CISM Information Risk Management Certification Test

During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?

Options are :

  • Development
  • Feasibility (Correct)
  • Testing
  • Design

Answer : Feasibility

Risk management programs are designed to reduce risk to:

Options are :

  • a rate of return that equals the current cost of capital.
  • a level that is too small to be measurable
  • the point at which the benefit exceeds the expense.
  • a level that the organization is willing to accept (Correct)

Answer : a level that the organization is willing to accept

Which of the following will BEST protect an organization from internal security attacks?

Options are :

  • Static IP addressing
  • Employee awareness certification program
  • Prospective employee background checks (Correct)
  • Internal address translation

Answer : Prospective employee background checks

For risk management purposes, the value of an asset should be based on:

Options are :

  • net present value.
  • original cost.
  • replacement cost. (Correct)
  • net cash flow.

Answer : replacement cost.

The MOST important function of a risk management program is to:

Options are :

  • maximize the sum of all annualized loss expectancies (ALEs).
  • quantify overall risk.
  • minimize residual risk. (Correct)
  • eliminate inherent risk.

Answer : minimize residual risk.

What does a network vulnerability assessment intend to identify?

Options are :

  • Misconfiguration and missing updates (Correct)
  • 0-day vulnerabilities
  • Malicious software and spyware
  • Security design flaws

Answer : Misconfiguration and missing updates

The MAIN reason why asset classification is important to a successful information security program is because classification determines:

Options are :

  • the amount of insurance needed in case of loss
  • how protection levels compare to peer organizations.
  • the appropriate level of protection to the asset. (Correct)
  • the priority and extent of risk mitigation efforts.

Answer : the appropriate level of protection to the asset.

Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data?

Options are :

  • Intrinsic value of the data stored on the equipment (Correct)
  • Sufficient coverage of the insurance policy for accidental losses
  • Disclosure of personal information
  • Replacement cost of the equipment

Answer : Intrinsic value of the data stored on the equipment

Acceptable risk is achieved when:

Options are :

  • residual risk is minimized (Correct)
  • control risk is minimized.
  • transferred risk is minimized.
  • inherent risk is minimized.

Answer : residual risk is minimized

The recovery time objective (RTO) is reached at which of the following milestones?

Options are :

  • Recovery of the backups
  • Restoration of the system (Correct)
  • Return to business as usual processing
  • Disaster declaration

Answer : Restoration of the system

Risk acceptance is a component of which of the following?

Options are :

  • Monitoring
  • Mitigation (Correct)
  • Evaluation
  • Assessment

Answer : Mitigation

A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures?

Options are :

  • Amount of IT budget available
  • Audit report findings
  • Penetration test results
  • Risk analysis results (Correct)

Answer : Risk analysis results

One way to determine control effectiveness is by determining:

Options are :

  • the test results of intended objectives. (Correct)
  • whether it is preventive, detective or compensatory.
  • the capability of providing notification of failure
  • the evaluation and analysis of reliability.

Answer : the test results of intended objectives.

The MOST important reason for conducting periodic risk assessments is because:

Options are :

  • risk assessments are not always precise.
  • security risks are subject to frequent change. (Correct)
  • reviewers can optimize and reduce the cost of controls.
  • it demonstrates to senior management that the security function can add value.

Answer : security risks are subject to frequent change.

Which of the following would generally have the GREATEST negative impact on an organization?

Options are :

  • Theft of computer software
  • Internal fraud resulting in monetary loss
  • Interruption of utility services
  • Loss of customer confidence (Correct)

Answer : Loss of customer confidence

Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)?

Options are :

  • Gap analysis
  • Risk analysis
  • Business impact analysis (Correct)
  • Regression analysis

Answer : Business impact analysis

A risk mitigation report would include recommendations for:

Options are :

  • assessment.
  • quantification.
  • evaluation.
  • acceptance (Correct)

Answer : acceptance

An organization has to comply with recently published industry regulatory requirements, and compliance potentially has high implementation costs. What should the information security manager do FIRST?

Options are :

  • Demand immediate compliance.
  • Perform a gap analysis (Correct)
  • Implement compensating controls.
  • Implement a security committee.

Answer : Perform a gap analysis

The decision on whether new risks should fall under periodic or event-driven reporting should be based on which of the following?

Options are :

  • Visibility of impact (Correct)
  • Mitigating controls
  • Incident frequency
  • Likelihood of occurrence

Answer : Visibility of impact

When performing a risk assessment, the MOST important consideration is that:

Options are :

  • annual loss expectations (ALEs) have been calculated for critical assets.
  • attack motives, means and opportunities be understood.
  • assets have been identified and appropriately valued. (Correct)
  • management supports risk mitigation efforts.

Answer : assets have been identified and appropriately valued.

In a business impact analysis, the value of an information system should be based on the overall cost:

Options are :

  • of recovery.
  • to recreate.
  • of emergency operations.
  • if unavailable. (Correct)

Answer : if unavailable.

The BEST strategy for risk management is to:

Options are :

  • reduce risk to an acceptable level. (Correct)
  • ensure that policy development properly considers organizational risks.
  • ensure that all unmitigated risks are accepted by management.
  • achieve a balance between risk and organizational goals.

Answer : reduce risk to an acceptable level.

Who is responsible for ensuring that information is classified?

Options are :

  • Data owner (Correct)
  • Custodian
  • Security manager
  • Senior management

Answer : Data owner

A risk assessment should be conducted:

Options are :

  • annually or whenever there is a significant change. (Correct)
  • by external parties to maintain objectivity.
  • once a year for each business process and subprocess.
  • every three to six months for critical business processes.

Answer : annually or whenever there is a significant change.

Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?

Options are :

  • Frequency of incidents
  • Approved budget for the project
  • Total cost of ownership (TCO) (Correct)
  • Annual loss expectancy (ALE) of incidents

Answer : Total cost of ownership (TCO)

Which of the following BEST indicates a successful risk management practice?

Options are :

  • Inherent risk is eliminated
  • Overall risk is quantified
  • Residual risk is minimized (Correct)
  • Control risk is tied to business units

Answer : Residual risk is minimized

The value of information assets is BEST determined by:

Options are :

  • individual business managers. (Correct)
  • business systems analysts.
  • industry averages benchmarking.
  • information security management.

Answer : individual business managers.

Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following?

Options are :

  • Heat charts (Correct)
  • Venn diagrams
  • Tree diagrams
  • Bar charts

Answer : Heat charts

The PRIMARY goal of a corporate risk management program is to ensure that an organization's:

Options are :

  • business risks are addressed by preventive controls.
  • IT assets in key business functions are protected.
  • stated objectives are achievable. (Correct)
  • IT facilities and systems are always available.

Answer : stated objectives are achievable.

Which of the following is the MOST usable deliverable of an information security risk analysis?

Options are :

  • Assignment of risks to process owners
  • List of action items to mitigate risk (Correct)
  • Business impact analysis (BIA) report
  • Quantification of organizational risk

Answer : List of action items to mitigate risk

When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify:

Options are :

  • the information security steering committee
  • data owners who may be impacted. (Correct)
  • customers who may be impacted.
  • regulatory agencies overseeing privacy.

Answer : data owners who may be impacted.

Which of the following is the PRIMARY reason for implementing a risk management program?

Options are :

  • Allows the organization to eliminate risk
  • Assists in incrementing the return on investment (ROI)
  • Satisfies audit and regulatory requirements
  • Is a necessary part of management's due diligence (Correct)

Answer : Is a necessary part of management's due diligence

Information security managers should use risk assessment techniques to:

Options are :

  • justify selection of risk mitigation strategies. (Correct)
  • quantify risks that would otherwise be subjective.
  • maximize the return on investment (ROI).
  • provide documentation for auditors and regulators.

Answer : justify selection of risk mitigation strategies.
