CISM Information Risk Management Certification Practice Test

An organization has a process in place that involves the use of a vendor. A risk assessment was completed during the development of the process. A year after the implementation, a monetary decision has been made to use a different vendor. What, if anything, should occur?

Options are :

  • A new risk assessment should be performed. (Correct)
  • A vulnerability assessment should be conducted.
  • Nothing, since a risk assessment was completed during development.
  • The new vendor's SAS 70 type II report should be reviewed.

Answer : A new risk assessment should be performed.

An information security manager is advised by contacts in law enforcement that there is evidence that his/her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:

Options are :

  • initiate awareness training to counter social engineering.
  • immediately advise senior management of the elevated risk. (Correct)
  • increase monitoring activities to provide early detection of intrusion.
  • perform a comprehensive assessment of the organization's exposure to the hacker's techniques.

Answer : immediately advise senior management of the elevated risk.

When performing a quantitative risk analysis, which of the following is MOST important to estimate the potential loss?

Options are :

  • Measure the probability of occurrence of each threat
  • Calculate the value of the information or asset (Correct)
  • Evaluate productivity losses
  • Assess the impact of confidential data disclosure

Answer : Calculate the value of the information or asset

All risk management activities are PRIMARILY designed to reduce impacts to:

Options are :

  • a level defined by the security manager.
  • the minimum level possible.
  • an acceptable level based on organizational risk tolerance. (Correct)
  • a minimum level consistent with regulatory requirements.

Answer : an acceptable level based on organizational risk tolerance.

Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level?

Options are :

  • Implement countermeasures.
  • Accept the risk
  • Eliminate the risk.
  • Transfer the risk (Correct)

Answer : Transfer the risk

After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program?

Options are :

  • Conduct a risk assessment (Correct)
  • Define security metrics
  • Procure security tools
  • Perform a gap analysis

Answer : Conduct a risk assessment

When performing an information risk analysis, an information security manager should FIRST:

Options are :

  • categorize the assets.
  • evaluate the risks to the assets.
  • establish the ownership of assets.
  • take an asset inventory. (Correct)

Answer : take an asset inventory.

After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?

Options are :

  • Information security officer
  • Chief executive officer (CEO)
  • Chief information officer (CIO)
  • Business owner (Correct)

Answer : Business owner

The valuation of IT assets should be performed by:

Options are :

  • the chief financial officer (CFO).
  • an IT security manager.
  • the information owner (Correct)
  • an independent security consultant.

Answer : the information owner

When a significant security breach occurs, what should be reported FIRST to senior management?

Options are :

  • An explanation of the incident and corrective action taken (Correct)
  • A business case for implementing stronger logical access controls
  • A summary of the security logs that illustrates the sequence of events
  • An analysis of the impact of similar attacks at other organizations

Answer : An explanation of the incident and corrective action taken

Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?

Options are :

  • Assignment of risk within the organization
  • Comparison of the program results with industry standards
  • Participation by all members of the organization (Correct)
  • User assessments of changes

Answer : Participation by all members of the organization

To ensure that payroll systems continue to operate in the event of a hurricane hitting a data center, what would be the FIRST crucial step an information security manager would take in ensuring business continuity planning?

Options are :

  • Weighing the cost of implementing the plan vs. financial loss.
  • Conducting a qualitative and quantitative risk analysis.
  • Conducting a business impact analysis (BIA). (Correct)
  • Assigning value to the assets.

Answer : Conducting a business impact analysis (BIA).

Risk assessment is MOST effective when performed:

Options are :

  • at the beginning of security program development.
  • on a continuous basis (Correct)
  • while developing the business case for the security program.
  • during the business change process.

Answer : on a continuous basis

There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk?

Options are :

  • Minimize the use of vulnerable systems
  • Communicate the vulnerability to system users
  • Update the signatures database of the intrusion detection system (IDS)
  • Identify the vulnerable systems and apply compensating controls (Correct)

Answer : Identify the vulnerable systems and apply compensating controls

After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be:

Options are :

  • accepted. (Correct)
  • terminated.
  • treated.
  • transferred.

Answer : accepted.

A risk management approach to information protection is:

Options are :

  • implementing a training program to educate individuals on information protection and risks.
  • managing risk tools to ensure that they assess all information protection vulnerabilities.
  • managing risks to an acceptable level, commensurate with goals and objectives. (Correct)
  • accepting the security posture provided by commercial security products.

Answer : managing risks to an acceptable level, commensurate with goals and objectives.

Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?

Options are :

  • Custodian
  • Manager
  • User
  • Owner (Correct)

Answer : Owner

The PRIMARY benefit of performing an information asset classification is to:

Options are :

  • establish ownership.
  • identify controls commensurate to risk. (Correct)
  • link security requirements to business objectives.
  • define access rights.

Answer : identify controls commensurate to risk.

Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?

Options are :

  • Penetration testing
  • Annual loss expectancy (ALE) calculation
  • Frequent risk assessment programs
  • Countermeasure cost-benefit analysis (Correct)

Answer : Countermeasure cost-benefit analysis

Previously accepted risk should be:

Options are :

  • re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions. (Correct)
  • accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable.
  • removed from the risk log once it is accepted.
  • avoided next time since risk avoidance provides the best protection to the company.

Answer : re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions.

Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?

Options are :

  • Audit and review
  • Threat analysis
  • Penetration testing (Correct)
  • Business impact analysis (BIA)

Answer : Penetration testing

To determine the selection of controls required to meet business objectives, an information security manager should:

Options are :

  • focus on key controls. (Correct)
  • focus on automated controls.
  • prioritize the use of role-based access controls.
  • restrict controls to only critical applications.

Answer : focus on key controls.

In assessing the degree to which an organization may be affected by new privacy legislation, information security management should FIRST:

Options are :

  • identify systems and processes that contain privacy components. (Correct)
  • identify privacy legislation in other countries that may contain similar requirements.
  • restrict the collection of personal information until compliant.
  • develop an operational plan for achieving compliance with the legislation.

Answer : identify systems and processes that contain privacy components.

Which of the following attacks is BEST mitigated by utilizing strong passwords?

Options are :

  • Brute force attack (Correct)
  • Man-in-the-middle attack
  • Remote buffer overflow
  • Root kit

Answer : Brute force attack

Phishing is BEST mitigated by which of the following?

Options are :

  • Encryption
  • User awareness (Correct)
  • Two-factor authentication
  • Security monitoring software

Answer : User awareness

The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for:

Options are :

  • determining the overall budget of an information security program.
  • defining the level of access controls. (Correct)
  • justifying costs for information resources.
  • determining the scope for inclusion in an information security program.

Answer : defining the level of access controls.

Which of the following is MOST essential for a risk management program to be effective?

Options are :

  • New risks detection (Correct)
  • Accurate risk reporting
  • Sound risk baseline
  • Flexible security budget

Answer : New risks detection

When implementing security controls, an information security manager must PRIMARILY focus on:

Options are :

  • minimizing operational impacts. (Correct)
  • eliminating all vulnerabilities.
  • usage by similar organizations.
  • certification from a third party.

Answer : minimizing operational impacts.

The purpose of a corrective control is to:

Options are :

  • reduce adverse events.
  • indicate compromise.
  • mitigate impact. (Correct)
  • ensure compliance.

Answer : mitigate impact.

Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?

Options are :

  • Basing the information security infrastructure on risk assessment (Correct)
  • Initiating IT security training and familiarization
  • Considering personal information devices as part of the security policy
  • Performing a business impact analysis (BIA)

Answer : Basing the information security infrastructure on risk assessment

Which of the following steps should be performed FIRST in the risk assessment process?

Options are :

  • Threat identification
  • Asset identification and valuation (Correct)
  • Staff interviews
  • Determination of the likelihood of identified risks

Answer : Asset identification and valuation

The MOST appropriate owner of customer data stored in a central database, used only by an organization's sales department, would be the:

Options are :

  • chief information officer (CIO).
  • head of the sales department. (Correct)
  • database administrator.
  • sales department.

Answer : head of the sales department.

Before conducting a formal risk assessment of an organization's information resources, an information security manager should FIRST:

Options are :

  • identify the value of the critical assets.
  • review available sources of risk information.
  • map the major threats to business objectives. (Correct)
  • determine the financial impact if threats materialize.

Answer : map the major threats to business objectives.

Which of the following is the MAIN reason for performing risk assessment on a continuous basis?

Options are :

  • Management needs to be continually informed about emerging risks.
  • New vulnerabilities are discovered every day.
  • Justification of the security budget must be continually made.
  • The risk environment is constantly changing. (Correct)

Answer : The risk environment is constantly changing.

Which of the following authentication methods prevents authentication replay?

Options are :

  • Password hash implementation
  • Challenge/response mechanism (Correct)
  • HTTP Basic Authentication
  • Wired Equivalent Privacy (WEP) encryption usage

Answer : Challenge/response mechanism

The PRIMARY objective of a risk management program is to:

Options are :

  • implement effective controls.
  • eliminate business risk.
  • minimize residual risk. (Correct)
  • minimize inherent risk.

Answer : minimize residual risk.
