CISM Information Risk Management Certification Practice

Which of the following risks would BEST be assessed using quantitative risk assessment techniques?

Options are:

  • A web site defaced by hackers
  • Loss of the software development team
  • An electrical power outage (Correct)
  • Customer data stolen

Answer: An electrical power outage

The service level agreement (SLA) for an outsourced IT function does not reflect an adequate level of protection. In this situation an information security manager should:

Options are:

  • determine the current level of security. (Correct)
  • ensure the provider is made liable for losses.
  • recommend not renewing the contract upon expiration.
  • recommend the immediate termination of the contract.

Answer: determine the current level of security.

Which of the following groups would be in the BEST position to perform a risk analysis for a business?

Options are:

  • External auditors
  • A specialized management consultant
  • A peer group within a similar business
  • Process owners (Correct)

Answer: Process owners

Which of the following will BEST prevent external security attacks?

Options are:

  • Securing and analyzing system access logs
  • Static IP addressing
  • Network address translation (Correct)
  • Background checks for temporary employees

Answer: Network address translation

Which of the following risks would BEST be assessed using qualitative risk assessment techniques?

Options are:

  • Temporary loss of e-mail due to a virus attack
  • Permanent decline in customer confidence (Correct)
  • Power outage lasting 24 hours
  • Theft of purchased software

Answer: Permanent decline in customer confidence

A business impact analysis (BIA) is the BEST tool for calculating:

Options are:

  • residual risk.
  • priority of restoration. (Correct)
  • total cost of ownership.
  • annualized loss expectancy (ALE).

Answer: priority of restoration.

An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the:

Options are:

  • loss.
  • threat.
  • probability.
  • vulnerability. (Correct)

Answer: vulnerability.

The decision as to whether a risk has been reduced to an acceptable level should be determined by:

Options are:

  • information security requirements.
  • organizational requirements. (Correct)
  • information systems requirements.
  • international standards.

Answer: organizational requirements.

Which of the following is the MOST appropriate use of gap analysis?

Options are:

  • Developing a balanced business scorecard
  • Demonstrating the relationship between controls
  • Evaluating a business impact analysis (BIA)
  • Measuring current state vs. desired future state (Correct)

Answer: Measuring current state vs. desired future state

The recovery point objective (RPO) requires which of the following?

Options are:

  • After-image processing
  • Disaster declaration
  • System restoration
  • Before-image restoration (Correct)

Answer: Before-image restoration

In performing a risk assessment on the impact of losing a server, the value of the server should be calculated using the:

Options are:

  • cost of the software stored.
  • annualized loss expectancy (ALE).
  • cost to obtain a replacement. (Correct)
  • original cost to acquire.

Answer: cost to obtain a replacement.

The impact of losing frame relay network connectivity for 18-24 hours should be calculated using the:

Options are:

  • value of the data transmitted over the network.
  • financial losses incurred by affected business units. (Correct)
  • aggregate compensation of all affected business users.
  • hourly billing rate charged by the carrier.

Answer: financial losses incurred by affected business units.

Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas?

Options are:

  • Platform security
  • Antivirus controls
  • Entitlement changes (Correct)
  • Intrusion detection

Answer: Entitlement changes

A risk analysis should:

Options are:

  • give more weight to the likelihood vs. the size of the loss.
  • assume an equal degree of protection for all assets.
  • address the potential size and likelihood of loss. (Correct)
  • include a benchmark of similar companies in its scope.

Answer: address the potential size and likelihood of loss.

A successful risk management program should lead to:

Options are:

  • elimination or transference of all organizational risks.
  • optimization of risk reduction efforts against cost. (Correct)
  • containment of losses to an annual budgeted amount.
  • identification and removal of all man-made threats.

Answer: optimization of risk reduction efforts against cost.

Who would be in the BEST position to determine the recovery point objective (RPO) for business applications?

Options are:

  • Chief operations officer (COO) (Correct)
  • Internal audit
  • Information security manager
  • Business continuity coordinator

Answer: Chief operations officer (COO)

When residual risk is minimized:

Options are:

  • acceptable risk is probable. (Correct)
  • control risk is reduced.
  • transferred risk is acceptable.
  • risk is transferable.

Answer: acceptable risk is probable.

Quantitative risk analysis is MOST appropriate when assessment data:

Options are:

  • include customer perceptions.
  • contain percentage estimates. (Correct)
  • do not contain specific details.
  • contain subjective information.

Answer: contain percentage estimates.

It is important to classify and determine relative sensitivity of assets to ensure that:

Options are:

  • highly sensitive assets are protected.
  • countermeasures are proportional to risk. (Correct)
  • cost of protection is in proportion to sensitivity.
  • cost of controls is minimized.

Answer: countermeasures are proportional to risk.

Identification and prioritization of business risk enables project managers to:

Options are:

  • establish implementation milestones.
  • accelerate completion of critical paths.
  • address areas with most significance. (Correct)
  • reduce the overall amount of slack time.

Answer: address areas with most significance.

Based on the information provided, which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations?

Options are:

  • Systems capacity management is not performed
  • Change management procedures are poor (Correct)
  • Systems development is outsourced
  • Systems operation procedures are not enforced

Answer: Change management procedures are poor

Which of the following BEST describes the scope of risk analysis?

Options are:

  • Key systems and infrastructure
  • Key financial systems
  • Systems subject to regulatory compliance
  • Organizational activities (Correct)

Answer: Organizational activities

Which two components PRIMARILY must be assessed in an effective risk analysis?

Options are:

  • Financial impact and duration
  • Likelihood and impact (Correct)
  • Probability and frequency
  • Visibility and duration

Answer: Likelihood and impact

In assessing risk, it is MOST essential to:

Options are:

  • provide equal coverage for all asset types.
  • use benchmarking data from similar organizations.
  • consider both monetary value and likelihood of loss. (Correct)
  • focus primarily on threats and recent business losses.

Answer: consider both monetary value and likelihood of loss.

The valuation of IT assets should be performed by:

Options are:

  • the information owner. (Correct)
  • an independent security consultant.
  • an IT security manager.
  • the chief financial officer (CFO).

Answer: the information owner.

The MOST appropriate owner of customer data stored in a central database, used only by an organization's sales department, would be the:

Options are:

  • sales department.
  • head of the sales department. (Correct)
  • chief information officer (CIO).
  • database administrator.

Answer: head of the sales department.

Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?

Options are:

  • Penetration testing
  • Annual loss expectancy (ALE) calculation
  • Countermeasure cost-benefit analysis (Correct)
  • Frequent risk assessment programs

Answer: Countermeasure cost-benefit analysis

To determine the selection of controls required to meet business objectives, an information security manager should:

Options are:

  • prioritize the use of role-based access controls.
  • focus on automated controls.
  • focus on key controls. (Correct)
  • restrict controls to only critical applications.

Answer: focus on key controls.

The PRIMARY objective of a risk management program is to:

Options are:

  • minimize inherent risk.
  • implement effective controls.
  • eliminate business risk.
  • minimize residual risk. (Correct)

Answer: minimize residual risk.

There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk?

Options are:

  • Identify the vulnerable systems and apply compensating controls (Correct)
  • Communicate the vulnerability to system users
  • Update the signatures database of the intrusion detection system (IDS)
  • Minimize the use of vulnerable systems

Answer: Identify the vulnerable systems and apply compensating controls

Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?

Options are:

  • Penetration testing (Correct)
  • Business impact analysis (BIA)
  • Threat analysis
  • Audit and review

Answer: Penetration testing

Phishing is BEST mitigated by which of the following?

Options are:

  • Two-factor authentication
  • Security monitoring software
  • Encryption
  • User awareness (Correct)

Answer: User awareness

Before conducting a formal risk assessment of an organization's information resources, an information security manager should FIRST:

Options are:

  • identify the value of the critical assets.
  • review available sources of risk information.
  • determine the financial impact if threats materialize.
  • map the major threats to business objectives. (Correct)

Answer: map the major threats to business objectives.

When a significant security breach occurs, what should be reported FIRST to senior management?

Options are:

  • A summary of the security logs that illustrates the sequence of events
  • A business case for implementing stronger logical access controls
  • An explanation of the incident and corrective action taken (Correct)
  • An analysis of the impact of similar attacks at other organizations

Answer: An explanation of the incident and corrective action taken

An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs?

Options are:

  • Business impact analysis (BIA)
  • Key performance indicators (KPIs)
  • Technical vulnerability assessment
  • Gap analysis (Correct)

Answer: Gap analysis
