CISM Incident Management and Response Practice Exam

Which of the following is the MOST important to ensure a successful recovery?

Options are :

  • Network alternate links are regularly tested
  • More than one hot site is available
  • Recovery location is secure and accessible
  • Backup media is stored offsite (Correct)

Answer : Backup media is stored offsite

To justify the establishment of an incident management team, an information security manager would find which of the following to be the MOST effective?

Options are :

  • Need for constant improvement on the security level
  • Need of an independent review of incident causes
  • Possible business benefits from incident impact reduction (Correct)
  • Assessment of business impact of past incidents

Answer : Possible business benefits from incident impact reduction

Which of the following is MOST important in determining whether a disaster recovery test is successful?

Options are :

  • IT staff fully recovers the processing infrastructure
  • Only business data files from offsite storage are used
  • Critical business processes are duplicated (Correct)
  • All systems are restored within recovery time objectives (RTOs)

Answer : Critical business processes are duplicated

The BEST approach in managing a security incident involving a successful penetration should be to:

Options are :

  • permit the incident to continue to trace the source.
  • allow the security team to assess the attack profile.
  • allow business processes to continue during the response. (Correct)
  • examine the incident response process for deficiencies.

Answer : allow business processes to continue during the response.

The BEST method for detecting and monitoring a hacker's activities without exposing information assets to unnecessary risk is to utilize:

Options are :

  • decoy files. (Correct)
  • screened subnets.
  • bastion hosts.
  • firewalls.

Answer : decoy files.

Which of the following actions should be taken when an online trading company discovers a network attack in progress?

Options are :

  • Isolate the affected network segment (Correct)
  • Dump all event logs to removable media
  • Shut off all network access points
  • Enable trace logging on all events

Answer : Isolate the affected network segment

Which of the following should be determined FIRST when establishing a business continuity program?

Options are :

  • Location and cost of offsite recovery facilities
  • Cost to rebuild information processing facilities
  • Incremental daily cost of the unavailability of systems (Correct)
  • Composition and mission of individual recovery teams

Answer : Incremental daily cost of the unavailability of systems

When collecting evidence for forensic analysis, it is important to:

Options are :

  • disconnect from the network and isolate the affected devices.
  • ensure the assignment of qualified personnel. (Correct)
  • request the IT department do an image copy.
  • ensure law enforcement personnel are present before the forensic analysis commences.

Answer : ensure the assignment of qualified personnel.

A post-incident review should be conducted by an incident management team to determine:

Options are :

  • lessons learned. (Correct)
  • relevant electronic evidence.
  • hacker's identity.
  • areas affected.

Answer : lessons learned.

When a large organization discovers that it is the subject of a network probe, which of the following actions should be taken?

Options are :

  • Monitor the probe and isolate the affected segment (Correct)
  • Power down all servers located on the DMZ segment
  • Reboot the router connecting the DMZ to the firewall
  • Enable server trace logging on the affected segment

Answer : Monitor the probe and isolate the affected segment

Which of the following is the BEST way to verify that all critical production servers are utilizing up-to-date virus signature files?

Options are :

  • Use a recently identified benign virus to test if it is quarantined
  • Research the most recent signature file and compare to the console
  • Verify the date that signature files were last pushed out
  • Check a sample of servers that the signature files are current (Correct)

Answer : Check a sample of servers that the signature files are current

Which of the following terms and conditions represent a significant deficiency if included in a commercial hot site contract?

Options are :

  • The facility is subject to a "first-come, first-served" policy
  • All equipment is provided "at time of disaster, not on floor" (Correct)
  • A hot site facility will be shared in multiple disaster declarations
  • Equipment may be substituted with equivalent model

Answer : All equipment is provided "at time of disaster, not on floor"

Which of the following application systems should have the shortest recovery time objective (RTO)?

Options are :

  • Contractor payroll
  • Fixed asset system
  • E-commerce web site (Correct)
  • Change management

Answer : E-commerce web site

Isolation and containment measures for a compromised computer have been taken and information security management is now investigating. What is the MOST appropriate next step?

Options are :

  • Run a forensics tool on the machine to gather evidence
  • Make a copy of the whole system's memory
  • Reboot the machine to break remote connections (Correct)
  • Document current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports

Answer : Reboot the machine to break remote connections

Which of the following is MOST closely associated with a business continuity program?

Options are :

  • Updating the hot site equipment configuration every quarter
  • Periodically testing network redundancy
  • Developing recovery time objectives (RTOs) for critical functions (Correct)
  • Confirming that detailed technical recovery plans exist

Answer : Developing recovery time objectives (RTOs) for critical functions

Why is "slack space" of value to an information security manager as part of an incident investigation?

Options are :

  • Hidden data may be stored there (Correct)
  • The slack space contains login information
  • It provides flexible space for the investigation
  • Slack space is encrypted

Answer : Hidden data may be stored there

Which of the following actions should be taken when an information security manager discovers that a hacker is footprinting the network perimeter?

Options are :

  • Reboot the border router connected to the firewall
  • Update IDS software to the latest available version
  • Check IDS logs and monitor for any active attacks (Correct)
  • Enable server trace logging on the DMZ segment

Answer : Check IDS logs and monitor for any active attacks

The PRIMARY purpose of installing an intrusion detection system (IDS) is to identify:

Options are :

  • patterns of suspicious access.
  • weaknesses in network security.
  • potential attacks on the internal network. (Correct)
  • how an attack was launched on the network.

Answer : potential attacks on the internal network.

When performing a business impact analysis (BIA), which of the following should calculate the recovery time and cost estimates?

Options are :

  • Industry averages benchmarks
  • Business continuity coordinator
  • Business process owners (Correct)
  • Information security manager

Answer : Business process owners

When an organization is using an automated tool to manage and house its business continuity plans, which of the following is the PRIMARY concern?

Options are :

  • Tracking changes in personnel and plan assets
  • Ensuring accessibility should a disaster occur (Correct)
  • Versioning control as plans are modified
  • Broken hyperlinks to resources stored elsewhere

Answer : Ensuring accessibility should a disaster occur

The PRIMARY purpose of performing an internal attack and penetration test as part of an incident response program is to identify:

Options are :

  • ways to improve the incident response process.
  • the optimum response to internal hacker attacks.
  • potential attack vectors on the network perimeter.
  • weaknesses in network and server security. (Correct)

Answer : weaknesses in network and server security.

The business continuity policy should contain which of the following?

Options are :

  • Emergency call trees
  • Business impact assessment (BIA)
  • Recovery criteria (Correct)
  • Critical backups inventory

Answer : Recovery criteria

When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach?

Options are :

  • Business continuity plan
  • Disaster recovery plan
  • Incident response plan (Correct)
  • Vulnerability management plan

Answer : Incident response plan

Which of the following would represent a violation of the chain of custody when a backup tape has been identified as evidence in a fraud investigation? The tape was:

Options are :

  • sealed in a signed envelope and locked in a safe under dual control.
  • handed over to authorized independent investigators.
  • kept in the tape library pending further analysis. (Correct)
  • removed into the custody of law enforcement investigators.

Answer : kept in the tape library pending further analysis.

Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster?

Options are :

  • Appropriate declaration criteria have been established
  • Detailed technical recovery plans are maintained offsite (Correct)
  • Network redundancy is maintained through separate providers
  • Hot site equipment needs are recertified on a regular basis

Answer : Detailed technical recovery plans are maintained offsite

Which of the following are the MOST important criteria when selecting virus protection software?

Options are :

  • Ease of maintenance and frequency of updates (Correct)
  • Alert notifications and impact assessments for new viruses
  • Product market share and annualized cost
  • Ability to interface with intrusion detection system (IDS) software and firewalls

Answer : Ease of maintenance and frequency of updates

Which of the following is the MOST serious exposure of automatically updating virus signature files on every desktop each Friday at 11:00 p.m. (23.00 hrs.)?

Options are :

  • Systems are vulnerable to new viruses during the intervening week (Correct)
  • Technical personnel are not available to support the operation
  • The update's success or failure is not known until Monday
  • Most new viruses' signatures are identified over weekends

Answer : Systems are vulnerable to new viruses during the intervening week

A computer incident response team (CIRT) manual should PRIMARILY contain which of the following documents?

Options are :

  • Risk assessment results
  • Severity criteria (Correct)
  • Table of critical backup files
  • Emergency call tree directory

Answer : Severity criteria

Which of the following should be performed FIRST in the aftermath of a denial-of-service attack?

Options are :

  • Perform an impact analysis of the outage
  • Restore servers from backup media stored offsite
  • Conduct an assessment to determine system status (Correct)
  • Isolate the screened subnet

Answer : Conduct an assessment to determine system status

The PRIORITY action to be taken when a server is infected with a virus is to:

Options are :

  • ensure that the virus database files are current.
  • establish security weaknesses in the firewall.
  • isolate the infected server(s) from the network. (Correct)
  • identify all potential damage caused by the infection.

Answer : isolate the infected server(s) from the network.

A customer credit card database has been breached by hackers. The FIRST step in dealing with this attack should be to:

Options are :

  • notify senior management.
  • start containment.
  • notify law enforcement.
  • confirm the incident. (Correct)

Answer : confirm the incident.

A database was compromised by guessing the password for a shared administrative account and confidential customer information was stolen. The information security manager was able to detect this breach by analyzing which of the following?

Options are :

  • Firewall logs
  • Concurrent logons
  • Write access violations
  • Invalid logon attempts (Correct)

Answer : Invalid logon attempts

Emergency actions are taken at the early stage of a disaster with the purpose of preventing injuries or loss of life and:

Options are :

  • reducing the extent of operational damage. (Correct)
  • determining the extent of property damage.
  • ensuring orderly plan activation.
  • preserving environmental conditions.

Answer : reducing the extent of operational damage.

Which of the following situations would be the MOST concern to a security manager?

Options are :

  • The logon ID for a terminated systems analyst still exists on the system
  • The help desk has received numerous reports of users receiving phishing e-mails
  • Audit logs are not enabled on a production server
  • A Trojan was found to be installed on a system administrator's laptop (Correct)

Answer : A Trojan was found to be installed on a system administrator's laptop

Which of the following provides the BEST confirmation that the business continuity/disaster recovery plan objectives have been achieved?

Options are :

  • The recovery point objective (RPO) was proved inadequate by disaster recovery plan testing
  • Objective testing of the business continuity/disaster recovery plan has been carried out consistently
  • Information assets have been valued and assigned to owners per the business continuity/disaster recovery plan
  • The recovery time objective (RTO) was not exceeded during testing (Correct)

Answer : The recovery time objective (RTO) was not exceeded during testing

A root kit was used to capture detailed accounts receivable information. To ensure admissibility of evidence from a legal standpoint, once the incident was identified and the server isolated, the next step should be to:

Options are :

  • close the accounts receivable system.
  • document how the attack occurred.
  • notify law enforcement.
  • take an image copy of the media. (Correct)

Answer : take an image copy of the media.

What is the PRIMARY objective of a post-event review in incident response?

Options are :

  • Preserve forensic data
  • Improve the response process (Correct)
  • Adjust budget provisioning
  • Ensure the incident is fully documented

Answer : Improve the response process

Detailed business continuity plans should be based PRIMARILY on:

Options are :

  • the solution that is least expensive.
  • strategies that cover all applications.
  • strategies validated by senior management. (Correct)
  • consideration of different alternatives.

Answer : strategies validated by senior management.

Which of the following actions should take place immediately after a security breach is reported to an information security manager?

Options are :

  • Confirm the incident (Correct)
  • Isolate the incident
  • Determine impact
  • Notify affected stakeholders

Answer : Confirm the incident

A web server in a financial institution that has been compromised using a super-user account has been isolated, and proper forensic processes have been followed. The next step should be to:

Options are :

  • rebuild the server from the last verified backup.
  • rebuild the server with original media and relevant patches. (Correct)
  • place the web server in quarantine.
  • shut down the server in an organized manner.

Answer : rebuild the server with original media and relevant patches.

An intrusion detection system (IDS) should:

Options are :

  • run continuously (Correct)
  • be located on the network
  • ignore anomalies
  • require a stable, rarely changed environment

Answer : run continuously

Evidence from a compromised server has to be acquired for a forensic investigation. What would be the BEST source?

Options are :

  • Backup servers
  • Data from volatile memory
  • A bit-level copy of all hard drive data (Correct)
  • The last verified backup stored offsite

Answer : A bit-level copy of all hard drive data

What is the FIRST action an information security manager should take when a company laptop is reported stolen?

Options are :

  • Ensure compliance with reporting procedures (Correct)
  • Update the corporate laptop inventory
  • Evaluate the impact of the information loss
  • Disable the user account immediately

Answer : Ensure compliance with reporting procedures

In the course of responding to an information security incident, the BEST way to treat evidence for possible legal action is defined by:

Options are :

  • international standards.
  • organizational security policies.
  • generally accepted best practices.
  • local regulations. (Correct)

Answer : local regulations.

In designing a backup strategy that will be consistent with a disaster recovery strategy, the PRIMARY factor to be taken into account will be the:

Options are :

  • volume of sensitive data.
  • recovery time objective (RTO).
  • interruption window.
  • recovery point objective (RPO). (Correct)

Answer : recovery point objective (RPO).

What is the BEST method for mitigating against network denial of service (DoS) attacks?

Options are :

  • Employ packet filtering to drop suspect packets (Correct)
  • Ensure all servers are up-to-date on OS patches
  • Implement load balancing for Internet facing devices
  • Implement network address translation to make internal addresses nonroutable

Answer : Employ packet filtering to drop suspect packets

When designing the technical solution for a disaster recovery site, the PRIMARY factor that should be taken into consideration is the:

Options are :

  • services delivery objective.
  • recovery window. (Correct)
  • maximum tolerable outage (MTO).
  • recovery time objective (RTO).

Answer : recovery window.
