CISM Information Security Program Management Practice

What is the MOST important element to include when developing user security awareness material?

Options are :

  • Detailed security policies
  • Senior management endorsement
  • Easy-to-read and compelling information (Correct)
  • Information regarding social engineering

Answer : Easy-to-read and compelling information

Which of the following would be MOST critical to the successful implementation of a biometric authentication system?

Options are :

  • Password requirements
  • User acceptance (Correct)
  • Technical skills of staff
  • Budget allocation

Answer : User acceptance

What is the MOST important success factor in launching a corporate information security awareness program?

Options are :

  • Centralized program management
  • Experience of the awareness trainers
  • Top-down approach (Correct)
  • Adequate budgetary support

Answer : Top-down approach

Managing the life cycle of a digital certificate is a role of a(n):

Options are :

  • system developer.
  • system administrator.
  • security administrator.
  • independent trusted source. (Correct)

Answer : independent trusted source.

The configuration management plan should PRIMARILY be based upon input from:

Options are :

  • business process owners.
  • the information security manager.
  • the security steering committee.
  • IT senior management. (Correct)

Answer : IT senior management.

What is the GREATEST advantage of documented guidelines and operating procedures from a security perspective?

Options are :

  • Provide detailed instructions on how to carry out different types of tasks
  • Ensure reusability to meet compliance to quality requirements
  • Ensure consistency of activities to provide a more stable environment (Correct)
  • Ensure compliance to security standards and regulatory requirements

Answer : Ensure consistency of activities to provide a more stable environment

Which of the following events generally has the highest information security impact?

Options are :

  • Merging with another organization (Correct)
  • Relocating the data center
  • Rewiring the network
  • Opening a new office

Answer : Merging with another organization

Who should determine the appropriate classification of accounting ledger data located on a database server and maintained by a database administrator in the IT department?

Options are :

  • Finance department management (Correct)
  • Database administrator (DBA)
  • Information security manager
  • IT department management

Answer : Finance department management

Which of the following is the MOST effective, positive method to promote security awareness?

Options are :

  • Competitions and rewards for compliance (Correct)
  • Disciplinary action for noncompliance
  • Lock-out after three incorrect password attempts
  • Strict enforcement of password formats

Answer : Competitions and rewards for compliance

Who is responsible for raising awareness of the need for adequate funding for risk action plans?

Options are :

  • Chief financial officer (CFO)
  • Information security manager (Correct)
  • Chief information officer (CIO)
  • Business unit management

Answer : Information security manager

An information security program should focus on:

Options are :

  • key controls identified in risk assessments. (Correct)
  • continued process improvement.
  • solutions codified in international standards.
  • best practices also in place at peer companies.

Answer : key controls identified in risk assessments.

To ensure that all information security procedures are functional and accurate, they should be designed with the involvement of:

Options are :

  • audit management.
  • legal counsel.
  • operational units. (Correct)
  • end users.

Answer : operational units.

Which of the following should be in place before a black box penetration test begins?

Options are :

  • A clearly stated definition of scope (Correct)
  • IT management approval
  • Proper communication and awareness training
  • An incident response plan

Answer : A clearly stated definition of scope

What is the MOST cost-effective means of improving security awareness of staff personnel?

Options are :

  • Employee monetary incentives
  • Reporting of security infractions
  • A zero-tolerance security policy
  • User education and training (Correct)

Answer : User education and training

A third party was engaged to develop a business application. Which of the following would an information security manager BEST test for the existence of back doors?

Options are :

  • Running the application from a high-privileged account on a test system
  • Reverse engineering the application binaries
  • System monitoring for traffic on network ports
  • Security code reviews for the entire application (Correct)

Answer : Security code reviews for the entire application

Requiring all employees and contractors to meet personnel security/suitability requirements commensurate with their position sensitivity level and subject to personnel screening is an example of a security:

Options are :

  • strategy.
  • policy. (Correct)
  • baseline.
  • guideline.

Answer : policy.

The MOST important reason for formally documenting security procedures is to ensure:

Options are :

  • objective criteria for the application of metrics.
  • auditability by regulatory agencies.
  • processes are repeatable and sustainable. (Correct)
  • processes are repeatable and sustainable.

Answer : processes are repeatable and sustainable.

Which item would be the BEST to include in the information security awareness training program for new general staff employees?

Options are :

  • Review of various security models (Correct)
  • Review of roles that have privileged access
  • Discussion of vulnerability assessment results
  • Discussion of how to construct strong passwords

Answer : Review of various security models

An organization plans to outsource its customer relationship management (CRM) to a third-party service provider. Which of the following should the organization do FIRST?

Options are :

  • Audit the third-party provider to evaluate their security controls.
  • Request that the third-party provider perform background checks on their employees.
  • Perform a security assessment to detect security vulnerabilities.
  • Perform an internal risk assessment to determine needed controls. (Correct)

Answer : Perform an internal risk assessment to determine needed controls.

A critical component of a continuous improvement program for information security is:

Options are :

  • measuring processes and providing feedback. (Correct)
  • developing a service level agreement (SLA) for security.
  • tying corporate security standards to a recognized international standard.
  • ensuring regulatory compliance.

Answer : measuring processes and providing feedback

Which would be the BEST recommendation to protect against phishing attacks?

Options are :

  • Provide security awareness to the organization's staff
  • Install an antispam system
  • Publish security guidance for customers (Correct)
  • Install an application-level firewall

Answer : Publish security guidance for customers

An organization's information security manager has been asked to hire a consultant to help assess the maturity level of the organization's information security management. The MOST important element of the request for proposal (RFP) is the:

Options are :

  • past experience of the engagement team.
  • methodology used in the assessment. (Correct)
  • references from other organizations.
  • sample deliverable.

Answer : methodology used in the assessment.

The implementation of continuous monitoring controls is the BEST option where:

Options are :

  • legislation requires strong information security controls
  • legislation requires strong information security controls
  • incidents may have a high impact and frequency (Correct)
  • electronic commerce is a primary business driver

Answer : incidents may have a high impact and frequency

Which of the following is the BEST approach for an organization desiring to protect its intellectual property?

Options are :

  • Promptly remove all access when an employee leaves the organization
  • Restrict access to a need-to-know basis (Correct)
  • Conduct awareness sessions on intellectual property policy
  • Require all employees to sign a nondisclosure agreement

Answer : Restrict access to a need-to-know basis

The management staff of an organization that does not have a dedicated security function decides to use its IT manager to perform a security review. The MAIN job requirement in this arrangement is that the IT manager:

Options are :

  • have knowledge of security standards.
  • obtain support from other departments.
  • various infrastructure changes are made. (Correct)
  • report risks in other departments.

Answer : various infrastructure changes are made.

An information security manager reviewing firewall rules will be MOST concerned if the firewall allows:

Options are :

  • nonstandard protocols.
  • unregistered ports.
  • source routing. (Correct)
  • broadcast propagation.

Answer : source routing.

What is the BEST way to alleviate security team understaffing while retaining the capability in-house?

Options are :

  • Hire a contractor that would not be included in the permanent headcount
  • Provide cross training to minimize the existing resources gap
  • Establish a virtual security team from competent employees across the company (Correct)
  • Outsource with a security services provider while retaining the control internally

Answer : Establish a virtual security team from competent employees across the company

When defining a service level agreement (SLA) regarding the level of data confidentiality that is handled by a third-party service provider, the BEST indicator of compliance would be the:

Options are :

  • access control matrix. (Correct)
  • authentication mechanism.
  • data repository.
  • encryption strength.

Answer : access control matrix.

An organization has implemented an enterprise resource planning (ERP) system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate?

Options are :

  • Mandatory
  • Rule-based
  • Role-based (Correct)
  • Discretionary

Answer : Role-based

Which of the following is the MOST effective at preventing an unauthorized individual from following an authorized person through a secured entrance (tailgating or piggybacking)?

Options are :

  • Biometric scanners
  • Photo identification
  • Card-key door locks
  • Awareness training (Correct)

Answer : Awareness training

What is the MOST cost-effective means of improving security awareness of staff personnel?

Options are :

  • A zero-tolerance security policy
  • User education and training (Correct)
  • Reporting of security infractions
  • Employee monetary incentives

Answer : User education and training

The PRIMARY reason for involving information security at each stage in the systems development life cycle (SDLC) is to identify the security implications and potential solutions required for:

Options are :

  • identifying vulnerabilities in the system.
  • sustaining the organization's security posture. (Correct)
  • complying with segregation of duties.
  • the existing systems that will be affected.

Answer : sustaining the organization's security posture.

A new port needs to be opened in a perimeter firewall. Which of the following should be the FIRST step before initiating any changes?

Options are :

  • Back up the firewall configuration and policy files.
  • Conduct a penetration test.
  • Prepare an impact assessment report. (Correct)
  • Obtain approval from senior management.

Answer : Prepare an impact assessment report.

An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download nonsensitive production data for software testing purposes. The information security manager should recommend which of the following?

Options are :

  • Restrict account access to read only (Correct)
  • Log all usage of this account
  • Require that a change request be submitted for each download
  • Suspend the account and activate only when needed

Answer : Restrict account access to read only

Data owners will determine what access and authorizations users will have by:

Options are :

  • determining hierarchical preferences.
  • delegating authority to data custodian.
  • mapping to business needs. (Correct)
  • cloning existing user accounts.

Answer : mapping to business needs.

An information security manager wishing to establish security baselines would:

Options are :

  • implement the security baselines to fulfill laws and applicable regulations in different jurisdictions.
  • implement the security baselines to establish information security best practices. (Correct)
  • include appropriate measurements in the system development life cycle.
  • leverage information security as a competitive advantage.

Answer : implement the security baselines to establish information security best practices.

Which of the following is the MAIN objective in contracting with an external company to perform penetration testing?

Options are :

  • To have an independent certification of network security
  • To mitigate technical risks
  • To receive an independent view of security exposures (Correct)
  • To identify a complete list of vulnerabilities

Answer : To receive an independent view of security exposures

What is the BEST way to ensure data protection upon termination of employment?

Options are :

  • Retrieve identification badge and card keys
  • Erase all of the employee's folders
  • Ensure all logical access is removed (Correct)
  • Retrieve all personal computer equipment

Answer : Ensure all logical access is removed

Which of the following is the BEST indicator that an effective security control is built into an organization?

Options are :

  • The audit reports do not reflect any significant findings on security
  • The percentage of systems that is compliant with security standards
  • The cost of implementing a security control is less than the value of the assets
  • The monthly service level statistics indicate a minimal impact from security issues (Correct)

Answer : The monthly service level statistics indicate a minimal impact from security issues
