CISA study question confusion...

colemic Member Posts: 1,569 ■■■■■■■□□□
OK, call me crazy... but is the explanation given correct?

Which of the following controls would BEST detect intrusion?

a) User IDs and user privileges are granted through authorized procedures.

b) Automatic logoff is used when a workstation is inactive for a particular period of time.

c) Automatic logoff of the system occurs after a specified number of unsuccessful attempts.

d) Unsuccessful logon attempts are monitored by the security administrator.

'correct' answer: D?


Intrusion is detected by the active monitoring and review of unsuccessful logons. User IDs and the granting of user privileges define a policy, not a control. Automatic logoff is a method of preventing access on inactive terminals and is not a detective control. Unsuccessful attempts to log on are a method for preventing intrusion, not detecting.

Doesn't the part of the explanation I bolded above directly contradict 'd' being the correct answer?


Discuss amongst yourselves...


Working on: staying alive and staying employed

Comments

  • JDMurray Admin Posts: 13,081 Admin
    It's a copy-and-paste error. The last sentence should start, "Automatic logoff of the system is..." and not, "Unsuccessful attempts to log on are..."

    Always consider the possibility of typos and generally poor (or no) editing.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    Thanks... here's another gem from the ISACA study material:

    Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
    A. Assimilation of the framework and intent of a written security policy by all appropriate parties
    B. Management support and approval for the implementation and maintenance of a security policy
    C. Enforcement of security rules by providing punitive actions for any violation of security rules
    D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

    The correct answer is A.
    Assimilation of the framework and intent of a written security policy by the users of the system is critical to the successful implementation and maintenance of the security policy. A good password system may exist, but if the users of the system keep passwords written on their desk, the password is of little value. Management support and commitment is, no doubt, important, but for successful implementation and maintenance of a security policy, educating the users on the importance of security is paramount. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules, is also required, along with the user's education on the importance of security.

    That's the first time I have ever heard that senior leadership buy-in is not the most critical aspect.
    Working on: staying alive and staying employed
  • JDMurray Admin Posts: 13,081 Admin
    I'm guessing for management support to be obtained "assimilation" must be successful first. I dislike the use of the word "assimilation." That's really ambiguous.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    ...but if management doesn't buy in and support the policies, then they won't be implemented.

    I am super disappointed at the quality and hairsplitting of the ISACA study materials (not to mention the totally outrageous cost!). Those were just the two that I found last night.
    Working on: staying alive and staying employed
  • JDMurray Admin Posts: 13,081 Admin
    colemic wrote: »
    ...but if management doesn't buy in and support the policies, then they won't be implemented.
    As I said, management can't "buy in" if they can't "assimilate" (i.e., don't understand) what they are supposed to buy in to first.
  • redmond Member Posts: 18 ■□□□□□□□□□
    One of the secrets in passing CISA successfully is to clearly understand how ISACA thinks and expects you to in the exam. I do not see any issues with both the questions.
  • instant000 Member Posts: 1,745
    first question, was about BEST detecting intrusion. Only the D choice does that. Nothing else really monitors anything. Intrusion detection requires something to occur, and something to respond to that occurring.

    second question was about MOST critical for successful
    while it can be argued that management approval is usually recommended for everything security related, that would have been a good answer, except for this: the other choice said ALL parties, which meant everyone would participate. As we all know that security is not any stronger than its weakest link, getting everyone on board would be MOST critical, as "ALL" would have to include Management also, whereas only Management would exclude the workers who would be subject to the policy

    As you have a CISSP, and have other security experience, then you are correct that Management's approval is a very critical factor for accomplishing most anything security related. (It's a "theme" you develop, as you read the material, LOL.) But, you must also agree that, logically, "All" includes both management and the end user community.

    I think this question was posed to make you think, and make sure to choose the "BEST" answer.

    Like JDMurray, that term "assimilate" bothers me. Makes me think of the "Borg".

    Is that how the term is phrased in your corresponding preparation materials: "assimilate"?
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    instant000 wrote: »
    first question, was about BEST detecting intrusion. Only the D choice does that. Nothing else really monitors anything. Intrusion detection requires something to occur, and something to respond to that occurring.

    second question was about MOST critical for successful
    while it can be argued that management approval is usually recommended for everything security related, that would have been a good answer, except for this: the other choice said ALL parties, which meant everyone would participate. As we all know that security is not any stronger than its weakest link, getting everyone on board would be MOST critical, as "ALL" would have to include Management also, whereas only Management would exclude the workers who would be subject to the policy

    As you have a CISSP, and have other security experience, then you are correct that Management's approval is a very critical factor for accomplishing most anything security related. (It's a "theme" you develop, as you read the material, LOL.) But, you must also agree that, logically, "All" includes both management and the end user community.

    I think this question was posed to make you think, and make sure to choose the "BEST" answer.

    Like JDMurray, that term "assimilate" bothers me. Makes me think of the "Borg".

    Is that how the term is phrased in your corresponding preparation materials: "assimilate"?

    I haven't referenced it back to the study guide yet, it was a practice test question. As for your first point - what tripped me up, was what JD pointed out, that it appears to be a typographical error. My head was hurting trying to wrap around what they actually meant. As for the 2nd question - I still contend that B is correct as the question is written - it references 'approval for implementation,' which logically would come before integration (unless someone just insists on calling it assimilation). Redmond - I agree with you, it's just hard to 'unlearn' a lot of concepts. ;)
    Working on: staying alive and staying employed