Exam Details

  • Exam Code: CAS-002
  • Exam Name: CompTIA Advanced Security Practitioner Exam
  • Certification: CompTIA Advanced Security Practitioner
  • Vendor: CompTIA
  • Total Questions: 733 Q&As
  • Last Updated: Jan 22, 2024

CompTIA CompTIA Advanced Security Practitioner CAS-002 Questions & Answers

  • Question 41:

    A bank has just outsourced the security department to a consulting firm, but retained the security architecture group. A few months into the contract the bank discovers that the consulting firm has sub-contracted some of the security functions to another provider. Management is pressuring the sourcing manager to ensure adequate protections are in place to insulate the bank from legal and service exposures. Which of the following is the MOST appropriate action to take?

    A. Directly establish another separate service contract with the sub-contractor to limit the risk exposure and legal implications.

    B. Ensure the consulting firm has service agreements with the sub-contractor; if the agreement does not exist, exit the contract when possible.

    C. Log it as a risk in the business risk register and pass the risk to the consulting firm for acceptance and responsibility.

    D. Terminate the contract immediately and bring the security department in-house again to reduce legal and regulatory exposure.

  • Question 42:

    Company ABC has grown yearly through mergers and acquisitions. This has led to over 200 internal custom web applications having standalone identity stores. In order to reduce costs and improve operational efficiencies a project has been initiated to implement a centralized security infrastructure.

    The requirements are as follows:

      • Reduce costs
      • Improve efficiencies and time to market
      • Manageable
      • Accurate identity information
      • Standardize on authentication and authorization
      • Ensure a reusable model with standard integration patterns

    Which of the following security solution options will BEST meet the above requirements? (Select THREE).

    A. Build an organization-wide fine grained access control model stored in a centralized policy data store.

    B. Implement self service provisioning of identity information, coarse grained, and fine grained access control.

    C. Implement a web access control agent based model with a centralized directory model providing coarse grained access control and single sign-on capabilities.

    D. Implement a web access controlled reverse proxy and centralized directory model providing coarse grained access control and single sign-on capabilities.

    E. Implement automated provisioning of identity information; coarse grained, and fine grained access control.

    F. Move each of the applications individual fine grained access control models into a centralized directory with fine grained access control.

    G. Implement a web access control forward proxy and centralized directory model, providing coarse grained access control, and single sign-on capabilities.

  • Question 43:

    Company XYZ is selling its manufacturing business consisting of one plant to a competitor, Company QRS. All of the people will become QRS employees, but will retain permissions to plant-specific information and resources for one month. To ease the transition, Company QRS also connected the plant and employees to the Company QRS network. Which of the following threats is the HIGHEST risk to Company XYZ?

    A. Malware originating from Company XYZ's network

    B. Co-mingling of company networks

    C. Lack of an IPSec connection between the two networks

    D. Loss of proprietary plant information

  • Question 44:

    A programming team is deploying a new PHP module to be run on a Solaris 10 server with trusted extensions. The server is configured with three zones, a management zone, a customer zone, and a backend zone. The security model is constructed so that only programs in the management zone can communicate data between the zones. After installation of the new PHP module, which handles on-line customer payments, it is not functioning correctly. Which of the following is the MOST likely cause of this problem?

    A. The PHP module is written to transfer data from the customer zone to the management zone, and then from the management zone to the backend zone.

    B. The iptables configuration is not configured correctly to permit zone to zone communications between the customer and backend zones.

    C. The PHP module was installed in the management zone, but is trying to call a routine in the customer zone to transfer data directly to a MySQL database in the backend zone.

    D. The ipfilters configuration is configured to disallow loopback traffic between the physical NICs associated with each zone.

  • Question 45:

    The sales staff at a software development company has received the following requirements from a customer: "We need the system to notify us in advance of all software errors and report all outages". Which of the following BEST conveys these customer requirements to the software development team to understand and implement?

    A. The system shall send a status message to a network monitoring console every five seconds while in an error state and the system should email the administrator when the number of input errors exceeds five.

    B. The system shall alert the administrator upon the loss of network communications and when error flags are thrown.

    C. The system shall email the administrator when processing deviates from expected conditions and the system shall send a heartbeat message to a monitoring console every second while in normal operations.

    D. The system shall email the administrator when an error condition is detected and a flag is thrown and the system shall send an email to the administrator when network communications are disrupted.

  • Question 46:

    A security engineer at a major financial institution is prototyping multiple secure network configurations. The testing is focused on understanding the impact each potential design will have on the three major security tenets of the network. All designs must take into account the stringent compliance and reporting requirements for most worldwide financial institutions. Which of the following is the BEST list of security lifecycle related concerns related to deploying the final design?

    A. Decommissioning the existing network smoothly, implementing maintenance and operations procedures for the new network in advance, and ensuring compliance with applicable regulations and laws.

    B. Interoperability with the Security Administration Remote Access protocol, integrity of the data at rest, overall network availability, and compliance with corporate and government regulations and policies.

    C. Resistance of the new network design to DDoS attacks, ability to ensure confidentiality of all data in transit, security of change management processes and procedures, and resilience of the firewalls to power fluctuations.

    D. Decommissioning plan for the new network, proper disposal protocols for the existing network equipment, transitioning operations to the new network on day one, and ensuring compliance with corporate data retention policies.

    E. Ensuring smooth transition of maintenance resources to support the new network, updating all whole disk encryption keys to be compatible with IPv6, and maximizing profits for bank shareholders.

  • Question 47:

    The increasing complexity of attacks on corporate networks is a direct result of more and more corporate employees connecting to corporate networks with mobile and personal devices. In most cases simply banning these connections and devices is not practical because they support necessary business needs. Which of the following are typical risks and mitigations associated with this new trend?

    A. Risks: Data leakage, lost data on destroyed mobile devices, smaller network attack surface, prohibitive telecommunications costs Mitigations: Device Encryptions, lock screens, certificate based authentication, corporate telecom plans

    B. Risks: Confidentiality leaks through cell conversations, availability of remote corporate data, integrity of data stored on the devices Mitigations: Cellular privacy extensions, mobile VPN clients, over-the-air backups.

    C. Risks: Data exfiltration, loss of data via stolen mobile devices, increased data leakage at the network edge Mitigations: Remote data wipe capabilities, implementing corporate security on personally owned devices

    D. Risks: Theft of mobile devices, unsanctioned applications, minimal device storage, call quality Mitigations: GPS tracking, centralized approved application deployment, over-the-air backups, QoS implementation

  • Question 48:

    The new security policy states that only authorized software will be allowed on the corporate network and all personally owned equipment needs to be configured by the IT security staff before being allowed on the network. The security administrator creates standard images with all the required software and proper security controls. These images are required to be loaded on all personally owned equipment prior to connecting to the corporate network. These measures ensure compliance with the new security policy. Which of the following security risks still needs to be addressed in this scenario?

    A. An employee copying gigabytes of personal video files from the employee's personal laptop to their company desktop to share files.

    B. An employee connecting their personal laptop to use a non-company endorsed accounting application that the employee used at a previous company.

    C. An employee using a corporate FTP application to transfer customer lists and other proprietary files to an external computer and selling them to a competitor.

    D. An employee accidentally infecting the network with a virus by connecting a USB drive to the employee's personal laptop.

  • Question 49:

    Company A is merging with Company B. Company B uses mostly hosted services from an outside vendor, while Company A uses mostly in-house products.

    The project manager of the merger states the merged systems should meet these goals:

      • Ability to customize systems per department
      • Quick implementation along with an immediate ROI
      • The internal IT team having administrative level control over all products

    The project manager states the in-house services are the best solution. Because of staff shortages, the senior security administrator argues that security will be best maintained by continuing to use outsourced services.

    Which of the following solutions BEST solves the disagreement?

    A. Raise the issue to the Chief Executive Officer (CEO) to escalate the decision to senior management with the recommendation to continue the outsourcing of all IT services.

    B. Calculate the time to deploy and support the in-sourced systems accounting for the staff shortage and compare the costs to the ROI costs minus outsourcing costs. Present the document numbers to management for a final decision.

    C. Perform a detailed cost benefit analysis of outsourcing vs. in-sourcing the IT systems and review the system documentation to assess the ROI of in-sourcing. Select COTS products to eliminate development time to meet the ROI goals.

    D. Arrange a meeting between the project manager and the senior security administrator to review the requirements and determine how critical all the requirements are.

  • Question 50:

    The Chief Information Security Officer (CISO) is researching ways to reduce the risk associated with administrative access of six IT staff members while enforcing separation of duties. In the case where an IT staff member is absent, each staff member should be able to perform all the necessary duties of their IT co-workers.

    Which of the following policies should the CISO implement to reduce the risk?

    A. Require the use of an unprivileged account, and a second shared account only for administrative purposes.

    B. Require role-based security on primary role, and only provide access to secondary roles on a case-by-case basis.

    C. Require separation of duties ensuring no single administrator has access to all systems.

    D. Require on-going auditing of administrative activities, and evaluate against risk-based metrics.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CAS-002 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.