CISM Information Security Program Development Practice

Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network?

Options are :

  • Safeguards over keys (Correct)
  • Configuration of firewalls
  • Strength of encryption algorithms
  • Authentication within application

Answer : Safeguards over keys

Which of the following is MOST effective in protecting against the attack technique known as phishing?

Options are :

  • Security awareness training (Correct)
  • Intrusion detection monitoring
  • Up-to-date signature files
  • Firewall blocking rules

Answer : Security awareness training

The MOST important reason that statistical anomaly-based intrusion detection systems (stat IDSs) are less commonly used than signature-based IDSs is that stat IDSs:

Options are :

  • create more overhead than signature-based IDSs.
  • generate false alarms from varying user or system actions. (Correct)
  • cannot detect new types of attacks.
  • cause false positives from minor changes to system variables.

Answer : generate false alarms from varying user or system actions.
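The trade-off behind this answer is easier to see with both detector types run over the same traffic. The following is an added example written for this page, not code from the original quiz: a signature matcher and a z-score volume detector over constructed request-log lines (the baseline counts, signatures and the three test hours are all made up for the illustration). A benign month-end password-reset campaign trips the statistical detector but not the signature one, a single SQL-injection request does the reverse, and a novel brute-force burst is caught only by the statistical detector. The false alarm on legitimate but unusual behaviour is the cost the question is asking about.

```python
import re
import statistics

# Constructed sample data (not from the page): requests-per-hour seen by one web
# server over 20 "normal" hours that the statistical detector learns from.
BASELINE_HOURLY_COUNTS = [118, 121, 119, 125, 117, 122, 120, 116, 123, 119,
                          121, 118, 124, 120, 117, 122, 119, 121, 118, 120]

# Three constructed test hours, each a list of request-log lines.
LEGIT_BURST = ["GET /reset-password?user=u%d" % i for i in range(400)]  # benign password-reset campaign, unusual volume
SQLI_HOUR = ["GET /account?id=%d" % i for i in range(119)] + ["GET /account?id=1' OR '1'='1"]  # normal volume, one known-bad request
BRUTE_FORCE = ["POST /login user=admin pw=guess%d" % i for i in range(2000)]  # novel volumetric attack, no signature for it

SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*OR\s*'?1'?\s*=\s*'?1", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}


def signature_alerts(lines):
    """Signature-based IDS: alert only on lines matching a known pattern.

    Precise, but blind to anything that is not in SIGNATURES."""
    return [(name, line) for line in lines
            for name, pattern in SIGNATURES.items() if pattern.search(line)]


def anomaly_alert(lines, baseline=BASELINE_HOURLY_COUNTS, threshold=3.0):
    """Statistical anomaly IDS: alert when the hour's volume is more than
    `threshold` standard deviations away from the learned baseline.

    Returns (alerted, z_score). Catches novel attacks that change behaviour,
    but a legitimate change in behaviour looks exactly the same to it."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0  # guard: a flat baseline would divide by zero
    z = (len(lines) - mean) / stdev
    return abs(z) > threshold, z


def compare(lines):
    """Run both detectors over one hour of log lines and summarise the verdicts."""
    sig = signature_alerts(lines)
    anomalous, z = anomaly_alert(lines)
    return {"signature_hits": len(sig), "anomaly": anomalous, "z": round(z, 1)}


if __name__ == "__main__":
    for label, hour in [("legit burst", LEGIT_BURST), ("sqli hour", SQLI_HOUR), ("brute force", BRUTE_FORCE)]:
        print(label, compare(hour))
```

Tuning `threshold` upward reduces the false alarms but also delays detection of the brute-force hour; in practice the baseline also has to be re-learned whenever the business legitimately changes its patterns, which is the operational overhead that makes signature-based systems the more common default.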

What is the MOST important item to be included in an information security policy?

Options are :

  • The definition of roles and responsibilities
  • The key objectives of the security program (Correct)
  • Reference to procedures and standards of the security program
  • The scope of the security program

Answer : The key objectives of the security program


Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee?

Options are :

  • Security patches applied trend report
  • Percentage of security compliant servers
  • Security compliant servers trend report (Correct)
  • Number of security patches applied

Answer : Security compliant servers trend report

A message that has been encrypted by the sender's private key and again by the receiver's public key achieves:

Options are :

  • authentication and authorization.
  • confidentiality and integrity.
  • authentication and nonrepudiation.
  • confidentiality and nonrepudiation. (Correct)

Answer : confidentiality and nonrepudiation.

When a user employs a client-side digital certificate to authenticate to a web server through Secure Sockets Layer (SSL), confidentiality is MOST vulnerable to which of the following?

Options are :

  • Trojan (Correct)
  • Repudiation
  • IP spoofing
  • Man-in-the-middle attack

Answer : Trojan


To BEST improve the alignment of the information security objectives in an organization, the chief information security officer (CISO) should:

Options are :

  • evaluate a balanced business scorecard. (Correct)
  • perform penetration tests.
  • conduct regular user awareness sessions.
  • revise the information security program.

Answer : evaluate a balanced business scorecard.

Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation?

Options are :

  • Message hashing
  • Message authentication code
  • Public key infrastructure (PKI) (Correct)
  • Symmetric cryptography

Answer : Public key infrastructure (PKI)

A risk assessment study carried out by an organization noted that there is no segmentation of the local area network (LAN). Network segmentation would reduce the potential impact of which of the following?

Options are :

  • IP address spoofing
  • Virus infections
  • Denial of service (DoS) attacks
  • Traffic sniffing (Correct)

Answer : Traffic sniffing


Which of the following features is normally missing when using Secure Sockets Layer (SSL) in a web browser?

Options are :

  • Certificate-based authentication of web client (Correct)
  • Data confidentiality between client and web server
  • Multiple encryption algorithms
  • Certificate-based authentication of web server

Answer : Certificate-based authentication of web client

In an organization, information systems security is the responsibility of:

Options are :

  • functional personnel
  • all personnel. (Correct)
  • information systems personnel.
  • information systems security personnel.

Answer : all personnel.

Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?

Options are :

  • A biometric coupled with a PIN
  • Security guard escort of visitors
  • Regular review of access control lists (Correct)
  • Visitor registry log at the door

Answer : Regular review of access control lists
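The reason a periodic access review beats a stronger reader is that the reader only enforces the list it is given; nobody checks whether the list is still right. As an added example for this page (not part of the original quiz), here is the kind of reconciliation such a review performs: the biometric device's enrolment list is checked against an HR roster for leavers, people outside the approved departments, badges with no HR record, and entries nobody has used for 90 days. All of the data, the department whitelist and the 90-day window are constructed assumptions for the illustration.

```python
from datetime import date

# Constructed sample data (not from the page): the biometric reader's enrolment
# list for the server room, and an HR roster extract to reconcile it against.
SERVER_ROOM_ACL = [
    {"badge": "B1001", "name": "a.ng",        "enrolled": date(2023, 1, 10), "last_access": date(2024, 5, 2)},
    {"badge": "B1002", "name": "m.rossi",     "enrolled": date(2022, 6, 1),  "last_access": date(2024, 1, 15)},
    {"badge": "B1003", "name": "j.doe",       "enrolled": date(2021, 3, 3),  "last_access": None},
    {"badge": "B1004", "name": "contractor7", "enrolled": date(2024, 4, 1),  "last_access": date(2024, 5, 3)},
]
HR_ROSTER = {
    "B1001": {"status": "active",     "dept": "infra-ops"},
    "B1002": {"status": "terminated", "dept": "infra-ops"},
    "B1003": {"status": "active",     "dept": "marketing"},
    # B1004 has no HR record at all (e.g. a contractor badge issued locally)
}
APPROVED_DEPTS = {"infra-ops", "datacenter"}  # assumed: departments with a business need for the room
STALE_AFTER_DAYS = 90                          # assumed review policy
REVIEW_DATE = date(2024, 5, 6)


def review_acl(acl=SERVER_ROOM_ACL, roster=HR_ROSTER, review_date=REVIEW_DATE):
    """Reconcile the device's enrolment list against HR and return
    (badge, reason) findings. An empty list means the ACL is compliant."""
    findings = []
    for entry in acl:
        badge = entry["badge"]
        person = roster.get(badge)
        if person is None:
            # Nobody in HR owns this badge: it cannot be justified, so flag it first.
            findings.append((badge, "no HR record"))
            continue
        if person["status"] != "active":
            findings.append((badge, "terminated"))
        if person["dept"] not in APPROVED_DEPTS:
            findings.append((badge, "department not approved"))
        # A badge that has never been used is measured from its enrolment date.
        last_used = entry["last_access"] or entry["enrolled"]
        if (review_date - last_used).days > STALE_AFTER_DAYS:
            findings.append((badge, "unused > %d days" % STALE_AFTER_DAYS))
    return findings


def flagged_badges(findings):
    """Distinct badges that need revocation or re-justification."""
    return sorted({badge for badge, _ in findings})


if __name__ == "__main__":
    for badge, reason in review_acl():
        print(badge, reason)
```

The output of such a review is a revocation list for the device administrator plus a record that the review happened; both are what an auditor asks for when testing "reasonable assurance" of physical access compliance.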


The MAIN goal of an information security strategic plan is to:

Options are :

  • protect information assets and resources. (Correct)
  • establish security governance.
  • develop a risk assessment plan.
  • develop a data protection plan.

Answer : protect information assets and resources.

When considering the value of assets, which of the following would give the information security manager the MOST objective basis for measurement of value delivery in information security governance?

Options are :

  • Effectiveness of controls
  • Number of controls
  • Cost of achieving control objectives (Correct)
  • Test results of controls

Answer : Cost of achieving control objectives

Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?

Options are :

  • Encrypting first by receiver's private key and second by sender's public key
  • Encrypting first by sender's public key and second by receiver's private key
  • Encrypting first by sender's private key and second decrypting by sender's public key
  • Encrypting first by sender's private key and second by receiver's public key (Correct)

Answer : Encrypting first by sender's private key and second by receiver's public key
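This question and the earlier one about a message "encrypted by the sender's private key and again by the receiver's public key" describe the same construction: sign, then encrypt. The following is an added example for this page, not code from the original quiz, using textbook RSA with fixed, well-known Mersenne primes, no padding and no hashing so that the two steps are visible as bare modular exponentiations. All key material is a constructed assumption; real systems use random keys of at least 2048 bits, OAEP/PSS padding, sign a digest rather than the message, and carry the bulk data under a symmetric key. The example shows that only the sender's private key produces a value the sender's public key will undo (authentication and nonrepudiation) and only the receiver's private key undoes the outer layer (confidentiality), and that verifying with an impostor's public key yields garbage.

```python
# Toy textbook RSA for illustration only (constructed for this example).
E = 65537


def keypair(p, q):
    """Return (n, e, d) for primes p, q. Assumes E is coprime with (p-1)(q-1),
    which holds for the Mersenne primes used below."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, E, pow(E, -1, phi)


# Constructed keys (not from the page). Bob's modulus is larger than Alice's so
# that Alice's signature (an integer below n_A) is a valid input to Bob's key.
ALICE = keypair(2**61 - 1, 2**89 - 1)
BOB = keypair(2**107 - 1, 2**127 - 1)
MALLORY = keypair(2**61 - 1, 2**107 - 1)  # an impostor with her own key pair


def sign_then_encrypt(message: bytes, sender, receiver):
    """Step 1: 'encrypt' with the sender's private key. Only the holder of d_s
    can produce this value, so it serves as a signature (authentication and
    nonrepudiation). Step 2: encrypt the result with the receiver's public key
    so that only the holder of d_r can read it (confidentiality)."""
    n_s, _, d_s = sender
    n_r, e_r, _ = receiver
    m = int.from_bytes(message, "big")
    if not 0 < m < n_s or n_s >= n_r:
        raise ValueError("message must be below the sender modulus, which must be below the receiver modulus")
    signed = pow(m, d_s, n_s)
    return pow(signed, e_r, n_r)


def decrypt_then_verify(ciphertext: int, receiver, claimed_sender):
    """Undo the two steps in reverse order: receiver's private key, then the
    claimed sender's public key. With the wrong public key the result is
    garbage, which is how the receiver learns the message did not come from
    the claimed sender. (Messages with a leading zero byte lose it in to_bytes;
    a real scheme fixes the length via padding.)"""
    n_r, _, d_r = receiver
    n_s, e_s, _ = claimed_sender
    signed = pow(ciphertext, d_r, n_r)
    m = pow(signed, e_s, n_s)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def roundtrip(message: bytes, sender, receiver, claimed_sender):
    return decrypt_then_verify(sign_then_encrypt(message, sender, receiver), receiver, claimed_sender)


if __name__ == "__main__":
    msg = b"PAY BOB 100 EUR"
    print(roundtrip(msg, ALICE, BOB, ALICE))            # Bob verifies Alice's message
    print(roundtrip(msg, ALICE, BOB, MALLORY) == msg)   # False: wrong verification key
    print(roundtrip(msg, MALLORY, BOB, ALICE) == msg)   # False: Mallory cannot forge Alice
```

The order matters: signing the plaintext and then encrypting binds the signature to what the receiver actually reads, whereas a signature applied over the ciphertext can be stripped and replaced by anyone who intercepts the message.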


It is important to develop an information security baseline because it helps to define:

Options are :

  • required physical and logical access controls.
  • critical information resources needing protection.
  • a security policy for the entire organization.
  • the minimum acceptable security to be implemented. (Correct)

Answer : the minimum acceptable security to be implemented.

Which of the following is a key area of the ISO 27001 framework?

Options are :

  • Business continuity management (Correct)
  • Financial crime metrics
  • Operational risk assessment
  • Capacity management

Answer : Business continuity management

The IT function has declared that, when putting a new application into production, it is not necessary to update the business impact analysis (BIA) because it does not produce modifications in the business processes. The information security manager should:

Options are :

  • check the system's risk analysis.
  • verify the decision with the business units. (Correct)
  • recommend update after post implementation review.
  • request an audit review.

Answer : verify the decision with the business units.


The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to:

Options are :

  • rebuild the system from the original installation medium. (Correct)
  • change the root password of the system.
  • disconnect the mail server from the network.
  • implement multifactor authentication.

Answer : rebuild the system from the original installation medium

The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C) financial web application is:

Options are :

  • Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • Secure Shell (SSH)
  • Secure Sockets Layer (SSL). (Correct)
  • IP Security (IPSec).

Answer : Secure Sockets Layer (SSL).

Which of the following would be the BEST metric for the IT risk management process?

Options are :

  • Percentage of unresolved risk exposures
  • Percentage of critical assets with budgeted remedial (Correct)
  • Number of security incidents identified
  • Number of risk management action plans

Answer : Percentage of critical assets with budgeted remedial


An organization without any formal information security program that has decided to implement information security best practices should FIRST:

Options are :

  • benchmark similar organizations.
  • define high-level business security requirements. (Correct)
  • invite an external consultant to create the security strategy.
  • allocate budget based on best practices.

Answer : define high-level business security requirements.

An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID in the URL used for accessing the account. The vulnerability identified is:

Options are :

  • structured query language (SQL) injection.
  • unvalidated input.
  • cross-site scripting.
  • broken authentication. (Correct)

Answer : broken authentication.
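The defect in this question is usually called an insecure direct object reference and, in OWASP's current terminology, falls under broken access control; the quiz key files it under broken authentication. Whatever the label, the missing control is the same: the application authenticates the session but never authorises the object the URL names. The following is an added example for this page, not code from the original quiz, showing the vulnerable handler beside the hardened one on a constructed in-memory account store and session table (all identifiers are assumptions for the illustration).

```python
from urllib.parse import parse_qs, urlparse

# Constructed in-memory data (not from the page): two accounts, two logged-in sessions.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500},
    "1002": {"owner": "bob", "balance": 900},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def current_user(session_token):
    user = SESSIONS.get(session_token)
    if user is None:
        raise Unauthenticated()
    return user


def account_vulnerable(session_token, account_id):
    """Authenticates the caller, then trusts the ID from the URL as-is:
    any logged-in user can read any account by editing ?id=."""
    current_user(session_token)
    return ACCOUNTS[account_id]


def account_hardened(session_token, account_id):
    """Authorises every object access against the session's identity.
    Unknown and foreign IDs get the same response, so the parameter cannot
    be used to enumerate which account numbers exist."""
    user = current_user(session_token)
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != user:
        raise Forbidden()
    return acct


def handle(url, session_token, handler):
    """Minimal dispatcher returning (status, body) the way a web framework would."""
    account_id = parse_qs(urlparse(url).query).get("id", [""])[0]
    try:
        return 200, handler(session_token, account_id)
    except Unauthenticated:
        return 401, None
    except Forbidden:
        return 403, None
    except KeyError:
        return 404, None


if __name__ == "__main__":
    # Alice's session requesting Bob's account by editing the URL.
    print(handle("/account?id=1002", "sess-alice", account_vulnerable))  # 200 and Bob's data
    print(handle("/account?id=1002", "sess-alice", account_hardened))    # 403
```

A cleaner design than checking ownership after the lookup is to scope the lookup itself to the session's user (query "accounts owned by alice with id X"), so that a forgotten check cannot leak another user's record; the hardened handler above is the minimal fix that keeps the URL shape the question describes.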


Which of the following would be the BEST defense against sniffing?

Options are :

  • Password protect the files
  • Encrypt the data being transmitted (Correct)
  • Set static media access control (MAC) addresses
  • Implement a dynamic IP address scheme

Answer : Encrypt the data being transmitted

Which of the following would BEST protect an organization's confidential data stored on a laptop computer from unauthorized access?

Options are :

  • Multifactor authentication procedures
  • Encrypted hard drives (Correct)
  • Strong authentication by password
  • Network-based data backup

Answer : Encrypted hard drives

The PRIMARY driver to obtain external resources to execute the information security program is that external resources can:

Options are :

  • replace the dependence on internal resources.
  • deliver more effectively on account of their knowledge.
  • contribute cost-effective expertise not available internally. (Correct)
  • be made responsible for meeting the security program requirements.

Answer : contribute cost-effective expertise not available internally.


A digital signature using a public key infrastructure (PKI) will:

Options are :

  • provide a high level of confidentiality
  • require two parties to the message exchange.
  • not ensure the integrity of a message.
  • rely on the extent to which the certificate authority (CA) is trusted. (Correct)

Answer : rely on the extent to which the certificate authority (CA) is trusted.

Which of the following controls would BEST prevent accidental system shutdown from the console or operations area?

Options are :

  • Protective switch covers (Correct)
  • Biometric readers
  • Redundant power supplies
  • Shutdown alarms

Answer : Protective switch covers

The MOST effective way to ensure that outsourced service providers comply with the organization's information security policy would be:

Options are :

  • security awareness training.
  • penetration testing.
  • service level monitoring.
  • periodically auditing. (Correct)

Answer : periodically auditing.


At what stage of the applications development process would encryption key management initially be addressed?

Options are :

  • Code reviews
  • Systems testing
  • Requirements development (Correct)
  • Deployment

Answer : Requirements development

Which of the following is the MOST important reason why information security objectives should be defined?

Options are :

  • General understanding of goals
  • Tool for measuring effectiveness (Correct)
  • Management sign-off and support initiatives
  • Consistency with applicable standards

Answer : Tool for measuring effectiveness

The MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements is:

Options are :

  • messages displayed at every logon. (Correct)
  • periodic security-related e-mail messages.
  • an Intranet web site for information security.
  • circulating the information security policy.

Answer : messages displayed at every logon.


Network-based data backup

Options are :

  • Reducing the human risk (Correct)
  • Informing business units about the security strategy
  • Training personnel in security incident response
  • Maintaining evidence of training records to ensure compliance

Answer : Reducing the human risk
