CISM Information Risk Management Certification

A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN). What should the security manager do FIRST?

Options are :

  • Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server
  • Install an intrusion detection system (IDS)
  • Perform a vulnerability assessment of the developer portal
  • Understand the business requirements of the developer portal (Correct)

Answer : Understand the business requirements of the developer portal

The MOST important reason for conducting periodic risk assessments is because:

Options are :

  • security risks are subject to frequent change. (Correct)
  • risk assessments are not always precise.
  • it demonstrates to senior management that the security function can add value.
  • reviewers can optimize and reduce the cost of controls.

Answer : security risks are subject to frequent change.

The MAIN reason why asset classification is important to a successful information security program is because classification determines:

Options are :

  • the amount of insurance needed in case of loss
  • the appropriate level of protection to the asset. (Correct)
  • the priority and extent of risk mitigation efforts.
  • how protection levels compare to peer organizations.

Answer : the appropriate level of protection to the asset.

A common concern with poorly written web applications is that they can allow an attacker to:

Options are :

  • gain control through a buffer overflow
  • abuse a race condition.
  • conduct a distributed denial of service (DoS) attack.
  • inject structured query language (SQL) statements (Correct)

Answer : inject structured query language (SQL) statements

Which of the following steps in conducting a risk assessment should be performed FIRST?

Options are :

  • Identify business assets (Correct)
  • Identify business risks
  • Evaluate key controls
  • Assess vulnerabilities

Answer : Identify business assets

A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account?

Options are :

  • Prevent the system from being accessed remotely
  • Ask for a vendor patch
  • Track usage of the account by audit trails
  • Create a strong random password (Correct)

Answer : Create a strong random password

One way to determine control effectiveness is by determining:

Options are :

  • whether it is preventive, detective or compensatory.
  • the test results of intended objectives. (Correct)
  • the evaluation and analysis of reliability.
  • the capability of providing notification of failure

Answer : the test results of intended objectives.

Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?

Options are :

  • Percent of control objectives accomplished (Correct)
  • Reduction in the number of reported security incidents
  • Percent of compliance with the security policy
  • Number of controls implemented

Answer : Percent of control objectives accomplished

Which of the following would a security manager establish to determine the target for restoration of normal processing?

Options are :

  • Recovery point objectives (RPOs)
  • Recovery time objective (RTO) (Correct)
  • Maximum tolerable outage (MTO)
  • Services delivery objectives (SDOs)

Answer : Recovery time objective (RTO)

A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures?

Options are :

  • Amount of IT budget available
  • Audit report findings
  • Penetration test results
  • Risk analysis results (Correct)

Answer : Risk analysis results

Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?

Options are :

  • Identifying data owners (Correct)
  • Defining job roles
  • Performing a risk assessment
  • Establishing data retention policies

Answer : Identifying data owners

Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?

Options are :

  • Feasibility (Correct)
  • Programming
  • User testing
  • Specification

Answer : Feasibility

Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company's policies. An information security manager should:

Options are :

  • conduct a risk assessment and allow or disallow based on the outcome.
  • recommend against implementation because it violates the company's policies.
  • recommend a risk assessment and implementation only if the residual risks are accepted. (Correct)
  • recommend revision of current policy.

Answer : recommend a risk assessment and implementation only if the residual risks are accepted.

Attackers who exploit cross-site scripting vulnerabilities take advantage of:

Options are :

  • a lack of proper input validation controls. (Correct)
  • flawed cryptographic secure sockets layer (SSL) implementations and short key lengths.
  • implicit web application trust relationships.
  • weak authentication controls in the web application layer.

Answer : a lack of proper input validation controls.

An organization has to comply with recently published industry regulatory requirements— compliance that potentially has high implementation costs. What should the information security manager do FIRST?

Options are :

  • Demand immediate compliance.
  • Perform a gap analysis (Correct)
  • Implement a security committee.
  • Implement compensating controls.

Answer : Perform a gap analysis

A risk management program should reduce risk to:

Options are :

  • an acceptable level. (Correct)
  • zero.
  • an acceptable percent of revenue.
  • an acceptable probability of occurrence.

Answer : an acceptable level.

Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?

Options are :

  • Cost versus benefit of additional mitigating controls (Correct)
  • Acceptable level of potential business impacts
  • Historical cost of the asset
  • Annualized loss expectancy (ALE)

Answer : Cost versus benefit of additional mitigating controls

A security risk assessment exercise should be repeated at regular intervals because:

Options are :

  • repetitive assessments allow various methodologies.
  • omissions in earlier assessments can be addressed.
  • they help raise awareness on security in the business.
  • business threats are constantly changing (Correct)

Answer : business threats are constantly changing

The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:

Options are :

  • periodically testing the incident response plans. (Correct)
  • periodically reviewing incident response procedures.
  • establishing mandatory training of all personnel.
  • regularly testing the intrusion detection system (IDS).

Answer : periodically testing the incident response plans.

Which program element should be implemented FIRST in asset classification and control?

Options are :

  • Risk mitigation
  • Classification
  • Risk assessment
  • Valuation (Correct)

Answer : Valuation

Who is responsible for ensuring that information is classified?

Options are :

  • Security manager
  • Senior management
  • Data owner (Correct)
  • Custodian

Answer : Data owner

The security responsibility of data custodians in an organization will include:

Options are :

  • ensuring security measures are consistent with policy. (Correct)
  • determining data classification levels
  • assuming overall protection of information assets.
  • implementing security controls in products they install.

Answer : ensuring security measures are consistent with policy.

Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data?

Options are :

  • Intrinsic value of the data stored on the equipment (Correct)
  • Replacement cost of the equipment
  • Disclosure of personal information
  • Sufficient coverage of the insurance policy for accidental losses

Answer : Intrinsic value of the data stored on the equipment

Which of the following would generally have the GREATEST negative impact on an organization?

Options are :

  • Internal fraud resulting in monetary loss
  • Interruption of utility services
  • Theft of computer software
  • Loss of customer confidence (Correct)

Answer : Loss of customer confidence

A company's mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?

Options are :

  • A penetration test
  • A risk assessment (Correct)
  • A security baseline review
  • A business impact analysis (BIA)

Answer : A risk assessment

What mechanisms are used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system?

Options are :

  • Business impact analyses
  • System performance metrics
  • Incident response processes
  • Security gap analyses (Correct)

Answer : Security gap analyses

A risk management program would be expected to:

Options are :

  • remove all inherent risk.
  • implement preventive controls for every threat.
  • reduce control risk to zero.
  • maintain residual risk at an acceptable level (Correct)

Answer : maintain residual risk at an acceptable level

When performing a risk assessment, the MOST important consideration is that:

Options are :

  • management supports risk mitigation efforts.
  • attack motives, means and opportunities be understood.
  • annual loss expectations (ALEs) have been calculated for critical assets.
  • assets have been identified and appropriately valued. (Correct)

Answer : assets have been identified and appropriately valued.

Which of the following risks is represented in the risk appetite of an organization?

Options are :

  • Control
  • Audit
  • Residual (Correct)
  • Inherent

Answer : Residual

What is the BEST technique to determine which security controls to implement with a limited budget?

Options are :

  • Impact analysis
  • Cost-benefit analysis (Correct)
  • Annualized loss expectancy (ALE) calculations
  • Risk analysis

Answer : Cost-benefit analysis

The PRIMARY purpose of using risk analysis within a security program is to:

Options are :

  • inform executive management of residual risk value. (Correct)
  • help businesses prioritize the assets to be protected
  • justify the security expenditure.
  • assess exposures and plan remediation.

Answer : inform executive management of residual risk value.

Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a large, multinational enterprise?

Options are :

  • assess exposures and plan remediation. (Correct)
  • Strategic business plan
  • Customer personal information
  • Upcoming financial results

Answer : assess exposures and plan remediation.

Which of the following would help management determine the resources needed to mitigate a risk to the organization?

Options are :

  • Risk management balanced scorecard
  • Risk analysis process
  • Risk-based audit program
  • Business impact analysis (BIA) (Correct)

Answer : Business impact analysis (BIA)
