
CISM—Certified Information Security Manager - Part 189

Mary Smith

Thu, 16 Apr 2026


1. Which of the following would represent a violation of the chain of custody when a backup tape has been identified as evidence in a fraud investigation? The tape was:

A) removed into the custody of law enforcement investigators.
B) kept in the tape library pending further analysis.
C) sealed in a signed envelope and locked in a safe under dual control.
D) handed over to authorized independent investigators.



2. When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach?

A) Business continuity plan
B) Disaster recovery plan
C) Incident response plan
D) Vulnerability management plan



3. Isolation and containment measures for a compromised computer have been taken and information security management is now investigating. What is the MOST appropriate next step?

A) Run a forensics tool on the machine to gather evidence
B) Reboot the machine to break remote connections
C) Make a copy of the whole system's memory
D) Document current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports



4. Why is 'slack space' of value to an information security manager as part of an incident investigation?

A) Hidden data may be stored there
B) The slack space contains login information
C) Slack space is encrypted
D) It provides flexible space for the investigation



5. What is the PRIMARY objective of a post-event review in incident response?

A) Adjust budget provisioning
B) Preserve forensic data
C) Improve the response process
D) Ensure the incident is fully documented



1. Right Answer: B
Explanation: Since a number of individuals would have access to the tape library, and could have accessed and tampered with the tape, the chain of custody could not be verified. All other choices provide clear indication of who was in custody of the tape at all times.

2. Right Answer: C
Explanation: An incident response plan documents the step-by-step process to follow, as well as the related roles and responsibilities pertaining to all parties involved in responding to an information security breach. A business continuity plan or disaster recovery plan would be triggered during the execution of the incident response plan in the case of a breach impacting the business continuity. A vulnerability management plan is a procedure to address technical vulnerabilities and mitigate the risk through configuration changes (patch management).

3. Right Answer: C
Explanation: When investigating a security breach, it is important to preserve all traces of evidence left by the invader. For this reason, it is imperative to preserve the memory contents of the machine in order to analyze them later. The correct answer is choice C because a copy of the whole system's memory is obtained for future analysis by running the appropriate tools. This is also important from a legal perspective since an attorney may suggest that the system was changed during the conduct of the investigation. Running a computer forensics tool on the compromised machine will cause the creation of at least one process that may overwrite evidence. Rebooting the machine will delete the contents of the memory, erasing potential evidence. Collecting information about current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports is correct, but doing so by using tools may also erase memory contents.

4. Right Answer: A
Explanation: Slack space is the unused space between where the file data end and the end of the cluster the data occupy. Login information is not typically stored in the slack space. Encryption for the slack space is no different from the rest of the file system. The slack space is not a viable means of storage during an investigation.

5. Right Answer: C
Explanation: The primary objective is to find any weakness in the current process and improve it. The other choices are all secondary.
