An IT asset management program should include all of the following components EXCEPT:
Maintaining inventories of systems, connections, and software applications
Defining application security standards for internally developed applications
Tracking and monitoring availability of vendor updates and any timelines for end of support
Identifying and tracking adherence to IT asset end-of-life policy
An IT asset management program is a set of processes and tools that help an organization manage its IT assets throughout their lifecycle, from acquisition to disposal. An IT asset management program should include the following components1234:
Defining application security standards for internally developed applications is not a component of an IT asset management program, but rather a component of an application development and security program. An application development and security program is a set of processes and tools that help an organization design, develop, test, deploy, and maintain secure and reliable applications, whether they are internally developed or acquired from external sources. An application development and security program should include the following components5 :
References:
Which of the following statements is FALSE about Data Loss Prevention Programs?
DLP programs include the policy, tool configuration requirements, and processes for the identification, blocking or monitoring of data
DLP programs define the consequences for non-compliance to policies
DLP programs define the required policies based on default tool configuration
DLP programs include acknowledgement the company can apply controls to remove any data
Data Loss Prevention (DLP) programs are not based on default tool configuration, but on the specific needs and risks of the organization. DLP programs should be tailored to the data types, locations, flows, and users that are relevant to the business. DLP programs should also align with the regulatory and contractual obligations, as well as the data risk appetite, of the organization. Default tool configuration may not adequately address these factors and may result in either over-blocking or under-protecting data. Therefore, statement C is false about DLP programs. References:
Which statement reflects a requirement that is NOT typically found in a formal Information Security Incident Management Program?
The program includes the definition of internal escalation processes
The program includes protocols for disclosure of information to external parties
The program includes mechanisms for notification to clients
The program includes processes in support of disaster recovery
An Information Security Incident Management Program is a set of policies, procedures, and tools that enable an organization to prevent, detect, respond to, and recover from information security incidents. An information security incident is any event that compromises the confidentiality, integrity, or availability of information assets, systems, or services12. A formal Information Security Incident Management Program typically includes the following components12:
The statement that reflects a requirement that is NOT typically found in a formal Information Security Incident Management Program is D. The program includes processes in support of disaster recovery. While disaster recovery is an important aspect of information security, it is not a specific component of an Information Security Incident Management Program. Rather, it is a separate program that covers the broader scope of business continuity and resilience, and may involve other types of disasters besides information security incidents, such as natural disasters, power outages, or pandemics3 . Therefore, the correct answer is D. The program includes processes in support of disaster recovery. References: 1: Computer Security Incident Handling Guide 2: Develop and Implement a Security Incident Management Program 3: Business Continuity Management vs Disaster Recovery : What is the difference between disaster recovery and security incident response?
Which statement is NOT a method of securing web applications?
Ensure appropriate logging and review of access and events
Conduct periodic penetration tests
Adhere to web content accessibility guidelines
Include validation checks in SDLC for cross site scripting and SOL injections
Web content accessibility guidelines (WCAG) are a set of standards that aim to make web content more accessible to people with disabilities, such as visual, auditory, cognitive, or motor impairments. While WCAG is a good practice for web development and usability, it is not directly related to web application security. WCAG does not address the common security risks that web applications face, such as injection, broken authentication, misconfiguration, or vulnerable components. Therefore, adhering to WCAG is not a method of securing web applications, unlike the other options. References:
Copyright © 2021-2024 CertsTopics. All Rights Reserved