CISM Past Paper PDF
IT Certification Guaranteed, The Easy Way!

NO.1 An organization's information security manager is performing a post-incident review of a security incident in which the following events occurred:
* A bad actor broke into a business-critical FTP server by brute forcing an administrative password
* The third-party service provider hosting the server sent an automated alert message to the help desk, but it was ignored
* The bad actor could not access the administrator console, but was exposed to encrypted data transferred to the server
* After three hours, the bad actor deleted the FTP directory, causing incoming FTP attempts by legitimate customers to fail
Which of the following could have been prevented by conducting regular incident response testing?
A. Ignored alert messages
B. The server being compromised
C. The brute force attack
D. Stolen data
Answer: A
Explanation: Ignored alert messages could have been prevented by conducting regular incident response testing because it would have ensured that the help desk staff are familiar with and trained on how to handle different types of alert messages from different sources, and how to escalate them appropriately. The server being compromised could not have been prevented by conducting regular incident response testing because it is related to security vulnerabilities or weaknesses in the server configuration or authentication mechanisms. The brute force attack could not have been prevented by conducting regular incident response testing because it is related to security threats or attacks from external sources. Stolen data could not have been prevented by conducting regular incident response testing because it is related to security breaches or incidents that may occur despite the incident response plan or process.
Reference:
https://www.isaca.org/resources/isacajournal/issues/2017/volume-5/incident-response-lessons-learned
https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/incident-response-lessonslearned

NO.2 An information security manager is reporting on open items from the risk register to senior management. Which of the following is MOST important to communicate with regard to these risks?
A. Responsible entities
B. Key risk indicators (KRIs)
C. Compensating controls
D. Potential business impact
Answer: D

NO.3 The PRIMARY purpose for continuous monitoring of security controls is to ensure:
A. control gaps are minimized.
B. system availability.
C. effectiveness of controls.
D. alignment with compliance requirements.
Answer: C
Explanation: The primary purpose for continuous monitoring of security controls is to ensure the effectiveness of controls. This involves regularly assessing the controls to ensure that they are meeting their intended objectives, and that any potential weaknesses are identified and addressed. Continuous monitoring also helps to ensure that control gaps are minimized, and that systems are available and aligned with compliance requirements.

NO.4 How does an incident response team BEST leverage the results of a business impact analysis (BIA)?
A. Assigning restoration priority during incidents
B. Determining total cost of ownership (TCO)
C. Evaluating vendors critical to business recovery
D. Calculating residual risk after the incident recovery phase
Answer: A

NO.5 Following a risk assessment, an organization has made the decision to adopt a bring your own device (BYOD) strategy. What should the information security manager do NEXT?
A. Develop a personal device policy
B. Implement a mobile device management (MDM) solution
C. Develop training specific to BYOD awareness
D.
Define control requirements
Answer: D
Explanation: Defining control requirements is the next step to ensure the security policy framework encompasses the new business model because it is a process of identifying and specifying the security measures and standards that are needed to protect the data and applications accessed by the BYOD devices. Defining control requirements helps to establish the baseline security level and expectations for the BYOD strategy, as well as to align them with the business objectives and risks. Therefore, defining control requirements is the correct answer.
Reference:
https://www.digitalguardian.com/blog/ultimate-guide-byod-security-overcoming-challengescreating-effective-policies-and-mitigating
https://learn.microsoft.com/en-us/mem/intune/fundamentals/byod-technology-decisions

NO.6 To help ensure that an information security training program is MOST effective, its contents should be:
A. focused on information security policy.
B. aligned to business processes.
C. based on employees' roles.
D. based on recent incidents.
Answer: C
Explanation: "An information security training program should be tailored to the specific roles and responsibilities of employees. This will help them understand how their actions affect information security and what they need to do to protect it. A generic training program that is focused on policy, business processes or recent incidents may not be relevant or effective for all employees."

NO.7 Which of the following processes BEST supports the evaluation of incident response effectiveness?
A. Root cause analysis
B. Post-incident review
C. Chain of custody
D. Incident logging
Answer: B

NO.8 Which of the following is the BEST option to lower the cost to implement application security controls?
A. Perform security tests in the development environment.
B. Integrate security activities within the development process.
C. Perform a risk analysis after project completion.
D. Include standard application security requirements.
Answer: B
Explanation: Integrating security activities within the development process is the best option to lower the cost to implement application security controls because it ensures that security is considered and addressed throughout the software development life cycle (SDLC), from design to deployment, and reduces the likelihood and impact of security flaws or vulnerabilities that may require costly fixes or patches later on. Performing security tests in the development environment is not the best option because it may not detect or prevent all security issues that may arise in different environments or scenarios. Performing a risk analysis after project completion is not a good option because it may be too late to identify or mitigate security risks that may have been introduced during the project. Including standard application security requirements is not a good option because it may not account for specific or unique security needs or challenges of different applications or projects.
Reference:
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/secure-softwaredevelopment-lifecycle
https://www.isaca.org/resources/isaca-journal/issues/2016/volume4/technical-security-standards-for-information-systems

NO.9 Which of the following is the PRIMARY responsibility of an information security manager in an organization that is implementing the use of company-owned mobile devices in its operations?
A. Require remote wipe capabilities for devices.
B. Conduct security awareness training.
C. Review and update existing security policies.
D. Enforce passwords and data encryption on the devices.
Answer: C
Explanation: The primary responsibility of an information security manager in an organization that is implementing the use of company-owned mobile devices in its operations is to review and update existing security policies.
Security policies are the foundation of an organization's security program, as they define the goals, objectives, principles, roles, responsibilities, and requirements for protecting information and systems. Security policies should be reviewed and updated regularly to reflect changes in the organization's environment, needs, risks, and technologies [1]. Implementing the use of company-owned mobile devices in its operations is a significant change that may introduce new threats and vulnerabilities, as well as new opportunities and benefits, for the organization. Therefore, the information security manager should review and update existing security policies to address the following aspects [2]:
* The scope, purpose, and ownership of company-owned mobile devices
* The acceptable and unacceptable use of company-owned mobile devices
* The security standards and best practices for company-owned mobile devices
* The roles and responsibilities of users, managers, IT staff, and vendors regarding company-owned mobile devices
* The procedures for provisioning, managing, monitoring, and decommissioning company-owned mobile devices
* The incident response and reporting process for company-owned mobile devices
By reviewing and updating existing security policies, the information security manager can ensure that the organization's security program is aligned with its business objectives and risk appetite, as well as compliant with applicable laws and regulations. The other options are not the primary responsibility of an information security manager in an organization that is implementing the use of company-owned mobile devices in its operations. They are possible actions or controls that may be derived from or supported by the updated security policies. Requiring remote wipe capabilities for devices is a technical control that can help prevent data loss or theft in case of device loss or compromise [3]. Conducting security awareness training is an administrative control that can help educate users about the security risks and responsibilities associated with using company-owned mobile devices. Enforcing passwords and data encryption on the devices is a technical control that can help protect data confidentiality and integrity on company-owned mobile devices.
Reference:
[1] Information Security Policy - NIST
[2] Mobile Device Security Policy - SANS
[3] Remote Wipe: What It Is & How It Works - Lifewire
Security Awareness Training - NIST
Mobile Device Encryption - NIST

NO.10 Which of the following metrics BEST measures the effectiveness of an organization's information security program?
A. Increase in risk assessments completed
B. Reduction in information security incidents
C. Return on information security investment
D. Number of information security business cases developed
Answer: C

NO.11 To overcome the perception that security is a hindrance to business activities, it is important for an information security manager to:
A. rely on senior management to enforce security.
B. promote the relevance and contribution of security.
C. focus on compliance.
D. reiterate the necessity of security.
Answer: B
Explanation: To overcome the perception that security is a hindrance to business activities, it is important for an information security manager to promote the relevance and contribution of security. By demonstrating the value that security brings to the organization, including protecting assets and supporting business objectives, the information security manager can help to change the perception of security from a hindrance to a critical component of business success. Relying on senior management to enforce security, focusing on compliance, and reiterating the necessity of security are all important elements of a comprehensive security program, but they do not directly address the perception that security is a hindrance to business activities. By promoting the relevance and contribution of security, the information security manager can help to align security with the overall goals and objectives of the organization, and foster a culture that values and supports security initiatives.

NO.12 Which of the following is MOST helpful for protecting an enterprise from advanced persistent threats (APTs)?
A. Updated security policies
B. Defined security standards
C. Threat intelligence
D. Regular antivirus updates
Answer: B

NO.13 When choosing the best controls to mitigate risk to acceptable levels, the information security manager's decision should be MAINLY driven by:
A. best practices.
B. control framework.
C. regulatory requirements.
D. cost-benefit analysis.
Answer: C

NO.14 Which of the following BEST determines the allocation of resources during a security incident response?
A. Senior management commitment
B. A business continuity plan (BCP)
C. An established escalation process
D. Defined levels of severity
Answer: D
Explanation: Defined levels of severity is the best determinant of the allocation of resources during a security incident response. Having defined levels of severity allows organizations to plan for and allocate resources for each level of incident, depending on the severity of the incident. This ensures that the right resources are allocated in a timely manner and that incidents are addressed appropriately.

NO.15 Which of the following should an information security manager do FIRST when creating an organization's disaster recovery plan (DRP)?
A. Conduct a business impact analysis (BIA)
B. Identify the response and recovery teams.
C. Review the communications plan.
D.
Develop response and recovery strategies.
Answer: A
Explanation: Conducting a business impact analysis (BIA) is the first step when creating an organization's disaster recovery plan (DRP) because it helps to identify and prioritize the critical business functions or processes that need to be restored after a disruption, and determine their recovery time objectives (RTOs) and recovery point objectives (RPOs) [2]. Identifying the response and recovery teams is not the first step, but rather a subsequent step that involves assigning roles and responsibilities for executing the DRP. Reviewing the communications plan is not the first step, but rather a subsequent step that involves defining the communication channels and protocols for notifying and updating the stakeholders during and after a disruption. Developing response and recovery strategies is not the first step, but rather a subsequent step that involves selecting and implementing the appropriate solutions and procedures for restoring the critical business functions or processes.
Reference:
[2] https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/business-impact-analysis-biaand-disaster-recovery-planning-drp

NO.16 Which of the following is the FIRST step to establishing an effective information security program?
A. Conduct a compliance review.
B. Assign accountability.
C. Perform a business impact analysis (BIA).
D. Create a business case.
Answer: D

NO.17 Which of the following would BEST justify continued investment in an information security program?
A. Reduction in residual risk
B. Security framework alignment
C. Speed of implementation
D. Industry peer benchmarking
Answer: A
Explanation: Residual risk is the remaining risk after all security controls have been implemented. It is important to measure the residual risk of an organization in order to determine the effectiveness of the security program and to justify continued investment in the program. A reduction in residual risk is an indication that the security program is effective and that continued investment is warranted.

NO.18 Which of the following has the GREATEST influence on an organization's information security strategy?
A. The organization's risk tolerance
B. The organizational structure
C. Industry security standards
D. Information security awareness
Answer: A
Explanation: An organization's information security strategy should be aligned with its risk tolerance, which is the level of risk that an organization is willing to accept in pursuit of its objectives. The strategy should aim to balance the cost of security controls with the potential impact of security incidents on the organization's objectives. Therefore, an organization's risk tolerance has the greatest influence on its information security strategy. The organization's risk tolerance has the greatest influence on its information security strategy because it determines how much risk the organization is willing to accept and how many resources it will allocate to mitigate or transfer risk. The organizational structure, industry security standards, and information security awareness are important factors that affect the implementation and effectiveness of an information security strategy, but not as much as the organization's risk tolerance. An information security strategy is a high-level plan that defines how an organization will achieve its information security objectives and address its information security risks. An information security strategy should align with the organization's business strategy and reflect its mission, vision, values, and culture. An information security strategy should also consider the external and internal factors that influence the organization's information security environment, such as laws, regulations, competitors, customers, suppliers, partners, stakeholders, employees, etc.

NO.19 Which of the following would be the MOST effective way to present quarterly reports to the board on the status of the information security program?
A. A capability and maturity assessment
B. Detailed analysis of security program KPIs
C. An information security dashboard
D. An information security risk register
Answer: C
Explanation: An information security dashboard is an effective way to present quarterly reports to the board on the status of the information security program. It allows the board to quickly view key metrics and trends at a glance and to drill down into more detailed information as needed. The dashboard should include metrics such as total incidents, patching compliance, vulnerability scanning results, and more. It should also include high-level overviews of the security program and its components, such as the security policy, security architecture, and security controls.

NO.20 An anomaly-based intrusion detection system (IDS) operates by gathering data on:
A. normal network behavior and using it as a baseline for measuring abnormal activity.
B. abnormal network behavior and issuing instructions to the firewall to drop rogue connections.
C. abnormal network behavior and using it as a baseline for measuring normal activity.
D. attack pattern signatures from historical data.
Answer: A
Explanation: An anomaly-based intrusion detection system (IDS) operates by gathering data on normal network behavior and using it as a baseline for measuring abnormal activity. This is important because it allows the IDS to detect any activity that is outside of the normal range of usage for the network, which can help to identify potential malicious activity or security threats. Additionally, the IDS will monitor for any changes in the baseline behavior and alert the administrator if any irregularities are detected. By contrast, signature-based IDSs operate by gathering attack pattern signatures from historical data and comparing them against incoming traffic in order to identify malicious activity.

NO.21 If civil litigation is a goal for an organizational response to a security incident, the PRIMARY step should be to:
A. contact law enforcement.
B. document the chain of custody.
C. capture evidence using standard server-backup utilities.
D. reboot affected machines in a secure area to search for evidence.
Answer: B

NO.22 Which of the following is MOST effective in monitoring an organization's existing risk?
A. Periodic updates to risk register
B. Risk management dashboards
C. Security information and event management (SIEM) systems
D. Vulnerability assessment results
Answer: B

NO.23 What is the BEST way to reduce the impact of a successful ransomware attack?
A. Perform frequent backups and store them offline.
B. Purchase or renew cyber insurance policies.
C. Include provisions to pay ransoms in the information security budget.
D. Monitor the network and provide alerts on intrusions.
Answer: A

NO.24 Which of the following BEST facilitates an information security manager's efforts to obtain senior management commitment for an information security program?
A. Presenting evidence of inherent risk
B. Reporting the security maturity level
C. Presenting compliance requirements
D. Communicating the residual risk
Answer: C

NO.25 Which of the following is the MOST important reason to conduct interviews as part of the business impact analysis (BIA) process?
A. To facilitate a qualitative risk assessment following the BIA
B. To increase awareness of information security among key stakeholders
C. To ensure the stakeholders providing input own the related risk
D. To obtain input from as many relevant stakeholders as possible
Answer: C

NO.26 Which of the following would BEST enable the timely execution of an incident response plan?
A.
The introduction of a decision support tool
B. Definition of trigger events
C. Clearly defined data classification process
D. Centralized service desk
Answer: B
Explanation: Definition of trigger events is the best way to enable the timely execution of an incident response plan because it helps to specify the conditions or criteria that initiate the incident response process. Trigger events are predefined scenarios or indicators that signal the occurrence or potential occurrence of a security incident, such as a ransomware attack, a data breach, a denial-of-service attack, or an unauthorized access attempt. Definition of trigger events helps to ensure that the incident response team is alerted and activated as soon as possible, as well as to determine the appropriate level and scope of response based on the severity and impact of the incident. Therefore, definition of trigger events is the correct answer.
Reference:
https://www.atlassian.com/incident-management/kpis/common-metrics
https://www.varonis.com/blog/incident-response-plan/
https://holierthantao.com/2023/05/03/minimizing-disruptions-a-comprehensive-guide-to-incidentresponse-planning-and-execution/

NO.27 Which of the following change management procedures is MOST likely to cause concern to the information security manager?
A. Fallback processes are tested the weekend before changes are made.
B. Users are not notified of scheduled system changes.
C. A manual rather than an automated process is used to compare program versions.
D. The development manager migrates programs into production.
Answer: D
Explanation: According to the Certified Information Security Manager (CISM) Study Guide, one of the primary responsibilities of an information security manager is to ensure that changes to systems and processes are managed in a secure and controlled manner. The change management procedure that is most likely to cause concern for an information security manager is when the development manager migrates programs into production without proper oversight or control. This can increase the risk of unauthorized changes being made to systems and data, and can also increase the risk of configuration errors or other issues that can negatively impact the security and availability of systems. To mitigate these risks, it is important for the information security manager to work closely with the development team to establish and enforce change management procedures that ensure that all changes are properly approved, tested, and implemented in a controlled manner.

NO.28 Which of the following is the GREATEST benefit of conducting an organization-wide security awareness program?
A. The security strategy is promoted.
B. Fewer security incidents are reported.
C. Security behavior is improved.
D. More security incidents are detected.
Answer: C

NO.29 Which of the following documents should contain the INITIAL prioritization of recovery of services?
A. IT risk analysis
B. Threat assessment
C. Business impact analysis (BIA)
D. Business process map
Answer: C
Explanation: A business impact analysis (BIA) is the document that should contain the initial prioritization of recovery of services. A BIA is a process of identifying and analyzing the potential effects of disruptions to critical business functions and processes. A BIA typically includes the following steps [1]:
* Identifying the critical business functions and processes that support the organization's mission and objectives.
* Estimating the maximum tolerable downtime (MTD) for each function or process, which is the longest time that the organization can afford to be without that function or process before suffering unacceptable consequences.
* Assessing the potential impacts of disruptions to each function or process, such as financial losses, reputational damage, legal liabilities, regulatory penalties, customer dissatisfaction, etc.
* Prioritizing the recovery of functions or processes based on their MTDs and impacts, and assigning recovery time objectives (RTOs) and recovery point objectives (RPOs) for each function or process. RTOs are the target times for restoring functions or processes after a disruption, while RPOs are the acceptable amounts of data loss in case of a disruption.
* Identifying the resources and dependencies required for each function or process, such as staff, equipment, software, data, suppliers, customers, etc.
A BIA provides the basis for developing a business continuity plan (BCP), which is a document that outlines the strategies and procedures for ensuring the continuity or recovery of critical business functions and processes in the event of a disruption [2]. The other options are not documents that should contain the initial prioritization of recovery of services. An IT risk analysis is a process of identifying and evaluating the threats and vulnerabilities that affect the IT systems and assets of an organization. It helps to determine the likelihood and impact of potential IT incidents, and to select and implement appropriate controls to mitigate the risks [3]. A threat assessment is a process of identifying and analyzing the sources and capabilities of adversaries that may pose a threat to an organization's security. It helps to determine the level of threat posed by different actors, and to develop countermeasures to prevent or respond to attacks. A business process map is a visual representation of the activities, inputs, outputs, roles, and resources involved in a business process. It helps to understand how a process works, how it can be improved, and how it relates to other processes.
Reference:
[1] Business impact analysis (BIA) - Wikipedia
[2] Business continuity plan - Wikipedia
[3] IT risk management - Wikipedia
Threat assessment - Wikipedia
Business process mapping - Wikipedia

NO.30 Which of the following is the GREATEST inherent risk when performing a disaster recovery plan (DRP) test?
A. Poor documentation of results and lessons learned
B. Lack of communication to affected users
C. Disruption to the production environment
D. Lack of coordination among departments
Answer: C
Explanation: The greatest inherent risk when performing a disaster recovery plan (DRP) test is disruption to the production environment. A DRP test involves simulating a disaster scenario to ensure that the organization's plans are effective and that it is able to recover from an incident. However, this involves running tests on the production environment, which has the potential to disrupt the normal operations of the organization. This inherent risk can be mitigated by running tests on a nonproduction environment or by running tests at times when disruption will be minimized.

NO.31 Which of the following activities is designed to handle a control failure that leads to a breach?
A. Risk assessment
B. Incident management
C. Root cause analysis
D. Vulnerability management
Answer: B

NO.32 A finance department director has decided to outsource the organization's budget application and has identified potential providers. Which of the following actions should be initiated FIRST by an information security manager?
A. Determine the required security controls for the new solution.
B. Review the disaster recovery plans (DRPs) of the providers.
C. Obtain audit reports on the service providers' hosting environment.
D. Align the roles of the organization's and the service providers' staff.
Answer: A
Explanation: Before outsourcing any application or service, an information security manager should first determine the required security controls for the new solution, based on the organization's risk appetite, security policies and standards, and regulatory requirements. This will help to evaluate and select the most suitable provider, as well as to define the security roles and responsibilities, service level agreements (SLAs), and audit requirements.
Reference:
https://www.isaca.org/credentialing/cism
https://www.wiley.com/enus/CISM+Certified+Information+Security+Manager+Study+Guide-p-9781119801948

NO.33 Which of the following BEST enables the integration of information security governance into corporate governance?
A. Senior management approval of the information security strategy
B. An information security steering committee with business representation
C. Clear lines of authority across the organization
D. Well-documented information security policies and standards
Answer: B

NO.34 Which of the following is the BEST course of action for an information security manager to align security and business goals?
A. Conducting a business impact analysis (BIA)
B. Reviewing the business strategy
C. Defining key performance indicators (KPIs)
D. Actively engaging with stakeholders
Answer: D

NO.35 The MOST appropriate time to conduct a disaster recovery test would be after:
A. major business processes have been redesigned.
B. the business continuity plan (BCP) has been updated.
C. the security risk profile has been reviewed.
D. noncompliance incidents have been filed.
Answer: A

NO.36 Which of the following is the GREATEST benefit of including incident classification criteria within an incident response plan?
A. Ability to monitor and control incident management costs
B. More visibility to the impact of disruptions
C. Effective protection of information assets
D. Optimized allocation of recovery resources
Answer: D
Explanation: The explanation given in the manual is: Incident classification criteria enable an organization to prioritize incidents based on their impact and urgency. This allows for an optimized allocation of recovery resources to minimize business disruption and ensure timely restoration of normal operations. The other choices are benefits of incident management but not directly related to incident classification criteria.

NO.37 An organization has multiple data repositories across different departments. The information security manager has been tasked with creating an enterprise strategy for protecting data. Which of the following information security initiatives should be the HIGHEST priority for the organization?
A. Data masking
B. Data retention strategy
C. Data encryption standards
D. Data loss prevention (DLP)
Answer: C
Explanation: Data encryption standards are the best information security initiative for creating an enterprise strategy for protecting data across multiple data repositories and different departments because they help to ensure the confidentiality, integrity, and availability of data in transit and at rest. Data encryption is a process of transforming data into an unreadable format using a secret key or algorithm, so that only authorized parties can access and decrypt it. Data encryption standards are the rules or specifications that define how data encryption should be performed, such as the type, strength, and mode of encryption, the key management and distribution methods, and the compliance requirements. Data encryption standards help to protect data from unauthorized access, modification, or theft, as well as to meet the regulatory obligations for data privacy and security. Therefore, data encryption standards are the correct answer.
Reference:
https://www.techtarget.com/searchdatabackup/tip/20-keys-to-a-successful-enterprise-dataprotection-strategy
https://cloudian.com/guides/data-protection/data-protection-strategy-10-components-of-aneffective-strategy/
https://www.veritas.com/information-center/enterprise-data-protection

NO.38 Which of the following is MOST useful to an information security manager when determining the need to escalate an incident to senior management?
A. Incident management procedures
B. Incident management policy
C. System risk assessment
D. Organizational risk register
Answer: D
Explanation: The organizational risk register is the most useful for an information security manager when determining the need to escalate an incident to senior management because it contains a list of identified risks to the organization, their likelihood and impact, and their predefined risk thresholds or targets, which can help the information security manager assess the severity and urgency of the incident and decide whether it requires senior management's attention or action. Incident management procedures are not very useful for this purpose because they do not provide any specific criteria or guidance on when to escalate an incident to senior management. Incident management policy is not very useful for this purpose because it does not provide any specific criteria or guidance on when to escalate an incident to senior management. System risk assessment is not very useful for this purpose because it does not reflect the current risk exposure or status of the organization as a whole.
Reference:
https://www.isaca.org/resources/isacajournal/issues/2016/volume-6/how-to-measure-the-effectiveness-of-information-security-using-iso27004
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-responselessons-learned

NO.39 Which of the following would be MOST helpful to identify worst-case disruption scenarios?
A. Business impact analysis (BIA)
B. Business process analysis
C. SWOT analysis
D. Cost-benefit analysis
Answer: A

NO.40 A security incident has been reported within an organization. When should an information security manager contact the information owner? After the:
A. incident has been confirmed.
B. incident has been contained.
C. potential incident has been logged.