CISM 2014 Questions - 3

Question

Which of the following is MOST important to the successful promotion of good security management practices?

Answer 1

A. Security metrics

Answer 2

B. Security baselines

Answer 3

C. Management support

Answer 4

D. Periodic training

Answer 5

A. Configuration of firewalls

Answer 6

B. Strength of encryption algorithms

Answer 7

C. Authentication within application

Answer 8

D. Safeguards over keys

Answer 9

A. reduce risk to the business.

Answer 10

B. ensure compliance with security policies.

Answer 11

C. provide assurance to management.

Answer 12

D. measure efficiency of services provided.

Answer 13

A. There is an undue reliance on public networks.

Answer 14

B. Batteries require constant recharges.

Answer 15

C. There is a lack of operating system standardization.

Answer 16

D. Mobile devices can be easily lost or stolen.

Answer 17

A. Obtain comparative pricing bids and complete the transaction with the vendor offering the best deal.

Answer 18

B. Add the purchase to the budget during the next budget preparation cycle to account for costs.

Answer 19

C. Perform an assessment to determine correlation with business goals and objectives.

Answer 20

D. Form a project team to plan the implementation.

Answer 21

A. The policies must comply with new regulatory and legal mandates.

Answer 22

B. Appropriate security baselines are no longer set in the policies.

Answer 23

C. The policies no longer reflect management intent and direction.

Answer 24

D. Employees consistently ignore the policies.

Answer 25

A. Periodic audits of noncompliant areas

Answer 26

B. An ongoing vulnerability scanning program

Answer 27

C. Annual security awareness training

Answer 28

D. Regular reports to executive management

Answer 29

A. To identify weaknesses in network security

Answer 30

B. To identify patterns of suspicious access

Answer 31

C. To identify how an attack was launched on the network

Answer 32

D. To identify potential attacks on the internal network

Answer 33

A. use illustrative examples of successful attacks.

Answer 34

B. explain the technical risks to the organization.

Answer 35

C. evaluate the organization against best security practices.

Answer 36

D. tie security risks to key business objectives.

Answer 37

A. Disaster declaration

Answer 38

B. Recovery of the backups

Answer 39

C. Restoration of the system

Answer 40

D. Return to business as usual processing

Answer 41

A. All significant vulnerabilities must be mitigated in a timely fashion.

Answer 42

B. Treatment should be based on threat, impact and cost considerations.

Answer 43

C. Compensatory controls must be implemented for major vulnerabilities.

Answer 44

D. Mitigation options should be proposed for management approval.

Answer 45

A. It shows senior management that you understand their needs.

Answer 46

B. It provides a basis for redistributing resources to mitigate risk outside the risk tolerance.

Answer 47

C. It requires continuous monitoring because the entire risk environment is constantly changing.

Answer 48

D. It facilitates communication with management about the importance of security.

Answer 49

A. Threat analysis

Answer 50

B. Impact assessment

Answer 51

C. Controls evaluation

Answer 52

D. Penetration testing

Answer 53

A. Minimize inherent risk.

Answer 54

B. Eliminate business risk.

Answer 55

C. Implement effective controls.

Answer 56

D. Reduce residual risk to acceptable levels.

Answer 57

A. In policies

Answer 58

B. In the architecture

Answer 59

C. In the strategy

Answer 60

D. In procedures

Answer 61

A. Confirm the incident

Answer 62

B. Determine impact

Answer 63

C. Notify affected stakeholders

Answer 64

D. Isolate the incident

Answer 65

A. A formal methodology makes incident management more flexible.

Answer 66

B. A formal methodology is more reliant on business continuity activities.

Answer 67

C. Each incident responder is able to get broad-based experience.

Answer 68

D. Evidence of due diligence supports legal and liability claims.

Answer 69

A. The independence of the investigator

Answer 70

B. Timely intervention

Answer 71

C. Identifying the perpetrator

Answer 72

D. Chain of custody

Answer 73

A. as a qualitative approach to evaluating risk.

Answer 74

B. to determine maximum probable loss over a period of time.

Answer 75

C. for risk analysis applicable only to financial organizations.

Answer 76

D. as a useful tool to expedite the assessment process.

Answer 77

A. Identify a similar application and refer to its security weaknesses.

Answer 78

B. Recompile the application using the latest library and review the error codes.

Answer 79

C. Employ reverse engineering techniques to derive functionalities.

Answer 80

D. Conduct a vulnerability assessment to detect application weaknesses.

Answer 81

A. It should be based on the threat to each of the elements.

Answer 82

B. Availability is most important.

Answer 83

C. It should be based on the risk to each of the elements.

Answer 84

D. All elements are equally important.

Answer 85

A. aggregated risk.

Answer 86

B. systemic risk.

Answer 87

C. operational risk.

Answer 88

D. cascading risk.

Answer 89

A. Feasibility

Answer 90

C. Development

Answer 91

D. Testing

Answer 92

A. Create a separate account for the programmer as a power user.

Answer 93

B. Log all of the programmer's activity for review by their supervisor.

Answer 94

C. Have the programmer sign a letter accepting full responsibility.

Answer 95

D. Perform regular audits of the application.

Answer 96

A. Capture lessons learned to improve the process.

Answer 97

B. Develop a process for continuous improvement.

Answer 98

C. Develop a business case for the security program budget.

Answer 99

D. Identify new incident management tools.

Answer 100

A. Number of attacks detected

Answer 101

B. Number of successful attacks

Answer 102

C. Ratio of false positives to false negatives

Answer 103

D. Ratio of successful to unsuccessful attacks

Answer 104

A. cost of recovery.

Answer 105

B. cost to recreate.

Answer 106

C. opportunity cost.

Answer 107

D. cost of emergency operations.

Answer 108

A. Identify the assets.

Answer 109

B. Conduct a risk assessment.

Answer 110

C. Define the scope.

Answer 111

D. Perform a business impact analysis (BIA).

Answer 112

A. Assessed risk is below acceptable levels.

Answer 113

B. Risk cannot be determined.

Answer 114

C. The control cost is high.

Answer 115

D. The control is not effective.

Answer 116

A. Secure Sockets Layer (SSL)

Answer 117

B. Secure Shell (SSH)

Answer 118

C. IP Security (IPSec)

Answer 119

D. Secure/Multipurpose Internet Mail Extensions (S/MIME)

Answer 120

A. Regulatory requirements

Answer 121

B. Technical expert advisories

Answer 122

C. State-of-the-art technology

Answer 123

D. A risk assessment

Answer 124

A. Eliminating IT risk

Answer 125

B. Cost-benefit balance

Answer 126

C. Resource management

Answer 127

D. The number of assets protected

Answer 128

A. Track audits over time.

Answer 129

B. Evaluate incident losses.

Answer 130

C. Analyze business cases.

Answer 131

D. Interview business owners.

Answer 132

A. The cost of acquisition and implementation of the asset

Answer 133

B. Knowledge of vulnerabilities present in the asset

Answer 134

C. The degree of exposure to known threats

Answer 135

D. The criticality of the business function supported by the asset

Answer 136

A. Through analysis of the network traffic history

Answer 137

B. Through stateful inspection of firewall packets

Answer 138

C. Through identification of zero-day attacks

Answer 139

D. Through vulnerability assessments

Answer 140

A. Laws and regulations of the country of origin may not be enforceable in the foreign country.

Answer 141

B. A security breach notification might get delayed due to the time difference.

Answer 142

C. Additional network intrusion detection sensors should be installed, resulting in an additional cost.

Answer 143

D. The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.

Answer 144

A. Patch management

Answer 145

B. Change management

Answer 146

C. Security baselines

Answer 147

D. Acquisition management

Answer 148

A. user IDs of terminated staff remain active in application systems.

Answer 149

B. access privileges are accumulated based on previous job functions.

Answer 150

C. application role-based access deviates from the organizational hierarchies.

Answer 151

D. role mining tools are used in the access privilege review.

Answer 152

A. Potential impact is a central element of risk.

Answer 153

B. Potential impact is related to asset value.

Answer 154

C. Potential impact affects the extent of mitigation.

Answer 155

D. Potential impact helps determine the exposure.

Answer 156

A. notify law enforcement.

Answer 157

B. start containment.

Answer 158

C. make an image copy of the media.

Answer 159

D. isolate affected servers.

Answer 160

A. Performing more frequent reviews of the organization's risk factors

Answer 161

B. Developing more realistic information security risk scenarios

Answer 162

C. Understanding the flow and classification of information used by the organization

Answer 163

D. A process to monitor postincident review reports prepared by IT staff

Answer 164

A. Contain the file.

Answer 165

B. Delete the file.

Answer 166

C. Verify whether the file is malicious.

Answer 167

D. Report the suspicious file to management.

Answer 168

A. Ensure that the third party provides a demonstration on a test system.

Answer 169

B. Ensure that goals and objectives are clearly defined.

Answer 170

C. Ensure that technical staff has been briefed on what to expect.

Answer 171

D. Ensure that special backups of production servers are taken.

Answer 172

A. Penetration attempts investigated

Answer 173

B. Violation log reports produced

Answer 174

C. Violation log entries

Answer 175

D. Frequency of corrective actions taken

Answer 176

A. Senior management commitment

Answer 177

B. Information security framework

Answer 178

C. Information security organizational structure

Answer 179

D. Information security policy

Answer 180

A. Reassess the maximum tolerable outage (MTO).

Answer 181

B. Conduct a business impact assessment (BIA) and update the plan.

Answer 182

C. Increase the service delivery objective (SDO).

Answer 183

D. Take no action; maximum tolerable outage (MTO) is not related to AIW.

Answer 184

A. A high percentage of similar change requests

Answer 185

B. A high percentage of change request postponements

Answer 186

C. A high percentage of canceled change requests

Answer 187

D. A high percentage of emergency change requests

Answer 188

A. To reduce the cost of system development

Answer 189

B. To aid in strategy and policy development

Answer 190

C. To effectively manage complexity

Answer 191

D. To determine areas that will be a problem

Answer 192

A. managing risk relative to business objectives.

Answer 193

B. managing risk to a zero level and minimizing insurance premiums.

Answer 194

C. avoiding occurrence of risks so that insurance is not required.

Answer 195

D. transferring most risks to insurers and saving on control costs.

Answer 196

A. justify selection of risk mitigation strategies.

Answer 197

B. maximize the return on investment (ROI).

Answer 198

C. provide documentation for auditors and regulators.

Answer 199

D. quantify risks that would otherwise be subjective.

Answer 200

A. total cost of ownership.

Answer 201

B. priority of restoration.

Answer 202

C. annualized loss expectancy (ALE).

Answer 203

D. residual risk.

Answer 204

A. The system developer

Answer 205

B. The information security manager

Answer 206

C. The system custodian

Answer 207

D. The data owner

Answer 208

A. conducting a business impact assessment.

Answer 209

B. conducting a table-top business continuity test.

Answer 210

C. developing disaster recovery metrics.

Answer 211

D. selecting an alternate recovery site.

Answer 212

A. ensure information security covers all business functions.

Answer 213

B. ensure information security aligns with business goals.

Answer 214

C. raise information security awareness across the organization.

Answer 215

D. implement all decisions on security management across the organization.

Answer 216

A. Technical platform interfaces

Answer 217

B. Scalability of the network

Answer 218

C. Development methodologies

Answer 219

D. Stakeholder requirements

Answer 220

A. Senior management support

Answer 221

B. Budget for security activities

Answer 222

C. Regular vulnerability assessments

Answer 223

D. Knowledgeable security administrators

Answer 224

A. On the internal network

Answer 225

B. On the firewall server

Answer 226

C. On the external router

Answer 227

D. On the primary domain controller

Answer 228

A. Ensure the data classification requirements are compatible with the provider's own classification.

Answer 229

B. Ensure the data classification requirements are communicated to the provider.

Answer 230

C. Ensure the data classification requirements exceed those of the outsourcer.

Answer 231

D. Ensure the data classification requirements are stated in the contract.

Answer 232

A. 0-day vulnerabilities

Answer 233

B. Malicious software and spyware

Answer 234

C. Security design flaws

Answer 235

D. Misconfiguration and missing updates

Answer 236

A. Ensure processes are repeatable and sustainable.

Answer 237

B. Ensure alignment with business objectives.

Answer 238

C. Ensure auditability by regulatory agencies.

Answer 239

D. Ensure objective criteria for the application of metrics.

Answer 240

A. Password hash implementation

Answer 241

B. Challenge/response mechanism

Answer 242

C. Wired Equivalent Privacy (WEP) encryption usage

Answer 243

D. HTTP Basic Authentication

Answer 244

A. Adjust budget provisioning

Answer 245

B. Preserve forensic data

Answer 246

C. Improve the response process

Answer 247

D. Ensure the incident is fully documented

Answer 248

A. The impact on critical IT assets

Answer 249

B. A detailed business case

Answer 250

C. Steering committee approval

Answer 251

D. User acceptance

Answer 252

A. risk that will be addressed.

Answer 253

B. financial analysis of benefits.

Answer 254

C. alignment with organizational objectives.

Answer 255

D. feasibility and value proposition.

Answer 256

A. Ease of installation

Answer 257

B. Product documentation

Answer 258

C. Available support

Answer 259

D. System overhead

Answer 260

A. Tests are scheduled on weekends

Answer 261

B. Network IP addresses are predefined

Answer 262

C. Equipment at the hot site is identical

Answer 263

D. Business management actively participates

Answer 264

A. System analyst

Answer 265

B. System user

Answer 266

C. Operations manager

Answer 267

D. Data security officer

Answer 268

A. the development of organizationwide communication channels.

Answer 269

B. periodic third-party auditing of incident reporting logs.

Answer 270

C. an automated policy compliance monitoring system.

Answer 271

D. deployment of suggestion boxes throughout the organization.

Answer 272

A. to the extent that they impact the enterprise.

Answer 273

B. by implementing international standards.

Answer 274

C. by developing policies that address the requirements.

Answer 275

D. to ensure that guidelines meet the requirements.

Answer 276

A. Adequate security policies and procedures

Answer 277

B. Periodic compliance reviews

Answer 278

C. Security steering committees

Answer 279

D. Security awareness campaigns

Answer 280

A. Ensuring accessibility should a disaster occur

Answer 281

B. Versioning control as plans are modified

Answer 282

C. Broken hyperlinks to resources stored elsewhere

Answer 283

D. Tracking changes in personnel and plan assets

Answer 284

A. Review the finding with the sales manager to evaluate the risk and impact.

Answer 285

B. Report the issue to senior management immediately.

Answer 286

C. Request that the sales representatives stop emailing sensitive information.

Answer 287

D. Provide security awareness training to the sales representatives.

Answer 288

A. Inform senior management.

Answer 289

B. Determine the extent of the compromise.

Answer 290

C. Report the incident to the authorities.

Answer 291

D. Communicate with the affected customers.

Answer 292

A. transferred.

Answer 293

B. treated.

Answer 294

C. accepted.

Answer 295

D. terminated.

Answer 296

A. before system development begins.

Answer 297

B. at system deployment.

Answer 298

C. before developing a business case.

Answer 299

D. at each stage of the software development life cycle (SDLC).

Answer 300

A. Logon banners displayed at every logon

Answer 301

B. Periodic security-related email messages

Answer 302

C. An intranet web site for information security

Answer 303

D. Circulating the information security policy

Answer 304

A. The system administrator should be monitored by a separate reviewer.

Answer 305

B. All activity on the network should be monitored.

Answer 306

C. No additional monitoring is needed in this situation.

Answer 307

D. Monitoring should be done only by the information security manager.

Answer 308

A. Static IP addressing

Answer 309

B. Internal address translation

Answer 310

C. Prospective employee background checks

Answer 311

D. Employee awareness certification program

Answer 312

A. Corporate legal officer

Answer 313

B. Enterprise risk manager

Answer 314

C. Compliance officer

Answer 315

D. Affected departments

Answer 316

A. A hot site facility will be shared in multiple disaster declarations

Answer 317

B. All equipment is provided "at time of disaster, not on floor"

Answer 318

C. The facility is subject to a "first-come, first-served" policy

Answer 319

D. Equipment may be substituted with equivalent models

Answer 320

A. Audit logs are not enabled on a production server

Answer 321

B. The logon ID for a terminated systems analyst still exists on the system

Answer 322

C. The help desk has received numerous results of users receiving phishing emails

Answer 323

D. A Trojan was found to be installed on a system administrator's laptop

Answer 324

A. Timeliness of the reporting

Answer 325

B. Relevance to the recipient

Answer 326

C. Accuracy of the measurement

Answer 327

D. The cost of obtaining the metrics

Answer 328

A. A notification of liability on accuracy of information

Answer 329

B. A notification that information will be encrypted

Answer 330

C. A statement of what the company will do with information it collects

Answer 331

D. A description of the information classification process

Answer 332

A. A warning banner

Answer 333

B. Audit trails

Answer 334

C. An access control

Answer 335

D. An alarm system

Answer 336

A. Flexible security budget

Answer 337

B. Sound risk baseline

Answer 338

C. Detection of new risk

Answer 339

D. Accurate risk reporting

Answer 340

A. outside the firewall.

Answer 341

B. on the firewall server.

Answer 342

C. on a screened subnet.

Answer 343

D. on the external router.

Answer 344

A. Number of controls

Answer 345

B. Cost of achieving control objectives

Answer 346

C. Effectiveness of controls

Answer 347

D. Test results of controls

Answer 348

A. The increasing need for controls

Answer 349

B. The policy development process

Answer 350

C. The integration of assurance-related activities

Answer 351

D. A model for information security program development

Answer 352

A. Simulate an attack and review IDS performance.

Answer 353

B. Use a honeypot to check for unusual activity.

Answer 354

C. Audit the configuration of the IDS.

Answer 355

D. Benchmark the IDS against a peer site.

Answer 356

A. Applying emergency changes to application data

Answer 357

B. Administering security over database records

Answer 358

C. Migrating application code changes to production

Answer 359

D. Determining the level of application security required

Answer 360

A. Quantity of information

Answer 361

B. Available IT infrastructure

Answer 362

C. Benchmarking

Answer 363

D. Requirements of data owners

Answer 364

A. Identify a recognized forensics software tool to create the image.

Answer 365

B. Establish a chain of custody log.

Answer 366

C. Connect the hard drive to a write blocker.

Answer 367

D. Generate a cryptographic hash of the hard drive contents.

Answer 368

A. Isolate the infected server(s) from the network.

Answer 369

B. Identify all potential damage caused by the infection.

Answer 370

C. Ensure that the virus database files are current.

Answer 371

D. Establish security weaknesses in the firewall.

Answer 372

A. External audit and network penetration testers

Answer 373

B. Board of directors and the organization's regulators

Answer 374

C. External trade union representatives and key security vendors

Answer 375

D. Leadership from IT, human resources and the sales department

Answer 376

A. Criteria for data backup

Answer 377

B. Personnel responsible for backup

Answer 378

C. A data backup schedule

Answer 379

D. A list of systems to be backed up

Answer 380

A. Copy to the same disk model as the original.

Answer 381

B. Make a dual backup of the original disk.

Answer 382

C. Keep the digital hash from both hard disks.

Answer 383

D. Perform a restoration test after replication.

Answer 384

A. Include password construction requirements in the security standards

Answer 385

B. Require each user to acknowledge the password requirements

Answer 386

C. Implement strict penalties for user noncompliance

Answer 387

D. Enable system-enforced password configuration

Answer 388

A. Reviewing and modifying access rights

Answer 389

B. Assigning new security responsibilities

Answer 390

C. Conducting specific training for the new role

Answer 391

D. Knowledge of security weaknesses in last department

Answer 392

A. Ensure access to individual functions can be granted to individual users only.

Answer 393

B. Implement role-based access control in the application.

Answer 394

C. Enforce manual procedures ensuring separation of conflicting duties.

Answer 395

D. Create service accounts that can only be used by authorized team members.

Answer 396

A. Assign an information security administrator as regulatory liaison.

Answer 397

B. Perform self-assessments using regulatory guidelines and reports.

Answer 398

C. Assess previous regulatory reports with process owners input.

Answer 399

D. Ensure all regulatory inquiries are sanctioned by the legal department.

Answer 400

A. Assigning responsibility for acquiring the data

Answer 401

B. Locating the data and preserving the integrity of the data

Answer 402

C. Creating a forensically sound image

Answer 403

D. Issuing a litigation hold to all affected parties

Answer 404

A. Risk analysis results

Answer 405

B. Audit report findings

Answer 406

C. Penetration test results

Answer 407

D. Amount of IT budget available

Answer 408

A. Business impact analysis (BIA) report

Answer 409

B. List of action items to mitigate risk

Answer 410

C. Assignment of risks to process owners

Answer 411

D. Quantification of organizational risk

Answer 412

A. An adequate budget

Answer 413

B. Senior level authority

Answer 414

C. A robust technology

Answer 415

D. Effective business relationships

Answer 416

A. Remote buffer overflow

Answer 417

B. Cross site scripting

Answer 418

C. Clear text authentication

Answer 419

D. Man-in-the-middle attack

Answer 420

A. Data encryption

Answer 421

B. Digital signatures

Answer 422

C. Strong passwords

Answer 423

D. Two-factor authentication

Answer 424

A. escalate issues to an external third party for resolution.

Answer 425

B. ensure that senior management provide authority for security to address the issues.

Answer 426

C. insist that managers or units not in agreement with the security solution accept the risk.

Answer 427

D. refer the issues to senior management along with any security recommendations.

Answer 428

A. The recovery time objective (RTO) was not exceeded during testing

Answer 429

B. Objective testing of the business continuity/disaster recovery plan has been carried out consistently

Answer 430

C. The recovery point objective (RPO) was proved inadequate by disaster recovery plan testing

Answer 431

D. Information assets have been valued and assigned to owners per the business continuity plan/disaster recovery plan

Answer 432

A. To identify relevant electronic evidence

Answer 433

B. To identify lessons learned

Answer 434

C. To identify the hacker's identity

Answer 435

D. To identify affected areas

Answer 436

A. conduct a cost-benefit analysis.

Answer 437

B. develop a business case.

Answer 438

C. calculate return on investment (ROI).

Answer 439

D. evaluate loss history.

Answer 440

A. Man-in-the-middle attack

Answer 441

B. Brute force attack

Answer 442

C. Remote buffer overflow

Answer 443

D. Root kit

Answer 444

A. The right to audit

Answer 445

B. Service level agreements (SLAs)

Answer 446

C. Appropriate standard of care

Answer 447

D. Periodic security reviews

Answer 448

A. Defined objectives

Answer 449

B. Time frames for delivery

Answer 450

C. Adoption of a control framework

Answer 451

D. Complete policies

Answer 452

A. Request a list of the software to be used

Answer 453

B. Provide clear directions to IT staff

Answer 454

C. Monitor intrusion detection system (IDS) and firewall logs closely

Answer 455

D. Establish clear rules of engagement

Answer 456

A. Data custodian

Answer 457

B. Database administrator

Answer 458

C. Information security officer

Answer 459

D. Data owner

Answer 460

A. an organizational mandate.

Answer 461

B. a risk management priority.

Answer 462

C. a purely operational issue.

Answer 463

D. just another risk.

Answer 464

A. Define security metrics

Answer 465

B. Conduct a risk assessment

Answer 466

C. Perform a gap analysis

Answer 467

D. Procure security tools

Answer 468

A. During contract negotiation

Answer 469

B. Upon request for assistance from the business unit

Answer 470

C. When requirements are being established

Answer 471

D. When a security incident occurs

Answer 472

A. Diverting incoming traffic as a response to a denial of service (DoS) attack

Answer 473

B. Filtering network traffic

Answer 474

C. Examining inbound network traffic for viruses

Answer 475

D. Logging inbound network traffic

Answer 476

A. Reboot the border router connected to the firewall

Answer 477

B. Check IDS logs and monitor for any active attacks

Answer 478

C. Update IDS software to the latest available version

Answer 479

D. Enable server trace logging on the DMZ segment

Answer 480

A. Staff interviews

Answer 481

B. Threat identification

Answer 482

C. Asset identification and valuation

Answer 483

D. Determination of the likelihood of identified risks

Answer 484

A. A threat assessment

Answer 485

B. A vulnerability assessment

Answer 486

C. A resource dependency assessment

Answer 487

D. An impact assessment

Answer 488

A. Procedural design

Answer 489

B. Architectural design

Answer 490

C. System design specifications

Answer 491

D. Software development

Answer 492

A. conflicting security controls with organizational needs.

Answer 493

B. strong protection of information resources.

Answer 494

C. implementing appropriate controls to reduce risk.

Answer 495

D. proving information security's protective abilities.

Answer 496

A. Employees sign to acknowledge the security policy

Answer 497

B. More incidents are being reported

Answer 498

C. A majority of employees have completed training

Answer 499

D. No incidents have been reported in three months

Answer 500

A. Release management

Answer 501

B. Ownership schema

Answer 502

C. Resource dependency analysis

Answer 503

D. Asset classification

Answer 504

A. Strategic business plan

Answer 505

B. Upcoming financial results

Answer 506

C. Customer personal information

Answer 507

D. Previous financial results

Answer 508

A. senior management directing the information security program.

Answer 509

B. periodic risk analysis and treatment.

Answer 510

C. a security steering committee with representatives from all business functions.

Answer 511

D. regular security audits and ongoing monitoring.

Answer 512

A. Initiate the exception process.

Answer 513

B. Modify policy to address the risk.

Answer 514

C. Increase compliance enforcement.

Answer 515

D. Perform a risk assessment.

Answer 516

A. Risk should be reassessed periodically because risk changes over time.

Answer 517

B. Accepted risk should be flagged to avoid future reassessment efforts.

Answer 518

C. Risk should be avoided next time to optimize the risk profile.

Answer 519

D. Risk should be removed from the risk log after it is accepted.

Answer 520

A. Implementation

Answer 521

C. Testing

Answer 522

A. Patch management

Answer 523

B. Change management

Answer 524

C. Security baselines

Answer 525

D. Virus detection

Answer 526

A. Strengthen existing controls.

Answer 527

B. Reassess the risk.

Answer 528

C. Set new control objectives.

Answer 529

D. Modify security baselines.

Answer 530

A. Service level agreements (SLAs)

Answer 531

B. Right-to-audit clause

Answer 532

C. Intrusion detection system (IDS) services

Answer 533

D. Spam filtering services

Answer 534

A. Technical input requirements for IT security staff

Answer 535

B. Evaluating training program effectiveness

Answer 536

C. A diverse culture and varied technical abilities of end users

Answer 537

D. Availability of users either on weekends or after office hours

Answer 538

A. Attempt to reset several passwords to weaker values

Answer 539

B. Install code to capture passwords for periodic audit

Answer 540

C. Sample a subset of users and request their passwords for review

Answer 541

D. Install strong password settings on each platform

Answer 542

A. Eliminate low-priority security services.

Answer 543

B. Require management to accept the increased risk.

Answer 544

C. Prioritize risk mitigation and educate management.

Answer 545

D. Reduce monitoring and compliance enforcement activities.

Answer 546

A. Developing information security policies and procedures

Answer 547

B. Senior management commitment

Answer 548

C. Conducting security training and awareness for all users

Answer 549

D. Establishing an information security management system

Answer 550

A. Security monitoring software

Answer 551

B. Encryption

Answer 552

C. Two-factor authentication

Answer 553

D. User awareness

Answer 554

A. Utilize an intrusion detection system.

Answer 555

B. Establish minimum security baselines.

Answer 556

C. Implement vendor recommended settings.

Answer 557

D. Perform periodic penetration testing.

Answer 558

A. A cost-benefit analysis of budgeted resources

Answer 559

B. All of the resources that are recommended by the business

Answer 560

C. Total cost of ownership (TCO)

Answer 561

D. Baseline comparisons

Answer 562

A. show that information security understands the rules.

Answer 563

B. provide regulatory compliance.

Answer 564

C. maximize the cost-effectiveness of controls.

Answer 565

D. minimize the number of rules and regulations required.

Answer 566

A. Information security strategy

Answer 567

B. Information security guidelines

Answer 568

C. Information security model

Answer 569

D. Information security architecture

Answer 570

A. Annual loss expectancy (ALE) of incidents

Answer 571

B. Frequency of incidents

Answer 572

C. Total cost of ownership (TCO)

Answer 573

D. Approved budget for the project

Answer 574

A. When the organization has a high risk tolerance

Answer 575

B. When delegation of rights is contrary to policy

Answer 576

C. When the control policy specifies continuous oversight

Answer 577

D. When access is permitted, unless explicitly denied

Answer 578

A. Simple Mail Transfer Protocol (SMTP)

Answer 579

B. File Transfer Protocol (FTP)

Answer 580

C. Post Office Protocol (POP3)

Answer 581

D. Simple Network Management Protocol (SNMP v3)

Answer 582

A. The magnitude of impact

Answer 583

B. Risk tolerance

Answer 584

C. The replacement cost of assets

Answer 585

D. The book value of assets

Answer 586

A. Security in storage and transmission of sensitive data

Answer 587

B. Provider's level of compliance with industry standards

Answer 588

C. Security technologies in place at the facility

Answer 589

D. Results of the latest independent security review

Answer 590

A. It reduces threat.

Answer 591

B. It reduces criticality.

Answer 592

C. It reduces sensitivity.

Answer 593

D. It reduces exposure.

Answer 594

A. Formal training

Answer 595

B. Mentoring

Answer 596

C. On-the-job training

Answer 597

D. Induction

Answer 598

A. assess the impact of the loss and determine mitigating steps.

Answer 599

B. communicate the best practices in protecting laptops to all laptop users.

Answer 600

C. instruct the erring employees to pay a penalty for the lost laptops.

Answer 601

D. recommend that management report the incident to the police and file for insurance.

	Created by Eduardo Castella7911 about 8 years ago

Next up

CISM 2014 Questions - 3

Description

Resource summary

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25

Question 26

Question 27

Question 28

Question 29

Question 30

Question 31

Question 32

Question 33

Question 34

Question 35

Question 36

Question 37

Question 38

Question 39

Question 40

Question 41

Question 42

Question 43

Question 44

Question 45

Question 46

Question 47

Question 48

Question 49

Question 50

Question 51

Question 52

Question 53

Question 54

Question 55

Question 56

Question 57

Question 58

Question 59

Question 60

Question 61

Question 62

Question 63

Question 64

Question 65

Question 66

Question 67

Question 68

Question 69

Question 70

Question 71

Question 72

Question 73

Question 74

Question 75

Question 76