As a CISSP working for a direct bank based in Taiwan that relies entirely on internet banking, you are participating in a development meeting for threat modeling the customer relationship management (CRM) system, a web application. A member identifies an attack vector that malicious users might manipulate query parameters in the URL resulting in a server buffer overflow. Which of the following should be conducted first?
A. Replace the static array as the buffer with a dynamic one
B. Refer to OWASP Top 10 for suggested solutions
C. Evaluate how easy for a malicious user to make it
D. Authenticate every user input
Continue reading →

As a CISSP working for a direct bank based in Taiwan that relies entirely on internet banking, you are collaborating with the software development team of the customer relationship management (CRM) system to address security concerns. Which of the following approaches or standards will you least likely to employ?
A. Security function
B. XP (eXtreme Programming)
C. ISO 15288
D. The Sherwood Applied Business Security Architecture (SABSA)
Continue reading →

As a CISO working for a direct bank based in Taiwan that relies entirely on internet banking, you are collaborating with the Human Resources (HR) department to improve personnel security. Which of the following will you suggest to review first?
A. Role-based access control mechanisms
B. Background investigation procedures
C. Implementation of separation of duties
D. Effectiveness and correctness of job descriptions
Continue reading →

The system administrator found a logic bomb installed on a back-end server. It was alleged that the disgruntled former system administrator got involved. As a security professional, which of the following will you suggest first to prevent it from reoccurring?
A. Ask 5-Whys to investigate in-depth for the solution
B. Reinstall the server using the CD media
C. Conduct thorough reference check and background investigation
D. Apply lessons learned for continuous improvement
Continue reading →

You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. Your bank is considering outsourcing the customer relationship management (CRM) system to an offshore software development vendor. Which of the following action should your bank take first?
A. Conduct the threat scenario analysis
B. Describe threat sources that are relevant to the organization
C. Develop and select threat events for analysis
D. Determine applicable controls
Continue reading →

You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. You want to evaluate if security controls are implemented correctly, operating as intended, and producing the desired outcome. Which of the following should you conduct?
A. Risk assessment
B. Third-party audit
C. Business impact analysis
D. Security control assessment
Continue reading →

You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. The software development team is developing a customer relationship management (CRM) system. You are drafting the privacy policy for customer data. Which of the following behavior of the system will concern you most?
A. It shows the privacy policy with the opt-in option to consent
B. It provides an “unsubscribe” link to opt-out of receiving marketing emails
C. It constrains the customer from updating personal data to meet the use limitation principle
D. It opens to the customer to update personal data online
Continue reading →