CISM Certified Information Security Manager Mock Test

Which of the following BEST ensures that modifications made to in-house developed business
applications do not introduce new security exposures?

Options are :

  • Change management (Correct)
  • Stress testing
  • Security baselines
  • Patch management

Answer : Change management

Which of the following tools is MOST appropriate to assess whether information security
governance objectives are being met?

Options are :

  • Gap analysis
  • Balanced scorecard (Correct)
  • Waterfall chart
  • SWOT analysis

Answer : Balanced scorecard

Secure customer use of an e-commerce application can BEST be accomplished through:

Options are :

  • digital signatures.
  • strong passwords.
  • two-factor authentication.
  • data encryption. (Correct)

Answer : data encryption.

What is the MOST important item to be included in an information security policy?

Options are :

  • The definition of roles and responsibilities
  • Reference to procedures and standards of the security program
  • The key objectives of the security program (Correct)
  • The scope of the security program

Answer : The key objectives of the security program

Which of the following is the MOST important guideline when using software to scan for security
exposures within a corporate network?

Options are :

  • Follow a linear process for attacks
  • Focus only on production servers
  • Never use open source tools
  • Do not interrupt production processes (Correct)

Answer : Do not interrupt production processes

Which of the following controls is MOST effective in providing reasonable assurance of physical
access compliance to an unmanned server room controlled with biometric devices?

Options are :

  • A biometric coupled with a PIN
  • Security guard escort of visitors
  • Regular review of access control lists (Correct)
  • Visitor registry log at the door

Answer : Regular review of access control lists

The BEST metric for evaluating the effectiveness of a firewall is the:

Options are :

  • number of packets dropped.
  • average throughput rate.
  • number of attacks blocked. (Correct)
  • number of firewall rules.

Answer : number of attacks blocked.

Which of the following is the MOST important item to consider when evaluating products to
monitor security across the enterprise?

Options are :

  • Ease of installation
  • System overhead (Correct)
  • Available support
  • Product documentation

Answer : System overhead

It is important to develop an information security baseline because it helps to define:

Options are :

  • a security policy for the entire organization.
  • required physical and logical access controls.
  • critical information resources needing protection.
  • the minimum acceptable security to be implemented. (Correct)

Answer : the minimum acceptable security to be implemented.

A border router should be placed on which of the following?

Options are :

  • Web server
  • IDS server
  • Domain boundary (Correct)
  • Screened subnet

Answer : Domain boundary

The information classification scheme should:

Options are :

  • classify personal information in electronic form.
  • be performed by the information security manager.
  • consider possible impact of a security breach. (Correct)
  • classify systems according to the data processed.

Answer : consider possible impact of a security breach.

When a user employs a client-side digital certificate to authenticate to a web server through
Secure Sockets Layer (SSL), confidentiality is MOST vulnerable to which of the following?

Options are :

  • Trojan (Correct)
  • IP spoofing
  • Repudiation
  • Man-in-the-middle attack

Answer : Trojan

What is an appropriate frequency for updating operating system (OS) patches on production
servers?

Options are :

  • According to a fixed security patch management schedule
  • Whenever important security patches are released (Correct)
  • During scheduled rollouts of new applications
  • Concurrently with quarterly hardware maintenance

Answer : Whenever important security patches are released

An operating system (OS) noncritical patch to enhance system security cannot be applied
because a critical application is not compatible with the change. Which of the following is the
BEST solution?

Options are :

  • Compensate for not installing the patch with mitigating controls (Correct)
  • Alter the patch to allow the application to run in a privileged state
  • Run the application on a test platform; tune production to allow patch and application
  • Rewrite the application to conform to the upgraded operating system

Answer : Compensate for not installing the patch with mitigating controls

Which of the following is the MOST important risk associated with middleware in a client-server
environment?

Options are :

  • Server patching may be prevented
  • System integrity may be affected (Correct)
  • System backups may be incomplete
  • End-user sessions may be hijacked

Answer : System integrity may be affected

Which of the following practices completely prevents a man-in-the-middle (MitM) attack between
two hosts?

Options are :

  • Enforce static media access control (MAC) addresses
  • Use security tokens for authentication
  • Use https with a server-side certificate
  • Connect through an IPSec VPN (Correct)

Answer : Connect through an IPSec VPN

A message that has been encrypted by the sender's private key and again by the receiver's
public key achieves:

Options are :

  • confidentiality and nonrepudiation. (Correct)
  • authentication and nonrepudiation.
  • authentication and authorization.
  • confidentiality and integrity.

Answer : confidentiality and nonrepudiation.

To BEST improve the alignment of the information security objectives in an organization, the chief information security officer (CISO) should:

Options are :

  • conduct regular user awareness sessions.
  • evaluate a balanced business scorecard (Correct)
  • perform penetration tests.
  • revise the information security program.

Answer : evaluate a balanced business scorecard

Which of the following is the MOST important consideration when implementing an intrusion
detection system (IDS)?

Options are :

  • Patching
  • Encryption
  • Tuning (Correct)
  • Packet filtering

Answer : Tuning

Which of the following technologies is utilized to ensure that an individual connecting to a
corporate internal network over the Internet is not an intruder masquerading as an authorized
user?

Options are :

  • Embedded digital signature
  • IP address packet filtering
  • Intrusion detection system (IDS)
  • Two-factor authentication (Correct)

Answer : Two-factor authentication

Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation?

Options are :

  • Symmetric cryptography
  • Public key infrastructure (PKI) (Correct)
  • Message authentication code
  • Message hashing

Answer : Public key infrastructure (PKI)

An e-commerce order fulfillment web server should generally be placed on which of the following?

Options are :

  • Database server
  • Internal network
  • Demilitarized zone (DMZ) (Correct)
  • Domain controller

Answer : Demilitarized zone (DMZ)

Which of the following is MOST important to the success of an information security program?

Options are :

  • Security awareness training
  • Senior management sponsorship (Correct)
  • Achievable goals and objectives
  • Adequate start-up budget and staffing

Answer : Senior management sponsorship

The advantage of Virtual Private Network (VPN) tunneling for remote users is that it:

Options are :

  • allows passwords to be changed less frequently.
  • increases security between multi-tier systems.
  • helps ensure that communications are secure. (Correct)
  • eliminates the need for secondary authentication.

Answer : helps ensure that communications are secure.

An information security manager uses security metrics to measure the:

Options are :

  • performance of the security baseline.
  • effectiveness of the incident response team.
  • performance of the information security program. (Correct)
  • effectiveness of the security risk analysis.

Answer : performance of the information security program.

The MOST important success factor to design an effective IT security awareness program is to:

Options are :

  • avoid technical content but give concrete examples.
  • ensure senior management is represented.
  • ensure that all the staff is trained.
  • customize the content to the target audience. (Correct)

Answer : customize the content to the target audience.

Primary direction on the impact of compliance with new regulatory requirements that may lead to
major application system changes should be obtained from the:

Options are :

  • system developers/analysts.
  • corporate legal counsel.
  • corporate internal auditor.
  • key business process owners. (Correct)

Answer : key business process owners.

Which of the following is MOST effective in protecting against the attack technique known as
phishing?

Options are :

  • Up-to-date signature files
  • Firewall blocking rules
  • Intrusion detection monitoring
  • Security awareness training (Correct)

Answer : Security awareness training

Security awareness training is MOST likely to lead to which of the following?

Options are :

  • Increase in reported incidents (Correct)
  • Increase in access rule violations
  • Decrease in intrusion incidents
  • Decrease in security policy changes

Answer : Increase in reported incidents

The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C)
financial web application is:

Options are :

  • Secure Sockets Layer (SSL). (Correct)
  • Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • IP Security (IPSec).
  • Secure Shell (SSH).

Answer : Secure Sockets Layer (SSL).

Which of the following is MOST effective in preventing the introduction of a code modification that
may reduce the security of a critical business application?

Options are :

  • Change management (Correct)
  • Version control
  • Security metrics
  • Patch management

Answer : Change management

Which of the following is MOST important for a successful information security program?

Options are :

  • Adequate training on emerging security technologies
  • Open communication with key process owners
  • Adequate policies, standards and procedures
  • Executive management commitment (Correct)

Answer : Executive management commitment

Which of the following is the MOST important consideration when securing customer credit card
data acquired by a point-of-sale (POS) cash register?

Options are :

  • Hardening
  • Nonrepudiation
  • Authentication
  • Encryption (Correct)

Answer : Encryption
