CISM Certified Information Security Manager Mock Practice

Access control to a sensitive intranet application by mobile users can BEST be implemented
through:

Options are :

  • two-factor authentication (Correct)
  • data encryption.
  • strong passwords.
  • digital signatures.

Answer : two-factor authentication

Which of the following roles is PRIMARILY responsible for determining the information
classification levels for a given information asset? 

Options are :

  • User
  • Owner (Correct)
  • Custodian
  • Manager

Answer : Owner

CISM Information Security Governance Certified

Which of the following is the MOST effective way to treat a risk such as a natural disaster that has
a low probability and a high impact level? 

Options are :

  • Accept the risk.
  • Eliminate the risk.
  • Transfer the risk. (Correct)
  • Implement countermeasures.

Answer : Transfer the risk.

Which of the following tools is MOST appropriate for determining how long a security project will
take to implement?

Options are :

  • Waterfall chart
  • Rapid Application Development (RAD)
  • Critical path (Correct)
  • Gantt chart

Answer : Critical path

The effectiveness of virus detection software is MOST dependent on which of the following?

Options are :

  • Packet filtering
  • Software upgrades
  • Definition tables (Correct)
  • Intrusion detection

Answer : Definition tables

CISM Information Security Program Management

An organization is already certified to an international security standard. Which mechanism would
BEST help to further align the organization with other data security regulatory requirements as per
new business needs? 

Options are :

  • Gap analysis (Correct)
  • Key performance indicators (KPIs)
  • Business impact analysis (BIA)
  • Technical vulnerability assessment

Answer : Gap analysis

Which of the following techniques MOST clearly indicates whether specific risk-reduction controls
should be implemented?

Options are :

  • Penetration testing
  • Annual loss expectancy (ALE) calculation
  • Countermeasure cost-benefit analysis (Correct)
  • Frequent risk assessment programs

Answer : Countermeasure cost-benefit analysis

Which of the following is the MOST appropriate frequency for updating antivirus signature files for
antivirus software on production servers?

Options are :

  • During scheduled change control updates
  • Daily (Correct)
  • Concurrently with O/S patch updates
  • Weekly

Answer : Daily

CISM Information Risk Management Certification

Which of the following are the essential ingredients of a business impact analysis (BIA)?

Options are :

  • Business continuity testing methodology being deployed
  • Structure of the crisis management team
  • Cost of business outages in a year as a factor of the security budget
  • Downtime tolerance, resources and criticality (Correct)

Answer : Downtime tolerance, resources and criticality

Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection
mechanism?

Options are :

  • Number of attacks detected
  • Number of successful attacks
  • Ratio of false positives to false negatives (Correct)
  • Ratio of successful to unsuccessful attacks

Answer : Ratio of false positives to false negatives

Which of the following is MOST effective in preventing security weaknesses in operating systems?

Options are :

  • Security baselines
  • Change management
  • Patch management (Correct)
  • Configuration management

Answer : Patch management

CISM Information Risk Management Certification

A risk management approach to information protection is: 

Options are :

  • accepting the security posture provided by commercial security products.
  • managing risk tools to ensure that they assess all information protection vulnerabilities.
  • implementing a training program to educate individuals on information protection and risks.
  • managing risks to an acceptable level, commensurate with goals and objectives. (Correct)

Answer : managing risks to an acceptable level, commensurate with goals and objectives.

Which of the following is the BEST method for ensuring that security procedures and guidelines
are known and understood? 

Options are :

  • Periodic focus group meetings
  • Employee's signed acknowledgement
  • Computer-based certification training (CBT) (Correct)
  • Periodic compliance reviews

Answer : Computer-based certification training (CBT)

An intrusion detection system should be placed: 

Options are :

  • on the external router.
  • on the firewall server.
  • on a screened subnet. (Correct)
  • outside the firewall.

Answer : on a screened subnet.

CISM Information Risk Management Certification

The purpose of a corrective control is to: 

Options are :

  • indicate compromise.
  • reduce adverse events.
  • ensure compliance.
  • mitigate impact. (Correct)

Answer : mitigate impact.

Which of the following BEST ensures that information transmitted over the Internet will remain
confidential?

Options are :

  • Firewalls and routers
  • Biometric authentication
  • Virtual private network (VPN) (Correct)
  • Two-factor authentication

Answer : Virtual private network (VPN)

Which of the following authentication methods prevents authentication replay?

Options are :

  • Password hash implementation
  • HTTP Basic Authentication
  • Challenge/response mechanism (Correct)
  • Wired Equivalent Privacy (WEP) encryption usage

Answer : Challenge/response mechanism

CISM Information Security Governance Certification Test

An information security organization should PRIMARILY:

Options are :

  • ensure that the information security expectations are conveyed to employees.
  • ensure that the information security policies of the company are in line with global best practices and standards.
  • support the business objectives of the company by providing security-related support services. (Correct)
  • be responsible for setting up and documenting the information security responsibilities of the information security team members.

Answer : support the business objectives of the company by providing security-related support services.

When performing a qualitative risk analysis, which of the following will BEST produce reliable
results?

Options are :

  • Estimated productivity losses
  • Vulnerability assessment
  • Possible scenarios with threats and impacts (Correct)
  • Value of information assets

Answer : Possible scenarios with threats and impacts

Security monitoring mechanisms should PRIMARILY:

Options are :

  • focus on detecting network intrusions.
  • assist owners to manage control risks.
  • focus on business-critical information. (Correct)
  • record all security violations.

Answer : focus on business-critical information.

After assessing and mitigating the risks of a web application, who should decide on the
acceptance of residual application risks?

Options are :

  • Business owner (Correct)
  • Chief executive officer (CEO)
  • Chief information officer (CIO)
  • Information security officer

Answer : Business owner

An organization has a process in place that involves the use of a vendor. A risk assessment was
completed during the development of the process. A year after the implementation a monetary
decision has been made to use a different vendor. What, if anything, should occur?

Options are :

  • A new risk assessment should be performed. (Correct)
  • The new vendor's SAS 70 type II report should be reviewed.
  • A vulnerability assessment should be conducted.
  • Nothing, since a risk assessment was completed during development.

Answer : A new risk assessment should be performed.

The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is
to provide a basis for:

Options are :

  • defining the level of access controls. (Correct)
  • determining the scope for inclusion in an information security program.
  • determining the overall budget of an information security program.
  • justifying costs for information resources.

Answer : defining the level of access controls.

CISM Information Security Program Development Practice

When application-level security controlled by business process owners is found to be poorly
managed, which of the following could BEST improve current practices? 

Options are :

  • Centralizing security management (Correct)
  • Implementing sanctions for noncompliance
  • Periodic compliance reviews
  • Policy enforcement by IT management

Answer : Centralizing security management

On which of the following should a firewall be placed?

Options are :

  • Intrusion detection system (IDS) server
  • Web server
  • Domain boundary (Correct)
  • Screened subnet

Answer : Domain boundary

When implementing security controls, an information security manager must PRIMARILY focus
on:

Options are :

  • minimizing operational impacts. (Correct)
  • eliminating all vulnerabilities.
  • certification from a third party.
  • usage by similar organizations.

Answer : minimizing operational impacts.

CISM Information Security Program Management

Which of the following is the MOST important requirement for setting up an information security
infrastructure for a new system? 

Options are :

  • Basing the information security infrastructure on risk assessment (Correct)
  • Initiating IT security training and familiarization
  • Performing a business impact analysis (BIA)
  • Considering personal information devices as part of the security policy

Answer : Basing the information security infrastructure on risk assessment

Which of the following is generally used to ensure that information transmitted over the Internet is
authentic and actually transmitted by the named sender?

Options are :

  • Embedded digital signature (Correct)
  • Biometric authentication
  • Embedded steganographic
  • Two-factor authentication

Answer : Embedded digital signature

Which of the following devices should be placed within a demilitarized zone (DMZ)?

Options are :

  • Web server (Correct)
  • Database server
  • File/print server
  • Network switch

Answer : Web server

CISM Information Risk Management Certification

Which of the following steps should be performed FIRST in the risk assessment process? 

Options are :

  • Asset identification and valuation (Correct)
  • Threat identification
  • Staff interviews
  • Determination of the likelihood of identified risks

Answer : Asset identification and valuation

Which of the following is the MOST effective type of access control?

Options are :

  • Role-based (Correct)
  • Decentralized
  • Discretionary
  • Centralized

Answer : Role-based

Which of the following is the BEST method to ensure the overall effectiveness of a risk
management program?

Options are :

  • User assessments of changes
  • Comparison of the program results with industry standards
  • Participation by all members of the organization (Correct)
  • Assignment of risk within the organization

Answer : Participation by all members of the organization

CISM Information Security Program Management Practice Exam

Who can BEST approve plans to implement an information security governance framework?

Options are :

  • Information security management
  • Internal auditor
  • Steering committee (Correct)
  • Infrastructure management

Answer : Steering committee
