CISM Quiz

Quiz on CISM, created by Christian Haller on 21/06/2014.

Question 1 of 30

A security strategy is important for an organization PRIMARILY because it provides:

Choose one of the following:

  • a basis for determining the best logical security architecture for the organization

  • management intent and direction for security activities

  • users with guidance on how to operate securely in everyday tasks

  • help for IT auditors in ensuring compliance

Question 2 of 30

The MOST important reason to make sure there is good communication about security throughout the organization is:

Choose one of the following:

  • to make security more palatable to resistant employees

  • because people are the biggest security risk

  • to inform business units about the security strategy

  • to conform to regulations requiring that all employees be informed about security

Question 3 of 30

The regulatory environment for most organizations mandates a variety of security-related activities. It is MOST important that the information security manager:

Choose one of the following:

  • rely on corporate counsel to advise which regulations are relevant

  • stay current with all relevant regulations and request legal interpretation

  • involve all impacted departments and treat regulations as just another risk

  • ignore many of the regulations that have no teeth

Question 4 of 30

The MOST important consideration in developing security policies is that:

Choose one of the following:

  • they are based on a threat profile

  • they are complete and no detail is left out

  • management signs off on them

  • all employees read and understand them

Question 5 of 30

The PRIMARY security objective in creating good procedures is:

Choose one of the following:

  • to make sure they work as intended

  • that they are unambiguous and meet the standards

  • that they be written in plain language

  • that compliance can be monitored

Question 6 of 30

The assignment of roles and responsibilities will be MOST effective if:

Choose one of the following:

  • there is senior management support

  • the assignments are consistent with proficiencies

  • roles are mapped to required competencies

  • responsibilities are undertaken on a voluntary basis

Question 7 of 30

The PRIMARY benefit organizations derive from effective information security governance is:

Choose one of the following:

  • ensuring appropriate regulatory compliance

  • ensuring acceptable levels of disruption

  • prioritizing the allocation of remedial resources

  • maximizing the return on security investments

Question 8 of 30

From an information security manager's perspective, the MOST important factors regarding data retention are:

Choose one of the following:

  • business and regulatory requirements

  • document integrity and destruction

  • media availability and storage

  • data confidentiality and encryption

Question 9 of 30

Which role is in the BEST position to review and confirm the appropriateness of a user access list?

Choose one of the following:

  • data owner

  • information security manager

  • domain administrator

  • business manager

Question 10 of 30

In implementing information security governance, the information security manager is PRIMARILY responsible for:

Choose one of the following:

  • developing the security strategy

  • reviewing the security strategy

  • communicating the security strategy

  • approving the security strategy

Question 11 of 30

The overall objective of risk management is to:

Choose one of the following:

  • eliminate all vulnerabilities, if possible

  • determine the best way to transfer risk

  • reduce risks to an acceptable level

  • implement effective countermeasures

Question 12 of 30

The statement "risk = value x vulnerability x threat" indicates that:

Choose one of the following:

  • risk can be quantified using annual loss expectancy (ALE)

  • approximate risk can be estimated, provided probability is computed

  • the level of risk is greater when more threats meet more vulnerabilities

  • without knowing value, risk cannot be calculated

Question 13 of 30

To address changes in risk, an effective risk management program should:

Choose one of the following:

  • ensure that continuous monitoring processes are in place

  • establish proper security baselines for all information resources

  • implement a complete data classification process

  • change security policies on a timely basis to address changing risks

Question 14 of 30

Information classification is important to properly manage risk PRIMARILY because:

Choose one of the following:

  • it ensures accountability for information resources as required by roles and responsibilities

  • it is a legal requirement under various regulations

  • there is no other way to meet the requirements for availability, integrity and auditability

  • it is used to identify the sensitivity and criticality of information to the organization

Question 15 of 30

Vulnerabilities discovered during an assessment should be:

Choose one of the following:

  • handled as a risk, even though there is no threat

  • prioritized for remediation solely based on impact

  • a basis for analyzing the effectiveness of controls

  • evaluated for threat and impact in addition to the cost of mitigation

Question 16 of 30

Indemnity agreements can be used to:

Choose one of the following:

  • ensure an agreed-upon level of service

  • reduce impacts on critical resources

  • transfer responsibility to a third party

  • provide an effective countermeasure to threats

Question 17 of 30

Residual risk can be determined by:

Choose one of the following:

  • determining the remaining vulnerabilities after countermeasures are in place

  • a threat analysis

  • a risk assessment

  • transferring all risks

Question 18 of 30

Data owners are PRIMARILY responsible for creating risk mitigation strategies to address which of the following areas?

Choose one of the following:

  • platform security

  • entitlement changes

  • intrusion detection

  • antivirus controls

Question 19 of 30

A risk analysis should:

Choose one of the following:

  • limit the scope to a benchmark of similar companies

  • assume an equal degree of protection for all assets

  • address the potential size and likelihood of loss

  • give more weight to the likelihood than to the size of the loss

Question 20 of 30

Which of the following is BEST for preventing an external attack?

Choose one of the following:

  • static IP addresses

  • network address translation

  • background checks for temporary employees

  • writing computer logs to removable media

Question 21 of 30

Who is in the BEST position to develop the priorities and identify what risks and impacts would occur if there were a loss or corruption of the organization's information resources?

Choose one of the following:

  • internal auditors

  • security management

  • business process owners

  • external regulatory agencies

Question 22 of 30

The MOST important single concept for an information security architect to keep in mind is:

Choose one of the following:

  • plan, do, check, act

  • confidentiality, integrity, availability

  • prevention, detection, correction

  • tone at the top

Question 23 of 30

Which of the following is the BEST method of limiting the impact of vulnerabilities inherent to wireless networks?

Choose one of the following:

  • require private key-based encryption to connect to the wireless network

  • enable auditing on every host that connects to a wireless network

  • require that every host that connects to this network have a well-tested recovery plan

  • enable auditing on every connection to the wireless network

Question 24 of 30

In an environment that practices defense in depth, an Internet application that requires a login for a user to access it would also require which of the following additional controls?

Choose one of the following:

  • user authentication

  • user audit trails

  • network load balancing

  • network authentication

Question 25 of 30

If an information security manager has responsibility for application security review, which of the following additional responsibilities presents a conflict of interest in performing the review?

Choose one of the following:

  • operating system recovery

  • application administration

  • network change control

  • host-based intrusion detection

Question 26 of 30

Which of the following BEST promotes accountability?

Choose one of the following:

  • compliance monitoring

  • awareness training

  • secure implementation

  • documented policy

Question 27 of 30

Which of the following conclusions renders the sentence MOST accurate? Vulnerabilities combined with threats:

Choose one of the following:

  • always result in damage

  • require controls to avoid damage

  • allow exploits that may cause damage

  • always result in exploits

Question 28 of 30

In which stage of the systems development life cycle (SDLC) should the information security manager create a list of security issues presented by the functional description of a newly planned system?

Choose one of the following:

  • feasibility

  • requirements

  • design

  • development

Question 29 of 30

What is the FIRST step in designing a secure client-server environment?

Choose one of the following:

  • identify all data access points

  • establish operating system security on all platforms

  • require strong passwords

  • place a firewall between the server and clients

Question 30 of 30

What BEST represents the hierarchy of access control strength, from weakest to strongest?

Choose one of the following:

  • what you have, what you are, what you know

  • what you know, what you have, what you are

  • what you are, what you have, what you know

  • what you are, what you know, what you have