CISM TEXT (2) (dragged) 4.pdf

Full Transcript

NO.171 An investigation of a recent security incident determined that the root cause was negligent handing of incident alerts
by system admit manager to address this issue?
A. Conduct a risk assessment and share the result with senior management.
B. Revise the incident response plan-to align with business processes.
C. Provide incident response training to data custodians.
D. Provide incident response training to data owners.
Answer: C

NO.172 Of the following, who is accountable for data loss in the event of an information security incident at a third-party
provider?
A. The information security manager
B. The service provider that hosts the data
C. The incident response team
D. The business data owner
Answer: D

NO.173 The MOST important reason for having an information security manager serve on the change management
committee is to:
A. identify changes to the information security policy.
B. ensure that changes are tested.
C. ensure changes are properly documented.
D. advise on change-related risk.
Answer: D

NO.174 Which of the following roles is MOST appropriate to determine access rights for specific users of an application?
A. Data owner
B. Data custodian
C. System administrator
D. Senior management
Answer: A

NO.175 Which of the following would provide the BEST evidence to senior management that security control performance has
improved?
A. Demonstrated return on security investment
B. Reduction in inherent risk
C. Results of an emerging threat analysis
D. Review of security metrics trends
Answer: D

NO.176 Which of the following is the BEST course of action when an online company discovers a network attack in progress?
A. Dump all event logs to removable media
B. Isolate the affected network segment
C. Enable trace logging on ail events
D. Shut off all network access points

Answer: B

NO.177 Which of the following is the BEST tool to monitor the effectiveness of information security governance?
A. Key performance indicators (KPIs)
B. Balanced scorecard
C. Business impact analysis (BIA)
D. Risk profile
Answer: B

NO.178 Of the following, who is MOST appropriate to own the risk associated with the failure of a privileged access control?
A. Data owner
B. Business owner
C. Information security manager
D. Compliance manager
Answer: B

NO.179 During the initiation phase of the system development life cycle (SDLC) for a software project, information security
activities should address:
A. baseline security controls.
B. benchmarking security metrics.
C. security objectives.
D. cost-benefit analyses.
Answer: A

NO.180 The MOST important element in achieving executive commitment to an information security governance program is:
A. a defined security framework.
B. a process improvement model
C. established security strategies.
D. identified business drivers.
Answer: D

NO.181 A user reports a stolen personal mobile device that stores sensitive corporate dat a. Which of the following will BEST
minimize the risk of data exposure?
A. Prevent the user from using personal mobile devices.
B. Report the incident to the police.
C. Wipe the device remotely.
D. Remove user's access to corporate data.
Answer: C

NO.182 Which of the following is MOST helpful for aligning security operations with the IT governance framework?
A. Security risk assessment
B. Security operations program
C. Information security policy
D. Business impact analysis (BIA)

Answer: B

NO.183 Recovery time objectives (RTOs) are an output of which of the following?
A. Business continuity plan (BCP)
B. Disaster recovery plan (DRP)
C. Service level agreement (SLA)
D. Business impact analysis (BIA)
Answer: D

NO.184 Which of the following would BEST enable a new information security manager to obtain senior management support
for an information security governance program?
A. Demonstrating the program's value to the organization
B. Discussing governance programs found in similar organizations
C. Providing the results of external audits
D. Providing examples of information security incidents within the organization
Answer: A

NO.185 Which of the following is MOST important for an information security manager to verify before conducting fullfunctional continuity testing?
A. Risk acceptance by the business has been documented
B. Teams and individuals responsible for recovery have been identified
C. Copies of recovery and incident response plans are kept offsite
D. Incident response and recovery plans are documented in simple language
Answer: B

NO.186 An organization plans to utilize Software as a Service (SaaS) and is in the process of selecting a vendor. What should
the information security manager do FIRST to support this initiative?
A. Review independent security assessment reports for each vendor.
B. Benchmark each vendor's services with industry best practices.
C. Analyze the risks and propose mitigating controls.
D. Define information security requirements and processes.
Answer: A

NO.187 The PRIMARY objective of performing a post-incident review is to:
A. re-evaluate the impact of incidents.
B. identify vulnerabilities.
C. identify control improvements.
D. identify the root cause.
Answer: D

NO.188 Which of the following is MOST critical when creating an incident response plan?
A. Identifying vulnerable data assets
B. Identifying what constitutes an incident
C. Decumenting incident notification and escalation processes
D. Aligning with the risk assessment process

Answer: B

NO.189 An organization has identified an increased threat of external brute force attacks in its environment. Which of the
following is the MOST effective way to mitigate this risk to the organization's critical systems?
A. Implement multi-factor authentication.
B. Increase the frequency of log monitoring and analysis.
C. Implement a security information and event management system (SIEM),
D. Increase the sensitivity of intrusion detection systems (IDSs).
Answer: A

NO.190 Which of the following has The GREATEST positive impact on The ability to execute a disaster recovery plan (DRP)?
A. Storing the plan at an offsite location
B. Communicating the plan to all stakeholders
C. Updating the plan periodically
D. Conducting a walk-through of the plan
Answer: C

NO.191 Which of the following is the sole responsibility of the client organization when adopting a Software as a Service
(SaaS) model?
A. Host patching
B. Penetration testing
C. Infrastructure hardening
D. Data classification
Answer: D

NO.192 Due to specific application requirements, a project team has been granted administrative ponieon GR: is the
PRIMARY reason for ensuring clearly defined roles and responsibilities are communicated to these users?
A. Clearer segregation of duties
B. Increased user productivity
C. Increased accountability
D. Fewer security incidents
Answer: C

NO.193 Regular vulnerability scanning on an organization's internal network has identified that many user workstations have
unpatched versions of software. What is the BEST way for the information security manager to help senior management
understand the related risk?
A. Include the impact of the risk as part of regular metrics.
B. Recommend the security steering committee conduct a review.
C. Update the risk assessment at regular intervals
D. Send regular notifications directly to senior managers
Answer: A

NO.194 Information security controls should be designed PRIMARILY based on:
A. a business impact analysis (BIA).

B. regulatory requirements.
C. business risk scenarios,
D. a vulnerability assessment.
Answer: C

NO.195 Labeling information according to its security classification:
A. enhances the likelihood of people handling information securely.
B. reduces the number and type of countermeasures required.
C. reduces the need to identify baseline controls for each classification.
D. affects the consequences if information is handled insecurely.
Answer: A

NO.196 Management decisions concerning information security investments will be MOST effective when they are based on:
A. a process for identifying and analyzing threats and vulnerabilities.
B. an annual loss expectancy (ALE) determined from the history of security events,
C. the reporting of consistent and periodic assessments of risks.
D. the formalized acceptance of risk analysis by management,
Answer: C

NO.197 An information security manager has been tasked with developing materials to update the board, regulatory agencies,
and the media about a security incident. Which of the following should the information security manager do FIRST?
A. Set up communication channels for the target audience.
B. Determine the needs and requirements of each audience.
C. Create a comprehensive singular communication
D. Invoke the organization's incident response plan.
Answer: B

NO.198 Which of the following BEST indicates that information security governance and corporate governance are integrated?
A. The information security team is aware of business goals.
B. The board is regularly informed of information security key performance indicators (KPIs),
C. The information security steering committee is composed of business leaders.
D. A cost-benefit analysis is conducted on all information security initiatives.
Answer: C

NO.199 Which is the BEST method to evaluate the effectiveness of an alternate processing site when continuous uptime is
required?
A. Parallel test
B. Full interruption test
C. Simulation test
D. Tabletop test
Answer: A

NO.200 From an information security perspective, legal issues associated with a transborder flow of technology-related items
are MOST often
A. website transactions and taxation.

B. software patches and corporate date.
C. encryption tools and personal data.
D. lack of competition and free trade.
Answer: C

NO.201 Which of the following is the BEST approach for managing user access permissions to ensure alignment with data
classification?
A. Enable multi-factor authentication on user and admin accounts.
B. Review access permissions annually or whenever job responsibilities change
C. Lock out accounts after a set number of unsuccessful login attempts.
D. Delegate the management of access permissions to an independent third party.
Answer: B

NO.202 Which of the following is the PRIMARY reason to monitor key risk indicators (KRIs) related to information security?
A. To alert on unacceptable risk
B. To identify residual risk
C. To reassess risk appetite
D. To benchmark control performance
Answer: D

NO.203 Which of the following should be done FIRST when establishing a new data protection program that must comply with
applicable data privacy regulations?
A. Evaluate privacy technologies required for data protection.
B. Encrypt all personal data stored on systems and networks.
C. Update disciplinary processes to address privacy violations.
D. Create an inventory of systems where personal data is stored.
Answer: D

NO.204 To help ensure that an information security training program is MOST effective, its contents should be:
A. based on recent incidents.
B. based on employees' roles.
C. aligned to business processes.
D. focused on information security policy.
Answer: B

NO.205 Which of the following is MOST important to convey to employees in building a security risk- aware culture?
A. Personal information requires different security controls than sensitive information.
B. Employee access should be based on the principle of least privilege.
C. Understanding an information asset's value is critical to risk management.
D. The responsibility for security rests with all employees.
Answer: D

NO.206 Which of the following is the PRIMARY reason for granting a security exception?

A. The risk is justified by the cost to the business.
B. The risk is justified by the benefit to security.
C. The risk is justified by the cost to security.
D. The risk is justified by the benefit to the business.
Answer: D

NO.207 Recovery time objectives (RTOs) are BEST determined by:
A. business managers
B. business continuity officers
C. executive management
D. database administrators (DBAs).
Answer: B

NO.208 Which risk is introduced when using only sanitized data for the testing of applications?
A. Data loss may occur during the testing phase.
B. Data disclosure may occur during the migration event
C. Unexpected outcomes may arise in production
D. Breaches of compliance obligations will occur.
Answer: C

NO.209 Which of the following is MOST effective for communicating forward-looking trends within security reporting?
A. Key control indicator (KCIs)
B. Key risk indicators (KRIs)
C. Key performance indicators (KPIs)
D. Key goal indicators (KGIs)
Answer: C

NO.210 The MAIN reason for having senior management review and approve an information security strategic plan is to
ensure:
A. the organization has the required funds to implement the plan.
B. compliance with legal and regulatory requirements.
C. staff participation in information security efforts.
D. the plan aligns with corporate governance.
Answer: D

NO.211 To confirm that a third-party provider complies with an organization's information security requirements, it is MOST
important to ensure:
A. security metrics are included in the service level agreement (SLA).
B. contract clauses comply with the organization's information security policy.
C. the information security policy of the third-party service provider is reviewed.
D. right to audit is included in the service level agreement (SLA).
Answer: D

NO.212 An organization is implementing an information security governance framework. To communicate the program's

effectiveness to stakeholders, it is MOST important to establish:
A. a control self-assessment (CSA) process.
B. automated reporting to stakeholders.
C. a monitoring process for the security policy.
D. metrics for each milestone.
Answer: D

NO.213 An organization is increasingly using Software as a Service (SaaS) to replace in-house hosting and support of IT
applications. Which of the following would be the MOST effective way to help ensure procurement decisions consider
information security concerns?
A. Integrate information security risk assessments into the procurement process.
B. Provide regular information security training to the procurement team.
C. Invite IT members into regular procurement team meetings to influence best practice.
D. Enforce the right to audit in procurement contracts with SaaS vendors.
Answer: A

NO.214 Which of the following provides the MOST comprehensive insight into ongoing threats facing an organization?
A. Business impact analysis (BIA)
B. Risk register
C. Penetration testing
D. Vulnerability assessment
Answer: B

NO.215 When developing a categorization method for security incidents, the categories MUST:
A. align with industry standards.
B. be created by the incident handler.
C. have agreed-upon definitions.
D. align with reporting requirements.
Answer: C

NO.216 Which of the following would be MOST useful to help senior management understand the status of information
security compliance?
A. Industry benchmarks
B. Key performance indicators (KPIs)
C. Business impact analysis (BIA) results
D. Risk assessment results
Answer: B

NO.217 The contribution of recovery point objective (RPO) to disaster recovery is to:
A. minimize outage periods.
B. eliminate single points of failure.
C. define backup strategy
D. reduce mean time between failures (MTBF).
Answer: C

NO.218 Which of the following BEST enables an organization to effectively manage emerging cyber risk?
A. Periodic internal and external audits
B. Clear lines of responsibility
C. Sufficient cyber budget allocation
D. Cybersecurity policies
Answer: D

NO.219 A business requires a legacy version of an application to operate but the application cannot be patched. To limit the
risk exposure to the business, a firewall is implemented in front of the legacy application. Which risk treatment option has been
applied?
A. Mitigate
B. Accept
C. Transfer
D. Avoid
Answer: A

NO.220 The information security manager has been notified of a new vulnerability that affects key data processing systems
within the organization Which of the following should be done FIRST?
A. Inform senior management
B. Re-evaluate the risk
C. Implement compensating controls
D. Ask the business owner for the new remediation plan
Answer: B

NO.221 Which of the following is the BEST way to ensure the capability to restore clean data after a ransomware attack?
A. Purchase cyber insurance
B. Encrypt sensitive production data
C. Perform Integrity checks on backups
D. Maintain multiple offline backups
Answer: D

NO.222 Which of the following is the BEST indication ofa successful information security culture? A. Penetration testing is
done regularly and findings remediated.
B. End users know how to identify and report incidents.
C. Individuals are given roles based on job functions.
D. The budget allocated for information security is sufficient.
Answer: B

NO.223 Which of the following should be an information security manager's FIRST course of action when a newly introduced
privacy regulation affects the business?
A. Consult with IT staff and assess the risk based on their recommendations

B. Update the security policy based on the regulatory requirements
C. Propose relevant controls to ensure the business complies with the regulation
D. Identify and assess the risk in the context of business objectives
Answer: D

NO.224 An information security manager has identified that privileged employee access requests to production servers are
approved; but user actions are not logged. Which of the following should be the GREATEST concern with this situation?
A. Lack of availability
B. Lack of accountability
C. Improper authorization
D. Inadequate authentication
Answer: B
NO.225 Which of the following is the GREATEST benefit of information asset classification?
A. Helping to determine the recovery point objective (RPO)
B. Providing a basis for implementing a need-to-know policy
C. Supporting segregation of duties
D. Defining resource ownership
Answer: B

NO.226 An incident management team is alerted to a suspected security event. Before classifying the suspected event as a
security incident, it is MOST important for the security manager to:
A. conduct an incident forensic analysis.
B. fallow the incident response plan
C. notify the business process owner.
D. fallow the business continuity plan (BCP).
Answer: C

NO.227 An information security manager has identified that security risks are not being treated in a timely manner. Which of
the following
A. Provide regular updates about the current state of the risks.
B. Re-perform risk analysis at regular intervals.
C. Assign a risk owner to each risk
D. Create mitigating controls to manage the risks.
Answer: B

NO.228 Which of the following provides the BEST assurance that security policies are applied across business operations?
A. Organizational standards are included in awareness training.
B. Organizational standards are enforced by technical controls.
C. Organizational standards are required to be formally accepted.
D. Organizational standards are documented in operational procedures.
Answer: D

NO.229 Which of the following is the MOST important consideration when establishing an organization's information security
governance committee?
A. Members have knowledge of information security controls.

B. Members are business risk owners.
C. Members are rotated periodically.
D. Members represent functions across the organization.
Answer: D

NO.230 Which of the following BEST indicates that an organization has effectively tested its business continuity and disaster
recovery plans within the stated recovery time objectives (RTOs)?
A. Regulatory requirements are being met.
B. Internal compliance requirements are being met.
C. Risk management objectives are being met.
D. Business needs are being met.
Answer: D

NO.231 An information security manager developing an incident response plan MUST ensure it includes:
A. an inventory of critical data.
B. criteria for escalation.
C. a business impact analysis (BIA).
D. critical infrastructure diagrams.
Answer: B

NO.232 Which of the following is MOST important in increasing the effectiveness of incident responders?
A. Communicating with the management team
B. Integrating staff with the IT department
C. Testing response scenarios
D. Reviewing the incident response plan annually
Answer: C

NO.233 Which of the following is the PRIMARY benefit of implementing a vulnerability assessment process?
A. Threat management is enhanced.
B. Compliance status is improved.
C. Security metrics are enhanced.
D. Proactive risk management is facilitated.
Answer: A

NO.234 To ensure that a new application complies with information security policy, the BEST approach is to:
A. review the security of the application before implementation.
B. integrate functionality the development stage.
C. perform a vulnerability analysis.
D. periodically audit the security of the application.
Answer: C

NO.235 Which of the following should be done FIRST when implementing a security program?
A. Perform a risk analysis
B. Implement data encryption.
C. Create an information asset inventory.
D. Determine the value of information assets.

Answer: A

NO.236 An organization has received complaints from users that some of their files have been encrypted. These users are
receiving demands for money to decrypt the files. Which of the following would be the BEST course of action?
A. Conduct an impact assessment.
B. Isolate the affected systems.
C. Rebuild the affected systems.
D. Initiate incident response.
Answer: B

NO.237 A forensic examination of a PC is required, but the PC has been switched off. Which of the following should be done
FIRST?
A. Perform a backup of the hard drive using backup utilities.
B. Perform a bit-by-bit backup of the hard disk using a write-blocking device
C. Perform a backup of the computer using the network
D. Reboot the system using third-party forensic software in the CD-ROM drive
Answer: B
NO.238 The PRIMARY objective of a post-incident review of an information security incident is to: A. update the risk profile
B. minimize impact
C. prevent recurrence.
D. determine the impact Answer: C
NO.239 The MOST important information for influencing management's support of information security is:
A. an demonstration of alignment with the business strategy.
B. An identification of the overall threat landscape.
C. A report of a successful attack on a competitor. D. An identification of organizational risks.
Answer: A

NO.240 Threat and vulnerability assessments are important PRIMARILY because they are: A. used to establish security
investments
B. the basis for setting control objectives.
C. elements of the organization's security posture.
D. needed to estimate risk.
Answer: B

A. Determine acceptable levels of information security risk
B. Create a roadmap to identify security baselines and controls
C. Perform a gap analysis based on the current state
D. Identify key stakeholders to champion information security
Answer: D

NO.242 An incident response team has established that an application has been breached. Which of the following should be
done NEXT?
A. Maintain the affected systems in a forensically acceptable state
B. Conduct a risk assessment on the affected application
C. Inform senior management of the breach.

D. Isolate the impacted systems from the rest of the network
Answer: D

NO.243 A penetration test was conducted by an accredited third party Which of the following should be the information
security manager's FIRST course of action?
A. Ensure a risk assessment is performed to evaluate the findings
B. Ensure vulnerabilities found are resolved within acceptable timeframes
C. Request funding needed to resolve the top vulnerabilities
D. Report findings to senior management
Answer: D

NO.244 Which of the following is the BEST reason for an organization to use Disaster Recovery as a Service (DRaaS)?
A. It transfers the risk associated with recovery to a third party.
B. It lowers the annual cost to the business.
C. It eliminates the need to maintain offsite facilities.
D. It eliminates the need for the business to perform testing.
Answer: B

NO.245 IT projects have gone over budget with too many security controls being added post- production. Which of the
following would MOST help to ensure that relevant controls are applied to a project?
A. Involving information security at each stage of project management
B. Identifying responsibilities during the project business case analysis
C. Creating a data classification framework and providing it to stakeholders
D. Providing stakeholders with minimum information security requirements
Answer: B

NO.246 Which of the following would BEST support the business case for an increase in the information security budget?
A. Cost-benefit analysis results
B. Comparison of information security budgets with peer organizations
C. Business impact analysis (BIA) results
D. Frequency of information security incidents
Answer: A

NO.247 Which of the following is the BEST indicator of an organization's information security status?
A. Intrusion detection log analysis
B. Controls audit
C. Threat analysis
D. Penetration test
Answer: B

NO.248 Which of the following BEST supports the incident management process for attacks on an organization's supply
chain?
A. Including service level agreements (SLAs) in vendor contracts
B. Establishing communication paths with vendors
C. Requiring security awareness training for vendor staff
D. Performing integration testing with vendor systems

Answer: B

NO.249 Of the following, who is in the BEST position to evaluate business impacts?
A. Senior management
B. Information security manager
C. IT manager
D. Process manager
Answer: D

NO.250 An incident management team is alerted ta a suspected security event. Before classifying the suspected event as a
security incident, it is MOST important for the security manager to:
A. notify the business process owner.
B. follow the business continuity plan (BCP).
C. conduct an incident forensic analysis.
D. follow the incident response plan.
Answer: A

NO.251 In an organization with a rapidly changing environment, business management has accepted an information security
risk. It is MOST important for the information security manager to ensure:
A. change activities are documented.
B. the rationale for acceptance is periodically reviewed.
C. the acceptance is aligned with business strategy.
D. compliance with the risk acceptance framework.
Answer: B

NO.252 When performing a business impact analysis (BIA), who should calculate the recovery time and cost estimates?
A. Business process owner
B. Business continuity coordinator
C. Senior management
D. Information security manager
Answer: A

NO.253 Which of the following would be MOST useful to a newly hired information security manager who has been tasked with
developing and implementing an information security strategy?
A. The capabilities and expertise of the information security team
B. The organization's mission statement and roadmap
C. A prior successful information security strategy
D. The organization's information technology (IT) strategy
Answer: B

NO.254 An organization's HR department requires that employee account privileges be removed from all corporate IT systems
within three days of termination to comply with a government regulation However, the systems all have different user
directories, and it currently takes up to four weeks to remove the privileges Which of the following would BEST enable
regulatory compliance? A. Multi-factor authentication (MFA) system
B. Identity and access management (IAM) system
C. Privileged access management (PAM) system

D. Governance, risk, and compliance (GRC) system
Answer: C

NO.255 An information security manager is working to incorporate media communication procedures into the security incident
communication plan. It would be MOST important to include:
A. a directory of approved local media contacts
B. pre-prepared media statements
C. procedures to contact law enforcement
D. a single point of contact within the organization
Answer: D

NO.256 Which of the following is MOST helpful in determining the criticality of an organization's business functions?
A. Disaster recovery plan (DRP)
B. Business impact analysis (BIA)
C. Business continuity plan (BCP)
D. Security assessment report (SAR)
Answer: B

NO.257 Which of the following is the BEST way to determine if an information security profile is aligned with business
requirements?
A. Review the key performance indicator (KPI) dashboard
B. Review security-related key risk indicators (KRIs)
C. Review control self-assessment (CSA) results
D. Review periodic security audits
Answer: B

NO.258 Which of the following is MOST important for building 4 robust information security culture within an organization?
A. Mature information security awareness training across the organization
B. Strict enforcement of employee compliance with organizational security policies
C. Security controls embedded within the development and operation of the IT environment
D. Senior management approval of information security policies
Answer: D

NO.259 The PRIMARY consideration when responding to a ransomware attack should be to ensure:
A. backups are available.
B. the most recent patches have been applied.
C. the ransomware attack is contained
D. the business can operate
Answer: D
NO.260 Which of the following is the BEST way to ensure the organization's security objectives are embedded in business
operations?
A. Publish adopted information security standards.
B. Perform annual information security compliance reviews.
C. Implement an information security governance framework.
D. Define penalties for information security noncompliance.
Answer: C