CISM Certified Information Security Manager Test Practice Mock

Which of the following would a security manager establish to determine the target for restoration of
normal processing?

Options are :

  • Maximum tolerable outage (MTO)
  • Services delivery objectives (SDOs)
  • Recovery point objectives (RPOs)
  • Recovery time objective (RTO) (Correct)

Answer : Recovery time objective (RTO)

CISM Information Security Program Development Practice

The PRIMARY purpose of using risk analysis within a security program is to:

Options are :

  • help businesses prioritize the assets to be protected.
  • justify the security expenditure
  • inform executive management of residual risk value.
  • assess exposures and plan remediation. (Correct)

Answer : assess exposures and plan remediation.

After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the
benefit to be derived. The information security manager should recommend to business
management that the risk be: 

Options are :

  • accepted. (Correct)
  • treated.
  • transferred.
  • terminated.

Answer : accepted.

Which of the following would BEST address the risk of data leakage? 

Options are :

  • File backup procedures
  • Database integrity checks
  • Acceptable use policies (Correct)
  • Incident response procedures

Answer : Acceptable use policies

CISM Information Security Program Management Test

Which of the following would be the MOST important factor to be considered in the loss of mobile
equipment with unencrypted data? 

Options are :

  • Intrinsic value of the data stored on the equipment (Correct)
  • Sufficient coverage of the insurance policy for accidental losses
  • Replacement cost of the equipment
  • Disclosure of personal information

Answer : Intrinsic value of the data stored on the equipment

Which of the following security activities should be implemented in the change management
process to identify key vulnerabilities introduced by changes? 

Options are :

  • Audit and review
  • Threat analysis
  • Business impact analysis (BIA)
  • Penetration testing (Correct)

Answer : Penetration testing

A security risk assessment exercise should be repeated at regular intervals because: 

Options are :

  • repetitive assessments allow various methodologies.
  • business threats are constantly changing. (Correct)
  • they help raise awareness on security in the business.
  • omissions in earlier assessments can be addressed.

Answer : business threats are constantly changing.

After a risk assessment study, a bank with global operations decided to continue doing business in
certain regions of the world where identity theft is rampant. The information security manager
should encourage the business to:

Options are :

  • outsource credit card processing to a third party.
  • make the customer liable for losses if they fail to follow the bank's advice.
  • implement monitoring techniques to detect and react to potential fraud. (Correct)
  • increase its customer awareness efforts in those regions.

Answer : implement monitoring techniques to detect and react to potential fraud.

Which of the following measures would be MOST effective against insider threats to confidential
information?

Options are :

  • Privacy policy
  • Defense-in-depth
  • Role-based access control (Correct)
  • Audit trail monitoring

Answer : Role-based access control

What mechanisms are used to identify deficiencies that would provide attackers with an
opportunity to compromise a computer system? 

Options are :

  • System performance metrics
  • Security gap analyses (Correct)
  • Business impact analyses
  • Incident response processes

Answer : Security gap analyses

CISM Information Security Program Management

Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor
authentication system?

Options are :

  • Annual loss expectancy (ALE) of incidents
  • Frequency of incidents
  • Total cost of ownership (TCO) (Correct)
  • Approved budget for the project

Answer : Total cost of ownership (TCO)

A company's mail server allows anonymous file transfer protocol (FTP) access which could be
exploited. What process should the information security manager deploy to determine the
necessity for remedial action? 

Options are :

  • A risk assessment (Correct)
  • A penetration test
  • A security baseline review
  • A business impact analysis (BIA)

Answer : A risk assessment

Which of the following types of information would the information security manager expect to have
the LOWEST level of security protection in a large, multinational enterprise? 

Options are :

  • Customer personal information
  • Previous financial results (Correct)
  • Strategic business plan
  • Upcoming financial results

Answer : Previous financial results

CISM Information Security Program Management Practice

A global financial institution has decided not to take any further action on a denial of service (DoS)
risk found by the risk assessment team. The MOST likely reason they made this decision is that:

Options are :

  • the needed countermeasure is too complicated to deploy.
  • there are sufficient safeguards in place to prevent this risk from happening.
  • the likelihood of the risk occurring is unknown.
  • the cost of countermeasure outweighs the value of the asset and potential loss. (Correct)

Answer : the cost of countermeasure outweighs the value of the asset and potential loss.

When a significant security breach occurs, what should be reported FIRST to senior
management?

Options are :

  • An analysis of the impact of similar attacks at other organizations
  • A business case for implementing stronger logical access controls
  • An explanation of the incident and corrective action taken (Correct)
  • A summary of the security logs that illustrates the sequence of events

Answer : An explanation of the incident and corrective action taken

When performing a risk assessment, the MOST important consideration is that: 

Options are :

  • annual loss expectations (ALEs) have been calculated for critical assets.
  • attack motives, means and opportunities be understood.
  • assets have been identified and appropriately valued. (Correct)
  • management supports risk mitigation efforts.

Answer : assets have been identified and appropriately valued.

CISM Certified Information Security Manager Mock

Which program element should be implemented FIRST in asset classification and control? 

Options are :

  • Classification
  • Risk assessment
  • Valuation (Correct)
  • Risk mitigation

Answer : Valuation

A project manager is developing a developer portal and requests that the security manager assign
a public IP address so that it can be accessed by in-house staff and by external consultants
outside the organization's local area network (LAN). What should the security manager do FIRST? 

Options are :

  • Install an intrusion detection system (IDS)
  • Understand the business requirements of the developer portal (Correct)
  • Perform a vulnerability assessment of the developer portal
  • Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server

Answer : Understand the business requirements of the developer portal

An online banking institution is concerned that the breach of customer personal information will
have a significant financial impact due to the need to notify and compensate customers whose
personal information may have been compromised. The institution determines that residual risk
will always be too high and decides to

Options are :

  • mitigate the impact by purchasing insurance. (Correct)
  • increase the resiliency of security measures in place.
  • implement a circuit-level firewall to protect the network.
  • implement a real-time intrusion detection system.

Answer : mitigate the impact by purchasing insurance.

CISM Information Risk Management Certification Test

The criticality and sensitivity of information assets is determined on the basis of: 

Options are :

  • resource dependency assessment.
  • threat assessment.
  • vulnerability assessment
  • impact assessment. (Correct)

Answer : impact assessment.

A mission-critical system has been identified as having an administrative system account with
attributes that prevent locking and change of privileges and name. Which would be the BEST
approach to prevent successful brute forcing of the account?

Options are :

  • Prevent the system from being accessed remotely
  • Track usage of the account by audit trails
  • Ask for a vendor patch
  • Create a strong random password (Correct)

Answer : Create a strong random password

Because of its importance to the business, an organization wants to quickly implement a technical
solution which deviates from the company's policies. An information security manager should: 

Options are :

  • recommend revision of current policy.
  • conduct a risk assessment and allow or disallow based on the outcome.
  • recommend against implementation because it violates the company's policies.
  • recommend a risk assessment and implementation only if the residual risks are accepted. (Correct)

Answer : recommend a risk assessment and implementation only if the residual risks are accepted.

The MOST appropriate owner of customer data stored in a central database, used only by an
organization's sales department, would be the: 

Options are :

  • database administrator.
  • head of the sales department. (Correct)
  • chief information officer (CIO).
  • sales department.

Answer : head of the sales department.

Who is responsible for ensuring that information is classified? 

Options are :

  • Security manager
  • Custodian
  • Data owner (Correct)
  • Senior management

Answer : Data owner

Attackers who exploit cross-site scripting vulnerabilities take advantage of: 

Options are :

  • weak authentication controls in the web application layer.
  • implicit web application trust relationships.
  • a lack of proper input validation controls. (Correct)
  • flawed cryptographic secure sockets layer (SSL) implementations and short key lengths.

Answer : a lack of proper input validation controls.

CISM Information Security Program Management Practice

A company recently developed a breakthrough technology. Since this technology could give this
company a significant competitive edge, which of the following would FIRST govern how this
information is to be protected?

Options are :

  • Data classification policy (Correct)
  • Encryption standards
  • Access control policy
  • Acceptable use policy

Answer : Data classification policy

Risk assessment is MOST effective when performed:

Options are :

  • on a continuous basis. (Correct)
  • during the business change process.
  • while developing the business case for the security program
  • at the beginning of security program development.

Answer : on a continuous basis.

In assessing the degree to which an organization may be affected by new privacy legislation,
information security management should FIRST: 

Options are :

  • develop an operational plan for achieving compliance with the legislation.
  • identify systems and processes that contain privacy components (Correct)
  • restrict the collection of personal information until compliant.
  • identify privacy legislation in other countries that may contain similar requirements.

Answer : identify systems and processes that contain privacy components

CISM Information Security Governance Certified Test

To determine the selection of controls required to meet business objectives, an information
security manager should: 

Options are :

  • prioritize the use of role-based access controls.
  • focus on key controls (Correct)
  • restrict controls to only critical applications.
  • focus on automated controls.

Answer : focus on key controls

There is a time lag between the time when a security vulnerability is first published, and the time
when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk
during this time period?

Options are :

  • Communicate the vulnerability to system users
  • Identify the vulnerable systems and apply compensating controls (Correct)
  • Update the signatures database of the intrusion detection system (IDS)
  • Minimize the use of vulnerable systems

Answer : Identify the vulnerable systems and apply compensating controls

Which of the following risks is represented in the risk appetite of an organization?

Options are :

  • Control
  • Residual (Correct)
  • Inherent
  • Audit

Answer : Residual

CISM Information Security Governance Certified Test

Which of the following is the MAIN reason for performing risk assessment on a continuous basis?

Options are :

  • The risk environment is constantly changing. (Correct)
  • Management needs to be continually informed about emerging risks.
  • Justification of the security budget must be continually made.
  • New vulnerabilities are discovered every day.

Answer : The risk environment is constantly changing.

Which of the following would be the MOST relevant factor when defining the information
classification policy?

Options are :

  • Available IT infrastructure
  • Benchmarking
  • Requirements of data owners (Correct)
  • Quantity of information

Answer : Requirements of data owners
