CISM Information Risk Management Certification

A risk mitigation report would include recommendations for:

Options are :

  • quantification.
  • acceptance. (Correct)
  • evaluation.
  • assessment.

Answer : acceptance

Which of the following BEST indicates a successful risk management practice?

Options are :

  • Inherent risk is eliminated
  • Overall risk is quantified
  • Control risk is tied to business units
  • Residual risk is minimized (Correct)

Answer : Residual risk is minimized

An online banking institution is concerned that the breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to:

Options are :

  • implement a real-time intrusion detection system.
  • increase the resiliency of security measures in place.
  • mitigate the impact by purchasing insurance. (Correct)
  • implement a circuit-level firewall to protect the network.

Answer : mitigate the impact by purchasing insurance.

A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected?

Options are :

  • Access control policy
  • Encryption standards
  • Acceptable use policy
  • Data classification policy (Correct)

Answer : Data classification policy

A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that:

Options are :

  • the cost of countermeasure outweighs the value of the asset and potential loss. (Correct)
  • the likelihood of the risk occurring is unknown.
  • there are sufficient safeguards in place to prevent this risk from happening.
  • the needed countermeasure is too complicated to deploy.

Answer : the cost of countermeasure outweighs the value of the asset and potential loss.

The BEST strategy for risk management is to:

Options are :

  • reduce risk to an acceptable level. (Correct)
  • ensure that policy development properly considers organizational risks.
  • ensure that all unmitigated risks are accepted by management.
  • achieve a balance between risk and organizational goals.

Answer : reduce risk to an acceptable level

What does a network vulnerability assessment intend to identify?

Options are :

  • Security design flaws
  • Malicious software and spyware
  • Misconfiguration and missing updates (Correct)
  • 0-day vulnerabilities

Answer : Misconfiguration and missing updates

Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?

Options are :

  • Annual loss expectancy (ALE) of incidents
  • Approved budget for the project
  • Total cost of ownership (TCO) (Correct)
  • Frequency of incidents

Answer : Total cost of ownership (TCO)

The criticality and sensitivity of information assets is determined on the basis of:

Options are :

  • resource dependency assessment.
  • vulnerability assessment.
  • impact assessment. (Correct)
  • threat assessment.

Answer : impact assessment.

Which of the following measures would be MOST effective against insider threats to confidential information?

Options are :

  • Privacy policy
  • Audit trail monitoring
  • Role-based access control (Correct)
  • Defense-in-depth

Answer : Role-based access control

Which of the following would BEST address the risk of data leakage?

Options are :

  • Database integrity checks
  • File backup procedures
  • Acceptable use policies (Correct)
  • Incident response procedures

Answer : Acceptable use policies

After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:

Options are :

  • make the customer liable for losses if they fail to follow the bank's advice.
  • outsource credit card processing to a third party.
  • implement monitoring techniques to detect and react to potential fraud. (Correct)
  • increase its customer awareness efforts in those regions.

Answer : implement monitoring techniques to detect and react to potential fraud

Which of the following risks would BEST be assessed using qualitative risk assessment techniques?

Options are :

  • Temporary loss of e-mail due to a virus attack
  • Theft of purchased software
  • Power outage lasting 24 hours
  • Permanent decline in customer confidence (Correct)

Answer : Permanent decline in customer confidence

For risk management purposes, the value of an asset should be based on:

Options are :

  • net present value.
  • original cost.
  • net cash flow.
  • replacement cost. (Correct)

Answer : replacement cost.

Which of the following results from the risk assessment process would BEST assist risk management decision making?

Options are :

  • Control risk
  • Risk exposure
  • Residual risk (Correct)
  • Inherent risk

Answer : Residual risk

Which of the following is the MOST usable deliverable of an information security risk analysis?

Options are :

  • Business impact analysis (BIA) report
  • Quantification of organizational risk
  • Assignment of risks to process owners
  • List of action items to mitigate risk (Correct)

Answer : List of action items to mitigate risk

Which of the following BEST describes the scope of risk analysis?

Options are :

  • Key systems and infrastructure
  • Organizational activities (Correct)
  • Key financial systems
  • Systems subject to regulatory compliance

Answer : Organizational activities

Information security managers should use risk assessment techniques to:

Options are :

  • maximize the return on investment (ROI).
  • provide documentation for auditors and regulators.
  • justify selection of risk mitigation strategies. (Correct)
  • quantify risks that would otherwise be subjective.

Answer : justify selection of risk mitigation strategies.

The decision as to whether a risk has been reduced to an acceptable level should be determined by:

Options are :

  • organizational requirements. (Correct)
  • international standards.
  • information systems requirements.
  • information security requirements.

Answer : organizational requirements.

Identification and prioritization of business risk enables project managers to:

Options are :

  • reduce the overall amount of slack time.
  • accelerate completion of critical paths.
  • establish implementation milestones.
  • address areas with most significance. (Correct)

Answer : address areas with most significance.

In assessing risk, it is MOST essential to:

Options are :

  • use benchmarking data from similar organizations.
  • provide equal coverage for all asset types.
  • focus primarily on threats and recent business losses.
  • consider both monetary value and likelihood of loss. (Correct)

Answer : consider both monetary value and likelihood of loss.

The recovery time objective (RTO) is reached at which of the following milestones?

Options are :

  • Disaster declaration
  • Recovery of the backups
  • Return to business as usual processing
  • Restoration of the system (Correct)

Answer : Restoration of the system

When residual risk is minimized:

Options are :

  • transferred risk is acceptable.
  • acceptable risk is probable. (Correct)
  • control risk is reduced.
  • risk is transferable.

Answer : acceptable risk is probable

Which of the following is the MOST appropriate use of gap analysis?

Options are :

  • Demonstrating the relationship between controls
  • Measuring current state vs. desired future state (Correct)
  • Evaluating a business impact analysis (BIA)
  • Developing a balanced business scorecard

Answer : Measuring current state vs. desired future state

A successful risk management program should lead to:

Options are :

  • optimization of risk reduction efforts against cost. (Correct)
  • containment of losses to an annual budgeted amount.
  • elimination or transference of all organizational risks.
  • identification and removal of all man-made threats.

Answer : optimization of risk reduction efforts against cost.

During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?

Options are :

  • Testing
  • Feasibility (Correct)
  • Design
  • Development

Answer : Feasibility

It is important to classify and determine relative sensitivity of assets to ensure that:

Options are :

  • cost of protection is in proportion to sensitivity.
  • highly sensitive assets are protected.
  • countermeasures are proportional to risk. (Correct)
  • cost of controls is minimized.

Answer : countermeasures are proportional to risk.

A business impact analysis (BIA) is the BEST tool for calculating:

Options are :

  • residual risk.
  • priority of restoration. (Correct)
  • annualized loss expectancy (ALE).
  • total cost of ownership.

Answer : priority of restoration.

The MOST important function of a risk management program is to:

Options are :

  • maximize the sum of all annualized loss expectancies (ALEs).
  • eliminate inherent risk.
  • minimize residual risk. (Correct)
  • quantify overall risk.

Answer : minimize residual risk.

Which of the following is the PRIMARY reason for implementing a risk management program?

Options are :

  • Satisfies audit and regulatory requirements
  • Is a necessary part of management's due diligence (Correct)
  • Assists in increasing the return on investment (ROI)
  • Allows the organization to eliminate risk

Answer : Is a necessary part of management's due diligence

The service level agreement (SLA) for an outsourced IT function does not reflect an adequate level of protection. In this situation an information security manager should:

Options are :

  • determine the current level of security. (Correct)
  • ensure the provider is made liable for losses.
  • recommend not renewing the contract upon expiration.
  • recommend the immediate termination of the contract.

Answer : determine the current level of security.

In performing a risk assessment on the impact of losing a server, the value of the server should be calculated using the:

Options are :

  • original cost to acquire.
  • annualized loss expectancy (ALE).
  • cost of the software stored.
  • cost to obtain a replacement. (Correct)

Answer : cost to obtain a replacement.

Quantitative risk analysis is MOST appropriate when assessment data:

Options are :

  • do not contain specific details.
  • include customer perceptions.
  • contain percentage estimates. (Correct)
  • contain subjective information.

Answer : contain percentage estimates.
