CISM Flashcards

1
Q

What is the BEST method to verify that all security patches applied to servers were properly documented?

A

Trace OS patch logs to change control requests
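Tracing patch logs to change control requests is a reconciliation: every patch the log says was installed must map to an approved change for that host, applied inside the approved window. The Go program below is an added illustration, not part of the ISACA material or any vendor tool; the pipe-delimited log format, the host names, the patch identifier KB-EXAMPLE-1 and the ticket CHG-1042 are all constructed for the example. It performs that join and reports patches that cannot be traced, distinguishing "no ticket at all" from "ticketed but applied outside the window".

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// PatchEvent is one line from an OS patch log: which host installed which patch, and when.
type PatchEvent struct {
	Host, Patch string
	Applied     time.Time
}

// ChangeRequest is an approved change ticket with the window in which the patch may be applied.
type ChangeRequest struct {
	ID, Host, Patch string
	WindowStart     time.Time
	WindowEnd       time.Time
}

// Finding is a patch event that could not be traced to an approved change.
type Finding struct {
	Event  PatchEvent
	Reason string
}

// parsePatchLog reads lines of the assumed form "2024-03-02T01:12:00Z|host|patch".
// Real patch logs differ per OS; adapt this parser to the format you export.
func parsePatchLog(lines []string) ([]PatchEvent, error) {
	var out []PatchEvent
	for _, l := range lines {
		f := strings.Split(l, "|")
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed log line: %q", l)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", l, err)
		}
		out = append(out, PatchEvent{Host: f[1], Patch: f[2], Applied: ts})
	}
	return out, nil
}

// Reconcile traces each patch event to a change request for the same host and patch
// whose approved window contains the install time. Anything else becomes a finding.
func Reconcile(events []PatchEvent, changes []ChangeRequest) []Finding {
	// Index approved changes by host+patch so each event is a single lookup.
	byKey := map[string][]ChangeRequest{}
	for _, c := range changes {
		k := c.Host + "\x00" + c.Patch
		byKey[k] = append(byKey[k], c)
	}
	var findings []Finding
	for _, e := range events {
		cands := byKey[e.Host+"\x00"+e.Patch]
		if len(cands) == 0 {
			findings = append(findings, Finding{Event: e, Reason: "no change request for this host and patch"})
			continue
		}
		inWindow := false
		for _, c := range cands {
			if !e.Applied.Before(c.WindowStart) && !e.Applied.After(c.WindowEnd) {
				inWindow = true
				break
			}
		}
		if !inWindow {
			findings = append(findings, Finding{Event: e, Reason: "applied outside every approved window"})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Event.Applied.Before(findings[j].Event.Applied) })
	return findings
}

func mustTime(s string) time.Time {
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return t
}

// Constructed sample inputs (not real logs or tickets).
var sampleLog = []string{
	"2024-03-02T01:12:00Z|web01|KB-EXAMPLE-1", // ticketed and inside the window
	"2024-03-02T01:15:00Z|web02|KB-EXAMPLE-1", // no ticket for this host at all
	"2024-03-05T14:00:00Z|web01|KB-EXAMPLE-1", // ticketed host/patch, but days after the window
}

var sampleChanges = []ChangeRequest{
	{ID: "CHG-1042", Host: "web01", Patch: "KB-EXAMPLE-1",
		WindowStart: mustTime("2024-03-02T00:00:00Z"), WindowEnd: mustTime("2024-03-02T04:00:00Z")},
}

func main() {
	events, err := parsePatchLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range Reconcile(events, sampleChanges) {
		fmt.Printf("%s %s %s: %s\n", f.Event.Applied.Format(time.RFC3339), f.Event.Host, f.Event.Patch, f.Reason)
	}
}
```

The direction of the trace matters: starting from the patch log catches undocumented changes, which is what the question asks about. Running the join the other way (tickets with no matching log entry) is a separate check for approved patches that were never applied.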

2
Q

Who is responsible for raising awareness of the need for adequate funding to support risk mitigation plans?

A

Information security manager

3
Q

An information security manager must understand the relationship between information security and business operations in order to:

A. support organizational objectives.
B. determine likely areas of noncompliance.
C. assess the possible impacts of compromise.
D. understand the threats to the business.

A

A. support organizational objectives.

4
Q

Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?

A

Encrypting first by the sender's private key and second by the receiver's public key.

Encrypting (in practice, signing a hash of the message) with the sender's private key provides authentication and nonrepudiation: anyone can check the result with the sender's public key, so the receiver knows the message came from the holder of that private key and the sender cannot later deny having sent it. Encrypting the result with the receiver's public key provides confidentiality, because only the receiver's private key can decrypt it. Using only one of the two keys covers at most two of the three properties.
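The exchange described in this card, written out in Go as an added example (not ISACA's material): the sender signs the message with its private key and encrypts it to the receiver's public key; the receiver decrypts with its own private key and verifies the signature with the sender's public key. RSA-PSS for the signature and RSA-OAEP for the encryption are the example's choices; the message text and key sizes are assumed. The program also shows the two failure modes the card's properties imply: a third party cannot decrypt, and a signature does not verify against anyone but the real sender's public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the wire: the message encrypted to the receiver's
// public key, plus the sender's signature over the plaintext.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// Seal signs msg with the sender's private key (authentication, nonrepudiation) and
// encrypts it with the receiver's public key (confidentiality). With a 2048-bit key and
// SHA-256, OAEP can carry at most 190 bytes; real systems wrap a symmetric key instead.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, msg, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open decrypts with the receiver's private key, then checks the signature with the
// sender's public key. Only the receiver can decrypt; only the sender could have signed.
func Open(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decrypt failed: not addressed to this receiver or ciphertext altered")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature invalid: not from the claimed sender or message altered")
	}
	return msg, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	// Constructed keys for the demonstration; in practice these come from a PKI.
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	receiver, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)

	env, err := Seal([]byte("approve transfer 42"), sender, &receiver.PublicKey)
	must(err)

	msg, err := Open(env, receiver, &sender.PublicKey)
	must(err)
	fmt.Printf("receiver read: %q\n", msg)

	// Confidentiality: a party without the receiver's private key cannot read it.
	if _, err := Open(env, other, &sender.PublicKey); err != nil {
		fmt.Println("third party:", err)
	}
	// Authentication/nonrepudiation: the signature binds the message to the sender's key only.
	if _, err := Open(env, receiver, &other.PublicKey); err != nil {
		fmt.Println("wrong sender key:", err)
	}
}
```

Note the order inside Open: decrypt first, then verify, because the signature covers the plaintext. Signing before encrypting is what makes nonrepudiation hold; if the sender only encrypted, the receiver could forge any "received" message.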

5
Q

The PRIMARY goal of developing an information security program is to:

A

The development of an information security program is usually seen as a manifestation of the information security strategy. Thus, the goal of developing the information security program is to implement the strategy.

6
Q

An internal review of a web-based application system finds the ability to gain access to all employees’ accounts by changing the employee’s ID on the URL used for accessing the account. The vulnerability identified is:

A

Broken authentication (ISACA's term for this finding). Although the session is valid, the application never rechecks that the authenticated user is entitled to the account named in the URL; it trusts the client-supplied employee ID. The IDs used in the review were valid and were processed correctly, so this is not an input validation flaw. In OWASP terms the same defect is an insecure direct object reference under broken access control, and the fix is a server-side check that binds the record served to the authenticated principal rather than to a URL parameter.
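The flaw in this card next to its fix, as an added Go example (not code from the reviewed application, which the card does not show). The session store, employee records and cookie name are constructed for the demonstration. VulnerableAccount only checks that a session exists and then serves whatever employee_id the URL names; HardenedAccount serves the record that belongs to the authenticated principal and refuses a URL parameter that names anyone else.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample records keyed by employee ID (not real data).
var employees = map[string]map[string]string{
	"1001": {"name": "A. Rivera", "salary": "71000"},
	"1002": {"name": "B. Chen", "salary": "83000"},
}

// Constructed session store: session token -> employee ID of the logged-in user.
// In a real application the session middleware supplies this mapping.
var sessions = map[string]string{
	"tok-1001": "1001",
	"tok-1002": "1002",
}

// principalFrom returns the employee ID the session cookie authenticates, or "" if none.
func principalFrom(r *http.Request) string {
	c, err := r.Cookie("session")
	if err != nil {
		return ""
	}
	return sessions[c.Value]
}

func writeJSON(w http.ResponseWriter, v interface{}) {
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(v)
}

// VulnerableAccount reproduces the finding: authentication is checked, but the record
// served is chosen by the client-supplied employee_id, so any logged-in user can read any account.
func VulnerableAccount(w http.ResponseWriter, r *http.Request) {
	if principalFrom(r) == "" {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	rec, ok := employees[r.URL.Query().Get("employee_id")]
	if !ok {
		http.NotFound(w, r)
		return
	}
	writeJSON(w, rec)
}

// HardenedAccount binds the record to the authenticated principal. The URL parameter is
// accepted only when it names the caller's own record; a role-based exception (HR staff,
// say) would be decided from the principal's attributes, never from the URL.
func HardenedAccount(w http.ResponseWriter, r *http.Request) {
	me := principalFrom(r)
	if me == "" {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	if id := r.URL.Query().Get("employee_id"); id != "" && id != me {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	rec, ok := employees[me]
	if !ok {
		http.NotFound(w, r)
		return
	}
	writeJSON(w, rec)
}

// request runs GET /account?employee_id=<id> with the given session token through h.
func request(h http.HandlerFunc, token, id string) *httptest.ResponseRecorder {
	req := httptest.NewRequest("GET", "/account?employee_id="+id, nil)
	if token != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: token})
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec
}

func main() {
	// Logged in as employee 1001, asking for employee 1002's record.
	v := request(VulnerableAccount, "tok-1001", "1002")
	h := request(HardenedAccount, "tok-1001", "1002")
	fmt.Printf("vulnerable: %d %s", v.Code, v.Body.String())
	fmt.Printf("hardened:   %d %s", h.Code, h.Body.String())
}
```

Whether the refusal returns 403 or 404 is a design choice: 404 avoids confirming that the other employee ID exists. Either way the decision is made from the session, and the test an internal reviewer would repeat is exactly the one in the card: log in as one user and change the ID in the URL.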

7
Q

Which of the following BEST indicates senior management commitment toward supporting information security?

A

Management approval of the risk management methodology.

Signing off on the methodology commits senior management to the whole risk cycle (identification, assessment, treatment and monitoring) rather than to a single project or budget line, which is why it is the strongest indicator of commitment.

8
Q

Minimum standards for securing the technical infrastructure should be defined in a security:

A

Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place.

9
Q

The PRIMARY focus of information security governance is to:

A

Optimize the information security strategy to achieve business objectives.

Governance ensures that business objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans.

10
Q

When performing an information risk analysis, an information security manager should FIRST:

A

Take an asset inventory.

Assets must be inventoried before ownership can be established, before they can be categorized, and before the risks to them can be evaluated; each of the other steps operates on the inventory.

11
Q

Which of the following roles is MOST appropriately responsible for ensuring that security awareness and training material is effectively deployed to reach the intended audience?

A

The information security department oversees the information security program. This includes ensuring that training reaches the intended audience.

12
Q

When should a request for proposal (RFP) be issued?

A

Prior to developing a project budget.

Vendor responses to the RFP supply the cost figures the budget is built from; a budget set before the RFP is a guess that the proposals then have to fit.

13
Q

Senior management commitment and support for information security can BEST be enhanced through:

A

Periodic review of alignment with business management goals.

Ensuring that security activities continue to be aligned and support business goals is critical to obtaining their support.

14
Q

Which of the following is the MOST appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process?

A

System users, specifically the user acceptance testers, would be in the best position to note whether new exposures are introduced during the change management process. The system designer or system analyst, data security officer and operations manager would not be as closely involved in testing code changes.

15
Q

Which of the following is an indicator of effective governance?

A

A risk management program is a key component of effective governance.

16
Q

The development of an information security program begins with:

A

an effective information security strategy.

17
Q

Which of the following is the MOST usable deliverable of an information security risk analysis?

A

Assignment of risks to process owners

18
Q

Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?

A. Defining job roles
B. Performing a risk assessment
C. Identifying data owners
D. Establishing data retention policies

A

Identifying the data owners is the first step, and is essential to implementing data classification. Defining job roles is not relevant. Performing a risk assessment is important, but will require the participation of data owners (who must first be identified).

19
Q

Which of the following is the BEST tool to maintain the currency and coverage of an information security program within an organization?

A. The program’s governance oversight mechanisms
B. Information security periodicals and manuals
C. The program’s security architecture and design
D. Training and certification of the information security team

A

A. The program’s governance oversight mechanisms

20
Q

Relationships among security technologies are BEST defined through which of the following?

A. Security metrics
B. Network topology
C. Security architecture
D. Process improvement models

A

Security architecture explains the use and relationships of security mechanisms. Security metrics measure improvement within the security practice but do not explain the use and relationships of security technologies. Process improvement models and network topology diagrams also do not describe the use and relationships of these technologies.

21
Q

The BEST strategy for risk management is to:

A. achieve a balance between risk and organizational goals.
B. reduce risk to an acceptable level.
C. ensure that policy development properly considers organizational risks.
D. ensure that all unmitigated risks are accepted by management.

A

B. reduce risk to an acceptable level.

22
Q

An information security manager reviewing firewall rules will be MOST concerned if the firewall allows:

A. source routing.
B. broadcast propagation.
C. unregistered ports.
D. nonstandard protocols.

A

A. source routing.

Source routing lets the sender dictate the path a packet takes, and a host that honours the option sends its reply back along the reversed route. An attacker can therefore spoof a source address the firewall trusts (an internal one, for example) and still receive the responses, defeating controls that rely on normal routing. Unregistered ports, broadcast traffic and nonstandard protocols can be legitimately required by applications and are handled through ordinary rule review.
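What a source-routed packet looks like on the wire, as an added Go example (not part of the ISACA material): the loose and strict source route options are IPv4 header options with type bytes 131 (LSRR) and 137 (SSRR) per RFC 791, so a filter or detector has to parse the option list that follows the 20-byte base header. The packets below are constructed by hand, not captured traffic; the addresses are documentation ranges and the checksums are left at zero because they do not affect option parsing. The parser also rejects headers whose IHL or option lengths overrun the buffer, which is the usual way such parsers get exploited.

```go
package main

import (
	"errors"
	"fmt"
)

// IPv4 option type bytes as seen on the wire (RFC 791).
const (
	optEOL  = 0   // end of option list
	optNOP  = 1   // no operation, used as padding
	optLSRR = 131 // loose source and record route
	optSSRR = 137 // strict source and record route
)

// SourceRouteOption reports whether an IPv4 packet carries a loose or strict source
// route option, returning "LSRR", "SSRR" or "". Malformed headers return an error
// rather than being guessed at.
func SourceRouteOption(pkt []byte) (string, error) {
	if len(pkt) < 20 {
		return "", errors.New("short packet")
	}
	if pkt[0]>>4 != 4 {
		return "", errors.New("not IPv4")
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || ihl > len(pkt) {
		return "", errors.New("bad IHL")
	}
	opts := pkt[20:ihl]
	for i := 0; i < len(opts); {
		switch opts[i] {
		case optEOL:
			return "", nil
		case optNOP:
			i++
			continue
		}
		// Every other option is type, length, data; length counts the type and length bytes.
		if i+1 >= len(opts) {
			return "", errors.New("truncated option")
		}
		l := int(opts[i+1])
		if l < 2 || i+l > len(opts) {
			return "", errors.New("bad option length")
		}
		switch opts[i] {
		case optLSRR:
			return "LSRR", nil
		case optSSRR:
			return "SSRR", nil
		}
		i += l
	}
	return "", nil
}

// Constructed headers (not captured traffic). Checksums are zero; payload omitted.
var plainHeader = []byte{
	0x45, 0x00, 0x00, 0x14, // version 4, IHL 5 (20 bytes), TOS, total length 20
	0x00, 0x01, 0x00, 0x00, // identification, flags and fragment offset
	0x40, 0x06, 0x00, 0x00, // TTL 64, protocol TCP, checksum
	10, 0, 0, 5, // source 10.0.0.5
	10, 0, 0, 9, // destination 10.0.0.9
}

var strictSourceRouted = []byte{
	0x47, 0x00, 0x00, 0x1c, // IHL 7 (28 bytes): 8 bytes of options follow the base header
	0x00, 0x01, 0x00, 0x00,
	0x40, 0x06, 0x00, 0x00,
	192, 0, 2, 1, // claimed source: an address the firewall might trust
	10, 0, 0, 9,
	0x89, 0x07, 0x04, // SSRR, length 7, pointer 4 (first route entry)
	203, 0, 113, 7, // route data: the hop the attacker wants the packet and its reply to traverse
	0x00, // EOL pads the options to a 4-byte boundary
}

var looseSourceRouted = []byte{
	0x47, 0x00, 0x00, 0x1c,
	0x00, 0x01, 0x00, 0x00,
	0x40, 0x06, 0x00, 0x00,
	192, 0, 2, 1,
	10, 0, 0, 9,
	0x01,             // NOP padding before the option, which a parser must step over
	0x83, 0x07, 0x04, // LSRR, length 7, pointer 4
	203, 0, 113, 7,
}

func main() {
	for name, p := range map[string][]byte{"plain": plainHeader, "strict": strictSourceRouted, "loose": looseSourceRouted} {
		k, err := SourceRouteOption(p)
		fmt.Printf("%-6s option=%q err=%v\n", name, k, err)
	}
}
```

Besides dropping these packets at the firewall, hosts should not honour the option either; on Linux that is the sysctl net.ipv4.conf.all.accept_source_route set to 0, which is the usual compensating control when the firewall rule is missing.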

23
Q

Obtaining senior management support for an information security initiative can BEST be accomplished by:

A. developing and presenting a business case.
B. defining the risk that will be addressed.
C. presenting a financial analysis of benefits.
D. aligning the initiative with organizational objectives.

A

A. developing and presenting a business case.

A business case encompasses the other options: it defines the risk the initiative addresses, presents the financial analysis of its benefits and shows how it aligns with organizational objectives, which is why it is the most effective single vehicle for gaining support.

24
Q

The MOST important requirement for gaining management commitment to the information security program is to:

A. benchmark a number of successful organizations.
B. demonstrate potential losses and other impacts that can result from a lack of support.
C. inform management of the legal requirements of due care.
D. demonstrate support for desired outcomes.

A

D. demonstrate support for desired outcomes.