
26/03/14

CISSP, CISA, CISM

Dr. Edgar R. Weippl

Agenda
• Introduction & Overview (20 min)
• CISSP in Detail (30 min + 40 min)
  – Access Control
  – Some Exam Questions
• CISA in Detail (20 min + 30 min)
• CISM in Detail (20 min + 20 min)
• Summary

Comparison

CISSP
• Certified Information Systems Security Professional
• Technical overview
• Security focus

CISA
• Certified Information Systems Auditor
• Auditors
• IT Systems

CISM
• Certified Information Security Manager
• Managers
• Related to CISA

Comparison

CISSP
• EUR 510 / exam
• USD 85 annual fee
• ISC2

CISA
• USD 325 – 455 / exam (member / nonmember)
• USD 40 – 75 annual fee
• ISACA

CISM
• USD 325 – 455 / exam (member / nonmember)
• USD 40 – 75 annual fee
• ISACA

CISM IN DETAIL

• 0900-0910 Intro
• 0910-0925 CISM 1
• 0925-0940 CISM 2
• 0940-0955 CISM 3
• 0955-1010 CISM 4
• 1010-1025 CISM 5
• Conclusion

CISM Topics
1. Information Security Governance
2. Information Risk Management
3. Information Security Program Development
4. Information Security Program Management
5. Incident Management and Response

Information Security Governance

• 10 questions, 35 sec. each (twice as fast as the real exam)

• 1.1 A security strategy is important for an organization PRIMARILY because it provides:

a. a basis for determining the best logical security architecture for the organization
b. management intent and direction for security activities
c. provides users guidance on how to operate securely in everyday tasks
d. helps IT auditors ensure compliance

• 1.2 The MOST important reason to make sure there is good communication about security throughout the organization is:

a. to make security more palatable to resistant employees
b. because people are the biggest security risk
c. to inform business units about security strategy
d. to conform to regulations requiring all employees are informed about security

• 1.3 The regulatory environment for most organizations mandates a variety of security-related activities. It is MOST important that the information security manager:

a. rely on corporate counsel to advise which regulations are relevant
b. stay current with all relevant regulations and request legal interpretation
c. involve all impacted departments and treat regulations as just another risk
d. ignore many of the regulations that have no teeth

• 1.4 The MOST important consideration in developing security policies is that:

a. they are based on a threat profile
b. they are complete and no detail is left out
c. management signs off on them
d. all employees read and understand them

• 1.5 The PRIMARY security objective in creating good procedures is:

a. to make sure they work as intended
b. that they are unambiguous and meet the standards
c. that they be written in plain language
d. that compliance can be monitored

• 1.6 The assignment of roles and responsibilities will be MOST effective if:

a. there is senior management support
b. the assignments are consistent with proficiencies
c. roles are mapped to required competencies
d. responsibilities are undertaken on a voluntary basis

• 1.7 The PRIMARY benefit organizations derive from effective information security governance is:

a. ensuring appropriate regulatory compliance
b. ensuring acceptable levels of disruption
c. prioritizing allocation of remedial resources
d. maximizing return on security investments

• 1.8 From an information security manager's perspective, the MOST important factors regarding data retention are:

a. business and regulatory requirements
b. document integrity and destruction
c. media availability and storage
d. data confidentiality and encryption

• 1.9 Which role is in the BEST position to review and confirm the appropriateness of a user access list?

a. data owner
b. information security manager
c. domain administrator
d. business manager

• 1.10 In implementing information security governance, the information security manager is PRIMARILY responsible for:

a. developing the security strategy
b. reviewing the security strategy
c. communicating the security strategy
d. approving the security strategy

Information Risk Management

• Tasks
  – Establish a process for information asset classification and ownership
  – Implement a systematic and structured information risk assessment process
  – Ensure that business impact assessments are conducted periodically.

10 questions

• 2.1 The overall objective of risk management is to:

a. eliminate all vulnerabilities, if possible
b. determine the best way to transfer risk
c. reduce risks to an acceptable level
d. implement effective countermeasures

• 2.2 The statement "risk = value x vulnerability x threat" indicates that:

a. risk can be quantified using annual loss expectancy (ALE)
b. approximate risk can be estimated, provided probability is computed
c. the level of risk is greater when more threats meet more vulnerabilities
d. without knowing value, risk cannot be calculated

• 2.3 To address changes in risk, an effective risk management program should:

a. ensure that continuous monitoring processes are in place
b. establish proper security baselines for all information resources
c. implement a complete data classification process
d. change security policies on a timely basis to address changing risks

• 2.4 Information classification is important to properly manage risk PRIMARILY because:

a. it ensures accountability for information resources as required by roles and responsibilities
b. it is a legal requirement under various regulations
c. there is no other way to meet the requirements for availability, integrity and auditability
d. it is used to identify the sensitivity and criticality of information to the organization

• 2.5 Vulnerabilities discovered during an assessment should be:

a. handled as a risk, even though there is no threat
b. prioritized for remediation solely based on impact
c. a basis for analyzing the effectiveness of controls
d. evaluated for threat and impact in addition to cost of mitigation

• 2.6 Indemnity agreements can be used to:

a. ensure an agreed-upon level of service
b. reduce impacts on critical resources
c. transfer responsibility to a third party
d. provide an effective countermeasure to threats

• 2.7 Residual risks can be determined by:

a. determining remaining vulnerabilities after countermeasures are in place
b. a threat analysis
c. a risk assessment
d. transferring all risks

• 2.8 Data owners are PRIMARILY responsible for creating risk mitigation strategies to address which of the following areas?

a. platform security
b. entitlement changes
c. intrusion detection
d. antivirus controls

• 2.9 A risk analysis should:

a. limit the scope to a benchmark of similar companies
b. assume an equal degree of protection for all assets
c. address the potential size and likelihood of loss
d. give more weight to the likelihood vs. the size of the loss

• 2.10 Which of the following is BEST for preventing an external attack?

a. static IP addresses
b. network address translation
c. background checks for temporary employees
d. writing computer logs to removable media

Information Security Program Development

• Questions…

• 3.1 Who is in the BEST position to develop the priorities and identify what risks and impacts would occur if there were a loss or corruption of the organization's information resources?

a. internal auditors
b. security management
c. business process owners
d. external regulatory agencies

• 3.2 The MOST important single concept for an information security architect to keep in mind is:

a. plan-do-check-act
b. confidentiality, integrity, availability
c. prevention, detection, correction
d. tone at the top

• 3.3 Which of the following is the BEST method of limiting the impact of vulnerabilities inherent to wireless networks?

a. require private, key-based encryption to connect to the wireless network
b. enable auditing on every host that connects to a wireless network
c. require that every host that connects to this network have a well-tested recovery plan
d. enable auditing on every connection to the wireless network

• 3.4 In an environment that practises defense in depth, an Internet application that requires a login for a user to access it would also require which of the following additional controls?

a. user authentication
b. user audit trails
c. network load balancing
d. network authentication

• 3.5 If an information security manager has responsibility for application security review, which of the following additional responsibilities presents a conflict of interest in performing the review?

a. operating system recovery
b. application administration
c. network change control
d. host-based intrusion detection

• 3.6 Which of the following BEST promotes accountability?

a. compliance monitoring
b. awareness training
c. secure implementation
d. documented policy

• 3.7 Which of the following conclusions renders the sentence MOST accurate? Vulnerabilities combined with threats:

a. always result in damage
b. require controls to avoid damage
c. allow exploits that may cause damage
d. always result in exploits

• 3.8 In which stage of the systems development life cycle (SDLC) should the information security manager create a list of security issues presented by the functional description of a newly planned system?

a. feasibility
b. requirements
c. design
d. development

• 3.9 What is the FIRST step in designing a secure client-server environment?

a. identify all data access points
b. establish operating system security on all platforms
c. require hard passwords
d. place a firewall between the server and clients

• 3.10 What BEST represents the hierarchy of access control strength, from weakest to strongest?

a. what you have, what you are, what you know
b. what you know, what you have, what you are
c. what you are, what you have, what you know
d. what you are, what you know, what you have

Information Security Program Management

• Questions…

• 4.1 The change management procedure MOST likely to cause concern to the information security manager is when:

a. fallback processes are tested the weekend immediately prior to when the changes are made
b. users are notified of major scheduled system changes via electronic mail
c. a manual process is used by operations for comparing program versions
d. development managers have final authority for releasing new programs into production

• 4.2 Which of the following would indicate that an automated production scheduling system has inadequate security controls?

a. control statements are frequently changed to point to test libraries
b. failure of a process automatically initiates resetting of parameters
c. developers have read access to both production and test schedules
d. scheduling personnel have the ability to initiate an emergency override

• 4.3 When a trading partner who has access to the corporate internal network refuses to follow corporate security policies, the information security manager should initiate which of the following?

a. revoke their access
b. provide minimal access
c. send a breach of contract letter
d. contact the partner's external auditors

• 4.4 The MOST important aspect in writing good information security policies is to ensure that they:

a. are easy to read and understand
b. allow for flexible interpretation
c. capture the intent of management
d. change whenever operating systems are upgraded

• 4.5 Which of the following would be the BEST approach when conducting a security awareness campaign?

a. provide technical details on exploits
b. target system administrators and the help desk
c. provide customized messages for different groups
d. target senior managers and business process owners

• 4.6 The MOST appropriate metric to measure how well information security is managing the administration of user access is the percent of user IDs with corresponding:

a. active records in the identity management system
b. active records in the payroll system
c. records in the customer account system
d. records in the entitlement system

• 4.7 Of these uses for security metrics, which allows an information security manager to demonstrate that control objectives are met?

a. demonstrating policy compliance
b. charting frequency of failed hacking attempts
c. satisfying requests from IT audit
d. posting quarterly security activity

• 4.8 Which of the following types of audit trails would be BEST for an organization if fraud detection were the primary requirement?

a. firewall logs
b. operating system logs
c. application logs
d. single sign-on logs

• 4.9 Vulnerability assessments are a common method of determining potential weaknesses in systems. However, when performing a vulnerability assessment, the information security manager should also be MOST aware that:

a. if a vulnerability is discovered it must be eliminated
b. new vulnerabilities are constantly introduced
c. vulnerabilities provide no information on impacts
d. continuous testing is required

• 4.10 Which of the following is the MOST important function for information security management to monitor?

a. ensuring security procedures are properly disseminated
b. ensuring ongoing compliance with security policies
c. determining that metrics are consistent with best practices
d. measuring the validity of the security strategy

Incident Management and Response

• Questions

• 5.1 The PRIMARY goal of a postincident review is to:

a. gather evidence for subsequent legal action
b. identify individuals who failed to take appropriate action
c. prepare a report on the incident for management
d. derive ways to improve the response process

• 5.2 Which of the following is the MOST appropriate quality that an incident handler should possess?

a. presentation skills for management report
b. ability to follow policy procedures
c. integrity
d. ability to cope with stress

• 5.3 What is the PRIMARY reason for conducting triage?

a. limited resources in incident handling
b. as a part of the mandatory process in incident handling
c. to mitigate an incident
d. to detect an incident

• 5.4 Which of the following is the MOST important when deciding whether to build an alternate facility or subscribe to a hot site operated by a third party?

a. cost to rebuild information processing facilities
b. incremental daily cost of losing different systems
c. location and cost of commercial recovery facilities
d. estimated annualized loss expectancy (ALE) from key risks

• 5.5 Which of the following documents should be contained in a computer incident response team (CIRT) manual?

a. risk assessment
b. severity criteria
c. employee phone directory
d. table of all backup files

• 5.6 Which of the following types of insurance coverage would protect an organization against dishonest or fraudulent behavior by its own employees?

a. fidelity
b. business interruption
c. valuable papers and records
d. business continuity

• 5.7 Which of the following practices would BEST ensure the adequacy of a disaster recovery plan?

a. regular reviews of recovery plan information
b. table top walk-through of disaster recovery plans
c. regular recovery exercises, using expert personnel
d. regular audits of disaster recovery facilities

• 5.8 Which of the following procedures would provide the BEST protection if an intruder or malicious program has gained superuser (e.g., root) access to a system?

a. prevent the system administrator(s) from accessing the system until it can be shown that they were not the attackers
b. inspect the system and intrusion detection output to identify all changes and then undo them
c. rebuild the system
d. change all passwords, then resume normal operations

• 5.9 Which of the following statements concerning the use of outsourced intrusion detection services is TRUE?

a. even if outsourcing intrusion detection services, some company employees should be involved in intrusion detection
b. outsourced intrusion detection services generally cost more than having one's own employees involved in intrusion detection
c. expertise available from intrusion detection service providers is generally less than is available from within a company
d. most intrusion detection service providers will not provide only intrusion detection services – they will require a contract for incident response services

• 5.10 If a forensics copy of a hard drive is needed, the copied data is MOST defensible from a legal standpoint if which of the following is used?

a. a compressed copy of all contents of the hard drive
b. a copy that includes all files and directories
c. a bit-by-bit copy of all data
d. an encrypted copy of all contents of the hard drive