CISM Information Security Program Management Test

To help ensure that contract personnel do not obtain unauthorized access to sensitive information, an information security manager should PRIMARILY:

Options are :

  • ensure they successfully pass background checks.
  • avoid granting system administration roles. (Correct)
  • ensure their access is approved by the data owner.
  • set their accounts to expire in six months or less.

Answer : avoid granting system administration roles.

Which of the following represents a PRIMARY area of interest when conducting a penetration test?

Options are :

  • Network mapping (Correct)
  • Intrusion Detection System (IDS)
  • Customer data
  • Data mining

Answer : Network mapping

The BEST way to determine if an anomaly-based intrusion detection system (IDS) is properly installed is to:

Options are :

  • benchmark the IDS against a peer site.
  • audit the configuration of the IDS.
  • simulate an attack and review IDS performance. (Correct)
  • use a honeypot to check for unusual activity.

Answer : simulate an attack and review IDS performance.

Which of the following areas is MOST susceptible to the introduction of security weaknesses?

Options are :

  • Incident response management
  • Configuration management (Correct)
  • Database management
  • Tape backup management

Answer : Configuration management

Prior to having a third party perform an attack and penetration test against an organization, the MOST important action is to ensure that:

Options are :

  • special backups of production servers are taken.
  • the third party provides a demonstration on a test system.
  • the technical staff has been briefed on what to expect.
  • goals and objectives are clearly defined. (Correct)

Answer : goals and objectives are clearly defined.

The BEST time to perform a penetration test is after:

Options are :

  • various infrastructure changes are made. (Correct)
  • an audit has reported weaknesses in security controls.
  • a high turnover in systems staff.
  • an attempted penetration has occurred.

Answer : various infrastructure changes are made.

Which of the following will BEST ensure that management takes ownership of the decision making process for information security?

Options are :

  • Security policies and procedures
  • Security awareness campaigns
  • Security steering committees (Correct)
  • Annual self-assessment by management

Answer : Security steering committees

Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?

Options are :

  • Operating system (OS) security patches have not been applied (Correct)
  • User ad hoc reporting is not logged
  • Database security defaults to ERP settings
  • Network traffic is through a single switch

Answer : Operating system (OS) security patches have not been applied

Which of the following is MOST important to the successful promotion of good security management practices?

Options are :

  • Management support (Correct)
  • Security metrics
  • Security baselines
  • Periodic training

Answer : Management support

Security awareness training should be provided to new employees:

Options are :

  • during system user training.
  • before they have access to data. (Correct)
  • along with department staff.
  • on an as-needed basis.

Answer : before they have access to data.

Which of the following will BEST protect against malicious activity by a former employee?

Options are :

  • Effective termination procedures (Correct)
  • Preemployment screening
  • Close monitoring of users
  • Periodic awareness training

Answer : Effective termination procedures

Of the following, the BEST method for ensuring that temporary employees do not receive excessive access rights is:

Options are :

  • lattice-based access controls.
  • mandatory access controls.
  • role-based access controls. (Correct)
  • discretionary access controls.

Answer : role-based access controls.

The PRIMARY objective of security awareness is to:

Options are :

  • ensure that security policies are understood.
  • influence employee behavior. (Correct)
  • notify of actions for noncompliance.
  • ensure legal and regulatory compliance.

Answer : influence employee behavior.

Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack?

Options are :

  • Utilize an intrusion detection system.
  • Perform periodic penetration testing. (Correct)
  • Implement vendor recommended settings.
  • Establish minimum security baselines.

Answer : Perform periodic penetration testing.

Information security policies should:

Options are :

  • be customized to specific groups and roles.
  • address the process for communicating a violation.
  • address corporate network vulnerabilities.
  • be straightforward and easy to understand. (Correct)

Answer : be straightforward and easy to understand.

What is the BEST way to ensure that an intruder who successfully penetrates a network will be detected before significant damage is inflicted?

Options are :

  • Install a honeypot on the network (Correct)
  • Establish minimum security baselines
  • Implement vendor default settings
  • Perform periodic penetration testing

Answer : Install a honeypot on the network

Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected?

Options are :

  • Applying patches
  • Upgrading hardware
  • Backing up files (Correct)
  • Changing access rules

Answer : Backing up files

A security awareness program should:

Options are :

  • address details on specific exploits.
  • promote security department procedures.
  • address specific groups and roles. (Correct)
  • present top management's perspective.

Answer : address specific groups and roles.

The return on investment of information security can BEST be evaluated through which of the following?

Options are :

  • Process improvement models
  • Security metrics
  • Support of business objectives (Correct)
  • Security deliverables

Answer : Support of business objectives

Which of the following environments represents the GREATEST risk to organizational security?

Options are :

  • Locally managed file server (Correct)
  • Enterprise data warehouse
  • Centrally managed data switch
  • Load-balanced, web server cluster

Answer : Locally managed file server

Which of the following presents the GREATEST exposure to internal attack on a network?

Options are :

  • User passwords are not automatically expired
  • All network traffic goes through a single switch
  • User passwords are encoded but not encrypted (Correct)
  • All users reside on a single internal subnet

Answer : User passwords are encoded but not encrypted

In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources?

Options are :

  • Implementing on-screen masking of passwords
  • Increasing the frequency of password changes
  • Requiring that passwords be kept strictly confidential
  • Conducting periodic security awareness programs (Correct)

Answer : Conducting periodic security awareness programs

Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?

Options are :

  • Quality control manager
  • System analyst
  • Information security manager
  • Process owner (Correct)

Answer : Process owner

Which of the following is the MOST important management signoff for migrating an order processing system from a test environment to a production environment?

Options are :

  • Security
  • User (Correct)
  • Operations
  • Database

Answer : User

Successful social engineering attacks can BEST be prevented through:

Options are :

  • close monitoring of users' access patterns.
  • efficient termination procedures.
  • periodic awareness training. (Correct)
  • preemployment screening.

Answer : periodic awareness training.

Nonrepudiation can BEST be assured by using:

Options are :

  • delivery path tracing.
  • reverse lookup translation.
  • out-of-band channels.
  • digital signatures. (Correct)

Answer : digital signatures.

What is the BEST method to verify that all security patches applied to servers were properly documented?

Options are :

  • Trace OS patch logs to change control requests (Correct)
  • Trace OS patch logs to OS vendor's update documentation
  • Review change control documentation for key servers
  • Trace change control requests to operating system (OS) patch logs

Answer : Trace OS patch logs to change control requests

What is the BEST way to ensure that contract programmers comply with organizational security policies?

Options are :

  • Perform periodic security reviews of the contractors (Correct)
  • Explicitly refer to contractors in the security standards
  • Create penalties for noncompliance in the contracting agreement
  • Have the contractors acknowledge in writing the security policies

Answer : Perform periodic security reviews of the contractors

When a departmental system continues to be out of compliance with an information security policy's password strength requirements, the BEST action to undertake is to:

Options are :

  • request a risk acceptance from senior management.
  • submit the issue to the steering committee.
  • conduct an impact analysis to quantify the risks. (Correct)
  • isolate the system from the rest of the network.

Answer : conduct an impact analysis to quantify the risks.

Security policies should be aligned MOST closely with:

Options are :

  • local laws and regulations.
  • organizational needs. (Correct)
  • industry best practices.
  • generally accepted standards.

Answer : organizational needs.

Who is ultimately responsible for ensuring that information is categorized and that protective measures are taken?

Options are :

  • Information security officer
  • Data custodian
  • Security steering committee (Correct)
  • Data owner

Answer : Security steering committee

What is the MOST effective access control method to prevent users from sharing files with unauthorized users?

Options are :

  • Mandatory (Correct)
  • Role-based
  • Walled garden
  • Discretionary

Answer : Mandatory

Which of the following is MOST important for measuring the effectiveness of a security awareness program?

Options are :

  • Increased interest in focus groups on security issues
  • A quantitative evaluation to ensure user comprehension (Correct)
  • Increased number of security violation reports
  • Reduced number of security violation reports

Answer : A quantitative evaluation to ensure user comprehension

Which of the following is the MOST important process that an information security manager needs to negotiate with an outsource service provider?

Options are :

  • A legally binding data protection agreement
  • Encryption between the organization and the provider
  • The right to conduct independent security reviews (Correct)
  • A joint risk assessment of the system

Answer : The right to conduct independent security reviews

Which of the following documents would be the BEST reference to determine whether access control mechanisms are appropriate for a critical application?

Options are :

  • Business process flow
  • IT security policy (Correct)
  • Regulatory requirements
  • User security procedures

Answer : IT security policy

Data owners are normally responsible for which of the following?

Options are :

  • Determining the level of application security required (Correct)
  • Migrating application code changes to production
  • Administering security over database records
  • Applying emergency changes to application data

Answer : Determining the level of application security required

Which of the following is an inherent weakness of signature-based intrusion detection systems?

Options are :

  • A higher number of false positives
  • New attack methods will be missed (Correct)
  • Long duration probing will be missed
  • Attack profiles can be easily spoofed

Answer : New attack methods will be missed

Good information security standards should:

Options are :

  • be updated frequently as new software is released.
  • address high-level objectives of the organization.
  • describe the process for communicating violations.
  • define precise and unambiguous allowable limits. (Correct)

Answer : define precise and unambiguous allowable limits.
