CISM Certified Information Security Manager Mock

In the process of deploying a new e-mail system, an information security manager would like to
ensure the confidentiality of messages while in transit. Which of the following is the MOST
appropriate method to ensure data confidentiality in a new e-mail system implementation?

Options are :

  • Encryption (Correct)
  • Digital signature
  • Digital certificate
  • Hashing algorithm

Answer : Encryption

Which of the following is MOST effective for securing wireless networks as a point of entry into a
corporate network? 

Options are :

  • Strong encryption (Correct)
  • Internet-facing firewall
  • Boundary router
  • Intrusion detection system (IDS)

Answer : Strong encryption

Which of the following is the MOST relevant metric to include in an information security quarterly
report to the executive committee?

Options are :

  • Percentage of security compliant servers
  • Number of security patches applied
  • Security patches applied trend report
  • Security compliant servers trend report (Correct)

Answer : Security compliant servers trend report

Which of the following security mechanisms is MOST effective in protecting classified data that
have been encrypted to prevent disclosure and transmission outside the organization's network?

Options are :

  • Safeguards over keys (Correct)
  • Authentication within application
  • Configuration of firewalls
  • Strength of encryption algorithms

Answer : Safeguards over keys

Which of the following practices is BEST to remove system access for contractors and other
temporary users when it is no longer required?

Options are :

  • Ensure each individual has signed a security acknowledgement
  • Require managers to e-mail security when the user leaves
  • Establish predetermined automatic expiration dates (Correct)
  • Log all account usage and send it to their manager

Answer : Establish predetermined automatic expiration dates

The MAIN advantage of implementing automated password synchronization is that it: 

Options are :

  • allows passwords to be changed less frequently.
  • increases security between multi-tier systems.
  • reduces the need for two-factor authentication.
  • reduces overall administrative workload. (Correct)

Answer : reduces overall administrative workload.

When a newly installed system for synchronizing passwords across multiple systems and
platforms abnormally terminates without warning, which of the following should automatically occur
FIRST?

Options are :

  • All systems should block new logins until the problem is corrected
  • System logs should record all user activity for later analysis
  • Access control should fall back to non-synchronized mode (Correct)
  • The firewall should block all inbound traffic during the outage

Answer : Access control should fall back to non-synchronized mode

Which of the following is the MOST effective solution for preventing individuals external to the
organization from modifying sensitive information on a corporate database? 

Options are :

  • Intrusion detection system (IDS)
  • Information classification policies and procedures
  • Screened subnets (Correct)
  • Role-based access controls

Answer : Screened subnets

Which of the following is the BEST method to provide a new user with their initial password for email
system access?

Options are :

  • Set initial password equal to the user ID with expiration in 30 days
  • Require no password but force the user to set their own in 10 days
  • Give a dummy password over the telephone set for immediate expiration (Correct)
  • Interoffice a system-generated complex password with 30 days expiration

Answer : Give a dummy password over the telephone set for immediate expiration

An outsource service provider must handle sensitive customer information. Which of the following
is MOST important for an information security manager to know? 

Options are :

  • Results of the latest independent security review
  • Provider's level of compliance with industry standards
  • Security in storage and transmission of sensitive data (Correct)
  • Security technologies in place at the facility

Answer : Security in storage and transmission of sensitive data

Which of the following devices should be placed within a DMZ?

Options are :

  • Data warehouse server
  • Departmental server
  • Proxy server
  • Application server (Correct)

Answer : Application server

What is the BEST defense against a Structured Query Language (SQL) injection attack?

Options are :

  • Regularly updated signature files
  • An intrusion detection system
  • A properly configured firewall
  • Strict controls on input fields (Correct)

Answer : Strict controls on input fields

The MOST important reason that statistical anomaly-based intrusion detection systems (stat IDSs)
are less commonly used than signature-based IDSs is that stat IDSs:

Options are :

  • cannot detect new types of attacks.
  • generate false alarms from varying user or system actions. (Correct)
  • cause false positives from minor changes to system variables.
  • create more overhead than signature-based IDSs.

Answer : generate false alarms from varying user or system actions.

Which of the following features is normally missing when using Secure Sockets Layer (SSL) in a
web browser?

Options are :

  • Certificate-based authentication of web server
  • Data confidentiality between client and web server
  • Certificate-based authentication of web client (Correct)
  • Multiple encryption algorithms

Answer : Certificate-based authentication of web client

An information security program should be sponsored by: 

Options are :

  • information security management.
  • the corporate audit department.
  • key business process owners. (Correct)
  • infrastructure management.

Answer : key business process owners.

Which of the following is the MOST important item to include when developing web hosting
agreements with third-party providers?

Options are :

  • Termination conditions
  • Liability limits
  • Privacy restrictions
  • Service levels (Correct)

Answer : Service levels

Which of the following ensures that newly identified security weaknesses in an operating system
are mitigated in a timely fashion?

Options are :

  • Change management
  • Security baselines
  • Patch management (Correct)
  • Acquisition management

Answer : Patch management

The MOST effective way to ensure that outsourced service providers comply with the
organization's information security policy would be:

Options are :

  • periodically auditing. (Correct)
  • service level monitoring.
  • security awareness training.
  • penetration testing.

Answer : periodically auditing.

Which of the following would be the BEST metric for the IT risk management process?

Options are :

  • Number of security incidents identified
  • Percentage of critical assets with budgeted remedial (Correct)
  • Percentage of unresolved risk exposures
  • Number of risk management action plans

Answer : Percentage of critical assets with budgeted remedial

Which of the following guarantees that data in a file have not changed? 

Options are :

  • Inspecting the modified date of the file
  • Encrypting the file with symmetric encryption
  • Creating a hash of the file, then comparing the file hashes (Correct)
  • Using stringent access control to prevent unauthorized access

Answer : Creating a hash of the file, then comparing the file hashes

Which of the following metrics would be the MOST useful in measuring how well information
security is monitoring violation logs? 

Options are :

  • Violation log reports produced
  • Violation log entries
  • Frequency of corrective actions taken
  • Penetration attempts investigated (Correct)

Answer : Penetration attempts investigated

In order to protect a network against unauthorized external connections to corporate systems, the
information security manager should BEST implement:

Options are :

  • access lists of trusted devices.
  • IP antispoofing filtering.
  • network encryption protocol.
  • a strong authentication. (Correct)

Answer : a strong authentication.

In a well-controlled environment, which of the following activities is MOST likely to lead to the
introduction of weaknesses in security software? 

Options are :

  • Applying patches
  • Upgrading hardware
  • Backing up files
  • Changing access rules (Correct)

Answer : Changing access rules

When considering the value of assets, which of the following would give the information security
manager the MOST objective basis for measurement of value delivery in information security
governance?

Options are :

  • Effectiveness of controls
  • Number of controls
  • Test results of controls
  • Cost of achieving control objectives (Correct)

Answer : Cost of achieving control objectives

The MOST effective way to ensure network users are aware of their responsibilities to comply with
an organization's security requirements is:

Options are :

  • an Intranet web site for information security.
  • messages displayed at every logon. (Correct)
  • circulating the information security policy.
  • periodic security-related e-mail messages.

Answer : messages displayed at every logon.

Which of the following change management activities would be a clear indicator that normal
operational procedures require examination? A high percentage of:

Options are :

  • change request postponements.
  • similar change requests.
  • canceled change requests.
  • emergency change requests. (Correct)

Answer : emergency change requests.

The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information
security program is to: 

Options are :

  • allow deployment of the active directory.
  • ensure the confidentiality of sensitive material.
  • implement secure sockets layer (SSL) encryption.
  • provide a high assurance of identity. (Correct)

Answer : provide a high assurance of identity.

Which of the following is the MOST important reason for an information security review of
contracts? To help ensure that: 

Options are :

  • appropriate controls are included. (Correct)
  • the right to audit is a requirement.
  • confidential data are not included in the agreement.
  • the parties to the agreement can perform.

Answer : appropriate controls are included.

In an organization, information systems security is the responsibility of: 

Options are :

  • information systems security personnel.
  • information systems personnel.
  • all personnel. (Correct)
  • functional personnel.

Answer : all personnel.

When an emergency security patch is received via electronic mail, the patch should FIRST be:

Options are :

  • copied onto write-once media to prevent tampering.
  • validated to ensure its authenticity. (Correct)
  • decompiled to check for malicious code.
  • loaded onto an isolated test machine.

Answer : validated to ensure its authenticity.

An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and
encourage cross-training. Which type of authorization policy would BEST address this practice?

Options are :

  • Attribute-based
  • Role-based (Correct)
  • Discretionary
  • Multilevel

Answer : Role-based

The BEST way to ensure that security settings on each platform are in compliance with
information security policies and procedures is to: 

Options are :

  • perform penetration testing.
  • implement vendor default settings.
  • link policies to an independent standard.
  • establish security baselines. (Correct)

Answer : establish security baselines.

Which of the following would BEST protect an organization's confidential data stored on a laptop
computer from unauthorized access?

Options are :

  • Strong authentication by password
  • Multifactor authentication procedures
  • Network-based data backup
  • Encrypted hard drives (Correct)

Answer : Encrypted hard drives

Which of the following, using public key cryptography, ensures authentication, confidentiality and
nonrepudiation of a message?

Options are :

  • Encrypting first by sender's private key and second decrypting by sender's public key
  • Encrypting first by receiver's private key and second by sender's public key
  • Encrypting first by sender's public key and second by receiver's private key
  • Encrypting first by sender's private key and second by receiver's public key (Correct)

Answer : Encrypting first by sender's private key and second by receiver's public key
