CISM 2014 Questions - 2

Question

Strategic alignment is PRIMARILY achieved when services provided by the information security department:

Answer 1

A. reflect the requirements of key business stakeholders.

Answer 2

B. reflect the desires of the IT executive team.

Answer 3

C. reflect the requirements of industry best practices.

Answer 4

D. are reliable and cost-effective.

Answer 5

A. A list of appropriate controls for reducing or eliminating risk

Answer 6

B. Documented threats to the organization

Answer 7

C. Evaluation of the consequences to the entity

Answer 8

D. An inventory of risk that may impact the organization

Answer 9

A. Develop a scenario and perform a structured walk-through.

Answer 10

B. Draft and publish a clear practice for enterprise-level incident response.

Answer 11

C. Establish a cross-departmental working group to share perspectives.

Answer 12

D. Develop a project plan for end-to-end testing of disaster recovery.

Answer 13

A. Accept the high cost of protection.

Answer 14

B. Implement detective controls.

Answer 15

C. Ensure that asset exposure is low.

Answer 16

D. Transfer the risk to a third party.

Answer 17

B. an acceptable level.

Answer 18

C. an acceptable percent of revenue.

Answer 19

D. an acceptable probability of occurrence.

Answer 20

A. information security procedures.

Answer 21

B. information security principles.

Answer 22

C. employee code of conduct.

Answer 23

D. information security policy.

Answer 24

A. Patch management

Answer 25

B. Security baselines

Answer 26

C. Virus detection

Answer 27

D. Change management

Answer 28

A. Mandatory

Answer 29

B. Discretionary

Answer 30

C. Walled garden

Answer 31

D. Role-based

Answer 32

A. include customer perceptions.

Answer 33

B. contain percentage estimates.

Answer 34

C. lack specific details.

Answer 35

D. contain subjective information.

Answer 36

A. At the beginning of security program development

Answer 37

B. On a continuous basis

Answer 38

C. While developing the business case for the security program

Answer 39

D. During the business change process

Answer 40

A. Obtain the support of the board of directors.

Answer 41

B. Improve the content of the information security awareness program.

Answer 42

C. Improve the employees' knowledge of security policies.

Answer 43

D. Implement logical access controls to the information systems.

Answer 44

A. User assessments of changes

Answer 45

B. Comparison of the program results with industry standards

Answer 46

C. Assignment of risk within the organization

Answer 47

D. Participation by all members of the organization

Answer 48

A. Security awareness training

Answer 49

B. Achievable goals and objectives

Answer 50

C. Senior management sponsorship

Answer 51

D. Adequate start-up budget and staffing

Answer 52

A. Communicating to employees

Answer 53

B. Training IT staff

Answer 54

C. Identifying relevant technologies for automation

Answer 55

D. Obtaining sign-off from stakeholders

Answer 56

A. A documented succession plan

Answer 57

B. Distribution of key process documents

Answer 58

C. A reciprocal agreement with an alternate site

Answer 59

D. Strong senior management leadership

Answer 60

A. To reduce the likelihood of an information security event

Answer 61

B. To encourage compliance with information security policy

Answer 62

C. To comply with the local and industry-specific regulation and legislation

Answer 63

D. To provide employees with expectations for information security

Answer 64

A. the information security steering committee.

Answer 65

B. customers who may be impacted.

Answer 66

C. data owners who may be impacted.

Answer 67

D. regulatory agencies overseeing privacy.

Answer 68

A. system owner to take corrective action.

Answer 69

B. incident response team to investigate.

Answer 70

C. data owners to mitigate damage.

Answer 71

D. development team to remediate.

Answer 72

A. Validation checks are missing in data input pages.

Answer 73

B. Password rules do not allow sufficient complexity.

Answer 74

C. Application transaction log management is weak.

Answer 75

D. Application and database share a single access ID.

Answer 76

A. Confirm the incident.

Answer 77

B. Notify senior management.

Answer 78

C. Start containment.

Answer 79

D. Notify law enforcement.

Answer 80

A. To monitor that personnel are complying with contract provisions

Answer 81

B. To determine who is in the building in case of fire

Answer 82

C. To compare logical and physical access for anomalies

Answer 83

D. To ensure that the physical access control system is operating correctly

Answer 84

A. Data custodian

Answer 85

B. Chief information security officer (CISO)

Answer 86

C. Board of directors

Answer 87

D. Chief information officer (CIO)

Answer 88

A. Communicating specially drafted messages by an authorized person

Answer 89

B. Refusing to comment until recovery

Answer 90

C. Referring the media to the authorities

Answer 91

D. Reporting the losses and recovery strategy to the media

Answer 92

A. An adequate budget for the security program

Answer 93

B. Recruitment of technical IT employees

Answer 94

C. Periodic risk assessments

Answer 95

D. Security awareness training for employees

Answer 96

A. Product market share and annualized cost

Answer 97

B. Ability to interface with intrusion detection system (IDS) software and firewalls

Answer 98

C. Alert notifications and impact assessments for new viruses

Answer 99

D. Ease of maintenance and frequency of updates

Answer 100

A. security steering committee.

Answer 101

B. chief information officer (CIO).

Answer 102

C. chief information security officer (CISO).

Answer 103

D. chief compliance officer (CCO).

Answer 104

A. Risk analysis process

Answer 105

B. Business impact analysis (BIA)

Answer 106

C. Risk management balanced scorecard

Answer 107

D. Risk-based audit program

Answer 108

A. Resources available to implement the program

Answer 109

B. Compliance with legal and regulatory constraints

Answer 110

C. Effectiveness of risk mitigation

Answer 111

D. Resources required to implement the strategy

Answer 112

A. Business continuity plan

Answer 113

B. Disaster recovery plan

Answer 114

C. Incident response plan

Answer 115

D. Vulnerability management plan

Answer 116

A. Current and future technologies

Answer 117

B. Evolving data protection regulations

Answer 118

C. Economizing the costs of network bandwidth

Answer 119

D. Centralization of information security

Answer 120

A. Nonrepudiation

Answer 121

B. Timestamps

Answer 122

C. Biometric scanning

Answer 123

D. Encryption

Answer 124

A. Execute the virus scan.

Answer 125

B. Report the incident to senior management.

Answer 126

C. Format the hard disk.

Answer 127

D. Disconnect the computer from the network.

Answer 128

A. The patch should be loaded onto an isolated test machine.

Answer 129

B. The patch should be decompiled to check for malicious code.

Answer 130

C. The patch should be validated to ensure its authenticity.

Answer 131

D. The patch should be copied onto write-once media to prevent tampering.

Answer 132

A. recover an activity interrupted by an emergency or disaster, within a defined time and cost.

Answer 133

B. perform a walk-through of the steps required to recover from an adverse event.

Answer 134

C. reduce business disruption insurance premiums for the business.

Answer 135

D. address disruptive events with the objective of controlling impacts within acceptable levels.

Answer 136

A. More uniformity in quality of service

Answer 137

B. Better adherence to policies

Answer 138

C. Better alignment to business unit needs

Answer 139

D. More savings in total operating costs

Answer 140

A. Implement countermeasures.

Answer 141

B. Eliminate the risk.

Answer 142

C. Transfer the risk.

Answer 143

D. Accept the risk.

Answer 144

A. determine the probability of success.

Answer 145

B. calculate the return on investment (ROI).

Answer 146

C. analyze the cost-effectiveness.

Answer 147

D. define the issues to be addressed.

Answer 148

A. Most new viruses' signatures are identified over weekends

Answer 149

B. Technical personnel are not available to support the operation

Answer 150

C. Systems are vulnerable to new viruses during the intervening week

Answer 151

D. The update's success or failure is not known until Monday

Answer 152

A. express clearly and concisely the goals of an information security protection program.

Answer 153

B. outline the intended configuration of information system security controls.

Answer 154

C. mandate the behavior and acceptable actions of all information system users.

Answer 155

D. authorize the steps and procedures necessary to protect critical information systems.

Answer 156

A. The existence of messages is unknown.

Answer 157

B. Required key sizes are smaller.

Answer 158

C. Traffic cannot be sniffed.

Answer 159

D. Reliability of the data is higher in transit.

Answer 160

A. Information security staffing requirements

Answer 161

B. Current state and desired future state

Answer 162

C. IT capital investment requirements

Answer 163

D. Information security mission statement

Answer 164

A. Unrestricted data mining

Answer 165

B. Identity theft

Answer 166

C. Human rights protection

Answer 167

D. Identifiable personal data

Answer 168

A. Complying with applicable corporate standards

Answer 169

B. Achieving cost effectiveness of risk mitigation

Answer 170

C. Obtaining consensus of business units

Answer 171

D. Aligning with organizational goals

Answer 172

A. Direct information security on what they need to do

Answer 173

B. Research solutions to determine the proper solutions

Answer 174

C. Require management to report on compliance

Answer 175

D. Nothing; information security does not report to the board

Answer 176

A. constraints.

Answer 177

B. approach.

Answer 178

D. results.

Answer 179

A. Emergency call trees

Answer 180

B. Recovery criteria

Answer 181

C. Business impact assessment (BIA)

Answer 182

D. Critical backups inventory

Answer 183

A. Encryption

Answer 184

B. Content filtering

Answer 185

C. Database hardening

Answer 186

D. Hashing

Answer 187

A. Business unit managers

Answer 188

B. Chief information security officer (CISO)

Answer 189

C. Senior management

Answer 190

D. Chief information officer (CIO)

Answer 191

A. Through data encryption

Answer 192

B. Through digital signatures

Answer 193

C. Through strong passwords

Answer 194

D. Through two-factor authentication

Answer 195

A. Administrative and technical controls

Answer 196

B. Administrative and deterrent controls

Answer 197

C. Technical and physical controls

Answer 198

D. Administrative and corrective controls

Answer 199

A. IT steering committee

Answer 200

B. Data owner

Answer 201

C. System owner

Answer 202

D. IS auditor

Answer 203

A. utilizing a bottom-up approach.

Answer 204

B. management by the IT department.

Answer 205

C. referring the matter to the organization's legal department.

Answer 206

D. utilizing a top-down approach.

Answer 207

A. level of risk to information resources.

Answer 208

B. impact of a compromise.

Answer 209

C. requirements for control strength.

Answer 210

D. annual loss expectancy (ALE).

Answer 211

A. assess the risk of noncompliance.

Answer 212

B. initiate security awareness training.

Answer 213

C. prepare a status report for management.

Answer 214

D. increase compliance enforcement.

Answer 215

A. identify risks and assign roles and responsibilities for mitigation.

Answer 216

B. identify threats and probabilities.

Answer 217

C. facilitate a thorough review of all IT-related risks on a periodic basis.

Answer 218

D. record the annualized financial amount of expected losses due to risks.

Answer 219

A. effective communication and reporting processes.

Answer 220

B. clear policies detailing incident severity levels.

Answer 221

C. intrusion detection system (IDS) capabilities.

Answer 222

D. security awareness training.

Answer 223

A. Detailed technical recovery plans are maintained offsite

Answer 224

B. Network redundancy is maintained through separate providers

Answer 225

C. Hot site equipment needs are recertified on a regular basis

Answer 226

D. Appropriate declaration criteria have been established

Answer 227

A. The risk analysis helps justify the security expenditure.

Answer 228

B. The risk analysis helps prioritize the assets to be protected.

Answer 229

C. The risk analysis helps inform executive management of the residual risk.

Answer 230

D. The risk analysis helps assess exposures and plan remediation.

Answer 231

A. Employee monetary incentives

Answer 232

B. User education and training

Answer 233

C. A zero-tolerance security policy

Answer 234

D. Reporting of security infractions

Answer 235

A. Vulnerability scans

Answer 236

B. Penetration tests

Answer 237

C. Code reviews

Answer 238

D. Security audits

Answer 239

A. Input validation checks on SQL injection

Answer 240

B. Restricting access to social media sites

Answer 241

C. Deleting temporary files

Answer 242

D. Restricting execution of mobile code

Answer 243

A. periodic vulnerability assessment.

Answer 244

B. regulatory and legal requirements.

Answer 245

C. device storage capacity and longevity.

Answer 246

D. past litigation.

Answer 247

A. Perform periodic penetration testing

Answer 248

B. Establish minimum security baselines

Answer 249

C. Implement vendor default settings

Answer 250

D. Install a honeypot on the network

Answer 251

A. assess the commitment of senior management to the program.

Answer 252

B. assess the maturity level of the organization.

Answer 253

C. review the corporate standards.

Answer 254

D. review corporate risk management practices.

Answer 255

A. a level that is too small to be measurable.

Answer 256

B. the point at which the benefit exceeds the expense.

Answer 257

C. a level that the organization is willing to accept.

Answer 258

D. a rate of return that equals the current cost of capital.

Answer 259

A. Design a training program for the staff involved to heighten information security awareness

Answer 260

B. Set role-based access permissions on the shared folder

Answer 261

C. The end user develops a PC macro program to compare sender and recipient file contents

Answer 262

D. Shared folder operators sign an agreement to pledge not to commit fraudulent activities

Answer 263

A. Requiring employees to formally acknowledge receipt of the policy

Answer 264

B. Integrating security requirements into job descriptions

Answer 265

C. Making the policy available on the intranet

Answer 266

D. Implementing an annual retreat for employees on information security

Answer 267

A. Signal strength

Answer 268

B. Number of administrators

Answer 269

C. Bandwidth

Answer 270

D. Encryption strength

Answer 271

A. Cost to build a redundant processing facility and invocation

Answer 272

B. Daily cost of losing critical systems and recovery time objectives (RTOs)

Answer 273

C. Infrastructure complexity and system sensitivity

Answer 274

D. Criticality results from the business impact analysis (BIA)

Answer 275

A. Internal auditor

Answer 276

B. Information security management

Answer 277

C. Steering committee

Answer 278

D. Infrastructure management

Answer 279

A. security awareness training.

Answer 280

B. updated security policies.

Answer 281

C. a computer incident management team.

Answer 282

D. a security architecture.

Answer 283

A. Role-based access control

Answer 284

B. Audit trail monitoring

Answer 285

C. Privacy policy

Answer 286

D. Defense-in-depth

Answer 287

A. aligned with the IT strategic plan.

Answer 288

B. based on the current rate of technological change.

Answer 289

C. three-to-five years for both hardware and software.

Answer 290

D. aligned with the business strategy.

Answer 291

A. The identified levels of risk

Answer 292

B. Industry trends

Answer 293

C. An increased cost of services

Answer 294

D. The allocated revenue of the enterprise

Answer 295

A. Treat regulatory compliance as any other risk.

Answer 296

B. Ensure that policies address regulatory requirements.

Answer 297

C. Make regulatory compliance mandatory.

Answer 298

D. Obtain insurance for noncompliance.

Answer 299

A. Explicitly include the service provider in the security policies

Answer 300

B. Receive acknowledgement in writing stating the provider has read all policies

Answer 301

C. Cross-reference to policies in the service level agreement

Answer 302

D. Perform periodic reviews of the service provider

Answer 303

A. Information security manager

Answer 304

B. Information owners

Answer 305

C. Business continuity coordinator

Answer 306

D. Information technology (IT) operations manager

Answer 307

A. Describe the reduction of risk.

Answer 308

B. Present the emerging threat environment.

Answer 309

C. Benchmark against other enterprises.

Answer 310

D. Demonstrate the alignment of the program to business objectives.

Answer 311

A. Risk assessment

Answer 312

B. Security audit

Answer 313

C. Certification

Answer 314

D. Classification

Answer 315

A. Ensure that critical data on the server are backed up.

Answer 316

B. Shut down the compromised server.

Answer 317

C. Initiate the incident response process.

Answer 318

D. Shut down the network.

Answer 319

A. A defined information security architecture

Answer 320

B. Compliance with international security standards

Answer 321

C. Periodic external audits

Answer 322

D. An established risk management program

Answer 323

A. Develop an operational plan for achieving compliance with the legislation.

Answer 324

B. Identify systems and processes that contain privacy components.

Answer 325

C. Restrict the collection of personal information until compliant.

Answer 326

D. Identify privacy legislation in other countries that may contain similar requirements.

Answer 327

A. Data custodian

Answer 328

B. Legal department

Answer 329

C. Data owner

Answer 330

D. Chief information security officer (CISO)

Answer 331

A. Identifying security threats and vulnerabilities

Answer 332

B. Developing notification and activation procedures

Answer 333

C. Listing investigative priorities

Answer 334

D. Listing critical business resources

Answer 335

A. Critical data

Answer 336

B. Critical infrastructure

Answer 337

C. Safety of personnel

Answer 338

D. Vital records

Answer 339

A. It is computationally more efficient.

Answer 340

B. It is more scalable than a symmetric key.

Answer 341

C. It is less costly to maintain than a symmetric key approach.

Answer 342

D. It provides greater encryption strength than a secret key model.

Answer 343

A. Implementing a security awareness program

Answer 344

B. Rewarding compliance with security policies and guidelines

Answer 345

C. Implementing a discipline and reward system

Answer 346

D. Implementing a whistle-blower hotline

Answer 347

A. Insist on strict service level agreements (SLAs) to guarantee application availability.

Answer 348

B. Verify that the vendor's security architecture meets the organization's requirements.

Answer 349

C. Update the organization's security policies to reflect the vendor agreement.

Answer 350

D. Consult a third party to provide an audit report to assess the vendor's security program.

Answer 351

A. transfer the remaining risk to a third party.

Answer 352

B. acquire insurance against the effects of the residual risk.

Answer 353

C. validate that the residual risk is acceptable.

Answer 354

D. formally document and accept the residual risk.

Answer 355

A. Risk mitigation

Answer 356

B. Risk acceptance

Answer 357

C. Risk elimination

Answer 358

D. Risk transfer

Answer 359

A. The information security manager

Answer 360

B. The data owner

Answer 361

C. The data custodian

Answer 362

D. Business management

Answer 363

A. establish security metrics and performance monitoring.

Answer 364

B. educate business process owner s regarding their duties.

Answer 365

C. ensure that legal and regulatory requirements are met.

Answer 366

D. support the business objectives of the organization.

Answer 367

A. Database server

Answer 368

B. Domain name server (DNS)

Answer 369

C. Time server

Answer 370

D. Proxy server

Answer 371

A. Risk analysis

Answer 372

B. Annualized loss expectancy (ALE) calculations

Answer 373

C. Cost-benefit analysis

Answer 374

D. Impact analysis

Answer 375

A. developing the security strategy.

Answer 376

B. reviewing the security strategy.

Answer 377

C. communicating the security strategy.

Answer 378

D. approving the security strategy.

Answer 379

A. The business process owner

Answer 380

B. The departmental manager

Answer 381

C. The policy approver

Answer 382

D. The information security manager

Answer 383

A. Policies

Answer 384

B. Architecture

Answer 385

C. Legal requirements

Answer 386

D. Strategy

Answer 387

A. File backup procedures

Answer 388

B. Database integrity checks

Answer 389

C. Acceptable use policies

Answer 390

D. Incident response procedures

Answer 391

A. Eliminate low-priority security services.

Answer 392

B. Require management to accept the increased risk.

Answer 393

C. Use third-party providers for low-risk activities.

Answer 394

D. Reduce monitoring and compliance enforcement activities.

Answer 395

A. Opening a new office

Answer 396

B. Merging with another organization

Answer 397

C. Relocating the data center

Answer 398

D. Rewiring the network

Answer 399

A. Direct information security regarding specific resolutions that are needed to address the risk.

Answer 400

B. Research solutions to determine appropriate actions for the company.

Answer 401

C. Take no action; information security does not report to the board.

Answer 402

D. Direct management to assess the risk and to report the results to the board.

Answer 403

A. A comprehensive risk assessment

Answer 404

B. An enterprisewide impact assessment

Answer 405

C. A well-developed business case

Answer 406

D. Computing the net present value (NPV) of future savings

Answer 407

A. Restore servers from backup media stored offsite

Answer 408

B. Conduct an assessment to determine system status

Answer 409

C. Perform an impact analysis of the outage

Answer 410

D. Isolate the screened subnet

Answer 411

A. A summary of the security logs that illustrates the sequence of events

Answer 412

B. An explanation of the incident and corrective action taken

Answer 413

C. An analysis of the impact of similar attacks at other organizations

Answer 414

D. A business case for implementing stronger logical access controls

Answer 415

A. Downtime tolerance, resources and criticality

Answer 416

B. Cost of business outages in a year as a factor of the security budget

Answer 417

C. Business continuity testing methodology being deployed

Answer 418

D. Structure of the crisis management team

Answer 419

A. public key encryption is computationally more efficient.

Answer 420

B. scaling is less of a problem than using a symmetrical key.

Answer 421

C. public key encryption is less costly to maintain than symmetric key approaches.

Answer 422

D. public key encryption provides greater encryption strength than secret key options.

Answer 423

A. Establish the ownership of assets.

Answer 424

B. Evaluate the risks to the assets.

Answer 425

C. Take an asset inventory.

Answer 426

D. Categorize the assets.

Answer 427

A. a business plan.

Answer 428

B. an architecture.

Answer 429

C. requirements.

Answer 430

D. specifications.

Answer 431

A. Never use open source tools

Answer 432

B. Focus only on production servers

Answer 433

C. Follow a linear process for attacks

Answer 434

D. Do not interrupt production processes

Answer 435

A. Developing a business case

Answer 436

B. Conducting a cost-benefit analysis

Answer 437

C. Calculating return on investment (ROI)

Answer 438

D. Evaluating loss history

Answer 439

A. business value.

Answer 440

B. book value.

Answer 441

C. replacement cost.

Answer 442

D. initial cost.

Answer 443

A. Once a year for each business process and subprocess

Answer 444

B. Every three to six months for critical business processes

Answer 445

C. On a continuous basis

Answer 446

D. Annually or whenever there is a significant change

Answer 447

A. depend on up-to-date contact information.

Answer 448

B. pose an unacceptable risk to the organization.

Answer 449

C. pose a risk that the plan will not work when needed.

Answer 450

D. are quickly distinguished from tested plans.

Answer 451

A. The information security department has had difficulty filling vacancies.

Answer 452

B. The chief information officer (CIO) approves changes to the security policy.

Answer 453

C. The information security oversight committee only meets quarterly.

Answer 454

D. The data center manager has final signoff on all security projects.

Answer 455

A. A business impact assessment

Answer 456

B. An organization risk assessment

Answer 457

C. A business process map

Answer 458

D. A threat statement

Answer 459

A. Identify the incident.

Answer 460

B. Contain the incident.

Answer 461

C. Determine the root cause of the incident.

Answer 462

D. Perform a vulnerability assessment.

Answer 463

A. more time is devoted to exploitation than to fingerprinting and discovery.

Answer 464

B. this accurately simulates an external hacking attempt.

Answer 465

C. the ability to exploit Transmission Control Protocol/Internet Protocol (TCP/IP) vulnerabilities.

Answer 466

D. the elimination of the need for penetration testing tools.

Answer 467

A. Log all access to sensitive data.

Answer 468

B. Employ application-level encryption.

Answer 469

C. Install a database monitoring solution.

Answer 470

D. Develop a data security policy.

Answer 471

A. Providing equal coverage for all asset types

Answer 472

B. Benchmarking data from similar organizations

Answer 473

C. Considering both monetary value and likelihood of loss

Answer 474

D. Focusing on valid past threats and business losses

Answer 475

A. Authorization

Answer 476

B. Digital signing

Answer 477

C. Authentication

Answer 478

D. Nonrepudiation

Answer 479

A. identify whether current controls are adequate.

Answer 480

B. communicate the new requirement to audit.

Answer 481

C. implement the requirements of the new regulation.

Answer 482

D. conduct a cost-benefit analysis of implementing the control.

Answer 483

A. Backup media is stored offsite

Answer 484

B. Recovery location is secure and accessible

Answer 485

C. More than one hot site is available

Answer 486

D. Network alternate links are regularly tested

Answer 487

A. The nature of the indemnity clause

Answer 488

B. Ensuring that the business objectives are defined and met

Answer 489

C. Alignment of information system security objectives with enterprise goals

Answer 490

D. Compliance with legal requirements

Answer 491

A. Preemployment screening

Answer 492

B. Close monitoring of users' access patterns

Answer 493

C. Periodic awareness training

Answer 494

D. Efficient termination procedures

Answer 495

A. Train or "calibrate" the assessor.

Answer 496

B. Utilize only standardized approaches.

Answer 497

C. Ensure the impartiality of the assessor.

Answer 498

D. Utilize multiple methods of analysis.

Answer 499

A. organizational requirements.

Answer 500

B. information systems requirements.

Answer 501

C. information security requirements.

Answer 502

D. international standards.

Answer 503

A. Provide security awareness training to the third-party provider's employees

Answer 504

B. Conduct regular security reviews of the third-party provider

Answer 505

C. Include security requirements in the service contract

Answer 506

D. Request that the third-party provider comply with the organization's information security policy

Answer 507

A. Reducing the human risk

Answer 508

B. Maintaining evidence of training records to ensure compliance

Answer 509

C. Informing business units about the security strategy

Answer 510

D. Training personnel in security incident response

Answer 511

A. the cost of security is higher in later stages.

Answer 512

B. information security may affect project feasibility.

Answer 513

C. information security is essential to project approval.

Answer 514

D. it ensures proper project classification.

Answer 515

A. A business impact analysis (BIA), which identifies the requirements for continuous availability of critical business processes

Answer 516

B. Adequate distance between the primary site and the alternate site so that the same disaster does not simultaneously impact both sites

Answer 517

C. A benchmarking analysis of similarly situated enterprises in the same geographic region to demonstrate due diligence

Answer 518

D. Differences between the regulatory requirements applicable at the primary site and those at the alternate site

Answer 519

A. Hidden data may be stored there

Answer 520

B. The slack space contains login information

Answer 521

C. Slack space is encrypted

Answer 522

D. It provides flexible space for the investigation

Answer 523

A. Database management

Answer 524

B. Tape backup management

Answer 525

C. Configuration management

Answer 526

D. Incident response management

Answer 527

A. Assess the problems and institute rollback procedures, if needed.

Answer 528

B. Disconnect the systems from the network until the problems are corrected.

Answer 529

C. Uninstall the patches from these systems.

Answer 530

D. Contact the vendor regarding the problems that occurred.

Answer 531

A. A business case

Answer 532

B. A vulnerability assessment

Answer 533

C. Asset classification

Answer 534

D. Asset valuation

Answer 535

A. Implementing on-screen masking of passwords

Answer 536

B. Conducting periodic security awareness programs

Answer 537

C. Increasing the frequency of password changes

Answer 538

D. Requiring that passwords be kept strictly confidential

Answer 539

A. acknowledge receipt of electronic orders with a confirmation message.

Answer 540

B. perform reasonableness checks on quantities ordered before filling orders.

Answer 541

C. encrypt electronic orders.

Answer 542

D. verify the identity of senders and determine whether orders correspond to contract terms.

Answer 543

A. Passwords stored in encrypted form

Answer 544

B. User awareness

Answer 545

C. Strong passwords that are changed periodically

Answer 546

D. Implementation of lock-out policies

Answer 547

A. Delivery path tracing

Answer 548

B. Reverse lookup translation

Answer 549

C. Out-of-band channels

Answer 550

D. Digital signatures

Answer 551

A. It must be operated by information security to ensure that security is maintained.

Answer 552

B. It must be overseen by the steering committee because of its importance.

Answer 553

C. It must be secondary to release and configuration management.

Answer 554

D. It must include mandatory notification of the information security department.

Answer 555

A. change management.

Answer 556

B. release management.

Answer 557

C. incident management.

Answer 558

D. configuration management.

Answer 559

A. A fully updated intrusion detection system (IDS)

Answer 560

B. Multiple channels for distribution of information

Answer 561

C. A well-defined and structured communication plan

Answer 562

D. A regular schedule for review of network device logs

Answer 563

A. It identifies, assesses and prevents reoccurrence of incidents.

Answer 564

B. It detects and documents incidents.

Answer 565

C. It includes a risk management strategy.

Answer 566

D. It reflects the capabilities of the organization.

Answer 567

A. Card-key door locks

Answer 568

B. Photo identification

Answer 569

C. Biometric scanners

Answer 570

D. Awareness training

Answer 571

A. To implement the strategy

Answer 572

B. To optimize resources

Answer 573

C. To deliver on metrics

Answer 574

D. To achieve assurance

Answer 575

A. To mitigate the tendency for security gaps to exist between assurance functions

Answer 576

B. To reduce manpower requirements for providing effective information security

Answer 577

C. To ensure effective business continuity and disaster recovery

Answer 578

D. To simplify specification development and acquisition processes

Answer 579

A. an audit of the service provider uncovers no significant weakness.

Answer 580

B. the contract includes a nondisclosure agreement (NDA) to protect the organization's intellectual property.

Answer 581

C. the contract should mandate that the service provider will comply with security policies.

Answer 582

D. the third-party service provider conducts regular penetration testing.

Answer 583

A. Retrieve identification badge and card keys

Answer 584

B. Retrieve all personal computer equipment

Answer 585

C. Erase all of the employee's folders

Answer 586

D. Ensure all logical access is removed

Answer 587

A. implement stronger controls.

Answer 588

B. conduct periodic awareness training.

Answer 589

C. actively monitor operations.

Answer 590

D. gain endorsement from executive management.

Answer 591

A. Reduced number of security violation reports

Answer 592

B. A quantitative evaluation to ensure user comprehension

Answer 593

C. Increased interest in focus groups on security issues

Answer 594

D. Increased number of security violation reports

Answer 595

A. increased difficulty in problem management.

Answer 596

B. added complexity in incident management.

Answer 597

C. determining the impact of cascading risk.

Answer 598

D. less flexibility in setting service delivery objectives.

Answer 599

A. Senior management

Answer 600

B. The security manager

Answer 601

C. The data owner

Answer 602

D. The data custodian

Answer 603

A. A bit-level copy of all hard drive data

Answer 604

B. The last verified backup stored offsite

Answer 605

C. Data from volatile memory

Answer 606

D. Backup servers

Answer 607

A. Defining and ratifying the organization's data classification structure

Answer 608

B. Assigning the classification levels to the information assets

Answer 609

C. Securing information assets in accordance with their data classification

Answer 610

D. Confirming that information assets have been properly classified

Answer 611

A. Senior management

Answer 612

B. The business manager

Answer 613

C. The IT audit manager

Answer 614

D. The information security officer (ISO)

Answer 615

A. Contribution to revenue generation

Answer 616

B. A business impact analysis (BIA)

Answer 617

C. Threat assessment and analysis

Answer 618

D. Replacement costs

Answer 619

A. The chance of collusion among staff

Answer 620

B. Degradation of investigation quality

Answer 621

C. Minimization of false-positive alerts

Answer 622

D. Monitoring repeated low-risk events

Answer 623

A. Policies

Answer 624

B. Standards

Answer 625

C. Procedures

Answer 626

D. Guidelines

Answer 627

A. They should define the circumstances where cryptography should be used.

Answer 628

B. They should define cryptographic algorithms and key lengths.

Answer 629

C. They should describe handling procedures of cryptographic keys.

Answer 630

D. They should establish the use of cryptographic solutions.

Answer 631

A. Understand the business requirements of the developer portal

Answer 632

B. Perform a vulnerability assessment of the developer portal

Answer 633

C. Install an intrusion detection system (IDS)

Answer 634

D. Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server

Answer 635

A. Achieve strategic business goals and objectives.

Answer 636

B. Protect information assets using manual and automated controls.

Answer 637

C. Automate information security controls.

Answer 638

D. Eliminate threats to the organization.

Answer 639

A. Ensure the assignment of qualified personnel.

Answer 640

B. Request the IT department do an image copy.

Answer 641

C. Disconnect from the network and isolate the affected devices.

Answer 642

D. Ensure law enforcement personnel are present before the forensic analysis commences.

Answer 643

A. conducting a periodic and event-driven business impact analysis (BIA) to determine the needs of the business during a recovery.

Answer 644

B. assigning new applications a higher degree of importance and scheduling them for recovery first.

Answer 645

C. developing a help-desk ticket process that allows departments to request recovery of software during a disaster.

Answer 646

D. conducting a thorough risk assessment prior to purchasing the software.

Answer 647

A. Set accounts to pre-expire

Answer 648

B. Avoid granting system administration roles

Answer 649

C. Ensure they successfully pass background checks

Answer 650

D. Ensure their access is approved by the data owner

Answer 651

A. Creating a positive business security environment

Answer 652

B. Understanding key business objectives

Answer 653

C. Having a reporting line to senior management

Answer 654

D. Allocating sufficient resources to information security

Answer 655

A. Continue to work the current action.

Answer 656

B. Escalate to the next level for resolution.

Answer 657

C. Skip on to the next action in the plan.

Answer 658

D. Declare a disaster.

Answer 659

A. The security officer

Answer 660

B. Senior management

Answer 661

C. The end user

Answer 662

D. The custodian

Answer 663

B. Network

Answer 664

C. Operations

Answer 665

D. Database

Answer 666

A. Testing

Answer 667

B. Initiation

Answer 668

D. Development

Answer 669

A. a prescriptive methodology for designing the systems architecture.

Answer 670

B. an understanding that the whole is greater than the sum of its parts.

Answer 671

C. a process that ensures alignment with business objectives.

Answer 672

D. a framework for information security governance.

Answer 673

A. Building use cases

Answer 674

B. Conducting a network traffic analysis

Answer 675

C. Performing an asset-based risk assessment

Answer 676

D. The quality of the logs

Answer 677

A. Support of business objectives

Answer 678

B. Security metrics

Answer 679

C. Security deliverables

Answer 680

D. Process improvement models

Answer 681

A. Interviewing candidates for information security specialist positions

Answer 682

B. Developing content for security awareness programs

Answer 683

C. Prioritizing information security initiatives

Answer 684

D. Approving access to critical financial systems

Answer 685

A. classification policy.

Answer 686

B. retention policy.

Answer 687

C. creation policy.

Answer 688

D. leakage protection.

Answer 689

A. Number of users with privileged access

Answer 690

B. Trends in incident frequency

Answer 691

C. Annual network downtime

Answer 692

D. Vulnerability scan results

Answer 693

A. Alignment of information security and business objectives

Answer 694

B. Alignment of security controls with information technology

Answer 695

C. Alignment of concurrent security strategies

Answer 696

D. Alignment of values to protect corporate assets

Answer 697

A. Mandatory access controls

Answer 698

B. Discretionary access controls

Answer 699

C. Lattice-based access controls

Answer 700

D. Role-based access controls

Answer 701

A. technical competency.

Answer 702

B. incompatible culture.

Answer 703

C. defense in depth.

Answer 704

D. adequate policies.

Answer 705

A. broken authentication.

Answer 706

B. unvalidated input.

Answer 707

C. cross-site scripting.

Answer 708

D. structured query language (SQL) injection.

Answer 709

A. Manager

Answer 710

B. Custodian

Answer 711

A. Evaluate the impact of the information loss

Answer 712

B. Update the corporate laptop inventory

Answer 713

C. Ensure compliance with reporting procedures

Answer 714

D. Disable the user account immediately

Answer 715

A. Cultural differences

Answer 716

B. Technical competency

Answer 717

C. Adequate controls

Answer 718

D. Information security policies

Answer 719

A. adopt security standards.

Answer 720

B. determine security baselines.

Answer 721

C. define the security strategy.

Answer 722

D. establish security policies.

Answer 723

A. Theft of purchased software

Answer 724

B. Power outage lasting 24 hours

Answer 725

C. Permanent decline in customer confidence

Answer 726

D. Temporary loss of email services

Answer 727

A. Identify the vulnerable systems and apply compensating controls

Answer 728

B. Minimize the use of vulnerable systems

Answer 729

C. Communicate the vulnerability to system users

Answer 730

D. Update the signatures database of the intrusion detection system (IDS)

Answer 731

A. Assessment of risk to the assets

Answer 732

B. Approval of risk management methodology

Answer 733

C. Review of inherent risk to information assets

Answer 734

D. Review of residual risk for information assets

Answer 735

A. Individual business managers

Answer 736

B. Business systems analysts

Answer 737

C. Information security management

Answer 738

D. Industry benchmarking results

Answer 739

A. inferred connections.

Answer 740

B. standardized controls.

Answer 741

C. managed constraints.

Answer 742

D. direct traceability.

Answer 743

A. Areas where strict regulatory requirements apply

Answer 744

B. Areas that require the shortest recovery time objective (RTO)

Answer 745

C. Areas that can maximize return on security investment (ROSI)

Answer 746

D. Areas where threat likelihood and impact are greatest

Answer 747

A. Checklist test

Answer 748

B. Tabletop exercise

Answer 749

C. Full interruption test

Answer 750

D. Simulation test

Answer 751

A. is the residual risk after controls are applied.

Answer 752

B. is a risk that is expensive to mitigate.

Answer 753

C. falls within the risk tolerance level.

Answer 754

D. is a risk of relatively low frequency.

Answer 755

A. Allow business processes to continue during the response.

Answer 756

B. Allow the security team to assess the attack profile.

Answer 757

C. Permit the incident to continue to trace the source.

Answer 758

D. Examine the incident response process for deficiencies.

Answer 759

A. Increased reporting of security incidents to the incident response function

Answer 760

B. Decreased reporting of security incidents to the incident response function

Answer 761

C. Decrease in the number of password resets

Answer 762

D. Increase in the number of identified system vulnerabilities

Answer 763

A. Cost-benefit analysis

Answer 764

B. Penetration testing

Answer 765

C. Frequent risk assessment programs

Answer 766

D. Annual loss expectancy (ALE) calculation

Answer 767

A. Hot site

Answer 768

B. Redundant site

Answer 769

C. Reciprocal arrangement

Answer 770

D. Cold site

Answer 771

A. policy.

Answer 772

B. strategy.

Answer 773

C. guideline.

Answer 774

D. baseline.

Answer 775

A. Regulatory environment

Answer 776

B. International security standards

Answer 777

C. Organizational risks

Answer 778

D. Organizational goals

Answer 779

A. The program is developed by a professional training company.

Answer 780

B. The program is embedded into the orientation process.

Answer 781

C. The program is customized to the audience using the appropriate delivery channel.

Answer 782

D. The program is required by the information security policy.

Answer 783

A. Redundant power supplies

Answer 784

B. Protective switch covers

Answer 785

C. Shutdown alarms

Answer 786

D. Biometric readers

Answer 787

A. Replace the system for better response time.

Answer 788

B. Escalate the issue to management.

Answer 789

C. Revert to manual entry control procedures.

Answer 790

D. Increase compliance enforcement.

Answer 791

A. Perform a risk assessment to determine the level of exposure.

Answer 792

B. Classify the risk as acceptable to senior management.

Answer 793

C. Deploy additional countermeasures immediately.

Answer 794

D. Transfer the remaining risk to another organization.

	Created by Eduardo Castella7911 almost 9 years ago

	Copied by Rob van der Heijden over 7 years ago

Next up

CISM 2014 Questions - 2

Description

Resource summary

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25

Question 26

Question 27

Question 28

Question 29

Question 30

Question 31

Question 32

Question 33

Question 34

Question 35

Question 36

Question 37

Question 38

Question 39

Question 40

Question 41

Question 42

Question 43

Question 44

Question 45

Question 46

Question 47

Question 48

Question 49

Question 50

Question 51

Question 52

Question 53

Question 54

Question 55

Question 56

Question 57

Question 58

Question 59

Question 60

Question 61

Question 62

Question 63

Question 64

Question 65

Question 66

Question 67

Question 68

Question 69

Question 70

Question 71

Question 72

Question 73

Question 74

Question 75

Question 76