CISM Information Security Program Management Test

To help ensure that contract personnel do not obtain unauthorized access to sensitive information, an information security manager should PRIMARILY:

Options are :

  • ensure they successfully pass background checks.
  • avoid granting system administration roles. (Correct)
  • ensure their access is approved by the data owner.
  • set their accounts to expire in six months or less.

Answer : avoid granting system administration roles.

CISM Information Risk Management Certification

Which of the following represents a PRIMARY area of interest when conducting a penetration test?

Options are :

  • Network mapping (Correct)
  • Intrusion Detection System (IDS)
  • Customer data
  • Data mining

Answer : Network mapping

The BEST way to determine if an anomaly-based intrusion detection system (IDS) is properly installed is to:

Options are :

  • benchmark the IDS against a peer site.
  • audit the configuration of the IDS.
  • simulate an attack and review IDS performance. (Correct)
  • use a honeypot to check for unusual activity.

Answer : simulate an attack and review IDS performance.

Which of the following areas is MOST susceptible to the introduction of security weaknesses?

Options are :

  • Incident response management
  • Configuration management (Correct)
  • Database management
  • Tape backup management

Answer : Configuration management

Prior to having a third party perform an attack and penetration test against an organization, the MOST important action is to ensure that:

Options are :

  • special backups of production servers are taken.
  • the third party provides a demonstration on a test system.
  • the technical staff has been briefed on what to expect.
  • goals and objectives are clearly defined. (Correct)

Answer : goals and objectives are clearly defined.

The BEST time to perform a penetration test is after:

Options are :

  • various infrastructure changes are made. (Correct)
  • an audit has reported weaknesses in security controls.
  • a high turnover in systems staff.
  • an attempted penetration has occurred.

Answer : various infrastructure changes are made.

Which of the following will BEST ensure that management takes ownership of the decision making process for information security?

Options are :

  • Security policies and procedures
  • Security awareness campaigns
  • Security steering committees (Correct)
  • Annual self-assessment by management

Answer : Security steering committees

Cism Information Security Program Development Practice Exam

Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?

Options are :

  • Operating system (OS) security patches have not been applied (Correct)
  • User ad hoc reporting is not logged
  • Database security defaults to ERP settings
  • Network traffic is through a single switch

Answer : Operating system (OS) security patches have not been applied

Which of the following is MOST important to the successful promotion of good security management practices?

Options are :

  • Management support (Correct)
  • Security metrics
  • Security baselines
  • Periodic training

Answer : Management support

Security awareness training should be provided to new employees:

Options are :

  • during system user training.
  • before they have access to data. (Correct)
  • along with department staff.
  • on an as-needed basis.

Answer : before they have access to data.

CISM Information Security Governance Certification Practice

Which of the following will BEST protect against malicious activity by a former employee?

Options are :

  • Effective termination procedures (Correct)
  • Preemployment screening
  • Close monitoring of users
  • Periodic awareness training

Answer : Effective termination procedures

Of the following, the BEST method for ensuring that temporary employees do not receive excessive access rights is:

Options are :

  • lattice-based access controls.
  • mandatory access controls.
  • role-based access controls. (Correct)
  • discretionary access controls.

Answer : role-based access controls.

The PRIMARY objective of security awareness is to:

Options are :

  • ensure that security policies are understood.
  • influence employee behavior. (Correct)
  • notify of actions for noncompliance.
  • ensure legal and regulatory compliance.

Answer : influence employee behavior.

CISM Certified Information Security Manager

Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack?

Options are :

  • Utilize an intrusion detection system.
  • Perform periodic penetration testing. (Correct)
  • Implement vendor recommended settings.
  • Establish minimum security baselines.

Answer : Perform periodic penetration testing.

Information security policies should:

Options are :

  • be customized to specific groups and roles.
  • address the process for communicating a violation.
  • address corporate network vulnerabilities.
  • be straightforward and easy to understand. (Correct)

Answer : be straightforward and easy to understand.

What is the BEST way to ensure that an intruder who successfully penetrates a network will be detected before significant damage is inflicted?

Options are :

  • Install a honeypot on the network (Correct)
  • Establish minimum security baselines
  • Implement vendor default settings
  • Perform periodic penetration testing

Answer : Install a honeypot on the network

CISM Information Risk Management Certification Practice

Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected?

Options are :

  • Applying patches
  • Upgrading hardware
  • Backing up files (Correct)
  • Changing access rules

Answer : Backing up files

A security awareness program should:

Options are :

  • address details on specific exploits.
  • promote security department procedures.
  • address specific groups and roles. (Correct)
  • present top management's perspective.

Answer : address specific groups and roles.

The return on investment of information security can BEST be evaluated through which of the following?

Options are :

  • Process improvement models
  • Security metrics
  • Support of business objectives (Correct)
  • Security deliverables

Answer : Support of business objectives


Which of the following environments represents the GREATEST risk to organizational security?

Options are :

  • Locally managed file server (Correct)
  • Enterprise data warehouse
  • Centrally managed data switch
  • Load-balanced, web server cluster

Answer : Locally managed file server

Which of the following presents the GREATEST exposure to internal attack on a network?

Options are :

  • User passwords are not automatically expired
  • All network traffic goes through a single switch
  • User passwords are encoded but not encrypted (Correct)
  • All users reside on a single internal subnet

Answer : User passwords are encoded but not encrypted

In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources?

Options are :

  • Implementing on-screen masking of passwords
  • Increasing the frequency of password changes
  • Requiring that passwords be kept strictly confidential
  • Conducting periodic security awareness programs (Correct)

Answer : Conducting periodic security awareness programs

CISM Information Security Governance Certified Practice

Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?

Options are :

  • Quality control manager
  • System analyst
  • Information security manager
  • Process owner (Correct)

Answer : Process owner

Which of the following is the MOST important management signoff for migrating an order processing system from a test environment to a production environment?

Options are :

  • Security
  • User (Correct)
  • Operations
  • Database

Answer : User

Successful social engineering attacks can BEST be prevented through:

Options are :

  • close monitoring of users' access patterns.
  • efficient termination procedures.
  • periodic awareness training. (Correct)
  • preemployment screening.

Answer : periodic awareness training.


Nonrepudiation can BEST be assured by using:

Options are :

  • delivery path tracing.
  • reverse lookup translation.
  • out-of-band channels.
  • digital signatures. (Correct)

Answer : digital signatures.

What is the BEST method to verify that all security patches applied to servers were properly documented?

Options are :

  • Trace OS patch logs to change control requests (Correct)
  • Trace OS patch logs to OS vendor's update documentation
  • Review change control documentation for key servers
  • Trace change control requests to operating system (OS) patch logs

Answer : Trace OS patch logs to change control requests

What is the BEST way to ensure that contract programmers comply with organizational security policies?

Options are :

  • Perform periodic security reviews of the contractors (Correct)
  • Explicitly refer to contractors in the security standards
  • Create penalties for noncompliance in the contracting agreement
  • Have the contractors acknowledge in writing the security policies

Answer : Perform periodic security reviews of the contractors


When a departmental system continues to be out of compliance with an information security policy's password strength requirements, the BEST action to undertake is to:

Options are :

  • request a risk acceptance from senior management.
  • submit the issue to the steering committee.
  • conduct an impact analysis to quantify the risks. (Correct)
  • isolate the system from the rest of the network.

Answer : conduct an impact analysis to quantify the risks.

Security policies should be aligned MOST closely with:

Options are :

  • local laws and regulations.
  • organizational needs. (Correct)
  • industry best practices.
  • generally accepted standards.

Answer : organizational needs.

Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken?

Options are :

  • Information security officer
  • Data custodian
  • Security steering committee (Correct)
  • Data owner

Answer : Security steering committee


What is the MOST effective access control method to prevent users from sharing files with unauthorized users?

Options are :

  • Mandatory (Correct)
  • Role-based
  • Walled garden
  • Discretionary

Answer : Mandatory

Which of the following is MOST important for measuring the effectiveness of a security awareness program?

Options are :

  • Increased interest in focus groups on security issues
  • A quantitative evaluation to ensure user comprehension (Correct)
  • Increased number of security violation reports
  • Reduced number of security violation reports

Answer : A quantitative evaluation to ensure user comprehension

Which of the following is the MOST important process that an information security manager needs to negotiate with an outsource service provider?

Options are :

  • A legally binding data protection agreement
  • Encryption between the organization and the provider
  • The right to conduct independent security reviews (Correct)
  • A joint risk assessment of the system

Answer : The right to conduct independent security reviews


Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application?

Options are :

  • Business process flow
  • IT security policy (Correct)
  • Regulatory requirements
  • User security procedures

Answer : IT security policy

Data owners are normally responsible for which of the following?

Options are :

  • Determining the level of application security required (Correct)
  • Migrating application code changes to production
  • Administering security over database records
  • Applying emergency changes to application data

Answer : Determining the level of application security required

Which of the following is an inherent weakness of signature-based intrusion detection systems?

Options are :

  • A higher number of false positives
  • New attack methods will be missed (Correct)
  • Long duration probing will be missed
  • Attack profiles can be easily spoofed

Answer : New attack methods will be missed

CISM Information Security Governance Certified Test

Good information security standards should:

Options are :

  • be updated frequently as new software is released.
  • address high-level objectives of the organization.
  • describe the process for communicating violations.
  • define precise and unambiguous allowable limits. (Correct)

Answer : define precise and unambiguous allowable limits.
