CISM Practice B Topic 2 Flashcards by Nancy Taylor

A risk mitigation report would include recommendations for:

assessment.

acceptance.

evaluation.

quantification.

acceptance

How well did you know this?

Not at all

Perfectly

A risk management program should reduce risk to:

zero.

an acceptable level.

an acceptable percent of revenue.

an acceptable probability of occurrence.

an acceptable level.

How well did you know this?

Not at all

Perfectly

\The MOST important reason for conducting periodic risk assessments is because:

risk assessments are not always precise.
security risks are subject to frequent change.
reviewers can optimize and reduce the cost of controls.
it demonstrates to senior management that the security function can add value.

security risks are subject to frequent change.

How well did you know this?

Not at all

Perfectly

Which of the following BEST indicates a successful risk management practice?

Overall risk is quantified

Inherent risk is eliminated

Residual risk is minimized

Control risk is tied to business units

Residual risk is minimized

How well did you know this?

Not at all

Perfectly

Which of the following would generally have the GREATEST negative impact on an organization?

Theft of computer software

Interruption of utility services

Loss of customer confidence

Internal fraud resulting in monetary loss

Loss of customer confidence

How well did you know this?

Not at all

Perfectly

A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures?

Risk analysis results

Audit report findings

Penetration test results

Amount of IT budget available

Risk analysis results

How well did you know this?

Not at all

Perfectly

Which of the following will BEST protect an organization from internal security attacks?

Static IP addressing

Internal address translation

Prospective employee background checks

Employee awareness certification program

Prospective employee background checks

How well did you know this?

Not at all

Perfectly

For risk management purposes, the value of an asset should be based on:

original cost.

net cash flow.

net present value.

replacement cost.

How well did you know this?

Not at all

Perfectly

In a business impact analysis, the value of an information system should be based on the overall cost:

of recovery.

to recreate.

if unavailable.

of emergency operations.

if unavailable.

How well did you know this?

Not at all

Perfectly

Acceptable risk is achieved when:

residual risk is minimized.

transferred risk is minimized.

control risk is minimized.

inherent risk is minimized.

residual risk is minimized.

How well did you know this?

Not at all

Perfectly

The value of information assets is BEST determined by:

individual business managers.

business systems analysts.

information security management.

industry averages benchmarking.

individual business managers.

How well did you know this?

Not at all

Perfectly

During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?

Feasibility

Design

Development

Testing

Feasibility

How well did you know this?

Not at all

Perfectly

The MOST effective way to incorporate risk management practices into existing production systems is through:

policy development.

change management.

awareness training.

regular monitoring.

change management.

How well did you know this?

Not at all

Perfectly

Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)?

Gap analysis

Regression analysis

Risk analysis

Business impact analysis

How well did you know this?

Not at all

Perfectly

The recovery time objective (RTO) is reached at which of the following milestones?

Disaster declaration

Recovery of the backups

Restoration of the system

Return to business as usual processing

Restoration of the system

How well did you know this?

Not at all

Perfectly

Which of the following results from the risk assessment process would BEST assist risk management decision making?

Control risk

Inherent risk

Risk exposure

Residual risk

How well did you know this?

Not at all

Perfectly

The decision on whether new risks should fall under periodic or event-driven reporting should be based on which of the following?

Mitigating controls

Visibility of impact

Likelihood of occurrence

Incident frequency

Visibility of impact

How well did you know this?

Not at all

Perfectly

Risk acceptance is a component of which of the following?

Assessment

Mitigation

Evaluation

Monitoring

Mitigation

How well did you know this?

Not at all

Perfectly

Risk management programs are designed to reduce risk to:

a level that is too small to be measurable.

the point at which the benefit exceeds the expense.

a level that the organization is willing to accept.

a rate of return that equals the current cost of capital.

a level that the organization is willing to accept.

How well did you know this?

Not at all

Perfectly

A risk assessment should be conducted:

once a year for each business process and subprocess.

every three to six months for critical business processes.

by external parties to maintain objectivity.

annually or whenever there is a significant change.

How well did you know this?

Not at all

Perfectly

The MOST important function of a risk management program is to:

quantify overall risk.

minimize residual risk.

eliminate inherent risk.

maximize the sum of all annualized loss expectancies (ALEs).

minimize residual risk.

How well did you know this?

Not at all

Perfectly

Which of the following risks would BEST be assessed using qualitative risk assessment techniques?

Theft of purchased software

Power outage lasting 24 hours

Permanent decline in customer confidence

Temporary loss of e-mail due to a virus attack

Permanent decline in customer confidence

How well did you know this?

Not at all

Perfectly

Which of the following will BEST prevent external security attacks?

Static IP addressing

Network address translation

Background checks for temporary employees

Securing and analyzing system access logs

Network address translation

How well did you know this?

Not at all

Perfectly

In performing a risk assessment on the impact of losing a server, the value of the server should be calculated using the:

original cost to acquire.

cost of the software stored.

annualized loss expectancy (ALE).

cost to obtain a replacement.

How well did you know this?

Not at all

Perfectly

A business impact analysis (BIA) is the BEST tool for calculating: total cost of ownership. priority of restoration. annualized loss expectancy (ALE). residual risk.

priority of restoration.

When residual risk is minimized: acceptable risk is probable. transferred risk is acceptable. control risk is reduced. risk is transferable.

acceptable risk is probable.

Quantitative risk analysis is MOST appropriate when assessment data: include customer perceptions. contain percentage estimates. do not contain specific details. contain subjective information.

contain percentage estimates.

Which of the following is the MOST appropriate use of gap analysis? Evaluating a business impact analysis (BIA) Developing a balanced business scorecard Demonstrating the relationship between controls Measuring current state vs. desired future state

Measuring current state vs. desired future state

Identification and prioritization of business risk enables project managers to: establish implementation milestones. reduce the overall amount of slack time. address areas with most significance. accelerate completion of critical paths.

address areas with most significance.

A risk analysis should: * include a benchmark of similar companies in its scope. * assume an equal degree of protection for all assets. * address the potential size and likelihood of loss. * give more weight to the likelihood vs. the size of the loss.

address the potential size and likelihood of loss.

The recovery point objective (RPO) requires which of the following? Disaster declaration Before-image restoration System restoration After-image processing

Before-image restoration

Based on the information provided, which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations? Systems operation procedures are not enforced Change management procedures are poor Systems development is outsourced Systems capacity management is not performed

Change management procedures are poor

Which of the following BEST describes the scope of risk analysis? Key financial systems Organizational activities Key systems and infrastructure Systems subject to regulatory compliance

Organizational activities

The decision as to whether a risk has been reduced to an acceptable level should be determined by: organizational requirements. information systems requirements. information security requirements. international standards.

organizational requirements.

Which of the following is the PRIMARY reason for implementing a risk management program? Allows the organization to eliminate risk Is a necessary part of management's due diligence Satisfies audit and regulatory requirements Assists in incrementing the return on investment (ROI)

Is a necessary part of management's due diligence

Which of the following groups would be in the BEST position to perform a risk analysis for a business? External auditors A peer group within a similar business Process owners A specialized management consultant

Process owners

A successful risk management program should lead to: optimization of risk reduction efforts against cost. containment of losses to an annual budgeted amount. identification and removal of all man-made threats. elimination or transference of all organizational risks.

optimization of risk reduction efforts against cost.

Which of the following risks would BEST be assessed using quantitative risk assessment techniques? Customer data stolen An electrical power outage A web site defaced by hackers Loss of the software development team

An electrical power outage

The impact of losing frame relay network connectivity for 18-24 hours should be calculated using the: hourly billing rate charged by the carrier. value of the data transmitted over the network. aggregate compensation of all affected business users. financial losses incurred by affected business units.

financial losses incurred by affected business units.

Which of the following is the MOST usable deliverable of an information security risk analysis? Business impact analysis (BIA) report List of action items to mitigate risk Assignment of risks to process owners Quantification of organizational risk

List of action items to mitigate risk

Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following? Tree diagrams Venn diagrams Heat charts Bar charts

Heat charts

Who would be in the BEST position to determine the recovery point objective (RPO) for business applications? Business continuity coordinator Chief operations officer (COO) Information security manager Internal audit

Chief operations officer (COO)

Which two components PRIMARILY must be assessed in an effective risk analysis? Visibility and duration Likelihood and impact Probability and frequency Financial impact and duration

Likelihood and impact

Information security managers should use risk assessment techniques to: justify selection of risk mitigation strategies. maximize the return on investment (ROI). provide documentation for auditors and regulators. quantify risks that would otherwise be subjective.

justify selection of risk mitigation strategies.

In assessing risk, it is MOST essential to: provide equal coverage for all asset types. use benchmarking data from similar organizations. consider both monetary value and likelihood of loss. focus primarily on threats and recent business losses.

consider both monetary value and likelihood of loss.

When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify: the information security steering committee. customers who may be impacted. data owners who may be impacted. regulatory agencies overseeing privacy.

data owners who may be impacted.

Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas? Platform security Entitlement changes Intrusion detection Antivirus controls

Entitlement changes

The PRIMARY goal of a corporate risk management program is to ensure that an organization's: IT assets in key business functions are protected. business risks are addressed by preventive controls. stated objectives are achievable. IT facilities and systems are always available.

stated objectives are achievable.

It is important to classify and determine relative sensitivity of assets to ensure that: cost of protection is in proportion to sensitivity. highly sensitive assets are protected. cost of controls is minimized. countermeasures are proportional to risk.

countermeasures are proportional to risk.

The service level agreement (SLA) for an outsourced IT function does not reflect an adequate level of protection. In this situation an information security manager should: ensure the provider is made liable for losses. recommend not renewing the contract upon expiration. recommend the immediate termination of the contract. determine the current level of security.

determine the current level of security.

An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the: threat. loss. vulnerability. probability.

vulnerability.

When performing a quantitative risk analysis, which of the following is MOST important to estimate the potential loss? Evaluate productivity losses Assess the impact of confidential data disclosure Calculate the value of the information or asset Measure the probability of occurrence of each threat

Calculate the value of the information or asset

Before conducting a formal risk assessment of an organization's information resources, an information security manager should FIRST: map the major threats to business objectives. review available sources of risk information. identify the value of the critical assets. determine the financial impact if threats materialize

map the major threats to business objectives.

The valuation of IT assets should be performed by: an IT security manager. an independent security consultant. the chief financial officer (CFO). the information owner

the information owner

The PRIMARY objective of a risk management program is to: minimize inherent risk. eliminate business risk. implement effective controls. minimize residual risk.

minimize residual risk.

After completing a full IT risk assessment, who can BEST decide which mitigating controls should be implemented? Senior management Business manager IT audit manager Information security officer (ISO)

Business manager

When performing an information risk analysis, an information security manager should FIRST: establish the ownership of assets. evaluate the risks to the assets. take an asset inventory. categorize the assets.

take an asset inventory.

The PRIMARY benefit of performing an information asset classification is to: link security requirements to business objectives. identify controls commensurate to risk. define access rights. establish ownership

identify controls commensurate to risk.

Which of the following is MOST essential for a risk management program to be effective? Flexible security budget Sound risk baseline New risks detection Accurate risk reporting

New risks detection

Which of the following attacks is BEST mitigated by utilizing strong passwords? Man-in-the-middle attack Brute force attack Remote buffer overflow Root kit

Brute force attack

Phishing is BEST mitigated by which of the following? Security monitoring software Encryption Two-factor authentication User awareness

User awareness

The security responsibility of data custodians in an organization will include: assuming overall protection of information assets. determining data classification levels. implementing security controls in products they install. ensuring security measures are consistent with policy.

ensuring security measures are consistent with policy.

A security risk assessment exercise should be repeated at regular intervals because: business threats are constantly changing. omissions in earlier assessments can be addressed. repetitive assessments allow various methodologies. they help raise awareness on security in the business.

business threats are constantly changing.

Which of the following steps in conducting a risk assessment should be performed FIRST? Identity business assets Identify business risks Assess vulnerabilities Evaluate key controls

Identity business assets

The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by: periodically testing the incident response plans. regularly testing the intrusion detection system (IDS). establishing mandatory training of all personnel. periodically reviewing incident response procedures.

periodically testing the incident response plans.

Which of the following risks is represented in the risk appetite of an organization? Control Inherent Residual Audit

Residual

Which of the following would a security manager establish to determine the target for restoration of normal processing? Recovery time objective (RTO) Maximum tolerable outage (MTO) Recovery point objectives (RPOs) Services delivery objectives (SDOs)

Recovery time objective (RTO)

A risk management program would be expected to: remove all inherent risk. maintain residual risk at an acceptable level. implement preventive controls for every threat. reduce control risk to zero.

maintain residual risk at an acceptable level.

Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project? Programming Specification User testing Feasibility

Feasibility

Which of the following would help management determine the resources needed to mitigate a risk to the organization? Risk analysis process Business impact analysis (BIA) Risk management balanced scorecard Risk-based audit program

Business impact analysis (BIA)

A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that: * there are sufficient safeguards in place to prevent this risk from happening. * the needed countermeasure is too complicated to deploy. * the cost of countermeasure outweighs the value of the asset and potential loss. * the likelihood of the risk occurring is unknown.

the cost of countermeasure outweighs the value of the asset and potential loss.

Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program? Number of controls implemented Percent of control objectives accomplished Percent of compliance with the security policy Reduction in the number of reported security incidents

Percent of control objectives accomplished

Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a large, multinational enterprise? Strategic business plan Upcoming financial results Customer personal information Previous financial results

Previous financial results

The PRIMARY purpose of using risk analysis within a security program is to: justify the security expenditure. help businesses prioritize the assets to be protected. inform executive management of residual risk value. assess exposures and plan remediation.

assess exposures and plan remediation.

Which of the following is the PRIMARY prerequisite to implementing data classification within an organization? Defining job roles Performing a risk assessment Identifying data owners Establishing data retention policies

Identifying data owners

An online banking institution is concerned that the breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to: * mitigate the impact by purchasing insurance. * implement a circuit-level firewall to protect the network. * increase the resiliency of security measures in place. * implement a real-time intrusion detection system.

mitigate the impact by purchasing insurance.

What mechanisms are used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system? Business impact analyses Security gap analyses System performance metrics Incident response processes

Security gap analyses

A common concern with poorly written web applications is that they can allow an attacker to: gain control through a buffer overflow. conduct a distributed denial of service (DoS) attack. abuse a race condition. inject structured query language (SQL) statements.

inject structured query language (SQL) statements.

Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk? Historical cost of the asset Acceptable level of potential business impacts Cost versus benefit of additional mitigating controls Annualized loss expectancy (ALE)

Cost versus benefit of additional mitigating controls

A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN). What should the security manager do FIRST? Understand the business requirements of the developer portal Perform a vulnerability assessment of the developer portal Install an intrusion detection system (IDS) Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server

Understand the business requirements of the developer portal

A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account? Prevent the system from being accessed remotely Create a strong random password Ask for a vendor patch Track usage of the account by audit trails

Create a strong random password

Attackers who exploit cross-site scripting vulnerabilities take advantage of: * a lack of proper input validation controls. * weak authentication controls in the web application layer. * flawed cryptographic secure sockets layer (SSL) implementations and short key lengths. * implicit web application trust relationships.

a lack of proper input validation controls.

Which of the following would BEST address the risk of data leakage? File backup procedures Database integrity checks Acceptable use policies Incident response procedures

Acceptable use policies

A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected? Access control policy Data classification policy Encryption standards Acceptable use policy

Data classification policy

What is the BEST technique to determine which security controls to implement with a limited budget? Risk analysis Annualized loss expectancy (ALE) calculations Cost-benefit analysis Impact analysis

Cost-benefit analysis

A company's mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action? A penetration test A security baseline review A risk assessment A business impact analysis (BIA)

A risk assessment

Which of the following measures would be MOST effective against insider threats to confidential information? Role-based access control Audit trail monitoring Privacy policy Defense-in-depth

Role-based access control

Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company's policies. An information security manager should: * conduct a risk assessment and allow or disallow based on the outcome. * recommend a risk assessment and implementation only if the residual risks are accepted. * recommend against implementation because it violates the company's policies. * recommend revision of current policy

recommend a risk assessment and implementation only if the residual risks are accepted.

After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to: * increase its customer awareness efforts in those regions. * implement monitoring techniques to detect and react to potential fraud. * outsource credit card processing to a third party. * make the customer liable for losses if they fail to follow the bank's advice.

implement monitoring techniques to detect and react to potential fraud.

The criticality and sensitivity of information assets is determined on the basis of: threat assessment. vulnerability assessment. resource dependency assessment. impact assessment

impact assessment

Which program element should be implemented FIRST in asset classification and control? Risk assessment Classification Valuation Risk mitigation

Valuation

When performing a risk assessment, the MOST important consideration is that: * management supports risk mitigation efforts. * annual loss expectations (ALEs) have been calculated for critical assets. * assets have been identified and appropriately valued. * attack motives, means and opportunities be understood.

assets have been identified and appropriately valued.

The MAIN reason why asset classification is important to a successful information security program is because classification determines: the priority and extent of risk mitigation efforts. the amount of insurance needed in case of loss. the appropriate level of protection to the asset. how protection levels compare to peer organizations.

the appropriate level of protection to the asset.

The BEST strategy for risk management is to: * achieve a balance between risk and organizational goals. * reduce risk to an acceptable level. * ensure that policy development properly considers organizational risks. * ensure that all unmitigated risks are accepted by management.

reduce risk to an acceptable level.

Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data? Disclosure of personal information Sufficient coverage of the insurance policy for accidental losses Intrinsic value of the data stored on the equipment Replacement cost of the equipment

Intrinsic value of the data stored on the equipment

An organization has to comply with recently published industry regulatory requirements - compliance that potentially has high implementation costs. What should the information security manager do FIRST? Implement a security committee. Perform a gap analysis. Implement compensating controls. Demand immediate compliance.

Perform a gap analysis.

Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system? Annual loss expectancy (ALE) of incidents Frequency of incidents Total cost of ownership (TCO) Approved budget for the project

Total cost of ownership (TCO)

One way to determine control effectiveness is by determining: whether it is preventive, detective or compensatory. the capability of providing notification of failure. the test results of intended objectives. the evaluation and analysis of reliability.

the test results of intended objectives.

What does a network vulnerability assessment intend to identify? 0-day vulnerabilities Malicious software and spyware Security design flaws Misconfiguration and missing updates

Misconfiguration and missing updates

Who is responsible for ensuring that information is classified? Senior management Security manager Data owner Custodian

Data owner

After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be: transferred. treated. accepted. terminated.

accepted.

When a significant security breach occurs, what should be reported FIRST to senior management? A summary of the security logs that illustrates the sequence of events An explanation of the incident and corrective action taken An analysis of the impact of similar attacks at other organizations A business case for implementing stronger logical access controls

An explanation of the incident and corrective action taken

The PRIMARY reason for initiating a policy exception process is when: operations are too busy to comply. the risk is justified by the benefit. policy compliance would be difficult to enforce. users may initially be inconvenienced.

the risk is justified by the benefit.

Which of the following would be the MOST relevant factor when defining the information classification policy? Quantity of information Available IT infrastructure Benchmarking Requirements of data owners

Requirements of data owners

To determine the selection of controls required to meet business objectives, an information security manager should: prioritize the use of role-based access controls. focus on key controls. restrict controls to only critical applications. focus on automated controls.

focus on key controls.

The MOST appropriate owner of customer data stored in a central database, used only by an organization's sales department, would be the: sales department. database administrator. chief information officer (CIO). head of the sales department.

head of the sales department.

In assessing the degree to which an organization may be affected by new privacy legislation, information security management should FIRST: * develop an operational plan for achieving compliance with the legislation. * identify systems and processes that contain privacy components. * restrict the collection of personal information until compliant. * identify privacy legislation in other countries that may contain similar requirements.

identify systems and processes that contain privacy components.

Risk assessment is MOST effective when performed: * at the beginning of security program development. * on a continuous basis. * while developing the business case for the security program. * during the business change process.

on a continuous basis.

Which of the following is the MAIN reason for performing risk assessment on a continuous basis? Justification of the security budget must be continually made. New vulnerabilities are discovered every day. The risk environment is constantly changing. Management needs to be continually informed about emerging risks.

The risk environment is constantly changing.

There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period? Identify the vulnerable systems and apply compensating controls Minimize the use of vulnerable systems Communicate the vulnerability to system users Update the signatures database of the intrusion detection system (IDS)

Identify the vulnerable systems and apply compensating controls

Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes? Business impact analysis (BIA) Penetration testing Audit and review Threat analysis

Penetration testing

Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented? Countermeasure cost-benefit analysis Penetration testing Frequent risk assessment programs Annual loss expectancy (ALE) calculation

Countermeasure cost-benefit analysis

An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of: eliminating the risk. transferring the risk. mitigating the risk. accepting the risk.

mitigating the risk.

Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset? Manager Custodian User Owner

Owner

The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for: * determining the scope for inclusion in an information security program. * defining the level of access controls. * justifying costs for information resources. * determining the overall budget of an information security program.

defining the level of access controls.

An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs? Key performance indicators (KPIs) Business impact analysis (BIA) Gap analysis Technical vulnerability assessment

Gap analysis

When performing a qualitative risk analysis, which of the following will BEST produce reliable results? Estimated productivity losses Possible scenarios with threats and impacts Value of information assets Vulnerability assessment

Possible scenarios with threats and impacts

Which of the following is the BEST method to ensure the overall effectiveness of a risk management program? User assessments of changes Comparison of the program results with industry standards Assignment of risk within the organization Participation by all members of the organization

Participation by all members of the organization

The MOST effective use of a risk register is to: * identify risks and assign roles and responsibilities for mitigation. * identify threats and probabilities. * facilitate a thorough review of all IT-related risks on a periodic basis. * record the annualized financial amount of expected losses due to risks.

facilitate a thorough review of all IT-related risks on a periodic basis.

After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program? Define security metrics Conduct a risk assessment Perform a gap analysis Procure security tools

Conduct a risk assessment

Which of the following are the essential ingredients of a business impact analysis (BIA)? Downtime tolerance, resources and criticality Cost of business outages in a year as a factor of the security budget Business continuity testing methodology being deployed Structure of the crisis management team

Downtime tolerance, resources and criticality

A risk management approach to information protection is: * managing risks to an acceptable level, commensurate with goals and objectives. * accepting the security posture provided by commercial security products. * implementing a training program to educate individuals on information protection and risks. * managing risk tools to ensure that they assess all information protection vulnerabilities.

managing risks to an acceptable level, commensurate with goals and objectives.

Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level? Implement countermeasures. Eliminate the risk. Transfer the risk. Accept the risk.

Transfer the risk.

To ensure that payroll systems continue on in an event of a hurricane hitting a data center, what would be the FIRST crucial step an information security manager would take in ensuring business continuity planning? Conducting a qualitative and quantitative risk analysis. Assigning value to the assets. Weighing the cost of implementing the plan vs. financial loss. Conducting a business impact analysis (BIA).

Conducting a business impact analysis (BIA).

An information security organization should PRIMARILY: * support the business objectives of the company by providing security-related support services. * be responsible for setting up and documenting the information security responsibilities of the information security team members. * ensure that the information security policies of the company are in line with global best practices and standards. * ensure that the information security expectations are conveyed to employees.

support the business objectives of the company by providing security-related support services.

When implementing security controls, an information security manager must PRIMARILY focus on: minimizing operational impacts. eliminating all vulnerabilities. usage by similar organizations. certification from a third party.

minimizing operational impacts.

All risk management activities are PRIMARILY designed to reduce impacts to: * a level defined by the security manager. * an acceptable level based on organizational risk tolerance. * a minimum level consistent with regulatory requirements. * the minimum level possible.

an acceptable level based on organizational risk tolerance.

After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks? Information security officer Chief information officer (CIO) Business owner Chief executive officer (CEO)

Business owner

The purpose of a corrective control is to: reduce adverse events. indicate compromise. mitigate impact. ensure compliance.

mitigate impact.

Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system? Performing a business impact analysis (BIA) Considering personal information devices as part of the security policy Initiating IT security training and familiarization Basing the information security infrastructure on risk assessment

Basing the information security infrastructure on risk assessment

Previously accepted risk should be: * re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions. * accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable. * avoided next time since risk avoidance provides the best protection to the company. * removed from the risk log once it is accepted.

re-assessed periodically since the risk can be escalated to an unacceptable level due to revised

An information security manager is advised by contacts in law enforcement that there is evidence that his/ her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to: * perform a comprehensive assessment of the organization's exposure to the hacker's techniques. * initiate awareness training to counter social engineering. * immediately advise senior management of the elevated risk. * increase monitoring activities to provide early detection of intrusion.

immediately advise senior management of the elevated risk.

Which of the following steps should be performed FIRST in the risk assessment process? Staff interviews Threat identification Asset identification and valuation Determination of the likelihood of identified risks

Asset identification and valuation

Which of the following authentication methods prevents authentication replay? Password hash implementation Challenge/response mechanism Wired Equivalent Privacy (WEP) encryption usage HTTP Basic Authentication

Challenge/response mechanism

An organization has a process in place that involves the use of a vendor. A risk assessment was completed during the development of the process. A year after the implementation a monetary decision has been made to use a different vendor. What, if anything, should occur? Nothing, since a risk assessment was completed during development. A vulnerability assessment should be conducted. A new risk assessment should be performed. The new vendor's SAS 70 type II report should be reviewed.

A new risk assessment should be performed.

CISM Practice B Topic 2 Flashcards

(136 cards)