CISM Certified Information Security Manager Test Practice

One way to determine control effectiveness is by determining:

Options are :

  • whether it is preventive, detective or compensatory.
  • the evaluation and analysis of reliability.
  • the capability of providing notification of failure.
  • the test results of intended objectives. (Correct)

Answer : the test results of intended objectives.

What does a network vulnerability assessment intend to identify?

Options are :

  • 0-day vulnerabilities
  • Misconfiguration and missing updates (Correct)
  • Malicious software and spyware
  • Security design flaws

Answer : Misconfiguration and missing updates

The systems administrator did not immediately notify the security officer about a malicious attack.
An information security manager could prevent this situation by: 

Options are :

  • establishing mandatory training of all personnel.
  • periodically testing the incident response plans. (Correct)
  • regularly testing the intrusion detection system (IDS).
  • periodically reviewing incident response procedures.

Answer : periodically testing the incident response plans.

Risk assessment should be built into which of the following systems development phases to
ensure that risks are addressed in a development project?

Options are :

  • Specification
  • Programming
  • User testing
  • Feasibility (Correct)

Answer : Feasibility

An organization has to comply with recently published industry regulatory
requirements—compliance that potentially has high implementation costs. What should the
information security manager do FIRST?

Options are :

  • Perform a gap analysis. (Correct)
  • Implement compensating controls.
  • Implement a security committee.
  • Demand immediate compliance.

Answer : Perform a gap analysis.

The MAIN reason why asset classification is important to a successful information security
program is because classification determines:

Options are :

  • the appropriate level of protection to the asset. (Correct)
  • how protection levels compare to peer organizations.
  • the amount of insurance needed in case of loss.
  • the priority and extent of risk mitigation efforts.

Answer : the appropriate level of protection to the asset.

A risk management program would be expected to:

Options are :

  • implement preventive controls for every threat.
  • maintain residual risk at an acceptable level. (Correct)
  • reduce control risk to zero.
  • remove all inherent risk.

Answer : maintain residual risk at an acceptable level.

Which of the following is the PRIMARY prerequisite to implementing data classification within an
organization?

Options are :

  • Performing a risk assessment
  • Defining job roles
  • Identifying data owners (Correct)
  • Establishing data retention policies

Answer : Identifying data owners

Which of the following would help management determine the resources needed to mitigate a risk
to the organization? 

Options are :

  • Risk-based audit program
  • Risk analysis process
  • Business impact analysis (BIA) (Correct)
  • Risk management balanced scorecard

Answer : Business impact analysis (BIA)

A common concern with poorly written web applications is that they can allow an attacker to:

Options are :

  • abuse a race condition.
  • inject structured query language (SQL) statements. (Correct)
  • gain control through a buffer overflow.
  • conduct a distributed denial-of-service (DDoS) attack.

Answer : inject structured query language (SQL) statements.

Which of the following steps in conducting a risk assessment should be performed FIRST?

Options are :

  • Assess vulnerabilities
  • Identify business risks
  • Evaluate key controls
  • Identify business assets (Correct)

Answer : Identify business assets

The security responsibility of data custodians in an organization will include:

Options are :

  • implementing security controls in products they install.
  • determining data classification levels.
  • assuming overall protection of information assets.
  • ensuring security measures are consistent with policy. (Correct)
  • None of the above

Answer : ensuring security measures are consistent with policy.

Which of the following would be of GREATEST importance to the security manager in determining
whether to accept residual risk? 

Options are :

  • Historical cost of the asset
  • Annualized loss expectancy (ALE)
  • Acceptable level of potential business impacts
  • Cost versus benefit of additional mitigating controls (Correct)

Answer : Cost versus benefit of additional mitigating controls

What is the BEST technique to determine which security controls to implement with a limited
budget?

Options are :

  • Impact analysis
  • Annualized loss expectancy (ALE) calculations
  • Risk analysis
  • Cost-benefit analysis (Correct)

Answer : Cost-benefit analysis
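The two questions above (accepting residual risk on a cost-versus-benefit basis, and choosing controls under a limited budget) both rest on annualized loss expectancy. The following is an added worked example, not part of the original practice test, in Python. The risk scenarios, control costs and residual figures are constructed for illustration, not taken from the page. It computes the net annual benefit of each candidate control (risk reduction minus control cost), then picks the combination that maximises net benefit within a budget; the ALE that remains after the chosen controls is the residual risk management is asked to accept.

```python
from itertools import product

# Constructed risk scenarios: single loss expectancy and annual rate of occurrence.
RISKS = {
    "ransomware": {"sle": 400_000, "aro": 0.25},      # ALE 100,000
    "web_defacement": {"sle": 20_000, "aro": 2.0},     # ALE 40,000
    "lost_laptop": {"sle": 5_000, "aro": 4.0},         # ALE 20,000
}

# Candidate controls per risk (illustrative): annual cost and the SLE/ARO that
# remain once the control is in place.
CONTROLS = {
    "ransomware": [
        {"name": "offline backups", "cost": 15_000, "residual_sle": 400_000, "residual_aro": 0.10},
        {"name": "EDR", "cost": 50_000, "residual_sle": 400_000, "residual_aro": 0.05},
    ],
    "web_defacement": [
        {"name": "WAF", "cost": 12_000, "residual_sle": 20_000, "residual_aro": 0.5},
    ],
    "lost_laptop": [
        {"name": "full-disk encryption", "cost": 3_000, "residual_sle": 500, "residual_aro": 4.0},
    ],
}


def ale(sle, aro):
    """Annualized loss expectancy = single loss expectancy x annual rate of occurrence."""
    return sle * aro


def control_net_benefit(risk, control):
    """Annual risk reduction the control buys, minus its annual cost.
    Negative means the control costs more than the risk it removes and the
    residual risk should be accepted instead."""
    before = ale(risk["sle"], risk["aro"])
    after = ale(control["residual_sle"], control["residual_aro"])
    return before - after - control["cost"]


def select_controls(risks, controls, budget):
    """Choose at most one control per risk so that total cost stays within
    budget and total net benefit is maximised. Exhaustive search over all
    combinations, which is fine for a handful of risks."""
    names = list(risks)
    option_lists = [[None] + controls.get(name, []) for name in names]
    best = None
    for choice in product(*option_lists):
        cost = sum(c["cost"] for c in choice if c)
        if cost > budget:
            continue
        benefit = sum(control_net_benefit(risks[n], c) for n, c in zip(names, choice) if c)
        if best is None or benefit > best["net_benefit"]:
            best = {
                "controls": {n: c["name"] for n, c in zip(names, choice) if c},
                "cost": cost,
                "net_benefit": benefit,
                # Residual ALE: what is left for management to accept.
                "residual_ale": sum(
                    ale(c["residual_sle"], c["residual_aro"]) if c
                    else ale(risks[n]["sle"], risks[n]["aro"])
                    for n, c in zip(names, choice)
                ),
            }
    return best


if __name__ == "__main__":
    for budget in (20_000, 30_000):
        print(budget, select_controls(RISKS, CONTROLS, budget))
```

With a 30,000 budget the search takes offline backups, the WAF and full-disk encryption (net benefit 78,000, residual ALE 52,000); EDR is never chosen because its net benefit is lower than backups for the same risk and it alone exceeds the budget. Dropping the budget to 20,000 leaves the WAF out, and the 40,000 web defacement ALE becomes residual risk to be accepted or revisited when the budget changes.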

The BEST strategy for risk management is to:

Options are :

  • ensure that all unmitigated risks are accepted by management.
  • ensure that policy development properly considers organizational risks.
  • reduce risk to an acceptable level. (Correct)
  • achieve a balance between risk and organizational goals.

Answer : reduce risk to an acceptable level.

The PRIMARY reason for initiating a policy exception process is when:

Options are :

  • operations are too busy to comply.
  • users may initially be inconvenienced.
  • policy compliance would be difficult to enforce.
  • the risk is justified by the benefit. (Correct)

Answer : the risk is justified by the benefit

Which would be one of the BEST metrics an information security manager can employ to
effectively evaluate the results of a security program?

Options are :

  • Number of controls implemented
  • Percent of compliance with the security policy
  • Reduction in the number of reported security incidents
  • Percent of control objectives accomplished (Correct)

Answer : Percent of control objectives accomplished

Which of the following is MOST effective in preventing weaknesses from being introduced into
existing production systems? 

Options are :

  • Security baselines
  • Patch management
  • Change management (Correct)
  • Virus detection

Answer : Change management

Which of the following is the MOST effective solution for preventing internal users from modifying
sensitive and classified information?

Options are :

  • Exit routines
  • System access violation logs
  • Baseline security standards
  • Role-based access controls (Correct)

Answer : Role-based access controls

All risk management activities are PRIMARILY designed to reduce impacts to:

Options are :

  • the minimum level possible.
  • a level defined by the security manager.
  • a minimum level consistent with regulatory requirements.
  • an acceptable level based on organizational risk tolerance. (Correct)

Answer : an acceptable level based on organizational risk tolerance.

Previously accepted risk should be: 

Options are :

  • accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable.
  • avoided next time since risk avoidance provides the best protection to the company.
  • re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions (Correct)
  • removed from the risk log once it is accepted.

Answer : re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions

An extranet server should be placed: 

Options are :

  • on the external router.
  • outside the firewall.
  • on the firewall server.
  • on a screened subnet. (Correct)

Answer : on a screened subnet.

The MOST effective use of a risk register is to:

Options are :

  • record the annualized financial amount of expected losses due to risks.
  • identify threats and probabilities.
  • facilitate a thorough review of all IT-related risks on a periodic basis. (Correct)
  • identify risks and assign roles and responsibilities for mitigation.

Answer : facilitate a thorough review of all IT-related risks on a periodic basis.

After obtaining commitment from senior management, which of the following should be completed
NEXT when establishing an information security program?

Options are :

  • Define security metrics
  • Procure security tools
  • Perform a gap analysis
  • Conduct a risk assessment (Correct)

Answer : Conduct a risk assessment

When a proposed system change violates an existing security standard, the conflict would be
BEST resolved by: 

Options are :

  • calculating the residual risk. (Correct)
  • redesigning the system change.
  • enforcing the security standard.
  • implementing mitigating controls.

Answer : calculating the residual risk.

The BEST reason for an organization to have two discrete firewalls connected directly to the
Internet and to the same DMZ would be to:

Options are :

  • separate test and production.
  • prevent a denial-of-service attack.
  • provide in-depth defense.
  • permit traffic load balancing. (Correct)

Answer : permit traffic load balancing.

Which of the following devices should be placed within a DMZ?

Options are :

  • Router
  • Authentication server
  • Firewall
  • Mail relay (Correct)

Answer : Mail relay

An organization has decided to implement additional security controls to treat the risks of a new
process. This is an example of: 

Options are :

  • eliminating the risk.
  • transferring the risk.
  • mitigating the risk. (Correct)
  • accepting the risk.

Answer : mitigating the risk.

Who can BEST advocate the development of and ensure the success of an information security
program?

Options are :

  • Steering committee (Correct)
  • Chief operating officer (COO)
  • IT management
  • Internal auditor

Answer : Steering committee

Which of the following is the BEST metric for evaluating the effectiveness of security awareness
training? The number of:

Options are :

  • password resets.
  • incidents resolved.
  • reported incidents. (Correct)
  • access rule violations.

Answer : reported incidents.

To ensure that payroll systems continue operating in the event of a hurricane hitting a data center, what
would be the FIRST crucial step an information security manager would take in ensuring business continuity planning?

Options are :

  • Conducting a qualitative and quantitative risk analysis
  • Conducting a business impact analysis (BIA). (Correct)
  • Assigning value to the assets
  • Weighing the cost of implementing the plan vs. financial loss.

Answer : Conducting a business impact analysis (BIA).

An information security manager is advised by contacts in law enforcement that there is evidence
that his/her company is being targeted by a skilled gang of hackers known to use a variety of
techniques, including social engineering and network penetration. The FIRST step that the
security manager should take is to: 

Options are :

  • perform a comprehensive assessment of the organization's exposure to the hacker's techniques.
  • increase monitoring activities to provide early detection of intrusion.
  • immediately advise senior management of the elevated risk. (Correct)
  • initiate awareness training to counter social engineering.

Answer : immediately advise senior management of the elevated risk.

An intranet server should generally be placed on the: 

Options are :

  • firewall server.
  • primary domain controller.
  • internal network. (Correct)
  • external router.

Answer : internal network.

When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:

Options are :

  • financial penalties clause.
  • right-to-terminate clause.
  • limitations of liability.
  • service level agreement (SLA). (Correct)

Answer : service level agreement (SLA)
