CISM Incident Management and Response Practice

Which of the following is the MOST important consideration for an organization interacting with the media during a disaster?

Options are :

  • Reporting the losses and recovery strategy to the media
  • Communicating specially drafted messages by an authorized person (Correct)
  • Refusing to comment until recovery
  • Referring the media to the authorities

Answer : Communicating specially drafted messages by an authorized person

CISM Information Security Governance Certification Practice

Which of the following is the BEST mechanism to determine the effectiveness of the incident response process?

Options are :

  • Incident response metrics
  • Post incident review (Correct)
  • Periodic auditing of the incident response process
  • Action recording and review

Answer : Post incident review

What task should be performed once a security incident has been verified?

Options are :

  • Identify the incident.
  • Perform a vulnerability assessment.
  • Contain the incident. (Correct)
  • Determine the root cause of the incident.

Answer : Contain the incident.

The FIRST step in an incident response plan is to:

Options are :

  • validate the incident. (Correct)
  • contain the effects of the incident to limit damage.
  • develop response strategies for systematic attacks.
  • notify the appropriate individuals.

Answer : validate the incident.

CISM Information Security Governance Certified Practice

Which of the following is an example of a corrective control?

Options are :

  • Examining inbound network traffic for viruses
  • Filtering network traffic before entering an internal network from outside
  • Diverting incoming traffic upon responding to the denial of service (DoS) attack (Correct)
  • Logging inbound network traffic

Answer : Diverting incoming traffic upon responding to the denial of service (DoS) attack

The PRIMARY consideration when defining recovery time objectives (RTOs) for information assets is:

Options are :

  • regulatory requirements.
  • IT resource availability.
  • financial value.
  • business requirements. (Correct)

Answer : business requirements.

A serious vulnerability is reported in the firewall software used by an organization. Which of the following should be the immediate action of the information security manager?

Options are :

  • Ensure that all OS patches are up-to-date
  • Commission a penetration test
  • Block inbound traffic until a suitable solution is found
  • Obtain guidance from the firewall manufacturer (Correct)

Answer : Obtain guidance from the firewall manufacturer

CISM Information Security Program Management Test

Which of the following processes is critical for deciding prioritization of actions in a business continuity plan?

Options are :

  • Business impact analysis (BIA) (Correct)
  • Risk assessment
  • Business process mapping
  • Vulnerability assessment

Answer : Business impact analysis (BIA)

A possible breach of an organization's IT system is reported by the project manager. What is the FIRST thing the incident response manager should do?

Options are :

  • Run a port scan on the system
  • Validate the incident (Correct)
  • Disable the logon ID
  • Investigate the system logs

Answer : Validate the incident

The MOST important objective of a post incident review is to:

Options are :

  • develop a process for continuous improvement.
  • identify new incident management tools.
  • capture lessons learned to improve the process. (Correct)
  • develop a business case for the security program budget.

Answer : capture lessons learned to improve the process.

CISM Information Risk Management Certification

An organization has learned of a security breach at another company that utilizes similar technology. The FIRST thing the information security manager should do is:

Options are :

  • assess the likelihood of incidents from the reported cause. (Correct)
  • report to senior management that the organization is not affected.
  • discontinue the use of the vulnerable technology.
  • remind staff that no similar security breaches have taken place.

Answer : assess the likelihood of incidents from the reported cause.

An organization keeps backup tapes of its servers at a warm site. To ensure that the tapes are properly maintained and usable during a system crash, the MOST appropriate measure the organization should perform is to:

Options are :

  • inspect the facility and inventory the tapes on a quarterly basis.
  • use the test equipment in the warm site facility to read the tapes.
  • retrieve the tapes from the warm site and test them. (Correct)
  • have duplicate equipment available at the warm site.

Answer : retrieve the tapes from the warm site and test them.

An organization has verified that its customer information was recently exposed. Which of the following is the FIRST step a security manager should take in this situation?

Options are :

  • Determine the extent of the compromise. (Correct)
  • Report the incident to the authorities.
  • Communicate with the affected customers.
  • Inform senior management.

Answer : Determine the extent of the compromise.

CISM Information Security Governance Certified Practice Exam

During the security review of organizational servers it was found that a file server containing confidential human resources (HR) data was accessible to all user IDs. As a FIRST step, the security manager should:

Options are :

  • report this situation to the data owner. (Correct)
  • remove access privileges to the folder containing the data.
  • copy sample files as evidence.
  • train the HR team on properly controlling file permissions.

Answer : report this situation to the data owner.

The PRIMARY purpose of involving third-party teams for carrying out post event reviews of information security incidents is to:

Options are :

  • obtain support for enhancing the expertise of the third-party teams.
  • identify lessons learned for further improving the information security management process.
  • enable independent and objective review of the root cause of the incidents. (Correct)
  • obtain better buy-in for the information security program.

Answer : enable independent and objective review of the root cause of the incidents.

To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs?

Options are :

  • Database server
  • Proxy server
  • Domain name server (DNS)
  • Time server (Correct)

Answer : Time server
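The reason the time server is the right answer is that correlation depends on every device's timestamps mapping onto one clock. The following added example (not part of the original question set) shows that concretely: three devices log in different formats and zones, and one of them is assumed to have a clock running 90 seconds fast. Every log line, hostname, address and clock offset below is constructed for the example.

```python
"""Ordering events from several devices onto one clock.

Added example, not part of the original question set. The log lines, device
names and clock offsets below are constructed. Each device stamps events in
its own format and timezone, and one device (fs01) is assumed to have a clock
that runs 90 seconds fast; without a common time source that skew reorders
the timeline and misleads the investigation.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs. fw01 logs in UTC, proxy01 in local time (UTC-5),
# fs01 in classic syslog format with no year or zone (assumed UTC here).
FIREWALL_LOGS = [
    "2024-03-01T14:02:10Z fw01 ACCEPT src=10.0.5.23 dst=10.0.1.10 dport=445",
    "2024-03-01T14:02:41Z fw01 ACCEPT src=10.0.5.23 dst=203.0.113.7 dport=443",
]
PROXY_LOGS = [
    "01/Mar/2024:09:02:40 -0500 proxy01 10.0.5.23 CONNECT 203.0.113.7:443 bytes=5242880",
]
FILESERVER_LOGS = [
    "Mar  1 14:03:55 fs01 smbd: jdoe opened \\\\fs01\\hr\\salaries.xlsx from 10.0.5.23",
]

# Known clock error per device, as measured against the reference time server
# (hypothetical value for this example). Subtracted from that device's stamps.
SKEW = {"fs01": timedelta(seconds=90)}


def parse_firewall(line):
    ts, host, rest = line.split(" ", 2)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, host, rest


def parse_proxy(line):
    m = re.match(r"(\S+ [+-]\d{4}) (\S+) (.*)", line)
    when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    return when.astimezone(timezone.utc), m.group(2), m.group(3)


def parse_syslog(line, year=2024):
    m = re.match(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)", line)
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return when.replace(tzinfo=timezone.utc), m.group(2), m.group(3)


def build_timeline(firewall=FIREWALL_LOGS, proxy=PROXY_LOGS,
                   fileserver=FILESERVER_LOGS, skew=SKEW):
    """Parse every source, normalise to UTC, correct known skew, sort."""
    events = ([parse_firewall(l) for l in firewall]
              + [parse_proxy(l) for l in proxy]
              + [parse_syslog(l) for l in fileserver])
    corrected = [(when - skew.get(host, timedelta(0)), host, msg)
                 for when, host, msg in events]
    return sorted(corrected, key=lambda e: e[0])


def hosts_in_order(timeline):
    return [host for _, host, _ in timeline]


if __name__ == "__main__":
    print("corrected:  ", hosts_in_order(build_timeline()))
    print("uncorrected:", hosts_in_order(build_timeline(skew={})))
    for when, host, msg in build_timeline():
        print(when.isoformat(), host, msg)
```

With the skew corrected, the file server shows the HR spreadsheet being opened before the large outbound CONNECT through the proxy; with the raw timestamps the same event lands after the upload, which would send an investigator looking for a different exfiltration path. Synchronising every device to one time source removes the need for this per-device correction.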

CISM Information Security Governance Certified

In addition to backup data, which of the following is the MOST important to store offsite in the event of a disaster?

Options are :

  • Copies of critical contracts and service level agreements (SLAs)
  • Key software escrow agreements for the purchased systems
  • List of emergency numbers of service providers
  • Copies of the business continuity plan (Correct)

Answer : Copies of the business continuity plan

Which of the following has the highest priority when defining an emergency response plan?

Options are :

  • Critical infrastructure
  • Safety of personnel (Correct)
  • Vital records
  • Critical data

Answer : Safety of personnel

An organization has been experiencing a number of network-based security attacks that all appear to originate internally. The BEST course of action is to:

Options are :

  • install an intrusion detection system (IDS). (Correct)
  • implement centralized logging software.
  • assign static IP addresses.
  • require the use of strong passwords.

Answer : install an intrusion detection system (IDS).

CISM Information Security Program Management

If an organization considers taking legal action on a security incident, the information security manager should focus PRIMARILY on:

Options are :

  • preserving the integrity of the evidence. (Correct)
  • disconnecting all IT equipment involved.
  • obtaining evidence as soon as possible.
  • reconstructing the sequence of events.

Answer : preserving the integrity of the evidence.

A customer credit card database has been breached by hackers. The FIRST step in dealing with this attack should be to:

Options are :

  • start containment.
  • confirm the incident. (Correct)
  • notify law enforcement.
  • notify senior management.

Answer : confirm the incident.

CISM Information Security Program Management Test

An intrusion detection system (IDS) should:

Options are :

  • run continuously (Correct)
  • be located on the network
  • require a stable, rarely changed environment
  • ignore anomalies

Answer : run continuously

An unauthorized user gained access to a merchant's database server and customer credit card information. Which of the following would be the FIRST step to preserve and protect unauthorized intrusion activities?

Options are :

  • Duplicate the hard disk of the server immediately.
  • Isolate the server from the network. (Correct)
  • Shut down and power off the server.
  • Copy the database log file to a protected server.

Answer : Isolate the server from the network.

The PRIORITY action to be taken when a server is infected with a virus is to:

Options are :

  • establish security weaknesses in the firewall.
  • identify all potential damage caused by the infection.
  • isolate the infected server(s) from the network. (Correct)
  • ensure that the virus database files are current.

Answer : isolate the infected server(s) from the network.

CISM Incident Management and Response Practice Exam

Which of the following would be a MAJOR consideration for an organization defining its business continuity plan (BCP) or disaster recovery program (DRP)?

Options are :

  • Maintaining redundant systems
  • Data backup frequency
  • Aligning with recovery time objectives (RTOs) (Correct)
  • Setting up a backup site

Answer : Aligning with recovery time objectives (RTOs)

When designing the technical solution for a disaster recovery site, the PRIMARY factor that should be taken into consideration is the:

Options are :

  • recovery window. (Correct)
  • maximum tolerable outage (MTO).
  • service delivery objective.
  • recovery time objective (RTO).

Answer : recovery window.

Which of the following situations would be the MOST concern to a security manager?

Options are :

  • Audit logs are not enabled on a production server
  • The logon ID for a terminated systems analyst still exists on the system
  • The help desk has received numerous reports of users receiving phishing e-mails
  • A Trojan was found to be installed on a system administrator's laptop (Correct)

Answer : A Trojan was found to be installed on a system administrator's laptop

CISM Information Security Program Development Practice

What is the FIRST action an information security manager should take when a company laptop is reported stolen?

Options are :

  • Disable the user account immediately
  • Ensure compliance with reporting procedures (Correct)
  • Update the corporate laptop inventory
  • Evaluate the impact of the information loss

Answer : Ensure compliance with reporting procedures

When creating a forensic image of a hard drive, which of the following should be the FIRST step?

Options are :

  • Identify a recognized forensics software tool to create the image.
  • Generate a cryptographic hash of the hard drive contents.
  • Establish a chain of custody log. (Correct)
  • Connect the hard drive to a write blocker.

Answer : Establish a chain of custody log.

Which of the following disaster recovery testing techniques is the MOST cost-effective way to determine the effectiveness of the plan?

Options are :

  • Paper tests
  • Preparedness tests (Correct)
  • Actual service disruption
  • Full operational tests

Answer : Preparedness tests

CISM Information Security Governance Certified Test

In the course of examining a computer system for forensic evidence, data on the suspect media were inadvertently altered. Which of the following should have been the FIRST course of action in the investigative process?

Options are :

  • Make a copy of all files that are relevant to the investigation.
  • Run an error-checking program on all logical drives to ensure that there are no disk errors.
  • Perform a bit-by-bit image of the original media source onto new media. (Correct)
  • Perform a backup of the suspect media to new media.

Answer : Perform a bit-by-bit image of the original media source onto new media.

Which of the following would be MOST appropriate for collecting and preserving evidence?

Options are :

  • Log correlation software
  • Encrypted hard drives
  • Generic audit software
  • Proven forensic processes (Correct)

Answer : Proven forensic processes

Which of the following provides the BEST confirmation that the business continuity/disaster recovery plan objectives have been achieved?

Options are :

  • The recovery point objective (RPO) was proved inadequate by disaster recovery plan testing
  • Information assets have been valued and assigned to owners per the business continuity plan, disaster recovery plan
  • The recovery time objective (RTO) was not exceeded during testing (Correct)
  • Objective testing of the business continuity/disaster recovery plan has been carried out consistently

Answer : The recovery time objective (RTO) was not exceeded during testing

CISM Certified Information Security Manager Practice

An information security manager believes that a network file server was compromised by a hacker. Which of the following should be the FIRST action taken?

Options are :

  • Shut down the compromised server.
  • Ensure that critical data on the server are backed up.
  • Initiate the incident response process. (Correct)
  • Shut down the network.

Answer : Initiate the incident response process.

Which of the following recovery strategies has the GREATEST chance of failure?

Options are :

  • Redundant site
  • Hot site
  • Reciprocal arrangement (Correct)
  • Cold site

Answer : Reciprocal arrangement

Recovery point objectives (RPOs) can be used to determine which of the following?

Options are :

  • Time to restore backups
  • Maximum tolerable downtime
  • Maximum tolerable period of data loss (Correct)
  • Baseline for operational resiliency

Answer : Maximum tolerable period of data loss

When electronically stored information is requested during a fraud investigation, which of the following should be the FIRST priority?

Options are :

  • Locating the data and preserving the integrity of the data (Correct)
  • Issuing a litigation hold to all affected parties
  • Assigning responsibility for acquiring the data
  • Creating a forensically sound image

Answer : Locating the data and preserving the integrity of the data

In designing a backup strategy that will be consistent with a disaster recovery strategy, the PRIMARY factor to be taken into account will be the:

Options are :

  • interruption window.
  • recovery time objective (RTO).
  • volume of sensitive data.
  • recovery point objective (RPO). (Correct)

Answer : recovery point objective (RPO).

Of the following, which is the MOST important aspect of forensic investigations?

Options are :

  • Identifying the perpetrator
  • Chain of custody (Correct)
  • Timely intervention
  • The independence of the investigator

Answer : Chain of custody

CISM Information Security Program Management Practice Exam

Which of the following actions should take place immediately after a security breach is reported to an information security manager?

Options are :

  • Confirm the incident (Correct)
  • Isolate the incident
  • Notify affected stakeholders
  • Determine impact

Answer : Confirm the incident

An incident response policy must contain:

Options are :

  • press release templates.
  • updated call trees.
  • critical backup files inventory.
  • escalation criteria. (Correct)

Answer : escalation criteria.

CISM Information Security Governance Certification Practice

A rootkit was used to capture detailed accounts receivable information. To ensure admissibility of evidence from a legal standpoint, once the incident was identified and the server isolated, the next step should be to:

Options are :

  • notify law enforcement.
  • document how the attack occurred.
  • close the accounts receivable system.
  • take an image copy of the media. (Correct)

Answer : take an image copy of the media.
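The forensic questions above (imaging before anything else, bit-for-bit copies, chain of custody, proven processes) all come down to one discipline: never work on the original, hash what you copy, and write down who held what and when. The following is an added example of that discipline in code, not part of the original question set. A temporary file stands in for the seized disk (a real acquisition would read the device node through a hardware write blocker), and the case number, handler name and disk contents are constructed.

```python
"""Forensic image with verification hashes and a tamper-evident custody log.

Added example, not part of the original question set. A temporary file
stands in for the seized disk; on a real device the source would be opened
read-only behind a hardware write blocker. Case number, handler name and
disk contents are constructed for the example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # read the source in fixed blocks, never altering it


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, dest):
    """Bit-for-bit copy of source into dest; hash both and refuse a mismatch."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as s, open(dest, "wb") as d:
        for chunk in iter(lambda: s.read(BLOCK), b""):
            src_hash.update(chunk)
            d.write(chunk)
    digest = sha256_file(dest)
    if digest != src_hash.hexdigest():
        raise RuntimeError("image hash does not match source hash")
    return digest


class CustodyLog:
    """Append-only log; each entry carries the hash of the entry before it."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def record(self, action, handler, item, sha256):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"case": self.case_id, "action": action, "handler": handler,
                 "item": item, "sha256": sha256,
                 "time": datetime.now(timezone.utc).isoformat(), "prev": prev}
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)

    def chain_intact(self):
        """Recompute every entry hash and the prev links; False if any entry was edited."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or e["entry_hash"] != expected:
                return False
            prev = e["entry_hash"]
        return True


def verify_item(path, recorded_sha256):
    return sha256_file(path) == recorded_sha256


def demo(contents=b"constructed disk contents " * 500):
    """Seize, image, verify, then detect an alteration of the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "sda.raw")     # stands in for /dev/sdX
        image = os.path.join(tmp, "sda.img")
        with open(device, "wb") as f:
            f.write(contents)
        log = CustodyLog("CASE-0001")              # constructed case id
        log.record("seized", "J. Doe", "server disk sda", sha256_file(device))
        digest = image_device(device, image)
        log.record("imaged", "J. Doe", "sda.img from sda", digest)
        intact = verify_item(image, digest)
        with open(image, "r+b") as f:              # simulate a later alteration
            f.seek(10)
            f.write(b"X")
        return {"digest": digest, "intact": intact,
                "tamper_detected": not verify_item(image, digest),
                "chain_ok": log.chain_intact(), "entries": len(log.entries)}


if __name__ == "__main__":
    print(demo())
```

Analysis is then done on a second copy of the verified image, so the first copy and its recorded hash stay available to show a court that nothing examined differs from what was seized. Hashing the source once at seizure and again after imaging is also what catches the situation in the earlier question where "data on the suspect media were inadvertently altered".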

A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability?

Options are :

  • The time of declaration determines site access priority
  • The provider services all major companies in the area (Correct)
  • Exclusive use of the hot site is limited to six weeks
  • The hot site may have to be shared with other customers

Answer : The provider services all major companies in the area

The FIRST priority when responding to a major security incident is:

Options are :

  • containment. (Correct)
  • restoration.
  • documentation.
  • monitoring.

Answer : containment.

CISM Information Risk Management Certification

What is the BEST method for mitigating against network denial of service (DoS) attacks?

Options are :

  • Ensure all servers are up-to-date on OS patches
  • Employ packet filtering to drop suspect packets (Correct)
  • Implement network address translation to make internal addresses nonroutable
  • Implement load balancing for Internet facing devices

Answer : Employ packet filtering to drop suspect packets

Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided hot site?

Options are :

  • Tests are scheduled on weekends
  • Business management actively participates (Correct)
  • Network IP addresses are predefined
  • Equipment at the hot site is identical

Answer : Business management actively participates

An organization with multiple data centers has designated one of its own facilities as the recovery site. The MOST important concern is the:

Options are :

  • current processing capacity loads at data centers. (Correct)
  • synchronization of system software release versions.
  • communication line capacity between data centers.
  • differences in logical security at each center.

Answer : current processing capacity loads at data centers.

CISM Incident Management and Response Practice

At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the vendor's hot site facility?

Options are :

  • Erase data and software from devices (Correct)
  • Conduct a meeting to evaluate the test
  • Complete an assessment of the hot site provider
  • Evaluate the results from all test scripts

Answer : Erase data and software from devices

Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a third-party hot site?

Options are :

  • Criticality results from the business impact analysis (BIA)
  • Infrastructure complexity and system sensitivity (Correct)
  • Daily cost of losing critical systems and recovery time objectives (RTOs)
  • Cost to build a redundant processing facility and invocation

Answer : Infrastructure complexity and system sensitivity

A desktop computer that was involved in a computer security incident should be secured as evidence by:

Options are :

  • disabling all local user accounts except for one administrator.
  • encrypting local files and uploading exact copies to a secure server.
  • disconnecting the computer from all power sources. (Correct)
  • copying all files using the operating system (OS) to write-once media.

Answer : disconnecting the computer from all power sources.

CISM Information Security Program Development Practice

A new e-mail virus that uses an attachment disguised as a picture file is spreading rapidly over the Internet. Which of the following should be performed FIRST in response to this threat?

Options are :

  • Block all e-mails containing picture file attachments (Correct)
  • Quarantine all picture files stored on file servers
  • Block incoming Internet mail, but permit outgoing mail
  • Quarantine all mail servers connected to the Internet

Answer : Block all e-mails containing picture file attachments
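Blocking every picture attachment is the right FIRST response because it needs no knowledge of the specific virus. Once the gateway is under control, the filter can be narrowed to the disguise itself. The following added example (not part of the original question set) shows the checks a mail gateway uses to tell a genuine image from an executable wearing a picture name: extension allow-list, double extensions, and magic bytes compared against the declared type. The message, addresses, file names and file contents are constructed; the signature tables are standard values.

```python
"""Screening mail attachments that claim to be pictures.

Added example, not part of the original question set. The message, sender,
file names and file contents are constructed; the magic-byte tables are
standard values for the formats named.
"""
from email.message import EmailMessage

IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
EXECUTABLE_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF",
                    b"PK\x03\x04": "ZIP/Office container"}

# Constructed attachments: (filename, bytes, maintype, subtype)
SAMPLES = [
    ("beach.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32, "image", "jpeg"),
    ("photo.jpg.exe", b"MZ\x90\x00" + b"\x00" * 32, "image", "jpeg"),
    ("holiday.png", b"MZ\x90\x00" + b"\x00" * 32, "image", "png"),
]


def build_message(attachments=SAMPLES):
    """Assemble a constructed multipart message carrying the sample attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Holiday photos"
    msg.set_content("See attached.")
    for name, data, maintype, subtype in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg


def inspect_attachment(name, data):
    """Return the reasons to block; an empty list means the attachment is clean."""
    reasons = []
    exts = ["." + p for p in name.lower().split(".")[1:]]
    final = exts[-1] if exts else ""
    if final not in IMAGE_MAGIC:
        reasons.append(f"extension {final or '(none)'} is not an allowed image type")
    if any(e in IMAGE_MAGIC for e in exts[:-1]):
        reasons.append("image extension hidden behind another extension")
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"content is a {kind}, not an image")
            break
    if final in IMAGE_MAGIC and not any(data.startswith(m) for m in IMAGE_MAGIC[final]):
        reasons.append(f"bytes do not match the {final} signature")
    return reasons


def scan(msg):
    """Verdict per attachment: (filename, ALLOW|BLOCK, reasons)."""
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(name, data)
        verdicts.append((name, "BLOCK" if reasons else "ALLOW", reasons))
    return verdicts


if __name__ == "__main__":
    for name, verdict, reasons in scan(build_message()):
        print(f"{verdict:5} {name}: {'; '.join(reasons) or 'ok'}")
```

The declared MIME type is deliberately ignored: the sender controls it, and in the samples above the two malicious parts are labelled image/jpeg and image/png. The file name and the first bytes of the content are what the gateway can actually check.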
