
BIRMINGHAM—MUMBAI

Certified Information Security Manager Exam Prep Guide

Second Edition
Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, without the prior written permission of the publisher,
except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information
presented. However, the information contained in this book is sold without warranty, either express or
implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for
any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and
products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot
guarantee the accuracy of this information.

Author: Hemang Doshi

Reviewers: Zeshan Ahmad, Pushkar Nagle, Kartik Sharma, and Wei Tschang

Publishing Product Manager: Anindya Sil

Acquisitions Editor: Sneha Shinde

Development Editor: Shubhra Mayuri

Production Editor: Shantanu Zagade


Editorial Board: Vijin Boricha, Megan Carlisle, Elliot Dallow, Ketan Giri, Heather Gopsill, Akin
Babu Joseph, Bridget Kenningham, Alex Mazonowicz, Monesh Mirpuri, Aaron Nash, Abhishek
Rane, Ankita Thakur, Nitesh Thakur, and Jonathan Wray

First published: November 2021

Second edition: December 2022

Production reference: 1141222

ISBN 978-1-80461-063-3

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

Packt.com

Subscribe to our online digital library for full access to over 7,000 books and videos, as well as
industry leading tools to help you plan your personal development and advance your career. For more
information, please visit our website.

Why subscribe?
Spend less time learning and more time coding with practical eBooks and videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Fully searchable for easy access to vital information

Copy and paste, print, and bookmark content


Did you know that Packt offers eBook versions of every book published, with PDF and ePub files
available? You can upgrade to the eBook version at packt.com and as a print book customer, you are
entitled to a discount on the eBook copy. Get in touch with us at [email protected] for
more details.

At www.packt.com, you can also read a collection of free technical articles, sign up for a range of
free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the author


Hemang Doshi has more than 15 years of experience in the field of system audit, IT risk and
compliance, internal audit, risk management, information security audit, third-party risk
management, and operational risk management. He has authored several books for certification such
as CISA, CRISC, CISM, DISA, and enterprise risk management.

About the reviewers


Zeshan Ahmad is a specialist in cybersecurity who has worked with Fortune 500 companies and
clients across banking and finance, life sciences, telecom, and technology sectors on application
security, project management, program design and maturity, risk management, and information
security governance.

He presently works as a senior analyst for a Fortune 100 financial services company and is certified
as a CISM, CISA and ISO 27001:2013 Lead Auditor.

Pushkar Nagle is an InfoSec professional with 12 years of experience, holding professional IT
certifications including CISM, CISSP, CEH, and CCNA. Pushkar attained a Licentiate Diploma in
Electronics from VJTI and a B.Engg. in Electronics from Mumbai University, and is currently pursuing an
M.Sc. in Cyber Security from the University of York. Pushkar has held several positions, including
penetration tester, vulnerability manager, risk management advisor, and application security
consultant. Pushkar has experience in handling large and complex penetration testing projects,
providing risk advisory to businesses, and assisting organizations in vulnerability remediation.

Pushkar has managed 500+ onsite/offsite Web Application pentests, Mobile applications,
Infrastructure, Build & Code reviews, and other risk-based security testing projects.

"I would like to thank my parents, Sanjay and Kavita, and my wife, Ashvini, for their motivation and
support."

– Pushkar

Kartik Sharma has over 18 years of experience in information technology. He holds certifications
like CISSP, CISM, CRISC, CDPSE, and Security certifications from all major cloud providers like
AWS, Google, Azure, Oracle, and Alibaba. He has contributed to the development of various
certification exams for ISC2, AWS, and Adobe, by serving as a subject matter expert (SME). He is
currently working as a Director, Solution Architect at Wiley. His areas of expertise include Cloud
Technologies, Cloud Security, Information Security, Data Privacy, Marketing Technologies, Identity
& Access Management, and Microservices.

He can be reached via LinkedIn at https://www.linkedin.com/in/kartiksharma84. You can find more
about him at his personal site http://www.kartiksharma.us.

"I would like to thank my wife, Punima Sharma, for her support, understanding, and patience during
the long hours of work. I would also like to thank my parents, siblings, and friends for their constant
encouragement."

– Kartik

Wei Tschang has more than 20 years of experience spanning various information technology
disciplines within the banking, legal, and manufacturing industries. He is a passionate member of the
ISACA Community, serving as a board member in various leadership roles for his local ISACA
chapter since 2013. He has received multiple volunteer awards for his contributions to the chapter. He
presented at conferences on cybersecurity topics. Wei holds the following certifications: CISA,
CISM, CGEIT, CISSP, CIPP, SSCP, and ABCP. Wei lives in New Jersey with his wife, daughter, and
golden retriever.

Packt is searching for authors like you


If you are interested in becoming an author for Packt, please visit authors.packtpub.com and apply
today. We have worked with thousands of developers and tech professionals, just like you, to help
them share their insight with the global tech community. You can make a general application, apply
for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Preface

Enterprise Governance
Importance of Information Security Governance
Desired Outcomes of Good Information Security Governance
Responsibility for Information Security Governance
Steps for Establishing Governance
Governance Framework
Top-Down and Bottom-Up Approaches
Key Aspects from the CISM Exam Perspective
A Note on the Practice Questions
Practice Question Set 1
Organizational Culture
Acceptable Usage Policy
Ethics Training
Practice Question Set 2
Legal, Regulatory, and Contractual Requirements
Key Aspects from the CISM Exam Perspective
Practice Question Set 3
Retention of Business Records
Electronic Discovery
Key Aspects from the CISM Exam Perspective
Practice Question Set 4
Organizational Structure
Board of Directors
Security Steering Committee
Reporting of Security Functions
Centralized vis-à-vis Decentralized Security Functioning
Practice Question Set 5
Information Security Roles and Responsibilities
RACI Chart
Board of Directors
Senior Management
Business Process Owners
Steering Committee
Chief Information Security Officer
Chief Operating Officer
Data Custodian
Communication Channel
Indicators of a Security Culture
Key Aspects from the CISM Exam Perspective
Practice Question Set 6
Maturity Model
Key Aspects from the CISM Exam Perspective
Practice Question Set 7
Governance of Third-Party Relationships
Information Security Governance Metrics
The Objective of Metrics
Technical Metrics vis-à-vis Governance-Level Metrics
Characteristics of Effective Metrics
Key Aspects from the CISM Exam Perspective
Practice Question Set 8
Summary
Revision Questions

Information Security Strategy


Information Security Strategy and Plan
Information Security Policies
Key Aspects from the CISM Exam Perspective
Practice Question Set 1
Information Governance Frameworks and Standards
The Objective of Information Security Governance
Information Security/Cybersecurity Management Frameworks
The IT Balanced Scorecard
Practice Question Set 2
Information Security Programs
Key Aspects from the CISM Exam Perspective
Practice Question Set 3
Enterprise Information Security Architecture
Challenges in Designing the Security Architecture
Benefits of Security Architecture
Key Aspects from the CISM Exam Perspective
Practice Question Set 4
Awareness and Education
Increasing the Effectiveness of Security Training
Key Aspects from the CISM Exam Perspective
Governance, Risk Management, and Compliance
Key Aspects from the CISM Exam Perspective
Practice Question Set 5
Senior Management Commitment
Information Security Investment
Strategic Alignment
Key Aspects from the CISM Exam Perspective
Practice Question Set 6
Business Case and Feasibility Study
Key Aspects from the CISM Exam Perspective
Practice Question Set 7
Summary
Revision Questions

Information Risk Assessment


Understanding Risk
Key Aspects from the CISM Exam Perspective
Practice Question Set 1
Differentiating Risk Identification, Risk Analysis, and Risk Evaluation
Risk Management
Risk Assessment
Risk Analysis
Risk Evaluation
Differentiating Risk Capacity, Risk Appetite, and Risk Tolerance
Key Aspects from the CISM Exam Perspective
Practice Question Set 2
Inherent Risk and Residual Risk
Inherent Risk
Residual Risk
Differentiating between Inherent Risk and Residual Risk
Key Aspects from the CISM Exam Perspective
Practice Question Set 3
Phases of Risk Management
Phases of Risk Management
The Outcome of a Risk Management Program
Key Aspects from the CISM Exam Perspective
Practice Question Set 4
Risk Awareness
Tailored Awareness Programs
Training Effectiveness
Awareness Training for Senior Management
Key Aspects from the CISM Exam Perspective
Practice Question Set 5
Risk Assessment
Phases of Risk Assessment
Key Aspects from the CISM Exam Perspective
Practice Question Set 6
Risk Identification
Risk Identification Process
Asset Identification
Asset Valuation
Aggregated and Cascading Risk
Key Aspects from the CISM Exam Perspective
Practice Question Set 7
Risk Analysis
Quantitative Risk Analysis
Qualitative Risk Analysis
Semi-Quantitative Risk Analysis
The Best Method for Risk Analysis
Annual Loss Expectancy
Value at Risk (VaR)
OCTAVE
Other Risk Analysis Methods
Key Aspects from the CISM Exam Perspective
Practice Question Set 8
Risk Evaluation
Risk Ranking
Practice Question Set 9
Risk Register
Practice Question Set 10
Emerging Risk and the Threat Landscape
Emerging Threats
Advanced Persistent Threats
Practice Question Set 11
Vulnerability and Control Deficiency
Key Aspects from the CISM Exam Perspective
Practice Question Set 12
Security Baselines
Risk Communication
Summary

Information Risk Response


Risk Treatment/Risk Response Options
Risk Mitigation
Risk Sharing/Transferring
Risk Avoidance
Risk Acceptance
Key Aspects from the CISM Exam Perspective
Practice Question Set 1
Risk Ownership and Accountability
Key Aspects from the CISM Exam Perspective
Practice Question Set 2
Risk Monitoring and Communication
Risk Reporting
Key Risk Indicators
Reporting Significant Changes in Risk
Key Aspects from the CISM Exam Perspective
Practice Question Set 3
Implementing Risk Management
Risk Management Process
Integrating Risk Management into Business Processes
Prioritization of Risk Response
Defining a Risk Management Framework
Defining the External and Internal Environment
Determining the Risk Management Context
Gap Analysis
Cost-Benefit Analysis
Other Kinds of Organizational Support
Key Aspects from the CISM Exam Perspective
Practice Question Set 4
Change Management
Objectives of Change Management
Approval from the System Owner
Regression Testing
Involvement of the Security Team
Preventive Controls
Key Aspects from the CISM Exam Perspective
Practice Question Set 5
Patch Management
Key Aspects from the CISM Exam Perspective
Practice Question Set 6
Operational Risk Management
Recovery Time Objective
Recovery Point Objective
Difference between RTO and RPO
Service Delivery Objective
Maximum Tolerable Outage
Allowable Interruption Window
Practice Question Set 7
Risk Management Integration with Life Cycle
System Development Life Cycle
Key Aspects from the CISM Exam Perspective
Practice Question Set 8
Summary
Revision Questions

Information Security Program Development


Information Security Program Overview
Ideal Outcomes of an Information Security Program
The Starting Point of a Security Program
Information Security Charter
Support from Senior Management
Defense in Depth
Key Aspects from the CISM Exam Perspective
Practice Question Set 1
Information Security Program Resources
Information Asset Identification and Classification
Benefits of Classification
Understanding the Steps Involved in Classification
Success Factors for the Effective Classification of Assets
Criticality, Sensitivity, and Impact
Assessment
Business Dependency Assessment
Risk Analysis
Business Interruptions
Key Aspects from the CISM Exam Perspective
Practice Question Set 2
Information Asset Valuation
Determining the Criticality of Assets
Key Aspects from the CISM Exam Perspective
Practice Question Set 3
Industry Standards and Frameworks for Information Security
Framework – Success Factors
Some Industry-Recognized Frameworks
Key Aspects from the CISM Exam Perspective
Practice Question Set 4
Information Security Policies, Procedures, and Guidelines
Reviewing and Updating Documents
Key Aspects from the CISM Exam Perspective
Practice Question Set 5
Defining an Information Security Program Roadmap
Gap Analysis
The Value of a Security Program
Integration of the Security Program with Other Departments
Key Aspects from the CISM Exam Perspective
Practice Question Set 6
Information Security Program Metrics
Objective of Metrics
Monitoring
Attributes of Effective Metrics
Information Security Objectives and Metrics
Useful Metrics for Management
Key Aspects from the CISM Exam Perspective
Practice Question Set 7
Summary
Revision Questions

Information Security Program Management


Information Security Control Design and Selection
Countermeasures
General Controls and Application-Level Controls
Control Categories
Failure Modes – Fail Closed or Fail Open
Continuous Monitoring
Key Aspects from the CISM Exam Perspective
Practice Question Set 1
Security Baseline Controls
Developing a Security Baseline
Key Aspects from the CISM Exam Perspective
Practice Question Set 2
Information Security Awareness and Training
Key Aspects from the CISM Exam Perspective
Practice Question Set 3
Management of External Services and Relationships
Evaluation Criteria for Outsourcing
Steps for Outsourcing
Outsourcing – Risk Reduction Options
Provisions for Outsourcing Contracts
The Security Manager's Role in Outsourcing
Service-Level Agreements
Right-to-Audit Clause
Impact of Privacy Laws on Outsourcing
Subcontracting/Fourth Party
Compliance Responsibility
Key Aspects from the CISM Exam Perspective
Practice Question Set 4
Documentation
Information Security Program Objectives
Key Aspects from the CISM Exam Perspective
Practice Question Set 5
Security Budget
Key Aspects from the CISM Exam Perspective
Practice Question Set 6
Security Program Management and Administrative Activities
Information Security Team
Acceptable Usage Policy
Documentation
Project Management
Program Budgeting
Plan – Do – Check – Act
Security Operations
Key Aspects from the CISM Exam Perspective
Practice Question Set 7
Privacy Laws
Practice Question Set 8
Cloud Computing
Cloud Computing – Deployment Models
Types of Cloud Services
Cloud Computing – the Security Manager's Role
Key Aspects from the CISM Exam Perspective
Practice Question Set 9
Summary
Revision Questions

Information Security Infrastructure and Architecture


Information Security Architecture
Key Aspects from the CISM Exam Perspective
Practice Question Set 1
Architecture Implementation
Key Aspects from the CISM Exam Perspective
Practice Question Set 2
Access Control
Mandatory Access Control
Discretionary Access Control
Role-Based Access Control
Degaussing (Demagnetizing)
Key Aspects from the CISM Exam Perspective
Practice Question Set 3
Virtual Private Networks
VPNs – Technical Aspects
Advantages of a VPN
VPN Security Risks
Virtual Desktop Environments
Key Aspects from the CISM Exam Perspective
Practice Question Set 4
Biometrics
Biometrics – Accuracy Measure
Biometric Sensitivity Tuning
Control over the Biometric Process
Types of Biometric Attacks
Practice Question Set 5
Factors of Authentication
Password Management
Key Aspects from the CISM Exam Perspective
Practice Question Set 6
Wireless Networks
Encryption
Enabling MAC Filtering
Disabling a Service Set Identifier
Disabling Dynamic Host Configuration Protocol
Common Attack Methods and Techniques for Wireless Networks
Key Aspects from the CISM Exam Perspective
Practice Question Set 7
Different Attack Methods for Information Security
Key Aspects from the CISM Exam Perspective
Practice Question Set 8
Summary
Revision Questions

Information Security Monitoring Tools and Techniques


Firewall Types and Implementations
Types of Firewalls
Types of Firewall Implementation
Placement of Firewalls
Source Routing
Firewall Types and Their Corresponding OSI Layers
Key Aspects from the CISM Exam Perspective
Practice Question Set 1
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems
Intrusion Prevention Systems
Difference between IDSs and IPSs
Honeypots and Honeynets
Key Aspects from the CISM Exam Perspective
Practice Question Set 2
Digital Signatures
Steps for Creating a Digital Signature
What is a Hash or a Message Digest?
Key Aspects from the CISM Exam Perspective
Practice Question Set 3
Public Key Infrastructure
PKI Terminology
Processes Involved in PKI
CA versus RA
Single Point of Failure
Functions of an RA
Key Aspects from the CISM Exam Perspective
Practice Question Set 4
Cryptography
Symmetric Encryption vis-à-vis Asymmetric Encryption
Encryption Keys
The Use of Keys for Different Objectives
Key Aspects from the CISM Exam Perspective
Practice Question Set 5
Penetration Testing
Aspects to be Covered within the Scope of Penetration Testing
Types of Penetration Tests
White Box Testing and Black Box Testing
Risks Associated with Penetration Testing
Key Aspects from the CISM Exam Perspective
Practice Question Set 6
Summary
Revision Questions

Incident Management Readiness


Incident Management and Incident Response Overview
The Relationship between Incident Management and Incident Response
The Objectives of Incident Management
Phases of the Incident Management Life Cycle
Incident Management, Business Continuity, and Disaster Recovery
Incident Management and the Service Delivery Objective
Maximum Tolerable Outage (MTO) and Allowable Interruption Window (AIW)
Key Aspects from the CISM Exam Perspective
Practice Question Set 1
Incident Management and Incident Response Plans
Elements of the IRP
Gap Analysis
Business Impact Analysis
Escalation Process
Help Desk/Service Desk Process for the Identification of Incidents
Incident Management and Response Teams
Incident Notification Process
Challenges in Developing an Incident Management Plan
Key Aspects from the CISM Exam Perspective
Practice Question Set 2
Business Continuity and Disaster Recovery Procedures
Phases of Recovery Planning
Recovery Sites
Continuity of Network Services
Key Aspects from the CISM Exam Perspective
Practice Question Set 3
Insurance
Key Aspects from the CISM Exam Perspective
Practice Question Set 4
Incident Classification/Categorization
Help/Service Desk Processes for Identifying Security Incidents
Practice Question Set 5
Testing Incident Response, BCP, and DRP
Types of Tests
Effectiveness of Tests
Category of Tests
Recovery Test Metrics
Success Criteria for Tests
Key Aspects from the CISM Exam Perspective
Practice Question Set 6
Summary
Revision Questions

Incident Management Operations


Incident Management Tools and Technologies
Incident Management Systems
Personnel
Audits
Outsourced Security Providers
Practice Question Set 1
Executing Response and Recovery Plans
Key Aspects from the CISM Exam Perspective
Practice Question Set 2
Incident Containment Methods
Practice Question Set 3
Incident Response Communications
Practice Question Set 4
Incident Eradication
Practice Question Set 5
Recovery
Practice Question Set 6
Post-Incident Activities and Investigations
Identifying the Root Cause and Taking Corrective Action
Documenting Events
Chain of Custody
Key Aspects from the CISM Exam Perspective
Practice Question Set 7
Incident Response Procedures
The Outcome of Incident Management
The Role of the Information Security Manager
Security Information and Event Management
Key Aspects from the CISM Exam Perspective
Practice Question Set 8
Incident Management Metrics and Indicators
Key Performance Indicators and Key Goal Indicators
Metrics for Incident Management
Reporting to Senior Management
The Current State of Incident Response Capabilities
History of Incidents
Threats and Vulnerabilities
Threats
Vulnerabilities
Summary
Revision Questions

Answers to Practice Questions


Preface
Apart from being well-versed in fundamentals and advanced information security concepts, a
candidate must be quick and accurate in solving questions to ace ISACA's Certified Information
Security Manager (CISM) certification. This book covers all four domains of the CISM Review
Manual and provides complete coverage of the exam content through comprehensive explanations of
core concepts.

With this book, you will unlock access to a powerful exam-prep platform that includes interactive
practice questions, exam tips, and flashcards. The platform perfectly complements the book and even
lets you clarify your doubts directly with the author.

This blended learning approach of shoring up key concepts through the book and applying them to
answer practice questions online is designed to help build your confidence in acing the CISM
certification.

By the end of this book, you will have everything you need to succeed in your information security
career and pass the CISM certification exam with this handy, on-the-job desktop reference guide.

Online Exam-Prep Tools


With this book, you will unlock unlimited access to our online exam-prep platform (Figure 0.1). This
is your place to practice everything you have learned in the book.
Figure 0.1: Online exam-prep platform

Sharpen your understanding of concepts with multiple sets of practice questions and interactive
flashcards, accessible from all modern web browsers. If you get stuck, you can raise your concerns
with the author directly through the website. Before doing that, make sure to go through the list of
resolved doubts as well. These are based on questions asked by other users. Finally, go through the
exam tips on the website to make sure you are well prepared.
Who This Book Is For
This book is ideal for IT risk professionals, IT auditors, CISOs, information security managers, and
risk management professionals.
What This Book Covers
This book is aligned with the CISM Review Manual (16th Edition; 2022) and encompasses the
following topics:

Chapter 1: Enterprise Governance provides an overview of information security governance as a
whole. It covers aspects such as the importance of information security governance, the role of
organizational culture in information security, and security governance metrics.

Chapter 2: Information Security Strategy discusses information security strategy and highlights areas
such as security strategy development, senior management's role in an organization's security
strategy, and the security architecture.

Chapter 3: Information Risk Assessment covers the basic aspects of risk management and deals with
the basic definition of risk and its components, risk identification, analysis and evaluation, and the
security baseline.

Chapter 4: Information Risk Response covers the tools and techniques used for risk response: namely,
risk avoidance, risk mitigation, risk transfer, and risk acceptance. The chapter also details change
management and risk management integration with the project life cycle.

Chapter 5: Information Security Program Development explores the different procedures and
techniques for developing an information security program and also deals with the information
security program roadmap.

Chapter 6: Information Security Program Management discusses the basics of information security
program management and covers information security program objectives, the security baseline, and
security awareness and training.

Chapter 7: Information Security Infrastructure and Architecture defines information security
architecture and explores how to implement it effectively.

Chapter 8: Information Security Monitoring Tools and Techniques emphasizes the importance of
monitoring tools and techniques and introduces some of the most commonly used and most useful
ones, such as intrusion detection systems, intrusion prevention systems, and firewalls.

Chapter 9: Incident Management Readiness sets out what it means to be ready for information
security incidents. It covers aspects such as incident classification, business impact analysis, and
insurance.

Chapter 10: Incident Management Operations covers the implementation of business continuity and
disaster recovery processes and also deals with post-incident review practices.

How to Get the Most Out of This Book


This book is directly aligned with the CISM Review Manual (16th Edition; 2022) from ISACA. It is
advisable to stick to the following steps when preparing for the CISM exam:

Step 1: Read this book from end to end.

Step 2: Go through ISACA's QAE book or database.

Step 3: Refer to ISACA's CISM Review Manual.

Step 4: Memorize key concepts using the flashcards on the website.

Step 5: Attempt the online practice question sets. Make a note of the concepts you are weak in,
revisit those in the book, and re-attempt the practice questions.

Step 6: Keep repeating the practice question sets till you are able to answer all the questions in each
practice set correctly within the time limit.

Step 7: Review exam tips on the website.

CISM aspirants will gain a lot of confidence if they approach their CISM preparation as per these
mentioned steps.

Recorded Lectures
This book is also available in video lecture format along with 200+ exam-oriented practice questions
on Udemy. Buyers of this book are entitled to 30% off on Hemang Doshi's recorded lectures. For a
discount coupon, please write to [email protected].

Requirements for the Online Content


The online content includes interactive elements like practice questions, flashcards, and exam tips.
For optimal experience, it is recommended that you use the latest version of a modern, desktop (or
mobile) web browser such as Edge, Chrome, Safari, or Firefox.

Instructions for Unlocking the Online Content


To unlock the online content, you will need to create an account on our exam-prep website using the
unique sign-up code provided in this book.

WHERE TO FIND THE SIGN-UP CODES


Visit any of the following pages in this book to find the sign-up link and the sign-up code: page 180, page 284, page 327,
or page 379. Open the sign-up link, make a note of the sign-up code, and go through the following steps.

1. Open the sign-up link. Once the page loads, enter your name and email address (1).

Figure 0.2: Enter your name and email address in the sign-up form

2. Create a strong alphanumeric password (2) (minimum 6 characters in length):


Figure 0.3: Create a strong password in the sign-up form

3. Enter the unique sign-up code (3). As mentioned in Step 1, the sign-up code can be found on any of the following pages: page
180, page 284, page 327, or page 379. Once you have entered the code, click the Sign Up button.

NOTE
You only need to input the sign-up code once. After your account is created, you will be able to access the website
using just your email address and password from any device.
Figure 0.4: Enter the unique sign-up code

4. Upon a successful sign-up, you will be redirected to the dashboard (see Figure 0.5).
Figure 0.5: Online exam-prep platform dashboard

Going forward, you will simply need to login using your email address and password.

NOTE
If you are facing issues signing up, reach out to [email protected].

Quick Access to the Website


If you have successfully signed up, it is recommended that you bookmark this link for quick access to
the website: https://packt.link/cismexamguidewebsite. Click the Login link on the top-right corner of
the page to open the login page. Use the credentials you created in Steps 2 and 3 of the Instructions
for Unlocking the Online Content section above.

Alternatively, you can scan the following QR code to open the website:

Figure 0.6: QR Code for the CISM online exam-prep platform


CISM Syllabus – 2022
The CISM exam content was updated on June 1, 2022. There are minor changes in domain
nomenclature and substantial changes in the weightage of each domain tested in the new exam. The
following table presents the domains and their corresponding weightage:

Earlier Domains (Applicable up to May 31, 2022)                 | Updated Domains (Applicable from June 1, 2022)
Information Security Governance (24%)                           | Information Security Governance (17%)
Information Risk Management (30%)                               | Information Security Risk Management (20%)
Information Security Program Development and Management (27%)  | Information Security Program (33%)
Information Security Incident Management (19%)                  | Incident Management (30%)

Figure 0.7: Previous and updated domains for CISM

Candidates who have based their studies so far on the previous weightings should take careful note of
the changes and adjust their preparations accordingly.

The CISM exam contains 150 questions and covers the 4 information security management areas
mentioned in the preceding table in Figure 0.7.

The following are the key topics that candidates will be tested on starting from June 1, 2022:

Number Key Domains and Topics

1 Information Security Governance

A Enterprise Governance

1A1 Organizational Culture

1A2 Legal, Regulatory, and Contractual Requirements

1A3 Organizational Structures, Roles, and Responsibilities


Number Key Domains and Topics

B Information Security Strategy

1B1 Information Security Strategy Development

1B2 Information Governance Frameworks and Standards

1B3 Strategic Planning (e.g., budgets, resources, and business case)

2 Information Security Risk Management

A Information Security Risk Assessment

2A1 Emerging Risk and Threat Landscape

2A2 Vulnerability and Control Deficiency Analysis

2A3 Risk Assessment and Analysis

B Information Security Risk Response

2B1 Risk Treatment/Risk Response Options

2B2 Risk and Control Ownership

2B3 Risk Monitoring and Reporting

3 Information Security Program

A Information Security Program Development

3A1 Information Security Program Resources (e.g., people, tools, and technologies)

3A2 Information Asset Identification and Classification

3A3 Industry Standards and Frameworks for Information Security


Number Key Domains and Topics

3A4 Information Security Policies, Procedures, and Guidelines

3A5 Information Security Program Metrics

B Information Security Program Management

3B1 Information Security Control Design and Selection

3B2 Information Security Control Implementation and Integrations

3B3 Information Security Control Testing and Evaluation

3B4 Information Security Awareness and Training

3B5 Management of External Services (e.g., providers, suppliers, third parties, and fourth parties)

3B6 Information Security Program Communications and Reporting

4 Incident Management

A Incident Management Readiness

4A1 Incident Response Plan

4A2 Business Impact Analysis (BIA)

4A3 Business Continuity Plan (BCP)

4A4 Disaster Recovery Plan (DRP)

4A5 Incident Classification/Categorization

4A6 Incident Management Training, Testing, and Evaluation

B Incident Management Operations

4B1 Incident Management Tools and Techniques

4B2 Incident Investigation and Evaluation

4B3 Incident Containment Methods

4B4 Incident Response Communications (e.g., reporting, notification, and escalation)

4B5 Incident Eradication and Recovery

4B6 Post-Incident Review Practices

Figure 0.8: Key CISM topics

Download a free PDF copy of this book


Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere? Is your eBook
purchase not compatible with the device of your choice?

Don't worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, and on any device. Search, copy, and paste code from your favorite
technical books directly into your application.

The perks don't stop there; you can get exclusive access to discounts, newsletters, and great free
content in your inbox daily.

Follow these simple steps to get the benefits:


1. Scan the QR code or visit the link below:
https://packt.link/free-ebook/9781804610633

2. Submit your proof of purchase.

3. That's it! We'll send your free PDF and other benefits to your email directly.

1

Enterprise Governance

ACCESSING THE ONLINE CONTENT
With this book, you get unlimited access to web-based CISM exam prep tools which include practice questions, flashcards,
exam tips, and more. To unlock the content, you'll need to create an account using your unique sign-up code provided with
this book. Refer to the Instructions for Unlocking the Online Content section in the Preface on how to do that.

If you've already created your account using those instructions, visit this link http://packt.link/cismexamguidewebsite or
scan the following QR code to quickly open the website. Once there, click the Login link in the top-right corner of the page
to access the content using your credentials.

Governance is an important aspect of the certified information security manager (CISM) exam. In
simple terms, governance means a set of policies, procedures, and standards used to monitor and
control an activity. Enterprise governance refers to policies, procedures, and standards put in place
to monitor an entire organization. Information security governance is a subset of overall enterprise
governance, and its objective is to monitor and control activities related to information security.

In this chapter, you will gain an overview of information security governance and understand the
impact of good governance on the effectiveness of information security projects.

You will learn about how organizational structure and culture impact information security governance
and details about the various roles and responsibilities of the security function. You will also be
introduced to the best practices for implementing information security governance.

This chapter will cover the following topics:


Importance of Information Security Governance

Organizational Culture

Legal, Regulatory, and Contractual Requirements

Retention of Business Records

Organizational Structure

Maturity Model

Governance of Third-Party Relationships

Information Security Governance Metrics

Importance of Information Security Governance


In simple terms, governance can be defined as a set of rules to direct, monitor, and control an
organization's activities. Governance can be implemented in the form of policies, standards, and
procedures. The information security governance model is primarily impacted by the complexity of
an organization's structure. An organization's structure includes its objectives, vision, mission, and
strategy, its functional units, product lines, hierarchy, and leadership structure. A review of the
organizational structure helps the security manager understand the roles and responsibilities involved
in information security governance, as discussed in the next section.

Information is one of the most important assets for any organization and its governance is mandated
by various laws and regulations. For these reasons, information security governance is of critical
importance.

Figure 1.1: Information security governance

Desired Outcomes of Good Information Security Governance

A well-structured information security governance model aims to achieve the following outcomes:

To ensure that security initiatives are aligned with the business strategy and that they support organizational objectives

To optimize security investments and ensure the high-value delivery of business processes

To monitor the security processes to ensure that security objectives are achieved

To integrate and align the activities of all assurance functions for effective and efficient security measures

To ensure that residual risks are well within acceptable limits, which gives management assurance

Responsibility for Information Security Governance


The responsibility for information security governance primarily resides with the board of directors,
senior management, and the steering committee. They are required to make security an important
part of governance by monitoring its key aspects. Information security governance is a subset of
enterprise governance.

Senior management is responsible for ensuring that security aspects are integrated with business
processes. The involvement of senior management and the steering committee in discussions and the
approval of security projects indicates that the management is committed to aspects relating to
security.

Generally, a steering committee consists of senior officials from different departments. The role of an
information security steering committee is to provide oversight of the organization's security
environment.

Steps for Establishing Governance


Governance is effective if it is established in a structured manner. A CISM aspirant should
understand the following steps for establishing security governance:
1. First, determine the objectives of the information security program. Most often, these objectives are derived from risk
management and the acceptable level of risk that the organization is willing to take. For example, an objective for a bank may be
that their system should always be available for customers – that is, there should be zero downtime. In this manner, information
security objectives must align with and be guided by the organization's business objectives.

2. Next, the information security manager develops a strategy and a set of requirements based on these objectives. The security
manager is required to conduct a gap analysis and identify the best strategy to move to the desired state of security from its current
state of security. The desired state of security is also termed the security objectives. This gap analysis becomes the basis for the
strategy.

3. The final step is to create the road map and identify specific actionable steps to achieve the security objectives. The security
manager needs to consider various factors, such as time limits, resource availability, security budget, and laws and regulations.

These specific actions are implemented by way of security policies, standards, and procedures.

Governance Framework

A governance framework is a structure or outline that supports the implementation of information
security strategies. It provides the best practices for a structured security program. Frameworks are
flexible structures that any organization can adopt as per their environment and requirements. COBIT
and ISO 27001 are both examples of widely accepted and implemented frameworks for security
governance.

As information security governance is a subset of the overall enterprise governance of an
organization, the same framework should be used for both enterprise governance and information
security governance. This ensures better integration between the two.

Top-Down and Bottom-Up Approaches


There are two possible approaches to governance: top-down and bottom-up.

In a top-down approach, policies, procedures, and goals are reviewed and approved by senior
management, hence policies and procedures are directly aligned with business objectives.

A bottom-up approach may not directly address management priorities. In a bottom-up approach,
operational level risks are given more importance.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: Which approach (that is, top-down or bottom-up) is more effective for governance?
Possible Answer: The effectiveness of governance is best ensured by a top-down approach. In a
top-down approach, policies, procedures, and goals are set by senior management, and hence policies
and procedures are directly aligned with business objectives. A bottom-up approach may not directly
address management priorities.

Question: What are the most important aspects of an information security strategy from a senior
management perspective?
Possible Answer: Business priorities, objectives, and goals.

Question: What is a governance framework?
Possible Answer: A governance framework is a structure that provides the outline to support
processes and methods.

Figure 1.2: Key aspects from the CISM exam perspective

A Note on the Practice Questions


Throughout this book, and within the CISM certification exam itself, more than one of the answers
may address the problem posed by the question. For that reason, it is very important to carefully read
the question and ensure you pick the answer that represents the most important element of the
solution.

Please also note, as ISACA recommends only those with "technical expertise and experience in IS/IT
security and control" seek CISM certification, that this book assumes some prior experience in the
field. With that in mind, you will face some questions intended to test your expected pre-existing
knowledge. Do not worry if you do not get these questions right the first time; full explanations are
given after every question to help you fill any gaps in your understanding.

NOTE
The answer key and explanations for all practice and revision questions for this chapter can be found via this link.

Practice Question Set 1


1. An information security manager has been asked to determine the effectiveness of the information security governance model.
Which of the following will help them decide whether the information security governance model is effective?

A. Security projects are discussed and approved by a steering committee

B. Security training is mandatory for all executive-level employees

C. Security training module is available on the intranet for all employees

D. Patches are tested before deployment


2. An information security manager is reviewing the information security governance model. The information security governance
model is primarily impacted by:

A. The number of workstations

B. The geographical spread of business units

C. The complexity of the organizational structure

D. The information security budget

3. Which of the following is the first step in implementing information security governance?

A. Employee training

B. The development of security policies

C. The development of security architecture

D. The availability of an incident management team

4. Which of the following factors primarily drives information security governance?

A. Technology requirements

B. Compliance requirements

C. The business strategy

D. Financial constraints

5. Which of the following is the responsibility of the information security governance steering committee?

A. To manage the information security team

B. To design content for security training

C. To prioritize information security projects

D. To provide access to critical systems

6. Which of the following is the first step of information security governance?

A. To design security procedures and guidelines

B. To develop a security baseline

C. To define the security strategy

D. To develop security policies

7. Which of the following is the most important factor for an information security governance program?

A. To align with the organization's business strategy

B. To derive from a globally accepted risk management framework

C. To be able to address regulatory compliance

D. To promote a risk-aware culture


8. Effective governance is best indicated by:

A. An approved security architecture

B. Certification from an international body

C. Frequent audits

D. An established risk management program

9. The effectiveness of governance is best ensured by which of the following?

A. The use of a bottom-up approach

B. Initiatives by the IT department

C. Compliance-oriented approach

D. The use of a top-down approach

10. What is the prime responsibility of the information security manager in the implementation of security governance?

A. To design and develop the security strategy

B. To allocate a budget for the security strategy

C. To review and approve the security strategy

D. To train the end users

11. What is the most important factor when developing information security governance?

A. To comply with industry benchmarks

B. To comply with the security budget

C. To obtain a consensus from business functions

D. To align with organizational goals

12. What is the most effective way to build an information security governance program?

A. To align the requirements of the business with an information security framework

B. To understand the objectives of the business units

C. To address regulatory requirements

D. To arrange security training for all managers

13. What is the main objective of information security governance?

A. To ensure the adequate protection of information assets

B. To provide assurance to the management about information security

C. To support complex IT infrastructure

D. To optimize the security strategy to support the business objectives


14. The security manager notices inconsistencies in the system configuration. What is the most likely reason for this?

A. Documented procedures are not available

B. Ineffective governance

C. Inadequate training

D. Inappropriate standards

15. What is an information security framework best described as?

A. A framework that provides detailed processes and methods

B. A framework that provides required outputs

C. A framework that provides structure and guidance

D. A framework that provides programming inputs

16. What is the main reason for integrating information security governance into business activities?

A. To allow the optimum utilization of security resources

B. To standardize processes

C. To support operational processes

D. To address operational risks

17. Which of the following is the most important attribute of an effective information security governance framework?

A. A well-defined organizational structure with necessary resources and defined responsibilities

B. The availability of the organization's policies and guidelines

C. Business objectives supporting the information security strategy

D. Security guidelines supporting regulatory requirements

18. What is the most effective method to use to develop an information security program?

A. A standard

B. A framework

C. A process

D. A model

Organizational Culture

The culture of an organization and its service provider is the most important factor that determines
the implementation of an information security program. An organization's culture influences its risk
appetite, that is, its willingness to take risks. This will have a significant influence on the design and
implementation of the information security program. A culture that favors taking risks will have a
different implementation approach compared to a culture that is risk averse.

Figure 1.3: Organizational culture

Cultural differences and their impact on data security are generally not considered during security
reviews. Different cultures have different perspectives on what information is considered sensitive
and how it should be handled, and these cultural practices may not be consistent with an
organization's requirements.

For some organizations, financial data is more important than privacy data. So, it is important to
determine whether the culture of the service provider is aligned with the culture of the organization.

Acceptable Usage Policy


An acceptable usage policy (AUP) generally includes rules for access controls, information
classification, incident reporting requirements, confidentiality requirements, email, and internet usage
requirements. All participants must understand which behaviors and acts are acceptable and which
are not. This maintains a risk-aware culture.

A well-defined and documented AUP helps spread awareness about the dos and don'ts of information
security.

It is essential that the AUP is conveyed to all users, and acknowledgment should be obtained from
the users that they have read and understood the AUP. For new users, an AUP should be part of their
induction training.

Ethics Training

The information security manager should also consider implementing periodic training on ethics.
Ethical training includes emphasizing moral principles that govern a person's behavior or the conduct
of an activity. It includes guidance on what the company considers legal and appropriate behavior.

Training on ethics is of utmost importance for employees engaged in sensitive activities, such as
monitoring user activities or accessing sensitive personal data.

Some examples of unethical behavior include improper influence on other employees or service
providers, use of corporate information or assets for private benefit, accepting gifts or bribes, and
multiple employments.

Acknowledgment should be obtained from employees on understanding ethical behavior and the
code of conduct and this should be retained as part of the employment records.

Practice Question Set 2


1. A newly appointed information security manager is reviewing the design and implementation of the information security program.
Which of the following elements will have a major influence on the design and implementation of the information security
program?

A. Types of vulnerabilities

B. The culture of the organization

C. The business objectives

D. The complexity of the business

2. Which of the following is the most important factor to consider while developing a control policy?

A. Protecting data

B. Protecting life

C. Protecting the business's reputation

D. Protecting the business objectives


3. Which of the following risks is most likely to be ignored during an onsite inspection of an offshore service provider?

A. Cultural differences

B. Security controls

C. The network security

D. The documented IT policy

4. What does an organization's risk appetite mostly depend on?

A. The threat landscape

B. The size of the information security team

C. The security strategy

D. The organization's culture

5. What factor has the greatest impact on the security strategy?

A. IT technology

B. System vulnerabilities

C. Network bandwidth

D. Organizational goals

6. What is the most important consideration when designing a security policy for a multi-national organization operating in different
countries?

A. The cost of implementation

B. The level of security awareness of the employees

C. The cultures of the different countries

D. The capability of the security tools

7. What is the most important factor in determining the acceptable level of organizational standards?

A. The current level of vulnerability

B. The risk appetite of the organization

C. IT policies and processes

D. The documented strategy

8. What is the most important factor for promoting a positive information security culture?

A. Monitoring by an audit committee

B. High budgets for security initiatives

C. Collaboration across business lines

D. Frequent information security audits


Legal, Regulatory, and Contractual Requirements

An information security manager should be cautious about adherence to laws and regulations. Laws
and regulations should be addressed to the extent that they impact the organization.

Processes should be in place to scan all new regulations and determine their applicability to the
organization.

The information security manager is required to determine the processes and activities that may be
impacted and whether existing controls are adequate to address any new regulations. If not, further
controls should be implemented to address the new regulations.

Departments affected by any new regulations are in the best position to determine the impact of new
regulatory requirements on their processes, as well as the best ways to address them.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: Who should determine the control processes for any new regulatory requirements?
Possible Answer: The affected department (as they are in the best position to determine the impact
of new regulatory requirements on their processes and the best way to address them).

Question: What is the first step of an information security manager who notices a new regulation
impacting one of the organization's processes?
Possible Answer: To determine the processes and activities that may be impacted, and to assess
whether existing controls meet the regulations.

Question: What is the major focus of privacy law?
Possible Answer: To protect identifiable personal data.

Question: Which factors have the greatest impact on the security strategy?
Possible Answer: Organizational goals and objectives.

Figure 1.4: Key aspects from the CISM exam perspective

Practice Question Set 3


1. An information security steering committee has approved the implementation of a bring your own device (BYOD) policy for
mobile devices. As an information security manager, what should your first step be?

A. To ask management to stop the BYOD policy implementation, stating the associated risk

B. To prepare a business case for the implementation of BYOD controls

C. To make the end users aware of BYOD risks

D. To determine the information security strategy for BYOD

2. New regulatory requirements impacting information security will mostly come from which of the following?

A. The chief legal officer

B. The chief audit officer

C. Affected departments

D. Senior management

3. Primarily, the requirements of an information security program are based on which of the following?

A. The IT policy

B. The desired outcomes

C. The management perceptions

D. The security strategy

4. Which of the following should be the first step of an information security manager who notices a new regulation impacting one of
the organization's processes?

A. To pass on responsibility to the process owner for compliance

B. To survey the industry practices

C. To assess whether existing controls meet the regulation

D. To update the IT security policy

5. Privacy laws are mainly focused on which of the following?

A. Big data analytics

B. Corporate data

C. Identity theft

D. Identifiable personal data

6. The information security manager notices a regulation that impacts the handling of sensitive data. Which of the following should
they do first?

A. Determine the processes and activities that may be impacted.

B. Present a risk treatment option to senior management.

C. Determine the cost of control.


D. Discuss the possible consequences with the process owner.

7. The information security manager should address laws and regulations in which way?

A. To the extent that they impact the organization

B. To meet the certification standards

C. To address the requirements of policies

D. To reduce the cost of compliance

8. What is the most important consideration for organizations involved in cross-border transactions?

A. The capability of the IT architecture

B. The evolving data protection regulations

C. The cost of network bandwidth

D. The incident management process

9. What should be the next step for the board of directors when they notice new regulations are impacting some of the organization's
processes?

A. Instruct the information security department to implement specific controls

B. Evaluate various solutions to address the new regulations

C. Require management to report on compliance

D. Evaluate the cost of implementing new controls

10. Which of the following factors is the most difficult to estimate?

A. Vulnerabilities in the system

B. Legal and regulatory requirements

C. Compliance timelines

D. The threat landscape

11. What should the next step be for an information security manager upon noticing new regulations impacting some of the
organization's processes?

A. To identify whether the current controls are adequate

B. To update the audit department about the new regulations

C. To present a business case to senior management

D. To implement the requirements of new regulations

Retention of Business Records


The information security manager should ensure that an adequate record retention policy is in place
and that this is followed throughout the organization. A record retention policy will specify what
types of data and documents are required to be preserved, and what must be destroyed. It also
specifies the number of years for which that data is required to be preserved.

Figure 1.5: Record retention

Record retention should primarily be based on the following two factors:


Business requirements

Legal requirements

If a record is required to be maintained for three years as per the business requirements, and for two
years from a legal perspective, then it should be maintained for three years.

Organizations generally design their record retention policy in line with the relevant laws and
regulations.
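The "longer of business and legal" rule above is easy to state but is usually applied across a whole inventory of record types and dates, so here is an added example (not code from the book) of a small retention-schedule evaluator. The record types, retention years, and sample records are constructed for illustration; the logic applies the rule from this section and refuses to mark a record for destruction when its type is missing from the schedule, sending it for review instead.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule for illustration (an assumption, not from the
# book): the years each record type must be kept by business need and by law.
RETENTION_SCHEDULE = {
    "customer_contract": {"business_years": 3, "legal_years": 2},
    "payroll": {"business_years": 5, "legal_years": 7},
    "marketing_draft": {"business_years": 1, "legal_years": 0},
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    created: date


def retention_years(record_type: str) -> int:
    """The retention period is the longer of the business and legal requirements,
    so the chapter's example (3 years business, 2 years legal) yields 3 years."""
    rule = RETENTION_SCHEDULE[record_type]
    return max(rule["business_years"], rule["legal_years"])


def retain_until(record: Record) -> date:
    """Earliest date on which the record may be destroyed."""
    years = retention_years(record.record_type)
    try:
        return record.created.replace(year=record.created.year + years)
    except ValueError:
        # Created on 29 February and the target year is not a leap year.
        return record.created.replace(year=record.created.year + years, day=28)


def classify(records, today: date):
    """Sort records into three buckets as of `today`:
    preserve - still inside the retention period
    destroy  - retention period has elapsed
    review   - record type missing from the schedule; never destroyed by default
    """
    preserve, destroy, review = [], [], []
    for record in records:
        if record.record_type not in RETENTION_SCHEDULE:
            review.append(record.record_id)
        elif retain_until(record) > today:
            preserve.append(record.record_id)
        else:
            destroy.append(record.record_id)
    return preserve, destroy, review


# Constructed sample inventory (not real data).
SAMPLE_RECORDS = [
    Record("R1", "customer_contract", date(2021, 1, 15)),
    Record("R2", "customer_contract", date(2022, 3, 1)),
    Record("R3", "payroll", date(2018, 1, 1)),
    Record("R4", "marketing_draft", date(2023, 1, 1)),
    Record("R5", "vendor_invoice", date(2020, 6, 30)),  # not in the schedule
]


def classify_on(iso_today: str):
    """Convenience wrapper: classify the sample inventory as of an ISO date."""
    return classify(SAMPLE_RECORDS, date.fromisoformat(iso_today))


if __name__ == "__main__":
    preserve, destroy, review = classify_on("2024-06-01")
    print("preserve:", preserve)
    print("destroy:", destroy)
    print("review:", review)
```

Run as of 2024-06-01, the contract from 2021 and the 2023 marketing draft have passed their retention periods, the 2022 contract and the payroll record (7 years, because the legal requirement exceeds the business one) are still preserved, and the unscheduled vendor invoice is held for review rather than destroyed.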

Electronic Discovery

Electronic discovery (e-discovery) is the process of the identification, collection, and submission of
electronic records in a lawsuit or investigation. The best way to ensure the availability of electronic
records is to implement comprehensive retention policies. A retention policy dictates the terms for
storing, backing up, and accessing the records.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is e-discovery?
Possible Answer: E-discovery is the process of identifying, collecting, and submitting electronic
records in a lawsuit or investigation.

Question: What are the factors on which record retention is based?
Possible Answer: Business requirements and legal requirements. (If both options are available, then
preference should be given to business requirements, as it is generally assumed that business
requirements already include consideration of legal requirements.)

Figure 1.6: Key aspects from the CISM exam perspective

Practice Question Set 4


1. Which of the following has the most influence while planning business record retention?

A. Potential changes in storage capacity

B. Potential changes in regulatory requirements

C. Potential changes in business strategy

D. Potential changes in application systems and media

2. Which of the following is the most important consideration in business record retention?

A. Strategic objectives

B. Regulatory and legal requirements

C. Storage capacity

D. Level of control implemented

3. Due to changes in the business strategy, certain information now no longer supports the purpose of the business. What should be
done with this information?

A. It should be analyzed under the retention policy

B. It should have restricted access

C. It should be frequently backed up

D. It should be evaluated by a business impact analysis


4. As an information security manager, you have been asked to design a strategy to minimize the impact of an e-discovery in the
event of litigation. What is the most effective method to achieve this?

A. Keeping backups of sensitive data

B. Limiting access to sensitive data

C. Not storing sensitive data

D. Implementing comprehensive retention policies

Organizational Structure

The development of a security strategy is highly influenced by the organizational structure.
Organizational structure pertains to the roles and responsibilities of different individuals, the
reporting hierarchy, whether the organization functions in a centralized or decentralized way, and so
on. A flexible and evolving organizational structure is more open to the adoption of a security
strategy, whereas an organization with a more constrained structure might not adopt a security
strategy.

The independence of the security function is the most important factor to be considered, from a
practical as well as the exam perspective, while evaluating organizational functions. This can be
assessed through the reporting structure of the security function.

Board of Directors
The ultimate responsibility for the appropriate protection of an organization's information falls on the
board of directors. The involvement of board members in information security initiatives can be an
indicator of good governance. In the event of an incident, the company directors can be protected
from liability if the board has exercised due diligence. Many laws and regulations make the board
responsible in the event of data breaches. Even cyber security insurance policies require the board to
exercise due diligence as a prerequisite for insurance coverage.

Security Steering Committee


The security steering committee is generally composed of senior management from different business
units. The security steering committee is best placed to determine the level of acceptable risk (risk
capacity) for the organization. They monitor and control the security strategy. They also ensure that
the security policy is aligned with the business objectives.

Reporting of Security Functions


In the past, security functions in most organizations reported to the chief information officer (CIO).
However, it has since been observed that CIOs are primarily concerned with IT performance and
cost, with security as a secondary objective. During a conflict between performance and security,
security is sometimes ignored.

However, with increased awareness and more experience, the responsibility for security is now
entrusted to senior-level functionaries directly reporting to the chief operating officer (COO), chief
executive officer (CEO), or board of directors. This ensures the independence of security functions.

Organizations' security functions can work in either a centralized or decentralized way.

Centralized vis-à-vis Decentralized Security Functioning

In a centralized process, information security activities are handled from a central location, usually
the head office of the organization. In a decentralized process, the implementation and monitoring of
security activities are delegated to the local offices of the organization.

The following table shows the differentiation between centralized and decentralized processes:

Centralized Process                                                    | Decentralized Process
More consistency in security processes                                | Less consistency
Optimum utilization of information security resources                 | Greater resource requirements
Less alignment with the requirements of decentralized units           | Better alignment with decentralized unit requirements
Generally takes more time to process requests due to the larger gap   | Faster turnaround of requests compared to centralized
between the information security department and the end user          | processes

Figure 1.7: Differences between centralized and decentralized processes

Centralization of information security management results in greater uniformity and easier
monitoring of processes. This in turn promotes better adherence to security policies.

Practice Question Set 5
1. Which of the following is a characteristic of a centralized information security management process?

A. Processes are costlier to manage compared to decentralized processes

B. Better adherence to policy compared to decentralized processes

C. Better alignment with business unit requirements compared to decentralized processes

D. Faster turnaround of requests compared to decentralized processes

2. Who should determine the acceptable level of information security risk?

A. Legal department

B. CISO

C. Audit department

D. Steering committee

3. As an information security manager, how do you characterize a decentralized information security process?

A. Consistency in information security processes

B. Better compliance with policy

C. Better alignment with decentralized unit requirements

D. Optimum utilization of information security resources

Information Security Roles and Responsibilities


It is very important to ensure that security-related roles and responsibilities are clearly defined,
documented, and communicated throughout the organization. Each employee of the organization
should be aware of their respective roles and responsibilities. Clearly defined roles also facilitate
effective access rights management, as access is granted based on the job function and job profile of
each employee, that is, on a need-to-know basis, applying the principle of least privilege.

RACI Chart
One of the simplest ways to define roles and responsibilities in a business or organization is to form a
matrix known as a RACI chart. This stands for responsible, accountable, consulted, and informed.

This chart indicates who is responsible for a particular function, who is accountable with regard to
the function, who should be consulted about the function, and who should be informed about the
function. Clearly defined RACI charts make the information security program more effective.
The following defines RACI in more detail:
Responsible: This is the person who executes the job function. More than one person may be responsible for a function.

Accountable: This is the single person who is ultimately answerable for the outcome of the job function and who approves the work of those responsible. Each function should have exactly one accountable person.

Consulted: This is the person whose suggestions and recommendations are sought before or while the job function is executed (two-way communication).

Informed: This is the person who is kept updated about the progress or completion of the job function (one-way communication).

In the next section, you will go through the various roles that are integral to information security.

Board of Directors
The role of board members in information security is of utmost importance. Board members need to
be aware of security-related key risk indicators (KRIs) that can impact the business objectives. The
intent and objectives of information security governance must be communicated from the board level
down.

The current status of key security risks should be tabled and discussed at board meetings. This helps
the board to determine the effectiveness of the current security governance.

Another essential reason for the board of directors to be involved in security governance is liability.
Most organizations obtain specific insurance to deal with their financial liability in the event of a
security incident. This type of insurance requires those bound by it to exercise due care in the
discharge of their duties. Any negligence from the board in addressing the information security risk
may make the insurance void.

Senior Management
The role of senior management is to ensure that the intent and requirements of the board are
implemented in an effective and efficient manner. Senior management is required to provide ongoing
support to information security projects in terms of budgets, resources, and other infrastructure. In
some instances, there may be disagreement between IT and security. In such cases, senior
management can take a balanced view after considering performance, cost, and security. The role of
senior management is to map and align the security objectives with the overall business objectives.

Business Process Owners


The role of a business process owner is to take ownership of the security-related risks impacting their
business processes. They need to ensure that information security activities are aligned and support
their respective business objectives. Further, they need to monitor the effectiveness of security
measures on an ongoing basis.

Steering Committee
A steering committee comprises the senior management of an organization. The role of a steering
committee is as follows:
To ensure that security programs support the business objectives

To evaluate and prioritize the security programs

To evaluate emerging risks, security practices, and compliance-related issues

The roles, responsibilities, and scope of a steering committee should be clearly defined.

Chief Information Security Officer


The chief information security officer (CISO) is a senior-level officer who has been entrusted with
making security-related decisions and is responsible for implementing security programs. The CISO
should be an executive-level officer directly reporting to the CEO. The role of the CISO is
fundamentally one of oversight and control (a regulatory function), whereas the role of the CIO is
generally to focus on IT performance and cost.

Chief Operating Officer


The COO is the head of operational activities in the organization. Operational processes are reviewed
and approved by the COO. The COO has a thorough knowledge of the business operations and
objectives and is most likely the sponsor for the implementation of security projects as they have a
strong influence across the organization. Sponsoring means supporting the project financially or
through products or services. Although the CISO should provide security advice and
recommendations, the sponsor should be the COO for effective ground-level implementation.

Data Custodian
The data custodian is a staff member who is entrusted with the safe custody of data. The data
custodian is different from the data owner, though in some cases, both data custodian and data owner
may be the same individual. A data custodian is responsible for managing the data on behalf of the
data owner in terms of data backup, ensuring data integrity, and providing access to data for different
individuals on the basis of the approval of the data owner. From a security perspective, a data
custodian is responsible for ensuring that appropriate security measures are implemented and are
consistent with organizational policy.

Communication Channel
A well-defined communication channel is of utmost importance in the management of information
security. A mature organization has dedicated systems to manage risk-related communication. This
should be a two-way system, wherein management can reach all employees and at the same time
employees can reach a designated risk official to report identified risks. This will help in the timely
reporting of events, as well as disseminating important security information. In the absence of an
appropriate communication channel, the identification of events may be delayed.

Indicators of a Security Culture


The following list consists of some of the indicators of a successful security culture:
The involvement of the information security department in business projects

End users are aware of the identification and reporting of incidents

There is an appropriate budget for information security programs

Employees are aware of their roles and responsibilities regarding information security

Understanding the roles and responsibilities as covered in this section will help the security manager
to implement an effective security strategy.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Question: What is the best course of action when there is disagreement on the security aspects between the IT team and the security team?
Possible answer: To refer the matter to senior management along with any necessary recommendations.

Question: What is the immediate benefit of well-defined roles and responsibilities?
Possible answer: Better accountability.

Question: Who has the ultimate responsibility for legal and regulatory requirements?
Possible answer: The board of directors and the senior management (when the board delegates them the responsibility).

Question: What is the best way to prioritize information security projects?
Possible answer: Security projects should be assessed and prioritized based on their impact on the organization.

Question: Who has the responsibility to enforce the access rights of employees?
Possible answer: The data custodian/security administrators.

Question: What is the most important factor on which the data retention policy is based?
Possible answer: The business requirements.

Question: What is the prime responsibility of an information security manager?
Possible answer: To manage the risks to information assets.

Question: Which models are used to determine the extent and level of maturity of processes?
Possible answer: The maturity model; the process performance and capability model.

Question: What is the major concern if database administrators (DBAs) have access to DBA-related logs?
Possible answer: The unauthorized modification of logs by the DBA.

Question: What is the main objective of integrating security-related roles and responsibilities?
Possible answer: To address security gaps that exist between assurance functions.

Question: What is the role of the information owner with regard to the data classification policy?
Possible answer: To determine the level of classification for their respective data.

Question: What is the role of the information security manager with regard to the data classification policy?
Possible answer: To define and ratify the data classification process.

Question: What is the best way to ensure that responsibilities are carried out?
Possible answer: Assign accountability.

Question: Who is responsible for complying with the organization's security policies and standards?
Possible answer: All organizational units; every employee.

Question: What is the principle of proportionality for providing system and data access?
Possible answer: The principle of proportionality requires that access be proportionate to the criticality of the assets and that access be provided on a need-to-know basis.

Question: What is the segregation of duties?
Possible answer: Segregation of duties (SoD) is a control wherein a critical function or job is divided into two parts and each part is handled by a separate individual. The objective of SoD is to prevent error and fraud.

Question: What is a compensatory control?
Possible answer: Compensatory controls are controls that are placed in lieu of main controls when the main controls are difficult to implement. The objective of compensatory controls is to address the risk until the main controls are implemented. Compensatory controls are also referred to as alternative controls.

Question: What is the principle of least privilege?
Possible answer: The principle of least privilege ensures that access is provided only on a need-to-know basis and is restricted for all other users.

Figure 1.8: Key aspects from the CISM exam perspective
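The principles in the table above (least privilege, segregation of duties, compensating controls, and the custodian's duty to enforce access rights) are what an entitlement review actually checks. The following Python script is an added example written for this guide, not code from the book or from ISACA: it compares what the access control system has granted to each user against the permissions their job profiles justify, flags any excess (a least-privilege violation), flags any SoD rule whose parts are all held by one person, and reports separately those conflicts that management has accepted because a compensating control (an independent reviewer) exists. The job names, permission strings, rules and user snapshot are constructed for illustration.

```python
"""Entitlement review: least privilege and segregation of duties (SoD).

Added example with constructed data. Job names, permission strings, rules and
users are illustrative assumptions, not from any real system.
"""
from dataclasses import dataclass

# Job profiles map a job function to the permissions it legitimately needs
# (need-to-know). Anything granted outside the user's profiles is excess.
JOB_PROFILES = {
    "ap_clerk":      {"vendor.create", "invoice.enter"},
    "ap_supervisor": {"invoice.approve", "payment.release"},
    "sysadmin":      {"server.patch", "access.grant"},
    "log_reviewer":  {"log.read"},
}

# SoD rules: a critical function split into parts that no single person may
# hold together (for example, creating a vendor and releasing payment to it).
SOD_RULES = [
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"server.patch", "log.read"}),
    frozenset({"access.grant", "log.read"}),
]

# Constructed snapshot: the jobs each user holds, and what the access control
# system actually grants them (deliberately not identical).
USERS = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_supervisor"],
    "carol": ["sysadmin", "log_reviewer"],
}
GRANTED = {
    "alice": {"vendor.create", "invoice.enter", "payment.release"},
    "bob":   {"invoice.approve", "payment.release"},
    "carol": {"server.patch", "access.grant", "log.read"},
}

# SoD conflicts management has accepted because a compensating control exists
# (here, assumed: an independent manager reviews carol's log activity).
COMPENSATED = {
    "carol": {frozenset({"server.patch", "log.read"}),
              frozenset({"access.grant", "log.read"})},
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str            # excess_privilege | sod_conflict | sod_compensated
    permissions: tuple   # permissions involved, sorted for stable output


def allowed_permissions(jobs, job_profiles):
    """Union of the permissions that the user's job profiles justify."""
    allowed = set()
    for job in jobs:
        allowed |= job_profiles[job]
    return allowed


def review_entitlements(users, granted, job_profiles, sod_rules, compensated):
    """Return findings per user (sorted by name): excess privileges first, then SoD."""
    findings = []
    for user in sorted(users):
        allowed = allowed_permissions(users[user], job_profiles)
        held = granted.get(user, set())
        # Least privilege: every permission not justified by a job profile.
        for perm in sorted(held - allowed):
            findings.append(Finding(user, "excess_privilege", (perm,)))
        # SoD: every rule whose parts are all held by this one person.
        for rule in sod_rules:
            if rule <= held:
                accepted = rule in compensated.get(user, set())
                kind = "sod_compensated" if accepted else "sod_conflict"
                findings.append(Finding(user, kind, tuple(sorted(rule))))
    return findings


def open_issues(findings):
    """Findings that still need action; compensated SoD conflicts are excluded."""
    return [f for f in findings if f.kind != "sod_compensated"]


if __name__ == "__main__":
    for f in review_entitlements(USERS, GRANTED, JOB_PROFILES, SOD_RULES, COMPENSATED):
        print(f"{f.user:6} {f.kind:16} {', '.join(f.permissions)}")
```

Run as a script, it reports that alice holds payment.release without a job that justifies it and that this also completes an SoD conflict with vendor.create, while carol's server-patch/log-review combination is listed but already covered by the compensating control. In practice the "granted" side would be exported from the directory or IAM system and the "allowed" side from HR job data; the comparison logic stays the same.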

Practice Question Set 6


1. The information security team is mapping job descriptions to relevant data access rights. This is based on:

A. The principle of accountability

B. The principle of proportionality

C. The principle of integration

D. The principle of the code of ethics


2. As an information security manager, you are reviewing the function of the data custodian. The data custodian is primarily
responsible for:

A. Approving access to the data

B. The classification of assets

C. Enhancing the value of data

D. Ensuring all security measures are in accordance with the organizational policy

3. You are an information security manager for a bank. One of your critical recommendations is not accepted by the IT head. What
should your next course of action be?

A. Refer the matter to an external third party for resolution

B. Request senior management to discontinue the relevant project immediately

C. Ask the IT team to accept the risk

D. Refer the matter to senior management along with any necessary recommendations

4. As an information security manager, you strongly recommend having well-defined roles and responsibilities from an information
security perspective. The most important reason for this recommendation is:

A. Adherence to security policies throughout the organization

B. Well-structured process flows

C. The implementation of SoD

D. Better accountability

5. What is the prime role of an information security manager in a data classification process?

A. To define and ratify the data classification process

B. To map all data to different classification levels

C. To provide data security, as per the classification

D. To confirm that data is properly classified

6. Which of the following is the area of most concern for the information security manager?

A. That there are vacant positions in the information security department

B. That the information security policy is approved by senior management

C. That the steering committee only meets on a quarterly basis

D. That security projects are reviewed and approved by the data center manager

7. An information security manager should have a thorough understanding of business operations with the prime objective of which
of the following?

A. Supporting organizational objectives

B. Ensuring regulatory compliance


C. Concentrating on high-risk areas

D. Evaluating business threats

8. In a big multi-national organization, the best approach to identify security events is to do which of the following?

A. Conduct frequent audits of the business processes

B. Deploy a firewall and intrusion detection system

C. Develop communication channels across the organization

D. Conduct vulnerability assessments of new systems

9. Legal and regulatory liability is the responsibility of which of the following?

A. The chief information security officer

B. The head of legal

C. The board of directors and senior management

D. The steering committee

10. What is the best way to gain support from senior management for information security projects?

A. Lower the information security budget

B. Conduct a risk assessment

C. Highlight industry best practices

D. Design an information security policy

11. Prioritization of information security projects is best conducted based on which of the following?

A. The turnaround time of the project

B. The impact on the organization's objectives

C. The budget of the security project

D. The resource requirements for the project

12. Who is responsible for enforcing the access rights of employees?

A. The process owner

B. The data owner

C. The steering committee

D. The security administrators

13. Who is responsible for information classification?

A. The data administrator

B. The information security manager


C. The information system auditor

D. The data owner

14. What is the data retention policy primarily based on?

A. Industry practices

B. Business requirements

C. Regulatory requirements

D. Storage requirements

15. What is the most important security aspect for a multi-national organization?

A. The local security program should comply with the corporate data privacy policy

B. The local security program should comply with the data privacy policy of the location where the data is collected

C. The local security program should comply with the data privacy policy of the country where the headquarters are
located

D. The local security program should comply with industry best practices

16. The ultimate accountability for the protection of sensitive data lies with which of the following?

A. The security administrators

B. The steering committee

C. The board of directors

D. The security manager

17. The most likely authority to sponsor the implementation of new security infrastructure for business processes is which of the
following?

A. The CISO

B. The COO

C. The head of legal

D. The data protection officer

18. Who should determine the requirements for access to data?

A. The security officer

B. The data protection officer

C. The compliance officer

D. The business owner

19. The responsibility for establishing information security controls in an application resides with which of the following?

A. The information security steering committee


B. The data owner

C. The system auditor

D. The system owner

Maturity Model
CISM aspirants are expected to understand the basic details of a maturity model.

A maturity model is a tool that helps the organization assess the current effectiveness of a process and
determine what capabilities they need to improve their performance.

Capability maturity models (CMMs) are useful to determine the maturity level of governance
processes. The following list defines the different maturity levels of an organization:
Level 0: Incomplete: On this level, the process is not implemented or does not achieve its intended purpose.

Level 1: Performed: On this level, the process is implemented and achieves its intended purpose, but in an ad hoc manner.

Level 2: Managed: On this level, the process achieves its intended purpose and is also appropriately planned, monitored, and controlled.

Level 3: Established: Along with what is required for a Level 2 process, the process is implemented using a defined, documented standard process that is established across the organization.

Level 4: Predictable: On this level, the process is measured and operates predictably within defined parameters and limits to achieve its intended purpose.

Level 5: Optimized: This is the level at which the process is continuously improved to meet the current as well as projected goals.

The CMM uses a scale of 0 to 5 based on process maturity level. It is the most common method
applied by organizations to measure their existing state and then determine the desired one.

Maturity models identify the gaps between the current state of the governance process and the desired
state. This helps the organization to determine the remediation steps required for improvement. A
maturity model calls for continuous improvement in the governance framework. This requires
continuous evaluation, monitoring, and improvement to move toward the desired state from the
current state.

The process performance and capabilities approach also provides a detailed perspective of the
maturity levels, just like the maturity model.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Question: Which models are used to determine the extent and level of processes?
Possible answer: The maturity model; process performance and capability models.

Question: What is the best way to determine the continuous improvement of the risk management process?
Possible answer: The adoption of the maturity model.

Figure 1.9: Key aspects from the CISM exam perspective

Practice Question Set 7


1. As an information security manager, you recommend adopting a maturity model for the organization's information security
governance framework. The most important reason for this recommendation is:

A. Continuous evaluation, monitoring, and improvement

B. The return on technology investment

C. Continuous risk mitigation

D. Continuous KRI monitoring

2. What best indicates the level of information security governance?

A. A defined maturity model

B. The size of the security team

C. The availability of policies and procedures

D. The number of security incidents

3. What is the most effective indicator of the level of security governance?

A. The annual loss expectancy

B. The maturity level

C. A risk assessment

D. An external audit

Governance of Third-Party Relationships


In today's world, most organizations are heavily reliant on third parties to achieve one or more
business objectives. The primary reason to obtain the services of a third party is to benefit from
expert services in a cost-effective manner. These third parties can be service providers, trading
partners, group companies, and so on.

These third parties are connected to the systems of the organization and have access to its data and
other resources. To protect the organization, it is very important for an information security manager
to assess the risk of such third-party relationships and ensure that relevant controls are in place.

Policies and requirements of information security should be developed before the creation of any
third-party relationship.

Furthermore, the security manager should understand the following challenges of third-party
relationships:
The cultural differences between an organization and the service provider

Technology incompatibilities

The business continuity arrangements of the service provider may not be aligned with the requirements of the organization

Differences in incident management processes

Differences in disaster recovery capabilities

Effective governance also depends on being able to measure how well security processes perform. The
next section discusses information security governance metrics.

Information Security Governance Metrics


A metric is a measurement of a process to determine how well the process is performing. Security-
related metrics indicate how well the controls can mitigate the risks. For example, a system uptime
metric helps in understanding whether a system is available to a user as per the requirements.
Figure 1.10: Information security governance metrics

The Objective of Metrics


Based on effective metrics, an organization evaluates and measures the achievement and performance
of various processes and controls. The main objective of a metric is to help the management in
decision-making. A metric should be able to provide relevant information to the recipient so that
informed decisions can be made.

Technical Metrics vis-à-vis Governance-Level Metrics


Technical metrics help us to understand the functioning of technical controls such as IDSs, firewalls,
and antivirus software. They are useful for tactical operational management. However, these metrics
have little value from a governance standpoint.

Management is more concerned about the overall security posture of the organization. Full audits and
comprehensive risk assessments are a few of the activities that help management to understand
security from a governance perspective.

Characteristics of Effective Metrics


Good metrics should be SMART, that is, specific, measurable, attainable, relevant, and timely, as
detailed below:
Specific: The metric should be specific, clear, and concise.
Measurable: The metric should be measurable so that it can be compared over a period.

Attainable: The metric should be realistic and achievable.

Relevant: The metric should be linked to specific risks or controls.

Timely: The metric should be able to be monitored on a timely basis.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Question: What is the prime objective of a metric?
Possible answer: Decision-making takes place based on effective metrics. Organizations evaluate and measure the achievements and performance of various processes and controls using metrics. Effective metrics are primarily used for security-related decision-making.

Figure 1.11: Key aspects from the CISM exam perspective

Practice Question Set 8


1. As an information security manager, your decisions should be primarily based on:

A. Market research

B. Predictive analysis

C. Industry standards

D. Effective metrics

2. Which of the following metrics is considered to have the most important strategic value?

A. A privileged access management process

B. Trends in incident occurrence

C. System downtime analysis

D. Results of penetration tests

3. What is the most important metric that indicates organizational risk?

A. The expected annual loss

B. The number of security incidents

C. The number of unplanned business interruptions

D. The number of open vulnerabilities


4. What is the most essential attribute for a metric?

A. Metrics should be easy to implement

B. Metrics should be meaningful to the process owner

C. Metrics should be qualitative

D. Metrics should be able to support regulatory requirements

5. What is the most important attribute of a key risk indicator?

A. A KRI should be flexible and adaptable

B. A KRI should be arrived at by consistent methodologies and practices

C. A KRI should be easy to understand

D. A KRI should be convenient for the process owner to use

6. What is the best indicator to determine the effectiveness of the security strategy?

A. The strategy helps to improve the risk appetite of the organization

B. The strategy helps to implement countermeasures for all the threats

C. The strategy helps to minimize the annual losses

D. The strategy helps to achieve the control objectives

7. The information security manager has been asked to implement a particular security standard. Which of the following is the most
effective to monitor this?

A. The key success factor

B. The key objective indicator

C. The key performance indicator

D. The key goal indicator

Summary
In this chapter, you learned about the importance of assurance functions, that is, governance, risk, and
compliance, and how their integration is key to effective and efficient information security
management. You also learned how organizations can use the maturity model to improve their
processes and explored the importance of the commitment of senior management toward the security
of an organization. The next chapter will cover the practical aspects of information security strategy.

Revision Questions
1. The effectiveness of SoD is best ensured by which of the following?

A. Implementing strong password rules


B. Making available a security awareness poster on the intranet

C. Frequent information security training

D. Reviewing access privileges when an operator's role changes

2. What is the prime responsibility of an information security manager?

A. To manage the risk to information assets

B. To implement the security configuration for IT assets

C. To conduct disaster recovery testing

D. To close identified vulnerabilities

3. To determine the extent of sound processes, the maturity model is used. Another approach is to use which of the following?

A. The Monte Carlo method

B. Process performance and capabilities

C. Vulnerability assessments

D. Risk analysis

4. Information system access should be primarily authorized by which of the following?

A. The information owner

B. The system auditor

C. The CISO

D. The system administrator

5. The information security manager observes that the incident log is stored on a production database server. Which of the following
is a major concern?

A. The unavailability of log details if the server crashes

B. The unauthorized modification of logs by the database administrator

C. Log capturing makes the transaction process slow

D. Critical information may not be captured in the log files

6. Appointing a CISO indicates which of the following?

A. The organization wants to enhance the role of senior management

B. The organization is committed to its responsibility for information security

C. The board of directors wants to pass on their accountability

D. The organization wants to improve its technology architecture

7. The main objective of integrating security-related roles and responsibilities is which of the following?
A. To address the security gaps that exist between assurance functions

B. To address the unavailability of manpower

C. To address the gap in business continuity and disaster recovery

D. To address the complications in system development processes

8. Which of the following is the best compensating control when the same employee is responsible for updating servers, maintaining
the access control, and reviewing the logs?

A. To verify that only approved changes are made

B. To conduct penetration tests

C. To conduct risk assessments

D. Reviews of log files conducted by the manager

9. What is the responsibility of the information owner when complying with the information classification scheme?

A. To implement security measures to protect their data

B. To determine the level of classification for their data

C. To arrange backups of their data

D. To delegate the processes of information classification to the system administrator

10. The effectiveness of the organization's security measures is the final responsibility of which of the following?

A. The security administrator

B. The CISO

C. Senior management

D. The information security auditor

11. What is the best way to ensure that responsibilities are carried out?

A. Signed non-disclosure agreements

B. Heavy penalties for non-compliance

C. Assigned accountability

D. Documented policies

12. Who is responsible for complying with the organization's security policies and standards?

A. The CISO

B. Senior management

C. The compliance officer

D. All organizational units


13. Continuous improvement of the risk management process is most likely ensured by which of the following?

A. The regular review of implemented security controls

B. Implementing an information classification policy

C. The adoption of a maturity model

D. Regular audits of risk management processes

14. Information security is the responsibility of which of the following?

A. All personnel

B. IT personnel

C. Security personnel

D. Operational personnel

15. Who should security policies be finally approved by?

A. Operation managers

B. The CISO

C. Senior management

D. The chief technical officer (CTO)

16. Confidentiality of information can be best ensured by which of the following?

A. Implementing an information classification policy

B. Implementing SoD

C. Implementing the principle of least privilege

D. Implementing information security audits

17. As an information security manager, how do you characterize a decentralized information security process?

A. Consistency in information security processes

B. Better compliance with policy

C. Better alignment with decentralized unit requirements

D. Optimum utilization of information security resources


2

Information Security Strategy


In this chapter, you will explore the practical aspects of an information security strategy and
understand how a well-defined strategy impacts the success of security projects. You will learn about
the different aspects of what a security strategy is and understand the role of an information security
manager in supporting business objectives.

The following topics will be covered in this chapter:


Information Security Strategy Development

Information Governance Frameworks and Standards

The IT Balanced Scorecard

Information Security Programs

Enterprise Information Security Architecture

Awareness and Education

Governance, Risk Management, and Compliance

Commitment from Senior Management

Business Case and Feasibility Studies

Information Security Strategy and Plan


An information security strategy is a set of actions designed to ensure that an organization achieves
its security objectives. This strategy includes what should be done, how it should be done, and when
it should be done to achieve the security objectives.

A strategy is basically a roadmap of specific actions that must be completed to achieve any objective.
Long-term and short-term plans are finalized based on the strategy adopted.

The primary objective of any security strategy is to support the business objectives, so the
information security strategy must be aligned with the business strategy. The first step for an
information security manager in creating a security plan is therefore to understand and evaluate the
business strategy; without that understanding, the plan cannot be aligned with it.

A strategy plan should include the desired level of information security. A strategy is only
considered effective if the objectives of the controls are met. As discussed in Chapter 1, Enterprise
Governance, "the ultimate responsibility for the appropriate protection of an organization's
information falls on the board of directors. The involvement of board members in information
security initiatives indicates good governance. The liability of directors can be protected if the board
has exercised due care. Many laws and regulations make the board responsible in case of data
breaches. Even the cybersecurity insurance policy requires the board to exercise due care as a pre-
condition for insurance coverage."

NOTE
The preceding point is reiterated here to serve as a reminder. During the CISM certification exam, you can expect to face
at least one question on this subject.

The chief information security officer (CISO) is primarily responsible for the design and
development of the information security strategy. The strategy is derived from the business
objectives, and the security policy is in turn derived from the strategy, as the next section explains.

Information Security Policies


Policies are high-level documentation of the intent and direction of an organization's management.
Security policies are developed based on the company's security strategy and they indicate the
management's intent regarding security. Various procedures and architectures are designed based on
these security policies.

Any changes in the management's intent should be appropriately addressed in the policies.

Compliance with policy requirements should be verified at regular intervals. Self-assessment against
the applicable requirements is the best way to determine readiness and to identify and remediate
non-compliant items before an external review; it also prepares the organization for regulatory
reviews conducted under the various regulations that apply to it.
Key Aspects from the CISM Exam Perspective
Following are some of the key aspects from the perspective of the CISM exam:

Question: What is the first step in developing an information security plan?
Possible answer: To understand the business strategy.

Question: What is the main objective of designing an information security strategy?
Possible answer: To support the business objectives.

Question: What is the first step in developing an information security management program?
Possible answer: To ascertain the need and justification for creating the program.

Question: What is the best way to address conflicting requirements between a multinational
organization's security policy and local regulations?
Possible answer: To establish a local version of the policy that is aligned with the local laws and
regulations.

Question: What is a conflict of security controls with business requirements?
Possible answer: The objective of security controls is to support the business objectives and
requirements; a security control should not restrict users' ability to perform their jobs. When a
security control does not support the business needs, this is termed a conflict of security controls
with business requirements.

Question: How can the objectives of information security best be described?
Possible answer: As the requirements of the desired state (i.e., whatever is required to achieve the
desired state).

Question: What is value delivery in information security?
Possible answer: Value delivery means designing processes that give maximum benefit to the
organization. It indicates high utilization of available resources for the benefit of the organization.

Question: What is the roadmap for information security implementation primarily based on?
Possible answer: The security strategy.

Question: On what basis should intangible assets be valued?
Possible answer: The ability of the assets to generate revenue. If an intangible asset is unavailable,
the organization loses the revenue the asset normally generates. The acquisition or replacement cost
may be more or less than the asset's actual ability to generate revenue.

Figure 2.1: Key aspects from the CISM exam perspective

NOTE
The answer key and explanations for all practice and revision questions for this chapter can be found via this link.

Practice Question Set 1


1. A newly appointed information security manager is required to develop an information security plan. What should their first step
be?

A. To conduct a vulnerability assessment

B. To evaluate the current business strategy

C. To perform an information system audit

D. To evaluate the risk culture of the organization

2. An information security manager is designing an information security strategy plan for the approval of the security steering
committee. The most important factor to be included in this plan is:

A. Information security manpower requirements

B. Information security tools and technique requirements

C. Information security mission statement

D. Desired future state of information security

3. An information security manager is designing an information security strategy plan for the approval of the security steering
committee. The primary objective of designing an information security strategy is:
A. To monitor performance

B. To support the business objectives

C. To enhance the responsibility of the security manager

D. To comply with legal requirements

4. The most important factor to be included in an information security strategy is:

A. Details of key business controls

B. Security objectives and processes

C. Budget for specific security tools

D. Details of network security control

5. The best way to address a conflict between a multinational organization's security policy and local regulations is:

A. To give priority to policy requirements over local laws

B. To follow local laws only

C. To establish a local version of the organization's policy

D. To discontinue services in the conflicting jurisdiction

6. The best way to prepare for a regulatory audit is:

A. To nominate a security administrator as regulatory liaison

B. To conduct self-assessment using regulatory guidelines and reports

C. To discuss the previous year's regulatory reports with the process owner

D. To ensure that all regulatory inquiries are approved by the legal department

7. Who is responsible for the enforcement of an information security policy?

A. The information security steering committee

B. The chief technical officer

C. The chief information security officer

D. The chief compliance officer

8. The most important role for a Chief Information Security Officer is to:

A. Design and develop an information security strategy

B. Conduct business continuity plan testing

C. Approve system access

D. Deploy patch releases

9. The timeline for an information security strategy plan should be:


A. In accordance with the IT strategic plan

B. In accordance with technology changes

C. For a duration of five years

D. Aligned with business strategy

10. Commitment and support from senior management with respect to information security can be best addressed by:

A. Emphasizing the organizational risk

B. Emphasizing the requirements of global security standards

C. Emphasizing the industry benchmark

D. Emphasizing the responsibility of the organization

11. The primary objective of developing an information security strategy is:

A. To manage the risks impacting business objectives

B. To mitigate risks to zero

C. To transfer risks to insurers

D. To develop a risk-aware culture

12. Immediately after implementing access control for the internet, an organization's employees started complaining that they were
unable to perform business functions on internet sites. This is an example of:

A. A conflict of security controls with business requirements

B. Stringent security controls

C. Mandatory access control

D. Discretionary access control

13. Which of the following should be the first action when developing an information security strategy?

A. Identifying the assets

B. Performing a risk analysis

C. Defining the scope

D. Determining critical business processes

14. The most important objective of an information security strategy is:

A. To minimize the risk to an acceptable level

B. To support the business objectives and goals of the enterprise

C. To ensure optimum utilization of security resources

D. To maximize return on security investment


15. The most critical factor for designing an information security strategy is:

A. Defined objectives

B. A defined time frame

C. A defined framework

D. Defined policies

16. In an information security steering committee, there is no representation from user management. Which of the following is the
main risk in this scenario?

A. Functional requirements may not be adequately addressed.

B. Inadequate user training.

C. Inadequate budget allocation.

D. The information security strategy may not be aligned with business requirements.

17. Which of the following is the best approach for an information security manager when there is a disagreement between them and
the business manager regarding the security aspect of a new process?

A. To accept the business manager's decision as they are the process owner

B. To mandate the security manager's decision

C. To review the risk assessment with senior management for final consideration

D. To prepare a new risk assessment to address the disagreement

18. The connection between business objectives and security should be demonstrated by:

A. Indirect linkages

B. Mapping to standardized controls

C. Interconnected constraints

D. Direct traceability

19. The accountability for information categorization and protective measures resides with:

A. Security administrators

B. Senior management

C. System administrators

D. End users

20. As a newly appointed information security manager, you are required to develop a strategic plan for the information security of
the organization. Your most important action should be:

A. To understand the key business objectives

B. To provide training to the information security team

C. To provide sufficient resources for information security


D. To develop a risk-aware culture

Information Governance Frameworks and Standards


The governance framework is a structure or outline that supports the implementation of the
information security strategy. It provides the best practices for a structured security program.
Frameworks are flexible structures that any organization can adopt as per their environment and
requirements. COBIT and ISO 27001 are two widely accepted and implemented frameworks for
security governance.

The Objective of Information Security Governance


Information security governance is a subset of enterprise governance. The same framework
should be used for both enterprise governance and security governance to enable better integration of
one with the other.

The following are the objectives of security governance:


To ensure that security initiatives are aligned with the business strategy and support organizational objectives.

To optimize security investments so that business processes are executed with the greatest value.

To monitor security processes and ensure that security objectives are achieved.

To integrate and align the activities of all assurance functions so that security measures are effective and efficient.

To support the security strategy in keeping residual risk within acceptable limits, which gives management assurance that risk is under control.

Information Security/Cybersecurity Management Frameworks


An information security manager should have a basic understanding of the following widely accepted
frameworks for information security. Please note that in the CISM exam, there will be no direct
questions on any of the frameworks.

Framework: ISO 27001
Particulars: The ISO/IEC 27001 standard is a widely accepted framework for information security
management systems (ISMS). Its 2013 edition recommends 14 areas of control consisting of a total of
114 controls, covering the availability of information security policies, human resource security, asset
management, access control, and so on. (The 2022 revision of the standard consolidates Annex A into
93 controls grouped under four themes: organizational, people, physical, and technological.) An
organization needs to implement all the applicable controls and have them audited by an accredited
certification body to be ISO 27001 certified. An ISO 27001 certified organization is often preferred as
a service provider or supplier over a non-certified one, because certification gives customers
independent evidence that an ISMS is in place.

Framework: NIST Cybersecurity Framework
Particulars: The NIST Cybersecurity Framework emphasizes the importance of integrating
cybersecurity into risk management and extensively promotes the improvement of supply chain risk
management. The framework does not prescribe controls. Rather, it provides guidance on identifying
gaps between present practices (the current profile) and a desirable target state (the target profile).
Understanding these gaps helps the organization select the controls needed to improve its
information security risk management.

Framework: NIST Risk Management Framework (RMF)
Particulars: NIST RMF was originally designed to assist US government agencies in evaluating and
improving information security. It has since been expanded to apply to any organization and is free to
use. It emphasizes the integration of security, privacy, and cyber supply chain risk management
activities into the system development life cycle. NIST RMF follows a risk-based approach to
categorizing systems and the information they process, and to selecting and implementing controls
to achieve adequate protection.

Figure 2.2: Information security management frameworks

The IT Balanced Scorecard


Figure 2.3: IT balanced scorecard

The objective of an IT balanced scorecard (IT BSC) is to establish, monitor, and evaluate IT
performance from four perspectives: (i) business contribution, (ii) future orientation, (iii) operational
excellence, and (iv) user orientation.

CISM aspirants should understand the following aspects of a balanced scorecard:


The primary objective of an IT balanced scorecard is to optimize performance.

The three indicators of an IT balanced scorecard are (a) customer satisfaction, (b) internal processes, and (c) the ability to
innovate. These correspond to the user orientation, operational excellence, and future orientation perspectives listed above.

NOTE
Though financial performance is an indicator of a generic balanced scorecard, it is not part of an IT BSC.

An IT BSC is the most effective means to aid the IT strategy committee and management in achieving IT governance through
proper IT and business alignment. The success of an IT balanced scorecard depends upon the involvement of senior management
in IT strategy planning.

It is of utmost importance that you define key performance indicators (KPIs) before implementing an IT BSC; without agreed
KPIs there is nothing to measure performance against. Examples of KPIs include system uptime, incident response time, and
system restoration time.

Practice Question Set 2


1. Which of the following is not considered while evaluating an IT balanced scorecard?
A. Financial performance

B. Customer satisfaction

C. Internal processes

D. Innovation capacity

2. Which of the following is the most important prerequisite before implementing an IT balanced scorecard?

A. Existence of effective and efficient IT services

B. Defining key performance indicators

C. Ensuring that IT projects add value to the business

D. IT expenses being within the allotted budget

3. As an information security manager, you note that senior management is not involved in IT strategy planning. Which of the
following is the area of most concern?

A. A lack of investment in technology

B. Absence of a structured methodology for IT security

C. Absence of IT alignment with business objectives

D. Absence of control over outsourced vendors

4. As an information security manager, you have been asked to review the parameters for measuring IT performance. The main
objective of the IT performance measurement process is:

A. To reduce errors

B. To obtain performance data

C. To finalize the requirement baseline

D. To improve performance

Information Security Programs


A program can be defined as a set of activities implemented in a structured manner to achieve a
common objective. A security program includes various activities, such as implementing controls,
raising awareness, monitoring, and reporting on controls and other related activities.

A security strategy is a guiding force for the implementation of a security program. The roadmap
detailing the security implementation, i.e., procedure, resources, and timelines, is developed based on
this strategy. Further, various implementation activities can be aligned and integrated on the basis of
this strategy to achieve security objectives more effectively and efficiently.

An information security program should be aligned with the business objectives of the organization.
The effectiveness of an information security program is determined based on its ability to address the
risks impacting the business objectives.

Key Aspects from the CISM Exam Perspective


Following are some of the key aspects from the perspective of the CISM exam:

Question: How is a program defined?
Possible answer: A program can be defined as a set of activities implemented in a structured manner
to achieve a common objective.

Question: What is the first step in developing an information security management program?
Possible answer: To ascertain the need and justification for creating the program.

Question: What is the roadmap for information security implementation primarily based on?
Possible answer: The security strategy.

Question: What is the aim of cost-benefit analysis when implementing controls?
Possible answer: To confirm that the cost of implementing a control does not exceed the expected
benefits.

Figure 2.4: Key aspects from the CISM exam perspective

Practice Question Set 3


1. Which of the following should be the first step in implementing a new security monitoring solution?

A. To evaluate the various alternatives available for the solution

B. To determine a budget for the new solution

C. To evaluate and determine the correlation between the solution and the business objectives

D. To develop a team for implementation

2. An information security program is primarily created to:

A. Develop an information security strategy.

B. Establish a business continuity plan.

C. Ensure optimum utilization of security resources.


D. Mitigate the risks impacting the business.

3. The most important factor in developing a security strategy before implementing a security program is:

A. Reducing the cost of implementation

B. Aligning and integrating development activities

C. Obtaining support from management

D. Adhering to international requirements

4. The most likely reason for a sudden increase in the number of security events could be:

A. A higher number of vulnerabilities being exploited

B. An increase in the number of threat actors

C. Failure of detective controls

D. The absence of an information system audit

5. The primary objective of an information security program is:

A. To protect information assets in accordance with the business strategy and objectives

B. To standardize operational risk management processes

C. To protect the confidentiality of information

D. To develop the information security policy

6. A combination of management, administrative, and technical controls is important for effective information security because:

A. An organization cannot completely depend on technical controls to address faulty processes.

B. Technical control is too expensive to manage.

C. Monitoring and reporting the effectiveness of technical control is difficult.

D. Implementing the right technical control is an iterative process.

7. The best way to learn and improve from a security incident is:

A. To improve the integration of business and security processes

B. To increase the information security budget

C. To set up a separate compliance monitoring department

D. To acquire high-end technical controls

8. As an information security manager, you are required to develop an information security management program. What should your
first step be?

A. To ascertain key business risks

B. To ascertain the need for creating the program


C. To ascertain who the information security program manager is

D. To ascertain the sufficiency of existing controls

Enterprise Information Security Architecture

Figure 2.5: Security budget

Enterprise Architecture (EA) defines and documents the structure and process flow of the
operations of an organization. It describes how different elements such as processes, systems, data,
employees, and other infrastructure are integrated to achieve the organization's current and future
objectives.

Security architecture is a subset of enterprise architecture. Its objective is to improve the security
posture of the organization. Security architecture clearly defines the processes that a business
performs and how those processes are executed and secured.

The first step for a security manager who has to implement the security strategy is to understand and
evaluate the current IT architecture and portfolio. Only with a fair idea of what is actually in place can
they determine how the security strategy is to be realized.

Challenges in Designing the Security Architecture


While designing the security architecture, it is important for a security manager to understand the
possible challenges. This will help to address the challenges in an effective and efficient manner.

The following are some of these challenges:


Most security architecture projects are expensive and time-consuming.

A lack of competent security architects means more effort is required to build a reliable security architecture.

The potential benefits of a well-designed security architecture are difficult to quantify, so gaining support from management
can be very difficult.

Benefits of Security Architecture


Security architecture provides detailed information about how a business operates and what security
controls are required. This helps the security manager determine the processes and systems where
more security efforts are required.

Key Aspects from the CISM Exam Perspective


Following are some of the key aspects from the perspective of the CISM exam:

Question: Information security architecture should be aligned with:
Possible answer: Business goals and objectives.

Figure 2.6: Key aspects from the CISM exam perspective

Practice Question Set 4


1. As an information security manager, you are required to develop the information security architecture for an organization. The
information security architecture should be best aligned with:

A. International security standards

B. Business goals and objectives

C. IT architecture

D. Industry standards

2. An information security manager is entrusted with creating the information security strategy for the organization. Their first step
should be:

A. To understand the IT architecture and portfolio

B. To determine the security baseline

C. To document the information security policy

D. To conduct an IT risk assessment

Awareness and Education


Figure 2.7: Training for information security

End users are one of the most important stakeholders when considering the overall security strategy.
Training, education, and awareness are of extreme importance to ensure that policies, standards,
and procedures are appropriately followed.

Increasing the Effectiveness of Security Training


The most effective way to increase the effectiveness of training is to customize it as per the target
audience and to address the systems and procedures applicable to that particular group. For example,
a system developer needs to undergo an enhanced level of training that covers secure coding aspects.
By contrast, data entry operators only need to be trained on security aspects related to their functions.

Key Aspects from the CISM Exam Perspective


Following are some of the key aspects from the perspective of the CISM exam:

Question: What is the best method to increase the effectiveness of security training?
Possible answer: Customizing training for the target audience.

Figure 2.8: Key aspects from the CISM exam perspective


Governance, Risk Management, and Compliance
GRC is a term used to align and integrate the processes of governance, risk management, and
compliance. GRC emphasizes that governance should be in place for effective risk management and
the enforcement of compliance.

Governance, risk management, and compliance are three related disciplines that help achieve
organizational objectives. GRC aims to organize these activities so that organizational processes are
more effective and wasteful overlaps are avoided. Each of the three disciplines affects the
organization's technologies, people, processes, and information. If GRC activities are handled
independently of each other, the result is considerable duplication and a waste of resources.
Integrating the three functions streamlines assurance activities by removing overlapping and
duplicated GRC work.

Though GRC can be applied in any function of an organization, it focuses primarily on the financial,
IT, and legal areas.

Financial GRC focuses on effective risk management and compliance for finance processes. IT
GRC focuses on information technology processes. Legal GRC focuses on enterprise-level
regulatory compliance.

GRC is an ever-evolving concept, and a security manager should understand the current state of GRC
in their organization and determine how to ensure its continuous improvement.

Key Aspects from the CISM Exam Perspective


Following are some of the key aspects from the perspective of the CISM exam:

Question: What is the main objective of implementing GRC procedures?
Possible answer: To improve risk management processes by integrating the various assurance-related
activities, and to synchronize and align an organization's assurance functions.

Question: What areas are focused on most in GRC?
Possible answer: IT, finance, and legal.

Figure 2.9: Key aspects from the CISM exam perspective

Practice Question Set 5


1. As an information security manager, you are part of a team that is responsible for implementing governance, risk, and compliance
procedures. Which of the following is the main reason to implement these procedures?

A. To minimize the governance cost

B. To improve risk management

C. To synchronize security initiatives

D. To ensure regulatory compliance

2. The primary objective of governance, risk, and compliance is:

A. To synchronize and align an organization's assurance functions

B. To address the requirements of information security policy

C. To address the requirement of regulation

D. To design a low-cost security strategy

3. The primary areas of focus of governance, risk, and compliance are:

A. Marketing and risk management

B. IT, finance, and legal

C. Risk and audit

D. Compliance and information security

Senior Management Commitment


For effective implementation of security governance, support and commitment from senior
management is the most important prerequisite. A lack of high-level sponsorship will have an
adverse impact on the effectiveness of security projects.

It is very important for the information security manager to gain support from senior management.
The most effective way is to ensure that the security program continues to be aligned with, and
supports, the business objectives. This is critical for promoting management support. Senior
management is more concerned about the achievement of business objectives and will be keen to
address all risks impacting key business objectives.

Obtaining commitment from senior managers is very important to ensure appropriate investment in
information security, as you will explore in the next section.

Information Security Investment


Any investment should be able to provide value to the business. The primary driver for investment in
an information security project is value analysis and a sound business case. To obtain approval for
an information security budget, the budget should primarily include a cost-benefit analysis. Senior
management is more interested in the benefit that is derived from the budget.

For example, as a security manager, if you request a budget of $5,000 for security investment, senior
management may not be convinced. But if you also project annualized savings of $10,000 against
that investment, senior management may be more willing to invest.

Strategic Alignment
Information security activities are said to have a strategic alignment when they support the
requirements of the key business stakeholders. Information security should support the achievement
of organizational objectives by minimizing business disruption. The most effective way to enhance
management commitment toward information security is to conduct a periodic review of alignment
between security and business goals. A discussion with key business stakeholders will provide an
accurate picture of the alignment of security programs to support business objectives.

A survey of management is the best way to determine whether the security program supports the
business objectives. Achieving strategic alignment means business process owners and managers
believe that information security is effectively supporting their goals. If business management is not
confident in the security programs, the information security manager should redesign the process to
provide better value to the business.

Another aspect of determining the strategic alignment is to review the business balanced scorecard.
A business scorecard contains important metrics from a business perspective. It helps to determine
the alignment of security goals with business goals.

Key Aspects from the CISM Exam Perspective


Following are some of the key aspects from the perspective of the CISM exam:

Question: What is the most important factor to be included in a budget note while obtaining approval
from management?
Possible answer: A cost-benefit analysis.

Question: What is the best way to gain support from senior management for security projects?
Possible answer: Explain to management the impact of security risks on key business objectives.

Question: What is the primary driver for investment in an information security project?
Possible answer: A value analysis and a sound business case.

Figure 2.10: Key aspects from the CISM exam perspective

Practice Question Set 6


1. As an information security manager, you are required to obtain approval for an information security budget from senior
management. Your budget proposal should primarily include:

A. A cost-benefit analysis

B. Industry benchmarks

C. Total cost of ownership

D. All the resources required by business units

2. What is the most important role of senior management in supporting an information security program?

A. Evaluating the latest security products

B. Conducting risk assessments

C. Approving policy statements and funding

D. Mandating information security audits

3. Information security activities are said to have strategic alignment when:

A. They support the requirements of all key business stakeholders

B. They support the requirements of the IT team

C. They support the requirements of the globally accepted standards

D. They provide a reliable and cost-effective service

4. The best way to gain support from senior management is to:

A. Provide examples of security breaches in other organizations

B. Provide details of technical risks applicable to the organization

C. Showcase industry best practices


D. Explain the impact of security risks on key business objectives

5. For implementing a new project, support from senior management can be obtained by:

A. Conducting a risk assessment

B. Explaining regulatory requirements

C. Developing a business case

D. Selecting the latest technology

6. The most effective way to enhance the management's commitment to information security is:

A. To have the security policy approved by the chief executive officer

B. To conduct frequent security awareness training

C. To conduct periodic reviews of alignment between security and business goals

D. To conduct periodic information security audits

7. The most effective way to justify the information security budget is:

A. To consider the number of security breaches

B. To consider the expected annual loss

C. To consider a cost-benefit analysis

D. To consider industry benchmarks

8. Senior management's commitment to security programs is best indicated by their involvement in:

A. Asset risk assessment

B. Review and approval of risk management methodologies

C. Review and approval of residual risks

D. Review and approval of inherent risks

9. The most effective justification to gain support from senior management for security investment is:

A. Reduction in security budget

B. Adherence to regulatory requirements

C. Protection of information assets

D. Enhanced business value

10. The most likely position to sponsor the security steering committee is:

A. The chief audit officer

B. The information security manager

C. The chief operating officer


D. The head of legal

11. The best driver for investment in an information security project is:

A. An information security audit report

B. A value analysis

C. The business environment

D. A penetration test report

12. The most important prerequisite for implementing an information security program is:

A. Senior management commitment

B. A documented framework

C. A documented policy

D. Frequent security awareness training

13. An information security governance plan can be best approved by:

A. The system auditor

B. The security manager

C. The steering committee

D. The system administrator

14. The best method to change an organization's security culture is:

A. Stringent penalties for non-compliance

B. Strong management support

C. Strong security controls

D. Frequent system audits

15. Which of the following will have the most adverse impact on the effective implementation of security governance?

A. A complex organizational environment

B. Limited budget for information security

C. Improper business priorities

D. A lack of high-level sponsorship

16. What is the best method to measure the strategic alignment of an information security program?

A. To survey the business stakeholders

B. To conduct frequent audits

C. To analyze incident trends


D. To evaluate the business case

17. What is the best method to determine the level of alignment of the security objectives with the business objectives?

A. Interviewing the security manager

B. Reviewing the capability maturity model

C. Reviewing the risk assessment report

D. Reviewing the business balanced scorecard

18. The best factor to ensure a successful implementation of an information security program is:

A. Support from senior management

B. The level of security budget

C. The size of the security team

D. Regular information system audits

19. The most effective method to achieve strategic alignment is:

A. A periodic survey of management

B. Following an industry-accepted governance framework

C. Conducting frequent audits

D. Developing enterprise risk management

20. The objective of aligning information security governance with corporate governance is to:

A. Ensure that the security team understands the business objectives

B. Comply with regulations

C. Maximize the cost-effectiveness of the control

D. Reduce the number of rules required for governance

21. What is the best method to address the senior management's concerns regarding the effectiveness of the existing information
security program?

A. Redesign the program based on industry-recognized standards.

B. Analyze the cost-benefit of the existing program.

C. Discuss with senior management to understand their concerns.

D. Show the approved business case to senior management.

Business Case and Feasibility Study


A business case is a justification for a proposed project. It is prepared to justify the effort and
investment in a proposed project and captures the reasoning for initiating a new project or task.
Generally, the business case is a precursor to the start of any new project.

The business case is a key element in the decision-making for any project. The proposed return on
investment (ROI), along with any other expected benefits, is the most important consideration for
decision-making in any new project.

The first step in developing a business case is to define the problem to be addressed and the need for
and justification of the proposed project.

A feasibility study (or feasibility analysis) takes various factors into account, including economic,
technical, and legal factors, to ascertain the likelihood of completing the project successfully.

A feasibility study should consider how the project will impact the organization in terms of risk,
costs, and benefits. It helps to assess whether a solution is practical and achievable within the
established budget and schedule requirements.

Key Aspects from the CISM Exam Perspective


Following are some of the key aspects from the perspective of the CISM exam:

Question: What is the objective of a business case?
Possible answer: To justify the implementation of a new project.

Question: What are the first steps for the development of a business case?
Possible answer: To define issues to be addressed. To define the need for the project.

Question: On what basis is a business case primarily developed?
Possible answer: Feasibility and value proposition.

Question: What does it mean if an organization implements "system thinking"?
Possible answer: Using "system thinking" means the organization views overall systems as more than just the sum of their parts.

Figure 2.11: Key aspects from the CISM exam perspective

Practice Question Set 7


1. As an information security manager, you are required to develop a business case for a new information security initiative. The
business case should primarily include:

A. Appropriate justification

B. Results of a gap analysis

C. Legal requirements

D. Expected annual loss

2. As an information security manager, you are required to develop a business case for a new information security initiative. Your
first step should be:

A. To determine the budget

B. To determine the vendor

C. To define the need

D. To determine cost efficiency

3. When implementing a new project, support from senior management can be obtained by:

A. Conducting a risk assessment

B. Explaining regulatory requirements

C. Developing a business case

D. Selecting the latest technology

4. The main criterion for selecting a security technology is:

A. Whether the technology can mitigate the risk

B. Whether the technology is widely accepted in industry

C. Whether it's the latest technology available

D. Whether the technology provides benefits in comparison to its costs

5. Which of the following is of the least concern for an information security manager when implementing a new project?

A. Technical requirements

B. Regulatory requirements

C. Privacy requirements

D. Business requirements

6. The most effective report while proposing the implementation of a new security solution is:

A. A vendor evaluation report

B. A risk analysis report

C. A business case
D. A budget utilization report

7. What is the biggest challenge when preparing a business case in relation to obtaining approval from senior management for a new
security project?

A. To make the senior management understand the technical aspects of security

B. To demonstrate the project's value and benefit

C. To present various risk scenarios

D. To provide comparative data on the industry

8. The best way to obtain support from senior management for an information security initiative is to:

A. Develop and present a business case

B. Present various risk scenarios

C. Inform them about the financial benefits of the project

D. Align the initiative to the organization's goals

9. Which of the following is the first step for the development of a business case?

A. To conduct an industry survey

B. To work out the return on investment

C. To evaluate cost-effective alternatives

D. To define issues to be addressed

10. A business case is primarily developed based on:

A. Various risk scenarios

B. Return on investment

C. Organizational objectives

D. Feasibility and value proposition

11. What is the best way to address senior management's reluctance to provide a budget for new security initiatives?

A. To develop and present a business case

B. To develop and present various risk scenarios

C. To let the user management take the initiative

D. To organize security awareness training for the senior management

12. An information security manager is evaluating two technologies to address a particular risk and is required to select one for
implementation. The best approach for the security manager, with a limited budget, to choose between the two technologies is:

A. A risk assessment

B. A business impact analysis


C. To assess the ROI

D. A cost-benefit analysis

13. An information security program is best justified by:

A. An impact analysis

B. A detailed business case

C. An industry benchmark

D. Acceptance by users

14. Which factor is most likely to persuade management to approve a new information security budget?

A. A detailed risk assessment

B. Risk treatment options

C. A well-developed business case

D. Calculating the future value of the current budget

15. The development of a business case should primarily consider:

A. Various risk scenarios

B. Industry benchmarks

C. Implementation benefits

D. Affordability

Summary
In this chapter, you learned about the various aspects of security strategy, governance frameworks,
and information security programs. You also explored in detail the benefits of increasing the
effectiveness of security training. This helps the CISM aspirant understand the organization's security
program and architecture.

In the next chapter, you will go through the important aspects of information risk assessment.

Revision Questions
1. The most important consideration while developing an information security strategy is:

A. The availability of information security resources

B. Adherence to laws and regulations

C. Effectiveness in mitigating risk

D. Budget allocation for information security


2. The objectives of information security can be best described as:

A. The requirements of the desired state

B. The attributes of the current state

C. The key business processes

D. The control objectives for loss expectations

3. The most important factor when developing risk management strategies is:

A. Using an industry-adopted risk assessment framework

B. Aligning with business objectives and risk appetite

C. Technology architecture

D. The geographical spread of business units

4. "Systems thinking," in terms of information security, refers to:

A. The perspective of artificial intelligence

B. The perspective of the whole being greater than the sum of its individual parts

C. The perspective of supporting the business objective

D. The perspective of governance of the entire organization

5. An information security manager is asked to develop a cost-effective information security strategy. What will the most important
step be?

A. To identify information assets

B. To conduct a valuation of the information assets

C. To determine the objectives of the security strategy

D. To classify assets as per the risk assessment

6. Which of the following is considered to have the most important strategic value?

A. Privileged access management process

B. Trends in incident occurrence

C. System downtime analysis

D. The results of a penetration test

7. An information security manager is considered to have achieved value delivery when:

A. Resource utilization is high

B. Budget requirements are low

C. Low-cost vendors are appointed

D. Staff costs are reduced


8. The most effective factor to develop an information security strategy is:

A. IT architecture

B. Governance framework

C. The current state of security and future objectives

D. Support from senior management

9. While developing a security strategy, a security manager should be most concerned about:

A. Whether the strategy supports the business objectives

B. Whether the strategy ensures the optimum utilization of available resources

C. Whether the strategy ensures compliance with regulatory requirements

D. Whether the strategy minimizes the budget requirement

10. What is the main objective of an information security strategy?

A. To determine the goals of security and the plan to achieve them

B. To determine the configuration of security controls

C. To determine the acceptable usage of information assets

D. To determine the budget of an information security program

11. The roadmap for information security implementation is primarily based on:

A. IT architecture

B. IT policy

C. Security strategy

D. Regulatory requirements

12. Which of the following can be the main reason for a change in a policy?

A. Changes in regulation

B. Changes in security baseline

C. Changes in management intent and direction

D. Changes in organizational culture

13. The most important result of an information security strategy is:

A. Mature policies and procedures

B. Ensuring that residual risk is kept within acceptable levels

C. Mature vulnerability assessment procedures

D. Alignment of controls with international standards


14. The best indicator to determine the effectiveness of a security strategy is:

A. The strategy helps to improve the risk appetite of the organization

B. The strategy helps to implement countermeasures for all the threats

C. The strategy helps to minimize annual losses

D. The strategy helps to achieve the control objectives

15. The primary reason for the board of directors to be involved in information security initiatives is:

A. Concerns regarding IT architecture

B. Concerns regarding the organization's liability

C. Concerns regarding compliance

D. Concerns regarding the implementation of policy

16. The information security manager has been asked to implement a particular security standard. Which of the following is most
effective to monitor this?

A. Key success factors

B. Key objective indicators

C. Key performance indicators

D. Key goal indicators

17. What is the most effective way of measuring the degree of alignment between security objectives and business objectives?

A. Interviewing the security manager

B. Reviewing the capability maturity model

C. Reviewing the risk assessment report

D. Reviewing the business balanced scorecard

18. The best way to align security goals with business goals is:

A. To design functional goals that support security goals

B. To have business goals and security goals that support each other

C. To ensure that the security goals are derived from the business goals

D. To ensure that the business goals and security goals are independent of each other

19. The security baseline of a mature organization is most generally defined with reference to:

A. The availability of policies

B. The availability of IT architecture

C. Control objectives being met

D. Adherence to regulatory requirements


20. Which of the following is the area of most concern for the security manager of an organization that operates in multiple countries?

A. Difficulty in implementing a standardized security program

B. Difficulty in monitoring security posture across a wide geographical area

C. Difficulty in developing a customized security awareness program

D. Difficulty in monitoring compliance with laws and regulations

21. Which of the following is considered the most significant key risk indicator?

A. An abnormal deviation in employee attrition rate

B. High count of viruses quarantined by antivirus software

C. High count of packets filtered by the firewall

D. A low count of information security officers

22. The most important aspect of an information security strategy from senior management's perspective is:

A. The details of technology

B. The details of compliance requirements

C. The business priorities

D. The details of procedural aspects

23. The best method to develop an effective data protection strategy is:

A. To conduct a vulnerability assessment

B. To design a tailored methodology based on exposure

C. To obtain an insurance policy for data losses

D. To implement industry best practices

24. Out of the following, what is the most effective way to obtain commitment from senior management for the implementation of a
security program?

A. Discuss the industry best practices.

B. Discuss various risk scenarios.

C. Discuss the cost-benefit analysis.

D. Discuss the relationship between the security program and business goals.

25. Which of these factors most influences the success of an information security strategy?

A. Approval from the chief information officer

B. Alignment with IT plans

C. Alignment with the goals set by the board of directors

D. Measurement against a key performance indicator


26. The most effective method to obtain commitment from senior management for the implementation of any new security program,
given the following choices, is:

A. To demonstrate the success of industry peers

B. To demonstrate potential loss and other negative impacts due to a lack of support

C. To demonstrate the regulatory requirements related to security

D. To demonstrate support for the desired outcome


3

Information Risk Assessment


ACCESSING THE ONLINE CONTENT
With this book, you get unlimited access to web-based CISM exam prep tools which include practice questions, flashcards,
exam tips, and more. To unlock the content, you'll need to create an account using your unique sign-up code provided with
this book. Refer to the Instructions for Unlocking the Online Content section in the Preface on how to do that.

If you've already created your account using those instructions, visit this link http://packt.link/cismexamguidewebsite or
scan the following QR code to quickly open the website. Once there, click the Login link in the top-right corner of the page
to access the content using your credentials.

In this chapter, you will explore information risk management and learn about the tools and
techniques available to help you with risk management, along with other important concepts from the
perspective of the CISM exam. This chapter will help CISM candidates understand different aspects
of implementing a risk management strategy.

The following topics will be covered in this chapter:


Understanding Risk

Differentiating Risk Identification, Risk Analysis, and Risk Evaluation

Differentiating Risk Capacity, Risk Appetite, and Risk Tolerance

Inherent Risk and Residual Risk

Phases of Risk Management

Risk Awareness

Risk Assessment

Risk Identification

Risk Analysis

Risk Evaluation

Risk Register

Emerging Risk and Threat Landscape


Vulnerability and Control Deficiency

Security Baselines

Understanding Risk
The following table illustrates the different definitions of risk:

Source: COSO-ERM
Risk defined as: Potential events that may impact the entity
Keywords: probability/impact

Source: Oxford Dictionary
Risk defined as: The probability of something happening multiplied by the resulting cost or benefit if it does
Keywords: probability/cost/benefit

Source: Business Dictionary
Risk defined as: A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities and that may be avoided through preventive action
Keywords: probability/damage

Source: ISO 31000
Risk defined as: The effect of uncertainty on objectives
Keywords: uncertainty/effect

Source: ISO/IEC Guide 73
Risk defined as: The combination of an event and its consequences
Keywords: event/consequences

Figure 3.1: Definitions of risk

NOTE
From a CISM exam perspective, you need not worry about any of the definitions in the table above; these are for your
knowledge.

As you can observe, almost every definition speaks directly or indirectly about two terms: probability
and impact. In its simplest form, risk is the product of probability and impact. In other words:
Risk = Probability * Impact

Risk = P * I
Figure 3.2: Risk

NOTE
Probability is also known as likelihood, possibility, chance, and so on.

Both terms carry equal weight when determining risk, as the following example shows. Suppose the
probability that rain will damage a product is very high, signified as 1. However, the product hardly
costs anything, so the impact is nil (zero) even if the product gets damaged. The risk of rain damage
to this product is therefore:

Risk = P * I

That is, Risk = 1 * 0 = 0

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What are the essential elements of risk?
Possible answer: Probability (likelihood) and impact (consequences)

Question: Risk is the combination of probability and impact. Which one of them requires the greatest amount of speculation?
Possible answer: Probability (likelihood)

Figure 3.3: Key aspects from the CISM exam perspective

NOTE
The answers and explanations for all practice questions for this chapter can be found via this link.

Practice Question Set 1


1. As an information security manager, you have determined the likelihood of a risk event. What should you assess next to determine
the level of risk that the event poses?

A. The magnitude of impact

B. The tolerance for the risk

C. The appetite for the risk

D. The asset book value

2. What are the most important aspects for identifying the level of risk?

A. Threat and impact

B. Likelihood and consequences

C. Impact and insurance

D. Sensitivity and threat

3. Reduction in exposure will result in:

A. Reduction in impact if compromised

B. Reduction in vulnerability

C. Reduction in the likelihood of being exploited

D. Reduction in the time needed for recovery

Differentiating Risk Identification, Risk Analysis, and Risk Evaluation
ISACA's qualifications are recognized around the globe and, as a result, people across the world enroll
for their examinations. It is of utmost importance for ISACA to use jargon and terminologies in their
study materials and examinations that are globally accepted and that are not restricted to particular
countries or continents. It is equally important for all candidates to understand the jargon and
terminologies in the way ISACA uses them. For this, you need to let go of local perceptions and wear
ISACA's thinking hat.

The following are some important terminologies from the perspective of ISACA's examinations.

Risk Management
Risk management indicates the combination of the following processes:

Risk assessment, which itself comprises:
    Risk identification
    Risk analysis
    Risk evaluation

Risk response

Risk monitoring

Risk Assessment
Risk assessment is the combination of the following three processes:
Risk identification

Risk analysis

Risk evaluation

Risk assessment is the process used to identify, analyze, and evaluate risk. The results of risk
assessment are used to prioritize risks and decide the appropriate risk response option.

Risk Analysis
Risk analysis is the process of determining the level of risk. The level of risk can be either quantified
(i.e., numerical, percentage, dollar amount, and so on) or qualified (i.e., low risk, medium risk, or
high risk).

Risk Evaluation
Risk evaluation is the process of comparing the level of risk (as ascertained from risk analysis) with
what is considered an acceptable risk level (i.e., risk appetite).

Differentiating Risk Capacity, Risk Appetite, and Risk Tolerance
The first step toward understanding risk management is to learn the following three important terms:
Risk capacity: This is the maximum risk an organization can afford to take.

Risk tolerance: Risk tolerance levels are acceptable deviations from the risk appetite.

Risk appetite: This is the amount of risk that an organization is willing to take.

The following example further explains these terms.

Mr. A's total savings are $1,000. He wants to invest in equities to earn some income. Since he is risk
averse, he decides to invest only up to $700. If the markets are good, he is willing to invest a further
$50. In terms of risk capacity, risk appetite, and risk tolerance, the following can be derived:
Risk capacity: Total amount available, i.e., $1,000

Risk appetite: Mr. A's willingness to take a risk, i.e., $700

Risk tolerance: Acceptable deviation from the risk appetite, i.e., $750

The following diagram demonstrates the relationship between risk capacity, risk tolerance, and risk
appetite:

Figure 3.4: The relationship between risk capacity, risk tolerance, and risk appetite

You can infer the following from the diagram:


Risk capacity is always greater than both tolerance and appetite.

Tolerance can either be equal to or greater than appetite. Risk tolerance levels are acceptable deviations from risk appetite.

Risk acceptance generally should be within the risk appetite of the organization. In no case should it exceed the risk capacity.

Another important aspect that a security manager should understand is risk communication, which you will learn about in the next
topic.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What are the circumstances in which management may not want to mitigate the risk even if the level of risk is above the organization's risk appetite?
Possible answer: The risk falls within the risk tolerance level. (Risk tolerance levels are acceptable deviations from risk appetite.)

Figure 3.5: Key aspects from the CISM exam perspective


Practice Question Set 2
1. As an information security manager, you noted that the IT head has mitigated a risk even though it is within the organization's risk
tolerance. What is the most likely reason for this treatment?

A. A mandate from the board of directors to address all risks

B. Management does not want to accept the risk

C. Addressing the risk is very cost effective

D. Management may have concerns that the stated impact is underestimated

Inherent Risk and Residual Risk

Inherent Risk
Inherent risk is considered the risk before implementing a control. It is the risk that a process would
pose if no control factors were in place (the gross risk, or, the risk before controls). It is the weakness
or the susceptibility of a process to introduce a material error when there are no internal controls.

Inherent risk depends on the number of users and business areas. The higher the number of users and
business processes, the higher the level of inherent risk will be.

Residual Risk
This is the risk that remains after controls have been considered (the net risk or the risk after
controls).

Residual Risk = Inherent Risk - Controls

For a successful risk management program, residual risk should always be within the risk appetite.
When the residual risk is within the risk appetite, it is considered an acceptable risk level.

The primary objective of a risk management program is to ensure that the residual risk is within a
level acceptable to management. If the residual risk is within the risk appetite of the organization, it
complies with the risk appetite. The achievement of acceptable risk indicates that residual risk is
minimized and within control.

Differentiating between Inherent Risk and Residual Risk
Take this example. You purchased a machine costing $100,000, which is placed in an earthquake-
sensitive zone. Any damage to the machine will cost you $100,000. To safeguard against this loss,
you take insurance worth $80,000 for the machine. Now, if anything happens to your machine, the
insurance company will reimburse you up to $80,000. Your final loss will be only $20,000.

NOTE
The cost of the control (insurance in this case) is a cost and not a risk; hence, it is not factored into the equation.

In this case, your risk before taking insurance is $100,000. This risk is known as inherent risk, i.e.,
the gross risk or the risk before implementing any control.

The risk after taking the insurance is only $20,000. This risk is known as residual risk, i.e., the net
risk or the risk after implementing the control.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the best way to determine the sufficiency of risk control measures?
Possible answer: To ascertain whether the residual risk is less than or equal to the acceptable risk level

Question: The acceptable level of residual risk is determined by:
Possible answer: Management discretion

Figure 3.6: Key aspects from the CISM exam perspective

Practice Question Set 3


1. As an information security manager, you have identified the residual risk. What should your next step be?

A. To transfer the risk to an insurance company

B. To transfer the risk to a third-party service provider

C. To determine whether the residual risk is acceptable

D. To accept the residual risk

2. The most important factor to determine an acceptable level of IT risk is:

A. Organizational requirements

B. Security requirements
C. International standards

D. Audit requirements

3. The control level is said to be appropriate when:

A. The acceptable risk level is less than the total risk level

B. The residual risk level is less than the acceptable risk level

C. The residual risk level is more than the acceptable risk level

D. The annual risk expectancy is more than the acceptable risk level

4. Residual risk is best determined by:

A. Management discretion

B. Legal requirements

C. Level of security budget

D. Audit findings

Phases of Risk Management


The prime objective of a risk management process is to achieve the optimum balance between
maximizing business opportunities and minimizing vulnerabilities and threats. To achieve this
objective, the information security manager should have a thorough understanding of the nature and
extent of the risks applicable to the organization. A mature organization will have a dedicated
enterprise risk management (ERM) group to monitor and control risk.

The first step in the development of a risk management program is to establish the context and
purpose of the program. Management support can be gained only if the program has appropriate
context and purpose.

Risk management must operate at both the strategic as well as the operational level. The effectiveness
of a risk management program depends on how well it is integrated into an organization's culture and
the extent to which it becomes everyone's responsibility.

Phases of Risk Management


A risk management program includes the following four phases:

Step 1: Risk identification. In risk identification, various risks impacting the business objectives are identified by way of risk
scenarios. In this phase, the threat landscape and vulnerabilities are also identified.

Step 2: Risk analysis. In risk analysis, the impact and level of risks are determined (i.e., high, medium, or low). Risk analysis
helps to determine the exposure and helps to plan for remediation.

Step 3: Risk evaluation. In risk evaluation, it is determined whether the risk is within the acceptable range or whether it should
be mitigated. Based on risk evaluation, risk responses are decided.

Step 4: Risk response. Risk response can be in the form of risk mitigation, risk acceptance, risk avoidance, or risk transfer.
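The four phases above can be carried through end to end over a small risk register, using the Risk = P * I formula, the risk capacity/appetite/tolerance rules from Mr. A's example, and the inherent/residual insurance example earlier in this chapter. The following Python program is an added example, not code from the book or from ISACA. The class and field names (RiskScenario, Thresholds, control_reduction), the four response categories, and every scenario value and threshold are constructed for illustration; only the two formulas and the ordering appetite <= tolerance <= capacity come from the chapter.

```python
"""Worked risk-management pass over a small risk register.

Added example, not from the book: identify (the register), analyze
(Risk = P * I, residual = inherent - control), evaluate (compare with the
acceptable level) and respond. All names and numbers are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Response(Enum):
    """Risk response implied by where the residual risk falls (assumed categories)."""
    ACCEPT = "accept: within risk appetite"
    ACCEPT_WITHIN_TOLERANCE = "accept at management discretion: above appetite, within tolerance"
    TREAT = "treat (mitigate, transfer or avoid): above tolerance"
    TREAT_EXCEEDS_CAPACITY = "treat urgently: exceeds risk capacity, acceptance is not an option"


@dataclass(frozen=True)
class Thresholds:
    """Acceptable-risk levels; Figure 3.4 requires appetite <= tolerance <= capacity."""
    appetite: float
    tolerance: float
    capacity: float

    def __post_init__(self) -> None:
        if not 0 <= self.appetite <= self.tolerance <= self.capacity:
            raise ValueError("require 0 <= appetite <= tolerance <= capacity")


@dataclass(frozen=True)
class RiskScenario:
    """One row of the risk register (risk identification)."""
    name: str
    probability: float              # likelihood of the event, in [0, 1]
    impact: float                   # consequence if the event occurs, in currency units
    control_reduction: float = 0.0  # how much of the inherent risk existing controls remove

    def inherent_risk(self) -> float:
        """Risk analysis: Risk = P * I, the gross risk before any control."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        return self.probability * self.impact

    def residual_risk(self) -> float:
        """Residual Risk = Inherent Risk - Controls, the net risk (floored at zero)."""
        return max(0.0, self.inherent_risk() - self.control_reduction)


def evaluate(residual: float, t: Thresholds) -> Response:
    """Risk evaluation: compare the analyzed level with the acceptable level."""
    if residual > t.capacity:
        return Response.TREAT_EXCEEDS_CAPACITY
    if residual > t.tolerance:
        return Response.TREAT
    if residual > t.appetite:
        return Response.ACCEPT_WITHIN_TOLERANCE
    return Response.ACCEPT


def assess(register: list[RiskScenario], t: Thresholds) -> list[dict]:
    """Run the four phases over the register; highest residual risk comes first."""
    rows = [
        {
            "scenario": s.name,
            "inherent": s.inherent_risk(),
            "residual": s.residual_risk(),
            "response": evaluate(s.residual_risk(), t),
        }
        for s in register
    ]
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


# Constructed sample register. The first row mirrors the book's insurance
# example ($100,000 machine, $80,000 insurance, $20,000 residual); the last
# mirrors the "rain on a worthless product" example (impact zero).
SAMPLE_REGISTER = [
    RiskScenario("Earthquake damages machine", probability=1.0, impact=100_000, control_reduction=80_000),
    RiskScenario("Ransomware on file server", probability=0.2, impact=400_000, control_reduction=20_000),
    RiskScenario("Laptop theft", probability=0.3, impact=50_000, control_reduction=5_000),
    RiskScenario("Rain on a worthless product", probability=1.0, impact=0),
]

# Constructed thresholds for the organization (currency units).
SAMPLE_THRESHOLDS = Thresholds(appetite=10_000, tolerance=25_000, capacity=50_000)


def main() -> None:
    for row in assess(SAMPLE_REGISTER, SAMPLE_THRESHOLDS):
        print(f"{row['scenario']:<30} inherent={row['inherent']:>9,.0f} "
              f"residual={row['residual']:>9,.0f}  {row['response'].value}")


if __name__ == "__main__":
    main()
```

Two design points follow the chapter directly: the band between appetite and tolerance is exactly the case in Figure 3.5 where management may choose not to mitigate a risk that sits above appetite, and the separate capacity check encodes the rule that risk acceptance must never exceed risk capacity. Mr. A's figures ($700 appetite, $750 tolerance, $1,000 capacity) can be passed as a Thresholds object to evaluate() to reproduce that example.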

A security manager should also understand the outcome of a risk management program. This is
detailed in the next section.

The Outcome of a Risk Management Program


The most important outcome of an effective risk management program is to reduce the incidence of
risks impacting the business objectives. This is done by addressing the threat and reducing the
vulnerability and exposure. A risk management program supports the organization's ability to operate
effectively and efficiently.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the first step in the development of a risk management program?
Possible Answer: To establish the context and purpose of the program

Question: What is the main objective of risk evaluation?
Possible Answer: In risk evaluation, it is determined whether any risk is within the acceptable range or whether it should be
mitigated. Based on risk evaluation, risk responses are decided.

Question: What is the main objective of a risk response?
Possible Answer: To control the level of impact

Question: What is the main objective of risk analysis?
Possible Answer: To determine the level of exposure/impact

Figure 3.7: Key aspects from the CISM exam perspective

Practice Question Set 4


1. As a newly appointed information security manager, you are required to develop an information security risk management
program. What should you first establish?

A. Management support

B. Security policy and procedures

C. Oversight committee

D. Context and purpose of the program

2. What is the main objective of risk evaluation?

A. It provides the basis for selecting the risk response

B. It ensures that all controls are effective

C. It provides the assessment of a risk management program

D. It ensures that all risks are appropriately categorized

3. What is the main objective of a risk response?

A. To decrease the cost of control

B. To decrease the level of vulnerability

C. To decrease the level of threat

D. To decrease the level of impact

4. What is the main objective of a risk analysis?

A. To justify the security budget

B. To prioritize the assets to be protected

C. To determine the residual risk

D. To assess the level of exposure and plan the remediation

5. The outcome of a successful risk management program is:

A. The organization can quantify risks

B. The organization can eliminate the inherent risk

C. The organization can minimize the residual risk

D. The organization can monitor control risks

Risk Awareness
Having good awareness of risk management programs improves the organization's risk culture. It is
the key element in influencing the behavior of end users. Through a risk awareness program, each
member of the organization can help to identify vulnerabilities, suspicious activities, and other
abnormal behavior patterns. This helps in having faster responses to attacks or incidents and thus
minimizes their impact.

Tailored Awareness Programs


For a risk awareness program to be effective, it should be tailored to the needs of individual groups.
The content of an awareness program should be specific and applicable to individual job functions.
This enhances the effectiveness of awareness training. For example, a developer should be made
aware of secure coding practices, whereas an end user may only need to be made aware of the risk of
phishing emails.

An awareness program should meet the following criteria:


Be capable of highlighting the relevant risks

Be able to highlight the impact if risks are not controlled

Avoid disclosing details about open vulnerabilities or ongoing investigations

Periodically change messages and communication channels to be more effective

Training Effectiveness
It is equally important to determine the effectiveness of awareness training at periodic intervals.
Metrics can be in the form of security quizzes, phishing attack simulations, blind penetration tests,
and so on.

Awareness Training for Senior Management


Senior management should be frequently reminded that they are the owners of the risk and are
responsible for implementing any relevant controls. Highlights for senior management should be
regulatory requirements, impact on business objectives, and liability of the organization. Senior
management plays an important role in adopting a risk-aware culture in the organization.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the main objective of a risk management program?
Possible Answer: To reduce risk to an acceptable level

Figure 3.8: Key aspects from the CISM exam perspective

Practice Question Set 5


1. As a newly appointed information security manager, you are required to develop an information security risk management
program. The most effective strategy for risk management is:

A. To achieve a balance between risk and business goals

B. To reduce risk to an acceptable level

C. To develop policy statements

D. To document all unmitigated risks

2. Risk assessment is always subjective. The best method to improve the accuracy of the assessment is:

A. To provide training to the assessor

B. To use a standardized assessment framework

C. To ensure the independence of the assessor

D. To use different frameworks

3. The primary objective of a risk management program is:

A. To reduce the inherent risk

B. To eliminate all risks

C. To establish effective controls

D. To achieve an acceptable level of risk

4. When will a risk management program be the most effective overall?

A. If the program is convenient to implement

B. If the program is adopted from industry standards

C. If the program is monitored by senior management

D. If the program is supported by all members of the organization

5. The objective of a risk management program is to reduce the risk to:

A. Nil

B. An acceptable level

C. An industry-adopted standard

D. Eliminate all hazards

6. An information security team noted that management has not mitigated the risk even though the risk exceeds the risk appetite.
What is the most likely reason for this?

A. The controls are already applied

B. The controls are expensive

C. The risk is within the risk tolerance level

D. The probability of occurrence is very low

7. For risk management to be effective, it should be applied to:

A. All organizational processes

B. Processes identified by a risk assessment

C. Processes for which the risk appetite is low

D. Processes that can have a potential impact

8. What is the best way to support the business objectives through risk management?

A. Risk assessment being performed by asset owners

B. Timely updates of the risk register

C. Monitoring by the steering committee

D. Risk activities being embedded in business processes

Risk Assessment
Risk assessment is an important process for the identification of significant risks and to ensure cost-
effective controls can be put in place to address the identified risks.

There are many methodologies available for assessing risks. An organization should use the
methodology that best fits its requirements. This methodology should be able to achieve the goals
and objectives of the organization in the identification of relevant risks. A common risk assessment
methodology is COBIT 5.

Phases of Risk Assessment


Generally, a risk assessment process has the following three phases:

1. Risk identification: In this phase, significant business risks are identified. Risk identification is generally conducted by the use of
risk scenarios. A risk scenario is a visualization of a possible event that could have some adverse impact on the business
objectives. Organizations use risk scenarios to imagine what could go wrong or what could create barriers to achieving the
business objectives.

2. Risk analysis: Risk analysis involves ranking risks based on their impact on business processes. The impact can be either
quantifiable in monetary terms or qualitative, such as high, medium, or low risk. Both the probability of an event and its impact on
the business are considered to determine the level of risk. Risk analysis results help with the prioritization of risk responses and
the allocation of resources; for example, high-risk areas are given priority for treatment.

3. Risk evaluation: Risk evaluation is the process of comparing the result of risk analysis against the acceptable level of risk. If the
level of risk is more than the acceptable level, then risk treatment is required to bring down the risk level.

Here are some practical examples for each of the risk assessment phases:

Risk identification: The risk of the malfunction of a machine due to heavy rain.

Risk analysis: In this phase, the level of risk is determined. Suppose that the machine costs $100,000 and the probability of heavy
rain is 50%. In this case, the risk level is $50,000 (i.e., $100,000 * 50%).

Risk evaluation: In this phase, the risk level is compared with the risk level acceptable to management. Suppose the acceptable
level is only $20,000. The current risk of $50,000 exceeds the acceptable level of risk. In such a case, risk treatment is required to
bring the risk level down. The organization may choose to take out insurance worth $30,000 so that the net risk remains only
$20,000.
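The practical example above carried through in code, as an added illustration that is not from the book: identification produces a risk scenario, analysis applies Risk = Probability * Impact, evaluation compares the result with management's acceptable level, and the treatment is modelled as an insurance transfer of exactly the excess. The RiskScenario and Evaluation records, the function names, and the transfer-only treatment model are assumptions of this example; the dollar figures are the chapter's.

```python
"""The three risk assessment phases plus treatment, carried through on the
chapter's example. Added illustration, not from the book; the figures
($100,000 machine, 50% chance of heavy rain, $20,000 acceptable level and
$30,000 of insurance) are the chapter's."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """Output of risk identification: what could go wrong, to which asset."""
    description: str
    impact: float        # loss if the scenario materialises, in dollars
    probability: float   # likelihood within the assessment period, 0.0 to 1.0

    def __post_init__(self) -> None:
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")
        if self.impact < 0:
            raise ValueError("impact cannot be negative")


def analyse(scenario: RiskScenario) -> float:
    """Risk analysis: risk level = probability * impact, in dollars."""
    return scenario.probability * scenario.impact


@dataclass(frozen=True)
class Evaluation:
    """Result of comparing the analysed level with the acceptable level."""
    risk_level: float
    acceptable_level: float
    treatment_required: bool
    transfer_amount: float   # cover (e.g. insurance) that brings the risk into appetite
    residual_risk: float     # risk remaining after the transfer


def evaluate(scenario: RiskScenario, acceptable_level: float) -> Evaluation:
    """Risk evaluation followed by the chapter's treatment choice.

    Within the acceptable level the risk is accepted as it is. Above it, the
    excess must be treated; this example models the treatment as a transfer
    (insurance) of exactly the excess, so the residual equals the acceptable
    level. Other responses (mitigation, avoidance) would change the scenario's
    inputs instead and are not modelled here (assumption of this example)."""
    if acceptable_level < 0:
        raise ValueError("acceptable level cannot be negative")
    level = analyse(scenario)
    excess = max(0.0, level - acceptable_level)
    return Evaluation(
        risk_level=level,
        acceptable_level=acceptable_level,
        treatment_required=excess > 0,
        transfer_amount=excess,
        residual_risk=level - excess,
    )


if __name__ == "__main__":
    rain = RiskScenario("Machine malfunction due to heavy rain", impact=100_000, probability=0.50)
    result = evaluate(rain, acceptable_level=20_000)
    print(f"risk ${result.risk_level:,.0f}, transfer ${result.transfer_amount:,.0f}, "
          f"residual ${result.residual_risk:,.0f}")
```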

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: At what interval should a risk assessment typically be conducted?
Possible Answer: Annually, or whenever there is a significant change

Question: Why is it very important to conduct risk assessments on a continuous basis?
Possible Answer: Because the risk environment is changing constantly

Question: What is the output of a risk assessment?
Possible Answer: A list of risks impacting the organization

Question: What is the main advantage of performing risk assessments on a consistent basis?
Possible Answer: It shows the trends in the evolving risk profile

Figure 3.9: Key aspects from the CISM exam perspective

Practice Question Set 6


1. For the effective risk assessment of a project, it should be performed:

A. At the initial stage of the project

B. On a continuous basis

C. Before the implementation of the project

D. When there is a change in the process

2. The frequency for risk assessments should be:

A. Annually for each process

B. As per the risk management budget

C. Every 6 months for critical business processes

D. Annually or whenever there is a significant change

3. What is the prime objective of conducting risk assessments on a continuous basis?

A. For optimum utilization of the security budget

B. To comply with the security policy

C. To address the constantly changing risk environment

D. The optimum utilization of security resources

4. A security manager observes that an organization is using FTP access, which can be exploited. Which of the following can they
use to determine the necessity for remedial action?

A. A penetration test

B. A security baseline review

C. A risk assessment

D. A business impact analysis

5. What is the main objective for the use of risk assessment techniques?

A. To justify the selection of risk mitigation strategies

B. To maximize the return on investment

C. To comply with regulations

D. To ensure better documentation

6. What is the most important element of a risk assessment?

A. Protection of all types of assets

B. Benchmarking processes with other organizations

C. Evaluating both monetary value and likelihood of loss

D. Evaluating past threats

7. The main reason for repeating a risk assessment at regular intervals is:

A. To address constantly changing business threats


B. To rectify errors of earlier assessments

C. To apply different methodologies

D. To improve security awareness

8. What is the most important factor when reviewing the migration of IT operations to an offshore location?

A. Reviewing new regulations

B. Modifying operating processes

C. Reviewing budget adherence

D. Performing a risk assessment

9. A risk assessment produces output in the form of:

A. A list of implemented controls

B. A list of applicable threats

C. A list of possible impacts

D. A list of risks that may impact the organization

10. What is the most essential element for conducting a risk assessment?

A. Consequences

B. Likelihood

C. Vulnerability

D. Budget

11. As per good practices, a full reassessment of risk should be performed:

A. In the case of material control failure

B. In the case of the residual risk being higher than the acceptable risk

C. In the case of the installation of a new patch

D. In the case of the implementation of emergency changes

12. The main objective of conducting risk assessments on a consistent basis is:

A. To lower the cost of risk assessment

B. To adhere to the security budget

C. To comply with the security policy

D. To determine trends in the evolving risk profile

Risk Identification
Risk management begins with risk identification. Risk identification is the process of identifying and
listing risks in the risk register.

The primary objective of the risk identification process is to recognize threats, vulnerabilities, assets,
and controls of the organization. A risk practitioner can use the following sources for the
identification of any risk:
Review of past audit reports

Review of incident reports

Review of public media articles and press releases

Systematic approaches such as vulnerability assessments, penetration testing, review of business continuity plan (BCP) and
disaster recovery plan (DRP) documents, interviews with senior management and process owners, and scenario analysis

All the identified risks should be captured in the risk register along with details such as description,
category, probability, impact, and risk owner. In fact, maintenance of the risk register starts with the
risk identification process.

Risk Identification Process


The following are the steps involved in risk identification:

Figure 3.10: Risk identification process

A security manager should thoroughly understand the process of risk identification. Generally, this
process begins with the identification of critical assets. A security manager should be aware of all
assets that need protection. After the identification of assets, threats should be determined, followed
by the identification of any existing controls, identification of vulnerabilities, and then determining
consequences.
Conducting Interviews
One method for risk identification is conducting interviews. The following are some good practices
for interview techniques when identifying risk:
Risk practitioners should ensure that the staff being interviewed have sufficient authority and knowledge about the
process.

To the extent possible, risk practitioners should study the business process in advance of the interview. This will help in
conducting smooth interviews and risk practitioners can concentrate on areas of concern.

Interview questions should be prepared in advance and shared with the interviewee so they come prepared and bring any
supporting documentation, reports, or data that may be necessary.

Risk practitioners should obtain and review relevant documentation, such as standard operating procedures (SOPs), reports,
and other notes that support the statements of the interviewee.

Risk practitioners should encourage interviewees to be open about various risk scenarios.

Information can be gathered through the Delphi technique.

Delphi Technique
Many organizations resort to the Delphi technique in which polling or information gathering is done
either anonymously or privately between the interviewer and interviewee.

Asset Identification
The first and most important step in a risk assessment process is to identify and list all the assets and
determine their value based on criticality or sensitivity. In the absence of a detailed asset inventory,
the organization may miss protecting some significant assets. Assets can be in the form of people,
processes, systems, network components, databases, or any other elements that can impact business
processes. Assets need not be only tangible assets. There are often also intangible assets, such as the
reputation of the organization.

Asset Valuation
Once all the assets have been identified, the next step is to determine their value. This is very
important to avoid the under-protection or over-protection of assets. The effort required to protect any
asset should be justified by its criticality. For instance, it would not make sense to spend $100 for the
protection of an asset valued at $10.

The security manager should be careful while valuing the assets. In some situations (as shown in the
following example), the valuation should not be based only on the actual cost or replacement cost,
but also on the impact on the business if said asset is not available.
For example, suppose a server costing $1,000 is hosting data that supports a project worth $20,000. If
this server is not available, then the entire project will be adversely impacted. In this case, the value
of the server will be considered $20,000 even though its cost is only $1,000.

This is also known as opportunity cost. The opportunity cost reflects the cost of loss to the
organization/business resulting from the unavailability of an asset.

Aggregated and Cascading Risk


A security manager should consider the impact of an aggregated risk as well as a cascading risk
when designing an overall control environment.
Aggregated Risk
Aggregated risk means that there is a significant impact caused by a large number of minor
vulnerabilities. Such minor vulnerabilities would not have any major impact individually, but when
all such vulnerabilities are exploited at the same time, they can cause a huge impact.

The goal of risk aggregation is to identify the overall significant risk posed by a single threat vector.
For example, suppose an organization has implemented multiple controls to protect a critical
database. Even if one control fails, the other controls can compensate. However, when a threat
exploits all the controls together, there can be a significant adverse impact.
Cascading Risk
Cascading risk is when one failure leads to a chain reaction of failures. This is more relevant where
IT and operations have close dependencies. The security manager should consider the impact of the
failure of one activity on other dependent systems.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: Valuation of an asset in a business impact analysis should be based on:
Possible Answer: Opportunity cost (opportunity cost reflects the cost of the loss to the organization/business resulting from
the unavailability of an asset).

Question: What is the objective of risk aggregation?
Possible Answer: To identify the significant overall risk coming from a single threat vector. To identify the significant overall
risk from multiple minor vulnerabilities that are linked to each other being exploited at the same time.

Figure 3.11: Key aspects from the CISM exam perspective

Practice Question Set 7


1. As an information security manager, you are reviewing a homogeneous network. What will be the area of most concern for you?

A. Risk of reliability

B. A single point of failure

C. Slow network performance

D. The aggregated risk

2. Intangible assets should best be valued based on:

A. Acquisition cost

B. Replacement cost

C. Ability to generate revenue

D. Risk analysis

3. The best way to estimate potential loss is to:

A. Determine the productivity ratio

B. Determine the impact of data leakage

C. Determine the value of the information or asset

D. Determine the probability of occurrence

4. The objective of risk aggregation is to:

A. Merge all homogenous types of processes to reduce the overall risk

B. Increase the risk appetite of the organization

C. Simplify risk reporting

D. Identify significant overall risk from a single threat

Risk Analysis
Risk analysis is the ranking of risks based on their impact on business processes. A risk with high
impact is ranked higher and given priority when it comes to addressing risks. More resources are
allocated to high-risk areas.

Risk analysis results help with the prioritization of risk responses and the allocation of resources.

Risk analysis is the process of rating all identified risks in order to prioritize them. Risks with the
highest rating and impact are addressed first. Generally, the following techniques are used to rank
risks:
Quantitative method

Qualitative method

Semi-quantitative method

The availability of the correct data for risk assessment is a major factor in determining which of the
previously mentioned techniques is to be used. For instance, when a data source is trustworthy and
dependable, an organization will prefer a quantitative risk assessment since it expresses risk in
numerical terms, such as monetary value. The risk response can easily be determined when the risk is
measured in monetary (or other quantitative) values.

In the next section, you will get further insights into each method.

Quantitative Risk Analysis


In quantitative risk analysis, risks are measured based on numerical values. This helps in carrying out
a cost-benefit analysis as any risk expressed in monetary terms can easily be compared to the cost of
various risk responses. In quantitative risk analysis, various statistical methods are used to measure
the risk.

Risk is quantified as per this formula: Risk = Probability * Impact

CISM aspirants should always remember that risk is quantified as the product of probability and
impact. For example, suppose the probability of damage to equipment costing $1,000 is 0. Here, the
probability is 0 and the impact is $1,000, so the risk (P * I) is $1,000 * 0, i.e., 0. Similarly, suppose
the probability of damage to another asset costing $100 is 0.5. Then the risk is 0.5 * $100, i.e., $50.
Therefore, the risk for the equipment costing $100 is higher than the risk for the equipment costing
$1,000. This is because probability plays an important role in the quantification of risk.
Challenges in Implementing the Quantitative Method
One major challenge for conducting a quantitative risk analysis is the availability of reliable data. To
effectively quantify a risk, accurate details of probability and impact are required.

Determining the probability or frequency of occurrences of a threat is challenging. Mostly,
probability can be obtained on the basis of historical data. However, it is very difficult to ascertain the
probability of natural events, such as hurricanes, earthquakes, and tsunamis.

Quantitative risk assessment is not feasible for events where probability or impact cannot be
quantified or expressed in numerical terms.

Thus, a quantitative risk analysis:


Makes use of statistical methods to derive risk

Makes use of likelihood and impact

Helps derive the financial impact accurately

Qualitative Risk Analysis


In a qualitative risk analysis, risks are measured by some qualitative parameters, such as high,
medium, low, or on a scale of 1 to 5.

Qualitative analysis is considered more subjective compared to quantitative analysis.

Certain risks cannot be calculated in numeric terms. Qualitative assessments are useful in such
scenarios.

Qualitative risk analysis is more relevant to examining new emerging threats (which do not yet have
historic numerical data) and advanced persistent threats (APTs). Qualitative risk analysis involves
conducting interviews with various stakeholders or using techniques such as the Delphi method (as
discussed previously, under Risk Identification) wherein information can be gathered by way of
anonymous questionnaires.

Semi-Quantitative Risk Analysis


Semi-quantitative risk analysis is a combination of qualitative and quantitative methods. It is a hybrid
approach that considers the input of qualitative assessment combined with a numerical scale to
determine the impact on a quantitative basis.

In semi-quantitative risk analysis, descriptive rankings are associated with a numeric scale.

For example, the qualitative measure of "high" may be given a quantitative weight of 5, "medium"
may be given 3, and "low" may be given 1.
Such methods are frequently used when it is not possible to use only a quantitative method or when
the subjectivity in qualitative methods needs to be reduced.

Risk practitioners should ensure that a standardized process and scale are used throughout the
organization for semi-quantitative risk assessment. Furthermore, risk owners should not mistake the
origins of these values as coming from purely objective sources.

The Best Method for Risk Analysis


A risk practitioner generally prefers a quantitative approach. The quantitative approach helps
with cost-benefit analysis as risk in monetary terms can easily be compared to the cost of various risk
responses. However, a major challenge in conducting a quantitative risk analysis is the availability of
accurate data. In the absence of proper data, or when data accuracy is questionable, qualitative
analysis is preferable.

Annual Loss Expectancy


Annual loss expectancy is a calculation that helps determine the expected monetary loss for an asset
due to a particular risk over a single year.

The annual loss expectancy is the product of the annual rate of occurrence (ARO) and the single
loss expectancy (SLE). It is mathematically expressed as SLE * ARO. For example, a particular risk
event can have an impact of $1,000 every time it occurs. $1,000 is the SLE. Now, it is expected that
this particular risk event will materialize five times in a year. So, 5 is the ARO. Therefore, the annual
loss expectancy will be $5,000.
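Annual loss expectancy worked in code, as an added example that is not from the book. It uses the chapter's SLE of $1,000 and ARO of 5 and extends the calculation to the cost-benefit comparison described under Quantitative Risk Analysis, where a risk in monetary terms is compared with the cost of candidate responses. The ControlOption records, their prices, and the exposure-factor decomposition of SLE are constructed assumptions of this example.

```python
"""Annual loss expectancy (ALE = SLE * ARO) and the control cost-benefit
comparison it enables. Added example, not from the book; SLE $1,000 and
ARO 5 are the chapter's figures, the control options are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: the loss from one occurrence of the risk event.

    The exposure factor is the fraction of the asset value lost per event
    (1.0 means the whole value). Splitting SLE this way is common practice
    and an assumption of this example, not something the chapter states."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected loss per year, i.e. SLE * ARO (ARO = events per year)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class ControlOption:
    """A candidate risk response with its yearly cost (constructed record)."""
    name: str
    annual_cost: float
    sle_after: float   # SLE once the control is in place
    aro_after: float   # ARO once the control is in place


def annual_benefit(ale_before: float, option: ControlOption) -> float:
    """Net yearly value of a control: ALE reduction minus the control's cost.

    A negative result means the control costs more than the loss it
    prevents, which is the cost-benefit case against implementing it."""
    ale_after = annual_loss_expectancy(option.sle_after, option.aro_after)
    return (ale_before - ale_after) - option.annual_cost


def best_control(ale_before: float, options: list[ControlOption]) -> Optional[ControlOption]:
    """Option with the highest positive net benefit, or None when no option
    pays for itself (accepting the risk is then the defensible response)."""
    best: Optional[ControlOption] = None
    best_benefit = 0.0
    for option in options:
        benefit = annual_benefit(ale_before, option)
        if benefit > best_benefit:
            best, best_benefit = option, benefit
    return best


if __name__ == "__main__":
    sle = single_loss_expectancy(asset_value=1_000, exposure_factor=1.0)  # $1,000
    ale = annual_loss_expectancy(sle, aro=5)                               # $5,000
    options = [
        ControlOption("Backup power supply", annual_cost=1_500, sle_after=1_000, aro_after=1),
        ControlOption("Full site redundancy", annual_cost=6_000, sle_after=0, aro_after=0),
    ]
    chosen = best_control(ale, options)
    print(f"ALE ${ale:,.0f}; recommended control: {chosen.name if chosen else 'none (accept)'}")
```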

Value at Risk (VaR)


Value at risk (VaR) is a statistical computation based on historical data that helps you to arrive at a
probability. VaR is mostly used in the financial sector to determine the risk of an investment.
However, though primarily used by financial organizations, it is also applicable to the information
security domain. The following are some characteristics of VaR:
VaR is a quantitative approach for evaluating risk.

VaR is used to determine the maximum probable loss over a period of time.

VaR calculations are typically complex and time consuming.

OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a risk assessment
approach with the following characteristics:
In this approach, critical assets are identified first.

The next step is to focus on risk analysis activities for the identified critical assets.

OCTAVE considers the relationship between critical assets and the threats and vulnerabilities applicable to those assets.

It evaluates the risk in terms of the operational aspect, that is, the impact on business operations due to risk on identified critical
assets.

It creates a protection strategy for risk mitigation to safeguard the critical assets of the organization.

Other Risk Analysis Methods


A consistent risk analysis technique should be used whenever the goal is to produce results that can
be compared over time. Each approach has certain advantages and possible weaknesses, and the risk
practitioner should choose a technique appropriate for the circumstances of the assessment.

The following are some common approaches:


Bayesian analysis

This is a method of statistical inference that uses prior distribution data to determine the probability of a result.

This technique relies on the prior distribution data to be accurate in order to be effective and produce accurate results.

Bow tie analysis

A bow tie analysis is a simple process for identifying areas of concern.

It makes the analysis more effective by linking possible causes, controls, and consequences.

The cause of the event is depicted in the middle of the diagram (the "knot" of the bow tie) and threats are placed on the left side
with consequences on the right side.

The following figure shows the flow of bow tie analysis:


Figure 3.12: Bow tie analysis

Delphi method

In the Delphi method, opinions from experts are obtained using two or more rounds of questionnaires.

After each round of questioning, the results are summarized and communicated to the experts by a facilitator.

This collaborative technique is often used to build a consensus among experts.

In the Delphi technique, polling or information gathering is done either anonymously or privately between the interviewer and the
interviewee.

Event tree analysis

In event tree analysis, an event is analyzed to examine all possible outcomes.

An event tree analysis is a forward-looking model used to assess the probability of different events resulting in possible outcomes.

Fault tree analysis

In fault tree analysis, an event is identified and then the possible sources for the event are determined.

Results are displayed in a logical tree diagram and attempts are made to reduce or eliminate potential causes of the event.

Markov analysis

Markov analysis is a method used to forecast the value of a variable whose predicted value is influenced only by its current state.

The Markov model assumes that future events are independent of past events.

Markov analysis is often used for predicting behaviors and decisions within large groups of people.

Markov analysis is used to analyze systems that can exist in multiple states.

Monte Carlo analysis

Monte Carlo analysis is a risk management technique used for conducting a quantitative analysis of risks.

Monte Carlo methods, or Monte Carlo experiments, are a broad class of computational algorithms that rely on repeated random
sampling to obtain numerical results.

This technique is used to analyze the impact of risks on a project.


Key Aspects from the CISM Exam Perspective
The following are some key aspects from the exam perspective:

Question: Which risk analysis (quantitative/qualitative) is most appropriate to derive percentage estimates?
Possible Answer: Quantitative risk analysis

Figure 3.13: Key aspects from the CISM exam perspective

Practice Question Set 8


1. As a newly appointed information security manager, you are required to conduct a risk analysis of an IT environment. Risk
analysis includes the assessment of:

A. Probability and visibility

B. Likelihood and impact

C. Impact and appetite

D. Appetite and tolerance

2. Quantitative risk analysis is best used to assess:

A. Reputational risk arising out of data leakage

B. The risk of electrical power outages on business processes

C. The risk of a defaced website

D. The risk of high staff turnover

3. The most important element of quantitative risk analysis is that the result:

A. Includes customer perceptions

B. Contains percentage estimates

C. Lacks specific details

D. Is subjective

4. What is the objective of calculating the value at risk?

A. To evaluate risks by applying a qualitative approach

B. To determine the maximum possible loss over a period of time

C. To evaluate risks only for financial organizations

D. To expedite the assessment process


5. A security manager is conducting a qualitative risk analysis. What will be the best way to get the most reliable result?

A. To estimate productivity losses

B. To determine possible scenarios with threats and impacts

C. To determine the value of assets

D. To conduct a vulnerability analysis

6. The best indicator of a quantifiable acceptable level of risk is:

A. An interview with senior management

B. The ratio of security budget to total budget

C. The ratio of insurance coverage to total cost of business interruption

D. Determining the count of incidents impacting the organization

Risk Evaluation
In the risk evaluation phase, the level of each risk is compared with acceptable risk criteria. If the risk
is within the acceptable level, then it is accepted as it is. If the risk exceeds the acceptable level, then
the treatment will be some form of mitigation.

Risk Ranking
A risk with a high impact is ranked higher and given priority. The process of ranking risk in terms of
its criticality is known as risk analysis. More resources are allocated to high-risk areas. Ranking each
risk based on impact and likelihood is critical in determining the risk mitigation strategy. Ranking the
risk helps the organization determine its priority.

Practice Question Set 9


1. As an information security manager, you are required to close the vulnerabilities identified by external auditors. What will the
most effective way to mitigate the vulnerabilities be?

A. All vulnerabilities should be addressed immediately

B. Mitigation should be based on threat, impact, and cost considerations

C. Mitigation should be based on the available security budget

D. Compensating controls must be implemented for major vulnerabilities

2. The most important factor for a risk-based information security program is:

A. Prioritization

B. Threat

C. Standardization

D. Budget

3. The prioritization of risk is based on:

A. Asset value

B. Frequency and impact

C. Legal requirements

D. Frequency and scope

4. The prioritization of risk treatment is primarily based on:

A. Identified threats and vulnerabilities

B. Likelihood of compromise and subsequent impact

C. Cost of risk treatment

D. Level of exposure of the asset

Risk Register
As previously noted, all identified risks should be captured in the risk register along with details such
as description, category, probability, impact, and risk owner. The maintenance of the risk register
starts with risk identification.

A risk register is the inventory of all existing risks of an organization. The best method to understand
any kind of risk is to review the risk register. It includes details of all risks along with relevant control
activities. The most effective use of a risk register is to facilitate a thorough review of all risks on a
periodic basis.

Practice Question Set 10


1. A risk register is best used for:

A. Identification of emerging risks

B. Identification of risk owners

C. Review of all IT-related risks on a periodic basis

D. Recording annualized loss due to an incident

Emerging Risk and the Threat Landscape


CISM aspirants should be able to distinguish between a threat and a vulnerability. A
vulnerability is a weakness in the system. A threat is any element that attempts to exploit the
vulnerability. For example, when antivirus software is not updated, that is considered a vulnerability. A
hacker who attempts to exploit this vulnerability is a threat. The objective of an internal control is to
reduce vulnerability. Internal controls cannot directly control threats.

Emerging Threats
An information security manager must be aware of the constantly evolving threat landscape and how
it affects their organization. As infrastructures evolve, new risks can emerge in unexpected ways.
When a threat is combined with a lack of adequate monitoring, a breach might occur.

Unusual activity on a system, frequent alarms, delayed system or network performance, or new or
excessive activity in logs are all signs of emerging threats. Many affected organizations have
evidence of emergent risks in their logs well before an actual compromise occurs, yet the evidence
goes unnoticed or unaddressed.

Nowadays, new technologies are designed with a focus on performance, and security is often
considered less important. As a result, new technology tends to introduce new vulnerabilities. The
involvement of an information security team in the implementation of new technologies is vital for
the overall security environment of the organization. Technologies such as cloud computing offer
tremendous benefits for the organization. However, if implemented without due consideration of
security, it may bring disaster.

Similarly, the concept of bring your own device (BYOD) results in a good amount of cost saving for
the organization but comes with its own risks.

Advanced Persistent Threats


APTs are attacks carried out by sophisticated, highly trained attackers with a strong desire to exploit systems and networks.

In an APT, the attackers are highly skilled and have access to advanced tools and techniques. An attacker
may gain and maintain unauthorized access to the targeted network while remaining undetected for
an extended period of time. The attacker will then monitor and extract confidential and sensitive
data.

Although APTs have usually been connected with nation-state sponsorship, in recent years there have been several
examples of organizations not backed by a nation-state undertaking large-scale targeted attacks for
specific objectives.

The information security manager must be aware that APTs pose a substantial threat to the
organization and must ensure that proper measures are in place to detect and identify this threat.

Practice Question Set 11


1. The risk of a new application should be first assessed at the level of:

A. Feasibility

B. Design

C. Development

D. Testing

2. The most effective method to address the risk of acquisition of new IT resources is:

A. Acceptance of risk by the IT manager

B. To obtain the approval of compliance before acquiring any new system

C. To obtain the approval of the senior manager before acquiring any new system

D. To implement an appropriate procurement process

Vulnerability and Control Deficiency


Vulnerabilities can arise from multiple sources, such as technological concerns, process lapses, and
human weakness. To be effective, a vulnerability assessment must include process, procedural, and
physical vulnerabilities in addition to technological flaws.

Audits, security reviews, vulnerability scans, and penetration tests are some methods that are
commonly used to find vulnerabilities.

Various types of testing, as well as subject matter expert estimates, can be used to determine the
degree of vulnerability. To the extent possible, the overall risk needs to be quantified. This helps
management take relevant action.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the most cost-effective method of identifying new vulnerabilities for third-party products?
Possible Answer: Subscriptions to organizations publishing vulnerabilities. External vulnerability sources are the most cost-effective method of identifying new vendor vulnerabilities.

Question: What is the prime objective of a gap analysis?
Possible Answer: To measure the current state vis-à-vis the desired state.

Question: What is the best way to assess the aggregate risk of multiple minor vulnerabilities linked together?
Possible Answer: To conduct a penetration test. A penetration test can determine the aggregate risk of linked vulnerabilities by exploiting them sequentially.

Question: What is the main objective of performing a penetration test?
Possible Answer: To identify weaknesses in network and server security.

Question: What is the most important aspect of a vulnerability scanning tool?
Possible Answer: Regular updates of signatures.

Figure 3.14: Key aspects from the CISM exam perspective

Practice Question Set 12


1. The most effective way to determine the existing level of risk is:

A. Vulnerability analysis

B. Threat analysis

C. Impact analysis

D. Security review

2. The most effective option to address a defined threat is:

A. Implementing a deterrent control

B. Reducing the exposure

C. Implementing a compensating control

D. Implementing an administrative control


3. The best method to address the excessive exposure of a sensitive database is to:

A. Implement an incident response procedure

B. Reduce the attack surface

C. Compartmentalize the sensitive database

D. Implement a deterrent control

4. The most likely reason for a security manager to not be concerned about an identified major threat is:

A. The vulnerability being compartmentalized

B. The availability of an incident response procedure

C. The availability of a compensating control

D. The threat being unable to be exploited so far

5. As an information security manager, you are required to identify a new vulnerability of a particular technology. The best method
to identify the vulnerability in a cost-effective manner is:

A. External vulnerability reporting sources

B. Network scanning software

C. Periodic vulnerability assessment

D. Implementing honeypots

6. What is the main objective of a vulnerability assessment?

A. To eliminate all risks to the business

B. To adhere to a security policy

C. To provide assurance to management

D. To monitor the efficiency of the security team

7. The main objective for conducting a penetration test is to:

A. Determine the weaknesses in the network and server security

B. Determine the improvements in the incident management procedure

C. Determine the capability of threat vectors

D. Determine the strength of the security team

8. When evaluating a vulnerability scanning tool, a security manager should be most concerned about:

A. The tool's ability to perform multiple functions

B. Regular signature updates of the scanning tool

C. Complexity of the dashboard

D. The tool's ability to delete a virus


9. What is the best way to treat vulnerabilities?

A. All identified vulnerabilities should be treated even if there is no threat

B. Identified vulnerabilities should be prioritized based on the number of threats

C. Identified vulnerabilities should be prioritized based on the effectiveness of controls

D. Identified vulnerabilities should be evaluated for threat, impact, and cost of mitigation

10. The most cost-effective method to test the security of a legacy application is:

A. To determine the security weakness of a similar application

B. To use debugging software to identify code errors

C. To determine the system functionality using reverse engineering

D. To conduct a vulnerability assessment to detect the application's weaknesses

Security Baselines
A security baseline refers to the minimum security requirement across the organization. The baseline
may be different in accordance with asset classification. For highly classified assets, the baseline will
be more stringent. For example, for low-classified assets, the baseline can be single-factor
authentication. However, it would increase to two-factor authentication for high-classified assets.

Baseline security should form a part of the control objectives. The baseline should be reviewed at
regular intervals to ensure that it is aligned with the organization's overall objectives.

Risk Communication
The communication of risk management activities is key to the effective implementation of the
risk management strategy. Communication should involve all relevant stakeholders, and
communication channels should enable interaction in both directions. That is, management should be
able to communicate with end users and end users should be able to pass on information related to
risk to management.

Summary
In this chapter, you learned about the important aspects of risk management. You explored different
risk identification and risk assessment methods. This will help you as a security manager to identify
risk in the organization, assess the level of risk, and determine the most appropriate treatment
options.

The next chapter will cover the different methods for responding to identified risks.
4

Information Risk Response


In this chapter, you will learn about the practical aspects of information risk management and explore
risk management tools and techniques along with other important concepts from the perspective of
the CISM exam.

This chapter will cover the following topics:


Risk Treatment/Risk Response Options

Risk Ownership and Accountability

Risk Monitoring and Communication

Implementing Risk Management

Change Management

Patch Management

Operational Risk Management

Risk Management Integration with Life Cycle

Risk Treatment/Risk Response Options


The treatment of risk is one of the most important aspects of risk management. Risk treatment is also
sometimes referred to as risk response.

The following are the four options for responding to risk.

Risk Mitigation
In this approach, efforts are made to reduce the probability of risk or impact resulting from the risk event by designing appropriate
controls.

The objective of risk mitigation is to reduce the risk to an acceptable level.

Risk Sharing/Transferring
In this approach, risk is shared with partners or transferred via insurance coverage, contractual agreement, or other means.

For example, natural disasters have a very low probability of occurring but have a high impact if they
do. The response to such a risk should be risk transfer.
Risk Avoidance
In this approach, projects or activities that cause risk are avoided.

Risk avoidance is the last choice when no other response is adequate.

An example would be terminating a project when business cases show a high risk of failure.

Risk Acceptance
In this approach, risk is accepted as it is in accordance with the risk appetite of the organization.

Risk is accepted when the cost of controlling the risk is more than the cost of the risk event.

For example, for a few noncritical systems, the cost of antimalware installation is more than the
anticipated cost of damage due to any potential malware attack. In such a case, the organization
would generally accept the risk as it is.
In risk acceptance, no steps are taken to reduce the risk at this time (though the risk is recorded and reassessed at regular intervals
to determine whether this remains the best course of action).

However, organizations need to be very careful when accepting any risk. If a risk is accepted without fully understanding its
potential impact, it may result in a higher level of liability.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: Taking out insurance is an example of which risk treatment strategy?
Possible Answer: Risk transfer

Question: What is the most effective way to treat risks such as natural disasters that have a low probability but a high impact level?
Possible Answer: Risk transfer

Question: What are the components of risk treatment (risk response)?
Possible Answer: Risk mitigation, risk acceptance, risk avoidance, and risk transfer

Question: What is the main objective of risk response?
Possible Answer: To control the impact

Question: Prioritization of risk response is based on what?
Possible Answer: The likelihood of compromise and the impact on business processes

Figure 4.1: Key aspects from the CISM exam perspective

NOTE
The answers and explanations for all practice and revision questions for this chapter can be found via this link.

Practice Question Set 1


1. As an information security manager, you have requested approval for cyber insurance from senior management. Taking out
insurance is an example of:

A. Risk avoidance

B. Risk acceptance

C. Risk transfer

D. Risk mitigation

2. The selection of a mitigating control is best decided by:

A. The senior manager

B. The business manager

C. The audit manager

D. The security manager

3. An organization has started operations in a country where identity theft is widespread. The best course of action for the
organization is to:

A. Set up monitoring techniques to detect and react to fraud

B. Make customers liable for the fraud amount

C. Make customers aware of the possibility of fraud

D. Outsource the processes to a well-established service provider

4. The most effective way to mitigate phishing attacks is:

A. Conducting user awareness training

B. Email encryption

C. Developing two-factor authentication

D. Developing physical controls


5. The best response for a risk scenario with low probability and high impact, such as a natural disaster, is:

A. Risk avoidance

B. Risk acceptance

C. Risk transfer

D. Risk mitigation

6. The best way to mitigate the liability risk arising out of a breach of privacy law is:

A. To mitigate the impact by purchasing insurance

B. To implement an application-level firewall

C. To conduct a business impact analysis

D. To implement an intrusion prevention system

7. Risk acceptance is one of the components of:

A. Risk reporting

B. Risk treatment

C. Risk monitoring

D. Risk assessment

8. A recommendation for the implementation of information system controls, such as antivirus software, is an example of:

A. Risk acceptance

B. Risk mitigation

C. Risk transfer

D. Risk avoidance

9. What, from the following, is the best risk treatment method?

A. A method that eliminates risk completely

B. A method that is least costly

C. A method that addresses the control objectives

D. A method that reduces risk to the minimum level

10. The most effective risk treatment when the probability of occurrence of an event is very low, but where the impact can be very
high, is:

A. Accepting the high cost of controlling such an event

B. Installing detective controls

C. Avoiding the risk

D. Transferring the risk to a third party


11. An area in which the data owner is responsible for risk mitigation is:

A. Operating system security

B. User entitlement

C. Network security

D. Intrusion detection

12. The best way to protect confidential information from an insider threat is:

A. Implementing role-based access control

B. Capturing transaction logs

C. Developing a privacy policy

D. Defense in depth

13. The most effective way to manage a security program with low funding is to:

A. Remove security services that address low-risk activities

B. Accept all remaining risk

C. Use third-party service providers to manage low-risk activities

D. Eliminate monitoring and reporting activities

Risk Ownership and Accountability


The following are some important aspects with respect to risk ownership and accountability:

For successful risk management, each risk should have assigned ownership and accountability.

Risk should be owned by a senior official who has the necessary authority and experience to select the appropriate risk response
based on an analysis and any guidance provided by the risk practitioner.

Risk owners should also own the associated controls and ensure the effectiveness and adequacy of those controls.

Risk should be assigned to an individual employee rather than a group or a department. Allocating accountability to a department
will circumvent ownership.

Accountability for risk management lies with senior management and the board.

Risk ownership is best established by mapping the risk to specific business process owners.

Details of the risk owner should be documented in the risk register.

The results of risk monitoring should be discussed and communicated with the risk owner as they own the risk and are
accountable for maintaining the risk within acceptable levels.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:
Question: Who is in the best position to perform a risk analysis for a business process?
Possible Answer: The process owner

Question: Who should be the primary driver to implement new regulatory changes?
Possible Answer: The business process owner

Figure 4.2: Key aspects from the CISM exam perspective

Practice Question Set 2


1. Which of the following functions is in the best position to conduct a risk analysis for a business process?

A. The audit team

B. The legal team

C. The business process owner

D. An external consultant

2. A project for implementing new regulatory requirements should be preliminarily driven by:

A. The audit department

B. The system analyst

C. The business process owners

D. The legal department

Risk Monitoring and Communication


Risk monitoring and communication are important elements of risk management. Risk monitoring is
an ongoing process that helps to ensure continuous control effectiveness. There should be a
structured communication channel for employees to report a risk to management. At the same time,
management should provide relevant risk-related information to concerned employees.

Risk Reporting
The results of risk monitoring should be presented to management at regular intervals. These results
should be meaningful to the recipient and be presented in a simple manner without the excessive use
of technical terms. Red (high-risk), amber (medium-risk), and green (low-risk) reporting help
management understand the risk posture of the organization.

A risk analysis should also include details about potential impact as it will help determine the extent
of the risk mitigation measures required.

Key Risk Indicators


A risk indicator is a measure used by an organization to determine the level of current risk for an
activity. This helps the organization monitor the risk level and receive alerts if a risk approaches an
unacceptable level.

Thus, the objective of key risk indicators is to flag an exception as and when it occurs. This provides
an opportunity for the organization to respond to the risk before damage is caused. Examples of key
risk indicators are as follows:
Amount of unauthorized software detected in an audit

Hours of system downtime

Number of systems without antivirus software

Take the example of system downtime. The threshold (maximum limit) for key risk indicators can be
set as follows:

Description: System downtime less than 5 hours
Risk Indicator: Acceptable

Description: System downtime between 5 and 10 hours
Risk Indicator: Close monitoring

Description: System downtime more than 10 hours
Risk Indicator: Unacceptable

Figure 4.3: Example of a risk indicator
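The following is an added example, not code from the book: it evaluates the system-downtime key risk indicator of Figure 4.3 over a month of constructed outage records, applies the chapter's thresholds (5 hours and 10 hours fall in "close monitoring"), and maps each system's status to the red/amber/green view described under Risk Reporting. The system names, timestamps, and the RAG colour mapping are assumptions made for the example.

```python
"""Added example (not from the book): evaluating the system-downtime key risk
indicator of Figure 4.3 over constructed outage records, and mapping each
system's status to the red/amber/green view used in risk reporting."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Thresholds taken from the chapter's example table
ACCEPTABLE_BELOW_HOURS = 5.0    # less than 5 hours: acceptable
MONITOR_UP_TO_HOURS = 10.0      # 5 to 10 hours: close monitoring; above: unacceptable

# Status -> reporting colour (red/amber/green as described under Risk Reporting)
RAG_COLOUR = {"Acceptable": "green", "Close monitoring": "amber", "Unacceptable": "red"}

Outage = Tuple[str, str, str]   # (system, outage start, outage end) in ISO 8601

# Constructed outage log for one reporting month; sample data, not from the book.
SAMPLE_OUTAGES: List[Outage] = [
    ("payroll",  "2022-03-02T08:00", "2022-03-02T10:30"),  # 2.5 h
    ("payroll",  "2022-03-19T22:00", "2022-03-19T23:00"),  # 1.0 h -> 3.5 h in total
    ("web-shop", "2022-03-05T01:00", "2022-03-05T05:00"),  # 4.0 h
    ("web-shop", "2022-03-21T14:00", "2022-03-21T17:30"),  # 3.5 h -> 7.5 h in total
    ("erp",      "2022-03-11T09:00", "2022-03-11T21:00"),  # 12.0 h
    ("intranet", "2022-03-28T06:00", "2022-03-28T11:00"),  # exactly 5.0 h (boundary)
]


def downtime_hours(outages: Iterable[Outage]) -> Dict[str, float]:
    """Sum outage durations per system; reject records that end before they start."""
    totals: Dict[str, float] = defaultdict(float)
    for system, start, end in outages:
        delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
        if delta.total_seconds() < 0:
            raise ValueError(f"outage record for {system} ends before it starts")
        totals[system] += delta.total_seconds() / 3600.0
    return dict(totals)


def kri_status(hours: float) -> str:
    """Classify downtime against the thresholds; 5 h and 10 h are 'close monitoring'."""
    if hours < ACCEPTABLE_BELOW_HOURS:
        return "Acceptable"
    if hours <= MONITOR_UP_TO_HOURS:
        return "Close monitoring"
    return "Unacceptable"


def kri_report(outages: Iterable[Outage]) -> List[Tuple[str, float, str, str]]:
    """One row per system, worst first: (system, hours, status, RAG colour)."""
    rows = []
    for system, hours in downtime_hours(outages).items():
        status = kri_status(hours)
        rows.append((system, round(hours, 2), status, RAG_COLOUR[status]))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def exceptions(outages: Iterable[Outage]) -> List[str]:
    """Systems whose indicator has crossed the unacceptable threshold: these are
    the exceptions the KRI exists to flag, so the organization can respond
    before further damage is caused."""
    return [system for system, _, status, _ in kri_report(outages)
            if status == "Unacceptable"]


if __name__ == "__main__":
    for system, hours, status, colour in kri_report(SAMPLE_OUTAGES):
        print(f"{system:<10} {hours:>5.1f} h  {colour:<6} {status}")
    print("exceptions to escalate:", exceptions(SAMPLE_OUTAGES))
```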

Reporting Significant Changes in Risk


As business processes and technology go through changes, the risk environment also changes, and
new types of threats can emerge. No system can be considered perpetually secure. This means that
risk assessments should be done at regular intervals to address emerging risks. The main benefit of
performing a risk assessment on a consistent basis is that it helps to understand trends in risk
factors.

The prime objective of periodically analyzing the gap between existing controls and control
objectives is to address the change in exposure. Changes in exposure or the business environment
may require the implementation of additional controls.

Reporting a change in risk profile to management is the responsibility of the security manager. A
security manager should present to management the status of the organization's updated risk profile at
regular intervals. Management should also be updated about any significant events or incidents
impacting the organization.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the objective of periodically analyzing the gap between controls and control objectives?
Possible Answer: To address changes in exposure or the business environment (changes in either may require additional controls).

Question: What is the primary goal of a risk management program?
Possible Answer: To support the achievement of business objectives.

Question: Why should risk be assessed periodically?
Possible Answer: Risk should be reassessed periodically because risk changes over time.

Figure 4.4: Key aspects from the CISM exam perspective

Practice Question Set 3


1. As an information security manager, you have been instructed by senior management to include the potential impact in any risk
analysis presented to them. The most likely reason for this is:

A. The potential impact helps to determine risk treatment options

B. The potential impact indicates the cost of the assets

C. The potential impact affects the extent of mitigation

D. The potential impact helps determine the probability of occurrence of a risk event

2. As a newly appointed information security manager, you are required to identify new threats. Your first step should be:

A. Conducting frequent reviews of risk factors


B. Developing different security risk scenarios

C. Understanding the business objectives and the flow and classification of information

D. Reviewing post-incident reports prepared by IT

3. As an information security manager, you are evaluating the use of cloud services for the storage of an organization's data. An area
of major concern for the use of cloud services is:

A. Increase in cost

B. Difficulty in the identification of the source of business transaction

C. Increase in risk scenarios

D. Increase in the chance of being hit by attackers

4. An area of major concern for the use of mobile devices is:

A. High network connectivity issues

B. High cost of battery recharge

C. Unstructured operating system standardization

D. Probability of mobile devices being lost or stolen easily

5. A security manager received a request to approve an exception to the security standard for a proposed system change. What
should their first course of action be?

A. Calculating the risk

B. Mandating the security standard

C. Suggesting a new design for the system change

D. Implementing new controls

6. A security manager noted exceptions to a set of standards that result in significant risk. What should the first course of action for
the security manager be?

A. Updating the standard to approve the exceptions

B. Designing new guidelines to address the risk

C. Advising management of the risk and its potential impact

D. Benchmarking standards with industry practices

7. The security policy of an organization mandates the encryption of data that is sent to an external party. However, a regulatory
body insists that unencrypted data is shared with them. What should the security manager do?

A. Train the regulatory body's employees on the encryption process

B. Send the data with encryption to the regulatory body

C. Define an exception process for sending the data without encryption

D. Tell the regulator that unencrypted data will not be shared


8. Residual risk should be determined:

A. When determining the results of the implementation of controls

B. At the time of classification of assets

C. At the time of identification of new risk

D. At the time of valuation of the assets

9. The results of a risk analysis can be best used for:

A. Preparation of a business impact analysis

B. Preparation of a list of action items to mitigate the risk

C. Assigning the risk to the process owner

D. Quantification of the overall risk

10. A security manager received a request to approve an exception to a security standard for a proposed system change. What is their
best course of action?

A. To understand the risk due to noncompliance and recommend an alternate control

B. To reject the approval and insist on compliance with the security policy

C. To update the security policy and allow for the exception

D. To provide training to the business manager on the importance of security compliance

11. The effectiveness of a risk assessment can be best measured by:

A. Resource utilization and the cost of the risk assessment

B. The sensitivity of new risks discovered

C. The collective impact of identified risks

D. The percentage of incidents from unknown risks

12. A security manager notices that risk management activities are inconsistent throughout the organization. What should their first
course of action be?

A. Escalate the issue to senior management

B. Review compliance with the standards and policies

C. Ensure a stringent penalty for noncompliance

D. Ensure stringent enforcement

13. A continuous monitoring tool has flagged noncompliance. What should the security manager's first course of action be?

A. To validate the noncompliance

B. To report noncompliance to senior management

C. To include noncompliance in the risk register


D. To compare the noncompliance with the key risk indicator threshold

14. An organization uses electronic swipe cards for physical access. The security manager has requested access to physical access
data. What is the primary cause for asking for this data?

A. To ensure that employees are attending the office on time

B. To determine the correctness of wage payment

C. To compare logical access and physical access for deviations

D. To determine the operating effectiveness of the physical access control system

15. The risk of disruption due to distributed denial of service (DDoS) can be classified as:

A. Aggregate risk

B. Systemic risk

C. Residual risk

D. Operational risk

16. The most effective way to address an insider security threat is:

A. Penetration testing

B. Network address translation

C. Background checks for prospective employees

D. A security awareness program

17. Legal and regulatory requirements should be considered:

A. As per the security policy

B. As per business decisions

C. As per budget availability

D. In line with mandatory compliance

18. Which is the area of most concern for a security manager reviewing the parameters for the acquisition of a new system?

A. The functionality of the new system may not support business processes

B. Existing staff may not be able to provide ongoing support for the new system

C. The new system may affect the security or operations of other systems

D. The time required to install and implement the new system

19. A security manager has been advised by an enforcement agency about their organization being the target of a group of hackers.
What should the security manager's first step be?

A. Conducting a detailed review of the organization's exposure to the attack

B. Conducting awareness training for all staff members


C. Immediately informing top management about the elevated risk

D. Consulting experts to improve the security posture of the organization

Implementing Risk Management


The implementation of a risk management program is important for ensuring effective and efficient
governance, risk management, and compliance (GRC). A security manager should identify the
existing risk management activities and try to integrate them for optimum utilization of resources.
The integration of risk management activities helps to prevent duplication of efforts and minimize
gaps in assurance functions.

Risk Management Process


The implementation of a risk management program in a structured manner helps to achieve
maximum efficiency and effectiveness with minimum effort. It is recommended to implement the
program as per the following sequence:

Step 1: Determine the scope and boundaries of the program.

Step 2: Determine the assets and processes that need to be protected.

Step 3: Conduct a risk assessment by identifying risk, analyzing the level of risk based on impact,
and evaluating whether the risk meets the criteria for acceptance.

Step 4: Determine the risk treatment options for risks that are above the acceptable level. Risk
treatment can come in any of the following forms:
Mitigating the risk by implementing additional controls

Accepting the risk (generally, this option is selected when the impact is low and the cost of treatment exceeds the impact)

Avoiding the risk (generally, this option is selected when a feasibility study or a business case does not indicate positive results)

Transferring the risk to third parties, such as insurance companies (generally, this option is selected for low-probability risks that
have a high impact, such as a natural disaster)

An appropriate risk treatment method is one that helps to achieve the control objectives in an efficient
manner.

Step 5: Determine the acceptability of the residual risk (that is, risk remaining after the treatment) as
per the management.

Step 6: Monitor the risk on a continuous basis and develop an appropriate procedure to report the
results of the risk monitoring to management.
During all the mentioned steps, it is equally important to share the relevant information about risk
management activities with the concerned stakeholders. An effective communication process
improves the entire risk management process.

Effective risk management requires participation, support, and acceptance by all relevant members of
the organization, starting with senior management. Employees must understand their responsibilities
and be able to perform their required roles.

Risk controls are considered sufficient when the residual risk is less than or equal to the acceptable
risk.
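The following is an added example, not code from the book: a small risk register that records the fields named in the Risk Register section, ranks risks by likelihood and impact, recommends a treatment option using the decision rules stated in the chapter (accept when within the acceptable level or when the control costs more than the risk event, transfer low-probability/high-impact risks, mitigate when the control brings residual risk within the acceptable level, avoid as the last choice), and checks residual risk against the acceptable level as in Step 5. The acceptable loss, the "low probability" and "high impact" thresholds, the likelihood-times-impact score, and all register entries are assumptions constructed for the example.

```python
"""Added example (not from the book): a risk register with ranking, treatment
recommendation and residual-risk check following the chapter's rules.
All thresholds and register entries are constructed sample values."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACCEPTABLE_LOSS = 20_000.0   # assumed acceptable annual expected loss set by management
LOW_PROBABILITY = 0.05       # assumption: at or below this annual likelihood is "low probability"
HIGH_IMPACT = 1_000_000.0    # assumption: at or above this loss per event is "high impact"


@dataclass
class Risk:
    description: str
    category: str
    probability: float                      # annual likelihood of the event (0..1)
    impact: float                           # loss per event, in currency units
    owner: str                              # a named individual, as the chapter requires
    control_cost: Optional[float] = None    # annual cost of the candidate mitigating control
    control_reduction: float = 0.0          # share of expected loss the control removes (0..1)

    def expected_loss(self) -> float:
        """Ranking score: likelihood x impact (the multiplication is this
        example's scoring choice; the chapter only says to rank on both)."""
        return self.probability * self.impact

    def residual_loss(self) -> float:
        """Expected loss remaining after the candidate control is applied."""
        return self.expected_loss() * (1.0 - self.control_reduction)


def rank_risks(register: List[Risk]) -> List[Risk]:
    """Highest expected loss first: high-ranked risks get resources first."""
    return sorted(register, key=lambda r: r.expected_loss(), reverse=True)


def recommend_treatment(risk: Risk, acceptable: float = ACCEPTABLE_LOSS) -> Tuple[str, str]:
    """Apply the chapter's decision rules in order; return (option, reason)."""
    loss = risk.expected_loss()
    if loss <= acceptable:
        return "accept", "within the acceptable level of risk"
    if risk.probability <= LOW_PROBABILITY and risk.impact >= HIGH_IMPACT:
        return "transfer", "low probability, high impact: insure or share the risk"
    if risk.control_cost is not None and risk.control_cost > loss:
        return "accept", "cost of control exceeds the expected cost of the risk event"
    if risk.control_cost is not None and risk.residual_loss() <= acceptable:
        return "mitigate", "control brings residual risk within the acceptable level"
    return "avoid", "no other response is adequate: stop the activity"


def controls_sufficient(risk: Risk, acceptable: float = ACCEPTABLE_LOSS) -> bool:
    """Step 5 of the process: controls suffice when residual risk <= acceptable risk."""
    return risk.residual_loss() <= acceptable


# Constructed sample register; figures are illustrative, not from the book.
SAMPLE_REGISTER = [
    Risk("Flood at primary data centre", "physical", 0.02, 5_000_000.0, "Head of Facilities"),
    Risk("Credential theft via phishing", "people", 0.5, 100_000.0, "IT Operations Manager",
         control_cost=30_000.0, control_reduction=0.8),
    Risk("Data loss in legacy HR application", "technology", 0.4, 60_000.0, "HR Director",
         control_cost=30_000.0, control_reduction=0.9),
    Risk("Exploitation of unpatchable internet-facing app", "technology", 0.6, 200_000.0,
         "Head of Digital", control_cost=50_000.0, control_reduction=0.5),
    Risk("Malware on noncritical kiosk PC", "technology", 0.3, 2_000.0, "Facilities Supervisor",
         control_cost=1_500.0, control_reduction=0.9),
]


def treatment_plan(register: List[Risk]) -> List[Tuple[str, str, float, str]]:
    """Ranked register rows: (description, owner, expected loss, recommended option)."""
    return [(r.description, r.owner, r.expected_loss(), recommend_treatment(r)[0])
            for r in rank_risks(register)]


if __name__ == "__main__":
    for desc, owner, loss, option in treatment_plan(SAMPLE_REGISTER):
        print(f"{loss:>12,.0f}  {option:<9} {desc} (owner: {owner})")
```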

Integrating Risk Management into Business Processes


For effective risk management, it should be ensured that risk management processes are integrated
with business processes. The best way to implement this is to conduct a workflow analysis and
understand each process's vulnerabilities and then build relevant controls within those processes.

Prioritization of Risk Response


It may not be feasible for an organization to address all risks. In such cases, risks should be prioritized
based on their criticality, and the highest-rated risks should be addressed first. Prioritization of treatment
options is most effective when it is based on the likelihood of compromise and its impact on the business.

Defining a Risk Management Framework


A framework is a structure or outline that supports the implementation of any program. Frameworks
are flexible structures that any organization can adopt as per their environment and requirements.
Many standards and guidelines on best practices are available for the effective management of IT
risks, such as the following:
COBIT

ISO 31000 on Enterprise Risk Management

ISO 27001 on Information Security Management System

Generally, all the preceding frameworks/standards have the following requirements:

Availability of a documented policy that defines the objectives of the program

Availability of documented roles and responsibilities for the implementation of the program

Commitment from senior management to review the program at frequent intervals

Availability of procedure documents

Availability of adequate records to satisfy an independent audit

By defining the risk management framework, the basic parameters for managing risks are
established. Basic parameters include criteria for acceptable risk, the objective of controls, and
processes to monitor the effectiveness of those controls. Frameworks help to achieve the following
objectives:
Having a common understanding of organizational objectives

Developing a set of criteria for the measurement of risks

Developing a structured process for the identification of risk and assessment of the level of risk

Integration of different assurance functions

Defining the External and Internal Environment


When designing a risk management program, the requirements of the stakeholders should be
considered. Stakeholders can be either external or internal. The external context includes laws and
regulations, social and cultural conditions, the risk from competitors, and the financial and political
environment. It also includes consideration of threats and opportunities generated from external
sources.

The internal context includes management requirements, the organization's structure and culture,
goals and objectives, and the organization's strengths and weaknesses.

Determining the Risk Management Context


The risk management context refers to the scope and applicability of risk management activities. It
defines the environment in which risk management will operate. It is very important for a security
manager to understand the risk management context. It is generally determined by the culture of the
organization, that is, whether the organization is risk-averse or risk-aggressive.

Gap Analysis
A gap analysis determines the difference between the existing level of risk management and the
desired state. Control objectives are defined on the basis of the desired state. The objective of a gap
analysis is to identify whether the control objectives are being achieved through the risk management
process.

Periodically determining the gap between actual controls and their objectives should be routine
practice. A gap analysis is generally done by determining the effectiveness of controls through
control testing. If a gap is identified, then controls may need to be modified or redesigned to improve
their effectiveness.

Cost-Benefit Analysis
The most important factor in the selection of controls is the cost-benefit balance. The implemented
controls should be effective (that is, able to address the risk) as well as efficient (providing the most
benefit compared to the costs incurred).

A cost-benefit analysis is performed to ensure that the cost of a control does not exceed its benefit
and that the best control is implemented for the given cost. A cost-benefit analysis helps to justify the
implementation of a specific control measure.

Other Kinds of Organizational Support


An organization can rely on the services of external service providers to understand the current threat
landscape and identify industry-level best practices. Such services let the organization draw on the
expertise of the providers and improve its security posture. Some widely used services
are as follows:
Organizations such as ISACA, NIST, (ISC)², and SANS often publish best practices and other industry-wide data, which can be
used to determine and evaluate a security program.

Many organizations sponsor security-related roundtables to discuss topics of common interest. This helps to accumulate
knowledge from experts in the industry.

Various organizations sponsor research and studies linked to security-related aspects.

Many institutes are involved in training related to security aspects, such as vulnerability assessment, penetration testing, secure
coding, and end user awareness.

Many organizations release lists of current vulnerabilities affecting specific technologies. This can be either a free service or a
subscription-based service. External vulnerability sources are the most cost-effective method of identifying new vendor
vulnerabilities.

Information security is an ever-evolving subject, and a security manager should keep themselves
updated through the preceding sources.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:
Question: What is the prime objective of an acceptable usage policy?
Possible answer: To reduce the risk of data leakage

Question: In which phase of system development should risk assessment be initiated?
Possible answer: The feasibility phase (risk should be addressed as early as possible in the development cycle)

Question: Which factor influences the selection of controls the most?
Possible answer: A cost-benefit balance

Question: What is the objective of a cost-benefit analysis?
Possible answer: A cost-benefit analysis is performed to ensure that the cost of a control does not exceed its benefit and that the best control is implemented for the given cost.

Question: What is the prime objective of a gap analysis?
Possible answer: To measure the current state vis-à-vis the desired state

Question: What is the most effective way to mitigate the risk of phishing?
Possible answer: User awareness

Question: What is the prime objective of a risk management program?
Possible answer: To reduce the risk to an acceptable level

Question: What is the most effective method to address insider threats to confidential information?
Possible answer: Implementing role-based access controls

Question: What is the objective of segmenting sensitive data?
Possible answer: To reduce the exposure of sensitive data. Reducing exposure reduces the likelihood of a vulnerability being exploited.

Question: What is the objective of an indemnity clause?
Possible answer: To reduce the financial impact on the organization. An indemnity clause helps the organization claim financial loss from a service provider if a loss is suffered due to an act of the said service provider. Indemnity clauses can transfer operational risk and financial impacts. However, legal responsibility for the consequences of a compromise generally remains with the original organization.

Question: Which type of analysis is used to determine the prioritization of actions in a business continuity plan (BCP)?
Possible answer: Business impact analysis

Question: What is the objective of a network vulnerability assessment?
Possible answer: To identify misconfigurations and missing updates

Question: In what scenario is a policy exception generally allowed?
Possible answer: When the risk is justified by the benefit

Question: What is the best resolution when a security standard is in conflict with a business objective?
Possible answer: To perform a risk analysis and decide, based on the cost-to-benefit ratio, whether an exception to the standard is to be allowed

Question: What is the objective of integrating different assurance functions?
Possible answer: To achieve cost-effective risk mitigation across the organization

Figure 4.5: Key aspects from the CISM exam perspective

Practice Question Set 4


1. Which of the following is the best method to reduce the risk of data leakage?

A. Availability of backup procedures


B. Availability of data integrity checks

C. Availability of an acceptable usage policy

D. Availability of an incident management process

2. As an information security manager, you are required to implement controls and countermeasures. Your most important
consideration should be:

A. Reducing IT risk

B. Cost-benefit balance

C. Resource utilization

D. A count of assets protected

3. Which of the following is the most important objective of a gap analysis?

A. To evaluate the business impact analysis

B. To design a balanced scorecard

C. To determine the overall cost of controls

D. To measure the current state of control versus the desired future state

4. The main objective of including an indemnity clause in a service-level agreement is:

A. To decrease the probability of an incident

B. To limit the impact on the organization

C. To comply with regulatory requirements

D. To improve performance

5. The best method to evaluate and select a control when there is a budget constraint is:

A. A business impact analysis

B. A risk analysis

C. A cost-benefit analysis

D. A vulnerability analysis

6. Which of the following is the most effective technique to determine whether a specific risk reduction control should be
implemented?

A. A cost-benefit analysis

B. A vulnerability analysis

C. Penetration testing

D. Expected annual loss

7. The first step in establishing a data leakage program is to:


A. Create user awareness training

B. Develop an information classification program

C. Design a network control

D. Develop a physical control

8. The prime objective of segmenting a critical database is:

A. To reduce the threat

B. To reduce the sensitivity

C. To reduce the criticality

D. To reduce the exposure

9. The main objective of implementing security aspects during the first stage of a project's life cycle is:

A. To minimize the cost of security

B. To determine the project's feasibility

C. To obtain budget approval

D. To classify the project

10. An information security manager notices that due to slow biometric response and a large number of employees, a substantial
amount of time is wasted in gaining access to the building. This has also increased instances of piggybacking. What is the security
manager's best course of action?

A. To replace the biometric system with one that has a better response time

B. To escalate the issue to management

C. To discontinue the use of the biometric access system

D. To ensure strict enforcement

11. In a BCP, the prioritization of action is primarily dependent on:

A. A business impact analysis

B. A risk analysis

C. A threat analysis

D. A vulnerability assessment

12. What is the primary objective of periodic analysis of the gap between the control and the control objectives?

A. To reduce the count of audit findings

B. To address any change in exposure

C. To utilize the security budget

D. To comply with the regulatory requirements


13. The results of a risk management process are used for:

A. Changing business objectives

B. Updating audit charters

C. Making security policy decisions

D. Updating SDLC processes

14. What is the best way to determine the most critical factor among confidentiality, integrity, and availability?

A. On the basis of the threat applicable to each factor

B. Confidentiality should always be given preference

C. On the basis of the risk applicable to each factor

D. All three factors should be treated equally

15. What is the prime objective of a cost-benefit analysis before the implementation of a control?

A. It helps to adhere to the budget

B. It is a mandatory requirement set by senior management

C. It helps to conduct industry benchmarking

D. It ensures that costs are justified by a reduction in risk

16. The best quantitative indicator of an enterprise's current risk appetite is:

A. A count of the incidents and subsequent mitigation efforts

B. Layers of implemented controls

C. The level of security requirements in policy and standards

D. The ratio of cost-to-insurance coverage for business interruption protection

17. An organization has two servers that have similar content. However, only one of the servers is hardened. The most probable
reason for this choice is:

A. The second server is only a backup server

B. The second server supports noncritical functions

C. The second server is placed where there is no exposure

D. The second server is monitored on a continuous basis

18. The first step for integrating risk management practices into business processes is:

A. A workflow analysis

B. A threat analysis

C. A hierarchy analysis

D. A business impact analysis


19. An indemnity clause in a service agreement:

A. Addresses the legal as well as the financial liability of the organization

B. Is preferable to purchasing insurance

C. Addresses the reputational risk of the organization

D. Addresses the financial liability but leaves the legal and reputational risks generally unchanged

20. The most important outcome of a risk management program is:

A. Continuous monitoring of vulnerabilities

B. Continuous monitoring of threats

C. Determining the implementation of control objectives

D. Decreasing the number of incidents impacting the organization

21. The effective protection of information assets strongly supports:

A. The data workflow

B. The data classification policy

C. The security culture

D. A business-oriented risk policy

22. The best measure of the effectiveness of risk management is:

A. The number of incidents not detected by the security team

B. The number of security audits

C. The number of vulnerabilities not mitigated by the security team

D. The number of security incidents causing significant financial loss or business disruptions

Change Management
A change management process governs changes such as replacing hardware, installing software, and
reconfiguring network devices. The process includes approval, testing, scheduling, and rollback arrangements.

Any change to a system or a process is likely to introduce new vulnerabilities. Hence, it is
critical for a security manager to identify and address the new risks that each change brings.

Objectives of Change Management


The main objective of change management is to support the processing and traceability of changes
made to a system. Change management ensures that any modification or updating of the system is
carried out in a controlled manner.
Approval from the System Owner
A security manager should also ensure that a structured change management process is in place. While
implementing a change, all relevant personnel should be kept informed, and specific approval should
be obtained from the relevant information asset owners.

Regression Testing
Regression testing is a part of change management. Its objective is to verify that a modification has
not broken existing functionality or introduced new security exposures. Thus, change management is
the best way to ensure that modifications made to systems do not introduce new security exposures.
System users are in the best position to conduct user acceptance testing and determine whether any
new vulnerabilities have been introduced during the change management process.

Involvement of the Security Team


For effective change management, it is important that the security team be apprised of every major
change. It is recommended to include representation from the security team on the change control
board. This will ensure that security aspects are considered for any change.

Preventive Controls
Change management is considered a preventive control as it requires all change requests to pass
through formal approval, documentation, and testing via a supervisory process.
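
To show what "traceability of changes" looks like in practice, here is an added example in Python that is not from the book: it reconciles a constructed deployment log against a constructed set of change records. The direction matters. Tracing from the approved requests only confirms that approved changes happened, whereas starting from the log of what actually reached production also surfaces changes nobody approved, changes applied outside their window, and requests cited for a different host or item. The log format, the CR-xxxx identifiers, and the field names are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed change records (hypothetical format); in practice these come
# from the change management tool's export.
CHANGE_REQUESTS: Dict[str, dict] = {
    "CR-1042": {"target": "web-01", "item": "openssl-3.0.9", "status": "approved",
                "window_start": "2024-03-10T22:00:00Z", "window_end": "2024-03-11T02:00:00Z"},
    "CR-1043": {"target": "db-01", "item": "pg-15.6", "status": "rejected",
                "window_start": "2024-03-10T22:00:00Z", "window_end": "2024-03-11T02:00:00Z"},
    "CR-1044": {"target": "web-02", "item": "openssl-3.0.9", "status": "approved",
                "window_start": "2024-03-12T22:00:00Z", "window_end": "2024-03-13T02:00:00Z"},
}

# Constructed deployment log lines (hypothetical format). Each line records what
# was actually installed, where, when, and the change ID the operator cited.
DEPLOY_LOG = """\
2024-03-10T23:15:00Z host=web-01 action=install item=openssl-3.0.9 cr=CR-1042
2024-03-10T23:40:00Z host=db-01 action=install item=pg-15.6 cr=CR-1043
2024-03-11T09:05:00Z host=web-02 action=install item=openssl-3.0.9 cr=CR-1044
2024-03-11T10:12:00Z host=web-01 action=install item=nginx-1.25.4 cr=none
2024-03-11T10:30:00Z host=app-01 action=install item=libxml2-2.12.5 cr=CR-9999
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) action=(?P<action>\S+) item=(?P<item>\S+) cr=(?P<cr>\S+)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    item: str
    cr: str
    reason: str


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_entry(entry: dict, requests: Dict[str, dict]) -> Optional[str]:
    """Return None if the log entry is fully covered by an approved change
    request, otherwise a short reason why it is not."""
    cr = requests.get(entry["cr"])
    if cr is None:
        return "no matching change request"
    if cr["status"] != "approved":
        return f"change request status is {cr['status']}"
    if cr["target"] != entry["host"] or cr["item"] != entry["item"]:
        return "change request does not cover this host/item"
    ts = _parse_ts(entry["ts"])
    if not (_parse_ts(cr["window_start"]) <= ts <= _parse_ts(cr["window_end"])):
        return "change applied outside the approved window"
    return None


def reconcile(log_text: str, requests: Dict[str, dict]) -> List[Finding]:
    """Trace every log entry (what really happened) to a change request and
    collect the entries that cannot be justified by one."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            findings.append(Finding("?", "?", "?", "?", f"unparseable log line: {line!r}"))
            continue
        e = m.groupdict()
        reason = check_entry(e, requests)
        if reason is not None:
            findings.append(Finding(e["ts"], e["host"], e["item"], e["cr"], reason))
    return findings


if __name__ == "__main__":
    for f in reconcile(DEPLOY_LOG, CHANGE_REQUESTS):
        print(f"{f.ts} {f.host} {f.item} ({f.cr}): {f.reason}")
```

Run stand-alone, the script lists the four entries that fail; the first log line, which cites an approved request within its window, produces no finding. Feeding it a real export would only require adapting LOG_RE and the change-record fields.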

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the prime objective of change management?
Possible answer: To ensure that only authorized changes are carried out, and that modifications made to the system do not introduce new security exposures

Question: What is the best way to reduce the risk arising from modifications of a system?
Possible answer: Implementing a change management process

Question: Is change management a preventive, detective, or corrective control?
Possible answer: A preventive control

Figure 4.6: Key aspects from the CISM exam perspective

Practice Question Set 5


1. As an information security manager, you are concerned about new security exposures when modifying the system. The most
effective method to address this is:

A. Load testing

B. Patch management

C. Change management

D. Security baseline

2. The most effective method to prevent a weakness from being introduced into an existing system is:

A. Antimalware software

B. Patch management

C. Change management

D. A firewall

3. Who is in the best position to determine that a new vulnerability has not been introduced during the change management process?

A. An internal auditor

B. A system user

C. A system administrator

D. A data security manager

4. What is the most effective method to evaluate a security risk while modifying applications?

A. Incident management process

B. Problem handling process

C. Change control process


D. System benchmarking

5. What is the most important aspect of a change management process?

A. The change management process should be handled by the information security team

B. The change management process should be monitored by the steering committee

C. The change management process should be a part of release and configuration management

D. The change management process should include mandatory involvement of the information security department

6. Which type of control is a change management process?

A. Compensating control

B. Corrective control

C. Preventive control

D. Deterrent control

7. For an emergency change, which of the following steps can be bypassed?

A. Detailed documentation

B. Impact analysis

C. Scheduling

D. Authorization

8. Production risk is primarily addressed by:

A. Audit management

B. Release management

C. Change management

D. Configuration management

9. Why is it important to get approval from the security manager for implementing any major changes?

A. To ensure that changes comply with the business objectives

B. To ensure that any risks arising from the proposed changes are managed

C. To ensure that rollback arrangements are incorporated

D. To ensure adherence to budget

10. Disruptions to the production system can be most effectively prevented by:

A. A structured patch management process

B. A structured security baseline

C. A structured antimalware system


D. A structured change management system

11. An organization's change management process includes threat and vulnerability assessments. The primary reason for this is:

A. To reduce the requirement for periodic full risk assessments

B. To reduce the expenses of risk management activities

C. To change policies to address new risks

D. To adhere to legal requirements

12. What is an area of major concern with respect to security risks for an organization with multiple locations?

A. System operational guidelines are not monitored

B. Poor change management procedures

C. Outsourcing of application development

D. Poor capacity management procedures

13. The main objective of including a threat and vulnerability assessment in a change management process is:

A. To reduce the requirement for periodic full risk assessments

B. To ensure that risk assessment is cost effective

C. To ensure that changes are approved by the information security team

D. To ensure legal compliance

Patch Management
Patch management is the process of updating operating systems and other software to correct errors,
fix security vulnerabilities, or enhance performance.

A well-defined and structured patch management process helps to address newly discovered
vulnerabilities in operating systems and applications. Applying patches in a timely manner keeps
operating systems and applications secure.

Patches are generally applied to operating systems, applications, and network software. They help fix
vulnerabilities in the system.

Patches should be applied through a structured change management process that includes approval,
testing, user acceptance testing, and proper documentation. The testing of a patch prior to
implementation is of utmost importance. Deploying untested patches may cause the system to fail.
Furthermore, appropriate rollback procedures should be in place in case of unexpected failure.
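
The rule that the first step on receiving a patch is to validate its authenticity can be made concrete. The following added example (Python; not from the book or any vendor's tooling) checks a patch's SHA-256 digest against a value obtained out of band from the vendor, and contrasts that with the mistake of trusting a digest supplied in the same email as the patch, which an attacker can simply recompute over the altered bytes. The patch ID, patch bytes, and vendor digest table are constructed for the example; a real deployment would also verify the vendor's signature on the advisory that carries the digest.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample patch content (hypothetical). TAMPERED_PATCH is the same
# patch ID delivered by an unsolicited email with altered content.
GENUINE_PATCH = b"PATCH-BYTES-KB-2024-0315-v1"
TAMPERED_PATCH = GENUINE_PATCH + b"\x90\x90\x90\x90"

# Reference digests obtained out of band from the vendor's advisory page
# (constructed here). This table, not the email, is the trust anchor.
VENDOR_DIGESTS: Dict[str, str] = {
    "KB-2024-0315": hashlib.sha256(GENUINE_PATCH).hexdigest(),
}

# The digest the sender of the tampered patch put in the email body: it matches
# the tampered bytes, because the sender computed it over them.
TAMPERED_DIGEST_CLAIMED = hashlib.sha256(TAMPERED_PATCH).hexdigest()


def sender_supplied_check(patch_bytes: bytes, claimed_digest: str) -> bool:
    """The wrong way: compare against whatever the sender asserted. This only
    proves the email is self-consistent, not that the patch is the vendor's."""
    return hmac.compare_digest(hashlib.sha256(patch_bytes).hexdigest(), claimed_digest)


def verify_patch(patch_id: str, patch_bytes: bytes,
                 vendor_digests: Dict[str, str]) -> Optional[str]:
    """Return None if patch_bytes matches the digest the vendor published for
    patch_id, otherwise a reason for rejection. The digest is computed over the
    exact bytes that will be applied, so the file cannot be swapped between the
    check and the install."""
    expected = vendor_digests.get(patch_id)
    if expected is None:
        return "no vendor-published digest for this patch ID"
    actual = hashlib.sha256(patch_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return "digest mismatch: content differs from the vendor release"
    return None


def intake(patch_id: str, patch_bytes: bytes) -> str:
    """Decision for a patch that arrived through an untrusted channel: reject it,
    or queue it for the normal change approval and testing steps. Validation
    comes first; urgency does not skip it."""
    reason = verify_patch(patch_id, patch_bytes, VENDOR_DIGESTS)
    if reason is not None:
        return f"REJECT {patch_id}: {reason}"
    return f"QUEUE {patch_id}: authentic, proceed to change approval and testing"


if __name__ == "__main__":
    print(intake("KB-2024-0315", GENUINE_PATCH))
    print(intake("KB-2024-0315", TAMPERED_PATCH))
    print("sender-supplied digest accepts tampered patch:",
          sender_supplied_check(TAMPERED_PATCH, TAMPERED_DIGEST_CLAIMED))
```

Note that sender_supplied_check returns True for the tampered patch: a digest that travels with the file it describes proves nothing. Only the comparison against a reference obtained from the vendor through a separate, trusted channel rejects it.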

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the best way to ensure that newly identified security weaknesses in an operating system are mitigated in a timely manner?
Possible answer: Patch management

Question: What is the first step when an organization receives a patch update?
Possible answer: To validate the authenticity of the patch

Question: What is the correct frequency for a patch update?
Possible answer: Whenever important security patches are released. However, all patches should be tested first.

Figure 4.7: Key aspects from the CISM exam perspective

Practice Question Set 6


1. What is the best method to determine whether all patch updates have gone through the proper change control process?

A. Verifying the change control request and tracing it to the patch logs

B. Verifying whether the last patch was properly documented and verified

C. Verifying the patch logs and tracing them to the change control request

D. Verifying whether the last change control request was properly documented

2. An area of major concern for an enterprise resource planning (ERP) system is:

A. User logs not being reviewed at regular intervals

B. Only a single switch being used for routing network traffic

C. Operating system security patches not being applied

D. Vendor default ERP settings have not been changed

3. The most important factor to be considered while implementing a patch management procedure is:

A. Testing of a patch prior to deployment

B. Technical expertise of the responsible team

C. Automated procedure for deployment

D. Adherence to the patch management budget

4. What is the first step when a system starts facing issues immediately after the deployment of a patch?
A. Assessing the problem and initiating rollback procedures if required

B. Switching off the network connection until the problem is corrected

C. Removing the patch from the system

D. Raising a ticket with the vendor regarding the problem

5. An organization has received a patch through email to be applied on an emergency basis. What should the first step be?

A. The patch should be downloaded to an isolated machine

B. The patch should be applied immediately

C. The patch should be validated to ensure its authenticity

D. The patch should be encrypted to prevent tampering

6. Which of the following is the best technique for timely mitigation of a newly identified vulnerability in an operating system?

A. Patch management

B. Internal audit

C. Change management

D. Security baseline

7. New patches for an operating system should be updated:

A. When new applications are rolled out

B. At the end of every month

C. At the time of hardware maintenance

D. As and when critical security patches are released

Operational Risk Management


Operational risk is the risk that failures in processes and systems interrupt business operations.
Managing operational risk is one of the key roles of an information security manager. Some of the
key aspects of operational risk that an information security manager must understand are as follows:
Recovery time objective (RTO)

Recovery point objective (RPO)

Service delivery objective (SDO)

Maximum tolerable outage (MTO)

Allowable interruption window (AIW)

Recovery Time Objective


The Recovery Time Objective (RTO) is a measure of the user's tolerance to system downtime. In
other words, the RTO is the extent of acceptable system downtime. For example, an RTO of 2 hours
indicates that an organization will not be overly impacted if its system is down for up to 2 hours.

Recovery Point Objective


The Recovery Point Objective (RPO) is a measure of the user's tolerance to data loss. In other
words, the RPO is the extent of acceptable data loss. For example, an RPO of 2 hours indicates that
an organization will not be overly impacted if it loses data for up to 2 hours.

Difference between RTO and RPO


The following is the difference between RTO and RPO:

RTO: acceptable system downtime
RPO: acceptable data loss

Figure 4.8: Difference between RTO and RPO

Remember, RTO (that is, time) is for system downtime, whereas RPO (that is, point) is for data loss.

The following practical examples further explain the difference between the two:

Example 1: An organization can accept data loss for up to 4 hours. However, it cannot afford to have any downtime. What are the
RTO and RPO?

Solution: RTO – 0 hours; RPO – 4 hours

Example 2: An organization takes a data backup twice daily, that is, at 12 a.m. and then at 12 p.m. What is the RPO?

Solution: Here, a data backup is done every 12 hours, so the maximum data loss is 12 hours. Hence,
the RPO is 12 hours.

Example 3: An organization takes a data backup three times a day. The first backup is at 8 a.m., the second at 4 p.m., and the third
at 12 a.m. What is the RPO?

Solution: Here, a data backup is done every 8 hours, so the maximum data loss is 8 hours. Hence, the
RPO is 8 hours.

Example 4: Following an incident, systems at the primary site went down at 3 p.m. and then resumed from the alternate site at 6
p.m., as per the defined RTO. What is the RTO?

Solution: The system was down for 3 hours, so the RTO is 3 hours.

Example 5: Identify the RTO and RPO in an instance where the BCP of an organization requires zero data loss (that is, no data
should be lost) and processing should resume in 36 hours.

Solution: Here, the organization is accepting a system downtime of up to 36 hours, so the RTO is 36
hours. However, the organization cannot afford to have any data loss, so the RPO is 0 hours.
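
The preceding examples all assume evenly spaced backups. As an added example (Python; not from the book), the following computes the RPO for any daily backup schedule, including an uneven one, and compares an observed outage against the RTO. The point it adds is that the RPO is the widest gap between consecutive backups, and on an uneven schedule the widest gap is usually the overnight one that wraps past midnight. The schedule times, outage timestamps, and objective values are constructed.

```python
from datetime import datetime
from typing import Dict, List, Tuple

MINUTES_PER_DAY = 24 * 60


def _to_minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def _label(minutes: int) -> str:
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def rpo_from_schedule(backup_times: List[str]) -> Tuple[float, Tuple[str, str]]:
    """Worst-case data loss in hours for a daily backup schedule ('HH:MM' times),
    plus the pair of consecutive backups that bound the widest gap. The gap that
    wraps past midnight is included; on an uneven schedule it is usually the one
    that sets the RPO."""
    if not backup_times:
        raise ValueError("no backups means unbounded data loss")
    mins = sorted(_to_minutes(t) for t in backup_times)
    worst, worst_pair = 0, (_label(mins[0]), _label(mins[0]))
    for i, start in enumerate(mins):
        end = mins[(i + 1) % len(mins)]
        # A zero gap only occurs when there is one backup per day.
        gap = (end - start) % MINUTES_PER_DAY or MINUTES_PER_DAY
        if gap > worst:
            worst, worst_pair = gap, (_label(start), _label(end))
    return worst / 60, worst_pair


def actual_downtime_hours(down_at: str, restored_at: str) -> float:
    """Elapsed time between loss of service and resumption (ISO 8601 timestamps)."""
    delta = datetime.fromisoformat(restored_at) - datetime.fromisoformat(down_at)
    return delta.total_seconds() / 3600


def assess(rto_hours: float, rpo_hours: float, schedule: List[str],
           down_at: str, restored_at: str) -> Dict[str, object]:
    """Compare a system's backup schedule and an observed outage with its objectives."""
    worst_loss, bounds = rpo_from_schedule(schedule)
    downtime = actual_downtime_hours(down_at, restored_at)
    return {
        "worst_case_data_loss_h": worst_loss,
        "widest_gap": bounds,
        "rpo_met": worst_loss <= rpo_hours,
        "downtime_h": downtime,
        "rto_met": downtime <= rto_hours,
    }


if __name__ == "__main__":
    print(rpo_from_schedule(["00:00", "12:00"]))           # Example 2 above
    print(rpo_from_schedule(["08:00", "16:00", "00:00"]))  # Example 3 above
    print(assess(4, 8, ["08:00", "10:00", "18:00"],
                 "2024-03-10T15:00:00", "2024-03-10T18:00:00"))
```

For Examples 2 and 3 the function returns 12 and 8 hours. For a schedule of 08:00, 10:00, and 18:00 it returns 14 hours, bounded by the 18:00 and 08:00 backups, even though two of the three gaps are short; a system with an 8-hour RPO on that schedule fails its objective, while the 3-hour outage of Example 4 sits within a 4-hour RTO.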
RTO and RPO for Critical Systems
The RTO indicates a user's tolerance for system downtime. Similarly, the RPO indicates a user's
tolerance for data loss. In the case of critical systems and critical data, an organization cannot afford
to have much downtime or data loss. Hence, in the case of critical systems, the RTO and RPO are
generally zero or near zero. A low RTO indicates that a system should be resumed at the earliest
possible juncture. A low RPO indicates that data loss should be at a minimum.

To put it in another way, if the RTO and RPO are low (that is, zero or near zero), then the systems and
data are both critical to the organization.
RTO, RPO, and Maintenance Costs
A low RTO indicates that systems are critical and need to be resumed as soon as possible. To achieve
this objective, organizations need to invest heavily in redundancy, that is, duplicate or alternative
processing sites. A hot site is ideal where the RTO is lower, but this is a costly affair. A hot site refers
to a site where all the infrastructure is readily available.

On the other hand, if the RTO is high, this indicates that systems are not that critical and that the
organization can afford downtime to some extent. An organization need not invest in redundancy for
systems with a high RTO. A cold site is ideal when the RTO is higher. A cold site refers to a site
where there is only limited infrastructure.

A low RPO indicates that data is critical and should not be lost. That is, if the RPO is zero, the
security manager needs to ensure that there is no data loss. They should invest heavily in data backup
management. Data mirroring or data synchronization are some ideal techniques to use when the RPO
is zero or very low. Hence, for a low RPO, data maintenance costs will be higher compared with a
high RPO. Thus, if both the RTO and RPO are low (that is, zero or near zero), then the cost of
maintaining the environment is high.
RTO, RPO, and Disaster Tolerance
Disaster tolerance indicates an organization's tolerance to the nonavailability of IT facilities. A low
RTO/RPO indicates that the disaster tolerance is low; that is, the organization cannot tolerate system
downtime or data loss. A high RTO/RPO indicates that disaster tolerance is high; that is, the
organization can tolerate system downtime and/or data loss up to a certain level.
RTO, RPO, and BIA
The RTO and RPO are primarily derived from the business impact analysis (BIA). The BIA helps to
determine the critical systems and processes of the organization. The RTO and RPO of critical systems
and processes are low compared to those of noncritical systems and processes. For example, online
banking systems have almost zero RTO and RPO, since banks cannot afford to lose even a single transaction.

Service Delivery Objective


The Service Delivery Objective (SDO) is the level of service and operational capability to be
maintained from an alternate site. The SDO is directly related to business needs and refers to the
level of service that needs to be attained during disaster recovery. It is influenced by business
requirements.

Maximum Tolerable Outage


The Maximum Tolerable Outage (MTO) is the maximum period of time that an organization can
operate from an alternate site. Various factors affect the MTO, such as location availability, resource
availability, raw material availability, and electric power availability at the alternate site, as well as
other constraints.

Allowable Interruption Window


The Allowable Interruption Window (AIW) is the maximum period of time for which the normal
operations of an organization can be down. After this point, the organization starts facing major
financial difficulties that threaten its existence. The MTO should be at least as long as the AIW to
minimize the risk to the organization.

Practice Question Set 7


1. The recovery time objective (RTO) is primarily derived from:

A. Risk assessment

B. Gap analysis

C. BCP testing

D. Business impact analysis

2. An information security manager observes that not enough details are documented in the recovery plan, and this may prevent
meeting the RTO. Which of the following compensates for the lack of details in the recovery plan and ensures that the RTO
is met?
A. Establishing more than one operation center

B. Delegating authority for recovery execution

C. Outsourcing the recovery process

D. Taking incremental backups of the database

Risk Management Integration with Life Cycle


A security manager should understand that risk management activities are not one-time events. Risk
management is a continuous process. For effective risk management, the related activities should be
integrated with the process life cycle.

System Development Life Cycle


A security manager should be aware of the following system development life cycle (SDLC)
phases:

Phase 1: Initiation/Feasibility
The objective, purpose, and scope of the system are discussed, finalized, and documented. In this
phase, the system design is finalized and approved. Internal controls should also be incorporated
during the initial design stage. During the feasibility phase (planning or initiation), the process for
change management should be defined. It is very important to prevent scope creep. Scope creep
refers to uncontrolled changes in the scope of the project. This can occur when the scope of a project
is not properly defined, documented, or controlled.

Phase 2: Development/Acquisition
In this phase, alternatives are evaluated, and the system is developed or acquired from a third party.

Phase 3: Implementation
In this phase, the system is tested, and migration activities are carried out.

Phase 4: Operations/Maintenance
In this phase, regular updates and maintenance are carried out for the upkeep of the system.

Phase 5: Disposal
In this phase, obsolete systems are discarded by moving, archiving, discarding, or destroying
information and sanitizing the hardware and software.

Figure 4.9: SDLC phases

A security manager should be involved in all phases of the SDLC. Furthermore, the security
requirements should be integrated into all SDLC phases. Performing risk assessments at each stage of
the SDLC is the most cost-effective way of addressing any flaws early.

The following aspects should be addressed during the risk assessment of any project:

What level of confidentiality is required for the system?

What level of availability is required for the system?

The impact of any laws or regulations on the project (for example, privacy laws)

Architectural and technological risks

The use of a secure information systems development process

Security training for the developers and staff members

The best way to implement risk management processes on a continuous basis is to develop a
structured change management procedure.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the most effective approach to ensure the continued effectiveness of information
security controls?
Possible Answer: Effective life cycle management

Question: What is the best way to address risk at various life cycle stages?
Possible Answer: A structured change management procedure

Figure 4.10: Key aspects from the CISM exam perspective


Practice Question Set 8

1. Risk assessment should first be conducted in which phase of the system development life cycle (SDLC)?

A. Implementation

B. Testing

C. Programming

D. Feasibility

2. A risk assessment should be performed:

A. Only before starting development

B. During the system deployment stage

C. During the feasibility stage

D. At each stage of the SDLC

3. Which of the following processes addresses risk at various life cycle phases?

A. Change management

B. Patch management

C. Release management

D. Configuration management

4. Which of the following is the most effective method for the continued effectiveness of controls?

A. Increasing the security budget

B. Ensuring strategic alignment

C. Ensuring effective life cycle management

D. Ensuring frequent benchmarking

Summary

In this chapter, you explored the practical aspects of risk management. This chapter helps you, the
CISM candidate, to classify assets and manage the operational risks of your organization. This
chapter also helps you integrate risk management with the asset life cycle.

The next chapter will cover the procedural aspects of information risk management.

Revision Questions

1. What is the primary objective of a risk management program?

A. To protect the IT assets


B. To implement preventive controls

C. To achieve the stated objectives

D. To ensure the availability of IT systems

2. Which of the following vulnerabilities will allow attackers to access data through a web application?

A. Validation checks are missing in data input fields

B. The password history rule is not implemented

C. Application logs are not monitored at frequent intervals

D. Two-factor authentication is not implemented

3. The best way to understand the evolving nature of attacks is:

A. To place a honeypot

B. A rogue access point

C. Industry tracking groups

D. Penetration test

4. A previously accepted risk:

A. Should be reassessed on a periodic basis as risks change over time

B. Does not need to be assessed again in the future

C. Should be removed from the risk register

D. Should be mitigated in the next assessment

5. A security manager notes an incident though none of the controls have failed. What is the most likely cause of there being no
failure?

A. Inadequate risk analysis

B. Absence of controls

C. A new type of attack

D. Operational error

6. What is the best metric to determine the effectiveness of a control monitoring program?

A. The count of key controls being monitored

B. The time gap between detection and initiation of corrective action

C. The cost of the control monitoring program

D. The time gap between the occurrence of the incident and its detection

7. An organization decides to not comply with a recent set of regulations. What is the most likely reason for this decision?

A. The regulation will increase the complexity of business processes

B. The regulation is difficult to interpret

C. The cost of implementation of the regulation is much higher than the risk of noncompliance

D. There are frequent changes in regulations

8. What is the main objective of a risk management program?

A. To eliminate all risks

B. To support management's due diligence

C. To comply with regulatory requirements

D. To improve the investment portfolio

9. What is the main objective of a network vulnerability assessment?

A. To identify deviation from a secure coding policy

B. To identify malware and spyware

C. To identify weaknesses in the security design

D. To identify misconfiguration and missing updates

10. Which of the following is used to identify deficiencies in a system?

A. Performance metrics

B. Business impact analysis

C. A security gap analysis

D. Incident management procedures

11. Which among the following is the main criterion for approving a policy exception?

A. Project deadlines

B. The risk being justified by the benefits

C. High cost of policy compliance

D. Inconvenience to the users

12. A security manager notes that a new regulatory requirement is applicable to the organization. What should their next course of
action be?

A. To take approval from the information security committee to implement the new requirement

B. To perform a gap analysis

C. To implement controls

D. To evaluate budget availability


13. A security manager notes that a new privacy requirement is enacted. What should their next course of action, to determine the
potential impact of this privacy law on the organization, be?

A. To develop a roadmap for the implementation of achieving compliance with the privacy law

B. To determine the systems and processes that contain the privacy components

C. To stop business processes until compliance is achieved

D. To determine the actions taken by other organizations

14. The most important aspect of an effective risk management program is:

A. A high security budget

B. A defined security baseline

C. The detection of new risks

D. A documented risk reporting process

15. The valuation of assets in a BIA is based on:

A. The cost of acquisition

B. The cost of replacement

C. The opportunity costs

D. The cost to recreate

16. Which of the following components of a risk assessment will require the highest amount of speculation?

A. Consequences

B. Exposure

C. Vulnerability

D. Likelihood

17. A security manager has received a request from a business unit to implement a new technology that goes against the information
security standards. What should their next course of action be?

A. Reject the request

B. Modify the standards to allow the use of the new technology

C. Conduct a risk assessment to quantify the risk

D. Engage experts to identify a better technology

18. A security manager has received a request from the IT function to not update the business impact analysis for a new application as
there is no change in the business process. What should their next course of action be?

A. To verify the decision of the business unit through a risk analysis

B. To reject the request

C. To provide instructions to modify the BIA after a post-implementation review of the new application

D. To recommend an audit review

19. What is the best way to address a conflict between a security requirement and a business objective?

A. Changing the security requirement

B. Changing the business objective

C. Conducting a risk analysis

D. Accepting the risk

20. A security manager notes a security breach in another organization that has employed a similar technology. What should their next
course of action be?

A. To evaluate the likelihood of incidents from the reported cause

B. To stop using the breached technology

C. To provide assurance to senior management about the security posture

D. To remind staff that the organization is not currently affected by security breaches

21. What is the most important aspect of the effective risk management of IT activities?

A. Risk management activities should be treated as a separate process

B. Risk management activities should be controlled by the IT department

C. Risk management activities should be integrated within the business processes

D. Risk management activities should be communicated to all staff

22. What is the most important element of a business impact analysis?

A. Downtime tolerance

B. Security budget

C. BCP testing process

D. Crisis management procedure

23. A security manager has determined the objectives of a review. The next step is to determine:

A. The limitations

B. The approach

C. The scope

D. The report structure

24. A security manager notes that there is a considerable delay between the identification of a vulnerability and the application of a
patch. What should be their first course of action to address the risk during this period?

A. To apply compensating controls for the vulnerable system

B. To discontinue the services of the vulnerable system


C. To communicate the weakness to the end users

D. To update the signatures of the antivirus system

25. A security manager notes that not all employees comply with the access control policy for the data center. To address this issue,
the security manager should first:

A. Determine the risk of noncompliance

B. Arrange security awareness training

C. Report it to senior management

D. Impose a heavy penalty for noncompliance

26. Which of the following is used to determine the level of effort required to improve risk management processes?

A. A workflow analysis

B. A program evaluation and review technique

C. A gap analysis

D. Return on investment

27. A security manager is implementing a bring your own device (BYOD) program. Their first step should be:

A. To allow or reject access to devices as per their approval status

B. To perform a comprehensive assessment before approving devices

C. To report compliance with the BYOD policy to senior management

D. To install a mobile device management system on each of the approved devices

28. A security manager notes that different criteria are used by different departments for measuring risk. To improve this situation, the
manager should recommend:

A. Applying standard risk measurement criteria throughout the organization

B. Introducing a common risk appetite across the organization

C. Mandating the quantification of each risk

D. Obtaining the results of a risk assessment reviewed by the department head

29. The most important aspect to be included in a BYOD policy is:

A. A requirement to return the device to the organization

B. Requirements to protect sensitive information on the device

C. Restrictions on the installation of third-party applications

D. A requirement to seize the device during a forensic investigation

30. A regulatory compliance requirement should be dealt with as:

A. A zero-deviation area

B. A risk management area of focus

C. An operational issue

D. Just another risk

31. Risk management should be considered an ongoing activity because:

A. Processes are prone to errors.

B. Technology gets updated.

C. The environment changes.

D. Policies get updated.

32. A security manager notes that a web-based service is gaining popularity on the market. They should first:

A. Conduct an annual vulnerability assessment

B. Obtain third-party liability insurance

C. Perform a business impact analysis

D. Arrange a real-time failover capability

33. What is the best way to achieve cost-effective risk mitigation activities throughout an organization?

A. A decentralized risk management function

B. Continuous risk assessments

C. Assurance process integration

D. A standard risk appetite across the organization

34. What is the most effective way to address a regulatory risk?

A. A regulatory risk should be treated like any other risk

B. A regulatory risk should be treated as a zero-deviation area

C. A regulatory risk should be complied with mandatorily

D. A regulatory risk should be transferred by taking out insurance

35. A security manager has received a request for overwriting the data stored on a magnetic tape due to limited storage availability.
They should refer to:

A. The data classification policy

B. The data retention policy

C. The data access policy

D. The data protection policy

36. The most essential element to consider the extent of protection requirements is:

A. Exposure

B. Threat

C. Vulnerability

D. Probability

37. The legal and regulatory requirements should be prioritized on the basis of:

A. The level of penalty action

B. The probability and consequences

C. The level of the director's liability

D. The discretion of the compliance manager

38. In which of the following circumstances is a high-risk tolerance useful?

A. When the risk appetite is high

B. When the uncertainty of the risk is high

C. When the impact of the risk is high

D. When the inherent risk is high

5

Information Security Program Development


In this chapter, you will uncover an overview of information security program development and
understand the methods, tools, and techniques available for the development of information security
programs. The main objective of information security program development is to achieve the
objectives of information security in an effective and efficient manner. Program development
includes the processes of planning, implementing, testing, monitoring, and controlling activities
related to information security. A structured security program will help an organization manage its
security initiatives in an effective manner.

The following topics will be covered in this chapter:


Information Security Program Overview

Information Security Program Resources

Information Asset Identification and Classification

Information Asset Valuation

Industry Standards and Frameworks for Information Security

Information Security Policies, Procedures, and Guidelines

Defining an Information Security Program Roadmap

Information Security Program Metrics

Information Security Program Overview


An information security program covers all the activities and processes that collectively provide
security services to an organization. Some common activities of security programs include the
design, development, and implementation of security-related controls throughout the organization.
Controls can be in the form of simple policies and processes or advanced technological structures.
Depending upon the size and nature of the organization, a security program can be managed by either
a single individual or a specific team headed by the chief information security officer (CISO).

Figure 5.1: The role of the chief information security officer

A security manager is expected to have thorough knowledge of information technology as it helps to
understand how changes in an organization's technical environment can affect its security posture. An
information security manager is required to evaluate the risk of technology and determine the
relevant controls to safeguard IT resources.

Apart from technical skills, a security manager is expected to have a thorough understanding of the
business processes and objectives. They should ensure that the objectives of the security program are
aligned with the business objectives. Security objectives should have the consensus of the business
management. Security objectives are important to the security program and without them, it will not
be possible to define metrics and monitor the progress of the program. The main goal of a security
program is to implement the security strategy and develop a defined program.

Ideal Outcomes of an Information Security Program


Security programs should deliver the following outcomes to support the business objectives.

Strategic Alignment

Security programs should be designed in a manner that ensures strategic alignment with business
requirements. Alignment should consider business processes, culture, governance, existing
technology, and organizational structure. Strategic alignment can best be achieved through a security
strategy committee that is composed of senior representatives from all relevant business units.

A security manager is required to have a thorough understanding of business processes and should
have regular interaction with business owners to understand their requirements. Strategic alignment
also requires informing senior management about the key aspects of the security program at regular
intervals.

Risk Management

Security programs should be able to manage the risk applicable to business objectives. For effective
risk management, security managers should be aware of threats, vulnerabilities, and the
organization's risk profile. Risk must be managed to a level acceptable to senior management.

Value Delivery

A security program should provide value to the organization. For value delivery, security should be
managed effectively and efficiently. The security investment should be managed to provide
maximum value to the organization.

Resource Management

A security manager should be able to utilize resources such as staff, finance, technology, and
knowledge efficiently and effectively. In case of resource constraints, protection efforts should be
prioritized to support the areas of greatest need, and those that provide the greatest benefit. These
efforts form the basis of good resource management.

Performance Management

A security manager should develop processes and metrics to monitor the performance of the security
program. Performance metric reports should be submitted to senior management at regular intervals.

Assurance Process Integration

A security manager should be aware of the organization's various assurance functions to ensure that
the security activities are aligned with the activities of other assurance functions. Assurance functions
generally include physical security, risk management, quality control, auditing, legal, HR, IT, and
business continuity.

The Starting Point of a Security Program


Most security frameworks start with a risk assessment and by establishing the objectives of controls.
An information security program is established to close the gap between the existing state of controls
(as identified by a risk assessment) and the desired state (that is, control objectives).

Information Security Charter


A charter is the formal grant of authority or rights. An information security charter states that the
organization formally recognizes the information security department. In the absence of this charter,
it will be difficult for the information security department to operate within the organizational
environment. The charter defines the scope, responsibility, and authority of the information security
function.

The information security charter can act as a foundation to provide guidance on information security
governance.

Support from Senior Management


Support from senior management is considered the biggest challenge for every security manager.
Investment in security does not produce directly tangible benefits, and calculating the return on
investment (RoI) for security is not as simple as calculating RoI for other business investments.

Figure 5.2: Senior management support

A security manager should consider the following aspects while seeking support and a budget from
senior management:

The security strategy should be aligned with the business objectives and goals.

The security manager should obtain consensus from other business units when designing the security strategy.

To the extent possible, the benefits of the proposed project should be quantified in a business case.

Thus, the best way to obtain support from senior management is to let them know how information
security is supporting the business objectives.

Defense in Depth

Defense in depth (DiD) is an arrangement wherein multiple layers of controls are implemented to
protect the information resources. Its intent is to provide redundancy in case one control fails. The
first layer of DiD prevents the event from occurring, that is, by implementing preventive controls
such as authentication. The second layer is containment, which involves isolating and minimizing the
impact. The third layer is reaction, that is, incident response procedures. The final layer is the
recovery and restoration procedure. This includes backup arrangements.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the most important reason that an information security manager must have an
understanding of information technology?
Possible Answer: To understand the risk of technology and its contribution to security objectives

Question: What is the most common starting point for the development of an information security
program?
Possible Answer: A risk assessment and defining control objectives

Figure 5.3: Key aspects from the CISM exam perspective

NOTE
The answers and explanations for all practice and revision questions for this chapter can be found via this link.

Practice Question Set 1


1. Your organization has recently been impacted by a major security incident. As an information security manager, you should utilize
this learning:

A. To improve the integration of business and information security processes

B. To increase the information security budget

C. To improve the industry benchmarking process


D. To obtain better technical controls

2. An information security manager should have a thorough understanding of information technology:

A. To ensure that the latest and most feasible technology is being used

B. To understand the risk of technology and its contribution to security objectives

C. To provide consultation on the deployment of information technology

D. To improve the relationship between information security and business units

3. The requirement for information security resources is identified in the:

A. Risk assessment

B. Architecture

C. Strategy

D. Guidelines

4. An information security framework generally starts with:

A. The development of an information security policy

B. The remediation of internal audit findings

C. A risk assessment and control objectives

D. Allocating the security budget

5. What is the most important aspect to be considered at the time of establishing an information security program?

A. To understand the existing culture within the organization

B. To understand the existing control system of the organization

C. To understand the overall risk exposure of the organization

D. To determine the availability of security resources in the organization

6. The involvement of senior management in an information security program will first determine:

A. The charter

B. The security strategy

C. The budget

D. The security procedure

7. The first layer of the defense in depth (DiD) strategy is:

A. Containment

B. Prevention

C. Reaction

D. Recovery

8. The effectiveness of an information security program primarily depends on:

A. The availability of a documented security policy and procedures

B. Senior management commitment

C. Periodic awareness training

D. Developing an information security management system

9. The first layer of the DiD strategy is:

A. Isolation

B. Authentication

C. Incident procedures

D. Recovery procedure

Information Security Program Resources


The success of an information security program mainly depends on the available resources for
information security management. Resources can be in the form of technologies as well as qualified
employees. Apart from processes, policies, and people, an information security program involves a
number of technologies.

An information security manager must be capable of making technical decisions to ensure that the
deployed technologies are aligned with the information security program's goals and objectives. The
following are some of the technological aspects that an information security manager needs to deal
with:

Placement of firewalls

Antivirus/antimalware systems

Security information and event management (SIEM) software

Tools for AppSec and DevOps

Information Asset Identification and Classification


Information asset classification refers to the classification of information assets based on their
criticality to the business. These assets can be classified as confidential, private, or public. This
classification helps organizations provide the appropriate level of protection for their assets. More
resources should be utilized for the protection of confidential data compared to public data.

Benefits of Classification

Classification helps to reduce the risk of under-protection of assets. Assets are protected in proportion to their criticality.

Classification helps to reduce the cost of over-protection of assets.

Understanding the Steps Involved in Classification


A CISM aspirant should understand the following steps for the successful implementation of an
information classification program:

Step 1: Create an inventory of all information assets the organization possesses.

Step 2: Establish ownership of each information asset. The identification of an asset owner is a
prerequisite for the implementation of the classification policy. In the absence of an owner, the true
value of the asset cannot be determined.

Step 3: Derive the value of the assets that need protection.

Step 4: Classify the information assets based on their valuation. Classification can be in the form of
high-value data, medium-value data, and low-value data, or in the form of confidential data, sensitive
data, private data, and public data. Classification should be kept simple considering the different
degrees of the criticality of the assets.

Step 5: Each asset should be labeled according to its classification.

Step 6: Implement the level of protection according to the level of classification. Confidential data
should be highly protected, whereas public data may not require any protection.
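The six steps above, worked through in code as an added example that is not from the book: an inventory is valued, classified, labeled, and mapped to protection, and an asset with no established owner is reported as a gap rather than guessed at. The asset records, the 1 to 3 rating scale, the scoring rule, and the control lists are constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Classification levels in ascending order of criticality/sensitivity.
# The book names confidential, sensitive, private, and public data; the
# ordering and the numeric rating scale below are constructed for this example.
LEVELS = ["public", "private", "sensitive", "confidential"]

# Step 6 lookup: protection proportional to classification (constructed controls).
PROTECTION = {
    "public": [],
    "private": ["role-based access control"],
    "sensitive": ["role-based access control", "encryption at rest"],
    "confidential": ["role-based access control", "encryption at rest",
                     "encryption in transit", "access audit logging"],
}


@dataclass
class Asset:
    name: str
    owner: Optional[str]          # Step 2: business owner (None = not yet established)
    confidentiality: int          # requirement ratings, 1 = low, 2 = medium, 3 = high
    integrity: int
    availability: int
    regulated: bool = False       # a legal/regulatory/contractual requirement applies
    label: Optional[str] = None   # Step 5: set by label_asset()


def value_asset(asset: Asset) -> int:
    """Step 3: derive the asset's value score.

    An owner is a prerequisite: without an owner the true value of the asset
    cannot be determined, so this raises instead of guessing a value.
    """
    if not asset.owner:
        raise ValueError(f"{asset.name}: no owner established; value cannot be determined")
    ratings = (asset.confidentiality, asset.integrity, asset.availability)
    if any(r not in (1, 2, 3) for r in ratings):
        raise ValueError(f"{asset.name}: ratings must be 1, 2 or 3")
    # Constructed rule: the highest single requirement drives the value, and a
    # regulatory obligation adds one point because non-compliance has its own impact.
    return max(ratings) + (1 if asset.regulated else 0)


def classify(score: int) -> str:
    """Step 4: map a value score (1..4) onto a classification level."""
    index = min(max(score, 1), len(LEVELS)) - 1
    return LEVELS[index]


def label_asset(asset: Asset) -> str:
    """Steps 3 to 5 for one asset: value it, classify it, and record the label."""
    asset.label = classify(value_asset(asset))
    return asset.label


def required_controls(asset: Asset) -> List[str]:
    """Step 6: protection commensurate with the label (public data needs none)."""
    if asset.label is None:
        label_asset(asset)
    return list(PROTECTION[asset.label])


def run_classification(inventory: List[Asset]) -> Tuple[Dict[str, Tuple[str, List[str]]], List[str]]:
    """Steps 1 to 6 over a whole inventory.

    Returns a mapping of asset name -> (label, controls) plus the names of assets
    that could not be classified (typically: no owner), so the gaps are reported
    instead of those assets being silently skipped or under-protected.
    """
    results: Dict[str, Tuple[str, List[str]]] = {}
    unclassified: List[str] = []
    for asset in inventory:
        try:
            label = label_asset(asset)
        except ValueError:
            unclassified.append(asset.name)
            continue
        results[asset.name] = (label, required_controls(asset))
    return results, unclassified


# Step 1: a constructed inventory of information assets.
INVENTORY = [
    Asset("public website content", owner="marketing head", confidentiality=1, integrity=1, availability=1),
    Asset("employee directory", owner="HR head", confidentiality=2, integrity=2, availability=1),
    Asset("customer PII database", owner="head of sales", confidentiality=3, integrity=3, availability=2, regulated=True),
    Asset("source code repository", owner="engineering head", confidentiality=3, integrity=3, availability=2),
    Asset("legacy file share", owner=None, confidentiality=2, integrity=1, availability=1),
]

if __name__ == "__main__":
    classified, gaps = run_classification(INVENTORY)
    for name, (label, controls) in classified.items():
        print(f"{name:26s} {label:13s} {', '.join(controls) or '(no protection required)'}")
    for name in gaps:
        print(f"{name:26s} UNCLASSIFIED  assign an owner before valuation")
```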

Success Factors for the Effective Classification of Assets

It is critical for the data owner and custodian to understand and be aware of the organization's information classification policy.
This ensures that data is properly classified according to organizational needs.

The data owner/system owner should be responsible for maintaining effective security controls on information assets.

Information classification must take into account the following requirements:

Legal/regulatory/contractual

Confidentiality

Integrity

Availability

Information classification is primarily based on inputs from data owners. Business managers (data owners) will have thorough
knowledge of business impact due to the non-availability of their systems, data, or other assets.

Security managers need to ensure that the requirements of the data owners are properly identified and appropriately addressed in
the information classification policy.

Security managers need to ensure that the classification policy is made available to all users. The
content of the classification policy should be part of the security awareness program. Without user
awareness about the classification requirements, the policy will not be implemented in its true sense.

Figure 5.4: Classification policy

Criticality, Sensitivity, and Impact Assessment

The prime basis for determining the classification of information assets is the criticality and
sensitivity of those assets in relation to achieving business objectives. An impact assessment is used
to determine the criticality and sensitivity of assets.

Business Dependency Assessment


Many organizations may find it difficult to implement comprehensive classification due to resources
or other constraints. In such cases, they can classify their resources based on a business dependency
assessment. In this approach, critical business functions are identified, and all the assets of critical
functions are given high priority for protection.

Risk Analysis

Risk analysis is the process of determining the level of risk. Risk level can be either quantified in
terms of cost or can be expressed as qualitative indicators such as high risk, medium risk, or low risk.

The results of a risk analysis help the security manager to determine the efforts that would be
required to address any risk. More resources may be required to mitigate high-risk areas, whereas
fewer resources may be required to mitigate low-risk areas.

Business Interruptions

The objective of a classification policy is to ensure that the appropriate level of protection is applied
to each class of information. However, it should not interrupt the business processes. Data should be
made available to authorized users. The classification policy should not create unnecessary hurdles
for normal business processes.

Figure 5.5: Classification policy

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:
Question: What is the main advantage of asset classification?
Possible Answer: It determines the appropriate level of protection applicable to each asset.
Classification helps to reduce the risk of under-protection or over-protection of assets. In essence:
controls are commensurate with the impact.

Question: Prime responsibility for determining the level of information classification resides with:
Possible Answer: The data owner/business manager

Question: Which policy defines the level of protection to be provided for each category of data based
on the business value?
Possible Answer: The data classification policy

Question: What should the prime basis for determining the classification of information assets be?
Possible Answer: Criticality and sensitivity

Question: What should the prime basis for determining the criticality and sensitivity of information
assets be?
Possible Answer: Impact assessment

Question: What is the most important factor to achieve proportionality in the protection of
information assets?
Possible Answer: Asset classification

Figure 5.6: Key aspects from the CISM exam perspective

Practice Question Set 2


1. As an information security manager, you are required to classify the assets of your organization. What should your first step be?

A. Assessing the risk

B. Asset categorization

C. Asset valuation

D. Implementing controls

2. As an information security manager, you are required to allot ownership of sensitive data that is only used by the employees of the
finance department. Who should have ownership of this data?

A. The finance department

B. The system administrator

C. The head of IT

D. The head of the finance department

3. As an information security manager, you are required to design an information classification policy. What should your most
important consideration be?

A. Benchmark with competitors

B. Availability of technology

C. Number of staff

D. Requirements of the data owners

4. Who is mainly responsible for the classification level of an information asset?

A. The data custodian

B. The data administrator

C. The data user

D. The data owner

5. The extent of resource utilization for the mitigation of risk is determined by:

A. Risk analysis results

B. Audit observations

C. A vulnerability assessment

D. Security budget

6. The main prerequisite to implementing an information classification policy is:

A. Defining roles and responsibilities

B. Conducting a risk assessment

C. Identifying data owners

D. Documenting a data destruction policy

7. What is the objective of asset classification?

A. It helps to determine critical business objectives

B. It helps to determine the amount of insurance coverage


C. It helps to determine the appropriate level of protection for the asset

D. It helps to benchmark against processes of the peer organization

8. The main advantage of conducting an information asset classification is:

A. To align security requirements with business objectives

B. To determine controls commensurate with impact

C. To establish access rights

D. To determine asset ownership

9. An organization has developed software code that gives it a competitive edge. Which of the following policies will govern the
protection level of the code?

A. The usage acceptance policy

B. The data classification policy

C. The access control policy

D. The IS training policy

10. The responsibility for the classification of information rests with:

A. Senior management

B. The security manager

C. The data owner

D. The data administrator

11. The main reason for data classification in accordance with criticality and sensitivity is to:

A. Determine the owner for each set of data

B. Determine the appropriate level of access control

C. Calculate the RoI for each information asset

D. Decide the information security budget

12. For a publicly traded organization, the security manager is expected to provide the lowest protection to:

A. The business strategy plan

B. The customer's personally identifiable information

C. The personal information of key employees

D. The published financial results

13. The criticality and sensitivity of information assets are primarily based on:

A. Penetration testing
B. Vulnerability testing

C. The annualized expected loss

D. An impact assessment

14. The classification of an information asset should be determined by:

A. The data administrator

B. Senior management

C. The security manager

D. The data manager

15. What is the most important factor when determining the appropriate protection level for an information asset?

A. The acquisition cost of the asset

B. The level of vulnerabilities reported in the asset

C. The level of exposure of the asset

D. The criticality of the business function supported by the asset

16. Data classification levels are mainly decided on the basis of:

A. Criticality and sensitivity

B. Probability and consequences

C. Cost of asset acquisition

D. Threat factors

17. Which of the following is a prerequisite for the classification of assets?

A. A vulnerability analysis

B. An impact assessment

C. A control assessment

D. A security test

18. The most important factor for an information classification scheme is:

A. It should consider the impact of a security breach

B. It should adhere to the security budget

C. It should be designed by the information security manager

D. It should be based on a vulnerability assessment

19. The most important factor for an information classification scheme is:

A. Vulnerability
B. Threat

C. Potential impact

D. Acquisition cost

20. A client has requested that a staff member share some information with them. What should the staff member's first course of
action be?

A. Obtain a non-disclosure agreement from the client

B. Determine the information classification level of the requested information

C. Encrypt the requested information

D. Transmit the requested information through a secure channel

Information Asset Valuation


Asset valuation provides a cost representation of what the organization stands to lose in the event of a
major compromise. From the risk management perspective, assets are generally valued based on the
business value and not only on simple acquisition or replacement costs. Business value is measured
in terms of revenue loss or other potential impacts when an asset is compromised.

For example, suppose software is acquired at a cost of $1,000 and it generates revenue of $5,000 per
day. In this case, the business value will be $5,000 per day and not merely the cost of acquisition
($1,000).

Determining the Criticality of Assets


The best method to determine the criticality of assets is a business impact analysis (BIA). A BIA
determines the critical business assets by analyzing the impact of the unavailability of assets on
business objectives. In case of a disaster, identified critical assets are recovered and restored as a
priority to minimize the damage.

For determining the business impact, two independent cost factors are considered. The first is the
downtime cost. Examples of downtime costs include a drop in sales, the cost of idle resources, and
the interest cost. The second is the cost of alternative corrective measures, such as the
activation of a business continuity plan (BCP) and other recovery costs.

Once the business impact is available for each asset, it is important to prioritize the assets in order of
their criticality. This criticality analysis should be performed in coordination with IT and business
users.
A BIA is the best tool for determining the priority of the restoration of applications. Recovery time
objectives (RTOs) are primarily based on a BIA.
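The following is an added worked example (not code from the book) that ties together the two sections above: assets are valued on business impact rather than acquisition cost, impact is built from the two cost factors the text names (per-hour downtime cost and one-off recovery cost), the assets are ranked for restoration, and an RTO is taken from the tolerable downtime the business owner states. The asset names and every figure are constructed sample values.

```python
"""Asset valuation and business impact analysis (BIA) worked example.

Added example, not from the book. Impact for an outage =
downtime cost per hour (lost sales + idle resources + interest) x hours
+ recovery cost (BCP activation and other corrective measures).
Assets are then ranked so the most critical are restored first, and the
RTO is the downtime the business says it can tolerate.
All figures below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    acquisition_cost: float             # recorded, but deliberately NOT used for impact
    lost_sales_per_hour: float          # downtime cost factor
    idle_resource_cost_per_hour: float  # downtime cost factor
    interest_cost_per_hour: float       # downtime cost factor
    recovery_cost: float                # one-off corrective measures (BCP activation etc.)
    max_tolerable_downtime_hours: float # stated by the business owner

    def downtime_cost_per_hour(self) -> float:
        return (self.lost_sales_per_hour
                + self.idle_resource_cost_per_hour
                + self.interest_cost_per_hour)

    def business_impact(self, outage_hours: float) -> float:
        """Total cost to the business of an outage of the given length."""
        return self.downtime_cost_per_hour() * outage_hours + self.recovery_cost


def prioritize(assets, outage_hours: float):
    """Rank assets for restoration: highest impact first; on a tie, the asset
    with the shorter tolerable downtime comes first."""
    ranked = sorted(
        assets,
        key=lambda a: (-a.business_impact(outage_hours), a.max_tolerable_downtime_hours),
    )
    return [(a.name, a.business_impact(outage_hours)) for a in ranked]


def recovery_time_objectives(assets):
    """RTO per asset derived from the BIA: it must not exceed the maximum
    tolerable downtime the business stated for that asset."""
    return {a.name: a.max_tolerable_downtime_hours for a in assets}


# Constructed sample inventory. Note that the intranet wiki is the most
# expensive asset to acquire but the least critical to the business.
SAMPLE_ASSETS = [
    Asset("order-processing", 1_000, 5_000, 800, 50, 20_000, 4),
    Asset("hr-portal", 3_000, 0, 300, 0, 2_000, 48),
    Asset("payment-gateway", 2_000, 7_000, 200, 100, 15_000, 2),
    Asset("intranet-wiki", 9_000, 0, 100, 0, 500, 72),
]

if __name__ == "__main__":
    for name, impact in prioritize(SAMPLE_ASSETS, outage_hours=8):
        print(f"{name:18s} impact of an 8-hour outage: ${impact:,.0f}")
    print("RTOs (hours):", recovery_time_objectives(SAMPLE_ASSETS))
```

Running it ranks the payment gateway first even though the intranet wiki cost nine times more to acquire, which is exactly the distinction between business value and acquisition cost that the section makes. The criticality ranking should still be agreed with IT and the business users before it is used as the restoration order.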

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question | Possible Answer
What is the first step in performing an information risk analysis? | Preparing an asset inventory
What is the best tool for determining the priority of the restoration of applications? | A BIA
On what basis are RTOs primarily based? | A BIA

Figure 5.7: Key aspects from the CISM exam perspective

Practice Question Set 3


1. As an information security manager, you are required to determine the impact of a disaster. To determine the impact, assets should
be valued at:

A. The cost of acquisition

B. The net present value

C. The cost of identical assets

D. The replacement cost

2. As an information security manager, you are required to conduct an information risk analysis. What should your first step be?

A. To conduct a valuation of the assets

B. To establish the ownership of the assets

C. To create an inventory of the assets

D. To classify the assets

3. An incident was reported regarding the loss of a mobile device containing unencrypted data. What is the security manager most
concerned about?

A. Insurance coverage of the mobile device

B. Awareness regarding the handling of mobile devices


C. Potential impact of the data loss

D. Replacement cost of the mobile device

4. The value of information assets can best be determined by:

A. The business managers

B. The system administrator

C. The security manager

D. Senior management

5. What is the most important factor for conducting a risk assessment?

A. Support from management

B. A documented process for calculating annual loss expectations

C. Identification of the asset inventory and the appropriate valuation of assets

D. Understanding the attack motives of threats

6. A security manager wants to determine the impact of losing network connectivity for 8 to 10 hours. The most important aspect is:

A. The service provider charges per hour

B. The quantum of data transmitted per hour

C. The aggregate RoI of all affected business users

D. The financial losses of the affected business units

7. The first step of performing a risk assessment is:

A. Identification of business assets

B. Identification of existing controls

C. Identification of asset vulnerabilities

D. A business impact analysis

8. What is the greatest challenge in using annual loss expectancy to predict losses?

A. The dependency on subjective information

B. It's a time-consuming process

C. The complexity of the calculation

D. The high cost

9. What is the most important aspect of the valuation of information assets?

A. Potential financial loss

B. Replacement cost
C. Insurance cost

D. Legal requirements

10. Asset value can be best judged through:

A. A vulnerability assessment

B. An audit finding

C. Certification

D. Classification

11. The impact of a major compromise can be best determined by:

A. A vulnerability assessment

B. Asset valuation

C. Audit findings

D. An architectural analysis

12. A business impact analysis involves:

A. Identification of vulnerabilities

B. Identification of threats

C. Designing incident notification procedures

D. Listing critical business resources

13. What is the area of most concern when prioritizing risk management activities?

A. An incomplete list of information assets

B. An incomplete threat assessment

C. An incomplete vulnerability assessment

D. An inaccurate valuation of information assets

14. The best use of a business impact analysis is to decide:

A. The cost of acquisition

B. The restoration priority

C. The yearly rate of loss expectation

D. The residual risk

15. An RTO is derived from:

A. A risk assessment

B. A gap analysis
C. BCP testing

D. A business impact analysis

Industry Standards and Frameworks for Information Security

A framework is a structure or outline that supports the implementation of an information security
strategy. Frameworks provide the best practices for a structured security program. They are flexible
structures that any organization can adopt as per its environment and requirements. Governance
frameworks such as COBIT 5 and ISO 27001 are examples of widely accepted and implemented
frameworks for security governance.

Generally, a security framework has the following components:


Technical components: Technical components are parts of the framework that cover technical and IT aspects of security.
Examples of technical aspects include configuration, monitoring, and maintenance of technical components such as firewalls,
intrusion detection systems (IDSs), and SIEM. It is very important to have assigned ownership for each technical asset to ensure
proper risk treatment and compliance with security policies.

Operational components: Operational components are parts of the framework that cover ongoing management and
administrative activities to ensure the required level of security assurance. Examples of operational components include preparing
standard operating procedures (SOPs), patch management, log analysis, change management, and other routine activities to
support security. Each of these activities should be assigned to individuals with the requisite authority and knowledge.

Management components: Management components are parts of the framework that cover oversight functions. Examples
include the availability of security policies, adequate resources for security, and regular monitoring of key aspects of information
security.

Administrative components: Administrative components are parts of the framework that cover support functions such as HR,
finance, and other functions. Examples of administrative components include personnel job descriptions, performance
management, budget preparation, and calculating RoI.

Educational and informational components: Educational and informational components are parts of the framework that cover
education, awareness, and training requirements for enhancing the security posture of the organization.

Framework – Success Factors


A security framework should be designed and developed considering the business objectives and
goals. It is important to have the consensus of the business units for the security framework.

Figure 5.8: Information security framework

A security manager should consider the following factors for the successful implementation of a
framework:

To get the security framework approved, the security manager should demonstrate a positive return on the security investment.
The best method to evaluate the return on security investment is to determine the level of support information security provides to
the business objectives.

The most important thing when developing a framework for an information security program is to determine the desired outcome.
If the desired outcome is not considered at the time of developing the framework, it will be difficult to determine a strategy,
control objectives, and logical architecture.

A security manager should consider the advantages and disadvantages of centralized as well as decentralized security functions.
As already discussed in Chapter 1, Enterprise Governance, centralized functions are more convenient to monitor and control.
Decentralized functions make it easier to promote security awareness and ensure faster turnaround for security requests as they are
closer to business units. Decentralized units are more responsive to business unit needs.

The security framework and the security policy should closely align with organizational needs. Policies must support the needs of
the organization. For the alignment of the security program, a security manager should have a thorough understanding of the
business plans and objectives. Effective strategic alignment of the information security program requires regular interaction with
business owners.

Before implementing the framework and security policy, sign-off should be obtained from all relevant stakeholders to ensure that
the policy supports the objectives and expectations of the business.

Support from senior management is critical for an effective information security program.

The framework should also define the process for handling exceptions to the policies and procedures. The inherent authority to
grant an exception to the information security policy should reside with the authority who approved the policy.

While implementing a framework, a policy, or a control, the most important consideration is the safety of human life.

Some Industry-Recognized Frameworks

The following are some of the industry-recognized frameworks that include essential aspects of
security. Some of them deal exclusively with security:

COBIT

ISO 27001 standard

Zachman Framework

Sherwood Applied Business Security Architecture (SABSA)

The Open Group Architecture Framework (TOGAF)

NOTE
In the CISM exam, there will be no direct questions on any of the frameworks. The list provided is for your general
knowledge and understanding.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question | Possible Answer
What is the best method to evaluate the return on security investment? | By determining the extent of support provided to the business objectives.
What are the advantages of a centralized security function? | Easy to manage and control. Improved compliance with organizational policies and standards. Reduction of the total cost of ownership.
What are the advantages of a decentralized security function? | It is more responsive to the requirements of business units. It provides a faster turnaround for security requests as it is closer to business units. It ensures the easier promotion of security awareness.

Figure 5.9: Key aspects from the CISM exam perspective

Practice Question Set 4


1. A security manager notices that privileged access was granted to the entire HR team. The security manager should first:

A. Revoke privileged access for all

B. Report the issue to senior management

C. Discuss the situation with data owners to understand the business needs

D. Implement procedures to grant emergency access

2. What is the first step in the development of a well-defined information security program?

A. Determining the security budget

B. Determining the strategic requirements

C. Determining the desired outcomes

D. Determining the security architecture

3. As an information security manager, you are required to determine the return on security investment. This can be done by
evaluating:

A. The extent of support provided to business objectives

B. The number of security metrics developed

C. The industry standards

D. The process maturity model

4. Which of the following is a benefit of a centralized information security structure?

A. It is comparatively easy to promote security requirements

B. It is comparatively easy to manage and control

C. It is more responsive to business unit needs

D. It enables a quick turnaround time for security requests

5. Which of the following is the main advantage of a decentralized security function?

A. It is easy to manage and control

B. It increases compliance with policies and procedures

C. It ensures better alignment of security with the business needs

D. It ensures a reduction in the security budget

6. A security manager notes that compliance with a particular set of standards is weak. What should their first step be?

A. Removing that standard from the policy

B. Updating the policy to address the risk

C. Enforcing penalties for non-compliance

D. Performing a risk assessment


7. The strategic alignment of a security program can best be achieved by:

A. Active benchmarking with the industry

B. Increasing the security budget

C. Regular interaction with business owners

D. Addressing culture differences

8. A security manager has received a request for an exception from the standard configuration of an operating system. What should
their first step be?

A. Rejecting the request for an exception

B. Determining the risk and identifying the compensating controls

C. Seeking guidance from senior management

D. Determining the industry practice

Information Security Policies, Procedures, and Guidelines

A security program is implemented through a specific set of policies, standards, and procedures:
Policies: These are sets of ideas or strategies used as a basis for decision-making. They are high-level statements of direction
made by management.

There can be multiple policies at the corporate level as well as at the department level. It should be
ensured that department-wise policies are consistent and aligned with corporate-level policies.
Standards: These are mandatory requirements to be followed to comply with a given policy, framework, certification, or
regulation. Standards provide detailed directions for compliance.

A standard helps to ensure the efficiency and effectiveness of processes, resulting in reliable products
or services. Standards are updated as and when required to incorporate new processes, technologies,
and regulatory requirements.

A standard is a dynamic document and is changed if control objectives are not achieved or based on
the results of risk assessments.
Procedures: These are detailed steps and actions that help to support the policies and standards. Generally, procedures are
changed more frequently compared to policies and standards.

Guidelines: In some cases, guidelines are required to implement procedures. Guidelines include information such as examples,
suggestions, requirements, and other details for executing procedures.

Policies, standards, procedures, and guidelines should be available in a documented format.

Reviewing and Updating Documents


The documents that lay out an organization's policies, standards, procedures, and guidelines should
be reviewed at periodic intervals to address new and emerging risks. Furthermore, an appropriate
version history should be maintained. The security manager should check the currency of documents.

The last review date confirms the currency of the documents and helps determine that management
has reviewed them and deemed that they meet and address the current business environment.

The security manager should also consider the applicability of policies, standards, procedures, and
guidelines to third-party vendors and service providers and their adherence to these documents.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question | Possible Answer
Which document contains high-level statements indicating the direction of management? | A policy
Who should approve any exception to the information security policy? | The policy approver

Figure 5.10: Key aspects from the CISM exam perspective

Practice Question Set 5


1. What is the following statement an example of?

"All computers are required to have the Windows 10 operating system and all servers are required to
have Windows 2008."
1. The statement is an example of a policy

2. The statement is an example of a guideline

3. The statement is an example of a standard

4. The statement is an example of a procedure

2. Which of the following activities should be exclusively performed by the information security department?

A. Monitoring the performance of operating systems

B. Implementing user access for operating systems

C. Approving operating system access standards


D. Setting firewall rules to protect operating systems

3. Procedures are correctly linked to the security policy through:

A. Standards

B. Audit

C. Maturity model

D. Guidelines

4. Which of the following is the most appropriate document to ensure compliance with specific regulatory requirements?

A. Policies

B. Standards

C. Procedures

D. Guidelines

5. Information security standards should primarily include:

A. The date of creation

B. The name of the author of the document

C. The approval of the document

D. The last review date

6. Which of the following documents is updated most frequently?

A. Database hardening procedures

B. Password complexity standard

C. Information security policy

D. Document retention standard

7. Which of the following statements correctly relates a standard with a policy?

A. A policy provides detailed directions to comply with a standard

B. Both a policy and a standard have the same content

C. A standard provides detailed directions to comply with a policy

D. A standard is a standalone document that does not have a relationship with any policy

8. An information security standard is most likely to change because of:

A. A change in the effectiveness of controls

B. A change in the information security procedures

C. A change in security budgets


D. A change in the results of the periodic risk assessment

9. Who is ultimately responsible for ensuring that information policies are consistent with laws and regulations?

A. The quality assurance team

B. The head of auditing

C. The board of directors

D. The head of technology

10. An exception to the information security policy can be granted by:

A. The process owner

B. The security manager

C. The policy approver

D. The audit manager

11. An information security standard is most likely to change because of:

A. A reduction in the security budget

B. A change in the security procedures

C. A change in security guidelines

D. Control objectives not being met

Defining an Information Security Program Roadmap


For the effective implementation of a security program, it is recommended to develop a roadmap
covering the different stages with clear objectives to be achieved during each stage. The initial stage
of program development is to have discussions with the concerned stakeholders, such as business
units, legal, HR, and finance. This will help the security manager determine the security requirements
of different units.

In the second stage, security requirements should be formalized and the basic security policy should
be drafted, and approval should be obtained from senior management. A security steering committee
consists of officials from different business functions. It plays an important part in the finalization of
security requirements. In the third stage, members of the security steering committee emphasize the
promotion of security awareness as a part of the policy and conduct security reviews to see whether
they are in compliance.

In the fourth stage, gaps identified during the security review are addressed and a continuous
monitoring process is developed. Gradually, the security manager can start developing consensus
around roles and responsibilities, processes, and procedures in support of the policy.
The roadmap for the development of a security program should revolve around the organization's
security strategy. The roadmap should consider objectives, resources, and constraints. It should also
include various milestones in terms of key goal indicators.

In the absence of a well-defined strategy, there can be a risk that the security program is not
integrated or prioritized as per the organization's requirements. Most of the information security
development efforts will revolve around the design, development, and implementation of the
controls.

Gap Analysis
The security manager should conduct a gap analysis at periodic intervals to determine the gap
between the control objectives and the performance of existing controls. Identified gaps should be
addressed for improvement. It is also important to develop a procedure for monitoring control
effectiveness. This will help the security program to evolve and mature.

Figure 5.11: Gap analysis

Thus, the final objective of a gap analysis is not only to identify gaps but also to address them for the
improvement of security processes.

The Value of a Security Program


A security program should provide value to the organization. A security manager should determine
the cost of implementation of controls and the corresponding value of assets to be protected. This will
form the basis for determining whether the information security program is delivering value. If the
cost of controls is higher than the value of the assets, then the program does not provide any value.

Integration of the Security Program with Other Departments

A security program should be integrated with the processes of other departments, such as IT, audit,
risk management, quality assurance, and HR. This helps to improve the effectiveness of the security
program. The most important aspect is integration with IT processes. For instance, automated
controls are considered more effective than manual controls and are generally driven by the IT
department. Also, IT is responsible for the implementation and operation of information processing
systems. Further, for any new IT project, the security department should be involved right from the
feasibility stage all the way to the implementation stage. In fact, the security department should be
involved throughout all SDLC phases. A security manager should be well versed in IT so that they
can make informed decisions about technology risks.

A security program should also be integrated with HR processes. For example, in the case of the
termination of an employee, their details should be immediately made available to the security team
to revoke all their access rights.

Similarly, when an employee is transferred to another department, it is very important to review and
update their access rights to ensure that any access no longer needed is removed and appropriate
access for the new position is granted.
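The HR integration described in the two paragraphs above is, in practice, a joiner/mover/leaver review driven by the HR event feed. The following is an added example (not code from the book) that shows that review: a termination revokes every access the person holds, and a transfer removes the access the new role does not need and grants what it lacks. The role-to-entitlement mapping, the access records and the HR events are all constructed for illustration.

```python
"""Mover/leaver access review driven by HR events.

Added example, not from the book. A termination event must result in all
of the person's access being revoked; a transfer event must result in a
review that removes access the new role does not need and grants access
the new role requires. All data below is constructed for illustration.
"""

# Which access each position needs (constructed role-based entitlements).
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-finance", "email", "vpn"},
    "hr-generalist": {"hr-portal", "email", "vpn"},
    "sales-rep": {"crm", "email", "vpn"},
}

# Access currently recorded in the identity system (constructed).
CURRENT_ACCESS = {
    "alice": {"erp-finance", "email", "vpn", "legacy-share"},
    "bob": {"hr-portal", "email", "vpn"},
    "carol": {"crm", "email", "vpn"},
}

# Events received from HR (constructed). A transfer carries the new role.
HR_EVENTS = [
    {"user": "alice", "type": "transfer", "new_role": "sales-rep", "date": "2022-12-01"},
    {"user": "bob", "type": "termination", "new_role": None, "date": "2022-12-01"},
]


def review_access(events, current_access, entitlements):
    """Return {user: {"revoke": set, "grant": set}} for each HR event.

    Leaver: everything held is revoked.
    Mover: keep only what the new role needs; add anything it lacks.
    Users without an HR event are left untouched.
    """
    actions = {}
    for event in events:
        user = event["user"]
        held = current_access.get(user, set())
        if event["type"] == "termination":
            actions[user] = {"revoke": set(held), "grant": set()}
        elif event["type"] == "transfer":
            needed = entitlements[event["new_role"]]
            actions[user] = {"revoke": held - needed, "grant": needed - held}
    return actions


def apply_actions(current_access, actions):
    """Apply the review outcome and return the updated access records."""
    updated = {user: set(access) for user, access in current_access.items()}
    for user, action in actions.items():
        updated[user] = (updated.get(user, set()) - action["revoke"]) | action["grant"]
    return updated


if __name__ == "__main__":
    actions = review_access(HR_EVENTS, CURRENT_ACCESS, ROLE_ENTITLEMENTS)
    for user, action in actions.items():
        print(f"{user}: revoke {sorted(action['revoke'])}, grant {sorted(action['grant'])}")
    print(apply_actions(CURRENT_ACCESS, actions))
```

Note that the transfer review also removes the "legacy-share" access that alice's old role never formally required; a transfer is the natural moment to clear such accumulated access, which is why the text calls the review on transfer so important.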

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question | Possible Answer
What is the initial stage of developing an information security program? | To determine the security needs and requirements based on discussion with concerned stakeholders such as business units, legal, HR, and finance
What is the basis for determining whether a security program is delivering value? | By comparing the cost of achieving control objectives and the value of the assets protected
Who should provide the final approval for security patch implementation? | The business asset owner
For any new IT project, at what stage should the security department be involved? | From the beginning, that is, from the feasibility stage
What is the basis for providing user access authorization? | Ascertaining the business needs
What are the main project activities undertaken in developing an information security program? | Control design and deployment
What is the primary basis for the prioritization of security expenditure and budgeting? | The level of risk

Figure 5.12: Key aspects from the CISM exam perspective

Practice Question Set 6


1. Which of the following is the most effective way to determine the value delivered by an information security program?

A. The number of controls implemented

B. The cost of achieving control objectives

C. The number of controls being monitored

D. The results of control testing

2. The final approval for a security patch's update hours should be provided by:

A. The system administrator


B. The business asset owner

C. The security manager

D. The business continuity manager

3. When selecting the controls to meet business objectives, the security manager should primarily:

A. Focus on role-based access controls

B. Focus on key controls

C. Focus only on financial applications

D. Focus on preventive controls

4. An information security program should be primarily integrated with:

A. The audit department

B. The risk management department

C. Information technology

D. Quality assurance

5. To protect and control the mobile devices issued by the organization, which of the following activities carried out by HR should
be monitored?

A. Issuance of termination notice

B. Background checks

C. Release of paycheck

D. Security awareness program

6. For a new IT project, at which stage should the information security department first become involved?

A. Feasibility stage

B. Implementation stage

C. Design stage

D. Post-implementation stage

7. What is the best way for a data owner to determine what access and authorization should be provided to users?

A. The system administrator should have the authority to provide access

B. Access should be provided on the basis of user requests

C. Access should be provided on the basis of hierarchical preferences

D. Access should be provided according to business needs

8. What is the most important aspect to be considered when an employee is transferred to another function?
A. Reviewing and updating their access rights

B. Updating the job profile document

C. Conducting training for new assignments

D. Reviewing their performance in their last profile

9. An information security manager should have a thorough understanding of information technology primarily:

A. To ensure that IT staff cannot mislead the security manager

B. To implement new IT technology

C. To understand the IT budget

D. To understand IT issues to achieve adequate information security

Information Security Program Metrics


A metric is the measurement of a process used to determine how well it is performing. Security-
related metrics indicate how well controls are able to mitigate risks. For example, a system uptime
metric indicates whether the system is available to users as per the requirements. The following are
some examples of security-related metrics:
Percentage of critical servers for which penetration testing has been conducted

Percentage of high-risk findings closed within a month

Percentage of deviation from the information security policy

Percentage of computers having unsupported operating systems

Percentage of computers with updated patches

Average response time to handle incidents
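The following is an added example (not code from the book) that computes several of the metrics listed above from inventory, findings and incident records, and then performs the gap analysis described earlier in this chapter by comparing each metric with its control objective and reporting the shortfall. Each metric's numerator and denominator is spelled out in code so the result is consistent and unambiguous from one measurement to the next. All records, the 30-day closure window and the targets are constructed for illustration.

```python
"""Security metrics and gap analysis over constructed sample records.

Added example, not from the book. compute_metrics() derives several of the
chapter's example metrics; gap_analysis() compares each metric with its
control objective and reports the shortfall. All data and targets below
are constructed for illustration.
"""
from datetime import datetime, timedelta

# --- constructed sample records -----------------------------------------
SERVERS = [
    {"name": "srv-1", "critical": True, "pentested": True},
    {"name": "srv-2", "critical": True, "pentested": False},
    {"name": "srv-3", "critical": False, "pentested": False},
    {"name": "srv-4", "critical": True, "pentested": True},
]
FINDINGS = [  # "closed" is None while the finding is still open
    {"id": "F-1", "risk": "high", "opened": "2022-10-01", "closed": "2022-10-20"},
    {"id": "F-2", "risk": "high", "opened": "2022-10-05", "closed": "2022-11-20"},
    {"id": "F-3", "risk": "high", "opened": "2022-11-01", "closed": None},
    {"id": "F-4", "risk": "medium", "opened": "2022-10-01", "closed": "2022-10-02"},
    {"id": "F-5", "risk": "high", "opened": "2022-11-10", "closed": "2022-11-25"},
]
COMPUTERS = [
    {"host": "pc-1", "os_supported": True, "patched": True},
    {"host": "pc-2", "os_supported": True, "patched": False},
    {"host": "pc-3", "os_supported": False, "patched": False},
    {"host": "pc-4", "os_supported": True, "patched": True},
    {"host": "pc-5", "os_supported": True, "patched": True},
]
INCIDENTS = [
    {"id": "I-1", "reported": "2022-12-01T08:00:00", "responded": "2022-12-01T08:30:00"},
    {"id": "I-2", "reported": "2022-12-02T14:00:00", "responded": "2022-12-02T15:30:00"},
    {"id": "I-3", "reported": "2022-12-03T09:15:00", "responded": "2022-12-03T09:45:00"},
]
# Control objectives (constructed targets). "min": metric must be at least
# the target; "max": metric must not exceed it.
CONTROL_OBJECTIVES = {
    "critical_servers_pentested_pct": ("min", 100.0),
    "high_risk_findings_closed_within_30d_pct": ("min", 90.0),
    "unsupported_os_pct": ("max", 0.0),
    "patched_computers_pct": ("min", 95.0),
    "avg_incident_response_minutes": ("max", 60.0),
}


def pct(numerator, denominator):
    """Percentage rounded to one decimal; None when there is nothing to measure."""
    return None if denominator == 0 else round(100.0 * numerator / denominator, 1)


def compute_metrics(servers, findings, computers, incidents, window_days=30):
    """Compute the metrics with explicit numerators and denominators so the
    same inputs always give the same result (the consistency attribute)."""
    critical = [s for s in servers if s["critical"]]
    high = [f for f in findings if f["risk"] == "high"]
    window = timedelta(days=window_days)

    def closed_in_window(finding):
        if finding["closed"] is None:
            return False  # still open, so not closed within the window
        opened = datetime.fromisoformat(finding["opened"])
        closed = datetime.fromisoformat(finding["closed"])
        return closed - opened <= window

    response_minutes = [
        (datetime.fromisoformat(i["responded"])
         - datetime.fromisoformat(i["reported"])).total_seconds() / 60
        for i in incidents
    ]
    return {
        "critical_servers_pentested_pct": pct(sum(s["pentested"] for s in critical), len(critical)),
        f"high_risk_findings_closed_within_{window_days}d_pct":
            pct(sum(closed_in_window(f) for f in high), len(high)),
        "unsupported_os_pct": pct(sum(not c["os_supported"] for c in computers), len(computers)),
        "patched_computers_pct": pct(sum(c["patched"] for c in computers), len(computers)),
        "avg_incident_response_minutes":
            None if not incidents else round(sum(response_minutes) / len(incidents), 1),
    }


def gap_analysis(metrics, objectives):
    """Return {metric: shortfall} for every metric that misses its objective."""
    gaps = {}
    for name, (direction, target) in objectives.items():
        value = metrics.get(name)
        if value is None:
            gaps[name] = None  # cannot be monitored: itself an unacceptable state
        elif direction == "min" and value < target:
            gaps[name] = round(target - value, 1)
        elif direction == "max" and value > target:
            gaps[name] = round(value - target, 1)
    return gaps


if __name__ == "__main__":
    metrics = compute_metrics(SERVERS, FINDINGS, COMPUTERS, INCIDENTS)
    for name, value in metrics.items():
        print(f"{name:45s} {value}")
    print("gaps:", gap_analysis(metrics, CONTROL_OBJECTIVES))
```

A metric that cannot be computed (an empty denominator) is reported as a gap rather than silently shown as zero, reflecting the point made below that a control which cannot be monitored is itself an unacceptable risk. The gap dictionary is the input to the improvement step: each entry is a control objective not currently being met.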

Objective of Metrics
By using effective metrics, organizations evaluate and measure the achievement and performance of
various processes and controls. The main objective of a metric is to help management in decision-
making and to facilitate and track continuous improvement in the organization's security posture.

A metric should provide useful information to the relevant assessor so that informed decisions can be
made.

Monitoring
Metrics should be designed and developed in such a way that the results of controls can be
monitored. If controls cannot be monitored, it leads to unacceptable risks, which should be avoided.
Monitoring enables proper goal setting, progress tracking, benchmarking, and prioritizing.
Monitoring of metrics is fundamental to a successful security program.

Attributes of Effective Metrics


CISM aspirants should understand the following attributes for effective metrics:
Meaningful: Metrics should be meaningful for the recipient and should provide a basis for sound decision-making.

Consistent: Metrics should provide consistent results to make them comparable over time. They should provide the same results
under the same conditions each time they are measured.

In the absence of a consistent method, the results of the metrics may not be comparable, and trends
may be misleading. Consistency is important for reasonably accurate and reliable results.
Reliable: The source of input data and information should be genuine and reliable.

Accurate: Appropriate controls should be in place to ensure the accuracy of metrics.

Timely: Metrics are useful when available to the user on a timely basis to support them in their decision-making.

Predictive: To the extent possible, metrics should be able to indicate future events.

Unambiguous: Metrics should not be ambiguous. It is better not to have any information rather than to have unclear information.

Information Security Objectives and Metrics


The main objective of defining information security objectives is to measure the effectiveness of the
security program. A security manager should consider designing metrics for each of the security
objectives. In the absence of metrics, it will be difficult to determine the achievement of those
objectives. The success of an information security program is determined on the basis of the
achievement of security objectives.

Primarily, metrics should be based on the security objectives so they can provide a measure to
evaluate the effectiveness and efficiency of the information security program and its objectives.

A defined metric helps to measure the current state of affairs for different security objectives. This
trend can be used to determine improvements in the security program over time. If an organization is
unable to take measurements over time that provide data regarding key aspects of its security
program, then continuous improvement is difficult to monitor.

The main objective of implementing security controls is to minimize the adverse impacts of
incidents. A reduction in the impacts of security incidents indicates that security controls are
effective.

Useful Metrics for Management


Management is generally interested in metrics that indicate the overall effectiveness of the security
program. They need to determine whether the security program is headed in the right direction. They
need to know the overall trend of security compliance to provide appropriate oversight.

Executive management will be more interested in achieving control objectives as they are directly
linked to business objectives. The achievement of control objectives is the best metric for executive
management to evaluate the effectiveness of the security program.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the CISM exam perspective:

Question: What is the prime objective of having metrics?
Possible Answer: Decision-making. On the basis of effective metrics, organizations evaluate and measure the achievement and performance of various processes and controls. Effective metrics are primarily used for security-related decision-making.

Question: What is the main reason for defining information security objectives?
Possible Answer: To measure the effectiveness of a security program.

Question: What is the most significant attribute of a good information security metric?
Possible Answer: The metric should be meaningful to the recipient.

Question: What is the best indicator that security controls are performing effectively?
Possible Answer: A reduction in the impact of security issues.

Question: In which phase of the SDLC should metrics be designed to assess the effectiveness of the system over time?
Possible Answer: The design phase.

Question: What is the best metric for an information security manager to use to support a request to fund new controls?
Possible Answer: Incident trends and their impact.

Question: What is the most useful metric to determine the effectiveness of a log monitoring process?
Possible Answer: The percentage of unauthorized penetration attempts that are investigated.

Figure 5.13: Key aspects from the CISM exam perspective

Practice Question Set 7


1. Which of the following is the most effective method to determine the effectiveness of an incident response process?

A. Increase in incident response team size

B. Reduction in the number of open incidents

C. Reduction in the average response time for incidents

D. Increase in the number of incidents handled per year

2. What is the primary objective of defining information security objectives?

A. To measure the effectiveness of the security program

B. To compare with industry standards

C. To gain management support

D. To justify the security budget

3. What is the most important aspect to measure the effectiveness of continuous improvements of a program?

A. Program metrics

B. Adhering to the security budget


C. Aligning the organization's security standards with the international standards

D. Complying with regulatory requirements

4. What is the most important characteristic of an effective information security metric?

A. It is meaningful to the recipient

B. It is complete and accurate

C. It is consistent

D. It is cost effective

5. The effectiveness of security controls can be best indicated by:

A. A reduction in the impact of security issues

B. A reduction in the cost of implementing controls

C. A high percentage of staff attending the security training program

D. An audit report without significant findings

6. To determine the effectiveness of security controls, a review should be conducted of:

A. The information security policies

B. The risk management policies

C. The security metrics

D. The user access rights

7. Executive management will be more interested in:

A. Trends showing the number of servers compliant with security requirements

B. The number of servers compliant with the security requirements

C. The number of security patches applied

D. Trends showing the number of security patches applied

8. Executive management will be more interested in:

A. The total number of controls applied

B. The percentage of control objectives achieved

C. The number of control objectives included in the policy

D. The number of reported security incidents

9. During which phase of system development should information security metrics be developed?

A. Implementation

B. Testing
C. Design

D. Feasibility

10. The most effective metric to be conveyed to senior management for security funding is:

A. Adverse incident trend reports

B. Internal audit observations

C. Vulnerability assessment reports

D. Penetration test reports

11. What is the most important consideration for the development of an effective information security metric?

A. Correct reporting time

B. Relevance to the recipient

C. Correct and complete measurement

D. Cost of measuring the metric

12. What is the best way to determine whether a security program is achieving its objectives?

A. A reduction in incident impacts

B. Budget approval by senior management

C. Employees adhering to security policies and procedures

D. A decrease in incident reporting

13. What is the best method to resolve non-compliance with information security standards?

A. Conducting regular audits of non-compliant areas

B. Conducting continuous vulnerability scanning

C. Conducting regular security awareness training

D. Providing non-compliance reports to executive management at regular intervals

14. What is the most accurate method to determine the RoI for a security investment?

A. Using only quantifiable risks

B. Developing cost-effective processes

C. Measuring monetary values in a consistent manner

D. Considering the investment amount as profit

15. What is the most useful metric to determine the effectiveness of a log monitoring process?

A. Percentage of penetration attempts investigated

B. Number of logs captured


C. Number of log reports generated

D. Number of staff engaged in a review of logs

16. To measure and monitor the information security program, metrics should be based on:

A. Financial risk

B. Operational risk

C. Security objectives

D. Industry standards

17. The main objective of developing security-related metrics is:

A. To identify any security weaknesses

B. To adhere to the security budget

C. To enable continuous improvement

D. To improve security awareness

18. The most effective approach to improve the information security management process is to:

A. Perform security audits

B. Conduct penetration testing

C. Define and monitor the security metrics

D. Increase the security budget

19. The metric for measuring the effectiveness of antivirus software is primarily relevant to:

A. The steering committee

B. The board of directors

C. The IT managers

D. The information security manager

Summary
In this chapter, you obtained an overview of information security program development. This chapter
will help CISM candidates understand the methods, tools, and techniques important for developing
an effective and efficient security program. This chapter will also help the CISM candidate define an
information security program roadmap.

The next chapter will cover the management of an information security program.

Revision Questions
1. What is the most important factor to determine the appropriate levels of information asset protection?

A. A vulnerability assessment of assets

B. A feasibility study report

C. Classification of assets

D. Valuation of assets

2. Information asset classification helps to determine:

A. The vulnerability of assets

B. The impact of a compromise

C. The value of assets

D. The annual loss expectancy

3. What is the main reason for information asset classification?

A. To maximize the utilization of resources

B. To adhere to the IS policy

C. To determine IT capability

D. To determine the protection level

4. What is the most important factor to determine the classification of data?

A. An assessment of impact by the data owner

B. Requirements of the information security policy

C. The existing level of protection

D. An assessment of impact by the security manager

5. What is the most important factor in achieving proportionality in the protection of information assets?

A. Classification of assets

B. A vulnerability assessment

C. Change management

D. Security architecture

6. The classification of an asset is mostly based on:

A. Its business value

B. Its cost of acquisition

C. Its replacement cost

D. Its current market value


6

Information Security Program Management


In this chapter, you will learn about the practical aspects of information security program
management and the methods, tools, and techniques used for the management of an information
security program. This chapter will help CISM aspirants understand different types of cloud
computing services and study different types of controls.

The following topics will be covered in this chapter:


Information Security Control Design and Selection

Security Baseline Controls

Information Security Awareness and Training

Management of External Services and Relationships

Documentation

Information Security Program Objectives

Security Budget

Security Program Management and Administrative Activities

Privacy Laws

Cloud Computing

Information Security Control Design and Selection


Control is one of the most important elements of an information security program. A major part of
security management is the development, implementation, testing, and monitoring of controls. The
objective of implementing a control is to address risks by preventing, detecting, or correcting them.
An effective control provides reasonable assurance that the business objectives are achieved.
Figure 6.1: Information security control design and selection

Countermeasures
Countermeasures are a type of control implemented to address specific threats. They can be either
technical or non-technical. While the objective of general controls is to protect information assets
from all threats, countermeasures are put in place in response to specific threats. Countermeasures are
generally expensive and are implemented only when existing general controls cannot mitigate
specific threats. The following are some common examples of countermeasures:
Certain operating system commands can be disabled to address specific types of ransomware attacks.

Filtering all incoming emails may not be practical and will be expensive. In such a scenario, a countermeasure could be filtering
emails from known spammers.

It may not be possible to restrict mobile phones on an organization's premises. In such a scenario, a countermeasure could be
using cell phone jammers in sensitive areas.

Countermeasures can also be non-technical, such as incentives offered for providing information with respect to a specific attack.

Arranging specific security training sessions for employees who failed in a phishing exercise.

General Controls and Application-Level Controls


IT controls can be categorized as IT general controls (ITGCs) and IT application controls
(ITACs). ITGCs protect the entire IT system, which includes monitoring the network through
firewalls and IDSs, updating operating systems, the security of computer operations, and facility
security. ITGCs support the entire organization in a centralized manner.

ITACs are designed specifically for an application. Examples of ITACs include transaction-
processing controls, user access controls, and other application-specific controls.

A security manager must ensure the appropriate deployment of ITGCs and ITACs in such a way that
they both complement each other and do not overlap. Limitations of ITGCs should be addressed by
ITACs and vice versa. When general controls are weak, more emphasis should be placed on
application-level controls.

Control Categories
A security manager should evaluate the organization's current control environment to determine the
effectiveness, efficiency, and adequacy of the controls implemented. For effective control
management, the security manager should determine the following:
Whether controls are adequate

Whether controls have any scope for being bypassed

Whether controls are reviewed and tested

Whether segregation of duties is maintained

The security manager should also be aware of the following control categories:

Control category: Preventive
Description: The objective is to prevent an incident from occurring. Examples include locked doors, user authentication, and encryption.

Control category: Detective
Description: The objective is to detect an incident after it has occurred. Examples include auditing, IDSs, CCTV cameras, and checksums.

Control category: Corrective
Description: The objective is to correct errors or omissions caused by incidents. Examples include data backup and forward error control.

Control category: Deterrent
Description: The objective is to deter an event by providing warnings to attackers or intruders. An example is warning signs.

Control category: Directive
Description: The objective is to mandate behaviors by specifying dos and don'ts, for example, an acceptable usage policy (AUP).

Control category: Compensating
Description: The objective is to address the absence of controls or weak controls within a particular domain. An example is a weak physical control being compensated by stringent logical access control.

Figure 6.2: Categories of controls

Failure Modes – Fail Closed or Fail Open


Controls can be designed either to fail closed or fail open. The failure mode of controls impacts
safety, confidentiality, and availability. For example, in the case of the failure of an automatic door,
an organization can opt for fail open (door remains open) or fail closed (door remains closed). In the
case of fail open, confidentiality and integrity may be compromised, and in the case of fail closed,
availability and safety may be compromised. In such a situation, the risk is determined for each
element and a decision is made accordingly.

The safety of human life is always considered first. For example, even if a data center has highly
confidential data, a failure of physical access controls should not enable fail closed, which prevents
employees from exiting during an emergency.

Continuous Monitoring
Continuous monitoring is the process of monitoring compliance on an ongoing basis. The prime
objective of continuous monitoring is to provide immediate feedback about the performance of
servers, networks, and cloud environments. This helps to enhance operational, security, and business
performance.

A security manager should understand that implementing continuous monitoring is expensive. The
use of continuous monitoring may not always be feasible or practical, so it should only be used in
areas with the highest risk levels. Continuous monitoring is best deployed in areas where incidents
may happen frequently and/or have a high impact.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: Who is required to perform the day-to-day duties that ensure the protection and integrity of data?
Possible Answer: The data custodian (generally the system administrator).

Question: What is the most effective way to identify an application's backdoor?
Possible Answer: Source code review.

Question: What is the risk of "fail open" in the case of a control failure?
Possible Answer: Confidentiality and integrity may be compromised.

Question: What is the risk of "fail closed" in the case of a control failure?
Possible Answer: Availability and safety may be compromised.

Question: What is the most important activity in the development of an information security program?
Possible Answer: Control design and deployment.

Question: In which situations is continuous monitoring more cost effective?
Possible Answer: Situations where risk is high, that is, where incidents may have a high impact and frequency.

Figure 6.3: Key aspects from the CISM exam perspective

NOTE
The answers and explanations for all practice and revision questions for this chapter can be found via this link.

Practice Question Set 1


1. As an information security manager, you are required to emphasize corrective controls. What is the objective of a corrective
control?

A. To decrease the number of adverse events

B. To detect vulnerabilities
C. To mitigate impact

D. To promote adherence to policies

2. Who is responsible for performing routine duties required to ensure the protection of information?

A. The data owner

B. End users

C. The audit team

D. The data custodian

3. As an information security manager, you are required to identify and remove backdoors from a newly launched application. What
is the most effective method for this?

A. An internal audit

B. Penetration testing

C. A source code review

D. Antivirus software

4. What is the most effective deterrent control against employees misusing their privileges?

A. An internal audit

B. Log capturing and monitoring

C. A signed acceptable use policy

D. Two-factor authentication

5. An external security attack can be prevented by:

A. Analyzing system access logs

B. Conducting background verification of temporary staff

C. Performing a network address translation

D. Performing an internal audit

6. A data backup policy primarily includes:

A. Criteria for data backup

B. Responsibility for data backup

C. Procedures for data backup

D. A data backup schedule

7. A security manager is involved in the development of a system. In which phase should they finalize the access control and
encryption algorithm?

A. The feasibility stage


B. The procedural design stage

C. The system design specifications stage

D. The software development stage

8. What is the most effective method of removing data from tape media that is to be reused?

A. Multiple overwriting

B. Erasing the tapes

C. Burning the tapes

D. Degaussing the tapes

NOTE
Some modern media (such as hard disks and tape drives) may not be reused if degaussing overwrites the servo
pattern of the device.

9. Which of the following is an area of concern for implementing native database auditing?

A. Native database auditing may interfere with event logging

B. Native database auditing impacts the production database's performance

C. Native database auditing increases the security budget

D. Native database auditing makes configuration management more complex

10. Enabling database audit log functions will result in a risk of:

A. Degradation of performance

B. Database confidentiality being impacted

C. Database integrity being impacted

D. Configuration issues

11. Which of the following is an example of a corrective control?

A. Diverting the incoming traffic during a denial-of-service attack

B. Filtering the network traffic

C. Conducting a network audit

D. Logging network administrator activity

12. When should an application-level control be implemented?

A. When general controls are weak

B. When detective controls are to be implemented

C. When preventive controls are to be implemented

D. When corrective controls are to be implemented


13. A system administrator is entrusted with analyzing network events, taking appropriate action, and providing reports to the security
team. The following additional control will be most relevant for a risk-based review of network activities:

A. The activity of the system administrator should be monitored by a separate reviewer.

B. A system administrator should conduct an audit of their own activity on a monthly basis.

C. Monitoring should be done by members of the security team only.

D. Monitoring should be done by members of the steering committee.

14. Which risk will be applicable to a control that fails closed (secured)?

A. A risk to confidentiality

B. The risk of non-repudiation

C. A risk to integrity

D. A risk to availability

15. Which of the following primarily determines how a control is being implemented?

A. The security budget

B. Measuring capabilities

C. Training capabilities

D. Failure modes

16. An organization is using an electronic data interchange (EDI) system to get orders from its distributors. What is the most
effective way to ensure the authenticity of the orders received?

A. To conduct a background check on all distributors

B. To conduct a reasonableness check for all orders received from the distributor

C. To acknowledge the receipt of orders

D. To verify the sender's identity and determine whether orders are in accordance with the contract terms

17. What is the objective of segmenting a network?

A. To limit the consequences of a compromise

B. To reduce vulnerability

C. For better administrative vulnerability

D. To implement a data classification scheme

18. A control policy should primarily consider:

A. The risk of control failure

B. The safety of human life

C. The control monitoring process


D. Existing vulnerabilities

19. What is the most important activity in the development of an information security program?

A. Development of a security budget

B. Development of a security architecture

C. Development of a security team

D. Control design and development

20. Continuous monitoring is best employed:

A. In areas where incidents may have a high impact and high frequency

B. In areas where incidents may have a low impact and high frequency

C. In areas where regulation requires strong security controls

D. In areas where business is driven by an online system

Security Baseline Controls


The term "baseline" refers to basic requirements. A security baseline refers to an organization's
minimum basic requirements for security. The objective of implementing a security baseline
throughout an organization is to ensure that controls are consistently implemented as per the
acceptable risk levels. The baseline is set as per asset classification. For example, for critical
applications, it is mandatory to have at least two-factor authentication, whereas for non-critical
applications, it is mandatory to have at least one-factor authentication.

The following are the benefits of having a security baseline:


It helps to standardize the basic security requirements throughout the organization.

A baseline provides a point of reference against which improvements can be measured.

It helps to establish a uniform process of system hardening for similar types of systems.

Developing a Security Baseline


A security manager can refer to the following sources when developing a security baseline:
Different frameworks for security controls, such as NIST, COBIT, and ISO

Legal and regulatory requirements impacting the organization

Industry-specific requirements

Although the preceding references provide the necessary information for developing a security
baseline, the security manager should also consider the needs and priorities of the organization.
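The baseline described above can be encoded and checked mechanically, which also yields several of the security metrics listed earlier in this chapter (percentage of deviation from policy, percentage of computers with updated patches, percentage with unsupported operating systems). The following is an added example, not from the book; the baseline values other than the two-factor rule for critical applications, the asset inventory, and the field names are constructed assumptions.

```python
"""Check a constructed asset inventory against a per-classification security
baseline and derive compliance metrics from the result (added example)."""
from dataclasses import dataclass

# Hypothetical baseline keyed by asset classification. The two-factor
# requirement for critical applications follows the chapter's example; the
# patch-age and supported-OS thresholds are assumed values for illustration.
BASELINE = {
    "critical": {"min_auth_factors": 2, "max_patch_age_days": 30},
    "non-critical": {"min_auth_factors": 1, "max_patch_age_days": 90},
}


@dataclass
class Asset:
    name: str
    classification: str
    auth_factors: int      # number of authentication factors enforced
    patch_age_days: int    # days since the last patch cycle completed
    os_supported: bool     # vendor still supports the operating system


def deviations(asset, baseline=BASELINE):
    """Return the baseline requirements this asset fails (empty = compliant).

    Applying the same fixed rules on every run is what makes the resulting
    metric consistent and therefore comparable over time.
    """
    if asset.classification not in baseline:
        raise KeyError(f"{asset.name}: no baseline for '{asset.classification}'")
    req = baseline[asset.classification]
    found = []
    if asset.auth_factors < req["min_auth_factors"]:
        found.append(f"auth factors {asset.auth_factors} < {req['min_auth_factors']}")
    if asset.patch_age_days > req["max_patch_age_days"]:
        found.append(f"patch age {asset.patch_age_days} days > {req['max_patch_age_days']}")
    if not asset.os_supported:
        found.append("unsupported operating system")
    return found


def deviation_metrics(assets, baseline=BASELINE):
    """Compute percentage metrics over the inventory, rounded to one decimal."""
    total = len(assets)
    if total == 0:
        raise ValueError("an empty inventory yields no meaningful metric")
    non_compliant = sum(1 for a in assets if deviations(a, baseline))
    patched = sum(
        1 for a in assets
        if a.patch_age_days <= baseline[a.classification]["max_patch_age_days"]
    )
    unsupported = sum(1 for a in assets if not a.os_supported)
    pct = lambda n: round(100.0 * n / total, 1)
    return {
        "pct_deviating_from_baseline": pct(non_compliant),
        "pct_with_updated_patches": pct(patched),
        "pct_unsupported_os": pct(unsupported),
    }


# Constructed inventory: one compliant asset and three distinct deviations.
SAMPLE_ASSETS = [
    Asset("payroll-app", "critical", 2, 10, True),        # compliant
    Asset("erp-db", "critical", 1, 5, True),              # single factor on critical
    Asset("intranet-wiki", "non-critical", 1, 120, True), # patches too old
    Asset("legacy-kiosk", "non-critical", 1, 20, False),  # unsupported OS
]

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        gaps = deviations(asset)
        print(f"{asset.name:14} {'OK' if not gaps else '; '.join(gaps)}")
    print(deviation_metrics(SAMPLE_ASSETS))
```

Running the same check on each reporting cycle gives the trend data the chapter recommends for tracking improvement against the baseline.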
Key Aspects from the CISM Exam Perspective
The following are some key aspects from the exam perspective:

Question: What is the best way to define a minimum requirement for security?
Possible Answer: A security baseline.

Question: What is the best way to ensure a uniform security arrangement across the organization?
Possible Answer: A security baseline.

Question: What is the importance of an information security baseline?
Possible Answer: It mandates the minimum acceptable security to be implemented.

Figure 6.4: Key aspects from the CISM exam perspective

Practice Question Set 2


1. As an information security manager, you are required to implement a security baseline throughout the organization. What is the
primary advantage of an information security baseline?

A. It helps to identify sensitive information assets

B. It helps to design the security policy for the organization

C. It helps to define the minimum acceptable security required across the organization

D. It helps to design system controls

2. What is the most effective way to make sure that each application is complying with the organization's information security
requirements?

A. Conducting a vulnerability assessment

B. Implementing a security baseline

C. Using settings provided by a vendor

D. Conducting frequent user awareness training

3. What is the primary use of a security baseline?

A. To secure critical assets

B. To establish a uniform process of system hardening

C. To prioritize risk treatment

D. To develop an information security policy


4. What is the most effective way to determine the minimum requirements for an application's security setting?

A. Guidelines

B. Policies

C. A baseline

D. Procedures

5. What is the most effective method to handle regulatory and legal requirements in a multinational organization with operations in
different countries?

A. To prepare a list of aggregate requirements and mandate it for all locations

B. To prepare baseline requirements for all locations and add location-wise supplementary standards as per the local
requirements

C. To let each location decide on their own requirements

D. To let all locations agree on a standard set of requirements

6. Which of the following is the primary objective of a security baseline?

A. To improve the network bandwidth

B. To establish a uniform process of system hardening

C. To improve the security budget

D. To comply with privacy laws

Information Security Awareness and Training


Security awareness training is the most important element of an information security program. In the
absence of structured and well-defined security awareness training programs, the security program
will not be able to provide the desired results. It is not possible to address the security risks only
through technical security measures. It is important to address the behavior of employees through
continuous awareness training and education. Compliance with the requirements of the information
security policy is best ensured by education and improving the awareness of employees.
Figure 6.5: Human weakness

A security manager should consider the following aspects of security awareness training and
education:
The most effective way to increase the effectiveness of training is to customize it as per the target audience and address the
systems and procedures applicable to that particular group. For example, a system developer needs to undergo an enhanced level
of training that covers secure coding aspects, while data entry operators should only be trained on security aspects related to their
functions.

To address common user security concerns, a security awareness program should concentrate on password selection, acceptable
use of information resources, social engineering attacks, email safety, web browser safety, and so on.

For new joiners, a security awareness program should be part of the orientation program. It must be ensured that users have been
trained on the acceptable usage of information resources before any system or data access is provided. Security awareness training
and education is a continuous activity and should start from the point of joining the organization.

The following are some of the common mechanisms used for raising security awareness:

Classroom-based security awareness and training programs

Email-based security tips

Circulating security policies and procedures

Obtaining non-disclosure statements from users

Awareness raised through different media, such as the intranet, newsletters, posters, and login banners

Documented security-related job descriptions

Incentives for reporting suspicious events

Security-related simulation exercises

The security manager should design some quantitative evaluation criteria to determine the effectiveness of security training and
user comprehension, for example, quizzes or other types of assessments. One such metric could be the number of incidents
reported. Such incident reporting indicates the awareness level of the staff. An increase in incident reporting indicates that the
staff is paying more attention to security.
Security awareness training and education play an important role in changing an organization's culture toward security
consciousness. However, a security manager should understand that this is a gradual process and employees should be trained at
frequent intervals.

A security program should be launched through a top-down approach. A top-down approach means that commitment to the
success of security awareness should be seen from the senior management level. Support from senior management will ensure
enough resources are provided for the success of the program.

A security manager can obtain support from influential people within the organization to promote security awareness. Influential
people in the organization are employees with substantial authority and who have a greater interest in promoting the security
culture. They act as ambassadors for the security culture within their department and can bring significant change to the
organization's security culture.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the most important success factor to design an effective IT security awareness program?
Possible Answer: The customization of content as per the target audience.

Question: What is the most effective method to change an organization's culture to a more security-conscious one?
Possible Answer: Security awareness campaigns.

Question: When should security awareness training be provided to new employees?
Possible Answer: Before they have access to any system or data.

Question: What is the primary objective of a security awareness program?
Possible Answer: To influence employee behavior toward security consciousness, and to decrease security incidents.

Question: For which group of employees is ethics training primarily organized?
Possible Answer: Employees involved in monitoring user activity.

Figure 6.6: Key aspects from the CISM exam perspective

Practice Question Set 3


1. The prime responsibility of the human resources department for promoting information security is:

A. To allot the information security budget


B. To support the recruitment of the best technicians

C. To conduct periodic risk assessments

D. To conduct security awareness training for employees

2. As an information security manager, you are required to improve the effectiveness of the security training program. The most
effective method for this is:

A. To customize the content of the program as per the target audience

B. To emphasize more of the technical aspects of security

C. To conduct mandatory training for all senior management

D. To use industry-recognized training programs

3. What is the most effective way to improve an organization's culture in terms of security consciousness?

A. Documented security policies and procedures

B. Periodic audits of the organization's security posture

C. The steering committee

D. Security awareness campaigns

4. A security awareness program should primarily focus on:

A. The number of open incidents

B. The details of ongoing investigations

C. What employees should or should not do in the context of their job responsibilities

D. A cost-benefit analysis for establishing various controls

5. The most effective method to make the end user aware of their security responsibility at regular intervals is:

A. Logon banners displayed at every logon

B. Frequent security-related email messages

C. To make the security policy available on the organization's intranet

D. Periodic audits of end user behavior

6. The best time to provide security awareness training to a new employee is:

A. As and when the employee asks for training

B. Once the user becomes comfortable with the processes

C. Before access to data is provided

D. When a substantial number of new joiners are available

7. The main objective of a security awareness program is:


A. To comply with regulatory requirements

B. To influence employee behavior

C. To adhere to the security budget

D. To comply with the requirements of the standard

8. The effectiveness of a security awareness program can best be measured by:

A. A decrease in security violation reports

B. Some quantitative evaluation used to ensure user comprehension

C. The amount spent on security training

D. A reduced number of help desk requests

9. As an information security manager, you have been asked to select a third-party consultant for conducting a maturity assessment
of your organization's information security program. What should the primary consideration for the selection of the consultant be?

A. The methodology to be used in the assessment

B. The experience of the consultant

C. References from the industry

D. The fees charged by the consultant

10. The best method to improve the effectiveness of a security awareness program is:

A. Sufficient security budget

B. The number of employees covered

C. A top-down approach

D. The expertise level of trainers

11. The security awareness of employees can best be provided in a cost-effective manner by:

A. Incentivizing the employees' actions

B. User education and training

C. Heavy penalties for non-compliance

D. Setting up a help desk service

12. The deployment of security awareness and training materials for relevant users is the responsibility of:

A. The internal audit department

B. The business manager

C. The human resources department

D. The information security department


13. The fundamental component of any information security program is:

A. The encryption technology

B. Stringent access controls

C. Security awareness training

D. Automated access provisioning

14. A security awareness program for new staff with general operational duties generally includes:

A. A discussion on the constraints of the various security frameworks

B. A discussion on how to construct a strong password

C. A discussion on operating system vulnerabilities

D. A discussion on vulnerability assessment results

15. What is the most effective method to improve security awareness among employees?

A. Discuss industry-wide incident statistics.

B. Discuss different attack methods.

C. Implement a heavy penalty for non-compliance.

D. Continually reinforce the security policy.

16. What is the most effective method to improve the effectiveness of an information security program?

A. Increase the information security budget.

B. Obtain the service of security training from specialized external experts.

C. Conduct role-specific awareness training.

D. Conduct general online security awareness training for all staff.

17. The prime objective of a security awareness training program is:

A. To decrease the likelihood of information security incidents

B. To adhere to the security budget

C. To comply with regulations

D. To encourage compliance with policies

18. What is the prime objective of an information security awareness and training program?

A. To comply with security policies

B. To obtain support from senior management

C. To establish an organizational culture that is favorable to security

D. To define roles and responsibilities with respect to security


19. An organization receives a call, via voice over internet protocol (VoIP), from an employee of another branch asking for a
customer's information. What is the most effective way to authenticate this call?

A. Asking for the name and designation of the caller

B. Calling back the branch number listed in the office phone directory

C. Asking some business questions and if found genuine, providing the relevant information

D. Asking the caller to pass on the phone to their superior to validate the caller

20. The most important reason security awareness training is to be imparted at regular intervals is to address the change in:

A. The security budget

B. Information technology

C. Compliance requirements

D. Threats and vulnerabilities

Management of External Services and Relationships


Today, outsourcing services to a third-party vendor is a widely accepted practice for two major
reasons. One is the substantial cost saving; the other is that it allows the organization to
benefit from the services of experts in a specific field.

CISM aspirants should be aware of the following terms with respect to outsourcing:
Insourced: Activities performed by the organization's own staff

Outsourced: Activities performed by the vendor's staff

Hybrid: Activities performed jointly by staff from both the organization and the vendor

Onsite: Staff working onsite in the IT department

Offsite: Staff working from remote locations in the same geographical area

Offshore: Staff working from remote locations in different geographical areas

Evaluation Criteria for Outsourcing


CISM aspirants should understand the evaluation criteria for outsourcing any function. Certain
functions cannot be outsourced.

The following functions should not be outsourced:


The core functions of the organization

Roles that require specific expertise, procedures, and key resources that cannot be replicated externally or anywhere else

Functions that cannot be outsourced due to contractual or regulatory constraints

Outsourcing of functions can be done if the following apply:


The functions can be carried out by another party to the same level of quality or better, at the same price or lower, without
increasing risk.

The organization has sufficient experience in managing third parties working on its behalf.

Steps for Outsourcing


The following steps will help you determine whether outsourcing will enable the company to achieve
its desired goal considering the costs and risks involved:
1. Define the function to be outsourced: The organization should first define and determine the functions that need to be
outsourced. This step should also include a risk assessment for outsourcing any function.

2. Define a service-level agreement (SLA): Defining an SLA is a very important aspect of outsourcing. SLAs should be approved
by the legal, risk management, and compliance teams.

3. Determine the cost: Here, you need to determine the cost of outsourcing.

4. Conduct due diligence: Due diligence includes verifying the profile of the service provider, their market credibility, their
financial stability, their capability to serve on a long-term basis, and other relevant details.

5. Confirm contractual or regulatory requirements for outsourcing: It is of utmost importance to determine any regulatory and
contractual requirements when outsourcing any activity.

Once the contract is signed, the security manager should ensure that continuous vendor monitoring
processes and metrics are developed and implemented. This control will help identify and address
areas of concern.
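The monitoring step just described is easier to reason about with a concrete check. The following is an added example, not code from the book: it evaluates a service provider's monthly metrics against constructed SLA targets and reports, per period, which clauses were breached and which metrics the provider failed to report at all. The metric names, thresholds and observations are all invented for the illustration.

```python
# Added example (not from the book): evaluating a service provider's
# monthly monitoring metrics against SLA targets. All targets, metric
# names and observations below are constructed for illustration.
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class SlaTarget:
    metric: str             # name of the monitored metric (assumed name)
    threshold: float        # contractual target value
    higher_is_better: bool  # True for availability, False for response times


@dataclass(frozen=True)
class Observation:
    period: str   # reporting period, e.g. "2023-02"
    metric: str
    value: float


# Hypothetical SLA clauses agreed with the provider.
SLA_TARGETS = (
    SlaTarget("availability_pct", 99.5, True),
    SlaTarget("incident_response_hours", 4.0, False),
    SlaTarget("critical_patch_days", 14.0, False),
)

# Constructed monitoring data for three reporting periods.
OBSERVATIONS = (
    Observation("2023-01", "availability_pct", 99.8),
    Observation("2023-01", "incident_response_hours", 3.0),
    Observation("2023-01", "critical_patch_days", 10.0),
    Observation("2023-02", "availability_pct", 99.2),
    Observation("2023-02", "incident_response_hours", 6.5),
    Observation("2023-02", "critical_patch_days", 12.0),
    # In 2023-03 the provider reported only availability.
    Observation("2023-03", "availability_pct", 99.9),
)


def is_breach(target: SlaTarget, value: float) -> bool:
    """True when the observed value fails the contractual target."""
    if target.higher_is_better:
        return value < target.threshold
    return value > target.threshold


def sla_report(observations, targets):
    """Per period: which metrics breached the SLA and which were not reported.

    Missing evidence is tracked separately because a provider that stops
    reporting a metric is as much an area of concern as one that breaches it.
    """
    by_metric = {t.metric: t for t in targets}
    seen = defaultdict(set)
    breaches = defaultdict(list)
    for obs in observations:
        target = by_metric.get(obs.metric)
        if target is None:
            continue  # monitored, but not an SLA clause
        seen[obs.period].add(obs.metric)
        if is_breach(target, obs.value):
            breaches[obs.period].append(obs.metric)
    report = {}
    for period in sorted(seen):
        missing = sorted(set(by_metric) - seen[period])
        report[period] = {"breaches": sorted(breaches[period]), "missing": missing}
    return report


def periods_needing_escalation(report):
    """Periods with any breach or any unreported SLA metric."""
    return [p for p, r in report.items() if r["breaches"] or r["missing"]]


if __name__ == "__main__":
    rep = sla_report(OBSERVATIONS, SLA_TARGETS)
    for period, result in rep.items():
        print(period, result)
    print("escalate:", periods_needing_escalation(rep))
```

With the constructed data, January is clean, February breaches the availability and response-time clauses, and March is flagged because two SLA metrics were never reported. Treating missing evidence as a finding in its own right is the point of the separate "missing" list.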

Outsourcing – Risk Reduction Options


The security manager should be involved in the third-party management process from the beginning
of the selection process, which is when the business is defining what it needs. This will ensure that all
security requirements are considered in the initial phase to reduce any outsourcing risks. The
following are important aspects for reducing the risk related to outsourcing:
Including a requirement for achievable outputs in the SLA

Using an escrow arrangement for software assets

Using multiple suppliers to lower the risk of dependence

Periodic reviews of performance

Building a cross-functional contract management team

Setting up appropriate controls for any anticipated contingencies

Provisions for Outsourcing Contracts


SLAs serve as a monitoring tool for the outsourcing process. They should contain at least the
following clauses:
Requirements for achievable outputs

Confidentiality, integrity, and availability (CIA) requirements for resources, systems, and data

Confidentiality agreements to protect both parties

A right-to-audit clause

Business continuity and disaster recovery provisions

Intellectual property rights

The Security Manager's Role in Outsourcing


The following are some of the important functions of the security manager when monitoring
outsourced activities:
To review service-level contracts at periodic intervals

To review documented procedures and outcomes of the outsourcer's quality assurance programs

To periodically check that the processes and procedures comply with the organization's quality standards

Service-Level Agreements
The most important contractual element when contracting with an outsourcer to provide a service is
the SLA. The SLA defines the level of service expected from a service provider and apart from the
operational parameters, it also includes security-related clauses such as adherence to security
requirements, penalty clauses, indemnity clauses, and right-to-audit clauses.

The security manager can enforce security requirements only if the contract mandates compliance
with the information security policy. An SLA ensures that the service provider is contractually
obliged to comply with the requirements of the service receiver. This protects both organizations.

Right-to-Audit Clause
A right-to-audit clause in a contract is essential to ensure contract compliance. The absence of a
right-to-audit clause would prevent the organization from determining the security arrangement of
the service provider. Furthermore, the organization would not have any assurance about contractual
and legal compliance from the service provider.

Periodic auditing is the most effective method to ensure that the service provider is complying with
the security requirements of the service receiver. The SLA should include clauses with respect to the
right to audit the systems and processes of the service provider. The service provider may not allow
the service receiver to audit them directly. In such cases, there should be a provision to assess
compliance by an independent auditor. If such a provision is not included in the agreement, then the
service receiver has no way to ensure compliance or proper handling of their data.

Impact of Privacy Laws on Outsourcing


Privacy is the right of the individual to demand the utmost care for their personal information that has
been shared with any organization or individual. Individuals can demand that their information be used
appropriately, legally, and only for the specific purpose for which it was provided. Non-compliance
with any privacy requirement may lead to legal consequences.

Security managers need to ensure that applicable privacy laws are adhered to before sharing
personally identifiable data with a third-party service provider.

Subcontracting/Fourth Party
Subcontracting is a term used when a service provider also outsources the task to another entity.

The SLA should specifically restrict subcontracting to a fourth party. If business requirements make
subcontracting necessary, the security manager should consider its risks. In cases of subcontracting,
the service receiver generally has no control over the fourth party. The subcontracting process must
be thoroughly reviewed when it involves sharing critical data.

Compliance Responsibility
The service receiver retains the responsibility for ensuring compliance with regulatory requirements.
The service receiver is deemed to be the owner of the data and responsible for its safe custody. If the
service provider fails to safeguard the data, the authorities will generally hold the service receiver
responsible for non-compliance and take appropriate action, including penalties.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the primary objective of outsourcing?
Possible answer: To obtain the services of expert firms and to save costs

Question: What is the primary concern about outsourcing to offshore locations?
Possible answer: Privacy laws and regulatory requirements

Question: What is the primary function of IT management when a service has been outsourced?
Possible answer: To monitor the outsourcing provider's performance

Question: What is the best way to determine whether the terms of the contract are adhered to in accordance with the SLA?
Possible answer: Independent audit

Question: What is the primary requirement for the development of software from a vendor?
Possible answer: Escrow arrangements for the source code

Question: What is the primary risk of subcontracting?
Possible answer: The requirement to protect information may be compromised

Question: What is the most important contractual element when contracting with a service provider?
Possible answer: The SLA

Question: What is the best way to ensure the ongoing security of outsourced IT services?
Possible answer: To conduct regular security audits and reviews of the third-party provider

Question: What is the most important reason for a security manager to review the outsourcing contract?
Possible answer: To help ensure that appropriate controls are included

Question: At what point should information security become involved in the vendor management process?
Possible answer: At the initial stage when requirements are being established

Question: What should the next step of a security manager be, once the contract with the service provider is effective?
Possible answer: To establish the processes and metrics for monitoring the service provider

Question: What should the first step be when making a decision to allow access to a new external party?
Possible answer: To conduct a risk assessment

Question: To address the resolution of an operational issue, what is the most important aspect to include in an SLA?
Possible answer: Defined responsibilities

Question: What is the most effective method to ensure that no backdoor code is implemented when an application is developed by a third party?
Possible answer: To conduct security code reviews for the entire application

Figure 6.7: Key aspects from the CISM exam perspective

Practice Question Set 4


1. As an information security manager, you are reviewing an outsourcing arrangement. Which of the following is the most critical
contractual element?

A. A penalty clause

B. An indemnity clause

C. A service level agreement

D. A right-to-terminate clause

2. The information security policy of an organization requires independent assessment for all third parties associated with the
organization. In the contract, the security manager should ensure the inclusion of:

A. A right-to-audit clause

B. An indemnity clause

C. The requirement for a firewall

D. The requirement for an exclusive security manager

3. As an information security manager, you are reviewing your organization's relationship with some third-party service providers.
Your most important consideration should be:

A. The outsourcing arrangement should be within the approved budget.


B. The availability of a business continuity arrangement.

C. Whether the service provider is contractually obliged to follow all relevant security requirements.

D. Obtaining industry references for the service provider.

4. What is the most effective method to ensure an ongoing security arrangement with a third-party service provider?

A. Conducting continuous security awareness programs for the employees of the third-party service provider

B. Conducting regular security reviews of the third-party service provider

C. Increasing the contract rate every year

D. Including security requirements in the service contract

5. Which of the following should be included in an SLA to ensure that the confidentiality requirement is complied with by the third-
party service provider?

A. An access control matrix

B. The security budget

C. An authentication mechanism

D. The encryption strength

6. What is the most important aspect a security manager should consider while entering into an agreement with a third-party service
provider?

A. The contract rate being approved by the security steering committee

B. The contract should include a confidentiality clause

C. The contract should mandate that the service provider complies with the organization's security requirements

D. The contract should mandate that the service provider conducts regular security audits

7. A third-party service provider is handling sensitive customer data. The security manager is most likely to be interested in:

A. The security arrangement for stored and transmitted sensitive data

B. Adherence to industry benchmarks

C. The implementation of security technologies

D. Adherence to operational processes

8. An organization shares critical data with a third-party service provider for processing. The security manager should primarily
ensure that the data classification requirements of the organization are:

A. Aligned with the requirements of the third-party service provider

B. Communicated to the third-party provider

C. Included in the training module

D. Included in the contract


9. The best method to ensure that outsourced service providers comply with the organization's information security policy would be:

A. To obtain periodic reports from the service provider

B. To conduct periodic meetings with the manager of the service provider

C. To conduct periodic audit reviews of the service provider

D. To include performance parameters in the service level agreement

10. Before executing the contract, it should be reviewed by the information security manager to:

A. Ensure that operational issues are clearly defined

B. Ensure that the contract rate is within the approved budget

C. Ensure that appropriate controls are included

D. Ensure that the right-to-audit clause is included

11. An organization is unable to convince one of its major trading partners to comply with its own security requirements. What is the
best course of action for the security manager?

A. Ask the trading partner to sign a legal agreement to own all liability for any breach

B. Revoke all connection and access rights of the trading partner

C. Implement a firewall to restrict network traffic from the trading partner's location

D. Continue issuing periodic reminders to comply with the security requirements

12. The most important factor before outsourcing customer relationship management to a third-party service provider is:

A. Conducting a background check of the service provider's employees

B. Conducting a risk assessment to determine the required controls

C. Conducting a security assessment to determine the security vulnerabilities

D. Conducting an audit of the third-party service provider to determine their controls

13. From a security perspective, the most important aspect that needs to be negotiated with a third-party service provider is:

A. The right to conduct an independent security review

B. The right to carry out background verification of the third party's employees

C. The right to encrypt the data transmission between the organization and the service provider

D. The right to conduct a joint risk assessment of the system

14. An information security manager should be involved in an outsourcing arrangement:

A. At the time of contract negotiation

B. As and when business units require assistance

C. When requirements are being established

D. Only when there is a security incident


15. An organization has provided access to its system to a supplier to remotely access important business data. The most effective
method to ensure that the supplier does not improperly access or modify the database is:

A. Limiting user access rights

B. Implementing two-factor authentication

C. Implementing biometric access control

D. Conducting user awareness training

16. From a security perspective, the most important aspect of outsourcing a critical process to a third-party service provider is:

A. Compliance with international standards

B. Implementing two-factor authentication

C. Availability of an alternative processing site

D. Adherence to the organization's information security requirements

17. A request for proposal (RFP) for the selection of a third-party service provider is to be issued:

A. Prior to the project's feasibility stage

B. After due diligence of the service provider

C. Prior to developing a project budget

D. Prior to the business case stage

18. What should the next step of the information security manager be after the contract has been signed with a third-party service
provider for IT support services?

A. To establish the process for monitoring the service provider

B. To define the roles and responsibilities of the service provider

C. To finalize the contract rate

D. To get the service provider to sign a non-disclosure agreement

19. When sensitive data is stored at a third-party location, the security manager will require:

A. Assurances that the third party will comply with the requirements of the contract

B. Background checks of the employees of the third party

C. Frequent security training of all third-party employees

D. Periodic review of the security policy

20. Which of the following is the area of most concern for a security manager when payroll processes are outsourced to a third-party
service provider?

A. Whether a cost-benefit analysis has been conducted

B. Whether privacy requirements are complied with

C. Whether secure data transfer has been ensured


D. Whether a background reference for the service provider has been obtained

Documentation
Structured documentation regarding risk management policies, standards, registers, and other
relevant processes is of utmost importance for the effective management of risk. The need and
process for documentation should be defined in the risk management policy, strategy, and program.
Generally, the following aspects of risk management processes should be documented:
Risk register: A risk register should include details such as the following:

The source and nature of known risks

Risk owners

Risk ranking and severity

Risk score

Details about existing controls and additional recommendations

Asset inventory: An asset inventory should include details such as the following:

A description of assets

Asset owners

Asset classifications

Risk mitigation and action plan: It should include details such as the following:

The mitigation plan

The responsibility for mitigation

The timelines for mitigation

Results of risk monitoring: This should include the following:

The monitoring process

The results of the monitoring process, such as audit reports and security review reports

The closure status of recommendations

All the documents should include the appropriate version control, classification level, document
owner and approver, revision date, and number.
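To make the register and its metadata concrete, here is an added example that is not part of the book: a minimal risk register holding the document metadata and entry fields listed above, with a validation routine that flags the omissions a reviewer would reject (no risk owner, out-of-range ratings, a high-severity risk with no recommendation) and a ranking by score. The field names, the score formula (likelihood multiplied by impact) and the severity bands are assumptions made for the illustration; the book does not prescribe them.

```python
# Added example (not from the book): a minimal risk register with the
# document metadata and entry fields the section lists. Field names, the
# score formula (likelihood x impact) and the severity bands are assumptions
# made for this illustration.
from dataclasses import dataclass, field
from datetime import date
from typing import List


@dataclass
class DocumentMetadata:
    version: str
    classification: str
    owner: str
    approver: str
    revision_date: date
    revision_number: int


@dataclass
class RiskEntry:
    risk_id: str
    source: str
    nature: str
    owner: str
    likelihood: int                # assumed 1..5 scale
    impact: int                    # assumed 1..5 scale
    existing_controls: List[str] = field(default_factory=list)
    recommendations: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def severity(self) -> str:
        # Assumed bands; an organization defines its own.
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


@dataclass
class RiskRegister:
    metadata: DocumentMetadata
    entries: List[RiskEntry]


def validate_register(register: RiskRegister) -> List[str]:
    """Return the problems that would make the register unfit for review."""
    problems = []
    m = register.metadata
    for name in ("version", "classification", "owner", "approver"):
        if not getattr(m, name):
            problems.append(f"metadata: {name} is missing")
    seen = set()
    for e in register.entries:
        if e.risk_id in seen:
            problems.append(f"{e.risk_id}: duplicate risk id")
        seen.add(e.risk_id)
        if not e.owner:
            problems.append(f"{e.risk_id}: no risk owner")
        for attr in ("likelihood", "impact"):
            v = getattr(e, attr)
            if not 1 <= v <= 5:
                problems.append(f"{e.risk_id}: {attr} {v} outside 1..5")
        if e.severity == "high" and not e.recommendations:
            problems.append(f"{e.risk_id}: high severity but no recommendation")
    return problems


def ranked(register: RiskRegister) -> List[str]:
    """Risk ids ordered from highest to lowest score (ties broken by id)."""
    return [e.risk_id for e in sorted(register.entries, key=lambda e: (-e.score, e.risk_id))]


# Constructed sample register; every value below is invented.
SAMPLE = RiskRegister(
    metadata=DocumentMetadata("1.2", "internal", "Risk Manager", "CISO", date(2023, 3, 1), 3),
    entries=[
        RiskEntry("R-001", "phishing", "credential theft", "IT Ops", 4, 4,
                  ["awareness training", "MFA"], ["phishing simulation"]),
        RiskEntry("R-002", "vendor outage", "loss of availability", "Procurement", 2, 5,
                  ["SLA with penalties"], []),
        RiskEntry("R-003", "unpatched server", "compromise", "", 3, 3,
                  ["monthly patching"], []),
    ],
)

if __name__ == "__main__":
    print("ranking:", ranked(SAMPLE))
    print("problems:", validate_register(SAMPLE))
```

Running the sample ranks R-001 first and reports a single problem, the missing owner on R-003, which is exactly the kind of gap a register review is meant to catch before the document is approved.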

Though the process of documentation is not easily adopted by end users, the security manager needs
to gradually develop a culture for this.
Figure 6.8: Documentation

Generally, documentation is considered an additional burden by employees. Security managers need
to highlight the benefits of having the right documentation.

Information Security Program Objectives


The security manager should understand the following objectives of the security program while
implementing it:
Providing maximum support to business functions

Minimizing operational disruptions

Implementing the strategy in the most cost-effective manner

After establishing the objectives, key goal indicators (KGIs) to reflect these objectives should be
developed. After developing the KGIs, the next step is to determine the current state of security. The
current state is compared with the established objectives and any gaps identified are addressed to
improve the security processes.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: A security policy should be closely aligned with:
Possible answer: Organizational needs

Question: What is the best method to evaluate the return on security investment?
Possible answer: By determining the extent of support to business objectives

Question: What is the most important step before implementing a security policy?
Possible answer: Obtaining sign-off from all stakeholders

Figure 6.9: Key aspects from the CISM exam perspective

Practice Question Set 5


1. As an information security manager, you noted that senior management is dissatisfied with the current state of information
security. To address this, you should align the security strategy with:

A. The industry benchmark

B. The business strategy

C. Technology advancement

D. User awareness

2. A security policy should be most closely aligned with:

A. Industry-recognized practices

B. Organizational needs

C. International standard organization

D. Legal requirements

3. Before implementing a security strategy, it is most important to:

A. Communicate with the IT department

B. Train all end users

C. Determine the technology to be used

D. Obtain sign-off from all stakeholders

Security Budget
Budgeting plays a significant role in the effective implementation of an information security
program. The availability of adequate security personnel and other security resources is dependent on
the security budget. An information security manager should be familiar with the budgeting process
and methods used by the organization.

Primarily, the security budget is derived from and supported by the information security strategy.
Before seeking approval for the budget, the security manager should ensure that senior management
has approved the strategy and that there is consensus from the other business units. This is a key
element in a successful budget proposal.

Apart from routine expenditure, the budget should also consider unanticipated costs. Expenditure in
the area of incident response is generally difficult to predict. A security manager may need to obtain
external services to support the incident response process where the organization does not have the
necessary skills or bandwidth. The best approach to budgeting for this kind of situation is to use
historical data on incidents and their related expenditure. If this information is not available, a
security manager may rely on statistics from peer organizations to arrive at a reasonable budget.

Adequate funding for information security is the biggest challenge for a security manager. When
funds are inadequate, the best option is to allocate those resources that are available to the areas of
highest risk and, at the same time, to educate management about the potential impact of
underfunding.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the primary basis for the prioritization of security spending and budgeting?
Possible answer: Level of risk

Figure 6.10: Key aspects from the CISM exam perspective

Practice Question Set 6


1. Awareness for security funding should be raised by:

A. The chief financial officer

B. The chief information officer

C. The information security manager

D. The business process management


2. What is the best approach for a security manager who does not have adequate funding for a security program?

A. Discontinuing low-priority security controls

B. Asking management to accept unaddressed risks

C. Prioritizing risk mitigation and educating management

D. Reducing reliance on technology and performing more manual processes

3. As an information security manager, you should prioritize the security budget primarily on the basis of:

A. The identified levels of risk

B. Incident trends

C. Your own discretion

D. Industry benchmarking

Security Program Management and Administrative Activities

Information security program management includes activities to direct, monitor, and control
procedures related to information security. It includes both short-term and long-term planning for the
achievement of the organization's security objectives. A security manager should ensure that the
security program supports the requirements of management. In most organizations, a security
manager is responsible for executing the security program. An information security steering
committee that consists of senior leadership from the relevant functions of the organization is
responsible for ensuring that the security objectives are aligned with the business objectives. Senior
management represented in the security steering committee is in the best position to support and
advocate the information security program. The role of the steering committee, as well as the security
manager, is of utmost importance to ensure that security resources are utilized in an optimized
manner. It is the responsibility of the CEO and senior management to support the security initiatives
and provide adequate resources and authority to ensure that objectives can be achieved.

A security program should be aligned with the programs of other assurance functions to ensure that
roles and responsibilities are not overlapping and at the same time that there are adequate controls to
protect the information assets of the organization.

The information security manager is required to be well versed in major security frameworks and
international standards such as ISO 27001 and COBIT and should be able to implement these as per
the requirements of the organization. A framework is generally dependent on the structure, culture,
and business objectives of the organization.
The most effective way for an information security manager to perform their responsibilities is to act
as a facilitator or consultant to help address any issues that impact the business objectives. They
should be able to understand the impact of security on the organization's performance level. There is
no use in implementing heavy security if it degrades performance drastically. A security manager is
required to resolve competing objectives between security and performance. As a facilitator and
consultant, the security manager is likely to achieve support from senior management, which
improves the effectiveness of the security program.

Information Security Team


For the effective implementation of a security program, the most important element is the availability
of skilled personnel. An information security team generally includes security engineers, quality
assurance and testing specialists, access controllers, project managers, security architects, ethical
hackers, security trainers, and security auditors. Each team member should have the appropriate
technical and administrative skills in accordance with their job functions. Skills usually come in the
form of education, expertise, and experience held by the individual. These skills should be mapped
with the required job functions.

Figure 6.11: Information security skills


A security manager should ensure that each security team member possesses and maintains relevant
skills.
Roles and Responsibilities
A role is a designation assigned to an individual in accordance with their job function.
Responsibilities refer to a set of actions an individual is required to perform. For instance, a system
administrator is a role and this person's responsibilities include assigning access to the system,
monitoring system performance, ensuring backup schedules, and so on.

Clear and documented details of roles, responsibilities, and accountability are necessary to ensure the
effective implementation of an information security program.

Role-based access control (RBAC) is very important from a security perspective. Access rights are attached
to roles, and an individual receives the access of the roles assigned to them rather than permissions
granted one by one. This helps ensure that access is provided on a need-to-know basis only, that
conflicting duties can be kept in separate roles, and that access is easy to review and to revoke when a
person's role changes or ends.
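
The following Python script is an added illustration of role-based access with need-to-know and segregation of duties; it is not code from the book. The roles, permissions, users, and conflicting-role pairs are constructed for the example, and in practice they come from the organization's job functions and its own segregation-of-duties matrix. It also shows the termination step referred to later in this chapter: stripping every role so that all logical access disappears at once.

```python
"""Role-based access control with need-to-know and segregation-of-duties (SoD)
checks. Added illustration for this section: the roles, permissions, users and
conflicting-role pairs below are constructed, not taken from a real organization."""
from dataclasses import dataclass, field

# Role -> permissions. A permission is "resource:action"; users never hold
# permissions directly, only through roles, so access can be reviewed per role.
ROLE_PERMISSIONS = {
    "system_administrator":   {"server:configure", "server:monitor", "backup:schedule"},
    "security_administrator": {"acl:update", "log:review"},
    "data_custodian":         {"db:backup", "db:restore"},
    "accounting_user":        {"ledger:read", "ledger:post"},
    "accounting_approver":    {"ledger:read", "ledger:approve"},
    "developer":              {"test_module:read"},
}

# Role pairs one person must never hold at the same time (assumed SoD matrix):
# whoever posts ledger entries must not approve them, and whoever runs systems or
# writes code must not also maintain the access control list.
SOD_CONFLICTS = {
    frozenset({"accounting_user", "accounting_approver"}),
    frozenset({"system_administrator", "security_administrator"}),
    frozenset({"developer", "security_administrator"}),
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True


def permissions_for(user):
    """Effective permissions: union of the user's roles; none once deactivated."""
    if not user.active:
        return set()
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, permission):
    return permission in permissions_for(user)


def sod_violations(roles):
    """Conflicting role pairs contained in the given role set."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= roles)


def assign_role(user, role):
    """Grant a role only if it exists and introduces no SoD conflict.
    Returns the list of conflicts that blocked the grant (empty when granted)."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role {role!r}")
    conflicts = sod_violations(user.roles | {role})
    if not conflicts:
        user.roles.add(role)
    return conflicts


def terminate(user):
    """On termination, remove all logical access: deactivate and strip every role."""
    user.active = False
    user.roles.clear()
    return permissions_for(user)


if __name__ == "__main__":
    alice = User("alice", {"accounting_user"})
    print(is_allowed(alice, "ledger:post"), is_allowed(alice, "ledger:approve"))
    print(assign_role(alice, "accounting_approver"))   # blocked by SoD
    bob = User("bob", {"system_administrator"})
    print(assign_role(bob, "security_administrator"), terminate(bob))
```

Because permissions are only reachable through roles, a periodic access review reduces to two questions: does each role still carry only the permissions its job function needs, and does any user hold a conflicting pair of roles.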
External Resources
Many organizations obtain external resources (both external staff and outsourced resources) to help
manage their information security program. It is of utmost importance to conduct a cost-benefit
analysis before appointing any external resources. External resources are generally preferred where
skill is required for a short time or for specific projects.

Acceptable Usage Policy


An acceptable usage policy (AUP) is a summary of information security policy and procedures and
includes all the details about the acceptable usage of information resources in a user-friendly manner.
It helps to effectively communicate the dos and don'ts for improving the security posture of the
organization.

Security managers need to ensure that an AUP is made available to all end users and that it is read
and understood. An AUP generally includes information about access controls, information
classification, document handling, incident reporting procedures, and other requirements related to
end users. An AUP provides the general security baseline for the entire organization.

Documentation
The documentation of security policies and procedures helps to ensure that security procedures are
repeatable and sustainable. A security manager is required to provide oversight over the creation and
maintenance of security-related documentation. For better handling of documents, it is recommended
to assign an owner for each document. The document owner is responsible for updating the
documents as per the defined procedures of approval and review. The document owner is also
responsible for safeguarding the document in accordance with its classification level.

A defined process should be in place for the creation, approval, change, maintenance, distribution,
and expiration of the document. Each document should have the appropriate classification and
labeling to ensure that it is handled and distributed in a secure manner.

Also, document version control is an important element to ensure the integrity of the document and
that all recipients are using the current documentation.

Project Management
A security manager should ensure that security-related projects are appropriately managed in
accordance with the generally accepted project management techniques. Each major project should
have defined goals, completion timelines, processes for measuring the progress and adherence to
budget, assigned responsibilities, and other elements of project management. This will increase the
effectiveness of all security-related projects.

In the case of a large organization with multiple projects, the security manager should have a
documented portfolio of the projects so they can determine the progress of each project. A project's
portfolio will help to determine the priorities for each project and ensure that projects do not overlap,
resources are appropriately allocated, and progress is continuously monitored.

Program Budgeting
Budgeting plays a significant role in the effective implementation of an information security
program. The availability of adequate security personnel and other security resources is dependent on
the security budget. An information security manager should be familiar with the budgeting process
and methods used by the organization.

Primarily, the security budget is derived from and supported by the information security strategy.
Before seeking approval for the budget, the security manager should ensure that senior management
has approved the strategy and other business units have a consensus on it as well. This is a key
element of a successful budget proposal.

Apart from routine expenditure, the budget should also consider unanticipated costs. Generally, in the
area of incident response, it is difficult to predict expenditure. A security manager may need to obtain
external services to support the incident response processes where the organization does not have the
necessary skills or bandwidth. The best approach to a budget for this kind of situation is to use the
historical data of incidents and the related expenditure. If this information is not available, the
security manager may rely on statistics from a peer organization to arrive at a reasonable budget.

Adequate funding for information security is the biggest challenge for a security manager. When
funds are inadequate, the best option is to allocate the available resources to areas of highest risk and
at the same time educate management about the potential impact of underfunding.

Plan – Do – Check – Act


To ensure effective and efficient management of the information security program, a security
manager should apply the four steps of the Plan-Do-Check-Act cycle used in total quality management (TQM):
Plan: Structured planning is the most important element for the success of any program. Planning includes developing a strategy
to achieve the program objectives and scheduling the different activities of the program.

Do: Execute the strategy as per the plan.

Check: Monitor the progress of the program and determine the areas of improvement. This requires the development of various
metrics that indicate the progress or otherwise of the program.

Act: Take action and address the risks and other irregularities identified by the monitoring processes.

The TQM approach helps in the effective and efficient management of security processes with
continuous improvement.

Security Operations
A security manager should consider the following aspects of security operations to improve the
effectiveness and efficiency of an information security program:
A security manager should ensure that the security monitoring processes, such as scanning, testing, and auditing, do not interrupt
any running production process.

Patches should be applied promptly once important updates are released and have been tested. The patch management process should
include appropriate testing and approval steps.

It is highly recommended to update the antivirus signature files daily. New malware variants appear at least that often, so if
signature files are not updated daily, the organization is exposed to attacks that its antivirus cannot yet recognize. The
effectiveness of antivirus software primarily depends on the virus signatures stored in its definition files.

The most effective way to verify that all critical systems are utilizing up-to-date virus signature files
is to check sample systems and ensure that the signature files installed are the latest ones.

For antivirus software to be effective, it must be easy to maintain and must be updated frequently to
address new viruses.
A security manager should take adequate steps to protect the wireless network. Strong encryption is the most effective method to
secure a wireless network as a point of entry into a corporate network.

The implementation of monitoring products such as firewalls, IDSs, and antivirus may slow down the performance of the systems
and networks. It can have a major impact on system overheads for servers and networks.

Overhead refers to excess or indirect utilization of computation time, memory, bandwidth, and other resources. A security
manager should consider this aspect when evaluating products to monitor security across the organization. The monitoring
product should support the business processes and should not become a cause for unnecessary interruption.

The most important element for the success of an information security program is support and commitment from senior
management. If senior management is committed to robust information security for the organization, constraints on security
budgets and resources are far less likely to arise.

Thus, security operations should support the business operations in the most effective and efficient
manner.
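
As an added example (not from the book), the following Python script implements the sample-based check described above: it takes an inventory export, draws a random sample of critical systems, and flags any whose signature file is not the current version or was last updated more than 24 hours ago. The inventory records and their field names (host, tier, signature_version, signature_time) are constructed for this example and are not a real antivirus product's export format.

```python
"""Sample-based check that critical systems run current antivirus signatures.
Added example: the inventory records and their field names are constructed for
illustration and are not a real antivirus product's export format."""
from datetime import datetime, timedelta, timezone
import random

MAX_AGE = timedelta(hours=24)  # signatures are expected to refresh at least daily

# Constructed inventory export, one record per endpoint (assumed field names).
INVENTORY = [
    {"host": "db-prod-01",  "tier": "critical", "signature_version": "2022.12.14.3", "signature_time": "2022-12-14T06:10:00Z"},
    {"host": "db-prod-02",  "tier": "critical", "signature_version": "2022.12.12.1", "signature_time": "2022-12-12T05:55:00Z"},
    {"host": "web-prod-01", "tier": "critical", "signature_version": "2022.12.14.3", "signature_time": "2022-12-14T06:12:00Z"},
    {"host": "hr-app-01",   "tier": "critical", "signature_version": "2022.12.14.2", "signature_time": "2022-12-13T18:40:00Z"},
    {"host": "kiosk-07",    "tier": "low",      "signature_version": "2022.11.30.1", "signature_time": "2022-11-30T07:00:00Z"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def version_key(version):
    """Compare dotted numeric versions numerically, so 2022.12.9.1 < 2022.12.14.3."""
    return tuple(int(part) for part in version.split("."))


def latest_version(records):
    """Newest version seen in the fleet; only a fallback when the vendor's
    published current version is not supplied."""
    return max((r["signature_version"] for r in records), key=version_key)


def sample_critical(records, size, seed=None):
    """Random sample of critical-tier systems; the seed is fixed only for reproducibility."""
    critical = [r for r in records if r["tier"] == "critical"]
    return random.Random(seed).sample(critical, min(size, len(critical)))


def assess(records, now_iso, current_version=None):
    """Return (host, reasons) for every record whose signature file is not the
    current version or was last updated more than MAX_AGE before now_iso."""
    now = parse_ts(now_iso)
    current = current_version or latest_version(records)
    findings = []
    for r in records:
        reasons = []
        if r["signature_version"] != current:
            reasons.append(f"version {r['signature_version']} is not current {current}")
        age = now - parse_ts(r["signature_time"])
        if age > MAX_AGE:
            reasons.append(f"last updated {age.total_seconds() / 3600:.0f}h ago")
        if reasons:
            findings.append((r["host"], reasons))
    return findings


if __name__ == "__main__":
    sample = sample_critical(INVENTORY, 3, seed=42)
    for host, reasons in assess(sample, "2022-12-14T12:00:00Z", current_version="2022.12.14.3"):
        print(host, "; ".join(reasons))
```

Pass the vendor's published version as current_version rather than relying on the fleet maximum: if every sampled host were equally stale, the fallback would report all of them as current. Both checks matter, since a host can carry the current version number yet show an old update time when its update job has silently stopped.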

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the most appropriate frequency for updating antivirus signature files?
Possible answer: On a daily basis

Question: What does the effectiveness of virus detection software most depend on?
Possible answer: Virus definition files (signature files)

Question: What is the best way to prevent an accidental system shutdown from the console or operations area?
Possible answer: To use protective switch covers

Question: What is the best method for securing data on USB drives or other mobile devices?
Possible answer: Strong encryption

Question: Who should be a part of the information security steering committee?
Possible answer: Senior management from different departments, such as IT, HR, business, and marketing

Question: What is the main reason for obtaining external resources to execute an information security program?
Possible answer: External resources are a cost-effective alternative to obtaining expertise that is not available internally

Question: What is the most effective method to ensure the protection of data upon the termination of employment?
Possible answer: To ensure that all logical access of the terminated employee is removed

Question: What is the most important reason for formally documenting security procedures?
Possible answer: To ensure that processes are repeatable and sustainable

Question: When should the risk assessment of a new project be carried out?
Possible answer: Throughout the project's life cycle

Figure 6.12: Key aspects from the CISM exam perspective

Practice Question Set 7


1. As an information security manager, you should ensure that a vulnerability scan:

A. Is not conducted with open source tools

B. Scans only critical servers

C. Adheres to the security budget

D. Does not interrupt the production process

2. Which of the following authorities can best ensure the effectiveness of an information security program?

A. The chief information officer

B. The head of auditing

C. The steering committee

D. The chief operating officer

3. As an information security manager, you should ensure that antivirus signature files are updated:

A. On a daily basis

B. On a weekly basis

C. During the hardware maintenance schedule


D. After the occurrence of a major incident

4. The effectiveness of antivirus software primarily depends on:

A. Operating systems

B. Updated patches

C. Application upgrades

D. Definition files

5. Which of the following is the most important criterion for the selection of antivirus software?

A. The availability of the security budget

B. The ability to integrate with the firewall and IDS

C. An automatic alert notification feature

D. Ease of maintenance and frequency of updates

6. The best way to reduce the risk of an accidental system shutdown through the power button is to:

A. Use redundant power supplies

B. Use protective switch covers

C. Set system down alarms

D. Install biometric readers

7. An information security steering committee should consist of:

A. External penetration testers

B. Representation from regulatory bodies

C. Board members

D. Leadership from IT, business management, and human resources

8. The most important consideration for implementing a system monitoring device is:

A. Product documentation

B. Ease of configuration

C. Ease of available support

D. System overheads

9. An organization is using a digital certificate along with Secure Sockets Layer (SSL) to authenticate a web server. The organization is still
vulnerable to:

A. IP spoofing

B. A man-in-the-middle attack
C. Repudiation

D. A Trojan program

10. The most effective way to ensure compliance with an information security policy is to:

A. Circulate copies of the policy to all employees

B. Perform periodic reviews for compliance

C. Charge a heavy penalty for non-compliance

D. Establish a dedicated help desk to support employees

11. The main advantage of using an external resource for managing an information security program is that:

A. It is a cost-effective way to take advantage of expertise not available internally.

B. It is the most effective way to delegate responsibility for maintaining a security program.

C. It helps to reduce dependency on internal resources.

D. It helps to adhere to the security budget.

12. A server containing the accounting database is maintained by a database administrator. Who should determine the appropriate
level of classification?

A. Database administrator

B. Finance department

C. Security department

D. IT department

13. A particular module is accessible to all the members of the development team. The module is used to test the business data. From
the security perspective, which of the following is the best option?

A. Restrict access to read only

B. Capture and review log for all access

C. Implement two-factor authentication

D. Suspend the module and activate only as and when required

14. The involvement of which of the following groups is most important in the design of security processes, to make them accurate and
functional?

A. Audit management

B. Compliance management

C. Operational units

D. Legal management
15. Which of the following roles should not be given the right to update the database access control list to ensure proper segregation
of duties?

A. A team member of the department owning the data

B. The data custodian

C. The system programmer

D. The security administrator

16. As a business requirement, an application programmer requires access to production data. What is the best way to ensure that the
production data is used for authorized purposes only?

A. Make the application programmer a privileged user.

B. Log all of the application programmer's activity for a review by their manager.

C. Take a non-disclosure agreement letter from the application programmer.

D. Conduct regular audits of the application.

17. The most important step upon the termination of employment is:

A. To take back the identity card

B. To take back the company-provided laptop

C. To delete all the employee's files

D. To remove all logical access provided to the employee

18. The main objective of documenting the security processes is:

A. To ensure that the process is repeatable and sustainable

B. To comply with the requirements of the policy

C. To ensure alignment with the business objectives

D. To ensure evidence is available for audits

19. The process document for use of cryptography should primarily include:

A. The various circumstances in which cryptography should be used

B. The type of cryptographic algorithms and key lengths

C. The handling procedures of cryptographic keys

D. The technical aspect of cryptographic solutions

20. Risk assessment for a new process should be conducted:

A. Before the process starts

B. Throughout the entire life cycle of the process

C. During the post-implementation review


D. During the development of a business case

Privacy Laws
Privacy is the right of an individual to demand the utmost care of their personal information that has
been shared with any organization or individual. Individuals can demand the use of their information
to be appropriate, legal, and only for the specific purpose for which the information was provided.

Figure 6.13: Privacy laws

ISACA describes several privacy principles that can be considered as a framework for privacy audits.
The following are some of the privacy principles:
Organizations should obtain appropriate consent before the transfer of personal information to another jurisdiction.

Organizations should specify the purposes for which personal information is being collected.

Organizations are required to retain personal information only as long as necessary.

Organizations should have appropriate security safeguards for protecting personal information.

Organizations should have an appropriate process for reporting compliance with privacy policies, standards, and laws.
Organizations should have appropriate governance mechanisms over any third-party service providers processing privacy data on
behalf of the organization.

Organizations should comply with the applicable data protection regulations for the transfer of personal information across
country borders.

Practice Question Set 8


1. A privacy statement primarily includes:

A. The privacy budget of the organization

B. A notification about the accuracy of the information

C. A notification about what the company will do with the information it collects

D. A notification about the information classification process

Cloud Computing
Cloud computing is the process of utilizing servers hosted on the internet for storing and processing
data instead of on a personal computer or a local server. Cloud computing enables users to access
computer resources through the internet from any location without worrying about the physical
availability of the resources. The following are some characteristics of cloud computing:
It provides the capability for organizations to access data or applications from anywhere, anytime, and on almost any device.

It provides the capability for organizations to scale their IT resources as per the business requirements at the optimum cost.

It provides the capability to monitor, control, and report the usage of resources.

Resources such as storage, processing power, memory, network bandwidth, and virtual machines
(VMs) can be used through cloud computing.

Cloud Computing – Deployment Models


The following sections will cover the important details of the deployment models of
cloud computing.
The Private Cloud
A private cloud is operated for the exclusive use of one organization. It is considered the most secure
type of deployment because the organization retains control over it and can centralize its administration. The
infrastructure may be hosted either on-premises or off-premises.
The Public Cloud
The public cloud is open to all, based on pay per use. It is considered highly scalable as services can
be reduced or increased as per the requirements of the organization.

It is very important to consider the following requirements for the use of the public cloud:
Legal and regulatory compliance (such as data localization)

Backup

Right to audit

Security requirements

The Community Cloud


Community cloud services are used by specific communities of consumers who have shared
concerns. Community clouds can be managed by the organization or by a third party. An area of
concern when using a community cloud is that the data may be stored in the same cloud as a
competitor's data.
The Hybrid Cloud
The hybrid cloud is a combination of private and public cloud infrastructure. Typically, an organization
uses its private cloud for its core or sensitive workloads and turns to a public cloud for additional capacity
or specific requirements. This makes management and data governance more complex, as more than one
deployment model must be secured consistently.

Types of Cloud Services


A CISM aspirant should understand the following types of cloud service models:
Infrastructure as a Service (IaaS):

In this type of cloud service, services such as storing data, processing capability, memory, and network resources are
provided to the user as per their requirements.

This helps the user utilize computing resources without having to own or manage their own resources.

The end users or IT architects use VMs as per their requirements. A VM is a resource that uses software instead of a
physical computer to run programs and deploy apps.

The user is not required to maintain or manage any physical servers as these are managed by the service provider.

Examples of IaaS offerings are Google Compute Engine and Amazon Web Services (AWS); OpenStack is an open source
platform used to build IaaS clouds.

Software as a Service (SaaS):

With the help of SaaS, an end user can access an application through the internet.

Instead of local storage and processing, the application is hosted on a cloud managed by a third-party service provider.

The application development platform and supporting infrastructure are not required to be maintained or controlled by
users.
For example, without installing an office suite locally, you can create a word-processing document in Google Docs online, or edit a
photo on Pixlr.com without installing any editing software.

Platform as a Service (PaaS):

In PaaS, users can develop and deploy an application on a development platform made available by the service
provider.

In the traditional method, an application or piece of software is developed on local machines and hosted on a local
server.

In PaaS, an application or a piece of software is developed online.

For example, Google App Engine and Microsoft Azure App Service provide platforms and tools to develop and deploy
applications.

Cloud Computing – the Security Manager's Role


Today, cloud computing is often presented as the solution to every computing problem, but end users hold many
misconceptions about it, particularly about who is responsible for securing the data and services placed in the cloud. The
role of a security manager is to address these misconceptions so that security is not compromised.

Figure 6.14: Cloud services


A security manager should consider the following risks and security controls for a
cloud arrangement:
Ensure compliance with relevant laws, regulations, and standards

Ensure compliance with privacy laws that restrict the movement of personal data to offshore locations

Ensure the availability of information systems and data on a continuous basis

Evaluate the business continuity and disaster recovery plan of the cloud service provider

Evaluate implemented controls for safeguarding the CIA triad regarding data

Ensure that the SLA includes clauses with respect to ownership and custody of the data and security administration of cloud-
related services

Ensure the inclusion of the right-to-audit clause in the SLA

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the benefit of cloud computing compared to local hosting?
Possible answer: The ability to expand storage and bandwidth on demand

Figure 6.15: Key aspects from the CISM exam perspective

Practice Question Set 9


1. As an information security manager, you are required to evaluate the physical security arrangements of a cloud service provider. What is the
most effective method?

A. Verify the service provider's physical security policy and make sure that it is aligned with the organization's security
policy

B. Verify a copy of independent security reviews or audit reports for the cloud service provider

C. Bind the service provider through a contract to align with the organization's security policy

D. Verify the service provider's disaster recovery plans and make sure that they include the necessary arrangements to
protect the organization's assets

2. As an information security manager, you are reviewing an SLA with a cloud service provider. The area of major focus for you is
that:

A. The contract should specify that upon contract expiration, a mandatory data wipe will be carried out in the presence of
a representative from the enterprise.

B. The contract should also include a non-compete clause


C. The contract should include a right-to-audit clause

D. The contract should restrict the movement of data within the territory allowed as per the relevant law or regulation

3. As an information security manager, you are reviewing a service level agreement with a cloud service provider. The area of major
focus for you is:

A. Clarity with respect to data ownership, data custody, and intellectual property rights (IPR)-related requirements

B. Clarity with respect to non-disclosure requirements

C. Clarity with respect to data backup requirements

D. Clarity with respect to data access requirements

4. As an information security manager, you are required to evaluate the arrangement of a cloud service provider. You should be
majorly concerned about:

A. Inadequate disaster recovery procedures

B. The data in the multitenancy environment being accessed by competitors

C. Inadequate incident management procedures

D. Inadequate business continuity arrangements

5. As an information security manager, you are reviewing an SLA with a cloud service provider. The area of major focus for you is:

A. Physical security

B. Compliance with legal requirements

C. The data disposal policy

D. The application disposal policy

6. As an information security manager, you need to deploy a cloud application in a way that will be very secure with very little
chance of data leakage. You should deploy a:

A. Public cloud

B. Private cloud

C. Community cloud

D. Hybrid cloud

7. Which of the following is the main benefit of cloud computing compared to local hosting?

A. Ability to expand storage and bandwidth on demand

B. No training requirements for end users

C. Ability to encrypt the data

D. Ability to enforce proper access control


Summary
In this chapter, you learned about the practical aspects of information security program management.
This chapter will help a CISM candidate understand the important methods, tools, and techniques
needed to manage a security program in an effective and efficient manner.

The next chapter will cover information security infrastructure and architecture.

Revision Questions
1. Ethics training is primarily meant for:

A. Employees engaged in monitoring activities

B. Employees engaged in designing training modules

C. Employees engaged in assessing user access

D. Employees engaged in managing the risk of the organization

2. Which of the following is influenced by an effective information security awareness program?

A. Inherent risk

B. Residual risk

C. Acceptable risk

D. Business objectives

3. The most effective way to promote a security culture is:

A. To promote the advantages of a good security culture through influential people

B. To increase the security budget

C. To mandate online security training for each employee

D. To upload the security policy on the organization's intranet

4. The area of most concern for a security manager when an organization is storing sensitive data with a third-party cloud service
provider is:

A. High cost of maintenance

B. Unavailability of proper training to end users

C. Unavailability of services due to network failure

D. The possibility of disclosure of sensitive data in transit or storage

5. An organization is planning to provide access to a third-party service provider. Which of the following should be the first step?

A. Deciding terms of access

B. Risk assessment
C. Determining the level of exposure

D. Conducting due diligence of the third party

6. Which of the following is the most important clause to be included in an SLA for outsourcing an IT support service?

A. A clause for staff background checks

B. A clause for the right to audit

C. A clause for a non-disclosure agreement

D. A clause for staff training

7. The most important consideration for an information security manager when selecting a third-party service provider for a critical
business function is:

A. Whether the service provider agrees with the penalty for non-compliance

B. Whether the service provider has alternate site processing

C. Whether the contract rate is within the approved budget

D. Whether the service provider meets the organization's security requirements on an ongoing and verifiable basis

8. The most difficult factor to determine while conducting a security review of an offshore service provider is:

A. Technological capability

B. Incompatible culture

C. Network controls

D. Adequate procedures

The other areas can be evaluated and determined during a security review.
9. An organization has renewed its agreement with a third-party service provider every year for the last 5 years without any change in
the agreement clauses. However, it has recently received complaints about security lapses by the service provider. Which of
the following actions should the information security manager take FIRST?

A. Ensure that the security requirements included in the service agreement meet the current business requirements

B. Determine whether the service provider complies with the service agreement

C. Impose a heavy penalty for non-compliance with the service agreement

D. Automate the compliance monitoring process

10. To address the resolution of an operational issue, the most important aspect to be included in an SLA is:

A. An escalation matrix

B. A documented process

C. The court of jurisdiction

D. The defined responsibilities


11. The most important area of concern for an information security manager when selecting a cloud service provider is:

A. Whether the SLA provides a guarantee of continuous application availability

B. Whether the service provider's security architecture meets the organization's requirements

C. Whether the contract rate is within the approved budget

D. Whether the service provider has alternate site processing

12. An application has been developed by a third-party service provider. The most effective method to ensure that no backdoor code is
implemented is:

A. By monitoring the network traffic

B. By conducting penetration testing

C. By conducting an internal audit

D. By conducting a security code review for the entire application

13. A security manager notes that employees of the marketing department are sending some critical customer data through email.
What should they do first?

A. Discuss the finding with the marketing manager to evaluate the risk and impact

B. Report the finding to the audit committee

C. Report the finding to the incident management team for further investigation

D. Conduct awareness training for the marketing department

14. A security manager has obtained commitment and approval from senior management for the establishment of an information
security program. What should their next step be?

A. Developing metrics for measuring the program's effectiveness

B. Conducting a risk assessment

C. Conducting a gap analysis

D. Obtaining security resources

15. A security manager is creating security procedures for the entire organization. Which department should be given priority to write
the procedure?

A. The security department

B. The legal department

C. The HR department

D. The operations department

16. The best method to address the risk of sending confidential information in email attachments is:

A. To implement content filtering

B. To conduct email audits


C. To perform security training

D. To encrypt the attachment

YOUR UNIQUE SIGN-UP CODE


Your unique sign-up code to unlock the online content is 456yt65. The sign-up link is http://packt.link/cismsignup.
Chapter 7: Information Security Infrastructure and Architecture


In this chapter, you will learn about information security infrastructure and architecture and explore
the methods, tools, and techniques available to you for the development of a robust information
security program. This chapter will help CISM aspirants to understand security architecture in line
with industry best practices. The CISM aspirant will also gain basic knowledge about access control
requirements and authentication factors—including biometrics.

The following topics will be covered in this chapter:


Information Security Architecture

Architecture Implementation

Access Control

Virtual Private Networks

Biometrics

Factors of Authentication

Wireless Networks

Different Attack Methods for Information Security

Information Security Architecture


Just as conventional architecture defines the rules and standards for the construction of buildings,
information security architecture addresses the design and implementation of the security posture of
the organization. Architecture helps to integrate different components of information security in an
effective manner. A security architecture also defines the baseline, that is, the minimum level of
security for the infrastructure.

A security architecture generally addresses the following aspects:


Where to place and deploy security tools, such as firewalls, intrusion detection systems (IDSs), and antimalware

How to configure the security of applications and servers

How to build the overall security environment

A structured architecture provides the framework to manage a complex environment. As the size and
complexity of the organization grow, a well-defined architecture helps the security manager to
monitor and control the security aspects. Architecture provides the framework within which many
large projects can be managed effectively and efficiently.
In the absence of a well-designed architecture, there can be a lack of integration, haphazard project
management, and other weaknesses and vulnerabilities in the security environment. Enterprise
information security architecture (EISA) is developed as a part of the overall enterprise IT
system design. The following are some of the objectives of EISA:
To manage security processes and performance

To establish a common language for security within the organization

To serve as a program development roadmap

To ensure strategic alignment between business and security

To support the business strategy

To implement security policies and strategy

A security practitioner should ensure that these objectives are achieved to improve the effectiveness
of the information security architecture.

Key Aspects from the CISM Exam Perspective


The following are some of the key aspects from the exam perspective:

Question: For best results, the security architecture should be aligned with:
Possible answer: Business objectives and goals

Question: What is the best method for the effective integration of different components of the information security infrastructure?
Possible answer: To develop a security architecture

Figure 7.1: Key aspects from the CISM exam perspective

NOTE
The answers and explanations for all practice and revision questions for this chapter can be found via this link.

Practice Question Set 1


1. The minimum level of security required for infrastructure is defined by:

A. The available security budget

B. The information security guidelines

C. The information security strategy

D. The information security architecture


2. Security architecture should be aligned with:

A. Industry-accepted frameworks

B. Information technology strategy

C. Information security budget

D. Business objectives and goals

3. What is the best method to integrate different components of information security infrastructure?

A. Developing a business plan

B. Developing an architecture

C. Developing a system specification

D. Conducting a system audit

Architecture Implementation
A security manager should consider the following aspects while implementing the architecture:
Termination process: An effective termination process is one of the most important aspects of the information security process.
Terminated employees can misuse their credentials for unauthorized activity. Hence, the termination process should ensure timely
revocation of all access as soon as an individual is terminated or otherwise ceases to be in employment.

Security rules: A security manager should ensure that the rules configured in security tools, such as firewalls, IDS, antimalware software,
and security information and event management (SIEM) systems, are reviewed at periodic intervals. Rules should be simple and
easy to implement. An excessive number of rules is difficult to manage, and one rule may conflict with, or silently override, another,
which can create security vulnerabilities. Complex rule sets and architectures are also harder to test.

Phishing: Phishing is a social engineering attack with the objective of obtaining user data in an unauthorized manner. In a
phishing attack, an attacker acts as a trusted entity and tries to lure the victim to part with confidential information. The best
method to address the risk of phishing is to conduct periodic awareness training for users. Educating users will help to address the
risk of visits to untrusted websites or email links.

Steganographic techniques: In steganography, secret data is hidden inside an ordinary carrier file, such as an image, so that the
presence of the hidden data is not apparent. The carrier file is sent to the recipient with the secret data embedded in it. The
advantage of steganography over encryption alone is that the existence of the message itself is concealed, whereas an encrypted
message is unreadable but visibly present. Steganography does not by itself protect the confidentiality of the hidden data once it is
found, so for highly confidential data the hidden payload should additionally be encrypted.

Middleware: Middleware is software that acts as a link between operating systems and applications. It can provide additional
services to applications that are not provided by the operating system. Some examples of functions handled by middleware
software are data management, application services, messaging, and authentication. A major risk associated with middleware is
that data integrity may be adversely affected if the middleware gets corrupted.
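The following is an added illustration of the kind of check the Security rules point above calls for; it is not code from the book. A first-match rule list is scanned for any later rule that an earlier rule already fully covers: if the two actions differ, the later rule is dead and the deny (or allow) it was meant to enforce never fires; if the actions agree, the later rule is merely redundant. The `Rule` structure and the sample rule set are constructed for this example, and real firewalls also have partial overlaps, which this check deliberately does not model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # inclusive destination port range (low, high)
    action: str     # "allow" or "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    ports_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return src_ok and dst_ok and proto_ok and ports_ok


def find_rule_problems(rules):
    """First-match semantics: a later rule fully covered by an earlier one never fires.

    Returns a list of (kind, later_rule_name, earlier_rule_name), where kind is
    "conflict" (actions differ: the later rule is shadowed) or "redundant".
    """
    problems = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "conflict" if earlier.action != later.action else "redundant"
                problems.append((kind, later.name, earlier.name))
                break   # the first covering rule is the one that actually fires
    return problems


# Constructed sample rule set (addresses from the documentation ranges).
SAMPLE_RULES = [
    Rule("r1-allow-web", "10.0.0.0/8", "192.0.2.0/24", "tcp", (80, 443), "allow"),
    # Intended to stop one subnet reaching the database host over 443, but r1 already
    # allows it, so this deny is dead: a conflict that creates a security weakness.
    Rule("r2-deny-admin-to-db", "10.1.0.0/16", "192.0.2.10/32", "tcp", (443, 443), "deny"),
    Rule("r3-allow-dns", "10.0.0.0/8", "198.51.100.53/32", "udp", (53, 53), "allow"),
    # Same action as r3 and fully inside it: harmless but clutters the rule base.
    Rule("r4-allow-dns-dup", "10.2.0.0/16", "198.51.100.53/32", "udp", (53, 53), "allow"),
    Rule("r5-deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", (0, 65535), "deny"),
]


if __name__ == "__main__":
    for kind, later, earlier in find_rule_problems(SAMPLE_RULES):
        print(f"{kind}: {later} is fully covered by {earlier}")
```

Running the check on the sample set reports that `r2-deny-admin-to-db` is shadowed by `r1-allow-web` (a conflict) and that `r4-allow-dns-dup` is redundant with `r3-allow-dns`; the final catch-all deny is untouched because nothing before it covers it.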

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:
Question: What is the most important element of the termination process from the security perspective?
Possible answer: Timely revocation of access rights of the terminated employee

Question: Who is required to ensure that the appropriate level of information security is applied to a business application?
Possible answer: The process owner/the system owner

Question: What is the best method to control a phishing attack?
Possible answer: User awareness training

Question: What are the prime objectives of change management?
Possible answer: To ensure that only authorized changes are carried out, and to ensure that modifications made to the system do not introduce new security exposures

Question: What is the major risk of an excessive number of firewall rules?
Possible answer: One rule may conflict with another rule and create a security weakness.

Figure 7.2: Key aspects from the CISM exam perspective

Practice Question Set 2


1. What is the most effective method to control the unauthorized activity of a former employee?

A. Background verification

B. User awareness training

C. User monitoring

D. Effective termination process

2. Who is responsible for implementing and maintaining the required level of security for a business application?

A. The system administrator

B. The quality analyst

C. The process owner

D. The security manager


3. Data owners are generally responsible for:

A. Carrying out the change management procedure

B. Implementing security over the database server

C. Regular updates with operating system patches

D. Determining the extent of application security required

4. The best method to protect against the risk of a phishing attack is:

A. System hardening

B. Email filtering

C. Intrusion detection systems

D. User awareness training

5. Which of the following is the area of most concern for organizational security?

A. Locally managed file servers

B. Enterprise-level data servers

C. Centrally managed load balancers

D. Centrally managed data centers

6. The task of eradicating malicious code will become more difficult if:

A. A patch is applied after the data is infected

B. An access rule is changed after the data is infected

C. Hardware is upgraded after the data is infected

D. A backup is taken after the data is infected

7. What is the most effective method to reduce a social engineering attack?

A. Implementing a strong password policy

B. Conducting periodic security awareness programs

C. The password should be changed on a frequent basis

D. Automatic lockout facility

8. Who will be best able to determine that a new vulnerability has not been introduced during change management?

A. The internal auditor

B. The system user

C. The system administrator

D. The data security manager


9. What is the advantage of a steganographic control compared to the encryption technique?

A. The existence of the message is not known

B. The steganographic technique does not require a key

C. It is not possible to sniff the steganographic traffic

D. Steganographic traffic is not reliable

10. What is the major risk of middleware?

A. It becomes difficult to update the operating system with patches

B. It becomes difficult to take a system backup

C. Data integrity may be affected

D. End user authentication becomes difficult

Access Control
The main objective of the access control process is to ensure that only authorized users are granted
access. To achieve this, it is very important for user activities to be uniquely identifiable for
accountability purposes. The security manager should be aware of the following categories of access
control.

Mandatory Access Control


In mandatory access control (MAC), access rules are set centrally by an approved policy, typically on
the basis of security labels assigned to users and to data. Users and data owners cannot change these
rules. MAC ensures that a file is shared only with users who are cleared for its security classification;
a user cannot pass the file on to anyone who is not.

Discretionary Access Control


In discretionary access control (DAC), the data owner decides, at their own discretion, who is granted
access and can modify those grants at any time.

MAC is considered more robust and stringent in terms of information security than DAC, because under
DAC an owner (or malware running with the owner's privileges) can grant access to unauthorized users.
DAC is therefore most effective when it operates within the limits set by MAC, that is, an owner may
grant access only to users the mandatory policy already permits.

Role-Based Access Control


Role-based access control (RBAC) grants permissions to roles rather than to individual users, and
users obtain permissions by being assigned roles. In RBAC, access is allowed only on a need-to-know
basis. RBAC simplifies security administration for large organizations with thousands of users and
many permissions: when an employee joins, changes job, or leaves, the administrator changes role
assignments rather than editing individual permissions. Although RBAC is distinct from the MAC and
DAC models, it can be configured to enforce either of these policies.

Furthermore, RBAC is considered the most effective method to implement segregation of duties
(SoD). It requires the definition of roles and their corresponding access requirements, and access is
granted on the basis of these roles; conflicting duties are kept in separate roles that a single user is
not permitted to hold at the same time.

The best method to implement RBAC is to create a matrix of the different roles (work functions) and
the access each role requires.
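The following is an added illustration, not code from the book, of a role matrix with SoD constraints: permissions are attached to roles, users receive roles, a role grant that would create a conflict is refused, and a review function finds conflicts that crept in by other routes (for example, a direct edit of the user-role table during job rotation). The roles, permissions, and conflict pairs are a constructed accounts-payable example.

```python
from itertools import combinations

# Constructed role/permission matrix (the "matrix of work functions") for an
# accounts-payable process.
ROLE_PERMISSIONS = {
    "ap_clerk":    {"vendor:create", "invoice:enter"},
    "ap_approver": {"invoice:approve"},
    "treasury":    {"payment:release"},
    "auditor":     {"invoice:read", "payment:read"},
    "sysadmin":    {"user:manage"},
}

# Pairs of roles that one person must never hold together (segregation of duties):
# whoever enters or approves an invoice must not also be able to release the payment.
SOD_CONFLICTS = {
    frozenset({"ap_clerk", "ap_approver"}),
    frozenset({"ap_approver", "treasury"}),
    frozenset({"ap_clerk", "treasury"}),
}


class RBAC:
    def __init__(self, role_permissions, sod_conflicts):
        self.role_permissions = role_permissions
        self.sod_conflicts = sod_conflicts
        self.user_roles = {}   # user -> set of role names

    def assign(self, user, role):
        """Grant a role; refuse the grant if it would create an SoD conflict."""
        if role not in self.role_permissions:
            raise ValueError(f"unknown role: {role}")
        for held in self.user_roles.get(user, set()):
            if frozenset({held, role}) in self.sod_conflicts:
                raise PermissionError(
                    f"SoD violation: {user} holds {held} and cannot also hold {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_all(self, user):
        """Termination or job rotation: drop every role in one operation."""
        self.user_roles.pop(user, None)

    def permissions(self, user):
        """Effective permissions = union of the permissions of every role held."""
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_permissions[r] for r in roles))

    def is_allowed(self, user, permission):
        return permission in self.permissions(user)

    def sod_violations(self):
        """Periodic review: users who hold a conflicting pair of roles."""
        found = []
        for user, roles in self.user_roles.items():
            for a, b in combinations(sorted(roles), 2):
                if frozenset({a, b}) in self.sod_conflicts:
                    found.append((user, a, b))
        return found


def build_demo():
    """Constructed scenario used below: three users, one of them granted roles
    outside the checked assign() path (illustrative names only)."""
    rbac = RBAC(ROLE_PERMISSIONS, SOD_CONFLICTS)
    rbac.assign("alice", "ap_clerk")
    rbac.assign("bob", "ap_approver")
    rbac.assign("bob", "auditor")        # read-only role, no conflict
    rbac.user_roles["carol"] = {"ap_clerk", "treasury"}   # bypassed the SoD check
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    print("alice may enter invoices:", rbac.is_allowed("alice", "invoice:enter"))
    print("SoD review:", rbac.sod_violations())
```

The grant-time check stops most conflicts, but the review function is what catches roles added by other means, which is why an SoD report should be part of the periodic access review rather than relied on only at assignment time.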

Degaussing (Demagnetizing)
Proper media sanitization is critical to ensure that residual data on storage media cannot be recovered
by an unauthorized person; an ordinary format does not remove the underlying data. To the extent
possible, the media should be physically destroyed in such a way that it cannot be reused. However, it
may not always be economical to physically destroy all media. In these cases, extreme care should be
taken to delete the data completely so that it is not recoverable by any tool or technique. One such
method for magnetic media is demagnetization.

Demagnetization involves gradually increasing an alternating-current magnetic field from 0 to a
maximum value and back to 0, thereby leaving a very low residue of magnetic induction on the media.
This process of demagnetization is also known as degaussing. Note that degaussing works only on
magnetic media (tapes and conventional hard disks); it has no effect on solid-state media such as
SSDs and USB flash drives, which must be sanitized by cryptographic erasure, the device's secure
erase function, or physical destruction instead.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the most effective access control for an organization that has a large number of employees with multiple roles?
Possible answer: Role-based access control

Question: What is the best approach for implementing role-based access?
Possible answer: Creating a matrix of work functions

Question: What is the best way to erase data?
Possible answer: Physical destruction. Demagnetization or degaussing if media is to be reused. (Please refer to the Note under Q.13)

Figure 7.3: Key aspects from the CISM exam perspective

Practice Question Set 3


1. The most effective way to ensure that temporary employees are not provided excess access rights is:

A. Not providing any access to temporary staff

B. Implementing a virtual private network

C. Implementing mandatory access controls

D. Implementing role-based access control

2. What is the most effective method to ensure that temporary staff does not get access to sensitive information?

A. To set an expiry date for access rights

B. To avoid granting system administration roles

C. To conduct background checks

D. To get them to sign a non-disclosure agreement

3. What is the most effective method to prevent users from sharing files with unauthorized users?

A. Mandatory access control

B. Discretionary access control

C. Role-based access control

D. To install an intrusion detection system

4. What is the most effective method to prevent a user from copying files from a computer to a USB drive?

A. Restricting the available drive allocation on all personal computers

B. Enabling role-based access control

C. Performing periodic awareness training on USB-related risks

D. Disabling the USB ports on all the computers

5. What is the most appropriate access control approach for an organization with more than 1,000 employees with multiple
departments and roles?
A. Mandatory access control

B. Discretionary access control

C. Ad hoc access control

D. Role-based access control

6. What is the most effective method to implement segregation of duties (SoD)?

A. Conducting background verification of employees

B. Implementing role-based access control

C. Implementing a heavy penalty for non-compliance to SoD

D. Updating job profiles on a periodic basis

7. What is the most cost-effective access control for a large organization?

A. Mandatory access control

B. Role-based access control

C. Discretionary access control

D. Rule-based access control

8. Which access control is preferable for an organization that has regular job rotation?

A. Rule-based

B. Role-based

C. Discretionary

D. Mandatory

9. An access control process will be meaningful and effective:

A. When it reduces administrative cost

B. When it ensures that all user activities are uniquely identifiable

C. When it uses two-factor authentication

D. When it integrates access control across the organization

10. To determine whether access controls are appropriately applied for a critical application, the security manager should refer to the:

A. End user documentation

B. Business process flow

C. IT security standard

D. Legal requirements

11. The best way to protect the critical data of an organization is by:
A. Performing periodic security awareness sessions

B. Obtaining non-disclosure agreements from all the employees

C. Removing all logical access of employees leaving the organization

D. Restricting access to data on a need-to-know basis

12. Which of the following is a common reason for the introduction of vulnerabilities in security software?

A. Patch updates

B. Changes in access rules

C. Upgrades of hardware

D. Taking backups of files

13. What is the most effective method of removing data from a tape media that is to be reused?

A. Multiple overwriting

B. Erasing the tapes

C. Burning the tape

D. Degaussing the tape

NOTE
Some modern media, such as hard disks and tape cartridges, cannot be reused after degaussing because the process also erases
the factory-written servo pattern that the drive needs to position its heads. Degaussing is also ineffective on solid-state (flash)
media, which is not magnetic.

14. Role-based access control (RBAC) can best be implemented by:

A. Creating a matrix of work functions

B. Creating a specialized team for access control

C. Implementing two-factor authentication

D. Using individual logon scripts

15. What is the most effective method for the success of a data classification scheme?

A. Classification of data on the basis of its protection level

B. Classification of data on the basis of the likelihood of leakage

C. Ensuring the same level of protection for all types of data

D. Creating awareness of the benefits of data classification

16. What is the objective of comparing logical access records with physical attendance records maintained by the security
department?

A. To monitor a key risk indicator

B. To determine instances of tailgating


C. To evaluate the performance of the security department

D. To reconcile wage payout

Virtual Private Networks


A virtual private network (VPN) extends a private network across the internet in a secure manner. It
provides a platform for remote users to connect to the organization's private network.

With the help of VPN technology, remote users and branch offices can connect to the resources and
applications hosted in the organization's private network. A VPN establishes a virtual point-to-point
connection over the shared public infrastructure by means of tunneling protocols and encryption; no
dedicated physical circuit is required.

VPN technology safeguards critical data traveling across the internet.

VPNs – Technical Aspects


A VPN hides the content of traffic from sniffers on the internet. Instead of using expensive dedicated
leased lines, a VPN relies on the public IP infrastructure, which is cost efficient. To protect the data, a
VPN encrypts the packets, most commonly using the IP Security (IPsec) standards; TLS-based VPNs
are the other widely used option.

An IPsec VPN operates in either tunnel mode or transport mode. In tunnel mode, the entire original
packet, including its IP header, is encrypted and encapsulated in a new packet with a new IP header, so
an observer on the internet sees only the addresses of the two VPN gateways; this is the mode used for
site-to-site and most remote-access VPNs. In transport mode, only the payload is encrypted and the
original IP header remains visible; it is used for host-to-host protection. In both modes, the VPN uses
encapsulation (tunneling) to carry the protected traffic across the untrusted network.

Advantages of a VPN
The following are some of the advantages of a VPN:
A VPN helps organizations expand their corporate network in a cost-efficient manner.

A VPN provides a platform to authorized remote users in terms of a secure and effective way of connecting to corporate networks.

A VPN provides a platform for secure communication with business partners.

A VPN provides a platform for efficient and effective supply chain management.

VPN Security Risks


The following are some of the risks associated with the use of a VPN:
The risk of malware entering the network through remote access. A VPN authenticates the connection and protects data in
transit, but it does not assess the health of the remote device. If a remote computer is compromised, an intruder may send
malicious code through the VPN into the organization's private network. Endpoint security controls and a device posture check
before access is granted reduce this risk.

The risk of poor configuration management, for example weak authentication, outdated encryption settings, or split tunneling that
bridges the protected network and the remote user's local network.

Virtual Desktop Environments


Another method for remote connection is the use of a virtual desktop environment or virtual desktop
infrastructure (VDI). In a VDI setup, each user has their own dedicated desktop instance (commonly
Windows-based) running on a central server, which can be configured to their liking. Users can
connect to their virtual desktops from any location with any device.

In a VDI setup, all processing is done on the host server, and data is stored on the host server rather
than on the users' devices. This helps to safeguard the data if an endpoint device is lost or
compromised.

Furthermore, VDI establishes a segregation of personal and organizational data while a remote PC is
used. Provided that clipboard, drive, and USB redirection are disabled in the VDI configuration, a user
cannot download or copy data from the virtual desktop to their PC. This serves as a control against
unauthorized copies of business data on a user's PC.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the advantage of using a VDI from a security perspective?
Possible answer: It establishes segregation of personal and organizational data while using a remote PC. This serves as a control against unauthorized copies of business data on a user's PC.

Question: What is the benefit of VPN tunneling?
Possible answer: It provides a secured communication channel.

Figure 7.4: Key aspects from the CISM exam perspective

Practice Question Set 4


1. As an information security manager, you are required to ensure confidentiality in a wireless access point. What is the most
effective method?

A. Deploying a wireless intrusion prevention system


B. Preventing the broadcasting of the service set identifier

C. Deploying wired equivalent privacy (WEP) authentication

D. Enforcing a virtual private network (VPN) over the wireless network

2. The most effective way to ensure the confidentiality of data transmitted over the internet is:

A. Virtual private networks

B. Intrusion prevention systems

C. Routers

D. Two-factor authentication

3. What is the benefit of VPN tunneling?

A. It ensures secured communication

B. It ensures strong authentication

C. It ensures strong passwords

D. It ensures strong network connectivity

4. The function of a virtual private network is to:

A. Implement security policies

B. Compress data traveling in the network

C. Hide data traveling in the network

D. Verify the content of the data packet

5. Which of the following ensures security in a virtual private network?

A. Data diddling

B. Data encapsulation

C. Data hashing

D. Data compression

6. What is the benefit of a virtual desktop infrastructure (VDI) from a security perspective?

A. It helps to reduce the IT resource budget

B. It helps to segregate personal and organizational data while using a remote computer

C. It helps to wipe data remotely

D. It waives the requirement of antimalware software for a remote computer

Biometrics
Biometric verification is a process through which a person can be uniquely identified and
authenticated by verifying one or more of their biological features. Examples of these biometric
identifiers include palm or hand geometry, fingerprints, retina and iris patterns, voice, and DNA.

Biometrics – Accuracy Measure


The accuracy of a biometric system determines how well a system meets the objective. Accuracy
measures determine the success factor of the biometric system. This section will present a few
biometric accuracy measures.
False Acceptance Rate
False acceptance rate (FAR) is the rate of acceptance of a false person (that is, an unauthorized
person). In this case, a biometric control does not restrict an unauthorized person and allows them
access.
False Rejection Rate
False rejection rate (FRR) is the rate of rejection of a correct person (that is, an authorized person).
In this case, biometrics reject even an authorized person, denying them access.
Cross Error Rate or Equal Error Rate
Cross error rate (CER) or equal error rate (EER) is the rate at which the FAR and FRR are equal.
In general, the lower the EER value, the higher the accuracy of the biometric system.
Relationship between FAR and FRR
It must be noted that the FAR and FRR are inversely related: tightening the matching threshold
lowers the FAR but raises the FRR, and loosening it does the opposite. The CER or EER is the
adjustment point at which the FAR and FRR are equal.
The Most Reliable Biometric Identifier
Among the current biometric identifiers, a retina scan is considered the most accurate and reliable
identifier with the lowest FAR. An iris scan is also considered a very reliable biometric feature.

Biometric Sensitivity Tuning


A biometric device can generally be tuned in the following three ways:
High FRR: This is the most stringent access control. Here, the biometric matching criteria are set as extremely high, and in a few
cases, even valid users are rejected. But overall, it provides good protection for critical databases.

High FAR: Here, access control is not rigorous. Biometric matching criteria are set at a low level. Sometimes, even unauthorized
users are accepted.
EER: This is a moderate type of access control. Here, the sensitivity is tuned in such a way that the FRR is equal to the FAR, that
is, neither high false rejection nor high false acceptance.

Thus, for a critical database, a security manager would always prefer a high FRR, that is, biometric
matching criteria being set at a high level.
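An added worked example, not from the book, of the measures defined above. Over a constructed set of match scores from genuine users and impostors, FAR and FRR are evaluated at every candidate threshold, the EER operating point is located, and a stringent high-FRR threshold is chosen for a critical system by capping the FAR. The score values are made up for the example; in practice they come from a trial with enrolled users and known impostors.

```python
# Constructed match scores on a 0..100 scale (higher = closer to the enrolled template).
GENUINE_SCORES = [88, 91, 79, 95, 84, 72, 90, 86, 93, 81, 77, 89]
IMPOSTOR_SCORES = [40, 55, 62, 48, 70, 58, 66, 74, 51, 45, 60, 69]


def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_curve(genuine_scores, impostor_scores):
    """(threshold, FAR, FRR) for every candidate threshold, in ascending threshold order.
    Raising the threshold can only lower FAR and raise FRR, which is the inverse relationship."""
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def equal_error_rate(genuine_scores, impostor_scores):
    """Operating point where FAR and FRR are closest (the CER/EER); returns (threshold, EER)."""
    t, a, r = min(error_curve(genuine_scores, impostor_scores),
                  key=lambda row: (abs(row[1] - row[2]), row[0]))
    return t, (a + r) / 2


def stringent_threshold(genuine_scores, impostor_scores, max_far):
    """High-FRR tuning for a critical system: the lowest threshold whose FAR does not
    exceed max_far. Returns (threshold, FAR, FRR); FRR is the usability cost paid."""
    for t, a, r in error_curve(genuine_scores, impostor_scores):
        if a <= max_far:
            return t, a, r
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    for t, a, r in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:3d}  FAR {a:.3f}  FRR {r:.3f}")
    print("EER operating point:", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("critical-system setting:", stringent_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

On the constructed data, the EER sits at a threshold of 74 with FAR = FRR = 1/12; demanding FAR = 0 pushes the threshold to 77 and rejects one genuine user in twelve, which is the trade-off the sensitivity-tuning discussion above describes.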

Control over the Biometric Process


Due to its immense benefits and ease of use and maintenance, biometric recognition is widely used in
large organizations for employee identification and authentication.

Figure 7.5: Biometric features

A security manager should verify that appropriate controls are in place to protect the biometric
information of users. The following are some important aspects:
Biometric information should be stored securely.

Access to biometric information should only be available to authorized staff.

The data flow between biometric devices and the server should be encrypted.

User access should be revoked immediately on resignation or termination.

An information security manager should be aware of the different types of biometric access.
Types of Biometric Attacks
A CISM aspirant should be aware of the following attacks that exploit the weaknesses in biometric
controls:
Replay attack: In a replay attack, an intruder attempts to use residual biometric characteristics (for example, residual fingerprints
left on a biometric device) to gain unauthorized access.

Brute-force attack: In a brute-force attack, an attacker sends numerous biometric samples with the objective of making the
biometric device malfunction.

Cryptographic attack: In a cryptographic attack, an attacker attempts to obtain information by targeting algorithms or the
encrypted information that is transmitted between biometric devices and access control systems.

Mimic attack: In a mimic attack, the attacker attempts to reproduce a fake biometric feature of a genuine biometric user, for
example, imitating the voice of an enrolled user.

Practice Question Set 5


1. The most accurate and reliable biometric identifier with the lowest FAR is:

A. A voice wave

B. Face identification

C. Hand geometry

D. A retina scan

2. As an IS manager, you should be most concerned about which of the following biometric performance indicators?

A. False rejection rate (FRR)

B. False acceptance rate (FAR)

C. Cross error rate (CER)

D. Equal error rate (EER)

3. Which of the following is considered the most important overall quantitative performance indicator for a biometric system?

A. Percentage of employees enrolled

B. False rejection rate

C. False acceptance rate

D. Equal error rate

4. Which of the following is considered to be the most effective biometric system?

A. A system with the highest equal error rate

B. A system with the lowest equal error rate

C. A system with the highest false acceptance rate


D. A system with the lowest false acceptance rate

5. The accuracy of a biometric system is evaluated by:

A. The server utilization rate

B. The network connection rate

C. The system response rate

D. The false acceptance rate

6. The effectiveness of a biometric system can be best measured by evaluating:

A. The false acceptance rate

B. The cross error rate

C. The staff enrolled rate

D. The false rejection rate

7. An information security auditor is reviewing a biometric control for an organization's data center. What is the area of most
concern?

A. The use of a virtual private network for biometric access.

B. All restricted areas are not protected through biometric control.

C. Transit data between a biometric device and the control server is not encrypted.

D. Biometric controls were last reviewed over a year ago.

8. An information security auditor should first review which of the following biometric life cycle stages?

A. The termination process

B. The enrollment stage

C. The storage process

D. The identification process

9. Which of the following is considered to be the most effective access control mechanism?

A. Session-based password

B. Iris scan

C. Fingerprint

D. Photo ID card

10. Which of the following is the most effective access control mechanism?

A. A fingerprint scanner

B. A password
C. A cipher lock

D. An electronic access card

11. An attack with the unauthorized use of residual biometric information is known as:

A. A brute-force attack

B. An encrypted attack

C. A mimic attack

D. A replay attack

12. An attack in which the attacker attempts to reproduce the characteristics of a genuine biometric user is known as:

A. A mimic attack

B. A cryptographic attack

C. A replay attack

D. A brute-force attack

13. What is an attack in which data transmitted between a biometric device and an access control server is targeted?

A. A mimic attack

B. A brute-force attack

C. A cryptographic attack

D. A replay attack

14. An attack in which numerous biometric samples are sent to a biometric device is known as:

A. A mimic attack

B. A brute-force attack

C. A cryptographic attack

D. A replay attack

15. An organization is implementing biometric control for access to its critical server. This will:

A. Help to completely eliminate false acceptance

B. Require the enrollment of all users that access the critical server

C. Require a separate password for access to the biometric device

D. Help to completely eliminate false rejection

16. A security manager generally desires which of the following sensitivity for a biometric access control to protect a critical
database?

A. A high false rejection rate


B. A high false acceptance rate

C. An equal error rate

D. A below-equal error rate

Factors of Authentication
There are three authentication factors that can be used for granting access:
Something you know (for example, a password, PIN, or some other personal information)

Something you have (for example, a token, a one-time password, or a smart card)

Something you are (for example, biometric features such as a fingerprint or iris scan or voice recognition)

Two-factor authentication means the use of two different factors from the preceding list; two items of
the same factor (for example, a password and a PIN) do not count. For critical systems, it is advisable
to require more than one factor for granting access.

From the user's perspective, two-factor authentication adds friction. Hence, the security manager
should strike the right balance between ease of access and control.
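An added example, not from the book, of the "something you have" factor in the list above: the HOTP/TOTP algorithm (RFC 4226 and RFC 6238) that hardware tokens and authenticator apps implement, together with a server-side verifier that tolerates one step of clock drift, compares codes in constant time, and refuses a code that has already been accepted. The secret is the reference test secret from those RFCs; the user names and the `TotpVerifier` class are illustrative.

```python
import hashlib
import hmac
import struct
import time

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"). A real
# token uses a random secret shared at enrollment, usually Base32-encoded in a QR code.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) using dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server side of the exchange. Accepts a code from the current time step or
    `window` steps either side (clock drift), compares in constant time, and records
    the last accepted counter per user so that a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = {}   # user -> counter of the last code accepted

    def verify(self, user: str, code: str, at_time: float = None) -> bool:
        now = time.time() if at_time is None else at_time
        current = int(now) // self.step
        for c in range(current - self.window, current + self.window + 1):
            if c < 0 or c <= self.last_counter.get(user, -1):
                continue   # negative counter, or a step already consumed (replay)
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter[user] = c
                return True
        return False


if __name__ == "__main__":
    print("token shows:", totp(DEMO_SECRET, time.time()))
    verifier = TotpVerifier(DEMO_SECRET)
    print("accepted:", verifier.verify("alice", totp(DEMO_SECRET, time.time())))
```

The replay guard is the part most often missing from home-grown implementations: without it, a code phished or shoulder-surfed within its 30-second window (plus the drift window) can be reused by the attacker, which turns the second factor into a short-lived password.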

Password Management
Password strength is a measure of the effectiveness of a password against guessing or brute-force
attacks.

Strong and complex passwords should be one of the most important requirements of a password
policy. A security manager should also ensure that the password policy is properly implemented. The
most effective way to ensure compliance with the password policy is to enable system-enforced
password configuration.

Many organizations implement automatic password synchronization for administrative convenience.
Password synchronization keeps a user's password identical across different systems, so the user
needs to remember only a single password in place of multiple passwords for different devices or
machines. This reduces the administrative workload of resetting passwords. The trade-off is that a
password compromised on one system is then valid on every synchronized system, so the synchronized
password must meet the strength requirements of the most sensitive system in the group.


Figure 7.6: Password management

Frequent guidance and awareness are key factors in promoting the requirements of a password policy.
It gradually helps to obtain buy-in from end users.
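An added example, not from the book, of the system-enforced password check that the policy discussion above calls for: length, character classes, a denylist of common passwords, the user's own name, and long character repeats are checked, and a rough guessing-entropy estimate is returned so that the strength of a candidate can be compared against a policy floor. The policy values and the denylist are constructed for this example; a real deployment would check against a breached-password list of millions of entries rather than a handful.

```python
import math
import re

# Constructed denylist; a production check uses a breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "qwerty123", "letmein", "summer2022"}

# Illustrative policy values.
POLICY = {"min_length": 12, "min_classes": 3, "max_repeat": 3}


def char_classes(pw: str) -> int:
    """Number of distinct character classes present (lower, upper, digit, other)."""
    return (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
            + any(c.isdigit() for c in pw) + any(not c.isalnum() for c in pw))


def guess_entropy_bits(pw: str) -> float:
    """Crude upper bound on brute-force work: log2(alphabet_size ** length).
    Real attackers use dictionaries and rules, so treat this as optimistic."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(not c.isalnum() for c in pw):
        alphabet += 33   # printable ASCII punctuation
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw: str, username: str, policy=POLICY) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    violations = []
    if len(pw) < policy["min_length"]:
        violations.append("too_short")
    if char_classes(pw) < policy["min_classes"]:
        violations.append("too_few_character_classes")
    if pw.lower() in COMMON_PASSWORDS:
        violations.append("common_password")
    if username and username.lower() in pw.lower():
        violations.append("contains_username")
    # A run longer than max_repeat of the same character, e.g. "aaaa" when max_repeat=3.
    if re.search(r"(.)\1{%d,}" % policy["max_repeat"], pw):
        violations.append("repeated_characters")
    return violations


if __name__ == "__main__":
    for candidate, user in [("Password1", "alice"), ("alice-Winter-2024", "alice"),
                            ("Tr0ub4dor&3-coffee-xy", "bob")]:
        print(f"{candidate!r}: {check_password(candidate, user) or 'accepted'} "
              f"({guess_entropy_bits(candidate):.0f} bits)")
```

Because the check runs at the point where the password is set, the user cannot bypass it, which is what makes system enforcement more effective than a written policy or an audit after the fact.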

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the best way to ensure that users comply with the organization's password policy?
Possible answer: To enable system-enforced password configuration

Question: What is the prime benefit of implementing automated password synchronization?
Possible answer: Automated password synchronization decreases the overall administrative workload.

Figure 7.7: Key aspects from the CISM exam perspective

Practice Question Set 6


1. Which of the following provides the strongest authentication control for logging on to a corporate network?

A. Biometrics

B. Encryption keys

C. Secure sockets layer


D. Two-factor authentication

2. As an information security manager, you are required to improve the password strength of all users. The most effective method is:

A. Enabling single sign-on

B. Conducting a password audit

C. Discussing the password policy with users

D. Installing an automatic strong password setting

3. What is the best method to share the password for a confidential file?

A. Email the password along with a digital signature

B. Email the password and the file together

C. Share passwords through an out-of-band channel

D. Enable delivery path tracing

4. A security manager notices that an application does not comply with one of the requirements of the organization's password
policy. What would their best course of action be?

A. Reporting the non-compliance to the steering committee

B. Performing a risk assessment to quantify the risk

C. Separating the system from the corporate network

D. Accepting the risk of non-compliance

5. The most effective method to ensure that the end users comply with the password requirements is:

A. Including the requirement for password complexity in the security policy

B. Taking acknowledgment from the users for compliance

C. Implementing a heavy penalty for non-compliance

D. Enabling system-enforced password configuration

6. A critical device with a single user ID needs to be accessed by multiple users. What is the most efficient way to ensure that all
access to the device is authorized?

A. Enabling access through a different device that requires adequate authentication

B. Changing the password after each use

C. Purchasing multiple such devices

D. Reviewing access logs to detect any unauthorized users

7. The primary benefit of automated password synchronization is:

A. It decreases the overall administrative workload

B. The availability of a permanent password


C. It increases security between multi-tier applications

D. Compliance with the information security policy

8. The best way to improve the effectiveness of a password policy is:

A. To conduct password audits

B. To implement a single sign-on system

C. To conduct frequent security awareness programs

D. To implement a heavy penalty for non-compliance

Wireless Networks
A network connection supporting communication between devices without the use of a cable or a
wire is known as a wireless network. Cell phone networks and wireless local area networks are
examples of wireless networks.

CISM aspirants should know about the following controls regarding the protection of wireless (Wi-Fi) security:

Encryption

Media access control filtering

Disabling service set identifier

Disabling dynamic host configuration protocol

Encryption
Encryption is the process of converting data into an unreadable form. Encryption helps to scramble
the data sent through the wireless network into a code. It is an effective way of restricting intruders
when it comes to accessing the wireless network. Wi-Fi Protected Access (WPA) and Wired
Equivalent Privacy (WEP) are the two main types of encryption. For wireless connections, Wi-Fi
Protected Access II (WPA 2) is the strongest encryption standard. These encryption methods only
protect data in transit and not data on the device.

Enabling MAC Filtering


Each device (system, PC, laptop, or mobile) has a unique identification number, known as the MAC (media access control) address. MAC filtering allows access only to selected, authorized devices; the router blocks all other devices from accessing the network. A blacklist feature can be used to specifically reject certain MAC addresses.

MAC addresses can easily be sniffed and then spoofed to gain unauthorized access. Hence, MAC address filtering alone is not considered a good security mechanism.

Disabling a Service Set Identifier


The service set identifier (SSID) is the name of a wireless network. SSID is also known as network
ID. If not disabled, this name is viewable to anyone with a wireless device within reachable distance
of the network.

Such open broadcasting is not required or necessary unless it is purposefully done to promote Wi-Fi,
as in the case of a hotel, restaurant, lounge, mall, and so on.

Disabling Dynamic Host Configuration Protocol


Dynamic host configuration protocol (DHCP) is a network management tool that automatically
assigns an IP address to each device connected to a network. This helps said devices communicate
with other IP networks. If DHCP is disabled, then the IP address can be configured manually, that is,
the static IP. This helps to reduce the risk of unauthorized access.
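The four controls above can be checked mechanically against an access point's configuration. The following is an added example, not code from the book, of a small configuration audit in Python. The configuration fields, the severity levels and the sample access points are constructed for illustration and follow no particular vendor's format; note that it rates MAC filtering as supplementary, for the spoofing reason given above, and does not flag SSID broadcast where a public hotspot is intended.

```python
"""Added example (not from the book): audit access point settings against the
wireless controls discussed above (encryption, MAC filtering, SSID broadcast,
DHCP). Field names and sample access points are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Higher rank is stronger; the book names WPA2 as the strongest standard.
ENCRYPTION_RANK = {"open": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


@dataclass
class AccessPoint:
    name: str
    encryption: str                # one of the ENCRYPTION_RANK keys
    mac_filtering: bool
    ssid_broadcast: bool
    dhcp_enabled: bool
    public_hotspot: bool = False   # hotel or mall Wi-Fi, where broadcasting is intended


def audit_access_point(ap: AccessPoint) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means nothing to report."""
    findings = []
    rank = ENCRYPTION_RANK.get(ap.encryption, 0)
    if rank < ENCRYPTION_RANK["WPA2"]:
        findings.append(("high", f"encryption is {ap.encryption}; WPA2 is the strongest standard"))
    if not ap.mac_filtering:
        findings.append(("low", "MAC address filtering is disabled"))
    elif rank < ENCRYPTION_RANK["WPA2"]:
        # MAC addresses can be sniffed and spoofed, so filtering cannot stand in for encryption
        findings.append(("medium", "MAC filtering is relied on without strong encryption"))
    if ap.ssid_broadcast and not ap.public_hotspot:
        findings.append(("medium", "SSID is broadcast although the network is not a public hotspot"))
    if ap.dhcp_enabled:
        findings.append(("low", "DHCP assigns addresses automatically; static addressing reduces unauthorized access"))
    return findings


def worst_severity(findings: List[Tuple[str, str]]) -> str:
    order = {"none": 0, "low": 1, "medium": 2, "high": 3}
    return max((sev for sev, _ in findings), key=order.__getitem__, default="none")


def audit_fleet(aps: List[AccessPoint]) -> Dict[str, str]:
    """Map each access point name to the severity of its worst finding."""
    return {ap.name: worst_severity(audit_access_point(ap)) for ap in aps}


if __name__ == "__main__":
    fleet = [  # constructed sample access points
        AccessPoint("corp-ap-1", "WPA2", True, False, False),
        AccessPoint("legacy-ap", "WEP", True, True, True),
        AccessPoint("lobby-hotspot", "WPA2", False, True, True, public_hotspot=True),
    ]
    for ap in fleet:
        for sev, text in audit_access_point(ap):
            print(f"{ap.name}: [{sev}] {text}")
    print(audit_fleet(fleet))
```

The audit reports the legacy access point as high severity on encryption alone, which matches the exam emphasis: of the four controls, the encryption standard is the one that decides whether the network is secure.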

Common Attack Methods and Techniques for Wireless Networks

Rogue Access Points
A rogue access point is installed by a hacker on a secured network to gain unauthorized access. A rogue access point facilitates a wireless backdoor for unauthorized users. It can bypass the network firewalls and other monitoring devices and expose the network to attack. It specifically targets wireless networks.

Wardriving
Wardriving is a technique used by a hacker to search for wireless networks from a moving car or vehicle using a laptop or other wireless device with hacking tools or software. The same technique is used by information security auditors to test the wireless security of an organization.

Warwalking
Warwalking is similar to wardriving, except that here, hackers search for wireless networks by walking with their devices instead of driving. This is commonly practiced in public areas, such as malls, hotels, and city streets.

Warchalking
Warchalking is a technique of drawing a mark or symbol in a public area indicating the existence of an open wireless network. These symbols are subsequently used by others to exploit weak wireless networks.

Key Aspects from the CISM Exam Perspective


The following table covers the important aspects from the CISM exam perspective:

Question: What technique is used by a hacker to search for wireless networks from a moving vehicle using hacking tools and software? (The same technique is used by an information security auditor to test the wireless security of an organization.)
Possible answer: Wardriving

Question: What is the strongest encryption standard for a wireless connection?
Possible answer: WPA 2

Figure 7.8: Key aspects from the CISM exam perspective

Practice Question Set 7


1. As an information security manager, you are required to implement a secure wireless network. What is the most effective way to
do so?

A. Enabling media access control address filtering

B. Enabling the Wi-Fi Protected Access 2 protocol

C. Enabling the Wired Equivalent Privacy protocol

D. Enabling two-factor authentication

2. Which of the following exposures is introduced specifically by the use of wireless local area network technology?

A. Buffer overflow

B. Data spoofing

C. Rogue access points

D. Session hijacking

Different Attack Methods for Information Security


A CISM aspirant should be aware of the following methods and techniques for information system attacks:

Alteration attack: In this type of attack, data or code is altered or modified without authorization. Cryptographic integrity checks are used to prevent an alteration attack.

Botnets: Botnets are networks of compromised computers, also known as zombie computers. They are primarily used to run malicious software for distributed denial of service (DDoS) attacks, adware, or spam.

Buffer overflow: A buffer overflow, also known as buffer overrun, is the most common software coding error that can be
exploited by an attacker to gain unauthorized access to a system. A buffer overflow occurs when more data is fed in than the
buffer can handle. Excess data overflows to adjacent storage.

Due to this, the attacker gets an opportunity to manipulate the coding errors for malicious actions.

A major cause of buffer overflow is poor programming and coding practices.


Denial of service (DoS) attack: In a DoS attack, a network or system is flooded with an enormous amount of traffic with the
objective of shutting down the network or the system.

Data diddling: In a data diddling attack, data is modified as it enters into a computer system.

This is done mostly by a data entry clerk or a computer virus. Data is altered before computer
security can protect it. Very limited technical knowledge is required for data diddling. Currently,
there are no preventive controls for data diddling, so organizations need to rely on compensatory
controls.

Dumpster diving: In a dumpster diving attack, an attempt is made to retrieve confidential information from the trash or a garbage bin.

To address the risk of dumpster diving, employees should be made aware of this kind of risk through
frequent security awareness training.

A document discarding policy should be in place to define the appropriate methods for discarding
various types of information. One example is the use of a shredder to discard confidential documents.

Figure 7.9: Dumpster diving

War dialing: War dialing is a technique in which tools are used to automatically scan a list of telephone numbers to determine the
details of computers, modems, and other machines.

Wardriving: In wardriving, an attempt is made to locate and get unauthorized access to a wireless network with the use of
specialized tools.

An intruder drives around the building with specialized tools to identify unsecured networks.

The same technique is used by an information security auditor to identify unsecured networks and thereby test the wireless security of the organization.

Eavesdropping: Through eavesdropping, an intruder gathers information flowing through the network by unauthorized methods.

Using tools and techniques, sensitive information such as email addresses, passwords, and even keystrokes can be captured by the intruder.

Email attacks and techniques:

Email bombing: In this technique, abusers repeatedly send an identical email to a particular address.

Email spamming: In this attack, unsolicited emails are sent to thousands of users.

Email spoofing: In this attack, emails appear to originate from a legitimate source rather than from their actual (illegitimate) source. It is often attempted in order to trick the user into disclosing sensitive information.

Flooding: This is a type of DDoS attack that brings down a network by flooding it with huge amounts of traffic.

The host's memory buffer cannot handle such a volume of traffic.


Interrupt attack: In this type of attack, the operating system is invoked to execute a particular task, thereby interrupting ongoing
tasks.

Juice jacking: In this type of attack, data is copied from a device attached to a charging port (mostly available in public places).

Figure 7.10: Juice jacking – high risk at public charging points

Malicious code:

Trojan horse: In this attack, malicious software is disguised as some legitimate software. Once installed on the system, it starts
taking control of the user's system.

Logic bomb: In this type of attack, a program is executed when a certain event happens. For example, a logic bomb can be set to
delete files or databases at a future date.

Trap door: Another name for a backdoor. A backdoor is a type of malware that bypasses normal authentication procedures to
access a system.

Man-in-the-middle attack: In this attack, an attacker interferes when two devices are establishing a connection.

Alternately, an attacker actively establishes a connection between two devices and pretends to be the
other device with each of them.

If any device asks for authentication, the attacker sends a request to the other device and then
forwards the response to the first device.

Once a connection is established, the attacker can communicate and obtain information as needed.

Masquerading: In this type of attack, an intruder hides their original identity and acts as someone else. This is done to access a system or data that is restricted.

Impersonation can be done by both people and machines.

Two-factor authentication requires an individual to authenticate with two different factors, which reduces the risk of masquerading. It provides an additional security mechanism over and above a password alone.

IP spoofing: In IP spoofing, a forged IP address is used to bypass a firewall.

IP spoofing can be considered masquerading by a machine.


Message modification: In this type of attack, a message is captured and altered or deleted without authorization.

These attacks can have serious impacts in certain instances, for example, when the message is for a
bank to make a payment.

Network analysis: In this type of attack, an intruder creates a repository of information about a particular organization's internal network, such as internal addresses, gateways, or firewalls.

The intruder then determines what services and operating systems are running on the targeted system and how they can be exploited.

Packet replay: In this type of attack, an intruder captures a data packet as it moves along a vulnerable network and later retransmits (replays) it.

Pharming: In this type of attack, the traffic of a website is redirected to a bogus website.

This is done by exploiting a vulnerability in the DNS server.

Pharming is a major concern for e-commerce and online banking websites.


Piggybacking: In this type of attack, an intruder follows an authorized person through a secured door and, hence, enters a
restricted area without authentication.

Piggybacking is considered a physical security vulnerability.

Figure 7.11: Piggybacking

Password sniffing: In a password sniffing attack, tools are used to listen to all the traffic in a network. Then, tools are used to
build data streams out of TCP/IP packets and usernames and passwords are extracted. These tools are known as password sniffers.
These passwords are then used to gain unauthorized access to the system.
Parameter tampering: The unauthorized modification of a web application parameter with malicious intent is known as parameter tampering.

Because hidden fields on a web page are not visible to the user, a developer may feel safe transferring the data without proper validation. This creates a risk, as an intruder may intercept the hidden data and modify the parameter for malicious purposes.

Privilege escalation: In a privilege escalation attack, an employee obtains high-level system authority through unauthorized methods by exploiting security flaws.

Race condition: This is also known as a time-of-check time-of-use (TOC–TOU) attack.

In this attack, an intruder exploits the small window between the time a security check is made and the time the checked resource is actually used.

The larger the gap between the time of check and the time of use, the higher the chance of a race condition attack.

Salami: In this technique, a small amount of money is sliced from a computerized transaction and transferred to unauthorized accounts.

Social engineering: In a social engineering attack, an attempt is made to obtain sensitive information from users by tricking and
manipulating them.

An attacker does not require any technical tools or techniques to obtain information.

A social engineering attack is generally conducted through dialogue, an interview, an inquiry, and/or
other social methods of interaction.

The objective of a social engineering attack is to exploit human nature and weakness to obtain critical
and sensitive information.

By carrying out adequate and effective security awareness training, the impact of social engineering
attacks can be minimized.

Shoulder surfing: In a shoulder surfing attack, an intruder or a camera captures sensitive information by looking over the
shoulder of a user entering details on a computer screen.

Passwords entered on a computer screen should be masked to prevent shoulder surfing attacks.

Figure 7.12: Shoulder surfing

Traffic analysis: In traffic analysis, the communication pattern between entities is studied and information is deduced.

Virus: A virus is a type of malicious code that can self-replicate and spread from computer to computer.

A virus can take control of the user's computer and delete or alter sensitive files. It can also disrupt
system functioning.

Worms: Worms are destructive programs that can destroy sensitive data. However, worms do not replicate like viruses.

Biometric attacks:

Replay attack: In a replay attack, an attacker makes use of residual biometric characteristics (such as fingerprints left
on a biometric device) to gain unauthorized access.

Brute-force attack: In a brute-force attack, an attacker sends numerous biometric samples with the objective of
making the biometric device malfunction.

Cryptographic attack: In a cryptographic attack, an attacker attempts to obtain information by targeting the
algorithm or the encrypted information that is transmitted between the biometric device and the access control system.

Mimic attack: In a mimic attack, an attacker attempts to reproduce fake biometric features of a genuine biometric
user, for example, imitating the voice of an enrolled user.

A CISM aspirant should also understand the differences between active and passive attacks. Passive
attacks are types of attacks in which information is only captured but not modified, inserted, or
deleted. Examples of passive attacks include traffic analysis, network analysis, and eavesdropping.

Active attacks are where an attacker attempts to modify, delete, or corrupt the data or make the
system or network inaccessible. An example of an active attack is DDoS.
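Of the attacks listed above, parameter tampering is the one a developer most directly prevents in code. The following is an added example, not code from the book, showing in Python the hidden-field weakness described under parameter tampering: a handler that trusts the price submitted in a hidden form field, beside a hardened handler that verifies an HMAC over the hidden fields, validates the visible quantity field and prices the order from the server-side catalogue instead of the form. The catalogue, the key and the form data are constructed, and HMAC signing of hidden fields is a standard technique rather than the book's own method.

```python
"""Added example (not from the book): a vulnerable order handler that trusts a
hidden 'price' field, beside a hardened one. Catalogue, key and form data are
constructed assumptions; the HMAC technique is standard practice, not the book's."""
import hashlib
import hmac
from typing import Dict

SECRET_KEY = b"constructed-demo-key"                # assumption: a real key comes from a secret store
CATALOGUE = {"SKU-100": 49.99, "SKU-200": 199.00}   # server-side source of truth for prices


def _mac(fields: Dict[str, str]) -> str:
    """HMAC-SHA256 over the canonical 'key=value' form of the protected fields."""
    msg = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def render_hidden_fields(sku: str) -> Dict[str, str]:
    """What the server embeds in the order form: the hidden fields plus their MAC."""
    fields = {"sku": sku, "price": f"{CATALOGUE[sku]:.2f}"}
    fields["sig"] = _mac(fields)
    return fields


def charge_vulnerable(form: Dict[str, str]) -> float:
    """Trusts whatever value came back in the hidden 'price' field."""
    return float(form["price"]) * int(form["qty"])


def charge_hardened(form: Dict[str, str]) -> float:
    """Rejects any edited hidden field, validates the visible field, and
    prices the order from the catalogue rather than from the form."""
    protected = {"sku": form.get("sku", ""), "price": form.get("price", "")}
    if not hmac.compare_digest(_mac(protected), form.get("sig", "")):
        raise ValueError("hidden fields were modified")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    if protected["sku"] not in CATALOGUE:
        raise ValueError("unknown item")
    return CATALOGUE[protected["sku"]] * qty


if __name__ == "__main__":
    form = render_hidden_fields("SKU-200")
    form["qty"] = "2"
    print(charge_hardened(form))            # 398.0
    form["price"] = "0.01"                  # the hidden field is edited before submission
    print(charge_vulnerable(form))          # 0.02: the vulnerable handler accepts it
    try:
        charge_hardened(form)
    except ValueError as exc:
        print("rejected:", exc)
```

Either measure alone would stop the price manipulation: re-reading the price from the catalogue makes the hidden field irrelevant, and the MAC detects any edit. Keeping both is deliberate, since the MAC also protects hidden state (such as the SKU) for which there is no server-side lookup to fall back on.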

Key Aspects from the CISM Exam Perspective


The following table covers the important aspects from the CISM exam perspective:

Question: An attack in which internet traffic appears to originate from the internal IP of the organization:
Possible answer: IP spoofing

Question: A hidden file on a web page can expose the risk of:
Possible answer: Parameter tampering

Question: An attack which does not require any technical tools and/or techniques to obtain critical information:
Possible answer: Social engineering

Question: A technique to reduce the risk of shoulder surfing:
Possible answer: Passwords on the screen should be masked

Question: Inherent risk in a data entry process for which apparently there is no preventive control:
Possible answer: Data diddling

Question: Examples of passive attacks:
Possible answer: Traffic analysis, network analysis, and eavesdropping

Question: Technique used to test wireless security while in a moving vehicle:
Possible answer: Wardriving

Question: Technique to execute DDoS, spam, and other types of attacks by using other computers as zombie devices:
Possible answer: Botnet

Question: An attack that can circumvent two-factor authentication:
Possible answer: Man in the middle

Question: Risk due to poor programming and coding practices:
Possible answer: Buffer overflow

Question: Risk due to URL shortening services:
Possible answer: Phishing

Question: What is the most effective defense to address the risk of structured query language (SQL) injection attacks?
Possible answer: Strict controls on input fields

Question: The most effective method to address the risk of masquerading:
Possible answer: Two-factor authentication

Question: When a credit card is swiped on a point-of-sale (POS) machine, data is transferred from the card to the machine. Which is the most important control for such data transfers?
Possible answer: Encryption of data

Figure 7.13: Key aspects from the CISM exam perspective
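The table gives "strict controls on input fields" as the most effective defense against SQL injection, and the revision questions at the end of the chapter note that form-based authentication can be bypassed by it. The following is an added example, not code from the book, showing in Python what that looks like: a login query built by string concatenation beside one that validates the input field with an allow-list and length limit, binds the value as a parameter so it can never be parsed as SQL, and compares the stored hash outside the query. The user table, the hash values and the inputs are constructed.

```python
"""Added example (not from the book): a form-based login query built by string
concatenation beside a parameterised one with strict input-field controls.
The user table, hash values and inputs are constructed for illustration."""
import hmac
import sqlite3


def demo_db() -> sqlite3.Connection:
    """In-memory user table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-hash-of-alice-pw')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, pw_hash: str) -> bool:
    """Input goes straight into the SQL text, so it can change the query's logic."""
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{pw_hash}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn: sqlite3.Connection, username: str, pw_hash: str) -> bool:
    """Strict control on the input field (allow-list and length), a bound
    parameter so the value is only ever data, and a constant-time comparison
    of the stored hash performed outside the query."""
    if not (1 <= len(username) <= 32 and username.isalnum()):
        return False
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], pw_hash)


if __name__ == "__main__":
    conn = demo_db()
    crafted = "alice' --"           # closes the quoted value; the rest of the query becomes a comment
    print(login_vulnerable(conn, crafted, "wrong"))      # True: the password check is bypassed
    print(login_parameterised(conn, crafted, "wrong"))   # False: rejected by the input-field check
```

Note that the bound parameter alone would already defeat the bypass; the allow-list on the username is the "strict control on input fields" the table refers to, and it also rejects malformed input before any database work is done.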

Practice Question Set 8


1. The use of hidden files on web pages to save certain information about client sessions can pose the risk of:

A. A race condition

B. Parameter tampering

C. Flooding

D. Juice jacking

2. In which of the following attacks does internet traffic appear to originate from the internal IP of the organization?

A. A DDoS attack

B. Parameter tampering

C. IP spoofing

D. Port scanning

3. A voice over internet protocol (VoIP) infrastructure is mostly impacted by:

A. A DDoS attack

B. Social engineering

C. Juice jacking

D. Premium rate fraud

4. An employee runs a task scheduler without authorization to access restricted applications. What type of attack is this?

A. Privilege escalation

B. Race condition

C. Social engineering

D. Buffer overflow

5. Which of the following techniques does not require any tools and tactics to obtain critical information?

A. Privilege escalation

B. Race condition

C. Social engineering

D. Buffer overflow

6. The best method to limit the consequences of a social engineering attack is:

A. Implementing robust physical security

B. Implementing robust logical security

C. Providing security awareness training

D. Preparing an information security policy

7. Passwords entered on the computer screen should be masked to prevent:

A. Juice jacking

B. Tailgating

C. Shoulder surfing

D. Impersonation

8. The mandatory process of reading employee ID badges at the entrance door prevents:

A. Shoulder surfing

B. Piggybacking

C. Race condition

D. Dumpster diving

9. Which of the following techniques is considered an inherent risk in data entry for which apparently there is no preventive control?

A. Shoulder surfing

B. Data diddling

C. Race condition

D. Dumpster diving

10. Which of the following is considered a passive cyber security attack?

A. Traffic analysis

B. Juice jacking

C. Denial of service

D. IP spoofing

11. A password sniffing attack can:

A. Help an intruder to act as another party

B. Help an intruder bypass physical security

C. Help an intruder gain unauthorized access to the system

D. Help an intruder impersonate

12. What technique is used to test the wireless security of an organization?

A. Wardriving

B. Juice jacking

C. War dialing

D. Social engineering

13. Which of the following is used for distributed denial of service?

A. Phishing techniques

B. Logic bombs

C. Botnets

D. Social engineering

14. Wireless infrastructure increases which of the following risks?

A. Port scanning

B. Wardriving

C. War dialing

D. Backdoor

15. In which of the following attacks is residual biometric information used to gain unauthorized access?

A. A brute-force attack

B. An encrypted attack

C. A mimic attack

D. A replay attack

16. Which of the following methods has the capability to circumvent two-factor authentication?

A. DDoS

B. Man in the middle

C. Juice jacking

D. Brute force

17. Which of the following risks increases due to poor programming and coding practices?

A. Juice jacking

B. Social engineering

C. Buffer overflow

D. Brute force

18. Which of the following risks increases due to URL shortening services?

A. Social engineering

B. Phishing

C. Vishing

D. DDoS

19. Social engineering can succeed due to:

A. Technical error

B. Judgmental error

C. A highly qualified intruder

D. Computer error

20. Which of the following techniques is used to gather information about encrypted data being transmitted over a network?

A. DDoS

B. IP spoofing

C. Traffic analysis

D. Masquerading

Summary
In this chapter, you learned about the infrastructure and architecture of information security. This
chapter will help the CISM candidate understand important methods, tools, and techniques to develop
a security program in an effective and efficient manner.

You also explored security architecture in line with industry best practices and access control
requirements including biometrics and authentication factors.

The next chapter will cover the practical aspects of information security program development and
management.

Revision Questions
1. Which of the following is most effective to address the risk of dumpster diving?

A. Security awareness training

B. Policy for discarding documents

C. Placing CCTV above bins

D. Purchasing high-speed shredders

2. The best way to control the activity of an intruder masquerading as an authorized user and connecting to the corporate network is:

A. Encrypting the network traffic

B. Deploying an intrusion prevention system

C. Two-factor authentication

D. Use of a digital signature

3. What is the most important aspect to secure credit card data while using the card at point of sale?

A. Authorization

B. Authentication

C. Encryption

D. Digital signature

4. A SQL injection attack can best be prevented by:

A. An intrusion prevention system

B. An intrusion detection system

C. Periodic audits

D. Periodic security awareness training

5. A man-in-the-middle attack between two computers can be prevented by:

A. Use of two-factor authentication

B. Establishing a connection through an IPv6 security virtual private network

C. Conducting periodic security audits

D. Deploying an intrusion detection system

6. The risk of tailgating/piggybacking can best be addressed by:

A. An access card

B. A photo identity card

C. Awareness training

D. A biometric reader

7. A form-based authentication requiring a user to input a user ID and a password can be bypassed by:

A. The use of a weak password

B. Structured query language injection

C. Lack of an account lockout facility

D. Lack of a session time-out facility

8. Which of the following exposures is introduced by the use of Simple Network Management Protocol version 2 (SNMP v2)?

A. Slow network bandwidth

B. Unstable processing

C. Cleartext authentication

D. Cross-site scripting

9. What is the best way to control a brute-force attack?

A. Implementing maximum password age rules

B. User education

C. Automating controls to construct strong passwords

D. Enabling system lockouts after multiple wrong attempts

YOUR UNIQUE SIGN-UP CODE


Your unique sign-up code to unlock the online content is 456yt65. The sign-up link is http://packt.link/cismsignup.
8

Information Security Monitoring Tools and Techniques


In this chapter, you will learn about the methods, tools, and techniques for monitoring information
security. You will explore the technical aspects of firewall implementation and understand the
functions of intrusion prevention systems (IPSs) and intrusion detection systems (IDSs). You will
also discover some important aspects of digital signatures, public key infrastructure (PKI), and
asymmetric encryption, which are very important from the CISM exam perspective.

The following topics will be covered in this chapter:


Firewall Types and Implementations

Intrusion Detection Systems and Intrusion Prevention Systems

Digital Signatures

Elements of Public Key Infrastructure

Cryptography

Penetration Testing

Firewall Types and Implementations


A firewall is a device that monitors and controls network traffic. It is generally placed between an
enterprise's internal network and the internet to protect the organization's systems and infrastructure.

A security manager should understand the following types of firewalls, as well as how they should be
structured for better protection of information assets:

Figure 8.1: Types of firewalls

Types of Firewalls
The following are the basic characteristics of these different types of firewalls.
Packet Filtering Router
A packet filtering router is the simplest, and the standard, version of a firewall. It tracks the IP
addresses and port numbers of both the destination and source and acts (either to allow or deny the
connection) as per the defined rules. A packet filtering router functions at the network layer of the
Open Systems Interconnection (OSI) model.
Stateful Inspection
A stateful inspection firewall monitors and tracks the destination of each packet being sent from an
internal network. It only allows incoming messages that are in response to requests sent out from the
internal network. A stateful inspection firewall operates at the network layer of the OSI model.
Circuit-Level
A circuit-level firewall operates on the concept of a bastion host and proxy server. It provides the
same proxy for all services. It operates at the session layer of the OSI model.
Application-Level
Here are a few characteristics of an application-level firewall:
An application-level firewall is regarded as the most secure type of firewall.

It operates at the application layer of the OSI model.

It controls applications such as FTP and HTTP.

It also works on the concept of a bastion host/demilitarized zone and proxy server but provides a separate proxy for each service.

CISM aspirants should understand the concept of a bastion host, proxy, and demilitarized zone, as
discussed in the following sections.

Proxy
What is a proxy? The following diagram is a visual representation of how a proxy works:
Figure 8.2: Proxy server

The following are some features of a proxy server:


A proxy can be regarded as a mediator. It stands between internal and external networks.

No direct communication is allowed between the internal and external networks. All communication passes through the proxy
server.

The outside world cannot see the addresses of the internal networks. It can only recognize proxy servers.

The proxy technology operating at the session layer is known as a circuit-level proxy, and the proxy technology operating at the
application layer is referred to as an application-level proxy.

Demilitarized Zone/Bastion Host


A demilitarized zone (DMZ) is the area that is accessible to the external network. The objective of
setting up a DMZ is to prevent external traffic from having direct access to the critical systems of the
organization. All systems placed in a DMZ should be hardened, and all functionality that is not
required should be disabled. Such systems are also referred to as bastion hosts.

The firewall ensures that traffic from the outside is routed into the DMZ. Nothing valuable is kept in
a DMZ because it is subject to attack (and to compromise resulting from the attack).

The following simple example further explains proxies, bastion hosts, and DMZs.

Your office has a receptionist. The receptionist has a phone number that is easily available in the
phone directory. You and your colleagues have been given specific extension numbers. Only your
receptionist and internal staff know the extension numbers:
Proxy: You cannot directly call outside the organization from your extension. First, you need to call your receptionist and request
an external connection. Your receptionist will do all the due diligence and get you connected. An outsider will only know the
receptionist's phone number. They will not be able to track your extension. The receptionist is thus a proxy.

Bastion host/DMZ: Similarly, an outsider cannot directly contact you on your extension. They need to call the receptionist first.
The receptionist will do the necessary due diligence and then pass the call on to you. Since your receptionist has direct contact
with multiple outsiders, they are more vulnerable to attacks or threats, for instance, intruders trying to gain sensitive information.
Thus, you need to ensure that they do not possess any sensitive or critical data. This is the bastion host or the DMZ.

Types of Firewall Implementation


A CISM aspirant needs to understand the following types of firewall implementation.
Dual-Homed Firewall
A dual-homed firewall includes one packet filtering router and one bastion host with two network
interface cards (NICs).

The following diagram illustrates the concept of a dual-homed firewall:


Figure 8.3: Dual-homed firewall

Screened Host Firewall


A screened host firewall includes one packet filtering router and one bastion host.

The following diagram illustrates the concept of a screened host firewall:

Figure 8.4: Screened host firewall


Screened Subnet Firewall (DMZ)
A screened subnet firewall consists of two packet filtering routers. It also has one bastion host.

Of the preceding firewall implementations, a screened subnet firewall (DMZ) is regarded as the most
secure type of firewall implementation.

The following diagram illustrates the concept of a screened subnet firewall:


Figure 8.5: Screened subnet firewall

Generally, servers that interact with the internet (extranet) are placed in a demilitarized area as this
area is separate from internal servers and properly hardened. Also, generally, an IDS is placed on a
screened subnet, which is a DMZ.

Placement of Firewalls
Firewalls should be placed in a hardened server with minimum services enabled. It is not
recommended to place firewalls and IDSs in the same physical server. A firewall should be
implemented on a domain boundary to monitor and control incoming and outgoing traffic.

The most effective way to ensure that firewall rules are adequate is to conduct penetration tests
periodically. Gaps identified during penetration tests should be addressed immediately. This helps to
improve the security posture of the organization.

Source Routing
Firewalls should, by default, reject traffic that uses IP source routing. Source routing is a way of
obtaining information about all the routers a packet transits. This could potentially be used to bypass
firewalls, and hence it is a security threat. If a firewall permits source routing, it is possible to execute
spoofing attacks using a captured IP address of the organization.

Firewall Types and Their Corresponding OSI Layers

CISM aspirants should have a basic understanding of the OSI layer for each type of firewall. The
following table illustrates the types of firewalls and their corresponding OSI layers:

Figure 8.6: Firewalls and OSI layers

The capability of a firewall increases with the OSI layer at which it operates, because a higher layer exposes
more of the traffic for inspection. An application-level firewall, which operates at the seventh (application)
layer, is the most robust.

Key Aspects from the CISM Exam Perspective

The following are some of the key aspects from the exam perspective:

Question: What is the objective of a firewall?
Answer: To connect only authorized users to trusted networks (thereby restricting unauthorized access)

Question: What is the most secure type of firewall?
Answer: Application-level (as it works on the highest layer, that is, the application layer of the OSI model)

Question: The most secured implementation technique is:
Answer: A screened subnet firewall

Question: The most stringent and robust configuration setting in a firewall is:
Answer: To reject all traffic and allow only specific traffic

Question: The firewall that permits traffic from external sources only if it is in response to traffic from internal hosts is:
Answer: A stateful inspection firewall

Question: An internet-facing server (extranet) is best placed in:
Answer: A screened subnet (DMZ)

Question: Where should an intrusion detection system ideally be placed?
Answer: A screened subnet (DMZ)

Question: What is the best technique to validate the adequacy of firewall rules?
Answer: Penetration testing on a regular basis

Question: What is the primary disadvantage of the use of password-protected ZIP files to email files across the internet?
Answer: A mail filter or firewall may quarantine the password-protected file as it cannot verify whether the file contains malicious code.

Question: What is the major risk when there is an excessive number of firewall rules?
Answer: One rule may override another rule and create a loophole.

Figure 8.7: Key aspects from the CISM exam perspective
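Two of the points in the table above, the "reject all, allow only specific traffic" posture and the way one rule can override another in a large rule set, can be seen in a small first-match packet filter. The following is an added example, not code from the book; the rule set, the addresses (RFC 5737 documentation ranges) and the packets are constructed for the demo.

```python
"""Added example (not from the book): a first-match packet filter that ends
in an implicit deny-all, plus a check for rules that an earlier, broader rule
overrides. Rules, addresses and packets are constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR; "0.0.0.0/0" means any source
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None means any port

    def matches(self, pkt: Dict) -> bool:
        """Does this rule apply to the packet?"""
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match, this rule matches too."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


def evaluate(rules: List[Rule], pkt: Dict) -> Tuple[str, Optional[int]]:
    """First matching rule decides. Nothing matched means the implicit final
    rule applies: deny. That is the 'reject all traffic and allow only
    specific traffic' posture the exam calls the most robust."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed, by) index pairs. A rule is shadowed when an earlier
    rule covers everything it would match, so it can never take effect. When
    the two rules have opposite actions, the earlier one has silently
    overridden the later one: the loophole that grows with rule-set size."""
    found = []
    for later, rule in enumerate(rules):
        for earlier in range(later):
            if rules[earlier].covers(rule):
                found.append((later, earlier))
                break
    return found


# Constructed addresses (RFC 5737 documentation range for the DMZ web server).
DMZ_WEB = "203.0.113.10/32"
INTERNAL = "10.0.0.0/8"
ANY = "0.0.0.0/0"

# An intentionally flawed rule set: a blanket "allow any" was added in the
# middle, so the deny that is meant to protect the internal network never runs.
FLAWED_RULES = [
    Rule("allow", ANY, DMZ_WEB, "tcp", 443),   # internet -> DMZ web (HTTPS)
    Rule("allow", INTERNAL, ANY, "tcp", 443),  # internal -> internet (HTTPS)
    Rule("allow", ANY, ANY, "any", None),      # the overriding rule
    Rule("deny", ANY, INTERNAL, "any", None),  # shadowed: never reached
]

# The corrected set drops the blanket allow; the deny is now reachable, and
# even without it the implicit deny-all at the end would block the traffic.
CORRECTED_RULES = [r for r in FLAWED_RULES if r != Rule("allow", ANY, ANY, "any", None)]

# A constructed inbound SSH attempt from the internet to an internal host.
INBOUND_SSH = {"src": "198.51.100.7", "dst": "10.1.2.3", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    print("flawed:", evaluate(FLAWED_RULES, INBOUND_SSH), shadowed_rules(FLAWED_RULES))
    print("corrected:", evaluate(CORRECTED_RULES, INBOUND_SSH), shadowed_rules(CORRECTED_RULES))
```

Running `shadowed_rules` over a rule set before deployment is a cheap complement to the periodic penetration test the text recommends: it finds rules that can never fire, which is exactly where overrides hide.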

NOTE
The answers and explanations for all practice and revision questions for this chapter can be found via this link.

Practice Question Set 1


1. Which of the following is considered the most robust firewall rule?

A. The rule to permit all traffic by default and deny specific traffic

B. The rule to deny all traffic by default and permit only specific traffic

C. The rule to decide dynamically on the basis of the nature of the traffic

D. The rule to provide discretionary power to the network administrator to permit or deny all traffic

2. A packet filtering firewall operates at:

A. The network layer of the OSI

B. The application layer of the OSI

C. The transport layer of the OSI

D. The session layer of the OSI

3. Which of the following is considered the most robust and secure firewall system implementation?

A. A screened host firewall

B. A screened subnet firewall

C. A dual-homed firewall

D. A stateful inspection firewall


4. The firewall that provides the most robust and secure environment is:

A. Stateful inspection

B. Packet filter

C. Application gateway

D. Circuit gateway

5. Which of the following firewall structures will best protect a network from internet attacks?

A. A screened subnet firewall

B. A screened host firewall

C. A packet filtering router

D. A circuit-level gateway

6. As an information security manager, you want to deploy a firewall that permits external traffic only in response to traffic sent
from an internal host. Which of the following is the best choice?

A. An application-level gateway firewall

B. A stateful inspection firewall

C. A packet filtering router

D. A circuit-level gateway

7. Which of the following firewalls will not allow the download of a file through the file transfer protocol (FTP)?

A. A stateful inspection firewall

B. An application gateway firewall

C. A packet filtering firewall

D. A circuit-gateway firewall

8. Which of the following firewalls will safeguard the most against a hacking attempt?

A. A stateful inspection firewall

B. A remote access server

C. An application-level gateway

D. A packet filtering firewall

9. The area of most concern for a risk practitioner when reviewing a firewall implementation is:

A. The availability of a documented security policy

B. The availability of updated firewall infrastructure with the most secure algorithm

C. The effectiveness of the firewall in enforcing compliance with the information security policy

D. The technical skills of end users


10. Which of the following is the most common type of error while setting a firewall configuration?

A. Incorrect configuration of the access lists

B. Inadequate protection of the administrator password

C. End users are not trained in the firewall configuration

D. Antivirus software is not updated at frequent intervals

11. Which of the following is the first step of implementing a firewall within a big organization?

A. Developing a security policy

B. Conducting a gap analysis

C. Reviewing the access control list

D. Setting the firewall configuration rules

12. The most significant job of a firewall is:

A. Providing routing services to connect different networks

B. Supporting load balancing

C. Connecting authorized users to a trusted network

D. Improving the network performance

13. The area of most concern for a security manager reviewing the firewall infrastructure is:

A. The firewall administrator has not been trained on the security aspect

B. The firewall rules are not reviewed at periodic intervals

C. The firewall configuration is not approved by the security manager

D. The implementation of the firewall above a commercial operating system with all installation options enabled

14. What is the most effective method to ensure that a firewall is configured as per the security policy?

A. To conduct a review of the security policy

B. To conduct a review of the reported incidents

C. To conduct a review of the access control list

D. To conduct a review of the parameter settings

15. The primary function of a firewall is to address the issue of:

A. Unauthorized attempts to access the network outside the organization

B. Unauthorized attempts to access the network within the organization

C. Slow bandwidth

D. Input processing errors


16. The primary objective for installing two parallel firewalls attached directly to the internet and the same DMZ is:

A. To establish multi-layer defense

B. To distinguish between test and production environments

C. To allow traffic load balancing

D. To control denial of service risks

17. An internet-facing server (extranet) is best placed:

A. Before the firewall

B. Outside the router

C. On a screened subnet

D. On the firewall server

18. An intrusion detection system (IDS) is best placed:

A. Before the firewall

B. Outside the router

C. On a screened subnet

D. On the firewall server

19. The best place to deploy a firewall is:

A. On the database server

B. On the web server

C. On the IDS server

D. On the domain boundary

20. The most effective method to ensure that firewall rules and settings are adequate is:

A. To survey the IT team members

B. Periodic analysis of system logs to determine any abnormal activity

C. To conduct penetration testing at frequent intervals

D. To conduct system audits at frequent intervals

Intrusion Detection Systems and Intrusion Prevention Systems

Monitoring security events is a very important aspect of information security. Two important
monitoring tools are Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems
(IPSs).

Intrusion Detection Systems
An IDS helps to monitor a network (network-based IDS) or a single system (host-based IDS) with
the objective of recognizing and detecting intrusions.
Network-Based and Host-Based IDSs
The following table differentiates between network-based and host-based IDSs:

Network-based IDS: Monitors activity on the entire network
Host-based IDS: Monitors activity of a single system or host

Network-based IDS: Has high false positives (that is, high rates of false alarms)
Host-based IDS: Has low false positives (that is, low rates of false alarms)

Network-based IDS: Generally used to detect attacks from the outside
Host-based IDS: The preferred choice to detect attacks from the inside

Network-based IDS: Inspects the contents and header information of all packets moving across a network and identifies any irregular behavior
Host-based IDS: Detects activity on a host computer, such as the deletion of files or the modification of programs

Figure 8.8: Differences between network-based IDS and host-based IDS


Components of an IDS
The following table shows various components of an IDS:

Sensors: The function of sensors is to collect data. Data may be in the form of IP packets, log files, and so on.

Analyzers: An analyzer analyzes the data and determines any intrusive activity.

Administration console: The administration console helps the administrator control and monitor IDS rules and functions.

User interface: The user interface helps the user view the results and carry out the required tasks.

Figure 8.9: Components of IDS

Limitations of an IDS
The following are some limitations of an IDS:
IDSs operate on the basis of policy definition. A weakness in policy definitions weakens the function of IDSs.

IDSs cannot control application-level vulnerabilities.

IDSs cannot control backdoors into applications.

IDSs cannot analyze data that is tunneled into an encrypted connection.

Types of IDS
The following are some types of IDSs:

Signature-based: In signature-based IDSs, the IDS looks for specific predefined patterns to detect intrusions. Patterns are stored as signatures and are updated at frequent intervals. This is also known as a rule-based IDS. Signature-based IDSs are not capable of identifying new types of attacks for which signatures are not yet available.

Statistical-based: Statistical-based IDSs attempt to identify abnormal behavior by analyzing statistical algorithms. Any abnormal activity is flagged as an intrusion. For example, if normal logon hours are between 7 A.M. and 5 P.M., and a logon is performed at 11 P.M., the IDS will raise this as an intrusion. Statistical-based IDSs generate the most false positives compared to other types of IDSs.

Neural network-based: Neural network-based IDSs work on the same principle as statistical-based IDSs. However, they have the advanced functionality of self-learning. A neural network keeps updating its database by monitoring the general patterns of activity. Neural networks are most effective at addressing problems that can be solved by analyzing many input variables.

Figure 8.10: Types of IDS

For any type of IDS, tuning is the most important element for its successful implementation. Tuning
is the process of adjusting the criteria to determine abnormal behavior. If criteria are not properly
tuned, the IDS may generate false alarms or may fail to identify an actual abnormality. The most
effective way to determine whether an IDS is properly tuned is to simulate various attack scenarios
and review the performance of the IDS.
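The statistical-based IDS from the table and the tuning problem described above can be shown together: a logon-hour detector learns a baseline, and labelled simulated events are replayed through it at several thresholds to count false alarms and missed anomalies. This is an added example, not code from the book; the baseline hours, the events and their labels are constructed for the demo.

```python
"""Added example (not from the book): a statistical (anomaly-based) IDS rule
for logon times, and the effect of the detection threshold on false alarms.
The baseline hours and the labelled test events are constructed for the demo."""
import statistics
from typing import Dict, List, Tuple

# Constructed baseline: one logon per hour across the normal working day,
# as the IDS would have learned from historical logs (7 A.M. to 5 P.M.).
BASELINE_LOGON_HOURS: List[int] = list(range(7, 18))

# Constructed test events: (user, logon hour, is_real_anomaly). The label is
# the ground truth a simulated attack scenario gives us; the IDS does not see it.
TEST_EVENTS: List[Tuple[str, int, bool]] = [
    ("alice", 8, False),         # ordinary start of day
    ("bob", 7, False),           # early but within normal hours
    ("carol", 18, False),        # working a little late: legitimate
    ("dave", 6, False),          # early bird: legitimate
    ("svc_backup", 2, True),     # service account used interactively at 2 A.M.
    ("mallory", 23, True),       # the 11 P.M. logon the book uses as its example
]


class LogonHourAnomalyDetector:
    """Flags a logon whose hour is more than `threshold` standard deviations
    away from the mean logon hour learned during tuning."""

    def __init__(self, baseline_hours: List[int], threshold: float):
        self.mean = statistics.mean(baseline_hours)     # 12 for the baseline above
        self.stdev = statistics.pstdev(baseline_hours)  # about 3.16
        self.threshold = threshold

    def score(self, hour: int) -> float:
        """Distance from normal, in standard deviations (a z-score)."""
        return abs(hour - self.mean) / self.stdev

    def is_intrusion(self, hour: int) -> bool:
        return self.score(hour) > self.threshold


def evaluate_threshold(threshold: float,
                       events: List[Tuple[str, int, bool]] = TEST_EVENTS,
                       baseline: List[int] = BASELINE_LOGON_HOURS) -> Dict[str, int]:
    """Replay labelled events through the detector and count the outcomes.
    Simulating known scenarios this way is how to check the tuning: false
    positives mean the threshold is too low, false negatives mean it is too high."""
    ids = LogonHourAnomalyDetector(baseline, threshold)
    counts = {"true_positive": 0, "false_positive": 0, "false_negative": 0}
    for _user, hour, is_anomaly in events:
        alarm = ids.is_intrusion(hour)
        if alarm and is_anomaly:
            counts["true_positive"] += 1
        elif alarm and not is_anomaly:
            counts["false_positive"] += 1
        elif not alarm and is_anomaly:
            counts["false_negative"] += 1
    return counts


if __name__ == "__main__":
    for t in (1.5, 2.5, 4.0):
        print(f"threshold {t}: {evaluate_threshold(t)}")
```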
Placement of IDSs
Network-based IDSs can be installed either between the firewall and the external network (the
internet) or between the firewall and the internal network.

If an IDS is installed between the firewall and the external network, it can identify all intrusion
attempts irrespective of whether the intrusion packets bypass the firewall or not:

Figure 8.11: IDS placed before the firewall

If an IDS is installed between the firewall and the internal network, it can only detect those attempts
that bypass the firewall rules:

Figure 8.12: IDS placed after firewall

The next section will cover IPSs.

Intrusion Prevention Systems


IPSs can not only detect intrusion attempts but can also prevent the impact of an intrusion attack by
blocking the traffic.

Difference between IDSs and IPSs


IDSs only monitor, record, and raise alarms about intrusive activities, whereas IPSs also prevent
intrusion activities.

Honeypots and Honeynets


A honeypot is a decoy system set up to attract hackers and intruders. The purpose of setting up a
honeypot is to capture the details of intruders in order to proactively strengthen security controls. High-
interaction honeypots provide a real environment to attack, whereas low-interaction honeypots
provide only limited information.

A honeynet is a combination of linked honeypots. It is used for large network setups.

Key Aspects from the CISM Exam Perspective

The following are some of the key aspects from the exam perspective:

Question: What is the objective of installing an IDS?
Answer: To identify attacks on the internal network

Question: What is the disadvantage of a statistical-based IDS?
Answer: False alarms are generated even for minor abnormalities

Question: What is the disadvantage of a signature-based IDS?
Answer: The inability to detect a new attack method

Question: Which IDS has the capacity to update its database and self-learn?
Answer: A neural network-based IDS

Question: The component of an IDS that collects data is:
Answer: A sensor

Question: The type of IDS with the highest false alarms is:
Answer: A statistical-based IDS

Question: The setup that captures the information of intruders for proactively strengthening the security controls is:
Answer: A honeypot

Question: The first step in the preparation of a system attack is:
Answer: Gathering information

Question: Which types of IDSs are effective in mitigating a denial or distributed denial of service attack?
Answer: Statistical-based or anomaly-based; neural network-based

Question: What will happen if an IDS is set with a low threshold value to determine an attack?
Answer: An increase in the number of false positives

Figure 8.13: Key aspects from the CISM exam perspective

Practice Question Set 2


1. Which of the following intrusion detection systems observes the general pattern of activities and updates its database?

A. A neural network-based IDS

B. A statistical-based IDS

C. A signature-based IDS

D. A role-based IDS

2. Which part of an intrusion detection system collects data?

A. The console

B. The sensor

C. The analyzer

D. The user interface

3. Which of the following intrusion detection systems gives the highest false alarms?

A. A neural network-based IDS

B. A statistical-based IDS

C. A signature-based IDS

D. A host-based IDS

4. Which of the following is a major concern for an auditor verifying an intrusion detection system?

A. The number of false alarms

B. Being unable to identify intrusions

C. The use of an automated tool for log capturing and monitoring

D. The intrusion detection system being placed between the internal network and the firewall

5. What is the best location to place an intrusion detection system for the detection of an intrusion that bypasses the firewall?

A. Between the firewall and the external network

B. Between the firewall and the internal network

C. Between the external network and the internal network

D. Alongside the firewall

6. Which of the following is a characteristic of an intrusion detection system (IDS)?

A. Collecting evidence on intrusive activities

B. Routing traffic as per the defined rules

C. Blocking restricted websites

D. Acting as access control software

7. Which of the following is the most frequent problem with respect to an intrusion detection system?

A. False rejection rate

B. False acceptance rate

C. False positives

D. DDoS attacks

8. The risk of intrusion attacks and network penetration can be detected on the basis of unusual system behavior by:

A. A hub

B. Packet filters

C. A switch

D. An intrusion detection system

9. Which of the following is the most important control to detect an intrusion?

A. Access control procedures

B. Automatic logoffs on inactive computers

C. Monitoring of unsuccessful logon attempts

D. Account lockouts after a specified number of unsuccessful logon attempts

10. Which of the following is the most important concern with respect to an intrusion detection system (IDS)?

A. Many false alarms generated by a statistical-based IDS

B. A firewall being installed between the IDS and the external network

C. The IDS being used to detect encrypted traffic

D. Zero-day threats not being identified by a signature-based IDS


11. What is the most important factor impacting the effectiveness of a neural network?

A. A neural network detects all the known types of intrusion

B. A neural network flags all activities that are not normal

C. A neural network monitors the general patterns of activity and creates a database, addressing complex problems
involving input variables from different sources

D. A neural network solves the problem where a large database is not required

12. An organization with the objective of protecting a public-facing website on its server should install the network intrusion
detection system:

A. In a DMZ

B. On the same web server where the website is hosted

C. Between the firewall and the external network

D. In the organization's internal network

13. To prevent the installation of a rootkit on a web server hosting an application, which of the following should be installed?

A. A packet filtering firewall

B. A network-based intrusion detection system

C. The latest operating system patch

D. A host-based intrusion prevention system

14. Which of the following helps to capture information for proactively strengthening security controls?

A. A honeypot

B. A proxy server

C. An IDS

D. An IPS

15. Which of the following systems can block a hacking attempt?

A. An intrusion prevention system

B. A honeypot

C. A switch

D. An intrusion detection system

16. Which of the following is the first action in the preparation of a system attack?

A. To capture information

B. To erase the evidence

C. To gain access

D. To launch a DoS attack

17. After the firewall, which of the following is considered the next line of defense for network security?

A. Antimalware software

B. Router

C. Switch

D. An intrusion detection system

18. A major concern of a poorly configured intrusion prevention system is:

A. The administrator has to verify high instances of alarms

B. Critical services or systems are blocked due to false alarms

C. Slowing down of the network

D. The high cost of the intrusion prevention system

19. What is the most important aspect to be considered while deploying an intrusion detection system?

A. Tuning

B. Patch updating

C. Logging

D. Change management

20. Statistical-based IDSs are not as popular as signature-based IDSs because statistical-based IDSs:

A. Are more expensive than signature-based IDSs

B. Require specialized staff to monitor

C. Generate false alarms from different users or system actions

D. Are not capable of detecting new types of attacks

Digital Signatures
A digital signature is a method in which a unique code is attached to an electronic message. This
unique code acts as a signature. It helps to verify a document's integrity and the sender's identity.

Steps for Creating a Digital Signature


1. Create a hash of the message. A hash is also known as a message digest.

2. Encrypt the hash (from Step 1) with the private key of the sender.

The following figure explains the process in detail:


Figure 8.14: Digital signature

What is a Hash or a Message Digest?


A hash value is a value derived from a message using a mathematical algorithm. A hash value is
unique for each message. If a message changes, its hash value also changes.

The following figure further illustrates this:

Figure 8.15: Hash value

The following is a screenshot of software showing a hash value of the message Meeting at 8 AM:

Figure 8.16: Hash software


The following is a screenshot of the same software showing the hash value of the message Meeting
at 8 PM:

Figure 8.17: Hash software

The table in Figure 8.15 shows the hash value for the first message (i.e., 8 AM) and the second table
shows the hash value for the second message (i.e., 8 PM). Note that in the preceding screenshots the
entire hash value changed even though only one character of the message changed:

Figure 8.18: Matching the hash value

The following explains how a message is encrypted by a sender and decrypted by the receiver:
Figure 8.19: Verifying a digital signature

Receiver Mr. B will perform the following steps:


1. He will independently calculate the hash value of the message Meeting at 8 AM. The hash value comes to
4526dee03a36204cbb9887b3528fac4e.

2. Then, he will decrypt the digital signature, that is, 4xxxxxxxxxxxxxxxxxxxxxxxxx4e, using the public key of the sender,
Mr. A. (This proves authentication and non-repudiation.)

3. Now, he will compare the value derived in step 1 with the value derived in step 2. If they match, the integrity of the message is
proved.

Thus, a digital signature is used to verify the following:


Integrity (that the message has not been tampered with)

Authentication (that the message was actually sent by the sender)

Non-repudiation (that the sender cannot later deny sending the message)

However, a digital signature does not ensure confidentiality.

Key Aspects from the CISM Exam Perspective

The table below covers important aspects from the CISM exam perspective:

Question: What is the objective of a digital signature?
Answer: A digital signature is used to verify:
  Integrity (that the message has not been tampered with)
  Authentication (that the message has actually been sent by the sender)
  Non-repudiation (that the sender cannot later deny sending the message)

Question: Does a digital signature provide confidentiality?
Answer: In the creation of a digital signature, only the hash value of the message is encrypted (not the entire message). Hence, a digital signature does not provide confidentiality or privacy.

Question: Which key is to be used for the creation of a digital certificate, that is, for the encryption of the hash of the message?
Answer: The private key of the sender

Question: Which key is to be used to validate the digital certificate, that is, for the decryption of the hash of the message?
Answer: The public key of the sender

Question: What provides the best evidence that a specific action or transaction occurred (i.e., when the initiator of the transaction cannot deny that transaction)?
Answer: Non-repudiation

Figure 8.20: Key aspects from the CISM exam perspective

Practice Question Set 3


1. The primary objective of using a hash function is:

A. To ensure the confidentiality of the message

B. To ensure the integrity of the message

C. To ensure the availability of the message

D. The compression of the message


2. As an information security manager, you have been advised by your consultant to deploy digital signatures for electronic
communication. The primary objective of using a digital signature is:

A. The authentication and integrity of data

B. The authentication and confidentiality of data

C. The confidentiality and integrity of data

D. The authentication and availability of data

3. As an information security manager, you have been advised by your consultant to deploy a digital signature for electronic
communication. A digital signature will help address the risk of:

A. Unauthorized archiving

B. Loss of confidentiality

C. Unauthorized copying

D. Alteration

4. What is the best method to protect the hash value of a message from being compromised?

A. Digital signatures

B. Message encryption

C. Staff training

D. Disabling SSID broadcasts

5. The objective of a digital signature is to provide:

A. Non-repudiation, confidentiality, and integrity

B. Integrity, privacy, and non-repudiation

C. Integrity, authentication, and non-repudiation

D. Confidentiality, privacy, and non-repudiation

6. The primary objective of using digital signatures is to ensure data:

A. Privacy

B. Integrity

C. Availability

D. Confidentiality

7. Which of the following provides the strongest evidence of the occurrence of a specific action?

A. Proof of delivery

B. Non-repudiation

C. Proof of submission

D. Authorization

8. Which of the following is the best way to validate a sender's authenticity?

A. The use of a sender's private key to encrypt the hash value of the message

B. The use of a receiver's public key to encrypt the entire message

C. The use of a sender's public key to encrypt the hash value of the message

D. The use of a receiver's private key to encrypt the entire message

9. As an information security manager of an e-commerce organization, you have been advised by your consultant to validate
customer communication through a digital signature. How is this done?

A. The hash value of the message is transmitted and encrypted with the organization's private key

B. The hash value of the message is transmitted and encrypted with the customer's private key

C. The hash value of the message is transmitted and encrypted with the customer's public key

D. The hash value of the message is transmitted and encrypted with the organization's public key

10. As an information security manager, you have been advised by your consultant to deploy digital signatures. Digital signatures:

A. Help detect spam

B. Provide confidentiality

C. Decrease the workload of gateway servers

D. Increase the available bandwidth

11. The primary difference between hash and encryption is that a hash value:

A. Cannot be reversed

B. Can be reversed

C. Is concerned with integrity and security

D. Creates an output of a bigger length than the original message

12. As an information security manager, you noted that some critical information is sent to third-party vendors through email. You
want to ensure that the recipients of emails (that is, vendors) can authenticate the identity of the senders (that is, employees). This
can best be done by:

A. Employees digitally signing their email messages

B. Employees encrypting their email messages

C. Employees compressing their email messages

D. Password protecting all email messages

13. As an information security manager, you are required to deploy a digital signature to ensure that the sender of the message cannot
deny generating and sending the message. This is known as:

A. Integrity

B. Authentication

C. Non-repudiation

D. Security

14. As an information security manager of an e-commerce organization, which of the following is the best way for you to validate the
occurrence of a transaction?

A. Proof of delivery

B. Authentication

C. Encryption

D. Non-repudiation

15. A sender has sent a message along with an encrypted (by the sender's private key) hash of the message to the receiver. This will
ensure:

A. Authenticity and integrity

B. Authenticity and confidentiality

C. Integrity and privacy

D. Privacy and non-repudiation

16. For the implementation of a digital signature, it is essential that:

A. The signer has the public key of the sender and the receiver has the private key of the sender

B. The signer has the private key of the sender and the receiver has the public key of the sender

C. Both the signer and the receiver possess a public key

D. Both the signer and the receiver possess a private key

17. The primary objective of including a hash value (message digest) in a digital signature is:

A. Ensuring the integrity of the message

B. Defining the encryption algorithm

C. Confirming the identity of the originator

D. Compressing the message

18. The best method to ensure that information transmitted over the internet is genuine and actually transmitted by the known sender
is:

A. By using a steganographic technique

B. By using an encryption technique

C. By using two-factor authentication

D. By using the embedded digital signature


19. What is the most effective way to ensure non-repudiation?

A. Encryption

B. Hashing

C. Symmetric encryption

D. Digital signatures

20. The most effective way to ensure that a data file has not changed is to:

A. Validate the last modified date of the file

B. Encrypt the file

C. Provide role-based access control

D. Create a hash value of the file, then compare the file hashes

Public Key Infrastructure


A public key infrastructure (PKI) is a set of rules and procedures used for the creation,
management, distribution, storage, and use of a digital certificate and public key encryption.

PKI Terminology
CISM aspirants should have a basic understanding of the following terms with respect to PKI:
Digital certificate: A digital certificate is an electronic document that proves the ownership of a public key. A digital certificate
includes details about the key, details about the owner, and a digital signature of its issuer. It is also known as a public
key certificate.

Certificate Authority: A certificate authority (CA) is an entity that is responsible for issuing digital certificates.

Registration Authority: A registration authority (RA) is an entity that verifies user requests for digital signatures and
recommends the CA issue certificates.

Certificate Revocation List: A certificate revocation list (CRL) is a list of digital certificates that have been revoked and
terminated by the CA before their expiry date. These certificates should no longer be trusted.

Certification Practice Statement: A certification practice statement (CPS) is a document that prescribes the practice and
process of issuing and managing digital certificates by the CA. It includes details such as the controls in place, methods for
validating applicants, and how certificates should be used.

PKI: PKI is a set of rules, policies, and procedures for the issuance, maintenance, and revocation of public key certificates.

Processes Involved in PKI

The issuance of a public key certificate involves the following process:

1. The applicant applies to the CA for the issuance of a digital certificate

2. The CA delegates the verification process to the RA

3. The RA verifies the correctness of the information provided by the applicant

4. If the information is correct, the RA recommends that the CA issues the certificate

5. The CA issues the certificate and manages it through its life cycle. The CA also maintains the details of the certificates that have
been terminated or revoked before their expiry date. This list is known as the CRL. The CA also maintains a document known as
the CPS containing the standard operating procedure (SOP) for the issuance and management of certificates.

CA versus RA
The following table presents the differences between CAs and RAs:

CA: A CA is responsible for the issuance and management of digital certificates.
RA: An RA is delegated the function of verifying the correctness of information provided by applicants.

CA: A CA delegates some of the administrative functions, such as the verification of information provided by applicants.
RA: After authentication of information, the RA recommends whether or not the CA should issue the certificate.

CA: A CA authenticates and validates the holder of a certificate after issuance of the certificate.
RA: An RA authenticates information about the applicant before the issuance of a certificate.

Figure 8.21: Differences between CA and RA

Single Point of Failure


The private key of a CA is used to issue the digital certificate to all parties in the PKI. If the private
key of the CA is compromised, it will lead to a single point of failure for the entire PKI because the
integrity of all digital certificates is based on this private key.

Functions of an RA
An RA has the following functions:

To verify and validate the information provided by the applicant.

To ensure that the applicant is in possession of a private key and that it matches the public key requested for a certificate. This is
known as proof of possession (POP).

To distribute physical tokens containing private keys.

To generate shared secret keys during initialization and the certificate pickup phase of the registration.

Key Aspects from the CISM Exam Perspective

The following table covers important aspects from the CISM exam perspective:

Question: What is the authority that manages the life cycle of a digital certificate called?
Answer: Certificate authority

Question: In which document is the procedural aspect of dealing with a compromised private key prescribed?
Answer: Certification practice statement

Question: Contractual requirements between the relying parties and the certificate authority are prescribed in:
Answer: The certification practice statement

Figure 8.22: Key aspects from the CISM exam perspective

Practice Question Set 4


1. The life cycle of a digital certificate is primarily managed by:

A. The registration authority

B. The certificate authority

C. The public key authority

D. The private key authority

2. The registration authority is primarily responsible for:

A. The issuance of digital certificates

B. Managing a certificate throughout its life cycle

C. Documentation and maintenance of certificate practice statements

D. Validating the information of the applicants for a certificate

3. Which of the following authorities manages the life cycle of a digital certificate to ensure the existence of security in digital
signatures?

A. The certificate authority

B. The registration authority


C. The certification practice statement

D. The public key authority

4. A certificate authority can delegate the process of:

A. Certificate issuance

B. Certificate life cycle management

C. Establishing a link between the applicant and their public key

D. Maintenance of a certificate revocation list

5. Which of the following is considered a weakness in a public key infrastructure process?

A. Centralized location of the certificate authority

B. Transactions can be executed from any device

C. The user organization is also the owner of the certificate authority

D. The availability of multiple data centers to manage the certificate

6. Which of the following is the function of the registration authority?

A. Issuance of certificates

B. Validation of information provided by the applicants

C. Signing the certificate to achieve authentication and non-repudiation

D. Maintaining a certificate revocation list

7. The procedural aspects of dealing with a compromised private key are prescribed in:

A. The certificate practice statement

B. The certificate revocation list

C. The certificate disclosure statement

D. The applicant disclosure form

8. Which of the following is a function of a registration authority?

A. To ensure the availability of a secure communication network based on certificates

B. To validate the identity and authenticity of certificate owners

C. To ensure that both communicating parties are digitally certified

D. To host the private keys of subscribers in the public domain

9. In public key infrastructure, a certificate authority is not required:

A. When users are not related to each other

B. When two-factor authentication is used


C. When users attest to each other's identity

D. When role-based access control is used

10. In a public key infrastructure, the contractual relationship between parties is provided in:

A. A certificate revocation list

B. A digital certificate

C. A non-repudiation certificate

D. A certification practice statement

11. What is the role of a certificate authority in public key infrastructure?

A. It supports the accuracy and integrity of the transferred data

B. It prevents the repudiation of transactions

C. It attests to the validity of a user's public key

D. It reduces the cost of data transfer

12. The single point of failure in public key infrastructure (PKI) is:

A. The public key of the certificate authority

B. The private key of the holder of a digital certificate

C. The private key of the certificate authority

D. The public key of the holder of a digital certificate

Cryptography
Cryptography is defined as the art or science of secret writing with the use of techniques such as
encryption. Encryption is the process of converting data into unreadable code so it cannot be
accessed or read by unauthorized people. This unreadable data can again be converted into a readable
form by the process of decryption. Different types of algorithms are available for encryption and
decryption.

Symmetric Encryption vis-à-vis Asymmetric Encryption


Encryption can be of two types, that is, symmetric encryption and asymmetric encryption. The
following table will help you understand the differences between the two:

| Symmetric Encryption | Asymmetric Encryption |
|---|---|
| A single key is used to encrypt and decrypt messages. | Two keys are used: one for encryption and another for decryption. |
| It is known as symmetric encryption because the encryption and decryption keys are the same. | It is known as asymmetric encryption because the encryption and decryption keys are different. |
| | A message encrypted by a private key can only be decrypted by the corresponding public key. |
| | Similarly, a message encrypted by a public key can only be decrypted by the corresponding private key. |
| Faster computation and processing | Slower computation and processing |
| Symmetric encryption is cheaper. | Asymmetric encryption is costlier. |
| A major disadvantage of symmetric encryption is the sharing of the key with another party. | No such challenge is faced in asymmetric encryption, as two separate keys are used. |
| For large key distributors, symmetric encryption is not preferable, as scaling will result in complex distribution and storage problems. | For large key distributors, asymmetric encryption is preferred, as scaling is more convenient. |

Figure 8.23: Symmetric and asymmetric encryption

The following section will dive into the different types of encryption keys.

Encryption Keys
In an asymmetric environment, a total of four keys are available with different functions. The
following table indicates who possesses the different keys:

| Type of Key | Availability |
|---|---|
| Sender's private key | This key is available only to the sender. |
| Sender's public key | This key is available in the public domain. Public keys can be accessed by anyone. |
| Receiver's private key | This key is available only to the receiver. |
| Receiver's public key | This key is available in the public domain. Public keys can be accessed by anyone. |

Figure 8.24: Types of encryption keys and their availability

The Use of Keys for Different Objectives


The preceding keys are used to achieve the following objectives:
Confidentiality

Authentication and non-repudiation

Integrity

Confidentiality
In asymmetric encryption, two keys are used: one for encryption and the other for decryption.
Messages are encrypted by one key and can be decrypted by the other key. These two keys are known
as private and public keys. A private key is available only to the owner of the key and a public key is
available in the public domain.

A message can be encrypted by the following means:


Receiver's public key: If a message is encrypted using the public key of the receiver, then only the receiver can decrypt it as they
are the only one with access to their corresponding private key. This will ensure message confidentiality as only the owner of the
corresponding private key can read the message.

Receiver's private key: The sender will not be in possession of the receiver's private key and hence this option is not feasible.

Sender's public key: If a message is encrypted using the public key of the sender, then it can be decrypted only by using the
corresponding private key of the sender. The receiver will not be in possession of the sender's private key, so this option is not
feasible.

Sender's private key: If a message is encrypted using the private key of the sender, then anyone with the public key can decrypt
it. The public key is available in the public domain and hence anyone can decrypt the message. This will not ensure the
confidentiality of the message.

Hence, for message confidentiality, the receiver's public key is used to encrypt the message and the
receiver's private key is used to decrypt the message.
Authentication
Authentication is ensured by verifying and validating some unique features of the sender. Generally,
you validate a document by verifying the signature of the sender. This signature is unique for
everyone. Similarly, for digital transactions, a private key is unique for each owner. Only the owner is
in possession of their unique private key. Each private key has a corresponding public key. A third
person can authenticate the identity of the owner with the use of this public key. When the objective
is to authenticate the sender of the message, the sender's private key is used to encrypt the hash value
of the message. The receiver then tries to decrypt it with the sender's public key and if it is
successfully decrypted, it indicates that the message is genuine, and the sender is authenticated.

Hence, for the authentication of a message, the sender's private key is used to encrypt the message
and the sender's public key is used to decrypt the message.
Non-Repudiation
Non-repudiation refers to a situation wherein a sender cannot take back their responsibility for a
digital message or transaction. Non-repudiation is established once the sender is authenticated.
Hence, for non-repudiation, the same concept of authentication will apply.

For the non-repudiation of a message, a sender's private key is used to encrypt the message and the
sender's corresponding public key is used to decrypt the message.
Integrity
Integrity refers to the correctness, completeness, and accuracy of the message/data. To achieve
integrity, the following steps are followed:
1. A sender creates a hash value of the message.

2. This hash value is encrypted using the sender's private key.

3. The message along with the encrypted hash value is sent to the receiver.

4. The receiver will do two things. First, they will decrypt the hash value using the sender's public key, and second, they will again
calculate the hash value of the message received.

5. The receiver will then compare both the hash values, and if both hash values are the same, the message is considered as correct,
complete, and accurate.
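The key-selection rules above (receiver's public key for confidentiality; sender's private key over a hash for integrity, authentication, and non-repudiation) and the RA's proof-of-possession check from the earlier "Functions of an RA" list can be shown in one worked example. The following is an added example, not code from the book: it uses textbook RSA on fixed Mersenne primes so that it runs with the Python standard library alone, and the party names, key values, and message text are constructed for illustration. Production systems use padded schemes (RSA-OAEP for encryption, RSA-PSS for signatures) or hybrid encryption rather than raw RSA.

```python
"""Asymmetric key usage as described in the text: the receiver's public key for
confidentiality, the sender's private key over a hash for integrity,
authentication and non-repudiation, and the same signing primitive used by an
RA to check proof of possession (POP) before recommending issuance.

Added example, not the book's code.  Textbook RSA on fixed Mersenne primes so
it runs with the standard library alone; never use raw RSA in production.
"""
import hashlib
from typing import NamedTuple


class KeyPair(NamedTuple):
    n: int  # modulus, shared by the public and private key
    e: int  # public exponent (public key = n, e)
    d: int  # private exponent, known only to the key owner


def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Textbook RSA key generation from two primes (constructed, not random)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return KeyPair(n, e, pow(e, -1, phi))  # modular inverse, Python 3.8+


def public_part(key: KeyPair) -> KeyPair:
    """What the owner publishes: the private exponent is blanked out."""
    return KeyPair(key.n, key.e, 0)


# Constructed key material (Mersenne primes 2^k - 1), one pair per party.
SENDER = make_keypair(2**521 - 1, 2**127 - 1)
RECEIVER = make_keypair(2**607 - 1, 2**89 - 1)


def _hash_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


# Confidentiality: encrypt with the receiver's public key, decrypt with the
# receiver's private key.  Nobody else holds that private key.
def encrypt_for(receiver_pub: KeyPair, message: bytes) -> int:
    m = int.from_bytes(message, "big")
    if m >= receiver_pub.n:
        raise ValueError("message too long for raw RSA; use hybrid encryption")
    return pow(m, receiver_pub.e, receiver_pub.n)


def decrypt_with(receiver: KeyPair, ciphertext: int) -> bytes:
    m = pow(ciphertext, receiver.d, receiver.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Integrity, authentication and non-repudiation (steps 1-5 in the text): the
# sender "encrypts" the hash with the private key; the receiver "decrypts" it
# with the sender's public key and compares it with a freshly computed hash.
def sign(sender: KeyPair, message: bytes) -> int:
    return pow(_hash_int(message), sender.d, sender.n)


def verify(sender_pub: KeyPair, message: bytes, signature: int) -> bool:
    recovered = pow(signature, sender_pub.e, sender_pub.n)
    return recovered == _hash_int(message)


def send(sender: KeyPair, receiver_pub: KeyPair, message: bytes) -> tuple:
    """Confidentiality plus authentication: sign the hash, encrypt the full message."""
    return encrypt_for(receiver_pub, message), sign(sender, message)


def receive(receiver: KeyPair, sender_pub: KeyPair, ciphertext: int, signature: int) -> tuple:
    """Returns (plaintext, authentic).  authentic is False if the message was
    altered in transit or signed by someone other than the claimed sender."""
    plaintext = decrypt_with(receiver, ciphertext)
    return plaintext, verify(sender_pub, plaintext, signature)


# RA proof of possession: the applicant signs the certificate request with the
# private key matching the public key in the request; the RA verifies it with
# that public key before recommending issuance to the CA.
def ra_check_pop(request: bytes, applicant_pub: KeyPair, pop_signature: int) -> bool:
    return verify(applicant_pub, request, pop_signature)


if __name__ == "__main__":
    ct, sig = send(SENDER, public_part(RECEIVER), b"Transfer 100 to account 42")
    print(receive(RECEIVER, public_part(SENDER), ct, sig))
    req = b"CN=sender.example; key=" + str(SENDER.n).encode()
    print("POP ok:", ra_check_pop(req, public_part(SENDER), sign(SENDER, req)))
```

Note that `send` signs the hash of the plaintext and returns the signature in the clear alongside the ciphertext; only the holder of the receiver's private key can recover the message, and only the holder of the sender's private key could have produced a signature that verifies, which is what gives non-repudiation its force.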

The following table will help you understand the use of different keys to achieve each of the
preceding objectives:

| Objective | Use of Keys | What to Encrypt |
|---|---|---|
| Confidentiality | Receiver's public key | Full message |
| Authentication/non-repudiation | Sender's private key | Hash value of the message |
| Integrity | Sender's private key | Hash value of the message |
| Confidentiality and authentication/non-repudiation | For confidentiality: the receiver's public key; for authentication (non-repudiation): the sender's private key | Full message (receiver's public key); hash value of the message (sender's private key) |
| Confidentiality, integrity, and authentication/non-repudiation | For confidentiality: the receiver's public key; for integrity, authentication, and non-repudiation: the sender's private key | Full message (receiver's public key); hash value of the message (sender's private key) |

Figure 8.25: The use of keys as per the objectives

Key Aspects from the CISM Exam Perspective


The following are some of the key aspects from the CISM exam perspective:

| Question | Possible Answer |
|---|---|
| In asymmetric encryption, message confidentiality can be ensured by: | The use of the receiver's public key for encryption and the use of the receiver's private key for decryption |
| In asymmetric encryption, message authentication can be ensured by: | The use of the sender's private key to encrypt the message or hash value and the use of the sender's public key to decrypt the message or the hash value |
| In asymmetric encryption, message non-repudiation can be ensured by: | The use of the sender's private key to encrypt the message or hash value and the use of the sender's public key to decrypt the message or the hash value |
| In asymmetric encryption, message integrity can be ensured by: | The use of the sender's private key to encrypt the hash value and the use of the sender's public key to decrypt the hash value |
| What is the most effective security measure to protect data held on mobile computing devices? | Encryption of stored data |
| What is most effective for protecting Wi-Fi (wireless) networks as a point of entry into an enterprise network? | Strong encryption |

Figure 8.26: Key aspects from the CISM exam perspective

Practice Question Set 5


1. As an information security manager, you are required to secure customer communication in an e-commerce application. What
would your best choice be?

A. Data encryption

B. Multiple authentications

C. Digital signature

D. Maximum password age

2. What is the most commonly used protocol to safeguard the confidentiality of data transmitted in an e-commerce application?

A. A secure socket layer

B. A dynamic host control protocol

C. A secure shell

D. A telnet

3. What is the most effective method to protect the data on a mobile computing device?

A. To conduct data integrity checks


B. To encrypt the data stored on the mobile

C. To enable a locked screen

D. To enable biometric access control

4. For a large number of key distributions, asymmetric encryption is preferred over symmetric encryption because:

A. Computation is more efficient in public key encryption

B. Scaling is more convenient in public key encryption

C. Maintenance costs are less in public key encryption

D. Public key encryption provides greater encryption

5. Which of the following has the greatest risk of an internal attack on a network?

A. No minimum timeframe defined for password expiry

B. Security training not being given in a structured manner

C. User passwords not being encrypted

D. All PCs are placed in a single subnet

6. What is the most effective method to prevent a database administrator (DBA) from reading sensitive data from the database?

A. Capturing the log for database access

B. Implementing application-level encryption

C. Implementing a data leakage prevention (DLP) solution

D. Providing security awareness training to the database administrator

7. In public key infrastructure, the public key of the other party is required to:

A. Authorize the user

B. Create the digital signature

C. Authenticate the sender

D. Compress the file

8. What is the best way to secure a wireless network as a point of entry into an organization's network?

A. An intrusion detection system

B. Strong encryption

C. Two-factor authentication

D. A packet filtering router

9. The best control to secure data on a USB is:

A. Authentication-based access
B. Read-only data in the USB device

C. Encrypting the USB device

D. Restricted use of the USB device

Penetration Testing
In penetration testing, a tester deploys the same tools, techniques, and methods that hackers use to
obtain unauthorized access to systems and networks. Penetration testing helps the organization
determine its security environment. Gaps and vulnerabilities identified by penetration testing are
evaluated and remediated to improve the security posture of the organization. It aids in the
identification of any risks to the information systems' confidentiality, integrity, and availability. Only
a qualified and experienced professional should conduct penetration testing.

Aspects to be Covered within the Scope of Penetration Testing
From a risk perspective, the following aspects need to be covered within the scope of penetration
testing:
The scope should contain the exact details of the IP address to be tested.

The scope should include the testing technique to be deployed (SQL injection, DoS/DDoS, social engineering, and so forth).

The scope should include the date and time of the attack (either during business hours or after business hours).

It is the penetration tester's responsibility to give adequate warning before the test in order to avoid false alarms being raised with
law enforcement agencies.

Types of Penetration Tests


The following are examples of penetration tests that can be used to evaluate the security environment
of an organization.
External Testing
In external testing, a penetration attack is performed on the target network from an external network,
that is, mostly from the internet.
Internal Testing
In internal testing, an attack is conducted on the target from within the perimeter. This is done to
determine the security risk if an intruder happens to be within the organization.
Blind Testing
In blind penetration testing, the tester is not provided with any information or details about the
network. Here, the tester is regarded as blind as they do not have any knowledge of the target
environment. Such a test is expensive because detailed analysis, study, and research are required for
the attack.
Double-Blind Testing
Double-blind testing is the extended version of blind testing where even the administrator and other
information security staff of the target entity are not aware of the test. Both the tester and security
team are blind as no one is aware of the test details. It simulates a real kind of attack. Double-blind
testing helps to determine the incident handling and response capability of the target organization.
Targeted Testing
In targeted testing, an organization's IT team, as well as the penetration tester, is aware of the testing
scenario. A penetration tester is aware of the target details and their network structure.

White Box Testing and Black Box Testing


A CISM aspirant should understand the difference between white box penetration tests and black box
penetration tests. In white box penetration testing, the relevant details of the infrastructure are made
available to the tester in advance. They need not spend time gathering information. This helps the
tester concentrate on exploitation.

In a black box approach, no information is provided about the infrastructure to the tester. This
simulates an actual hacking attempt.

Risks Associated with Penetration Testing


The following are some of the risks associated with penetration testing:
A penetration attempt by an unqualified auditor may have an adverse impact on the target's system.

Sensitive information relating to the target environment gathered during penetration testing can be misused by the tester.

Inappropriate planning and timing of the attack may cause the system to fail.

This is a simulation of a real attack and may be restricted by law or regulations. Such attacks without appropriate approvals may
have adverse impacts.

Key Aspects from the CISM Exam Perspective


The following are some of the key aspects from the CISM exam perspective:
| Question | Possible Answer |
|---|---|
| What is the main objective of performing a penetration test? | To identify weaknesses in the network and server security of an organization |
| What are the most important actions prior to contracting a third party to perform a penetration test against an organization? | To ensure that the goals and objectives are clearly defined; to ensure that the rules of engagement are clearly defined |
| What is the advantage of a white box penetration approach? | More time is spent on exploitation rather than discovery and information gathering |
| What is the most effective method to determine that a network is adequately secured against an external attack? | To perform periodic penetration testing |
| What is the primary area of interest for a penetration tester when conducting a penetration test? | Network mapping (i.e., determining which network is used for different applications, databases, and other devices) |

Figure 8.27: Key aspects from the CISM exam perspective

Practice Question Set 6


1. What is the most effective method to assess the aggregate risk of linked vulnerabilities?

A. System audits

B. Penetration tests

C. Auditing of the code

D. Vulnerability analysis

2. The main objective of conducting a penetration test is to:

A. Determine weaknesses in the network and server security

B. Determine improvements in the incident management procedure

C. Determine the capability of threat vectors to compromise systems or data

D. Determine the strength of the security team


3. The prime reason for getting a penetration test conducted by an external company is:

A. To adhere to the security budget

B. To provide training to internal users

C. To get an independent view of security exposures

D. To determine a complete list of vulnerabilities

4. The most important aspect when appointing a penetration tester is:

A. To ensure that a demonstration has been obtained on a test system

B. To ensure that goals and objectives are clearly defined

C. To instruct the security monitoring staff to prepare for the test

D. To instruct the IT staff to prepare for the test

5. The most important aspect when appointing a penetration tester is:

A. Asking for the tools to be used in testing

B. Instructing IT staff to prepare for the test

C. Instructing security monitoring staff to prepare for the test

D. Establishing clear rules of engagement

6. The most important requirement before conducting a black box penetration test is:

A. A clear scope of the test

B. A documented incident response plan

C. A recommendation from the internal audit team

D. Proper communication with the incident management team

7. What is the advantage of a white box penetration testing scenario, where information about the infrastructure to be tested is
provided to the tester in advance?

A. More time is spent on exploitation rather than discovery and information gathering.

B. Helps to simulate actual hacking

C. Test can be conducted with less cost

D. No need to use penetration testing tools

8. Ethical hacking is generally used:

A. For testing an alternate processing site

B. As an alternative to substantive testing

C. For control assessments of legacy applications

D. To determine the requirement for cyber insurance


9. What is the most effective method to ensure that an organizational network is adequately secured against an external attack?

A. Implementing an intrusion detection system

B. Implementing a security baseline

C. Changing the vendor default settings

D. Conducting periodic penetration testing

10. The area of primary interest for a penetration tester is:

A. The nature of data

B. Network mapping

C. Data analytics

D. An intrusion detection system

Summary
In this chapter, you learned about information security monitoring tools and techniques, such as
firewall implementation and various types of IDSs and IPSs. This chapter will help the CISM
candidate understand the important methods, tools, and techniques used to develop an effective and
robust security program. You also explored digital signatures and encryption technology from an
information security perspective.

The next chapter will provide an overview of incident management procedures.

Revision Questions
1. A disadvantage of emailing a password-protected ZIP file is that:

A. It does not use strong encryption

B. The firewall administrator can read the file

C. It may be quarantined by the firewall or mail filters

D. It utilizes a high network bandwidth

2. An area of primary concern for a security manager reviewing a firewall configuration is:

A. The firewall allows source routing

B. The firewall server is standalone

C. The firewall rules are reviewed on an ad hoc basis

D. The firewall allows unregistered ports

3. What is the best method to prevent external individuals from accessing and modifying a critical database of the organization?
A. A screened subnet

B. An acceptable usage policy

C. Role-based access control

D. An intrusion detection system

4. A device that can normally be placed in a DMZ is:

A. A financial database

B. A web server

C. An operational database

D. A print server

5. Generally, an intranet is placed:

A. On the internal network

B. Outside the firewall

C. In a demilitarized zone

D. On an external router

6. An area of major concern when there is an excessive number of firewall rules is:

A. One rule may conflict with another rule and create a loophole

B. High expenditure for maintaining the rules

C. It may impact network performance

D. A firewall may not be able to support excessive rules

7. What is the main disadvantage of a signature-based intrusion detection system?

A. High instances of false alarms

B. Inability to detect new attack methods

C. High cost of maintenance

D. Use of high network bandwidth

8. What is the most effective method to determine the proper deployment of an intrusion detection system?

A. Simulating various attack scenarios and reviewing the performance of the intrusion detection system

B. Deploying a honeypot to determine abnormal activity

C. Reviewing the configuration of the intrusion detection system

D. Comparing the intrusion detection system rules with the industry benchmark

9. The main objective of deploying an intrusion detection system is:


A. To comply with the information security policy

B. To comply with regulatory requirements

C. To determine patterns of suspicious activity

D. To identify attacks on the internal network

10. Which of the following is very important to ensure that an intrusion detection system is able to view all the traffic in a
demilitarized zone?

A. Placing the intrusion detection system before the firewall

B. Ensuring that all the end devices are connected to the intrusion detection system

C. Ensuring the encrypted traffic is decrypted prior to being processed by the intrusion detection system

D. Ensuring appropriate network bandwidth

11. What is the most effective way to detect an intruder who successfully penetrates a network?

A. Perform periodic audits

B. Perform periodic penetration testing

C. Establish vendor-provided default settings

D. Install a honeypot on the network

12. A denial or distributed denial of service (DDoS) attack is mitigated by:

A. Signature-based detection

B. An external router

C. An antivirus software

D. Anomaly-based detection

13. The most effective way to lure hackers to get their information without exposing the information assets is:

A. To set up a firewall

B. To set up a proxy

C. To set up decoy files

D. To set up a router

14. What will happen if an intrusion detection system (IDS) is set with a low threshold value to determine an attack?

A. An increase in the number of false positives

B. An increase in the number of false negatives

C. Logs will not be captured

D. Active monitoring will be ignored


15. What is the most effective method of validating the password entered by a user?

A. Packet filtering

B. Encryption

C. System hardening

D. Hashing

YOUR UNIQUE SIGN-UP CODE


Your unique sign-up code to unlock the online content is 456yt65. The sign-up link is http://packt.link/cismsignup.
9

Incident Management Readiness


This chapter provides an overview of information security incident management and the advantages
of a structured and effective incident management process. CISM aspirants will be able to gain an
understanding of the different aspects of incident management.

The following topics will be covered in this chapter:


Incident Management and Incident Response Overview

Incident Management and Incident Response Plans

Business Impact Analysis

Business Continuity Plans and Disaster Recovery Plans

Insurance

Incident Classification/Categorization

Testing Incident Response, BCP, and DRP

Incident Management and Incident Response Overview


Figure 9.1: Incident management

Incident management is defined as the process of handling disruptive events in a structured manner to
minimize their impact on business processes. In most organizations, the responsibility for developing
and testing incident management lies with the information security manager.

The Relationship between Incident Management and Incident Response
An information security manager needs to understand the difference between incident management
and incident response. Incident management encompasses the entire process of managing any
incident, which includes planning, testing, communicating, documenting, reviewing, approving, and
allocating different tasks for the successful management of the incident.

Incident response includes only those activities that are performed when responding to an incident
and focuses on the identification, triage, containment, eradication, and recovery actions taken to
resume normal, planned operations.

Thus, incident management includes all processes, practices, and activities before, during, and after
an event. On the other hand, incident response only includes those activities carried out when an
organization declares an incident.

The Objectives of Incident Management


Security managers need to understand the following objectives of incident management:
Early detection of the incident

Accurate investigation of the incident

Containment and minimization of damage

Early restoration of services

Determination of the root cause and addressing it to prevent reoccurrence

All the preceding activities ultimately lead to minimizing the impact of the incident on
the organization.

Phases of the Incident Management Life Cycle


It is very important to have a structured and well-defined process to manage incidents. The following
life cycle phases are recommended for the effective management of incidents:
Phase 1 – Planning and Preparation
This phase involves preparing the incident management policy, assigning roles and responsibilities,
developing communication channels, creating user awareness, and developing systems and
procedures to manage incidents.

An incident response plan is a very important document that includes the step-by-step process to be
followed along with the assigned roles and responsibilities. An incident response plan helps the
security manager handle incidents.
Phase 2 – Detection, Triage, and Investigation
This phase concerns detection techniques and processes such as the implementation of an intrusion
detection system (IDS), an intrusion prevention system (IPS), and security incident and event
management (SIEM) tools. Timely detection is of utmost importance for effective incident
management. It is very important for a security manager to verify and validate the incident before any
containment action is taken.

Triage refers to the process of deciding the order of treatment on the basis of urgency. It is very
important to prioritize an incident based on its possible impact. Quickly ranking the severity criteria
of an incident is a key element of incident response. To determine the severity of an incident, it is
recommended to consult the business process owner of the affected operations.
Phase 3 – Containment and Recovery
This phase involves executing the containment process for the identified incident. Containment refers
to the process of taking action to prevent the expansion of the incident. Incident response procedures
primarily focus on containing the incident and minimizing damage. For example, when a virus is
identified in a computer, the first action should be to contain the risk by disconnecting the computer
from the network so it does not impact other computers.

After successful containment, forensic analysis is performed, ensuring a proper chain of custody.
Chain of custody is a legal term that refers to the proper handling of evidence to ensure its integrity.
In cases of major incidents, the recovery procedure should be executed in accordance with the
business continuity and disaster recovery plans.
Phase 4 – Post-Incident Review
This phase helps to evaluate the cause and impact of the incident. It also helps to understand the
loopholes in processes and provides the opportunity for improvement based on the lessons learned.
Phase 5 – Incident Closure
This phase evaluates the effectiveness of the incident management process. A final report is
submitted to the management and other stakeholders.

In the next topic, we will discuss the relationship between incident management, business continuity,
and disaster recovery.

Incident Management, Business Continuity, and Disaster Recovery
Security managers should understand the relationship between incident management, business
continuity, and disaster recovery. The incident management process is generally the first step when an
adverse incident is identified. The goal of an incident management process is to prevent an incident
from becoming a disaster. Incidents vary in nature, extent, and impact.

Minor incidents can be effectively handled by the incident management process. However, there can
be incidents that lead to major business disruptions and in such cases, organizations need to activate
their business continuity plan (BCP) and/or disaster recovery plan (DRP) processes.
Responsibility for declaring a disaster should be entrusted to an individual at a senior level who has
enough experience to determine the likely impact of an incident on business processes. The
responsibility for declaring a disaster should be determined when the incident response plan is
established. Business continuity and disaster recovery processes involve the activation of alternative
recovery sites.

Incident Management and the Service Delivery Objective
The service delivery objective (SDO) is the level of service required to be maintained during
disruption. For example, during the course of normal operation, an organization provides services to
100 clients. This same organization wants to provide continuous service to its top 20 clients even
during business disruptions. In this case, the SDO is to still serve the top 20 clients. The SDO should
be sufficient to sustain the credibility of the organization.

The primary focus of the incident response process is to ensure that the defined SDO is achieved. The
acceptability of partial system recovery after a security incident is most likely based on the SDO. The
SDO also has a direct impact on the level and extent to which data restoration is required.

Maximum Tolerable Outage (MTO) and Allowable Interruption Window (AIW)
The maximum tolerable outage (MTO) is the maximum period of time that an organization can
operate from an alternative site. Various factors affect the MTO such as location availability, resource
availability, raw material availability, and electric power availability at the alternative site, among
other constraints. The RTO is determined on the basis of the maximum tolerable outage.

For example, a disaster occurred on January 1 and from January 2 onward, services were made
available to 20% of the clients (that is the SDO) from an alternative site. However, the organization
can only operate from the alternative site for 2 months due to location-based constraints. These 2
months are considered the MTO.
The allowable interruption window (AIW) is the maximum period of time for which normal
operations of the organization can be down. After this point, the organization will start to face major
financial difficulties that might threaten its existence. Continuing with the preceding example, if
within 2 months of disaster the main site is not made operational, the organization will not be able to
sustain operations due to financial scarcity. This indicates that the organization only has the financial
capability to operate at a reduced capacity for 2 months. These 2 months are considered the AIW.

Security managers should try to ensure that the MTO is equal to, or higher than, the AIW. Generally,
the MTO should be as long as the AIW to minimize the risk to the organization. That means the
arrangements for an alternative site should be made to last at least until the time the organization has
returned to financial stability.

Key Aspects from the CISM Exam Perspective


Following are some of the key aspects from the exam perspective:

Question: When is the best time to determine who is responsible for declaring a disaster?
Possible answer: At the time of preparing the incident response plan

Question: What is the objective of containment?
Possible answer: To reduce the impact of the incident

Question: What should be the highest priority when designing an incident response plan?
Possible answer: Safety of human life

Question: What is the primary objective of incident response?
Possible answer: To minimize the business impact (incident response procedures primarily focus on containing the incident and minimizing damage)

Question: Who can best determine the severity of an incident?
Possible answer: The business process owners of the affected operational areas

Question: The acceptability of partial system recovery after a security incident is most likely based on what?
Possible answer: The service delivery objective

Question: What is an MTO?
Possible answer: The maximum tolerable outage is the maximum period of time that an organization can operate from an alternative site due to resource constraints.

Question: What is an AIW?
Possible answer: The allowable interruption window is the maximum period of time for which normal operations of the organization can be down. After this point, the organization will start facing major financial difficulties that threaten its existence.

Question: What should the relationship between the MTO and the AIW be?
Possible answer: The MTO should be equal to, or longer than, the AIW. Generally, the MTO should be as long as the AIW to minimize the risk to the organization.

Question: On what basis is the prioritization of incident response determined?
Possible answer: Based on a business impact analysis

Figure 9.2: Key aspects from the CISM exam perspective

NOTE
The answers and explanations for all practice and revision questions for this chapter can be found via this link.

Practice Question Set 1


1. As a newly appointed information security manager, you are required to prepare a plan that can support the organization in
handling a security breach. Which of the following plans will help you?

A. A change management plan

B. A business continuity plan

C. An incident response plan

D. A disaster recovery plan


2. As an information security manager, you have been informed about a fire in the facility. What should your immediate course of
action be?

A. To check the facility access logs

B. To call a meeting for an emergency response team

C. To activate the business continuity plan

D. To activate alternative site operations

3. As an information security manager, you are required to address the risk of network denial of service (DoS) attacks. What is the
most effective way to address this?

A. Regular updating of operating system patches

B. Installing a packet filtering firewall to drop suspicious packets

C. Employing network address translation (NAT) to make internal addresses non-routable

D. Employing load-balancing devices

4. As an information security manager, you have been informed about a stolen laptop. What should your first course of action be?

A. To determine the impact of the information loss

B. To remove the stolen laptop from the inventory list

C. To ensure compliance with reporting procedures

D. To remove access from the user immediately

5. The person responsible for declaring a disaster should be established:

A. At the time the disaster recovery plan is established

B. After the incident is confirmed by the security team

C. After the incident management plan has been tested

D. After the incident management plan is approved

6. Apart from backup data, an offsite location should also store:

A. The contact details of any key suppliers

B. Copies of the business continuity plan

C. Copies of key service-level agreements

D. Contact details of key employees

7. When an incident is reported, what should the security manager's first priority be?

A. Investigation

B. Documentation

C. Restoration

D. Containment

8. Which of the following is the area of most concern for a security manager?

A. Logs are not captured for the production server

B. Access rights of a terminated employee are not revoked

C. An increase in incident reporting with respect to phishing emails

D. The installation of a Trojan horse on a system administrator's computer

9. Which of the following is the area of most concern for a security manager?

A. Anti-malware software is updated on a daily basis

B. Security logs are reviewed after office hours

C. It takes 24 hours to update patches after their release

D. It takes 6 days to investigate security incidents

10. Solving incidents quickly can:

A. Always give positive results

B. Often clash with effective problem management

C. Increase the attrition rate of the security team

D. Support forensic investigation

11. A security manager notes that a network attack is in progress. What should their first course of action be?

A. Disconnecting all network access points

B. Analyzing the event logs

C. Isolating the impacted network

D. Monitoring the attack to trace the perpetrator

12. An emergency response plan should primarily concentrate on:

A. Protection of sensitive data

B. Protection of infrastructure

C. Safety of personnel

D. Activation of recovery sites

13. The most important aspect of an incident response policy is:

A. The details of key suppliers

B. The escalation criteria

C. The communication process
D. The backup requirements

14. A security manager notes a security incident. What should their next course of action be?

A. To inform senior management

B. To determine the impact of the compromise

C. To report the incident to the stakeholders

D. To investigate the root cause of the security breach

15. A security manager notes that a computer has been infected with a virus. What should their first course of action be?

A. Determining the source of the virus infection

B. Scanning the entire network to determine whether another device has also been infected

C. Disconnecting the computer from the network

D. Formatting the hard disk

16. What is the main objective of incident response?

A. To provide the status of the incident to senior management

B. To evaluate the evidence

C. To minimize business disruptions

D. To support authorities in their investigation

17. A security manager notes that an email server has been compromised at the administrative level. What is the best way to make the
system secure?

A. To change the system's administrative password

B. To configure two-factor authentication

C. To rebuild the system from the original media

D. To isolate the server from the network

18. A business continuity program is primarily based on:

A. The cost of building an offsite recovery site

B. The cost of the unavailability of the system

C. The cost of the incident response team

D. The cost of the disaster recovery team

19. Which of the following documents is most important to include in a computer incident response team manual?

A. The results of the risk analysis

B. Incident severity criteria
C. The details of key suppliers

D. A call tree directory

20. A security manager notes that a server is infected with a virus. What is the most important action?

A. Immediately isolating the server from the network

B. Determining the possible impact of the infection

C. Determining the source of virus entry

D. Determining the security loophole in the firewall

Incident Management and Incident Response Plans


An Incident Response Plan (IRP) is one of the most important components of incident
management. An IRP determines the activities to be carried out in the event of an incident. It includes
different processes for handling the incident along with the assigned roles and responsibilities of staff
to manage the incident.

Elements of the IRP


A security manager should understand the following stages for the development of an IRP.
Preparation
The detailed preparation of an IRP helps in smooth execution. The following activities are carried out
in the preparation phase:
Defining processes to handle incidents

Developing the criteria for deciding the severity of incidents

Developing a communication plan for stakeholders

Developing processes to activate the incident management team

Identification and Triage


In this phase, the emphasis is on identification and a detailed analysis of the incident. The following
activities are carried out in the identification phase:
Determining whether the reported incident is valid

Assigning the incident to a team member

Detailed analysis of the incident

Determining the severity of the incident and following the escalation process

Triage refers to deciding the order of treatment on the basis of urgency. It is very important to
prioritize the incident based on its possible impact. Quickly ranking the severity criteria of an
incident is a key element of incident response. To determine the severity of the incident, it is
recommended to consult the business process owner of the affected operations.

Triage provides a snapshot of the current status of all incidents reported. This allows resources to be
assigned in accordance with criticality.
Containment
In this phase, the incident management team coordinates with the business process owner for a
detailed assessment and to contain the impact of the incident. The following activities are carried out:
Coordination with the relevant business process owner

Deciding on the best course of action to limit the exposure

Coordination with the IT team and other relevant stakeholders to implement the containment procedure

Eradication
After containment, the next phase of action is to determine the root cause of the incident and
eradicate it. The dictionary definition of eradication is the complete destruction of something. To
ensure complete destruction (meaning it will not reoccur), determining the root cause of the incident
and addressing it is of utmost importance. Hence, the incident response team addresses the root cause
during the eradication process. The following activities are carried out in this phase:
Determining the root cause of the incident

Addressing the root cause

Improving defenses by implementing further controls

In the event of a virus infection, the existing viruses are eradicated, and further antivirus systems are implemented to prevent
reoccurrence

An organization should have a defined and structured method for root cause analysis. Ad hoc
processes may lead to ineffective solutions.

The objective of root cause analysis is to eliminate the cause of reoccurring incidents.
Figure 9.3: Root cause analysis

Recovery
In this phase, an attempt is made to restore the system to a degree specified in the SDO or the BCP.
This phase should be completed as per the defined RTO. The following activities are carried out in
this phase:
Restoring the systems as defined in the SDO

Testing the system in coordination with the system owner

Lessons Learned
In this last phase, the lessons learned are documented, including details of what happened, the actions
initiated, what went wrong, what happened correctly, and areas for further improvement. The report
should be submitted to senior management and other stakeholders.

Gap Analysis
A gap analysis is the most effective way to determine the gap between current incident management
capabilities and the desired level. Once gaps are identified, the security manager can work to address
them and improve the incident management processes. A gap analysis report is used to determine the
steps needed for improvement.

Business Impact Analysis


A business impact analysis (BIA) is conducted to determine the business impact due to potential
incidents. A BIA is done for all identified potential incidents. The following are the key elements of a
BIA:
Analysis of business losses due to processes or assets not being available

Establishing the escalation criteria for prolonged incidents

Prioritization of processes or assets for recovery

The objective of a BIA is to understand what impact an incident could have on the business and what
processes or assets (that might be affected by that incident) are critical to the organization.
Participation from the business process owner, senior management, IT, risk management, and end
users is required for an effective BIA.

The identification of critical processes, systems, and other resources is one of the most important
aspects of a BIA.

Figure 9.4: Business Impact Analysis

Goals of a BIA
Following are some of the primary goals of a BIA:
To identify and prioritize critical business unit processes, the impact of an incident must be evaluated. The higher the impact, the
higher the priority.

A BIA is also used to estimate the maximum tolerable downtime (MTD) or MTO for the business. This helps to design the
recovery strategy.

It also determines the longest period of unavailability of critical systems, processes, or assets before the organization starts facing
a financial crisis, that is, the AIW.

A BIA helps to allocate resources as per the criticality of processes.

Steps of a BIA
The following are the steps for conducting a BIA:
1. Identify the critical processes and assets of the organization.

2. Identify the dependencies of the above identified critical processes and assets.

3. Determine the possible disruptions that could impact the critical processes or their dependencies.

4. Develop a strategy to restore the processes and assets in the event of a disruption.

5. Document the assessment results and create a report for the business process owners and senior management.

Escalation Process
An IRP should contain a structured process of escalation for various categories of incidents. The
objective of the escalation process is to highlight the issue to the appropriate authority in accordance
with the risk perceived and the expected impact of the incident. For example, minor issues can be
escalated to the manager, major issues can be escalated to the senior manager, and so on. A risk and
impact analysis will be the basis for determining what authority levels are needed to respond to
particular incidents.

An escalation process should also state how long a team member should wait for an incident response
and what to do if no such response occurs. For each type of possible incident, a list of actions should
be documented. Roles and responsibilities should be defined for each action.

An IRP should also contain the names of the officials who are authorized to activate the BCP and
DRP in the event of a major disruption.

A security manager should determine the escalation process in coordination with business
management and it should be approved by senior management.
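The triage snapshot and the timed escalation process described above, as an added Python example that is not from the book or any particular product. The escalation ladder, wait times, impact ratings and sample incidents are all constructed for illustration; a real IRP takes them from its own risk and impact analysis.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Severity order used by the triage snapshot (higher rank is handled first).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Escalation ladder per severity: (authority level, minutes to wait for a
# response before moving up one rung). Constructed values, not from the book.
ESCALATION_LADDER = {
    "low": [("team member", 240), ("manager", 480)],
    "medium": [("manager", 60), ("senior manager", 120)],
    "high": [("senior manager", 15), ("CISO", 30)],
    "critical": [("CISO", 5), ("executive management", 10)],
}


def classify_severity(impact_rating: int, affects_critical_process: bool) -> str:
    """Map the business process owner's 1..5 impact rating to a severity.

    An incident that touches a critical business process is raised one step.
    """
    if not 1 <= impact_rating <= 5:
        raise ValueError("impact rating must be between 1 and 5")
    levels = ["low", "low", "medium", "high", "critical"]
    idx = impact_rating - 1 + (1 if affects_critical_process else 0)
    return levels[min(idx, len(levels) - 1)]


@dataclass
class Incident:
    incident_id: str
    reported_at: datetime
    impact_rating: int
    affects_critical_process: bool = False
    acknowledged: bool = False
    rung: int = 0  # current position on this severity's ladder
    severity: str = field(init=False, default="")
    last_escalated_at: Optional[datetime] = field(init=False, default=None)
    history: List[str] = field(init=False, default_factory=list)

    def __post_init__(self) -> None:
        self.severity = classify_severity(self.impact_rating, self.affects_critical_process)
        self.last_escalated_at = self.reported_at
        self.history.append(f"{self.reported_at:%H:%M} routed to {self.current_authority()}")

    def current_authority(self) -> str:
        return ESCALATION_LADDER[self.severity][self.rung][0]


def check_escalation(incident: Incident, now: datetime) -> Optional[str]:
    """Escalate one rung when the wait for the current authority has expired.

    Returns the new authority, "overdue" when even the top rung has not
    responded (the plan must say what happens then), or None if nothing is due.
    """
    if incident.acknowledged:
        return None
    wait = timedelta(minutes=ESCALATION_LADDER[incident.severity][incident.rung][1])
    if now - incident.last_escalated_at < wait:
        return None
    if incident.rung + 1 >= len(ESCALATION_LADDER[incident.severity]):
        incident.history.append(f"{now:%H:%M} no response from {incident.current_authority()}")
        return "overdue"
    incident.rung += 1
    incident.last_escalated_at = now
    incident.history.append(f"{now:%H:%M} escalated to {incident.current_authority()}")
    return incident.current_authority()


def triage_snapshot(incidents: List[Incident], now: datetime) -> List[Dict]:
    """Open incidents ordered most critical first, then oldest: the view used
    to assign resources in accordance with criticality."""
    ordered = sorted(
        (i for i in incidents if not i.acknowledged),
        key=lambda i: (-SEVERITY_RANK[i.severity], i.reported_at),
    )
    return [
        {"id": i.incident_id, "severity": i.severity, "waiting_on": i.current_authority(),
         "open_minutes": int((now - i.reported_at).total_seconds() // 60)}
        for i in ordered
    ]


def demo_scenario() -> Dict:
    """Constructed scenario: two incidents swept hourly over four hours."""
    t0 = datetime(2022, 1, 1, 9, 0)
    phishing = Incident("INC-1", t0, impact_rating=2)
    outage = Incident("INC-2", t0 + timedelta(minutes=5), impact_rating=4,
                      affects_critical_process=True)
    sweeps = []
    for hour in range(1, 5):
        now = t0 + timedelta(hours=hour)
        sweeps.append([check_escalation(i, now) for i in (phishing, outage)])
    return {"snapshot": triage_snapshot([phishing, outage], t0 + timedelta(hours=4)),
            "sweeps": sweeps, "outage_history": outage.history}


if __name__ == "__main__":
    print(demo_scenario())
```

In the scenario, the critical outage climbs to executive management within the first sweep and is then flagged "overdue" on every later sweep, while the low-severity phishing report is only escalated to the manager after its four-hour wait.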

Help Desk/Service Desk Process for the Identification of Incidents
The help desk/service desk will most likely be the first team to receive information about any
incident. A help desk team should be trained to determine the severity of the incident and escalate it
to the appropriate team for further action. Timely detection of the incident and quick activation of the
IRP is key to effective incident management.

A security manager should have a well-defined process for the help desk team to differentiate a
typical incident from a possible security incident. Help desk executives should have the relevant
skills as well.

Figure 9.5: Help desk management

Frequent security awareness training for end users as well as help desk staff is one of the most
important factors for the early identification and reporting of incidents.

Incident Management and Response Teams


The IRP should determine the staff requirements for handling any incident. Each team should have
predefined assigned responsibilities for managing incidents. They should have relevant experience
and should be appropriately trained in accordance with their responsibilities. The team size may
depend on the size and complexity of the organization. The defined roles and responsibilities of the
incident response team increase the effectiveness of incident management. The following are some
teams that are involved in handling incidents:
Emergency action team: They are generally the first responders to deal with incidents such as a fire or other emergency
situations.
Damage assessment team: They are qualified professionals capable of assessing the damage to infrastructure. They determine
whether an asset is a complete loss or whether it is restorable.

Emergency management team: They are responsible for making key decisions and coordinating the activities of other teams.

Relocation team: They are responsible for the smooth execution of relocation to alternative sites from the affected site.

Security team: They are responsible for monitoring the security of information assets. They are required to limit exposure to the
security incident and to resolve any security-related issues.

Incident Notification Process


Timely notification of the incident to the relevant stakeholders is key to effective incident
management. An effective notification process helps to limit the potential loss and/or damage due to
the incident.

Most detection systems have automated notification processes enabled, which helps the employees
concerned act quickly.

Challenges in Developing an Incident Management Plan
A security manager should be aware of the following challenges in the development of an incident
management plan:
A lack of management support and organizational consensus: Two of the key challenges for a security manager are to obtain
support from senior management and to come to a consensus with the business process owners on the incident management
processes. This can best be achieved by highlighting the benefits of incident management from the organization's perspective.
The incident management plan not being aligned with organizational goals: An incident management plan is effective only if
it supports the goals of the organization. However, business processes change significantly over time. A security manager should
ensure that incident management processes are kept aligned with business requirements.

Experienced and trained professionals: Another important challenge is the availability of experienced and well-trained staff to
handle incidents.

Lack of a communication process: Ineffective communication processes are a major challenge. Incomplete or untimely
communication causes hurdles in the incident handling process.

A complex incident management plan: A security manager should keep the incident management plan simple and meaningful
for all stakeholders. Also, the plan should be realistic and achievable.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the immediate next step once an incident has been reported to the security manager?
Possible answer: Validating the incident

Question: Who is the best person to notify first when a major vulnerability is identified?
Possible answer: The system owner

Question: What are the most important factors for the early identification of an incident?
Possible answer: Security awareness training; well-defined communication channels

Question: Who should determine the members of the incident response team?
Possible answer: The information security manager

Question: What should the escalation process document contain?
Possible answer: The escalation process document should state how long a team member should wait for an incident response and what to do if no such response occurs.

Question: What does the triage phase indicate?
Possible answer: Triage provides a snapshot of the current status of all incidents reported so as to assign resources in accordance with criticality.

Question: What is the basis for developing escalation guidelines?
Possible answer: Risk and impact analysis

Question: In which phase of incident management is root cause analysis conducted (i.e., containment, eradication, lessons learned, or recovery)?
Possible answer: The eradication phase

Question: What is slack space?
Possible answer: Slack space means the additional storage available on a computer's hard disk drive. Slack space is created when a computer file does not need all the space allocated to it by the operating system. Slack space can be used to store hidden data. The verification of slack space is an important aspect of computer forensics.

Figure 9.6: Key aspects from the CISM exam perspective

Practice Question Set 2


1. As an information security manager, you note a security breach. What should your immediate course of action be?

A. To confirm the incident

B. To evaluate the impact

C. To notify the stakeholders

D. To isolate the incident

2. As an information security manager, you have noted a new type of attack in the industry, wherein a virus is disguised in the form
of a picture file. What should your first course of action be?

A. Deleting all picture files stored on the file server

B. Blocking all emails containing picture file attachments

C. Blocking all incoming emails containing attachments

D. Quarantining all mail servers connected to the internet

3. Who should be notified immediately upon the discovery of a vulnerability in the web server?

A. The system owner

B. The forensic investigators

C. The data owner
D. The development team

4. An investigation team is in the process of collecting forensic evidence for a recent security breach. They have a strong suspicion
that the slack space was compromised. What is the relevance of slack space during an incident investigation?

A. Slack space can be used to store hidden data

B. Slack space contains passwords

C. Slack space is used to capture logs

D. Slack space contains the investigation process

5. A security manager has received a report about the breach of a customer database by a hacker. What should their first step be?

A. To confirm the incident

B. To report to the senior management

C. To initiate containment

D. To report to the law authority

6. Which of the following is the most effective method to address network-based security attacks generated internally?

A. Implementing two-factor authentication

B. Implementing static IP addresses

C. Capturing logs at the centralized location

D. Installing an intrusion detection system

7. A security manager notes a serious vulnerability in the installed firewall. What should their next course of action be?

A. To patch the operating system

B. To block incoming traffic until the vulnerability is addressed

C. To obtain guidance from the firewall manufacturer

D. To conduct a penetration test

8. Once a security incident has been confirmed, what should the security manager's next task be?

A. To determine the source of the incident

B. To contain the incident

C. To determine the impact of the incident

D. To conduct a vulnerability assessment

9. A security manager notes that confidential human resource data is accessible to all users of the human resource department. What
should the security manager's first step be?

A. Recommending encryption of the confidential data

B. Disabling access to confidential data for all users
C. Discussing the situation with the data owner

D. Providing security training to all HR personnel

10. What is the most effective metric to justify the establishment of an incident management team?

A. Business impact of earlier incidents

B. Industry-wide monetary loss due to incidents

C. Trends in improvements in security processes

D. Possible business benefits from incident impact reduction

11. What is the most important factor for the early identification of a security incident?

A. Structured communication and reporting procedures

B. Documented criteria for determining the incident severity level

C. The capability of the installed intrusion detection system

D. Security awareness training of end users

12. The main objective of an incident response plan is to:

A. Prevent incident occurrence

B. Streamline business continuity processes

C. Train users to deal with incidents

D. Promote business resiliency

13. An end user notes a suspicious file on a computer. They report it to the security manager. What should the security manager's first
step be?

A. Isolating the file

B. Reporting it to senior management

C. Verifying whether the file is malicious

D. Determining the source of the file

14. The members of an organization's information security response team are determined by:

A. The board of directors

B. The operations department

C. The risk management department

D. The information security department

15. A security manager has received an alert from the intrusion detection system (IDS) about a possible attack. What should their first
step be?

A. Determining the severity of the attack
B. Determining whether it is an actual incident

C. Isolating the affected machines

D. Activating the incident response plan

16. After confirming a security breach related to customer data, a security manager should first notify:

A. The board of directors

B. The affected customers

C. The data owner

D. The regulatory authority

17. The efficiency of an incident response team can best be improved by:

A. A defined security policy

B. Defined roles and responsibilities

C. A structured communication channel

D. Forensic skills

18. What is the main objective of a senior manager reviewing the security incident status and procedures?

A. To ensure that adequate corrective actions are implemented

B. To comply with the security policy

C. To determine the capability of the security team

D. To demonstrate management commitment toward security

19. A response team notes that the investigation of an incident cannot be completed as per the timeframe. What should their next
action be?

A. Continuing to work until the investigation is complete

B. Escalating to the next level for resolution

C. Ignoring the current investigation and taking up a new incident

D. Changing the incident response policy to increase the timeline

20. Which of the following is the most important factor for the timely identification of a security incident?

A. Installation of an intrusion detection system

B. Frequent audits

C. A well-defined and structured communication plan

D. Frequent reviews of network traffic logs

Business Continuity and Disaster Recovery Procedures


A business continuity plan (BCP) is defined as the laid down processes used to prevent, mitigate,
and recover from disruptions. A disaster recovery plan (DRP) is a subset of an overall BCP. While
the goal of a BCP is to prevent and mitigate incidents, the goal of a DRP is to restore business
operations if they are down due to an incident. Thus, a BCP is a continuous process of implementing
various controls to prevent or mitigate the impact of incidents, whereas a DRP is activated only when
preventive measures have failed and business processes have already been impacted due to an
incident.

Apart from having a well-defined BCP, it is of utmost importance for the organization to ensure that
both the BCP and DRP and any related documents are available at offsite locations as well.

Phases of Recovery Planning


A security manager should understand the following phases for the implementation of the BCP and
the DRP:
Conducting a risk assessment and BIA to understand the critical processes and assets of the organization

Developing and documenting a response and recovery strategy

Training staff on the response and recovery procedures

Testing the response and recovery plans

Auditing the response and recovery plans

Before developing a detailed BCP, it is important to conduct a BIA. A BIA helps to determine the
incremental costs of losing different systems. Based on the BIA, recovery efforts required for the
system are determined. For critical systems, the RTO will be low and hence the recovery cost will be on
the higher side. By comparison, for non-critical systems, the RTO will be high and the recovery cost
will be comparatively low. The following example will further illustrate this:

An organization has two systems: system A and system B. System A is a critical system and the
organization cannot afford system downtime of more than one day. Hence, the RTO, in this case, is
one day. To restore the system within one day, the organization needs to have a hot site equipped with
all the required arrangements. This results in a high recovery cost.

System B is non-critical. It will not have any impact even if it is down for 10 days. Hence the RTO is
10 days. The organization can manage through a cold site without much arrangement needed. Hence,
comparatively, the recovery cost will be low.

In a nutshell, critical systems have a low RTO and a high recovery cost whereas non-critical systems
have a high RTO and a low recovery cost.
Recovery Sites
As already alluded to, in the case of an incident, a primary site may not be available for business
operations. To address such scenarios, an organization should have an arrangement for the
resumption of services from an alternative site to ensure the continuity of business operations. Many
business organizations cannot afford the discontinuation of business processes for even a single day,
and so they need to invest heavily in an alternative recovery site. These arrangements can vary
according to the needs of the business.

From the perspective of the CISM exam, candidates should have an understanding of the following
alternative recovery site types:

Figure 9.7: Alternative recovery sites

Mirrored Site
A mirrored site is regarded as an exact replica of the primary site. When arranging a mirrored site,
the following components are already factored in:
The availability of space and basic infrastructure

The availability of all business applications

The availability of an updated data backup

A mirrored site can be made available for business operations in the shortest possible timeframe as
everything (in terms of systems and data) has already been considered and made available. It must be
noted that the cost of maintaining a mirrored site is very high compared to the alternatives.
Hot Site
A hot site is the second-best alternative after a mirrored site. The following components are already
factored in while arranging a hot site:
The availability of space and basic infrastructure
The availability of all business applications

However, for a hot site to function, an updated data backup is also required.
Warm Site
The following components are already factored in while arranging a warm site:
The availability of space and basic infrastructure

The availability of a few business-critical applications

However, for a warm site to function, the following components are also needed:
An arrangement for the required IT applications

An arrangement for the required data

Cold Site
The availability of space and basic infrastructure is already factored in while arranging a cold site.

However, for a cold site to function, the following components are also needed:
An arrangement for the required IT applications

An arrangement for the required data

Mobile Site
At a mobile site, a moveable vehicle is used, which is equipped with the required computing
resources. A mobile site can be moved to any warm or cold site depending upon the requirements.
The scale of business operations determines the need for a mobile site.
Reciprocal Agreements
In a reciprocal agreement, two organizations with similar capabilities and processing capacities agree
to provide support to one another in the event of an emergency. Reciprocal agreements are not
considered very reliable. A reciprocal agreement is the least expensive as this relies solely on an
arrangement between two organizations.

The following table summarizes the characteristics of each alternative recovery site:
Figure 9.8: Characteristics of alternative recovery site

A mirrored site is the fastest mode of recovery, followed by a hot site. A cold site is the slowest mode
of recovery. For a critical system, mirrored/hot sites are appropriate options, while for non-critical
systems, cold sites are appropriate. A reciprocal agreement has the lowest expenditure in terms of a
recovery arrangement.
Factors Impacting Recovery Site Selection
Security managers need to consider the requirements of the organization as well as the costs of
maintaining a recovery site. The following factors impact the selection of a recovery site.
Allowable Interruption Window
The AIW is the maximum period of time for which normal operations of the organization can be
down. After this point, the organization will start facing major financial difficulties.
Recovery Time Objective
The RTO is the extent of system downtime that the organization can tolerate. In other words, the RTO
is the extent of acceptable system downtime. For example, an RTO of 2 hours indicates that an
organization will not be overly impacted if its system is down for up to 2 hours.

The RTO is said to be achieved when a system is restored within the defined RTO.
Recovery Point Objective
A recovery point objective (RPO) is the extent of data loss, measured in time, that an organization can tolerate.
For example, an RPO of two hours indicates that an organization will not be overly impacted if it
loses up to two hours of data.

An RPO is used to determine the various factors of a backup strategy, such as the frequency and type
of backups used (i.e., mirroring, tape backup, etc.).
Service Delivery Objective
The SDO is the level of service and operational capability to be maintained from an alternative site.
The SDO is directly related to business needs and is the level of service to be attained even during
disaster recovery. It is influenced by business requirements.
Maximum Tolerable Outage
The MTO is the maximum period of time that an organization can operate from an alternative site.
Various factors affect the MTO, such as resource availability, location availability, raw material
availability, electric power availability at the alternative site, and other constraints.

Apart from the above, the following factors are also considered when selecting an alternative site:
The recovery site should have the appropriate distance from potential hazards such as bodies of water, chemical factories, or other
locations that might cause significant risk to the recovery site.

A recovery site should be away from the primary site so that both are not subject to the same environmental events.

Operating from a recovery site should also be feasible for a longer duration. Major disruptions can make primary sites unavailable
for months. The MTO (that is, the arrangement to operate from the recovery site) should be planned for at least the period defined
in the AIW (that is, until the time the organization starts facing a financial crisis).

Continuity of Network Services


In modern business scenarios, it is very important to arrange for redundant telecommunication and
network devices to ensure the continuity of business operations. The following are some network
protection methods:
Alternative routing such as last-mile circuit protection and long-haul network diversity

Diverse routing

Alternative Routing
In alternative routing, information is routed over an alternative medium, such as copper cable or fiber
optic cable.

The following are two types of alternative routing:


Last-mile circuit protection: This provides redundancy for local communication.

Long-haul network connectivity: This provides redundancy for long-distance communication.

Diverse Routing
This is a method for routing information through split or duplicate cables:
Figure 9.9: Diverse routing

In diverse routing, a single cable is split into two parts, whereas in alternative routing, two entirely
different cables are used.

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the primary basis on which a business continuity plan is developed?
Possible answer: The recovery strategy approved by senior management

Question: What is an MTO?
Possible answer: The maximum tolerable outage (MTO) is the maximum period of time that an organization can operate from an alternative site.

Question: What is the primary factor for determining the MTO?
Possible answer: The resources available to operate from an alternative site

Question: Which recovery site has the greatest chance of failure?
Possible answer: A reciprocal arrangement

Question: What is the most important factor for deciding the prioritization of a BCP?
Possible answer: A business impact analysis

Question: What is the RTO?
Possible answer: The extent of acceptable system downtime

Question: What is the RPO?
Possible answer: The extent of acceptable data loss

Question: A backup strategy is primarily influenced by:
Possible answer: The RPO

Figure 9.10: Key aspects from the CISM exam perspective

Practice Question Set 3


1. As an internet security manager, you are required to review the business continuity plan. A business continuity plan is primarily
based on:

A. The available alternative site

B. The available continuity budget

C. The strategy to cover all applications of the organization

D. The strategy validated by senior management

2. A business continuity program includes:

A. A detailed review of the technical recovery plan

B. Detailed testing of network redundancy

C. Updating of equipment at the hot site

D. Developing a recovery time objective for critical functions

3. Maximum tolerable outage (MTO) is arrived at on the basis of:

A. Available resources

B. Service delivery objectives

C. Operational capabilities

D. The size of the recovery team

4. Which of the following is relevant to a recovery point objective?

A. The extent of system downtime

B. Before image restoration

C. Maximum tolerable outage

D. After image restoration

5. Which of the following ensures the correct prioritization of operations in the event of disaster recovery?

A. Business impact analysis


B. Risk assessment

C. Organization hierarchy

D. Threat assessment

6. A recovery arrangement that has the highest chance of failure is:

A. A warm site

B. A hot site

C. A reciprocal arrangement

D. A cold site

7. The recovery point objective (RPO) for an application is best determined by:

A. The security manager

B. The chief operating officer

C. Risk management

D. Internal audit

8. What is the objective of a recovery point objective?

A. To determine the maximum tolerable period of data loss

B. To determine the maximum tolerable downtime

C. To determine the level of business resiliency

D. To determine the best type of alternative site

9. For conducting a business impact analysis, who is the best person to determine the recovery time and cost estimates?

A. The business continuity manager

B. The security manager

C. The business process owner

D. The IT department

10. The best way to ensure that a business continuity plan supports the organization's needs is:

A. To conduct an external audit of the business continuity plan

B. To determine the size of the business continuity team

C. To periodically test the plan with varied scenarios

D. To update management on a regular basis

11. When will a proximity factor be of most importance?

A. During a business impact analysis


B. During a business continuity plan test

C. When developing a disaster recovery procedure

D. When selecting an alternative recovery site

12. What is the most important factor to consider when designing the technical aspects of a disaster recovery site?

A. Standby resources

B. The recovery point objective

C. The allowable interruption window

D. The maximum tolerable outage

13. Which of the following is the most important factor for the selection of an offsite facility?

A. The primary and offsite facilities should not be subject to the same environmental threats

B. The primary and offsite facilities should be in the same perimeter for ease of operation

C. The maintenance cost of the offsite facility

D. The facility to transport media at a low cost

14. The recovery time objective is said to be achieved when:

A. A disaster is declared

B. The recovery of the backup is completed

C. Systems are restored

D. Normal functioning has resumed

15. Which of the following indicates that the business continuity plan (BCP) objective has been achieved?

A. Test results show that the recovery time objective was not exceeded

B. BCP testing was conducted consistently

C. Test results show that the recovery point objective was inadequate

D. Assets have been assigned to the owners and proper valuation has been achieved

16. Which of the following is the most important factor for the selection of an offsite facility?

A. The outcome of the business impact analysis

B. Adequate distance between the primary site and offsite facility so that the same disaster does not simultaneously
impact both

C. The location of the offsite facilities of other organizations of the same industry

D. Applicability of regulatory requirements to the offsite location

17. The time required for the restoration of processing is determined by:
A. Recovery time objectives

B. The maximum tolerable outage

C. Recovery point objectives

D. Service delivery objectives

18. A security manager is required to ensure the availability of key business processes at an offsite location. They should verify:

A. The recovery point objective

B. The operational hierarchy

C. The staff requirements at the offsite location

D. The end-to-end transaction flow

19. The priority of action in a business continuity plan is determined by:

A. A business impact analysis

B. Risk evaluation

C. An internal audit report

D. A vulnerability analysis

20. While conducting a business continuity test, a security manager notes that a piece of new software that is important for business
processes is not included in the recovery strategy. This type of concern can be avoided in the future by:

A. Conducting periodic and event-driven business impact analyses to determine the business needs

B. Giving priority for recovery to all new applications

C. Not changing business processes for a consistent recovery strategy

D. Conducting a thorough risk assessment before the acquisition of a new application

Insurance
A security manager should consider insurance as one of the important factors to minimize the impact
of loss due to incidents. Insurance can be obtained to recover losses. The following are some relevant
types of insurance coverage:
Insurance to cover damage to IT equipment and facilities

Insurance to cover damage to computer-related media

Insurance to cover damage on account of cyberattacks

Insurance to cover third-party claims and liability

Insurance to cover loss of profits due to business disruptions

Insurance to cover legal liability arising from errors and omissions

Insurance to cover financial loss due to fraud or dishonesty committed by employees (fidelity insurance)
Insurance to cover damage to media in transit

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the most effective way to reduce the financial impact due to downtime caused by an incident?
Possible answer: Business interruption insurance

Question: What is fidelity insurance?
Possible answer: Fidelity insurance is a business insurance product that provides protection against business losses caused by employee dishonesty, theft, or fraud.

Figure 9.11: Key aspects from the CISM exam perspective

Practice Question Set 4


1. As an information security manager, you recommend senior management obtains fidelity insurance. What is the prime objective
of fidelity insurance?

A. Fidelity insurance covers any losses suffered due to natural calamities

B. Fidelity insurance covers any losses suffered due to offshore transactions

C. Fidelity insurance covers any losses suffered due to cyberattacks

D. Fidelity insurance covers any losses suffered due to dishonesty or fraud by employees

2. What is the most effective way to compensate for the financial impact of downtime due to a disaster?

A. Offsite media storage

B. Business interruption insurance

C. A business continuity plan

D. A disaster recovery plan

Incident Classification/Categorization
An information security manager needs to develop a process to classify incidents based on their
criticality. Classification helps the organization concentrate on areas of high risk and thus ensures
optimum utilization of its limited resources.
The most effective method to deal with multiple incidents is to triage them by considering their
criticality.

An information security manager needs to ensure the availability of a documented escalation process.
The process should include criteria for the classification of events, the responsibility and authority
for each type of event, and the set of actions to be taken along with the desired escalation to be implemented. The
information security manager should design this process in consultation with senior management.

Help/Service Desk Processes for Identifying Security Incidents
It is of utmost importance to provide training to help desk personnel to enable them to distinguish
between a normal event and a possible security incident. Early identification of security events is
critical to minimizing the damage from them.

In addition to identifying a potential security event, help desk employees should also be familiar with
the required reporting and response processes.

Practice Question Set 5


1. The severity of an incident is best determined by:

A. Analyzing past incidents

B. Benchmarking with a similar industry

C. The value of the impacted assets

D. Involving managers from the affected operational areas

2. As an information security manager, your team informs you that they are in the detection and analysis phase of a recent
cyberattack on the organization. Which of the following activities is part of this phase?

A. Isolating impacted systems to limit the spread of the incident

B. Conducting root cause analysis of the incident

C. Determining the category of the incident based on impact

D. Analyzing the incident response process for learning and improving

3. What is the main reason for conducting triage for incident handling?

A. To arrive at the root cause of the incident

B. To determine the cost of controlling the incident

C. To prioritize resources for handling multiple incidents


D. To support the early detection of incidents

Testing Incident Response, BCP, and DRP


Regular testing and exercises are very important for determining the continued adequacy and
effectiveness of the BCP and the DRP. It helps to validate the compatibility of the offsite facility to
support the organization in the event of a disaster. Testing the BCP helps determine its effectiveness
and identify any gaps therein, thereby providing an opportunity to improve the plan.

Types of Tests
The following are some of the important methods for testing the BCP and DRP:
Checklist Review
This test is performed prior to a real test. A checklist is provided to all members of the recovery team
for review and for ensuring that the checklist is up to date.
Structured Walk-through
This includes a review of the BCP and DRP on paper. Team members review each step to evaluate
the effectiveness of the plans. Identified gaps, deficiencies, and constraints are addressed to improve
the plans.
Simulation Test
In this type of test, a roleplay is prepared for a disaster scenario and the adequacy of the DRP is
determined. This does not include activation of the recovery site.
Parallel Test
In this type of test, the recovery site is activated to determine the readiness of the site. The primary
site continues to operate normally.
Full Interruption Test
A full interruption test provides the information security manager with good assurance because it comes
the closest to an actual disaster. The primary site is completely shut down and operations are carried
out from the recovery site as per the DRP.

This type of testing is the most expensive and potentially disruptive. It is advisable that testing should
start with a simple exercise and once confidence is established, it should gradually expand to a full
restoration test.

Tests should be scheduled in a manner that will minimize disruptions to normal operations. Key
recovery team members should be actively involved in the test procedures. It is recommended to
conduct full interruption tests on an annual basis once individual tests have been performed
satisfactorily.

Effectiveness of Tests
Out of all the above tests, a full interruption test is considered the most effective to determine the
readiness of the BCP and DRP.

In both parallel and simulation tests, normal business operations are not impacted. In a parallel test, the
recovery site is activated, and in a simulation test, the recovery site is not activated. When the objective
of the test is not to disturb normal business operations, a parallel test is the most effective, followed
by a simulation test.

Category of Tests
A security manager should also understand the following categories of tests with respect to the
recovery process:
Paper Test/Desk-based Evaluation
In this type of testing, the relevant staff have a walk-through of the BCP and discuss what might
happen if service disruptions of a particular type occur. This is also referred to as a tabletop exercise.

A paper test is conducted prior to the preparedness test.


Preparedness Test
In this type of testing, with the help of a simulated system crash, preparedness is verified in a
localized environment. A preparedness test is the most cost-effective way to evaluate the adequacy of
a plan. It helps to improve the plan gradually. A preparedness test is the localized version of a full
test. It includes phase-wise simulation of the entire environment at a very reasonable cost and helps
the recovery team understand the various challenges associated with the actual test scenario.
Full Operational Test
A full operational test is conducted once the paper and preparedness tests have been carried out. This
test is one step prior to a full disruption test. A full operational test is a costly and time-consuming
affair that involves many challenges. In a full disruption test, complete production activities are
carried out from an alternative site.

Recovery Test Metrics


To determine the effectiveness of a plan, critical metrics should be evaluated during testing. These
metrics should be based on the key objectives of the plan.

Figure 9.12: Test metrics

The following are some of the important metrics for a recovery plan:
Whether recovery processes are completed within the predefined timelines

Whether the amount of work performed from the recovery site is within the service delivery objective

Whether the accuracy of transactions performed from the recovery site is acceptable

Success Criteria for Tests


A security manager should consider the following important factors for the conducting of tests:
The results of the test should be properly documented and evaluated otherwise it will not be possible to evaluate the effectiveness
of the BCP.

The success of a disaster recovery test depends on whether all critical business functions were successfully recovered and
reproduced.

If a test is performed by a third-party service provider, the security manager needs to ensure that all the data and applications have
the appropriate protection level. Data should be erased from the third-party infrastructure once the test is completed.

Frequent testing and improving from lessons learned will help to ensure that the incident management response plan is aligned
with the current business priorities.

It is essential for testing to be conducted in realistic conditions, after considering all the crises that would arise in an actual disruptive event.

The security manager should understand the risk of untested plans. An untested plan may not work as expected and the
organization might face severe consequences in the event of a disaster.
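The relationships among the AIW, MTO, RTO, RPO, and SDO described earlier in this chapter, together with the recovery test metrics and success criteria above, can be checked mechanically. The following Python example is added here and is not from the book; the class and function names, the 1% transaction error threshold, and the sample plan and test figures are all constructed, and it assumes that systems are restored one after another, so the aggregate interruption is the sum of the individual recovery times.

```python
"""Check recovery objectives for consistency and evaluate a recovery test against them.

Added example, not from the book: all names, thresholds, and sample figures below
are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class OrganizationWindow:
    """Organization-wide limits, in hours."""
    aiw_hours: float  # allowable interruption window: max time normal operations can be down
    mto_hours: float  # maximum tolerable outage: how long the alternative site can be sustained


@dataclass(frozen=True)
class SystemObjectives:
    """Per-system objectives derived from the BIA."""
    name: str
    rto_hours: float    # acceptable system downtime
    rpo_hours: float    # acceptable data loss, expressed as time
    sdo_percent: float  # service level that must be maintained from the alternative site


@dataclass(frozen=True)
class TestResult:
    """Figures observed for one system during a recovery test (constructed)."""
    name: str
    recovery_time_hours: float    # time until the system was usable at the recovery site
    data_loss_hours: float        # age of the newest restorable data at the point of failure
    service_level_percent: float  # share of the normal workload handled from the recovery site
    transactions_total: int
    transactions_wrong: int       # transactions from the recovery site that failed reconciliation


def plan_consistency_issues(org: OrganizationWindow, systems: list[SystemObjectives]) -> list[str]:
    """Relationships the chapter states: the alternative site must be sustainable (MTO)
    for at least the AIW, and no critical system's RTO may exceed the AIW."""
    issues = []
    if org.mto_hours < org.aiw_hours:
        issues.append(f"MTO {org.mto_hours}h is shorter than AIW {org.aiw_hours}h")
    for s in systems:
        if s.rto_hours > org.aiw_hours:
            issues.append(f"{s.name}: RTO {s.rto_hours}h exceeds AIW {org.aiw_hours}h")
    return issues


def max_backup_interval_hours(s: SystemObjectives) -> float:
    """The RPO bounds acceptable data loss, so backups must run at least this often."""
    return s.rpo_hours


def evaluate_test(org: OrganizationWindow, systems: list[SystemObjectives],
                  results: list[TestResult], max_error_rate: float = 0.01) -> dict:
    """Apply the test metrics: recovery within RTO, data loss within RPO, service level
    within SDO, acceptable transaction accuracy, and aggregate recovery within the AIW."""
    objectives = {s.name: s for s in systems}
    findings = []
    for r in results:
        s = objectives[r.name]
        if r.recovery_time_hours > s.rto_hours:
            findings.append(f"{r.name}: recovered in {r.recovery_time_hours}h, RTO is {s.rto_hours}h")
        if r.data_loss_hours > s.rpo_hours:
            findings.append(f"{r.name}: lost {r.data_loss_hours}h of data, RPO is {s.rpo_hours}h")
        if r.service_level_percent < s.sdo_percent:
            findings.append(f"{r.name}: {r.service_level_percent}% of normal service, SDO is {s.sdo_percent}%")
        error_rate = r.transactions_wrong / r.transactions_total if r.transactions_total else 0.0
        if error_rate > max_error_rate:
            findings.append(f"{r.name}: transaction error rate {error_rate:.2%} exceeds {max_error_rate:.2%}")
    # Every critical system in the plan must have been exercised.
    for name in sorted(set(objectives) - {r.name for r in results}):
        findings.append(f"{name}: critical system was not recovered during the test")
    # Assumption (constructed): systems are restored one after another, so the aggregate
    # interruption is the sum of the individual recovery times. Exceeding the AIW fails
    # the test even when every system met its own RTO.
    aggregate = sum(r.recovery_time_hours for r in results)
    if aggregate > org.aiw_hours:
        findings.append(f"aggregate recovery of {aggregate}h exceeds AIW of {org.aiw_hours}h")
    return {"passed": not findings, "findings": findings, "aggregate_recovery_hours": aggregate}


# Constructed sample plan and test figures.
SAMPLE_ORG = OrganizationWindow(aiw_hours=24.0, mto_hours=720.0)
SAMPLE_SYSTEMS = [
    SystemObjectives("order-entry", rto_hours=4.0, rpo_hours=1.0, sdo_percent=80.0),
    SystemObjectives("reporting", rto_hours=24.0, rpo_hours=12.0, sdo_percent=50.0),
]
SAMPLE_RESULTS = [
    TestResult("order-entry", 3.0, 0.5, 85.0, transactions_total=10_000, transactions_wrong=20),
    TestResult("reporting", 23.0, 2.0, 60.0, transactions_total=500, transactions_wrong=0),
]

if __name__ == "__main__":
    for issue in plan_consistency_issues(SAMPLE_ORG, SAMPLE_SYSTEMS):
        print("plan issue:", issue)
    verdict = evaluate_test(SAMPLE_ORG, SAMPLE_SYSTEMS, SAMPLE_RESULTS)
    print("test passed:", verdict["passed"])  # False: each system met its RTO, but 3h + 23h exceeds the 24h AIW
    for finding in verdict["findings"]:
        print("finding:", finding)
```

In the sample, both systems individually meet their RTO, RPO, and SDO, yet the test is reported as a failure because the aggregate recovery activity exceeds the AIW, which is the situation practice question 12 below describes.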

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: Which type of test provides the best assurances about the effectiveness of BCPs and DRPs?
Possible answer: Full interruption tests

Question: Which type of testing provides the best assurances about the effectiveness of a BCP and DRP without impacting normal business operations?
Possible answer: Parallel tests (first preference); simulation tests (second preference)

Question: What is the most effective method to determine that a disaster recovery plan is current?
Possible answer: Regular testing of the disaster recovery plan

Question: What is the best way to determine the ability of an organization to resume operations after a disaster?
Possible answer: Restoration testing

Question: What is the difference between a parallel test and a simulation test?
Possible answer: In a parallel test, the recovery site is activated, whereas in a simulation test, the recovery site is not activated.

Figure 9.13: Key aspects from the CISM exam perspective

Practice Question Set 6


1. As an information security manager, you are evaluating a recovery test. A recovery test is considered successful if:

A. Restoration is done with the help of the data available from the recovery site

B. The IT team and the business owners are involved in the recovery test

C. The critical business processes are recovered and duplicated within the defined timeframe

D. The recovery test results are documented and presented to senior management

2. As an information security manager, you are using the infrastructure of a third-party service provider to conduct a recovery test of
your organization. After completion of the test, what is the most important consideration?

A. All data and applications should be erased from the devices of the service provider
B. A meeting should be conducted at the site to evaluate the test results

C. The assessment of the recovery site should be discussed with the service provider

D. The test should be conducted within the security budget

3. What is the most effective way to improve the performance of the incident response team?

A. Training the incident response team about new threats

B. Periodically testing and improving the plan from the lessons learned

C. Ensuring that all members of the incident response team have an expert level of IT knowledge

D. Inviting ideas from all team members

4. Which test provides the best assurance about the effectiveness of a recovery plan?

A. A walk-through test

B. A tabletop exercise

C. A full interruption test

D. A simulation test

5. What is the most effective method to ensure that operational incident risks are managed effectively?

A. Tested business continuity plan/disaster recovery plan

B. Timely reporting of incidents

C. Incident management awareness

D. Increases in the security budget

6. An organization wants to test the effectiveness of its business continuity plan. However, it does not want to impact its normal
business operations. Which of the following tests will give the best assurance?

A. Checklist tests

B. Simulation tests

C. Walk-through tests

D. Full interruption tests

7. A security manager notes that the system administrator failed to report an attempted attack. This situation can be prevented in the
future by:

A. Periodic testing of the incident response plan

B. Periodic vulnerability assessments

C. Mandatory training for all staff

D. Periodic audits of the incident response plan

8. What is the most effective way to determine that a disaster recovery plan is current?
A. Periodic audits of the disaster recovery plan

B. Periodic training provided to the disaster recovery team

C. Periodic testing of the disaster recovery plan

D. Periodic risk assessments

9. Which of the following activities increases the chance of a full return of operations after a disaster?

A. Restoration testing

B. Checklist reviews

C. Arranging for a warm site

D. Developing an incident response plan

10. An organization does not want to disturb its continuous operations. Which test will best determine the effectiveness of the
response and recovery process without impacting normal business operations?

A. A full interruption test

B. A simulation test

C. A parallel test

D. A structured walk-through

11. Which of the following demonstrates the fundamental difference between a parallel test and a simulation test?

A. In a parallel test, the team members do a walk-through of the necessary recovery tasks; this is not done in a simulation
test

B. In a parallel test, normal business operations are stopped; this is not done in a simulation test

C. In a parallel test, a fictitious scenario is used for testing; this is not done in a simulation test

D. In a parallel test, the recovery site is brought to operational readiness; this is not done in a simulation test

12. A security manager reports a DRP test as a failure even though all essential services were restored at the hot site. What is the main
reason for the failure?

A. The expenditure on the test exceeded the security budget

B. The level of service exceeded the service delivery objective

C. A few systems were updated with an old version of the operating system

D. The aggregate recovery activities exceed the acceptable interruption window

13. What is the major challenge of an untested response plan?

A. It may not contain up-to-date contact information

B. It may not be approved by senior management

C. It poses the risk that the plan will not work when needed

D. It will not be possible to determine the budget for the recovery site
14. The success of a disaster recovery test primarily depends on:

A. Minimum interruption to normal business processes

B. The predefined scope of the test

C. The preparedness of the recovery site

D. Active participation by business management

Summary
In this chapter, you gained an overview of incident management. This chapter will help the CISM
candidate determine and document incident response procedures for effective incident management.
It will also help the CISM candidate define resilient business processes and determine different
aspects of a BCP and DRP, and to test various plans and improve their effectiveness.

The next chapter will cover the practical aspects of incident management operations.

Revision Questions
1. What is the primary purpose of an incident response procedure?

A. Containing incidents to reduce the damage

B. Determining the root cause behind the incident

C. Implementing corrective controls to prevent re-occurrence

D. Maintaining records of the incident

2. What is the most important objective of incident management?

A. To contain

B. To conduct a root cause analysis

C. To eradicate

D. To control the impact

3. A security manager is developing an incident response plan. What should their first step be?

A. Determining the time required to respond to the incident

B. Determining the escalation process

C. Determining the resource requirements

D. Determining the category of the incident based on its likelihood and impact

4. What is the main objective of incident management and response?

A. Restoring the disruptive processes within the defined timeframe


B. Conducting walk-throughs to recover from an adverse event

C. Complying with the clause of an insurance policy

D. Addressing the incident to control the impact to an acceptable level

5. What is the most effective factor for an incident management process?

A. Capability to detect the incident

B. Capability to respond to the incident

C. Capability to classify the incident

D. Capability to document the incident

6. A security manager notes that incident reports from different business units are not consistent and correct. What should their first
course of action be?

A. To determine whether a clear incident definition and criteria for severity exists

B. To implement training programs for all the employees of the organization

C. To escalate the issue to senior management for appropriate action

D. To impose a heavy penalty for the inconsistent approach

7. What is the best way to detect a security violation in a timely and effective manner?

A. To develop a structured communication channel

B. To conduct third-party audits of incident reporting logs

C. To implement an automatic compliance monitoring system

D. To enable anonymous reporting

8. What is an area of major concern for a risk-based incident response program?

A. Fraud due to collusion among employees

B. Poor quality of investigation

C. Reduction in false positive alerts

D. Repeated low-risk events

9. A security manager notes that a server has been compromised and sensitive data has been stolen. After confirming the incident,
the next step is to:

A. Report it to law enforcement

B. Start containment

C. Ensure the availability of backup data

D. Disconnect the affected server

10. In which of the following plans is proactive security assessment and evaluation completed for computing infrastructure?
A. A business continuity plan

B. A business impact analysis

C. An incident management plan

D. A disaster recovery plan

11. What is the most effective way to determine the impact of a denial-of-service attack?

A. To determine the source of the attack

B. To determine the number of hours for which the attack was active

C. To determine the criticality of the affected services

D. To review the firewall logs

12. What is the most effective way to monitor outsourced incident management functions?

A. Frequent testing of the plan and a dedicated team to provide oversight

B. Availability of a documented plan with the service provider

C. Structured communication channels

D. Frequent audits of the service provider's functions

13. What is the most important aspect when defining incident response procedures?

A. Closing the incident within the defined timeline

B. Minimizing the number of incidents

C. Collecting evidence for audit

D. Meeting service delivery objectives

14. After an incident, a security manager notes that full system recovery will take a long time. Their efforts are concentrated on the
partial recovery of the system. This level of partial system recovery is most likely based on:

A. The capability of the recovery manager

B. The maximum tolerable outage

C. The service delivery objectives

D. The availability of the recovery budget

15. As an information security manager, you note that the business continuity plan (BCP) has not been updated in the last 5 years and
the maximum tolerable outage (MTO) is much less than the allowable interruption window (AIW). Your best action should be to:

A. Take no action as they are approved by business management

B. Conduct a fresh business impact analysis and update the plan

C. Increase the maximum tolerable outage

D. Decrease the allowable interruption window


16. Incident management supports the organization primarily by:

A. Removing external threats

B. Optimizing risk management efforts

C. Streamlining recovery plans

D. Structuring the reporting process

17. Which of the following determines the priority of incident response activities?

A. The disaster recovery plan

B. The business continuity plan

C. The security team structure

D. The business impact analysis

18. A data restoration plan is primarily based on:

A. The transaction processing time

B. The backup budget

C. The service delivery objectives

D. The data restoration software

19. What is the most important factor for a global organization to ensure the continuity of business in an emergency situation?

A. Documented delegation of authority at the alternative site

B. Key process documents at the alternative site

C. Documentation on key service providers at the alternative site

D. Support from senior management

20. The incident escalation process should primarily state:

A. The timelines for responses and what to do if no response occurs

B. How to define the criticality of the incident

C. The process for communication to senior management and other stakeholders

D. How to calculate the impact of the incident

21. With the use of the triage phase of an incident response plan, a security manager can determine:

A. The current status of all incidents reported

B. The turnaround time for the closure of each incident

C. The appropriateness of the post-incident review procedure

D. A strategic review of the incident's resolution


22. Escalation guidelines are mostly derived from:

A. Management discretion

B. Risk and impact analysis

C. Audit reports

D. The capability of resources

23. An incident management program is considered most effective when:

A. It detects, assesses, and prevents the reoccurrence of incidents

B. It follows proper documentation for all incidents

C. It has sufficient resources to deal with incidents

D. It provides a dashboard for the management

24. The best metric to determine the readiness of an incident response team is:

A. The time required to detect an incident

B. The time between detection and reporting to management

C. The time between detection and response

D. The time between detection and documentation

25. The area of most concern for establishing an effective incident management program is:

A. Incident reporting to senior management is not structured

B. Details of the key process owners are not defined in the security policy

C. All incidents are not managed by the IT team

D. The escalation process is inadequately defined

26. A security manager notes that if a server fails for three days, it could cost the organization $100,000, that is, two times more than
if it could be recovered in one day. This calculation is derived from:

A. Incident management planning

B. The business impact analysis

C. Business continuity planning

D. Alternative site planning

27. What is the most effective method of training the members of a newly established incident management team?

A. Formal training

B. Virtual training

C. On-the-job training

D. Mentoring

28. What is the best way to determine the effectiveness of an incident response team?

A. The percentage of incidents resolved within the defined timeframe

B. The number of employees in the incident response team

C. The percentage of open incidents at the end of the month

D. The number of incidents arising from internal sources

29. In which of the following processes does the incident response team address the root cause?

A. Eradication

B. Containment

C. Reporting

D. Recovery

30. A security manager is designing a backup strategy. What is the most important factor?

A. The quantum of data

B. The recovery point objective

C. The recovery time objective

D. The maximum tolerable outage

31. The recovery time objective is primarily based on:

A. Legal requirements

B. Business requirements

C. The recovery budget

D. Resource availability

32. An organization is in the process of acquiring a new recovery site as the old site is no longer adequate to support the business
objectives. Until the new site is available, which of the following objectives for recovery will have to be changed?

A. The recovery budget

B. The recovery point objective

C. The service delivery objective

D. The business continuity plan (BCP) test

33. A new security manager notes that the organization has multiple data centers and has arranged one of its own data centers as a
recovery site instead of having a dedicated recovery site. Which is the area of major concern?

A. Difficulty in establishing communication with the data center

B. Differences in the processing capacity load with the data center

C. Difficulty in conducting business continuity plan testing


D. Differences in the system software version with the data center

34. An organization has developed an automated tool to manage and store its business continuity plan. The security manager should
be most careful:

A. To ensure the availability of the tool when a disaster occurs

B. To ensure that the maintenance cost is within the approved budget

C. To ensure that the tool has appropriate version control

D. To ensure that access is available to the authorized individuals

35. An incident response team has activated a recovery site. Even though the processing capability is only half of the primary site, the
team notifies the management that they have restored the critical system. This indicates that the team has achieved:

A. A key performance indicator

B. The recovery point objective

C. The service delivery objective

D. The recovery time objective

36. What is the most effective way to ensure that incident response activities are aligned with the requirements of business continuity?

A. To conduct a scenario-based structured walk-through

B. To distribute the incident response procedure enterprise-wide

C. To develop a working group represented by each department

D. To benchmark the incident response procedure with industry standards

37. "In the event of a disaster, the backup of the end of the previous day should be restored." Which of the following is relevant to this
statement?

A. The recovery time objective

B. The recovery point objective

C. The allowable interruption window

D. The service delivery objective

38. The recovery point objective is determined on the basis of:

A. The acceptable system downtime

B. The available security budget

C. The acceptable level of service

D. The extent of acceptable data loss

39. The most important factor for the successful recovery of a business is:

A. A copy of the disaster recovery plan being maintained at the offsite facility

B. Separate ISPs for network redundancy

C. Equipment required for a hot site being determined on a regular basis

D. Documented criteria for declaring a disaster being available

40. A security manager notes that it is not possible to restore the data in the available time considering various constraints. What
solution should they suggest?

A. To increase the recovery time objective

B. To decrease the security budget

C. To adjust the maximum tolerable outage

D. To adjust the allowable interruption window

41. Which of the following is not a characteristic of hot site provisioning?

A. A hot site is situated in another city.

B. All equipment at the hot site is provided at the time of disaster but is not available on the data center floor.

C. A hot site will be shared with multiple clients.

D. Equipment at the hot site will not be an exact replica of the original site. Some equipment may be substituted with
equivalent models.

42. An area of major concern for a reciprocal arrangement for disaster recovery is:

A. Variations in processes between both organizations

B. Variations in the BCP testing procedures between both organizations

C. Variations in infrastructure and capacity between both organizations

D. Variations in the security policy and procedures between both organizations


10

Incident Management Operations



In this chapter, you will learn about the practical aspects of information security incident
management and understand the importance of building resilient business processes. You will also
explore the practical aspects of business continuity, and disaster recovery plans and processes, as well
as the various aspects of testing incident responses.

The following topics will be covered in this chapter:


Incident Management Tools and Technologies

Executing Response and Recovery Plans

Incident Containment Methods

Incident Response Communication

Incident Eradication

Recovery

Post-Incident Review Practices

Incident Response Procedures

Incident Management Metrics and Indicators

The Current State of Incident Response Capabilities

Incident Management Tools and Technologies


An information security manager needs to have a basic understanding of the following tools and
technologies for managing incidents:
Incident management systems

Personnel

Audits

Outsourced security providers

Incident Management Systems


In recent years, a high volume of data and activities has prompted organizations to invest in and
adopt automated incident management systems (IMSs). Many previously manual processes are
automated by these systems, which filter data to help identify potential incidents and alert the
incident management team (IMT).

An IMS can be a distributed or a centralized system. In a distributed system, multiple sensors are deployed to monitor for incidents, for example, network intrusion detection systems (NIDSs), host-based intrusion detection systems (HIDSs), and log collectors on individual systems.

Security information and event management (SIEM) is a centralized system: an automated log collector that obtains and correlates significant events and logs from a variety of systems and devices. The collected data is analyzed to arrive at meaningful information about incidents.

An information security manager needs to have a basic understanding of the following incident
management systems:
Security information and event management

Endpoint detection and response

Extended detection and response

Managed detection and response

Security Information and Event Management


Security information and event management (SIEM) is the most effective method to determine aggregate risk from different sources, because it is the one place where events from many systems are brought together and correlated. For the same reason, it is the best method to counter advanced persistent threats, whose individual steps look benign in any single log. A SIEM can detect attacks by signature or by behavior (heuristics-based) analysis.

If properly deployed, configured, and tuned, it substantially reduces the time needed to detect incidents compared to manual log reviews; an untuned SIEM mostly produces noise.

Endpoint Detection and Response
Most attacks gain their initial foothold on endpoint devices such as personal computers, laptops, and mobile devices, so organizations place particular emphasis on protecting them. Endpoint detection and response (EDR) aims to be proactive (rather than only reactive) and focuses on detecting threats and malware designed to circumvent typical security measures. EDR solutions record a historical audit trail of system and user behavior and security events that security analysts can examine later, so they support not only incident response but also root cause analysis.

EDR is an advanced solution that typically integrates the functions of antivirus, a host firewall, application whitelisting, and monitoring tools.

In addition to file analysis and threat detection, most EDR solutions also have built-in machine learning capabilities.

Extended Detection and Response
Extended detection and response (XDR) is an evolution of EDR. As the name implies, XDR extends beyond individual endpoints to also cover servers, cloud workloads, and networks.

XDR expands on EDR's capabilities by using automation, machine learning, and artificial intelligence to enhance an organization's defenses.

Managed Detection and Response
Managed detection and response (MDR) is a combination of technology and a service provider. MDR is beneficial for organizations that lack the expertise, abilities, and resources to effectively monitor potential attack vectors. The implementation of the technology is usually the responsibility of the service provider.

Personnel
The composition of an IMT varies from organization to organization depending on the nature and
complexity of business processes. An information security manager generally leads the team. Large
organizations generally prefer to have a separate incident response team leader who can concentrate
on responding to incidents.

An incident management team is generally overseen by a security steering group/committee (SSG/SSC) or an advisory board. The steering committee is made up of senior management executives and members of the board. The SSG is responsible for approving the IMT charter, and any deviation from the incident management policy needs to be approved by the SSG.
Incident Response Teams
As discussed earlier, the role of an incident response team (IRT) is to respond to incidents to limit
the damage to the organization. The following are some models for deploying an IRT.

Central IRTs
In a small business, or one that is centrally located, a single IRT manages all incidents for the entire
organization.

Distributed IRTs
Generally, in large organizations, different IRTs are made responsible for specific infrastructure. This
model is generally prevalent for organizations that have multiple units scattered geographically.

Coordinating IRTs
A central team may provide direction to distributed IRTs, set policies and standards, provide training,
conduct drills, and coordinate or support incident responses. Incident response is managed and
implemented by the distributed teams.

Audits
Audits are conducted to ensure that an organization's policies, standards, and processes are being followed. Regular audits of the processes and procedures help to ensure that security controls are effective and that they are implemented as required by the incident management policy.

Audits provide the opportunity to address identified gaps and improve the overall incident
management procedures of the organization.

Outsourced Security Providers


Many small organizations lack the internal resources to manage incidents. In these cases, outsourcing
the incident management capability is a cost-effective solution. When incident management functions
are entirely or partially outsourced, the information security manager should consider the following:
Clearly understand the provider's capabilities and response times, and develop adequate SLAs that contain the security requirements of the organization

Periodically reconcile the provider's incident data with the organization's own data to ensure that incident management efforts are aligned

Integrate the provider's systems with the organization's systems so that incident management systems and processes work end to end

Audit the provider periodically

Conduct a root cause analysis for each incident identified by the provider

NOTE
The answers and explanations for all practice and revision questions for this chapter can be found via this link.

Practice Question Set 1


1. As a newly appointed information security manager, you are required to implement a continuous monitoring process for critical
applications. Continuous monitoring helps with:

A. Minimizing the impact of incidents

B. Adherence to regulatory requirements

C. Identifying critical applications

D. Evaluating the performance of IT resources

2. As an information security manager, you are required to set up an incident handling team. What is the most desired attribute for an
incident handler?

A. The ability to communicate with senior management

B. The ability to train and educate fellow employees

C. The ability to maintain a relationship with departmental heads

D. The ability to handle stress amidst chaos

Executing Response and Recovery Plans


Security managers need to consider various aspects with respect to the execution of a response and
recovery plan. For the smooth execution of the plan, it is very important to have defined roles and
responsibilities for each individual. For the overall management of the plan, there should be a
facilitator or director who is in charge of execution. This role should be assigned to a senior executive
who has sufficient authority to make decisions during the crisis.

A security manager should consider the following aspects for the execution of the plan:
To ensure that control procedures are implemented in such a way that risks are actually addressed. For example, the mere installation of anti-malware is not sufficient: virus signature files should be updated at regular intervals (ideally automated to update daily), because any gap between updates leaves systems exposed to malware released in the meantime.

In the case of a malware-infected server, rebuild the server from the original media and then apply all subsequent patches. Merely cleaning the server leaves the risk of hidden malware (rootkits, backdoors) that the scanner missed.

Synchronize all applications and servers with a common time server. During a forensic investigation, a common time reference lets logs from different systems be correlated and the course of events reconstructed accurately.

In the event of a security breach, keep senior management informed about the impact on the organization and the details of the corrective actions taken.
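The SIEM correlation described under Incident Management Systems and the common time reference recommended above come together in the following added example, which is not code from the book. It parses constructed sample log lines from three sources (an sshd auth log, an nginx access log, and a firewall log), each stamped in a different local time zone or in epoch seconds, normalizes every timestamp to UTC, sorts the result into one timeline, and runs a two-stage correlation rule over it: repeated failed logins followed by a success from the same source, then a large download from that source shortly afterwards. The log formats, IP addresses, and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample logs (assumption, not real data). Each source stamps
# time differently: sshd in local time +0100, nginx in local time -0500,
# the firewall in epoch seconds (UTC). 1709539200 is 2024-03-04T08:00:00Z.
AUTH_LOG = """\
2024-03-04 09:00:01 +0100 sshd: Failed password for admin from 203.0.113.7
2024-03-04 09:00:03 +0100 sshd: Failed password for admin from 203.0.113.7
2024-03-04 09:00:05 +0100 sshd: Failed password for admin from 203.0.113.7
2024-03-04 09:00:06 +0100 sshd: Failed password for admin from 203.0.113.7
2024-03-04 09:00:09 +0100 sshd: Accepted password for admin from 203.0.113.7
2024-03-04 09:30:00 +0100 sshd: Failed password for alice from 198.51.100.2
"""
WEB_LOG = """\
203.0.113.7 - - [04/Mar/2024:03:01:10 -0500] "GET /export.php?all=1 HTTP/1.1" 200 9812331
198.51.100.2 - - [04/Mar/2024:03:02:00 -0500] "GET /index.html HTTP/1.1" 200 512
"""
FW_LOG = """\
1709539200 fw: DROP src=203.0.113.7 dst=192.0.2.10 dpt=23
1709539202 fw: ACCEPT src=203.0.113.7 dst=192.0.2.10 dpt=22
"""

AUTH_RE = re.compile(r"^(\S+ \S+ [+-]\d{4}) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) (\d+)$')
FW_RE = re.compile(r"^(\d+) fw: (DROP|ACCEPT) src=(\S+) dst=\S+ dpt=\d+$")


@dataclass(order=True)
class Event:
    """One normalized event. Ordering is by UTC timestamp only."""
    ts: datetime
    source: str = field(compare=False)
    kind: str = field(compare=False)
    src_ip: str = field(compare=False)
    user: str = field(default="", compare=False)
    bytes_out: int = field(default=0, compare=False)


def parse_auth(line):
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
    kind = "auth_fail" if m.group(2) == "Failed" else "auth_success"
    return Event(ts, "sshd", kind, m.group(4), user=m.group(3))


def parse_web(line):
    m = WEB_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return Event(ts, "nginx", "http_response", m.group(1), bytes_out=int(m.group(4)))


def parse_fw(line):
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    return Event(ts, "fw", "fw_" + m.group(2).lower(), m.group(3))


def build_timeline(auth=AUTH_LOG, web=WEB_LOG, fw=FW_LOG):
    """Parse all sources and return one list ordered by UTC time.

    Sorting is only meaningful because every timestamp is tz-aware and has
    been converted to UTC; sorting on the raw local strings would place the
    nginx entries (-0500) before the firewall entries they actually follow.
    """
    events = []
    for text, parser in ((auth, parse_auth), (web, parse_web), (fw, parse_fw)):
        for line in text.splitlines():
            ev = parser(line)
            if ev is not None:
                events.append(ev)
    return sorted(events)


def correlate(events, fail_threshold=3, fail_window=60, success_window=120,
              exfil_window=300, exfil_bytes=1_000_000):
    """Two-stage rule: brute-force success, then a large download from that source."""
    fails = defaultdict(deque)   # (src_ip, user) -> recent failure timestamps
    compromised = {}             # src_ip -> time of the suspicious successful login
    alerts = []
    for ev in events:
        if ev.kind == "auth_fail":
            q = fails[(ev.src_ip, ev.user)]
            q.append(ev.ts)
            while q and (ev.ts - q[0]).total_seconds() > fail_window:
                q.popleft()
        elif ev.kind == "auth_success":
            q = fails.get((ev.src_ip, ev.user))
            if q and len(q) >= fail_threshold and (ev.ts - q[-1]).total_seconds() <= success_window:
                alerts.append({"rule": "brute_force_success", "ts": ev.ts,
                               "src_ip": ev.src_ip, "user": ev.user, "failures": len(q)})
                compromised[ev.src_ip] = ev.ts
        elif ev.kind == "http_response" and ev.src_ip in compromised:
            if ((ev.ts - compromised[ev.src_ip]).total_seconds() <= exfil_window
                    and ev.bytes_out >= exfil_bytes):
                alerts.append({"rule": "possible_exfiltration", "ts": ev.ts,
                               "src_ip": ev.src_ip, "bytes_out": ev.bytes_out})
    return alerts


if __name__ == "__main__":
    timeline = build_timeline()
    for ev in timeline:
        print(ev.ts.isoformat(), ev.source, ev.kind, ev.src_ip, ev.user or "-")
    for alert in correlate(timeline):
        print("ALERT", alert)
```

Run stand-alone, it prints the merged UTC timeline followed by two alerts. The second rule only fires because the nginx entry can be placed relative to the sshd success; if the web server's clock were skewed by a few minutes, the download would fall outside the window and the correlation would be lost, which is the practical reason for the common time server above.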

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the ideal frequency for updating the virus signature files for anti-malware software?
Possible Answer: Ideally, the update should be automated and run daily.

Question: What information should be provided to senior management in the event of a security breach?
Possible Answer: The impact on the organization and details of the corrective actions taken.

Question: What is the air gap technique for data backup?
Possible Answer: The air gap technique is a backup and recovery strategy in which, at any given time, a copy of the organization's sensitive data is offline, disconnected, and unreachable from the network. An attacker who has compromised the production environment cannot reach that copy remotely, so it survives ransomware and other destructive attacks, provided the offline copy is also tested for restore.

Figure 10.1: Key aspects from the CISM exam perspective

Practice Question Set 2


1. As a newly appointed information security manager, you notice that your organization has implemented automatic updating of
virus signature files every Saturday morning. What is the area of most concern?

A. The unavailability of technical staff to support the update

B. Applications being exposed to new viruses during the intervening week

C. Systems not being tested after signature file updates

D. A failed batch can be rectified only on Monday

2. A compromised server has been isolated and appropriate forensic processes have been completed. What should the next step be?

A. Reusing the server after due scanning


B. Discontinuing the use of the server

C. Using the server as a honeypot

D. Rebuilding the server with original media and subsequent patches

3. A security manager has discovered that a hacker is analyzing the network perimeter. What action should they take?

A. Reboot the firewall

B. Check intrusion detection system logs and monitor any active attacks

C. Update the intrusion detection system version

D. Initiate server trace logging

4. A security manager is investigating a breach by analyzing logs from different systems. What will best support the correlation
between these logs?

A. An application server

B. A domain name server

C. A time server

D. A database server

5. A hacker was successful in gaining access to an application by guessing the password of a shared administrative account. The
security manager can detect this breach by analyzing the:

A. Router logs

B. Invalid login attempts

C. Password complexity rules

D. Concurrent logins

6. A security manager has discovered that a hacker is probing the organization's network. What should their first action be?

A. Rebooting the router connecting to the demilitarized zone

B. Switching off all servers located in the demilitarized zone

C. Monitoring the probe and isolating the affected segment

D. Initiating the server trace logging

7. Once a security breach has occurred in an organization, what is the most important aspect to be reported to senior management?

A. Details of security logs indicating the source of the breach

B. Reports of similar incidents at the organization

C. A business case for increasing the security budget

D. The impact of the incident and corrective action taken

8. An incident with serious consequences should be communicated by the security manager:


A. To the appropriate regulatory body once the perpetrator is identified

B. To management after determining the severity of the incident

C. To the insurance company to compensate for business disruption

D. To the legal department to initiate legal proceedings

Incident Containment Methods


Containment includes all activities and procedures undertaken to reduce the impact of an incident.
The objective of containment is to stop the spread of the incident. It does not necessarily identify or
correct the root cause of the incident. The following are some examples of containment:
Removing the infected device from the network

Escalation to relevant stakeholders

Updating the firewall rules to block/deny/drop traffic

Because each incident is different, the methods used for containment must be tailored. The responsibility for initiating a containment action should reside with a senior officer, as the benefits and drawbacks of an action (for example, the evidence lost by powering off a host, or the business disruption caused by blocking traffic) must be weighed before it is taken.
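The containment actions listed above have to be recorded so that the order of events can be reconstructed later, and evidence has to be captured before an action destroys it. The following added example, which is not code from the book, keeps a hash-chained log of evidence captured and containment actions taken for one incident: each entry commits to the hash of the previous entry, so an edited, removed, or reordered entry is detected by verification, and the log refuses state-destroying actions such as host isolation until something has been preserved from that host. The incident identifier, host names, the action names, and the rule that isolation requires prior evidence capture are all assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64
# Actions that destroy volatile state (network connections, processes, memory);
# the log refuses them until evidence has been preserved for that target.
# Assumed policy for this example, not a rule from the book.
EVIDENCE_FIRST = {"isolate_host", "power_off", "reimage"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _stamp(ts):
    return (ts or datetime.now(timezone.utc)).isoformat()


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return sha256_hex((prev_hash + canonical).encode())


class ContainmentLog:
    """Hash-chained record of evidence captured and containment actions taken."""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []          # list of (record, chain_hash)
        self._preserved = set()    # targets with at least one evidence entry

    def _append(self, record: dict) -> str:
        prev = self.entries[-1][1] if self.entries else GENESIS
        record = dict(record, incident=self.incident_id, seq=len(self.entries))
        chain_hash = _entry_hash(prev, record)
        self.entries.append((record, chain_hash))
        return chain_hash

    def preserve(self, target: str, label: str, artifact: bytes, ts=None) -> str:
        """Record what was captured from a target and the SHA-256 of the capture."""
        self._preserved.add(target)
        return self._append({"type": "evidence", "target": target, "label": label,
                             "sha256": sha256_hex(artifact), "size": len(artifact),
                             "ts": _stamp(ts)})

    def act(self, action: str, target: str, approved_by: str, ts=None) -> str:
        """Record a containment action; refuse state-destroying ones with no evidence."""
        if action in EVIDENCE_FIRST and target not in self._preserved:
            raise RuntimeError(f"capture evidence from {target} before {action}")
        return self._append({"type": "action", "action": action, "target": target,
                             "approved_by": approved_by, "ts": _stamp(ts)})

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed, or reordered entry fails."""
        prev = GENESIS
        for i, (record, chain_hash) in enumerate(self.entries):
            if record.get("seq") != i or _entry_hash(prev, record) != chain_hash:
                return False
            prev = chain_hash
        return True


def demo():
    """Constructed walk-through: evidence first, then block, then isolate."""
    log = ContainmentLog("INC-0042")
    t0 = datetime(2024, 3, 4, 8, 5, tzinfo=timezone.utc)
    log.preserve("web-01", "volatile: connections and process list", b"constructed capture", ts=t0)
    log.act("block_ip", "203.0.113.7", "soc-lead", ts=t0)
    log.act("isolate_host", "web-01", "soc-lead", ts=t0)
    return log


if __name__ == "__main__":
    log = demo()
    for record, chain_hash in log.entries:
        print(chain_hash[:16], json.dumps(record, sort_keys=True))
    print("chain intact:", log.verify())
```

The chain only proves that the log was not altered after the fact by someone who does not also rewrite every later hash; to make it tamper-evident against the team that writes it, periodically copy the latest chain hash somewhere the team cannot modify, such as the ticket raised with senior management or a write-once store.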

Practice Question Set 3


1. As an information security manager, you note that your organization is at risk of a ransomware attack. What is the most effective
method to minimize the impact of a successful ransomware attack?

A. Increase the number of information security staff/resources

B. Discontinue the use of third-party services

C. Implement structured backup procedures

D. Increase user awareness

2. As an information security manager, you have instructed your team to contain the impact of an ongoing server hack. Which of the
following is the most crucial when containing the incident?

A. Conducting a root cause analysis before containment

B. Preserving evidence

C. Meeting the recovery time objective

D. Informing senior management

3. What is the most important consideration while containing an incident?

A. The use of automated tools

B. Logging containment procedures


C. Preserving forensic evidence

D. Meeting the recovery time objective

4. As an information security manager, you note an active security attack in which data is being extracted piecemeal from the
organization's database. What should your first course of action be?

A. Updating senior management

B. Conducting a root cause analysis to address the gap

C. Recording the activities of the attacker

D. Preventing traffic from reaching the attacker's servers

5. As an information security manager, you note ransomware on a few of the network computers. Your first step should be:

A. To isolate the systems that are affected from the network

B. To notify the affected colleagues

C. To conduct a root cause analysis

D. To restore the affected system with the latest backup file

Incident Response Communications


The primary objective of a communication plan is to educate employees on their roles and
responsibilities with respect to the communication process. It includes processes such as who should
authorize the communication, who should communicate, how to communicate, whom to
communicate with, and what to communicate. A structured communication process during an
incident improves the effectiveness of the incident response.

It is essential to define the various communication channels for the passing of information during an
incident. Further, communication should be done only by authorized officials. This is to ensure that
the chances of misunderstanding and disinformation are minimized to the greatest extent possible.

The list of official communication channels and authorized officials must be documented and
communicated with each member. An information security manager should consider the availability
of alternate communication channels in case the original channel gets corrupted or compromised.

An incident management team needs to document the contact details (phone number, email address, and so on) of key stakeholders such as senior management, legal counsel, HR, service providers, PR officials, law enforcement, and insurance companies.

Practice Question Set 4


1. As an information security manager, you have instructed your team to prepare a draft version of the incident communication plan.
Primarily, a communication plan should include:

A. The detailed process on when and how to communicate with stakeholders

B. The legal clauses impacting incident communication

C. The social media handling process

D. The insurance handling process

2. As an information security manager, you have instructed your team to prepare a draft of the incident communication plan. What is
the most important reason for having a defined communication plan?

A. Compliance with laws and regulations

B. Providing updated statuses to stakeholders

C. Improvements in the security posture of the organization

D. Improvements in incident response

3. As an information security manager, you have instructed your team to prepare a draft of the incident communication plan. What is
the primary benefit you expect from the communication plan?

A. Compliance with laws and regulations

B. Ease in conducting a root cause analysis

C. Effective communication with stakeholders

D. Ready-made templates for incident communication

Incident Eradication
As you learned previously in this chapter, the objective of the containment process is to stop the spread of an incident. The phase after containment is eradication. The objective of eradication is to identify and correct the root cause that led to the incident. Once containment has been implemented successfully, eradication should be appropriately planned and performed. The following are some activities performed during eradication:
Root cause analysis

Updating the firewall and anti-virus to address any gaps

Scanning the system to determine whether any vulnerabilities remain unnoticed

Practice Question Set 5


1. As an information security manager, you are required to determine the point from which the recovery point objective is calculated. Your best choice would be:

A. The point at which incident response is initiated


B. As deemed fit by the recovery manager considering the crisis

C. Before image restoration

D. The point that aligns with the recovery time objective

2. As an information security manager, you are required to determine the point at which restoration will be considered complete.
Your best choice would be:

A. The recovery time objective

B. The service delivery objective

C. The allowable interruption window

D. The resumption of normal business transactions

3. As an information security manager, your team informs you that they are in the eradication phase of a recent cyberattack on the
organization. Which of the following activities is part of the eradication phase?

A. Isolating the impacted systems to limit the spread of the incident

B. Scanning the entire network and systems to remove and clean up any malware

C. Restoring the impacted systems to normal operations

D. Analyzing the incident response process for learning and improving

4. As an information security manager, you were successful in containing a malware incident. Before restoring the systems, the most
important step is to:

A. Get approval from senior management

B. Analyze the incident response efforts for learning

C. Eradicate malware from the network

D. Conduct an impact analysis

Recovery
After the successful eradication of an incident, the next phase is recovery. The objective of the
recovery phase is to ensure that the business is brought back to its original state by restoring the
impacted systems.

While implementing recovery procedures, information security management needs to be careful and vigilant to ensure that the same vulnerabilities are not reintroduced. Once a system has been compromised, there is no assurance that all abnormalities have been eradicated. An information security manager should avoid rushing to recover. Recovery procedures should be planned, tested, and implemented under the supervision of a senior official. The following are some activities performed during recovery:
Configuration of the security baseline

Testing

Monitoring performance

Practice Question Set 6


1. As a newly appointed information security manager, you notice that an organization relies on the manual review of event logs to
detect incidents. This leads to a considerable time lag for the identification of incidents. Which of the following is the best way to
address the issue?

A. Appointing more resources to review the event logs

B. Recording only high-impact event logs

C. Proactively looking for incidents reported by other organizations

D. Implementing a security information and event management (SIEM) system to automate log analysis

2. As an information security manager, you are in the process of seeking approval for the installation of an EDR system. The most
appropriate capability of an EDR that should be included in your business case is:

A. An EDR is capable of monitoring user performance

B. An EDR is capable of blocking blacklist websites

C. An EDR is capable of identifying and blocking malware

D. An EDR is capable of performing forensic analysis and identification of emerging threats and suspicious activities

3. As an information security manager, you were successful in containing and restoring the system after a malware incident. What
should your next step be?

A. Presenting a post-incident review report to senior management

B. Analyzing the incident response efforts for learning

C. Restoring the system to normal operations

D. Conducting an impact analysis

Post-Incident Activities and Investigations


The objective of a post-incident review is to learn from each incident and improve the organization's
response and recovery procedures. Lessons learned during incident management can best be used to
inform the overall improvement of the security posture of the organization as well as the incident
management process.

During a post-incident review, the overall cost of the incident is determined. Cost includes loss or
damage to infrastructure, loss of business, cost of recovery, and the cost of the resources used to
handle the incident. This cost provides useful metrics to justify the existence of the incident
management team.
Identifying the Root Cause and Taking Corrective Action
An information security manager should appoint an event review team. This team should be
responsible for determining the root cause of the incident and suggesting the appropriate actions that
should be taken to prevent any reoccurrence of the incident.

Sometimes a security manager obtains the services of third-party experts for an independent and
objective review of the root causes of incidents.

Documenting Events
It is very important to have a structured process for documenting all the events related to the incident.
This serves as crucial evidence for further investigation. It can also be provided to authorities for
forensic analysis. This process of recording events should be entrusted to an employee who is well-
versed in forensic processes.

Documentation also helps to analyze complete incidents during the post-incident review.

Chain of Custody
A security manager should make sure that the appropriate chain of custody process is defined and
documented for the correct handling of evidence. Chain of custody is a legal term referring to the
order and manner in which evidence is handled. It ensures the integrity of the evidence and its
admissibility in a court of law.

The first step in any forensic investigation is to determine the process to ensure chain of custody. The
evidence handling procedure should be designed in consultation with the legal department, the IT
department, business process owners, and forensic experts.
Figure 10.2: Forensic investigation

A security manager should establish the following framework to establish the chain of custody:
Evidence should be handled by authorized officials only. The expertise of employees is the most important factor in a forensic
investigation.

In the case of an ongoing incident, power should be disconnected only after consulting forensic experts as sudden power loss may
corrupt the information on the hard disk or may cause the loss of data in volatile memory. Other means of isolation and
containment should be given preference.

Forensic tools should be used to create bit-by-bit copies of the hard disk and other media to ensure legal admissibility. A bit-by-bit
image ensures that erased or deleted files and data in slack space are also copied. Any further analysis or testing should be done
on this copy. The original media should remain unchanged.

A dedicated custodian should be appointed who will keep safe custody of the evidence.

Data from the original device should be copied using a cable with a write protect diode (write block) to prevent writing on the
original drive.

Once data has been copied from the original media, the hash value of the original media and the copy should be calculated and
compared to ensure that the copy is an exact image of the original media.

The procedure followed for detection, extraction, and analysis of all the evidence should be appropriately recorded along with
details of time, date, tools used, forensic experts present, and other relevant records. This will help to establish that the
investigation is fair, unbiased, and well documented.

The above procedures should be well documented and frequent training should be given to the
concerned employees.
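As an added example (not from the book), the following Python sketch shows the hash comparison and chain-of-custody recording described above: a bit-by-bit copy of constructed sample media is hashed alongside the original, each handling step is logged with time, handler, tool, and hash, and an inadvertent later change to the original is caught as a hash mismatch. The media bytes, the evidence ID, the handler and tool names, the SHA-256 algorithm, and the log fields are all assumptions.

```python
"""Hash verification of a forensic image plus a chain-of-custody log.

Added example; the media bytes, evidence ID, handler, tool name, hash
algorithm (SHA-256) and log fields are all constructed assumptions.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed stand-in for the raw bytes of the original drive. It includes
# zeroed (unallocated) regions and a "deleted" record, which a bit-by-bit
# image preserves but a file-level copy would drop.
ORIGINAL_MEDIA = (
    b"BOOT\x00\x00"
    + b"file1: quarterly report\n"
    + b"\x00" * 16
    + b"[deleted] file2: payroll\n"
    + b"\x00" * 8
)


def sha256_hex(data: bytes) -> str:
    """Hash used to prove the image is an exact replica of the original."""
    return hashlib.sha256(data).hexdigest()


def bit_by_bit_image(media: bytes) -> bytes:
    """Copy every byte, including unallocated space and deleted content."""
    return bytes(media)


@dataclass
class CustodyEntry:
    timestamp: str
    action: str
    handler: str
    tool: str
    sha256: str


@dataclass
class CustodyLog:
    """Who did what, when, with which tool, and the hash observed at that step."""
    evidence_id: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, action: str, handler: str, tool: str, data: bytes,
               when: Optional[datetime] = None) -> CustodyEntry:
        ts = (when or datetime.now(timezone.utc)).isoformat()
        entry = CustodyEntry(ts, action, handler, tool, sha256_hex(data))
        self.entries.append(entry)
        return entry


def verify_image(original: bytes, image: bytes) -> bool:
    """The copy is complete, correct and accurate only if both hashes agree."""
    return sha256_hex(original) == sha256_hex(image)


def acquire_image(original: bytes, log: CustodyLog, handler: str, tool: str,
                  when: Optional[datetime] = None) -> bytes:
    """Hash the original (read through a write blocker), image it, hash the
    image, log both steps, and refuse an image whose hash does not match."""
    log.record("hash original media (write blocker attached)", handler, tool, original, when)
    image = bit_by_bit_image(original)
    log.record("create bit-by-bit image", handler, tool, image, when)
    if not verify_image(original, image):
        raise ValueError("image hash differs from original; acquisition invalid")
    return image


def custody_intact(log: CustodyLog, current_bytes: bytes) -> bool:
    """Re-hashing the evidence later must reproduce the acquisition hash;
    a mismatch means the evidence was altered after acquisition."""
    return bool(log.entries) and log.entries[0].sha256 == sha256_hex(current_bytes)


if __name__ == "__main__":
    log = CustodyLog("EV-0001")  # constructed evidence ID
    image = acquire_image(ORIGINAL_MEDIA, log, "J. Examiner", "imaging-tool-x")
    print("image verified:", verify_image(ORIGINAL_MEDIA, image))
    # Analysis is done on the image; the original is never touched again.
    # Simulate an inadvertent write to the original and show it is detected.
    altered = bytearray(ORIGINAL_MEDIA)
    altered[10] ^= 0xFF
    print("custody intact after alteration:", custody_intact(log, bytes(altered)))
    for e in log.entries:
        print(e.timestamp, e.action, e.handler, e.tool, e.sha256[:16] + "...")
```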
Key Aspects from the CISM Exam Perspective
The following are some key aspects from the exam perspective:

Question: What is the reason for consulting third-party teams to carry out post-event reviews of incidents?
Possible answer: For independent and objective reviews of the root causes of incidents

Question: What is the first step when initiating a forensic investigation?
Possible answer: Determining the process to ensure a chain of custody

Question: What is the most important objective of a post-incident review?
Possible answer: To document and analyze the lessons learned and to improve the process

Question: What is the best process to copy from media that is part of forensic evidence?
Possible answer: To create a bit-by-bit image of the original media source in new media

Question: What is the most important factor of forensic investigations that will potentially involve legal action?
Possible answer: Chain of custody

Question: What is the most important consideration for collecting and preserving admissible evidence during an incident response?
Possible answer: Chain of custody

Question: What is the reason for not immediately disconnecting power during an ongoing incident?
Possible answer: Power loss may corrupt the information on the hard disk or may cause a loss of data in volatile memory.

Question: What is the best way to determine that the copy of the original media is complete, correct, and accurate?
Possible answer: Comparing the hash values of both images

Question: What is the primary purpose for maintaining incident history?
Possible answer: To track and record the progress of the incident handling process

Question: What are the basic steps for investigating a suspected hard disk or server?
Possible answer:
1. The first action is to create a bit-by-bit image of the original media.
2. The second step is to create and compare the hash values of the original media and the copied media. This will help to ensure that the copy is an exact replica of the original.
3. Start analyzing from the copied drive. To the extent possible, forensic analysis should not be performed on the original media, as it may impact the integrity of the evidence.

Figure 10.3: Key aspects from the CISM exam perspective

Practice Question Set 7


1. What is the prime objective of involving a third-party team in a post-incident review?

A. To have an independent and objective review of the root cause of the incident

B. To lower costs on the post-incident review

C. To utilize the expertise of third-party teams

D. To identify the lessons learned

2. As an information security manager, you are required to set up a process for forensic investigation. The most important element of
a forensic investigation is:

A. A structured incident management system

B. Defined roles and responsibilities for the incident management team

C. The involvement of a legal expert

D. The expertise of the investigators

3. An organization is impacted by a major security incident. The incident has been contained and a forensic investigation is in
process. What is the most important aspect while collecting the evidence for forensic analysis?

A. Assigning the job to a qualified person

B. Asking the end user to create an image copy

C. Ensuring that evidence is stored at an offsite location

D. Ensuring that evidence is collected in the presence of law enforcement

4. What should the first step be while taking a forensic image of a hard drive?

A. Determining the forensic software to take the image


B. Establishing the chain of custody log

C. Enabling a write blocker on the hard disk

D. Creating a cryptographic hash of the hard disk contents

5. The prime purpose of conducting a post-incident review is:

A. To determine the lessons learned to improve the process

B. To ensure adherence to the security budget

C. To review the performance of the incident response team

D. To determine the effectiveness of new incident management software

6. The prime purpose of conducting a post-incident review is:

A. To determine the integrity of evidence for legal proceedings

B. To identify the lessons learned

C. To identify the source of the incident

D. To identify vulnerable areas

7. A security manager has discovered that original data was inadvertently altered while collecting forensic evidence. What should
have been the first action in a forensic investigation?

A. Creating a backup of all media that is to be used for investigation

B. Copying a bit-by-bit image from the original media to new media

C. Creating a cryptographic hash of the hard disk contents

D. Installing an error-checking program to ensure that there is no disk error

8. What is the most important aspect of collecting and preserving admissible evidence?

A. Isolating the system

B. Chain of custody

C. Segregation of duties

D. Time synchronization

9. What is the most important aspect when evidence is to be used in legal proceedings?

A. Whether the investigator is independent

B. Whether the investigation was done in a timely manner

C. Whether the perpetrator has been identified

D. Whether the chain of custody was maintained

10. What should the security manager's first step in the aftermath of a distributed denial of service attack be?
A. To perform a penetration test to determine system vulnerability

B. To conduct an assessment to determine the system status

C. To notify law enforcement

D. To isolate the firewall

11. Which of the following is considered a violation of the chain of custody?

A. The suspected hard drive was not removed in the presence of a law enforcement agency

B. The suspected hard drive was kept in a tape library for further analysis

C. The suspected hard drive was stored in a safe under dual control

D. The suspected hard drive was handed over to authorized independent investigators

12. A rootkit was installed on a server and the organization's critical data was stolen. What should the security manager's next step be
to ensure the admissibility of evidence in legal proceedings?

A. Proper documentation of events

B. Timely notification to law enforcement

C. Taking an image copy of the media

D. Scrapping the affected server

13. What is the most important aspect when evidence is to be used in legal proceedings?

A. Timely detection of evidence

B. Preserving the integrity of the evidence

C. Isolating all IT equipment

D. Documenting the sequence of events

14. What is the best source to analyze a compromised server for forensic investigation?

A. A bit-level copy of the server

B. Backup data of the server maintained at an offsite location

C. Volatile memory data

D. Original compromised server

15. What is the main reason to conduct a post-incident review?

A. To adhere to the incident management policy

B. To preserve forensic evidence

C. To improve the response process

D. To ensure proper documentation


16. What is the most important aspect when evidence is to be used in legal proceedings?

A. The hard drives should be encrypted

B. The use of generic audit software for data analytics

C. Proven forensic processes are applied

D. The use of automated log review software

17. Which among the following should be the priority during a forensic analysis of electronic information?

A. Documenting the events

B. Locating the evidence and preserving the integrity of the evidence

C. Creating a quality forensic image

D. Identifying the perpetrator

18. When handling an incident, what should the most important aspect be during interaction with the media?

A. The use of specially drafted messages by an authorized person

B. Providing all evidence under investigation

C. Denying any response until recovery has taken place

D. Reporting the impact and recovery status

19. What is the main reason for not disconnecting power when analyzing the suspicious behavior of a computer?

A. To ensure the safety of the hard drive

B. To contain the spread of exposure

C. To prevent the loss of data in server logs

D. To prevent the loss of data available in the volatile memory

20. Data recovery from a specific file will be most challenging when:

A. All files in the directory have been erased

B. The disk has been formatted

C. The file contents have been overwritten multiple times

D. The partition table on the disk has been deleted

Incident Response Procedures


The most effective method to handle an incident is to lay down a structured process for incident
management.
Figure 10.4: The preparedness of the incident management team

A well-defined incident management process will yield far better results in reducing business
disruptions compared to unorganized incident management processes.

The Outcome of Incident Management


A security manager should understand that good incident management will have the following
outcomes:
The organization can effectively handle any unanticipated events.

The organization will have robust detection techniques and processes for the timely identification of incidents.

The organization will have well-defined criteria for defining the severity of incidents and an appropriate escalation process.

The organization will have experienced and well-trained staff available for the effective handling of incidents.

The organization will have proactive processes to manage the risk of incidents in a cost-effective manner.

The organization will have well-defined metrics to monitor its response capabilities and incident management performance.

The organization will have well-defined communication channels for timely communication of incidents to different stakeholders
and external parties.

The organization will have a well-defined process to analyze the root cause of incidents and address any gaps to prevent
reoccurrence.

The Role of the Information Security Manager


The extent of involvement of the information security manager in managing incidents varies with
different organizations. However, for any information security-related incident, the prime
responsibility of handling the incident resides with the information security manager.

To manage security incidents, an information security manager should have a good conceptual
understanding of the incident management procedures. They should also have a thorough
understanding of the business continuity and disaster recovery processes. This will ensure that the
incident management plan is integrated with the business continuity and disaster recovery plans.

Security Information and Event Management


The SIEM system collects data from various sources and analyzes it for possible security events.

The SIEM system has the capability to detect attacks by signature- or behavior-based (heuristics)
analysis. It also has the capability for granular assessment. SIEM can highlight developing trends and
can alert the risk practitioner for an immediate response. SIEM is the most effective method to
determine aggregate risk from different sources. It is also the best method to counter advanced
persistent threats.

Figure 10.5: SIEM


The following are some of the characteristics of an effective SIEM:
It can consolidate and correlate inputs from different systems.

It can identify incidents.

It can notify staff.

It can prioritize incidents based on the possible impact.

It can track the status of each incident.

It can integrate with other IT systems.

Thus, a SIEM can provide information on policy compliance as well as incident monitoring and other
capabilities, if properly deployed, configured, and tuned.

A properly installed SIEM will help to automate the incident management process and lead to
considerable cost savings by minimizing the impact of incidents. Though SIEM itself may be costly,
it helps to save on the operating costs of manual processes (in place of SIEM) and recovery costs
(with early detection of incidents).

SIEM helps to identify incidents through log analysis on the basis of predefined rules. One of the
important challenges of implementing SIEM is reducing the number of false positive alerts. The most
effective way to reduce the number of false positive alerts is to develop business use cases. A
business use case documents the entire workflow that produces the required result, so that the SIEM
alerts on the complete scenario rather than on isolated events. For example, a use case could focus on
the SIEM's ability to analyze the logs for known threats.
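To make the point about predefined rules and use cases concrete, here is an added Python example (not from the book) that runs two detection rules over constructed authentication log lines: a naive rule that alerts on every failed login, and a "brute force followed by success" use case that alerts only when the whole workflow is observed. The log format, the failure threshold, and the time window are assumptions chosen for illustration.

```python
"""SIEM-style rule matching over authentication logs.

Added example; the log lines are constructed, and the field layout,
threshold and window are assumptions chosen to illustrate the point.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log lines (not from a real system).
SAMPLE_LOGS = """\
2022-11-03T09:00:01Z auth host=srv1 user=alice src=10.0.0.5 result=FAIL
2022-11-03T09:00:03Z auth host=srv1 user=alice src=10.0.0.5 result=SUCCESS
2022-11-03T09:10:00Z auth host=srv1 user=admin src=203.0.113.7 result=FAIL
2022-11-03T09:10:02Z auth host=srv1 user=admin src=203.0.113.7 result=FAIL
2022-11-03T09:10:04Z auth host=srv1 user=admin src=203.0.113.7 result=FAIL
2022-11-03T09:10:05Z auth host=srv1 user=admin src=203.0.113.7 result=FAIL
2022-11-03T09:10:06Z auth host=srv1 user=admin src=203.0.113.7 result=FAIL
2022-11-03T09:10:09Z auth host=srv1 user=admin src=203.0.113.7 result=SUCCESS
2022-11-03T11:00:00Z auth host=srv2 user=bob src=10.0.0.9 result=FAIL
2022-11-03T11:30:00Z auth host=srv2 user=bob src=10.0.0.9 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_events(raw: str) -> List[Dict]:
    """Normalize each log line into a dict; unparseable lines are skipped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def naive_failed_login_rule(events: List[Dict]) -> List[Dict]:
    """A rule without a use case: every failed login is an alert. Correct
    in a narrow sense, but every mistyped password becomes a false positive."""
    return [e for e in events if e["result"] == "FAIL"]


def brute_force_use_case(events: List[Dict], threshold: int = 5,
                         window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Use case 'credential brute force followed by success': alert only when
    at least `threshold` failures from one source against one account fall
    inside `window` and are followed by a SUCCESS within that same window."""
    by_key: Dict[tuple, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["src"], e["user"])].append(e)

    alerts = []
    for (src, user), evs in by_key.items():
        recent_fails: List[Dict] = []
        for e in evs:
            # Slide the window: forget failures older than `window`.
            recent_fails = [f for f in recent_fails if e["ts"] - f["ts"] <= window]
            if e["result"] == "FAIL":
                recent_fails.append(e)
            elif e["result"] == "SUCCESS" and len(recent_fails) >= threshold:
                alerts.append({
                    "src": src,
                    "user": user,
                    "host": e["host"],
                    "failures": len(recent_fails),
                    "success_at": e["ts"].isoformat(),
                })
                recent_fails = []
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOGS)
    print("naive rule alerts:", len(naive_failed_login_rule(events)))
    for a in brute_force_use_case(events):
        print("use-case alert:", a)
```

On the sample data the naive rule raises eight alerts while the use case raises one, which is the reduction in false positives the text describes.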

Key Aspects from the CISM Exam Perspective


The following are some key aspects from the exam perspective:

Question: What is the most effective way to reduce the false positive alerts generated by SIEM?
Possible answer: Building business use cases

Question: What is the most important characteristic of SIEM?
Possible answer: To promote compliance with security policies (SIEM can provide information on policy compliance and has incident monitoring and other capabilities)

Figure 10.6: Key aspects from the CISM exam perspective


Practice Question Set 8
1. As an information security manager, you are implementing a Security Information and Event Management (SIEM) system for
critical applications. What is the best method to reduce the false positive alerts generated by a SIEM system?

A. To build business cases

B. To analyze the network traffic

C. To conduct a risk assessment

D. To improve the quality of logs

2. What is the most effective utilization of security information and event management (SIEM)?

A. SIEM supports compliance with security policies

B. SIEM is used to reduce residual risk

C. SIEM replaces a packet filtering firewall

D. SIEM promotes compensating controls

3. Advanced persistent threats can be most effectively countered by:

A. An intrusion detection system

B. A security information and event management system

C. An automated penetration test

D. A comprehensive network management system

Incident Management Metrics and Indicators


The effectiveness and efficiency of the incident management process can best be measured through
various metrics. Metrics are measures used to track and compare the performance of various
processes. Metrics are generally developed in the form of key performance indicators (KPIs) and
key goal indicators (KGIs).

Key Performance Indicators and Key Goal Indicators


KPIs are generally quantifiable measures used to measure an activity. For example, the percentage of
incidents detected within 24 hours. KGIs can either be quantitative or qualitative depending upon the
process. KGIs are intended to show progress toward a predefined goal. For example, a goal could be
to install antivirus software on all systems within 1 month. This could be monitored on a daily basis.
The KGI for day 1 would be 5%, day 2 would be 10%, day 3 would be 20%, and so on. KPIs should
provide value to the process owner as well as management. They should not be too complex or
difficult to understand.
Figure 10.7: KPIs

Defined KPIs and KGIs should be agreed upon by relevant stakeholders and approved by senior
management.

Metrics for Incident Management


Metrics for incident management help the security manager understand the capability of the incident
management processes and find areas where improvement is needed. The following are some metrics
for measuring the performance of incident management processes:
The number of reported incidents

The number of detected incidents

The average time taken to detect an incident

The average time taken to close an incident

The percentage of incidents resolved successfully

The number of employees trained on security awareness

Trends indicating total damage over the period

The above metrics should help the organization achieve its defined objectives in an efficient and cost-
effective manner.
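The following Python example, added here and not taken from the book, computes the metrics listed above from a set of constructed incident records: counts of reported and detected incidents, average time to detect and to close, percentage resolved successfully, a damage trend per month, and the two indicators the text uses as examples (the KPI "percentage of incidents detected within 24 hours" and a KGI for antivirus rollout progress). The record fields, timestamps, and cost figures are assumptions.

```python
"""Incident management metrics computed from incident records.

Added example; the incident records below are constructed sample data,
and the field names, thresholds and cost figures are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Incident:
    incident_id: str
    occurred: datetime            # when the incident actually began
    detected: datetime            # when the organization became aware of it
    closed: Optional[datetime]    # None while the incident is still open
    resolved_successfully: bool
    detected_by: str              # "internal" (own monitoring) or "external" (reported to us)
    damage_cost: float            # loss, recovery and handling cost, in currency units


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample records (not real incidents).
SAMPLE_INCIDENTS = [
    Incident("INC-1", _t("2022-10-01T08:00"), _t("2022-10-01T10:00"), _t("2022-10-01T18:00"), True, "internal", 1200.0),
    Incident("INC-2", _t("2022-10-02T00:00"), _t("2022-10-04T00:00"), _t("2022-10-05T00:00"), True, "external", 9500.0),
    Incident("INC-3", _t("2022-11-03T12:00"), _t("2022-11-03T13:00"), None, False, "internal", 300.0),
    Incident("INC-4", _t("2022-11-05T09:00"), _t("2022-11-05T15:00"), _t("2022-11-06T09:00"), False, "internal", 4000.0),
]


def mean_hours(deltas: List[timedelta]) -> float:
    """Average of a list of durations, expressed in hours (0.0 for no data)."""
    if not deltas:
        return 0.0
    return sum(d.total_seconds() for d in deltas) / len(deltas) / 3600


def incident_metrics(incidents: List[Incident]) -> Dict[str, float]:
    """The metrics listed in the text: counts, average detection and closure
    times, and the share of closed incidents that were resolved successfully."""
    closed = [i for i in incidents if i.closed is not None]
    return {
        "reported": sum(1 for i in incidents if i.detected_by == "external"),
        "detected": sum(1 for i in incidents if i.detected_by == "internal"),
        "mean_time_to_detect_h": mean_hours([i.detected - i.occurred for i in incidents]),
        "mean_time_to_close_h": mean_hours([i.closed - i.detected for i in closed]),
        "pct_resolved_successfully": (
            100.0 * sum(1 for i in closed if i.resolved_successfully) / len(closed) if closed else 0.0
        ),
    }


def kpi_detected_within(incidents: List[Incident], hours: int = 24) -> float:
    """KPI from the text: percentage of incidents detected within `hours`."""
    if not incidents:
        return 0.0
    on_time = sum(1 for i in incidents if i.detected - i.occurred <= timedelta(hours=hours))
    return 100.0 * on_time / len(incidents)


def kgi_rollout_progress(systems_covered: int, systems_total: int) -> float:
    """KGI from the text: progress toward covering every system (e.g. antivirus)."""
    return 100.0 * systems_covered / systems_total if systems_total else 0.0


def damage_trend(incidents: List[Incident]) -> Dict[str, float]:
    """Total damage per month, for the 'trend over the period' metric."""
    totals: Dict[str, float] = defaultdict(float)
    for i in incidents:
        totals[i.occurred.strftime("%Y-%m")] += i.damage_cost
    return dict(sorted(totals.items()))


if __name__ == "__main__":
    for name, value in incident_metrics(SAMPLE_INCIDENTS).items():
        print(f"{name}: {value:.2f}")
    print("KPI detected within 24h (%):", kpi_detected_within(SAMPLE_INCIDENTS))
    print("KGI antivirus rollout day 1 (%):", kgi_rollout_progress(20, 400))
    print("damage trend:", damage_trend(SAMPLE_INCIDENTS))
```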
Reporting to Senior Management
Key metrics should be reported to senior management at frequent intervals. It helps senior
management to understand the capability of incident management processes and to identify any gaps.

The Current State of Incident Response Capabilities


Every organization has some sort of incident management capability, either structured or
unstructured. The information security manager must determine the current state of capability. This will
help them understand the areas in need of further improvement. An information security manager can
determine the current state in any of the following ways:
The current state can be determined by conducting a survey of senior management, business managers, and IT employees. This
will help them understand the perception of the focus group about incident management capabilities.

The current state can also be determined by self-assessment. This can be done by comparing the current processes with some
standard criteria. In this method, the views of other stakeholders are ignored, and this can be a major challenge.

The current state can be determined by external assessment or audit. This is the most comprehensive
method as it involves interviews, simulations, benchmarking with best practices, and other aspects.
This approach is generally used by organizations that already have adequate incident response
capabilities but want to further improve their processes.

It is also important for security managers to have a thorough understanding of the history of
incidents.

History of Incidents
A history of past incidents can provide valuable information about trends, business impact, and
incident response capabilities. This information can be used to prepare a strategy for dealing with
future incidents.

Threats and Vulnerabilities


A security manager should understand the basic differences between threats and vulnerabilities as
follows:

Threat: A threat is what an organization is trying to protect against.
Vulnerability: A vulnerability is a weakness in a system or process.

Threat: Examples of threats include natural disasters, fires, hackers, and other unknown forces.
Vulnerability: Examples of vulnerabilities include the lack of an anti-virus, weak coding, and poor access control.

Threat: Threats are not in an individual's or an organization's control.
Vulnerability: Vulnerabilities can be controlled.

Figure 10.8: The difference between threats and vulnerabilities

The following sections will explain the responsibility of the security manager in threat and
vulnerability assessments.

Threats
The key responsibility of a security manager is to ensure that various types of threats applicable to
their organization are identified and documented. Threats that are not identified are more dangerous
than threats that are well documented.

The following are some sources of threats:


Environmental threats such as natural disasters

Technical threats such as electrical failure, fire, and IT issues

Human-made threats such as corporate sabotage, disgruntled employees, political instability, and so on.

Sources of threat identification include past incidents, audit reports, media reports, information from
national computer emergency response teams (CERTs), data from security vendors, and
communication from internal groups. Risk scenarios are used at the time of threat and vulnerability
assessment to identify various events and their likelihood and impact.

Vulnerabilities
Vulnerabilities are weaknesses in security. The existence of vulnerabilities is a potential risk. It
represents a lack of adequate controls. A security manager should conduct regular vulnerability
assessments and bridge gaps before they are found by an adversary and exploited. Vulnerability
management is a proactive way to ensure that incidents are prevented.
Summary
In this chapter, you explored the practical aspects of information security incident management. This
chapter will help CISM candidates understand the different types of incident management tools and
techniques. You will be able to execute a response and recovery plan in a more effective manner. This
chapter will also help you design incident management metrics and indicators and determine the
current state of the organization's incident response capability. You also learned how, as a CISM
candidate, you can implement different post-incident activities and investigations.

This book has discussed all four domains of the CISM Review Manual by ISACA and will have
helped CISM aspirants gain a sufficient theoretical, as well as practical, understanding of those
domains. Aspirants should now feel prepared to pass the CISM exam.

Revision Questions
1. A security manager discovered an attempted SQL injection attack on an application. However, they could not determine whether
it was successful. Who is in the best position to assess the possible impact of the attack?

A. The application support team

B. The incident response team

C. The business process owner

D. The network security team

2. What is the most important advantage of implementing a systematic and methodological incident management program?

A. It reduces the cost of incident management

B. It makes incident management more flexible

C. It helps the responder gain experience

D. It provides evidence of due diligence to support legal and liability claims

3. Once a virus incident has been resolved, the security manager will be most interested in knowing the:

A. Configuration of the anti-malware software

B. Other organizations impacted by the same virus

C. Path of the virus's entry

D. Author of the virus

4. What is the objective of reviewing the observations of staff involved in a disaster recovery test?

A. To determine the efficiency level of the staff

B. To determine the lessons learned

C. To determine the effectiveness of DRP training


D. To identify resource requirements

5. The effectiveness of incident management is mostly dependent on:

A. The criteria set for determining the severity level

B. The capability of the intrusion detection system

C. The capability of the help desk team

D. An effective communication and reporting process

6. A security manager has taken a bit-by-bit copy image of a suspicious hard drive. What should their immediate next step be?

A. Encrypting the original as well as the image

B. Analyzing the contents of the image

C. Creating hashes for the original and the image

D. Validating the tool used to create the image

7. A security manager has identified a vulnerability in a server. Their next step should be:

A. Reporting

B. Eradication

C. Analysis

D. Containment

8. The best way to resolve operation issues with a third-party service provider is to include which of the following in a service-level
agreement?

A. A penalty clause

B. An audit requirement

C. The jurisdiction for legal action

D. The defined responsibilities

9. With respect to a recent incident, an investigation revealed the involvement of an internal employee. The security team has
confiscated their computer. What should the next step be?

A. Creating a bit-by-bit image of the hard drive

B. Analyzing the content of the original hard drive

C. Creating a logical copy of the hard drive

D. Encrypting the data on the hard drive

10. What is the most important aspect to ensure the admissibility of evidence in legal proceedings?

A. Aging of the evidence

B. Media used for storing the evidence should be write blocked


C. Evidence should be reviewed by an independent authority

D. Traceability of control

11. The main objective of documenting the history of a security incident is:

A. To maintain evidence for forensic investigation

B. To record the progress of incident response and document the exceptions

C. To assign the severity level of the incident

D. To determine the accountability of the incident response team

12. The root cause of a security incident indicates that one important process was not monitored. As a result, a monitoring process has
been started. Monitoring will best help in:

A. Compliance with the security policy

B. A reduction in the security budget

C. Improvements in identification

D. Increasing risk appetite

13. With respect to a forensic investigation, data is to be copied from the original drive for further analysis. Which of the following
must be ensured?

A. That the disk model is the same as the original

B. Two copies should be made available

C. A hash value should be generated from both the original as well as the copy

D. A restoration test should be conducted

14. The priority when evidence is to be used in legal proceedings is to:

A. Notify law enforcement

B. Prevent contamination of the evidence

C. Initiate an incident response plan

D. Document events sequentially


Answers to Practice Questions
Chapter 1: Enterprise Governance

Practice Question Set 1


Q. 1

Answer: A. Security projects are discussed and approved by a steering committee

Explanation: The involvement of a steering committee in the discussion and approval of security
projects indicates that the management is committed to security governance. The other options are
not as significant.

Q. 2

Answer: C. The complexity of the organizational structure

Explanation: The information security governance model is primarily impacted by the complexity of
the organizational structure. The organizational structure includes the organization's objectives,
vision and mission, hierarchy, leadership structure, different function units, and different product
lines. The other options are not as significant.

Q. 3

Answer: B. The development of security policies

Explanation: Security policies indicate the intent of the management. The security architecture and
various procedures are designed based on these policies.

Q. 4

Answer: C. The business strategy

Explanation: Information security governance should support the business strategy. An
organization's security must be aligned with the business objectives.

Q. 5

Answer: C. To prioritize information security projects

Explanation: One of the responsibilities of a steering committee is to discuss, approve, and prioritize
information security projects and to ensure that they are aligned with the goals and objectives of the
enterprise.

Q. 6
Answer: C. To define the security strategy

Explanation: The first step is to adopt a security strategy. The next step is to develop security
policies based on this strategy. The final step is to develop security procedures and guidelines based
on the security policies.

Q. 7

Answer: A. To align with the organization's business strategy

Explanation: The most important objective of an information security governance program is to
ensure that the information security strategy is in alignment with the strategic goals and objectives of
the enterprise. The other options are secondary factors.

Q. 8

Answer: D. An established risk management program

Explanation: An effective and efficient risk management program is a key element of effective
governance. A structured risk management program indicates that senior management is aware of the
organization's risk appetite and their willingness to address unacceptable risks. The other options are
not as significant.

Q. 9

Answer: D. The use of a top-down approach

Explanation: In a top-down approach, policies, procedures, and goals are set by senior management,
and as a result, the policies and procedures are directly aligned with the business objectives. A
bottom-up approach may not directly address management priorities. Initiatives by the IT department
and a compliance-oriented approach are not as significant.

Q. 10

Answer: A. To design and develop the security strategy

Explanation: The prime responsibility of the information security manager is to develop the security
strategy based on the business objectives in coordination with the business process owner. The
review and approval of the security strategy is the responsibility of the steering committee and senior
management. The security manager is not directly required to train end users, and budget allocation is
the responsibility of senior management.

Q. 11

Answer: D. To align with organizational goals

Explanation: The objective of security governance is to support the business objectives, so the most
important factor is to align with organizational objectives and goals.

Q. 12

Answer: B. To understand the objectives of the business units

Explanation: The information security governance program will not be effective if it is not able to
address the requirements of the business units. The objectives of the business units can best be
understood by reviewing their processes and functions. Option A is not correct, as security
requirements should be aligned with the business and not the other way around. Options C and D are
not as significant.

Q. 13

Answer: D. To optimize the security strategy to support the business objectives

Explanation: The primary objective of security governance is to ensure that the business objectives
are achieved. Unless the information security strategy is aligned with the business objectives, the
other options will not offer any value.

Q. 14

Answer: B. Ineffective governance

Explanation: Governance is the process of having oversight to ensure the availability of effective
and efficient processes. A lack of procedures, training, and standards is a sign of ineffective
governance.

Q. 15

Answer: C. A framework that provides structure and guidance

Explanation: A framework is a structure intended to support processes and methods. It provides the
outline and basic structure rather than detailed processes and methods. Frameworks are generally not
intended to provide programming inputs.

Q. 16

Answer: D. To address operational risks

Explanation: The main objective of integrating the security aspect in business processes is to address
operational risks. The other options may be considered secondary benefits.

Q. 17

Answer: A. A well-defined organizational structure with necessary resources and defined
responsibilities

Explanation: The most important attribute is a well-defined organizational structure that minimizes
any conflicts of interest. This ensures better governance. Options B and D are important aspects, but
option A is more critical. Option C is not correct, as the security strategy supports the business
objectives and not the other way around.

Q. 18

Answer: B. A framework

Explanation: A framework is the most suitable method for developing an information security
program as it is more flexible in adoption. Some common frameworks include ISO 27001 and
COBIT. Standards, processes, and models are not as flexible as frameworks.

Practice Question Set 2

Q. 1

Answer: B. The culture of the organization

Explanation: The culture of the organization influences the risk appetite, which in turn has a
significant influence on the design and implementation of the information security program. The
business objective is important to prioritize the risk treatment. However, the culture of the
organization will have a major influence on the design and implementation of the security program.
A pro-risk culture will have a different implementation approach compared to a risk-averse culture.

Q. 2

Answer: B. Protecting life

Explanation: The most important consideration when developing a control policy is to protect
human life. For example, carbon dioxide fire extinguishers should be restricted in areas where
employees are working. Also, electric door access should be set to fail open in case of fire. The other
options are secondary factors.

Q. 3

Answer: A. Cultural differences

Explanation: Cultural differences and their impact on data security are generally not considered
during security reviews. Different cultures have different perspectives on information that is
considered sensitive and how it should be handled. This cultural practice may not be consistent with
the organization's legal requirements.

Q. 4

Answer: D. The organization's culture

Explanation: The culture of an organization determines its risk appetite. Pro-risk organizations tend
to have a higher risk appetite compared to risk-averse organizations. The other options do not directly
impact the risk appetite.

Q. 5

Answer: D. Organizational goals

Explanation: The prime objective of a security strategy is to facilitate and support organizational
goals. The other options are secondary factors.

Q. 6

Answer: C. The cultures of the different countries

Explanation: Culture plays an important role when designing security policies. Different countries
have different cultures, and this impacts their local legal requirements. The organization needs to
ensure that the local laws of all the countries are appropriately addressed. The other options are not as
significant as the local culture.

Q. 7

Answer: B. The risk appetite of the organization

Explanation: The risk appetite is the level of willingness of an organization to take risks. It sets the
boundary of acceptable risk, which also determines the acceptable limit for the organizational
standards. The other options do not directly impact the acceptable level of organizational standards.

Q. 8

Answer: C. Collaboration across business lines

Explanation: Collaboration across business lines is of utmost importance to promote a positive
information security culture. This will ensure collective effort toward common security goals. The
other options are not as significant.

Practice Question Set 3

Q. 1

Answer: D. To determine the information security strategy for BYOD

Explanation: The first step for the information security manager is to determine a strategy to protect
the organization from the risks of BYOD. Option A is not feasible, as the role of the security manager
is to facilitate business processes by mitigating the risk. Options B and C will be based on the
security strategy.

Q. 2

Answer: C. Affected departments

Explanation: Departments affected by new regulations are most likely to raise these requirements.
They are in the best position to determine the impact of new regulatory requirements on their
processes and the best ways to address them.

Q. 3

Answer: B. The desired outcomes

Explanation: The desired outcomes should dictate the input requirements of an information security
program. It is the responsibility of the security manager to ensure that the program is implemented in
such a manner that it achieves the desired outcomes. The security strategy should also be based on
the desired outcomes of the information security program.

Q. 4

Answer: C. To assess whether existing controls meet the regulation

Explanation: The first step is to determine whether existing controls are adequate to address the new
regulation. If existing controls are adequate, the other options are not required.

Q. 5

Answer: D. Identifiable personal data

Explanation: The prime focus of privacy law is to protect identifiable personal data. Identity theft is
one way that personal data can be misused. There are other possible consequences too. If analytics
are performed on identifiable personal data, it could impact privacy, but only if it violates regulatory
provisions.

Q. 6

Answer: A. Determine the processes and activities that may be impacted.

Explanation: The very first step is to determine the processes and activities that may be impacted.
Based on this, the security manager can do a risk assessment and determine the level of impact. The
other options are subsequent steps.

Q. 7

Answer: A. To the extent that they impact the organization

Explanation: Laws and regulations should be addressed to the extent that they impact the
organization, irrespective of whether they are required for certification standards or the requirements
of policies.

Q. 8

Answer: B. The evolving data protection regulations

Explanation: Privacy laws vary from country to country, and organizations must comply with the
applicable laws in each country where their data is collected, processed, or stored.

Q. 9

Answer: C. Require management to report on compliance

Explanation: The board of directors has oversight responsibilities, and they should monitor
compliance. The board would not be directly involved in evaluating various options and the cost of
implementation. Furthermore, the board will not directly instruct the information security
department.

Q. 10

Answer: D. The threat landscape

Explanation: A threat is something that exploits a vulnerability. Threat factors are not under the
control of the organization. Examples of threat factors are hackers, fires, earthquakes, and changes in
the regulatory environment. All the given factors are difficult to estimate and control but not as much
as the threat landscape.

Q. 11

Answer: A. To identify whether the current controls are adequate

Explanation: The first step is to analyze and identify whether the current controls are adequate. If
current practices already adhere to the regulations, then there is no need to implement further
controls.

Practice Question Set 4

Q. 1

Answer: D. Potential changes in application systems and media

Explanation: The type and nature of application systems and media and their capability to read and
interpret different data formats is the most important factor in planning record retention. New
application systems may not be able to read and interpret data generated by earlier applications. This
is a major risk.

Q. 2

Answer: B. Regulatory and legal requirements

Explanation: Record retention should be primarily based on two factors: business requirements and
legal requirements. If a record is required to be maintained for two years as per the business
requirements, and three years from the legal perspective, then it should be maintained for three years.
Organizations generally design their business requirements after considering the relevant laws and
regulations.

Q. 3

Answer: A. It should be analyzed under the retention policy

Explanation: From an information security perspective, such data should be analyzed under the
retention policy. It should then be determined whether the data is required to be maintained for
business or regulatory reasons. If the data is no longer required, it should be removed in a secure
manner.

Q. 4

Answer: D. Implementing comprehensive retention policies

Explanation: E-discovery is the process of identifying, collecting, and submitting electronic records
in a lawsuit or investigation. The best way to ensure the availability of electronic records is to
implement comprehensive retention policies. A retention policy will dictate the terms of storage and
backup of, and access to, the records.

Practice Question Set 5

Q. 1

Answer: B. Better adherence to policy compared to decentralized processes

Explanation: The centralization of information security management will result in greater uniformity
and easier monitoring of processes. This in turn will help achieve better adherence to security
policies. Decentralized processes are generally more expensive to manage but will be more aligned
with business unit requirements. Centralized processes will generally have a slower turnaround for
requests due to a larger gap between the information security department and the end user.

Q. 2

Answer: D. Steering committee

Explanation: Senior management members who are on the steering committee are best placed to
determine the level of acceptable risk for the organization.

Q. 3

Answer: C. Better alignment with decentralized unit requirements

Explanation: In a decentralized environment, more emphasis is placed on the needs and
requirements of business units. Options A and D are more relevant for centralized processes.
Decentralized processes may not always ensure compliance with the policy.

Practice Question Set 6

Q. 1

Answer: B. The principle of proportionality

Explanation: The principle of proportionality requires that the access be proportionate to the
criticality of the assets and access should be provided on a need-to-know basis. The principle of
accountability is important for the mapping of job descriptions; however, people with access to data
may not always be accountable. Options C and D are not directly relevant to mapping job
descriptions.

Q. 2

Answer: D. Ensuring all security measures are in accordance with the organizational policy

Explanation: The data custodian is responsible for ensuring that appropriate security measures are
implemented and are consistent with the organizational policy. The other options are not the
responsibility of the data custodian.

Q. 3

Answer: D. Refer the matter to senior management along with any necessary recommendations

Explanation: The best option for a security manager in this case is to highlight the issue to senior
management. Senior management will be in the best position to make a decision after considering
business and security aspects.

Q. 4

Answer: D. Better accountability

Explanation: Having clearly set-out roles and responsibilities ensures better accountability, as
individuals are aware of their key performance areas and expected outcomes. The other options may
be indirect benefits, but the only direct benefit is better accountability.

Q. 5

Answer: A. To define and ratify the data classification process

Explanation: The primary role of an information security manager is to define the structure of data
classification. They need to ensure that the data classification policy is consistent with the
organization's risk appetite. The mapping of data as per the classification is the responsibility of the
data owner. Providing security is the responsibility of the data custodian. Confirming proper
classification may be the role of the information security manager or the information security auditor.

Q. 6

Answer: D. That security projects are reviewed and approved by the data center manager

Explanation: Security projects should be approved by the steering committee (which consists of
senior management). The data center manager may not be in a position to ensure the alignment of
security projects with the overall enterprise objectives. This will have an adverse impact on security
governance. The approval of the security policy by senior management is seen as an indicator of
good governance. Vacant positions are not a major concern. The steering committee meeting on a
quarterly basis is also not an issue.

Q. 7

Answer: A. Supporting organizational objectives

Explanation: The main objective of the security manager having a thorough understanding of the
business operations is to support the organization's objectives. The other options are specific actions
to support the business objectives.

Q. 8

Answer: C. Develop communication channels across the organization

Explanation: The best approach is to develop communication channels that will help in the timely
reporting of events as well as disseminating security information. The other options are good
practices; however, without an appropriate communication channel, the identification of events may
be delayed.

Q. 9

Answer: C. The board of directors and senior management

Explanation: The ultimate responsibility for compliance with legal and regulatory requirements is
with the board of directors. The board delegates this responsibility to senior management. The CISO,
head of legal, and steering committee implement the directives of the board and senior management,
but they are not individually liable for the failure of security.

Q. 10

Answer: B. Conduct a risk assessment

Explanation: The best way to gain the support of senior management is to conduct a risk assessment
and present it to management in the form of an impact analysis. A risk assessment will help
management to understand the areas of concern. The other options may be considered secondary
factors.

Q. 11

Answer: B. The impact on the organization's objectives

Explanation: Security projects should be assessed and prioritized based on their impact on the
organization. This will ensure optimum utilization of resources. The other options are secondary
factors.

Q. 12

Answer: D. The security administrators

Explanation: The security administrators are custodians of data, and they need to ensure that data is
in safe custody. They are responsible for enforcing and implementing security measures in
accordance with the information security policy. The data owner and process owner are responsible
for classifying the data and approving access rights. However, they do not enforce and implement
security controls. The steering committee is not responsible for enforcement.

Q. 13

Answer: D. The data owner

Explanation: The data owner has responsibility for the classification of their data in accordance with
the organization's data classification policy. The data administrator is required to implement security
controls as per the security policy. The security manager and system auditor oversee the data
classification and handling process to ensure conformance to the policy.

Q. 14

Answer: B. Business requirements

Explanation: The primary basis for defining the data retention period is the business requirements as
these will already consider any legal and regulatory aspects. If data is not retained as per the business
needs, it may have a negative impact on the business objectives.

Q. 15

Answer: B. The local security program should comply with the data privacy policy of the location
where the data is collected.

Explanation: Data privacy laws are country-specific. It is very important to ensure adherence to local
laws, and the organization's data privacy policy cannot supersede the local laws. The organization's
privacy policy may not be able to address all the local laws and requirements.

Q. 16

Answer: C. The board of directors

Explanation: The board of directors has the ultimate accountability for information security. The
other options, the security administrators, steering committee, and security managers, are responsible
for implementing, enforcing, and monitoring security controls as per the directive of the board.

Q. 17

Answer: B. The COO

Explanation: The COO is the head of operational activities in the organization. Operational
processes are reviewed and approved by the COO. The COO has the most thorough knowledge of the
business operations and objectives and is most likely the sponsor for the implementation of security
projects as they have a strong influence across the organization. Sponsoring means supporting the
project financially or through products or services. Although the CISO should provide security
advice and recommendations, the sponsor should be the COO for effective ground-level
implementation.

Q. 18

Answer: D. The business owner

Explanation: The business owner needs to ensure that their data is appropriately protected, and
access is provided on a need-to-know basis only. The security officer, data protection officer, and
compliance officer can advise on security aspects, but they do not have final responsibility.

Q. 19

Answer: B. The data owner

Explanation: The data owner is responsible for determining the level of security controls for the
data, as well as for the application that stores the data. The system owner is generally responsible for
platforms rather than applications or data. The system auditor is responsible for evaluating the
security controls. The steering committee consists of senior-level officials and is responsible for
aligning the security strategy with the business objectives.

Practice Question Set 7

Q. 1

Answer: A. Continuous evaluation, monitoring, and improvement

Explanation: The maturity model requires continuous improvement in the governance framework. It
requires continuous evaluation, monitoring, and improvement to move toward the desired state from
the current state.

Q. 2

Answer: A. A defined maturity model

Explanation: A defined maturity model will be the best indicator to determine the level of security
governance. The maturity model indicates the maturity of the governance processes on a scale of 0 to
5, where Level 0 indicates incomplete processes and Level 5 indicates optimized processes.

Q. 3

Answer: B. The maturity level

Explanation: A defined maturity model is the best indicator to determine the level of security
governance. A maturity model indicates the maturity of the governance processes on a scale of 0 to 5,
where Level 0 indicates incomplete processes and Level 5 indicates optimized processes.

Practice Question Set 8

Q. 1

Answer: D. Effective metrics

Explanation: Based on effective metrics, organizations evaluate and measure the achievements and
performance of various processes and controls. Effective metrics are primarily used for
security-related decision-making. The other options are secondary factors.

Q. 2

Answer: B. Trends in incident occurrence

Explanation: Trends in incidents will be more valuable from a strategic perspective as they will
indicate whether a security program is heading in the right direction or not. The other options are
more of an operational metric.

Q. 3

Answer: C. The number of unplanned business interruptions.

Explanation: The number of unplanned business interruptions is the best indication to evaluate
organizational risk by determining how much business may be lost due to interruptions. Annual loss
expectancy is based on projections and does not indicate actual value. Security incidents and open
vulnerabilities do not reveal impact.

Q. 4

Answer: B. Metrics should be meaningful to the process owner

Explanation: Metrics are measurements used to evaluate and monitor a particular process. Metrics
are most effective when they are meaningful to the person receiving the information. The process
owner should be able to take appropriate action based on the metrics. Metrics can be either
quantifiable or qualitative based on the nature of the process. Options A and D are important, but
more significant is the ability of metrics to convey meaning.

Q. 5

Answer: B. A KRI should be arrived at by consistent methodologies and practices

Explanation: A KRI will be effective only if it is arrived at by consistent methodologies and
practices. In the absence of this, the KRI will be meaningless as it cannot be compared over different
periods of time and hence may not be able to indicate actual risk. The other options are good
attributes but do not provide a consistent approach to determine deviation over time.

Q. 6

Answer: D. The strategy helps to achieve the control objectives.

Explanation: The control objectives are developed to achieve an acceptable level of risk. The
strategy is effective if the control objectives are met. The other options may be part of the control
objectives, but the effectiveness of the security strategy is best measured by evaluating the extent to
which the overall control objectives are met.

Q. 7

Answer: C. The key performance indicator

Explanation: Key performance indicators measure how well a process is performing compared to its
expectations. The key success factor determines the most important aspects or issues to achieve the
goal. The key objective indicator and key goal indicator define the objective set by the organization.

Revision Questions

Q. 1

Answer: D. Reviewing access privileges when an operator's role changes

Explanation: In the absence of access privilege reviews, there is the risk that a single staff member
can acquire excess operational capabilities. This will defeat the objective of SoD. In order to maintain
the effectiveness of SoD, it is important to review access privileges more frequently and more
specifically when an operator's role changes.

Q. 2

Answer: A. To manage the risk to information assets

Explanation: The prime responsibility of an information security manager is to evaluate and manage
the information security risk by involving risk owners.

Implementing the security configuration is the responsibility of the asset owner. Disaster recovery
testing should be conducted by the process owner, and the closing of vulnerabilities is the
responsibility of the asset owner.

Q. 3

Answer: B. Process performance and capabilities

Explanation: Process performance and capabilities provide a detailed perspective of the maturity
levels, just like the maturity model. The other options will not help to determine the level of maturity
of the process. The Monte Carlo method is a risk assessment method that uses simulations.
Vulnerability assessments are used to identify vulnerabilities, and risk analysis is used to determine
the current state of risk. Neither will help to determine the maturity of the process.

Q. 4

Answer: A. The information owner

Explanation: The information owner is ultimately responsible for the protection of their data. The
information owner is the best person to know the criticality of the data and who should have access to
the data. Therefore, information system access should be primarily authorized by the information
owner.

Q. 5

Answer: B. The unauthorized modification of logs by the database administrator

Explanation: The DBA will have access to logs if they are stored in the database server. The
administrator can modify or delete the log entries, and this is a major cause of concern. The DBA
should not have access to logs related to the database. Backing up the logs will address the issue of
server crashes. Log capturing may not always impact transaction processing. If critical information is
not captured in logs, it is a design failure and has nothing to do with log entries stored in the
production database.

Q. 6

Answer: B. The organization is committed to its responsibility for information security

Explanation: Appointing a CISO indicates that the organization wants to have a clear line of
responsibility for information security. Information security is one of the focus areas of the
organization. Having a CISO does not impact the role of senior management. Even if the CISO is
appointed, accountability lies with the board of directors. The CISO is generally not accountable for
technology projects.

Q. 7

Answer: A. To address the security gaps that exist between assurance functions

Explanation: Whenever there are shared responsibilities for information security, gaps tend to exist.
Integrating the roles and responsibilities is the best way to address these gaps and ensure consistent
risk management. The other options are secondary factors.

Q. 8

Answer: A. To verify that only approved changes are made

Explanation: In the absence of SoD, the best compensatory control is to ensure that only approved
changes are made by the employee. This verification can either be done for all cases or on a sample
basis depending on the risk involved. The review of logs by the manager may not be meaningful as
an employee can manipulate the logs and hide activities from the supervisor. Penetration tests and
risk assessments may not be able to detect unauthorized activities.
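A concrete way to operationalize the two SoD points above (the privilege review when a role changes in Q. 1, and the verification that only approved changes were made in Q. 8), as added Python example code that is not from the book; the role entitlement matrix, toxic privilege pairs, user records and change tickets are constructed sample data:

```python
"""Privilege review after a role change, and approved-change reconciliation.

Constructed example (not from the book). The role entitlement matrix, the
SoD toxic pairs, the user records and the change tickets below are all
made-up sample data, chosen so that both checks produce findings.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Sample role-to-privilege entitlement matrix (constructed).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_supervisor": {"invoice.approve", "payment.release"},
    "dba": {"db.admin"},
    "log_reviewer": {"log.read"},
}

# Sample SoD rules: privilege pairs that one person must never hold together.
TOXIC_PAIRS: List[Tuple[str, str]] = [
    ("vendor.create", "payment.release"),
    ("invoice.enter", "invoice.approve"),
    ("db.admin", "log.admin"),
]


@dataclass
class User:
    name: str
    current_role: str
    privileges: Set[str]  # privileges actually held in the system


def review_privileges(user: User) -> dict:
    """Flag privileges outside the user's current role (typically carried over
    from a previous role) and any SoD conflict among the privileges held."""
    allowed = ROLE_ENTITLEMENTS.get(user.current_role, set())
    excess = sorted(user.privileges - allowed)
    conflicts = sorted(
        pair for pair in TOXIC_PAIRS
        if pair[0] in user.privileges and pair[1] in user.privileges
    )
    return {"user": user.name, "excess": excess, "sod_conflicts": conflicts}


def unapproved_changes(change_log: List[dict], approvals: List[dict]) -> List[dict]:
    """Compensating control where SoD cannot be enforced: every change applied
    must reference a ticket that an independent approver marked approved."""
    approved = {a["ticket"] for a in approvals if a["status"] == "approved"}
    return [c for c in change_log if c.get("ticket") not in approved]


# Constructed sample input: Alice was promoted from ap_clerk to ap_supervisor
# but her old clerk privileges were never removed; Dan's access is clean.
USERS = [
    User("alice", "ap_supervisor",
         {"vendor.create", "invoice.enter", "invoice.approve", "payment.release"}),
    User("dan", "dba", {"db.admin"}),
]

# Constructed change log and approval records for the compensating check.
CHANGE_LOG = [
    {"change_id": 101, "by": "bob", "ticket": "CHG-1"},
    {"change_id": 102, "by": "bob", "ticket": "CHG-2"},
    {"change_id": 103, "by": "bob"},  # applied with no ticket at all
]
APPROVALS = [
    {"ticket": "CHG-1", "status": "approved", "approver": "carol"},
    {"ticket": "CHG-2", "status": "rejected", "approver": "carol"},
]


def run_review() -> dict:
    """Run both checks over the sample data and return the findings."""
    return {
        "privilege_findings": [review_privileges(u) for u in USERS],
        "unapproved_changes": unapproved_changes(CHANGE_LOG, APPROVALS),
    }


if __name__ == "__main__":
    results = run_review()
    for finding in results["privilege_findings"]:
        print(finding)
    for change in results["unapproved_changes"]:
        print("unapproved change:", change)
```

In a real review the entitlement matrix and current privileges would be exported from the identity and change management systems; the point is that a role change without a privilege review leaves Alice holding both halves of two toxic pairs.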

Q. 9

Answer: B. To determine the level of classification for their data

Explanation: The information owner is required to determine the level of classification for their
respective data. Based on its classification, the system administrator implements the required security
measures and data backups. The information owner may delegate the process of classification to
some other responsible employee but not to the system administrator.

Q. 10

Answer: C. Senior management

Explanation: Senior management has the final responsibility for the effectiveness of the
organization's security measures. Although the authority to implement, monitor, and evaluate the
security measures is delegated to the security administrator, CISO, and information security auditor,
the responsibility cannot be delegated. The final responsibility rests with senior management.

Q. 11

Answer: C. Assigned accountability

Explanation: If accountability is properly assigned and made known to individuals, they will be more
proactive and concerned about their responsibilities, which will ensure that duties are properly
carried out.

Q. 12

Answer: D. All organizational units

Explanation: Every employee is required to comply with security policies and standards, as
applicable to their performance areas. Though the CISO and senior management monitor the level of
compliance, all organizational units should adhere to policies and standards.

Q. 13

Answer: C. The adoption of a maturity model

Explanation: A maturity model such as the CMM can be used to determine the maturity level of the
risk management process from Level 0 (that is, initial) to Level 5 (that is, optimized). The
organization can know under which level the process falls and can gradually move toward higher
levels, thereby improving their risk management process. The other options are secondary factors.

Q. 14

Answer: A. All personnel

Explanation: It is the responsibility of all personnel to adhere to the security requirements of the
organization.

Q. 15

Answer: C. Senior management

Explanation: Senior management is in the best position to understand the key business objectives
and how they should be protected through policies and procedures. Other officials (for example, the
operation manager, CISO, and CTO) may provide necessary inputs, but final approval should be
provided by senior management.

Q. 16

Answer: C. Implementing the principle of least privilege

Explanation: The most effective method to protect the confidentiality of information assets is to
follow the principle of least privilege. The principle of least privilege ensures that access is provided
only on a need-to-know basis, and it should be restricted for all other users. The other options are
good measures; however, in the absence of the principle of least privilege, they may not be effective.

Q. 17

Answer: C. Better alignment with decentralized unit requirements

Explanation: In a decentralized environment, more emphasis is placed on the needs and
requirements of business units. Options A and D are more relevant to centralized processes.
Decentralized processes may not always ensure compliance with the policy.

Chapter 2: Information Security Strategy

Practice Question Set 1

Q. 1

Answer: B. To evaluate the current business strategy

Explanation: The first step for an information security manager is to understand and evaluate the
current business strategy. This is essential to align the information security plan with the business
strategy. The other options are subsequent steps.

Q. 2

Answer: D. Desired future state of information security

Explanation: A strategy plan should include the desired level of information security. This desired
state will impact options A and B. A mission statement is a high-level statement that may not indicate
the detailed desired state for information security.

Q. 3

Answer: B. To support the business objectives

Explanation: The primary objective of any security strategy is to support the business objective.
Thus, it should be aligned with business objectives. Other options are secondary objectives.

Q. 4

Answer: B. Security objectives and processes

Explanation: A security strategy consists of the desired security objectives and the supporting
processes, methods, and relevant tools and techniques. The other options are not as significant.

Q. 5

Answer: C. To establish a local version of the organization's policy

Explanation: The best way to tackle such a situation is to establish a local version of the policy that
is aligned with local laws and regulations. The other options are not sensible.

Q. 6

Answer: B. To conduct a self-assessment using regulatory guidelines and reports

Explanation: Self-assessment is the best way to determine the readiness and remediation of
non-compliant items. This will help the organization prepare for regulatory review. The other options
are not as effective as option B.

Q. 7

Answer: C. The chief information security officer

Explanation: Generally, the CISO is responsible for enforcing the information security policy. The
steering committee monitors the enforcement process but is not responsible for enforcement. The
steering committee ensures that the security policy is aligned with business objectives. The chief
technical officer and compliance officer may to some extent be involved in the enforcement of policy
but are not directly responsible for it.

Q. 8

Answer: A. Design and develop an information security strategy

Explanation: The CISO is primarily responsible for designing and developing the organization's
information security strategy. The other functions are normally carried out by IT and operational
staff.

Q. 9

Answer: D. Aligned with business strategy

Explanation: The timeline for an information security strategic plan should be designed and aligned
with the organization's business strategy. The other options should be secondary considerations. The
business strategy and requirements should be the primary consideration.

Q. 10

Answer: A. Emphasizing the organizational risk

Explanation: Emphasizing the organizational risk and its impact on the business objectives is the
best way to gain commitment and support from senior management. The other options are secondary
factors.

Q. 11

Answer: A. To manage the risks impacting business objectives

Explanation: The primary objective of a security strategy is to manage and reduce any risk that
could impact the business objectives. It is not feasible to mitigate risks to zero. The transfer of risks
to insurers and developing a risk-aware culture may also be aspects of managing risk.

Q. 12

Answer: A. A conflict of security controls with business requirements

Explanation: This is an example of a conflict between security controls and business requirements.
In this case, the security controls are not supporting the business needs. Controls should not restrict
employees' ability to perform their jobs.

Q. 13

Answer: C. Defining the scope

Explanation: The first step should be to define the scope of the strategy. Scope means determining
the extent of functions/units/departments to be covered in the strategy. The other options are
subsequent steps to be performed.

Q. 14

Answer: B. To support the business objectives and goals of the enterprise

Explanation: The most important objective of an information security strategy is that it should
support the objectives of the organization. The other options are secondary objectives.

Q. 15

Answer: A. Defined objectives

Explanation: Defined objectives are the most important element. Without objectives, a strategy to
achieve them cannot be developed. Policies are developed after the strategy. A defined time frame
and a framework are not as important.

Q. 16

Answer: D. The information security strategy may not be aligned with business requirements.

Explanation: The security steering committee monitors and controls the security strategy. In the
absence of inputs from user management (the user department), the developed strategy may not
support the business requirements. Other options are not as significant as the strategy not supporting
the business requirements. User training and budget allocation are not normally under the purview of
the steering committee.

Q. 17

Answer: C. To review the risk assessment with senior management for final consideration

Explanation: Senior management will be in the best position to evaluate the impact of the risk on
business requirements. They will be able to balance security and business processes. The other
options would not address the issue.

Q. 18

Answer: D. Direct traceability

Explanation: Direct traceability is the best way to ensure that business and security objectives are
connected and that security is adding value to the business objectives. The other options are not as
good as traceable connections.

Q. 19

Answer: B. Senior management

Explanation: The overall accountability resides with senior management, though they may delegate
this responsibility to different functions. The security administrator and system administrator support
the security objectives of senior management.

Q. 20

Answer: A. To understand the key business objectives

Explanation: Understanding key business objectives is the most critical factor in aligning any
security strategy with the business strategy, as the security strategy should support business
objectives. The other options are secondary factors.

Practice Question Set 2


Q. 1

Answer: A. Financial performance

Explanation: The IT BSC considers factors such as customer satisfaction, innovation capacity, and
internal processes. Financial performance is not part of an IT balanced scorecard: an IT BSC measures
IT's contribution to the business rather than financial results as such.

Q. 2

Answer: B. Defining key performance indicators

Explanation: To measure the performance of IT services, key performance indicators must be defined
along with benchmarks for the expected performance level. The other choices are objectives of an IT
BSC, not prerequisites for measuring it.

Q. 3

Answer: C. Absence of IT alignment with business objectives

Explanation: A major risk can be the absence of IT alignment with business objectives. A steering
committee should exist to ensure that IT strategies support the organization's goals.

Q. 4

Answer: D. To improve performance

Explanation: The primary objective of an IT measurement process is to optimize the performance of
IT services. An IT performance measurement process can be used to optimize performance, measure
and manage products/services, assure accountability, and make budget decisions. The other options
are aspects of performance measurement but not primary objectives.

Practice Question Set 3


Q. 1

Answer: C. To evaluate and determine the correlation between the solution and the business
objectives

Explanation: The first step should be to assess and determine that the proposed solution is aligned
with the business objectives and requirements. Once this is established, the other options can follow.

Q. 2

Answer: D. Mitigate the risks impacting the business

Explanation: The most important objective of an information security program is to reduce any risk
and its impact on business objectives. The other options are secondary factors.

Q. 3

Answer: B. Aligning and integrating development activities

Explanation: A strategy is a roadmap to achieve objectives. Various implementation activities can be
aligned and integrated based on a developed strategy to achieve security objectives more effectively
and efficiently. The other options may be secondary factors.

Q. 4

Answer: A. A higher number of vulnerabilities being exploited

Explanation: A threat by itself cannot harm the organization unless it finds a vulnerability in the
system to exploit, so an increase in security events points to more vulnerabilities being exploited.
Detective controls cannot prevent an event. The absence of a system audit is an unlikely explanation
for an increase in the number of security events.

Q. 5

Answer: A. To protect information assets in accordance with the business strategy and objectives

Explanation: The primary objective of an information security program is to align the security
implementation with an organization's business strategy and objectives. An information security
program is not limited to only operational risks. It should also consider the confidentiality, integrity,
and availability of assets. A security policy is developed as a part of a security program to achieve the
protection of information assets.

Q. 6

Answer: A. An organization cannot completely depend on technical controls to address faulty
processes.

Explanation: Structured and resilient processes, in addition to technical controls, are the most
effective way to manage and address the risk. The right combination of management, administrative,
and technical controls is the most effective and efficient way to address the risk.

Q. 7

Answer: A. To improve the integration of business and security processes

Explanation: The integration of security governance and overall governance is the best way to
ensure that key business processes are well protected. The other options are actions that may arise
due to close integration between business and security processes.

Q. 8

Answer: B. To ascertain the need for creating the program

Explanation: The first step is to justify the need for the program by conducting a cost-benefit
analysis. Once the requirement of the program is established, the other options may be acted upon.

Practice Question Set 4


Q. 1

Answer: B. Business goals and objectives

Explanation: Security architecture should primarily be aligned with business goals and objectives.
The other options may be secondary considerations.

Q. 2

Answer: A. To understand the IT architecture and portfolio

Explanation: The primary step of the security manager is to understand and evaluate the IT
architecture and portfolio. Once they have a fair idea about the IT architecture, they can determine
the security strategy. The other options are to be followed once the security strategy is defined.

Practice Question Set 5


Q. 1

Answer: B. To improve risk management

Explanation: GRC is implemented by integrating interrelated control activities across the
organization for improving risk management activities. The other options are secondary objectives.

Q. 2

Answer: A. To synchronize and align an organization's assurance functions

Explanation: GRC is an effort to synchronize and align the assurance activities across the
organization for greater efficiency and effectiveness. The other options can be considered as
secondary objectives.

Q. 3

Answer: B. IT, finance, and legal

Explanation: Though GRC programs can be applied to any function of the organization, they primarily
focus on the financial, IT, and legal areas. Financial GRC focuses on effective risk management and
compliance for finance processes, IT GRC on IT processes, and legal GRC on enterprise-level
regulatory compliance. Together they ensure that regulatory requirements are adhered to and that
risk is appropriately addressed.

Practice Question Set 6


Q. 1

Answer: A. A cost-benefit analysis

Explanation: Senior management is more interested in the benefits derived from the budget, so a
cost-benefit analysis is the most important factor. The other options are also important considerations
while evaluating and approving the budget.

Q. 2

Answer: C. Approving policy statements and funding

Explanation: A policy statement contains the intent and direction of the management. Senior
management should approve policy statements and provide a sufficient budget to achieve the
organization's information security objectives. Management may be involved in evaluating products,
risk assessments, and mandating information security audits, but their primary role is to provide
direction, oversight, and governance.

Q. 3

Answer: A. They support the requirements of all key business stakeholders

Explanation: Information security should support the achievement of organizational objectives by
minimizing business disruptions. When information security supports the requirements of key
business units, there is alignment. The IT department is one of the stakeholders. The other options are
secondary factors.

Q. 4

Answer: D. Explain the impact of security risks on key business objectives

Explanation: Senior management is more concerned about the achievement of business objectives
and will be keen to address all the risks impacting key business objectives. The other options will not
be as effective.

Q. 5

Answer: C. Developing a business case

Explanation: A business case contains the need and justification for the project. It will be the most
important document to gain support from senior management. The other options will not be as
effective.

Q. 6

Answer: C. To conduct periodic reviews of alignment between security and business goals

Explanation: The most effective way is to ensure that the security program continues to be aligned
with and supports business objectives. This is critical for continued management support. Other
options will not have as much of an effect on management.

Q. 7

Answer: C. To consider a cost-benefit analysis

Explanation: The most effective way to justify the budget is to consider a cost-benefit analysis. The
other options may be considered while conducting a cost-benefit analysis.

Q. 8

Answer: B. Review and approval of risk management methodologies

Explanation: Management involvement in the review of risk management methodology is the best
indicator of management support and commitment to effective information security. The other
options do show some level of management support and commitment but are not the best indicators.

Q. 9

Answer: D. Enhanced business value

Explanation: The objective of security investment is to increase business value by reducing business
disruptions and losses and by improving productivity. The protection of information assets is one
element of enhanced business value.

Q. 10

Answer: C. The chief operating officer

Explanation: The steering committee should be sponsored by an authority who is well versed in the
business objectives and strategy. The chief operating officer has the most knowledge of business
operations and objectives and is in the best position to align the security strategy with business
objectives.

Q. 11

Answer: B. A value analysis

Explanation: Any investment should be able to provide value to the business. The primary driver for
investment in an information security project is a value analysis and having a sound business case.
The other options are secondary factors.

Q. 12

Answer: A. Senior management commitment

Explanation: Support and commitment from senior management is the most important prerequisite.
Without that, the other options may not add value to an information security program.

Q. 13

Answer: C. The steering committee

Explanation: The steering committee consists of senior officials from different departments. They
are well informed about business objectives and strategy. They can ensure that security governance is
aligned with the business strategy and objectives.

Q. 14

Answer: B. Strong management support

Explanation: Intention and support from senior management are of utmost importance to changing
an organization's security culture. In the absence of management support, the other options will not
add value.

Q. 15

Answer: D. A lack of high-level sponsorship

Explanation: A lack of high-level sponsorship means a lack of commitment and support from senior
management. Support from senior management is a prerequisite for effective security governance.
With high-level sponsorship, budget constraints and conflicting business priorities can be resolved.

Q. 16

Answer: A. To survey the business stakeholders

Explanation: Discussions with key business stakeholders will provide an accurate picture of the
alignment of security programs with supporting business objectives. Incident trends will help you
understand the effectiveness of security programs, but they are not directly about alignment. A
business case is prepared at the time of initiation of the project and a discussion with business owners
will help you understand whether alignment, as indicated in the business case, is being adhered to.

Q. 17

Answer: D. Reviewing the business balanced scorecard

Explanation: Reviewing the business balanced scorecard will help to determine the alignment of the
security goals with the business goals. The business scorecard contains important metrics from the
business perspective. The other options do not address the alignment directly.

Q. 18

Answer: A. Support from senior management

Explanation: The most important factor in the successful implementation of an organization's
information security program is support and commitment from senior management. The other options
are secondary factors. Without appropriate support, it will be difficult for the program to achieve the
desired objectives.

Q. 19

Answer: A. A periodic survey of management

Explanation: A survey of management is the best way to determine whether the security program
supports the business objectives. Achieving strategic alignment means that the business process
owners and managers believe that the organization's information security is effectively supporting
their goals. If business management is not confident in the security programs, the information
security manager should redesign the process to provide value to the business. The other options do
not directly indicate strategic alignment.

Q. 20

Answer: C. Maximize the cost-effectiveness of the control

Explanation: Alignment ensures that assurance functions are integrated to maximize cost-
effectiveness. A lack of alignment can result in potential duplicates or contradictory controls. These
would negatively impact cost-effectiveness. The others are secondary factors.

Q. 21

Answer: C. Discuss with senior management to understand their concerns

Explanation: The best method is to first discuss the matter with senior management and understand
their specific area of concern. Based on that, the program can be redesigned to be more meaningful
to management.

Practice Question Set 7


Q. 1

Answer: A. Appropriate justification

Explanation: The objective of a business case is to justify the implementation of any new project.
Justifications can be either the results of a gap analysis linked to a legal requirement or expected
annual loss, or any other reason.

Q. 2

Answer: C. To define the need

Explanation: The first step in developing a business case is to define the need for and justification of
the project. Without defining the need for the new project, the other options cannot be evaluated and
determined.

Q. 3

Answer: C. Developing a business case

Explanation: A business case contains the need and justification for the project. It will be the most
important document to gain support from senior management. The other options will not be as
effective.

Q. 4

Answer: D. Whether the technology provides benefits in comparison to its costs

Explanation: A technology should provide benefits by mitigating risk and at the same time it should
be cost-effective. A technology should be effective as well as efficient. If the technology is not cost-
effective, then it will not be meaningful even if it mitigates the risk.

Q. 5

Answer: A. Technical requirements

Explanation: Business requirements are the most important aspect for an information security
manager, followed by privacy and other regulatory requirements. Technical requirements are
therefore the least important of the given options.

Q. 6

Answer: C. A business case

Explanation: A business case contains the need and justification for the proposed project. It helps to
illustrate the costs and benefits of the project. The other options can be considered as part of the
information required in the business case.

Q. 7

Answer: B. To demonstrate the project's value and benefit

Explanation: It is very important and challenging to include the value and benefit in a business case
in a manner that convinces senior management. Technical aspects are generally not covered in the
business case. Risk scenarios and comparative data can be used to demonstrate value and benefit.

Q. 8

Answer: A. Develop and present a business case

Explanation: All options are important, but a significant aspect is developing and presenting a
business case to demonstrate that the security initiative is aligned to the organization's goals and that
it provides value to the organization. A business case includes all the given options.

Q. 9

Answer: D. To define issues to be addressed

Explanation: The first step in the development of a business case is to understand the issues that
need to be addressed. Without clear requirements being defined, the other options may not add value.

Q. 10

Answer: D. Feasibility and value proposition

Explanation: The most important basis for developing a business case is the feasibility and value
proposition. It helps to determine whether a project should be implemented. The feasibility and value
proposition indicates whether the project will be able to address risks with an effective ROI and
whether it will help to achieve the organizational objectives.

Q. 11

Answer: A. To develop and present a business case

Explanation: A business case is the best way to present the link between a new security project and
an organization's business objective. Senior management is keen to protect and achieve the business
objectives. If they see value in the project in terms of business support, there will not be any
reluctance. Risk scenarios should be considered as a part of the business case. Other options will not
be effective to address this concern.

Q. 12

Answer: D. A cost-benefit analysis

Explanation: A cost-benefit analysis will be the best way to make a decision. It indicates the cost of
implementing the control and the expected benefit from the investment. The cost of a control should
not exceed the benefit to be derived from it. The risk assessment is a step prior to the evaluation and
implementation of a control. In security, ROI is difficult to calculate because the return takes the
form of losses avoided rather than revenue earned.

Q. 13

Answer: B. A detailed business case

Explanation: A business case is the justification for the implementation of the program. It contains
the rationale for making an investment and indicates the cost of the project and its expected benefits.
The other options by themselves are not sufficient to justify the information security program. User
acceptance may not always be reliable for a security program, and security and performance often
clash.

Q. 14

Answer: C. A well-developed business case

Explanation: A business case is the justification for the implementation of a program. It contains the
rationale for making an investment and indicates the cost of the project and its expected benefits. The
other options by themselves are not sufficient to justify the information security budget.

Q. 15

Answer: C. Implementation benefits

Explanation: A business case is the justification for the implementation of the program. It contains
the rationale for making an investment and indicates the cost of the project and its expected benefits.
The other options by themselves are not sufficient to justify the information security budget.

Revision Questions


Q. 1

Answer: C. Effectiveness in mitigating risk

Explanation: The most important factor is the effectiveness of the information security program in
addressing the risk impacting the business objectives. The other options are secondary factors. Even a
considerable budget will be meaningless if a security program is not effective in mitigating risks.

Q. 2

Answer: A. The requirements of the desired state

Explanation: The objective of a security strategy can be best described as what is required to achieve
the desired state. It is not restricted to only key processes or loss expectations.

Q. 3

Answer: B. Aligning with business objectives and risk appetite

Explanation: The risk management strategy should support and be aligned with the business
objectives and risk appetite of the organization. The other options are not as significant.

Q. 4

Answer: B. The perspective of the whole being greater than the sum of its individual parts

Explanation: Systems thinking, in terms of information security, refers to the idea that a system is
greater than the sum of its individual parts.

Q. 5

Answer: C. To determine the objectives of the security strategy

Explanation: Determining the objectives of the security strategy is a must before any other steps are
taken, as all other steps are developed based on this strategy. The other factors are important but not
as significant.

Q. 6

Answer: B. Trends in incident occurrence

Explanation: Trends in incident occurrence will be more valuable from a strategic perspective as
they will indicate whether a security program is headed in the right direction or not. The other
options are more like operational metrics.

Q. 7

Answer: A. Resource utilization is high

Explanation: Value delivery means designing a process that brings the maximum benefit to the
organization. It indicates high utilization of the available resources for the benefit of the organization.
The other options by themselves do not indicate value delivery.

Q. 8

Answer: C. The current state of security and future objectives

Explanation: It is very important to understand the current state of security and the desired future
state or objective. In the absence of clearly defined objectives, it will not be possible to develop a
strategy. The other options are important but not as significant.

Q. 9

Answer: A. Whether the strategy supports the business objectives

Explanation: The most important objective of a security strategy is to support the business
requirements and goals. The strategy should support the business objectives. The other options are
secondary objectives.

Q. 10

Answer: A. To determine the goals of security and the plan to achieve them

Explanation: The primary objective of a security strategy is to set out the goals of the information
security program and the plan to achieve these goals. The budget is linked with security objectives. A
strategy is a high-level management intent and does not generally include implementation aspects as
mentioned in options B and C.

Q. 11

Answer: C. Security strategy

Explanation: The security strategy is the guiding force for the implementation of a security program.
The roadmap detailing security implementation, i.e., procedures, resources, timelines, and so on, is
developed based on the strategy. The other options may be input factors for designing the strategy.
However, once a strategy is developed, it is considered to be the overall guiding principle for the
implementation of a security program.

Q. 12

Answer: C. Changes in management intent and direction

Explanation: A policy reflects the intent and direction of the management. Any changes in
management intent should also be appropriately addressed in the policy. Changes in regulation and
baseline should be addressed in procedures, guidelines, and standards. Changes in culture may or
may not impact the policy; however, management intent is more significant here.

Q. 13

Answer: B. Ensuring that residual risk is kept within acceptable levels

Explanation: Residual risk is the risk that remains after controls are implemented. One of the
objectives of a security strategy is to ensure that residual risks are well within the acceptable limit.
This reassures management. The other options are not as significant as residual risk being within
acceptable levels.

Q. 14

Answer: D. The strategy helps to achieve the control objectives

Explanation: Control objectives are developed to achieve an acceptable level of risk. A strategy is
considered effective if control objectives are met. The other options may be a part of a control
objective, but effectiveness is best measured by evaluating the extent to which the overall control
objectives are met.

Q. 15

Answer: B. Concerns regarding the organization's liability

Explanation: The involvement of board members in information security initiatives indicates good
governance. The liability of directors can be protected if the board has exercised due care. Many laws
and regulations make the board responsible in cases of data breaches. Even a cybersecurity insurance
policy requires the board to exercise due care as a precondition for insurance coverage. The board is
not required to involve themselves in routine compliance and policy implementation processes.

Q. 16

Answer: C. Key performance indicator

Explanation: A key performance indicator is a measure to determine how well a process is
performing compared to expectations. A key success factor determines the most important aspects or
issues to achieve the goal. A key objective indicator and key goal objective define the objectives set
by the organization.

Q. 17

Answer: D. Reviewing the business balanced scorecard

Explanation: The business balanced scorecard contains many important metrics from the perspective
of the business. Reviewing these metrics will help in determining whether the security goals are in
line with the goals of the business. The other options do not directly address alignment between the
two.

Q. 18

Answer: C. To ensure that the security goals are derived from the business goals

Explanation: Security goals should be developed based on the overall business objective. The
security strategy should support the business goals and objectives.

Q. 19

Answer: C. Control objectives being met

Explanation: "Baseline" means the basic standard to be complied with. In a mature organization, it is
expected that the control objectives of security should be met. The other options may be part of the
control objectives, but all objectives defined should be met in a mature organization.

Q. 20

Answer: D. Difficulty in monitoring compliance with laws and regulations

Explanation: The area of most concern is compliance with laws and regulations. Security managers
need to ensure that local laws are appropriately addressed. Local laws vary from country to country,
and sometimes they might be in conflict with the organization's global security requirements. Non-
compliance with laws and regulations may have a major impact on business processes. The other
options are not as significant.

Q. 21

Answer: A. An abnormal deviation in employee attrition rate

Explanation: A sudden change in the employee attrition rate may indicate suspicious activity that
requires the attention of the security manager. For example, if a large number of developers are
leaving the organization, it may indicate that a competitor is trying to obtain the organization's
development plans. A large number of viruses and filtered packets may indicate a change in the threat
environment; however, these events have already been controlled by the antivirus software or the
firewall. A small number of security officers does not by itself indicate a risk.

Q. 22

Answer: C. The business priorities

Explanation: Senior management will be more interested in understanding how the security strategy
is supporting the business objectives, that is, whether the top-level goals and objectives are being
supported by security. The other options are not relevant at the strategic level.

Q. 23

Answer: B. To design a tailored methodology based on exposure

Explanation: The classification of data in accordance with its value and exposure, followed by the
development of a strategy for each class, is the best process for effective data protection. This will
address the risk of under-protection as well as over-protection of data. Vulnerability assessments do
not consider threat and other factors that impact the risk treatment. Insurance policies and industry
practices may be considered based on risk and the classification of data.

Q. 24

Answer: D. Discuss the relationship between the security program and business goals.

Explanation: Senior management is keen to protect and achieve the business goals and objectives. If
they see value in the project in terms of business support, there will not be any reluctance. The other
options can be secondary factors.

Q. 25

Answer: C. Alignment with the goals set by the board of directors

Explanation: A security strategy is said to be successful if it supports the achievement of goals set
up by the board of directors. The other options do not directly indicate that the security program is
successful.

Q. 26

Answer: D. To demonstrate support for the desired outcome

Explanation: Demonstrating support for the desired outcome is the best approach. This can be done
by demonstrating improvements in performance metrics related to business objectives. Senior
management is keen to protect and achieve the desired outcome in the form of business goals and
objectives. The other options are secondary factors.

Chapter 3: Information Risk Assessment

Practice Question Set 1


Q. 1

Answer: A. The magnitude of impact

Explanation: To determine the risk level, two things are required, i.e., the probability (likelihood) of
the event and the impact of the event. Risk is the product of probability and impact. Once the
likelihood has been determined, the next step is to assess the magnitude of the impact. Once the level
of risk is determined, it can be compared against risk appetite and risk tolerance.

Q. 2

Answer: B. Likelihood and consequences

Explanation: To determine the level of risk, two things are necessary: the probability of an event
happening and the impact if it does take place. Risk is the product of probability (likelihood) and
impact (consequence).

Q. 3

Answer: C. Reduction in the likelihood of being exploited

Explanation: Reducing the exposure refers to keeping the information assets away from public
reach. For example, consider a sensitive database that was previously accessible through the public
internet but now is not. This reduction in exposure will reduce the likelihood of this database being
exploited. However, this will not automatically reduce other vulnerabilities. Also, it will not reduce
the impact if the database is compromised.

Practice Question Set 2


Q. 1

Answer: D. Management may have concerns that the stated impact is underestimated.

Explanation: The most likely reason is that management has doubts regarding the estimation of the
level of risk. In such cases, management might choose to mitigate the risk even if it is within the risk
tolerance level. It is much less likely that the board requires all risks to be mitigated. This is neither
practical nor feasible. Also, management generally accepts risks if they are within the organization's
risk appetite. There is no sense in addressing any risk that is within the risk appetite even if the
treatment is cost effective.

Practice Question Set 3


Q. 1

Answer: C. To determine whether the residual risk is acceptable

Explanation: Once the residual risk is determined, the next step is to validate whether it is acceptable
or not. If it is within the risk appetite, it can be accepted. Otherwise, further controls would need to be
implemented to reduce it.

Q. 2

Answer: A. Organizational requirements

Explanation: The acceptable level of risk is determined by the overall organizational requirements.
Organizational requirements refer to what the organization wants to achieve by taking the risk. The
other options may not directly determine the acceptable level of IT risk.

Q. 3

Answer: B. The residual risk level is less than the acceptable risk level

Explanation: Controls are said to be effective when the residual risk is less than the acceptable risk
level. Residual risk is the risk that remains after controls have been implemented. The acceptable
level of risk is the management's willingness to take a risk.

Q. 4

Answer: A. Management discretion

Explanation: Residual risk means the risk that management is willing to accept. It is ultimately
subject to the management's discretion. The objective of a risk management program is to ensure that
the risks applicable to the organization are brought down to an acceptable level by the
implementation of various mitigation strategies. It is not possible to completely eliminate all inherent
or control risks.

Practice Question Set 4


Q. 1

Answer: D. Context and purpose of the program


Explanation: The first step is to establish the context and purpose of the risk management program.
Management support can be gained only if the program has appropriate context and purpose. Security
policy and assignment of an oversight committee are subsequent steps.

Q. 2

Answer: A. It provides the basis for selecting the risk response

Explanation: A risk evaluation determines whether any risk is within the acceptable range or
whether it should be mitigated. Based on this evaluation, risk responses are decided.

Q. 3

Answer: D. To decrease the level of impact

Explanation: The most important objective of a risk response is to ensure that the impact of the risk
is within acceptable levels. Lowering the vulnerability or addressing the threat is one of the
approaches to controlling the risk's impact. The objective of a risk response is not to decrease the cost
of control.

Q. 4

Answer: D. To assess the level of exposure and plan the remediation

Explanation: In a risk analysis, the impact and level of risk are determined (i.e., high, medium, or
low). Risk analysis helps determine the exposure and helps to plan for remediation. The prioritization
of assets, justification of the security budget, and determining the residual risks are indirect benefits
of risk analysis but not the main objectives.

Q. 5

Answer: C. The organization can minimize the residual risk

Explanation: The prime objective of a risk management program is to minimize residual risk so that
it is within the organization's risk appetite. It is not practical and/or feasible to eliminate inherent risk.
Quantification and monitoring of risks are good indicators of a successful risk management program;
however, they are not as significant.

Practice Question Set 5


Q. 1

Answer: B. To reduce risk to an acceptable level


Explanation: The most effective strategy for risk management is to reduce the risk to an acceptable
level. This will help the organization manage risks as per their risk appetite. It may not always be
practical to achieve a balance between the risks and the business goals. Developing a policy
statement and documentation of risks are not as significant.

Q. 2

Answer: A. To provide training to the assessor

Explanation: The best approach to reduce the subjectivity of the risk assessment is to provide
frequent training to the risk assessor. It improves their accuracy. Without appropriate training, the
other options may not be effective.

Q. 3

Answer: D. To achieve an acceptable level of risk

Explanation: The main objective of a risk management program is to ensure that the risk is within a
level that is acceptable to management. If the inherent risk is already within the acceptable level,
there is no need to further reduce it. It is not practical or feasible to eliminate all risks. The ultimate
objective of establishing an effective control is to ensure that risks are within the agreed acceptable
level.

Q. 4

Answer: D. If the program is supported by all members of the organization

Explanation: For effective risk management, the most important criterion is that the program should
be supported by all the members of the organization. All staff members should be able to understand
their roles and responsibilities with respect to risk management. The other options are secondary
criteria.

Q. 5

Answer: B. An acceptable level

Explanation: The objective of a risk management program is to reduce the risk to a level that is
acceptable to management. Reducing the risk to zero or eliminating all hazards is not possible.
Industry-adopted standards may not always be acceptable.

Q. 6

Answer: C. The risk is within the risk tolerance level

Explanation: Risk tolerance is the acceptable level of deviation from the risk appetite. Generally,
risk tolerance is slightly higher than risk appetite. The other options are not the main factors for
ignoring a risk.

Q. 7

Answer: A. All organizational processes

Explanation: Risk management should be applied to all the processes within the organization.
Whether a risk level is acceptable can be determined only when the risk is known.

Q. 8

Answer: D. Risk activities being embedded in business processes

Explanation: The main objective of a risk management process is to ensure that any risk is identified
and mitigated in a timely manner. This can best be done by embedding the risk activities in all
business processes. The other options are not as significant.

Practice Question Set 6


Q. 1

Answer: B. On a continuous basis

Explanation: The effectiveness of a risk assessment increases if it is conducted on a continuous
basis. This helps the organization address any emerging risks and other significant changes in the
business environment. It must be noted that risk assessment is not a one-time activity.

Q. 2

Answer: D. Annually or whenever there is a significant change

Explanation: The risk environment for any organization changes constantly. The most effective risk
assessment frequency is annual or whenever there is a significant change. This helps to assess risks
within a reasonable timeframe and allows the flexibility to assess risks when there are significant
changes. Risk assessment is applicable to all processes, not just critical business processes.

Q. 3

Answer: C. To address the constantly changing risk environment

Explanation: A change in the risk environment introduces new threats and vulnerabilities to the
organization. To address this, risk assessments should be conducted on a continuous basis. The other
options are not the prime objectives for conducting risk assessments.

Q. 4

Answer: C. A risk assessment


Explanation: Risk assessments help determine the impact of a vulnerability, and based on the
impact, necessary remedial measures can be decided. The other options will not help determine the
impact of the vulnerability.

Q. 5

Answer: A. To justify the selection of risk mitigation strategies

Explanation: Risk assessments help determine the impact of a vulnerability, and based on the
impact, necessary remedial measures can be decided. They help to justify the selection of risk
mitigation strategies.

Q. 6

Answer: C. Evaluating both monetary value and likelihood of loss

Explanation: Risk is the combination of two components: probability (likelihood) and impact. Both
components are essential for the analysis of risk. Hence, likelihood and impact are the primary
elements to be determined in a risk analysis.

Q. 7

Answer: A. To address constantly changing business threats

Explanation: The business environment changes constantly and new threats emerge. Therefore, risk
assessments should be repeated at regular intervals.

Q. 8

Answer: D. Performing a risk assessment

Explanation: A risk assessment will help the organization to determine any new risks introduced by
the migration of IT operations to an offshore location. The new risks may be in the form of non-
adherence to regulations, overspending, or perhaps some operational aspects.

Q. 9

Answer: D. A list of risks that may impact the organization

Explanation: A risk assessment helps to derive a list of all the applicable risks impacting the
organization.

Q. 10

Answer: A. Consequences

Explanation: If there are no impacts or consequences of the exploitation of a vulnerability, then there
is no risk. Risk analysis, risk evaluation, and risk treatment are primarily based on the impacts of a
risk.

Q. 11

Answer: A. In the case of material control failure

Explanation: A material control failure indicates that the control was not designed and monitored
properly. It requires a full reassessment of the risk. The other options do not require a full reassessment.

Q. 12

Answer: D. To determine trends in the evolving risk profile

Explanation: Consistency in the risk assessment process will help to determine trends over a period.
If risk assessments are not consistent, then the results of those risk assessments cannot be comparable
with the previous results.

Practice Question Set 7


Q. 1

Answer: D. The aggregated risk

Explanation: A homogeneous network is a computer network composed of similar configurations
and protocols. This allows a common threat to impact all devices. Thus, the area of major concern
is the aggregated risk of all devices being impacted by a single threat. The other options are not
directly impacted by a homogeneous network.

Q. 2

Answer: C. Ability to generate revenue

Explanation: The valuation of intangible assets should be done based on the ability of the asset to
generate revenue for the organization. If these assets become unavailable, the organization will lose
that amount of revenue. Acquisition or replacement costs may be more or less than the asset's
actual ability to generate revenue.

Q. 3

Answer: C. To determine the value of the information or asset

Explanation: The best way to estimate potential loss is to determine the value of the information or
assets. Value can be in the form of productivity loss, the impact of data leakage, or the opportunity
cost due to the unavailability of assets.

Q. 4

Answer: D. Identify significant overall risk from a single threat

Explanation: The goal of risk aggregation is to identify significant overall risk from a single threat
vector. Aggregated risk means the significant impact caused by a large number of minor
vulnerabilities. Such minor vulnerabilities do not cause any major impact individually, but when all
vulnerabilities are exploited at the same time, they can cause a huge impact.

Practice Question Set 8


Q. 1

Answer: B. Likelihood and impact

Explanation: Risk is the product of two components: probability (likelihood) and impact. Both
components are essential for the analysis of risk. Hence, likelihood and impact are the primary
elements determined in a risk analysis.

Q. 2

Answer: B. The risk of electrical power outages on business processes

Explanation: The impact due to loss of power is more easily measured and quantified
than the impact in the other options.

Q. 3

Answer: B. Contains percentage estimates

Explanation: The results derived from a quantitative risk analysis are measurable. Percentage
estimates are characteristics of quantitative risk analysis. The other options are generally
characteristics of a qualitative risk analysis.

Q. 4

Answer: B. To determine the maximum possible loss over a period of time

Explanation: Value at risk is a statistical computation that uses historical data to estimate the
probability of loss. Value at risk is mostly used in the financial sector to determine the risk of an
investment. However, it is also applicable to the information security domain.

Q. 5

Answer: B. To determine possible scenarios with threats and impacts

Explanation: For qualitative risk analysis, the best way is to list all possible threat and impact
scenarios. This will facilitate an informed risk management decision. The other options are generally
used for the quantification of risk.

Q. 6

Answer: C. The ratio of insurance coverage to total cost of business interruption

Explanation: The objective here is to determine the level of risk acceptable to management. The best
quantification is to derive the cost of business interruption and the level of insurance taken to protect
against such losses. For example, suppose the cost of business disruption is $100,000 and insurance
coverage is up to $80,000. Then, the risk appetite of the organization can be considered as $20,000.
The other options will provide only a rough estimation of the risk appetite.
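An added Python sketch (not the book's own material) that works the arithmetic behind the answers in Sets 1 to 8: risk as the product of likelihood and impact, residual risk compared against risk appetite and risk tolerance, the risk of a single threat aggregated across a homogeneous network (Set 7, Q. 4), and the insurance-gap reading of risk appetite from Q. 6 above. The register entries, the figures, and the linear control-effect model are constructed assumptions.

```python
# Added illustration, not from the book. All figures and the linear
# control-effect model are constructed assumptions.
from dataclasses import dataclass


@dataclass
class Risk:
    """One entry in a risk register, expressed in annualised monetary terms."""
    name: str
    likelihood: float            # probability of the event per year, 0.0 to 1.0
    impact: float                # loss per occurrence, in currency units
    control_effect: float = 0.0  # fraction of likelihood removed by controls (assumed linear)

    def inherent(self) -> float:
        """Risk before any controls: likelihood multiplied by impact."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk that remains after controls have been applied."""
        return self.likelihood * (1.0 - self.control_effect) * self.impact


def evaluate(risk: Risk, appetite: float, tolerance: float) -> str:
    """Compare residual risk with appetite and tolerance.

    Appetite is the level management accepts outright; tolerance is the
    acceptable deviation above appetite, so tolerance >= appetite. Anything
    above tolerance needs further treatment.
    """
    if tolerance < appetite:
        raise ValueError("tolerance must be at least the appetite")
    residual = risk.residual()
    if residual <= appetite:
        return "accept"
    if residual <= tolerance:
        return "within tolerance"
    return "mitigate"


def aggregated_risk(likelihood: float, per_device_impact: float, device_count: int) -> float:
    """Risk of one threat hitting every device of a homogeneous network at once.

    Each device alone carries only likelihood * per_device_impact; the
    aggregated figure is what must be compared with the appetite.
    """
    return likelihood * per_device_impact * device_count


def risk_appetite_from_insurance(cost_of_interruption: float, coverage: float) -> float:
    """Uninsured share of a business interruption, read as the accepted loss."""
    return max(cost_of_interruption - coverage, 0.0)


def prioritise(register: list) -> list:
    """Order risk names so that the highest residual risk is treated first."""
    return [r.name for r in sorted(register, key=lambda r: r.residual(), reverse=True)]


# Constructed sample register (assumed values, not from the book).
REGISTER = [
    Risk("laptop theft", likelihood=0.30, impact=20_000, control_effect=0.50),
    Risk("ransomware on file server", likelihood=0.10, impact=150_000, control_effect=0.90),
    Risk("power outage", likelihood=0.50, impact=8_000, control_effect=0.00),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: inherent={r.inherent():.0f} residual={r.residual():.0f} "
              f"-> {evaluate(r, appetite=2_500, tolerance=3_500)}")
    print("treatment order:", prioritise(REGISTER))
    print("aggregated risk, 200 devices:", aggregated_risk(0.1, 500, 200))
    print("appetite from insurance gap:", risk_appetite_from_insurance(100_000, 80_000))
```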

Practice Question Set 9


Q. 1

Answer: B. Mitigation should be based on threat, impact, and cost considerations

Explanation: Mitigation must consider the level of risk and the cost of various treatment options.
High-risk vulnerabilities should be addressed as a priority. Low-risk vulnerabilities may not need to be
addressed immediately. Resources should first be used to address high-risk vulnerabilities.

Q. 2

Answer: A. Prioritization

Explanation: Prioritization helps determine the importance of assets/processes that need to be
addressed first. Prioritization is organized based on the level of the risk. The highest risks are
addressed first. Threat alone is not sufficient as you need to consider vulnerability as well as impact.

Q. 3

Answer: B. Frequency and impact

Explanation: Risk is the product of probability and impact. Frequency (i.e., probability) and impact
can help determine the actual level of risk. Both terms are equally important to determine the level of
risk. Once the risk is determined based on its frequency (i.e., probability) and impact, then high-level
risks are prioritized and addressed first. The other options are not as important.

Q. 4

Answer: B. Likelihood of compromise and subsequent impact

Explanation: Risk is the product of probability and impact. Probability (i.e., likelihood) and impact
can help determine the actual level of risk. Both terms are equally important to determine the level of
risk. Each risk is determined based on its probability (i.e., likelihood) and impact. Then, high-level
risks are prioritized and addressed first. The other options are not as important.

Practice Question Set 10


Q. 1

Answer: C. Review of all IT-related risks on a periodic basis

Explanation: A risk register contains the details of all identified risks. The main objective of the risk
register is to facilitate a thorough review of all risks on a periodic basis. The other options are
secondary factors.

Practice Question Set 11


Q. 1

Answer: A. Feasibility

Explanation: It is always advisable to identify and address the risk at an early stage of any new
system development. The risk of a new system may challenge the feasibility of the system's
development.

Q. 2

Answer: D. To implement an appropriate procurement process

Explanation: The most important aspect is to implement a structured process that will help to
identify the risk that may be introduced by a new system. Options A, B, and C can be made part of a
structured process.

Practice Question Set 12


Q. 1

Answer: D. Security review

Explanation: A security review is conducted to determine the current state of the security posture of
the organization. Vulnerability and threat analysis will help determine the level of vulnerability and
threat but without knowing the existing security arrangement, the risk cannot be determined. An
impact analysis is more effective in determining the potential impact of a loss event.

Q. 2

Answer: B. Reducing the exposure

Explanation: If a threat is already known, the best way to address it is to reduce the exposure to the
extent possible. This reduces the probability of exploitation of the risk. The other options are not as
effective as reducing the exposure itself.

Q. 3

Answer: B. Reduce the attack surface

Explanation: An attack surface refers to the various entry points from which an attack can happen. It
determines the level of exposure. By decreasing the attack surface, the level of exposure decreases.
The attack surface can be reduced by limiting entry points, ports, and protocols and disabling unused
services. The other options are not as effective.

Q. 4

Answer: A. The vulnerability being compartmentalized

Explanation: Compartmentalization means separating sensitive information assets in a manner that
reduces exposure or eliminates it. If compartmentalization of the vulnerability results in no exposure,
then there is no risk. The availability of an incident response procedure and compensating control are
not as effective. Even if there has been no exploitation so far, the threat can materialize at any time.
The appropriate safeguards should be in place.

Q. 5

Answer: A. External vulnerability reporting sources

Explanation: Many agencies publish new vulnerabilities and provide recommendations to address
vulnerabilities. This is the most cost-effective method of understanding new vulnerabilities. The other
options may not be as cost effective as external vulnerability sources.

Q. 6

Answer: C. To provide assurance to management

Explanation: A vulnerability assessment helps identify all existing vulnerabilities and plans to
address them. This assures management that the risks to business objectives are actively monitored
and controlled. It is not possible to eliminate all risks. A vulnerability assessment is not primarily
conducted to adhere to the security policy or to monitor the efficiency of the security team.

Q. 7

Answer: A. Determine the weaknesses in the network and server security


Explanation: The objective of a penetration test is to identify weaknesses in the network and server
security. Based on the results of the penetration test, the identified weaknesses can be addressed to
improve the security posture of the organization.

Q. 8

Answer: B. Regular signature updates of the scanning tool

Explanation: The most important aspect of a scanning tool is to get it updated with new signatures to
address new and emerging risks. A vulnerability scanner need not delete viruses. Multiple functions
and user-friendly graphical user interfaces are good-to-have features but not as important.

Q. 9

Answer: D. Identified vulnerabilities should be evaluated for threat, impact, and cost of mitigation

Explanation: To prioritize and decide on the treatment of a vulnerability, it should be evaluated
based on threat, impact, and cost of mitigation. All three factors should be considered.

Q. 10

Answer: D. To conduct a vulnerability assessment to detect the application's weaknesses

Explanation: The most cost-effective approach to test the security of a legacy application is to
conduct a vulnerability assessment. The other options are not as effective as vulnerability
assessments to test the security of legacy applications.

Chapter 4: Information Risk Response

Practice Question Set 1


Q. 1

Answer: C. Risk transfer

Explanation: Taking out insurance is an example of risk transfer. In risk transfer, the risk is shared
with partners or is transferred via insurance coverage, contractual agreement, or other means. For
instance, natural disasters have a very low probability but a high impact. The response to such a risk
should be risk transfer.

Q. 2

Answer: B. The business manager

Explanation: The business manager will be in the best position to decide on any particular control on
the basis of risk assessment as they are thoroughly aware of the risks relevant to their processes. The
senior manager should provide the appropriate funding for the control. The audit and security
managers support the business manager in reviewing and monitoring the effectiveness of the control.

Q. 3

Answer: A. Set up monitoring techniques to detect and react to fraud

Explanation: The best course of action for the organization in the given situation is to set up
monitoring techniques to detect and react to potential fraud. It is not possible to make customers
liable for fraud. Making customers aware of the risks of fraud is a good option but not as effective.
To outsource the processes, a business case needs to be reviewed and decisions should be taken
accordingly. However, the most effective method will be setting up monitoring techniques to detect
and react to fraud.

Q. 4

Answer: A. Conducting user awareness training

Explanation: In a phishing attack, employees are approached via email by someone posing as an
authorized representative. This is done to trick employees into divulging sensitive information, such
as personal information, banking and credit card information, and passwords. The best way to combat
this attack is to conduct frequent user awareness training.

Q. 5

Answer: C. Risk transfer

Explanation: Taking out insurance is an example of risk transfer. In risk transfer, the risk is shared
with partners or transferred via insurance coverage, contractual agreement, or other means. Natural
disasters have a very low probability but a high impact. The response to such a risk should be risk
transfer.

Q. 6

Answer: A. To mitigate the impact by purchasing insurance

Explanation: The best approach in this situation is to purchase insurance to compensate for the
financial liability. Privacy laws are aimed at protecting customers and generally mandate heavy penalties
for data breach incidents. A breach can still happen even after implementing technical controls, so the
best solution is to purchase insurance.

Q. 7

Answer: B. Risk treatment

Explanation: Risk treatment consists of four types: risk acceptance, risk avoidance, risk mitigation,
and risk transfer.

Q. 8

Answer: B. Risk mitigation

Explanation: Risk mitigation is the act of implementing security controls to reduce the impact of risk
and to bring risk down to an acceptable level.

Q. 9

Answer: C. A method that addresses the control objectives

Explanation: A control objective is met when risk is mitigated in the most effective and efficient
manner. The best risk treatment should be both effective (that is, it should be able to address the risk)
and efficient (that is, the cost of treatment should be optimum).

Q. 10

Answer: D. Transferring the risk to a third party

Explanation: The best risk response in such a scenario (low probability and high impact) is to
transfer the risk to a third party. Insurance for natural calamities is one such example. This will help
the organization compensate for the financial losses they face.

Q. 11

Answer: B. User entitlement

Explanation: The data owner is accountable for ensuring that access to their data is provided based
on user entitlement and a need-to-know basis. The other options are the responsibilities of the
security team.

Q. 12

Answer: A. Implementing role-based access control

Explanation: The best way is to provide access to confidential information on a need-to-know basis,
that is, role-based access control. Defense in depth is generally for external threats. A privacy policy
details how information is collected and used. It will not be able to prevent a threat. Capturing
transaction logs is a detective control. A detective control will not be able to prevent a threat.

Q. 13

Answer: C. Use third-party service providers to manage low-risk activities

Explanation: The best option in this situation is to use the services of a third party with expertise in
information security. This will result in cost reduction and, at the same time, adherence to security
requirements. The other options are not feasible and will result in an increase in security risks.

Practice Question Set 2


Q. 1

Answer: C. The business process owner

Explanation: Business process owners are in the best position to conduct the risk analysis for their
respective processes. They have detailed knowledge of the risks and controls applicable to their
processes.

Q. 2

Answer: C. The business process owners

Explanation: A business process owner will be in the best position to drive a project for
implementing regulatory requirements. They have a thorough understanding of their processes and
the impact of regulatory requirements on those processes. The other options do support the business
process owner in the implementation of the project but are not primary.

Practice Question Set 3


Q. 1

Answer: C. The potential impact affects the extent of mitigation

Explanation: The potential impact helps management determine the extent of mitigation required. If
the impact is on the higher side, management may allow more budget for mitigation efforts. The
potential impact does not directly relate to risk treatment options. The potential impact can be more
than the cost of the assets as it may include the cost of recovery, business downtime, and other costs.
The potential impact is in no way useful in determining the probability.

Q. 2

Answer: C. Understanding the business objectives and the flow and classification of information

Explanation: The most important factor to determine new threats is to first understand the business
objectives and the flow and classification of information. It is of utmost importance to have
knowledge of the threats to business processes. The other options can be subsequent steps.

Q. 3

Answer: C. Increase in risk scenarios

Explanation: The use of cloud services will introduce new risk scenarios as the dependency will be
on a third-party cloud service provider. This new risk has to be included in the risk profile of the
organization. A cloud service is generally considered a cost-effective resource. The source of a
business transaction is not impacted by the cloud service. Cloud service providers generally have
more stringent security controls to prevent attacks.

Q. 4

Answer: D. Probability of mobile devices being lost or stolen easily

Explanation: Because of the small size and ease of mobility, mobile devices are subject to a high
risk of being lost or stolen. This can result in unauthorized disclosure of any sensitive data present on
the mobile devices. The other options are not significant security concerns.

Q. 5

Answer: A. Calculating the risk

Explanation: The first course of action for a security manager is to calculate the risk of the exception
and decide on approval on that basis. If the potential benefit from the exception is more than the
potential loss from the risk, an exception may be granted.

Q. 6

Answer: C. Advising management of the risk and its potential impact


Explanation: The best course of action for the security manager is to discuss with management the
risk and the potential impact of noncompliance. Management is in the best position to address any
conflict between security requirements and business requirements. An exception can be approved if
management considers the potential benefit of the exception to be more significant than the perceived
risk. Designing new guidelines and benchmarking standards are not relevant.

Q. 7

Answer: C. Define an exception process for sending the data without encryption

Explanation: In the given situation, the best course of action is to work out an exception process to
send the data without encryption. The security manager should work out another secure way of
communicating and implement other compensating controls for the protection of unencrypted data.

Q. 8

Answer: A. When determining the results of the implementation of controls

Explanation: Residual risk refers to the remaining risk after controls have been implemented.
Residual risk is compared to the acceptable risk level to determine whether controls are effective. If
the residual risk is higher than the acceptable risk then more controls are required. The classification
of assets is based on their value. Residual risk is not relevant at the time of the identification of risk
or the valuation of assets.

Q. 9

Answer: B. Preparation of a list of action items to mitigate the risk

Explanation: Risk analysis results provide a list of the most critical risks that need to be addressed
on a priority basis. The other options are not directly impacted by the results of a risk analysis.

Q. 10

Answer: A. To understand the risk due to noncompliance and recommend an alternate control

Explanation: The best course of action for the security manager is to evaluate the risk due to
noncompliance. If the potential benefit from the exception is more than the potential loss from the
risk, an exception may be granted along with some alternate controls.

Q. 11

Answer: D. The percentage of incidents from unknown risks

Explanation: An incident from an unidentified risk indicates the effectiveness of the risk assessment.
A low percentage indicates that almost all sources of risk have been identified, whereas a high
percentage indicates that the risk assessment was unable to identify major sources of risk. The other
options do not directly indicate the effectiveness of a risk assessment.

Q. 12

Answer: B. Review compliance with the standards and policies

Explanation: The first course of action is to review compliance with the standards and policies. If
the risk management procedures comply with those standards and policies yet are still inadequate and
inconsistent, this indicates that the standards and policies have not been drafted appropriately.
Policies and standards need to be reviewed to determine whether they are adequate. The other options
will not be meaningful if policies and standards are inconsistent and inadequate.

Q. 13

Answer: A. To validate the noncompliance

Explanation: The first step for the security manager is to validate the noncompliance to rule out any
false positives. The other options are subsequent actions.

Q. 14

Answer: C. To compare logical access and physical access for deviations

Explanation: The security manager should be most concerned about loopholes in the physical and
logical access controls. By comparing physical access records with logical access records, the
security manager can identify issues such as tailgating, password sharing, and other forms of
compromise. Options A and B are not relevant from the information security perspective. Option D is
less significant.
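
The comparison the explanation describes can be automated. The following is an added example, not code from the book: it reconciles a constructed badge-reader export with a constructed console-logon export and reports each logon that has no preceding badge-in by the same user (a tailgating or password-sharing indicator) and each badge-in that is never followed by a logon. The record format, user names, timestamps, and the 12-hour matching window are assumptions.

```python
"""Compare physical (badge) and logical (console logon) access records.

Added illustration, not code from the book. The record formats, user names,
and timestamps below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed badge-reader export: user,event,timestamp
BADGE_LOG = """\
alice,badge_in,2024-03-04T08:02:00
bob,badge_in,2024-03-04T08:15:00
dave,badge_in,2024-03-04T09:00:00
alice,badge_out,2024-03-04T17:30:00
"""

# Constructed workstation console logon export: user,event,timestamp
LOGON_LOG = """\
bob,console_logon,2024-03-04T07:50:00
alice,console_logon,2024-03-04T08:10:00
bob,console_logon,2024-03-04T08:20:00
carol,console_logon,2024-03-04T08:25:00
"""


def parse_records(text):
    """Parse 'user,event,ISO-timestamp' lines into (user, event, datetime) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, event, stamp = line.split(",")
        records.append((user, event, datetime.fromisoformat(stamp)))
    return records


def _within(later, earlier, window):
    """True if 'later' is at or after 'earlier' and no more than 'window' after it."""
    return timedelta(0) <= (later - earlier) <= window


def find_deviations(badge_records, logon_records, window=timedelta(hours=12)):
    """Reconcile the two record sets and return the deviations found.

    logon_without_badge: a console logon with no badge-in by the same user in
        the preceding 'window' (possible tailgating or password sharing).
    badge_without_logon: a badge-in with no console logon by that user in the
        following 'window' (worth a follow-up, though often benign).
    """
    badge_ins = defaultdict(list)
    for user, event, stamp in badge_records:
        if event == "badge_in":
            badge_ins[user].append(stamp)
    logons = defaultdict(list)
    for user, event, stamp in logon_records:
        if event == "console_logon":
            logons[user].append(stamp)

    deviations = {"logon_without_badge": [], "badge_without_logon": []}
    for user, stamps in logons.items():
        for stamp in stamps:
            if not any(_within(stamp, b, window) for b in badge_ins.get(user, [])):
                deviations["logon_without_badge"].append((user, stamp.isoformat()))
    for user, stamps in badge_ins.items():
        for stamp in stamps:
            if not any(_within(lg, stamp, window) for lg in logons.get(user, [])):
                deviations["badge_without_logon"].append((user, stamp.isoformat()))
    return deviations


def run_check():
    """Run the reconciliation on the constructed sample records."""
    return find_deviations(parse_records(BADGE_LOG), parse_records(LOGON_LOG))


if __name__ == "__main__":
    for kind, items in run_check().items():
        for user, when in items:
            print(f"{kind}: {user} at {when}")
```

Only console logons are compared, because remote or VPN logons legitimately have no badge-in; in a real export that distinction comes from the logon-type field of the source system. On the sample data, bob's 07:50 logon precedes his badge-in and carol has no badge-in at all, so both are reported; dave badged in but never logged on.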

Q. 15

Answer: D. Operational risk

Explanation: Operational risk is a risk related to failed processes and systems due to either internal
or external events. The objective of a DDoS attack is to bring down the system by flooding it with
excessive traffic. Aggregate risk is defined as the overall impact of a single threat vector. Systemic
risk is the risk of the collapse of an entire system. Residual risk refers to the risk that remains after
controls are implemented.

Q. 16

Answer: C. Background checks for prospective employees

Explanation: Background checks help determine the integrity of new employees. A security
awareness program will not necessarily guarantee that the employee will behave with honesty.
Penetration testing and network address translation are more effective in addressing external attacks.

Q. 17

Answer: B. As per business decisions

Explanation: Compliance with legal and regulatory requirements should be considered on the basis
of business decisions. Business decisions are based on a cost-benefit analysis. Legal and regulatory
requirements, like any other requirements, should be considered for risk assessment and decision-
making. Sometimes the cost of compliance is much more than the expected benefit; in such cases,
management needs to make a business call.

Q. 18

Answer: C. The new system may affect the security or operations of other systems

Explanation: The area of most concern for a security manager is the impact of a new system on the
security and operational aspects of other systems. Functionality, support staff, and time needed for
installation are the responsibility of the business and IT departments.

Q. 19

Answer: C. Immediately informing top management about the elevated risk

Explanation: In this scenario, the first step is to advise management about the elevated risk. In
consultation with management, subsequent actions can be taken.

Practice Question Set 4


Q. 1

Answer: C. Availability of an acceptable usage policy

Explanation: An acceptable usage policy is a document stipulating constraints and practices that a
user must agree to for the usage of organizational resources. Many organizations require employees
to sign an acceptable usage policy before access is granted to them. The other options may not
directly impact data leakages.

Q. 2

Answer: B. Cost-benefit balance

Explanation: The selection of controls and countermeasures is primarily dependent on a cost-benefit
analysis. If the cost of a control is more than the benefit derived, the control is not efficient. The others
are secondary factors.

Q. 3

Answer: D. To measure the current state of control versus the desired future state

Explanation: The objective of a gap analysis is to identify the gap between the current level of
control and the desired level of control. This gap is also known as control deficiencies. Risk
practitioners first analyze the desired state of risk management required by the organization and then
determine the current condition of risk management. This helps them identify any gaps. They should
recommend actions to close such gaps.

Q. 4

Answer: B. To limit the impact on the organization

Explanation: The objective of an indemnity clause is to compensate for or recover any losses due to
any breach of the service-level agreement. It helps to reduce the financial impact on the organization.
An indemnity clause may not always be a regulatory requirement. Merely incorporating an indemnity
clause will neither reduce probability nor ensure performance improvement.

Q. 5

Answer: C. A cost-benefit analysis

Explanation: The objective of a cost-benefit analysis is to determine the benefits compared to the
costs of a project. If the benefit realized from the control is less than the cost of implementation of
the control, then it does not justify the implementation of that control. The selection of a control is
primarily based on the cost-benefit analysis.

Q. 6

Answer: A. A cost-benefit analysis

Explanation: The objective of a cost-benefit analysis is to determine the benefits compared with the
cost of the project. If the benefit realized from the control is less than the cost of implementation of
the control, then it does not justify the implementation of the control. The selection of a control is
primarily based on a cost-benefit analysis. The other options do not indicate the benefit of a control.

Q. 7

Answer: B. Develop an information classification program

Explanation: The first step is to develop a classification program. Based on this, critical data can be
identified. The other options are subsequent steps.

Q. 8

Answer: D. To reduce the exposure

Explanation: Segmenting the data helps reduce the exposure as more controls are implemented for a
segmented critical database. Segmentation by itself does not reduce the threat, sensitivity, or
criticality.

Q. 9

Answer: B. To determine the project's feasibility

Explanation: Information security requirements may directly impact the feasibility of a project. The
cost of security must be considered while calculating the business case and feasibility study.
Sometimes, the cost of security may exceed the benefit expected from the project and hence the
implementation of the project may not be feasible.

Q. 10

Answer: B. To escalate the issue to management

Explanation: Management will be in the best position to address such issues where security
requirements are adversely impacting the business. The best action for a security manager is to
escalate such an issue to management.

Q. 11

Answer: A. A business impact analysis

Explanation: A business impact analysis helps to determine the critical processes/assets of the
organization. These critical processes/assets should be recovered as a priority.

Q. 12

Answer: C. On the basis of the risk applicable to each factor

Explanation: The most important factor is considered based on the risk applicable to each of them.
For example, in the case of the failure of an automatic door, the organization can opt for fail open
(door should remain open) or fail closed (door should remain closed). In the case of fail open,
confidentiality and integrity may be compromised, and in the case of fail closed, availability may be
compromised. In such a situation, the risk is determined for each element and accordingly, a decision
is made. Considering only the threat element will not serve the purpose as both threat and impact
need to be considered.

Q. 13

Answer: C. Making security policy decisions

Explanation: Risk management helps to highlight the critical risks that can impact business
processes. It helps to make security policy decisions to address the highlighted risks. Risk
management is aimed at supporting the business objectives and is not designed to change them. An
audit charter highlights the roles and responsibilities of the audit department and is not directly
impacted by the risk management process.

Q. 14

Answer: C. On the basis of the risk applicable to each factor

Explanation: The most important factor is considered based on the risk applicable to each of them.
For example, in the case of the failure of an automatic door, the organization can opt for fail open
(door should remain open) or fail closed (door should remain closed). In the case of fail open,
confidentiality and integrity may be compromised, and in the case of fail closed, availability may be
compromised. In such a situation, the risk is determined for each element and accordingly, a decision
is made. Considering only the threat element will not serve the purpose as both threat and impact
need to be considered.

Q. 15

Answer: D. It ensures that costs are justified by a reduction in risk

Explanation: The main objective of a cost-benefit analysis is to ensure that the cost of the project
does not exceed the benefit expected from the project. The cost should be justified by an appropriate
reduction in the risk.

Q. 16

Answer: D. The ratio of cost-to-insurance coverage for business interruption protection

Explanation: The best quantification is to derive the cost of business interruption and the level of
insurance taken to protect against such losses. For example, if the cost of business disruption is
$100,000 and insurance coverage is up to $80,000, then the risk appetite of the organization can be
considered as $20,000. The other options will provide only a rough estimation of the risk appetite.

Q. 17

Answer: C. The second server is placed where there is no exposure

Explanation: If the second server is placed where there is no exposure, then there is no chance of
compromise; hence, hardening may not be required. In the case of the other options, that is, the
second server being a backup server, supporting noncritical functions, or being monitored on a
continuous basis, the risk remains the same as it contains identical content and hence it should be
given the same level of protection as the first server.

Q. 18

Answer: A. A workflow analysis

Explanation: A workflow analysis is the process of understanding the workflow. It helps to
determine the risk and build relevant controls. The other steps can be subsequent steps.

Q. 19

Answer: D. Addresses the financial liability but leaves the legal and reputational risks generally
unchanged

Explanation: The objective of an indemnity clause is to compensate the organization for any
financial loss due to an act of the service provider. However, it does not reduce the legal or reputation
risks for the organization.

Q. 20

Answer: D. Decreasing the number of incidents impacting the organization

Explanation: The most important objective of a risk management program is to reduce the number
of incidents having an adverse impact on the objectives of the organization. The other options are
specific actions taken to address adverse incidents.

Q. 21

Answer: D. A business-oriented risk policy

Explanation: A risk policy that is aligned with the business objectives helps in achieving the
organization's objectives. A business-oriented risk policy is strongly supported by the effective
management of information assets. The other options do not directly impact the effectiveness or
efficiency of information assets.

Q. 22

Answer: D. The number of security incidents causing significant financial loss or business
disruptions

Explanation: The main objective of risk management is to reduce the number of security incidents
that can cause significant financial loss or business disruption. If such incidents are high, then the
effectiveness of risk management is questionable. The other options are not as significant.

Practice Question Set 5


Q. 1

Answer: C. Change management

Explanation: Change management is the process of requesting, planning, implementing, testing, and
evaluating changes made to a system. Regression testing is a part of change management. The
objective of regression testing is to prevent the introduction of new security exposures when making
modifications. Thus, change management is the best way to ensure that modifications made to
systems do not introduce new security exposures.

Q. 2

Answer: C. Change management

Explanation: Change management is the process of requesting, planning, implementing, testing, and
evaluating changes made to a system. Regression testing is a part of change management. The
objective of regression testing is to prevent the introduction of new security exposures when making
modifications. Thus, change management is the best way to ensure that modifications made to
systems do not introduce new security exposures.

Q. 3

Answer: B. A system user

Explanation: Change management is the best way to ensure that modifications made to systems do
not introduce new security exposures. System users are in the best position to conduct user
acceptance testing and determine whether any new vulnerabilities have been introduced during
change management.

Q. 4

Answer: C. Change control process

Explanation: Change management is the best way to ensure that modifications made to systems do
not introduce new security exposures. System users are in the best position to conduct user
acceptance testing and determine whether any new vulnerabilities have been introduced during the
change management process.

Q. 5

Answer: D. The change management process should include mandatory involvement of the
information security department

Explanation: For effective change management, it is important that the security team be apprised of
every major change. Representation from the security team on the change control board is
recommended. This will ensure that the security aspects of any change are considered. It is not
required for change management to be handled by the information security team; representation is
sufficient. Monitoring the change management process may not be the responsibility of the steering
committee. Change management should be separate from release and configuration management.

Q. 6

Answer: C. Preventive control

Explanation: Change management is considered a preventive control as it requires all change
requests to pass through formal approval, documentation, and testing via a supervisory process. An
effective change management process can prevent and detect unauthorized changes. Change
management does not primarily function as a compensating, corrective, or deterrent control.

Q. 7

Answer: C. Scheduling

Explanation: Scheduling in change management is the process of planning implementation at a time
that causes the least disturbance to business processes. However, for an emergency change,
maintaining the schedule may not be possible. The other options, documentation, impact analysis,
and authorization, are integral to change management and in the case of an emergency change, they
may be performed after implementation.

Q. 8

Answer: C. Change management

Explanation: A major risk related to production is the continuity of operations. This can be best
addressed by a structured change management process. Change management is a structured process
of change request, approval, planning, implementation, and testing. The main objective of change
management is to support the processing and traceability of changes made to a system. Change
management ensures that changes or updates are processed in a controlled manner.

Q. 9

Answer: B. To ensure that any risks arising from the proposed changes are managed

Explanation: Any major change may introduce new risks to the system. The security manager is
required to ensure that any new change does not have an adverse impact on the organization's
security environment. The other options are not the primary reasons.

Q. 10

Answer: D. A structured change management system

Explanation: A change management process includes approval, testing, scheduling, and rollback
arrangements. Any change made to a system or process is likely to introduce new vulnerabilities.
Hence, it is very important for a security manager to identify and address new risks. Changes that are
not properly reviewed can disrupt the production system. The other options, that is, patch
management, baseline management, and antimalware management, should also be implemented
through the proper change management process.

Q. 11

Answer: A. To reduce the requirement for periodic full risk assessments

Explanation: Threat and vulnerability assessments during change management help to identify the
potential risks in the proposed changes at an early stage. This helps to keep the risk assessment
updated. This eventually reduces the requirement for a full assessment. The other options are not
primary objectives. Policy is a high-level statement and is generally not impacted by new risks.

Q. 12

Answer: B. Poor change management procedures

Explanation: The lack of an effective change management process can pose a significant risk of
disruption to systems and procedures. The other options are not as significant. Guidelines are
generally not mandatory. Outsourcing activities can be controlled and monitored. Poor capacity
management may not impact security risks.

Q. 13

Answer: A. To reduce the requirement for periodic full risk assessments

Explanation: Threat and vulnerability assessments during change management help to identify
vulnerabilities at the initial stages so that they can be addressed early without the need for a full risk
assessment. This keeps the risk assessment up to date without the need to complete a full
reassessment.

Practice Question Set 6


Q. 1

Answer: C. Verifying the patch logs and tracing them to the change control request

Explanation: To determine whether all patches went through the change control process (change
management), it is necessary to use patch logs as a starting point and then verify whether the change
control requests for those patch updates are available. When a change request is taken as the starting
point and then traced back to patch logs, it will not be possible to determine whether all patches went
through the change control process.
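
To see why the direction of tracing matters, here is an added example (not from the book) that reconciles a constructed patch log against a constructed change register in both directions. Hostnames, patch identifiers, change request numbers, and the export formats are assumptions.

```python
"""Trace applied patches back to change control requests (not the reverse).

Added illustration, not code from the book. Hostnames, patch identifiers,
change request numbers, and the export formats are constructed assumptions.
"""

# Constructed patch log export: host,patch_id,applied_at
PATCH_LOG = """\
web01,KB-0001,2024-03-01T02:10:00
web01,KB-0002,2024-03-02T02:12:00
db01,KB-0003,2024-03-03T01:05:00
db01,KB-0004,2024-03-03T01:09:00
"""

# Constructed change control register: request_id,host,patch_id,status
CHANGE_REQUESTS = """\
CR-100,web01,KB-0001,approved
CR-101,web01,KB-0002,approved
CR-102,db01,KB-0003,approved
CR-103,app01,KB-0005,approved
CR-104,db01,KB-0006,rejected
"""


def parse_patch_log(text):
    """Parse the patch log export into dicts with host, patch, and applied_at."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            host, patch_id, applied_at = line.split(",")
            rows.append({"host": host, "patch": patch_id, "applied_at": applied_at})
    return rows


def parse_change_requests(text):
    """Parse the change register export into dicts with id, host, patch, and status."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            request_id, host, patch_id, status = line.split(",")
            rows.append({"id": request_id, "host": host, "patch": patch_id, "status": status})
    return rows


def patches_without_approved_change(patches, changes):
    """Start from the patch log: every applied patch must map to an approved request.

    This is the direction the answer describes; it catches patches that were
    applied without going through change control.
    """
    approved = {(c["host"], c["patch"]) for c in changes if c["status"] == "approved"}
    return [p for p in patches if (p["host"], p["patch"]) not in approved]


def approved_changes_without_patch(patches, changes):
    """Start from the change register instead.

    This only finds approved changes that were never applied; an unauthorized
    patch has no request to start from, so it is invisible to this check.
    """
    applied = {(p["host"], p["patch"]) for p in patches}
    return [c for c in changes
            if c["status"] == "approved" and (c["host"], c["patch"]) not in applied]


def run_audit():
    """Run both reconciliations over the constructed sample exports."""
    patches = parse_patch_log(PATCH_LOG)
    changes = parse_change_requests(CHANGE_REQUESTS)
    return {
        "unauthorized_patches": [(p["host"], p["patch"])
                                 for p in patches_without_approved_change(patches, changes)],
        "unapplied_changes": [c["id"] for c in approved_changes_without_patch(patches, changes)],
    }


if __name__ == "__main__":
    for finding, items in run_audit().items():
        print(f"{finding}: {items}")
```

Starting from the patch log surfaces KB-0004 on db01, which was applied with no approved request. Starting from the register finds only CR-103, an approved change that was never applied, and never sees the unauthorized patch, which is the point the explanation makes.
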

Q. 2

Answer: C. Operating system security patches not being applied

Explanation: Patch management is the process of applying updates to operating systems and other
software. These patches are often necessary to correct errors in the software. If patches are not
applied as and when released, then this is an area of serious concern. The other options are not as
significant.

Q. 3

Answer: A. Testing of a patch prior to deployment

Explanation: Patches should be applied through a structured change management process, which
includes approval, testing, user acceptance testing, and proper documentation. The testing of a patch
prior to implementation is one of the most important aspects as deploying an untested patch may
cause system failure. Furthermore, the appropriate rollback procedures should be in place in case of
unexpected failure.

Q. 4

Answer: Assessing the problem and initiating rollback procedures if required

Explanation: Patches should be applied through a structured change management process that
includes approval, testing, user acceptance testing, and proper documentation. The testing of a patch
prior to implementation is of utmost importance as deploying an untested patch may cause the system
to fail. Furthermore, appropriate rollback procedures should be in place in case of unexpected failure.
The other options are secondary steps to be followed after the problem has been assessed.

Q. 5

Answer: C. The patch should be validated to ensure its authenticity

Explanation: The first step is to validate the authenticity of the patch before taking any further
action. If the patch is not from an authentic source, it may be malicious.

Q. 6

Answer: A. Patch management

Explanation: Patch management is the process of applying updates to operating systems and other
software. These patches are often necessary to correct errors in the software. A well-defined and
structured patch management process helps to address the new vulnerabilities related to operating
systems. The timely update of patches helps to secure the operating systems and applications.

Q. 7

Answer: D. As and when critical security patches are released

Explanation: Patches should be applied as and when new patches are released. This is required to
ensure that zero-day vulnerabilities are not exploited. However, patch management should include
appropriate testing and approvals.

Practice Question Set 7


Q. 1

Answer: D. Business impact analysis

Explanation: The RTO determines the time within which the system should be restored. The RTO is
derived from the BIA. The BIA helps to determine the critical systems of the organization and the
impact due to the downtime of systems.

Q. 2

Answer: B. Delegating authority for recovery execution

Explanation: During an incident, considerable time is taken up in escalation procedures, as decisions
need to be made at each management level. The delegation of authority for recovery execution makes
the recovery process faster and more effective. However, the scope of the recovery delegation must
be assessed beforehand and appropriately documented. Having multiple operation centers is too
expensive to implement. Outsourcing is not a feasible option. Incremental backups do facilitate faster
backups; however, they generally increase the time needed to restore the data.

Practice Question Set 8


Q. 1

Answer: D. Feasibility

Explanation: Risk assessment should commence at the earliest phase of the SDLC, that is, the
feasibility phase. A feasibility analysis should include risk assessment so that the cost of controls can
be determined at the beginning.

Q. 2

Answer: D. At each stage of the SDLC

Explanation: Risk assessment is most effective when it is performed at every stage of the SDLC.
This helps in the early identification of any risk that might occur during any stage.

Q. 3

Answer: A. Change management

Explanation: A change management process includes approval, testing, scheduling, and rollback
arrangements. Changes at various life cycle stages should be appropriately controlled through a
structured change management process. The other options do not relate to complete life cycle stages.

Q. 4

Answer: C. Ensuring effective life cycle management

Explanation: If controls are managed throughout the life cycle, it will reduce the scope of the
degradation of controls and ensure control effectiveness throughout the life cycle.

Revision Questions


Q. 1

Answer: C. To achieve the stated objectives

Explanation: The primary goal of a risk management program is to achieve the stated objective. The
stated objective can be in the form of the protection of assets, availability of systems, or
implementation of preventive controls.

Q. 2

Answer: A. Validation checks are missing in data input fields

Explanation: In the absence of validation checks in data input fields, attackers can exploit other
weaknesses in the system. For example, through SQL injection attacks, hackers can illegally retrieve
application data. Other options may also make the applications vulnerable, but these can be countered
in other ways.
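
The missing-validation weakness and the SQL injection the explanation mentions, as an added example that is not from the book: a deliberately vulnerable lookup built by string concatenation, shown beside a parameterized query and an allowlist validation check. The table, rows, account names, and the username format are constructed assumptions; the database is an in-memory SQLite instance.

```python
"""Missing input validation: SQL injection, shown beside the hardened form.

Added illustration, not code from the book. The table, rows, and account
names are constructed; the database is an in-memory SQLite instance.
"""
import re
import sqlite3

# Allowlist for account names: letters, digits, underscore, 1-32 characters (assumed policy)
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def build_db():
    """Create an in-memory table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately flawed: the input is spliced into the SQL text.

    A value such as  ' OR '1'='1  turns the WHERE clause into a tautology and
    returns every row, which is the illegitimate data retrieval the
    explanation refers to.
    """
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Hardened: the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def validate_username(name):
    """Input validation check: reject anything outside the allowlisted format."""
    return USERNAME_RE.fullmatch(name) is not None


def lookup_hardened(conn, name):
    """Validation at the input field plus a parameterized query (defense in depth)."""
    if not validate_username(name):
        raise ValueError("username fails input validation")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, "' OR '1'='1"))
    print("parameterized:", lookup_parameterized(db, "' OR '1'='1"))
    print("hardened:", lookup_hardened(db, "alice"))
```

Parameterization alone already defeats the injection, because the database driver never interprets the bound value as SQL; the allowlist check is the input-field validation the answer refers to, and it also rejects malformed values before they reach any other component.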

Q. 3

Answer: C. Industry tracking groups

Explanation: Industry tracking groups provide insights into the nature of attacks at both the
industry-specific and the global level. They are engaged in different surveys and closely monitor attack
types. Their publications can either be free or subscription based, and they provide detailed
overviews of current scenarios. A honeypot is used to trap attackers and understand their attack
methods. However, not all attackers will fall into honeypot traps. A rogue access point is a trap set up
by hackers to lure legitimate users to connect to it. Penetration testing involves assessing the security
posture of the organization and will not be able to identify the evolving nature of attacks.

Q. 4

Answer: A. Should be reassessed on a periodic basis as risks change over time

Explanation: Risks change over time, hence even if a risk was accepted previously, it should be
assessed again on a periodic basis to determine its current impact.

Q. 5

Answer: B. Absence of controls

Explanation: An incident can take place either due to a failure of controls or an absence of controls.
Inadequate risk analysis may be one of the reasons for the absence of a control. A new attack or
operational error can have an impact only if there is no control or if controls have failed.

Q. 6

Answer: D. The time gap between the occurrence of the incident and its detection

Explanation: The level of impact of an incident depends on the time gap between the occurrence of
the incident and its detection. The early detection of an incident helps to reduce the damage. The
other options are important but not as significant.

Q. 7

Answer: C. The cost of implementation of the regulation is much higher than the risk
of noncompliance.

Explanation: An organization may decide to accept the risk of noncompliance if the cost of the
implementation of a new regulation is much higher than the risk of noncompliance. The other options
are the major factors affecting the decision of whether to comply or not.

Q. 8

Answer: B. To support management's due diligence

Explanation: It is the responsibility of management to conduct due diligence for organizational
processes. A risk management program supports this objective.

Q. 9

Answer: D. To identify misconfiguration and missing updates

Explanation: The objective of a network vulnerability assessment is to identify common
misconfigurations.

Q. 10

Answer: C. A security gap analysis

Explanation: The objective of a security gap analysis is to identify deficiencies in the control
environment by comparing them with the desired state of control.

Q. 11

Answer: B. The risk being justified by the benefits

Explanation: Generally, policy exceptions are approved when the impact of noncompliance is less
than the benefit of taking the risk.

Q. 12

Answer: B. To perform a gap analysis

Explanation: The first step is to perform a gap analysis to determine whether the organization has
already complied or whether some action is required for compliance. Based on the gap analysis,
further action can be taken.

Q. 13

Answer: B. To determine the systems and processes that contain the privacy components

Explanation: The best course of action in this case is to determine the systems and processes that can
be impacted due to the new privacy laws. The other options may be subsequent steps.

Q. 14

Answer: C. The detection of new risks

Explanation: Though all options are very important for an effective risk management program, if the
program does not have the ability to identify new risks, the other procedures will only be useful for a
limited period.

Q. 15

Answer: C. The opportunity costs

Explanation: For BIA purposes, valuation should be based on the opportunities lost due to the
unavailability of assets. This is known as the opportunity cost.

Q. 16

Answer: D. Likelihood

Explanation: Likelihood is the most difficult to estimate and will require the highest amount of
speculation. The other options can be determined within a range.

Q. 17

Answer: C. Conduct a risk assessment to quantify the risk

Explanation: The first course of action for a risk manager is to conduct a risk assessment and
determine the level of risk. Policy exceptions are generally allowed where benefits from the project
outweigh the perceived risks. The other options can be meaningful only if the security manager is
aware of the level of risk.

Q. 18

Answer: A. To verify the decision of the business unit through a risk analysis

Explanation: The best course of action in this scenario is to conduct a risk analysis and determine
the impact of the new application via the BIA. If there is no impact, then there is no need to update
the BIA.

Q. 19

Answer: C. Conducting a risk analysis

Explanation: The first course of action for a risk manager is to conduct a risk assessment and
determine the level of risk. Policy exceptions are generally allowed when benefits from the project
outweigh the perceived risks. The other options can be meaningful only if the security manager is
aware of the level of risk. It is unlikely that a business objective is changed to accommodate a
security requirement.

Q. 20

Answer: A. To evaluate the likelihood of incidents from the reported cause

Explanation: The first course of action for the security manager is to evaluate the likelihood of an
incident from the reported cause. Once the likelihood is determined, other suitable actions can be
taken.

Q. 21

Answer: C. Risk management activities should be integrated within the business processes

Explanation: The integration of risk management activities within business processes is a more
effective way to enhance risk management. Risk management should not be treated as a separate
activity.

Q. 22

Answer: A. Downtime tolerance

Explanation: A BIA is a process to determine the critical processes of an organization and decide the
recovery strategy during a disaster. The prime criterion to determine the severity of service
disruptions is the period for which the system will remain down. The higher the system downtime,
the higher the severity of the disruption. The other options are not directly related to the BIA.

Q. 23

Answer: C. The scope

Explanation: Once the objectives are finalized, the next step is to determine the scope of the review.
The limitations and approach must be defined after the scope. The report structure is the last step.

Q. 24

Answer: A. To apply compensating controls for the vulnerable system

Explanation: The best course of action in this case is to apply compensating controls until the patch
is installed. This will help to address the risk. Updating signatures for the antivirus does not address
zero-day vulnerabilities.

Q. 25

Answer: A. Determine the risk of noncompliance

Explanation: The most important aspect for a security manager is to know the level of risk for this
noncompliance. The risk may be either very high or negligible. Based on the level of risk, further
courses of action can be determined.

Q. 26

Answer: C. A gap analysis

Explanation: The objective of a gap analysis is to identify the gap between the current level of
controls and the desired level of controls. A gap analysis is used to improve the maturity level of risk
management processes. A workflow analysis is used to understand the current level of risk
management processes, but it does not provide support for improvement opportunities. A program
evaluation and review technique (PERT) is used to determine the project timelines.

Q. 27

Answer: B. To perform a comprehensive assessment before approving devices

Explanation: The first step is to develop a comprehensive assessment process based on which
approval should be granted to devices. The other options are subsequent steps.

Q. 28

Answer: A. Applying standard risk measurement criteria throughout the organization

Explanation: The best way to address this situation is to apply standard risk measurement criteria for
all the departments throughout the organization. This will help in arriving at a standard risk level
where each risk can be compared to others for the prioritization of risk responses. The other options
will not help to address the issue directly.

Q. 29

Answer: B. Requirements to protect sensitive information on the device

Explanation: The most important aspect is to ensure that users understand the various requirements
for the protection of sensitive data on the device. Generally, personal devices are not returned to the
organization. The other options are not as important as the protection of data.

Q. 30

Answer: D. Just another risk

Explanation: It should be dealt with as just another risk. Regulatory risk, like every other risk,
should be addressed considering its impact on the business processes. Priority should be given based
on feasibility, possible impact, and cost of compliance.

Q. 31

Answer: C. The environment changes.

Explanation: Existing controls may not be relevant to address new and emerging risks arising due to
changes in the environment. As a result, risk management is most effective when it is completed on
an ongoing basis.

Q. 32

Answer: C. Perform a business impact analysis

Explanation: The first action for the security manager in this case is to determine the level of risk of
nonavailability of the service. This can be done by performing a BIA. The other options can be
considered based on the results of the BIA.

Q. 33

Answer: C. Assurance process integration

Explanation: Integrating the activities of various assurance functions helps to ensure that there are
no overlapping activities or gaps in risk management activities. It is the most cost-effective method as
duplicate efforts are removed. The decentralization of the risk management function actually
increases the cost of risk management. The other options do not directly impact the cost effectiveness
of risk management functions.

Q. 34

Answer: A. A regulatory risk should be treated like any other risk

Explanation: A regulatory risk should be treated just like any other risk and should be addressed
considering its impact on business processes. Priority should be given based on feasibility, possible
impact, and the cost of compliance.

Q. 35

Answer: B. The data retention policy

Explanation: The data retention policy defines the minimum period of data retention. Overwriting of
data may impact the data retention policy.

Q. 36

Answer: A. Exposure

Explanation: The level of exposure of the data affects the threat, vulnerability, probability, as well as
impact. It is the most important aspect when considering the level of protection required.

Q. 37

Answer: B. The probability and consequences

Explanation: Risk can be determined based on the probability and consequences. The product of
probability and consequences will help to derive the level of risk for noncompliance. Hence, both
probability and consequences should be considered to prioritize the requirements.

Q. 38

Answer: B. When the uncertainty of the risk is high

Explanation: Risk tolerance is the acceptable deviation from the risk appetite. For example, suppose
the risk appetite of an organization is $100 and the risk tolerance is $125. In this case, the
organization is comfortable even if the risk level reaches $125. A high risk tolerance means a wider
gap between the risk appetite and the level at which action becomes mandatory. That extra margin is
most useful when the uncertainty of the risk is high, that is, when the risk estimate itself may be off.

Chapter 5: Information Security Program Development

Practice Question Set 1


Q.1

Answer: A. To improve the integration of business and information security processes

Explanation: The most important challenge for a security manager is to obtain support from senior
management and other business units for changing the business processes to include the security
aspect. As the incident has already happened, business units will be more open to supporting security
processes. In the absence of close integration of business and security processes, the other options
will not be effective.

Q. 2

Answer: B. To understand the risk of technology and its contribution to security objectives

Explanation: An information security manager is required to evaluate the risk of technology and
determine the relevant controls to safeguard IT resources. The other options are secondary aspects.

Q. 3

Answer: C. Strategy

Explanation: An information security strategy is a set of actions taken to achieve security objectives.
This strategy includes what should be done, how it should be done, and when it should be done to
achieve the security objectives. A strategy also includes the details of the resources necessary to
implement the program.

Q. 4

Answer: C. A risk assessment and control objectives

Explanation: Generally, the framework starts with conducting a risk assessment and establishing the
objectives of control. Once the objectives are established, the information security policy is
developed and the security budget is allotted. An internal audit is not relevant.

Q. 5

Answer: C. To understand the overall risk exposure of the organization

Explanation: It is of utmost importance that the security manager is aware of the overall risk
exposure of the organization. The other options will be evaluated as a part of risk exposure.

Q. 6

Answer: A. The charter

Explanation: A charter is the formal grant of authority or rights. An information security charter
states that the organization formally recognizes the information security department. In the absence
of a charter, it will be difficult for the information security department to operate within the
environment. All the other choices follow the charter.

Q. 7

Answer: B. Prevention

Explanation: DiD is an arrangement wherein multiple layers of controls are implemented to protect
the information resources. Its intent is to provide redundancy in case one control fails. The first layer
of DiD aims to prevent any event from occurring by implementing preventive controls such as
authentication. The second layer is containment, which involves isolating and minimizing the impact.
The third layer is reaction, which is incident response procedures. The final layer is a recovery and
restoration procedure that includes backup arrangements.

Q. 8

Answer: B. Senior management commitment

Explanation: The most important element for an effective information security program is support
and commitment from senior management. If senior management is committed to robust information
security across the organization, there will be no constraints on security budgeting and resources. The
other options are secondary aspects.

Q. 9

Answer: B. Authentication

Explanation: DiD is an arrangement wherein multiple layers of controls are implemented to protect
information resources. Its intent is to provide redundancy in case one control fails. The first layer of
DiD prevents any event from occurring and involves implementing preventive controls such as
authentication. The second layer is containment, which involves isolating and minimizing the impact.
The third layer is reaction, that is, incident response procedures. The final layer is recovery and
restoration procedures, which include backup arrangements.

Practice Question Set 2


Q. 1
Answer: C. Asset valuation

Explanation: Among all the given options, the first step is to value the assets. Based on the
valuation, an asset can be classified and then risk can be assessed and controls can be implemented.

Q. 2

Answer: D. The head of the finance department

Explanation: Ownership should be assigned to an individual with sufficient authority in the
department. To the extent possible, ownership should not be assigned to a department or group, as
individual accountability cannot be established that way. The head of IT and the system administrator
are custodians of the system rather than owners of the data; they will not be in a position to determine
the usage and importance of the data or the security concerns relevant to it.

Q. 3

Answer: D. Requirements of the data owners

Explanation: It is very important to consider the requirements of the data owners when defining the
information classification policy. Data owners may have specific requirements to address the risk
related to their data. The other options do not directly impact the design of the classification policy.

Q. 4

Answer: D. The data owner

Explanation: The data owner has the prime responsibility for determining the appropriate level of
classification as they are the one who owns the risk related to their data.

Q. 5

Answer: A. Risk analysis results

Explanation: Risk analysis is the process of determining the level of risk. Risk level can either be
quantified in monetary terms or be expressed as qualitative indicators such as high risk, medium risk,
and low risk. The results of a risk analysis help the security manager determine the efforts required to
address any risk. More resources may be required to mitigate high-risk areas, whereas fewer
resources may be required to mitigate low-risk areas.

Q. 6

Answer: C. Identifying data owners

Explanation: Identification of asset/data owners is an essential prerequisite for the implementation
of a classification policy. In the absence of an owner, the true value of the asset cannot be determined.
The other options are not prerequisites for implementing a classification policy.

Q. 7

Answer: C. It helps to determine the appropriate level of protection for the asset

Explanation: Information asset classification means the classification of assets based on their
criticality to the business. Assets can be classified as confidential data, private data, or public data.
This classification helps the organization to provide an appropriate level of protection for the assets.
More resources should be utilized for the protection of confidential data compared to public data.

Q. 8

Answer: B. To determine controls commensurate with impact

Explanation: Information asset classification means the classification of assets based on their
criticality to the business. It determines the appropriate level of protection applicable to the asset; that
is, controls are commensurate with the impact. Classification helps to reduce the risk of the under-
protection of assets and at the same time reduces the cost of the over-protection of assets.

Q. 9

Answer: B. The data classification policy

Explanation: Data classification means the classification of data on the basis of its criticality to the
business. Data can be classified as confidential data, private data, or public data. This classification
helps the organization to provide an appropriate level of protection for the assets. More resources
should be utilized for the protection of confidential data as compared to public data.

Q. 10

Answer: C. The data owner

Explanation: The responsibility for the maintenance of proper security controls over information
assets should reside with the data owner. The ultimate responsibility resides with senior management.
The security manager and data administration support the data owner in classification and providing
appropriate controls.

Q. 11

Answer: B. Determine the appropriate level of access control

Explanation: Information asset classification means the classification of assets based on their
criticality to the business. Assets can be classified as confidential data, private data, or public data.
This classification helps the organization to provide an appropriate level of protection for the assets.
More resources should be utilized for the protection of confidential data compared to public data.

Q. 12
Answer: D. The published financial results

Explanation: Information asset classification means the classification of assets based on their
criticality to the business. Assets can be classified as confidential data, private data, or public data.
This classification helps the organization to provide an appropriate level of protection for the assets.
Published financial results are considered public data and hence require the lowest level of
protection.

Q. 13

Answer: D. An impact assessment

Explanation: The prime basis for determining the classification of information assets is the criticality
and sensitivity of the assets in achieving the business objectives. An impact assessment is used to
determine the criticality and sensitivity of the assets.

Q. 14

Answer: D. The data manager

Explanation: Information classification is primarily based on inputs from data owners. Business
managers (data owners) have thorough knowledge and an understanding of an asset's impact on
business processes. They are in the best position to determine the value of the information assets.

Q. 15

Answer: D. The criticality of the business function supported by the asset

Explanation: Assets can be classified and protected on the basis of business dependency
assessments. In this approach, critical business functions are identified, and all the assets of critical
functions are given high priority for protection.

Q. 16

Answer: A. Criticality and sensitivity

Explanation: The primary basis for determining the classification of information assets is their
criticality and sensitivity in achieving business objectives. An impact assessment is used to determine
the criticality and sensitivity of assets.

Q. 17

Answer: B. An impact assessment

Explanation: The primary basis for determining the classification of information assets is their
criticality and sensitivity in achieving business objectives. An impact assessment is used to determine
the criticality and sensitivity of the assets.

Q. 18

Answer: A. It should consider the impact of a security breach

Explanation: Classification should be based on an impact assessment, that is, the potential impact
due to asset loss. The classification should be performed by the asset owner rather than the security
manager. Vulnerability should not be the basis of classification—the potential impact due to the loss
of the asset should be.

Q. 19

Answer: C. Potential impact

Explanation: Classification should be based on an impact assessment, that is, potential impact due to
asset loss.

Q. 20

Answer: B. Determine the information classification level of the requested information

Explanation: The first step is to determine the classification level of the requested information. If the
information is classified as confidential, then such information should not be made available to any
unauthorized users. The other steps could be subsequent actions.

Practice Question Set 3


Q. 1

Answer: D. The replacement cost

Explanation: An asset should be valued at the replacement cost, which is the cost to replace the asset
if it is damaged or destroyed. The replacement cost gives a realistic impact assessment. The other
options are not true indicators for an impact assessment.

Q. 2

Answer: C. To create an inventory of the assets

Explanation: The first step is to create an inventory of all the information assets of the organization.
Once the inventory is available, ownership is established and assets are valued. Based on this
valuation, assets are classified.

Q. 3

Answer: C. Potential impact of the data loss


Explanation: An organization can suffer a huge impact if data lost is critical and sensitive from the
business perspective. In the case of leakage of personally identifiable information (PII) data, the
organization is liable for legal consequences. The other options are not as critical.

Q. 4

Answer: A. The business managers

Explanation: Valuation is done on the basis of an impact assessment. Business managers are in the
best position to understand the impact of an asset on the business. The other options (including senior
management) will not have detailed knowledge of each process and its impact on the business.

Q. 5

Answer: C. Identification of the asset inventory and the appropriate valuation of assets

Explanation: The identification of all available assets is the first step in risk assessment. If the
identification process is not properly followed, some assets may not be appropriately protected.
Valuation is performed to understand the criticality and sensitivity of assets needing protection.
Support from management, annual loss expectations, and threat motives are important, but risk
assessment would be meaningless without asset inventory and valuation.

Q. 6

Answer: D. The financial losses of the affected business units

Explanation: Impact can be considered as the financial losses incurred by the affected business units.
Impact is not merely restricted to service provider charges or the quantity of data transmitted. RoI is
not based on connectivity and would not be useful in calculating impact.

Q. 7

Answer: A. Identification of business assets

Explanation: The first step is to create a list of all assets. This will ensure that no assets are missed
during risk assessment. The other options are subsequent steps.

Q. 8

Answer: A. The dependency on subjective information

Explanation: A lack of accurate information is always a challenge in calculating annual loss
expectancy. It is calculated on the basis of assumptions. The other options are comparatively less
significant.

Q. 9
Answer: A. Potential financial loss

Explanation: Assets should be valued on the basis of potential financial loss due to their
unavailability. The other options are not key considerations.

Q. 10

Answer: D. Classification

Explanation: Information asset classification involves the classification of assets on the basis of their
criticality to the business. If an asset is classified as confidential, it means that it holds a high value
for the organization.

Q. 11

Answer: B. Asset valuation

Explanation: Asset valuation indicates the impact from the cost perspective that the organization
may face in the event of a major compromise. The other options will not be able to provide a direct
cost representation.

Q. 12

Answer: D. Listing critical business resources

Explanation: A BIA determines the critical business assets by analyzing the impact of the
unavailability of an asset on business objectives. In the event of a disaster, identified critical assets
are recovered and restored by priority to minimize the damage. Identification of threats and
vulnerabilities is performed during risk assessment. Incident notification procedures are a part of the
business continuity and disaster recovery plans.

Q. 13

Answer: D. An inaccurate valuation of information assets

Explanation: Prioritization is based on the valuation of the assets: high-value assets are given
priority for risk treatment, so an inaccurate valuation distorts the whole prioritization. An incomplete
asset list can also distort it, since some assets may be missed, but organizations generally have
procedures that capture at least their critical assets, so it is the lesser concern. Incomplete
vulnerability and threat assessments are less significant than a valuation that is wrong, because the
prioritization is driven by asset value in the first place.

Q. 14

Answer: B. The restoration priority


Explanation: A BIA is the best way to determine the criticality of assets. A BIA determines the
critical business assets by analyzing the impact of their unavailability on business objectives. In the
event of a disaster, identified critical assets are recovered and restored by priority to minimize the
damage.

Q. 15

Answer: D. A business impact analysis

Explanation: An RTO determines the time within which a system should be restored. An RTO is
derived from a BIA, which helps to determine the critical systems of the organization and the impact
due to the downtime of systems.

Practice Question Set 4


Q. 1

Answer: C. Discuss the situation with data owners to understand the business needs

Explanation: The first step is to determine the business needs for granting privilege access to all HR
team members as it may be a business process requirement. Without understanding the business
requirements, the security manager should not revoke access or report to senior management.

Q. 2

Answer: C. Determining the desired outcomes

Explanation: The most important aspect when developing a framework for an information security
program is to determine the desired outcomes. If the desired outcome is not considered at the time of
developing the framework, it will be difficult to determine the strategy, control objectives, and
security architecture.

Q. 3

Answer: A. The extent of support provided to business objectives

Explanation: To get the framework approved, the security manager should demonstrate a positive
return on security investment. The best method to evaluate the return on security investment is to
determine how information security supports the achievement of business objectives. The other
options do not directly help to determine the RoI.

Q. 4

Answer: B. It is comparatively easy to manage and control


Explanation: Due to centralized control, it is easy to manage the security functions compared to
decentralized functions. Decentralized functions are more convenient, allow easier promotion of
security awareness, and ensure faster turnaround for security requests as they are closer to business
units. Decentralized units are more responsive to business unit needs.

Q. 5

Answer: C. It ensures better alignment of security with the business needs

Explanation: Decentralized units are more responsive to business unit needs as they are closer to the
business units. The other options are advantages of centralized functions. Centralized management is
easy to manage and control and ensures increased compliance and a reduction in the cost of security.

Q. 6

Answer: D. Performing a risk assessment

Explanation: The first step is to conduct a risk assessment and determine the impact of non-
compliance. Based on the potential impact, subsequent actions should be determined.

Q. 7

Answer: C. Regular interaction with business owners

Explanation: The security framework and security policy should closely align with organizational
needs. Policies must support the needs of the organization. For the alignment of the security program,
the security manager should have a thorough understanding of the business plans and objectives.
Effective strategic alignment of the information security program requires regular interaction with
business owners.

Q. 8

Answer: B. Determining the risk and identifying the compensating controls

Explanation: The first step for the security manager is to determine the risk associated with granting
the exception and evaluate whether any compensatory controls are in place to address the risk. Based
on the risk perceived, other options can be considered.

Practice Question Set 5


Q. 1

Answer: C. The statement is an example of a standard


Explanation: A standard is a mandatory requirement to be followed to comply with a given policy,
framework, certification, or regulation. Standards help to ensure the efficiency and effectiveness of
processes, which results in reliable products or services. A policy is a high-level statement of
management intent and does not cover the preceding type of requirements. Guidelines and
procedures provide detailed dos and don'ts to support the organization's policies.

Q. 2

Answer: C. Approving operating system access standards

Explanation: Standards should be approved by the information security team. The team should
ensure that standards meet the requirements of the security policy. Implementation of the approved
standard is performed by the IT department. The other options are generally performed by the IT
department.

Q. 3

Answer: A. Standards

Explanation: Standards are sets of minimum requirements to be followed to comply with the
requirements of a security policy. Standards (minimum requirements) are included in procedures to
ensure that they comply with the intent of policies. Guidelines are generally detailed descriptions of
procedures. A maturity model is adopted to ensure continuous improvement in the security process.

Q. 4

Answer: B. Standards

Explanation: A standard is a mandatory requirement to be followed to comply with a given
framework, certification, or regulation. Standards help to ensure an efficient and effective process
that results in reliable products or services. A policy is a high-level statement of management intent
and does not cover specific regulatory requirements. Guidelines and procedures provide detailed dos
and don'ts to support the organization's policies and standards.

Q. 5

Answer: D. The last review date

Explanation: The most important element in an information security standard is the last review date,
which helps to ensure the currency of the standard and provides assurance that the document has
been reviewed and updated to address current issues.

Q. 6

Answer: A. Database hardening procedures

Explanation: Generally, procedures are changed more frequently than policies and standards. As
database platforms and the operating systems beneath them change, the hardening procedures for
them must change as well. Policies and standards should be more static and less subject to frequent
change.

Q. 7

Answer: C. A standard provides detailed directions to comply with a policy

Explanation: A policy is a high-level statement of management intent and does not cover specific
requirements or actionable steps. A standard is a mandatory requirement to be followed to comply
with a given framework or policy. That is, a standard provides detailed directions to comply with a
policy.

Q. 8

Answer: D. A change in the results of the periodic risk assessment

Explanation: A standard is a mandatory requirement to be followed to comply with a given
framework, certification, or policy. If the periodic risk assessment shows that the risk picture has
changed, the standard should be updated so that it continues to address the organization's security
objectives. The other options do not directly impact standards.

Q. 9

Answer: C. The board of directors

Explanation: The final responsibility for compliance with laws and regulations resides with the
board of directors. The other options support the board to execute the security policy.

Q. 10

Answer: C. The policy approver

Explanation: A framework defines the process for handling exceptions to policies and procedures.
The inherent authority to grant an exception to the information security policy resides with the one
who approved the policy.

Q. 11

Answer: D. Control objectives not being met

Explanation: A standard is a mandatory requirement to be followed to comply with a given
framework, certification, or policy. If the current standard does not help to achieve the intended
control objectives, the standard should be modified to ensure that it appropriately addresses the
organization's security objectives. The other options do not directly impact standards.

Practice Question Set 6

Q. 1

Answer: B. The cost of achieving control objectives

Explanation: A security program should provide value to the organization. The security manager
should determine the cost of implementation of controls and the corresponding value of the assets to
be protected. This will form the basis for determining whether the information security program is
delivering value. If the cost of controls is higher than the value of the assets, then the program does
not provide any value. The other options are secondary aspects.

Q. 2

Answer: B. The business asset owner

Explanation: It is very important to take approval from the business asset owner for patch update
timings as patch updates may lead to unexpected problems and can interrupt business processes.
Generally, business asset owners prefer non-working hours for patch updates.

Q. 3

Answer: B. Focus on key controls

Explanation: A security manager should primarily focus on the key controls to reduce risks and
protect information assets. Role-based control may be one of the key control areas. Focusing only on
financial applications is not as justifiable as the protection of other data (for example, customer data
may be equally critical). Key controls need not necessarily be only preventive controls.

Q. 4

Answer: C. Information technology

Explanation: A security program should be integrated with the processes of other departments, such
as IT, audit, risk management, quality assurance, and HR. This helps to improve the overall
effectiveness of the security program. The most important aspect is integration with IT processes. For
instance, automated controls are considered more effective than manual controls and are generally
driven by the IT department. Also, IT is responsible for the implementation and operations of
information processing systems. The other options are secondary aspects.

Q. 5

Answer: A. Issuance of termination notice


Explanation: In the event of the termination of an employee, details should be immediately made
available to the security team to revoke all access rights of that employee, including de-provisioning
of mobile devices. The other options are not as significant.

Q. 6

Answer: A. Feasibility stage

Explanation: For any new IT project, the security department should be involved right from the
feasibility stage until the project completion stage. In fact, the security department should be
involved throughout all SDLC phases. Security considerations affect feasibility. Thus, involving the
security team only in the later stages may not be an effective and efficient strategy.

Q. 7

Answer: D. Access should be provided according to business needs

Explanation: Access should be provided on a need-to-know basis, that is, according to the business
needs. The other options are not justifiable if users do not require data to perform their duties.

Q. 8

Answer: A. Reviewing and updating their access rights

Explanation: When an employee is transferred to another department, it is very important to review
and update their access rights to ensure that any access no longer needed is removed and appropriate
access for the new position is granted. The other options are secondary aspects.
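The access review in Q.5, Q.7, and Q.8 (revoke everything on termination, grant only what the business need requires, remove what a transfer leaves behind) is the kind of check that is easy to describe and easy to get wrong in practice. The following is an added illustration, not code from the book or from ISACA: it reconciles a user's current entitlements against a role-to-entitlement profile for a mover or leaver event. The role profiles, entitlement names, and users are constructed sample data, and the accumulated, ad hoc access is reported separately rather than silently revoked, so the reviewer can check it against a documented exception.

```python
"""Joiner/mover/leaver access reconciliation (added example, not from the book)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Hypothetical role profiles: the entitlements each job role is allowed to hold.
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "hr_analyst": {"hris:read", "hris:write", "vpn"},
    "finance_analyst": {"erp:read", "erp:journal_post", "vpn"},
    "finance_manager": {"erp:read", "erp:journal_post", "erp:approve", "vpn"},
}


@dataclass
class ReviewResult:
    revoke: set[str] = field(default_factory=set)    # role access no longer needed
    grant: set[str] = field(default_factory=set)     # required by the new role, missing
    orphaned: set[str] = field(default_factory=set)  # held outside any known role profile


def reconcile(current: set[str], old_role: Optional[str], new_role: Optional[str]) -> ReviewResult:
    """Work out what to revoke, grant, and flag for a user moving from old_role to new_role.

    new_role=None models a leaver: every entitlement is revoked and nothing is flagged,
    because there is no longer any business need to evaluate exceptions against.
    """
    if new_role is None:
        return ReviewResult(revoke=set(current))

    target = ROLE_ENTITLEMENTS[new_role]
    old = ROLE_ENTITLEMENTS.get(old_role, set()) if old_role else set()

    # Access that came with the old role and is not part of the new one goes away.
    revoke = (current & old) - target
    # Need-to-know: the new role defines what must be present.
    grant = target - current
    # Anything outside both profiles was granted ad hoc (an exception, or
    # accumulated over earlier transfers); a human decides whether it stays.
    orphaned = current - old - target
    return ReviewResult(revoke=revoke, grant=grant, orphaned=orphaned)


def run_sample() -> dict[str, ReviewResult]:
    """Constructed events for two users; returned so the results can be checked."""
    events = {
        # Alice transfers from HR to finance; she still holds HR access plus one ad hoc share.
        "alice": ({"hris:read", "hris:write", "vpn", "erp:read", "legacy_share:rw"},
                  "hr_analyst", "finance_analyst"),
        # Bob's termination notice was issued; everything he holds must go.
        "bob": ({"erp:read", "vpn"}, "finance_analyst", None),
    }
    return {user: reconcile(*args) for user, args in events.items()}


if __name__ == "__main__":
    for user, result in run_sample().items():
        print(f"{user}: revoke={sorted(result.revoke)} grant={sorted(result.grant)} "
              f"review={sorted(result.orphaned)}")
```

Running it shows Alice losing her HRIS rights, gaining the missing ERP posting right, and having the legacy share flagged for review, while Bob's termination revokes all of his access. Splitting `revoke` from `orphaned` is deliberate: an automated job may safely remove role-derived access that the transfer invalidated, but access granted as an exception needs the owner's decision, or the review turns into an outage.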

Q. 9

Answer: D. To understand IT issues to achieve adequate information security

Explanation: A security manager should be well versed in IT in order to make informed decisions
about technology risks. Technology knowledge will help the security manager understand IT issues
and help them achieve adequate information security. A security manager is not expected to
implement IT technology or adhere to the IT budget.

Practice Question Set 7


Q. 1

Answer: C. Reduction in the average response time for incidents

Explanation: An early response time helps to minimize the impact of the incident. Hence, to
determine the effectiveness of an incident response team, the best indicator is the reduction of the
average response time per incident. The other options are not direct indicators of the effectiveness of
an incident response team.

Q. 2

Answer: A. To measure the effectiveness of the security program

Explanation: Defined objectives can be used to measure the effectiveness of the information security
program. The success of the program is determined based on the achievement of the security
objectives. The other observations are secondary aspects.

Q. 3

Answer: A. Program metrics

Explanation: Program metrics measure how well a process is doing in terms of achieving its goals
and objectives. A defined metric helps to measure the current state of different security objectives.
This trend can be used to determine the improvement in a security program over time. If an
organization is unable to take measurements over time that provide data regarding the key aspects of
its security program, then continuous improvement is difficult to monitor. The other options are
secondary aspects.

Q. 4

Answer: A. It is meaningful to the recipient

Explanation: A metric should be meaningful to the recipient and should provide the basis for sound
decision-making. Unless it is meaningful to the recipient, all other attributes are of no use.

Q. 5

Answer: A. A reduction in the impact of security issues

Explanation: The main objective of implementing security controls is to minimize the adverse
impacts of incidents. A reduction in impacts from security incidents indicates that security controls
are effective. The other options do not directly indicate the effectiveness of security controls.

Q. 6

Answer: C. The security metrics

Explanation: Security metrics measure how well a process is doing in terms of its goals and
objectives. A well-defined metric helps to measure the current state of different security objectives.
This trend can be used to determine the improvement in the security program over time. The other
options are secondary aspects.

Q. 7
Answer: A. Trends showing the number of servers compliant with security requirements

Explanation: Overall trends of security-compliant servers indicate the level of effectiveness of the
information security program compared to standalone counts. Trends in the number of patch updates
would be less relevant as they depend on the number of vulnerabilities. A high patch update rate will
not necessarily indicate the effectiveness of a security program.

Q. 8

Answer: B. The percentage of control objectives achieved

Explanation: Executive management will be more interested in the achievement of control
objectives as they are directly linked to business objectives. The achievement of control objectives is
the best metric for executive management to evaluate the effectiveness of the security program. The
other options are secondary aspects.

Q. 9

Answer: C. Design

Explanation: Security metrics are developed during the design phase of system development.
Metrics should be developed before the testing and implementation phases. The feasibility stage is
too early for the development of security metrics. In the feasibility phase, the possibility of
implementing a project is determined.

Q. 10

Answer: A. Adverse incident trend reports

Explanation: Adverse incident trend reports indicate the impact on business objectives. Security
incidents occur because either a control failed or there was no control in place. This will be taken
seriously by management to fund the appropriate budget for information security. The other options
are secondary aspects.

Q. 11

Answer: B. Relevance to the recipient

Explanation: A metric should be meaningful for the recipient and should provide a basis for sound
decision-making. Unless it is meaningful to the recipient, all other attributes are of no use. The other
options are secondary aspects.

Q. 12

Answer: A. A reduction in incident impacts
Explanation: The prime objective of any security program is to reduce the impact of incidents. A
reduction in incident impacts indicates that the security program is effective in achieving its
objectives. The other options do not directly indicate the achievement of security objectives.

Q. 13

Answer: D. Providing non-compliance reports to executive management at regular intervals

Explanation: Providing reports to executive management will create performance pressure on the
business units. This will motivate them to address the non-compliant areas at the earliest opportunity.
The other options are secondary aspects.

Q. 14

Answer: C. Measuring monetary values in a consistent manner

Explanation: In the absence of a consistent method, the results of the metrics can be incomparable,
and trends can be misleading. Consistency is important to have reasonably accurate and reliable
results. It is not practical to simply exclude qualitative risks because of difficulties in measurement.
Developing cost-effective processes and considering investment amounts as profits are not relevant to
the calculation of RoI.

Q. 15

Answer: A. Percentage of penetration attempts investigated

Explanation: The objective of capturing a log is to conduct follow-up investigations for suspected
penetration attempts. Investigation helps to take various preventive and corrective actions. Merely
capturing the logs or generating reports will not serve the ultimate purpose. Hence, the most useful
metric for measuring the success of log monitoring is to determine the percentage of suspected
penetration attempts investigated. If organizations do not investigate and only keep capturing logs,
the ultimate objective of log capturing will not be achieved.

Q. 16

Answer: C. Security objectives

Explanation: Primarily, metrics should be based on the security objectives so they can provide a
useful measure to evaluate the effectiveness and efficiency of the information security program and
its objectives. Avoiding financial and operational risks can be one of the security objectives. Industry
standards may or may not be aligned with the security objectives of the organization.

Q. 17

Answer: C. To enable continuous improvement
Explanation: The main objective of security-related metrics is to measure performance and facilitate
and focus on the continuous improvement of the security program. Metrics may indicate security
weaknesses but do not directly identify them. The other options are secondary aspects.

Q. 18

Answer: C. Define and monitor the security metrics

Explanation: Metrics help measure performance over a period of time. They indicate the trend of
security performance by comparing against the baseline and help identify areas of improvement. The
other options are secondary aspects.

Q. 19

Answer: D. The information security manager

Explanation: Metrics are generally relevant to the owner of the control. Metrics for measuring the
effectiveness of antivirus software are primarily relevant to the information security manager. They help
the manager determine the current state of the control. If the control is not performing as expected, the
security team can investigate and address the issue.

Revision Questions

Q. 1

Answer: C. Classification of assets

Explanation: Information asset classification refers to the classification of information assets based
on their criticality to the business. Information assets can be classified as confidential data, private
data, or public data. This classification helps the organization provide the appropriate level of
protection for data. More resources should be utilized for the protection of confidential data
compared to public data.

Q. 2

Answer: B. The impact of a compromise

Explanation: Information asset classification refers to the classification of assets based on their
criticality to the business. Critical assets can have a significant impact in the event of a compromise
compared to less critical assets.

Q. 3

Answer: D. To determine the protection level
Explanation: Information asset classification refers to the classification of assets based on their
criticality to the business. Assets can be classified as confidential data, private data, or public data.
This classification helps the organization provide an appropriate level of protection for the assets.
More resources should be utilized for the protection of confidential data as compared to public data.

Q. 4

Answer: A. An assessment of impact by the data owner

Explanation: Data classification refers to the classification of data based on its criticality to the
business. Data classification is primarily based on inputs from the data owner. Data owners (business
managers) have thorough knowledge and understanding of an asset's impact on overall business
processes. They are in the best position to determine the value of the information assets.
Requirements of the information security policy are generally applicable after the classification of
assets. The level of protection is determined on the basis of classification and not the other way
around as indicated in option C.

Q. 5

Answer: A. Classification of assets

Explanation: Information asset classification refers to the classification of assets on the basis of their
criticality to the business. Assets are then protected in proportion to their criticality. Assets can be
classified as confidential data, private data, or public data. This classification helps the organization
provide the appropriate level of protection for the assets. More resources should be utilized for the
protection of confidential data as compared to public data.

Q. 6

Answer: A. Its business value

Explanation: The classification of an asset is generally based on its business value, that is, the
impact on the business if the asset is compromised. From the risk management perspective, an asset
is generally valued on the basis of its business value and not merely on the basis of simple acquisition
or replacement costs. Business value is measured in terms of revenue loss or other potential impacts
when an asset is compromised. For example, suppose software is acquired at a cost of $1,000 and
generates a revenue of $5,000 in a single day. Its business value will be $5,000 per day and not
merely its acquisition cost.

Chapter 6: Information Security Program Management

Practice Question Set 1
Q. 1

Answer: C. To mitigate impact

Explanation: Corrective controls are implemented to reduce the impact once a threat event has
occurred. They facilitate the quick restoration of normal operations. Examples of corrective controls
include the following:
Business continuity planning

Disaster recovery planning

Incident response planning

Backup procedures

Q. 2

Answer: D. The data custodian

Explanation: The data custodian is required to provide and implement adequate controls for the
protection of data. The data owner is required to classify the level of protection required for their
data.

Q. 3

Answer: C. A source code review

Explanation: The most effective method to identify and remove an application backdoor is to
conduct a review of the source code. The other options will not be as effective.

Q. 4

Answer: C. A signed acceptable use policy

Explanation: The purpose of a deterrent control is to give a warning signal to deter or discourage a
threat event. When employees sign an acceptable use policy, they are made aware of the
consequences of not adhering to it. This acts as a deterrent control. Two-factor authentication will not
be able to prevent the activities of authorized users. Internal audits and log capturing are used after
the fact (detective control) and may not be effective to prevent the event.

Q. 5

Answer: C. Performing a network address translation

Explanation: External security threats can be prevented by the use of network address translation, as
the internal hosts use private, non-routable addresses that cannot be reached directly from outside the
network. The other options are not as effective.

Q. 6

Answer: A. Criteria for data backup

Explanation: A policy is a high-level statement indicating the intent of management. With respect to
backups, the policy will include the criteria for data backup. These criteria will help the user
determine which data is to be considered critical and accordingly the frequency at which data
backups should be taken. The other options are generally included in procedure documents.

Q.7

Answer: C. The system design specifications stage

Explanation: System specifications, with respect to the type of access control and encryption, are
considered in the system design specification. The feasibility phase includes a cost-benefit analysis of
system development. In the procedural design phase, structured components are converted into
procedural descriptions. The software development stage would be too late as in this stage, the
system is already being coded.

Q.8

Answer: D. Degaussing the tapes

Explanation: Degaussing is the best way to erase data from a tape. In the degaussing process, an
alternating current field is increased gradually from 0 to a maximum value and again reduced to 0,
thus leaving a very low residue of magnetic induction on the device.

This is known as demagnetization or degaussing. The other options are not as secure. Multiple
overwriting and erasing of the tape are not fool-proof methods of removing data. Burning the tape
will physically destroy it, so it cannot be reused.

Q.9

Answer: B. Native database auditing impacts the production database's performance

Explanation: With respect to database security, a native audit refers to the use of tools and
techniques that help the administrator perform an audit of database activities. However, enabling a
native audit may lead to performance degradation of the database. This is a major concern. The other
options are less significant.

Q.10

Answer: A. Degradation of performance

Explanation: Enabling an audit log function may create a burden on database processing, which may
result in a degradation of the database's performance. The more elaborate the logging becomes, the
slower the performance will be. It is important to strike a balance. The other options will not be
impacted by enabling an audit log function.

Q.11

Answer: A. Diverting the incoming traffic during a denial-of-service attack

Explanation: The prime objective of a corrective control is to reduce the impact of an event once it
has occurred and to ensure restoration to normal operations.

The process of diverting the incoming traffic helps correct the situation and hence it is a corrective
control. Filtering network traffic is a preventive control. Auditing and logging are detective controls.

Q.12

Answer: A. When general controls are weak

Explanation: Application controls are controls implemented for a particular application, whereas
general system controls are implemented for the overall environment. An application is protected by
a combination of application as well as general controls. When general controls are weak, more
emphasis is to be placed on application-level control. Detective, preventive, and corrective controls
exist at both the general and the application levels.

Q.13

Answer: A. The activity of the system administrator should be monitored by a separate reviewer.

Explanation: The activities of a system administrator should be monitored to ensure that their
performance is in accordance with the information security program. Monitoring by a third party will
be more effective than a self-audit. It is not necessary for the monitoring to be done by a member of
the security team. The steering committee is not involved in routine monitoring.

Q. 14

Answer: D. A risk to availability

Explanation: Controls can be designed to either fail closed or fail open. For example, in case of the
failure of an automatic door, an organization can opt for fail open (the door remains open) or fail
closed (the door remains closed). In case of fail open, confidentiality and integrity may be
compromised, and in case of fail closed, availability and safety may be compromised. In such a
situation, the risk is determined for each element and a decision is made accordingly.

Q. 15

Answer: D. Failure modes

Explanation: Failure modes describe the mode in which the controls operate in cases of failure, that
is, whether a control fails open or fails closed. The failure mode of the control impacts safety,
confidentiality, and availability. For example, in case of the failure of an automatic door, an
organization can opt for fail open (door should remain open) or fail closed (door should remain
closed). In case of fail open, confidentiality and integrity may be compromised, and in case of fail
closed, availability and safety may be compromised. In such a situation, the risk is determined for
each element and a decision is taken accordingly.
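The fail-open versus fail-closed trade-off discussed in Q. 14 and Q. 15 above, shown as an added example (not code from the book): a hypothetical authorization check whose policy backend becomes unreachable, so the control's own failure mode decides whether an unauthorized user is let in (fail open) or an authorized user is locked out (fail closed). The permission table, user names and resource name are constructed for the illustration.

```python
"""Fail-open vs fail-closed behaviour of a security control (added illustration)."""
from enum import Enum
from typing import Callable, Dict, Set, Tuple


class FailureMode(Enum):
    FAIL_OPEN = "fail_open"      # on control failure, allow: availability preserved
    FAIL_CLOSED = "fail_closed"  # on control failure, deny: confidentiality preserved


class PolicyBackendError(Exception):
    """Raised when the policy decision point cannot be reached (constructed fault)."""


def make_backend(permissions: Dict[str, Set[str]], healthy: bool) -> Callable[[str, str], bool]:
    """Build a policy-decision function over an in-memory permission table.

    `healthy=False` simulates the backend being down, which is the failure the
    control's mode has to handle.
    """
    def decide(user: str, resource: str) -> bool:
        if not healthy:
            raise PolicyBackendError("policy service unreachable")
        return resource in permissions.get(user, set())
    return decide


def authorize(user: str, resource: str,
              backend: Callable[[str, str], bool],
              mode: FailureMode) -> Tuple[bool, str]:
    """Evaluate access; return (allowed, reason) so the failure path stays auditable."""
    try:
        return backend(user, resource), "policy_decision"
    except PolicyBackendError as exc:
        # The control itself has failed; behaviour is now dictated by its failure mode.
        if mode is FailureMode.FAIL_OPEN:
            return True, f"fail_open:{exc}"
        return False, f"fail_closed:{exc}"


def control_failure_risks(mode: FailureMode) -> Set[str]:
    """Elements put at risk when a control in the given mode fails, as the text states."""
    if mode is FailureMode.FAIL_OPEN:
        return {"confidentiality", "integrity"}
    return {"availability", "safety"}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the four cases that matter: normal allow/deny, and each mode during an outage."""
    perms = {"alice": {"payroll_db"}}          # constructed: only alice may read payroll_db
    healthy = make_backend(perms, healthy=True)
    broken = make_backend(perms, healthy=False)
    return {
        # backend up: the policy decides
        "normal_allowed": authorize("alice", "payroll_db", healthy, FailureMode.FAIL_CLOSED),
        "normal_denied": authorize("bob", "payroll_db", healthy, FailureMode.FAIL_CLOSED),
        # backend down: fail open lets an unauthorized user in (confidentiality risk)
        "outage_fail_open": authorize("bob", "payroll_db", broken, FailureMode.FAIL_OPEN),
        # backend down: fail closed locks an authorized user out (availability risk)
        "outage_fail_closed": authorize("alice", "payroll_db", broken, FailureMode.FAIL_CLOSED),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:<20} allowed={allowed!s:<5} reason={reason}")
```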

Q. 16

Answer: D. To verify the sender's identity and determine whether orders are in accordance with the
contract terms

Explanation: In an EDI environment, there are primarily two challenges with respect to the receipt
of an order. The first challenge is to ensure that an order received is from a trusted partner and the
second is to ensure that the order quantity is correct. Hence, a control should be available for the
verification of the sender's identity and to determine the correctness of the order quantity. The other
options will not be as effective.

Q.17

Answer: A. To limit the consequences of a compromise

Explanation: Segmentation refers to dividing a network into parts. Segmentation limits the
consequences of an attack by constraining the scope of impact. Segmentation by itself does not
reduce vulnerability, but may result in complex administration, and is not implemented primarily to
support the data classification scheme.

Q. 18

Answer: B. The safety of human life

Explanation: While implementing any framework, policy, or control, the most important
consideration is the safety of human life. The other options are secondary aspects.

Q. 19

Answer: D. Control design and development

Explanation: Control design and development is the prime activity in the development of an
information security program. Most program development activities will involve designing, testing,
and implementing controls. The other options are secondary aspects.

Q. 20

Answer: A. In areas where incidents may have a high impact and high frequency

Explanation: A security manager should understand that implementing continuous monitoring is
expensive. The use of continuous monitoring may not always be feasible or practical, so it should be
used in areas with the highest risk levels. Therefore, continuous monitoring is best deployed in the
areas where incidents may have a high impact and frequency.

Practice Question Set 2
Q.1

Answer: C. It helps to define the minimum acceptable security required across the organization

Explanation: A baseline refers to basic requirements. A security baseline refers to the minimum
basic requirement for an organization's security.

Establishing a security baseline across the entire organization will help to ensure that controls are
consistently applied in accordance with acceptable risk levels.

Q. 2

Answer: B. Implementing a security baseline

Explanation: A security baseline refers to the minimum basic requirement for an organization's
security. The objective of implementing a security baseline throughout the organization is to ensure
that controls are consistently implemented as per the acceptable risk levels. The other options do not
directly address compliance with the information security policy. Frequent user awareness training
need not necessarily ensure compliance.

Q. 3

Answer: B. To establish a uniform process of system hardening

Explanation: The objective of implementing a security baseline throughout the organization is to
ensure that controls are consistently implemented as per the acceptable risk levels. A baseline helps
to establish a uniform and consistent security standard throughout the organization.

Q. 4

Answer: C. A baseline

Explanation: A baseline describes basic requirements. A security baseline refers to the minimum
basic requirement for an organization's security. The objective of implementing a security baseline
throughout the organization is to ensure that controls are consistently implemented as per the
acceptable risk levels. Procedures determine the detailed processes but do not include configuration
requirements. Guidelines are not mandatory in nature. Policies are high-level statements indicating
management's intent but do not include details about configuration requirements.

Q. 5

Answer: B. To prepare baseline requirements for all locations and add location-wise supplementary
standards as per the local requirements

Explanation: The most effective and efficient method in this scenario is to determine a baseline
standard and then add additional requirements as per the local needs. Mandating all locations to
follow all requirements will place an undue burden and may also result in contradictory requirements.
Letting each location decide on its own requirements may cause the failure of some of the corporate-
level compliances. Hence, deciding on a baseline is a must.

Q. 6

Answer: B. To establish a uniform process of system hardening

Explanation: A security baseline refers to the minimum basic security requirements for a specific
group of applications. It helps to establish a uniform security standard for system hardening. The
other options are secondary aspects.

Practice Question Set 3
Q.1

Answer: D. To conduct security awareness training for employees

Explanation: Human resources should primarily aid in creating awareness about the information
security requirements of the organization. Recruitment is a secondary factor. Budget allocation and
risk assessment may not be the responsibility of the human resources department.

Q. 2

Answer: A. To customize the content of the program as per the target audience

Explanation: The most effective way to increase the effectiveness of the training is to customize it as
per the target audience and to address the systems and procedures applicable to that particular group.
For example, a system developer needs to undergo an enhanced level of training covering secure
coding aspects, while data entry operators can be trained on the security aspects related to their
functions. The other options are secondary aspects.

Q. 3

Answer: D. Security awareness campaigns

Explanation: Frequent security awareness campaigns are the best way to improve an organization's
security culture. The other options are secondary aspects.

Q. 4

Answer: C. What employees should or should not do in the context of their job responsibilities

Explanation: An awareness program will be more relevant if it is customized to include the dos and
don'ts of the job responsibilities of employees. A security awareness program should focus on
employee behavior and its impact on the organization's security posture. The other options are
secondary aspects.

Q. 5

Answer: A. Logon banners displayed at every logon

Explanation: The most effective method is to create awareness through the use of logon banners. A
security message will be displayed every time the user logs on, and they will be required to read and
agree to the message before access is granted. This will help to enforce the security requirements
throughout the organization. The other options are not as effective.

Q. 6

Answer: C. Before access to data is provided

Explanation: Security awareness training should be completed before the new joiner is given access
to data. They should be aware of the secure data handling process.

Q. 7

Answer: B. To influence employee behavior

Explanation: Frequent awareness training efforts can influence the behavior of employees from a
security aspect. It helps employees make security-conscious decisions and actions.

Q. 8

Answer: B. Some quantitative evaluation used to ensure user comprehension

Explanation: The security manager should design some quantitative evaluation criteria to determine
the understanding level of the user, for example, a quiz or other type of assessment that is
measurable. The other options are secondary aspects.

Q. 9

Answer: A. The methodology to be used in the assessment

Explanation: The methodology helps you to understand the process and formulae for the assessment.
It is the most important element in the selection of a consultant. The other options, though important,
are not as significant.

Q. 10

Answer: C. A top-down approach

Explanation: A top-down approach means that commitment to the success of the security awareness
program comes from the senior management level. Support from senior management will ensure
enough resources are provided for the program's success. The other options, though important, are
not primary success factors.

Q. 11

Answer: B. User education and training

Explanation: Periodic education and training is the most cost-effective method to improve the
security awareness of employees. The other options will not be effective in the absence of user
education and training.

Q. 12

Answer: D. The information security department

Explanation: The information security program is generally managed by the information security
department. Security awareness training and materials are part of the information security program.

Q. 13

Answer: C. Security awareness training

Explanation: In the absence of structured security awareness training, the other components of the
program may not be effective.

Q. 14

Answer: B. A discussion on how to construct a strong password

Explanation: To improve the effectiveness of awareness training, modules should be customized as
per the job functions of the audience. An employee engaged in general operational duties is expected
to create a strong password for their authentication. They are not required to have a thorough
understanding of the other options.

Q. 15

Answer: D. Continually reinforce the security policy.

Explanation: The most effective method is to continuously reinforce the security policy and
management expectations of the behavior of the employees. The other options are not as effective.

Q. 16

Answer: C. Conduct role-specific awareness training

Explanation: The best way to increase the effectiveness of the training is to customize the training as
per the target audience and to address the systems and procedures applicable to that particular group.
For example, a system developer needs to undergo an enhanced level of training that covers secure
coding aspects, while data entry operators can be trained on security aspects related to their functions.

Q. 17

Answer: A. To decrease the likelihood of information security incidents

Explanation: The prime objective of security training is to influence the behavior of the employees
and thereby reduce the likelihood of information security incidents. Although compliance with the
information security policy is important, the objective of security training is to influence the cultural
and behavioral elements of information security. The other options are secondary factors.

Q. 18

Answer: C. To establish an organizational culture that is favorable to security

Explanation: A structured and well-defined security awareness training program will help to build a
favorable environment for secure business processes. The other options are secondary factors.

Q. 19

Answer: B. Calling back the branch number listed in the office phone directory

Explanation: The best way to authenticate the caller is to call back the branch number listed in the
office phone directory. The recipient should not use any phone number or email address provided by
the caller. Once the call has been reasonably verified, the information may be provided to the caller.
The other options are not as effective.

Q. 20

Answer: D. Threats and vulnerabilities
Explanation: Security awareness training should be a continuous process as threats and
vulnerabilities change over time. Regular refresher training is an important part of security
awareness. Changes in technology and compliance requirements are covered by addressing changes
in threats and vulnerabilities.

Practice Question Set 4
Q.1

Answer: C. A service level agreement

Explanation: An SLA defines the level of service expected from a vendor and includes the other
options, such as penalty clauses, indemnity clauses, and the right to terminate.

Q.2

Answer: A. A right-to-audit clause

Explanation: To conduct independent assessments of the service provider, it is critical that a right-to-
audit clause is included in the contract. In the absence of this clause, a service provider may not allow
the auditing of their processes. The other options depend upon the nature of the services outsourced
and should be evaluated during the audit.

Q.3

Answer: C. Whether the service provider is contractually obliged to follow all relevant security
requirements.

Explanation: In the absence of contractual liability, the security manager will not be able to ensure
compliance with security requirements by the service provider. Contractual obligations help both
parties to commit to the contract. Adherence to the budget and obtaining industry references is the
responsibility of the business unit and not the security manager. The availability of a business
continuity arrangement is a secondary aspect.

Q.4

Answer: B. Conducting regular security reviews of the third-party service provider

Explanation: Frequent audits and security reviews of the third-party service provider are the best
way to ensure an appropriate security arrangement on an ongoing basis. Including security
requirements in the service contract is important but it does not help to ensure ongoing effectiveness.
Security training and increasing contract rates are secondary aspects.

Q.5

Answer: A. An access control matrix

Explanation: The required access control matrix (discussed in Chapter 7, Information Security
Infrastructure and Architecture) should be included in the SLA to ensure the confidentiality of data.
The other options are generally not included in an SLA.

Q.6

Answer: C. The contract should mandate that the service provider complies with the organization's
security requirements

Explanation: A security manager can enforce security requirements only if a contract mandates
compliance with the information security policy. A confidentiality clause and a security audit should
be part of the security requirements. The contract rate is required to be approved by business
management, not by the steering committee.

Q.7

Answer: A. The security arrangement for stored and transmitted sensitive data

Explanation: As the third party is involved in handling sensitive customer data, the primary
consideration for the security manager is to determine the security arrangement for the storage and
transmission of sensitive data. The other options are secondary aspects.

Q.8

Answer: D. Included in the contract

Explanation: The most effective method is to ensure that the requirements are included in the
contract. This will help to enforce those requirements. The other options are secondary aspects.

Q.9

Answer: C. To conduct periodic audit reviews of the service provider

Explanation: The best control to monitor the services of the third-party service provider is to
conduct periodic audit reviews of the provider. The other options are not as effective. An audit will
help to determine the level of actual compliance with the security requirements.

Q.10

Answer: C. Ensure that appropriate controls are included

Explanation: The role of the security manager is to ensure that appropriate controls are included in
the contract. In the absence of a well-defined contractual agreement, the organization cannot enforce
security requirements. The right to audit is one of the controls to be included in the contract.
Operational issues and the contract rate are not within the purview of the security manager.

Q.11

Answer: C. Implement a firewall to restrict network traffic from the trading partner's location

Explanation: The best way to continue the business relationship and at the same time address the
risk is to set up firewall rules restricting network traffic from the trading partner. Options A and D
will not prevent security incidents. Option B is not feasible considering business requirements.

Q.12

Answer: B. Conducting a risk assessment to determine the required controls

Explanation: The most important step is to conduct a risk assessment to identify the risks and
determine the required controls. A background check of the service provider's employees is the
responsibility of the service provider. Audits and security assessments are carried out subsequent to
risk assessment.

Q.13

Answer: A. The right to conduct an independent security review

Explanation: The most important aspect is the right to conduct an independent security review of the
third-party service provider. This will help the organization determine the service provider's security
posture. The other options are secondary aspects.

Q.14

Answer: C. When requirements are being established

Explanation: It is important to get the information security manager involved right from the
beginning when the requirements are being established. The security requirements should be
considered at the time of bids and other negotiations with the third party.

Q.15

Answer: A. Limiting user access rights

Explanation: The most effective method is to limit access to the extent required for the user to
perform their job. User authentication by way of two-factor authentication and biometric controls is
important, but once access is granted, the users should have only specific rights.

Q.16

Answer: D. Adherence to the organization's information security requirements

Explanation: The most important aspect is to ensure compliance with the organization's information
security requirements. Authentication and alternate processing sites will already be included in the
organization's security requirements. Compliance with international standards is a secondary aspect.

Q.17

Answer: C. Prior to developing a project budget

Explanation: RFP is a process of requesting technical details and costs for the proposed project. The
budget is generally finalized based on a proposal from the service providers. Project feasibility and
business cases are initial steps to decide whether a project should be implemented or not.

Q.18

Answer: A. To establish the process for monitoring the service provider

Explanation: After the contract has been signed, the next step will be to ensure that continuous
service provider monitoring is established. This will help to control and monitor the activities of the
service provider and irregularities, if any, can be addressed immediately. All the other options are
actions taken prior to signing the contract.

Q.19

Answer: A. Assurances that the third party will comply with the requirements of the contract

Explanation: The service provider is required to provide assurance about compliance with the
requirements of the contract. One of the methods to do this is through independent security audit
reports. Awareness training and background checks may be among the requirements of the contract.
A review of contracts and policies is important, but it does not assure compliance.

Q.20

Answer: B. Whether privacy requirements are complied with

Explanation: Privacy is the right of the individual to demand the utmost care of any personal
information that they have shared with any organization or individual. Individuals can demand that
the use of their information be appropriate, legal, and only for the specific purpose for which the
information was provided. Non-compliance with privacy requirements may lead to legal
consequences. The other options are secondary aspects.

Practice Question Set 5


Q.1

Answer: B. The business strategy


Explanation: The security framework and policy should closely align with organizational needs.
Policies must support the needs of the organization. For the alignment of the security program, the
security manager should have an understanding of the business strategy, plans, and objectives. An
effective strategic alignment of the information security program requires regular interaction with
business owners.

Q.2

Answer: B. Organizational needs

Explanation: The security framework and security policy should closely align with organizational
needs. Policies must support the needs of the organization. The other options are secondary aspects.

Q.3

Answer: D. Obtain sign-off from all stakeholders

Explanation: Before implementing the security framework and policy, sign-off should be obtained
from all relevant stakeholders to ensure that the policy supports the objectives and expectations of the
business. The other options are secondary aspects.

Practice Question Set 6


Q.1

Answer: C. The information security manager

Explanation: The responsibility for raising awareness for sufficient funds for security initiatives
resides with the information security manager. Even though the chief information officer, business
process owner, and chief audit officer do play important roles in the final approval of funds, the
information security manager has the ultimate responsibility for raising awareness for adequate
security funds.

Q.2

Answer: C. Prioritizing risk mitigation and educating management

Explanation: When funds are inadequate, the best option is to allocate the available resources to
those areas of highest risk and, at the same time, to educate management about the potential impact
of underfunding. The other options are secondary factors.

Q.3

Answer: A. The identified levels of risk


Explanation: On the basis of the risk assessment, areas of high risk should be identified. Priority
should be given to these areas of high risk. Security investment should then be prioritized by the level
of each risk. Prioritization should not be based on trends or the discretion of the security manager or
industry benchmarking.

Practice Question Set 7


Q.1

Answer: D. Does not interrupt the production process

Explanation: The most important aspect is to ensure that the scan process does not interrupt the
production process. There is no harm in using industry-recognized open source tools. A scan should
concentrate on all servers within the network because if any of the servers is compromised, then the
entire network will be in danger. Adherence to the budget is not a major concern.

Q.2

Answer: C. The steering committee

Explanation: The security steering committee consists of senior officials from different business
functions. It plays an important part in the finalization of security requirements. The security steering
committee is in the best position to support the establishment of an information security program.

Q.3

Answer: A. On a daily basis

Explanation: New attack patterns are introduced almost on a daily basis. If signature files are not
updated daily, the organization could be exposed to new types of attacks. The other options are not
effective.

Q.4

Answer: D. Definition files

Explanation: The effectiveness of antivirus software depends on virus definition files. If definitions
are not updated on a frequent basis, antivirus software will not be able to control new types of
attacks. The other options are secondary aspects.

Q.5

Answer: D. Ease of maintenance and frequency of updates


Explanation: For antivirus software to be effective, it must be easy to maintain and must be updated
frequently to address new viruses. The other options are secondary factors.

Q.6

Answer: B. Use protective switch covers

Explanation: Installing protective switch covers will help reduce instances of an individual
accidentally pressing the power button and shutting down the system. A redundant power supply will
not prevent accidental system shutdowns. Shutdown alarms will come on after the event. Biometric
readers are generally used for granting access to a system and not for switching on/off the power.

Q.7

Answer: D. Leadership from IT, business management, and human resources

Explanation: The role of a steering committee is to ensure that the security initiatives are in harmony
with the organization's mission and objectives. A steering committee monitors and facilitates the
deployment of security resources for specific projects in support of business plans. Senior
management and representatives from IT, business management, human resources, information
security, and so on should make up the steering committee.

Q.8

Answer: D. System overheads

Explanation: Overhead means excess or indirect utilization of computation time, memory,
bandwidth, and other resources. A monitoring product can have a significant impact on system
overheads for servers, applications, and networks. A security manager should ensure that the
monitoring device does not degrade the performance of the servers, applications, and networks. The
other options are secondary aspects.

Q.9

Answer: D. A Trojan program

Explanation: If a computer is infected with a Trojan program, the attacker can take full control of the
system and hijack, copy, or modify the information after authentication is completed by the user. An
IP is not used for authentication and hence IP spoofing will not work. A secure socket layer along
with a digital certificate will prevent a man-in-the-middle attack. A digital certificate will prevent the
risk of repudiation.

Q.10

Answer: B. Perform periodic reviews for compliance


Explanation: The best method is to conduct a periodic review and determine the status of
compliance. Gaps, if any, should be addressed appropriately. The other options are secondary factors.

Q.11

Answer: A. It is a cost-effective way to take advantage of expertise not available internally.

Explanation: The primary driver for taking advantage of the services of an external resource is that it
helps to contribute cost-effective expertise that is generally not available internally. The other options
are secondary factors.

Q.12

Answer: B. Finance department

Explanation: The responsibility for determining the appropriate level of classification resides with
the data owner. In this case, the finance department is the owner of the accounting data and hence the
finance department should determine the level of classification for the server.

Q.13

Answer: A. Restrict access to read only

Explanation: The best way is to only allow read-only access for the module. The developer should
not have the right to modify or download the base data. The other options will not be as effective as
read-only access.

Q.14

Answer: C. Operational units

Explanation: The most effective way to optimize the security program is to embed the security
processes with the operational processes. The involvement of operation units is of utmost importance
to ensure that the security process is accurate and functional.

Q.15

Answer: C. The system programmer

Explanation: The system programmer should not have the privilege to update the access control list
as it enables them to have unlimited control over the system. The data owner, the data custodian, or
the security administrator may be required to carry out updates of the access control list as per their
defined job responsibilities.

Q.16

Answer: B. Log all of the application programmer's activity for a review by their manager.

Explanation: The best way to mitigate the situation is to capture a log of the programmer's activities,
which needs to be reviewed by their manager. This will help to detect any inappropriate action on the
part of the application programmer. The other options will not be as effective.

Q.17

Answer: D. To remove all logical access provided to the employee

Explanation: The most important step is to remove all logical access provided to the employee.
Upon termination, the employee should not be able to access the organization's data. Taking back the
identity card and laptop does not prevent the employee from logging in from external machines.
Deleting the employee's files needs to be considered after analyzing the nature of the data.

Q.18

Answer: A. To ensure that the process is repeatable and sustainable

Explanation: The primary objective of documenting the security processes is to ensure that they are
repeatable and sustainable. This helps to ensure that the security processes are performed correctly
and consistently.

Q.19

Answer: A. The various circumstances in which cryptography should be used

Explanation: The objective of a process document is to support users in ensuring that the process is
followed in a consistent and correct manner. The most important aspect that should be included in a
cryptography process document is the circumstances in which cryptography should be used. The
other options are generally automated and system driven, so users may not need to be involved much.

Q.20

Answer: B. Throughout the entire life cycle of the process

Explanation: Risk assessment is not a one-time activity. It should be conducted at every stage of the
newly implemented process for the most effective result.

Practice Question Set 8


Q.1

Answer: C. A notification about what the company will do with the information it collects

Explanation: Generally, all privacy laws mandate the disclosure of how information collected will
be used. The privacy budget is generally not included in a privacy statement. Notifications about the
accuracy of information are included in the website disclaimer. Information classification is not part
of a privacy statement.

Practice Question Set 9


Q.1

Answer: B. Verify a copy of independent security reviews or audit reports for the cloud service
provider

Explanation: The best way to evaluate a provider is to obtain and verify independent security
reviews or audit reports of the company. The other options are not sufficient in themselves to verify
the physical security arrangements.

Q.2

Answer: D. The contract should restrict the movement of data within the territory allowed as per the
relevant law or regulation.

Explanation: It is very important to validate and verify whether the regulations of the locations
(where the infrastructure is located) are aligned with the enterprise's requirements. A contract should
include terms to restrict the movement of assets within approved locations. The other options are
comparatively less important.

Q.3

Answer: A. Clarity with respect to data ownership, data custody, and IPR-related requirements

Explanation: It is very important that the contract has proper clarification with respect to data
ownership, data custody, and other IPR-related requirements.

Q.4

Answer: B. The data in the multitenancy environment being accessed by competitors

Explanation: The most important concern about the storage of personal data in a cloud environment
is unauthorized access by competitors. Data leakage may have serious consequences.

Q.5

Answer: B. Compliance with legal requirements

Explanation: The most important items to consider are legal requirements, laws, and regulations.
The other options are comparatively less important.

Q.6

Answer: B. Private cloud

Explanation: A private cloud is considered the most secure deployment method as it can be
controlled and centralized by the organization.

Q.7

Answer: A. Ability to expand storage and bandwidth on demand

Explanation: The main benefit of cloud computing is flexibility in obtaining the storage and
bandwidth capacity as per the business requirements. This is very difficult to manage in a locally
hosted environment. End user training is required irrespective of whether it is a cloud or local
environment. Encryption and access control can be established in both local and cloud environments.

Revision Questions

Q.1

Answer: A. Employees engaged in monitoring activities

Explanation: Ethics training is important for all employees but is primarily useful for employees
engaged in monitoring activities as they have access to sensitive corporate and personal information.
Ethics training includes guidance on appropriate legal behavior to reduce corporate liability and
awareness of data privacy and ethical behavior.

Q. 2

Answer: B. Residual risk

Explanation: Residual risk refers to the risk that remains after controls are implemented. The
objective of an awareness program is to improve the controls and reduce vulnerability, which thereby
reduces the residual risk. The other options are not primarily influenced by a security awareness
program.

Q. 3

Answer: A. To promote the advantages of a good security culture through influential people

Explanation: Influential people in the organization are usually employees with substantial authority
and who have a greater interest in promoting the security culture. They act as ambassadors for the
security culture within their department and can bring significant change across the entire
organization's culture. The other options are not as effective.

Q. 4

Answer: D. The possibility of disclosure of sensitive data in transit or storage

Explanation: A primary area of concern is the disclosure of sensitive data, which may lead to
regulatory, financial, as well as reputational loss. Generally, cloud storage is cost effective. The
unavailability of proper training and network problems are secondary aspects.

Q. 5

Answer: B. Risk assessment

Explanation: The first step is to conduct a risk assessment to determine the level of risk involved in
providing access to a third-party service provider. The other options are covered in the risk
assessment process.

Q. 6

Answer: B. A clause for the right to audit

Explanation: The absence of a right-to-audit clause would prevent an organization from determining
the security arrangements of the service provider. The organization would not have any assurance
about contractual and legal compliance from the service provider. The other options are not as
significant as the right-to-audit clause.

Q. 7

Answer: D. Whether the service provider meets the organization's security requirements on an
ongoing and verifiable basis

Explanation: From a security perspective, the most important consideration is the service provider's
capability to meet the organization's security requirements. The other options are secondary aspects.

Q. 8

Answer: B. Incompatible culture

Explanation: It is very difficult to determine the culture of another organization. The incompatible
culture of a third-party service provider poses a high risk for any organization. Employees with
different cultures often have different perspectives on data privacy. Sometimes, the perspectives of
the employees may not be consistent with the organization's requirements. Employees from different
cultures may have different perspectives on what information is considered sensitive or confidential
and how such information should be handled.

Q. 9

Answer: A. Ensure that the security requirements included in the service agreement meet the current
business requirements

Explanation: The first step is to ensure that current business and security requirements are included
in the service agreement. As the service agreement has not been significantly revised in 5 years, it is
possible that the third-party service provider is not aware of the current requirements of the
organization. If requirements are not included in the service agreement, even compliance with the
service agreement, a heavy penalty, and automatic monitoring will not be meaningful.

Q. 10

Answer: D. The defined responsibilities

Explanation: It is easy to assign ownership of and accountability for an operational issue if roles and
responsibilities are properly defined in the SLA. If there are any concerns, it is most important to
identify the owner of responsibility. This helps to determine the next action to be taken. The other
options are secondary aspects.

Q. 11

Answer: B. Whether the service provider's security architecture meets the organization's
requirements

Explanation: From a security perspective, the most important consideration is the service provider's
capability to meet the organization's security requirements. The security manager is generally not
concerned about the contract rate. Application availability and alternate site processing will already
be included in the organization's security requirements.

Q. 12

Answer: D. By conducting a security code review for the entire application

Explanation: The best security measure when a third party is engaged in application development is
to conduct a security code review for the entire application to detect all the malware, including
backdoors.

Q. 13

Answer: A. Discuss the finding with the marketing manager to evaluate the risk and impact

Explanation: The first step for the security manager is to discuss the finding with the marketing
manager and determine the risk and impact of such an act. Input from business unit management is
very important in deciding the next step. The findings should not be directly highlighted to the audit
committee without understanding the risk and impact. The other options are subsequent actions.

Q. 14

Answer: B. Conducting a risk assessment


Explanation: The first step is to conduct a risk assessment to identify the current needs and
requirements of the organization and accordingly develop a security strategy. The other options are
subsequent steps.

Q. 15

Answer: D. The operations department

Explanation: Most of the critical processes and data of the organization are generally handled by the
operations department. This department has first-hand knowledge of the organization's processes and
responsibilities and will help to ensure that written procedures are sound, repeatable, and sustainable.

Q. 16

Answer: A. To implement content filtering

Explanation: Content filtering is the best tool to address the issue as it has the ability to examine the
content of an attachment and prevent any information containing certain words or phrases from being
sent out of the organization. Encryption will not be effective because it does not prevent confidential
information from going out. In fact, the content filtering tool will not be able to read encrypted
information. Email audit and security training will not be as effective.
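The following is an added illustration of the content-filtering decision described in the answer to Q. 16 above; it is not code from the book. Each outbound attachment is scanned for watch-listed words or phrases, and an attachment whose bytes look encrypted (high entropy, so the filter cannot read it) is held for review rather than silently allowed, which is the limitation the explanation points out. The phrase list, the entropy threshold and the sample messages are constructed for this example.

```python
"""Outbound content filtering for email attachments (added illustration)."""
import math
from collections import Counter

# Constructed watch list: phrases that must not leave the organization.
WATCH_PHRASES = ("project falcon", "customer ssn", "internal only")

# Shannon entropy in bits per byte (maximum 8). Above this constructed
# threshold the bytes look encrypted or compressed; plain text scores lower.
ENTROPY_LIMIT = 7.0


def shannon_entropy(data: bytes) -> float:
    """Entropy of a byte string in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def inspect_attachment(data: bytes):
    """Return (verdict, matched_phrases) for one attachment body.

    Verdicts: "allow" (readable, no hits), "block" (watch phrase found),
    "hold" (unreadable: the filter cannot inspect it, so it is not auto-allowed).
    """
    if shannon_entropy(data) > ENTROPY_LIMIT:
        return "hold", []
    text = data.decode("utf-8", errors="replace").lower()
    hits = [p for p in WATCH_PHRASES if p in text]
    return ("block", hits) if hits else ("allow", [])


def filter_outbound(message):
    """Decide for a whole message: block outranks hold, hold outranks allow."""
    verdict, hits = inspect_attachment(message["body"].encode("utf-8"))
    verdicts = {verdict}
    hits = list(hits)
    for _name, data in message["attachments"]:
        v, h = inspect_attachment(data)
        verdicts.add(v)
        hits.extend(h)
    for v in ("block", "hold"):
        if v in verdicts:
            return v, hits
    return "allow", hits


# Constructed sample messages.
CLEAN = {"body": "Lunch menu attached.",
         "attachments": [("menu.txt", b"Soup and salad")]}
LEAK = {"body": "See attached.",
        "attachments": [("q3.txt", b"Project Falcon forecast - internal only")]}
# Every byte value equally often: entropy 8 bits/byte, indistinguishable from ciphertext.
OPAQUE = {"body": "Encrypted as requested.",
          "attachments": [("q3.bin", bytes(range(256)) * 4)]}

if __name__ == "__main__":
    for label, msg in (("clean", CLEAN), ("leak", LEAK), ("opaque", OPAQUE)):
        print(label, filter_outbound(msg))
```

The "hold" verdict is the practical consequence of the explanation's last point: because an encrypted attachment cannot be read, a filter that simply allows what it cannot match would let confidential data out, so unreadable attachments need a separate policy decision.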

Chapter 7: Information Security Infrastructure and Architecture

Practice Question Set 1


Q. 1

Answer: D. The information security architecture

Explanation: Just as conventional architecture defines the rules and standards for the construction of
buildings, information security architecture addresses the design and implementation of the security
posture of the organization. An architecture helps to integrate the different components of
information security in an effective manner. A security architecture also defines minimum levels of
security for the infrastructure.

Q. 2

Answer: D. Business objectives and goals

Explanation: The prime objective of the security architecture is to support business objectives and
goals. The other options are secondary factors.

Q. 3

Answer: B. Developing an architecture

Explanation: Information security architecture supports the design and implementation of the
organization's security posture, just as traditional architecture specifies the guidelines and standards
for building construction. An architecture helps in the efficient integration of the various information
security components.

Practice Question Set 2


Q. 1

Answer: D. Effective termination process

Explanation: An effective termination process is one of the most important aspects of the
information security process. Terminated employees may use their active credentials to access the
system or data for unauthorized activities. Therefore, it is of utmost importance to ensure timely
revocation of all access of the terminated employee. The other options are not as effective at
preventing this type of situation.

Q. 2

Answer: C. The process owner

Explanation: The responsibility to implement and maintain the required level of security for a
specific business application resides with the business process owner. Process owners have thorough
knowledge of the business needs and security requirements for the business application for which
they are responsible.

Q. 3

Answer: D. Determining the extent of application security required

Explanation: The data owner is responsible for determining the extent of application security
required for their data. Data owners have thorough knowledge of the business needs and information
security requirements for their systems and processes. The other options are the responsibility of the
system administrator.

Q. 4

Answer: D. User awareness training

Explanation: In a phishing attack, an attacker acts as a trusted entity and tries to lure the victim to
part with confidential information. The best method to address the risk of phishing is to conduct
periodic awareness training with the users. Educating users will help to address the risk of visits to
untrusted websites or email links. The other options will not be as effective.

Q. 5

Answer: A. Locally managed file servers

Explanation: The area of most concern will be the locally managed file servers as they are not
subject to centralized oversight and monitoring. The other options are subject to close scrutiny and
monitoring.

Q. 6

Answer: D. A backup is taken after the data is infected

Explanation: A backup of the infected file will increase the spread of the infected code. It will then
become difficult to eradicate the malicious code. The other options do not significantly increase the
level of difficulty.

Q. 7

Answer: B. Conducting periodic security awareness programs

Explanation: In a social engineering attack, an attacker acting as a trusted entity lures a victim into
opening an email. Security awareness training is the best method to address the risk of social
engineering attacks such as phishing. Educating users will help to address the risk of visits to
untrusted websites or email links. The other options are secondary aspects.

Q. 8

Answer: B. The system user

Explanation: Change management is the best way to ensure that modifications made to systems do
not introduce new security exposures. System users will be in the best position to conduct user
acceptance testing and determine whether the change in the system has introduced any new exposure.

Q. 9

Answer: A. The existence of the message is not known

Explanation: Using the steganography technique, secret data is hidden in an ordinary file or image to
avoid detection. An ordinary file or image is sent to the recipient along with secret data. For highly
confidential data, an organization generally uses this kind of technique to protect the data from any
third party. The benefit of using steganographic techniques compared to an encryption technique is
that the existence of the message is itself unknown.

A steganographic technique does require a key to view the hidden message, can be sniffed, and does
not impact traffic reliability.

Q. 10

Answer: C. Data integrity may be affected

Explanation: Middleware is software that acts as a link between the operating system and
applications. It has the capability to provide additional services to applications that are not provided
by the operating system. Some examples of functions handled by middleware are data management,
application services, messaging, and authentication. The major risk associated with middleware is
that data integrity may be adversely affected if the middleware is corrupted. The other options are not
relevant.

Practice Question Set 3


Q. 1

Answer: D. Implementing role-based access control


Explanation: RBAC involves granting access on the basis of the role of the staff. They are provided
access on a need-to-know basis only. This best ensures that staff are not given excess access
rights. Virtual private networks help with secured connectivity from remote locations. MAC prevents
delegation for granting access, but obtaining clearance for temporary employees from higher
authorities is time consuming and expensive.

Q. 2

Answer: B. To avoid granting system administration roles

Explanation: Administration rights can entitle temporary staff with unlimited access privileges.
Temporary staff should not be assigned any administrative roles that can provide them with
privileged rights. Administrative access rights, if misused, can have a huge impact on the
organization. The other options are secondary aspects.

Q. 3

Answer: A. Mandatory access control

Explanation: MAC rules are governed by an approved policy. Users or data owners cannot modify
the access role. Mandatory access control helps to control access on the basis of the security
classification of the file. This prevents users from sharing files with unauthorized users. The other
options are not as effective as MAC for the prevention of file sharing.

Q. 4

Answer: A. Restricting the available drive allocation on all personal computers

Explanation: The most effective method is to restrict the drive allocation. This will prevent any users
from allocating a USB drive on their system. Furthermore, a user will also be unable to attach a
compact disc writer as this would not be recognized by the operating system. Disabling the USB port
may not be practical as mice and other peripherals depend on these ports. Role-based access or
periodic training will not be able to prevent users from copying files.

Q. 5

Answer: D. Role-based access control

Explanation: RBAC is a control technique to allow access to only authorized users. In RBAC,
access is allowed on a need-to-know basis. RBAC helps to simplify the security administration for
large organizations with thousands of users and multiple permissions. Other options will not be as
effective as role-based access control.

Q. 6

Answer: B. Implementing role-based access control

Explanation: Role-based access control is considered the most effective method to implement SoD.
It requires defining the roles and corresponding access requirements. Access is provided on the basis
of the roles. The other options do support the proper implementation of SoD but are not as effective.

Q. 7

Answer: B. Role-based access control

Explanation: RBAC is a control technique that allows access to only authorized users. In RBAC,
access is allowed only on a need-to-know basis. RBAC helps to simplify the security administration
for large organizations with thousands of users and multiple permissions. Due to administrative
convenience, RBAC is considered the most cost-effective method compared to the other options.

Q. 8

Answer: B. Role-based

Explanation: RBAC allows access to authorized users only on a need-to-know basis. RBAC helps to
simplify the security administration for large organizations with thousands of users and multiple
permissions. The other options are not as effective.

Q. 9

Answer: B. When it ensures that all user activities are uniquely identifiable

Explanation: The main objective of the access control process is to ensure that only authorized users
are granted access. To achieve this, it is very important for user activities to be uniquely identifiable
for accountability purposes. The other options will have no meaning if users are not individually
identifiable.

Q. 10

Answer: C. IT security standard

Explanation: A standard defines the minimum security requirements to be applied for each type of
application. A security manager should ensure that access controls are implemented in line with the
IT security standards.

Q. 11

Answer: D. Restricting access to data on a need-to-know basis

Explanation: The most effective approach is to provide access to only those employees who are
required to access that data for their function. Access should not be allowed to anyone else. The other
options are secondary aspects.

Q. 12

Answer: B. Changes in access rules

Explanation: The most common area that exposes the security software to vulnerabilities is access
rules. Major vulnerabilities generally occur when access rules are changed as access may be provided
to undesirable candidates. The other options do not cause significant exposure.

Q. 13

Answer: D. Degaussing the tape

Explanation: Degaussing (also known as demagnetization) involves gradually increasing the
alternating current field from 0 to a maximum value and back to 0, thereby leaving a very low residue
of magnetic induction on the media. The other options are not as secure as degaussing the tapes.
Multiple overwriting and erasing of the tape is not a foolproof method of removing the data. Burning
the tape will physically destroy the tape, so it cannot be reused.

Q. 14

Answer: A. Creating a matrix of work functions

Explanation: RBAC is a control technique that provides access on a need-to-know basis only. This is
a simplified approach where a matrix of work functions along with their corresponding access
requirements is created. RBAC helps to simplify the security administration for large organizations
with thousands of users and multiple permissions. Some components of RBAC, such as role
permissions, make it convenient and simple to allow access to authorized users. RBAC does not
require a specialized team. The factor of authentication is not relevant to RBAC. Using automated
logon scripts for assigning permissions to individual accounts is contrary to the intent of RBAC.
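The following is an added illustration of the RBAC matrix described in Q. 14 and the need-to-know and separation-of-duties points made in Q. 5 through Q. 8 of this set (and in Q. 13 and Q. 15 of Practice Question Set 7 above); it is not code from the book. Roles map to exactly the permissions their work function needs, users receive roles rather than individual permissions, and every access request goes through one decision point. The roles, permissions, users and the SoD rule are constructed sample data.

```python
"""Role-based access control as a matrix of work functions (added illustration)."""
from dataclasses import dataclass, field

# Work-function matrix (constructed): role -> permissions that function needs.
# Permissions are written as "action:resource".
ROLE_MATRIX = {
    "application_developer": {"read:base_data"},           # read only, no modify/download
    "data_custodian": {"read:base_data", "backup:base_data"},
    "security_administrator": {"update:acl", "read:audit_log"},
    "accounts_clerk": {"create:payment"},
    "payment_approver": {"approve:payment"},
}

# Permission combinations no single user may hold (separation of duties, constructed).
SOD_CONFLICTS = [frozenset({"create:payment", "approve:payment"})]


class RbacError(ValueError):
    """Raised for unknown roles or for assignments that would break SoD."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def permissions_for(roles):
    """Union of the permissions granted by a set of roles; unknown roles are rejected."""
    perms = set()
    for role in roles:
        if role not in ROLE_MATRIX:
            raise RbacError(f"unknown role: {role}")
        perms |= ROLE_MATRIX[role]
    return perms


def assign_role(user, role):
    """Add a role to a user, refusing the assignment if it would create an SoD conflict."""
    candidate = permissions_for(user.roles | {role})
    for conflict in SOD_CONFLICTS:
        if conflict <= candidate:
            raise RbacError(f"{user.name}: role {role} would combine {sorted(conflict)}")
    user.roles.add(role)


def is_permitted(user, action, resource):
    """Single decision point: allowed only if one of the user's roles carries action:resource."""
    return f"{action}:{resource}" in permissions_for(user.roles)


if __name__ == "__main__":
    dev = User("dev1")
    assign_role(dev, "application_developer")
    print("developer read:", is_permitted(dev, "read", "base_data"))      # True
    print("developer modify:", is_permitted(dev, "modify", "base_data"))  # False
    clerk = User("clerk1")
    assign_role(clerk, "accounts_clerk")
    try:
        assign_role(clerk, "payment_approver")
    except RbacError as exc:
        print("refused:", exc)
```

Because permissions are attached to roles rather than to accounts, administering thousands of users reduces to maintaining the matrix and the role assignments, which is the administrative convenience the explanations above refer to; a role absent from the matrix (for example a system programmer role with ACL update rights) simply cannot be granted.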

Q. 15

Answer: D. Creating awareness of the benefits of data classification

Explanation: The success of the data classification scheme depends on accurate data classification
by users, and for that, it is of utmost importance to create user awareness. Data is not classified on the
basis of its protection level. In fact, protection levels are decided based on the classification. Data is
classified based on its criticality and not on the basis of the possibility of leakage. Data classification
does not require the same level of protection for all types of data. The objective of a data
classification scheme is to ensure that the appropriate level of protection is provided based on the
criticality of data.

Q. 16

Answer: A. To monitor a key risk indicator

Explanation: The difference between logical and physical records indicates the existence of a
discrepancy. A discrepancy can be due to any reason. It can indicate piggybacking, sharing of
passwords, unauthorized logical access, or any other risks. Hence, this monitoring can serve as a key
risk indicator. Tailgating, lapses of the security department, and wrong payments are some of the
risks.
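The comparison of physical and logical records described above, as an added example that is not from the book: badge-reader entries are matched against logon records, and the discrepancies (a logon with no badge entry, or one user ID active on several workstations) are counted as the key risk indicator. Both logs are constructed sample data and the line format is an assumption.

```python
# Added example (not from the book): derive a key risk indicator from the
# difference between physical entry records and logical logon records.
# Both logs and their line format are constructed for illustration.
from datetime import datetime

BADGE_LOG = """\
2024-03-04 08:02:11 ENTRY alice
2024-03-04 08:05:40 ENTRY bob
2024-03-04 09:15:02 ENTRY erin
"""

LOGON_LOG = """\
2024-03-04 08:10:05 LOGON alice WS-101
2024-03-04 08:12:30 LOGON bob WS-102
2024-03-04 08:14:55 LOGON carol WS-103
2024-03-04 08:20:01 LOGON bob WS-104
"""


def parse_log(text):
    """Yield (timestamp, event, user, extra_fields) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines instead of crashing
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        yield ts, parts[2], parts[3], parts[4:]


def logon_discrepancies(badge_log=BADGE_LOG, logon_log=LOGON_LOG):
    """Logical logons with no physical entry (possible tailgating or remote
    misuse) and one user ID on several workstations (possible password sharing)."""
    entered = {user for _, event, user, _ in parse_log(badge_log) if event == "ENTRY"}
    findings = []
    workstations = {}
    for _, event, user, extra in parse_log(logon_log):
        if event != "LOGON":
            continue
        if user not in entered:
            findings.append((user, "logon without a badge entry"))
        seen = workstations.setdefault(user, set())
        if seen and extra[0] not in seen:
            findings.append((user, "same user ID on several workstations"))
        seen.add(extra[0])
    return findings


def kri_breached(threshold=0, badge_log=BADGE_LOG, logon_log=LOGON_LOG):
    """KRI value and whether it exceeds the agreed tolerance threshold."""
    count = len(logon_discrepancies(badge_log, logon_log))
    return count, count > threshold


if __name__ == "__main__":
    for finding in logon_discrepancies():
        print(finding)
    print(kri_breached())
```

The indicator deliberately does not try to name the cause; as the explanation says, a discrepancy may be piggybacking, password sharing or something else, so the finding is routed to investigation rather than treated as proof of any one risk.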

Practice Question Set 4


Q. 1

Answer: D. Enforcing a virtual private network (VPN) over the wireless network

Explanation: Deploying a VPN over wireless is the best method to ensure confidentiality. A VPN is
used to secure the wireless network. It provides a platform for remote users to get connected to the
organization's private network. Deploying a wireless intrusion prevention system would not prevent
sniffing of the information. Preventing the broadcast of the service set identifier (SSID) is a good
control; however, it does not prevent sniffing of the information. WEP is a compromised protocol.

Q. 2

Answer: A. Virtual private networks

Explanation: A VPN is used to extend a private network through the use of the internet in a secured
manner. It provides a platform for remote users to get connected to the organization's private
network. To enable a VPN, a virtual point-to-point connection is established by dedicated circuits of
tunneling protocols. VPN technology ensures the safeguarding of critical data traveling through the
internet.

The other options do not impact the confidentiality of data transmission through the internet.

Q. 3

Answer: A. It ensures secured communication

Explanation: A VPN tunnel helps to hide the IP address and encrypt messages, thereby securing the
communication channel. The other options are not relevant for VPN tunneling.

Q. 4

Answer: C. Hide data traveling in the network

Explanation: The objective of a VPN is to hide data from sniffers. A VPN uses data encapsulation or
the tunneling method to encrypt the traffic payload for the secure transmission of data.

Q. 5

Answer: B. Data encapsulation

Explanation: A VPN uses data encapsulation or the tunneling method to encrypt the traffic payload
for the secure transmission of the data. A VPN is typically enabled through either IPSec tunnel mode
or IPSec transport mode. In IPSec tunnel mode, the entire packet (including the header) is encrypted,
whereas in IPSec transport mode, only the data portion (payload) is encrypted. Data hashing and
compression alone will not ensure data confidentiality. Data diddling is an attack method.

Q. 6

Answer: B. It helps to segregate personal and organizational data while using a remote computer

Explanation: Through VDI, a user can connect to their desktop from a remote location. Users can
connect to virtual desktops from any location with any device. In a VDI setup, all processing is done
on a host server. Also, data is stored in the host server rather than on the device of the user. It helps to
safeguard the data if an endpoint device is lost or compromised.

VDI establishes the segregation of personal and organizational data while using a remote PC. A user
cannot download or copy data from a virtual desktop to their PC. This serves as a control against
unauthorized copies of business data on a user's PC. Remote data wiping is not possible through VDI.
Also, antivirus software is recommended even for a VDI environment.

Practice Question Set 5


Q. 1

Answer: D. A retina scan

Explanation: Among the current biometric identifiers, a retina scan is considered to be the most
accurate and reliable identifier with the lowest FAR.

Q. 2

Answer: B. False acceptance rate (FAR)

Explanation: An IS manager should be most concerned about FAR as one of the critical performance
indicators. FAR poses the risk of unauthorized access to the systems as unauthorized users are
granted access.

Q. 3

Answer: D. Equal error rate

Explanation: To evaluate the overall quantitative performance of a biometric system, it is important
to consider the CER or the EER.

Q. 4

Answer: B. A system with the lowest equal error rate

Explanation: EER is the rate at which the FAR is equal to the FRR. A biometric system with the
lowest CER or EER is the most effective system. A biometric system with the highest CER or EER is
the most ineffective system.

Q. 5

Answer: D. The false acceptance rate

Explanation: The FAR, FRR, and CER are the three main accuracy measures for a biometric control.
The other options are more related to performance measures.

Q. 6

Answer: A. The false acceptance rate

Explanation: FAR is the rate of acceptance of unauthorized persons, that is, the rate at which the
biometric device provides access to unauthorized people. For critical systems, the FAR should be nil
or very low. In cases of a high FAR, the biometric control may not be considered effective. CER is
generally used when two systems are compared. In general, the lower the EER value, the higher the
accuracy of the biometric system.

Q. 7

Answer: C. Transit data between a biometric device and control server is not encrypted.

Explanation: It is of utmost importance to implement a secured, encrypted tunnel to protect the
confidentiality of the biometric data transmitted from the biometric device to the access control
system. The other options are not as critical.

Q. 8

Answer: B. The enrollment stage

Explanation: The process of biometric control starts with the enrollment of users, which is followed
by storage, verification, identification, and termination. The first step is to get the users enrolled in
the device. The enrollment process involves the iterative process of getting the user's sample,
extracting the data from the sample, validating the data, and developing a final template that is stored
and used subsequently to authenticate the user.

Q. 9
Answer: B. Iris scan

Explanation: Among all the options, an iris scan is the most reliable for authentication. An intruder
would find it very difficult to duplicate an iris scan for bypassing the biometric controls. The other
options are not as reliable.

Q. 10

Answer: A. A fingerprint scanner

Explanation: Among all the options, the most reliable control is the fingerprint scanner. A
fingerprint is a biometric control, which is very difficult to break. It is very difficult for an intruder to
duplicate a user's fingerprint. As no two fingerprints are alike (very rare chance), authentication can
be done with confidence. The other options are not as reliable.

Q. 11

Answer: D. A replay attack

Explanation: In a replay attack, an attacker makes use of residual biometric characteristics (such as
fingerprints left on a biometric device) to gain unauthorized access.

Q. 12

Answer: A. A mimic attack

Explanation: In a mimic attack, an attacker attempts to reproduce fake biometric features of a
genuine biometric user, for example, imitating the voice of an enrolled user.

Q. 13

Answer: C. A cryptographic attack

Explanation: In a cryptographic attack, an attacker attempts to obtain information by targeting the
algorithm or the encrypted information transmitted between a biometric device and an access control
system.

Q. 14

Answer: B. A brute-force attack

Explanation: In a brute-force attack, an attacker sends numerous biometric samples with the
objective of making the biometric device malfunction.

Q. 15

Answer: B. Require the enrollment of all users that access the critical server

Explanation: To set up a biometric control, relevant users need to enroll themselves by registration
of their biometric features. Choices A and D are incorrect, as the risk of false acceptance as well as
the FRR cannot be eliminated completely. Option C is not correct as a biometric reader is not
required to be protected by a password.

Q. 16

Answer: A. A high false rejection rate

Explanation: A biometric device can generally be tuned in the following three ways:

High FRR: This is the most stringent access control. Here, the biometric matching criteria are set
extremely high, and in a few cases, even valid users are rejected. However, overall, it provides good
protection for critical databases.

High FAR: Here, access control is not rigorous. Biometric matching criteria are set at a low level.
Sometimes, even unauthorized users are accepted.

EER: This is a moderate type of access control. Here, the sensitivity is tuned in such a way that the
FRR is equal to the FAR, that is, neither high false rejection nor high false acceptance.

Thus, for a critical database, a security manager would always prefer a high FRR, that is, biometric
matching criteria being set at a high level.
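The FAR, FRR and EER relationships used in Q. 4, Q. 6 and Q. 16 of this set, as an added worked example that is not from the book: match scores from genuine users and impostors are swept across decision thresholds, FAR and FRR are computed at each one, the EER is located where they cross, and the three tuning styles (high FRR, high FAR, EER) are expressed as threshold choices. The score lists are constructed; in practice they come from enrollment testing of the actual device.

```python
# Added example (not from the book): FAR, FRR and EER from matcher scores.
# Score lists are constructed; a sample is accepted when score >= threshold.

GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR = [0.12, 0.20, 0.28, 0.33, 0.41, 0.47, 0.52, 0.58, 0.63, 0.72]


def far_frr(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """FAR = impostors accepted / impostors; FRR = genuine users rejected / genuine."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR, steps=1000):
    """Sweep thresholds in [0, 1]; return (threshold, eer) where FAR and FRR
    are closest. The lower the EER, the more accurate the matcher."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, eer = best
    return threshold, eer


def tune(mode, genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold for the three tuning styles: strict (high FRR, FAR driven to
    zero), lax (high FAR, FRR driven to zero) or balanced (EER)."""
    if mode == "high_frr":
        return max(impostor) + 1e-9   # just above the best impostor score
    if mode == "high_far":
        return min(genuine)           # accept every genuine user, and more
    if mode == "eer":
        return equal_error_rate(genuine, impostor)[0]
    raise ValueError(f"unknown tuning mode: {mode}")


if __name__ == "__main__":
    for mode in ("high_frr", "eer", "high_far"):
        t = tune(mode)
        far, frr = far_frr(t)
        print(f"{mode:9s} threshold={t:.3f} FAR={far:.2f} FRR={frr:.2f}")
```

With these scores the strict setting rejects four of ten genuine users to keep FAR at zero, which is the trade the answer to Q. 16 accepts for a critical database; the lax setting admits three of ten impostors. Comparing two devices by EER (Q. 6) only makes sense when both are measured on comparable populations of genuine and impostor attempts.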

Practice Question Set 6


Q. 1

Answer: D. Two-factor authentication

Explanation: Two-factor authentication is a more secure control as it requires more than one type of
authentication. Apart from a password requirement, a user also needs a smart card, a token OTP, or a
biometric feature to log on. Biometrics alone is single-factor authentication. Encryption is more
relevant to the confidentiality of the information and is not concerned with authentication. Secure
sockets layer is used to establish an encrypted link between a browser and a web server and is not
relevant to authentication.
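The "password plus token OTP" combination named in the explanation, as an added example that is not from the book: the second factor is an HMAC-based one-time password (HOTP, RFC 4226) checked alongside a salted password hash, and an accepted token advances the counter so it cannot be replayed. The user record and salt are constructed; the token secret is the RFC 4226 test-vector key, so the expected codes are the published ones.

```python
# Added example (not from the book): two-factor login = password (something
# you know) + HOTP token (something you have). User record and salt are
# constructed; the token secret is the RFC 4226 test-vector key.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


SALT = b"constructed-salt"
USER = {
    "password_hash": hash_password("correct horse battery staple", SALT),
    "token_secret": b"12345678901234567890",  # RFC 4226 test key
    "counter": 0,                             # next counter value expected
}


def login(user: dict, password: str, otp: str, look_ahead: int = 3) -> bool:
    """Both factors must verify. A small look-ahead window tolerates tokens
    the user generated but never submitted; a used counter is never accepted again."""
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["password_hash"])
    otp_ok, new_counter = False, user["counter"]
    # The OTP is always evaluated, so a failure does not reveal which factor was wrong.
    for c in range(user["counter"], user["counter"] + look_ahead):
        if hmac.compare_digest(hotp(user["token_secret"], c), otp):
            otp_ok, new_counter = True, c + 1
            break
    if pw_ok and otp_ok:
        user["counter"] = new_counter  # advance past the accepted token
        return True
    return False


if __name__ == "__main__":
    print(hotp(USER["token_secret"], 0))  # 755224 per RFC 4226 Appendix D
    print(login(USER, "correct horse battery staple", "755224"))
    print(login(USER, "correct horse battery staple", "755224"))  # replay fails
```

A stolen password alone fails here because the token code is derived from a secret the attacker does not hold, which is what makes the second factor a different type of authentication rather than a second password.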

Q. 2

Answer: D. Installing an automatic strong password setting

Explanation: Password strength can best be improved by installing an automatic control to allow
only strong passwords that include numbers, special characters, and uppercase and lowercase letters.
Single sign-on by itself does not ensure a strong password. Conducting a password audit and
discussing the password policy are not as effective.

Q. 3

Answer: C. Share passwords through an out-of-band channel

Explanation: Generally, passwords should not be shared through the same channel. It is risky to send
passwords to a file by the same channel the file was sent through. Using an out-of-band channel, such
as the telephone, reduces the risk of interception. Digital signatures prove the identity of the sender
but do not ensure confidentiality. Delivery path tracing helps in the identification of the route used
but does not confirm the identity of the sender.

Q. 4

Answer: B. Performing a risk assessment to quantify the risk

Explanation: The most important aspect for the security manager is to determine the impact of non-
compliance by conducting a risk assessment. The other options can be determined only after
conducting a risk assessment.

Q. 5

Answer: D. Enabling system-enforced password configuration

Explanation: Strong and complex passwords are one of the most important requirements of a
password policy. A security manager should also ensure that the password policy is properly
implemented. The most effective way to ensure compliance with the password policy is to enable a
system-enforced password configuration. The other options are not as effective.
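The system-enforced password configuration that Q. 2 and Q. 5 of this set point to, as an added example that is not from the book: a validator that rejects a proposed password unless it meets length and character-class rules and avoids banned words and the username. The policy values and the banned-word list are constructed assumptions.

```python
# Added example (not from the book): a system-enforced password policy check
# that runs before a new password is accepted. Policy values are constructed.
import string
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    min_length: int = 12
    required_classes: int = 4   # uppercase, lowercase, digit, special
    banned: set = field(default_factory=lambda: {"password", "welcome", "letmein"})


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    checks = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(checks)


def validate_password(pw: str, username: str, policy: PasswordPolicy = PasswordPolicy()):
    """Return the list of policy violations; an empty list means the password
    is accepted. Listing every failure helps the user fix all of them at once."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if character_classes(pw) < policy.required_classes:
        problems.append(f"needs {policy.required_classes} character classes")
    lowered = pw.lower()
    if any(word in lowered for word in policy.banned):
        problems.append("contains a banned word")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2024", "Tr0ub4dor&3xyz!", "Alice-Password-2024!"):
        print(candidate, "->", validate_password(candidate, "alice") or "accepted")
```

Because the check runs in the system's password-change path rather than in a written policy alone, users cannot opt out of it, which is why the answer rates this above audits and awareness sessions for ensuring compliance.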

Q. 6

Answer: A. Enabling access through a different device that requires adequate authentication

Explanation: Authentication through a separate device helps prevent unauthorized access as well as
sharing of user IDs. It also helps to capture the logs of user access. Neither purchasing multiple
devices nor changing passwords after each user are feasible and cost-effective solutions. Analyzing
the log will not be effective as there is only one user ID.

Q. 7

Answer: A. It decreases the overall administrative workload

Explanation: Many organizations prefer implementing automatic password synchronization for
administrative convenience. Password synchronization facilitates syncing user passwords across
different devices, so a user only needs to remember a single password instead of multiple passwords
for different devices or machines. Password synchronization facilitates smooth administration of
password management as it reduces the workload of resetting many passwords. Password
synchronization by itself does not improve the security between multi-tier applications.

Q. 8

Answer: C. To conduct frequent security awareness programs

Explanation: Frequent guidance and awareness training are key factors in promoting the requirement
of a password policy. It gradually helps to obtain buy-in from end users. The other options are not as
effective.

Practice Question Set 7


Q. 1

Answer: B. Enabling the Wi-Fi Protected Access 2 protocol

Explanation: Currently, the most secure protocol for a wireless network is the WPA2 protocol. MAC
filtering is a good practice but it can easily be sniffed with technical tools. WEP is no longer a secure
encryption mechanism. Two-factor authentication will not address the issue of network sniffing.

Q. 2

Answer: C. Rogue access points

Explanation: A rogue access point is installed by a hacker on a secured network to gain
unauthorized access. It facilitates wireless backdoors for unauthorized users and can bypass the
network firewalls and other monitoring devices, exposing a network to attack. Rogue access attacks
specifically occur with wireless networks, whereas the other options do not depend on the use of
WLAN technology.

Practice Question Set 8


Q. 1

Answer: B. Parameter tampering

Explanation: Unauthorized modification of web application parameters with malicious intent is
known as parameter tampering. As hidden fields on the web page are not visible, a developer may
feel safe transferring the data without proper validation. This creates a risk as an intruder may
intercept the hidden data and modify the parameter for malicious purposes.
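The hidden-field risk described above, as an added example that is not from the book: an order handler that trusts a hidden "price" field from the form beside one that recomputes the price from the server-side catalog and validates the quantity. The catalog, field names and limits are constructed.

```python
# Added example (not from the book): parameter tampering on a hidden form
# field, and the server-side validation that defeats it. Catalog is constructed.
CATALOG = {"sku-1001": 49.99, "sku-1002": 120.00}


def total_vulnerable(form: dict) -> float:
    """Trusts the hidden 'price' field. Anything the browser sends can be
    edited by the user, so the hidden field is an attacker-controlled input."""
    return float(form["price"]) * int(form["qty"])


def total_hardened(form: dict) -> float:
    """Uses only the identifier from the request and looks everything else up
    or validates it server-side."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("qty must be an integer")
    if not 1 <= qty <= 100:
        raise ValueError("qty out of range")
    # The submitted price is ignored entirely; the catalog is authoritative.
    return round(CATALOG[sku] * qty, 2)


if __name__ == "__main__":
    # Constructed request in which the hidden price was edited to 0.01.
    tampered = {"sku": "sku-1002", "qty": "2", "price": "0.01"}
    print(total_vulnerable(tampered))  # charges 0.02
    print(total_hardened(tampered))    # charges 240.0
```

The same rule applies to any value a server needs to trust (user IDs, roles, discount codes, file names): it is either derived server-side from the session or catalog, or it is validated against an allow list before use.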

Q. 2

Answer: C. IP spoofing

Explanation: In IP spoofing, a forged IP address is used to bypass a firewall. In this attack, an intruder
hides their original identity and acts as someone else. The intruder generally makes use of a spoofed
internal IP to get access to a system or some data that is restricted for outside IPs. IP spoofing can be
considered masquerading by a machine.

Q. 3

Answer: A. A DDoS attack

Explanation: In a DDoS attack, a network or system is flooded with an enormous amount of traffic
with the objective to shut it down. DDoS is considered a significant risk for a VoIP infrastructure.
Premium rate fraud occurs when a phone system is compromised and used for making long-distance
calls. Juice jacking and social engineering do not have any direct impact on VoIP infrastructure.

Q. 4

Answer: A. Privilege escalation

Explanation: In a privilege escalation attack, high-level system authority is obtained by some
unauthorized methods by exploiting security flaws. In this example, a security flaw in the task
scheduler is exploited by the employee to gain unauthorized access to restricted applications.

Q. 5

Answer: C. Social engineering

Explanation: In a social engineering attack, an attempt is made to obtain sensitive information from
users by tricking and manipulating them. In a social engineering attack, an attacker does not require
any tools and techniques to obtain information. Social engineering is generally conducted through
dialogue, an interview, an inquiry, and other social methods of interaction.

Q. 6

Answer: C. Providing security awareness training

Explanation: The objective of a social engineering attack is to exploit human nature and its
weaknesses for obtaining critical and sensitive information. With adequate and effective security
awareness training, the impact of social engineering attacks can be minimized. The other options will
not help to directly address the impact of social engineering attacks.

Q. 7

Answer: C. Shoulder surfing

Explanation: In a shoulder surfing attack, an intruder or a camera captures sensitive information by
looking over the shoulder of a user entering details on a computer screen. Passwords entered on a
computer screen should be masked to prevent shoulder surfing attacks.

Q. 8

Answer: B. Piggybacking

Explanation: In this type of attack, an intruder follows an authorized person through a secured door
and gains entry to a restricted area without authentication. Piggybacking is considered a physical
security vulnerability.

Q. 9

Answer: B. Data diddling

Explanation: In a data diddling attack, data is modified as it enters into a computer system. This
attack is generally carried out by a data entry clerk or a computer virus. Data is altered before
computer security can protect the data. Very limited technical knowledge is required for data
diddling. There are no preventive controls for data diddling, so organizations need to rely on
compensatory controls.

Q. 10

Answer: A. Traffic analysis

Explanation: Passive attacks are types of attacks in which information is only collected but not
modified, inserted, or deleted in an active way. Examples of passive attacks include traffic analysis,
network analysis, and eavesdropping. The other options are examples of active attacks.

Q. 11

Answer: C. Help an intruder gain unauthorized access to the system

Explanation: In a password sniffing attack, tools are used to listen to all the traffic in the network
and to build data streams out of TCP/IP packets to extract usernames and passwords. These tools are
known as password sniffers. The captured credentials are then used to gain unauthorized access to the system.

Q. 12

Answer: A. Wardriving

Explanation: Wardriving is a technique for locating and getting access to a wireless network with the
use of specialized tools. An intruder drives around the building to identify unsecured networks. The
same technique is used by information security auditors to identify unsecured networks and thereby
test the wireless security of an organization. A similar technique is warwalking; the principle is the
same but no vehicle is used.

Q. 13

Answer: C. Botnets

Explanation: A botnet is a network of zombie computers controlled by an intruder. Botnets can be
used to execute DDoS, spam, and other types of attacks.

Q. 14

Answer: B. Wardriving

Explanation: Wardriving is a technique to exploit the weaknesses of a wireless infrastructure. It is
used to locate and gain access to a wireless network with the use of specialized tools, such as wireless
Ethernet cards. An intruder drives around a building to identify unsecured networks.

Q. 15

Answer: D. A replay attack

Explanation: In a replay attack, an attacker makes use of residual biometric characteristics (such as
fingerprints left on a biometric device) to gain unauthorized access.

Q. 16

Answer: B. Man in the middle

Explanation: In this attack, an attacker interferes while two devices are establishing a connection. If
any device asks for authentication, the attacker sends the request to the other device and then
forwards the response to the first device. Once a connection is established, the attacker can
communicate and obtain information as needed, thus circumventing two-factor authentication.

Q. 17

Answer: C. Buffer overflow

Explanation: Buffer overflow, also known as buffer overrun, is the most common software coding
error that can be exploited by an attacker to gain unauthorized access to a system. Buffer overflow
occurs when more data is fed into the buffer than it can handle. Excess data overflows to adjacent
storage.

Due to this, an attacker gets the opportunity to manipulate coding errors for malicious actions. A
major cause of buffer overflow is poor programming and coding practices.

Q. 18

Answer: B. Phishing

Explanation: A URL shortening service converts long URLs (web addresses) into shorter versions.
A hacker attempts to fool users by using URL shortening services for the creation of a URL
resembling some genuine website. This is done to spread malicious software or collect sensitive data
through phishing.

Q. 19

Answer: B. Judgmental error

Explanation: Social engineering succeeds due to judgmental errors on the part of employees who
provide sensitive information to the intruder. The intruder builds a level of trust with the
user/employee and takes advantage.

Q. 20

Answer: C. Traffic analysis

Explanation: In traffic analysis, an intruder attempts to capture and analyze the nature of traffic flow
between hosts, the frequency of messages, the length of messages, session length, and other relevant
information. Through all this information, the intruder attempts to understand and guess the type of
communication. This is typically done when messages are encrypted.

Revision Questions

Q.1

Answer: A. Security awareness training

Explanation: Dumpster diving is a technique in which an intruder attempts to gather sensitive
information from bins and other areas where documents are not properly discarded. Users should be
appropriately trained on discarding sensitive information. In the absence of security awareness
training, the other options may not be effective to prevent dumpster diving.

Q.2

Answer: C. Two-factor authentication

Explanation: Two-factor authentication requires an individual to authenticate themselves twice,
which reduces the risk of successful masquerading. It provides additional security over and above
passwords alone. The other options are not relevant for authentication and access to a corporate
network.

Q.3

Answer: C. Encryption

Explanation: Data communication from a card to a POS device should be encrypted to protect the
confidentiality of the data. Strong encryption should be used to protect the cardholder's data. The
other options will not prevent the reading of data by an intruder.

Q.4

Answer: A. An intrusion prevention system

Explanation: In a SQL injection attack, a SQL query is injected or inserted in the input field of an
application. By entering some command in the data entry field of a web page, the hacker tries to
bypass the authentication requirements. SQL injection attacks occur at the application layer. Most
intrusion prevention systems will detect at least basic sets of SQL injection and will be able to stop
them. The other options will not be as effective.

Q.5

Answer: B. Establishing a connection through an IPv6 security virtual private network

Explanation: IPv6 security is resilient to man-in-the-middle attacks. It includes source and
destination IPs within encrypted portions and hence effectively prevents man-in-the-middle attacks.
The other options are not effective for preventing this kind of attack.

Q.6

Answer: C. Awareness training

Explanation: Piggybacking/tailgating is the act wherein an intruder follows authorized users and
enters a restricted area. The best method to prevent such an act is to provide training to all authorized
users to be careful while entering the premises. Authorized users should challenge such intruders.

Q.7

Answer: B. Structured query language injection

Explanation: In a SQL injection attack, an SQL query is injected or inserted in the input field of the
application. By entering some command in the data entry field of the web page, the hacker tries to
bypass the authentication requirements. After gaining access, an intruder can read confidential data,
modify the database by updating or deleting data, or execute the administration operations on the
database. The best way to prevent a SQL injection attack is to implement input controls so that any
programming commands can be rejected. The other options, though areas of weakness, will not
bypass the authentication requirement.
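The authentication bypass and the input controls discussed in Q.4 and Q.7, as an added example that is not from the book: a login query assembled by string concatenation beside the parameterized form, run against an in-memory SQLite table of constructed users, with a username allow-list check in front of the hardened version. Passwords are stored in clear here only to keep the focus on query structure; a real system stores salted hashes.

```python
# Added example (not from the book): SQL injection in a login check and the
# parameterized, input-validated version. Users and passwords are constructed
# and stored in clear for brevity only.
import re
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')")
    return db


def login_vulnerable(db, user, pw):
    """The input values become part of the SQL text. A quote character in the
    input closes the literal and the rest is parsed as SQL, so the WHERE
    clause can be made true for any account."""
    sql = f"SELECT name FROM users WHERE name = '{user}' AND pw = '{pw}'"
    return db.execute(sql).fetchone() is not None


USERNAME_RE = re.compile(r"[A-Za-z0-9_.]{1,32}")


def login_hardened(db, user, pw):
    """Input control plus parameter binding."""
    # Reject anything that is not a plausible username before it reaches SQL.
    if not USERNAME_RE.fullmatch(user):
        return False
    # Bound parameters are passed to the engine separately from the query
    # text, so they are compared as data and can never change the query.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return db.execute(sql, (user, pw)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # classic textbook probe; harmless against bound parameters
    print(login_vulnerable(db, "alice", "s3cret"))    # True: legitimate login
    print(login_vulnerable(db, "alice", tautology))   # True: authentication bypassed
    print(login_hardened(db, "alice", tautology))     # False: compared as a literal password
    print(login_hardened(db, "alice", "s3cret"))      # True
```

Parameter binding is the control that removes the vulnerability class; the username allow list is defense in depth that also keeps junk out of logs, and an intrusion prevention system in front of the application (Q.4) catches only the probes it has signatures for.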

Q.8

Answer: C. Cleartext authentication

Explanation: The objective of SNMP is to monitor network behavior. SNMP collects and organizes
information about managed devices on a network. SNMP is also used to change the device's
behavior. Devices such as routers, modems, switches, servers, printers, and workstations support
SNMP.

One of the security-related vulnerabilities of the use of SNMP is that it uses cleartext passwords for
authentication. Such passwords can easily be sniffed and reused.

Q.9

Answer: D. Enabling system lockouts after multiple wrong attempts

Explanation: In a brute-force attack, an intruder uses trial and error to determine the password of a
user. The intruder uses multiple passwords with the hope of finding the correct password. Many
software programs are available to execute brute-force attacks. The best way to control a brute-force
attack is to enable system lockout when multiple wrong attempts are detected. Generally, three
attempts are allowed, and the system is locked out on the fourth wrong attempt.
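The lockout rule described above (three wrong attempts tolerated, the fourth locks the account), as an added example that is not from the book: a login guard that counts failures per account, locks it for a configurable window, and refuses even the correct password while locked. The hashing is simplified and the clock is injectable so the window can be tested; all values are constructed.

```python
# Added example (not from the book): account lockout against brute-force
# password guessing. Limits and the lockout window are constructed values.
import hashlib
import hmac
import time

MAX_FAILURES = 3            # three wrong attempts are tolerated ...
LOCKOUT_SECONDS = 15 * 60   # ... the fourth locks the account for this long


def _digest(password: str) -> str:
    # Demo only: a real system stores salted, slow hashes (PBKDF2, bcrypt, ...).
    return hashlib.sha256(password.encode()).hexdigest()


class Account:
    def __init__(self, password: str):
        self.pw_hash = _digest(password)
        self.failures = 0
        self.locked_until = 0.0


class LoginGuard:
    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so the lockout window is testable
        self.events = []     # audit trail; repeated lockouts are an alert condition

    def attempt(self, account: Account, password: str) -> str:
        now = self.clock()
        if now < account.locked_until:
            self.events.append("refused: account locked")
            return "locked"   # even the right password is refused while locked
        if hmac.compare_digest(_digest(password), account.pw_hash):
            account.failures = 0
            self.events.append("success")
            return "ok"
        account.failures += 1
        if account.failures > MAX_FAILURES:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failures = 0
            self.events.append("locked after repeated failures")
            return "locked"
        self.events.append("failure")
        return "failure"


if __name__ == "__main__":
    guard, acct = LoginGuard(), Account("correct-password")
    for guess in ("a", "b", "c", "d"):
        print(guard.attempt(acct, guess))   # failure x3, then locked
    print(guard.attempt(acct, "correct-password"))  # locked
```

A time-limited lockout keeps the guessing rate low enough to make brute force impractical while limiting the denial-of-service an attacker could cause by deliberately locking out other users; the audit events feed the monitoring that should notice many lockouts across accounts.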

Chapter 8: Information Security Monitoring Tools and Techniques

Practice Question Set 1


Q. 1

Answer: B. The rule to deny all traffic by default and permit only specific traffic

Explanation: From the preceding options, the most robust firewall configuration is to deny all traffic
by default and permit only specific traffic. This is the most effective method to prevent unknown
traffic from entering the organization's network.

Q. 2

Answer: A. The network layer of the OSI

Explanation: A CISM aspirant should note that packet filtering and stateful inspection operate at the
network layer (layer 3). The circuit-level firewall operates at the session layer (layer 5) and the
application-level firewall operates at the application layer (layer 7).

Q. 3

Answer: B. A screened subnet firewall

Explanation: A screened subnet firewall (DMZ) is regarded as the safest type of firewall
implementation. A screened subnet firewall includes two packet filtering routers and one bastion
host. A screened subnet firewall acts as a proxy and does not allow direct communication between
external and internal networks. A DMZ and a screened subnet firewall function in the same way. It
must be noted that in a screened subnet firewall, there are two packet filtering routers, whereas in a
screened host firewall, there is only one packet filtering router.

Q. 4

Answer: C. Application gateway

Explanation: An application-level firewall is considered the most secure type of firewall. It
functions at the highest level of the OSI model, that is, the application layer. It also works on the
concept of bastion hosts and proxy servers but provides a separate proxy for each service. It controls
applications such as FTP and HTTP. Application firewalls function at the application layer of the
OSI, whereas circuit gateways function at the session layer. Application gateways operate in a more
granular way compared to other firewalls.

Q. 5

Answer: A. A screened subnet firewall

Explanation: A screened subnet firewall (DMZ) is regarded as the safest kind of firewall
implementation. A screened subnet firewall includes two packet filtering routers. It also has one
bastion host. A screened subnet firewall acts as a proxy and does not allow direct communication
between external and internal networks. A DMZ and a screened subnet firewall function in the same
way. It must be noted that in a screened subnet firewall, there are two packet filtering routers, whereas in a
screened host firewall, there is only one packet filtering router.

Q. 6

Answer: B. A stateful inspection firewall

Explanation: A stateful inspection firewall monitors and tracks the destination of each packet that is
sent from the internal network. It ensures that the incoming message is in response to the request that
went out from the internal network. A stateful inspection firewall functions at the network layer of
the OSI.
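The default-deny rule base of Q. 1 and the stateful inspection of Q. 6, as one added example that is not from the book: a packet filter evaluates an explicit allow list and denies everything else, while a state table records outbound sessions so that only genuine replies are admitted inbound. The addresses, ports and rules are constructed, and the evaluator is a simplification of what a real firewall does (no TCP flag tracking, no timeouts).

```python
# Added example (not from the book): default-deny packet filter with a state
# table for return traffic. Addresses, ports and rules are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


INTERNAL_PREFIX = "10.0.0."   # constructed internal network

# Explicit permits only; anything not matched here is denied by default.
RULES = [
    {"action": "allow", "dir": "out", "proto": "tcp", "dport": 443},   # browsing out
    {"action": "allow", "dir": "in", "proto": "tcp", "dst": "203.0.113.10", "dport": 443},  # DMZ web server
]


def direction(pkt: Packet) -> str:
    return "out" if pkt.src.startswith(INTERNAL_PREFIX) else "in"


class StatefulFirewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        # Tracked outbound sessions: (internal ip, internal port, remote ip, remote port)
        self.state = set()

    def _matches(self, rule, pkt: Packet) -> bool:
        if rule["dir"] != direction(pkt) or rule["proto"] != pkt.proto:
            return False
        fields = ("src", "sport", "dst", "dport")
        return all(getattr(pkt, k) == v for k, v in rule.items() if k in fields)

    def filter(self, pkt: Packet) -> str:
        d = direction(pkt)
        # Stateful check: an inbound packet answering a tracked outbound
        # session is allowed without needing its own inbound rule.
        if d == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow"
        for rule in self.rules:          # first match wins
            if self._matches(rule, pkt):
                if d == "out":
                    self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule["action"]
        return "deny"                    # default deny


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.filter(Packet("10.0.0.5", 51000, "198.51.100.7", 443)))   # allow, tracked
    print(fw.filter(Packet("198.51.100.7", 443, "10.0.0.5", 51000)))   # allow, reply
    print(fw.filter(Packet("198.51.100.7", 443, "10.0.0.5", 51001)))   # deny, unsolicited
    print(fw.filter(Packet("10.0.0.5", 51002, "198.51.100.7", 23)))    # deny, no rule
```

The unsolicited inbound packet to port 51001 is the case a stateless filter with an "allow inbound from source port 443" rule would let through; the state table is what lets the inbound policy stay at default deny while outbound connections still work.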

Q. 7

Answer: B. An application gateway firewall

Explanation: An application-level firewall is regarded as the most secure type of firewall. It
functions at the application layer of the OSI model. It also works on the concept of bastion hosts and
proxy servers but provides a separate proxy for each service. It controls applications such as FTP and
HTTP. An application firewall operates at the application layer of the OSI, whereas a circuit gateway
operates at the session layer. An application gateway operates in a more granular way compared to
other firewalls.

Q. 8

Answer: C. An application-level gateway

Explanation: An application-level gateway or firewall is regarded as the most secure type of
firewall. It functions at the application layer of the OSI model. It also works on the concept of bastion
hosts and proxy servers but provides a separate proxy for each service. It controls applications such
as FTP and HTTP. An application firewall operates at the application layer of the OSI, whereas
circuit gateways operate at the session layer. An application gateway operates in a more granular way
compared to other firewalls.

Q. 9

Answer: C. The effectiveness of the firewall in enforcing compliance with the information security
policy

Explanation: If a firewall is unable to enforce the requirements of the security policy, then it is a
major loophole. The availability of a good security policy is important, but it will be of little value if
it is not effectively implemented. The other options are not as significant.

Q. 10

Answer: A. Incorrect configuration of the access lists

Explanation: An accurate update of the current access list is a major challenge faced by most
organizations. Hence, the wrong configuration of an access list is the most common type of error
while setting up a firewall configuration. The other options are not relevant to firewall configuration.

Q. 11

Answer: A. Developing a security policy

Explanation: A security policy is the basis on which firewall rules are configured. In the absence of
a security policy, firewall rules will be ad hoc and may not support the objectives of the organization.
The other options are subsequent steps.

Q. 12

Answer: C. Connecting authorized users to a trusted network

Explanation: The prime function of a firewall is to connect authorized users to a trusted network,
thereby preventing unauthorized access to the server. The other options are secondary factors.

Q. 13

Answer: D. The implementation of the firewall above a commercial operating system with all
installation options enabled

Explanation: When a firewall is placed on top of a commercial operating system without blocking
the installation options, firewall security can be compromised. The other options are not as
significant.

Q. 14

Answer: D. To conduct a review of the parameter settings

Explanation: A review of the parameter settings helps to understand the actual configuration. This
can then be compared with the requirements of the security policy. The other options are not as
significant.

Q. 15

Answer: A. Unauthorized attempts to access the network outside the organization

Explanation: The primary function of the firewall is to protect the network from external sources.
The other options are not the objectives of implementing a firewall.

Q. 16

Answer: C. To allow traffic load balancing

Explanation: Two parallel firewalls with two separate entries are useful to allow traffic load
balancing. Multi-level defense is established only if firewalls are installed in a series, that is, one
behind another. If firewalls are deployed in parallel, then they provide concurrent paths for
compromise and do not provide multi-layer defense. Both firewalls are connected to the same DMZ
and hence it cannot separate the test and production environments. Firewalls generally cannot control
denial of service (DoS) risks.

Q. 17

Answer: C. On a screened subnet

Explanation: Generally, servers that interact with the internet (extranets) are placed in the
demilitarized area as this area is separate from the internal servers and is properly hardened. Placing
the server before the firewall or outside the router would make it defenseless. A firewall should be
placed in a hardened server with minimum services enabled. It is not recommended to place anything
else on the firewall server.

Q. 18

Answer: C. On a screened subnet

Explanation: Generally, the IDS is placed on the screened subnet, which is the DMZ. A DMZ is
separate from the internal servers and is properly hardened. Placing the IDS before the firewall or
outside the router is not recommended as the IDS will generate alerts for all malicious traffic even
though the majority of such traffic will eventually be blocked by the firewall and never reach the
internal network. Firewalls should be placed in a hardened server with minimum services enabled. It
is not recommended to place anything else on the firewall server.

Q. 19

Answer: D. On the domain boundary

Explanation: A firewall should be placed on a domain boundary to monitor and control incoming
and outgoing traffic. A firewall should be placed in a hardened server with minimum services
enabled. It is not recommended to place a firewall along with other services such as an IDS, database,
or web server.

Q. 20

Answer: C. To conduct penetration testing at frequent intervals

Explanation: The most effective way to ensure that firewall rules are adequate is to conduct
penetration testing periodically. Gaps identified during the penetration test should be addressed
immediately. This will help to improve the security posture of the organization. The other options are
not as effective as penetration testing.

Practice Question Set 2


Q. 1

Answer: A. A neural network-based IDS

Explanation: A neural network-based IDS works on the same principle as a statistical-based IDS.
However, it has the advanced functionality of self-learning. The neural network keeps updating its
database by monitoring the general patterns of activity.

Q. 2

Answer: B. The sensor

Explanation: The function of the sensor is to collect data. Data may be in the form of IP packets, log
files, and so on. The function of an analyzer is to analyze the data and determine whether there is any
intrusive activity. The administration console helps the administrator control and monitor IDS rules
and functions. The user interface helps the user view the results and carry out any required tasks.

Q. 3

Answer: B. A statistical-based IDS

Explanation: A statistical-based IDS attempts to identify abnormal behavior by analyzing a
statistical algorithm. Any abnormal activity is flagged as an intrusion. For example, if the normal
logon hours are between 7 A.M. and 5 P.M. and a logon is detected at 11 P.M., the IDS will raise this
as an intrusion. Therefore, a statistical-based IDS generates the highest number of false positives
compared to other types of IDS.

Q. 4

Answer: B. Being unable to identify intrusions

Explanation: The area of most concern is if the IDS is unable to identify and detect intrusions. This
defeats the core purpose of installing the IDS. Attacks will go unnoticed if not identified by the IDS
and hence no corrective and preventive action can be taken for such attacks. The number of false
alarms is not as significant. Options C and D are not areas of concern.

Q. 5

Answer: B. Between the firewall and the internal network

Explanation: If an IDS is installed between the firewall and the internal network, it will be able to
detect only those attempts that bypass the firewall rules. If an IDS is installed between the firewall
and the external network, it will be able to identify all intrusion attempts irrespective of whether
intrusion packets bypass the firewall or not.

Q. 6

Answer: A. Collecting evidence on intrusive activities

Explanation: An IDS helps to monitor a network (network-based IDS) or a single system (host-
based IDS) with the objective of recognizing and detecting any intrusions. The function of an IDS is
to analyze the data and determine the presence of intrusive activities. IDSs do not have features to
achieve the other options.

Q. 7

Answer: C. False positives

Explanation: The identification of false positives is a routine and frequent issue in the
implementation of an IDS. IDSs operate on the basis of policy definitions. Any weakness in the
policy definitions weakens the function of the IDS. False acceptance rates and false rejection rates
are associated with biometric implementation. A DDoS is a type of attack and is not an issue with the
operations of an IDS.

Q. 8

Answer: D. An intrusion detection system

Explanation: An IDS attempts to identify abnormal behavior by analyzing a statistical algorithm.
Any abnormal activity is flagged as an intrusion. Hubs and switches are networking devices for
routing. A packet filter is a type of firewall that restricts blocked traffic.

Q. 9

Answer: C. Monitoring of unsuccessful logon attempts

Explanation: The most important control to identify and detect intrusions is to actively monitor
unsuccessful logon attempts. The other options will not directly help detect an intrusion.

Q. 10

Answer: A. Many false alarms generated by a statistical-based IDS

Explanation: High instances of false alarms indicate that the IDS configuration needs to be tuned
further. A major impact of a poorly configured IDS would be on the business processes or systems
that need to be closed due to false alarms. It can have an adverse impact on business profitability. An
IDS cannot read encrypted traffic; however, it can be compensated by a next-generation firewall. The
other options are not as significant as blocking off critical services and systems due to false alarms.

Q. 11

Answer: C. A neural network monitors the general patterns of activity and creates a database,
addressing complex problems involving input variables from different sources.

Explanation: A neural network-based IDS works on the same principle as a statistical-based IDS.
However, it has the advanced functionality of self-learning. Neural networks keep updating their
database by monitoring the general patterns of activity. A neural network is the most effective at
addressing problems that can only be solved by analyzing a large number of input variables.

Q. 12

Answer: A. In a DMZ

Explanation: Public-facing websites are placed in a DMZ to safeguard the internal network from
external attacks. An IDS should be placed in the same DMZ. The IDS would monitor the network
traffic to detect any intrusions. A network-based IDS would not be installed on a web server, unlike a
host-based IDS. Placing the IDS outside the firewall would not be helpful in specifically protecting
the website. Placing an IDS in the internal network is good to ensure that the website is not prone to
internal attacks; however, the IDS would normally be placed in a DMZ.

Q. 13

Answer: D. A host-based intrusion prevention system

Explanation: The most viable option is to install a host-based IPS. A host-based IPS will prevent
activities on the host computer or server such as deletion of files or modification of programs. A
network-based IDS will be able to detect irregular traffic but if signatures are not updated or the
traffic is encrypted, that traffic may still bypass the IDS. A regular OS patch update addresses
vulnerabilities; however, a host-based IPS is more effective in preventing unauthorized installation. A
packet filtering firewall will not be able to restrict the rootkit if the incoming IP is correct.

Q. 14

Answer: A. A honeypot

Explanation: A honeypot is a decoy system set up to attract hackers and intruders. The purpose of
setting up a honeypot is to capture the details of intruders in order to proactively strengthen security
controls.

Q. 15

Answer: A. An intrusion prevention system

Explanation: IPSs can not only detect intrusion attempts but also prevent the impact of the intrusion
attack. An IDS only monitors, records, and raises alarms about intrusive activities, whereas an IPS
also prevents intrusive activities. Routers and switches are devices used for network routing.

Q. 16

Answer: A. To capture information

Explanation: The first step that an intruder takes is to capture and gather relevant information about
the target environment. Based on this information, they attempt various techniques to gain access and
once the objective is accomplished, they try to eliminate the evidence.

Q. 17

Answer: D. An intrusion detection system

Explanation: A network-based IDS is considered the next line of defense after a firewall. An IDS
monitors, records, and raises alarms about intrusive activity that bypasses the firewall. An IDS has
more capabilities to identify abnormal traffic than antimalware software. Routers and switches are
devices used for network routing.

Q. 18

Answer: B. Critical services or systems are blocked due to false alarms

Explanation: The major impact of a poorly configured IPS would be on the business processes or
systems that are blocked due to false alarms. This can have an adverse impact on business
profitability. The other options are not as significant.

Q. 19

Answer: A. Tuning

Explanation: Tuning is the most important element for the successful implementation of an IDS. It is
the process of adjusting the criteria to determine abnormal behavior. If the criteria are not properly
tuned, the IDS may generate false alarms or fail to identify actual abnormalities. A patch update is
more related to the OS. Logging and change management are not as relevant as tuning.

Q. 20

Answer: C. Generate false alarms from different users or system actions

Explanation: A statistical-based IDS attempts to identify abnormal behavior by analyzing a
statistical algorithm. Any abnormal activity is flagged as an intrusion. For example, if normal logon
hours are between 7 A.M. and 5 P.M. and a logon happens at 11 P.M., the IDS will raise this as an
intrusion. A statistical-based IDS generates more false alarms compared to the other types of IDSs. A
statistical-based IDS is capable of identifying a new attack; a signature-based IDS cannot detect a
new type of attack. Statistical-based IDSs may be more expensive and may require specialized staff;
however, the more important aspect is the false alarms.
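The logon-hour example used in Set 2 (Q. 3 and Q. 20) and the tuning point of Q. 19, worked through as an added Python example that is not from the book: a statistical profile (mean and standard deviation of logon hours) is learned from a constructed baseline, constructed log lines are scored against it, and the same detector is run at two thresholds to show how tuning trades false alarms against missed abnormalities.

```python
import re
from statistics import mean, pstdev

# Constructed baseline: hours (0-23) of successful logons observed during a
# normal working period. This is the "usual behaviour" the IDS learns from.
BASELINE_LOGON_HOURS = [7, 8, 8, 9, 9, 9, 10, 12, 13, 14, 15, 16, 17, 17]

# Constructed log lines to be evaluated against the learned profile.
# bob works late (7 P.M.), carol logs on at 11 P.M., the others are in hours.
SAMPLE_LOG = """\
2022-12-05 08:02:11 alice LOGON OK
2022-12-05 19:10:45 bob LOGON OK
2022-12-05 23:14:03 carol LOGON OK
2022-12-06 09:30:27 dave LOGON OK
"""

# Hypothetical log format: "<date> <HH:MM:SS> <user> LOGON <result>"
LOG_RE = re.compile(r"^(\S+) (\d{2}):\d{2}:\d{2} (\S+) LOGON")


def build_profile(hours):
    """Learn the statistical profile of normal activity: (mean, std deviation)."""
    return mean(hours), pstdev(hours)


def z_score(hour, profile):
    """How many standard deviations a logon hour lies from the learned mean."""
    mu, sigma = profile
    return abs(hour - mu) / sigma


def detect(log_text, profile, threshold):
    """Return the users whose logon hour deviates from the profile by more than
    `threshold` standard deviations. The threshold is the tuning criterion."""
    flagged = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # ignore lines that are not logon records
        _, hour, user = match.groups()
        if z_score(int(hour), profile) > threshold:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    profile = build_profile(BASELINE_LOGON_HOURS)
    # Loosely tuned: bob's late session is a false alarm alongside carol's.
    print("threshold 2.0:", detect(SAMPLE_LOG, profile, 2.0))
    # Tuned more tightly: only the 11 P.M. logon is raised.
    print("threshold 2.5:", detect(SAMPLE_LOG, profile, 2.5))
```

Raising the threshold removes the false alarm on bob but would also hide a genuine 7 P.M. intrusion, which is exactly the trade-off tuning has to manage.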

Practice Question Set 3


Q. 1

Answer: B. To ensure the integrity of the message

Explanation: A digital signature is used to validate the integrity, authentication, and non-repudiation
of messages. However, it does not ensure message confidentiality. A digital signature includes an
encrypted hash value of the message. This hash value would change if the message was subsequently
altered, thus indicating that an alteration has occurred. Hence, it helps to ensure message integrity.
Digital signatures will not be able to address and support any of the other options.

Q. 2

Answer: A. The authentication and integrity of data

Explanation: A digital signature is used to validate the integrity, authenticity, and non-repudiation of
electronic messages. It does not ensure message confidentiality or the availability of data. A digital
signature is created as follows:

Step 1: Create a hash value (message digest) of the message.

Step 2: Encrypt the hash value (as derived in the previous step) with the private key of the sender.

Q. 3

Answer: D. Alteration

Explanation: The hash value of a message is used to create the digital signature. Each message has a
unique hash value. If a message changes, its hash also changes. Thus, the hash value will not be the
same if the message is altered. A digital signature will not address other concerns.

Q. 4

Answer: A. Digital signatures

Explanation: A digital signature is created by encrypting the hash value of a message. An encrypted
hash cannot be altered without the key of the sender.

Q. 5

Answer: C. Integrity, authentication, and non-repudiation

Explanation: A digital signature is used to validate the integrity, authenticity, and non-repudiation of
electronic messages. It does not ensure message confidentiality, privacy, or availability of data.

Q. 6

Answer: B. Integrity

Explanation: Digital signatures confirm integrity because the hash value of a message changes in the
case of any unauthorized changes being made in the data (file, mail, document, etc.).

Q. 7

Answer: B. Non-repudiation

Explanation: Non-repudiation provides assurance that the sender of a message or the initiator of a
transaction cannot later deny sending the message or initiating the transaction. Non-repudiation is the
most effective way to validate that a specific action has occurred. Digital signatures are used to
provide non-repudiation.

Q. 8

Answer: A. The use of a sender's private key to encrypt the hash value of the message

Explanation: A sender encrypts the hash value of their message with their private key. If the
recipient is successful in decrypting the hash value with the public key of the sender, then
authenticity is established. That is, it is proved that the message is in fact sent by the sender. It
ensures non-repudiation; that is, the sender cannot repudiate having sent the message. For
authentication, the encryption of the entire message is not required. The encryption of the entire
message will involve more cost and time and hence the encryption of the hash alone is considered
sufficient.

Q. 9

Answer: B. The hash value of the message is transmitted and encrypted with the customer's private key

Explanation: A digital signature is created as follows:

Step 1: The hash value (message digest) of the message is created.

Step 2: The hash value (derived in the previous step) is encrypted with the private key of the sender.

In the question, the sender is the customer. Hence, the hash is to be encrypted using the customer's
(sender's) private key.

Q. 10

Answer: A. Help detect spam

Explanation: With the use of digital signatures, a sender can be tracked and authenticated. The
recipient will be able to set a configuration on their system to delete messages from specific senders
automatically. The file size of a digital signature is only a few bytes and will not have any impact on
the bandwidth. There will be no major impact on the workload of gateway servers. A digital
signature does not ensure confidentiality.

Q. 11

Answer: A. Cannot be reversed

Explanation: The following example explains the outcome of hashing as well as encryption:

For the message Meeting at 8 AM, the hash value is 4526dee03a36204cbb9887b3528fac4e.

For the message Meeting at 8 AM, encryption leads to Mxxxxxx xx x xM.

Now, from the hash value 4526dee03a36204cbb9887b3528fac4e, you cannot derive the message, but
from Mxxxxxx xx x xM, you can derive the original message by decryption.

Thus, hashing operates in one way and cannot be reversed. You can create a hash from the message,
but it is not possible to create a message from that particular hash value. Thus, a hash value is
irreversible, whereas encryption is reversible. This is the major difference between encryption and
hash.

Q. 12

Answer: A. Employees digitally signing their email messages

Explanation: When employees digitally sign their email messages, the receiver will be able to
validate the integrity and authenticity by checking the digital signature.

Q. 13

Answer: C. Non-repudiation

Explanation: Non-repudiation provides the best evidence of the occurrence of a specific action or
transaction. The sender of the email or initiator of the transaction cannot deny their action. Digital
signatures are used to provide non-repudiation.

Q. 14

Answer: D. Non-repudiation

Explanation: Non-repudiation provides the best evidence of the occurrence of a specific action or
transaction. The initiator of the transaction cannot deny that transaction. Digital signatures are used to
provide non-repudiation.

Q. 15

Answer: A. Authenticity and integrity

Explanation: In the preceding case, the message is not encrypted (only the hash is encrypted) and
hence it will not ensure privacy or confidentiality. An encryption of the hash will ensure authenticity
and integrity.

Q. 16

Answer: B. The signer has the private key of the sender and the receiver has the public key of the
sender

Explanation: A digital signature is created as follows:

Step 1: Create a hash value (message digest) of the message.

Step 2: Encrypt the hash value (as derived from the previous step) with the private key of the sender.

At the recipient end, the hash is decrypted using the public key of the sender.
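The two signing steps given in Q. 2, Q. 9 and Q. 16 of this set, plus the recipient's check, as an added Python example that is not from the book. It uses SHA-256 for Step 1 and textbook RSA for Step 2; the primes are constructed and deliberately tiny so the arithmetic is visible, which makes this an illustration of the procedure and not a usable signature scheme.

```python
import hashlib
from math import gcd

# Constructed demonstration primes: far too small for real use and chosen only
# to keep the numbers readable. Real deployments use 2048-bit or larger moduli.
SENDER_P, SENDER_Q = 1000000007, 998244353
PUBLIC_EXPONENT = 65537


def make_keypair(p, q, e=PUBLIC_EXPONENT):
    """Textbook RSA key generation: returns ((e, n), (d, n)) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def message_digest(message, n):
    """Step 1: create the hash value (message digest) of the message.

    The SHA-256 digest is reduced modulo n only because the toy modulus is
    smaller than the 256-bit digest; a real scheme pads the digest instead."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """Step 2: encrypt the hash value with the sender's private key."""
    d, n = private_key
    return pow(message_digest(message, n), d, n)


def verify(message, signature, public_key):
    """Recipient side: decrypt the signature with the sender's public key and
    compare it with a freshly computed hash of the received message. A match
    shows the message is unchanged (integrity) and was signed with the matching
    private key (authenticity, and hence non-repudiation)."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(message, n)


if __name__ == "__main__":
    sender_public, sender_private = make_keypair(SENDER_P, SENDER_Q)
    message = b"Meeting at 8 AM"
    sig = sign(message, sender_private)
    print("original verifies:", verify(message, sig, sender_public))
    print("altered verifies:", verify(b"Meeting at 9 AM", sig, sender_public))
    # A signature made with someone else's private key fails the check, which
    # is what lets the recipient attribute the message to the real sender.
    _, other_private = make_keypair(1000000009, 1000000021)
    forged = sign(message, other_private)
    print("other signer verifies:", verify(message, forged, sender_public))
```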

Q. 17

Answer: A. Ensuring the integrity of the message

Explanation: A digital signature is created by calculating the hash value of the given message.
Recalculating the hash value for the original message should provide the same hash value. Thus, it
helps to ensure message integrity.

Q. 18

Answer: D. By using the embedded digital signature

Explanation: A digital signature is used to determine the identity and integrity of the data. The other
options are not relevant to determining whether the message and the sender are genuine.

Q. 19

Answer: D. Digital signatures

Explanation: A digital signature is used to validate the integrity, authenticity, and non-repudiation of
electronic messages. Non-repudiation is a process used to make sure that the sender of a message or
initiator of a transaction is not in the position to deny their action. Encryption and symmetric
encryption provide confidentiality but not non-repudiation. Hashing provides integrity but not non-
repudiation.

Q. 20

Answer: D. Create a hash value of the file, then compare the file hashes

Explanation: The best way is to create a hash of the original file and then compare this with the
suspected file to ensure that the files are the same. If the hash has changed, then it indicates that the
file has been modified. The last modified date can also be fabricated. File encryption and role-based
access control are good access controls but do not prevent the file from being corrupted or modified
by a valid user.

Practice Question Set 4


Q. 1

Answer: B. The certificate authority

Explanation: The CA is an entity responsible for issuing digital certificates. It is also responsible for
the management of digital certificates.

Q. 2

Answer: D. Validating the information of the applicants for a certificate

Explanation: An RA has the following functions:

To verify and validate information provided by applicants

To ensure that the applicant is in possession of a private key that matches the public key requested for a certificate; this is known as POP

To distribute the physical tokens containing private keys

To generate shared secret keys during the initialization and certificate pickup phase of registration

Q. 3

Answer: A. The certificate authority

Explanation: The CA is an entity that issues digital certificates. It is responsible for the issuance and
management of digital certificates throughout their life cycle.

Q. 4

Answer: C. Establishing a link between the applicant and their public key

Explanation: The CA delegates some of the administrative functions, such as verification of
information provided by the applicants. The RA is delegated with the function of verifying the
correctness of information provided by applicants. The RA verifies that the applicant is in possession
of a private key that matches the public key requested for the certificate. This is known as POP.

Q. 5

Answer: C. The user organization is also the owner of the certificate authority

Explanation: It indicates a conflict of interest when the user and owner of the CA are the same. The
independence of the CA will be impaired in this scenario, and this is considered a major weakness.

Q. 6

Answer: B. Validation of information provided by the applicants

Explanation: An RA has the following functions:

To verify and validate the information provided by applicants

To ensure that the applicant is in possession of a private key that matches the public key requested for a certificate; this is known as POP

To distribute the physical tokens containing the private keys

To generate shared secret keys during the initialization and certificate pickup phase of the registration

Q. 7

Answer: A. The certificate practice statement

Explanation: A CPS is a document that prescribes the practice and process of issuing and managing
digital certificates by the CA. It includes details such as the controls in place, the methods for
validating applicants, and the usage of certificates.

Q. 8

Answer: B. To validate the identity and authenticity of certificate owners

Explanation: An RA has the following functions:

To verify and validate the information provided by the applicant

To ensure that the applicant is in possession of a private key that matches the public key requested for a certificate; this is known as POP

To distribute the physical tokens containing the private keys

To generate a shared secret key during the initialization and certificate pickup phase of the registration

Q. 9

Answer: C. When users attest to each other's identity

Explanation: The objective of a CA is to support the identification of the key holder. In a case where
a user already attests to another user's identity, the CA may not be required. The CA is not relevant
for the other options.

Q. 10

Answer: D. A certification practice statement

Explanation: A CPS is a document that prescribes practices and processes for the issuing and
management of digital certificates by the CA. It also provides contractual requirements between the
relying parties and the CA. It includes details such as the controls that should be in place, the
methods for validating applicants, and the usage of certificates.

Q. 11

Answer: C. It attests to the validity of a user's public key

Explanation: The CA is responsible for the issuance and management of digital certificates. The CA
authenticates and validates the holder of the certificate after the issuance of the certificate. The other
options are not functions of a CA.

Q. 12

Answer: C. The private key of the certificate authority

Explanation: The private key of a CA is used to issue the digital certificates to all parties in a PKI. If
the private key of a CA is compromised, it will lead to a single point of failure for the entire PKI
because the integrity of all digital certificates is based on this private key. If the private key of a
holder is compromised, it will affect only that holder. Public keys are published and pose no risk.

Practice Question Set 5


Q. 1

Answer: A. Data encryption

Explanation: The best method is to encrypt the communication, which will ensure the confidentiality
of the transactions. Multiple authentications, maximum password age, and digital signatures may
help in strong authentication but they will not help in the confidentiality of the data in transit.

Q. 2

Answer: A. A secure socket layer

Explanation: Secure sockets layer (SSL) is the protocol that operates at the transport layer. It is
used for privacy and data security while communicating over a network. SSL makes use of
cryptographic functions to protect the confidentiality, reliability, and integrity of private documents
traveling through the internet. A dynamic host configuration protocol (DHCP) is a protocol used to
manage the network configuration. DHCP assigns an IP address and other network configuration
parameters to every device on a network so that they can communicate with other IP networks.
Secure shell (SSH) and Telnet are remote terminal control protocols. Through these protocols, a user
can connect to a terminal from a remote location.

Q. 3

Answer: B. To encrypt the data stored on the mobile

Explanation: Encryption is the most effective method to safeguard the data stored on mobile
devices. Encryption converts the data into an unreadable form such that it can only be read by the
person possessing the encryption key. The other options are good controls, but they are not as
effective.

Q. 4

Answer: B. Scaling is more convenient in public key encryption

Explanation: One of the limitations of symmetrical encryption is that it requires a key for each pair
of individuals who wish to have confidential communication. This results in an exponential increase
in the number of keys, resulting in complex distribution and storage problems. Public key encryption
does not have this issue. Public key encryption requires more computation efforts and maintenance
compared to symmetric encryption. A public key by itself does not provide greater encryption
strength.

Q. 5

Answer: C. User passwords not being encrypted

Explanation: If passwords are sent over an internal network in plain text, they can easily be sniffed.
Passwords should be encrypted for adequate security. The other options do not present significant
exposures.

Q. 6

Answer: B. Implementing application-level encryption

Explanation: Encryption makes the database unreadable for the DBA and other staff. This helps the
DBA to perform this routine function without reading the data in cleartext. The other options cannot
prevent the DBA from reading the data in the database.

Q. 7

Answer: C. Authenticate the sender

Explanation: The public key of the other party is used to decrypt the message and if the message is
successfully decrypted, it helps to authenticate the user, that is, the owner of the corresponding
private key. Authorization and compression are not functions of PKI. A private key is used for the
creation of digital signatures.

Q. 8

Answer: B. Strong encryption

Explanation: The most effective method to secure a wireless network is to provide strong
encryption. An IDS and a router will not offer any protection from local attacks. Two-factor
authentication is for access control and will not protect data from being sniffed.

Q. 9

Answer: C. Encrypting the USB device

Explanation: Encryption is the most effective method to safeguard the data stored on removable
devices. Encryption converts the data on the USB to an unreadable form. It can only be read by the
person possessing the encryption key. The other options are good controls but not as effective.

Practice Question Set 6


Q. 1

Answer: B. Penetration tests

Explanation: Aggregated risk refers to a significant impact caused by a large number of minor
vulnerabilities. Such minor vulnerabilities individually do not cause a major impact but when all are
exploited at the same time, they can cause a huge impact. The goal of risk aggregation is to identify
the significant overall risk from a single threat vector. Penetration testing is the best way to assess
aggregate risks by exploiting them one by one. Risk aggregation provides a good measurement for
prioritizing the risk.

Q. 2

Answer: A. Determine weaknesses in the network and server security

Explanation: The objective of penetration testing is to identify the weaknesses in the network and
server security of an organization. Based on the results of the penetration test, the identified
weaknesses are addressed to improve the security posture of the organization.

Q. 3

Answer: C. To get an independent view of security exposures

Explanation: The main objective of engaging an external company to perform penetration testing is
to get an independent view of the organization's security exposure. Even though the organization may
have the necessary skills and resources to conduct penetration testing, third-party penetration testing
is recommended to get an objective view from external experts. The other options are secondary
aspects.

Q. 4

Answer: B. To ensure that goals and objectives are clearly defined

Explanation: It is very important to establish a clear understanding of the scope of testing. In the
absence of a defined scope, a tester may cause a system outage or other major damage. Sometimes,
the test may have adverse impacts on business processes if the organization is not well prepared. The
other options are secondary aspects. In the case of a blind penetration test, IT and security monitoring
staff are not informed about the proposed test in order to determine their readiness with respect to any
attack. A demonstration of the test system will reduce the spontaneity of the test.

Q. 5

Answer: D. Establishing clear rules of engagement

Explanation: It is very important to establish a clear understanding of the scope of testing. In the
absence of a defined scope, a tester may cause a system outage or other major damage. Sometimes, a
test may have adverse impacts on business processes if the organization is not well prepared. The
other options are secondary aspects. In the case of a blind penetration test, IT and security monitoring
staff are not informed about the proposed test in order to determine their readiness for any attack.

Q. 6

Answer: A. A clear scope of the test

Explanation: In a black box testing attack scenario, the tester is provided with limited or no
knowledge of the target's information systems. Inappropriate planning and timing of the attack may
cause the system to fail. It is very important that the tester is well experienced and aware of the clear
scope of the test. The other options are not as significant.

Q. 7

Answer: A. More time is spent on exploitation rather than discovery and information gathering

Explanation: In cases of white box penetration testing, relevant details of the infrastructure are made
available to the tester in advance. They need not spend time gathering the information. This helps the
tester concentrate on exploitation. A black box approach, where no information is provided, better
simulates an actual hacking attempt. Cost is a secondary aspect. Penetration testing tools are required
for both white box as well as black box penetration tests.

Q. 8

Answer: C. For control assessments of legacy applications

Explanation: Ethical hacking (penetration testing) involves the use of tools and techniques available
to actual hackers to penetrate the network of an organization. The objective of ethical hacking is to
find out vulnerabilities in the existing control and address the loopholes. Ethical hacking is not
directly relevant to the other options.

Q. 9

Answer: D. Conducting periodic penetration testing

Explanation: The most effective way to ensure that an organization's network is properly secured
against external attacks is to conduct penetration testing at regular intervals. The results of
penetration testing determine the effectiveness of the organization's security posture. Any loopholes
identified during penetration testing should immediately be rectified. The other options are not as
effective.

Q. 10

Answer: B. Network mapping

Explanation: The first step that a penetration tester conducts is to analyze the network mapping.
Network mapping is the process of understanding the target network topology. It helps to determine
the points of attack in a network. The IDS is a secondary aspect. The nature of data and data analytics
are not relevant to a tester.

Revision Questions

Q.1

Answer: C. It may be quarantined by the firewall or mail filters

Explanation: Generally, firewalls or mail filters would quarantine a password-protected ZIP file as
the filter (or the firewall) will not be able to determine whether the file contains malicious code. A
ZIP file does have the capability of using strong encryption. Generally, a firewall will not be able to
read the password-protected file. A password-protected file by itself does not use high network
bandwidth.

Q.2

Answer: A. The firewall allows source routing

Explanation: A firewall, by default, should be able to reject any traffic with IP source routing.
Source routing is a tool to get information about all the routers in a packet transit. This could be used
to bypass firewalls, hence it is a security threat. If source routing is allowed by a firewall, an intruder
can attempt spoofing attacks by stealing the IP addresses of the organization. Deploying a firewall in
a standalone server is a good practice. A firewall should be placed in a hardened server with
minimum services enabled. Firewall rules should be reviewed in a structured manner at periodic
intervals. Allowing unregistered ports is not recommended but does not necessarily pose a significant
security threat.

Q.3

Answer: A. A screened subnet

Explanation: In a screened subnet, one bastion host is deployed along with two packet filtering
routers. It is considered the most secure type of firewall implementation. It acts as a DMZ. An
acceptable use policy and role-based access will not have an impact on external users. An IDS will be
able to identify the invalid attempts but will not be able to prevent them.

Q.4

Answer: B. A web server

Explanation: A DMZ is a separate area that is exposed to external-facing untrusted areas. Generally,
servers that interact with the internet are placed in a demilitarized area as this area is separate from
internal servers and properly hardened. Servers and resources placed in a DMZ are isolated and are
not directly connected to the internal network. A database should not be placed in a DMZ as it is
exposed to external connections.

Q.5

Answer: A. On the internal network


Explanation: An intranet server is not required to communicate with external networks as external
people do not need access to it. Hence, for security purposes, it should be placed on an internal
network. Placing the intranet server outside the firewall, in the DMZ, or on an external router will
expose it to external threats.

Q.6

Answer: A. One rule may conflict with another rule and create a loophole

Explanation: Firewall rules should be simple and easy to implement. A complex rule is difficult to
manage and there is a chance that a particular rule may conflict with another, resulting in a loophole.
Also, it becomes complex to test a high number of rules and so the operating effectiveness of a rule
cannot be determined. High expenditure and network performance are secondary concerns. A next-
generation firewall has the ability to handle any number of rules.

Q.7

Answer: B. Inability to detect new attack methods

Explanation: In signature-based IDSs, the IDS looks for specific predefined patterns to detect
intrusion. Patterns are stored as signatures and are updated at frequent intervals. This is also known
as a rule-based IDS. A signature-based IDS is not capable of identifying new types of attacks for
which the signatures are not yet available. The other options are not relevant.

Q.8

Answer: A. Simulating various attack scenarios and reviewing the performance of the intrusion
detection system

Explanation: The most effective way to determine whether an IDS is properly tuned is to simulate
various attack scenarios and review the performance of the IDS. The other options are secondary
aspects.

Q.9

Answer: D. To identify attacks on the internal network

Explanation: The main objective of an IDS is to identify attacks on the internal network and provide
alerts for immediate countermeasures. This helps minimize the impact of the attack. The other
options are secondary aspects.

Q.10

Answer: C. Ensuring the encrypted traffic is decrypted prior to being processed by the intrusion
detection system

Explanation: An IDS cannot read encrypted traffic. Encryption should be removed before the traffic
is processed by the IDS. Encryption should be removed at the SSL or VPN server to allow all traffic
to be monitored. Placing an IDS before the firewall will generate a high number of alerts, which will
eventually be blocked by the firewall. All end devices are not required to be connected to the IDS.
Network bandwidth is not relevant.

Q.11

Answer: D. Install a honeypot on the network

Explanation: A honeypot is a decoy system set up to attract hackers and intruders. The purpose of
setting up a honeypot is to capture the details of intruders to proactively strengthen security controls.
As honeypots are closely monitored, any unauthorized attempt is more likely to be detected before
significant damage is inflicted. The other options will not directly help detect the intruder.

Q.12

Answer: D. Anomaly-based detection

Explanation: Anomaly-based detection works on the statistics of normal traffic patterns. It is also
known as statistic-based IDS. Any change from the normal traffic range is considered a deviation and
an alert is generated. In a DDoS attack, incoming traffic increases tremendously, hence it is detected
by anomaly-based detection. The other options will not be effective to detect a DDoS attack.

Q.13

Answer: C. To set up decoy files

Explanation: A decoy file is also known as a honeypot. A honeypot is a decoy system set up to
attract hackers and intruders. The purpose of setting up a honeypot is to capture the details of
intruders in order to proactively strengthen security controls. The other options are used to keep
hackers out of the internal network.

Q.14

Answer: A. An increase in the number of false positives

Explanation: An IDS uses different logs, such as firewall logs, system logs, and application logs.
Logs are analyzed to determine the trends and patterns of attacks. Threshold refers to the acceptable
deviation from the normal pattern. A low threshold value means anything outside that value will be
considered an attack. Even genuine business traffic will be considered an attack if it is above the
threshold. A low threshold value generally increases the number of false positives.
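As an added illustration of the two answers above on anomaly-based detection (Q.12) and thresholds (Q.14), the script below is example code written for this note, not text or code from the book: it learns a normal traffic profile from constructed per-minute request counts, flags a DDoS-style spike as a deviation, and shows that lowering the threshold makes genuine business traffic trip the alarm. All figures are constructed sample data.

```python
"""Minimal statistic-based (anomaly) detector on request-rate data.

A profile of normal traffic is learned from a baseline, a sample is flagged when
it deviates from the mean by more than `threshold` standard deviations, and the
counts of true and false positives are returned so the effect of the threshold
can be compared. All traffic numbers are constructed, not real measurements.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed baseline: requests per minute during a normal business day.
BASELINE_RPM: List[int] = [100, 110, 95, 105, 120, 98, 102, 115, 108, 97]

# Constructed observation window. Indices 0-4 are genuine business traffic
# (including a busy lunchtime period); index 5 onwards is a DDoS-style flood.
OBSERVED_RPM: List[int] = [104, 99, 125, 128, 118, 4000, 5200, 6100]
IS_ATTACK: List[bool] = [False, False, False, False, False, True, True, True]


def learn_profile(samples: List[int]) -> Tuple[float, float]:
    """Return (mean, population standard deviation) of the normal traffic profile."""
    return mean(samples), pstdev(samples)


def is_anomalous(value: int, profile: Tuple[float, float], threshold: float) -> bool:
    """Flag `value` if it lies more than `threshold` standard deviations from the mean.

    `threshold` is the acceptable deviation from the normal pattern: a small value
    means almost anything outside the baseline is treated as an attack.
    """
    mu, sigma = profile
    if sigma == 0:
        # Degenerate baseline with no variation: any change is a deviation.
        return value != mu
    return abs(value - mu) / sigma > threshold


def evaluate(threshold: float) -> Dict[str, float]:
    """Run the detector over OBSERVED_RPM and count true/false positives and misses."""
    profile = learn_profile(BASELINE_RPM)
    true_positives = false_positives = missed = 0
    for value, attack in zip(OBSERVED_RPM, IS_ATTACK):
        flagged = is_anomalous(value, profile, threshold)
        if flagged and attack:
            true_positives += 1
        elif flagged and not attack:
            false_positives += 1
        elif not flagged and attack:
            missed += 1
    return {
        "threshold": threshold,
        "true_positives": true_positives,
        "false_positives": false_positives,
        "missed": missed,
    }


if __name__ == "__main__":
    # A 3-sigma threshold catches the flood without false alarms; 1 sigma and
    # 0.5 sigma still catch the flood but also flag normal busy minutes.
    for t in (3.0, 1.0, 0.5):
        print(evaluate(t))
```

With this data the flood is detected at every threshold shown; what changes is the number of genuine minutes misclassified, which is the cost Q.14 describes.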

Q.15

Answer: D. Hashing

Explanation: Hashing is the process of converting a given password into another value. The result of
a hash function is known as a hash value. When a user enters a password, it is converted into a hash
value and is compared with the stored hash. If the hashes match, then access is granted. The actual
password cannot be generated from the hash value (because it is a one-way algorithm), so the actual
password remains the same.

Chapter 9: Incident Management Readiness

Practice Question Set 1


Q. 1

Answer: C. An incident response plan

Explanation: An incident response plan includes a detailed procedure to handle an incident. It also
includes the detailed roles and responsibilities of different teams for handling the incident. A security
breach can best be handled using an incident response plan. BCPs and DRPs will be applicable only
if an incident becomes a disaster and an alternative site needs to be activated. A change management
plan is used to manage changes and does not directly impact the handling of a security breach.

Q. 2

Answer: A. To check the facility access logs

Explanation: The first step should be to check the facility access logs and determine the number of
employees in the facility. They should be evacuated on an emergency basis. The safety of human life
always comes first. The other options are secondary actions.

Q. 3

Answer: B. Installing a packet filtering firewall to drop suspicious packets

Explanation: In a DoS attack, numerous packets are sent to a particular IP address with the objective
of disrupting services. Installing a packet filtering firewall will help drop the suspected packets and
thus reduce the network congestion caused by a DoS attack. Patching the operating system will not
affect network traffic. Implementing NAT or load balancing would not be as effective in tackling a DoS
attack.

Q. 4

Answer: C. To ensure compliance with reporting procedures

Explanation: The first step is to initiate the reporting process as defined in the incident response
procedure. The incident response procedure may include reporting it to the police or another
authority, wiping data remotely, removing users, and so on. Determining impact and removing it from
the inventory list are subsequent actions.

Q. 5

Answer: A. At the time the disaster recovery plan is established

Explanation: Roles and responsibilities should be assigned at the time of preparing the plan. An
unclear plan will have an adverse impact during execution. Without assigned roles and
responsibilities, testing and approval will not be effective.

Q. 6

Answer: B. Copies of the business continuity plan

Explanation: A BCP contains the step-wise process to ensure continuity of the business from an
alternative site. Without a copy of the BCP, recovery efforts may not be effective. Generally, a BCP
includes contact details of key employees, suppliers, and key service-level agreements.

Q. 7

Answer: D. Containment

Explanation: Containment refers to taking action to prevent the expansion of the incident. Incident
response procedures primarily focus on containing the incident and minimizing damage. For
example, when a virus is identified in a computer, the first action should be containing the risk, that
is, disconnecting the computer from the network so that it does not impact other computers. The
other options are subsequent actions.

Q. 8

Answer: D. The installation of a Trojan horse on a system administrator's computer

Explanation: A Trojan horse is a type of illegitimate software that is often disguised as legitimate
software; it is a type of malware. Trojans are used by intruders to attempt unauthorized access to an
organization's network and systems. Finding a Trojan horse in an administrator's computer is a major
concern as the administrator has privileged access that could be exploited. The other options are still
serious issues, but not as significant.

Q. 9

Answer: D. It takes 6 days to investigate security incidents

Explanation: A delay in investigation is an area of major concern as it can have a large impact on
business processes. The other options do not pose significant risks.

Q. 10

Answer: B. Often clash with effective problem management

Explanation: One of the most important objectives of problem management is to understand the root
cause of an incident and address it so that the same type of incident does not reoccur. Merely
restoring the service at the earliest is not the solution. Hence, if the incident is closed within a strict
timeline, this aspect may be missed. Quick resolution may not always give positive results. Forensics
are concerned with evidence analysis and preservation from a legal perspective and are not involved
in service continuity.

Q. 11

Answer: C. Isolating the impacted network

Explanation: The most important action is to isolate the network and contain the further spread of
the attack. Disconnecting all network access points will impact business processes and should be the
last resort. Analyzing and monitoring are subsequent actions.

Q. 12

Answer: C. Safety of personnel

Explanation: The safety of human life is of utmost priority for any emergency response plan.

Q. 13

Answer: B. The escalation criteria

Explanation: Escalation criteria include specific actions to be followed as per predefined timelines.
They also include defined roles and responsibilities for individual team members. For the smooth
execution of incident response, it is of utmost importance to follow the escalation criteria.

Q. 14

Answer: B. To determine the impact of the compromise

Explanation: The first course of action is to determine the extent of the impact on the organization.
Even when reporting to senior management and other stakeholders, the extent of the compromise
needs to be submitted.

Q. 15

Answer: C. Disconnecting the computer from the network

Explanation: The first step is to contain the spread of the virus by disconnecting the infected
computer. The other options are subsequent steps.

Q. 16

Answer: C. To minimize business disruptions

Explanation: The main objective of incident response is the containment of the incident and thereby
minimization of damage. The other options are not primary objectives of incident response.

Q. 17

Answer: C. To rebuild the system from the original media

Explanation: Due to a compromise at the administrative level, malware may have already been
installed on the server. The best way is to rebuild the email server from the original media. This will
address the risk of the presence of any hidden malware. Isolation is a temporary solution. A change
of password and two-factor authentication will not address a hidden virus in the email server.

Q. 18

Answer: B. The cost of the unavailability of the system

Explanation: The unavailability of the system due to disaster may result in losses for the
organization. Losses due to the unavailability of the system increase on a daily basis. A BCP is
considered on the basis of these losses. Based on the losses from the unavailability of the system, the
RTO, RPO, and recovery sites are finalized. The other options do not directly impact the BCP.

Q. 19

Answer: B. Incident severity criteria

Explanation: It is very important to prioritize the incident based on its possible impact. Quickly
ranking the severity criteria of an incident is key to incident response. The other details are not
included in a computer incident response team manual but are included in the BCP.

Q. 20

Answer: A. Immediately isolating the server from the network

Explanation: The most important action is to isolate the server and contain the further spread of the
virus. The other options are subsequent actions.

Practice Question Set 2


Q. 1

Answer: A. To confirm the incident

Explanation: The immediate step should be to confirm the incident to rule out any false positives. It
is very important for a security manager to verify and validate the incident before any containment
action is taken. Once the incident is confirmed, the next step is isolating the incident. The other
options are subsequent steps.

Q. 2

Answer: B. Blocking all emails containing picture file attachments

Explanation: The first step should be to block all emails containing picture files until the time the
signature files are updated. Deleting all picture files and quarantining mail servers is not necessary.
Blocking all incoming emails would hamper business processes.

Q. 3

Answer: A. The system owner

Explanation: A vulnerability should be reported to the system owner to take appropriate corrective
action. The system owner should in turn report to the data owner if the vulnerability is in the database
arrangement. The system owner will coordinate with the development team for any development-
related changes to address the vulnerability.

Q. 4

Answer: A. Slack space can be used to store hidden data

Explanation: Slack space refers to the additional storage that is available on a computer's hard disk
drive. It is created when a computer file does not use all the space allocated to it by the operating
system. Slack space can be used to store hidden data. The verification of slack space is an important
aspect of computer forensics.

Q. 5

Answer: A. To confirm the incident

Explanation: The first step should be to confirm the incident to rule out any false positives. It is very
important for a security manager to verify and validate the incident before any containment action is
taken. Once the incident has been confirmed, the next step is to contain the incident. The other
options are subsequent steps.

Q. 6

Answer: D. Installing an intrusion detection system

Explanation: The installation of an IDS will help the security manager identify the source of the
attack. An IDS can be used to detect both internal as well as external attacks depending on where it is
placed. An IDS is used to monitor the network or systems for abnormal activities. IP addresses can be
spoofed and hence implementing a static IP may not be useful. If the attack is internal, two-factor
authentication may not be helpful either. Capturing logs will only be meaningful if the logs are
monitored through SIEM.

Q. 7

Answer: C. To obtain guidance from the firewall manufacturer

Explanation: The first course of action is to consult with the firewall manufacturer as they may have
a patch to address the vulnerability. They will also be in a position to suggest a workaround and any
compensating controls to address the issue. Blocking all incoming traffic may not be feasible as it
will hamper business processes. Updating OS patches and penetration testing will not help to address
the vulnerability.

Q. 8

Answer: B. To contain the incident

Explanation: Once the incident has been confirmed, the next step is to contain the incident.
Containment means taking actions to prevent the expansion of the incident. Incident response
procedures primarily focus on containing incidents and minimizing damage.

Q. 9

Answer: C. Discussing the situation with the data owner

Explanation: The first step should be to discuss the situation with the data owner and determine the
requirement of data access on a need-to-know basis. Based on the discussion, access should be
provided according to the relevant job function and should be removed for other users. The
encryption of data may not be feasible as the user may require access to data for further processing.

Q. 10

Answer: D. Possible business benefits from incident impact reduction

Explanation: The best way to justify the establishment of an incident management team is to
highlight the possible business benefits derived from structured incident management processes. The
trends of previous incidents and industry losses may not directly impact future losses.

Q. 11

Answer: D. Security awareness training of end users

Explanation: Frequent security awareness training for end users as well as help desk staff is one of
the most important factors for the early identification and reporting of any incident. The availability
of a well-structured communication and reporting procedure is also an important aspect but it is only
useful when staff are able to identify the incident. An IDS will not be able to identify non-IT-related
incidents. Determining the severity level is a subsequent step and will be useful only once the
incident is identified.

Q. 12

Answer: D. Promote business resiliency

Explanation: Business resilience refers to the capability of an organization to sustain disruption. The
main objective of an IRP is to minimize the impact of an incident by developing resilient processes.
An incident response plan is a means to reduce the impact of an incident but cannot prevent the
occurrence of an incident. Business continuity processes are addressed by the BCP and not the IRP.

Q. 13

Answer: C. Verifying whether the file is malicious

Explanation: The first step should be to confirm whether the file is actually malicious and thereby
rule out a false positive. It is very important for a security manager to verify and validate the incident
before any containment action is taken. Once the incident has been confirmed, the next step is to
isolate the file. The other options are subsequent steps.

Q. 14

Answer: D. The information security department

Explanation: Generally, the information security response is handled by the information security
manager and they should ensure that the team members consist of individuals with the requisite
knowledge and experience to handle incidents.

Q. 15

Answer: B. Determining whether it is an actual incident

Explanation: The first step should be to confirm the incident to rule out any false positives. It is very
important for the security manager to verify and validate any incident before containment action is
taken. Once the incident has been confirmed, the file can be isolated. The other options are
subsequent steps.

Q. 16

Answer: C. The data owner

Explanation: The data owner should be notified first as they will be in the best position to determine
the impact of the security breach. The data owner will then coordinate with the computer incident
response team for further action. The other options are to be notified later, as required by the incident
management policy.

Q. 17

Answer: B. Defined roles and responsibilities


Explanation: Defined roles and responsibilities of the incident response team increase the
effectiveness of incident management. Each team should have predefined and assigned
responsibilities for managing incidents. They should also have the relevant experience and should be
appropriately trained in accordance with their responsibilities. The other options are important but
not as significant.

Q. 18

Answer: A. To ensure that adequate corrective actions are implemented

Explanation: The main objective is to ensure that incidents are closed by taking appropriate
corrective actions as per the business requirements. A review by management helps align the security
policy with the business objectives. The other options are not the objectives of a management review.

Q. 19

Answer: B. Escalating to the next level for resolution

Explanation: The incident response policy and procedure will have a defined escalation procedure
and timelines for each activity. If an activity is not completed within the defined timeline, then it
should be escalated to the next level.

Q. 20

Answer: C. A well-defined and structured communication plan

Explanation: The two most important aspects for the timely identification of incidents are frequent
security awareness training for end users and a well-defined communication plan. A well-defined and
structured communication plan facilitates the information flow from the end user to senior
management in a time-bound manner. In this manner, incidents can be recognized, declared, and
appropriately addressed. An IDS will not be able to address non-technical incidents. Audits are
generally detective in nature and may not identify incidents in a timely manner. Reviews of network
logs will help to address only network-related incidents.

Practice Question Set 3


Q. 1

Answer: D. The strategy validated by senior management

Explanation: Senior management is in the best position to understand and adopt the strategy that is
the most beneficial for the organization's continuity. A BCP is primarily based on the SDO of the
management. A strategy to cover all applications is not practical. If the objective of senior
management is achieved, they will definitely support the budget for business continuity processes
and alternative sites.

Q. 2

Answer: D. Developing a recovery time objective for critical functions

Explanation: While the goal of a BCP is to prevent and mitigate incidents, the goal of a DRP is to
restore operations if business operations are down due to an incident. Developing an RTO directly
relates to business continuity whereas the other options are more related to infrastructure disaster
recovery.

Q. 3

Answer: A. Available resources

Explanation: The MTO is the maximum period of time that an organization can operate from an
alternative site. Various factors affect the MTO such as resource availability, location availability, raw
material availability, or electric power availability at the alternative site. SDOs and operational
capabilities should have been addressed when considering the available resources for the alternative
site.

Q. 4

Answer: B. Before image restoration

Explanation: The RPO is the level of acceptable data loss. Whenever a database is corrupted, the
recovery process recovers only the completed transactions, and any incomplete transactions are rolled
back. This is known as before image processing. The extent of system downtime is referred to as the
RTO.

Q. 5

Answer: A. Business impact analysis

Explanation: A BIA is conducted to determine the critical processes of the organization and to help
decide the recovery strategy during a disaster.

Q. 6

Answer: C. A reciprocal arrangement

Explanation: In a reciprocal arrangement, two organizations with similar capabilities and processing
capacities agree to provide support to one another in the event of an emergency. Reciprocal
agreements are not considered very reliable. They pose many challenges, such as both organizations
having different processing capabilities, difficulties in testing the plan, keeping the plan up to date,
and so on.

Q. 7

Answer: B. The chief operating officer

Explanation: The RPO is best determined by the business process owner, that is, the chief operating
officer. The chief operating officer has adequate knowledge to make this decision.

Q. 8

Answer: A. To determine the maximum tolerable period of data loss

Explanation: The RPO is a measure of the user's tolerance to data loss. In other words, the recovery
point objective is the extent of acceptable data loss. For example, an RPO of 2 hours indicates that an
organization will not be overly impacted if it loses data for up to 2 hours.

Q. 9

Answer: C. The business process owner

Explanation: The business process owner is in the best position to determine the impact of the
unavailability of their system or processes and the appropriate recovery time and cost estimates
accordingly.

Q. 10

Answer: C. To periodically test the plan with varied scenarios

Explanation: The best method is to conduct tests on a periodic basis and determine whether the plan
supports the requirements of the business. The other options are not as effective.

Q. 11

Answer: D. When selecting an alternative recovery site

Explanation: When selecting an alternative recovery site, it is of utmost importance to consider the
proximity of the site to hazards. A recovery site should have an appropriate distance from potential
hazards such as bodies of water, chemical factories, or other locations that could cause significant
risk to the recovery site. A recovery site should also be away from the primary site so that both are
not subject to the same environmental events.

Q. 12

Answer: C. The allowable interruption window


Explanation: The AIW is the maximum period of time for which normal operations of the
organization can be down. After this point, the organization will start to face major financial
difficulties threatening its existence. The technical specification of the disaster recovery site will be
based on this constraint. Based on the AIW, the organization needs to choose between a mirrored,
hot, warm, or cold site.

Q. 13

Answer: A. The primary and offsite facilities should not be subject to the same environmental threats

Explanation: An offsite facility should be away from the primary site so that both are not subject to
the same environmental events. In the event of natural calamities, both sites would be impacted if
located in close proximity.

Q. 14

Answer: C. Systems are restored

Explanation: The RTO is the amount of time required to restore a system. Normal functioning may
occur significantly later than the RTO. The RTO is the minimum acceptable operational level and is
generally lower than normal operations.

Q. 15

Answer: A. Test results show that the recovery time objective was not exceeded

Explanation: The RTO is the extent of acceptable system downtime. A system should be restored
within the RTO. The RTO is an important element of a BCP. If the RTO is achieved during testing, it
indicates that the BCP objectives have been achieved. Conducting BCP tests and assigning asset
ownership are not the core objectives of a BCP.

Q. 16

Answer: B. Adequate distance between the primary site and offsite facility so that the same disaster
does not simultaneously impact both

Explanation: Offsite facilities should be away from primary sites so that both cannot be subject to
the same environmental events. In the event of natural disasters, both sites would be impacted if
located in close proximity. The other options are secondary factors.

Q. 17

Answer: A. Recovery time objectives

Explanation: The RTO is the length of time required to restore the system to a service level
acceptable to the organization.

Q. 18

Answer: D. The end-to-end transaction flow

Explanation: If an organization can establish an end-to-end transaction flow from the offsite facility,
then it can be validated that the key business processes are available at the offsite location. The
achievement of the RPO and staff requirements does not indicate the availability of the required
support and processes at the offsite location.

Q. 19

Answer: A. A business impact analysis

Explanation: A BIA is a process used to determine the critical processes of an organization and,
accordingly, decide the priority level and recovery strategy during a disaster.

Q. 20

Answer: A. Conducting periodic and event-driven business impact analyses to determine the
business needs

Explanation: This situation could have been controlled if the organization had a practice of
conducting BIA on a periodic basis and also triggered by certain events (such as the purchase of a
new system). This helps to update the recovery strategy to meet current business requirements.

Practice Question Set 4


Q. 1

Answer: D. Fidelity insurance covers any losses suffered due to dishonesty or fraud by employees

Explanation: Fidelity insurance provides protection against business losses caused due to employee
dishonesty, theft, or fraud.

Q. 2

Answer: B. Business interruption insurance

Explanation: Business interruption insurance is the best way to compensate for any loss incurred due
to business disruptions. The other options are focused on the restoration of services as early as
possible to minimize the downtime costs. However, they cannot compensate for losses that have
occurred already.

Practice Question Set 5


Q. 1

Answer: D. Involving managers from the affected operational areas

Explanation: The severity of an incident is best determined based on the level of impact on the
organization. A manager from the affected operational areas will be in the best position to determine
the impact. Past incidents and benchmarking will not give accurate impact estimates. Valuation is
based on the impact on the business as a whole and not only on asset value.

Q. 2

Answer: C. Determining the category of the incident based on impact

Explanation: In the detection and analysis phase, the emphasis is on the identification and detailed
analysis of the incident. The following activities are carried out in the identification phase:
Determining whether the reported incident is valid

Assigning the incident to a team member

Detailed analysis of the incident

Determining the severity of the incident and following the escalation process

Option A refers to the containment phase, Option B is eradication, and Option D is post-incident
review.

Q. 3

Answer: C. To prioritize resources for handling multiple incidents

Explanation: Triage refers to the process of deciding the order of treatment based on urgency. It is
very important to prioritize the incident on the basis of its possible impact. Triage provides a
snapshot of the current status of all incidents reported to assign resources in accordance with
criticality.

Practice Question Set 6


Q. 1

Answer: C. The critical business processes are recovered and duplicated within the defined
timeframe

Explanation: For the success of a recovery test, it is very important to ensure that all critical
processes are successfully recovered and reproduced to support the business functions. This should
be done within the defined timeframe. The other options do not directly indicate the success of the
test.
Q. 2


Answer: A. All data and applications should be erased from the devices of the service provider

Explanation: It is of utmost importance to ensure the security of organizational data. After the
completion of the test, all data and applications should be erased from the devices of the service
provider. The other options are not as significant.

Q. 3

Answer: B. Periodically testing and improving the plan from the lessons learned

Explanation: Periodic testing will help the manager understand the capability of the plan. Any
deficiency noted during the test should be immediately addressed. This will help improve the
effectiveness of the plan. The other options are not as significant.

Q. 4

Answer: C. A full interruption test

Explanation: A full interruption test provides the best assurance to the security manager because it
comes closest to an actual disaster. The primary site is completely shut down and operations are
carried out from the recovery site as per the DRP.

Q. 5

Answer: A. Tested business continuity plan/disaster recovery plan

Explanation: The best indicator for incident risk management is a detailed and structured plan that is
tested at periodic intervals. The other options are not as effective.

Q. 6

Answer: B. Simulation tests

Explanation: Out of all the above tests, a full interruption test is considered to be the most effective
to determine the readiness of the BCP and DRP. However, in a full interruption test, business
operations are impacted. In a simulation test, a roleplay is prepared for a disaster scenario and the
adequacy of the DRP is determined. A simulation test is more effective compared to the checklist or
walk-through tests.

Q. 7

Answer: A. Periodic testing of the incident response plan

Explanation: Periodic testing of the IRP helps to determine its effectiveness and identify its
shortcomings. It helps to improve the plan by plugging deficiencies. The other options are good
controls but are not as effective.

Q. 8

Answer: C. Periodic testing of the disaster recovery plan

Explanation: Periodic testing of the DRP will help to determine its effectiveness and identify
whether it supports the current business processes and objectives. It helps to improve the plan by
plugging deficiencies. The other options are good controls but are not as effective.

Q. 9

Answer: A. Restoration testing

Explanation: Restoration testing helps to determine the capability of the organization to restore data
from the recovery site during a disaster. The success of a restoration test indicates that the
organization is quite capable of recovering from the disaster as data drives the majority of business
processes. The other options will not be meaningful if the recovery of data is questionable.

Q. 10

Answer: C. A parallel test

Explanation: Out of all the above tests, a full interruption test is considered the most effective to
determine the readiness of the BCP and DRP. However, full interruption tests impact business
operations. In both parallel tests and simulation tests, normal business operations are not impacted. In
a parallel test, the recovery site is activated whereas in a simulation test, the recovery site is not
activated. When the objective of the test is to not disturb the normal business operations, a parallel
test is most effective followed by a simulation test.

Q. 11

Answer: D. In a parallel test, the recovery site is brought to operational readiness; this is not done in
a simulation test

Explanation: The difference between a parallel test and a simulation test is that in a parallel test, the
recovery site is activated, whereas in a simulation test, the recovery site is not activated. In both tests,
a walk-through is performed and fictitious scenarios are used. Neither test impacts normal business
operations. When the objective of the test is not to disturb normal business operations, a parallel test
is considered the most effective followed by a simulation test.

Q. 12

Answer: D. The aggregate recovery activities exceed the acceptable interruption window

Explanation: The AIW is based on the maximum time the organization can be down before major
financial impacts occur. If restoration does not occur within the AIW, then the test will not be
considered a success. The SDO is the minimum level of service to be continued at the recovery site.
If the level of service exceeds the expected SDO then this is a positive achievement. An old version
of the operating system might cause a delay but is not a major issue.

Q. 13

Answer: C. It poses the risk that the plan will not work when needed

Explanation: A major challenge is that an untested plan may not work as expected when a disaster
occurs. Testing of the plan helps to determine its effectiveness. The other options are secondary
concerns.

Q. 14

Answer: D. Active participation by business management

Explanation: The most important factor for the success of the test is active participation by business
management. Business process owners have a thorough understanding of processes and recovery
priorities. To conduct a test, sufficient resources are required, which may not be possible without
management support. The other options are secondary concerns.

Revision Questions

Q.1

Answer: A. Containing incidents to reduce the damage

Explanation: Containment means taking action to prevent the expansion of an incident. Incident
response procedures primarily focus on containing the incident and minimizing damage. The other
options also ultimately lead to minimizing damage.

Q.2

Answer: D. To control the impact

Explanation: The main objective of incident management is to minimize the impact and damage to
the organization. Containment, root cause analysis, and eradication are steps used to minimize
damage.

Q.3

Answer: D. Determining the category of the incident based on its likelihood and impact

Explanation: The first step is to determine the various categories of incidents based on their
likelihood and impact. Based on the categorization, the other options, such as turnaround time,
escalation process, and required resources, can be determined.

Q.4

Answer: D. Addressing the incident to control the impact to an acceptable level

Explanation: The main goal of an incident management process is to restrict incidents from growing
into problems and problems growing into disasters. The restoration of disrupted processes is the
objective of a disaster recovery procedure.

Q.5

Answer: A. Capability to detect the incident

Explanation: Timely detection of an incident is of utmost importance for an effective incident
management process. The other options are not as significant.

Q.6

Answer: A. To determine whether a clear incident definition and criteria for severity exists

Explanation: The first step is to determine whether an organizational-level incident management
procedure exists. If not, this should be established as a priority. The other options are secondary
actions.

Q.7

Answer: A. To develop a structured communication channel

Explanation: An organization should have well-defined communication channels for timely
communication of incidents to different stakeholders and external parties. The channel should
support two-way communication, that is, employees should be able to communicate with the incident
management team and management should be able to communicate with employees. Ineffective
communication is a major challenge as incomplete or untimely communication causes hurdles in
incident handling. The other options are not as significant.

Q.8

Answer: D. Repeated low-risk events

Explanation: In a risk-based approach, the focus is on high-risk events. A perpetrator may take
advantage of this and concentrate on exploiting low-risk areas multiple times. Even though the
impact will be small per incident, the accumulated damage may be much higher. Hence, it is also
important to review the possibility of repeated occurrences of low-risk events.

Q.9

Answer: B. Start containment

Explanation: Containment means taking action to prevent the expansion of an incident. Incident
response procedures primarily focus on containing the incident and minimizing damage.
Disconnecting the server is the first part of the containment process. The other options are subsequent
steps.

Q.10

Answer: C. An incident management plan

Explanation: The objective of an incident management plan is to not only recover from an incident
that has already occurred but to also take action to prevent future incidents. An incident management
plan should include a proactive security assessment to improve processes and reduce the chances of
occurrences of incidents. BCPs and DRPs concentrate on activities to deal with business interruptions
due to disasters. A BIA determines the critical processes of the organization.

Q.11

Answer: C. To determine the criticality of the affected services

Explanation: The business impact is best determined by knowing the criticality of the affected
system. The other options will not help to determine the impact.

Q.12

Answer: A. Frequent testing of the plan and a dedicated team to provide oversight

Explanation: Testing the plan will help to understand the service provider's capability to address
incidents. Also, it is important to have an oversight team to monitor the service provider's activities.
Audit, structured communication channels, and documented plans are also important aspects, but in
the absence of a tested plan, it is difficult to determine the service provider's capabilities.

Q.13

Answer: D. Meeting service delivery objectives

Explanation: An incident response procedure should support the SDO. The SDO is the extent of
service and operational capability to be maintained during an incident. The other options are not as
significant.

Q.14

Answer: C. The service delivery objectives

Explanation: The SDO is the extent of service and operational capability to be maintained from an
alternative site. It is directly related to business needs and is the level of service to be attained during
disaster recovery. This is influenced by business requirements. MTO and available budget are
determined based on the SDO.

Q.15

Answer: B. Conduct a fresh business impact analysis and update the plan

Explanation: Generally, the MTO should be as long as the AIW. However, without conducting a
BIA there is no way to determine whether it is the MTO or the AIW that is incorrect. Based on a
fresh BIA, the AIW can be derived. The AIW is the maximum period of time for which normal
operations of the organization can be down. After this point, the organization will start to face major
financial difficulties threatening its existence. Based on the AIW, the MTO should be derived. The
MTO is the maximum period of time that an organization can operate from an alternative site.
Various factors affect the MTO, such as location availability, resource availability, raw material
availability, and electric power availability at the alternative site. All these constraints should be
addressed to ensure that the MTO is as long as the AIW.

Q.16

Answer: B. Optimizing risk management efforts

Explanation: Incident management is a component of risk management that focuses on the
prevention and containment of the adverse impacts of incidents. Incident management does not
remove threats. The other options are not the primary objectives of incident management.

Q.17

Answer: D. The business impact analysis

Explanation: A BIA determines the critical processes of the organization. Incident response
activities are primarily focused on protecting the organization's critical processes. The other options
do not impact the prioritization of incident response activities.

Q.18

Answer: C. The service delivery objectives

Explanation: A data restoration plan determines the amount of data that should be restored within a
predefined limit. The extent of data restoration is primarily based on the SDO. The SDO is the extent
of the service operational capability to be maintained from an alternative site. It is directly related to
business needs and is the level of service to be attained during disaster recovery. This is influenced by
business requirements.

Q.19

Answer: B. Key process documents at the alternative site

Explanation: Continuity can best be ensured if personnel who have to resume the key processes are
aware of the procedure. If procedural documents are not available at the alternative site, it will
hamper continuity arrangements. If key process documents are made available at the offsite location,
they can be utilized by employees operating there during a disaster. These documents will also
support employees who may not typically be involved in performing those functions. The other
options are not as significant.

Q.20

Answer: A. The timelines for responses and what to do if no response occurs

Explanation: The objective of incident escalation is to state how long a team member should wait
for an incident response and what to do if no such response occurs. Defined timeframes are important
steps of an effective escalation process. The communication process can also be part of the escalation
process, but a significant aspect is the timeframe. Determining the severity and impact is not part of
escalation.

Q.21

Answer: A. The current status of all incidents reported

Explanation: Triage means deciding the order of treatment based on urgency. It is very important to
prioritize an incident based on its possible impact. Triage provides a snapshot of the current status of
all incidents reported so resources can be assigned in accordance with criticality. Triage does not
focus on already resolved incidents and does not determine the appropriateness of the post-incident
review procedure. Triage provides a view on both the tactical and strategic levels.

Q.22

Answer: B. Risk and impact analysis

Explanation: The objective of the escalation process is to highlight the issue to a higher authority in
accordance with the risk perceived and the expected impact of the incident. For example, minor
issues can be escalated to the manager, major issues can be escalated to the senior manager, and so
on. A risk and impact analysis will be the basis for determining what authority levels need to respond
to particular incidents.
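The categorization in Q.3, the escalation timelines in Q.20, and the risk-and-impact basis for authority levels in Q.22 can be put together in one small model. The following is an added example, not code from the book: likelihood and impact ratings are combined into a severity category, each category carries an assumed response deadline and an ordered chain of authority levels, and the function works out which level should currently own an incident given when it was reported and which levels have acknowledged it. The ratings, deadlines, and level names are assumptions.

```python
"""Incident categorisation and time-based escalation (added example).

Likelihood and impact ratings (1-3) give a severity category; each category
has an assumed response deadline and an ordered list of authority levels.
An incident escalates one level each time a deadline passes without the
current level responding, which is the "what to do if no response occurs"
part of an escalation process.
"""
from datetime import datetime, timedelta


def categorize(likelihood: int, impact: int) -> str:
    """Map likelihood x impact (each rated 1..3) to a severity category."""
    for v in (likelihood, impact):
        if v not in (1, 2, 3):
            raise ValueError("ratings must be 1, 2 or 3")
    score = likelihood * impact
    if score >= 6:
        return "major"
    if score >= 3:
        return "moderate"
    return "minor"


# Escalation matrix (assumption): who must respond, and how long to wait for an
# acknowledgement before handing the incident one level higher.
ESCALATION = {
    "minor": {"levels": ["analyst", "manager"],
              "deadline": timedelta(hours=8)},
    "moderate": {"levels": ["analyst", "manager", "senior_manager"],
                 "deadline": timedelta(hours=2)},
    "major": {"levels": ["manager", "senior_manager", "ciso"],
              "deadline": timedelta(minutes=30)},
}


def current_owner(category, reported_at, acknowledgements, now):
    """Return (level, escalations_so_far).

    acknowledgements maps level -> time that level acknowledged the incident.
    Starting at the first level, the incident escalates whenever the deadline
    elapses (measured from when that level received it) without an
    acknowledgement. The last level in the chain is never escalated past.
    """
    levels = ESCALATION[category]["levels"]
    deadline = ESCALATION[category]["deadline"]
    handed_at = reported_at
    escalated = 0
    for i, level in enumerate(levels):
        ack = acknowledgements.get(level)
        if ack is not None and ack <= now and ack - handed_at <= deadline:
            return level, escalated        # responded in time: they own it
        if now - handed_at < deadline or i == len(levels) - 1:
            return level, escalated        # still within deadline, or top of chain
        handed_at += deadline              # deadline passed with no response
        escalated += 1
    return levels[-1], escalated


if __name__ == "__main__":
    reported = datetime(2024, 6, 1, 9, 0)
    cat = categorize(3, 3)  # "major"
    print(cat, current_owner(cat, reported, {}, datetime(2024, 6, 1, 9, 50)))
```

Run against a major incident reported at 09:00 with nobody acknowledging, the incident sits with the manager until 09:30, then with the senior manager; by 10:30 it has reached the top of the chain. An acknowledgement within the deadline stops the escalation at that level.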

Q.23

Answer: A. It detects, assesses, and prevents the reoccurrence of incidents

Explanation: The objective of an incident management program is the timely detection and
containment of the incident and also to implement controls to prevent future occurrences. The other
options are secondary aspects.

Q.24

Answer: C. The time between detection and response

Explanation: The readiness of the response team is best determined by the time between the
detection of the incident and the response provided. The time required to detect incidents determines
the control effectiveness. A response is more relevant compared to documentation and reporting to
senior management.

Q.25

Answer: D. The escalation process is inadequately defined

Explanation: In the absence of a structured escalation process, there can be a substantial delay in
handling the incident. This can have a huge adverse impact on business processes. The IT team is
required to manage only incidents related to IT processes. The security policy is a high-level
statement and is not required to include the details of the key process owner. Unstructured reporting
is not a major concern compared to an inadequate escalation process.

Q.26

Answer: B. The business impact analysis

Explanation: A BIA is conducted to determine the business impact due to potential incidents. The
following are the key elements of a BIA:
Analysis of business loss due to processes or assets not being available

Establishing escalation criteria for prolonged incidents

Prioritization of processes or assets for recovery

The other options do not directly consider the impact of the incident.

Q.27

Answer: A. Formal training

Explanation: As all team members are new, it is advisable to conduct formal training. Formal
training involves a structured way of learning starting from basic concepts and moving to advanced-
level learning. This helps everyone, even if they are from different backgrounds. On-the-job training
and mentoring will be more relevant when the team is already established and has some senior and
experienced members.

Q.28

Answer: A. The percentage of incidents resolved within the defined timeframe

Explanation: The effectiveness of an incident response team is best determined by the closure of
incidents within the defined timeframe. Timely resolution helps to minimize the impact incidents
have. The other options, by themselves, do not provide any indication of effectiveness.
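The two metrics in Q.24 (time between detection and response) and Q.28 (percentage of incidents resolved within the defined timeframe) are straightforward to compute from an incident register. The following is an added example, not from the book: it works over a constructed list of incidents with detection, first-response, and resolution times; the per-severity resolution targets are assumptions, and an incident that is still open counts as not resolved in time.

```python
"""Incident response team effectiveness metrics (added example).

For a constructed list of incidents, compute the median detection-to-response
time (readiness of the team) and the percentage resolved within the defined
timeframe for each severity (effectiveness of the team).
"""
from datetime import datetime, timedelta
from statistics import median

# Resolution timeframe per severity (assumption)
RESOLUTION_TARGET = {
    "high": timedelta(hours=4),
    "medium": timedelta(hours=24),
    "low": timedelta(days=3),
}


def ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


# Constructed sample register: (id, severity, detected, first_response, resolved)
INCIDENTS = [
    ("INC-1", "high", ts("2024-03-01T08:00"), ts("2024-03-01T08:10"), ts("2024-03-01T11:00")),
    ("INC-2", "high", ts("2024-03-02T14:00"), ts("2024-03-02T14:45"), ts("2024-03-02T20:00")),
    ("INC-3", "medium", ts("2024-03-03T09:00"), ts("2024-03-03T10:00"), ts("2024-03-03T18:00")),
    ("INC-4", "low", ts("2024-03-04T09:00"), ts("2024-03-05T09:00"), None),  # still open
]


def detection_to_response(incidents):
    """Median minutes between detection and first response."""
    gaps = [(resp - det).total_seconds() / 60
            for _, _, det, resp, _ in incidents if resp is not None]
    return median(gaps) if gaps else None


def pct_resolved_within_target(incidents, severity):
    """Percentage of incidents of the given severity closed within target.
    Open incidents count against the team: they are not resolved in time."""
    subset = [i for i in incidents if i[1] == severity]
    if not subset:
        return None
    ok = sum(1 for _, _, det, _, res in subset
             if res is not None and res - det <= RESOLUTION_TARGET[severity])
    return round(100.0 * ok / len(subset), 1)


if __name__ == "__main__":
    print("median detection-to-response (min):", detection_to_response(INCIDENTS))
    for sev in RESOLUTION_TARGET:
        print(sev, pct_resolved_within_target(INCIDENTS, sev), "% within target")
```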

Q.29

Answer: A. Eradication

Explanation: The dictionary meaning of eradication is "the complete destruction of something." To
ensure complete destruction (so the incident does not reoccur), determining the root cause of the
incident and addressing it is critical. Hence, the incident response team addresses the root cause
during eradication.

Q.30

Answer: B. The recovery point objective

Explanation: The RPO is the extent of acceptable data loss. For example, an RPO of 2 hours
indicates that an organization will not be overly impacted if it loses data for up to 2 hours. The RPO
is used to determine the various factors of a backup strategy such as frequency and type of backup
(that is, mirroring, tape backup, etc.).

Q.31

Answer: B. Business requirements

Explanation: The RTO is the extent of acceptable system downtime. It is primarily based on
business requirements. Generally, business requirements are inclusive of legal requirements.

Q.32

Answer: C. The service delivery objective

Explanation: The SDO is the level of service and operational capability to be maintained from an
alternative site. This is influenced by business requirements. Until a new offsite facility is available,
the SDO should be kept at a lower level. The other options are not directly impacted by the new
recovery site.

Q.33

Answer: B. Differences in the processing capacity load with the data center

Explanation: Due to a difference in capacity, the data center may not be able to handle the load of
the other data centers during a disaster. This is an area of major concern. The other options can be
addressed without much concern.

Q.34

Answer: A. To ensure the availability of the tool when a disaster occurs

Explanation: The area of most importance is the availability of the tool during a disaster. In the
absence of the tool, it will be extremely difficult to implement business continuity procedures. The
tool should be accessible from offsite locations also. The other options are not as serious.

Q.35

Answer: C. The service delivery objective

Explanation: The SDO is the level of service and operational capability to be maintained from an
alternative site. It is directly related to business needs and is the level of service to be attained during
disaster recovery. The other options are linked to SDO.

Q.36

Answer: A. To conduct a scenario-based structured walk-through

Explanation: A structured walk-through helps to understand the capability of the IRP to support the
requirements of business continuity. The walk-through should include team members from the
incident response and business continuity teams. It will help to identify gaps or misalignments
between the plans.

Q.37

Answer: B. The recovery point objective

Explanation: The RPO is a measure of the user's tolerance to data loss. In other words, the RPO is
the level of acceptable data loss. For example, an RPO of two hours indicates that an organization
will not be overly impacted if it loses data for up to two hours.

The RPO is used to determine the various factors of the backup strategy such as frequency and type
of backup (i.e., mirroring, tape backup, etc.).

Q.38

Answer: D. The extent of acceptable data loss

Explanation: The RPO is a measure of the user's tolerance to data loss. It is the level of acceptable
data loss. For example, an RPO of two hours indicates that an organization will not be overly
impacted if it loses data for up to two hours. The RPO is used to determine the various factors of a
backup strategy such as frequency and type of backup (i.e., mirroring, tape backup, etc.). The extent
of acceptable system downtime is indicated by the RTO. The acceptable level of service is
determined by SDOs.

Q.39

Answer: A. A copy of the disaster recovery plan being maintained at the offsite facility

Explanation: If a copy of the DRP is not available during a disaster, business recovery will be
seriously impaired. The other options are generally addressed satisfactorily through the BCP.

Q.40

Answer: A. To increase the recovery time objective

Explanation: The RTO refers to the time within which a system should be restored. If data is not
available within the defined timeline then the system will not be restored in line with the RTO. In this
case, it is advisable to increase the RTO. The AIW is based on the maximum time the organization
can be down before major financial impacts occur. It cannot be adjusted. Adjusting the MTO or
decreasing the security budget will not have any effect on the situation.
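The relationships between the recovery objectives used in Q.12, Q.15, Q.30, and Q.40 can be checked mechanically once they are written down: a test fails when the aggregate recovery time exceeds the AIW while exceeding the SDO is a positive result (Q.12); the MTO should be at least as long as the AIW (Q.15); an RTO that cannot be met must itself be revised, since the AIW is fixed by the BIA (Q.40); and the backup interval must not exceed the RPO (Q.30). The following is an added example, not from the book, that encodes exactly those relationships; all the durations and service levels are constructed.

```python
"""Consistency checks for recovery objectives and DR test results (added example)."""
from dataclasses import dataclass
from datetime import timedelta


@dataclass
class RecoveryObjectives:
    rpo: timedelta             # acceptable data loss
    rto: timedelta             # acceptable system downtime
    aiw: timedelta             # acceptable interruption window, fixed by the BIA
    mto: timedelta             # maximum tolerable outage at the alternative site
    backup_interval: timedelta  # how often backups are taken
    sdo_service_level: float   # fraction of normal service to keep (0..1)


def check_objectives(o: RecoveryObjectives) -> list:
    """Return human-readable findings; an empty list means the set is consistent."""
    findings = []
    if o.rto > o.aiw:
        findings.append("RTO exceeds AIW: revise the RTO, the AIW cannot be adjusted")
    if o.mto < o.aiw:
        findings.append("MTO shorter than AIW: alternate site cannot sustain operations "
                        "long enough; conduct a fresh BIA")
    if o.backup_interval > o.rpo:
        findings.append("backup interval exceeds RPO: worst-case data loss is more than accepted")
    return findings


def evaluate_dr_test(o: RecoveryObjectives, activities, achieved_service_level: float):
    """activities: list of (name, duration) performed sequentially in the test.
    Returns (passed, aggregate_time, notes)."""
    aggregate = sum((d for _, d in activities), timedelta())
    notes = []
    passed = True
    if aggregate > o.aiw:
        passed = False
        notes.append(f"aggregate recovery {aggregate} exceeds AIW {o.aiw}")
    if achieved_service_level < o.sdo_service_level:
        passed = False
        notes.append("service level achieved is below the SDO")
    elif achieved_service_level > o.sdo_service_level:
        notes.append("service level exceeded the SDO (positive achievement)")
    return passed, aggregate, notes


if __name__ == "__main__":
    objectives = RecoveryObjectives(
        rpo=timedelta(hours=2), rto=timedelta(hours=8), aiw=timedelta(hours=12),
        mto=timedelta(days=30), backup_interval=timedelta(hours=1), sdo_service_level=0.5)
    print(check_objectives(objectives))
    test = [("restore from backup", timedelta(hours=5)), ("verify applications", timedelta(hours=2))]
    print(evaluate_dr_test(objectives, test, achieved_service_level=0.6))
```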

Q.41

Answer: B. All equipment at the hot site is provided at the time of disaster but is not available on the
data center floor.

Explanation: A hot site is a site already equipped with the required equipment and one that can be
activated at any time. If equipment is not available on the floor then it does not meet the requirements
of a hot site. A hot site can be arranged in another city. Many commercial providers arrange shared
hot sites. Substitution with equivalent equipment is not a major concern.

Q.42

Answer: C. Variations in infrastructure and capacity between both organizations

Explanation: In a reciprocal arrangement, two organizations with similar capabilities and processing
capacities agree to provide support to one another in the event of an emergency. If both organizations
have different infrastructure and capacities then they may not be able to support the other
organization properly in the event of a disaster. Recovery becomes difficult in such cases. This is an
area of major concern for a reciprocal arrangement. The other options will not have a major impact
on the recovery aspect.

Chapter 10: Incident Management Operations

Practice Question Set 1

Q. 1

Answer: A. Minimizing the impact of incidents

Explanation: Continuous monitoring helps to identify abnormalities in real time. This will help an
information security manager take corrective action on an immediate basis and thereby control the
impact of the incident. The other options are not the prime objectives of continuous monitoring.

Q. 2

Answer: D. The ability to handle stress amidst chaos

Explanation: The ability to stay calm and make appropriate decisions in stressful situations is the
most important attribute of an incident handler. Any decision made by an individual who is unable to
stay calm under pressure may not be in the best interests of the organization. The other options are
secondary attributes of an incident handling team.

Practice Question Set 2

Q. 1

Answer: B. Applications being exposed to new viruses during the intervening week

Explanation: As a prudent practice, virus signature files should be updated on a daily basis to
address the risk of new viruses. In this case, files are updated every week, which makes the
application vulnerable to new viruses during the intervening week. The other options are secondary
concerns.

Q. 2

Answer: D. Rebuilding the server with original media and subsequent patches

Explanation: It is recommended to rebuild a server with original media and update it with
subsequent patches as a compromised server might have some hidden malicious files that cannot be
detected through mere scanning. Discontinuing the use of the server or using it as a honeypot may
not be a feasible option. There is no harm in using the server after rebuilding it with original media.

Q. 3

Answer: B. Check intrusion detection system logs and monitor for any active attacks

Explanation: An information security team should verify IDS logs and continue to monitor the
situation. The other options are not relevant at this point. Updating the IDS could cause further
temporary exposure until the time the updated version is properly tuned.

Q. 4

Answer: C. A time server

Explanation: A time server provides common time to all connected servers and applications. The
time element is very important during a forensic investigation. The other options will not directly
assist in log review and correlation.

Q. 5

Answer: B. Invalid login attempts

Explanation: As the password was guessed, there will be multiple attempts to gain access. These
attempts are recorded in an invalid login log. Analyzing the logs for invalid login attempts can lead to
the discovery of this unauthorized activity. The other options will not directly give indications about
an unauthorized attempt. For a shared account, concurrent use is common, hence reviewing
concurrent logins will not be helpful.
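The two preceding answers fit together in practice: the invalid-login review in Q.5 only works if the events from different servers sit on one timeline, which is what the common time source in Q.4 provides. The following is an added example, not code from the book: constructed authentication log lines from two hosts that report their timestamps with different UTC offsets are normalized to UTC first, then failed logins per account are counted in a sliding window, and a burst of failures followed by a success on the same account is flagged for investigation. The log format, the window, and the threshold are assumptions.

```python
"""Detect password guessing from authentication logs (added example).

Timestamps from each host are converted to UTC before correlation, as a
common time source would provide; without that, the app02 events in the
sample would appear seven hours earlier and the burst would be split.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: "<iso-timestamp-with-offset> <host> <result> user=<name>"
SAMPLE_LOG = """\
2024-05-01T10:00:01+02:00 app01 FAILED user=shared-ops
2024-05-01T10:00:04+02:00 app01 FAILED user=shared-ops
2024-05-01T03:00:06-05:00 app02 FAILED user=shared-ops
2024-05-01T10:00:09+02:00 app01 FAILED user=shared-ops
2024-05-01T03:00:11-05:00 app02 FAILED user=shared-ops
2024-05-01T10:00:15+02:00 app01 SUCCESS user=shared-ops
2024-05-01T10:05:00+02:00 app01 FAILED user=alice
2024-05-01T10:30:00+02:00 app01 SUCCESS user=alice
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (FAILED|SUCCESS) user=(\S+)$")


def parse_log(text):
    """Return a list of (utc_time, host, result, user) sorted by UTC time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skipped here, would be counted in practice
        ts = datetime.fromisoformat(m.group(1)).astimezone(timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    events.sort(key=lambda e: e[0])
    return events


def find_guessing_attempts(events, threshold=4, window=timedelta(minutes=5)):
    """Return {user: (failures_in_window, success_followed)} for accounts whose
    failed logins inside `window` reach `threshold`. success_followed is True
    when a successful login follows the burst within the window."""
    alerts = {}
    failures = defaultdict(list)  # user -> timestamps of recent failures
    for ts, _host, result, user in events:
        if result == "FAILED":
            failures[user] = [t for t in failures[user] if ts - t <= window]
            failures[user].append(ts)
            if len(failures[user]) >= threshold:
                alerts[user] = (len(failures[user]), False)
        elif user in alerts and not alerts[user][1] and failures[user]:
            if ts - failures[user][-1] <= window:
                alerts[user] = (alerts[user][0], True)
    return alerts


if __name__ == "__main__":
    print(find_guessing_attempts(parse_log(SAMPLE_LOG)))
```

For the shared account the burst spans both hosts and is followed by a success, so it is reported; the single failure on the individual account is not. Because the rule counts failures per account rather than concurrent sessions, it still works for shared accounts, where concurrent use is normal.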

Q. 6

Answer: C. Monitoring the probe and isolating the affected segment

Explanation: In the case of probing, it is advisable to monitor the situation and isolate the network
being probed. The other options are not warranted.

Q. 7

Answer: D. The impact of the incident and corrective action taken

Explanation: Senior management is more interested in the impact caused by the breach as well as
the corrective actions taken to minimize the damage and prevent reoccurrence. The other options may
not be relevant at this point in time.

Q. 8

Answer: B. To management after determining the severity of the incident

Explanation: The security manager is required to communicate the details of the incident along with
its severity and impact to management. Generally, communication to the regulator and insurance
company is handled by the legal and compliance team. Management will take the call for legal
proceedings and the security manager is not expected to directly report to legal.
Practice Question Set 3

Q. 1

Answer: C. Implement structured backup procedures

Explanation: The most effective method to control damage due to a ransomware attack is to
implement a structured backup procedure. Generally, an organization adopts air gap backups. The air
gap technique is a backup and recovery strategy. It means that at any given time, a copy of the
organization's sensitive data is offline, disconnected, and inaccessible from the internet. This makes it
impossible for hackers to remotely access the data.

Q. 2

Answer: B. Preserving evidence

Explanation: Preserving evidence is the most crucial aspect while containing any incident. If
evidence is destroyed, it may not be possible to identify the attacker or to determine the root cause of
the incident. Root cause analysis is not conducted before containment. Meeting the recovery time
objective (RTO) should not be at the cost of evidence. Informing senior management is not as
important as preserving evidence.

Q. 3

Answer: C. Preserving forensic evidence

Explanation: Preserving evidence is the most crucial aspect while containing any incident. If the
evidence is destroyed, it may not be possible to identify the attacker or to determine the root cause of
the incident. Meeting the RTO should not come at the cost of evidence. The other options are not as
significant.

Q. 4

Answer: D. Preventing traffic from reaching the attacker's servers

Explanation: The first step should be to block all traffic moving to the attacker's server. This should
be done immediately. Containment will limit the damage. The other options are subsequent steps.

Q. 5

Answer: A. To isolate the systems that are affected from the network

Explanation: In the given situation, the first step is to contain the impact of the incident by isolating
the affected computers. Ransomware spreads quickly and if not contained can destroy more systems.
The other options are subsequent steps.

Practice Question Set 4

Q. 1

Answer: A. The detailed process on when and how to communicate with stakeholders

Explanation: The primary objective of a communication plan is to educate employees on their roles
and responsibilities with respect to the communication process. It includes processes such as who
should authorize the communication, who should communicate, how to communicate, whom to
communicate with, and what to communicate. Having a structured communication process improves
the effectiveness of incident response during an incident. The other options may be part of the overall
communication process.

Q. 2

Answer: D. Improvements in incident response

Explanation: The primary objective of a communication plan is to educate employees on their roles
and responsibilities with respect to the communication process. It includes processes such as who
should authorize the communication, who should communicate, how to communicate, whom to
communicate with, and what to communicate. Having a structured communication process improves
the effectiveness of incident response during an incident. Compliance with laws and regulations and
providing updates on status to management are secondary aspects. Having a communication plan
does not directly impact the security posture of the organization.

Q. 3

Answer: C. Effective communication with stakeholders

Explanation: The primary goal of a communication plan is to educate employees on their roles and
responsibilities with respect to the communication process. It includes processes such as who should
authorize the communication, who should communicate, how to communicate, whom to
communicate with, and what to communicate. Having a structured communication process can
improve the effectiveness of incident response during an incident.

Practice Question Set 5

Q. 1

Answer: C. Before image restoration

Explanation: The before image is a copy of the data made before the disruption. It is the point from
which data is corrupted or not available. To get the database updated, data processed after this point
should be restored. The other options will not provide an updated and correct database.
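The before image restoration described above is a roll-forward: start from the copy taken before the disruption and re-apply only the transactions journaled after that point. The following is an added example, not code from the book, that shows the mechanism on a toy database of account balances. The snapshot, its log sequence number, and the journal entries are constructed.

```python
"""Restore a database from a before image plus the transaction journal (added example)."""
import copy

# Before image: snapshot taken at log sequence number (LSN) 100 (constructed)
BEFORE_IMAGE = {"lsn": 100, "data": {"acct-1": 500, "acct-2": 200}}

# Transaction journal (constructed). Entries with lsn <= the image's lsn are
# already reflected in the image and must not be applied again.
JOURNAL = [
    {"lsn": 99, "op": "credit", "acct": "acct-1", "amount": 50},
    {"lsn": 100, "op": "debit", "acct": "acct-2", "amount": 20},
    {"lsn": 101, "op": "debit", "acct": "acct-1", "amount": 100},
    {"lsn": 102, "op": "credit", "acct": "acct-2", "amount": 75},
    {"lsn": 103, "op": "open", "acct": "acct-3", "amount": 30},
]


def apply_entry(data, entry):
    """Apply one journal entry to the in-memory data."""
    op = entry["op"]
    if op == "credit":
        data[entry["acct"]] += entry["amount"]
    elif op == "debit":
        data[entry["acct"]] -= entry["amount"]
    elif op == "open":
        data[entry["acct"]] = entry["amount"]
    else:
        raise ValueError(f"unknown journal op {op!r}")


def restore(before_image, journal, up_to_lsn=None):
    """Roll forward from the before image.

    Returns (data, applied_count). Only entries recorded after the image are
    applied, in sequence order; up_to_lsn stops the replay at a chosen point,
    for instance just before a transaction that corrupted the data.
    """
    data = copy.deepcopy(before_image["data"])
    applied = 0
    for entry in sorted(journal, key=lambda e: e["lsn"]):
        if entry["lsn"] <= before_image["lsn"]:
            continue  # already contained in the image
        if up_to_lsn is not None and entry["lsn"] > up_to_lsn:
            break
        apply_entry(data, entry)
        applied += 1
    return data, applied


if __name__ == "__main__":
    print(restore(BEFORE_IMAGE, JOURNAL))
```

Restoring only the before image would give the balances as of LSN 100; restoring only the journal would have nothing to apply it to. Combining the two yields the current state, which is why the other options in the question do not produce an updated and correct database.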

Q. 2

Answer: A. The recovery time objective

Explanation: The RTO is the extent of acceptable system downtime. After this time, the system
should be up and functioning. An RTO can be set as per the service delivery objective (SDO) or at
the level of normal business transactions. For example, a banking system is required to be live and
available 24 hours per day. This is normal business. The service delivery objective is 8 hours per day
(i.e., 8 hours per day is a must for the survival of the business). It will take 2 days to make the system
available for 8 hours and 5 days to make the system available for 24 hours.

If the bank sets its RTO to achieve its SDO, its RTO is 2 days. If the bank sets its RTO to achieve full
normal transactions, its RTO is 5 days.

Q. 3

Answer: B. Scanning the entire network and systems to remove and clean up any malware

Explanation: The objective of eradication is to identify and correct the root cause that led to the
incident. Once containment efforts have been implemented successfully, eradication should be
appropriately planned and performed. The following are some of the activities performed during
eradication:
Root cause analysis

Updating the firewall and anti-virus to address any gaps

Scanning the system to determine whether any vulnerabilities remain unnoticed

Option A is containment. Option C is the recovery phase. Option D is the post-incident review.

Q. 4

Answer: C. Eradicate malware from the network

Explanation: The objective of the containment process is to stop the spread of the incident. The
phase after containment is eradication which has the objective of identifying and correcting the root
cause that led to the incident. Once containment efforts have been implemented successfully,
eradication should be appropriately planned and performed. The following are some activities
performed during eradication:
Root cause analysis

Updating the firewall and anti-virus to address any gaps

Scanning the system to determine whether any artifacts are still left unnoticed

Practice Question Set 6

Q. 1

Answer: D. Implementing a security information and event management (SIEM) system to automate
log analysis

Explanation: SIEMs help to identify incidents through log analysis on the basis of predefined rules.
SIEMs can provide information on policy compliance as well as incident monitoring and other
capabilities. If properly deployed, configured, and tuned, a SIEM substantially reduces the time needed for
the detection of incidents compared to manual log reviews. The other options are not as effective.

Q. 2

Answer: D. An EDR is capable of performing forensic analysis and identification of emerging
threats and suspicious activities

Explanation: An EDR is an advanced solution that integrates the functions of an antivirus, a firewall,
whitelisting tools, monitoring tools, and so on. In addition to file analysis and threat detection, EDR
solutions have inbuilt machine learning capabilities to perform forensic analysis and identify
emerging threats and suspicious activities. The other options are secondary aspects.

Q. 3

Answer: C. Restoring the system to normal operations

Explanation: After successful containment and eradication of an incident, the next phase is recovery.
The objective of the recovery phase is to ensure that the business is brought back to its original state
by restoring the impacted systems.

Practice Question Set 7


Q. 1

Answer: A. To have an independent and objective review of the root cause of the incident

Explanation: It is always advisable to involve a third party in a post-incident review to avoid any
conflict of interest. The involvement of a third party will help the organization gain an independent
and objective review of the cause of the incident. Involving a third party will generally increase the
cost. The availability of expert service is one of the advantages but not a prime factor of involving a
third party. Lessons learned can be identified through an in-house team as well.

Q. 2
Answer: D. The expertise of the investigators

Explanation: Forensic investigation is the process of gathering and analyzing all crime-related
evidence to reconstruct an event. Investigators analyze hard drives, computers, or other technology
to establish how a crime took place. The most important element of a forensic investigation is the
expertise of the people performing it, because an unqualified investigator can alter evidence or draw
wrong conclusions from it. The other options are secondary aspects. The involvement of legal
experts depends on the nature of the investigation.

Q. 3

Answer: A. Assigning the job to a qualified person

Explanation: Forensic investigation is the process of gathering and analyzing all crime-related
evidence in order to reconstruct an event. Evidence will be accepted in legal proceedings only if it
can be proved that its integrity has not been compromised. Hence, it is of utmost importance that the
evidence is handled only by a qualified person. An end user is not qualified to take an image copy.
Evidence can be stored anywhere, provided the appropriate controls are in place to safeguard its
integrity. The involvement of law enforcement is not mandatory while collecting evidence.

Q. 4

Answer: B. Establishing the chain of custody log

Explanation: Chain of custody is a legal term referring to the order and manner in which evidence is
handled to ensure the integrity of the evidence and its admissibility in a court of law. The first step
should be to determine and safeguard the integrity of the hard drive. The other options are important
steps but must be completed after the chain of custody is established.

Q. 5

Answer: A. To determine the lessons learned to improve the process

Explanation: The objective of a post-incident review is to learn from each incident and improve the
organization's response and recovery procedures. Lessons learned during incident management can
best be used to inform the overall improvement of the security posture of the organization as well as
the incident management process. The other options are secondary aspects.

Q. 6

Answer: B. To identify the lessons learned

Explanation: The objective of a post-incident review is to learn from each incident and
improve the organization's response and recovery procedures. Lessons learned during incident
management can best be used to inform the overall improvement of the security posture of the
organization as well as the incident management process. The other options are secondary aspects.

Q. 7

Answer: B. Copying a bit-by-bit image from the original media to new media

Explanation: The first step is to create a copy of the original media by copying its bit-by-bit image
onto new media. This is very important to ensure that all analysis is performed on the copy and
not on the original drive. A simple file-level backup copies only allocated files and misses deleted
files, unallocated space, and the data in slack space. The other options are subsequent steps.

Q. 8

Answer: B. Chain of custody

Explanation: Chain of custody is a legal term referring to the order and manner in which evidence is
handled to ensure its integrity and its admissibility in a court of law. The first step should be to
determine and safeguard the integrity of the hard drive. The other options are secondary aspects.

Q. 9

Answer: D. Whether the chain of custody was maintained

Explanation: Chain of custody is a legal term referring to the order and manner in which evidence is
handled to ensure the integrity of the evidence and its admissibility in a court of law. The most
important aspect is to determine the integrity of the evidence. The other options are secondary
aspects.

Q. 10

Answer: B. To conduct an assessment to determine the system status

Explanation: The first step should be to determine the status of the system in terms of damage and
other impacts. This status will help the security manager determine the subsequent course of action.
Penetration testing and notifying law enforcement are subsequent actions. Isolating the firewall after
the incident will not provide any benefit.

Q. 11

Answer: B. The suspected hard drive was kept in a tape library for further analysis

Explanation: In cases where a hard drive is stored in a tape library, the chain of custody cannot be
verified as many individuals would have access to the library. It is not mandatory to remove the disk
in the presence of the law enforcement agency. Storing the hard drive in a safe and handing it over to
an authorized investigator does not violate the chain of custody.
Q. 12

Answer: C. Taking an image copy of the media

Explanation: The next step should be to take an image copy of the media. Analysis should be
performed on the copy and not on the original media. Preserving the evidence and maintaining the
chain of custody are very important factors to ensure legal admissibility. Documentation and
notification to law enforcement are subsequent steps. Scrapping or rebuilding the server destroys
the evidence.

Q. 13

Answer: B. Preserving the integrity of the evidence

Explanation: It is of utmost importance to demonstrate the integrity of evidence to have it
recognized in legal proceedings. The other options do help the investigation process but are not
relevant to the admissibility of evidence.

Q. 14

Answer: A. A bit-level copy of the server

Explanation: Analysis should not be conducted on the original affected server. This may impact the
integrity of the evidence. Analysis should be performed on a bit-level copy of the server. A bit-level
copy image supports the integrity and quality of forensic evidence in a way that is admissible in a
court of law. The other options will not provide a quality, exact image for investigative work.

Q. 15

Answer: C. To improve the response process

Explanation: The objective of a post-incident review is to learn from each incident and improve the
organization's response and recovery procedure. Lessons learned during the incident management
process can best be used to inform the overall improvement of the security posture of the
organization as well as the incident management process. The other options are secondary aspects.

Q. 16

Answer: C. Proven forensic processes are applied

Explanation: The admissibility of evidence in legal proceedings depends on what processes are used
to collect, analyze, and preserve the evidence. Proven forensic processes help with the admissibility
of evidence.

Q. 17

Answer: B. Locating the evidence and preserving the integrity of the evidence
Explanation: The priority should be locating the electronic evidence and preserving its integrity. The
other options are secondary aspects.

Q. 18

Answer: A. The use of specially drafted messages by an authorized person

Explanation: It is always advisable to release only details that are preapproved by senior management
and delivered by an authorized spokesperson. Unnecessary or unvetted information may cause
confusion, expose the organization legally, and damage its reputation.

Q. 19

Answer: D. To prevent the loss of data available in the volatile memory

Explanation: Disconnecting the power destroys the contents of volatile memory (RAM): running
processes, open network connections, logged-in sessions, decryption keys, and any malware that
lives only in memory. This data may be critical for the investigation and for understanding the impact
of the incident. Disconnecting power will generally not harm the hard drives or cause a loss of the
data in the server logs, and it would contain the spread. However, instead of disconnecting the
power, the computer should be isolated from the network, and volatile memory should be captured
before any shutdown.

Q. 20

Answer: C. The file contents have been overwritten multiple times

Explanation: Overwriting the file contents makes the data the most difficult to recover. Even highly
specialized tools may not be able to recover overwritten files. Deleted files that
have not been overwritten can easily be retrieved with forensic tools, because deletion normally
removes only the directory entry and leaves the data blocks in place. Data on quick-formatted disks
and in deleted partitions can often be recovered for the same reason: the file system metadata is
cleared, but the underlying blocks are not.
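To illustrate why Q.20 ranks overwriting above deletion and formatting, here is an added Python example, not from the book: a constructed in-memory "disk" in which deleting a file or quick-formatting only removes directory entries, so signature-based file carving still recovers the data, whereas overwriting the blocks several times leaves nothing to carve. The toy file system, the offsets, and the PNG-like payload are assumptions made for the demonstration.

```python
import os

# Constructed PNG-like signature pair used for carving (real PNG header and IEND trailer).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xaeB`\x82"
SAMPLE_PNG = PNG_MAGIC + b"\x00" * 16 + b"constructed payload, not a real image" + PNG_END


class ToyDisk:
    """A constructed block device: raw bytes plus a directory table.
    As on most real file systems, deleting or quick-formatting touches only
    the table; the data blocks are left untouched until something reuses them."""

    def __init__(self, size=64 * 1024):
        self.raw = bytearray(size)      # all blocks start zeroed
        self.table = {}                 # name -> (offset, length)

    def write_file(self, name, offset, data):
        self.raw[offset:offset + len(data)] = data
        self.table[name] = (offset, len(data))

    def delete(self, name):
        # Ordinary delete: drop the directory entry only.
        del self.table[name]

    def quick_format(self):
        # Quick format: wipe the whole directory table, leave every block as is.
        self.table.clear()

    def overwrite(self, name, passes=3):
        # Secure erase: overwrite the file's blocks with random data several
        # times, then remove the entry. Nothing recoverable remains.
        offset, length = self.table[name]
        for _ in range(passes):
            self.raw[offset:offset + length] = os.urandom(length)
        del self.table[name]


def carve_png(raw):
    """Signature-based file carving: scan raw bytes (ignoring the directory
    table entirely) for header/trailer pairs and return each object found."""
    found = []
    start = 0
    while True:
        i = raw.find(PNG_MAGIC, start)
        if i < 0:
            break
        j = raw.find(PNG_END, i)
        if j < 0:
            break
        found.append(bytes(raw[i:j + len(PNG_END)]))
        start = j + len(PNG_END)
    return found


def demo():
    """Number of objects carving recovers after each kind of removal."""
    results = {}

    disk = ToyDisk()
    disk.write_file("photo.png", 4096, SAMPLE_PNG)
    disk.delete("photo.png")
    results["after_delete"] = len(carve_png(disk.raw))

    disk = ToyDisk()
    disk.write_file("photo.png", 4096, SAMPLE_PNG)
    disk.quick_format()
    results["after_quick_format"] = len(carve_png(disk.raw))

    disk = ToyDisk()
    disk.write_file("photo.png", 4096, SAMPLE_PNG)
    disk.overwrite("photo.png", passes=3)
    results["after_overwrite"] = len(carve_png(disk.raw))
    return results


if __name__ == "__main__":
    print(demo())
```

The carving routine never consults the directory table, which is exactly what a forensic tool does against unallocated space; the first two cases therefore still yield the file, and only the overwritten case yields nothing.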

Practice Question Set 8


Q. 1

Answer: A. To build business cases

Explanation: One of the important challenges of implementing a SIEM is reducing false positive
alerts. The most effective way to reduce them is to develop business use cases. A use case documents
the threat to be detected, the log sources required, the correlation logic, and the expected output, so
that rules are tuned to the organization's own environment rather than left at generic defaults. In this
scenario, the use cases would focus on the ability of the SIEM to analyze the logs for known threats.
The other options are components used in developing the use case.

Q. 2

Answer: A. SIEM supports compliance with security policies


Explanation: A SIEM helps to identify incidents through log analysis on the basis of predefined rules.
If properly deployed, configured, and tuned, it can provide information on policy compliance as well
as incident monitoring and other capabilities. A SIEM is not meant to reduce residual risk by itself,
replace the firewall, or promote compensating controls.

Q. 3

Answer: B. A security information and event management system

Explanation: A SIEM system collects data from various sources and analyzes it for possible security
events. The SIEM system can detect attacks by signature- or behavior-based (heuristics) analysis.
Further, SIEM has the capability to perform a granular assessment, can highlight developing trends,
and can alert the risk practitioner for an immediate response. SIEM is the most effective method to
determine aggregate risk from different sources. The other options are not as effective.
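The rule-based log analysis that the SIEM explanations above describe (Set 6, Q.1 and Set 8, Q.1 to Q.3), as an added example that is not part of the book: a minimal correlation rule in Python, "at least five failed logins from one source within 60 seconds followed by a successful login", run over constructed auth-log lines. An allow-list shows how a documented use case tunes out a known internal scanner and so removes a false positive without weakening the rule. The log format, host names, IP addresses, threshold, and window are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of a Linux auth log; they are not from the book.
# 203.0.113.7 brute-forces and succeeds; 198.51.100.4 is a user mistyping once;
# 10.0.0.50 is an internal vulnerability scanner with a known service account.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51000 ssh2",
    "2024-03-01T10:00:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 51001 ssh2",
    "2024-03-01T10:00:05 sshd[1201]: Failed password for admin from 203.0.113.7 port 51002 ssh2",
    "2024-03-01T10:00:07 sshd[1201]: Failed password for root from 203.0.113.7 port 51003 ssh2",
    "2024-03-01T10:00:09 sshd[1201]: Failed password for admin from 203.0.113.7 port 51004 ssh2",
    "2024-03-01T10:00:12 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51005 ssh2",
    "2024-03-01T10:05:00 CRON[1300]: pam_unix(cron:session): session opened for user root",
    "2024-03-01T10:05:10 sshd[1202]: Failed password for alice from 198.51.100.4 port 40000 ssh2",
    "2024-03-01T10:05:30 sshd[1202]: Accepted password for alice from 198.51.100.4 port 40001 ssh2",
    "2024-03-01T11:00:00 sshd[1203]: Failed password for svc from 10.0.0.50 port 30000 ssh2",
    "2024-03-01T11:00:02 sshd[1203]: Failed password for svc from 10.0.0.50 port 30001 ssh2",
    "2024-03-01T11:00:04 sshd[1203]: Failed password for svc from 10.0.0.50 port 30002 ssh2",
    "2024-03-01T11:00:06 sshd[1203]: Failed password for svc from 10.0.0.50 port 30003 ssh2",
    "2024-03-01T11:00:08 sshd[1203]: Failed password for svc from 10.0.0.50 port 30004 ssh2",
    "2024-03-01T11:00:10 sshd[1203]: Accepted password for svc from 10.0.0.50 port 30005 ssh2",
]

# Parser for the assumed sshd line format; anything else (cron, etc.) is ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_line(line):
    """Normalize one raw log line into an event dict, or None if it is not an sshd login event."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce_then_success(lines, threshold=5, window_s=60, allowlist=frozenset()):
    """Correlation rule: raise an alert when a source accumulates `threshold`
    failed logins inside a sliding window and then logs in successfully.
    Sources on the allow-list (a tuned-out known scanner) are suppressed."""
    failures = defaultdict(deque)      # source IP -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        cutoff = ev["ts"] - timedelta(seconds=window_s)
        while recent and recent[0] < cutoff:  # expire failures outside the window
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:         # success after a burst of failures
            if ev["src"] not in allowlist:
                alerts.append({
                    "rule": "bruteforce_then_success",
                    "src": ev["src"],
                    "user": ev["user"],
                    "failures": len(recent),
                    "at": ev["ts"].isoformat(),
                })
            recent.clear()
    return alerts


if __name__ == "__main__":
    print("untuned:", detect_bruteforce_then_success(SAMPLE_LOGS))
    print("tuned:  ", detect_bruteforce_then_success(SAMPLE_LOGS, allowlist={"10.0.0.50"}))
```

Run untuned, the rule fires twice (the real attacker and the scanner); with the scanner's address documented in the use case and placed on the allow-list, only the attacker remains, which is the false-positive reduction Set 8, Q.1 is getting at.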

Revision Questions
Q.1

Answer: A. The application support team

Explanation: SQL injection is an application-based attack. An application support team will be in
the best position to determine any unauthorized activity with respect to an application database. The
business process owner will be able to discuss the attack only if it has a major impact on business
processes. SQL injection is an application-based attack so the network security team and the incident
response team will not be able to assess the possible impact.

Q.2

Answer: D. It provides evidence of due diligence to support legal and liability claims

Explanation: A structured incident management process supports the legal and liability claims as
evidence is formally documented and handled in a methodical way. The other options are secondary
aspects.

Q.3

Answer: C. Path of the virus's entry

Explanation: It is most important for a security manager to understand the entry path of the virus.
The first step is to determine the entry path so that the investigation can identify which controls
failed. That gap should be closed as soon as possible to prevent a recurrence.

Q.4
Answer: B. To determine the lessons learned

Explanation: On the basis of observations noted by staff involved in disaster recovery tests, the areas
of improvement can be determined. This will help improve the effectiveness of the test. The other
options are secondary aspects.

Q.5

Answer: D. An effective communication and reporting process

Explanation: A structured communication and reporting process is an important aspect to ensure that
incidents are reported in a timely manner to the incident response team. Timely reporting will help in
a prompt response. An intrusion detection system may not be able to detect and report incidents that
are not related to IT. The capability of the help desk team is also an important aspect; however,
without reporting from end users, the help desk team will not be able to detect the incident.
Determining the severity level is a secondary aspect compared to the communication and reporting
process.

Q.6

Answer: C. Creating hashes for the original and the image

Explanation: After a bit-by-bit copy is created, the next step is to generate the hash value of both
the original drive and the copied drive. A hash value is a fixed-length value computed from the
content by a cryptographic hash function (for example, SHA-256); if even one bit of the content
changes, the hash value changes. The two hash values should be compared to ensure that the copy is
complete, correct, and accurate. Analysis should start only after ensuring that the copy is an exact
replica of the original. Tool validation should have happened prior to initiating the copy. An
encrypted image cannot be analyzed until it is decrypted, so encrypting it is not the next step.

Q.7

Answer: C. Analysis

Explanation: The next step should be to analyze the vulnerability with respect to the possibility of
exposure, possible impact, applicable threat factors, and other relevant factors. The identification of a
vulnerability does not necessarily mean that an incident has occurred. Containment and eradication
are steps to be taken after the occurrence of an incident. Reporting is to be done after analysis.

Q.8

Answer: D. The defined responsibilities

Explanation: If responsibilities for the service provider and the service receiver are defined and
documented, it will help in the smooth execution of processes. In the event of operational issues,
responsibility ownership will help to determine the course of action. The other options are secondary
aspects for resolving operational issues.

Q.9

Answer: A. Creating a bit-by-bit image of the hard drive

Explanation: To the extent possible, forensic analysis should not be performed on original media, as
doing so may impact the integrity of the evidence. The best approach is to create a bit-by-bit image of
the original media. A bit-by-bit image ensures that erased or deleted files and any data in slack space
and unallocated space are also copied. A logical copy will only copy the files and folders and may not
copy the other data needed to properly examine the hard drive for forensic evidence. Encryption is
not required.

Q.10

Answer: D. Traceability of control

Explanation: Traceability of control refers to demonstrating who had control of the evidence
throughout the process. It indicates the proper chain of custody. The other options are secondary
aspects.

Q.11

Answer: B. To record the progress of incident response and document the exceptions

Explanation: The documentation of incident history helps to keep a record of the incident starting
from detection until closure. This helps to determine whether all related aspects of incident
management are performed appropriately as per the defined process and timelines. Exceptions, if any,
are discussed and deliberated and appropriate actions are taken. The other options are secondary
aspects.

Q.12

Answer: C. Improvements in identification

Explanation: A structured method of monitoring helps in the early detection of incidents. In the
absence of any monitoring process, an incident may go undetected and can have a major impact on
business processes. Monitoring will help to improve the identification of threats and vulnerabilities.
Implementing a monitoring process may increase the security budget. Monitoring does not impact
risk appetite. Compliance with the security policy is a secondary aspect.

Q.13

Answer: C. A hash value should be generated from both the original as well as the copy
Explanation: After a bit-by-bit copy is created, the next step is to generate hash values for both the
original drive and the copied drive. A hash value is a fixed-length value computed from the content
by a cryptographic hash function; if the content changes, the hash value also changes. The two hash
values should be compared to ensure that the copy is complete, correct, and accurate. Analysis should
start only after ensuring that the copy is an exact replica of the original. It is not necessary to have
the same disk model. It is good practice to have two copies, but creating and comparing hash values
is more important. Restoration is not relevant when evaluating evidence.
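The acquisition steps that Q.6, Q.9, Q.10, and Q.13 here (and Q.4, Q.7, Q.8, and Q.14 in Set 7) describe, as an added Python example that is not the book's own: a bit-for-bit image of a source device, an independent SHA-256 of both source and image, a later re-verification of the image, and an append-only chain-of-custody record that names the handler, the action, and the hash. The file names, the JSON-lines log format, and the handler name are assumptions; a real acquisition reads the device through a hardware write blocker with dd, dc3dd, or a forensic imager, which this script only imitates on a constructed sample file.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 1024 * 1024   # read and write in fixed-size blocks, as dd does


def sha256_of_file(path):
    """Hash a file or raw device block by block, without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src, dst):
    """Bit-for-bit copy of src to dst. Every byte is copied, so deleted files,
    unallocated space and slack space come along, unlike a file-level backup.
    The source is opened read-only; on real hardware a write blocker enforces that.
    The source hash is taken from the bytes actually read; the image hash is taken
    by re-reading the written file so that a write error would show up as a mismatch."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(BLOCK_SIZE), b""):
            h.update(block)
            fout.write(block)
    src_hash = h.hexdigest()
    dst_hash = sha256_of_file(dst)
    return {"source_sha256": src_hash, "image_sha256": dst_hash,
            "verified": src_hash == dst_hash}


def verify_image(path, expected_sha256):
    """Check, at any later point, that the image still matches the hash recorded at acquisition."""
    return sha256_of_file(path) == expected_sha256


def record_custody(log_path, handler, action, item, sha256):
    """Append one chain-of-custody entry: who did what to which item, when, and its hash
    (assumed JSON-lines format; a real log would also be signed or kept on WORM media)."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "handler": handler,
             "action": action, "item": item, "sha256": sha256}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def acquire(src, workdir, handler="analyst"):
    """Image, verify, and log custody. Refuses to hand over an unverified image."""
    image = os.path.join(workdir, "evidence.dd")
    log = os.path.join(workdir, "custody.jsonl")
    result = image_device(src, image)
    if not result["verified"]:
        raise RuntimeError("image hash does not match source; do not proceed to analysis")
    record_custody(log, handler, "acquired bit-for-bit image", image, result["image_sha256"])
    result.update({"image": image, "custody_log": log})
    return result


def tamper_byte(path, offset=100):
    """Flip one byte in a file; used only to show that verification catches alteration."""
    with open(path, "r+b") as f:
        f.seek(offset)
        b = f.read(1)
        f.seek(offset)
        f.write(bytes([b[0] ^ 0xFF]))


def demo():
    """Run the workflow on a constructed 'device' (3 MiB + 17 random bytes, deliberately
    not a multiple of the block size) in a temporary directory and report what happened."""
    workdir = tempfile.mkdtemp(prefix="forensic-demo-")
    src = os.path.join(workdir, "suspect-device.bin")
    data = os.urandom(3 * BLOCK_SIZE + 17)
    with open(src, "wb") as f:
        f.write(data)
    result = acquire(src, workdir)
    before = verify_image(result["image"], result["image_sha256"])
    tamper_byte(result["image"])
    after = verify_image(result["image"], result["image_sha256"])
    with open(result["custody_log"]) as f:
        entries = [json.loads(line) for line in f]
    return {
        "verified_at_acquisition": result["verified"],
        "hash_matches_source_data": result["image_sha256"] == hashlib.sha256(data).hexdigest(),
        "verify_before_tamper": before,
        "verify_after_tamper": after,
        "custody_entries": len(entries),
    }


if __name__ == "__main__":
    print(demo())
```

The hash recorded in the custody entry is what makes the log useful: anyone who later receives the image can recompute the hash and show that what they analyzed is exactly what was acquired, which is the integrity argument admissibility rests on.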

Q.14

Answer: B. Prevent contamination of the evidence

Explanation: For legal proceedings, the integrity of evidence is of utmost importance. Hence, the
first step in such a situation is to prevent contamination or alteration of the evidence. The other
options are subsequent actions.

You might also like