CISM Certified Information Security Manager Test Practice

One way to determine control effectiveness is by determining:

Options are :

  • whether it is preventive, detective or compensatory.
  • the evaluation and analysis of reliability.
  • the capability of providing notification of failure
  • the test results of intended objectives. (Correct)

Answer : the test results of intended objectives.

CISM Information Risk Management Certification Practice

What does a network vulnerability assessment intend to identify?

Options are :

  • 0-day vulnerabilities
  • Misconfiguration and missing updates (Correct)
  • Malicious software and spyware
  • Security design flaws

Answer : Misconfiguration and missing updates

The systems administrator did not immediately notify the security officer about a malicious attack.
An information security manager could prevent this situation by: 

Options are :

  • establishing mandatory training of all personnel.
  • periodically testing the incident response plans. (Correct)
  • regularly testing the intrusion detection system (IDS).
  • periodically reviewing incident response procedures.

Answer : periodically testing the incident response plans.

Risk assessment should be built into which of the following systems development phases to
ensure that risks are addressed in a development project?

Options are :

  • Specification
  • Programming
  • User testing
  • Feasibility (Correct)

Answer : Feasibility

CISM Information Security Program Management

An organization has to comply with recently published industry regulatory
requirements—compliance that potentially has high implementation costs. What should the
information security manager do FIRST?

Options are :

  • Perform a gap analysis. (Correct)
  • Implement compensating controls.
  • Implement a security committee
  • Demand immediate compliance.

Answer : Perform a gap analysis.

The MAIN reason why asset classification is important to a successful information security
program is because classification determines:

Options are :

  • the appropriate level of protection to the asset. (Correct)
  • how protection levels compare to peer organizations.
  • the amount of insurance needed in case of loss.
  • the priority and extent of risk mitigation efforts.

Answer : the appropriate level of protection to the asset.

A risk management program would be expected to:

Options are :

  • implement preventive controls for every threat
  • maintain residual risk at an acceptable level. (Correct)
  • reduce control risk to zero.
  • remove all inherent risk

Answer : maintain residual risk at an acceptable level.

CISM Certified Information Security Manager Test

Which of the following is the PRIMARY prerequisite to implementing data classification within an
organization?

Options are :

  • Performing a risk assessment
  • Defining job roles
  • Identifying data owners (Correct)
  • Establishing data retention policies

Answer : Identifying data owners

Which of the following would help management determine the resources needed to mitigate a risk
to the organization? 

Options are :

  • Risk-based audit program
  • Risk analysis process
  • Business impact analysis (BIA) (Correct)
  • Risk management balanced scorecard

Answer : Business impact analysis (BIA)

A common concern with poorly written web applications is that they can allow an attacker to:

Options are :

  • abuse a race condition.
  • inject structured query language (SQL) statements. (Correct)
  • gain control through a buffer overflow.
  • conduct a distributed denial of service (DoS) attack.

Answer : inject structured query language (SQL) statements.

CISM Information Risk Management Certification Test

Which of the following steps in conducting a risk assessment should be performed FIRST?

Options are :

  • Assess vulnerabilities
  • Identify business risks
  • Evaluate key controls
  • Identify business assets (Correct)

Answer : Identify business assets

The security responsibility of data custodians in an organization will include:

Options are :

  • implementing security controls in products they install.
  • determining data classification levels.
  • assuming overall protection of information assets.
  • ensuring security measures are consistent with policy. (Correct)
  • None of the above

Answer : ensuring security measures are consistent with policy.

Which of the following would be of GREATEST importance to the security manager in determining
whether to accept residual risk? 

Options are :

  • Historical cost of the asset
  • Annualized loss expectancy (ALE)
  • Acceptable level of potential business impacts
  • Cost versus benefit of additional mitigating controls (Correct)

Answer : Cost versus benefit of additional mitigating controls

CISM Information Security Governance Certification Exam

What is the BEST technique to determine which security controls to implement with a limited
budget?

Options are :

  • Impact analysis
  • Annualized loss expectancy (ALE) calculations
  • Risk analysis
  • Cost-benefit analysis (Correct)

Answer : Cost-benefit analysis

The BEST strategy for risk management is to:

Options are :

  • ensure that all unmitigated risks are accepted by management.
  • ensure that policy development properly considers organizational risks.
  • reduce risk to an acceptable level. (Correct)
  • achieve a balance between risk and organizational goals.

Answer : reduce risk to an acceptable level.

The PRIMARY reason for initiating a policy exception process is when:

Options are :

  • operations are too busy to comply
  • users may initially be inconvenienced.
  • policy compliance would be difficult to enforce.
  • the risk is justified by the benefit (Correct)

Answer : the risk is justified by the benefit

Cism Information Security Program Development Practice Exam

Which would be one of the BEST metrics an information security manager can employ to
effectively evaluate the results of a security program?

Options are :

  • Number of controls implemented
  • Percent of compliance with the security policy
  • Reduction in the number of reported security incidents
  • Percent of control objectives accomplished (Correct)

Answer : Percent of control objectives accomplished

Which of the following is MOST effective in preventing weaknesses from being introduced into
existing production systems? 

Options are :

  • Security baselines
  • Patch management
  • Change management (Correct)
  • Virus detection

Answer : Change management

Cism Information Security Program Development

Which of the following is the MOST effective solution for preventing internal users from modifying
sensitive and classified information?

Options are :

  • Exit routines
  • System access violation logs
  • Baseline security standards
  • Role-based access controls (Correct)

Answer : Role-based access controls

All risk management activities are PRIMARILY designed to reduce impacts to:

Options are :

  • the minimum level possible.
  • a level defined by the security manager.
  • a minimum level consistent with regulatory requirements.
  • an acceptable level based on organizational risk tolerance. (Correct)

Answer : an acceptable level based on organizational risk tolerance.

Previously accepted risk should be: 

Options are :

  • accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable.
  • avoided next time since risk avoidance provides the best protection to the company.
  • re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions (Correct)
  • removed from the risk log once it is accepted.

Answer : re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions

CISM Information Security Governance Certified

An extranet server should be placed: 

Options are :

  • on the external router
  • outside the firewall.
  • on the firewall server.
  • on a screened subnet. (Correct)

Answer : on a screened subnet.

The MOST effective use of a risk register is to:

Options are :

  • record the annualized financial amount of expected losses due to risks.
  • identify threats and probabilities.
  • facilitate a thorough review of all IT-related risks on a periodic basis. (Correct)
  • identify risks and assign roles and responsibilities for mitigation.

Answer : facilitate a thorough review of all IT-related risks on a periodic basis.

After obtaining commitment from senior management, which of the following should be completed
NEXT when establishing an information security program?

Options are :

  • Define security metrics
  • Procure security tools
  • Perform a gap analysis
  • Conduct a risk assessment (Correct)

Answer : Conduct a risk assessment

CISM Information Security Governance Certified Test

When a proposed system change violates an existing security standard, the conflict would be
BEST resolved by: 

Options are :

  • calculating the residual risk. (Correct)
  • redesigning the system change.
  • enforcing the security standard.
  • implementing mitigating controls.

Answer : calculating the residual risk.

The BEST reason for an organization to have two discrete firewalls connected directly to the
Internet and to the same DMZ would be to:

Options are :

  • separate test and production.
  • prevent a denial-of-service attack.
  • provide in-depth defense.
  • permit traffic load balancing. (Correct)

Answer : permit traffic load balancing.

Which of the following devices should be placed within a DMZ?

Options are :

  • Router
  • Authentication server
  • Firewall
  • Mail relay (Correct)

Answer : Mail relay

CISM Information Risk Management Certification Practice

An organization has decided to implement additional security controls to treat the risks of a new
process. This is an example of: 

Options are :

  • eliminating the risk.
  • transferring the risk.
  • mitigating the risk. (Correct)
  • accepting the risk.

Answer : mitigating the risk.

Who can BEST advocate the development of and ensure the success of an information security
program?

Options are :

  • Steering committee (Correct)
  • Chief operating officer (COO)
  • IT management
  • Internal auditor

Answer : Steering committee

Which of the following is the BEST metric for evaluating the effectiveness of security awareness
training? The number of:

Options are :

  • password resets
  • incidents resolved.
  • reported incidents. (Correct)
  • access rule violations.

Answer : reported incidents.

CISM Information Security Governance Certified Test

To ensure that payroll systems continue to operate in the event of a hurricane hitting a data center, what
would be the FIRST crucial step an information security manager would take in ensuring business continuity planning?

Options are :

  • Conducting a qualitative and quantitative risk analysis
  • Conducting a business impact analysis (BIA). (Correct)
  • Assigning value to the assets
  • Weighing the cost of implementing the plan vs. financial loss.

Answer : Conducting a business impact analysis (BIA).

An information security manager is advised by contacts in law enforcement that there is evidence
that his/her company is being targeted by a skilled gang of hackers known to use a variety of
techniques, including social engineering and network penetration. The FIRST step that the
security manager should take is to:

Options are :

  • perform a comprehensive assessment of the organization's exposure to the hacker's techniques.
  • increase monitoring activities to provide early detection of intrusion.
  • immediately advise senior management of the elevated risk. (Correct)
  • initiate awareness training to counter social engineering.

Answer : immediately advise senior management of the elevated risk.

An intranet server should generally be placed on the: 

Options are :

  • firewall server.
  • primary domain controller.
  • internal network. (Correct)
  • external router

Answer : internal network.

When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:

Options are :

  • financial penalties clause.
  • right-to-terminate clause.
  • limitations of liability.
  • service level agreement (SLA) (Correct)

Answer : service level agreement (SLA)
