CISM 2014 Questions - 2

A. reflect the requirements of key business stakeholders.

B. reflect the desires of the IT executive team.

C. reflect the requirements of industry best practices.

D. are reliable and cost-effective.

A. A list of appropriate controls for reducing or eliminating risk

B. Documented threats to the organization

C. Evaluation of the consequences to the entity

D. An inventory of risk that may impact the organization

A. Develop a scenario and perform a structured walk-through.

B. Draft and publish a clear practice for enterprise-level incident response.

C. Establish a cross-departmental working group to share perspectives.

D. Develop a project plan for end-to-end testing of disaster recovery.

A. Accept the high cost of protection.

B. Implement detective controls.

C. Ensure that asset exposure is low.

D. Transfer the risk to a third party.

A. zero.

B. an acceptable level.

C. an acceptable percent of revenue.

D. an acceptable probability of occurrence.

A. information security procedures.

B. information security principles.

C. employee code of conduct.

D. information security policy.

A. Patch management

B. Security baselines

C. Virus detection

D. Change management

A. Mandatory

B. Discretionary

C. Walled garden

D. Role-based

A. include customer perceptions.

B. contain percentage estimates.

C. lack specific details.

D. contain subjective information.

A. At the beginning of security program development

B. On a continuous basis

C. While developing the business case for the security program

D. During the business change process

A. Obtain the support of the board of directors.

B. Improve the content of the information security awareness program.

C. Improve the employees' knowledge of security policies.

D. Implement logical access controls to the information systems.

A. User assessments of changes

B. Comparison of the program results with industry standards

C. Assignment of risk within the organization

D. Participation by all members of the organization

A. Security awareness training

B. Achievable goals and objectives

C. Senior management sponsorship

D. Adequate start-up budget and staffing

A. Communicating to employees

B. Training IT staff

C. Identifying relevant technologies for automation

D. Obtaining sign-off from stakeholders

A. A documented succession plan

B. Distribution of key process documents

C. A reciprocal agreement with an alternate site

D. Strong senior management leadership

A. To reduce the likelihood of an information security event

B. To encourage compliance with information security policy

C. To comply with the local and industry-specific regulation and legislation

D. To provide employees with expectations for information security

A. the information security steering committee.

B. customers who may be impacted.

C. data owners who may be impacted.

D. regulatory agencies overseeing privacy.

A. system owner to take corrective action.

B. incident response team to investigate.

C. data owners to mitigate damage.

D. development team to remediate.

A. Validation checks are missing in data input pages.

B. Password rules do not allow sufficient complexity.

C. Application transaction log management is weak.

D. Application and database share a single access ID.

A. Confirm the incident.

B. Notify senior management.

C. Start containment.

D. Notify law enforcement.

A. To monitor that personnel are complying with contract provisions

B. To determine who is in the building in case of fire

C. To compare logical and physical access for anomalies

D. To ensure that the physical access control system is operating correctly

A. Data custodian

B. Chief information security officer (CISO)

C. Board of directors

D. Chief information officer (CIO)

A. Communicating specially drafted messages by an authorized person

B. Refusing to comment until recovery

C. Referring the media to the authorities

D. Reporting the losses and recovery strategy to the media

A. An adequate budget for the security program

B. Recruitment of technical IT employees

C. Periodic risk assessments

D. Security awareness training for employees

A. Product market share and annualized cost

B. Ability to interface with intrusion detection system (IDS) software and firewalls

C. Alert notifications and impact assessments for new viruses

D. Ease of maintenance and frequency of updates

A. security steering committee.

B. chief information officer (CIO).

C. chief information security officer (CISO).

D. chief compliance officer (CCO).

A. Risk analysis process

B. Business impact analysis (BIA)

C. Risk management balanced scorecard

D. Risk-based audit program

A. Resources available to implement the program

B. Compliance with legal and regulatory constraints

C. Effectiveness of risk mitigation

D. Resources required to implement the strategy

A. Business continuity plan

B. Disaster recovery plan

C. Incident response plan

D. Vulnerability management plan

A. Current and future technologies

B. Evolving data protection regulations

C. Economizing the costs of network bandwidth

D. Centralization of information security

A. Nonrepudiation

B. Timestamps

C. Biometric scanning

D. Encryption

A. Execute the virus scan.

B. Report the incident to senior management.

C. Format the hard disk.

D. Disconnect the computer from the network.

A. The patch should be loaded onto an isolated test machine.

B. The patch should be decompiled to check for malicious code.

C. The patch should be validated to ensure its authenticity.

D. The patch should be copied onto write-once media to prevent tampering.

A. recover an activity interrupted by an emergency or disaster, within a defined time and cost.

B. perform a walk-through of the steps required to recover from an adverse event.

C. reduce business disruption insurance premiums for the business.

D. address disruptive events with the objective of controlling impacts within acceptable levels.

A. More uniformity in quality of service

B. Better adherence to policies

C. Better alignment to business unit needs

D. More savings in total operating costs

A. Implement countermeasures.

B. Eliminate the risk.

C. Transfer the risk.

D. Accept the risk.

A. determine the probability of success.

B. calculate the return on investment (ROI).

C. analyze the cost-effectiveness.

D. define the issues to be addressed.

A. Most new viruses' signatures are identified over weekends

B. Technical personnel are not available to support the operation

C. Systems are vulnerable to new viruses during the intervening week

D. The update's success or failure is not known until Monday

A. express clearly and concisely the goals of an information security protection program.

B. outline the intended configuration of information system security controls.

C. mandate the behavior and acceptable actions of all information system users.

D. authorize the steps and procedures necessary to protect critical information systems.

A. The existence of messages is unknown.

B. Required key sizes are smaller.

C. Traffic cannot be sniffed.

D. Reliability of the data is higher in transit.

A. Information security staffing requirements

B. Current state and desired future state

C. IT capital investment requirements

D. Information security mission statement

A. Unrestricted data mining

B. Identity theft

C. Human rights protection

D. Identifiable personal data

A. Complying with applicable corporate standards

B. Achieving cost effectiveness of risk mitigation

C. Obtaining consensus of business units

D. Aligning with organizational goals

A. Direct information security on what they need to do

B. Research solutions to determine the proper solutions

C. Require management to report on compliance

D. Nothing; information security does not report to the board

A. constraints.

B. approach.

C. scope.

D. results.

A. Emergency call trees

B. Recovery criteria

C. Business impact assessment (BIA)

D. Critical backups inventory

A. Encryption

B. Content filtering

C. Database hardening

D. Hashing

A. Business unit managers

B. Chief information security officer (CISO)

C. Senior management

D. Chief information officer (CIO)

A. Through data encryption

B. Through digital signatures

C. Through strong passwords

D. Through two-factor authentication

A. Administrative and technical controls

B. Administrative and deterrent controls

C. Technical and physical controls

D. Administrative and corrective controls

A. IT steering committee

B. Data owner

C. System owner

D. IS auditor

A. utilizing a bottom-up approach.

B. management by the IT department.

C. referring the matter to the organization's legal department.

D. utilizing a top-down approach.

A. level of risk to information resources.

B. impact of a compromise.

C. requirements for control strength.

D. annual loss expectancy (ALE).

A. assess the risk of noncompliance.

B. initiate security awareness training.

C. prepare a status report for management.

D. increase compliance enforcement.

A. identify risks and assign roles and responsibilities for mitigation.

B. identify threats and probabilities.

C. facilitate a thorough review of all IT-related risks on a periodic basis.

D. record the annualized financial amount of expected losses due to risks.

A. effective communication and reporting processes.

B. clear policies detailing incident severity levels.

C. intrusion detection system (IDS) capabilities.

D. security awareness training.

A. Detailed technical recovery plans are maintained offsite

B. Network redundancy is maintained through separate providers

C. Hot site equipment needs are recertified on a regular basis

D. Appropriate declaration criteria have been established

A. The risk analysis helps justify the security expenditure.

B. The risk analysis helps prioritize the assets to be protected.

C. The risk analysis helps inform executive management of the residual risk.

D. The risk analysis helps assess exposures and plan remediation.

A. Employee monetary incentives

B. User education and training

C. A zero-tolerance security policy

D. Reporting of security infractions

A. Vulnerability scans

B. Penetration tests

C. Code reviews

D. Security audits

A. Input validation checks on SQL injection

B. Restricting access to social media sites

C. Deleting temporary files

D. Restricting execution of mobile code

A. periodic vulnerability assessment.

B. regulatory and legal requirements.

C. device storage capacity and longevity.

D. past litigation.

A. Perform periodic penetration testing

B. Establish minimum security baselines

C. Implement vendor default settings

D. Install a honeypot on the network

A. assess the commitment of senior management to the program.

B. assess the maturity level of the organization.

C. review the corporate standards.

D. review corporate risk management practices.

A. a level that is too small to be measurable.

B. the point at which the benefit exceeds the expense.

C. a level that the organization is willing to accept.

D. a rate of return that equals the current cost of capital.

A. Design a training program for the staff involved to heighten information security awareness

B. Set role-based access permissions on the shared folder

C. The end user develops a PC macro program to compare sender and recipient file contents

D. Shared folder operators sign an agreement to pledge not to commit fraudulent activities

A. Requiring employees to formally acknowledge receipt of the policy

B. Integrating security requirements into job descriptions

C. Making the policy available on the intranet

D. Implementing an annual retreat for employees on information security

A. Signal strength

B. Number of administrators

C. Bandwidth

D. Encryption strength

A. Cost to build a redundant processing facility and invocation

B. Daily cost of losing critical systems and recovery time objectives (RTOs)

C. Infrastructure complexity and system sensitivity

D. Criticality results from the business impact analysis (BIA)

A. Internal auditor

B. Information security management

C. Steering committee

D. Infrastructure management

A. security awareness training.

B. updated security policies.

C. a computer incident management team.

D. a security architecture.

A. Role-based access control

B. Audit trail monitoring

C. Privacy policy

D. Defense-in-depth

A. aligned with the IT strategic plan.

B. based on the current rate of technological change.

C. three-to-five years for both hardware and software.

D. aligned with the business strategy.

A. The identified levels of risk

B. Industry trends

C. An increased cost of services

D. The allocated revenue of the enterprise

A. Treat regulatory compliance as any other risk.

B. Ensure that policies address regulatory requirements.

C. Make regulatory compliance mandatory.

D. Obtain insurance for noncompliance.

A. Explicitly include the service provider in the security policies

B. Receive acknowledgement in writing stating the provider has read all policies

C. Cross-reference to policies in the service level agreement

D. Perform periodic reviews of the service provider

A. Information security manager

B. Information owners

C. Business continuity coordinator

D. Information technology (IT) operations manager

A. Describe the reduction of risk.

B. Present the emerging threat environment.

C. Benchmark against other enterprises.

D. Demonstrate the alignment of the program to business objectives.

A. Risk assessment

B. Security audit

C. Certification

D. Classification

A. Ensure that critical data on the server are backed up.

B. Shut down the compromised server.

C. Initiate the incident response process.

D. Shut down the network.

A. A defined information security architecture

B. Compliance with international security standards

C. Periodic external audits

D. An established risk management program

A. Develop an operational plan for achieving compliance with the legislation.

B. Identify systems and processes that contain privacy components.

C. Restrict the collection of personal information until compliant.

D. Identify privacy legislation in other countries that may contain similar requirements.

A. Data custodian

B. Legal department

C. Data owner

D. Chief information security officer (CISO)

A. Identifying security threats and vulnerabilities

B. Developing notification and activation procedures

C. Listing investigative priorities

D. Listing critical business resources

A. Critical data

B. Critical infrastructure

C. Safety of personnel

D. Vital records

A. It is computationally more efficient.

B. It is more scalable than a symmetric key.

C. It is less costly to maintain than a symmetric key approach.

D. It provides greater encryption strength than a secret key model.

A. Implementing a security awareness program

B. Rewarding compliance with security policies and guidelines

C. Implementing a discipline and reward system

D. Implementing a whistle-blower hotline

A. Insist on strict service level agreements (SLAs) to guarantee application availability.

B. Verify that the vendor's security architecture meets the organization's requirements.

C. Update the organization's security policies to reflect the vendor agreement.

D. Consult a third party to provide an audit report to assess the vendor's security program.

A. transfer the remaining risk to a third party.

B. acquire insurance against the effects of the residual risk.

C. validate that the residual risk is acceptable.

D. formally document and accept the residual risk.

A. Risk mitigation

B. Risk acceptance

C. Risk elimination

D. Risk transfer

A. The information security manager

B. The data owner

C. The data custodian

D. Business management

A. establish security metrics and performance monitoring.

B. educate business process owner s regarding their duties.

C. ensure that legal and regulatory requirements are met.

D. support the business objectives of the organization.

A. Database server

B. Domain name server (DNS)

C. Time server

D. Proxy server

A. Risk analysis

B. Annualized loss expectancy (ALE) calculations

C. Cost-benefit analysis

D. Impact analysis

A. developing the security strategy.

B. reviewing the security strategy.

C. communicating the security strategy.

D. approving the security strategy.

A. The business process owner

B. The departmental manager

C. The policy approver

D. The information security manager

A. Policies

B. Architecture

C. Legal requirements

D. Strategy

A. File backup procedures

B. Database integrity checks

C. Acceptable use policies

D. Incident response procedures

A. Eliminate low-priority security services.

B. Require management to accept the increased risk.

C. Use third-party providers for low-risk activities.

D. Reduce monitoring and compliance enforcement activities.

A. Opening a new office

B. Merging with another organization

C. Relocating the data center

D. Rewiring the network

A. Direct information security regarding specific resolutions that are needed to address the risk.

B. Research solutions to determine appropriate actions for the company.

C. Take no action; information security does not report to the board.

D. Direct management to assess the risk and to report the results to the board.

A. A comprehensive risk assessment

B. An enterprisewide impact assessment

C. A well-developed business case

D. Computing the net present value (NPV) of future savings

A. Restore servers from backup media stored offsite

B. Conduct an assessment to determine system status

C. Perform an impact analysis of the outage

D. Isolate the screened subnet

A. A summary of the security logs that illustrates the sequence of events

B. An explanation of the incident and corrective action taken

C. An analysis of the impact of similar attacks at other organizations

D. A business case for implementing stronger logical access controls

A. Downtime tolerance, resources and criticality

B. Cost of business outages in a year as a factor of the security budget

C. Business continuity testing methodology being deployed

D. Structure of the crisis management team

A. public key encryption is computationally more efficient.

B. scaling is less of a problem than using a symmetrical key.

C. public key encryption is less costly to maintain than symmetric key approaches.

D. public key encryption provides greater encryption strength than secret key options.

A. Establish the ownership of assets.

B. Evaluate the risks to the assets.

C. Take an asset inventory.

D. Categorize the assets.

A. a business plan.

B. an architecture.

C. requirements.

D. specifications.

A. Never use open source tools

B. Focus only on production servers

C. Follow a linear process for attacks

D. Do not interrupt production processes

A. Developing a business case

B. Conducting a cost-benefit analysis

C. Calculating return on investment (ROI)

D. Evaluating loss history

A. business value.

B. book value.

C. replacement cost.

D. initial cost.

A. Once a year for each business process and subprocess

B. Every three to six months for critical business processes

C. On a continuous basis

D. Annually or whenever there is a significant change

A. depend on up-to-date contact information.

B. pose an unacceptable risk to the organization.

C. pose a risk that the plan will not work when needed.

D. are quickly distinguished from tested plans.

A. The information security department has had difficulty filling vacancies.

B. The chief information officer (CIO) approves changes to the security policy.

C. The information security oversight committee only meets quarterly.

D. The data center manager has final signoff on all security projects.

A. A business impact assessment

B. An organization risk assessment

C. A business process map

D. A threat statement

A. Identify the incident.

B. Contain the incident.

C. Determine the root cause of the incident.

D. Perform a vulnerability assessment.

A. more time is devoted to exploitation than to fingerprinting and discovery.

B. this accurately simulates an external hacking attempt.

C. the ability to exploit Transmission Control Protocol/Internet Protocol (TCP/IP) vulnerabilities.

D. the elimination of the need for penetration testing tools.

A. Log all access to sensitive data.

B. Employ application-level encryption.

C. Install a database monitoring solution.

D. Develop a data security policy.

A. Providing equal coverage for all asset types

B. Benchmarking data from similar organizations

C. Considering both monetary value and likelihood of loss

D. Focusing on valid past threats and business losses

A. Authorization

B. Digital signing

C. Authentication

D. Nonrepudiation

A. identify whether current controls are adequate.

B. communicate the new requirement to audit.

C. implement the requirements of the new regulation.

D. conduct a cost-benefit analysis of implementing the control.

A. Backup media is stored offsite

B. Recovery location is secure and accessible

C. More than one hot site is available

D. Network alternate links are regularly tested

A. The nature of the indemnity clause

B. Ensuring that the business objectives are defined and met

C. Alignment of information system security objectives with enterprise goals

D. Compliance with legal requirements

A. Preemployment screening

B. Close monitoring of users' access patterns

C. Periodic awareness training

D. Efficient termination procedures

A. Train or "calibrate" the assessor.

B. Utilize only standardized approaches.

C. Ensure the impartiality of the assessor.

D. Utilize multiple methods of analysis.

A. organizational requirements.

B. information systems requirements.

C. information security requirements.

D. international standards.

A. Provide security awareness training to the third-party provider's employees

B. Conduct regular security reviews of the third-party provider

C. Include security requirements in the service contract

D. Request that the third-party provider comply with the organization's information security policy

A. Reducing the human risk

B. Maintaining evidence of training records to ensure compliance

C. Informing business units about the security strategy

D. Training personnel in security incident response

A. the cost of security is higher in later stages.

B. information security may affect project feasibility.

C. information security is essential to project approval.

D. it ensures proper project classification.

A. A business impact analysis (BIA), which identifies the requirements for continuous availability of critical business processes

B. Adequate distance between the primary site and the alternate site so that the same disaster does not simultaneously impact both sites

C. A benchmarking analysis of similarly situated enterprises in the same geographic region to demonstrate due diligence

D. Differences between the regulatory requirements applicable at the primary site and those at the alternate site

A. Hidden data may be stored there

B. The slack space contains login information

C. Slack space is encrypted

D. It provides flexible space for the investigation

A. Database management

B. Tape backup management

C. Configuration management

D. Incident response management

A. Assess the problems and institute rollback procedures, if needed.

B. Disconnect the systems from the network until the problems are corrected.

C. Uninstall the patches from these systems.

D. Contact the vendor regarding the problems that occurred.

A. A business case

B. A vulnerability assessment

C. Asset classification

D. Asset valuation

A. Implementing on-screen masking of passwords

B. Conducting periodic security awareness programs

C. Increasing the frequency of password changes

D. Requiring that passwords be kept strictly confidential

A. acknowledge receipt of electronic orders with a confirmation message.

B. perform reasonableness checks on quantities ordered before filling orders.

C. encrypt electronic orders.

D. verify the identity of senders and determine whether orders correspond to contract terms.

A. Passwords stored in encrypted form

B. User awareness

C. Strong passwords that are changed periodically

D. Implementation of lock-out policies

A. Delivery path tracing

B. Reverse lookup translation

C. Out-of-band channels

D. Digital signatures

A. It must be operated by information security to ensure that security is maintained.

B. It must be overseen by the steering committee because of its importance.

C. It must be secondary to release and configuration management.

D. It must include mandatory notification of the information security department.

A. change management.

B. release management.

C. incident management.

D. configuration management.

A. A fully updated intrusion detection system (IDS)

B. Multiple channels for distribution of information

C. A well-defined and structured communication plan

D. A regular schedule for review of network device logs

A. It identifies, assesses and prevents reoccurrence of incidents.

B. It detects and documents incidents.

C. It includes a risk management strategy.

D. It reflects the capabilities of the organization.

A. Card-key door locks

B. Photo identification

C. Biometric scanners

D. Awareness training

A. To implement the strategy

B. To optimize resources

C. To deliver on metrics

D. To achieve assurance

A. To mitigate the tendency for security gaps to exist between assurance functions

B. To reduce manpower requirements for providing effective information security

C. To ensure effective business continuity and disaster recovery

D. To simplify specification development and acquisition processes

A. an audit of the service provider uncovers no significant weakness.

B. the contract includes a nondisclosure agreement (NDA) to protect the organization's intellectual property.

C. the contract should mandate that the service provider will comply with security policies.

D. the third-party service provider conducts regular penetration testing.

A. Retrieve identification badge and card keys

B. Retrieve all personal computer equipment

C. Erase all of the employee's folders

D. Ensure all logical access is removed

A. implement stronger controls.

B. conduct periodic awareness training.

C. actively monitor operations.

D. gain endorsement from executive management.

A. Reduced number of security violation reports

B. A quantitative evaluation to ensure user comprehension

C. Increased interest in focus groups on security issues

D. Increased number of security violation reports

A. increased difficulty in problem management.

B. added complexity in incident management.

C. determining the impact of cascading risk.

D. less flexibility in setting service delivery objectives.

A. Senior management

B. The security manager

C. The data owner

D. The data custodian

A. A bit-level copy of all hard drive data

B. The last verified backup stored offsite

C. Data from volatile memory

D. Backup servers

A. Defining and ratifying the organization's data classification structure

B. Assigning the classification levels to the information assets

C. Securing information assets in accordance with their data classification

D. Confirming that information assets have been properly classified

A. Senior management

B. The business manager

C. The IT audit manager

D. The information security officer (ISO)

A. Contribution to revenue generation

B. A business impact analysis (BIA)

C. Threat assessment and analysis

D. Replacement costs

A. The chance of collusion among staff

B. Degradation of investigation quality

C. Minimization of false-positive alerts

D. Monitoring repeated low-risk events

A. Policies

B. Standards

C. Procedures

D. Guidelines

A. They should define the circumstances where cryptography should be used.

B. They should define cryptographic algorithms and key lengths.

C. They should describe handling procedures of cryptographic keys.

D. They should establish the use of cryptographic solutions.

A. Understand the business requirements of the developer portal

B. Perform a vulnerability assessment of the developer portal

C. Install an intrusion detection system (IDS)

D. Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server

A. Achieve strategic business goals and objectives.

B. Protect information assets using manual and automated controls.

C. Automate information security controls.

D. Eliminate threats to the organization.

A. Ensure the assignment of qualified personnel.

B. Request the IT department do an image copy.

C. Disconnect from the network and isolate the affected devices.

D. Ensure law enforcement personnel are present before the forensic analysis commences.

A. conducting a periodic and event-driven business impact analysis (BIA) to determine the needs of the business during a recovery.

B. assigning new applications a higher degree of importance and scheduling them for recovery first.

C. developing a help-desk ticket process that allows departments to request recovery of software during a disaster.

D. conducting a thorough risk assessment prior to purchasing the software.

A. Set accounts to pre-expire

B. Avoid granting system administration roles

C. Ensure they successfully pass background checks

D. Ensure their access is approved by the data owner

A. Creating a positive business security environment

B. Understanding key business objectives

C. Having a reporting line to senior management

D. Allocating sufficient resources to information security

A. Continue to work the current action.

B. Escalate to the next level for resolution.

C. Skip on to the next action in the plan.

D. Declare a disaster.

A. The security officer

B. Senior management

C. The end user

D. The custodian

A. User

B. Network

C. Operations

D. Database

A. Testing

B. Initiation

C. Design

D. Development

A. a prescriptive methodology for designing the systems architecture.

B. an understanding that the whole is greater than the sum of its parts.

C. a process that ensures alignment with business objectives.

D. a framework for information security governance.

A. Building use cases

B. Conducting a network traffic analysis

C. Performing an asset-based risk assessment

D. The quality of the logs

A. Support of business objectives

B. Security metrics

C. Security deliverables

D. Process improvement models

A. Interviewing candidates for information security specialist positions

B. Developing content for security awareness programs

C. Prioritizing information security initiatives

D. Approving access to critical financial systems

A. classification policy.

B. retention policy.

C. creation policy.

D. leakage protection.

A. Number of users with privileged access

B. Trends in incident frequency

C. Annual network downtime

D. Vulnerability scan results

A. Alignment of information security and business objectives

B. Alignment of security controls with information technology

C. Alignment of concurrent security strategies

D. Alignment of values to protect corporate assets

A. Mandatory access controls

B. Discretionary access controls

C. Lattice-based access controls

D. Role-based access controls

A. technical competency.

B. incompatible culture.

C. defense in depth.

D. adequate policies.

A. broken authentication.

B. unvalidated input.

C. cross-site scripting.

D. structured query language (SQL) injection.

A. Manager

B. Custodian

C. User

D. Owner