CISM Information Risk Management Certification

The security responsibility of data custodians in an organization will include:

Options are :

  • determining data classification levels
  • implementing security controls in products they install.
  • assuming overall protection of information assets.
  • ensuring security measures are consistent with policy. (Correct)

Answer : ensuring security measures are consistent with policy.

The PRIMARY purpose of using risk analysis within a security program is to:

Options are :

  • justify the security expenditure.
  • assess exposures and plan remediation.
  • inform executive management of residual risk value. (Correct)
  • help businesses prioritize the assets to be protected

Answer : inform executive management of residual risk value.

A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN). What should the security manager do FIRST?

Options are :

  • Understand the business requirements of the developer portal (Correct)
  • Install an intrusion detection system (IDS)
  • Perform a vulnerability assessment of the developer portal
  • Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server

Answer : Understand the business requirements of the developer portal

What is the BEST technique to determine which security controls to implement with a limited budget?

Options are :

  • Impact analysis
  • Cost-benefit analysis (Correct)
  • Annualized loss expectancy (ALE) calculations
  • Risk analysis

Answer : Cost-benefit analysis

Which of the following risks is represented in the risk appetite of an organization?

Options are :

  • Control
  • Inherent
  • Audit
  • Residual (Correct)

Answer : Residual

Which of the following would BEST address the risk of data leakage?

Options are :

  • File backup procedures
  • Acceptable use policies (Correct)
  • Database integrity checks
  • Incident response procedures

Answer : Acceptable use policies

Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?

Options are :

  • Establishing data retention policies
  • Performing a risk assessment
  • Identifying data owners (Correct)
  • Defining job roles

Answer : Identifying data owners

Which of the following measures would be MOST effective against insider threats to confidential information?

Options are :

  • Defense-in-depth
  • Role-based access control (Correct)
  • Audit trail monitoring
  • Privacy policy

Answer : Role-based access control

Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?

Options are :

  • Annualized loss expectancy (ALE)
  • Cost versus benefit of additional mitigating controls (Correct)
  • Acceptable level of potential business impacts
  • Historical cost of the asset

Answer : Cost versus benefit of additional mitigating controls

A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected?

Options are :

  • Data classification policy (Correct)
  • Encryption standards
  • Access control policy
  • Acceptable use policy

Answer : Data classification policy

A common concern with poorly written web applications is that they can allow an attacker to:

Options are :

  • abuse a race condition.
  • inject structured query language (SQL) statements (Correct)
  • gain control through a buffer overflow
  • conduct a distributed denial of service (DoS) attack.

Answer : inject structured query language (SQL) statements

Which of the following steps in conducting a risk assessment should be performed FIRST?

Options are :

  • Identify business assets (Correct)
  • Identify business risks
  • Assess vulnerabilities
  • Evaluate key controls

Answer : Identify business assets

What mechanisms are used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system?

Options are :

  • Incident response processes
  • System performance metrics
  • Security gap analyses (Correct)
  • Business impact analyses

Answer : Security gap analyses

Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company's policies. An information security manager should:

Options are :

  • conduct a risk assessment and allow or disallow based on the outcome.
  • recommend a risk assessment and implementation only if the residual risks are accepted. (Correct)
  • recommend revision of current policy.
  • recommend against implementation because it violates the company's policies.

Answer : recommend a risk assessment and implementation only if the residual risks are accepted.

The criticality and sensitivity of information assets is determined on the basis of:

Options are :

  • threat assessment
  • impact assessment. (Correct)
  • vulnerability assessment.
  • resource dependency assessment.

Answer : impact assessment.

A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that:

Options are :

  • the likelihood of the risk occurring is unknown.
  • the needed countermeasure is too complicated to deploy.
  • there are sufficient safeguards in place to prevent this risk from happening.
  • the cost of countermeasure outweighs the value of the asset and potential loss. (Correct)

Answer : the cost of countermeasure outweighs the value of the asset and potential loss.

Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a large, multinational enterprise?

Options are :

  • assess exposures and plan remediation. (Correct)
  • Upcoming financial results
  • Strategic business plan
  • Customer personal information

Answer : assess exposures and plan remediation.

The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:

Options are :

  • periodically testing the incident response plans. (Correct)
  • periodically reviewing incident response procedures.
  • regularly testing the intrusion detection system (IDS).
  • establishing mandatory training of all personnel.

Answer : periodically testing the incident response plans.

Which program element should be implemented FIRST in asset classification and control?

Options are :

  • Valuation (Correct)
  • Risk mitigation
  • Risk assessment
  • Classification

Answer : Valuation

Which of the following would help management determine the resources needed to mitigate a risk to the organization?

Options are :

  • Risk-based audit program
  • Risk management balanced scorecard
  • Risk analysis process
  • Business impact analysis (BIA) (Correct)

Answer : Business impact analysis (BIA)

Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?

Options are :

  • Reduction in the number of reported security incidents
  • Number of controls implemented
  • Percent of compliance with the security policy
  • Percent of control objectives accomplished (Correct)

Answer : Percent of control objectives accomplished

A security risk assessment exercise should be repeated at regular intervals because:

Options are :

  • business threats are constantly changing (Correct)
  • they help raise awareness on security in the business.
  • repetitive assessments allow various methodologies.
  • omissions in earlier assessments can be addressed.

Answer : business threats are constantly changing

After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:

Options are :

  • make the customer liable for losses if they fail to follow the bank's advice
  • implement monitoring techniques to detect and react to potential fraud (Correct)
  • increase its customer awareness efforts in those regions
  • outsource credit card processing to a third party.

Answer : implement monitoring techniques to detect and react to potential fraud

An online banking institution is concerned that the breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to:

Options are :

  • implement a real-time intrusion detection system.
  • increase the resiliency of security measures in place.
  • mitigate the impact by purchasing insurance. (Correct)
  • implement a circuit-level firewall to protect the network.

Answer : mitigate the impact by purchasing insurance.

A risk management program would be expected to:

Options are :

  • maintain residual risk at an acceptable level (Correct)
  • reduce control risk to zero.
  • implement preventive controls for every threat.
  • remove all inherent risk.

Answer : maintain residual risk at an acceptable level

Attackers who exploit cross-site scripting vulnerabilities take advantage of:

Options are :

  • weak authentication controls in the web application layer.
  • implicit web application trust relationships.
  • a lack of proper input validation controls. (Correct)
  • flawed cryptographic secure sockets layer (SSL) implementations and short key lengths.

Answer : a lack of proper input validation controls.

A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account?

Options are :

  • Ask for a vendor patch
  • Prevent the system from being accessed remotely
  • Track usage of the account by audit trails
  • Create a strong random password (Correct)

Answer : Create a strong random password

Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?

Options are :

  • Specification
  • Feasibility (Correct)
  • User testing
  • Programming

Answer : Feasibility

Which of the following would a security manager establish to determine the target for restoration of normal processing?

Options are :

  • Recovery time objective (RTO) (Correct)
  • Recovery point objectives (RPOs)
  • Maximum tolerable outage (MTO)
  • Services delivery objectives (SDOs)

Answer : Recovery time objective (RTO)

A company's mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?

Options are :

  • A security baseline review
  • A risk assessment (Correct)
  • A penetration test
  • A business impact analysis (BIA)

Answer : A risk assessment

A risk management program should reduce risk to:

Options are :

  • an acceptable percent of revenue.
  • zero.
  • an acceptable probability of occurrence.
  • an acceptable level. (Correct)

Answer : an acceptable level.

The MOST effective way to incorporate risk management practices into existing production systems is through:

Options are :

  • policy development.
  • regular monitoring
  • change management. (Correct)
  • awareness training.

Answer : change management.

Which of the following results from the risk assessment process would BEST assist risk management decision making?

Options are :

  • Residual risk (Correct)
  • Control risk
  • Inherent risk
  • Risk exposure

Answer : Residual risk
