain words or phrases from being
sent out of the organization. Encryption will not be effective because it does not prevent confidential
information from going out. In fact, the content filtering tool will not be able to read encrypted
information. Email audit and security training will not be as effective.
Chapter 7: Information Security Infrastructure and Architecture
Explanation: Just as conventional architecture defines the rules and standards for the construction of
buildings, information security architecture addresses the design and implementation of the security
posture of the organization. An architecture helps to integrate the different components of
information security in an effective manner. A security architecture also defines minimum levels of
security for the infrastructure.
Q. 2
Explanation: The prime objective of the security architecture is to support business objectives and
goals. The other options are secondary factors.
Q. 3
Explanation: Information security architecture supports the design and implementation of the
organization's security posture, just as traditional architecture specifies the guidelines and standards
for building construction. An architecture helps in the efficient integration of the various information
security components.
Explanation: An effective termination process is one of the most important aspects of the
information security process. Terminated employees may use their active credentials to access the
system or data for unauthorized activities. Therefore, it is of utmost importance to ensure timely
revocation of all access of the terminated employee. The other options are not as effective at
preventing this type of situation.
Q. 2
Explanation: The responsibility to implement and maintain the required level of security for a
specific business application resides with the business process owner. Process owners have thorough
knowledge of the business needs and security requirements for the business application for which
they are responsible.
Q. 3
Explanation: The data owner is responsible for determining the extent of application security
required for their data. Data owners have thorough knowledge of the business needs and information
security requirements for their systems and processes. The other options are the responsibility of the
system administrator.
Q. 4
Explanation: In a phishing attack, an attacker acts as a trusted entity and tries to lure the victim to
part with confidential information. The best method to address the risk of phishing is to conduct
periodic awareness training with the users. Educating users will help to address the risk of visits to
untrusted websites or email links. The other options will not be as effective.
Q. 5
Explanation: The area of most concern will be the locally managed file servers as they are not
subject to centralized oversight and monitoring. The other options are subject to close scrutiny and
monitoring.
Q. 6
Explanation: A backup of the infected file will increase the spread of the infected code. It will then
become difficult to eradicate the malicious code. The other options do not significantly increase the
level of difficulty.
Q. 7
Answer: B. Conducting periodic security awareness programs
Explanation: In a social engineering attack, an attacker acting as a trusted entity lures a victim into
opening an email. Security awareness training is the best method to address the risk of social
engineering attacks such as phishing. Educating users will help to address the risk of visits to
untrusted websites or email links. The other options are secondary aspects.
Q. 8
Explanation: Change management is the best way to ensure that modifications made to systems do
not introduce new security exposures. System users will be in the best position to conduct user
acceptance testing and determine whether the change in the system has introduced any new exposure.
Q. 9
Explanation: Using the steganography technique, secret data is hidden in an ordinary file or image to
avoid detection. An ordinary file or image is sent to the recipient along with secret data. For highly
confidential data, an organization generally uses this kind of technique to protect the data from any
third party. The benefit of using steganographic techniques compared to an encryption technique is
that the existence of the message is itself unknown.
A steganographic technique does require a key to view the hidden message, can be sniffed, and does
not impact traffic reliability.
Q. 10
Explanation: Middleware is software that acts as a link between the operating system and
applications. It has the capability to provide additional services to applications that are not provided
by the operating system. Some examples of functions handled by middleware are data management,
application services, messaging, and authentication. The major risk associated with middleware is
that data integrity may be adversely affected if the middleware is corrupted. The other options are not
relevant.
Q. 2
Explanation: Administration rights can entitle temporary staff with unlimited access privileges.
Temporary staff should not be assigned any administrative roles that can provide them with
privileged rights. Administrative access rights, if misused, can have a huge impact on the
organization. The other options are secondary aspects.
Q. 3
Explanation: MAC rules are governed by an approved policy. Users or data owners cannot modify
the access rules. Mandatory access control helps to control access on the basis of the security
classification of the file. This prevents users from sharing files with unauthorized users. The other
options are not as effective as MAC for the prevention of file sharing.
Q. 4
Explanation: The most effective method is to restrict the drive allocation. This will prevent any users
from allocating a USB drive on their system. Furthermore, a user will also be unable to attach a
compact disc writer as this would not be recognized by the operating system. Disabling the USB port
may not be practical as mice and other peripherals depend on these ports. Role-based access or
periodic training will not be able to prevent users from copying files.
Q. 5
Explanation: RBAC is a control technique to allow access to only authorized users. In RBAC,
access is allowed on a need-to-know basis. RBAC helps to simplify the security administration for
large organizations with thousands of users and multiple permissions. Other options will not be as
effective as role-based access control.
Q. 6
Answer: B. Implementing role-based access control
Explanation: Role-based access control is considered the most effective method to implement SoD.
It requires defining the roles and corresponding access requirements. Access is provided on the basis
of the roles. The other options do support the proper implementation of SoD but are not as effective.
Q. 7
Explanation: RBAC is a control technique that allows access to only authorized users. In RBAC,
access is allowed only on a need-to-know basis. RBAC helps to simplify the security administration
for large organizations with thousands of users and multiple permissions. Due to administrative
convenience, RBAC is considered the most cost-effective method compared to the other options.
Q. 8
Answer: B. Role-based
Explanation: RBAC allows access to authorized users only on a need-to-know basis. RBAC helps to
simplify the security administration for large organizations with thousands of users and multiple
permissions. The other options are not as effective.
Q. 9
Answer: B. When it ensures that all user activities are uniquely identifiable
Explanation: The main objective of the access control process is to ensure that only authorized users
are granted access. To achieve this, it is very important for user activities to be uniquely identifiable
for accountability purposes. The other options will have no meaning if users are not individually
identifiable.
Q. 10
Explanation: A standard defines the minimum security requirements to be applied for each type of
application. A security manager should ensure that access controls are implemented in line with the
IT security standards.
Q. 11
Explanation: The most effective approach is to provide access to only those employees who are
required to access that data for their function. Access should not be allowed to anyone else. The other
options are secondary aspects.
Q. 12
Explanation: The most common area that exposes the security software to vulnerabilities is access
rules. Major vulnerabilities generally occur when access rules are changed as access may be provided
to undesirable candidates. The other options do not cause significant exposure.
Q. 13
Q. 14
Explanation: RBAC is a control technique that provides access on a need-to-know basis only. This is
a simplified approach where a matrix of work functions along with their corresponding access
requirements is created. RBAC helps to simplify the security administration for large organizations
with thousands of users and multiple permissions. Some components of RBAC, such as role
permissions, make it convenient and simple to allow access to authorized users. RBAC does not
require a specialized team. The factor of authentication is not relevant to RBAC. Using automated
logon scripts for assigning permissions to individual accounts is contrary to the intent of RBAC.
Q. 15
Explanation: The success of the data classification scheme depends on accurate data classification
by users, and for that, it is of utmost importance to create user awareness. Data is not classified on the
basis of its protection level. In fact, protection levels are decided based on the classification. Data is
classified based on its criticality and not on the basis of the possibility of leakage. Data classification
does not require the same level of protection for all types of data. The objective of a data
classification scheme is to ensure that the appropriate level of protection is provided based on the
criticality of data.
Q. 16
Answer: A. To monitor a key risk indicator
Explanation: The difference between logical and physical records indicates the existence of a
discrepancy. A discrepancy can be due to any reason. It can indicate piggybacking, sharing of
passwords, unauthorized logical access, or any other risks. Hence, this monitoring can serve as a key
risk indicator. Tailgating, lapses of the security department, and wrong payments are some of the
risks.
Answer: D. Enforcing a virtual private network (VPN) over the wireless network
Explanation: Deploying a VPN over wireless is the best method to ensure confidentiality. A VPN is
used to secure the wireless network. It provides a platform for remote users to get connected to the
organization's private network. Deploying a wireless intrusion prevention system would not prevent
sniffing of the information. Preventing the broadcast of the service set identifier (SSID) is a good
control; however, it does not prevent sniffing of the information. WEP is a compromised protocol.
Q. 2
Explanation: A VPN is used to extend a private network across the internet in a secure manner. It
provides a platform for remote users to connect to the organization's private network. To enable a
VPN, a virtual point-to-point connection is established through tunneling protocols, with the traffic
encrypted while in transit. VPN technology ensures the safeguarding of critical data traveling through
the internet.
The other options do not impact the confidentiality of data transmission through the internet.
Q. 3
Explanation: A VPN tunnel helps to hide the IP address and encrypt messages, thereby securing the
communication channel. The other options are not relevant for VPN tunneling.
Q. 4
Explanation: The objective of a VPN is to hide data from sniffers. A VPN uses data encapsulation or
the tunneling method to encrypt the traffic payload for the secure transmission of data.
Q. 5
Explanation: A VPN uses data encapsulation or the tunneling method to encrypt the traffic payload
for the secure transmission of the data. A VPN is enabled through either IPSec tunnel mode or IPSec
transport mode. In IPSec tunnel mode, the entire original packet (including its IP header) is
encrypted and wrapped in a new IP header, whereas in IPSec transport mode only the data portion
(the payload) is encrypted and the original IP header remains readable. Mere data hashing and
compression will not ensure data confidentiality. Data diddling is an attack method.
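To make the tunnel-mode versus transport-mode distinction concrete, here is an added example (not code from the book) showing what an on-path sniffer can read in each mode. The packets are plain dictionaries, the host and gateway addresses are assumed, and a keyed SHA-256 keystream stands in for ESP's real cipher; it is not a wire-compatible IPSec implementation.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real security association derives keys via IKE.
KEY = b"constructed-demo-key-not-for-real-use"


def keystream(key, nonce, length):
    """Toy keystream (HMAC-SHA256 in counter mode) standing in for ESP's AES.
    Each packet must use a fresh nonce, as with any stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key, nonce, data):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def transport_mode(key, nonce, packet):
    """ESP transport mode: the original IP header stays in clear; only the payload is protected."""
    outer = {"src": packet["src"], "dst": packet["dst"]}
    return {"outer": outer, "esp": xor_crypt(key, nonce, packet["payload"].encode())}


def tunnel_mode(key, nonce, packet, gw_local, gw_remote):
    """ESP tunnel mode: the whole original packet (header included) is encrypted and
    carried inside a new IP header addressed from gateway to gateway."""
    inner = json.dumps(packet, sort_keys=True).encode()
    return {"outer": {"src": gw_local, "dst": gw_remote}, "esp": xor_crypt(key, nonce, inner)}


def sniffer_view(protected):
    """What an observer on the path learns without the key: the outer header only."""
    return dict(protected["outer"])


def open_tunnel(key, nonce, protected):
    """The receiving gateway decrypts and recovers the inner packet."""
    return json.loads(xor_crypt(key, nonce, protected["esp"]))


def demo():
    # Constructed inner packet between two internal hosts (assumed addresses).
    packet = {"src": "10.1.1.5", "dst": "10.2.2.9", "payload": "GET /payroll HTTP/1.1"}
    transport = transport_mode(KEY, b"nonce-1", packet)
    tunnel = tunnel_mode(KEY, b"nonce-2", packet, "203.0.113.1", "198.51.100.1")
    return sniffer_view(transport), sniffer_view(tunnel)


if __name__ == "__main__":
    transport_seen, tunnel_seen = demo()
    print("transport mode, sniffer sees:", transport_seen)  # internal hosts exposed
    print("tunnel mode, sniffer sees:   ", tunnel_seen)     # only the two gateways
```

In transport mode the sniffer still learns which internal hosts are talking, which is why site-to-site VPNs between gateways use tunnel mode; transport mode is typically used host to host, where the endpoints are the gateways themselves.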
Q. 6
Answer: B. It helps to segregate personal and organizational data while using a remote computer
Explanation: Through VDI, a user can connect to their desktop from a remote location. Users can
connect to virtual desktops from any location with any device. In a VDI setup, all processing is done
on a host server. Also, data is stored in the host server rather than on the device of the user. It helps to
safeguard the data if an endpoint device is lost or compromised.
VDI establishes the segregation of personal and organizational data while using a remote PC. A user
cannot download or copy data from a virtual desktop to their PC. This serves as a control against
unauthorized copies of business data on a user's PC. Remote data wiping is not possible through VDI.
Also, antivirus software is recommended even for a VDI environment.
Explanation: Among the current biometric identifiers, a retina scan is considered to be the most
accurate and reliable identifier with the lowest FAR.
Q. 2
Explanation: An IS manager should be most concerned about FAR as one of the critical performance
indicators. FAR poses the risk of unauthorized access to the systems as unauthorized users are
granted access.
Q. 3
Q. 4
Explanation: EER is the rate at which the FAR is equal to the FRR. A biometric system with the
lowest CER or EER is the most effective system. A biometric system with the highest CER or EER is
the most ineffective system.
Q. 5
Explanation: The FAR, FRR, and CER are the three main accuracy measures for a biometric control.
The other options are more related to performance measures.
Q. 6
Explanation: FAR is the rate of acceptance of unauthorized persons, that is, the rate at which the
biometric device provides access to unauthorized people. For critical systems, the FAR should be nil
or very low. In cases of a high FAR, the biometric control may not be considered effective. CER is
generally used when two systems are compared. In general, the lower the EER value, the higher the
accuracy of the biometric system.
Q. 7
Answer: C. Transit data between a biometric device and control server is not encrypted.
Q. 8
Explanation: The process of biometric control starts with the enrollment of users, which is followed
by storage, verification, identification, and termination. The first step is to get the users enrolled in
the device. The enrollment process involves the iterative process of getting the user's sample,
extracting the data from the sample, validating the data, and developing a final template that is stored
and used subsequently to authenticate the user.
Q. 9
Answer: B. Iris scan
Explanation: Among all the options, an iris scan is the most reliable for authentication. An intruder
would find it very difficult to duplicate an iris scan for bypassing the biometric controls. The other
options are not as reliable.
Q. 10
Explanation: Among all the options, the most reliable control is the fingerprint scanner. A
fingerprint is a biometric control, which is very difficult to break. It is very difficult for an intruder to
duplicate a user's fingerprint. As no two fingerprints are alike (very rare chance), authentication can
be done with confidence. The other options are not as reliable.
Q. 11
Explanation: In a replay attack, an attacker makes use of residual biometric characteristics (such as
fingerprints left on a biometric device) to gain unauthorized access.
Q. 12
Q. 13
Q. 14
Explanation: In a brute-force attack, an attacker sends numerous biometric samples with the
objective of making the biometric device malfunction.
Q. 15
Answer: B. Require the enrollment of all users that access the critical server
Explanation: To set up a biometric control, relevant users need to enroll themselves by registration
of their biometric features. Choices A and D are incorrect, as the risk of false acceptance as well as
the FRR cannot be eliminated completely. Option C is not correct as a biometric reader is not
required to be protected by a password.
Q. 16
Explanation: A biometric device can generally be tuned in the following three ways:
High FRR: This is the most stringent access control. Here, the biometric matching criteria are set
extremely high, and in a few cases even valid users are rejected. However, overall, it provides good
protection for critical databases.
High FAR: Here, access control is not rigorous. Biometric matching criteria are set at a low level.
Sometimes, even unauthorized users are accepted.
EER: This is a moderate type of access control. Here, the sensitivity is tuned in such a way that the
FRR is equal to the FAR, that is, neither high false rejection nor high false acceptance.
Thus, for a critical database, a security manager would always prefer a high FRR, that is, biometric
matching criteria being set at a high level.
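The three tunings above are just three points on one threshold sweep. The following added example (not from the book) computes FAR and FRR from constructed genuine and impostor match scores for a hypothetical device, locates the crossover (CER/EER), and picks the strict "high FRR" threshold a security manager would choose for a critical system. The scores are invented for the demonstration.

```python
# Constructed match scores (0-100) from a hypothetical device: higher = closer to the template.
GENUINE_SCORES = [91, 88, 85, 84, 82, 80, 79, 77, 75, 74, 72, 70, 68, 66, 62, 58]
IMPOSTOR_SCORES = [15, 20, 24, 28, 31, 35, 38, 42, 45, 49, 52, 55, 58, 61, 64, 69]


def far_frr(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """FAR and FRR for the decision rule 'accept if score >= threshold'."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)  # impostors let in
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)     # genuine users refused
    return far, frr


def sweep(thresholds=range(0, 101)):
    """(threshold, FAR, FRR) for every candidate threshold."""
    return [(t, *far_frr(t)) for t in thresholds]


def equal_error_rate(thresholds=range(0, 101)):
    """Threshold where FAR and FRR cross (the CER/EER), and the error rate at that point."""
    t, far, frr = min(sweep(thresholds), key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


def strictest_threshold(max_far=0.0, thresholds=range(0, 101)):
    """Lowest threshold whose FAR stays within budget: the 'high FRR' tuning for critical systems.
    Returns None if no threshold meets the budget."""
    for t in thresholds:
        if far_frr(t)[0] <= max_far:
            return t
    return None


if __name__ == "__main__":
    for t in (30, 63, 70, 80):
        far, frr = far_frr(t)
        print(f"threshold {t:3d}: FAR={far:.3f} FRR={frr:.3f}")
    print("EER threshold/rate:", equal_error_rate())
    print("strict threshold (FAR=0):", strictest_threshold())
```

Raising the threshold drives FAR toward zero at the cost of a rising FRR, which is the trade-off the text describes; the EER is simply the threshold at which the two curves meet, and the lower that common rate, the better the device.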
Explanation: Two-factor authentication is a more secure control as it requires more than one type of
authentication. Apart from a password requirement, a user also needs a smart card, a token OTP, or a
biometric feature to log on. Biometrics alone is single-factor authentication. Encryption is more
relevant to the confidentiality of the information and is not concerned with authentication. Secure
sockets layer is used to establish an encrypted link between a browser and a web server and is not
relevant to authentication.
Q. 2
Explanation: Password strength can best be improved by installing an automatic control to allow
only strong passwords that include numbers, special characters, and uppercase and lowercase letters.
Single sign-on by itself does not ensure a strong password. Conducting a password audit and
discussing the password policy are not as effective.
Q. 3
Explanation: Generally, passwords should not be shared through the same channel. It is risky to send
passwords to a file by the same channel the file was sent through. Using an out-of-band channel, such
as the telephone, reduces the risk of interception. Digital signatures prove the identity of the sender
but do not ensure confidentiality. Delivery path tracing helps in the identification of the route used
but does not confirm the identity of the sender.
Q. 4
Explanation: The most important aspect for the security manager is to determine the impact of non-
compliance by conducting a risk assessment. The other options can be determined only after
conducting a risk assessment.
Q. 5
Explanation: Strong and complex passwords are one of the most important requirements of a
password policy. A security manager should also ensure that the password policy is properly
implemented. The most effective way to ensure compliance with the password policy is to enable a
system-enforced password configuration. The other options are not as effective.
Q. 6
Answer: A. Enabling access through a different device that requires adequate authentication
Explanation: Authentication through a separate device helps prevent unauthorized access as well as
sharing of user IDs. It also helps to capture the logs of user access. Neither purchasing multiple
devices nor changing passwords after each user are feasible and cost-effective solutions. Analyzing
the log will not be effective as there is only one user ID.
Q. 7
Q. 8
Explanation: Frequent guidance and awareness training are key factors in promoting the requirement
of a password policy. It gradually helps to obtain buy-in from end users. The other options are not as
effective.
Explanation: Among the options, the most secure protocol for a wireless network is WPA2. MAC
filtering is a good practice, but permitted MAC addresses can easily be sniffed and spoofed with
readily available tools. WEP is no longer a secure encryption mechanism. Two-factor authentication
will not address the issue of network sniffing.
Q. 2
Answer: C. IP spoofing
Explanation: In IP spoofing, a forged source IP address is used to bypass a firewall. In this attack,
an intruder hides their original identity and acts as someone else. The intruder generally uses a
spoofed internal IP address to gain access to a system or data that is restricted to internal
addresses. IP spoofing can be considered masquerading by a machine.
Q. 3
Explanation: In a DDoS attack, a network or system is flooded with an enormous amount of traffic
with the objective to shut it down. DDoS is considered a significant risk for a VoIP infrastructure.
Premium rate fraud occurs when a phone system is compromised and used for making long-distance
calls. Juice jacking and social engineering do not have any direct impact on VoIP infrastructure.
Q. 4
Q. 5
Explanation: In a social engineering attack, an attempt is made to obtain sensitive information from
users by tricking and manipulating them. The attacker does not require any technical tools to obtain
the information. Social engineering is generally conducted through dialogue, an interview, an inquiry,
and other social methods of interaction.
Q. 6
Explanation: The objective of a social engineering attack is to exploit human nature and its
weaknesses for obtaining critical and sensitive information. With adequate and effective security
awareness training, the impact of social engineering attacks can be minimized. The other options will
not help to directly address the impact of social engineering attacks.
Q. 7
Q. 8
Answer: B. Piggybacking
Explanation: In this type of attack, an intruder follows an authorized person through a secured door
and gains entry to a restricted area without authentication. Piggybacking is considered a physical
security vulnerability.
Q. 9
Explanation: In a data diddling attack, data is modified as it enters into a computer system. This
attack is generally carried out by a data entry clerk or a computer virus. Data is altered before
computer security can protect the data. Very limited technical knowledge is required for data
diddling. There are no preventive controls for data diddling, so organizations need to rely on
compensatory controls.
Q. 10
Explanation: Passive attacks are types of attacks in which information is only collected but not
modified, inserted, or deleted in an active way. Examples of passive attacks include traffic analysis,
network analysis, and eavesdropping. The other options are examples of active attacks.
Q. 11
Explanation: In a password sniffing attack, tools are used to listen to all the traffic in the network
and to build data streams out of TCP/IP packets to extract usernames and passwords. These tools are
known as password sniffers. This password is then used to gain unauthorized access to the system.
Q. 12
Answer: A. Wardriving
Explanation: Wardriving is a technique for locating and getting access to a wireless network with the
use of specialized tools. An intruder drives around the building to identify unsecured networks. The
same technique is used by information security auditors to identify unsecured networks and thereby
test the wireless security of an organization. A similar technique is warwalking; the principle is the
same but no vehicle is used.
Q. 13
Answer: C. Botnets
Q. 14
Answer: B. Wardriving
Q. 15
Explanation: In a replay attack, an attacker makes use of residual biometric characteristics (such as
fingerprints left on a biometric device) to gain unauthorized access.
Q. 16
Explanation: In this attack, an attacker interferes while two devices are establishing a connection. If
any device asks for authentication, the attacker sends the request to the other device and then
forwards the response to the first device. Once a connection is established, the attacker can
communicate and obtain information as needed, thus circumventing two-factor authentication.
Q. 17
Explanation: Buffer overflow, also known as buffer overrun, is the most common software coding
error that can be exploited by an attacker to gain unauthorized access to a system. Buffer overflow
occurs when more data is fed into the buffer than it can handle. Excess data overflows to adjacent
storage.
Due to this, an attacker gets the opportunity to manipulate coding errors for malicious actions. A
major cause of buffer overflow is poor programming and coding practices.
Q. 18
Answer: B. Phishing
Explanation: A URL shortening service converts long URLs (web addresses) into shorter versions.
A hacker attempts to fool users by using URL shortening services for the creation of a URL
resembling some genuine website. This is done to spread malicious software or collect sensitive data
through phishing.
Q. 19
Explanation: Social engineering succeeds due to judgmental errors on the part of employees who
provide sensitive information to the intruder. The intruder builds a level of trust with the
user/employee and takes advantage.
Q. 20
Explanation: In traffic analysis, an intruder attempts to capture and analyze the nature of traffic flow
between hosts, the frequency of messages, the length of messages, session length, and other relevant
information. Through all this information, the intruder attempts to understand and guess the type of
communication. This is typically done when messages are encrypted.
Revision Questions
Q.1
Q.2
Q.3
Answer: C. Encryption
Explanation: Data communication from a card to a POS device should be encrypted to protect the
confidentiality of the data. Strong encryption should be used to protect the cardholder's data. The
other options will not prevent the reading of data by an intruder.
Q.4
Explanation: In a SQL injection attack, a SQL query is injected or inserted in the input field of an
application. By entering some command in the data entry field of a web page, the hacker tries to
bypass the authentication requirements. SQL injection attacks occur at the application layer. Most
intrusion prevention systems will detect at least basic sets of SQL injection and will be able to stop
them. The other options will not be as effective.
Q.5
Q.6
Explanation: Piggybacking/tailgating is the act wherein an intruder follows authorized users and
enters a restricted area. The best method to prevent such an act is to provide training to all authorized
users to be careful while entering the premises. Authorized users should challenge such intruders.
Q.7
Explanation: In a SQL injection attack, an SQL query is injected or inserted in the input field of the
application. By entering some command in the data entry field of the web page, the hacker tries to
bypass the authentication requirements. After gaining access, an intruder can read confidential data,
modify the database by updating or deleting data, or execute the administration operations on the
database. The best way to prevent a SQL injection attack is to implement input controls so that any
programming commands can be rejected. The other options, though areas of weakness, will not
bypass the authentication requirement.
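The bypass described above, with the control that stops it, as an added example that is not part of the book. A vulnerable login that concatenates the username into the query is shown beside the parameterized version and an input control; the user table, accounts and the SHA-256 stand-in for a real password hash are all constructed for the demonstration, using Python's built-in in-memory SQLite.

```python
import hashlib
import re
import sqlite3

# Input control: usernames may contain nothing a command could hide in (quotes, spaces, '--').
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def hash_pw(password):
    # SHA-256 stands in for a real password hash; use bcrypt/Argon2 in production.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory SQLite with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", hash_pw("correct horse")), ("admin", hash_pw("s3cret!"))])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: the username is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND pw_hash = '" + hash_pw(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values, so they can never become SQL."""
    row = conn.execute("SELECT username FROM users WHERE username = ? AND pw_hash = ?",
                       (username, hash_pw(password))).fetchone()
    return row[0] if row else None


def valid_username(username):
    """Defense in depth: reject input before it reaches any query."""
    return bool(USERNAME_RE.match(username))


if __name__ == "__main__":
    db = make_db()
    payload = "admin' --"   # the trailing comment discards the password check entirely
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # admin
    print("safe:      ", login_safe(db, payload, "wrong"))        # None
    print("input ok?  ", valid_username(payload))                 # False
```

The payload `admin' --` closes the string literal and comments out the rest of the WHERE clause, so the password hash is never compared; with bound parameters the same text is just a username that does not exist.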
Q.8
Answer: C. Cleartext authentication
Explanation: The objective of SNMP is to monitor network behavior. SNMP collects and organizes
information about managed devices on a network. SNMP is also used to change the device's
behavior. Devices such as routers, modems, switches, servers, printers, and workstations support
SNMP.
One of the security-related vulnerabilities of the use of SNMP is that it uses cleartext passwords for
authentication. Such passwords can easily be sniffed and reused.
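To show why "cleartext" matters here, the following added example (not from the book) builds an SNMPv1 GetRequest with a small BER encoder and then parses it the way a sniffer would, pulling the community string straight out of the bytes. The packet is constructed locally rather than captured from a network, and the community strings and OID are assumed values.

```python
def ber_len(n):
    """BER length: short form below 128, long form (0x80 | N, then N bytes) otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n):
    """Two's-complement INTEGER; adequate for the small values used here."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return tlv(0x02, body)


def ber_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:                     # base-128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1, version=0):
    """SNMPv1 (version 0) GetRequest for one OID; v2c uses version 1 with the same layout."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))           # OID + NULL placeholder
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def sniff_community(udp_payload):
    """What anyone on the path learns from a captured SNMPv1/v2c message:
    the community string is the second field, in clear."""
    tag, msg, _ = read_tlv(udp_payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag_v, version, pos = read_tlv(msg, 0)
    tag_c, community, _ = read_tlv(msg, pos)
    if tag_v != 0x02 or tag_c != 0x04:
        raise ValueError("unexpected SNMP header layout")
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode()}


if __name__ == "__main__":
    pkt = build_get_request("s3cretRW", "1.3.6.1.2.1.1.1.0")   # assumed read-write community
    print(pkt.hex())
    print(sniff_community(pkt))   # {'version': 0, 'community': 's3cretRW'}
```

Whatever the sniffer recovers can be passed straight back into `build_get_request` (or a SetRequest) to reuse it, which is the replay risk the text describes; SNMPv3 with authPriv is the fix, since v1 and v2c have no way to protect this field.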
Q.9
Explanation: In a brute-force attack, an intruder uses trial and error to determine the password of a
user. The intruder uses multiple passwords with the hope of finding the correct password. Many
software programs are available to execute brute-force attacks. The best way to control a brute-force
attack is to enable system lockout when multiple wrong attempts are detected. Generally, three
attempts are allowed, and the system is locked out on the fourth wrong attempt.
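The lockout control described above, as an added example that is not part of the book. The guard allows three wrong attempts and then refuses the account, even with the correct password, until the lockout expires; the user store, the lockout duration and the controllable clock are constructed for the demonstration, and SHA-256 stands in for a real password hash.

```python
import hashlib
import hmac

MAX_FAILURES = 3        # three wrong attempts allowed ...
LOCKOUT_SECONDS = 900   # ... then the account is locked for 15 minutes (assumed policy value)


def hash_pw(password):
    # SHA-256 stands in for a real password hash; use bcrypt/Argon2 in production.
    return hashlib.sha256(password.encode()).hexdigest()


class FakeClock:
    """Controllable clock so the demo runs offline and deterministically."""

    def __init__(self, now=0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginGuard:
    def __init__(self, users, clock):
        self.users = users          # {username: password hash}
        self.clock = clock          # callable returning epoch seconds
        self.failures = {}          # username -> consecutive failures
        self.locked_until = {}      # username -> epoch seconds

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0)

    def attempt(self, user, password):
        """Return 'ok', 'denied' or 'locked'. A locked account is refused before the
        password is even checked, so guessing cannot continue during the lockout."""
        if self.is_locked(user):
            return "locked"
        # Unknown users are counted too, so the response does not enumerate accounts.
        if hmac.compare_digest(self.users.get(user, ""), hash_pw(password)):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
            self.failures[user] = 0
        return "denied"


def simulate():
    """Constructed guessing run: three wrong guesses, then even the right password is
    refused until the lockout expires."""
    clock = FakeClock(1_000)
    guard = LoginGuard({"alice": hash_pw("correct horse")}, clock)
    guesses = ("123456", "password", "letmein", "correct horse")
    outcomes = [guard.attempt("alice", g) for g in guesses]
    clock.advance(LOCKOUT_SECONDS)
    outcomes.append(guard.attempt("alice", "correct horse"))
    return outcomes


if __name__ == "__main__":
    print(simulate())   # ['denied', 'denied', 'denied', 'locked', 'ok']
```

A time-limited lockout is the usual compromise: a permanent lock turns the control into a denial-of-service vector (an attacker can lock every account by guessing wrongly three times), while a short lock still reduces an online brute-force attack to a handful of guesses per window.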
Chapter 8: Information Security Monitoring Tools and
Techniques
Answer: B. The rule to deny all traffic by default and permit only specific traffic
Explanation: From the preceding options, the most robust firewall configuration is to deny all traffic
by default and permit only specific traffic. This is the most effective method to prevent unknown
traffic from entering the organization's network.
Q. 2
Explanation: A CISM aspirant should note that packet filtering and stateful inspection operate at the
network layer (3rd layer). The circuit level operates at the session layer (5th layer) and the
application-level firewall operates at the application layer (7th layer).
Q. 3
Explanation: A screened subnet firewall (DMZ) is regarded as the safest type of firewall
implementation. A screened subnet firewall includes two packet filtering routers and one bastion
host. The bastion host acts as a proxy, so there is no direct communication between the external and
internal networks. A DMZ and a screened subnet firewall function in the same way. It must be noted
that in a screened subnet firewall there are two packet filtering routers, whereas in a screened host
firewall there is only one packet filtering router.
Q. 4
Explanation: A screened subnet firewall (DMZ) is regarded as the safest kind of firewall
implementation. A screened subnet firewall includes two packet filtering routers. It also has one
bastion host, which acts as a proxy so that there is no direct communication between the external and
internal networks. A DMZ and a screened subnet firewall function in the same way. It must be noted
that in a screened subnet firewall there are two packet filtering routers, whereas in a screened host
firewall there is only one packet filtering router.
Q. 6
Explanation: A stateful inspection firewall monitors and tracks the destination of each packet that is
sent from the internal network. It ensures that the incoming message is in response to the request that
went out from the internal network. A stateful inspection firewall functions at the network layer of
the OSI.
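The two ideas above (a rule base that denies by default and permits only specific traffic, and a stateful firewall that admits inbound packets only as replies to connections the inside opened) are shown together in this added example, which is not from the book. It is a toy first-match packet filter: addresses, rules and packets are constructed, the internal range and DMZ server are assumed, and TCP handshake details are ignored.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE = ip_network("10.0.0.0/8")   # assumed internal address space
DMZ_WEB = "192.0.2.10/32"           # assumed DMZ web server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "any"              # CIDR or "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None   # None = any port

    def matches(self, pkt):
        return ((self.src == "any" or ip_address(pkt.src) in ip_network(self.src))
                and (self.dst == "any" or ip_address(pkt.dst) in ip_network(self.dst))
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def filter_packet(rules, pkt):
    """First matching rule wins; a packet matching nothing falls through to deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Two rule bases that differ only in the final catch-all rule.
SPECIFIC = [
    Rule("permit", src=str(INSIDE), proto="tcp", dport=443),   # inside users to any HTTPS site
    Rule("permit", dst=DMZ_WEB, proto="tcp", dport=80),        # anyone to the DMZ web server
]
DEFAULT_DENY = SPECIFIC + [Rule("deny")]      # the robust configuration
DEFAULT_ALLOW = SPECIFIC + [Rule("permit")]   # lets unknown traffic through


class StatefulFirewall:
    """Tracks flows the inside opened and admits only their replies from outside."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # (inside_ip, inside_port, outside_ip, outside_port, proto)

    def handle(self, pkt):
        if ip_address(pkt.src) in INSIDE:                     # outbound
            action = filter_packet(self.rules, pkt)
            if action == "permit":
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return action
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reply_key in self.state:                           # answer to a tracked flow
            return "permit"
        return filter_packet(self.rules, pkt)                 # otherwise the rules decide


if __name__ == "__main__":
    probe = Packet("198.51.100.9", "10.2.2.2", "tcp", 40000, 3389)   # unsolicited RDP scan
    print("default deny :", filter_packet(DEFAULT_DENY, probe))      # deny
    print("default allow:", filter_packet(DEFAULT_ALLOW, probe))     # permit
    fw = StatefulFirewall(DEFAULT_DENY)
    out = Packet("10.1.1.5", "203.0.113.7", "tcp", 51000, 443)
    reply = Packet("203.0.113.7", "10.1.1.5", "tcp", 443, 51000)
    print("reply before request:", fw.handle(reply))                  # deny
    print("request:", fw.handle(out), "reply after:", fw.handle(reply))  # permit permit
```

The state table is what lets a default-deny rule base stay strict: no rule ever needs to permit inbound traffic to internal clients, because return traffic is admitted only when it matches a connection the inside initiated.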
Q. 7
Q. 8
Q. 9
Answer: C. The effectiveness of the firewall in enforcing compliance with the information security
policy
Explanation: If a firewall is unable to enforce the requirements of the security policy, then it is a
major loophole. The availability of a good security policy is important, but it will be of little value if
it is not effectively implemented. The other options are not as significant.
Q. 10
Explanation: An accurate update of the current access list is a major challenge faced by most
organizations. Hence, the wrong configuration of an access list is the most common type of error
while setting up a firewall configuration. The other options are not relevant to firewall configuration.
Q. 11
Explanation: A security policy is the basis on which firewall rules are configured. In the absence of
a security policy, firewall rules will be ad hoc and may not support the objectives of the organization.
The other options are subsequent steps.
Q. 12
Explanation: The prime function of a firewall is to connect authorized users to a trusted network,
thereby preventing unauthorized access to the server. The other options are secondary factors.
Q. 13
Answer: D. The implementation of the firewall above a commercial operating system with all
installation options enabled
Explanation: When a firewall is placed on top of a commercial operating system without blocking
the installation options, firewall security can be compromised. The other options are not as
significant.
Q. 14
Explanation: A review of the parameter settings helps to understand the actual configuration. This
can then be compared with the requirements of the security policy. The other options are not as
significant.
Q. 15
Explanation: The primary function of the firewall is to protect the network from external sources.
The other options are not the objectives of implementing a firewall.
Q. 16
Explanation: Two parallel firewalls with two separate entries are useful to allow traffic load
balancing. Multi-level defense is established only if firewalls are installed in a series, that is, one
behind another. If firewalls are deployed in parallel, then they provide concurrent paths for
compromise and do not provide multi-layer defense. Both firewalls are connected to the same DMZ
and hence it cannot separate the test and production environments. Firewalls generally cannot control
denial of service (DoS) risks.
Q. 17
Explanation: Generally, servers that interact with the internet (extranets) are placed in the
demilitarized zone (DMZ), as this area is separated from the internal servers and is properly
hardened. Placing the server before the firewall or outside the router would leave it defenseless. A
firewall should run on a hardened server with minimum services enabled. It is not recommended to
place anything else on the firewall server.
Q. 18
Explanation: Generally, the IDS is placed on the screened subnet, which is the DMZ. A DMZ is
separated from the internal servers and is properly hardened. Placing the IDS before the firewall or
outside the router is not recommended, as the IDS would generate alerts for all malicious traffic even
though the majority of such traffic would eventually be blocked by the firewall and never reach the
internal network. A firewall should run on a hardened server with minimum services enabled. It is
not recommended to place anything else on the firewall server.
Q. 19
Explanation: A firewall should be placed on a domain boundary to monitor and control incoming
and outgoing traffic. A firewall should run on a hardened server with minimum services enabled. It is
not recommended to place a firewall alongside other services such as an IDS, database, or web
server.
Q. 20
Explanation: The most effective way to ensure that firewall rules are adequate is to conduct
penetration testing periodically. Gaps identified during the penetration test should be addressed
immediately. This will help to improve the security posture of the organization. The other options are
not as effective as penetration testing.
Explanation: A neural network-based IDS works on the same principle as a statistical-based IDS.
However, it has the advanced functionality of self-learning. The neural network keeps updating its
database by monitoring the general patterns of activity.
Q. 2
Explanation: The function of the sensor is to collect data. Data may be in the form of IP packets, log
files, and so on. The function of an analyzer is to analyze the data and determine whether there is any
intrusive activity. The administration console helps the administrator control and monitor IDS rules
and functions. The user interface helps the user view the results and carry out any required tasks.
Q. 3
Q. 4
Q. 5
Explanation: If an IDS is installed between the firewall and the internal network, it will be able to
detect only those attempts that bypass the firewall rules. If an IDS is installed between the firewall
and the external network, it will be able to identify all intrusion attempts irrespective of whether
intrusion packets bypass the firewall or not.
Q. 6
Explanation: An IDS helps to monitor a network (network-based IDS) or a single system (host-
based IDS) with the objective of recognizing and detecting any intrusions. The function of an IDS is
to analyze the data and determine the presence of intrusive activities. IDSs do not have features to
achieve the other options.
Q. 7
Explanation: The identification of false positives is a routine and frequent issue in the
implementation of an IDS. IDSs operate on the basis of policy definitions. Any weakness in the
policy definitions weakens the function of the IDS. False acceptance rates and false rejection rates
are associated with biometric implementation. A DDoS is a type of attack and is not an issue with the
operations of an IDS.
Q. 8
Q. 9
Q. 10
Explanation: High instances of false alarms indicate that the IDS configuration needs to be tuned
further. A major impact of a poorly configured IDS would be on the business processes or systems
that are blocked or shut down because of false alarms, which can have an adverse impact on business
profitability. An IDS cannot read encrypted traffic; however, this can be compensated for by a
next-generation firewall. The other options are not as significant as blocking critical services and
systems due to false alarms.
Q. 11
Answer: C. A neural network monitors the general patterns of activity and creates a database,
addressing complex problems involving input variables from different sources.
Explanation: A neural network-based IDS works on the same principle as a statistical-based IDS.
However, it has the advanced functionality of self-learning. Neural networks keep updating their
database by monitoring the general patterns of activity. A neural network is the most effective at
addressing problems that can only be solved by analyzing a large number of input variables.
Q. 12
Answer: A. In a DMZ
Explanation: Public-facing websites are placed in a DMZ to safeguard the internal network from
external attacks. An IDS should be placed in the same DMZ. The IDS would monitor the network
traffic to detect any intrusions. A network-based IDS would not be installed on a web server, unlike a
host-based IDS. Placing the IDS outside the firewall would not be helpful in specifically protecting
the website. Placing an IDS in the internal network is good to ensure that the website is not prone to
internal attacks; however, the IDS would normally be placed in a DMZ.
Q. 13
Explanation: The most viable option is to install a host-based IPS. A host-based IPS will prevent
activities on the host computer or server such as deletion of files or modification of programs. A
network-based IDS will be able to detect irregular traffic but if signatures are not updated or the
traffic is encrypted, that traffic may still bypass the IDS. A regular OS patch update addresses
vulnerabilities; however, a host-based IPS is more effective in preventing unauthorized installation. A
packet filtering firewall will not be able to restrict the rootkit if the traffic arrives from a permitted IP address.
Q. 14
Answer: A. A honeypot
Explanation: A honeypot is a decoy system set up to attract hackers and intruders. The purpose of
setting up a honeypot is to capture the details of intruders in order to proactively strengthen security
controls.
Q. 15
Explanation: IPSs can not only detect intrusion attempts but also prevent the impact of the intrusion
attack. An IDS only monitors, records, and raises alarms about intrusive activities, whereas an IPS
also prevents intrusive activities. Routers and switches are devices used for network routing.
Q. 16
Explanation: The first step that an intruder takes is to capture and gather relevant information about
the target environment. Based on this information, they attempt various techniques to gain access and
once the objective is accomplished, they try to eliminate the evidence.
Q. 17
Explanation: A network-based IDS is considered the next line of defense after a firewall. An IDS
monitors, records, and raises alarms about intrusive activity that bypasses the firewall. An IDS has
more capabilities to identify abnormal traffic than antimalware software. Routers and switches are
devices used for network routing.
Q. 18
Explanation: The major impact of a poorly configured IPS would be on the business processes or
systems that are blocked due to false alarms. This can have an adverse impact on business
profitability. The other options are not as significant.
Q. 19
Answer: A. Tuning
Explanation: Tuning is the most important element for the successful implementation of an IDS. It is
the process of adjusting the criteria to determine abnormal behavior. If the criteria are not properly
tuned, the IDS may generate false alarms or fail to identify actual abnormalities. A patch update is
more related to the OS. Logging and change management are not as relevant as tuning.
Q. 20
Explanation: A digital signature is used to validate the integrity, authenticity, and non-repudiation
of messages. However, it does not ensure message confidentiality. A digital signature includes an
encrypted hash value of the message. This hash value would change if the message was subsequently
altered, thus indicating that an alteration has occurred. Hence, it helps to ensure message integrity.
Digital signatures will not be able to address and support any of the other options.
Q. 2
Explanation: A digital signature is used to validate the integrity, authenticity, and non-repudiation of
electronic messages. It does not ensure message confidentiality or the availability of data. A digital
signature is created as follows:
Step 1: Calculate the hash value of the message.
Step 2: Encrypt the hash value (as derived in the previous step) with the private key of the sender.
Q. 3
Answer: D. Alteration
Explanation: The hash value of a message is used to create the digital signature. Each message has a
unique hash value. If a message changes, its hash also changes. Thus, the hash value will not be the
same if the message is altered. A digital signature will not address other concerns.
Q. 4
Explanation: A digital signature is created by encrypting the hash value of a message. An encrypted
hash cannot be altered without the key of the sender.
Q. 5
Explanation: A digital signature is used to validate the integrity, authenticity, and non-repudiation of
electronic messages. It does not ensure message confidentiality, privacy, or availability of data.
Q. 6
Answer: B. Integrity
Explanation: Digital signatures confirm integrity because the hash value of a message changes in the
case of any unauthorized changes being made in the data (file, mail, document, etc.).
Q. 7
Answer: B. Non-repudiation
Explanation: Non-repudiation provides assurance that the sender of a message or the initiator of a
transaction cannot later deny sending the message or initiating the transaction. Non-repudiation is the
most effective way to validate that a specific action has occurred. Digital signatures are used to
provide non-repudiation.
Q. 8
Answer: A. The use of a sender's private key to encrypt the hash value of the message
Explanation: A sender encrypts the hash value of their message with their private key. If the
recipient is successful in decrypting the hash value with the public key of the sender, then
authenticity is established. That is, it is proved that the message was in fact sent by the sender. It
ensures non-repudiation; that is, the sender cannot repudiate having sent the message. For
authentication, the encryption of the entire message is not required. The encryption of the entire
message will involve more cost and time and hence the encryption of the hash alone is considered
sufficient.
Q. 9
Answer: B. The hash value of the message is transmitted and encrypted with the customer's private
key
Step 1: The hash value of the message is calculated.
Step 2: The hash value (derived in the previous step) is encrypted with the private key of the sender.
In the question, the sender is the customer. Hence, the hash is to be encrypted using the customer's
(sender's) private key.
Q. 10
Explanation: With the use of digital signatures, a sender can be tracked and authenticated. The
recipient will be able to set a configuration on their system to delete messages from specific senders
automatically. The file size of a digital signature is only a few bytes and will not have any impact on
the bandwidth. There will be no major impact on the workload of gateway servers. A digital
signature does not ensure confidentiality.
Q. 11
Explanation: The following example explains the outcome of hashing as well as encryption:
Now, from the hash value 4526dee03a36204cbb9887b3528fac4e, you cannot derive the message, but
from the encrypted value Mxxxxxx xx x xM, you can derive the original message by decryption.
Thus, hashing operates one way and cannot be reversed. You can create a hash from the message,
but it is not possible to recover the message from that hash value. Thus, a hash value is
irreversible, whereas encryption is reversible. This is the major difference between encryption and
hashing.
Q. 12
Explanation: When employees digitally sign their email messages, the receiver will be able to
validate the integrity and authenticity by checking the digital signature.
Q. 13
Answer: C. Non-repudiation
Explanation: Non-repudiation provides the best evidence of the occurrence of a specific action or
transaction. The sender of the email or initiator of the transaction cannot deny their action. Digital
signatures are used to provide non-repudiation.
Q. 14
Answer: D. Non-repudiation
Explanation: Non-repudiation provides the best evidence of the occurrence of a specific action or
transaction. The initiator of the transaction cannot deny that transaction. Digital signatures are used to
provide non-repudiation.
Q. 15
Explanation: In the preceding case, the message is not encrypted (only the hash is encrypted) and
hence it will not ensure privacy or confidentiality. An encryption of the hash will ensure authenticity
and integrity.
Q. 16
Answer: B. The signer has the private key of the sender and the receiver has the public key of the
sender
Step 1: Calculate the hash value of the message.
Step 2: Encrypt the hash value (as derived from the previous step) with the private key of the sender.
At the recipient end, the hash is decrypted using the public key of the sender.
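The signing and verification steps described in Q.2, Q.8, Q.9, and Q.16 above, worked through in code. This is an added example and not part of the book; it uses only the Go standard library and assumes RSA PKCS#1 v1.5 with SHA-256 as the concrete signature scheme (the book names no algorithm; the "encrypt the hash with the private key" wording is the textbook description of exactly this operation). The key pair and the sample message are constructed for the example. It also shows the points made in Q.3, Q.15, and Q.17: an altered message no longer verifies, a signature from a different key pair does not verify against the sender's public key, and the message itself stays in cleartext, so no confidentiality is provided.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sender holds the signer's key pair. Only the private key signs;
// the recipient needs only the public key to verify.
type Sender struct {
	Private *rsa.PrivateKey
}

// NewSender generates a fresh 2048-bit RSA key pair (constructed for the
// example; a real deployment would load the key from a protected store).
func NewSender() (*Sender, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Sender{Private: key}, nil
}

// Sign follows the two steps from the explanations above:
// Step 1: calculate the hash value of the message (SHA-256 here).
// Step 2: sign ("encrypt") that hash with the sender's private key.
// The message itself is not encrypted, so the signature gives no confidentiality.
func (s *Sender) Sign(message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPKCS1v15(rand.Reader, s.Private, crypto.SHA256, digest[:])
}

// Verify is the recipient side: recompute the hash of the received message
// and check the signature against it with the sender's public key.
// Any alteration of the message changes the hash and the check fails.
func Verify(pub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

func main() {
	sender, err := NewSender()
	if err != nil {
		panic(err)
	}
	// Constructed sample message; note it travels in cleartext.
	msg := []byte("Transfer 100 units to account 42")
	sig, err := sender.Sign(msg)
	if err != nil {
		panic(err)
	}
	pub := &sender.Private.PublicKey
	fmt.Println("original message verifies:", Verify(pub, msg, sig))

	// Integrity: a one-character change produces a different hash.
	tampered := []byte("Transfer 900 units to account 42")
	fmt.Println("altered message verifies:", Verify(pub, tampered, sig))

	// Authenticity: a signature made with another private key does not
	// verify with this sender's public key.
	other, err := NewSender()
	if err != nil {
		panic(err)
	}
	forged, _ := other.Sign(msg)
	fmt.Println("other signer verifies:", Verify(pub, msg, forged))
}
```

The recipient never needs the sender's private key, which is why the holder of that key cannot later deny having produced the signature (Q.7, Q.13, Q.14): only that key could have produced a value that the public key accepts.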
Q. 17
Explanation: A digital signature is created by calculating the hash value of the given message.
Recalculating the hash value for the original message should provide the same hash value. Thus, it
helps to ensure message integrity.
Q. 18
Explanation: A digital signature is used to determine the identity and integrity of the data. The other
options are not relevant to determining whether the message and the sender are genuine.
Q. 19
Explanation: A digital signature is used to validate the integrity, authenticity, and non-repudiation of
electronic messages. Non-repudiation is a process used to make sure that the sender of a message or
initiator of a transaction is not in a position to deny their action. Encryption and symmetric
encryption provide confidentiality but not non-repudiation. Hashing provides integrity but not non-
repudiation.
Q. 20
Answer: D. Create a hash value of the file, then compare the file hashes
Explanation: The best way is to create a hash of the original file and then compare this with the
suspected file to ensure that the files are the same. If the hash has changed, then it indicates that the
file has been modified. The last modified date can also be fabricated. File encryption and role-based
access control are good access controls but do not prevent the file from being corrupted or modified
by a valid user.
Explanation: The CA is an entity responsible for issuing digital certificates. It is also responsible for
the management of digital certificates.
Q. 2
To ensure that the applicant is in possession of a private key that matches the public key requested for a certificate; this is known
as proof of possession (POP)
To generate shared secret keys during the initialization and certificate pickup phase of registration
Q. 3
Q. 4
Answer: C. Establishing a link between the applicant and their public key
Q. 5
Answer: C. The user organization is also the owner of the certificate authority
Explanation: It indicates a conflict of interest when the user and owner of the CA are the same. The
independence of the CA will be impaired in this scenario, and this is considered a major weakness.
Q. 6
To ensure that the applicant is in possession of a private key that matches the public key requested for a certificate; this is known
as proof of possession (POP)
To generate shared secret keys during the initialization and certificate pickup phase of the registration
Q. 7
Explanation: A CPS is a document that prescribes the practice and process of issuing and managing
digital certificates by the CA. It includes details such as the controls in place, the methods for
validating applicants, and the usage of certificates.
Q. 8
To ensure that the applicant is in possession of a private key that matches the public key requested for a certificate; this is known
as proof of possession (POP)
To distribute the physical tokens containing the private keys
To generate a shared secret key during the initialization and certificate pickup phase of the registration
Q. 9
Explanation: The objective of a CA is to support the identification of the key holder. In a case where
a user already attests to another user's identity, the CA may not be required. The CA is not relevant
for the other options.
Q. 10
Explanation: A CPS is a document that prescribes practices and processes for the issuing and
management of digital certificates by the CA. It also provides contractual requirements between the
relying parties and the CA. It includes details such as the controls that should be in place, the
methods for validating applicants, and the usage of certificates.
Q. 11
Explanation: The CA is responsible for the issuance and management of digital certificates. The CA
authenticates and validates the holder of the certificate after the issuance of the certificate. The other
options are not functions of a CA.
Q. 12
Explanation: The private key of a CA is used to issue the digital certificates to all parties in a PKI. If
the private key of a CA is compromised, it will lead to a single point of failure for the entire PKI
because the integrity of all digital certificates is based on this private key. If the private key of a
holder is compromised, it will affect only that holder. Public keys are published and pose no risk.
Explanation: The best method is to encrypt the communication, which will ensure the confidentiality
of the transactions. Multiple authentications, maximum password age, and digital signatures may
help in strong authentication but they will not help in the confidentiality of the data in transit.
Q. 2
Explanation: Secure sockets layer (SSL) is the protocol that operates at the transport layer. It is
used for privacy and data security while communicating over a network. SSL makes use of
cryptographic functions to protect the confidentiality, reliability, and integrity of private documents
traveling through the internet. Dynamic host configuration protocol (DHCP) is a protocol used to
manage the network configuration. DHCP assigns an IP address and other network configuration
parameters to every device on a network so that they can communicate with other IP networks.
Secure shell (SSH) and Telnet are remote terminal control protocols. Through these protocols, a user
can connect to a terminal from a remote location.
Q. 3
Explanation: Encryption is the most effective method to safeguard the data stored on mobile
devices. Encryption converts the data into an unreadable form such that it can only be read by the
person possessing the encryption key. The other options are good controls, but they are not as
effective.
Q. 4
Explanation: One of the limitations of symmetric encryption is that it requires a key for each pair
of individuals who wish to have confidential communication. This results in an exponential increase
in the number of keys, resulting in complex distribution and storage problems. Public key encryption
does not have this issue. Public key encryption requires more computation efforts and maintenance
compared to symmetric encryption. A public key by itself does not provide greater encryption
strength.
Q. 5
Explanation: If passwords are sent over an internal network in plain text, they can easily be sniffed.
Passwords should be encrypted for adequate security. The other options do not present significant
exposures.
Q. 6
Answer: B. Implementing application-level encryption
Explanation: Encryption makes the database unreadable for the DBA and other staff. This helps the
DBA to perform this routine function without reading the data in cleartext. The other options cannot
prevent the DBA from reading the data in the database.
Q. 7
Explanation: The public key of the other party is used to decrypt the message and if the message is
successfully decrypted, it helps to authenticate the user, that is, the owner of the corresponding
private key. Authorization and compression are not functions of PKI. A private key is used for the
creation of digital signatures.
Q. 8
Explanation: The most effective method to secure a wireless network is to provide strong
encryption. An IDS and a router will not offer any protection from local attacks. Two-factor
authentication is for access control and will not protect data from being sniffed.
Q. 9
Explanation: Encryption is the most effective method to safeguard the data stored on removable
devices. Encryption converts the data on the USB to an unreadable form. It can only be read by the
person possessing the encryption key. The other options are good controls but not as effective.
Explanation: Aggregated risk refers to a significant impact caused by a large number of minor
vulnerabilities. Such minor vulnerabilities individually do not cause a major impact but when all are
exploited at the same time, they can cause a huge impact. The goal of risk aggregation is to identify
the significant overall risk from a single threat vector. Penetration testing is the best way to assess
aggregate risks by exploiting them one by one. Risk aggregation provides a good measurement for
prioritizing the risk.
Q. 2
Answer: A. Determine weaknesses in the network and server security
Explanation: The objective of penetration testing is to identify the weaknesses in the network and
server security of an organization. Based on the results of the penetration test, the identified weaknesses
are addressed to improve the security posture of the organization.
Q. 3
Explanation: The main objective of engaging an external company to perform penetration testing is
to get an independent view of the organization's security exposure. Even though the organization may
have the necessary skills and resources to conduct penetration testing, third-party penetration testing
is recommended to get an objective view from external experts. The other options are secondary
aspects.
Q. 4
Explanation: It is very important to establish a clear understanding of the scope of testing. In the
absence of a defined scope, a tester may cause a system outage or other major damage. Sometimes,
the test may have adverse impacts on business processes if the organization is not well prepared. The
other options are secondary aspects. In the case of a blind penetration test, IT and security monitoring
staff are not informed about the proposed test in order to determine their readiness with respect to any
attack. A demonstration of the test system will reduce the spontaneity of the test.
Q. 5
Explanation: It is very important to establish a clear understanding of the scope of testing. In the
absence of a defined scope, a tester may cause a system outage or other major damage. Sometimes, a
test may have adverse impacts on business processes if the organization is not well prepared. The
other options are secondary aspects. In the case of a blind penetration test, IT and security monitoring
staff are not informed about the proposed test in order to determine their readiness for any attack.
Q. 6
Explanation: In a black box testing attack scenario, the tester is provided with limited or no
knowledge of the target's information systems. Inappropriate planning and timing of the attack may
cause the system to fail. It is very important that the tester is well experienced and aware of the clear
scope of the test. The other options are not as significant.
Q. 7
Answer: A. More time is spent on exploitation rather than discovery and information gathering
Explanation: In cases of white box penetration testing, relevant details of the infrastructure are made
available to the tester in advance. They need not spend time gathering the information. This helps the
tester concentrate on exploitation. A black box approach, where no information is provided, better
simulates an actual hacking attempt. Cost is a secondary aspect. Penetration testing tools are required
for both white box as well as black box penetration tests.
Q. 8
Explanation: Ethical hacking (penetration testing) involves the use of tools and techniques available
to actual hackers to penetrate the network of an organization. The objective of ethical hacking is to
find out vulnerabilities in the existing control and address the loopholes. Ethical hacking is not
directly relevant to the other options.
Q. 9
Explanation: The most effective way to ensure that an organization's network is properly secured
against external attacks is to conduct penetration testing at regular intervals. The results of
penetration testing determine the effectiveness of the organization's security posture. Any loopholes
identified during penetration testing should immediately be rectified. The other options are not as
effective.
Q. 10
Explanation: The first step that a penetration tester conducts is to analyze the network mapping.
Network mapping is the process of understanding the target network topology. It helps to determine
the points of attack in a network. The IDS is a secondary aspect. The nature of data and data analytics
are not relevant to a tester.
Revision Questions
Q.1
Answer: C. It may be quarantined by the firewall or mail filters
Explanation: Generally, firewalls or mail filters would quarantine a password-protected ZIP file as
the filter (or the firewall) will not be able to determine whether the file contains malicious code. A
ZIP file does have the capability of using strong encryption. Generally, a firewall will not be able to
read the password-protected file. A password-protected file by itself does not use high network
bandwidth.
Q.2
Explanation: A firewall, by default, should be able to reject any traffic with IP source routing.
Source routing is a tool to get information about all the routers in a packet transit. This could be used
to bypass firewalls, hence it is a security threat. If source routing is allowed by a firewall, an intruder
can attempt spoofing attacks by stealing the IP addresses of the organization. Deploying a firewall on
a standalone server is a good practice. A firewall should be placed on a hardened server with
minimum services enabled. Firewall rules should be reviewed in a structured manner at periodic
intervals. Allowing unregistered ports is not recommended but does not necessarily pose a significant
security threat.
Q.3
Explanation: In a screened subnet, one bastion host is deployed along with two packet filtering
routers. It is considered the most secure type of firewall implementation. It acts as a DMZ. An
acceptable use policy and role-based access will not have an impact on external users. An IDS will be
able to identify the invalid attempts but will not be able to prevent them.
Q.4
Explanation: A DMZ is a separate area that is exposed to external-facing untrusted areas. Generally,
servers that interact with the internet are placed in a demilitarized zone as this area is separate from
internal servers and properly hardened. Servers and resources placed in a DMZ are isolated and are
not directly connected to the internal network. A database should not be placed in a DMZ as it is
exposed to external connections.
Q.5
Q.6
Answer: A. One rule may conflict with another rule and create a loophole
Explanation: Firewall rules should be simple and easy to implement. A complex rule is difficult to
manage and there is a chance that a particular rule may conflict with another, resulting in a loophole.
Also, it becomes complex to test a high number of rules and so the operating effectiveness of a rule
cannot be determined. High expenditure and network performance are secondary concerns. A next-
generation firewall has the ability to handle any number of rules.
Q.7
Explanation: In signature-based IDSs, the IDS looks for specific predefined patterns to detect
intrusion. Patterns are stored as signatures and are updated at frequent intervals. This is also known
as a rule-based IDS. A signature-based IDS is not capable of identifying new types of attacks for
which the signatures are not yet available. The other options are not relevant.
Q.8
Answer: A. Simulating various attack scenarios and reviewing the performance of the intrusion
detection system
Explanation: The most effective way to determine whether an IDS is properly tuned is to simulate
various attack scenarios and review the performance of the IDS. The other options are secondary
aspects.
Q.9
Explanation: The main objective of an IDS is to identify attacks on the internal network and provide
alerts for immediate countermeasures. This helps minimize the impact of the attack. The other
options are secondary aspects.
Q.10
Answer: C. Ensuring the encrypted traffic is decrypted prior to being processed by the intrusion
detection system
Explanation: An IDS cannot read encrypted traffic. Encryption should be removed before the traffic
is processed by the IDS. Encryption should be removed at the SSL or VPN server to allow all traffic
to be monitored. Placing an IDS before the firewall will generate a high number of alerts for traffic that
would eventually be blocked by the firewall anyway. Not all end devices need to be connected to the IDS.
Network bandwidth is not relevant.
Q.11
Explanation: A honeypot is a decoy system set up to attract hackers and intruders. The purpose of
setting up a honeypot is to capture the details of intruders to proactively strengthen security controls.
As honeypots are closely monitored, any unauthorized attempt is more likely to be detected before
significant damage is inflicted. The other options will not directly help detect the intruder.
Q.12
Explanation: Anomaly-based detection works on the statistics of normal traffic patterns. It is also
known as a statistics-based IDS. Any change from the normal traffic range is considered a deviation and
an alert is generated. In a DDoS attack, incoming traffic increases tremendously, hence it is detected
by anomaly-based detection. The other options will not be effective to detect a DDoS attack.
Q.13
Explanation: A decoy file is also known as a honeypot. A honeypot is a decoy system set up to
attract hackers and intruders. The purpose of setting up a honeypot is to capture the details of
intruders in order to proactively strengthen security controls. The other options are used to keep
hackers out of the internal network.
Q.14
Explanation: An IDS uses different logs, such as firewall logs, system logs, and application logs.
Logs are analyzed to determine the trends and patterns of attacks. Threshold refers to the acceptable
deviation from the normal pattern. A low threshold value means anything outside that value will be
considered an attack. Even genuine business traffic will be considered an attack if it is above the
threshold. A low threshold value generally increases the number of false positives.
Q.15
Answer: D. Hashing
Explanation: Hashing is the process of converting a given password into another value. The result of
a hash function is known as a hash value. When a user enters a password, it is converted into a hash
value and is compared with the stored hash. If the hashes match, then access is granted. The actual
password cannot be generated from the hash value (because it is a one-way algorithm), so the actual
password remains protected.
Chapter 9: Incident Management Readiness
Explanation: An incident response plan includes a detailed procedure to handle an incident. It also
includes the detailed roles and responsibilities of different teams for handling the incident. A security
breach can best be handled using an incident response plan. BCPs and DRPs will be applicable only
if an incident becomes a disaster and an alternative site needs to be activated. A change management
plan is used to manage changes and does not directly impact the handling of a security breach.
Q. 2
Explanation: The first step should be to check the facility access logs and determine the number of
employees in the facility. They should be evacuated on an emergency basis. The safety of human life
always comes first. The other options are secondary actions.
Q. 3
Explanation: In a DoS attack, numerous packets are sent to a particular IP address with the objective
of disrupting services. Installing a packet filtering firewall will help drop the suspected packets and
thus reduce the network congestion caused by a DoS attack. Patching the operating system will not
affect network traffic. Implementing NAT or load balancing would not be as effective to tackle a DoS
attack.
Q. 4
Explanation: The first step is to initiate the reporting process as defined in the incident response
procedure. The incident response procedure may include reporting it to the police or another
authority, wiping data remotely, removing users, and so on. Determining impact and removing it from
the inventory list are subsequent actions.
Q. 5
Answer: A. At the time the disaster recovery plan is established
Explanation: Roles and responsibilities should be assigned at the time of preparing the plan. An
unclear plan will have an adverse impact during execution. Without assigned roles and
responsibilities, testing and approval will not be effective.
Q. 6
Explanation: A BCP contains the step-wise process to ensure continuity of the business from an
alternative site. Without a copy of the BCP, recovery efforts may not be effective. Generally, a BCP
includes contact details of key employees, suppliers, and key service-level agreements.
Q. 7
Answer: D. Containment
Explanation: Containment refers to taking action to prevent the expansion of the incident. Incident
response procedures primarily focus on containing the incident and minimizing damage. For
example, when a virus is identified in a computer, the first action should be containing the risk, that
is, disconnecting the computer from the network so that it does not impact other computers. The
other options are subsequent actions.
Q. 8
Explanation: A Trojan horse is a type of illegitimate software that is often disguised as legitimate
software; it is a type of malware. Trojans are used by intruders to attempt unauthorized access to an
organization's network and systems. Finding a Trojan horse in an administrator's computer is a major
concern as the administrator has privileged access that could be exploited. The other options are still
serious issues, but not as significant.
Q. 9
Explanation: A delay in investigation is an area of major concern as it can have a large impact on
business processes. The other options do not pose significant risks.
Q. 10
Explanation: One of the most important objectives of problem management is to understand the root
cause of an incident and address it so that the same type of incident does not reoccur. Merely
restoring the service at the earliest is not the solution. Hence, if the incident is closed within a strict
timeline, this aspect may be missed. Quick resolution may not always give positive results. Forensics
is concerned with evidence analysis and preservation from a legal perspective and is not involved
in service continuity.
Q. 11
Explanation: The most important action is to isolate the network and contain the further spread of
the attack. Disconnecting all network access points will impact business processes and should be the
last resort. Analyzing and monitoring are subsequent actions.
Q. 12
Explanation: The safety of human life is of utmost priority for any emergency response plan.
Q. 13
Explanation: Escalation criteria include specific actions to be followed as per predefined timelines.
They also include defined roles and responsibilities for individual team members. For the smooth
execution of incident response, it is of utmost importance to follow the escalation criteria.
Q. 14
Explanation: The first course of action is to determine the extent of the impact on the organization.
Even when reporting to senior management and other stakeholders, the extent of the compromise
needs to be submitted.
Q. 15
Explanation: The first step is to contain the spread of the virus by disconnecting the infected
computer. The other options are subsequent steps.
Q. 16
Explanation: The main objective of incident response is the containment of the incident and thereby
minimization of damage. The other options are not primary objectives of incident response.
Q. 17
Explanation: Due to a compromise at the administrative level, malware may have already been
installed on the server. The best way is to rebuild the email server from the original media. This will
address the risk of the presence of any hidden malware. Isolation is a temporary solution. A change
of password and two-factor authentication will not address a hidden virus in the email server.
Q. 18
Explanation: The unavailability of the system due to disaster may result in losses for the
organization. Losses due to the unavailability of the system increase on a daily basis. A BCP is
considered on the basis of these losses. Based on the losses from the unavailability of the system, the
RTO, RPO, and recovery sites are finalized. The other options do not directly impact the BCP.
Q. 19
Explanation: It is very important to prioritize the incident based on its possible impact. Quickly
ranking the severity criteria of an incident is key to incident response. The other details are not
included in a computer incident response team manual but are included in the BCP.
Q. 20
Explanation: The most important action is to isolate the server and contain the further spread of the
virus. The other options are subsequent actions.
Explanation: The immediate step should be to confirm the incident to rule out any false positives. It
is very important for a security manager to verify and validate the incident before any containment
action is taken. Once the incident is confirmed, the next step is isolating the incident. The other
options are subsequent steps.
Q. 2
Answer: B. Blocking all emails containing picture file attachments
Explanation: The first step should be to block all emails containing picture files until the time the
signature files are updated. Deleting all picture files and quarantining mail servers is not necessary.
Blocking all incoming emails would hamper business processes.
Q. 3
Explanation: A vulnerability should be reported to the system owner to take appropriate corrective
action. The system owner should in turn report to the data owner if the vulnerability is in the database
arrangement. The system owner will coordinate with the development team for any development-
related changes to address the vulnerability.
Q. 4
Explanation: Slack space refers to the additional storage that is available on a computer's hard disk
drive. It is created when a computer file does not use all the space allocated to it by the operating
system. Slack space can be used to store hidden data. The verification of slack space is an important
aspect of computer forensics.
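As an added illustration of the slack-space point (example code, not from the book), the following Python builds a small constructed cluster-based image, computes where the slack region of a file lies, and checks that region for non-zero residue, which is the verification step a forensic examiner performs. The cluster size, the file contents and the residue bytes are all constructed values for the demonstration, not taken from any real volume.

```python
"""Slack-space verification on a constructed cluster-based image.

Added example, not from the book. CLUSTER_SIZE, the file contents and
the residue bytes below are constructed values for the demonstration.
"""

CLUSTER_SIZE = 512  # constructed; real file systems commonly allocate 4096-byte clusters


def clusters_needed(file_size, cluster_size=CLUSTER_SIZE):
    """Number of whole clusters the file system must allocate for file_size bytes."""
    return (file_size + cluster_size - 1) // cluster_size


def slack_size(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes in the last allocated cluster that the file does not use."""
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


def build_image(file_data, residue=b"", cluster_size=CLUSTER_SIZE):
    """Constructed image: file_data followed by its slack, optionally holding residue.

    A zero-filled slack models a clean allocation; a non-zero residue models
    leftover or deliberately placed bytes that an examiner should notice.
    """
    allocated = clusters_needed(len(file_data), cluster_size) * cluster_size
    if len(file_data) + len(residue) > allocated:
        raise ValueError("residue does not fit in the slack region")
    image = bytearray(allocated)
    image[: len(file_data)] = file_data
    image[len(file_data) : len(file_data) + len(residue)] = residue
    return bytes(image)


def extract_slack(image, file_size, cluster_size=CLUSTER_SIZE):
    """Return the slack region of a file that starts at offset 0 of the image."""
    allocated = clusters_needed(file_size, cluster_size) * cluster_size
    return image[file_size:allocated]


def slack_report(image, file_size, cluster_size=CLUSTER_SIZE):
    """Summarise the slack region: its size, how many bytes are non-zero, and a preview."""
    slack = extract_slack(image, file_size, cluster_size)
    nonzero = sum(1 for b in slack if b != 0)
    return {
        "slack_bytes": len(slack),
        "nonzero_bytes": nonzero,
        "suspicious": nonzero > 0,
        "preview": slack.rstrip(b"\x00")[:16],
    }


if __name__ == "__main__":
    content = b"A" * 1000          # constructed file body: 2 clusters, 24 bytes of slack
    hidden = b"residue-in-slack"   # constructed residue written into the slack
    print(slack_report(build_image(content), len(content)))
    print(slack_report(build_image(content, hidden), len(content)))
```

On a real volume the examiner reads the file's allocated clusters from the image rather than offset 0, but the geometry is the same: anything between the logical end of file and the end of the last cluster is slack, and non-zero bytes there warrant a closer look.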
Q. 5
Explanation: The first step should be to confirm the incident to rule out any false positives. It is very
important for a security manager to verify and validate the incident before any containment action is
taken. Once the incident has been confirmed, the next step is to contain the incident. The other
options are subsequent steps.
Q. 6
Explanation: The installation of an IDS will help the security manager identify the source of the
attack. An IDS can be used to detect both internal as well as external attacks depending on where it is
placed. An IDS is used to monitor the network or systems for abnormal activities. IP addresses can be
spoofed and hence implementing a static IP may not be useful. If the attack is internal, two-factor
authentication may not be helpful either. Capturing logs will only be meaningful if the logs are
monitored through a SIEM.
Q. 7
Answer: C. To obtain guidance from the firewall manufacturer
Explanation: The first course of action is to consult with the firewall manufacturer as they may have
a patch to address the vulnerability. They will also be in a position to suggest a workaround and any
compensating controls to address the issue. Blocking all incoming traffic may not be feasible as it
will hamper business processes. Updating OS patches and penetration testing will not help to address
the vulnerability.
Q. 8
Explanation: Once the incident has been confirmed, the next step is to contain the incident.
Containment means taking actions to prevent the expansion of the incident. Incident response
procedures primarily focus on containing incidents and minimizing damage.
Q. 9
Explanation: The first step should be to discuss the situation with the data owner and determine the
requirement of data access on a need-to-know basis. Based on the discussion, access should be
provided according to the relevant job function and should be removed for other users. The
encryption of data may not be feasible as the user may require access to data for further processing.
Q. 10
Explanation: The best way to justify the establishment of an incident management team is to
highlight the possible business benefits derived from structured incident management processes. The
trends of previous incidents and industry losses may not directly impact future losses.
Q. 11
Explanation: Frequent security awareness training for end users as well as help desk staff is one of
the most important factors for the early identification and reporting of any incident. The availability
of a well-structured communication and reporting procedure is also an important aspect but it is only
useful when staff are able to identify the incident. An IDS will not be able to identify non-IT-related
incidents. Determining the severity level is a subsequent step and will be useful only once the
incident is identified.
Q. 12
Answer: D. Promote business resiliency
Explanation: Business resilience refers to the capability of an organization to sustain disruption. The
main objective of an IRP is to minimize the impact of an incident by developing resilient processes.
An incident response plan is a means to reduce the impact of an incident but cannot prevent the
occurrence of an incident. Business continuity processes are addressed by the BCP and not the IRP.
Q. 13
Explanation: The first step should be to confirm whether the file is actually malicious and thereby
rule out a false positive. It is very important for a security manager to verify and validate the incident
before any containment action is taken. Once the incident has been confirmed, the next step is to
isolate the file. The other options are subsequent steps.
Q. 14
Explanation: Generally, the information security response is handled by the information security
manager and they should ensure that the team members consist of individuals with the requisite
knowledge and experience to handle incidents.
Q. 15
Explanation: The first step should be to confirm the incident to rule out any false positives. It is very
important for the security manager to verify and validate any incident before containment action is
taken. Once the incident has been confirmed, the file can be isolated. The other options are
subsequent steps.
Q. 16
Explanation: The data owner should be notified first as they will be in the best position to determine
the impact of the security breach. The data owner will then coordinate with the computer incident
response team for further action. The other options are to be notified later, as required by the incident
management policy.
Q. 17
Q. 18
Explanation: The main objective is to ensure that incidents are closed by taking appropriate
corrective actions as per the business requirements. A review by management helps align the security
policy with the business objectives. The other options are not the objectives of a management review.
Q. 19
Explanation: The incident response policy and procedure will have a defined escalation procedure
and timelines for each activity. If an activity is not completed within the defined timeline, then it
should be escalated to the next level.
Q. 20
Explanation: The two most important aspects for the timely identification of incidents are frequent
security awareness training for end users and a well-defined communication plan. A well-defined and
structured communication plan facilitates the information flow from the end user to senior
management in a time-bound manner. In this manner, incidents can be recognized, declared, and
appropriately addressed. An IDS will not be able to address non-technical incidents. Audits are
generally detective in nature and may not identify incidents in a timely manner. Reviews of network
logs will help to address only network-related incidents.
Q. 1
Explanation: Senior management is in the best position to understand and adopt the strategy that is
the most beneficial for the organization's continuity. A BCP is primarily based on the SDO of the
management. A strategy to cover all applications is not practical. If the objective of senior
management is achieved, they will definitely support the budget for business continuity processes
and alternative sites.
Q. 2
Explanation: While the goal of a BCP is to prevent and mitigate incidents, the goal of a DRP is to
restore operations if business operations are down due to an incident. Developing an RTO directly
relates to business continuity whereas the other options are more related to infrastructure disaster
recovery.
Q. 3
Explanation: The MTO is the maximum period of time that an organization can operate from an
alternative site. Various factors affect the MTO such as resource availability, location availability, raw
material availability, or electric power availability at the alternative site. SDOs and operational
capabilities should have been addressed when considering the available resources for the alternative
site.
Q. 4
Explanation: The RPO is the level of acceptable data loss. Whenever a database is corrupted, the
recovery process recovers only the completed transactions, and any incomplete transactions are rolled
back. This is known as before image processing. The extent of system downtime is referred to as the
RTO.
Q. 5
Explanation: A BIA is conducted to determine the critical processes of the organization and to help
decide the recovery strategy during a disaster.
Q. 6
Explanation: In a reciprocal arrangement, two organizations with similar capabilities and processing
capacities agree to provide support to one another in the event of an emergency. Reciprocal
agreements are not considered very reliable. They pose many challenges, such as both organizations
having different processing capabilities, difficulties in testing the plan, keeping the plan up to date,
and so on.
Q. 7
Explanation: The RPO is best determined by the business process owner, that is, the chief operating
officer. The chief operating officer has adequate knowledge to make this decision.
Q. 8
Explanation: The RPO is a measure of the user's tolerance to data loss. In other words, the recovery
point objective is the extent of acceptable data loss. For example, an RPO of 2 hours indicates that an
organization will not be overly impacted if it loses data for up to 2 hours.
Q. 9
Explanation: The business process owner is in the best position to determine the impact of the
unavailability of their system or processes and the appropriate recovery time and cost estimates
accordingly.
Q. 10
Explanation: The best method is to conduct tests on a periodic basis and determine whether the plan
supports the requirements of the business. The other options are not as effective.
Q. 11
Explanation: When selecting an alternative recovery site, it is of utmost importance to consider the
proximity of the site to hazards. A recovery site should have an appropriate distance from potential
hazards such as bodies of water, chemical factories, or other locations that could cause significant
risk to the recovery site. A recovery site should also be away from the primary site so that both are
not subject to the same environmental events.
Q. 12
Q. 13
Answer: A. The primary and offsite facilities should not be subject to the same environmental threats
Explanation: An offsite facility should be away from the primary site so that both are not subject to
the same environmental events. In the event of natural calamities, both sites would be impacted if
located in close proximity.
Q. 14
Explanation: The RTO is the amount of time required to restore a system. Normal functioning may
occur significantly later than the RTO. The RTO is the minimum acceptable operational level and is
generally lower than normal operations.
Q. 15
Answer: A. Test results show that the recovery time objective was not exceeded
Explanation: The RTO is the extent of acceptable system downtime. A system should be restored
within the RTO. The RTO is an important element of a BCP. If the RTO is achieved during testing, it
indicates that the BCP objectives have been achieved. Conducting BCP tests and assigning asset
ownership are not the core objectives of a BCP.
Q. 16
Answer: B. Adequate distance between the primary site and offsite facility so that the same disaster
does not simultaneously impact both
Explanation: Offsite facilities should be away from primary sites so that both cannot be subject to
the same environmental events. In the event of natural disasters, both sites would be impacted if
located in close proximity. The other options are secondary factors.
Q. 17
Explanation: The RTO is the length of time required to restore the system to a service level
acceptable to the organization.
Q. 18
Explanation: If an organization can establish an end-to-end transaction flow from the offsite facility,
then it can be validated that the key business processes are available at the offsite location. The
achievement of the RPO and staff requirements does not indicate the availability of the required
support and processes at the offsite location.
Q. 19
Explanation: BIA is a process used to determine the critical processes of an organization and,
accordingly, decide the priority level and recovery strategy during a disaster.
Q. 20
Answer: A. Conducting periodic and event-driven business impact analyses to determine the
business needs
Explanation: This situation could have been controlled if the organization had a practice of
conducting a BIA on a periodic basis and also when triggered by certain events (such as the purchase of a
new system). This helps to update the recovery strategy to meet current business requirements.
Q. 1
Answer: D. Fidelity insurance covers any losses suffered due to dishonesty or fraud by employees
Explanation: Fidelity insurance provides protection against business losses caused due to employee
dishonesty, theft, or fraud.
Q. 2
Explanation: Business interruption insurance is the best way to compensate for any loss incurred due
to business disruptions. The other options are focused on the restoration of services as early as
possible to minimize the downtime costs. However, they cannot compensate for losses that have
occurred already.
Q. 1
Explanation: The severity of an incident is best determined based on the level of impact on the
organization. A manager from the affected operational areas will be in the best position to determine
the impact. Past incidents and benchmarking will not give accurate impact estimates. Valuation is
based on the impact on the business as a whole and not only on asset value.
Q. 2
Explanation: In the detection and analysis phase, the emphasis is on the identification and detailed
analysis of the incident. The following activities are carried out in the identification phase:
Determining whether the reported incident is valid
Determining the severity of the incident and following the escalation process
Option A refers to the containment phase, Option B is eradication, and Option D is post-incident
review.
Q. 3
Explanation: Triage refers to the process of deciding the order of treatment based on urgency. It is
very important to prioritize the incident on the basis of its possible impact. Triage provides a
snapshot of the current status of all incidents reported to assign resources in accordance with
criticality.
Q. 1
Answer: C. The critical business processes are recovered and duplicated within the defined
timeframe
Explanation: For the success of a recovery test, it is very important to ensure that all critical
processes are successfully recovered and reproduced to support the business functions. This should
be done within the defined timeframe. The other options do not directly indicate the success of the
test.
Q. 2
Answer: A. All data and applications should be erased from the devices of the service provider
Explanation: It is of utmost importance to ensure the security of organizational data. After the
completion of the test, all data and applications should be erased from the devices of the service
provider. The other options are not as significant.
Q. 3
Answer: B. Periodically testing and improving the plan from the lessons learned
Explanation: Periodic testing will help the manager understand the capability of the plan. Any
deficiency noted during the test should be immediately addressed. This will help improve the
effectiveness of the plan. The other options are not as significant.
Q. 4
Explanation: A full interruption test provides the best assurance to the security manager because it
comes closest to an actual disaster. The primary site is completely shut down and operations are
carried out from the recovery site as per the DRP.
Q. 5
Explanation: The best indicator for incident risk management is a detailed and structured plan that is
tested at periodic intervals. The other options are not as effective.
Q. 6
Explanation: Out of all the above tests, a full interruption test is considered to be the most effective
to determine the readiness of the BCP and DRP. However, in a full interruption test, business
operations are impacted. In a simulation test, a roleplay is prepared for a disaster scenario and the
adequacy of the DRP is determined. A simulation test is more effective compared to the checklist or
walk-through tests.
Q. 7
Explanation: Periodic testing of the IRP helps to determine its effectiveness and identify its
shortcomings. It helps to improve the plan by plugging deficiencies. The other options are good
controls but are not as effective.
Q. 8
Explanation: Periodic testing of the DRP will help to determine its effectiveness and identify
whether it supports the current business processes and objectives. It helps to improve the plan by
plugging deficiencies. The other options are good controls but are not as effective.
Q. 9
Explanation: Restoration testing helps to determine the capability of the organization to restore data
from the recovery site during a disaster. The success of a restoration test indicates that the
organization is quite capable of recovering from the disaster as data drives the majority of business
processes. The other options will not be meaningful if the recovery of data is questionable.
Q. 10
Explanation: Out of all the above tests, a full interruption test is considered the most effective to
determine the readiness of the BCP and DRP. However, full interruption tests impact business
operations. In both parallel tests and simulation tests, normal business operations are not impacted. In
a parallel test, the recovery site is activated whereas in a simulation test, the recovery site is not
activated. When the objective of the test is to not disturb the normal business operations, a parallel
test is most effective followed by a simulation test.
Q. 11
Answer: D. In a parallel test, the recovery site is brought to operational readiness; this is not done in
a simulation test
Explanation: The difference between a parallel test and a simulation test is that in a parallel test, the
recovery site is activated, whereas in a simulation test, the recovery site is not activated. In both tests,
a walk-through is performed and fictitious scenarios are used. Neither test impacts normal business
operations. When the objective of the test is not to disturb normal business operations, a parallel test
is considered the most effective followed by a simulation test.
Q. 12
Answer: D. The aggregate recovery activities exceed the acceptable interruption window
Explanation: The AIW is based on the maximum time the organization can be down before major
financial impacts occur. If restoration does not occur within the AIW, then the test will not be
considered a success. The SDO is the minimum level of service to be continued at the recovery site.
If the level of service exceeds the expected SDO then this is a positive achievement. An old version
of the operating system might cause a delay but is not a major issue.
Q. 13
Answer: C. It poses the risk that the plan will not work when needed
Explanation: A major challenge is that an untested plan may not work as expected when a disaster
occurs. Testing of the plan helps to determine its effectiveness. The other options are secondary
concerns.
Q. 14
Explanation: The most important factor for the success of the test is active participation by business
management. Business process owners have a thorough understanding of processes and recovery
priorities. To conduct a test, sufficient resources are required, which may not be possible without
management support. The other options are secondary concerns.
Revision Questions
Q.1
Explanation: Containment means taking action to prevent the expansion of an incident. Incident
response procedures primarily focus on containing the incident and minimizing damage. The other
options also finally lead to minimizing damage.
Q.2
Explanation: The main objective of incident management is to minimize the impact and damage to
the organization. Containment, root cause analysis, and eradication are steps used to minimize
damage.
Q.3
Answer: D. Determining the category of the incident based on its likelihood and impact
Explanation: The first step is to determine the various categories of incidents based on their
likelihood and impact. Based on the categorization, the other options, such as turnaround time,
escalation process, and required resources, can be determined.
Q.4
Explanation: The main goal of an incident management process is to restrict incidents from growing
into problems and problems growing into disasters. The restoration of disrupted processes is the
objective of a disaster recovery procedure.
Q.5
Q.6
Answer: A. To determine whether a clear incident definition and criteria for severity exists
Q.7
Q.8
Explanation: In a risk-based approach, the focus is on high-risk events. A perpetrator may take
advantage of this and concentrate on exploiting low-risk areas multiple times. Even though the
impact will be small per incident, the accumulated damage may be much higher. Hence, it is also
important to review the possibility of repeated occurrences of low-risk events.
Q.9
Explanation: Containment means taking action to prevent the expansion of an incident. Incident
response procedures primarily focus on containing the incident and minimizing damage.
Disconnecting the server is the first part of the containment process. The other options are subsequent
steps.
Q.10
Explanation: The objective of an incident management plan is to not only recover from an incident
that has already occurred but to also take action to prevent future incidents. An incident management
plan should include a proactive security assessment to improve processes and reduce the chances of
occurrences of incidents. BCPs and DRPs concentrate on activities to deal with business interruptions
due to disasters. A BIA determines the critical processes of the organization.
Q.11
Explanation: The business impact is best determined by knowing the criticality of the affected
system. The other options will not help to determine the impact.
Q.12
Answer: A. Frequent testing of the plan and a dedicated team to provide oversight
Explanation: Testing the plan will help to understand the service provider's capability to address
incidents. Also, it is important to have an oversight team to monitor the service provider's activities.
Audit, structured communication channels, and documented plans are also important aspects, but in
the absence of a tested plan, it is difficult to determine the service provider's capabilities.
Q.13
Explanation: An incident response procedure should support the SDO. The SDO is the extent of
service and operational capability to be maintained during an incident. The other options are not as
significant.
Q.14
Q.15
Answer: B. Conduct a fresh business impact analysis and update the plan
Explanation: Generally, the MTO should be as long as the AIW. However, without conducting a
BIA there is no way to determine whether it is the MTO or the AIW that is incorrect. Based on a
fresh BIA, the AIW can be derived. The AIW is the maximum period of time for which normal
operations of the organization can be down. After this point, the organization will start to face major
financial difficulties threatening its existence. Based on the AIW, the MTO should be derived. The
MTO is the maximum period of time that an organization can operate from an alternative site.
Various factors affect the MTO, such as location availability, resource availability, raw material
availability, and electric power availability at the alternative site. All these constraints should be
addressed to ensure that the MTO is as long as the AIW.
Q.16
Q.17
Explanation: A BIA determines the critical processes of the organization. Incident response
activities are primarily focused on protecting the organization's critical processes. The other options
do not impact the prioritization of incident response activities.
Q.18
Explanation: A data restoration plan determines the amount of data that should be restored within a
predefined limit. The extent of data restoration is primarily based on the SDO. The SDO is the extent
of the service operational capability to be maintained from an alternative site. It is directly related to
business needs and is the level of service to be attained during disaster recovery. This is influenced by
business requirements.
Q.19
Explanation: Continuity can best be ensured if personnel who have to resume the key processes are
aware of the procedure. If procedural documents are not available at the alternative site, it will
hamper continuity arrangements. If key process documents are made available at the offsite location,
they can be utilized by employees operating there during a disaster. These documents will also
support employees who may not typically be involved in performing those functions. The other
options are not as significant.
Q.20
Explanation: The objective of incident escalation is to state how long a team member should wait
for an incident response and what to do if no such response occurs. Defined timeframes are important
steps of an effective escalation process. The communication process can also be part of the escalation
process, but a significant aspect is the timeframe. Determining the severity and impact is not part of
escalation.
Q.21
Explanation: Triage means deciding the order of treatment based on urgency. It is very important to
prioritize an incident based on its possible impact. Triage provides a snapshot of the current status of
all incidents reported so resources can be assigned in accordance with criticality. Triage does not
focus on already resolved incidents and does not determine the appropriateness of the post-incident
review procedure. Triage provides a view on both the tactical and strategic levels.
Q.22
Explanation: The objective of the escalation process is to highlight the issue to a higher authority in
accordance with the risk perceived and the expected impact of the incident. For example, minor
issues can be escalated to the manager, major issues can be escalated to the senior manager, and so
on. A risk and impact analysis will be the basis for determining what authority levels need to respond
to particular incidents.
Q.23
Q.24
Explanation: The readiness of the response team is best determined by the time between the
detection of the incident and the response provided. The time required to detect incidents determines
the control effectiveness. A response is more relevant compared to documentation and reporting to
senior management.
Q.25
Explanation: In the absence of a structured escalation process, there can be a substantial delay in
handling the incident. This can have a huge adverse impact on business processes. The IT team is
required to manage only incidents related to IT processes. The security policy is a high-level
statement and is not required to include the details of the key process owner. Unstructured reporting
is not a major concern compared to an inadequate escalation process.
Q.26
Explanation: A BIA is conducted to determine the business impact due to potential incidents. The
following are the key elements of a BIA:
Analysis of business loss due to processes or assets not being available
The other options do not directly consider the impact of the incident.
Q.27
Explanation: As all team members are new, it is advisable to conduct formal training. Formal
training involves a structured way of learning starting from basic concepts and moving to advanced-
level learning. This helps everyone, even if they are from different backgrounds. On-the-job training
and mentoring will be more relevant when the team is already established and has some senior and
experienced members.
Q.28
Explanation: The effectiveness of an incident response team is best determined by the closure of
incidents within the defined timeframe. Timely resolution helps to minimize the impact incidents
have. The other options, by themselves, do not provide any indication of effectiveness.
Q.29
Answer: A. Eradication
Q.30
Explanation: The RPO is the extent of acceptable data loss. For example, an RPO of 2 hours
indicates that an organization will not be overly impacted if it loses data for up to 2 hours. The RPO
is used to determine the various factors of a backup strategy such as frequency and type of backup
(that is, mirroring, tape backup, etc.).
Q.31
Explanation: The RTO is the extent of acceptable system downtime. It is primarily based on
business requirements. Generally, business requirements are inclusive of legal requirements.
Q.32
Explanation: The SDO is the level of service and operational capability to be maintained from an
alternative site. This is influenced by business requirements. Until the time a new offsite is available,
the SDO should be kept at a lower level. The other options are not directly impacted by the new
recovery site.
Q.33
Answer: B. Differences in the processing capacity load with the data center
Explanation: Due to a difference in capacity, the data center may not be able to handle the load of
the other data centers during a disaster. This is an area of major concern. The other options can be
addressed without much concern.
Q.34
Explanation: The area of most importance is the availability of the tool during a disaster. In the
absence of the tool, it will be extremely difficult to implement business continuity procedures. The
tool should be accessible from offsite locations also. The other options are not as serious.
Q.35
Explanation: The SDO is the level of service and operational capability to be maintained from an
alternative site. It is directly related to business needs and is the level of service to be attained during
disaster recovery. The other options are linked to SDO.
Q.36
Explanation: A structured walk-through helps to understand the capability of the IRP to support the
requirements of business continuity. The walk-through should include team members from the
incident response and business continuity teams. It will help to identify gaps or misalignments
between the plans.
Q.37
Explanation: The RPO is a measure of the user's tolerance to data loss. In other words, the RPO is
the level of acceptable data loss. For example, an RPO of two hours indicates that an organization
will not be overly impacted if it loses data for up to two hours.
The RPO is used to determine the various factors of the backup strategy such as frequency and type
of backup (i.e., mirroring, tape backup, etc.).
Q.38
Explanation: The RPO is a measure of the user's tolerance to data loss. It is the level of acceptable
data loss. For example, an RPO of two hours indicates that an organization will not be overly
impacted if it loses data for up to two hours. The RPO is used to determine the various factors of a
backup strategy such as frequency and type of backup (i.e., mirroring, tape backup, etc.). The extent
of acceptable system downtime is indicated by the RTO. The acceptable level of service is
determined by SDOs.
Q.39
Answer: A. A copy of the disaster recovery plan being maintained at the offsite facility
Explanation: If a copy of the DRP is not available during a disaster, business recovery will be
seriously impaired. The other options are generally addressed satisfactorily through the BCP.
Q.40
Explanation: The RTO refers to the time within which a system should be restored. If data is not
available within the defined timeline then the system will not be restored in line with the RTO. In this
case, it is advisable to increase the RTO. The AIW is based on the maximum time the organization
can be down before major financial impacts occur. It cannot be adjusted. Adjusting the MTO or
decreasing the security budget will not have any effect on the situation.
Q.41
Answer: B. All equipment at the hot site is provided at the time of disaster but is not available on the
data center floor.
Explanation: A hot site is a site already equipped with the required equipment and one that can be
activated at any time. If equipment is not available on the floor then it does not meet the requirements
of a hot site. A hot site can be arranged in another city. Many commercial providers arrange shared
hot sites. Substitution with equivalent equipment is not a major concern.
Q.42
Explanation: In a reciprocal arrangement, two organizations with similar capabilities and processing
capacities agree to provide support to one another in the event of an emergency. If both organizations
have different infrastructure and capacities then they may not be able to support the other
organization properly in the event of a disaster. Recovery becomes difficult in such cases. This is an
area of major concern for a reciprocal arrangement. The other options will not have a major impact
on the recovery aspect.
Chapter 10: Incident Management Operations
Explanation: Continuous monitoring helps to identify abnormalities in real time. This will help an
information security manager take corrective action on an immediate basis and thereby control the
impact of the incident. The other options are not the prime objectives of continuous monitoring.
Q. 2
Explanation: The ability to stay calm and make appropriate decisions in stressful situations is the
most important attribute of an incident handler. Any decision made by an individual who is unable to
stay calm under pressure may not be in the best interests of the organization. The other options are
secondary attributes of an incident handling team.
Answer: B. Applications being exposed to new viruses during the intervening week
Explanation: As a prudent practice, virus signature files should be updated on a daily basis to
address the risk of new viruses. In this case, files are updated every week, which makes the
application vulnerable to new viruses during the intervening week. The other options are secondary
concerns.
Q. 2
Answer: D. Rebuilding the server with original media and subsequent patches
Explanation: It is recommended to rebuild a server with original media and update it with
subsequent patches as a compromised server might have some hidden malicious files that cannot be
detected through mere scanning. Discontinuing the use of the server or using it as a honeypot may
not be a feasible option. There is no harm in using the server after rebuilding it with original media.
Q. 3
Answer: B. Check intrusion detection system logs and monitor for any active attacks
Explanation: An information security team should verify IDS logs and continue to monitor the
situation. The other options are not relevant at this point. Updating the IDS could cause further
temporary exposure until the time the updated version is properly tuned.
Q. 4
Explanation: A time server provides common time to all connected servers and applications. The
time element is very important during a forensic investigation. The other options will not directly
assist in log review and correlation.
Q. 5
Explanation: As the password was guessed, there will be multiple attempts to gain access. These
attempts are recorded in an invalid login log. Analyzing the logs for invalid login attempts can lead to
the discovery of this unauthorized activity. The other options will not directly give indications about
an unauthorized attempt. For a shared account, concurrent use is common, hence reviewing
concurrent logins will not be helpful.
Q. 6
Explanation: In the case of probing, it is advisable to monitor the situation and isolate the network
being probed. The other options are not warranted.
Q. 7
Explanation: Senior management is more interested in the impact caused by the breach as well as
the corrective actions taken to minimize the damage and prevent reoccurrence. The other options may
not be relevant at this point in time.
Q. 8
Explanation: The security manager is required to communicate the details of the incident along with
its severity and impact to management. Generally, communication to the regulator and insurance
company is handled by the legal and compliance team. Management will take the call for legal
proceedings and the security manager is not expected to directly report to legal.
Practice Question Set 3
Q. 1
Explanation: The most effective method to control damage due to a ransomware attack is to
implement a structured backup procedure. Generally, an organization adopts air gap backups. The air
gap technique is a backup and recovery strategy. It means that at any given time, a copy of the
organization's sensitive data is offline, disconnected, and inaccessible from the internet. This makes it
impossible for hackers to remotely access the data.
Q. 2
Explanation: Preserving evidence is the most crucial aspect while containing any incident. If
evidence is destroyed, it may not be possible to identify the attacker or to determine the root cause of
the incident. Root cause analysis is not conducted before containment. Meeting the recovery time
objective (RTO) should not be at the cost of evidence. Informing senior management is not as
important as preserving evidence.
Q. 3
Explanation: Preserving evidence is the most crucial aspect while containing any incident. If the
evidence is destroyed, it may not be possible to identify the attacker or to determine the root cause of
the incident. Meeting the RTO should not come at the cost of evidence. The other options are not as
significant.
Q. 4
Explanation: The first step should be to block all traffic moving to the attacker's server. This should
be done immediately. Containment will limit the damage. The other options are subsequent steps.
Q. 5
Answer: A. To isolate the systems that are affected from the network
Explanation: In the given situation, the first step is to contain the impact of the incident by isolating
the affected computers. Ransomware spreads quickly and if not contained can destroy more systems.
The other options are subsequent steps.
Practice Question Set 4
Q. 1
Answer: A. The detailed process on when and how to communicate with stakeholders
Explanation: The primary objective of a communication plan is to educate employees on their roles
and responsibilities with respect to the communication process. It includes processes such as who
should authorize the communication, who should communicate, how to communicate, whom to
communicate with, and what to communicate. Having a structured communication process improves
the effectiveness of incident response during an incident. The other options may be part of the overall
communication process.
Q. 2
Explanation: The primary objective of a communication plan is to educate employees on their roles
and responsibilities with respect to the communication process. It includes processes such as who
should authorize the communication, who should communicate, how to communicate, whom to
communicate with, and what to communicate. Having a structured communication process improves
the effectiveness of incident response during an incident. Compliance with laws and regulations and
providing updates on status to management are secondary aspects. Having a communication plan
does not directly impact the security posture of the organization.
Q. 3
Explanation: The primary goal of a communication plan is to educate employees on their roles and
responsibilities with respect to the communication process. It includes processes such as who should
authorize the communication, who should communicate, how to communicate, whom to
communicate with, and what to communicate. Having a structured communication process can
improve the effectiveness of incident response during an incident.
Explanation: The before image is a copy of the data made before the disruption. It is the point from
which data is corrupted or not available. To get the database updated, data processed after this point
should be restored. The other options will not provide an updated and correct database.
Q. 2
Explanation: The RTO is the extent of acceptable system downtime. After this time, the system
should be up and functioning. An RTO can be set as per the service delivery objective (SDO) or at
the level of normal business transactions. For example, a banking system is required to be live and
available 24 hours per day. This is normal business. The service delivery objective is 8 hours per day
(i.e., 8 hours per day is a must for the survival of the business). It will take 2 days to make the system
available for 8 hours and 5 days to make the system available for 24 hours.
If the bank sets its RTO to achieve its SDO, its RTO is 2 days. If the bank sets its RTO to achieve full
normal transactions, its RTO is 5 days.
Q. 3
Answer: B. Scanning the entire network and systems to remove and clean up any malware
Explanation: The objective of eradication is to identify and correct the root cause that led to the
incident. Once containment efforts have been implemented successfully, eradication should be
appropriately planned and performed. The following are some of the activities performed during
eradication:
Root cause analysis
Option A is containment. Option C is the recovery phase. Option D is the post-incident review.
Q. 4
Explanation: The objective of the containment process is to stop the spread of the incident. The
phase after containment is eradication which has the objective of identifying and correcting the root
cause that led to the incident. Once containment efforts have been implemented successfully,
eradication should be appropriately planned and performed. The following are some activities
performed during eradication:
Root cause analysis
Scanning the system to determine whether any artifacts are still left unnoticed
Practice Question Set 6
Q. 1
Answer: D. Implementing a security information and event management (SIEM) system to automate
log analysis
Explanation: SIEMs help to identify incidents through log analysis on the basis of predefined rules.
SIEMs can provide information on policy compliance as well as incident monitoring and other
capabilities. If properly deployed, configured, and tuned, a SIEM substantially reduces the time needed
for the detection of incidents compared to manual log reviews. The other options are not as effective.
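The invalid-login analysis described for Q.5 of the earlier set and the predefined-rule log analysis a SIEM performs (above) come down to the same mechanism: parse the log, count events of interest per account and source within a time window, and alert when a threshold is crossed. The following is an added example of that rule logic, not code from the book or any SIEM product; the syslog-style lines, the threshold of five failures and the one-minute window are constructed for illustration.

```python
"""Rule-based log analysis of the kind a SIEM performs: count failed logins
per (account, source) within a sliding time window and raise an alert when a
threshold is reached.  Added example; log lines and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a syslog-like format (not from the page).
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth sshd[101]: Failed password for svc_backup from 10.0.0.7
2024-03-01T09:00:03 auth sshd[101]: Failed password for svc_backup from 10.0.0.7
2024-03-01T09:00:04 auth sshd[101]: Failed password for svc_backup from 10.0.0.7
2024-03-01T09:00:06 auth sshd[101]: Failed password for svc_backup from 10.0.0.7
2024-03-01T09:00:08 auth sshd[101]: Failed password for svc_backup from 10.0.0.7
2024-03-01T09:00:10 auth sshd[101]: Accepted password for svc_backup from 10.0.0.7
2024-03-01T09:05:00 auth sshd[102]: Failed password for alice from 10.0.0.9
2024-03-01T09:30:00 auth sshd[103]: Failed password for alice from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect_failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per (user, src) whose failed logins reach `threshold`
    within `window`.  A success shortly after the burst is flagged too, since
    that is the pattern of a guessed password rather than a forgotten one."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"user": ev["user"], "src": ev["src"],
                               "failures": len(q), "first": q[0], "last": ev["ts"],
                               "followed_by_success": False})
        else:  # Accepted
            for a in alerts:
                if ((a["user"], a["src"]) == key and not a["followed_by_success"]
                        and ev["ts"] - a["last"] <= window):
                    a["followed_by_success"] = True
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_LOG):
        print(alert)
```

In the constructed sample the `svc_backup` account shows five failures in seven seconds followed by a success, which the rule reports; `alice` has two failures twenty-five minutes apart and stays below the threshold. Tuning the threshold and window per account type is the "properly tuned" part the explanation refers to, and is where most of the false-positive work lies.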
Q. 2
Explanation: An EDR is an advanced solution that integrates the functions of an antivirus, a firewall,
whitelisting tools, monitoring tools, and so on. In addition to file analysis and threat detection, EDR
solutions have inbuilt machine learning capabilities to perform forensic analysis and identify
emerging threats and suspicious activities. The other options are secondary aspects.
Q. 3
Explanation: After successful containment and eradication of an incident, the next phase is recovery.
The objective of the recovery phase is to ensure that the business is brought back to its original state
by restoring the impacted systems.
Answer: A. To have an independent and objective review of the root cause of the incident
Explanation: It is always advisable to involve a third party in a post-incident review to avoid any
conflict of interest. The involvement of a third party will help the organization gain an independent
and objective review of the cause of the incident. Involving a third party will generally increase the
cost. The availability of expert service is one of the advantages but not a prime factor of involving a
third party. Lessons learned can be identified through an in-house team as well.
Q. 2
Answer: D. The expertise of the investigators
Explanation: Forensic investigation is the process of gathering and analyzing all crime-related
evidence to conclude an event. Investigators analyze the hard drives, computers, or other technology
to establish how a crime took place. The most important element of forensic investigation is the
expertise of the employees performing the investigation. The other options are secondary aspects.
The involvement of legal experts depends on the nature of the investigation.
Q. 3
Explanation: Forensic investigation is the process of gathering and analyzing all crime-related
evidence in order to conclude an event. Evidence will be accepted in legal proceedings only if it is
proved that the integrity of the evidence has not been compromised. Hence, it is of utmost
importance that the evidence is handled only by a qualified person. An end user is not qualified to
take an image copy. Evidence can be stored anywhere provided the appropriate controls are in place
to safeguard its integrity. The involvement of law enforcement is not mandatory while collecting
evidence.
Q. 4
Explanation: Chain of custody is a legal term referring to the order and manner in which evidence is
handled to ensure the integrity of the evidence and its admissibility in a court of law. The first step
should be to determine and safeguard the integrity of the hard drive. The other options are important
steps but must be completed after the chain of custody is established.
Q. 5
Explanation: The objective of a post-incident review is to learn from each incident and improve the
organization's response and recovery procedures. Lessons learned during incident management can
best be used to inform the overall improvement of the security posture of the organization as well as
the incident management process. The other options are secondary aspects.
Q. 6
Explanation: The objective of a post-incident review is to learn from each incident and
improve the organization's response and recovery procedures. Lessons learned during incident
management can best be used to inform the overall improvement of the security posture of the
organization as well as the incident management process. The other options are secondary aspects.
Q. 7
Answer: B. Copying a bit-by-bit image from the original media to new media
Explanation: The first step is to create a copy of the original media by copying its bit-by-bit image
into new media. This is very important to ensure that all analysis is performed on the copy drive and
not on the original drive. A simple backup may not be able to copy 100 percent of the data, such as
erased or deleted files and the data in the slack space. The other options are subsequent steps.
Q. 8
Explanation: Chain of custody is a legal term referring to the order and manner in which evidence is
handled to ensure its integrity and its admissibility in a court of law. The first step should be to
determine and safeguard the integrity of the hard drive. The other options are secondary aspects.
Q. 9
Explanation: Chain of custody is a legal term referring to the order and manner in which evidence is
handled to ensure the integrity of the evidence and its admissibility in a court of law. The most
important aspect is to determine the integrity of the evidence. The other options are secondary
aspects.
Q. 10
Explanation: The first step should be to determine the status of the system in terms of damage and
other impacts. This status will help the security manager determine the subsequent course of action.
Penetration testing and notifying law enforcement are subsequent actions. Isolating the firewall after
the incident will not provide any benefit.
Q. 11
Answer: B. The suspected hard drive was kept in a tape library for further analysis
Explanation: In cases where a hard drive is stored in a tape library, the chain of custody cannot be
verified as many individuals would have access to the library. It is not mandatory to remove the disk
in the presence of the law enforcement agency. Storing the hard drive in a safe and handing it over to
an authorized investigator does not violate the chain of custody.
Q. 12
Explanation: The next step should be to take an image copy of the media. An analysis should be
performed on the copy and not on the original media. Preserving the evidence and maintaining the
chain of custody are very important factors to ensure legal admissibility. Documentation and
notification to law enforcement are subsequent steps. Scrapping the server will result in the destruction
of the evidence.
Q. 13
Q. 14
Explanation: Analysis should not be conducted on the original affected server. This may impact the
integrity of the evidence. Analysis should be performed on a bit-level copy of the server. A bit-level
copy image supports the integrity and quality of forensic evidence in a way that is admissible in a
court of law. The other options will not provide a quality, exact image for investigative work.
Q. 15
Explanation: The objective of a post-incident review is to learn from each incident and improve the
organization's response and recovery procedure. Lessons learned during the incident management
process can best be used to inform the overall improvement of the security posture of the
organization as well as the incident management process. The other options are secondary aspects.
Q. 16
Explanation: The admissibility of evidence in legal proceedings depends on what processes are used
to collect, analyze, and preserve the evidence. Proven forensic processes help with the admissibility
of evidence.
Q. 17
Answer: B. Locating the evidence and preserving the integrity of the evidence
Explanation: The priority should be locating the electronic evidence and preserving its integrity. The
other options are secondary aspects.
Q. 18
Explanation: It is always advisable to provide details that are preapproved by senior management.
Any unnecessary information may create havoc and impact the reputation of the organization.
Q. 19
Explanation: Disconnecting the power may result in the loss of data stored in the volatile memory.
This data may be critical for the investigation and for understanding the impact of the incident.
Disconnecting power will generally not impact the safety of hard drives or cause a loss of the data in
the server logs and will help contain the spread. However, instead of disconnecting, the computer
should be isolated from the network.
Q. 20
Explanation: Overwriting a file makes its data the most difficult to recover. Even highly
specialized tools may not be able to recover overwritten files in some instances. Deleted files that
have not been overwritten can easily be retrieved using forensic tools. Formatted disks and deleted
partition tables can also be recovered.
Explanation: One of the important challenges of implementing a SIEM is to reduce false positive
alerts. The most effective way to reduce false positive alerts is to develop business use cases.
Business use cases document the entire workflow, which provides the required results. In this
scenario, business cases would focus on the ability of a SIEM to analyze the logs for known threats.
The other options are components to develop the business case.
Q. 2
Q. 3
Explanation: A SIEM system collects data from various sources and analyzes it for possible security
events. The SIEM system can detect attacks by signature- or behavior-based (heuristics) analysis.
Further, SIEM has the capability to perform a granular assessment, can highlight developing trends,
and can alert the risk practitioner for an immediate response. SIEM is the most effective method to
determine aggregate risk from different sources. The other options are not as effective.
Revision Questions
Q.1
Q.2
Answer: D. It provides evidence of due diligence to support legal and liability claims
Explanation: A structured incident management process supports the legal and liability claims as
evidence is formally documented and handled in a methodical way. The other options are secondary
aspects.
Q.3
Explanation: It is most important for a security manager to understand the entry path of the virus.
The first step is to determine the entry path so that the investigation can identify which controls
failed. This loophole should be addressed at the earliest to prevent a reoccurrence.
Q.4
Answer: B. To determine the lessons learned
Explanation: On the basis of observations noted by staff involved in disaster recovery tests, the areas
of improvement can be determined. This will help improve the effectiveness of the test. The other
options are secondary aspects.
Q.5
Explanation: A structured communication and reporting process is an important aspect to ensure that
incidents are reported in a timely manner to the incident response team. Timely reporting will help in
a prompt response. An intrusion detection system may not be able to detect and report incidents that
are not related to IT. The capability of the help desk team is also an important aspect; however,
without reporting from end users, the help desk team will not be able to detect the incident.
Determining the severity level is a secondary aspect compared to the communication and reporting
process.
Q.6
Explanation: After a bit-by-bit copy is created, the next step is to generate the hash value for both
the original drive as well as the copied drive. A hash value is a fixed value derived from the content.
If the content changes, the hash value also changes. Both the hash values should be compared to
ensure that the copy is complete, correct, and accurate. Analysis should start only after ensuring that
the copy is an exact replica of the original. Tool validation should have happened prior to initiating
the copy. Encrypted images cannot be analyzed.
Q.7
Answer: C. Analysis
Explanation: The next step should be to analyze the vulnerability with respect to the possibility of
exposure, possible impact, applicable threat factors, and other relevant factors. The identification of a
vulnerability does not necessarily mean that an incident has occurred. Containment and eradication
are steps to be taken after the occurrence of an incident. Reporting is to be done after analysis.
Q.8
Explanation: If responsibilities for the service provider and the service receiver are defined and
documented, it will help in the smooth execution of processes. In the event of operational issues,
responsibility ownership will help to determine the course of action. The other options are secondary
aspects for resolving operational issues.
Q.9
Explanation: To the extent possible, forensic analysis should not be performed on original media. It
may impact the integrity of the evidence. The best way is to create a bit-by-bit image of the original
media. A bit-by-bit image will ensure that erased or deleted files and any data in slack space are
also copied. A logical copy will only copy the files and folders and may not copy the other necessary
data to properly examine the hard drive for forensic evidence. Encryption is not required.
Q.10
Explanation: Traceability of control refers to demonstrating who had control of the evidence
throughout the process. It indicates the proper chain of custody. The other options are secondary
aspects.
Q.11
Answer: B. To record the progress of incident response and document the exceptions
Explanation: The documentation of incident history helps to keep a record of the incident starting
from detection until closure. This helps to determine whether all related aspects of incident
management are performed appropriately as per the defined process and timelines. Exceptions, if any,
are discussed and deliberated and appropriate actions are taken. The other options are secondary
aspects.
Q.12
Explanation: A structured method of monitoring helps in the early detection of incidents. In the
absence of any monitoring process, an incident may go undetected and can have a major impact on
business processes. Monitoring will help to improve the identification of threats and vulnerabilities.
Implementing a monitoring process may increase the security budget. Monitoring does not impact
risk appetite. Compliance with the security policy is a secondary aspect.
Q.13
Answer: C. A hash value should be generated from both the original as well as the copy
Explanation: After a bit-by-bit copy is created, the next step is to generate hash values for both the
original drive as well as the copied drive. A hash value is a fixed value derived from the content. If
the content changes, the hash value also changes. Both the hash values should be compared to ensure
that the copy is complete, correct, and accurate. Analysis should start only after ensuring that the
copy is an exact replica of the original. It is not necessary to have the same disk model. It is good
practice to have two copies, but creating a hash value is more important. Restoration is not relevant
when evaluating evidence.
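Q.6 and Q.13 both describe the same step: after the bit-by-bit copy is made, hash the original and the copy and compare the digests before any analysis starts. The following is an added example of that verification, not code from the book; the "disk images" are constructed byte strings written to temporary files, and the tampered copy differs from the original in a single byte to show that the comparison catches even that.

```python
"""Verifying that a bit-by-bit forensic copy matches the original by hashing
both and comparing the digests.  Added example; the disk 'images' are
constructed byte strings written to temporary files, not real evidence."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time so a large image need not fit in memory


def hash_file(path, algorithm="sha256"):
    """Stream the file through the chosen hash and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copy(original_path, copy_path, algorithm="sha256"):
    """Return (match, original_digest, copy_digest).  Analysis should begin
    only when match is True; both digests belong in the chain-of-custody record."""
    original_digest = hash_file(original_path, algorithm)
    copy_digest = hash_file(copy_path, algorithm)
    return (original_digest == copy_digest, original_digest, copy_digest)


def _write(dirpath, name, data):
    path = os.path.join(dirpath, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Constructed scenario: one faithful copy and one copy with a single
    flipped byte, so the second comparison fails."""
    image = bytes(range(256)) * 4096           # constructed 1 MiB 'disk image'
    flip_at = 500000
    tampered = image[:flip_at] + bytes([image[flip_at] ^ 1]) + image[flip_at + 1:]
    with tempfile.TemporaryDirectory() as d:
        original = _write(d, "evidence.dd", image)
        good_copy = _write(d, "copy_ok.dd", image)
        bad_copy = _write(d, "copy_bad.dd", tampered)
        ok_match, orig_digest, _ = verify_copy(original, good_copy)
        bad_match, _, bad_digest = verify_copy(original, bad_copy)
    return {
        "faithful_copy_matches": ok_match,
        "tampered_copy_matches": bad_match,
        "original_digest": orig_digest,
        "tampered_digest": bad_digest,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The digests are computed from the media content alone, so they serve the purpose the explanation gives: a later re-hash that still matches the recorded value shows the image has not been altered since acquisition. Hashing with a second algorithm (for example `md5` alongside `sha256`) is common practice when a tool or court expects a particular one; the function above takes the algorithm name as a parameter for that reason.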
Q.14
Explanation: For legal proceedings, the integrity of evidence is of utmost importance. Hence, the
first step in such a situation is to prevent contamination or alteration of the evidence. The other
options are subsequent actions.