1
Which one of the following is a good example of an information security strategy?
A. Changing passwords regularly.
B. Balancing administrative versus technological controls.
C. Prohibiting the use of dial-up modems on laptops linked to the corporate network.
D. Doing background checks on all applicants for security positions.
B is an example of strategy. None of the other choices is of a strategic nature, although they are examples of good practice R2

2
An enterprise that publishes information on the Internet must have, as a minimum, which one of the following items in place?
A. Data policy.
B. Security policy.
C. Privacy policy.
D. Communications policy.
Information published on the Internet should be protected by a privacy policy linked to each page. Each page should provide a notice linking to that privacy policy and allowing 'opt in' and/or 'opt out' options; documents published on the Web need expiration dates and a process to remove these documents; consent must be obtained from authors of any published material, and if copying or reuse is prevented, then that should be made clear R3

3
Which one of the following would be a strategic objective for information security?
A. Improved incident response capability.
B. Enterprise-baseline security established.
C. Executive involvement in the security awareness programme.
D. Increased organizational capability.
Translating benefits achieved into an increased organizational capability that enables future business is a strategic objective. The other options are all operational activities R4

4
If server downtime is a performance measure appropriate to IT management, which one of the following is a likely performance measure that senior/executive business management would typically focus on?
A. Impact on revenue.
B. Cost of eBusiness application.
C. Ping response.
D. Cost per eBusiness transaction.
Senior/executive management are only interested in measurements that show the impact on mission critical areas R1

5
The business need for asset protection is best expressed in terms of which one of the following attributes?
A. IT quality.
B. IT reliability.
C. IT integrity.
D. IT compliance.
A. quality = performance standard; B. reliability = fiduciary control; C. integrity = asset protection; D. compliance = fiduciary control. Therefore, information security is focused on asset protection R3

6
Which one of the following documents should be submitted when seeking senior management commitment for the information security program?
A. Risk assessment report.
B. Detailed list of tasks.
C. Security technology brochures.
D. Budget of known costs of security.
D is correct because cost is always an important issue for decision makers. Senior management are typically not interested in the detailed tasks, the inventory of risks or how the technology works. These activities are usually delegated. But matters of cost are rarely delegated R4

7
Which one of the following would be one of the best strategies in making a security policy effective?
A. Include users in the process of developing a security policy.
B. Calculate the cost of too little security and any inconvenience.
C. Detail the punishments for failing to comply.
D. Make the buy-in from a senior manager highly visible.
Visible actions of senior management supporting the security policy will demonstrate their clear commitment and will have the most impact in achieving the desired effectiveness. The other options, whilst useful, will not be as effective R4

8
Security management would typically report the achievements of information security initiatives in supporting the business strategy by using which one of the following measurements?
A. Time lag between detection, reporting and acting upon security incidents.
B. Reduced number of security-related service calls, change requests and fixes.
C. Customer satisfaction.
D. Number of incidents causing public embarrassment.
CobiT Management Guideline - Senior/executive management are only interested in measurements that show the impact on mission critical areas. Customer satisfaction is the most important issue listed R3

9
Awareness about information security activities is enhanced when set out clearly in which one of the following documents?
A. Organogram (organisation diagram).
B. Security standards.
C. Job descriptions.
D. Training manual.
C is correct because job descriptions that set out roles and responsibilities indicate the significance of security to the employee; it is something for which they are specifically accountable. Setting out security matters in the roles and responsibilities of staff has little to do with standards, so B is inappropriate. A may be a by-product, but would not be the objective. D is a possibility, but not as effective as job descriptions R3

10
Which one of the following is essential in securing senior management commitment and support of information security management?
A. Basing information security discussions around a plan of action.
B. Using a technical specialist to explain security properly.
C. Presenting evidence of the threats of a security breach.
D. Explaining in clear details what needs to be done, rather than why.
A is correct as senior management expect answers to any problems presented, or at least a plan to address the problem. They do not normally want to speak to specialists, nor do they appreciate hype. D is not correct as senior management are more interested in WHY something must be done, rather than with WHAT needs to be done R1

11
The most successful action for integrating information security governance into the overall enterprise governance framework is likely to be which one of the following?
A. Sending information security personnel on corporate governance training.
B. Establishing an audit committee that clearly understands its role.
C. Appointing a business manager as head of information security.
D. Combining the internal audit function with security management.
A is a possible correct answer, but in comparison to B it is inferior. D is inappropriate, and whilst C is not inappropriate it will not address the issues of better governance. B, establishing an audit committee that understands its role, is the best answer R2

12
How can the balanced scorecard technique be used for risk management?
A. Mapping IT risks to key goal indicators.
B. Relating performance indicators to outcomes.
C. Stating process outcomes as risk drivers.
D. Restating key goal indicators as risk indicators.
The balanced scorecard, as a technique, focuses on objectives and related measures. If key goal indicators have been defined to meet business objectives, then they can be restated in terms of the associated risks should the business objectives not be met R4

13
Which one of the following is a popular method of integrating information security governance into the overall enterprise governance framework?
A. Security awareness campaigns.
B. Benchmarking.
C. Centralized security administration.
D. Enterprise risk management.
Effective security is not just a technology problem, it is a business issue. Enterprise risk management will address many issues including the corporate culture, management's security consciousness and security related actions. Enterprise risk management will ensure information security, where significant, will be part of the overall governance framework R4

14
Which one of the following information criteria would be important to address enterprise executives' and directors' fiduciary responsibilities for security management?
A. Reliability.
B. Effectiveness.
C. Availability.
D. Integrity.
A. reliability = fiduciary control; B. effectiveness = performance; C. availability = security; D. integrity = security. Reliability relates to providing management with appropriate information for it to use in operating the entity, providing financial reporting information, and providing information to report to regulatory bodies with regard to compliance with laws and regulations R1

15
High-level security policies are created for which one of the following reasons?
A. Administrative.
B. Operational.
C. Tactical.
D. Strategic.
Executive management use high-level security policies to communicate their intent, commitment, and the direction activities should take - i.e. strategic R4

16
The enterprise's high-level information security policy would provide which one of the following benefits?
A. Prioritized value for information assets.
B. Guidance for screening new applicants.
C. Clarity about how to implement security.
D. Priorities regarding choice of solutions.
Statements about the value of information to the enterprise help significantly with the choices that must follow when implementing security. Since security often doesn't provide tangible benefits, a cost justification is difficult. Therefore security expenditure is best guided by policy R1

17
The primary role of a security steering committee would include which one of the following?
A. Manage the quality of security system development.
B. Authorize resources for security initiatives.
C. Perform the user acceptance tests.
D. Communicate regularly between the security personnel and the users.
Steering committee activities typically include the politicking for resources and authorizing those committed. The security steering committee is a high-level committee to facilitate the implementation of security. This committee would not be involved in the daily security management activities R2

18
Business requirements for critical systems normally require approval from the information security steering committee. Which one of the following is the primary purpose of the information security steering committee reviewing the business requirements?
A. To approve the project budget required.
B. To ensure that the system can function as intended.
C. To review the systems design documentation.
D. To help build the cost/benefit case for the design.
The steering committee's role is to ensure that information security requirements are treated as an integral part of business requirements - and are fully considered so that the system can function as intended. The project budget is not their concern. The design documentation will be reviewed by a security technical expert. Cost justification of the system design would not be the responsibility of the security steering committee R2

19
Which one of the following roles would be acceptable for the Security Administrator to perform, in addition to their normal function?
A. Database Administrator.
B. Systems Analyst.
C. Computer Operator.
D. Systems Programmer.
Often the DBA, by the nature of the job, has privileged access to data. Hence the inclusion of a responsibility for security would not normally place data under any greater threat. The other positions would increase the threat and therefore should be segregated R1

20
Who is responsible for the actual day-to-day function of protecting the data?
A. Data user.
B. Data owner.
C. Data custodian.
D. Data administrator.
Usually the data owner will delegate certain responsibilities to the data custodian R3

21
Which of the following best describes the three methods of risk assessment?
A. Accept, Mitigate, Transfer.
B. Quantitative, Qualitative, Knowledge Based.
C. People, Process, Technology.
D. High, Low, Medium.
A quantitative risk assessment is used to determine the amount of money that is at risk for assets if a threat is able to successfully attack them. This is a difficult process, but it is appropriate for high-value environments. A qualitative risk assessment ranks the threat as low, medium or high, is easier to accomplish and can identify the high risk areas. A knowledge based risk assessment requires a checklist that embodies best practice. It is the most difficult assessment to develop but can be very effective in practice R1

22
Which approach to information security management is most appropriate to achieve a high level of employee attention to establishing appropriate levels of security?
A. A formal, enterprise-wide security management and administration function.
B. Inculcating security responsibilities as part of employees' other responsibilities and duties.
C. A centralized command and control structure of roles and responsibilities for information security.
D. Creating an extra organizational unit to focus primarily on information security.
The ISF suggests that making employees aware of their information security responsibilities through their job descriptions is the best practice, although the other activities will have a positive indirect impact on employee attitudes to information security R2

23
Which one of the following is an advantage of a centralized IT security arrangement with a formal functional unit?
A. Potential for a uniform level of IT security across the enterprise.
B. Profound knowledge about security distributed across the enterprise.
C. Limitation placed on the level of bureaucracy through centralization.
D. Requirement for an enterprise-wide security policy is removed.
A centralized security management arrangement will ensure that security is implemented in a uniform manner across the enterprise. Centralization might limit the knowledge about security in distributed locations, ruling B out as an option R1

24
Which one of the following is a disadvantage of a centralized IT security arrangement with a formal functional unit?
A. Employees may be uncertain as to whom to contact about security issues.
B. Centralized control and uniform follow-up.
C. An extra organizational unit is required.
D. Dissimilar levels of security between organizational units.
A, B, and D are typical problems overcome by a centralized function. C is the correct answer as centralization will require an additional business unit R3

25
Which one of the following is a disadvantage of a centralized IT security arrangement with a formal functional unit?
A. Higher managerial effort.
B. Employees may only do what they are asked to do.
C. A uniform level of IT security might be implemented.
D. Security levels still require interpretation.
Employees may not be as motivated about security and therefore only do what they are asked to do R2

26
Which one of the following is a disadvantage of a devolved IT security arrangement with all employees being responsible for security as an integral part of their activities?
A. Dissimilar levels of security in different parts of the enterprise.
B. Lower levels of awareness about the importance of security.
C. Security will not be considered as important by employees.
D. Lack of direction as to what security is appropriate in new systems.
A is correct. There would be less of an enterprise view of security arrangements. But this should not result in a lower level of awareness, lack of significance or direction, as in a devolved situation employees should be supported through training and therefore able to fine-tune security to match precise needs R1

27
Which one of the following is a disadvantage of a devolved IT security arrangement with all employees being responsible for security as an integral part of their activities?
A. Security becomes subservient to other activities.
B. Higher managerial effort.
C. Lower personal motivation.
D. Excessive bureaucracy.
The disadvantage of devolution is an increase in managerial effort to maintain control. Security will be an integral part, and therefore not a subservient activity. Staff will be more motivated not less, and the excessive bureaucracy will be removed R2

28
When securing personally identifiable information, which one of the following is a reasonable basis to determine the level of protection required?
A. Sensitivity of the information.
B. Source of the information.
C. Cost to obtain the information.
D. Validity of the information.
A is the correct answer because the sensitive nature of the information takes precedence over source, cost or reliability R1

29
Where an organization is collecting personally identifiable information, it should be able to explain which one of the following to the individual?
A. The nature of its business in relation to its customers.
B. The purpose for which the information is being collected.
C. The enterprise business plan.
D. The business continuity planning arrangements.
Personally identifiable data should only be collected from individuals where the organization can explain the purpose for doing so. The other options are not relevant R2

30
Privacy cannot be protected without adequate network security programs, good encryption, identification programs and which one of the following?
A. User manuals.
B. Document management programs.
C. Arbitration schemes.
D. Retention of staff.
The management of business records is a critical component in ensuring privacy R2

31
The information security manager would consider insurance as a tool for which of the following objectives?
A. Protection of property.
B. Preservation of critical information.
C. Defect management.
D. Revenue growth.
Insurance has little to do with revenue or defect management. Whilst protection of property is secured through insurance, this is very much part of the normal insurance arrangements of a company. Preservation of critical information would be a core area of responsibility for information security and therefore a tool to be used to counter threats R2

32
Which one of the following activities is likely to result in reduced insurance premiums?
A. Quality assurance.
B. Recruitment practices.
C. Enterprise architecture.
D. Classification of information.
Some insurance providers provide lower insurance premiums if the organisation meets various criteria that include the classification of information, network security and business continuity planning. The other options have no relevance to insurance contracts R4

33
Which one of the following can be used to identify enterprise record keeping requirements?
A. Database management system.
B. Risk assessment.
C. Security policy.
D. System specifications.
Explanation R2

34
With whom should responsibility and accountability for record management rest?
A. Executive management.
B. A person with authority.
C. Process owners.
D. Data administration.
Specific leadership responsibility and accountability for records management should be assigned to a person with appropriate authority within the organization. Executives are responsible for supporting the application of records management policies throughout the organization R2

35
Which one of the following is most likely to influence decisions about the development and implementation of a particular business document classification tool or technique?
A. The complexity of the business activities.
B. The way business activities are performed.
C. The external threats to the enterprise.
D. The level of support given to users.
The level of support given to users will influence decisions about the development and implementation of particular classification tools. The complexity of the business activities, and the way business activities are performed, will influence the type of classification tool most suited to an organisation. C is not relevant R4

36
What is the primary driver for record retention?
A. Compliance with legislation.
B. A durable historical record.
C. Information security.
D. Data protection.
Good records are vital corporate assets and good record keeping is essential for a reliable and durable long-term historical record. Each of the other options has an impact, but the primary driver is maintaining a historical record of business activity R2

37
Which one of the following should not be included in an information security policy?
A. Senior management expectations.
B. Prescriptive information.
C. Statements of direction.
D. Clarity on accountability.
The security policy should set out senior management requirements, without detailing how they should be achieved. Business management should be allowed the choice of mechanism R4

38
Which one of the following is an effective way of tying security policy to business objectives?
A. Information classification.
B. Systems master plan.
C. Information engineering.
D. Enterprise architecture.
Information classification will enable security policies to be applied according to business priorities. The systems master plan is used to map application system development to business requirements. Information engineering is used to model information requirements across the enterprise to the information systems architecture. An enterprise architecture is a repository of information about the organisation, its information, business processes, application systems and supporting infrastructure, useful for decision making R1

39
A security architecture presupposes the existence of which one of the following?
A. Overall policy.
B. Standards.
C. Security guidelines.
D. Technical solutions.
A policy generally outlines management's desires regarding the security, continuity and control of information resources. This enables a security architecture to be crafted that describes consistently, coherently and sufficiently the design for including security mechanisms R1

40
Which one of the following is the typical objective of an information security policy?
A. To describe the restrictions on staff activities and penalties for breaches in security.
B. To provide a framework for the application of standard security controls throughout the enterprise.
C. To document top management direction on and commitment to information security.
D. To consolidate the requirements for information security from the various statutory sources.
The information security policy is used to document senior management's position on security and provide direction. It will state that a high, medium or low level of security is applicable. Security measures will be selected in response to this top management position statement on the need for information security R3

41
Which one of the following best describes the purpose of an information security architecture?
A. To provide a framework for the application of standard security controls throughout the enterprise.
B. To reduce the risk of information security being compromised by weaknesses in hardware and software.
C. To communicate how information and systems should be treated in order that attention can be focused on those that are most critical.
D. To document top management direction about, and commitment to, information security.
The information security architecture communicates the required level of security functionality that is applicable across the enterprise. B describes asset management, C describes information classification and D describes security policy R1

42
Exceeding the security budget and schedule of security projects would be typical of an enterprise at which one of the following levels of process maturity?
A. Maturity Level 1.
B. Maturity Level 2.
C. Maturity Level 3.
D. Maturity Level 4.
At maturity level 1, processes are usually ad hoc and chaotic. The organization usually does not provide a stable environment. Maturity level 1 organizations are characterized by a tendency to overcommit, and to abandon processes in time of crisis. At maturity level 2, the organization has ensured that requirements are managed and that processes are planned, performed, measured, and controlled R1

43
If success in meeting business expectations depends on the competence and heroics of the people in the organization and not on the use of proven processes, which level of maturity is the enterprise likely to be at?
A. Maturity Level 1.
B. Maturity Level 2.
C. Maturity Level 3.
D. Maturity Level 4.
This is an environment where activities are conducted in an ad hoc, chaotic environment. Maturity level 1 organizations often produce products and services that work, but only because of the efforts of the individuals employed R1

44
A process model such as CobiT has been developed based on experience that has shown the maturity level of an organization to be an indicator of which one of the following?
A. Past performance.
B. Current performance.
C. Future performance.
D. Minimum performance.
The maturity level of an organization provides a way to predict the future performance of an organization within a given discipline or set of disciplines. Empirical studies of the Software Engineering Institute prove this. The other choices are not feasible R3

45
When focused on process improvement, organizations do their best in which one of the following instances?
A. Align their efforts with their current process area capabilities.
B. Focus on maximizing process area sophistication rapidly.
C. Focus their efforts on a manageable number of process areas.
D. Plan the increased sophistication around current demands.
Experience has shown that organizations do their best when they focus their process-improvement efforts on a manageable number of process areas that require increasingly sophisticated effort as the organization improves R3

46
If the assessment of risk is a standard procedure and exceptions to following the procedure would be noticed by IT management, the process capability is likely to be assessed according to the CobiT model at which one of the following levels?
A. Defined Process.
B. Initial/Ad hoc.
C. Managed and Measurable.
D. Repeatable but intuitive.
At Level 4 (Managed and Measurable) control is established using statistical and other quantitative techniques and therefore exceptions will be easily detected R3

47
Which of the CobiT processes listed below are most directly related to the management of information security?
A. Manage quality.
B. Define the organizational relationships.
C. Assess risks.
D. Assess internal control adequacy.
Information security is a response to managing risks and therefore C is the correct answer. A and B are clearly incorrect, whilst D is indirectly relevant to security R3

48
What is the basic premise of CobiT when it comes to achieving enterprise needs?
A. Process capability is required in 34 processes.
B. Key performance indicators must balance key goal indicators.
C. Key goal indicators must balance four key perspectives of the enterprise.
D. IT needs to deliver the information that the enterprise needs.
At the core of CobiT is the understanding that IT delivers value to the business through the information it produces. Information that is late or unreliable has little value R4

49
If an organization considers IT risks in an ad hoc manner, without following defined processes or policies, it will be assessed at which level of process maturity?
A. Maturity level 1.
B. Maturity level 2.
C. Maturity level 3.
D. Maturity level 4.
At Maturity level 1 it is an environment where activities are conducted in an ad hoc, chaotic manner. Maturity level 1 organizations often produce products and services that work, but only because of the efforts of the individuals employed R1

50
If responsibilities for continuous service are informal, with limited authority, and management is only now becoming aware of the risks related to, and the need for, continuous service, then the process capability will be assessed at which one of the following levels?
A. Defined Process.
B. Initial/Ad hoc.
C. Managed and Measurable.
D. Repeatable but intuitive.
According to the IT Security Governance Maturity Model, at level 2 responsibilities and accountabilities for IT security are assigned to an IT security coordinator with no management authority. At level 1 responsibilities for continuous service are informal, with limited authority. Management is becoming aware of the risks related to and the need for continuous service R2

51
At which maturity level would processes be well characterized and understood, and described in standards, procedures, tools, and methods?
A. Maturity Level 1.
B. Maturity Level 2.
C. Maturity Level 3.
D. Maturity Level 4.
At maturity level 3, processes are well characterized and understood, and are described in standards, procedures, tools, and methods. Standards are the first level above having properly defined procedures, which is maturity level 2 R3

52
At which process maturity level would the process disciplines help ensure that existing practices are retained during times of stress?
A. Maturity Level 1.
B. Maturity Level 2.
C. Maturity Level 3.
D. Maturity Level 4.
The process discipline reflected by maturity level 2 helps to ensure that existing practices are retained during times of stress. When these practices are in place, projects are performed and managed according to their documented plans R2

53
At which level of maturity would an organization have a set of standard processes for security awareness briefings that have been established and improved over time so that these standard processes can be used to establish consistency across the organization?
A. Maturity Level 1.
B. Maturity Level 2.
C. Maturity Level 3.
D. Maturity Level 4.
The organization's set of standard processes, which is the basis for maturity level 3, is established and improved over time. These standard processes are used to establish consistency across the organization. Projects establish their defined processes by tailoring the organization's set of standard processes according to tailoring guidelines R3

54
Which one of the following statements about the information security architecture is least likely to be correct?
A. It contains the detailed specifications, procedures, guidelines, standards and job descriptions for security management.
B. It describes the form, appearance, function and location of information security processes.
C. It provides a common basis for the design, development, implementation and management of the information security process.
D. It provides the basis on which the enterprise technology architecture will be selected and implemented.
The information security architecture is a high-level document that describes the form of security processes, provides a common basis for design, and is used to select technology R1

55
At which level of process capability would high-availability components and system redundancy be applied, albeit piecemeal?
A. Defined Process.
B. Initial/Ad hoc.
C. Managed and Measurable.
D. Repeatable but intuitive.
According to the IT Security Governance Maturity Model, at level 2 reporting on system availability is incomplete and does not take business impact into account. At level 3 high-availability components and system redundancy are being applied piecemeal R1

56
At which level of the IT Security Governance maturity model are user identification, authentication and authorization standardized across the enterprise?
A. Defined Process.
B. Initial/Ad hoc.
C. Managed and Measurable.
D. Repeatable but intuitive.
According to the IT Security Governance Maturity Model, at level 4 user identification, authentication and authorization are standardized enterprise-wide R3

57
ISO 17799 is intended to serve as a single reference point for identifying the range of controls needed by business. At what size of enterprise is ISO 17799 specifically targeted?
A. Small.
B. Medium.
C. Large.
D. All.
ISO 17799 (based on part one of BS 7799) is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce. It is suitable for use by any size of organization R4

58 58
The 'balanced scorecard' technique can be used by Security
management for which one of the following purposes?
A. Strategic alignment.
B. Risk assessment.
C. Internal control design.
D. Process capability improvement.
The balanced scorecard technique is used to align activities with strategic
objectives. Within security management the balanced scorecard is used for
strategic alignment with business goals R1

59 59
A business that is planning to use the Web to improve and/or integrate
core business processes internally would typically require which one of
the following sets of security measures?
A. Basic firewall, anti-virus and e-mail password protection, privacy
policy, Web notification of privacy policy.
B. Demilitarized zone; identification, authentication and authorization at
the Web and application levels; intrusion detection; transaction
encryption; basic administration, privacy notice containing procedures
for data handling.
C. Well-defined policies; centralized identification, authentication,
authorization and management for all systems, data and applications;
data encryption; privacy 'contracts'.
D. Integration of administration; identification, authorization and
authentication schemes for data and applications; cross-enterprise
trust; privacy 'contracts'.
Security requirements need to include centralized authentication and
authorization for all systems and applications. Currently available security
management products allow centralized, controlled access to applications based
on security and privacy policies that define user and group job functions (roles),
together with systems that centrally monitor security events across the enterprise
so that suspicious activity can be identified more readily and acted upon.
Standardization of security products, interfaces and protocols is important for
application integration R3

60 60
ISO 17799 is best described by which one of the following statements?
A. A collection of baseline information security procedures.
B. As a starting point for developing organisation specific guidance.
C. A comprehensive set of security measures and controls to follow.
D. A standard that is only applicable to large enterprises.
ISO 17799 is a starting point for developing organisation specific guidance. Not
all the guidance and controls in the code of practice may be applicable and other
controls, not included, may be necessary. It is applicable to enterprises both large
and small. It is not a baseline, nor is it comprehensive R2

11
Which enterprise business processes should the information security
manager understand?
A. All processes.
B. Internal process.
C. External processes.
D. Critical processes.
The information security manager should understand the critical business
processes and the information resources on which each of them depends. This
will ensure that the security implemented matches the business requirement R4

22
In assessing risks, it is most important for the information security
manager to commence with an analysis of which one of the following?
A. Project objectives.
B. Control objectives.
C. Business objectives.
D. Quality objectives.
There is a direct relationship between business objectives, which are what an
entity strives to achieve, and the enterprise risk management components.
Effective enterprise risk management helps management achieve business
objectives. But enterprise risk management, no matter how well designed and
operated, does not ensure an entity's success R3

33
A continuous approach to risk management will be focused on which
one of the following?
A. Events and impacts.
B. Metrics and monitoring.
C. Response and controls.
D. Objectives and threats.
Whilst all are components of enterprise risk management, metrics and monitoring
will be the foundation for continuous management of risks R2

44
As computing in distributed environments, processes and systems
evolve, people with limited experience and knowledge may be
unfamiliar with risk management, security and controls. An effective
approach to managing life cycle processes is to integrate risk
management with which one of the following?
A. Access control.
B. Systems analysis.
C. Change management.
D. Schedule of authority.
Integrating risk management with change management will ensure that effective
control over life cycle approaches is implemented R3

55
What would be one of the benefits from a risk analysis exercise?
A. A better understanding of what the enterprise is trying to protect.
B. Knowing what a hacker may try to target.
C. Determining the steps that might be used to penetrate a system.
D. Better coordination between security personnel.
A risk analysis is used to obtain a better understanding of the significance of
threats and vulnerabilities to what the enterprise is trying to protect R1

66
Which one of the following is an essential part of the information
security life cycle?
A. Feasibility study.
B. Incident response.
C. Construction.
D. Penetration testing.
The information security life cycle consists of countermeasures, detection and
incident response R2

77
Which one of the following is a resource attribute used by the
information security manager for purposes of information
classification?
A. Technical complexity.
B. Level of control.
C. Level of financial loss.
D. Level of sensitivity.
A, B and C are valuation methodologies, not information classification schemes,
which D is R4

88
In which one of the following SDLC phases are risks identified?
A. Initiation.
B. Development or Acquisition.
C. Implementation.
D. Operation.
Risk should be identified at the time of acquisition or development, as this is the
time to develop countermeasures R2

99
A security concept of operations (strategy) is developed in which one
of the following SDLC phases?
A. Initiation.
B. Development or Acquisition.
C. Implementation.
D. Operation.
The security strategy has to be decided upfront as it will impact all the
subsequent phases of the SDLC R1

10 10
A security threat is best described by which one of the following
statements?
A. A source that can trigger a security vulnerability.
B. A weakness in an operating platform or system.
C. An adverse impact of a security event.
D. A breakdown in a countermeasure.
A threat is a source (an agent or event) that can exploit a vulnerability. A
weakness in an operating system is a vulnerability, and suitable controls may
remove it. An adverse impact is the result of a threat being realized, and a
breakdown in a countermeasure is a control failure. It is the pairing of a threat
with a vulnerability that gives rise to risk R1

11 11
The most appropriate criteria for an information classification exercise
is which one of the following?
A. Organizational structure.
B. Sensitivity.
C. Information risk.
D. Business process.
Information and systems should be classified according to their criticality,
sensitivity, and vulnerability to particular threats; take account of the business
impact of a loss of confidentiality, integrity and availability; apply to all information
in electronic and paper form, all software and hardware, and to services provided
by external parties; be applied to new systems at their development stage, as
well as to established systems; provide guidance on how to resolve conflicting
classifications R2

12 12
A mandatory access control mechanism is based on which one of the
following?
A. Information value.
B. User privileges.
C. Sensitivity labels.
D. System classification.
Sensitivity labels are associated with mandatory resource protection measures
that secure all resources with a particular label to the same extent R3

13 13
Who is responsible for changes to the IT systems?
A. Senior management.
B. Information owners.
C. Security practitioners.
D. Chief information officer.
Normally the system and information owners are responsible for changes to their
IT systems. Thus, they usually have to approve and sign off on changes to their
IT systems (e.g., system enhancement, major changes to the software and
hardware) R2

14 14
Who normally has primary responsibility for determining the
information's sensitivity or classification levels?
A. Data user.
B. Data base administrator.
C. Data owner.
D. Security management.
Data owners have primary responsibility for determining the information's
classification as they best understand the impact on the business if there is a
security breach R3

15 15
Which one of the following is an example of a primary threat to
confidentiality?
A. Computer viruses.
B. Circumvention of access privileges.
C. Manipulation of job streams.
D. Communication link failure.
Circumventing access privileges will result in access to protected data, causing a
loss of confidentiality R2

16 16
Information classification schemes are used for which of the following
purposes?
A. Establish technical complexity.
B. Design a security program.
C. Determine levels of financial loss.
D. Understand information resources.
An information classification scheme is used by an information security manager
to better design and implement a security program across an enterprise R2

17 17
How would information classification result in a reduction of the risk of
over protecting information resources?
A. It relates security to technical capability.
B. It relates security to levels of control.
C. It relates security to process complexity.
D. It relates security to business objectives.
Through the focus on business needs, the risk of over protecting information
resources can be reduced. It is based on the assumption that not all information
is worth the same level of protection R4

18 18
Which one of the following is an example of a preventative control?
A. Integrity check.
B. Control total.
C. Data backup.
D. Exception reporting.
An integrity check such as auto-generation or range validation is a preventative
control. Control totals are detective controls, as are exception reports. Data
backup is a corrective control R1

19 19
What is one of the primary reasons for documenting the analysis of
requirements for availability, confidentiality and integrity?
A. Develop a cost/benefit justification.
B. Prepare a solutions proposal.
C. Form a basis for subsequent review.
D. Outline the controls required.
The impact analysis regardless of how detailed, at least provides the basis for
any subsequent review. The other options are inappropriate at this stage R3

20 20
The single most significant benefit of performing a vulnerability
assessment in most instances is risk management. Which one of the
following is the most likely follow-on activity from a vulnerability
assessment?
A. If controls are weak, they can be improved.
B. If the impact is high, it can be reduced.
C. If threats are unknown, they can be quantified.
D. If the risks are inherent, they can be mitigated.
A is correct, because normally one responds to a situation of weak controls by
improving on the strength. It is not always easy to change the impact directly, nor
is it easy to quantify threats. Inherent risks cannot be mitigated, but are part of
doing business R1

21 21
How would a security manager best determine if the baselines for
security are acceptable at their individual organization?
A. Perform a risk assessment.
B. Discuss with the vendors.
C. Examine industry best practice.
D. Review past audit reports.
A risk assessment will enable the security manager to determine whether or not
security processes and procedures above the baseline are necessary R1

22 22
Which one of the following is an example of a detection control?
A. Message authentication.
B. Power supply protection.
C. Terminal time-out.
D. Checksum.
D is the only detective control: a checksum reveals, after the fact, that data has
been altered. Message authentication and terminal time-out are preventative
controls, and power supply protection is a physical mechanism to ensure
availability R4
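The distinction drawn in questions 18 and 22, between a preventative control that stops bad data from entering and a detective control that reveals a change after the fact, is easier to see in working code. The Python below is an added illustration, not part of the original question set: the payment records, the permitted range and the shared checksum key are all constructed for the example.

```python
"""Preventative vs detective integrity controls over a batch of payment records.

Added illustration; the records and the key below are constructed sample data.
"""
import hashlib
import hmac

# Assumed shared secret for the keyed checksum (illustrative value only)
CHECKSUM_KEY = b"assumed-demo-key"


def validate_amount(amount_cents: int, low: int = 1, high: int = 1_000_000) -> bool:
    """Preventative control: range validation at input time. A record outside
    the permitted range is rejected before it is ever stored."""
    return isinstance(amount_cents, int) and low <= amount_cents <= high


def accept_batch(records):
    """Apply the preventative control; return (accepted, rejected)."""
    accepted, rejected = [], []
    for rec in records:
        (accepted if validate_amount(rec["amount_cents"]) else rejected).append(rec)
    return accepted, rejected


def control_total(records) -> int:
    """Detective control: a control total taken when the batch is sealed."""
    return sum(r["amount_cents"] for r in records)


def checksum(records) -> str:
    """Detective control: keyed checksum (HMAC-SHA256) over a canonical
    serialisation of the accepted batch. It does not stop a change, but
    reveals one later."""
    canon = "\n".join(f'{r["id"]}:{r["amount_cents"]}' for r in records).encode()
    return hmac.new(CHECKSUM_KEY, canon, hashlib.sha256).hexdigest()


def detect_tampering(records, expected_total, expected_checksum):
    """Return a list of findings; an empty list means the batch is as sealed."""
    findings = []
    if control_total(records) != expected_total:
        findings.append("control total mismatch")
    if not hmac.compare_digest(checksum(records), expected_checksum):
        findings.append("checksum mismatch")
    return findings


def demo():
    batch = [  # constructed sample input
        {"id": "p1", "amount_cents": 12_500},
        {"id": "p2", "amount_cents": 0},          # out of range: rejected up front
        {"id": "p3", "amount_cents": 40_000},
    ]
    accepted, rejected = accept_batch(batch)
    total, seal = control_total(accepted), checksum(accepted)
    # Later, money is moved between records: the control total still matches
    tampered = [dict(r) for r in accepted]
    tampered[0]["amount_cents"] -= 10_000
    tampered[1]["amount_cents"] += 10_000
    return {
        "rejected": [r["id"] for r in rejected],
        "clean": detect_tampering(accepted, total, seal),
        "tampered": detect_tampering(tampered, total, seal),
    }


if __name__ == "__main__":
    print(demo())
```

The control total is also detective, but it is blind to a transfer between records that leaves the sum unchanged; the keyed checksum catches that case, which is why a checksum is the stronger of the two detective controls.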

23 23
Which one of the following activities would occur first in a process to
mitigate inherent risks to acceptable levels across the enterprise?
A. Impact assessment.
B. Develop a risk response.
C. Understand business objectives.
D. Event identification.
Whilst all are part of the enterprise risk management process, the order is
objectives, events, impact, response. C is therefore correct R3

24 24
Proponents of qualitative risk analysis would argue which of the
following points to be true?
A. Risk analysis is essential for determining countermeasures.
B. Risk analysis implies a precision that does not exist.
C. Risk analysis is the process to gather detailed metrics about
security concerns.
D. Risk analysis implies a high level of precision is required.
Proponents of qualitative analysis argue that quantitative risk analysis is too
subjective to be meaningful and that it is not possible to make the calculations
with any real precision, since much of the input is 'guesstimate' R2

25 25
The risk assessment methodology needed to determine whether
certain vulnerabilities are present, will be affected by which one of the
following?

A. The expected size of the vulnerability in relation to the entity.
B. The size of the entity and number of people employed.
C. The nature of the IT system and the phase of the SDLC it is in.
D. The number of weaknesses that can be exploited.
The existence of vulnerabilities will be most affected by the nature of the IT
systems and/or the phase of the SDLC. The other options will not have an impact
on the methodology used R3

26 26
When performing a risk analysis, the annual rate of occurrence is
calculated from which one of the following?
A. Risks.
B. Vulnerabilities.
C. Threats.
D. Values.
The annual rate of occurrence is an estimate of how often a given threat is
expected to materialize in a year, so it is derived from threat frequency. The value
of the assets that can be lost determines the single loss expectancy, and the two
are multiplied to give the annualized loss expectancy R3

27 27
A security concept of operations (strategy) is developed in which one
of the following SDLC phases?
A. Initiation.
B. Development or Acquisition.
C. Implementation.
D. Operation.
The security strategy has to be decided upfront as it will impact all the
subsequent phases of the SDLC R1

28 28
How are recovery time objectives calculated?
A. Average time a vendor takes to replace a failed component.
B. Full-time equivalents for staffing resources essential to recovery
effort.
C. Extent of downtime a business unit can endure.
D. Time from initial system failure to full recovery.
Recovery time objectives are determined from the business' dependence on the
information systems - the extent of downtime that can be endured R3

29 29
Which one of the following is an example of a threat to integrity?
A. Suppression of input documents.
B. Interception of communication links.
C. Circumvention of access privileges.
D. Network malfunction.
A relates specifically to data being manipulated, in this case by being suppressed
R1

30 30
Experience has shown that a short recovery time objective will result in
which one of the following being true?
A. A higher cost of recovery.
B. An easier approach for recovery.
C. A lower cost of recovery.

D. Fewer tasks being needed for recovery.
A short recovery time objective requires specialized approaches for recovery and
comes at a higher cost R1

31 31
Which one of the following is used to establish the vulnerability of an
enterprise?
A. The value of the asset.
B. The absence of a safeguard.
C. The size of the risk.
D. The number of threats.
Vulnerability is related to a risk that can be countered. The absence of a
safeguard causes the vulnerability R2

32 32
Which one of the following is a typical method used to determine
whether system vulnerabilities are present?
A. Staff surveys.
B. External vulnerability sources.
C. Vendor documentation.
D. Internal audits.
External sources that maintain databases of information are typical places to
obtain information about vulnerabilities R2

33 33
Which one of the following is required before the potential losses
incurred during the realization of a threat can be estimated?
A. Common asset valuation process.
B. Countermeasure design process.
C. Standardized vulnerability labels.
D. Threat ranking methodology.
Potential losses can only be determined if you have an idea of the asset values
R1

34 34
Quantitative risk analysis is less likely to include which one of the
following characteristics?
A. Cost/benefit analysis.
B. Financial hard costs.
C. Automated method.
D. Guesswork.
Quantitative analysis is intended to reduce the guesswork often found in risk
analysis R4
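Questions 26, 33 and 34 rest on the quantitative risk formulas: single loss expectancy is asset value times exposure factor, the annual rate of occurrence is the expected threat frequency, and their product is the annualized loss expectancy. The Python below is an added worked example, not part of the original page; the scenarios, asset values, exposure factors, frequencies and the control cost are constructed figures.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and a cost/benefit check for a
countermeasure. Added example; every figure below is constructed, not survey data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: what the asset is worth to the business
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0..1)
    aro: float              # ARO: expected occurrences per year (threat frequency)


def sle(s: Scenario) -> float:
    """Single loss expectancy: AV x EF. Needs an asset valuation (question 33)."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized loss expectancy: SLE x ARO. The ARO comes from threat
    frequency (question 26), not from the asset value."""
    return sle(s) * s.aro


def control_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net annual benefit of a control: ALE reduction minus its annual cost.
    A positive result means the control pays for itself."""
    return ale(before) - ale(after) - annual_control_cost


def worst_first(scenarios):
    """Rank scenarios by ALE so the largest expected loss is treated first."""
    return sorted(scenarios, key=ale, reverse=True)


def demo():
    # Constructed scenarios (hypothetical figures)
    ransomware = Scenario("ransomware on file server", 2_000_000, 0.35, 0.5)
    laptop_theft = Scenario("unencrypted laptop theft", 50_000, 1.0, 3.0)
    # Candidate control: offline backups cut the exposure factor, not the ARO
    ransomware_with_backups = Scenario(
        ransomware.name, ransomware.asset_value, 0.05, ransomware.aro)
    return {
        "ale_ransomware": ale(ransomware),
        "ale_laptop": ale(laptop_theft),
        "priority": [s.name for s in worst_first([laptop_theft, ransomware])],
        "backup_net_benefit": control_value(ransomware, ransomware_with_backups, 60_000),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The last entry is the cost/benefit test from question 34: a control is worth buying only while the ALE it removes exceeds its own annual cost, and the inputs are exactly the hard financial figures the quantitative approach depends on. Note that the backup control changes the exposure factor and leaves the ARO alone; a control that lowers threat likelihood would change the ARO instead.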

35 35
Which one of the following would be the primary purpose of performing
a gap analysis to assess generally accepted standards of good
practice for information security management against the current state?
A. Benchmark against similar enterprises in the same and other
industries.
B. Develop a set of action plans to recommend to management.
C. Establish a baseline for measuring progress in the future.
D. Institute a programme of continuous process improvement.
B and D are not correct, as a gap analysis on its own would provide insufficient
information. Whilst benchmarking would be of interest, the primary purpose of the
gap analysis is simply to establish a point of reference against which to assess
again in the future R3

36 36
The current status of process capability is determined from which one
of the following?
A. Maturity scale.
B. Gap analysis.
C. Benefits analysis.
D. Risk assessment.
An information security governance maturity model is scale for scoring the
current status of a process. Gap analysis is used to determine where you want to
be, benefits analysis is used to prioritize the initiatives. A risk analysis is a base
practice and not an indicator of process capability R1

37 37
Which one of the following would be used to determine process
capability targets?
A. Maturity scale.
B. Gap analysis.
C. Benefits analysis.
D. Risk assessment.
An information security governance maturity model is scale for scoring the
current status of a process. Gap analysis is used to determine where you want to
be, benefits analysis is used to prioritize the initiatives. A risk analysis is a base
practice and not an indicator of process capability R2

38 38
Which one of the following would be used to priorities security
initiatives?
A. Maturity scale.
B. Gap analysis.
C. Benefits analysis.
D. Risk assessment.
An information security governance maturity model is scale for scoring the
current status of a process. Gap analysis is used to determine where you want to
be, benefits analysis is used to prioritize the initiatives. A risk analysis is a base
practice and not an indicator of process capability R3

39 39
Which of the following is the biggest advantage of the risk assessment
approach over the baseline approach to information security
management?
A. At least some protection is available for all resources.
B. It ensures that the resources are not over protected.
C. It is an easier approach to implement.
D. The level of protection is matched to known threats.
The baseline approach ensures a particular level of control across the
environment. Using a risk assessment enables a priority to be established, so the
most likely targets are protected first and to a degree appropriate to the threat R2

40 40
Which choice below most accurately reflects the goals of risk
mitigation?
A. Defining the acceptable level of risk the organization can tolerate,
and reducing risk to that level.
B. Analyzing and removing all vulnerabilities and threats to security
within the organization.
C. Determining all the threats to the business and transferring them to
other organizations.
D. Analyzing the effects of a business disruption and preparing the
company's response.
Risk mitigation is about reducing the inherent risk of being in business to
acceptable levels that match the revenue generated R1

41 41
Which of the following is an error correction control relating to the
raising of source documents?
A. A bank teller recording separately the total number of checks
deposited.
B. Pre-formatted deposit slips to be used by a bank customer.
C. Dual custody of details about the deposit.
D. Recording the depositor's personal details.
The depositor's personal details are what make error correction possible, since
an erroneous deposit can then be traced back to its source R4

42 42
Which one of the following is the appropriate document to describe risk
mitigation strategies?
A. Risk analysis.
B. Information security policy.
C. Information security architecture.
D. Information classification scheme.
The information security architecture describes the enterprise-wide functionality
of the security solutions to be deployed, i.e. the strategic risk mitigation choices
R3

43 43
The risk remaining after the implementation of new or enhanced
controls is often described as which one of the following?
A. Mitigated risk.
B. Residual risk.
C. Transferred risk.
D. Control risk.
Inherent risk is a result of the business activities. Through appropriate
countermeasures inherent risks are reduced, the result being the residual risk R2

44 44
A good risk mitigation strategy to start with against potential human
threats when a vulnerability or flaw exists is which one of the following?
A. Decrease the likelihood of the vulnerability being exercised.
B. Minimize the risk of occurrence.
C. Decrease attackers' motivation.
D. Reduce potential for loss.
When a vulnerability (or flaw, weakness) exists: implement assurance techniques
to reduce the likelihood of the vulnerability being exercised. When a vulnerability
can be exercised: apply layered protections, architectural designs and
administrative controls to minimize the risk of, or prevent, this occurrence. When
the attacker's cost is less than the potential gain: apply protections that decrease
the attacker's motivation by increasing the attacker's cost (e.g., system controls
such as limiting what a user can access and do can significantly reduce an
attacker's gain). When the loss is too great: apply design principles, architectural
designs, and technical and non-technical protections to limit the extent of the
attack, thereby reducing the potential for loss R1

45 45
When selecting a risk mitigation solution the security manager will take
which of the following into account?
A. A balance between costs of the security solution and risks to the
resources.
B. A mix between security solutions to maximise effectiveness against
the risks.
C. A combination of vendor opinion and security management
preferences.
D. Preferred solutions identified in any of the past internal or external
audit reports.
The security manager must balance the cost of the security technique against
the risks to the information resources R1

46 46
Which one of the following should receive greatest weighting when
selecting a security solution?
A. Sensitivity analysis.
B. Cost/benefit analysis.
C. Risks to information resources.
D. Executive management directive.
Executive management determines the risk profile for the enterprise based on
its perception of the balance between risk and reward for the benefit of the
stakeholders R4

47 47
Which of the following is the biggest actual threat to information
systems?
A. Hackers.
B. Employees.
C. Industrial espionage.
D. Viruses.
Recent surveys continue to show that the real threat is from internal sources:
employees, primarily as a result of errors R2

48 48
Which one of the following is an acceptable technique for assigning
value to resources?
A. Technical complexity.
B. Executive management directive.
C. Level of control procedures.
D. A combination of the above.
In practice, security managers use a combination of these techniques R4

49 49
Which one of the following is the preferred approach for a security
manager to adopt in determining that the level of security is appropriate?
A. Industry standard baselines.
B. Risk assessment.
C. Vendor recommendations.
D. Benchmarking.
A risk-based approach will ensure that the specific threats to the enterprise are
addressed, whilst the other approaches address only general concerns R2

50 50
Which one of the following is the most significant benefit from setting
baselines for security over an enterprise's information?
A. Accuracy.
B. Effectiveness.
C. Standardization.
D. Quality.
Baselines provide a level of standardisation around what has been mutually
agreed between industry security professionals, vendors and auditors R3

51 51
What is considered to be the major benefit of an automated risk
analysis product?
A. Database of vulnerabilities.
B. Database of threats.
C. Minimal effort to rerun the analysis.
D. Ability to handle complex calculations.
Whilst an automated tool often comes with a database of information, this may
not be entirely relevant. Consequently, it should be used with care. What is of
benefit is that once the database is set up, the analysis can be re-run with
minimal effort R3

52 52
Why is risk management an important senior management
responsibility?
A. They are responsible for business operations and the IT procurement
process.
B. They are responsible for ensuring that proper controls are in place
to address integrity.
C. They must operate under a standard of due care and with ultimate
responsibility for mission accomplishment.
D. They are responsible for budgeting and performance.
Executive management is required to manage with appropriate skills and with
due care - not negligently R3

53 53
What is the typical output of a risk assessment?
A. An inventory of risks that may impact the enterprise.
B. Documented threats to the enterprise.
C. Evaluation of the consequences to the entity.
D. A list of appropriate controls for reducing or eliminating risk.
The output of a risk assessment should be a list of countermeasures to reduce
risk to acceptable levels R4

54 54
Which one of the following is a popular technique used to report the
status of identified risks?
A. Gantt chart.
B. Heat map.
C. PERT diagram.
D. Critical path analysis.
Heat maps use the colours red, amber and green to illustrate how serious each
concern is to management R2

55 55
Which one of the following statements about information classification
is true?
A. Security and availability have interchangeable characteristics.
B. Information classification is a business decision process.
C. Information classification is a technical process best left to security
specialists.
D. The greater the number of information classification categories the
better.
The decisions about classification are based on business requirements for
different protection levels. The fewer the categories the better R2

56 56
It is good practice that the security classification be undertaken by:
A. Business managers.
B. Security officer.
C. Individuals responsible for the information.
D. IT management.
The decisions about classification are based on business requirements for
different protection levels, so they should be made by the individuals
responsible for the information, i.e. its owners R3

57 57
Scientific processes for risk management, based on probabilities, risks
and threats, can prove impractical due to a shortfall in which one of the
following?
A. Experience.
B. Budget.
C. Tools.
D. People.
Available budget is often limited; consequently only the most critical risks can
receive attention R2

58 58
Criticality of information systems is measured on two scales: tolerable
period of outage and which one of the following?
A. Tolerable period to recover systems.
B. Tolerable period to relocate.
C. Tolerable period to recover backup systems.
D. Tolerable period to overcome backlog of transactions.
The transaction backlog that builds up during an outage can often be crippling
once service is restored. Managing the backlog down to zero may be very
difficult R4

11
In planning for physical security, a series of barriers at different points
may be considered. Each level of physical protection should have:
A. Different points of entry to distribute the risk of penetration.
B. A published statement of activity within each perimeter.
C. Colour coded documentation for each protection level.
D. A defined security perimeter with consistent protection.
D is correct since consistent protection on the perimeter is essential - security
breaches will occur at the weakest points, and therefore security is only as good
as the weakest link. A, B and C all have the opposite condition as being true R4

22
IT security practitioners (e.g., network, system, application and
database administrators; computer specialists; security analysts;
security consultants) are responsible for which one of the following
security related activities?
A. Mission accomplishment.
B. Risk management.
C. Planning, budgeting, and performance measurement.
D. Proper implementation of security requirements in their IT systems.
Security practitioners are expected to focus on the proper implementation of
security requirements in their IT systems. Security management and business
management will focus on the other activities listed R4

33
A discretionary access control mechanism is based on which one of
the following?
A. Information value.
B. File permission sets.
C. Sensitivity labels.
D. System classification.
Discretionary access control is often in the form of access control lists associated
with files - i.e. file permission sets R2

44
An information security manager who is about to plan an upgrade of
network security would require which one of the following first?
A. Site diagnostic and survey.
B. Service level agreement.
C. High-level diagnostic and review.
D. Implementation plan.
The high-level diagnostic is used to plan the more detailed site diagnostic and
surveys, which would be followed by an implementation plan to improve security
and a service level agreement to maintain security R3

55
The best justification for the implementation of baseline security
controls is which one of the following?
A. Specified by vendors.
B. Designed by experts.
C. Successful common practice.
D. Comprehensive by nature.
C is correct, as baseline controls are based on good practice. They are not
sourced from vendors or experts, and baseline controls are not intended to be
comprehensive R3

66
Baseline security controls can be used best for which one of the
following activities?
A. Securing unstable environments.
B. Strengthening security standards.
C. Detailing security implementation tasks.
D. Establishing a corporate security policy.
B is correct, as the baseline sets the common level of standards that is typically
attained; it is a way to get going quickly with security implementation. Unstable
environments would need careful assessment and specific controls identified.
Detailing security implementation tasks, or first defining policy, are more thorough
but time-consuming approaches R2

77
Which one of the following is the best metric to manage the information
security program(me)?
A. Number of systems subject to intrusion detection.
B. Number of recorded deviations from minimum information security
requirements.
C. Amount of downtime caused by security incidents.
D. Time lag between detection, reporting and acting upon security
incidents.
The number of systems subject to intrusion detection says nothing about the
quality of security management; it reflects the enterprise's exposure. The amount
of downtime is a measure of the scale of the threat. The time lag is a measure of
the responsiveness of the security team. The number of deviations from the set
requirements, however, correlates directly with the quality of the security
programme R2

88
Baseline security measures are used to address which one of the
following:
A. Specific business needs.
B. Common control requirements.
C. Particular risk profiles.
D. A minimum level of loss.
B is the correct answer because baseline controls result from a set of common
control requirements developed through the collaborative efforts of companies
with similar interests. A baseline does not address specific needs, nor does it
address particular risk profiles, nor does it relate to a minimum level of loss. It
addresses a common requirement R2

9
Which one of the following is an example of a preventative technical
control?
A. Non-repudiation.
B. Internal audit.
C. Restore secure state.
D. Intrusion detection.
Non-repudiation is a preventative control associated with authentication R1

10
What would be the purpose of an enterprise's Board setting direction
for information security, driving policy and information security
strategy?
A. Developing a mission statement.
B. Defining an enterprise risk profile.
C. Allocating accountability.
D. Selecting specific security solutions.
The Board would be setting out the enterprise's appetite for risk, i.e. its risk
profile R2

11
Formal standards / procedures should be driven by business
requirements and focused on issues that:
A. Cause the enterprise the most harm.
B. Cause the least concern.
C. Cause customers the most satisfaction.
D. Cause the least vulnerability.
Formal standards / procedures should be driven by business requirements,
based on practical experience and focused on issues that cause the most harm
R1

12
Which one of the following statements about the information security
architecture is least likely to be correct?
A. It provides a framework to produce high level policy statements and
strategies, detailed specifications, guidelines, standards and job
descriptions.
B. It describes the form, appearance, function and location of
information security processes.
C. It provides a common basis for the design, development,
implementation and management of the information security process.
D. It provides the basis on which the enterprise technology architecture
will be selected and implemented.
D is the correct answer. Security architecture does not normally determine the
technology architecture. Security is derived from technology. A, B and C are all
true statements about security architecture R4

13
The security administration effort will be greatly reduced through the
deployment of which one of the following techniques?
A. Discretionary access control.
B. Access control lists.
C. Role-based access control.
D. Mandatory access control.
Role-based access control is correct because it separates individuals from roles
and ties access to specific roles. This reduces the security administration effort
when individuals change positions within the enterprise. A, B and D are normally
associated with the identity of individuals, creating a much more challenging
administration environment R3

14
Formal standards / procedures should be driven by business
requirements, but based on:
A. User requests.
B. Industry expert advice.
C. Management opinion.
D. Practical experience.
Formal standards / procedures should be driven by business requirements,
based on practical experience and focused on issues that cause the most harm
R4

15
Which one of the following is an example of an information security
governance best practice?
A. Management has addressed the interconnectivity of systems.
B. Minimal involvement of the Board in risk management processes.
C. The Board has established ownership for security and continuity
with enterprise managers.
D. IT security issues are kept separate from business issues.
B and C are potential governance issues, but B is incorrect, making C the only
correct answer R3

16
Which one of the following is an example of an information security
governance best practice?
A. Management has standardised on one anti-virus solution.
B. Management maintains a record of security personnel overtime
charges.
C. Management receives regular reports on the number of security
incidents occurring.
D. Management has a view on how much the enterprise should invest
in IT security improvements.
Only D is a governance issue; the rest are operational concerns R4

17
At what stage during the system development life cycle would the
verification of security controls take place?
A. Solution definition.
B. Construction.
C. Implementation.
D. Post-implementation.
During the Construction phase testing takes place. This is when controls would be
verified. The other phases are inappropriate times for verification R2

18
Which one of the following items would be a key deliverable from the
project planning phase of the security implementation plan?
A. Detailed description of business processes and data model.
B. Initial security rating for availability, confidentiality and integrity
requirements.
C. Description of the system-specific controls to be developed.
D. Definition of tests to be carried out on all controls.
During the project planning phase it is most likely that only provisional
information, such as initial security ratings, is available. During later phases
business process modelling is done, system-specific controls are identified and
testing is performed R2

19
Why is it important that the awareness of security baselines is
integrated in the design and management of security for business
applications and the infrastructure?
A. It removes the need to document security requirements.
B. Incorporating security post-implementation is difficult.
C. Helps with the development of better security assessment
programs.
D. It removes the requirement for a risk assessment.
Changes to applications have traditionally been difficult and costly to make
after implementation R2

20
Which one of the following is an example of a preventative
management security control?
A. Incident response capability.
B. Periodic system audits.
C. System security plans.
D. Personnel clearance checks.
A plan of action is a preventative control whilst the other options are detective R3

21
When is the prototyping approach to developing a security solution
most appropriate?
A. When the solution is obtained from a reputable vendor.
B. When the solution is technically complex.
C. When the solution is developed by inexperienced staff.
D. When the solution's functional specification is not clear.
A is incorrect since the functionality is already fixed. B is incorrect as prototyping
would be an inefficient way to solve technically complex issues. C is
inappropriate, as inexperienced staff will struggle with the loose development
style associated with prototyping. D is correct because prototyping specifically
addresses a step-by-step development process, checking the user requirement
all the way R4

22
Which one of the following provides the best mapping of access
privileges to an enterprise's organizational structure?
A. Group based access control.
B. Discretionary access control.
C. Mandatory access control.
D. Role based access control.
Roles are associated with specific positions in an organization. They are not
mapped directly to individuals. Mandatory access control is applied to resources
whilst discretionary and group based privileges are associated with individuals or
groups of individuals R4

23
Firewalls are used to protect an entity's internal resources and would
typically include which one of the following features?
A. Stateful packet analysis.
B. User authentication.
C. Dial-up security.
D. Virus controls.
A firewall filters packets, deciding whether each one is allowed to pass through or
is rejected R1

24
Which of the following can best describe the three pillars of Information
Security?
A. Strategy, Tactical, and Operational.
B. Discretionary, Mandatory, and Obligatory.
C. Confidentiality, Integrity and Availability.
D. Prevention, Detection and Correction.
Strategy, Tactical and Operational activities are focused on different time periods.
Discretionary, Mandatory and Obligatory controls relate to performance.
Prevention, Detection and Correction focus on the timing of control activities.
Confidentiality, Integrity and Availability are the foundation of information security
R3

25
How does the information security manager harden an operating
system?
A. Increase the strength of the computer casing.
B. Remove all unnecessary services.
C. Improve the access control mechanisms.
D. Decrease the number of users permitted concurrent access.
Hardening simply means removing all unnecessary services (FTP, telnet, finger,
etc.) from the machine R2

26
In which situation below are checksum algorithms not a good solution
to the problem of detecting errors?
A. Noise on communication lines.
B. Defects in a hard-disk surface.
C. Hostile humans.
D. Erroneous data capture.
Checksums provide excellent protection against random errors, but they provide
very little protection against intelligent and malicious agents who are not
constrained to corrupt messages in a random manner R3

27
Which one of the following is a characteristic of digital digests?
A. A digital digest algorithm is constructed to make it easy to recover
the original message from the digest.
B. A digital digest cannot be transmitted in public for fear of
interception.
C. A digital digest can correspond to only one specific message.
D. A digital digest can be calculated quicker than a checksum.
A digital digest is created by establishing a unique hash total for a particular
string of characters. Consequently a digital digest corresponds to only one
specific message (C). The other options are all incorrect statements about digital
digests R3

28
What would MOST LIKELY determine the requirements and siting of a
physical security perimeter?
A. The enterprise's security policy.
B. The value of the assets and services to be protected.
C. The number of key facilities to be protected.
D. Nature of the business.
The value of the assets would indicate whether security is required, how much
should be spent on security, and therefore which locations will be secured. The
security policy will document management's expectation, taking into account the
nature of the business and its associated threats R2

29
Which one of the following is not an appropriate physical measure for
security within a data centre?
A. Isolated delivery loading area.
B. Hazardous and combustible materials should be stored a safe
distance away.
C. Clear desk policy.
D. Appropriate safety equipment should be installed.
Clearing one's desk is a physical control, but it is least likely to have a direct
impact on the security of a data centre R3

30
Which one of the following is not an example of physical entry control?
A. Supervision of visitors in secure areas at all times.
B. Visible employee identity badges.
C. Immediate revocation of access rights on termination of service.
D. A clearly defined security perimeter.
The emphasis is on individuals once they are on the inside. A security perimeter
does not control individuals once they are inside. This question highlights the
care that must be taken in understanding what is being asked R4

31
In which phase of the development life cycle would an information
security manager, whose objective is to check a system development
project's compliance with corporate information security standards,
plan his involvement?
A. Feasibility.
B. Specification.
C. Construction.
D. Implementation.
It is during the construction phase that the evidence of compliance will become
available R3

32
What would the information security manager have done to ensure that
any new security program code does not affect any portion of the
security application already installed?
A. Regression testing.
B. Acceptance testing.
C. Unit testing.
D. Program code walk through.
Regression tests ensure previously working components continue to work with
the new code R1

33
Management can use an information security governance maturity
model to establish rankings for security in an organization. This model
is a useful aid for which one of the following purposes?
A. Establishing an outcomes based performance measurement
system.
B. Aligning information security strategies with business requirements.
C. Implementing base practices for information security management.
D. Establish a baseline for measuring progress in the future.
D is correct: an initial ranking sets the baseline. The maturity model is not a
sequence of process steps; rather it is about controls over the process steps. A
and B relate to the balanced scorecard. C relates to sources of best practice
such as ITIL, ISO 17799 and ISF baseline controls R4

34
Which one of the following would be a good performance measure of
Information Security governance succeeding?
A. Reduced number of new implementations delayed by security
concerns.
B. Reduced number of security-related service calls, change requests
and fixes.
C. Increased number of systems subject to an intrusion detection
process.
D. Full compliance, or agreed-upon and recorded deviations from
minimum security requirements.
D relates to Security Governance, whilst the rest are measures for information
security R4

35
Which one of the following would be a good performance measure of
Information Security Governance succeeding?
A. Amount of downtime caused by security incidents.
B. Percent of IT security plans and policies communicated to all
stakeholders.
C. Number of critical business processes relying on IT that have
adequate continuity plans.
D. Measured improvement in employee awareness of ethical conduct
requirements.
B relates to Security Governance (an outcome/KGI of security management),
whilst the rest are measures for information security R2

36
Which one of the following would be a good performance measure of
Information Security succeeding?
A. Full compliance, or agreed and recorded deviations from minimum
security requirements.
B. Percent of IT security plans and policies communicated to all
stakeholders.
C. Immediate reporting on critical incidents.
D. Number of critical infrastructure components with automatic
availability monitoring.
D relates to Security Management (an enabler/KPI of security management),
whilst the rest are measures for information security governance (KGIs) R4

37
What would be the main objective of enforcing a clear desk policy?
A. Reducing risk of a fire hazard.
B. Avoiding unauthorized access.
C. Proper documentation control.
D. Security workflow procedure.
A is partly true, but not the main objective. B is correct as it reduces the risk of
unauthorized access to information. C and D are inappropriate answers R2

38
Which one of the following would be a good performance measure of
Information Security succeeding?
A. Alignment of access rights with organizational responsibilities.
B. Number of incidents involving unauthorised access.
C. No security incidents causing public embarrassment.
D. Number of new implementations delayed by security concerns.
C relates to Security Management (an enabler/KPI of security management),
whilst the rest are measures for information security governance (KGIs) R3

39
E-mail systems have proved to be a useful source of evidence,
particularly at times of litigation. What is the primary reason for this?
A. Strong access controls establish accountability for activity on the
e-mail system.
B. Data classification is often used to regulate what information should
be communicated via e-mail.
C. Clear policy for using e-mail within the enterprise ensures that the
right evidence is available.
D. Poor housekeeping leads to excessive cycles of backup files
remaining available.
E-mail is generally poorly controlled, and because of instability, numerous copies
of files are often stored for long periods of time R4

40
In which system development life cycle stage would the detailed
specification for security be prepared?
A. Construction.
B. Solution Definition.
C. Requirements analysis.
D. Implementation.
Specifications are developed as part of the development of a definition for an
appropriate solution R2

41
What is a key activity necessary prior to the definition of controls?
A. Analyze residual risk.
B. Analysis of threats and vulnerabilities.
C. Definition of tests.
D. Quality control.
Controls are countermeasures to reduce risk. Therefore the analysis of threats
and vulnerabilities is required R2

42
The assessment of risk is MOST useful during which of the following
phases of the system development life cycle?
A. Project initiation.
B. System construction.
C. Integration testing.
D. Implementation planning.
The earlier in the process that the risk assessment is performed, the better R1

43
PKI authentication will require which one of the following to take place
first?
A. That a device acquires the user's public-key certificate.
B. That a device acquires the other entity's public key.
C. That a device acquires the certificate authority's public key.
D. That a device acquires the network session's public key.
The device needs to acquire the certificate authority's public key to decrypt a
message that contains the other entity's certificate, indicating that the Certificate
Authority recognizes this entity's credentials R3

44
During which of the following phases in systems development would
user acceptance test plans normally be prepared?
A. Feasibility study.
B. Requirements definition.
C. Implementation planning.
D. Post-implementation review.
User acceptance tests are normally prepared up front, alongside the requirements
definition. This ensures that the tests are closely linked to the requirements R2

45
Which one of the following is a sound basis for managing external
resources?
A. Job descriptions.
B. Documented procedures.
C. Performance goals.
D. Signed contracts.
Management of external resources must focus primarily on the outcomes
achieved. The other options are all plausible, but none are focused on the
outcomes R3

46
When outsourcing certain security related functions, the information
security manager would monitor one of the following to better
understand the likelihood of meeting customer expectations. Which
one is most appropriate for this purpose?
A. Critical success factors.
B. Key performance indicators.
C. Key goal indicators.
D. Market trends.
Key performance indicators are 'lead' indicators about the enablers for
information security to satisfy key goals and ultimately business objectives R2

47
When using external resources the security manager must personally
maintain which one of the following?
A. Incident management response.
B. Chain of command.
C. Development of procedures.
D. Regular appraisal of contract staff.
When utilizing external resources, the responsibility still resides with the
information security manager. Therefore the security manager must have an
incident management capability R1

48
Which one of the following activities is part of configuration
management?
A. Procurement.
B. Manage contracts.
C. Change management.
D. Manage retirement.
Change management is part of the configuration lifecycle, whilst the other
options are part of the asset management lifecycle R3

49
The evaluation of a security service or product against the Common
Criteria will have as its primary objective the performance of which one
of the following?
A. Engineering due diligence.
B. Cryptography review.
C. Process controls.
D. Product interoperability.
The Common Criteria focuses on establishing the reliability of the engineering
processes with a view to ensuring that these cannot have compromised the final
product R1

50
The review of a cryptographic module is most likely to be in
accordance with which one of the following?
A. Common Criteria.
B. FIPS 140 specification.
C. ISO 9000.
D. ISO 17799.
FIPS 140 is a cryptography specification; the Common Criteria is an engineering
specification; ISO 9000 is a quality management standard and ISO 17799 is a
security management standard R2

51
What would be a primary driver for an enterprise to certify and accredit
compliance of business applications and infrastructure to the
enterprise's information security governance framework?
A. Globalization standards.
B. Insurance contracts.
C. Management commitment.
D. Internal audit requirements.
For an enterprise to certify and accredit compliance of business applications and
infrastructure to the enterprise's information security governance framework
requires a great deal of management commitment R3

52
Which one of the following is a considerable advantage of optical fibre?
A. Cheap.
B. Easy to install.
C. Readily available.
D. Suitable for long distances.
D is the only advantage; the other options are usually disadvantages R4

53
As 'virtual networks' proliferate, users need access to many back-end
databases. Which one of the following is likely to be the most
burdensome task to overcome?
A. Centrally managing users and roles.
B. Implementing levels of user authentication.
C. Defining users for each database.
D. Securing sensitive data from the database administrators.
The most time consuming task is setting up users and their privileges on the
various databases R3

54
Which one of the following is the most significant benefit of an
anti-piracy policy to an organization?
A. It prevents staff from using illegal software on the entity's
computers.
B. It focuses management attention on matters for discipline in the
entity.
C. It reduces the likelihood of successful litigation against the entity.
D. It ensures staff are able to distinguish between legal and illegal
software.
Whilst a policy has the objective of communicating management's attention,
should litigation occur, a clear anti-piracy policy quickly reduces the likelihood
of its success R3

55
Which one of the following approaches is most likely to be people
resource intensive?
A. Role-based access control.
B. Token-based control lists.
C. Discretionary-based access control.
D. Group-based access control.
Discretionary based access control requires every individual with access
privileges to be listed on the access control list of each protected resource. Each
of the other approaches has a greater degree of consolidation than the individual
level R3

56
How would a security manager prioritize the amount of physical,
administrative and technical controls to employ?
A. Internal audit expectation.
B. Risk assessment.
C. Technical architecture.
D. Vendor recommendation.
Of the available choices, risk assessment would be the best approach to
prioritizing control implementation R2

57
Which one of the following is not an advantage of copper cabling?
A. Cheap.
B. Simple to install.
C. Readily available.
D. Suitable for long distances.
Copper cabling is not as good as other media over long distances. The other
options are advantages of copper cabling R4

58
Why can a customer shopping at an electronic mall run on a secure
server trust the merchant with sensitive information like a credit card
number?
A. The customer can authenticate the identity of the mall operator by
requesting the certificate of the mall operator's server and checking the
certificate authority's digital signature.
B. The customer can authenticate the identity of the mall operator by
requesting the certificate of the mall operator's server and checking the
certificate authority's public key.
C. The customer can authenticate the identity of the mall operator by
requesting the public key of the mall operator's server and checking
the certificate authority's digital signature.
D. The customer can authenticate the identity of the mall operator by
requesting the digital signature of the mall operator's server and
checking it with the certificate authority's digital signature.
Certificate authorities provide server certificates encrypted with their private key
and make available their public key for authentication purposes. Hence a level of
trust can be established as the CA is expected to have verified the company's
credentials before issuing the certificate R3

59
When a person wishes to transmit an encrypted message, whose key is
used?
A. The sender's public key is used to encrypt the message.
B. The recipient's public key is used to encrypt the message.
C. The sender's private key is used to encrypt the message.
D. The recipient's private key is used to encrypt the message.
A sender will use their private key to encrypt and the recipient will use the
sender's public key to decrypt R3

60
Date/Time stamps in an EDI environment help most with which one of
the following?
A. Recoverability.
B. Security.
C. Accuracy.
D. Integrity.
Of the items listed, time stamps will be of most help when recovering from
failures R1

1
Who should decide on information access policies?
A. Owners of the information.
B. Security management.
C. Data management.
D. Users of the information.
Owners of the information, i.e. business management, whose business
processes are most likely to be the most affected, should decide on the access
policy R1

2
What is the purpose of an information security architecture?
A. It is a framework for building information security products.
B. It is a description of the physical environment in which the
information systems are to be deployed.
C. It is a common basis for the design, development, implementation
and management of security processes.
D. It is the basis on which the enterprise's technology architecture will
be selected and implemented.
An information security architecture is a common basis for design, development,
implementation and management of security processes. It is a high level
specification for security R3

3
The security principle of 'applying the level of least privilege' addresses
which one of the following security elements?
A. Integrity.
B. Confidentiality.
C. Identification.
D. Accountability.
The principle of maintaining levels of least privilege addresses the creation,
modification or destruction of information; in other words, it applies to
maintaining integrity R1

4
In order for a security policy to be viable for the long term, it requires a
lot of flexibility that is often provided through which one of the
following?
A. Knowledge of user preferences.
B. An architectural security concept.
C. Availability of budget.
D. Access control permissions.
A sound security architecture will enable a security policy to be viable over the
long-term as it will communicate clearly the requirements for security
management R2

5
Business knowledge is essential for information security as it is
necessary to conduct which of the following?
A. Cost-benefit analysis.
B. Countermeasure design.
C. Describe core functionality.
D. Estimate project costs.
Interpreting information security policies into operational use requires the security
manager to perform a cost-benefit analysis R1

6
An information security manager would issue a security guideline with
which one of the following objectives in mind?
A. A specific information security program in mind.
B. Provide a statement for overall design and operation of security.
C. Directions for preferred levels of security and programs.
D. Keep the number of alternative solutions to a minimum.
A guideline is used to communicate the preferred levels of security and to offer
guidance regarding security programs R3

7
How does top level management best demonstrate their commitment
to the information security efforts?
A. Appointing a security officer.
B. Participating in discussions.
C. Signing statements of support.
D. Providing sufficient resources.
Providing resources is the clearest and strongest statement of all R4

8
How can an enterprise achieve a consistent standard of good practice
for information security across the enterprise?
A. Through security awareness campaigns.
B. Through detailed security guidelines.
C. Through clear direction from top management.
D. Through the use of a mission statement.
Top management direction will ensure that information security receives
appropriate attention. Often, the lack of this direction results in insufficient
attention to security matters R3

9
The alignment of security solutions with business requirements is best
achieved by using which one of the following as the link?
A. Data model.
B. Systems map.
C. Resource requirements.
D. Information criteria.
CobiT's information criteria are the link between the technical environment and
business requirements R4

10
'Supervise specification and selection of security technology' is a
statement typically found in which of the following documents?
A. Security architecture.
B. Mission statement.
C. Standard.
D. Security procedure.
Mission statements contain statements about functional duties R2

11
Which one of the following is usually a part of the role of the security
administration function?
A. Approve policy.
B. Allocate budget.
C. Control access.
D. Manage security breaches.
Management approves policy and allocates budget. User management carries
the responsibility for handling issues. The security administration function will
control access R3

12
A key objective of Security Administration would be which one of the
following?
A. Problem management.
B. Component approval.
C. Service level measurement.
D. Consistency in design, practices and disciplines.
Problem management and service level measurement are part of Operations.
Component approval is part of Software security. Consistency in design,
practices and disciplines is the responsibility of Security Administration R4

13
A critical function of security administrators is which one of the
following?
A. Implementing information security features.
B. Identifying information security solutions.
C. Coordinating information security arrangements.
D. Defining information access policies.
One or more individuals (i.e. local security administrators) should be made
responsible for coordinating the information security arrangements and acting as
a single point of contact on information security issues R3

14
Why are biometrics considered risky for authentication?
A. Cracking the device's authentication mechanism.
B. Replication of the key generator in the biometric device.
C. Masquerading of the user attribute by an imposter.
D. Spoofing of the authentication approved message.
The difficulty experienced with a biometric device is the weakness of the key
generation procedure R2

15
A business objective of being flexible and responsive to customer
needs must be matched by an IT security strategy with which one of
the following attributes?
A. Availability of choices.
B. Support for users.
C. Technical ability.
D. Reporting of activity.
Responsiveness is matched by a need for flexibility R1

16
How could the information security manager BEST minimize the risk of
proprietary coding standards being shared with competitors'
programmers?
A. Programming standards.
B. Non-disclosure agreements.
C. Code of practice for staff.
D. Regular development project audits.
Of the choices, the most effective will be a legally assisted non-disclosure
agreement R2

17
Which of the following would be an effective way of managing an
enterprise's information security programme through third parties?
A. A defined policy documented in a service level agreement.
B. Security education programme.
C. Access control.
D. Physical security perimeter.
A defined policy in a service level agreement results in a contractual arrangement
that creates awareness and defines security requirements. For third parties, this
will be the most effective, but not the only, security measure required. The other
three options will be appropriate, but depend on the service level agreement to
be effective R1

18
Which one of the following will enforce business partners' and
outsourced service providers' compliance with established information
security policies?
A. Access control.
B. Auditing of all activity logs.
C. Unique user identifiers.
D. Security gateway.
Enforcement of compliance is established through logging and auditing of
security-related activities. Auditing of all activity will be an effective way to enforce
compliance R2

19
Controls over third parties should take which one of the following into
account?
A. Business risks.
B. Mutual respect.
C. Associated costs.
D. Differences in security requirements.
Controls must always be implemented to counter business related risks R1

20
Responsibility for third party access and compliance with security
policies is with which one of the following?
A. IT management.
B. Third party management.
C. Security management.
D. Business process owners.
Business process owners are responsible for third-party connections and access
control R3

21
Which one of the following is a measurement of a key performance
indicator?
A. There is awareness that a good security plan takes time to evolve.
B. Reduced turnaround time for security administration requests.
C. No incidents causing public embarrassment.
D. A process is in place to authenticate users at reasonable cost, light
to implement and easy to use.
The turnaround time for security administration requests is a lead indicator,
highlighting the current status of an enabler, i.e. a performance indicator. Options
A and D are critical success factors and C is a key goal indicator R2

22
Which of the following is an example of a key goal indicator for
information security management?
A. Full compliance with, or agreed and recorded deviations from,
minimum security requirements.
B. Reduced number of service calls, change requests and fixes.
C. Number of systems subject to an intrusion detection process.
D. Number of IT security awareness training days.
Option A is an example of a key goal indicator. It is a measure of the outcome
taken at the end of a period. The others are all measures of the enablers of
security management, i.e. key performance indicators R1

23
What is one of the strengths of an activity monitor used to detect
viruses?
A. They can differentiate between a word processor and a virus
updating a file.
B. They cannot be bypassed by any viral programs.
C. They can detect viral programs that have not been previously
identified.
D. They can continually ask for confirmation of valid activities.
An activity monitor detects changes in the environment, via a hash total over a
file or group of files, and therefore relies little on what is known about the virus R3

24
As a company becomes compartmentalized, which of the following
characteristics will a security manager MOST likely have to pay
specific attention to when purchasing additional pieces of security
equipment?
A. Scalability.
B. Maintainability.
C. Usability.
D. Understandability.
The greater the fragmentation, the greater the difficulty to scale security solutions
R1

25
A central characteristic in preparing an information security function's
mission statement is which one of the following?
A. Ethics.
B. Priority.
C. Vision.
D. Values.
Mission statements that are laundry lists of every responsibility possible are
usually greeted with the disdain they deserve. Mission statements set targets and
distinguish between what is important and what is not R2

26
A standard, in addition to describing a process or object, is primarily
used for which one of the following purposes?
A. Measurement of compliance.
B. Guidance about choices.
C. Descriptive regarding 'How to'.
D. Step-by-step in detail.
A standard describes a process in a manner such that compliance with the
specification can be measured and the expected benefits from the process
determined R1

27
To manage the success of the investments in information security, the
information security manager must ensure that there is alignment with
business expectations through the use of which one of the following
tools or techniques?
A. Gap analysis.
B. Cost-benefit analysis.
C. Key performance indicators.
D. Project management.
Key performance indicators are used to manage and monitor processes to ensure
business objectives are met R3

28
The security manager can use the CobiT maturity model as a basis for
which of the following?
A. Alignment with goals.
B. Continuous improvement.
C. Cost-benefit analysis.
D. Sensitivity analysis.
Maturity modelling is associated with building increasingly sophisticated
capability R2

29
The philosophy of control in open systems should always be to
improve on current levels of performance. Tools to accomplish this
include:
A. PERT methods.
B. Benchmark metrics.
C. Maturity models.
D. Quality measurements.
The principle behind a maturity model is to define stages of maturity and then to
measure the entity against these stages of maturity R3

30
Why is a hardware-based firewall generally considered better than a
software-based approach?
A. More secure.
B. Better performance.
C. More reliable.
D. Better documentation.
Better performance can be obtained from hardware-based solutions R2

31
Which one of the following is an example of a vulnerability
assessment?
A. Scenario planning.
B. Penetration testing.
C. Intruder detection.
D. Threat analysis.
Penetration testing is an example of a vulnerability test R2

32
A password cracker is a tool best suited to assessing which one of the
following?
A. Business impact.
B. Sensitivity.
C. Vulnerability.
D. Risks.
A password cracker is used to establish the vulnerability of passwords to being
exploited R3

33
Why is it important that the security implication of a change be
managed early in the process?
A. All changes to controls must be traceable.
B. Trivial changes should not require authorization.
C. Emergency changes should not require documentation.
D. Not all changes need justification.
All changes to controls must be traceable and undertaken in a controlled manner
R1

34
What technique is used to ensure that appropriate changes are made
to all deliverables throughout the life cycle?
A. Program library.
B. Version control.
C. Tape Library.
D. Control totals.
Version control is the way to establish control over deliverables R2

35
Which one of the following is the MOST practical way to minimize the
risks associated with emergency changes to a system component?
A. Approval of all affected parties is obtained first.
B. Documenting emergency change procedures clearly.
C. Emergency changes are implemented in a separate library.
D. Access controls that restrict access to affected datasets.
Because emergencies require swift action, many controls are overlooked and
therefore the use of a separate library would enable controls to be applied after
the emergency has been resolved R3

36
Which one of the following would be an effective and pragmatic
technique to ensure system security software changes are properly
controlled?
A. Scheduling specific times for system security software changes.
B. Restricting system security software changes to the Operators.
C. Involving the data owners in the change procedure.
D. Appointing a project board representative to attend the change.
By scheduling specific times, it would limit the opportunity for abuse, as well as
make it easier to detect R1

37
The security manager has primary responsibility for which of the
following aspects of non-compliance?
A. Timely resolution.
B. Technical solution.
C. Legal action.
D. Expert advice.
The security manager's primary responsibility is to obtain timely resolution and
therefore will follow up on all instances of non-compliance R1

38
To effectively deal with non-compliance in a timely manner, a process
should be in place to deal with non-compliance and one of its related
procedures. Which item listed is most likely to be important in dealing
with non-compliance?
A. Arbitration.
B. Escalation.
C. Impact.
D. Evaluation.
The most likely answer is Escalation, although Arbitration may be considered a
valid option R2

39
A security manager undertaking a review of environmental controls
would include which one of the following in the review program?
A. Dial-up services.
B. Bandwidth usage.
C. Remote access controls.
D. Performance monitoring.
Bandwidth is the only option considered part of the environment R2

40
A war-dialer is a tool used to detect vulnerabilities from which one of
the following sources?
A. Laptop computers.
B. Mobile phone connections.
C. Telephone conversations.
D. Insecure modems.
War-dialing is an old method of exploiting rogue or insecure modems; it is still an
effective means to penetrate computers and the networks the computers may be
attached to R4

41
Which one of the following can be used to measure the effectiveness
of the modem security policy?
A. War-dialer.
B. Risk assessment.
C. Content scanner.
D. Access logs.
War-dialing is an old method of exploiting rogue or insecure modems; it is still an
effective means to penetrate computers and the networks the computers may be
attached to R1

42
Which one of the following can serve as a convenient means of
determining the source of potential security breaches?
A. Log of unsuccessful authentication attempts.
B. External vulnerability reporting service.
C. Penetration testing.
D. Honeypot.
A log of unsuccessful authentication attempts will contain the number and source
of the threats, guiding management to a conclusion on their severity R1

43
Which one of the following is an explicit technique to test the security
awareness of staff?
A. Working practices.
B. Number of incidents.
C. Logged activity.
D. Days training.
Explicit techniques include working practices, interviews, questionnaires and staff
appraisals R1

44 44
In order to measure progress with the security awareness programme
which one of the following would you need first?
A. Build a detailed business case.
B. Build a detailed plan.
C. Define success factors.
D. A baseline of current knowledge.
A baseline of current knowledge is essential prior to any further work on security
awareness R4

45 45
How can the information security manager check that security
administrators are performing their tasks responsibly?
A. Review access permission change request procedures.
B. Examine a log of all user activity.
C. Inspect a log of failed access attempts.
D. Customer satisfaction surveys.
Inspecting the log of user activity will highlight the number of weaknesses in the
system as a result of unauthorised user activity R2

46
The security manager is expected to fulfill which one of the following roles
when working with internal and external assurance providers?
A. Guide.
B. Manager.
C. Liaison.
D. Assistant.
The assurance process is a key process within the information security program
and the information security program can benefit from the periodic reviews.
Consequently, the security manager should act as a liaison point R3

47
Which one of the following is a universal standard to evaluate the
security and assurance levels of technology products?
A. ISO 17799.
B. Common Criteria.
C. CobiT.
D. SAS 70.
The Common Criteria is a result of the harmonisation of the US and
European standards for security evaluation and accreditation.
ISO 17799 is a code of practice for information security, CobiT is an IT
process control model; SAS 70 defines the scope of an audit R2

48
Vulnerability scanner reports often serve as a wakeup call for
management, but are not very useful in providing assurance in which
one of the following instances?
A. Operating system vulnerabilities have been detected.
B. A host is free of any introduced back doors.
C. Recommended OS patches have been applied.
D. Bugs that may be exploited have been identified.
Vulnerability scanners test the network and operating system for known
weaknesses, but do not test for strengths such as the correct sequence in
applying OS patches R3

49
Why should the results of testing a new security product be
documented?
A. It provides an audit trail of test results for independent auditors to
review.
B. It provides an audit trail to assist in problem-solving in the future.
C. It provides an audit trail of the tests so they need not be repeated in
the future.
D. It provides an audit trail for benchmarking with other entities using
similar technology.
Test results will be useful to assist with problem-solving in the future R2

50
How can an information security manager best determine the impact a
change in an information security component will have on the
environment?
A. Review the program code of the security product.
B. Discuss with the vendor issues such as response time.
C. Observe the product in a test environment.
D. Examine the functional specifications for the solution.
A test environment is the best way to evaluate the impact of a new product on its
environment as the application can be tested against a comprehensive set of
criteria in a reliable, and safe, manner R3

51
Which one of the following is a business framework for managing
enterprises?
A. SAS 70.
B. COSO.
C. ISO 17799.
D. HIPAA.
COSO is the 'Committee of Sponsoring Organisations' of the Treadway
Commission (in the US) that reported on business and internal control issues in
1991 R2

52
The frequency of backups should be aligned with which one of the
following circumstances?
A. The size of the data centre.
B. The design of the network.
C. The stability of the systems infrastructure.
D. The network administrators' workload.
The greater the instability, the greater the frequency of backups required so that
the time to recovery is always short R3

53
What is the primary purpose of subscribing to an external vulnerability
reporting service?
A. Educating staff.
B. Benchmarking.
C. Early warning.
D. Gap analysis.
Threats can arise from many sources around the world. An external vulnerability
reporting service is typically an early warning mechanism R3

54
Which one of the following is a useful service for security managers to
ensure that the security program is constantly being adjusted?
A. External auditor reports.
B. External vulnerability reports.
C. External peer reviews.
D. External baseline benchmarking.
Threats can arise from many sources around the world. An external vulnerability
reporting service is typically an early warning mechanism enabling security
managers to respond instantly to new vulnerabilities R2

55
Knowledge of civil unrest or protest near the enterprise's facility would
require which one of the following actions?
A. Permanent increase in physical security.
B. Temporary increase in baseline for physical security.
C. Improvement in logical access control.
D. No action is required as the event is external to the enterprise.
Baseline security should be increased to match the threat and removed if no
longer necessary R2

56
Which one of the following will be the most important part of problem
management practices for security?
A. Being systematic.
B. Tracking results.
C. Define the problem.
D. Maintaining protection.
The security manager will require that the necessary levels of protection exist
throughout the process of handling a problem issue R4

57
Which one of the following should be standard practice for problem
management after the emergency fixes have been made?
A. Emergency fixes should be properly documented.
B. Senior management should approve the emergency fixes.
C. Authorisation for emergency access should be revoked.
D. Emergency fixes should be tested in the test environment.
Emergency fixes should be reversed, making options A, B and D inappropriate.
Authorisation for emergency access should be revoked immediately R3

58
Which one of the following is a useful metric to measure problem
management?
A. Number of information security problems in the month.
B. Awards received for dedication to the task.
C. Average time and manpower needed to resolve a problem.
D. Number of items in the auditors' report related to problem
management.
The most useful metric is the average time and manpower needed to resolve a
problem. The number of problems arising has less to do with problem
management itself. Similarly, dedication to the job is great, but vague. The
auditors' report is not a scorecard but an opinion on items for improvement R3

59
How can the frequently held view amongst staff that information
security policies result in an excessive administrative burden best be
overcome?
A. Executive support be obtained.
B. Administrative guidelines.
C. Clear documentation.
D. Awareness training.
Executive support would be the best indicator to staff that security policies are to
be taken seriously R1

60
An information security manager concerned with the integration and
operation of security solutions across the enterprise would use which
one of the following approaches to influence others?
A. Information security guideline.
B. Information security standard.
C. Information security policy.
D. Information security architecture.
An information security architecture is used to communicate at a high level the
requirements for information protection R4

1
Reports received from vulnerability scans often serve as a wakeup call
for management. Network vulnerability scanners are useful for all
except one of the following. Which one is the exception?
A. Operating system vulnerabilities have been detected.
B. A host is free of any introduced back doors.
C. Recommended OS patches have been applied.
D. Bugs that may be exploited have been identified.
A = Vulnerability scanners do this. B = Scanners provide no assurance
whatsoever that a host is free of introduced back doors. A methodical
examination of the hosts for evidence of hostile activity and trojanized system
executables is required. C = Vulnerability scanners detect missing patches. D =
Vulnerability scanners detect instances where known bugs have not been
repaired R2

2
Which one of the following individuals would be the preferred leader of
the Emergency Response Team?
A. An executive manager.
B. The IS manager.
C. The business manager most affected.
D. A specifically trained manager.
Business continuity planning includes, amongst other activities, two important
components, decision making and handling a crisis. Most decisions should be
thought out in advance. Hence a person specifically trained to manage a crisis,
with the right information, would be the best leader R4

33
The first stage of an Incident Response methodology normally is
associated with which of the following activities?
A. Preparing to develop the incident response methodology.
B. Preparing to respond before an incident actually occurs.
C. Preparing to respond when an incident actually occurs.
D. Preparing to respond after an incident actually occurs.
Security incidents are complex and time consuming to address. Preparing before
an incident occurs is considered the most efficient approach R2

44
Once the incident response team has been selected and trained, the
first point of the incident response process to test would be which one
of the following?
A. Team members' knowledge of what to do.
B. The review of system logs.
C. The qualifications of the team members.
D. Users' knowledge of who to call.
A critical, and often overlooked, step in incident response is knowing who to call.
Thereafter, the other activities may follow R4

55
A proactive and practical technique for protection against malicious
code is which one of the following?
A. Prohibit the downloading of program code.
B. Filter downloaded program code for key words.
C. First execute downloaded programs in a 'sandbox'.
D. Permit code to be downloaded only from trusted sources.
A = This may prevent legitimate computing; B = This is not very reliable; C = This
is the only practical solution; D = This may hinder legitimate computing R3

6
Comprehensive response and recovery strategies are developed
based on which one of the following?
A. Business impact assessment.
B. Risk assessment.
C. Information security management's planning.
D. Senior management's approval.
Whilst all the options are true, the basic requirement is that response and
recovery strategies must be developed according to senior management's
approval, thereby incorporating their authority and commitment to providing
adequate resources R4

7
Training the response and recovery teams is undertaken with which
one of the following objectives in mind?
A. Familiarity with their responsibilities.
B. Avoid unnecessary detail in the documentation.
C. Empower employees to take decisions as necessary.
D. Focus on weaknesses in the technology.
Training is essential in ensuring that persons selected gain familiarity with their
responsibilities. All significant detail must be recorded in the BCP document and
decision-making by employees should be pre-empted with clearly defined
processes. Technology is not the primary focus; rather it is an end-to-end
understanding of the recovery of an entire business process R1

8
Emergency management activities typically include which one of the
following?
A. Safety of personnel.
B. Testing of procedures.
C. Dealing with legal issues.
D. Cleaning of soiled equipment.
Emergency management typically revolves around large scale crisis
management that includes personnel from various external bodies and
government agencies R1

9
Experienced professionals generally consider the use of a
methodology to have which one of the following characteristics?
A. Too slow for situations that are dynamic in nature.
B. Provide structure and order for most situations.
C. Inhibiting to experienced security professionals.
D. Unnecessarily expensive for the majority of incidents.
Pandemonium can and does often occur very quickly when security-related
incidents happen. Simultaneous incidents are more often the case. Therefore a
methodology helps prevent the situation getting out of control, even for seasoned
professionals. A methodology often includes the use of proven tools that result in
greater efficiency and ultimately a lower cost R2

10
Which one of the following is a frequent reason given for the failure of
Incident Response initiatives?
A. Time.
B. Knowledge.
C. Personnel.
D. Funding.
Responding to security incidents is not cheap and underfunding is cited to be a
common problem. Knowledge is generally available from various sources
including the Internet. With knowledge, personnel can be trained. Time is a
function of the availability of knowledgeable people R4

11 11
A petroleum company whose greatest assets are its data regarding
where crude oil deposits are located, has its data stored on databases
on its subnets located around the world. Assume countermeasures to
the known vulnerabilities are in place, except that in reality patching
systems is a slow and disjointed process and several vulnerabilities
are being exploited. Which one of the following is likely to be the first
incident response step?
A. Perform penetration tests and determine the steps necessary to
penetrate these systems.
B. Review the latest risk assessment and establish whether current
countermeasures are adequate.
C. Understand as much as possible about the systems in use,
including how they could be compromised.
D. Perform a vulnerability assessment for the assets in question.
Common practice is to start with gaining a proper understanding of the systems
and then determining how incidents that could occur can be dealt with.
Irrespective of the extent of any vulnerability, a determined hacker will breach the
security. Risk assessments date quickly and therefore countermeasures can
quickly become obsolete and consequently breached. Penetration tests provide
evidence of the weaknesses that exist and are most useful to prove the
vulnerability that has been identified. Both of these highlight the existence of
weaknesses and are therefore useful, but not the first step R3

12 12
Why is the development of a computer emergency response team
favored?
A. It lowers the budget.
B. Enables better coordination.
C. Frees users from this responsibility.
D. Solves staffing issues.
Typically, it requires a good/big budget. It does result in better coordination as
dedicated persons can build relationships as appropriate. It does not free up
users from their responsibilities, rather it helps users. Staffing issues can only be
solved if the correct staff can be employed. This is often not the case R2

13 13
Using a methodology to respond to a security related incident is almost
an absolute requirement for legal considerations. The most obvious
being which one of the following?
A. Adherence to statutory audit requirements.
B. Demonstrating due care.
C. Data protection law.
D. Working with law enforcement agencies.
Adopting a reasonable and responsible set of measures to guard against harm
will constitute due care and avoid a possible lawsuit for incompetence in dealing
with an incident R2

14 14
From which one of the following organizational units is an Incident
Response function most likely to encounter resistance?
A. Internal Audit.
B. Operations.
C. Information Security.
D. Systems Programming.
Operations are most likely to be negatively affected by an Incident Response
team. The impact on the others will be far less R2

15 15
There are many forms of denial of service attacks but the objective is
the same, make sites unavailable through heavy congestion or
consumption of the victim's processing resources. Which one of the
following countermeasures is the most difficult to implement?
A. Spread a site across multiple ISPs.
B. Harden network security.
C. Impose state limits on servers.
D. Block the attack at the source.
Identifying and preventing an attack is the most difficult challenge. Techniques used
to attack specifically mislead one about the source. Each of the other steps is
much more tangible to perform R4

16 16
In large organizations with large volumes of network activity, which one
of the following is likely to be the most difficult?
A. Capturing traffic.
B. IDS deployment.
C. Applying rule sets.
D. Analyzing the output.
Capturing traffic is a relatively straightforward practice. Deploying an IDS engine
can be fairly simple, and applying the rule set might not be especially difficult, but
when the volume of traffic is large, analyzing the output and understanding
what is happening is not simple R4

17 17
Advance planning and preparation for incident response can be
enhanced by which one of the following activities?
A. Risk analysis.
B. Penetration testing.
C. Historical records of loss.
D. Archived system logs.
Historical records and archives only tell one about the past. Penetration testing
will highlight specific weaknesses. But risk analysis will create a perspective of
the threats and vulnerability of the enterprise to these threats R1

18 18
A reciprocal agreement as a business continuity plan would be MOST
appropriate in which one of the following scenarios?
A. Two companies in the same neighbourhood.
B. Two companies already networked together.
C. Two companies with the same IT vendor.
D. Two similar branches of the same company.
Two similar branches will have many things in common. This makes a reciprocal
agreement a suitable option. This is not the case in the other instances as the
computing requirements are likely to be very different R4

19 19
Regular testing of the disaster recovery plan and business recovery
processes will ensure which one of the following?
A. Impact assessments are reliable.
B. All plans are current.
C. Authority of the security manager.
D. Business' commitment.
The impact of a failure is unlikely to be established through testing, unless the
recovery efforts fail, nor is it the opportunity for the security manager to exert
authority or extract business commitment. However, regular testing will ensure
that plans remain current, and any detail that has changed, will be identified
ahead of any potential disaster R2

20 20
An important consideration in business continuity planning is
establishing a balance between business recovery needs and the cost
of a recovery capability. Which one of the following helps to do so?
A. Threat analysis.
B. Penetration testing.
C. Impact assessment.
D. Quality assurance.
The threat analysis identifies the events that may affect the business, but not the
impact and therefore the cost justification for a recovery capability. Option C is
correct as this will provide a cost justification, and options B and D are totally
inappropriate R3

21 21
Good practice in testing a business continuity plan is considered to be
which one of the following?
A. Start small and gradually increase complexity.
B. Avoid processes that could have a significant negative impact.
C. Never introduce unplanned events to the test script.
D. Only test when all key personnel are available.
Always start small, but do include processes that could have a significant negative
impact. Do introduce unplanned events such as the unavailability of key
personnel R1

22 22
Orientation/Walk-through testing is more appropriate for which of the
following test objectives?
A. Individual and team training.
B. Mobilising resources.
C. Validation of crisis response functions.
D. Demonstrating skills.
Orientation/walk-through testing assists training of individuals and teams about
their responsibilities. It doesn't test the effort required to mobilise resources or
validate crisis responses. Nor does it create the opportunity to demonstrate skills.
The primary purpose is to create awareness around individual and team
responsibilities R1

23
Business continuity planning for a public key infrastructure that is in
use would require all except which one of the following procedures?
A. Duplicate servers for certificate revocation lists.
B. Duplicate certificates for each participant.
C. Key escrow.
D. Backup copies of all public and private keys.
Backing up private keys in a PKI system creates a major vulnerability. If lost they
should be replaced, not recovered from backup. The other options are all valid
R4

24
Why should the environmental control devices, alarms and control
procedures be evaluated as part of the business continuity planning
exercise?
A. To determine if they adequately address all of the potential threats
to the environment.
B. To determine what environmental controls are required at the
fallback site.
C. To develop a business continuity plan for these support services.
D. To check that they are in good working order.
An important part of business continuity planning is taking preventative steps.
Deploying environmental control devices would be a preventative step R1

25
Which one of the following would you perform first to ensure the
execution of response and recovery plans will be as required?
A. Review of archived logs.
B. Penetration tests.
C. Vulnerability tests.
D. Calculate annual loss expectancy.
Response and recovery should be planned around a vulnerability assessment.
The others are incorrect. Logs simply provide a historical view, penetration tests
highlight specific weaknesses and the annual loss expectancy, if used for
anything, provides a feel for what is a reasonable cost to incur R3

26
Security incident response, information recording and data
preservation require procedures that provide sufficient guidance in
which one of the following areas?
A. Incident response.
B. Legal framework.
C. Business continuity planning.
D. Information technology auditing.
Having a good legal framework is important to provide options to the organization
so that a security event can be handled in a manner appropriate to the business
R2

27
Which one of the following is essential to incident response?
A. Prior agreement on escalation procedures.
B. Prior selection of personnel to decide on escalation steps at time of
incident.
C. Guideline on developing escalation procedures.
D. Standardised escalation procedures.
Escalation procedures should be agreed to by all the parties prior to an event so
that they are simply followed at the time of an incident R1

28
When selecting antiviral software one of the most important features to
consider is which of the following?
A. The quality of the antiviral software's GUI.
B. The number of actual viruses the software can detect.
C. The inclusion of disinfection features in the software.
D. The environment in which the antiviral software will run.
A = False: GUIs are not very important; B = False: this can be a misleading
statistic; C = False: the detection ability is more important; D = True: the actual
environment is most important in choosing an anti-virus strategy R4

29 29
When deploying a honeypot to monitor hacker activity, where should
the honeypot be located?
A. Inside the corporate firewall.
B. On the same network segment.
C. On a separate network segment.
D. Between the Internet and the DMZ.
Honeypots must look as realistic targets as possible. Therefore they should be
where the hacker expects to find them. Anywhere else could look suspicious R2

30 30
Which of the following is the BEST countermeasure to denial of service
attacks?
A. Firewall.
B. Content filter.
C. Smart router.

D. Modem.
Identifying and controlling the source of traffic, severely restricts denial of service
attacks. More so than simply strengthening the door!", 3

31 31
Which one of the following is recognised as the most frequent cause of
the success of many denial of service attacks?
A. Poor system administrator knowledge.
B. Poor design of firewall technology.
C. Poor quality control in system design.
D. Poor audit testing and review techniques

36 36
Host-based intrusion-detection systems have the following advantage
over network-based solutions?
A. A single implementation is required.
B. Better suited to picking up attacks.
C. Smaller impact on system performance.
D. Less costly.
Host-based IDS are installed on every system that requires IDS, but are better at
detecting attacks. Host-based IDS is therefore also more costly and they have a
greater impact on system performance R2

Poorly trained staff, leading to poor configuration and administration is the most
frequent problem. The other options are less likely to be problematic R1

37 37
Significant incidents should be reported to which of the following as
part of the process to establish impact:

32 32
Which one of the following actions tends to have the highest payoff
during the detection stage of dealing with a security incident?

A. Business 'owner'.
B. Security officer.
C. Operations manager.
D. Security expert.

A. Immediately deleting all sensitive data.


B. Promptly taking a full backup of the system under attack.
C. Removing potentially dangerous user privileges.
D. Using anti-virus software.

Significant incidents should be reported to the business 'owner' who should


assess their business impact R1

An attacker will try to erase or corrupt evidence of an attack. Taking a backup


may result in evidence being retained for analysis and legal purposes R2

38 38
When conducting forensic examinations, which one of the following
would be best?

33 33
Which of the following is a typical target in a denial of service attack?

A. Working with the actual data files as stored on the hard disk.
B. Working with a copy on the actual computer's hard disk.
C. Creating a test bed of data on the actual computer's hard disk.
D. Creating a copy of the actual data files on a test computer's hard
disk.

A. Network.
B. Application system.
C. Operating system.
D. Browser.
A is the only correct answer, as denial of service is a network based attack R1

34 34
What is an advantage of anti-virus software schemes based on change
detection?
A. It has the highest probability of avoiding false alarms.
B. It has a good chance of detecting current and future viral strains.
C. It has good protection against software infections.
D. It has to be updated less frequently than activity monitors.
A = False; B = True; C = False; D = False R2

35 35
Which one of the following actions tends to have the highest payoff
during the detection stage of dealing with a security incident?
A. Taking time to analyze anomalies.
B. Focusing only on the material items.
C. Reviewing vulnerabilities of any previous risks assessments.
D. Making use of penetration tests.
Sometimes very small symptoms indicate that an incident is in progress. An
attack on US computers was discovered because of a 75c anomaly in computer
usage charges R1

Working with the actual data files will destroy the evidence. Working with the
actual hard disk will also destroy evidence. Therefore D is the solution as it
requires a copy to be taken and used for the investigation. The investigation
should never use the actual media which should be kept securely as evidence
R4

39
An investigator must have the necessary authority to conduct a
forensic investigation. What would be the normal basis of the authority
derived to carry out these investigations?
A. Acceptable use policy.
B. Data protection standards.
C. Information security directive.
D. Employee permission.
By setting policy on what is acceptable and what is inappropriate, the employer
has the right to track down inappropriate use. The other options are inappropriate
for a smoothly run forensic capability R1

40
Which one of the following types of backups is going to be of most use
for forensic purposes?
A. Device to device copy.
B. Dump of file system.
C. Tape archive of files.
D. Dump of memory store.
Device to device copy reads data block-by-block, thereby also copying
deleted files. This is the most effective approach for forensic purposes R1

41
What is the primary purpose of a post-incident follow-up review?
A. Determine if management has taken appropriate corrective action.
B. Complete items that could not be finalised during the review.
C. Review the performance of the review team.
D. Determine if the assessment program is adequate for that particular
review.
A typical objective of the post-incident meeting is to find out if management has
already taken corrective action R1

42
The post-incident review and follow-up procedures of the incident
response team are essential for which one of the following reasons?
A. Keep the team's resources fully occupied.
B. Build team spirit.
C. Attribute blame for team member mistakes.
D. Use the lessons learned to improve skills.
Follow-up provides an opportunity to use the lessons learned to improve skills of
the entire team, and specifically for new team members. It's not about blaming
individuals, but rather improving the methodology. Team building may be a
secondary objective. It should not be about simply deploying team members just
to keep up the appearance of being fully occupied R4

// QUESTIONS C1_61 to C1_66


43
Which one of the following best describes the outcome from
benchmarking?
A. A set of internally focused information security performance
measurements for uniform scoring.
B. A process for auditing compliance of internal activities against a
known standard.
C. A technique that enables process improvement steps to be
prioritized.
D. An external focus on internal activities, functions, or operations in
order to achieve continuous improvement.
The process of benchmarking is linked to measuring performance of single or
multiple processes within a company with those found in competitors for the
purpose of continuous improvement R4

44
Some very real people will resist having their freedom and power of
action reduced by improvements to information security. Which one of
the following will require specific attention?
A. Information security policy content.
B. Staff appraisal and disciplinary procedures.
C. Cost/benefit analysis.
D. Organisational change management.
Changes that can influence a company's power structure are politics. This
requires attention to organizational change management R4

45
Which one of the following is a typical objective of compiling a
business case?
A. Set goals.
B. Map out the actions required.
C. Understand the requirements of users.
D. Define the problem.
The problem to be solved must be set out in business terms. Goals are set in the
mission statement and strategy is used to map out actions to achieve the mission
statement R4

46
If how you protect your own environment does not impact your
enterprise, but it is important to your clients, then this is an
opportunity for which one of the following security-based initiatives?
A. Penetration testing.
B. Security outsourcing.
C. Cost optimization.
D. Competitive advantage.
If your customers cannot trust your system(s), and they can trust your competitors,
they might move to them. Similarly, if security is very important to your
customers, your entity can attract customers through offers of higher levels of
trust R4

47
The enterprise value proposition for information security is best
established through which one of the following?
A. IT alignment with business goals.
B. Key performance indicators.
C. Historical loss records.
D. Annual loss expectancy calculation.
The method for establishing the enterprise value of information security is to align
IT with business goals. This is done through cascading the key goal indicators of
business down to IT and then, down to information security management. Key
performance indicators measure short term (daily or monthly) activities and
would not give an indication of the enterprise value. Historical records may not be
an accurate reflection. The annual loss expectancy may provide some insight,
but is focused on the monetary loss R1

48
Where it is difficult to determine fully the tangible benefits from an
investment, as is the case for information security, the investment
decision is influenced mostly by which one of the following?
A. Penetration test results.
B. Benchmarking.
C. Availability of cash.
D. Management policy.
Management policy provides direction for the implementation of security,
particularly when tangible benefits are not clear and the decision is closely linked
to management's risk appetite. The other options are inappropriate R4

49
Biometric devices can be considered to be which one of the following?
A. Something you know.
B. Something you have.
C. Something you are.
D. Something you give.
Biometric devices use a part of your body (eye, finger, palm, wrist, face),
something that you are, and cannot change R3

50
Which of the following best describes two-factor authentication?
A. A logon user-id and a password.
B. Something you have and something you know.
C. Challenge and response.
D. Public and private key encryption.
B is the traditional definition of two-factor authentication, whilst the other options
are all phrases linked to authentication techniques R2

51
Which one of the following would be generally accepted as a
reasonably good amount of bandwidth availability?
A. Ping response in under 3 ms.
B. Ping response in under 30 ms.
C. Ping response in under 300 ms.
D. Ping response in under 3000 ms.
150 ms is considered excellent, and 300 ms is reasonably good R3

52
A device on the network using PKI authentication will require which
one of the following to take place first?
A. The certificate authority's public key.
B. The other entity's public key.
C. The user's public key certificate.
D. The network session's public key.
The CA's public key is needed first to verify the certificate on the message from the sender R1

// QUESTIONS C4_61 to C4_66

53
How can the information security manager ensure support from the
staff for the enterprise's security measures?
A. Surprise information security audits.
B. Regular information security communications.
C. Staff incentive scheme.
D. Through the threat of penalties.
Regular communication is regarded as the best approach to maintaining
awareness and support R2

54
Which one of the following activities is not a role for the security
manager?
A. Secure a network server.
B. Gain senior management support.
C. Consultant to internal departments.
D. Educator of employees.
If the security manager personally spent too much time on detailed project
activities, other important security related tasks may go unmanaged R1

55
Which staff are most likely to comply with the enterprise's information
security policies and practices?
A. Staff who understand the reasons for security.
B. Staff who are in employment the longest.
C. Staff who fear the consequences most.
D. Information technology staff.
Understanding the reasons for security is considered best practice to ensure
compliance with security requirements R1

56
Which of the following is likely to be the most effective role for an
information security manager to succeed in implementing the most
appropriate security measures?
A. Administrator.
B. Facilitator.
C. Expert.
D. Reviewer.
Facilitating discussions between business management and IT personnel in
matters pertaining to security implementation is most likely to be an effective role
for the security manager R2

57
Which of the following is likely to be most effective in generating
support for information security measures?
A. Explain threats.
B. Demonstrate benefits.
C. Present vulnerabilities.
D. Communicate aims.
Documenting tangible benefits is the most successful approach to obtaining
support R2

58
A. Total number of security breaches enterprise-wide.
B. Employee knowledge of the levels of security appropriate to the
enterprise.
C. Results from an enterprise-wide information security vulnerability
assessment.
D. Level of inherent risks across the enterprise after the campaign.
Only B is an appropriate measure as it shows the level of employee
understanding - the result of the awareness campaign should have been to
improve this R2

59
When is it most appropriate to implement employee awareness about
information security?
A. Application related user training.
B. Staff appraisals.
C. On-the-job training.
D. Employee induction training.
Awareness should start when the employee joins the enterprise R4

60
Good advice for developing an enterprise-wide security awareness
campaign is which one of the following?
A. Resist the influence of culture.
B. Keep it simple.
C. Concentrate on a single medium.
D. Make use of threats to get results.
Keeping things simple is good advice. It is also good to be aware of the
enterprise's culture and the need for multiple media to get the message
across. Use of threats is negative motivation and is rarely successful R2
