The CISM Prep Guide: Mastering the Five Domains of Information Security ManagementISBN: 978-0-471-45598-1
Paperback
456 pages
May 2003
 This title is out-of-print and not currently available for purchase from this site.
|
Do you think you've discovered an error in this book? Please check the list of errata below to see if we've already addressed the error. If not, please submit the error via our Errata Form. We will attempt to verify your error; if you're right, we will post a correction below.
| Chapter | Page | Details | Date | Print Run |
|---|---|---|---|---|
| CD ID#52 | CD Question ID#52 Put the following steps in the qualitative scenario procedure in order: A. The team prepares its findings and presents them to management. B. A scenario is written to address each identified threat. C. Business unit managers review the scenario for a reality check. D.The team works through each scenario by using a threat, asset, and safeguard. A: A,C,D,B B: B,C,D,A C: C,A,B,D D: B,C,A,D Explanation: See Chapter 2 Errata: Answer should be Answer B “B,C,D,A.” The test engine does not properly handle answer types such as this and the authors approved this re-edited version during editing. However, the developer did not make the correction in time for publication. |
2/22/04 | ||
| CD ID#61 | CD Question ID#61 Three things that must be considered for the planning and implementation of access control mechanisms are: A: Threats, assets, and objectives B: Threats, vulnerabilities, and risks C: Vulnerabilities, secret keys, and exposures D: Exposures, threats, and countermeasures Explanation: Threats define the possible source of security policy violations; vulnerabilities describe weaknesses in the system that might be exploited by the threats; the risk determines the probability of threats being realized. All three items must be present to apply access control meaningfully. Therefore, the other answers are incorrect. Errata: The authors and publisher are aware that questions 61 and 65 are very similar. The random selection function of the test engine may cause these questions to occur in close succession. |
6/13/03 | ||
| CD ID#65 | CD Question ID#65 Access control must consider which of the following? A: Vulnerabilities, biometrics, and exposures B: Threats, assets, and safeguards C: Exposures, threats, and countermeasures D: Threats, vulnerabilities, and risks Explanation: Threats are an event or situation that may cause harm to an information system; vulnerabilities describe weaknesses in the system that might be exploited by the threats; the risk determines the probability of threats being realized. All three items must be considered to apply access control meaningfully. Therefore, the other answers are incorrect. Errata: The authors and publisher are aware that questions 61 and 65 are very similar. The random selection function of the test engine may cause these questions to occur in close succession. |
6/13/03 | ||
| CD ID#68 | CD Question ID#68 Which statement is accurate about the reasons to implement a layered security architecture? A: A layered security approach is not necessary when using COTS products B: A good packet-filtering router will eliminate the need to implement a layered security architecture C: A layered security approach is intended to increase the work factor for an attacker D: A layered approach doesn't really improve the security posture of the organization Explanation: Security designs should consider a layered approach to address or protect against a specific threat or to reduce a vulnerability. For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion detection system combine to increase the work factor an attacker must expend to attack the system successfully. The need for layered protections is important when commercial off-the- shelf (COTS) products are used. The current state–of–the art for security quality in COTS products does not provide a high degree of protection against sophisticated attacks. It is possible to help mitigate this situation by placing several controls in levels, requiring additional work by attackers to accomplish their goals. Errata: In the explanation, state–of–the art should be state-of-the-art. |
3/19/04 | ||
| CD ID#77 | CD Question ID#77 Using prenumbered forms to initiate a transaction is an example of what type of control? A: Deterrent control B: Preventive control C: Detective control D: Application control Explanation: Prenumbered forms are an example of preventive controls. They can also be considered a transaction control and input control. Errata: Answer should be C. The authors did submit this correction during editing, but the developer did not make the correction in time for publication. |
3/19/04 | ||
| CD ID#117 | CD Question ID#117 As stated in the National Security Agency/Central Security Service (NSA/CSS) Circular No. 500R, the objective of acquisition management is to manage a project by applying a number of techniques. Which one of the following is NOT one of these techniques? A: Functional analysis B: Design synthesis C: Freezing requirements early in the design cycle D: Verification Explanation: The correct answer is C. The circular states that the requirements shall be reviewed at key decision points and, if necessary, refined to meet cost, schedule, and performance objectives. Errata: C should read: Freezing requirements early in the design cycle. The authors did submit this correction during editing, but the developer did not make the correction in time for publication. |
3/19/04 | ||
| CD ID#147 | CD Question ID#147 In configuration management, a configuration item is: A: The version of the operating system that is operating on the workstation that provides information security services B: A component whose state is to be recorded and against which changes are to be progressed C: The network architecture used by the organization D: A series of files that contain sensitive information Explanation: Answers a, c, and d are incorrect by the definition of a configuration item. Errata: The authors and publisher are aware that question 147 may be repeated. The random selection function of the test engine may cause questions to occur in close succession. |
2/22/04 | ||
| CD ID#149 | CD Question ID#149 Which element of Configuration Management involves the use of Configuration Items (CIs)? A: Configuration accounting B: Configuration audit C: Configuration control D: Configuration identification Explanation: The discipline of identifying the components of a continually evolving system for the purposes of controlling changes to those components and maintaining integrity and traceability throughout the life cycle is called configuration identification. Configuration management entails decomposing the verification system into identifiable, understandable, manageable, trackable units known as Configuration Items (CIs). A CI is a uniquely identifiable subset of the system that represents the smallest portion to be subject to independent configuration control procedures. The decomposition process of a verification system into CIs is called configuration identification. CIs can vary widely in size, type, and complexity. Although there are no hard –and fast rules for decomposition, the granularity of CIs can have great practical importance. A favorable strategy is to designate relatively large CIs for elements that are not expected to change over the life of the system and small CIs for elements likely to change more frequently. Answer a, configuration accounting, documents the status of configuration control activities and in general provides the information needed to manage a configuration effectively. It allows managers to trace system changes and establish the history of any developmental problems and associated fixes. Answer b, configuration audit, is the quality assurance component of configuration management. It involves periodic checks to determine the consistency and completeness of accounting information and to verify that all configuration management policies are being followed. Answer c, configuration control, is a means of ensuring that system changes are approved before being implemented, only the proposed and approved changes are implemented, and the implementation is complete and accurate. Errata: The first sentence in the Explanation should read, “The discipline of identifying the components of a continually evolving system for the purposes of controlling changes to those components and maintaining integrity and traceability throughout the life cycle is called configuration identification:…” |
3/19/04 | ||
| CD ID#158 | CD Question ID#158 Which statement is true about security awareness and educational programs? A: Awareness and training help users become more accountable for their actions. B: Security education assists management in determining who should be promoted. C: A security awareness and training program helps prevent the occurrence of natural disasters. D: Security awareness is not necessary for high-level senior executives. Explanation: Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior. It also supports individual accountability because without the knowledge of the necessary security measures and how to use them, users cannot be truly accountable for their actions. Errata: Answer should be A. The authors did submit this correction during editing, but the developer did not make the correction in time for publication. |
2/22/04 | ||
| CD ID#188 | CD Question ID#188 In which order should the following steps be taken to create an emergency management plan? A .Implement the plan B. Form a planning team C. Develop a plan D. Conduct a vulnerability assessment A: B,C,D,A B: B,D,A,C C: D,B,C,A D: B,D,C,A Explanation: The proper order of steps in the emergency management planning process is the following: *Establish a planning team *Analyze capabilities and hazards *Develop the plan *Implement the plan Errata: Answer should be Answer D, “B,D,C,A.” The test engine does not properly handle answer types such as this and the authors approved this re-edited version during editing. However, the developer did not make the correction in time for publication. |
2/22/04 | ||
| CD ID#190 | CD Question ID#190 In which order should the following steps be taken to perform a vulnerability assessment? A. List potential emergencies B. Estimate probability C. Assess external and internal resources D. Assess potential impact A: A,D,B,C B: D,A,B,C C: A,B,D,C D: B,A,D,C Explanation: Common steps to performing a vulnerability assessment could be the following: *List potential emergencies, both internally to your facility and externally to the community. Natural, man-made, technological, and human error are all categories of potential emergencies and errors. *Estimate the likelihood that each emergency could occur, in a subjective analysis. *Assess the potential impact of the emergency on the organization in the areas of human impact (death or injury), property impact (loss or damage), and business impact (market share or credibility). *Assess external and internal resources required to deal with the emergency, and determine if they are located internally or if external capabilities or procedures are required. Errata: Answer should be Answer C, “A,B,D,C.” The test engine does not properly handle answer types such as this and the authors approved this re-edited version during editing. However, the developer did not make the correction in time for publication. |
2/11/04 | ||
| 174 | Error in Text ?Page 174 of this book under The US Office of the Secretary of Defense Acquisition Reform mentions 10 principles, although the book only mentions 9 of these.? |
12/9/2013 |
Related Titles
More By These Authors
Security
Read an Excerpt
.png){kind=small}
Join An E-mail ListLearn about the latest products, events, offers and content. |
