The CISM Prep Guide: Mastering the Five Domains of Information Security Management
* CISM is business-oriented and intended for the individual who must manage, design, oversee, and assess an enterprise's information security
* Essential reading for those who are cramming for this new test and need an authoritative study guide
* Many out-of-work IT professionals are seeking security management certification as a vehicle to re-employment
* CD-ROM includes a Boson-powered test engine with all the questions and answers from the book
Chapter 1. Information Security Governance.
Chapter 2. Risk Management.
Chapter 3. Information Security Program Management.
Chapter 4. Information Security Management.
Chapter 5. Response Management.
Appendix A. Glossary of Terms and Acronyms.
Appendix B. CISM Area Tasks and Knowledge Statements.
Appendix C. Answers to Sample Questions.
RUSSELL DEAN VINES, CISSP, is President and founder of The RDV Group Inc., a New York City-based security consulting services firm. He is the author of Wireless Security Essentials and coauthor of the CISSP Prep Guide, The CISSP Prep Guide, Gold Edition, and the Security+ Prep Guide (Wiley).
Do you think you've discovered an error in this book? Please check the list of errata below to see if we've already addressed the error. If not, please submit the error via our Errata Form. We will attempt to verify your error; if you're right, we will post a correction below.
|CD ID#52||CD Question ID#52
Put the following steps in the qualitative scenario procedure in order: A. The team prepares its findings and presents them to management. B. A scenario is written to address each identified threat. C. Business unit managers review the scenario for a reality check. D.The team works through each scenario by using a threat, asset, and safeguard. A: A,C,D,B B: B,C,D,A C: C,A,B,D D: B,C,A,D Explanation: See Chapter 2 Errata: Answer should be Answer B “B,C,D,A.” The test engine does not properly handle answer types such as this and the authors approved this re-edited version during editing. However, the developer did not make the correction in time for publication.
|CD ID#61||CD Question ID#61
Three things that must be considered for the planning and implementation of access control mechanisms are: A: Threats, assets, and objectives B: Threats, vulnerabilities, and risks C: Vulnerabilities, secret keys, and exposures D: Exposures, threats, and countermeasures Explanation: Threats define the possible source of security policy violations; vulnerabilities describe weaknesses in the system that might be exploited by the threats; the risk determines the probability of threats being realized. All three items must be present to apply access control meaningfully. Therefore, the other answers are incorrect. Errata: The authors and publisher are aware that questions 61 and 65 are very similar. The random selection function of the test engine may cause these questions to occur in close succession.
|CD ID#65||CD Question ID#65
Access control must consider which of the following? A: Vulnerabilities, biometrics, and exposures B: Threats, assets, and safeguards C: Exposures, threats, and countermeasures D: Threats, vulnerabilities, and risks Explanation: Threats are an event or situation that may cause harm to an information system; vulnerabilities describe weaknesses in the system that might be exploited by the threats; the risk determines the probability of threats being realized. All three items must be considered to apply access control meaningfully. Therefore, the other answers are incorrect. Errata: The authors and publisher are aware that questions 61 and 65 are very similar. The random selection function of the test engine may cause these questions to occur in close succession.
|CD ID#68||CD Question ID#68
Which statement is accurate about the reasons to implement a layered security architecture? A: A layered security approach is not necessary when using COTS products B: A good packet-filtering router will eliminate the need to implement a layered security architecture C: A layered security approach is intended to increase the work factor for an attacker D: A layered approach doesn't really improve the security posture of the organization Explanation: Security designs should consider a layered approach to address or protect against a specific threat or to reduce a vulnerability. For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion detection system combine to increase the work factor an attacker must expend to attack the system successfully. The need for layered protections is important when commercial off-the- shelf (COTS) products are used. The current state–of–the art for security quality in COTS products does not provide a high degree of protection against sophisticated attacks. It is possible to help mitigate this situation by placing several controls in levels, requiring additional work by attackers to accomplish their goals. Errata: In the explanation, state–of–the art should be state-of-the-art.
|CD ID#77||CD Question ID#77
Using prenumbered forms to initiate a transaction is an example of what type of control? A: Deterrent control B: Preventive control C: Detective control D: Application control Explanation: Prenumbered forms are an example of preventive controls. They can also be considered a transaction control and input control. Errata: Answer should be C. The authors did submit this correction during editing, but the developer did not make the correction in time for publication.
|CD ID#117||CD Question ID#117
As stated in the National Security Agency/Central Security Service (NSA/CSS) Circular No. 500R, the objective of acquisition management is to manage a project by applying a number of techniques. Which one of the following is NOT one of these techniques? A: Functional analysis B: Design synthesis C: Freezing requirements early in the design cycle D: Verification Explanation: The correct answer is C. The circular states that the requirements shall be reviewed at key decision points and, if necessary, refined to meet cost, schedule, and performance objectives. Errata: C should read: Freezing requirements early in the design cycle. The authors did submit this correction during editing, but the developer did not make the correction in time for publication.
|CD ID#147||CD Question ID#147
In configuration management, a configuration item is: A: The version of the operating system that is operating on the workstation that provides information security services B: A component whose state is to be recorded and against which changes are to be progressed C: The network architecture used by the organization D: A series of files that contain sensitive information Explanation: Answers a, c, and d are incorrect by the definition of a configuration item. Errata: The authors and publisher are aware that question 147 may be repeated. The random selection function of the test engine may cause questions to occur in close succession.
|CD ID#149||CD Question ID#149
Which element of Configuration Management involves the use of Configuration Items (CIs)? A: Configuration accounting B: Configuration audit C: Configuration control D: Configuration identification Explanation: The discipline of identifying the components of a continually evolving system for the purposes of controlling changes to those components and maintaining integrity and traceability throughout the life cycle is called configuration identification. Configuration management entails decomposing the verification system into identifiable, understandable, manageable, trackable units known as Configuration Items (CIs). A CI is a uniquely identifiable subset of the system that represents the smallest portion to be subject to independent configuration control procedures. The decomposition process of a verification system into CIs is called configuration identification. CIs can vary widely in size, type, and complexity. Although there are no hard –and fast rules for decomposition, the granularity of CIs can have great practical importance. A favorable strategy is to designate relatively large CIs for elements that are not expected to change over the life of the system and small CIs for elements likely to change more frequently. Answer a, configuration accounting, documents the status of configuration control activities and in general provides the information needed to manage a configuration effectively. It allows managers to trace system changes and establish the history of any developmental problems and associated fixes. Answer b, configuration audit, is the quality assurance component of configuration management. It involves periodic checks to determine the consistency and completeness of accounting information and to verify that all configuration management policies are being followed. Answer c, configuration control, is a means of ensuring that system changes are approved before being implemented, only the proposed and approved changes are implemented, and the implementation is complete and accurate. Errata: The first sentence in the Explanation should read, “The discipline of identifying the components of a continually evolving system for the purposes of controlling changes to those components and maintaining integrity and traceability throughout the life cycle is called configuration identification:…”
|CD ID#158||CD Question ID#158
Which statement is true about security awareness and educational programs? A: Awareness and training help users become more accountable for their actions. B: Security education assists management in determining who should be promoted. C: A security awareness and training program helps prevent the occurrence of natural disasters. D: Security awareness is not necessary for high-level senior executives. Explanation: Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior. It also supports individual accountability because without the knowledge of the necessary security measures and how to use them, users cannot be truly accountable for their actions. Errata: Answer should be A. The authors did submit this correction during editing, but the developer did not make the correction in time for publication.
|CD ID#188||CD Question ID#188
In which order should the following steps be taken to create an emergency management plan? A .Implement the plan B. Form a planning team C. Develop a plan D. Conduct a vulnerability assessment A: B,C,D,A B: B,D,A,C C: D,B,C,A D: B,D,C,A Explanation: The proper order of steps in the emergency management planning process is the following: *Establish a planning team *Analyze capabilities and hazards *Develop the plan *Implement the plan Errata: Answer should be Answer D, “B,D,C,A.” The test engine does not properly handle answer types such as this and the authors approved this re-edited version during editing. However, the developer did not make the correction in time for publication.
|CD ID#190||CD Question ID#190
In which order should the following steps be taken to perform a vulnerability assessment? A. List potential emergencies B. Estimate probability C. Assess external and internal resources D. Assess potential impact A: A,D,B,C B: D,A,B,C C: A,B,D,C D: B,A,D,C Explanation: Common steps to performing a vulnerability assessment could be the following: *List potential emergencies, both internally to your facility and externally to the community. Natural, man-made, technological, and human error are all categories of potential emergencies and errors. *Estimate the likelihood that each emergency could occur, in a subjective analysis. *Assess the potential impact of the emergency on the organization in the areas of human impact (death or injury), property impact (loss or damage), and business impact (market share or credibility). *Assess external and internal resources required to deal with the emergency, and determine if they are located internally or if external capabilities or procedures are required. Errata: Answer should be Answer C, “A,B,D,C.” The test engine does not properly handle answer types such as this and the authors approved this re-edited version during editing. However, the developer did not make the correction in time for publication.
|174||Error in Text
?Page 174 of this book under The US Office of the Secretary of Defense Acquisition Reform mentions 10 principles, although the book only mentions 9 of these.?