CISM 2014 Questions - With duplicates.

Question

The PRIMARY selection criterion for an offsite media storage facility is:

Answer 1

A. that the primary and offsite facilities not be subject to the same environmental disasters.

Answer 2

B. that the offsite storage facility be in close proximity to the primary site.

Answer 3

C. the overall storage and maintenance costs of the offsite facility.

Answer 4

D. the availability of cost-effective media transportation services.

Answer 5

A. Platform security

Answer 6

B. Entitlement changes

Answer 7

C. Intrusion detection

Answer 8

D. Antivirus controls

Answer 9

A. Cost reduction

Answer 10

B. Compliance with company policies

Answer 11

C. Protection of business assets

Answer 12

D. Increased business value

Answer 13

A. Risk analysis

Answer 14

B. Business impact analysis (BIA)

Answer 15

C. Return on investment (ROI) analysis

Answer 16

D. Cost-benefit analysis

Answer 17

A. References from other organizations

Answer 18

B. Past experience of the engagement team

Answer 19

C. Sample deliverable

Answer 20

D. Methodology to be used in the assessment

Answer 21

A. Ensure that intrusion prevention is placed in front of the firewall.

Answer 22

B. Ensure that all devices that are connected can easily see the IPS in the network.

Answer 23

C. Ensure that all encrypted traffic is decrypted prior to being processed by the IPS.

Answer 24

D. Ensure that traffic to all devices is mirrored to the IPS.

Answer 25

A. Procedures for hardening database servers

Answer 26

B. Standards for password length and complexity

Answer 27

C. Policies addressing information security governance

Answer 28

D. Standards for document retention and destruction

Answer 29

A. Estimated productivity losses

Answer 30

B. Possible scenarios with threats and impacts

Answer 31

C. Value of information assets

Answer 32

D. Vulnerability assessment

Answer 33

A. release management.

Answer 34

B. incident management.

Answer 35

C. change management.

Answer 36

D. configuration management.

Answer 37

A. Technical

Answer 38

B. Regulatory

Answer 39

C. Privacy

Answer 40

D. Business

Answer 41

A. notifications.

Answer 42

B. warranties.

Answer 43

C. liabilities.

Answer 44

D. geographic coverage.

Answer 45

A. External auditors

Answer 46

B. A peer group within a similar business

Answer 47

C. Process owners

Answer 48

D. A specialized management consultant

Answer 49

A. developing and presenting a business case.

Answer 50

B. defining the risk that will be addressed.

Answer 51

C. presenting a financial analysis of benefits.

Answer 52

D. aligning the initiative with organizational objectives.

Answer 53

A. Choose a subset of influential people to promote the benefits of the security program.

Answer 54

B. Hold structured training in small groups on an annual basis.

Answer 55

C. Require each employee to complete a self-paced training module once per year.

Answer 56

D. Deliver training to all employees across the organization via streaming video.

Answer 57

A. providing access to systems.

Answer 58

B. approving access to systems.

Answer 59

C. establishing authorization and authentication.

Answer 60

D. handling identity management.

Answer 61

A. Direct reports to the chief information officer

Answer 62

B. IT management and key business process owners

Answer 63

C. Cross-section of end users and IT professionals

Answer 64

D. Internal audit and corporate legal departments

Answer 65

A. Number of open incidents

Answer 66

B. Reduction of the number of security incidents

Answer 67

C. Reduction of the average response time to an incident

Answer 68

D. Number of incidents handled per month

Answer 69

A. link security risk to organization business objectives.

Answer 70

B. explain the technical risk to the organization.

Answer 71

C. include industry best practices as they relate to information security.

Answer 72

D. detail successful attacks against a competitor.

Answer 73

A. Implementing wireless intrusion prevention systems

Answer 74

B. Not broadcasting the service set IDentifier (SSID)

Answer 75

C. Implementing wired equivalent privacy (WEP) authentication

Answer 76

D. Enforcing a virtual private network (VPN) over wireless

Answer 77

A. The internal audit department

Answer 78

B. System developers/analysts

Answer 79

C. Key business process owners

Answer 80

D. Corporate legal counsel

Answer 81

A. Type and nature of risk

Answer 82

B. Organizational culture

Answer 83

C. Overall business objectives

Answer 84

D. Lines of business

Answer 85

A. Standards and policies have only an indirect relationship.

Answer 86

B. Standards provide a detailed description of the meaning of a policy.

Answer 87

C. Standards provide direction on achieving compliance with policy intent.

Answer 88

D. Standards can exist without a relationship to any particular policy.

Answer 89

A. Exposure

Answer 90

C. Vulnerability

Answer 91

D. Likelihood

Answer 92

A. Updated call trees

Answer 93

B. Escalation criteria

Answer 94

C. Press release templates

Answer 95

D. Critical backup files inventory

Answer 96

A. includes appropriate justification.

Answer 97

B. explains the current risk profile.

Answer 98

C. details regulatory requirements.

Answer 99

D. identifies incidents and losses.

Answer 100

A. The KRI is accurate and reliable.

Answer 101

B. The KRI provides quantitative metrics.

Answer 102

C. The KRI indicates required action.

Answer 103

D. The KRI is predictive of a risk event.

Answer 104

A. Firewall blocking rules

Answer 105

B. Up-to-date signature files

Answer 106

C. Security awareness training

Answer 107

D. Intrusion detection monitoring

Answer 108

A. ability to resume normal operations.

Answer 109

B. maximum tolerable outage (MTO).

Answer 110

C. service delivery objective (SDO).

Answer 111

D. acceptable interruption window (AIW).

Answer 112

A. User passwords are not automatically expired

Answer 113

B. All network traffic goes through a single switch

Answer 114

C. User passwords are encoded but not encrypted

Answer 115

D. All users reside on a single internal subnet

Answer 116

A. A cost-benefit analysis has been completed.

Answer 117

B. Privacy requirements are met.

Answer 118

C. The service provider ensures a secure data transfer.

Answer 119

D. No significant security incident occurred at the service provider.

Answer 120

A. Regular review of risk treatment options

Answer 121

B. Classification of assets in order of criticality

Answer 122

C. Adoption of a maturity model

Answer 123

D. Integration of assurance functions

Answer 124

A. The security steering committee

Answer 125

B. The board of directors

Answer 126

C. IT managers

Answer 127

D. The information security manager

Answer 128

A. Survey business stakeholders

Answer 129

B. Track audits over time

Answer 130

C. Evaluate incident losses

Answer 131

D. Analyze business cases

Answer 132

A. Tree diagrams

Answer 133

B. Venn diagrams

Answer 134

C. Heat charts

Answer 135

D. Bar charts

Answer 136

A. To mitigate technical risks

Answer 137

B. To have an independent certification of network security

Answer 138

C. To receive an independent view of security exposures

Answer 139

D. To identify a complete list of vulnerabilities

Answer 140

A. ensuring inherent control strength.

Answer 141

B. ensuring strategic alignment.

Answer 142

C. utilizing effective life cycle management.

Answer 143

D. utilizing effective change management.

Answer 144

A. User security procedures

Answer 145

B. Business process flow

Answer 146

C. IT security standards

Answer 147

D. Regulatory requirements

Answer 148

A. verify the decision with the business units.

Answer 149

B. check the system's risk analysis.

Answer 150

C. recommend update after postimplementation review.

Answer 151

D. request an audit review.

Answer 152

A. technology constraints.

Answer 153

B. regulatory requirements.

Answer 154

C. litigation potential.

Answer 155

D. business strategy.

Answer 156

A. identify business risk that affects the organization.

Answer 157

B. establish the need for creating the program.

Answer 158

C. assign responsibility for the program.

Answer 159

D. assess adequacy of existing controls.

Answer 160

A. a statement regarding what the company will do with the information it collects.

Answer 161

B. a disclaimer regarding the accuracy of information on its web site.

Answer 162

C. technical information regarding how information is protected.

Answer 163

D. a statement regarding where the information is being hosted.

Answer 164

A. Impact and threat

Answer 165

B. Likelihood and consequence

Answer 166

C. Threat and exposure

Answer 167

D. Sensitivity and exposure

Answer 168

A. Enhanced policy compliance

Answer 169

B. Improved procedure flows

Answer 170

C. Segregation of duties

Answer 171

D. Better accountability

Answer 172

A. Ensure that a clear organizational incident definition and severity hierarchy exists.

Answer 173

B. Initiate a companywide incident identification training and awareness program.

Answer 174

C. Escalate the issue to the security steering committee for appropriate action.

Answer 175

D. Involve human resources (HR) in implementing a reporting enforcement program.

Answer 176

A. The firewall allows source routing.

Answer 177

B. The firewall allows broadcast propagation.

Answer 178

C. The firewall allows unregistered ports.

Answer 179

D. The firewall allows nonstandard protocols.

Answer 180

A. To help ensure the parties to the agreement can perform

Answer 181

B. To help ensure confidential data are not included in the agreement

Answer 182

C. To help ensure appropriate controls are included

Answer 183

D. To help ensure the right to audit is a requirement

Answer 184

A. Containment

Answer 185

B. Detection

Answer 186

C. Reaction

Answer 187

D. Recovery

Answer 188

A. Review of internal control mechanisms

Answer 189

B. Effective involvement in business decision making

Answer 190

C. Total elimination of risk factors

Answer 191

D. Ensuring trust in data

Answer 192

A. Assess the type and severity of the attack.

Answer 193

B. Determine whether it is an actual incident.

Answer 194

C. Contain the damage to minimize the risk.

Answer 195

D. Minimize the disruption of computer resources.

Answer 196

A. Network switch

Answer 197

B. Web server

Answer 198

C. Database server

Answer 199

D. File/print server

Answer 200

A. Information classification

Answer 201

B. Segregation of duties

Answer 202

C. Least privilege

Answer 203

D. Systems monitoring

Answer 204

A. External vulnerability reporting sources

Answer 205

B. Periodic vulnerability assessments performed by consultants

Answer 206

C. Intrusion prevention software

Answer 207

D. Honeypots located in the DMZ

Answer 208

A. Number of open incidents

Answer 209

B. Reduction of the number of security incidents

Answer 210

C. Reduction of the average response time to an incident

Answer 211

D. Number of incidents handled per month

Answer 212

A. Realistic budget estimates

Answer 213

B. Security awareness

Answer 214

C. Support of senior management

Answer 215

D. Recalculation of the work factor

Answer 216

A. changes comply with security policy.

Answer 217

B. risk from proposed changes is managed.

Answer 218

C. rollback to a current status has been considered.

Answer 219

D. changes are initiated by business managers.

Answer 220

A. prevent the occurrence of incidents.

Answer 221

B. ensure business continuity.

Answer 222

C. train users on resolution of incidents.

Answer 223

D. promote business resiliency.

Answer 224

A. The security administrator who implemented the controls

Answer 225

B. The organization's chief information security officer (CISO)

Answer 226

C. The organization's senior management

Answer 227

D. The information systems (IS) auditor who recommended the controls

Answer 228

A. The extent to which controls are procedural

Answer 229

B. The extent to which controls are subject to the same threat

Answer 230

C. The total cost of ownership for existing controls

Answer 231

D. The extent to which controls fail in a closed condition

Answer 232

A. Obtaining evidence as soon as possible

Answer 233

B. Preserving the integrity of the evidence

Answer 234

C. Disconnecting all IT equipment involved

Answer 235

D. Reconstructing the sequence of events

Answer 236

A. change the root password of the system.

Answer 237

B. implement multifactor authentication.

Answer 238

C. rebuild the system from the original installation medium.

Answer 239

D. disconnect the mail server from the network.

Answer 240

A. Enhanced policy compliance

Answer 241

B. Improved procedure flows

Answer 242

C. Segregation of duties

Answer 243

D. Better accountability

Answer 244

A. Create an image of the hard drive.

Answer 245

B. Encrypt the data on the hard drive.

Answer 246

C. Examine the original hard drive.

Answer 247

D. Create a logical copy of the hard drive.

Answer 248

A. Security compliant servers trend report

Answer 249

B. Percentage of security compliant servers

Answer 250

C. Number of security patches applied

Answer 251

D. Security patches applied trend report

Answer 252

A. Complete policies and standards

Answer 253

B. An appropriate governance framework

Answer 254

C. Current state and objectives

Answer 255

D. Management intent and direction

Answer 256

A. Performing a low-level format

Answer 257

B. Rewriting with zeros

Answer 258

C. Burning them

Answer 259

D. Degaussing them

Answer 260

A. Justification of the security budget must be continually made.

Answer 261

B. New vulnerabilities are discovered every day.

Answer 262

C. The risk environment is constantly changing.

Answer 263

D. Management needs to be continually informed about emerging risks.

Answer 264

A. it simulates the real-life situation of an external security attack.

Answer 265

B. human intervention is not required for this type of test.

Answer 266

C. less time is spent on reconnaissance and information gathering.

Answer 267

D. critical infrastructure information is not revealed to the tester.

Answer 268

A. The proportion of identified risk that has been remediated

Answer 269

B. The ratio of business insurance coverage to its cost

Answer 270

C. The percentage of the IT budget allocated to security

Answer 271

D. The percentage of assets that has been classified

Answer 272

A. Cross site request forgery

Answer 273

B. Structured Query Language (SQL) injection

Answer 274

C. Metasploit

Answer 275

D. Cross site scripting

Answer 276

A. It is easier to promote security awareness.

Answer 277

B. It is easier to manage and control.

Answer 278

C. It is more responsive to business unit needs.

Answer 279

D. It provides a faster turnaround for security requests.

Answer 280

A. Verify the date that signature files were last pushed out

Answer 281

B. Use a recently identified benign virus to test if it is quarantined

Answer 282

C. Research the most recent signature file and compare to the console

Answer 283

D. Check a sample of servers that the signature files are current

Answer 284

A. Enforce the existing security standard

Answer 285

B. Change the standard to permit the deployment

Answer 286

C. Perform a risk analysis to quantify the risk

Answer 287

D. Perform research to propose use of a better technology

Answer 288

A. treated as a distinct process.

Answer 289

B. conducted by the IT department.

Answer 290

C. integrated within business processes.

Answer 291

D. communicated to all employees.

Answer 292

A. Security metrics

Answer 293

B. Network topology

Answer 294

C. Security architecture

Answer 295

D. Process improvement models

Answer 296

A. Role-based access control systems

Answer 297

B. Automated access provisioning

Answer 298

C. Security awareness training

Answer 299

D. Intrusion prevention systems (IPSs)

Answer 300

A. recovery point objective (RPO).

Answer 301

B. recovery time objective (RTO).

Answer 302

C. service delivery objective (SDO).

Answer 303

D. maximum tolerable outage (MTO).

Answer 304

A. Unplugging the systems

Answer 305

B. Chain of custody

Answer 306

C. Separation of duties

Answer 307

D. Clock synchronization

Answer 308

A. application hardening.

Answer 309

B. spam filters.

Answer 310

C. an intrusion detection system (IDS).

Answer 311

D. end user awareness.

Answer 312

A. Briefing team members on the nature of new threats to IS security

Answer 313

B. Periodic testing and updates to incorporate lessons learned

Answer 314

C. Ensuring that all members have a good understanding of IS technology

Answer 315

D. A nonhierarchical structure to ensure that team members can share ideas

Answer 316

A. Research best practices

Answer 317

B. Meet with stakeholders

Answer 318

C. Establish change control procedures

Answer 319

D. Identify critical systems

Answer 320

A. Shorten the password validity period.

Answer 321

B. Encourage the use of special characters.

Answer 322

C. Strengthen segregation of duties (SoD).

Answer 323

D. Introduce compensatory controls.

Answer 324

A. consider possible impact of a security breach.

Answer 325

B. classify personal information in electronic form.

Answer 326

C. be performed by the information security manager.

Answer 327

D. classify systems according to the data processed.

Answer 328

A. Signed contracts

Answer 329

B. Severe penalties

Answer 330

C. Assigned accountability

Answer 331

D. Clear policies

Answer 332

A. Management discretion

Answer 333

B. Regulatory requirements

Answer 334

C. Inherent risk

Answer 335

D. Internal audit findings

Answer 336

A. Industry best practices

Answer 337

B. Business goals and objectives

Answer 338

C. Information technology (IT) plans

Answer 339

D. International information security frameworks

Answer 340

A. Allows the organization to eliminate risk

Answer 341

B. Is a necessary part of management's due diligence

Answer 342

C. Satisfies audit and regulatory requirements

Answer 343

D. Assists in increasing the return on investment (ROI)

Answer 344

A. Asset classification

Answer 345

B. Risk assessment

Answer 346

C. Security architecture

Answer 347

D. Configuration management

Answer 348

A. original cost.

Answer 349

B. net cash flow.

Answer 350

C. net present value.

Answer 351

D. replacement cost.

Answer 352

A. On the web server

Answer 353

B. On the intrusion detection system (IDS) server

Answer 354

C. On the screened subnet

Answer 355

D. On the domain boundary

Answer 356

A. baseline.

Answer 357

B. strategy.

Answer 358

C. procedure.

Answer 359

D. policy.

Answer 360

A. The number of incidents and the subsequent mitigation activities

Answer 361

B. The number, type and layering of deterrent control technologies

Answer 362

C. The extent of risk management requirements in policies and standards

Answer 363

D. The ratio of cost to insurance coverage for business interruption protection

Answer 364

A. A project database

Answer 365

B. A project portfolio database

Answer 366

C. Policy documents

Answer 367

D. A program management office

Answer 368

A. Ensuring that risk is identified and mitigated

Answer 369

B. Ensuring that information security strategy is aligned with organizational goals

Answer 370

C. Maximizing the return on information security investments

Answer 371

D. Ensuring the efficient utilization of information security resources

Answer 372

A. The regulations are ambiguous and difficult to interpret.

Answer 373

B. Management has a low level of risk tolerance.

Answer 374

C. The cost of compliance exceeds the cost of possible sanctions.

Answer 375

D. The regulations are inconsistent with the organizational strategy.

Answer 376

A. To justify program development costs

Answer 377

B. To integrate development activities

Answer 378

C. To gain management support for an information security program

Answer 379

D. To comply with international standards

Answer 380

A. There are sufficient safeguards in place to prevent this risk from happening.

Answer 381

B. The needed countermeasures are too complicated to deploy.

Answer 382

C. The cost of countermeasures outweighs the value of the asset and potential loss.

Answer 383

D. the likelihood of the risk occurring is unknown.

Answer 384

A. Number of controls implemented

Answer 385

B. Percent of control objectives accomplished

Answer 386

C. Percent of compliance with the security policy

Answer 387

D. Reduction in the number of reported security incidents

Answer 388

A. vulnerability assessments.

Answer 389

B. value analysis.

Answer 390

C. business climate.

Answer 391

D. audit recommendations.

Answer 392

A. Management discretion

Answer 393

B. Regulatory requirements

Answer 394

C. Inherent risk

Answer 395

D. Internal audit findings

Answer 396

A. a data leak prevention program.

Answer 397

B. user awareness training.

Answer 398

C. an information classification process.

Answer 399

D. a network intrusion detection system (IDS).

Answer 400

A. A tested business continuity/disaster recovery plan (BCP/DRP)

Answer 401

B. An increase in timely reporting of incidents by employees

Answer 402

C. Extent of risk management education

Answer 403

D. Regular review of risks by senior management

Answer 404

A. Information owner

Answer 405

B. Security manager

Answer 406

C. Chief information officer (CIO)

Answer 407

D. System administrator

Answer 408

A. Copies of critical contracts and service level agreements (SLAs)

Answer 409

B. Copies of the business continuity plan

Answer 410

C. Key software escrow agreements for the purchased systems

Answer 411

D. List of emergency numbers of service providers

Answer 412

A. To ensure that changes are authorized

Answer 413

B. To ensure that changes are applied

Answer 414

C. To ensure that changes are documented

Answer 415

D. To ensure that changes are tested

Answer 416

A. content filtering.

Answer 417

B. data classification.

Answer 418

C. information security awareness.

Answer 419

D. encryption for all attachments.

Answer 420

A. They all use weak encryption.

Answer 421

B. They are decrypted by the firewall.

Answer 422

C. They may be quarantined by mail filters.

Answer 423

D. They may be corrupted by the receiving mail server.

Answer 424

A. hardening of web servers.

Answer 425

B. consolidating multiple sites into a single portal.

Answer 426

C. coding standards and reviewing code.

Answer 427

D. using https in place of http.

Answer 428

A. Functional requirements are not adequately considered.

Answer 429

B. User training programs may be inadequate.

Answer 430

C. Budgets allocated to business units are not appropriate.

Answer 431

D. Information security plans are not aligned with business requirements.

Answer 432

A. Justification of the security budget must be continually made.

Answer 433

B. New vulnerabilities are discovered every day.

Answer 434

C. The risk environment is constantly changing.

Answer 435

D. Management needs to be continually informed about emerging risks.

Answer 436

A. Risk assessment

Answer 437

B. Risk treatment

Answer 438

C. Risk evaluation

Answer 439

D. Risk monitoring

Answer 440

A. ensure adequate corrective actions were implemented.

Answer 441

B. demonstrate management commitment to the information security process.

Answer 442

C. evaluate the incident response process for deficiencies.

Answer 443

D. evaluate the ability of the security team.

Answer 444

A. The market value minus the book value

Answer 445

B. The book value minus the market value

Answer 446

C. Adding the totals of the asset classification

Answer 447

D. A business impact assessment and analysis

Answer 448

A. Operations and marketing

Answer 449

B. IT, finance and legal

Answer 450

C. Audit, risk and regulations

Answer 451

D. Information security and risk

Answer 452

A. state expectations of IT management.

Answer 453

B. state only one general security mandate.

Answer 454

C. are aligned with organizational goals.

Answer 455

D. govern the creation of procedures and guidelines.

Answer 456

A. Evaluation of third parties requesting connectivity

Answer 457

B. Assessment of the adequacy of disaster recovery plans

Answer 458

C. Final approval of information security policies

Answer 459

D. Monitoring adherence to physical security controls

Answer 460

A. Visibility and duration

Answer 461

B. Likelihood and impact

Answer 462

C. Probability and frequency

Answer 463

D. Financial impact and duration

Answer 464

A. all organizational activities.

Answer 465

B. those elements identified by a risk assessment.

Answer 466

C. any area that exceeds acceptable risk levels.

Answer 467

D. only those areas that have potential impact.

Answer 468

A. Creation date

Answer 469

B. Author name

Answer 470

C. Initial draft approval date

Answer 471

D. Last review date

Answer 472

A. the method that minimizes risk to the greatest extent.

Answer 473

B. based on the organization's risk tolerance.

Answer 474

C. an efficient approach to achieve control objectives.

Answer 475

D. the method that maximizes risk mitigation.

Answer 476

A. Distributing industry statistics about security incidents

Answer 477

B. Monitoring the magnitude of incidents

Answer 478

C. Encouraging employees to behave in a more conscious manner

Answer 479

D. Continually reinforcing the security policy

Answer 480

A. reviewing new laws and regulations.

Answer 481

B. updating operational procedures.

Answer 482

C. validating staff qualifications.

Answer 483

D. conducting a risk assessment.

Answer 484

A. To create the information security policy

Answer 485

B. To maximize system uptime

Answer 486

C. To develop strong controls

Answer 487

D. To implement the strategy

Answer 488

A. Business impact analyses

Answer 489

B. Security gap analyses

Answer 490

C. System performance metrics

Answer 491

D. Incident response processes

Answer 492

A. Regular review of access control lists

Answer 493

B. Security guard escort of visitors

Answer 494

C. Visitor registry log at the door

Answer 495

D. A biometric coupled with a PIN

Answer 496

A. Enable access through a separate device that requires adequate authentication

Answer 497

B. Implement manual procedures that require password change after each use

Answer 498

C. Request the vendor to add multiple user IDs

Answer 499

D. Analyze the logs to detect unauthorized access

Answer 500

A. Residual risk

Answer 501

B. Separation of duties

Answer 502

C. Potential impact

Answer 503

D. Need to know

Answer 504

A. Services delivery objective

Answer 505

B. Recovery time objective (RTO)

Answer 506

C. Recovery window

Answer 507

D. Maximum tolerable outage (MTO)

Answer 508

B. Implementation

Answer 509

C. Application security testing

Answer 510

D. Feasibility

Answer 511

A. Stolen customer data

Answer 512

B. An electrical power outage

Answer 513

C. A defaced web site

Answer 514

D. Loss of the software development team

Answer 515

A. To reduce governance costs

Answer 516

B. To improve risk management

Answer 517

C. To harmonize security activities

Answer 518

D. To meet or maintain regulatory compliance

Answer 519

A. Ensure all servers are up-to-date on OS patches

Answer 520

B. Employ packet filtering to drop suspect packets

Answer 521

C. Implement network address translation to make internal addresses nonroutable

Answer 522

D. Implement load balancing for Internet facing devices

Answer 523

A. The maximum tolerable outage (MTO) exceeded the acceptable interruption window (AIW).

Answer 524

B. The recovery plans specified outdated operating system (OS) versions.

Answer 525

C. Some restored systems exceeded service delivery objectives (SDO).

Answer 526

D. Aggregate recovery activities exceeded the acceptable interruption window (AIW).

Answer 527

A. guidelines.

Answer 528

B. standards.

Answer 529

C. policies.

Answer 530

D. procedures.

Answer 531

A. Business continuity coordinator

Answer 532

B. Chief operations officer (COO)

Answer 533

C. Information security manager

Answer 534

D. Internal audit

Answer 535

A. technology constraints.

Answer 536

B. regulatory requirements.

Answer 537

C. litigation potential.

Answer 538

D. business strategy.

Answer 539

A. Card key door locks

Answer 540

B. Photo identification

Answer 541

C. Awareness training

Answer 542

D. Biometric scanners

Answer 543

A. Transaction turnaround time

Answer 544

B. Mean time between failures (MTBF)

Answer 545

C. Service delivery objectives (SDOs)

Answer 546

D. The duration of the data restoration job

Answer 547

A. Signature-based detection

Answer 548

B. Deep packet inspection

Answer 549

C. Virus detection

Answer 550

D. Anomaly-based detection

Answer 551

A. create more overhead than signature-based IDSs.

Answer 552

B. cause false positives from minor changes to system variables.

Answer 553

C. generate false alarms from varying user or system actions.

Answer 554

D. cannot detect new types of attacks.

Answer 555

A. Static IP addressing

Answer 556

B. Network address translation

Answer 557

C. Background checks for temporary employees

Answer 558

D. Securing and analyzing system access logs

Answer 559

A. revise the information security program.

Answer 560

B. evaluate a balanced business scorecard.

Answer 561

C. conduct regular user awareness sessions.

Answer 562

D. perform penetration tests.

Answer 563

A. Database administrator (DBA)

Answer 564

B. Finance department management

Answer 565

C. Information security manager

Answer 566

D. IT department management

Answer 567

A. always the best option for an enterprise.

Answer 568

B. often in conflict with effective problem management.

Answer 569

C. the basis for enterprise risk management (ERM) activities.

Answer 570

D. a component of forensics training.

Answer 571

A. Criticality and sensitivity

Answer 572

B. Likelihood and impact

Answer 573

C. Valuation and replacement cost

Answer 574

D. Threat vector and exposure

Answer 575

A. Controls design and deployment

Answer 576

B. Security organization development

Answer 577

C. Logical and conceptual architecture design

Answer 578

D. Development of risk management objectives

Answer 579

A. Operation of a robust incident management process

Answer 580

B. Identification of areas of responsibility

Answer 581

C. Involvement of law enforcement

Answer 582

D. Expertise of resources

Answer 583

A. Give organization standards preference over local regulations

Answer 584

B. Follow local regulations only

Answer 585

C. Make the organization aware of those standards where local regulations cause conflicts

Answer 586

D. Negotiate a local version of the organization standards

Answer 587

A. Business continuity coordinator

Answer 588

B. Information security manager

Answer 589

C. Business process owners

Answer 590

D. IT management

Answer 591

A. organization's risk appetite.

Answer 592

B. external threat landscape.

Answer 593

C. effectiveness of mitigation options.

Answer 594

D. vulnerability assessment.

Answer 595

B. Proportionality

Answer 596

C. Integration

Answer 597

D. Accountability

Answer 598

A. Policies

Answer 599

B. Procedures

Answer 600

C. Technical guides

Answer 601

D. Baselines

Answer 602

A. Procedures

Answer 603

B. Guidelines

Answer 604

C. Baselines

Answer 605

D. Policies

Answer 606

A. Periodically survey management

Answer 607

B. Implement a governance framework

Answer 608

C. Ensure that controls meet objectives

Answer 609

D. Develop an enterprise architecture

Answer 610

A. Inform management.

Answer 611

B. Notify users.

Answer 612

C. Isolate the server.

Answer 613

D. Verify the information.

Answer 614

A. maximize the cost-effectiveness of controls.

Answer 615

B. demonstrate that information security understands the requirements.

Answer 616

C. provide operational consistency.

Answer 617

D. minimize the number of regulations required.

Answer 618

A. Firewalls

Answer 619

B. Bastion hosts

Answer 620

C. Decoy files

Answer 621

D. Screened subnets

Answer 622

A. generally accepted industry best practices.

Answer 623

B. business requirements.

Answer 624

C. legislative and regulatory requirements.

Answer 625

D. storage availability.

Answer 626

A. service level monitoring.

Answer 627

B. penetration testing.

Answer 628

C. periodically auditing.

Answer 629

D. security awareness training.

Answer 630

B. Firewall

Answer 631

C. Mail relay

Answer 632

D. Authentication server

Answer 633

A. Biometrics coupled with strong encryption

Answer 634

B. Challenge response authentication and a secure hash

Answer 635

C. Link encryption and hardware tokens

Answer 636

D. A public key infrastructure (PKI)

Answer 637

A. A tested plan and a team to provide oversight

Answer 638

B. An individual to serve as the liaison between the parties

Answer 639

C. Clear notification and reporting channels

Answer 640

D. A periodic audit of the provider's capabilities

Answer 641

A. To improve the integration of business and information security processes

Answer 642

B. To increase information security budgets and staffing levels

Answer 643

C. To develop tighter controls and stronger compliance efforts

Answer 644

D. To acquire better supplemental technical security controls

Answer 645

A. Access control policy

Answer 646

B. Data classification policy

Answer 647

C. Encryption standards

Answer 648

D. Acceptable use policy

Answer 649

A. Setting up a backup site

Answer 650

B. Maintaining redundant systems

Answer 651

C. Aligning with recovery time objectives (RTOs)

Answer 652

D. Data backup frequency

Answer 653

A. always the best option for an enterprise.

Answer 654

B. often in conflict with effective problem management.

Answer 655

C. the basis for enterprise risk management (ERM) activities.

Answer 656

D. a component of forensics training.

Answer 657

A. Run a forensics tool on the machine to gather evidence

Answer 658

B. Reboot the machine to break remote connections

Answer 659

C. Make a copy of the whole system's memory

Answer 660

D. Document current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports

Answer 661

A. Management acceptance and support

Answer 662

B. Information security policies and standards

Answer 663

C. A management committee to provide oversight for the program

Answer 664

D. The context and purpose of the program

Answer 665

A. minimize the magnitude of impact.

Answer 666

B. align the security program with IT goals.

Answer 667

C. identify critical information assets.

Answer 668

D. reduce the number of policy exceptions.

Answer 669

A. Survey business stakeholders

Answer 670

B. Track audits over time

Answer 671

C. Evaluate incident losses

Answer 672

D. Analyze business cases

Answer 673

A. Determine whether the control is preventive, detective or corrective.

Answer 674

B. Review the control's capability of providing notification of failure.

Answer 675

C. Confirm the control's ability to meet intended objectives.

Answer 676

D. Assess and quantify the control's reliability.

Answer 677

A. the method that minimizes risk to the greatest extent.

Answer 678

B. based on the organization's risk tolerance.

Answer 679

C. an efficient approach to achieve control objectives.

Answer 680

D. the method that maximizes risk mitigation.

Answer 681

A. Number of open incidents

Answer 682

B. Reduction of the number of security incidents

Answer 683

C. Reduction of the average response time to an incident

Answer 684

D. Number of incidents handled per month

Answer 685

A. Invalid logon attempts

Answer 686

B. Write access violations

Answer 687

C. Concurrent logons

Answer 688

D. Firewall logs

Answer 689

A. To ensure the confidentiality of sensitive material

Answer 690

B. To provide a high assurance of identity

Answer 691

C. To allow deployment of the active directory

Answer 692

D. To implement secure sockets layer (SSL) encryption

Answer 693

A. A summary of the security logs that illustrates the sequence of events

Answer 694

B. An analysis of the impact of similar attacks at other organizations

Answer 695

C. A business case for implementing stronger logical access controls

Answer 696

D. The impact of the incident and corrective actions taken

Answer 697

A. Ensure all servers are up-to-date on OS patches

Answer 698

B. Employ packet filtering to drop suspect packets

Answer 699

C. Implement network address translation to make internal addresses nonroutable

Answer 700

D. Implement load balancing for Internet facing devices

Answer 701

A. Implement a security committee.

Answer 702

B. Perform a gap analysis.

Answer 703

C. Implement compensating controls.

Answer 704

D. Demand immediate compliance.

Answer 705

A. periodically testing the incident response plans.

Answer 706

B. regularly testing the intrusion detection system (IDS).

Answer 707

C. establishing mandatory training of all personnel.

Answer 708

D. periodically reviewing incident response procedures.

Answer 709

A. a data leak prevention program.

Answer 710

B. user awareness training.

Answer 711

C. an information classification process.

Answer 712

D. a network intrusion detection system (IDS).

Answer 713

A. verify the decision with the business units.

Answer 714

B. check the system's risk analysis.

Answer 715

C. recommend update after postimplementation review.

Answer 716

D. request an audit review.

Answer 717

A. legal department.

Answer 718

B. compliance officer.

Answer 719

C. information security manager.

Answer 720

D. business owner.

Answer 721

A. Enforce the existing security standard

Answer 722

B. Change the standard to permit the deployment

Answer 723

C. Perform a risk analysis to quantify the risk

Answer 724

D. Perform research to propose use of a better technology

Answer 725

A. Evaluating a business impact analysis (BIA)

Answer 726

B. Developing a balanced business scorecard

Answer 727

C. Demonstrating the relationship between controls

Answer 728

D. Measuring current state vs. desired future state

Answer 729

A. Increased uncertainty

Answer 730

B. Single points of failure

Answer 731

C. Cascading risk

Answer 732

D. Aggregated risk

Answer 733

A. impact analysis.

Answer 734

B. security review.

Answer 735

C. vulnerability assessment.

Answer 736

D. threat analysis.

Answer 737

A. Performing reviews of password resets

Answer 738

B. Conducting security awareness programs

Answer 739

C. Increasing the frequency of password changes

Answer 740

D. Implementing automatic password syntax checking

Answer 741

A. improving integration of business and information security processes.

Answer 742

B. increasing information security budgets and staffing levels.

Answer 743

C. developing tighter controls and stronger compliance efforts.

Answer 744

D. acquiring better supplemental technical security controls.

Answer 745

A. communication of information security requirements to all users in the organization.

Answer 746

B. formulation of policies and procedures for information security.

Answer 747

C. alignment with organizational goals and objectives.

Answer 748

D. monitoring compliance with information security policies and procedures.

Answer 749

A. Only business data files from offsite storage are used

Answer 750

B. IT staff fully recovers the processing infrastructure

Answer 751

C. Critical business processes are duplicated

Answer 752

D. All systems are restored within recovery time objectives (RTOs)

Answer 753

A. The extent to which the control provides defense in depth

Answer 754

B. Whether the control fails open or closed

Answer 755

C. How often the control has failed

Answer 756

D. The extent to which control objectives are achieved

Answer 757

A. Review of internal control mechanisms

Answer 758

B. Effective involvement in business decision making

Answer 759

C. Total elimination of risk factors

Answer 760

D. Ensuring trust in data

Answer 761

A. limiting organizational exposure.

Answer 762

B. a risk assessment and analysis.

Answer 763

C. strong service level agreements (SLAs).

Answer 764

D. independent audits of third parties.

Answer 765

A. Risk assessment

Answer 766

B. Risk treatment

Answer 767

C. Risk evaluation

Answer 768

D. Risk monitoring

Answer 769

A. To achieve acceptable compliance with the security policy

Answer 770

B. To build a common understanding of information security

Answer 771

C. To change culture to be more conducive to good security

Answer 772

D. To establish communication between management and staff

Answer 773

A. There are sufficient safeguards in place to prevent this risk from happening.

Answer 774

B. The needed countermeasures are too complicated to deploy.

Answer 775

C. The cost of countermeasures outweighs the value of the asset and potential loss.

Answer 776

D. the likelihood of the risk occurring is unknown.

Answer 777

A. They all use weak encryption.

Answer 778

B. They are decrypted by the firewall.

Answer 779

C. They may be quarantined by mail filters.

Answer 780

D. They may be corrupted by the receiving mail server.

Answer 781

A. It lowers costs of assessing risk.

Answer 782

B. It provides evidence of attestation.

Answer 783

C. It is a necessary part of third-party audits.

Answer 784

D. It provides trends in the evolving risk profile.

Answer 785

A. Operations and marketing

Answer 786

B. IT, finance and legal

Answer 787

C. Audit, risk and regulations

Answer 788

D. Information security and risk

Answer 789

A. Audits of the business process changes

Answer 790

B. Maintenance of the latest configurations

Answer 791

C. Regular testing of the disaster recovery plan (DRP)

Answer 792

D. Maintenance of the personnel contact list

Answer 793

A. Regular review of risk treatment options

Answer 794

B. Classification of assets in order of criticality

Answer 795

C. Adoption of a maturity model

Answer 796

D. Integration of assurance functions

	Criado por Eduardo Castella7911 quase 9 anos atrás

Próximo

CISM 2014 Questions - With duplicates.

Descrição

Resumo de Recurso

Questão 1

Questão 2

Questão 3

Questão 4

Questão 5

Questão 6

Questão 7

Questão 8

Questão 9

Questão 10

Questão 11

Questão 12

Questão 13

Questão 14

Questão 15

Questão 16

Questão 17

Questão 18

Questão 19

Questão 20

Questão 21

Questão 22

Questão 23

Questão 24

Questão 25

Questão 26

Questão 27

Questão 28

Questão 29

Questão 30

Questão 31

Questão 32

Questão 33

Questão 34

Questão 35

Questão 36

Questão 37

Questão 38

Questão 39

Questão 40

Questão 41

Questão 42

Questão 43

Questão 44

Questão 45

Questão 46

Questão 47

Questão 48

Questão 49

Questão 50

Questão 51

Questão 52

Questão 53

Questão 54

Questão 55

Questão 56

Questão 57

Questão 58

Questão 59

Questão 60

Questão 61

Questão 62

Questão 63

Questão 64

Questão 65

Questão 66

Questão 67

Questão 68

Questão 69

Questão 70

Questão 71

Questão 72

Questão 73

Questão 74

Questão 75

Questão 76