CISM Practice B Topic 2 Flashcards

1
Q

A risk mitigation report would include recommendations for:

assessment.

acceptance.

evaluation.

quantification.

A

acceptance.

2
Q

A risk management program should reduce risk to:

zero.

an acceptable level.

an acceptable percent of revenue.

an acceptable probability of occurrence.

A

an acceptable level.

3
Q

The MOST important reason for conducting periodic risk assessments is because:

risk assessments are not always precise.

security risks are subject to frequent change.

reviewers can optimize and reduce the cost of controls.

it demonstrates to senior management that the security function can add value.

A

security risks are subject to frequent change.

4
Q

Which of the following BEST indicates a successful risk management practice?

Overall risk is quantified

Inherent risk is eliminated

Residual risk is minimized

Control risk is tied to business units

A

Residual risk is minimized

5
Q

Which of the following would generally have the GREATEST negative impact on an organization?

Theft of computer software

Interruption of utility services

Loss of customer confidence

Internal fraud resulting in monetary loss

A

Loss of customer confidence

6
Q

A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures?

Risk analysis results

Audit report findings

Penetration test results

Amount of IT budget available

A

Risk analysis results

7
Q

Which of the following will BEST protect an organization from internal security attacks?

Static IP addressing

Internal address translation

Prospective employee background checks

Employee awareness certification program

A

Prospective employee background checks

8
Q

For risk management purposes, the value of an asset should be based on:

original cost.

net cash flow.

net present value.

replacement cost.

A

replacement cost.

9
Q

In a business impact analysis, the value of an information system should be based on the overall cost:

of recovery.

to recreate.

if unavailable.

of emergency operations.

A

if unavailable.

10
Q

Acceptable risk is achieved when:

residual risk is minimized.

transferred risk is minimized.

control risk is minimized.

inherent risk is minimized.

A

residual risk is minimized.

11
Q

The value of information assets is BEST determined by:

individual business managers.

business systems analysts.

information security management.

industry averages benchmarking.

A

individual business managers.

12
Q

During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?

Feasibility

Design

Development

Testing

A

Feasibility

13
Q

The MOST effective way to incorporate risk management practices into existing production systems is through:

policy development.

change management.

awareness training.

regular monitoring.

A

change management.

14
Q

Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)?

Gap analysis

Regression analysis

Risk analysis

Business impact analysis

A

Business impact analysis

15
Q

The recovery time objective (RTO) is reached at which of the following milestones?

Disaster declaration

Recovery of the backups

Restoration of the system

Return to business as usual processing

A

Restoration of the system

16
Q

Which of the following results from the risk assessment process would BEST assist risk management decision making?

Control risk

Inherent risk

Risk exposure

Residual risk

A

Residual risk

17
Q

The decision on whether new risks should fall under periodic or event-driven reporting should be based on which of the following?

Mitigating controls

Visibility of impact

Likelihood of occurrence

Incident frequency

A

Visibility of impact

18
Q

Risk acceptance is a component of which of the following?

Assessment

Mitigation

Evaluation

Monitoring

A

Mitigation

19
Q

Risk management programs are designed to reduce risk to:

a level that is too small to be measurable.

the point at which the benefit exceeds the expense.

a level that the organization is willing to accept.

a rate of return that equals the current cost of capital.

A

a level that the organization is willing to accept.

20
Q

A risk assessment should be conducted:

once a year for each business process and subprocess.

every three to six months for critical business processes.

by external parties to maintain objectivity.

annually or whenever there is a significant change.

A

annually or whenever there is a significant change.

21
Q

The MOST important function of a risk management program is to:

quantify overall risk.

minimize residual risk.

eliminate inherent risk.

maximize the sum of all annualized loss expectancies (ALEs).

A

minimize residual risk.

22
Q

Which of the following risks would BEST be assessed using qualitative risk assessment techniques?

Theft of purchased software

Power outage lasting 24 hours

Permanent decline in customer confidence

Temporary loss of e-mail due to a virus attack

A

Permanent decline in customer confidence

23
Q

Which of the following will BEST prevent external security attacks?

Static IP addressing

Network address translation

Background checks for temporary employees

Securing and analyzing system access logs

A

Network address translation

24
Q

In performing a risk assessment on the impact of losing a server, the value of the server should be calculated using the:

original cost to acquire.

cost of the software stored.

annualized loss expectancy (ALE).

cost to obtain a replacement.

A

cost to obtain a replacement.

25
Q

A business impact analysis (BIA) is the BEST tool for calculating:

total cost of ownership.

priority of restoration.

annualized loss expectancy (ALE).

residual risk.

A

priority of restoration.

26
Q

When residual risk is minimized:

acceptable risk is probable.

transferred risk is acceptable.

control risk is reduced.

risk is transferable.

A

acceptable risk is probable.

27
Q

Quantitative risk analysis is MOST appropriate when assessment data:

include customer perceptions.

contain percentage estimates.

do not contain specific details.

contain subjective information.

A

contain percentage estimates.

28
Q

Which of the following is the MOST appropriate use of gap analysis?

Evaluating a business impact analysis (BIA)

Developing a balanced business scorecard

Demonstrating the relationship between controls

Measuring current state vs. desired future state

A

Measuring current state vs. desired future state

29
Q

Identification and prioritization of business risk enables project managers to:

establish implementation milestones.

reduce the overall amount of slack time.

address areas with most significance.

accelerate completion of critical paths.

A

address areas with most significance.

30
Q

A risk analysis should:

include a benchmark of similar companies in its scope.

assume an equal degree of protection for all assets.

address the potential size and likelihood of loss.

give more weight to the likelihood vs. the size of the loss.

A

address the potential size and likelihood of loss.

31
Q

The recovery point objective (RPO) requires which of the following?

Disaster declaration

Before-image restoration

System restoration

After-image processing

A

Before-image restoration

32
Q

Based on the information provided, which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations?

Systems operation procedures are not enforced

Change management procedures are poor

Systems development is outsourced

Systems capacity management is not performed

A

Change management procedures are poor

33
Q

Which of the following BEST describes the scope of risk analysis?

Key financial systems

Organizational activities

Key systems and infrastructure

Systems subject to regulatory compliance

A

Organizational activities

34
Q

The decision as to whether a risk has been reduced to an acceptable level should be determined by:

organizational requirements.

information systems requirements.

information security requirements.

international standards.

A

organizational requirements.

35
Q

Which of the following is the PRIMARY reason for implementing a risk management program?

Allows the organization to eliminate risk

Is a necessary part of management’s due diligence

Satisfies audit and regulatory requirements

Assists in incrementing the return on investment (ROI)

A

Is a necessary part of management’s due diligence

36
Q

Which of the following groups would be in the BEST position to perform a risk analysis for a business?

External auditors

A peer group within a similar business

Process owners

A specialized management consultant

A

Process owners

37
Q

A successful risk management program should lead to:

optimization of risk reduction efforts against cost.

containment of losses to an annual budgeted amount.

identification and removal of all man-made threats.

elimination or transference of all organizational risks.

A

optimization of risk reduction efforts against cost.

38
Q

Which of the following risks would BEST be assessed using quantitative risk assessment techniques?

Customer data stolen

An electrical power outage

A web site defaced by hackers

Loss of the software development team

A

An electrical power outage

39
Q

The impact of losing frame relay network connectivity for 18-24 hours should be calculated using the:

hourly billing rate charged by the carrier.

value of the data transmitted over the network.

aggregate compensation of all affected business users.

financial losses incurred by affected business units.

A

financial losses incurred by affected business units.

40
Q

Which of the following is the MOST usable deliverable of an information security risk analysis?

Business impact analysis (BIA) report

List of action items to mitigate risk

Assignment of risks to process owners

Quantification of organizational risk

A

List of action items to mitigate risk

41
Q

Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following?

Tree diagrams

Venn diagrams

Heat charts

Bar charts

A

Heat charts

42
Q

Who would be in the BEST position to determine the recovery point objective (RPO) for business applications?

Business continuity coordinator

Chief operations officer (COO)

Information security manager

Internal audit

A

Chief operations officer (COO)

43
Q

Which two components PRIMARILY must be assessed in an effective risk analysis?

Visibility and duration

Likelihood and impact

Probability and frequency

Financial impact and duration

A

Likelihood and impact

44
Q

Information security managers should use risk assessment techniques to:

justify selection of risk mitigation strategies.

maximize the return on investment (ROI).

provide documentation for auditors and regulators.

quantify risks that would otherwise be subjective.

A

justify selection of risk mitigation strategies.

45
Q

In assessing risk, it is MOST essential to:

provide equal coverage for all asset types.

use benchmarking data from similar organizations.

consider both monetary value and likelihood of loss.

focus primarily on threats and recent business losses.

A

consider both monetary value and likelihood of loss.

46
Q

When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify:

the information security steering committee.

customers who may be impacted.

data owners who may be impacted.

regulatory agencies overseeing privacy.

A

data owners who may be impacted.

47
Q

Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas?

Platform security

Entitlement changes

Intrusion detection

Antivirus controls

A

Entitlement changes

48
Q

The PRIMARY goal of a corporate risk management program is to ensure that an organization’s:

IT assets in key business functions are protected.

business risks are addressed by preventive controls.

stated objectives are achievable.

IT facilities and systems are always available.

A

stated objectives are achievable.

49
Q

It is important to classify and determine relative sensitivity of assets to ensure that:

cost of protection is in proportion to sensitivity.

highly sensitive assets are protected.

cost of controls is minimized.

countermeasures are proportional to risk.

A

countermeasures are proportional to risk.

50
Q

The service level agreement (SLA) for an outsourced IT function does not reflect an adequate level of protection. In this situation an information security manager should:

ensure the provider is made liable for losses.

recommend not renewing the contract upon expiration.

recommend the immediate termination of the contract.

determine the current level of security.

A

determine the current level of security.

51
Q

An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the:

threat.

loss.

vulnerability.

probability.

A

vulnerability.

52
Q

When performing a quantitative risk analysis, which of the following is MOST important to estimate the potential loss?

Evaluate productivity losses

Assess the impact of confidential data disclosure

Calculate the value of the information or asset

Measure the probability of occurrence of each threat

A

Calculate the value of the information or asset

53
Q

Before conducting a formal risk assessment of an organization’s information resources, an information security manager should FIRST:

map the major threats to business objectives.

review available sources of risk information.

identify the value of the critical assets.

determine the financial impact if threats materialize.

A

map the major threats to business objectives.

54
Q

The valuation of IT assets should be performed by:

an IT security manager.

an independent security consultant.

the chief financial officer (CFO).

the information owner.

A

the information owner.

55
Q

The PRIMARY objective of a risk management program is to:

minimize inherent risk.

eliminate business risk.

implement effective controls.

minimize residual risk.

A

minimize residual risk.

56
Q

After completing a full IT risk assessment, who can BEST decide which mitigating controls should be implemented?

Senior management

Business manager

IT audit manager

Information security officer (ISO)

A

Business manager

57
Q

When performing an information risk analysis, an information security manager should FIRST:

establish the ownership of assets.

evaluate the risks to the assets.

take an asset inventory.

categorize the assets.

A

take an asset inventory.

58
Q

The PRIMARY benefit of performing an information asset classification is to:

link security requirements to business objectives.

identify controls commensurate to risk.

define access rights.

establish ownership.

A

identify controls commensurate to risk.

59
Q

Which of the following is MOST essential for a risk management program to be effective?

Flexible security budget

Sound risk baseline

New risks detection

Accurate risk reporting

A

New risks detection

60
Q

Which of the following attacks is BEST mitigated by utilizing strong passwords?

Man-in-the-middle attack

Brute force attack

Remote buffer overflow

Root kit

A

Brute force attack

61
Q

Phishing is BEST mitigated by which of the following?

Security monitoring software

Encryption

Two-factor authentication

User awareness

A

User awareness

62
Q

The security responsibility of data custodians in an organization will include:

assuming overall protection of information assets.

determining data classification levels.

implementing security controls in products they install.

ensuring security measures are consistent with policy.

A

ensuring security measures are consistent with policy.

63
Q

A security risk assessment exercise should be repeated at regular intervals because:

business threats are constantly changing.

omissions in earlier assessments can be addressed.

repetitive assessments allow various methodologies.

they help raise awareness on security in the business.

A

business threats are constantly changing.

64
Q

Which of the following steps in conducting a risk assessment should be performed FIRST?

Identify business assets

Identify business risks

Assess vulnerabilities

Evaluate key controls

A

Identify business assets

65
Q

The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:

periodically testing the incident response plans.

regularly testing the intrusion detection system (IDS).

establishing mandatory training of all personnel.

periodically reviewing incident response procedures.

A

periodically testing the incident response plans.

66
Q

Which of the following risks is represented in the risk appetite of an organization?

Control

Inherent

Residual

Audit

A

Residual

67
Q

Which of the following would a security manager establish to determine the target for restoration of normal processing?

Recovery time objective (RTO)

Maximum tolerable outage (MTO)

Recovery point objectives (RPOs)

Services delivery objectives (SDOs)

A

Recovery time objective (RTO)

68
Q

A risk management program would be expected to:

remove all inherent risk.

maintain residual risk at an acceptable level.

implement preventive controls for every threat.

reduce control risk to zero.

A

maintain residual risk at an acceptable level.

69
Q

Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?

Programming

Specification

User testing

Feasibility

A

Feasibility

70
Q

Which of the following would help management determine the resources needed to mitigate a risk to the organization?

Risk analysis process

Business impact analysis (BIA)

Risk management balanced scorecard

Risk-based audit program

A

Business impact analysis (BIA)

71
Q

A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that:

there are sufficient safeguards in place to prevent this risk from happening.

the needed countermeasure is too complicated to deploy.

the cost of countermeasure outweighs the value of the asset and potential loss.

the likelihood of the risk occurring is unknown.

A

the cost of countermeasure outweighs the value of the asset and potential loss.

72
Q

Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?

Number of controls implemented

Percent of control objectives accomplished

Percent of compliance with the security policy

Reduction in the number of reported security incidents

A

Percent of control objectives accomplished

73
Q

Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a large, multinational enterprise?

Strategic business plan

Upcoming financial results

Customer personal information

Previous financial results

A

Previous financial results

74
Q

The PRIMARY purpose of using risk analysis within a security program is to:

justify the security expenditure.

help businesses prioritize the assets to be protected.

inform executive management of residual risk value.

assess exposures and plan remediation.

A

assess exposures and plan remediation.

75
Q

Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?

Defining job roles

Performing a risk assessment

Identifying data owners

Establishing data retention policies

A

Identifying data owners

76
Q

An online banking institution is concerned that the breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to:

mitigate the impact by purchasing insurance.

implement a circuit-level firewall to protect the network.

increase the resiliency of security measures in place.

implement a real-time intrusion detection system.

A

mitigate the impact by purchasing insurance.

77
Q

What mechanisms are used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system?

Business impact analyses

Security gap analyses

System performance metrics

Incident response processes

A

Security gap analyses

78
Q

A common concern with poorly written web applications is that they can allow an attacker to:

gain control through a buffer overflow.

conduct a distributed denial of service (DoS) attack.

abuse a race condition.

inject structured query language (SQL) statements.

A

inject structured query language (SQL) statements.

79
Q

Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?

Historical cost of the asset

Acceptable level of potential business impacts

Cost versus benefit of additional mitigating controls

Annualized loss expectancy (ALE)

A

Cost versus benefit of additional mitigating controls

80
Q

A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization’s local area network (LAN). What should the security manager do FIRST?

Understand the business requirements of the developer portal

Perform a vulnerability assessment of the developer portal

Install an intrusion detection system (IDS)

Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server

A

Understand the business requirements of the developer portal

81
Q

A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account?

Prevent the system from being accessed remotely

Create a strong random password

Ask for a vendor patch

Track usage of the account by audit trails

A

Create a strong random password

82
Q

Attackers who exploit cross-site scripting vulnerabilities take advantage of:

a lack of proper input validation controls.

weak authentication controls in the web application layer.

flawed cryptographic secure sockets layer (SSL) implementations and short key lengths.

implicit web application trust relationships.

A

a lack of proper input validation controls.

83
Q

Which of the following would BEST address the risk of data leakage?

File backup procedures

Database integrity checks

Acceptable use policies

Incident response procedures

A

Acceptable use policies

84
Q

A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected?

Access control policy

Data classification policy

Encryption standards

Acceptable use policy

A

Data classification policy

85
Q

What is the BEST technique to determine which security controls to implement with a limited budget?

Risk analysis

Annualized loss expectancy (ALE) calculations

Cost-benefit analysis

Impact analysis

A

Cost-benefit analysis

86
Q

A company’s mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?

A penetration test

A security baseline review

A risk assessment

A business impact analysis (BIA)

A

A risk assessment

87
Q

Which of the following measures would be MOST effective against insider threats to confidential information?

Role-based access control

Audit trail monitoring

Privacy policy

Defense-in-depth

A

Role-based access control

88
Q

Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company’s policies. An information security manager should:

conduct a risk assessment and allow or disallow based on the outcome.

recommend a risk assessment and implementation only if the residual risks are accepted.

recommend against implementation because it violates the company’s policies.

recommend revision of current policy.

A

recommend a risk assessment and implementation only if the residual risks are accepted.

89
Q

After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:

increase its customer awareness efforts in those regions.

implement monitoring techniques to detect and react to potential fraud.

outsource credit card processing to a third party.

make the customer liable for losses if they fail to follow the bank’s advice.

A

implement monitoring techniques to detect and react to potential fraud.

90
Q

The criticality and sensitivity of information assets is determined on the basis of:

threat assessment.

vulnerability assessment.

resource dependency assessment.

impact assessment.

A

impact assessment.

91
Q

Which program element should be implemented FIRST in asset classification and control?

Risk assessment

Classification

Valuation

Risk mitigation

A

Valuation

92
Q

When performing a risk assessment, the MOST important consideration is that:

management supports risk mitigation efforts.

annual loss expectations (ALEs) have been calculated for critical assets.

assets have been identified and appropriately valued.

attack motives, means and opportunities be understood.

A

assets have been identified and appropriately valued.

93
Q

The MAIN reason why asset classification is important to a successful information security program is because classification determines:

the priority and extent of risk mitigation efforts.

the amount of insurance needed in case of loss.

the appropriate level of protection to the asset.

how protection levels compare to peer organizations.

A

the appropriate level of protection to the asset.

94
Q

The BEST strategy for risk management is to:

achieve a balance between risk and organizational goals.

reduce risk to an acceptable level.

ensure that policy development properly considers organizational risks.

ensure that all unmitigated risks are accepted by management.

A

reduce risk to an acceptable level.

95
Q

Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data?

Disclosure of personal information

Sufficient coverage of the insurance policy for accidental losses

Intrinsic value of the data stored on the equipment

Replacement cost of the equipment

A

Intrinsic value of the data stored on the equipment

96
Q

An organization has to comply with recently published industry regulatory requirements - compliance that potentially has high implementation costs. What should the information security manager do FIRST?

Implement a security committee.

Perform a gap analysis.

Implement compensating controls.

Demand immediate compliance.

A

Perform a gap analysis.

97
Q

Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?

Annual loss expectancy (ALE) of incidents

Frequency of incidents

Total cost of ownership (TCO)

Approved budget for the project

A

Total cost of ownership (TCO)

98
Q

One way to determine control effectiveness is by determining:

whether it is preventive, detective or compensatory.

the capability of providing notification of failure.

the test results of intended objectives.

the evaluation and analysis of reliability.

A

the test results of intended objectives.

99
Q

What does a network vulnerability assessment intend to identify?

0-day vulnerabilities

Malicious software and spyware

Security design flaws

Misconfiguration and missing updates

A

Misconfiguration and missing updates

100
Q

Who is responsible for ensuring that information is classified?

Senior management

Security manager

Data owner

Custodian

A

Data owner

101
Q

After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be:

transferred.

treated.

accepted.

terminated.

A

accepted.

102
Q

When a significant security breach occurs, what should be reported FIRST to senior management?

A summary of the security logs that illustrates the sequence of events

An explanation of the incident and corrective action taken

An analysis of the impact of similar attacks at other organizations

A business case for implementing stronger logical access controls

A

An explanation of the incident and corrective action taken

103
Q

The PRIMARY reason for initiating a policy exception process is when:

operations are too busy to comply.

the risk is justified by the benefit.

policy compliance would be difficult to enforce.

users may initially be inconvenienced.

A

the risk is justified by the benefit.

104
Q

Which of the following would be the MOST relevant factor when defining the information classification policy?

Quantity of information

Available IT infrastructure

Benchmarking

Requirements of data owners

A

Requirements of data owners

105
Q

To determine the selection of controls required to meet business objectives, an information security manager should:

prioritize the use of role-based access controls.

focus on key controls.

restrict controls to only critical applications.

focus on automated controls.

A

focus on key controls.

106
Q

The MOST appropriate owner of customer data stored in a central database, used only by an organization’s sales department, would be the:

sales department.

database administrator.

chief information officer (CIO).

head of the sales department.

A

head of the sales department.

107
Q

In assessing the degree to which an organization may be affected by new privacy legislation, information security management should FIRST:

  • develop an operational plan for achieving compliance with the legislation.
  • identify systems and processes that contain privacy components.
  • restrict the collection of personal information until compliant.
  • identify privacy legislation in other countries that may contain similar requirements.
A

identify systems and processes that contain privacy components.

108
Q

Risk assessment is MOST effective when performed:

  • at the beginning of security program development.
  • on a continuous basis.
  • while developing the business case for the security program.
  • during the business change process.
A

on a continuous basis.

109
Q

Which of the following is the MAIN reason for performing risk assessment on a continuous basis?

Justification of the security budget must be continually made.

New vulnerabilities are discovered every day.

The risk environment is constantly changing.

Management needs to be continually informed about emerging risks.

A

The risk environment is constantly changing.

110
Q

There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?

Identify the vulnerable systems and apply compensating controls

Minimize the use of vulnerable systems

Communicate the vulnerability to system users

Update the signatures database of the intrusion detection system (IDS)

A

Identify the vulnerable systems and apply compensating controls

111
Q

Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?

Business impact analysis (BIA)

Penetration testing

Audit and review

Threat analysis

A

Penetration testing

112
Q

Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?

Countermeasure cost-benefit analysis

Penetration testing

Frequent risk assessment programs

Annual loss expectancy (ALE) calculation

A

Countermeasure cost-benefit analysis

113
Q

An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:

eliminating the risk.

transferring the risk.

mitigating the risk.

accepting the risk.

A

mitigating the risk.

114
Q

Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?

Manager

Custodian

User

Owner

A

Owner

115
Q

The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for:

  • determining the scope for inclusion in an information security program.
  • defining the level of access controls.
  • justifying costs for information resources.
  • determining the overall budget of an information security program.
A

defining the level of access controls.

116
Q

An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs?

Key performance indicators (KPIs)

Business impact analysis (BIA)

Gap analysis

Technical vulnerability assessment

A

Gap analysis

117
Q

When performing a qualitative risk analysis, which of the following will BEST produce reliable results?

Estimated productivity losses

Possible scenarios with threats and impacts

Value of information assets

Vulnerability assessment

A

Possible scenarios with threats and impacts

118
Q

Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?

User assessments of changes

Comparison of the program results with industry standards

Assignment of risk within the organization

Participation by all members of the organization

A

Participation by all members of the organization

119
Q

The MOST effective use of a risk register is to:

  • identify risks and assign roles and responsibilities for mitigation.
  • identify threats and probabilities.
  • facilitate a thorough review of all IT-related risks on a periodic basis.
  • record the annualized financial amount of expected losses due to risks.
A

facilitate a thorough review of all IT-related risks on a periodic basis.

120
Q

After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program?

Define security metrics

Conduct a risk assessment

Perform a gap analysis

Procure security tools

A

Conduct a risk assessment

121
Q

Which of the following are the essential ingredients of a business impact analysis (BIA)?

Downtime tolerance, resources and criticality

Cost of business outages in a year as a factor of the security budget

Business continuity testing methodology being deployed

Structure of the crisis management team

A

Downtime tolerance, resources and criticality

122
Q

A risk management approach to information protection is:

  • managing risks to an acceptable level, commensurate with goals and objectives.
  • accepting the security posture provided by commercial security products.
  • implementing a training program to educate individuals on information protection and risks.
  • managing risk tools to ensure that they assess all information protection vulnerabilities.
A

managing risks to an acceptable level, commensurate with goals and objectives.

123
Q

Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level?

Implement countermeasures.

Eliminate the risk.

Transfer the risk.

Accept the risk.

A

Transfer the risk.

124
Q

To ensure that payroll systems continue to operate in the event of a hurricane hitting a data center, what would be the FIRST crucial step an information security manager would take in ensuring business continuity planning?

Conducting a qualitative and quantitative risk analysis.

Assigning value to the assets.

Weighing the cost of implementing the plan vs. financial loss.

Conducting a business impact analysis (BIA).

A

Conducting a business impact analysis (BIA).

125
Q

An information security organization should PRIMARILY:

  • support the business objectives of the company by providing security-related support services.
  • be responsible for setting up and documenting the information security responsibilities of the information security team members.
  • ensure that the information security policies of the company are in line with global best practices and standards.
  • ensure that the information security expectations are conveyed to employees.
A

support the business objectives of the company by providing security-related support services.

126
Q

When implementing security controls, an information security manager must PRIMARILY focus on:

minimizing operational impacts.

eliminating all vulnerabilities.

usage by similar organizations.

certification from a third party.

A

minimizing operational impacts.

127
Q

All risk management activities are PRIMARILY designed to reduce impacts to:

  • a level defined by the security manager.
  • an acceptable level based on organizational risk tolerance.
  • a minimum level consistent with regulatory requirements.
  • the minimum level possible.
A

an acceptable level based on organizational risk tolerance.

128
Q

After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?

Information security officer

Chief information officer (CIO)

Business owner

Chief executive officer (CEO)

A

Business owner

129
Q

The purpose of a corrective control is to:

reduce adverse events.

indicate compromise.

mitigate impact.

ensure compliance.

A

mitigate impact.

130
Q

Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?

Performing a business impact analysis (BIA)

Considering personal information devices as part of the security policy

Initiating IT security training and familiarization

Basing the information security infrastructure on risk assessment

A

Basing the information security infrastructure on risk assessment

131
Q

Previously accepted risk should be:

  • re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions.
  • accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable.
  • avoided next time since risk avoidance provides the best protection to the company.
  • removed from the risk log once it is accepted.
A

re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions.

132
Q

An information security manager is advised by contacts in law enforcement that there is evidence that his/her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:

  • perform a comprehensive assessment of the organization’s exposure to the hackers’ techniques.
  • initiate awareness training to counter social engineering.
  • immediately advise senior management of the elevated risk.
  • increase monitoring activities to provide early detection of intrusion.
A

immediately advise senior management of the elevated risk.

133
Q

Which of the following steps should be performed FIRST in the risk assessment process?

Staff interviews

Threat identification

Asset identification and valuation

Determination of the likelihood of identified risks

A

Asset identification and valuation

134
Q

Which of the following authentication methods prevents authentication replay?

Password hash implementation

Challenge/response mechanism

Wired Equivalent Privacy (WEP) encryption usage

HTTP Basic Authentication

A

Challenge/response mechanism

135
Q

An organization has a process in place that involves the use of a vendor. A risk assessment was completed during the development of the process. A year after the implementation, a monetary decision has been made to use a different vendor. What, if anything, should occur?

Nothing, since a risk assessment was completed during development.

A vulnerability assessment should be conducted.

A new risk assessment should be performed.

The new vendor’s SAS 70 type II report should be reviewed.

A

A new risk assessment should be performed.

136
Q
A