BCS Foundation Certificate in Information Security Management Principles V9.0 CISMP-V9 Exam Practice Test

Answer : D

Turning on SSID broadcasts is not considered a best practice for securing a wireless network. SSID broadcasts make the network name publicly visible, which can be an invitation for unauthorized users to attempt to access the network. Best practices suggest disabling SSID broadcasts to make the network less visible and thus less likely to be targeted by malicious actors.While using WPA encryption, MAC filtering, and dedicating an access point on a VLAN connected to a firewall are all recommended security measures, advertising the network's presence via SSID broadcasts does not enhance security and could potentially compromise it12.

Answer : A

When selecting a third-party digital forensics service provider, it is crucial to ensure that the company has the appropriate accreditations and the staff hold relevant certifications. This ensures that the service provider adheres to recognized standards and best practices in digital forensics, which is essential for the integrity and admissibility of evidence. Company accreditation provides assurance that the organization follows industry-recognized quality standards, while staff certification demonstrates that the individuals handling the forensic process are qualified and competent. This combination is vital for maintaining the credibility of the forensic investigation and the security of the data handled.

Answer : A

The method used to target senior individuals in an organization for coercing them into actions like misdirected high-value payments is known as awhaling attack. This type of attack is a more targeted version of phishing, aimed specifically at high-ranking executives or important individuals within an organization. The attackers masquerade as a senior player at the organization and use social engineering techniques to trick the target into performing actions such as transferring money or revealing sensitive information. Whaling attacks are highly personalized and often involve extensive research on the target to make the fraudulent requests seem legitimate and convincing.The term ''whaling'' is used because it refers to going after the ''big fish'' or ''whales'' of an organization, such as CEOs or CFOs, who have access to significant resources and sensitive information.Reference: Based on the information provided by Kaspersky's resource center on whaling attacks1.

Answer : C

In the context of information security vulnerabilities, we are typically referring to weaknesses that can be exploited by threats to compromise the confidentiality, integrity, or availability of an information system. Options A, B, and D all represent potential vulnerabilities:

A: Use of HTTP for an Apache web server could allow for interception of data due to lack of encryption.

B: An unpatched Windows operating system could have known security flaws that can be exploited.

D: An unlocked filing cabinet could lead to unauthorized physical access to sensitive documents.

Option C, however, refers to the storage of confidential data in a fire safe, which is a protective measure rather than a vulnerability. A fire safe is designed to protect physical assets from damage or destruction, particularly in the event of a fire, and does not inherently contain a weakness that could be exploited by a cyber threat. Therefore, it is not considered an information security specific vulnerability.

Answer : B

An organization's security policy should be a reflection of its own security stance and principles, not tailored to third parties. While it may be informed by third-party requirements, the policy itself should not be amended to suit all third-party contractors. This is because the security policy is meant to establish a clear set of rules and expectations for the organization's members to maintain the confidentiality, integrity, and availability of its data. It should be defined, approved by management, and communicated to employees and relevant external parties. Amending the policy to suit all third-party contractors could lead to a dilution of the security standards and potentially compromise the organization's security posture.

Answer : B

Static testing is a method where the code is analyzed without being executed. It involves reviewing the code, documentation, and other related artifacts to identify errors at an early stage. Static testing can detect potential issues like syntax errors, variable misuse, and security vulnerabilities. This type of testing is crucial because it helps to find errors before the code is run, which can save time and resources in the development process.It's typically done through various techniques such as code reviews, walkthroughs, and the use of static analysis tools12.

Understanding of static testing and its importance in the software development lifecycle is well-documented in the literature, including the BCS Foundation Certificate in Information Security Management Principles1.

Further details on static testing methodologies and their application can be found in industry-specific guidelines and best practices2.

Answer : A

The British Standards Institution (BSI) is known for producing standards that cover good practices in various domains, including information assurance. BSI is the UK's national standards body and a founding member of the International Organization for Standardization (ISO). It contributes to the development of international standards through ISO, which provides frameworks and best practices for information security management systems (ISMS), such as the ISO/IEC 27000 series. These standards are designed to help organizations manage the security of assets such as financial information, intellectual property, employee details, and information entrusted by third parties.