CISM V24.35 Past Paper PDF
Document Details
Uploaded by BeneficialSagacity1258
ISACA
Summary
This document is an ISACA CISM V24.35 past paper, containing exam questions covering topics such as incident response, risk management, and security controls. The paper details different security concepts.
Full Transcript
IT Certification Guaranteed, The Easy Way! Exam : CISM Title : Certified Information Security Manager Vendor : ISACA Version : V24.35 1 IT Certification Guaranteed, The Easy Way! NO.1 An organization's information security manager is performing a post-incident review of a security incident in which the following events occurred: * A bad actor broke into a business-critical FTP server by brute forcing an administrative password * The third-party service provider hosting the server sent an automated alert message to the help desk, but was ignored * The bad actor could not access the administrator console, but was exposed to encrypted data transferred to the server * After three hours, the bad actor deleted the FTP directory, causing incoming FTP attempts by legitimate customers to fail Which of the following could have been prevented by conducting regular incident response testing? A. Ignored alert messages B. The server being compromised C. The brute force attack D. Stolen data Answer: A Explanation: Ignored alert messages could have been prevented by conducting regular incident response testing because it would have ensured that the help desk staff are familiar with and trained on how to handle different types of alert messages from different sources, and how to escalate them appropriately. The server being compromised could not have been prevented by conducting regular incident response testing because it is related to security vulnerabilities or weaknesses in the server configuration or authentication mechanisms. The brute force attack could not have been prevented by conducting regular incident response testing because it is related to security threats or attacks from external sources. Stolen data could not have been prevented by conducting regular incident response testing because it is related to security breaches or incidents that may occur despite the incident response plan or process. 
Reference: https://www.isaca.org/resources/isacajournal/issues/2017/volume-5/incident-response-lessons-learned https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/incident-response-lessonslearned NO.2 An information security manager is reporting on open items from the risk register to senior management. Which of the following is MOST important to communicate with regard to these risks? A. Responsible entities B. Key risk indicators (KRIS) C. Compensating controls D. Potential business impact Answer: D NO.3 The PRIMARY purpose for continuous monitoring of security controls is to ensure: A. control gaps are minimized. B. system availability. C. effectiveness of controls. D. alignment with compliance requirements. Answer: C 2 IT Certification Guaranteed, The Easy Way! Explanation: The primary purpose for continuous monitoring of security controls is to ensure the effectiveness of controls. This involves regularly assessing the controls to ensure that they are meeting their intended objectives, and that any potential weaknesses are identified and addressed. Continuous monitoring also helps to ensure that control gaps are minimized, and that systems are available and aligned with compliance requirements. NO.4 How does an incident response team BEST leverage the results of a business impact analysis (BIA)? A. Assigning restoration priority during incidents B. Determining total cost of ownership (TCO) C. Evaluating vendors critical to business recovery D. Calculating residual risk after the incident recovery phase Answer: A NO.5 Following a risk assessment, an organization has made the decision to adopt a bring your own device (BYOD) strategy. What should the information security manager do NEXT? A. Develop a personal device policy B. Implement a mobile device management (MDM) solution C. Develop training specific to BYOD awareness D. 
Define control requirements Answer: D Explanation: Defining control requirements is the next step to ensure the security policy framework encompasses the new business model because it is a process of identifying and specifying the security measures and standards that are needed to protect the data and applications accessed by the BYOD devices. Defining control requirements helps to establish the baseline security level and expectations for the BYOD strategy, as well as to align them with the business objectives and risks. Therefore, defining control requirements is the correct answer. Reference: https://www.digitalguardian.com/blog/ultimate-guide-byod-security-overcoming-challengescreating-effective-policies-and-mitigating https://learn.microsoft.com/en-us/mem/intune/fundamentals/byod-technology-decisions NO.6 To help ensure that an information security training program is MOST effective its contents should be A. focused on information security policy. B. aligned to business processes C. based on employees' roles D. based on recent incidents Answer: C Explanation: "An information security training program should be tailored to the specific roles and responsibilities of employees. This will help them understand how their actions affect information security and what they need to do to protect it. A generic training program that is focused on policy, business processes 3 IT Certification Guaranteed, The Easy Way! or recent incidents may not be relevant or effective for all employees." NO.7 Which of the following processes BEST supports the evaluation of incident response effectiveness? A. Root cause analysis B. Post-incident review C. Chain of custody D. Incident logging Answer: B NO.8 Which of the following is the BEST option to lower the cost to implement application security controls? A. Perform security tests in the development environment. B. Integrate security activities within the development process C. Perform a risk analysis after project completion. D. 
Include standard application security requirements Answer: B Explanation: Integrating security activities within the development process is the best option to lower the cost to implement application security controls because it ensures that security is considered and addressed throughout the software development life cycle (SDLC), from design to deployment, and reduces the likelihood and impact of security flaws or vulnerabilities that may require costly fixes or patches later on. Performing security tests in the development environment is not the best option because it may not detect or prevent all security issues that may arise in different environments or scenarios. Performing a risk analysis after project completion is not a good option because it may be too late to identify or mitigate security risks that may have been introduced during the project. Including standard application security requirements is not a good option because it may not account for specific or unique security needs or challenges of different applications or projects. Reference: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/secure-softwaredevelopment-lifecycle https://www.isaca.org/resources/isaca-journal/issues/2016/volume4/technical-security-standards-for-information-systems NO.9 Which of the following is the PRIMARY responsibility of an information security manager in an organization that is implementing the use of company-owned mobile devices in its operations? A. Require remote wipe capabilities for devices. B. Conduct security awareness training. C. Review and update existing security policies. D. Enforce passwords and data encryption on the devices. Answer: C Explanation: The primary responsibility of an information security manager in an organization that is implementing the use of company-owned mobile devices in its operations is to review and update existing security policies. 
Security policies are the foundation of an organi-zation's security program, as they define the goals, objectives, principles, roles, respon-sibilities, and requirements for protecting information and systems. Security policies should be reviewed and updated regularly to reflect changes in the 4 IT Certification Guaranteed, The Easy Way! organization's envi-ronment, needs, risks, and technologies1. Implementing the use of companyowned mobile devices in its operations is a significant change that may introduce new threats and vulnerabilities, as well as new opportunities and benefits, for the organiza-tion. Therefore, the information security manager should review and update existing security policies to address the following aspects2: * The scope, purpose, and ownership of company-owned mobile devices * The acceptable and unacceptable use of company-owned mobile devices * The security standards and best practices for company-owned mobile devices * The roles and responsibilities of users, managers, IT staff, and vendors regarding compa-ny-owned mobile devices * The procedures for provisioning, managing, monitoring, and decommissioning company-owned mobile devices * The incident response and reporting process for company-owned mobile devices By reviewing and updating existing security policies, the information security manager can ensure that the organization's security program is aligned with its business objec-tives and risk appetite, as well as compliant with applicable laws and regulations. The other options are not the primary responsibility of an information security manager in an organization that is implementing the use of companyowned mobile devices in its operations. They are possible actions or controls that may be derived from or support-ed by the updated security policies. Requiring remote wipe capabilities for devices is a technical control that can help prevent data loss or theft in case of device loss or com-promise3. 
Conducting security awareness training is an administrative control that can help educate users about the security risks and responsibilities associated with using company-owned mobile devices. Enforcing passwords and data encryption on the de-vices is a technical control that can help protect data confidentiality and integrity on company-owned mobile devices. Reference: 1: Information Security Policy - NIST 2: Mobile Device Security Policy - SANS 3: Remote Wipe: What It Is & How I t Works - Lifewire : Security Awareness Training - NIST : Mobile Device Encryption - NIST NO.10 Which of the following metrics BEST measures the effectiveness of an organization's information security program? A. Increase in risk assessments completed B. Reduction in information security incidents C. Return on information security investment D. Number of information security business cases developed Answer: C NO.11 To overcome the perception that security is a hindrance to business activities, it is important for an information security manager to: A. rely on senior management to enforce security. B. promote the relevance and contribution of security. C. focus on compliance. D. reiterate the necessity of security. Answer: B Explanation: To overcome the perception that security is a hindrance to business activities, it is important for an information security manager to promote the relevance and contribution of security. By 5 IT Certification Guaranteed, The Easy Way! demonstrating the value that security brings to the organization, including protecting assets and supporting business objectives, the information security manager can help to change the perception of security from a hindrance to a critical component of business success. 
Relying on senior management to enforce security, focusing on compliance, and reiterating the necessity of security are all important elements of a comprehensive security program, but they do not directly address the perception that security is a hindrance to business activities. By promoting the relevance and contribution of security, the information security manager can help to align security with the overall goals and objectives of the organization, and foster a culture that values and supports security initiatives. NO.12 Which of the following is MOST helpful for protecting an enterprise from advanced persistent threats (APTs)? A. Updated security policies B. Defined security standards C. Threat intelligence D. Regular antivirus updates Answer: B NO.13 When choosing the best controls to mitigate risk to acceptable levels, the information security manager's decision should be MAINLY driven by: A. best practices. B. control framework C. regulatory requirements. D. cost-benefit analysis, Answer: C NO.14 Which of the following BEST determines the allocation of resources during a security incident response? A. Senior management commitment B. A business continuity plan (BCP) C. An established escalation process D. Defined levels of severity Answer: D Explanation: Defined levels of severity is the best determinant of the allocation of resources during a security incident response. Having defined levels of severity allows organizations to plan for and allocate resources for each level of incident, depending on the severity of the incident. This ensures that the right resources are allocated in a timely manner and that incidents are addressed appropriately. NO.15 Which of the following should an information security manager do FIRST when creating an organization's disaster recovery plan (DRP)? A. Conduct a business impact analysis (BIA) B. Identify the response and recovery learns. C. Review the communications plan. 6 IT Certification Guaranteed, The Easy Way! D. 
Develop response and recovery strategies. Answer: A Explanation: Conducting a business impact analysis (BIA) is the first step when creating an organization's disaster recovery plan (DRP) because it helps to identify and prioritize the critical business functions or processes that need to be restored after a disruption, and determine their recovery time objectives (RTOs) and recovery point objectives (RPOs)2. Identifying the response and recovery teams is not the first step, but rather a subsequent step that involves assigning roles and responsibilities for executing the DRP. Reviewing the communications plan is not the first step, but rather a subsequent step that involves defining the communication channels and protocols for notifying and updating the stakeholders during and after a disruption. Developing response and recovery strategies is not the first step, but rather a subsequent step that involves selecting and implementing the appropriate solutions and procedures for restoring the critical business functions or processes. Reference: 2 https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/business-impact-analysis-biaand-disaster-recovery-planning-drp NO.16 Which of the following is the FIRST step to establishing an effective information security program? A. Conduct a compliance review. B. Assign accountability. C. Perform a business impact analysis (BIA). D. Create a business case. Answer: D NO.17 Which of the following would BEST justify continued investment in an information security program? A. Reduction in residual risk B. Security framework alignment C. Speed of implementation D. Industry peer benchmarking Answer: A Explanation: Residual risk is the remaining risk after all security controls have been implemented. It is important to measure the residual risk of an organization in order to determine the effectiveness of the security program and to justify continued investment in the program. 
A reduction in residual risk is an indication that the security program is effective and that continued investment is warranted. NO.18 Which of the following has the GREATEST influence on an organization's information security strategy? A. The organization's risk tolerance B. The organizational structure C. Industry security standards D. Information security awareness Answer: A 7 IT Certification Guaranteed, The Easy Way! Explanation: An organization's information security strategy should be aligned with its risk tolerance, which is the level of risk that an organization is willing to accept in pursuit of its objectives. The strategy should aim to balance the cost of security controls with the potential impact of security incidents on the organization's objectives. Therefore, an organization's risk tolerance has the greatest influence on its information security strategy. The organization's risk tolerance has the greatest influence on its information security strategy because it determines how much risk the organization is willing to accept and how much resources it will allocate to mitigate or transfer risk. The organizational structure, industry security standards, and information security awareness are important factors that affect the implementation and effectiveness of an information security strategy but not as much as the organization's risk tolerance. An information security strategy is a high-level plan that defines how an organization will achieve its information security objectives and address its information security risks. An information security strategy should align with the organization's business strategy and reflect its mission, vision, values, and culture. An information security strategy should also consider the external and internal factors that influence the organization's information security environment such as laws, regulations, competitors, customers, suppliers, partners, stakeholders, employees etc. 
NO.19 Which of the following would be the MOST effective way to present quarterly reports to the board on the status of the information security program? A. A capability and maturity assessment B. Detailed analysis of security program KPIs C. An information security dashboard D. An information security risk register Answer: C Explanation: An information security dashboard is an effective way to present quarterly reports to the board on the status of the information security program. It allows the board to quickly view key metrics and trends at a glance and to drill down into more detailed information as needed. The dashboard should include metrics such as total incidents, patching compliance, vulnerability scanning results, and more. It should also include high-level overviews of the security program and its components, such as the security policy, security architecture, and security controls. NO.20 An anomaly-based intrusion detection system (IDS) operates by gathering data on: A. normal network behavior and using it as a baseline lor measuring abnormal activity B. abnormal network behavior and issuing instructions to the firewall to drop rogue connections C. abnormal network behavior and using it as a baseline for measuring normal activity D. attack pattern signatures from historical data Answer: A Explanation: An anomaly-based intrusion detection system (IDS) operates by gathering data on normal network behavior and using it as a baseline for measuring abnormal activity. This is important because it allows the IDS to detect any activity that is outside of the normal range of usage for the network, which can help to identify potential malicious activity or security threats. Additionally, the IDS will monitor for any changes in the baseline behavior and alert the administrator if any irregularities are 8 IT Certification Guaranteed, The Easy Way! detected. 
By contrast, signature-based IDSs operate by gathering attack pattern signatures from historical data and comparing them against incoming traffic in order to identify malicious activity. NO.21 If civil litigation is a goal for an organizational response to a security incident, the PRIMARY step should be to: A. contact law enforcement. B. document the chain of custody. C. capture evidence using standard server-backup utilities. D. reboot affected machines in a secure area to search for evidence. Answer: B NO.22 Which of the following is MOST effective in monitoring an organization's existing risk? A. Periodic updates to risk register B. Risk management dashboards C. Security information and event management (SIEM) systems D. Vulnerability assessment results Answer: B NO.23 What is the BEST way to reduce the impact of a successful ransomware attack? A. Perform frequent backups and store them offline. B. Purchase or renew cyber insurance policies. C. Include provisions to pay ransoms ih the information security budget. D. Monitor the network and provide alerts on intrusions. Answer: A NO.24 Which of the following BEST facilitates an information security manager's efforts to obtain senior management commitment for an information security program? A. Presenting evidence of inherent risk B. Reporting the security maturity level C. Presenting compliance requirements D. Communicating the residual risk Answer: C NO.25 Which of the following is the MOST important reason to conduct interviews as part of the business impact analysis (BIA) process? A. To facilitate a qualitative risk assessment following the BIA B. To increase awareness of information security among key stakeholders C. To ensure the stakeholders providing input own the related risk D. To obtain input from as many relevant stakeholders as possible Answer: C NO.26 Which of the following would BEST enable the timely execution of an incident response plan? A. 
The introduction of a decision support tool 9 IT Certification Guaranteed, The Easy Way! B. Definition of trigger events C. Clearly defined data classification process D. Centralized service desk Answer: B Explanation: Definition of trigger events is the best way to enable the timely execution of an incident response plan because it helps to specify the conditions or criteria that initiate the incident response process. Trigger events are predefined scenarios or indicators that signal the occurrence or potential occurrence of a security incident, such as a ransomware attack, a data breach, a denial-of-service attack, or an unauthorized access attempt. Definition of trigger events helps to ensure that the incident response team is alerted and activated as soon as possible, as well as to determine the appropriate level and scope of response based on the severity and impact of the incident. Therefore, definition of trigger events is the correct answer. Reference: https://www.atlassian.com/incident-management/kpis/common-metrics https://www.varonis.com/blog/incident-response-plan/ https://holierthantao.com/2023/05/03/minimizing-disruptions-a-comprehensive-guide-to-incidentresponse-planning-and-execution/ NO.27 Which of the following change management procedures is MOST likely to cause concern to the information security manager? A. Fallback processes are tested the weekend before changes are made B. Users are not notified of scheduled system changes C. A manual rather than an automated process is used to compare program versions. D. The development manager migrates programs into production Answer: D Explanation: According to the Certified Information Security Manager (CISM) Study Guide, one of the primary responsibilities of an information security manager is to ensure that changes to systems and processes are managed in a secure and controlled manner. 
The change management procedure that is most likely to cause concern for an information security manager is when the development manager migrates programs into production without proper oversight or control. This can increase the risk of unauthorized changes being made to systems and data, and can also increase the risk of configuration errors or other issues that can negatively impact the security and availability of systems. To mitigate these risks, it is important for the information security manager to work closely with the development team to establish and enforce change management procedures that ensure that all changes are properly approved, tested, and implemented in a controlled manner. NO.28 Which of the following is the GREATEST benefit of conducting an organization-wide security awareness program? A. The security strategy is promoted. B. Fewer security incidents are reported. C. Security behavior is improved. D. More security incidents are detected. Answer: C 10 IT Certification Guaranteed, The Easy Way! NO.29 Which of the following documents should contain the INITIAL prioritization of recovery of services? A. IT risk analysis B. Threat assessment C. Business impact analysis (BIA) D. Business process map Answer: C Explanation: A business impact analysis (BIA) is the document that should contain the initial priori-tization of recovery of services. A BIA is a process of identifying and analyzing the po-tential effects of disruptions to critical business functions and processes. A BIA typi-cally includes the following steps1: * Identifying the critical business functions and processes that support the organization's mission and objectives. * Estimating the maximum tolerable downtime (MTD) for each function or process, which is the longest time that the organization can afford to be without that function or process before suffering unacceptable consequences. 
* Assessing the potential impacts of disruptions to each function or process, such as finan-cial losses, reputational damage, legal liabilities, regulatory penalties, customer dissatis-faction, etc. * Prioritizing the recovery of functions or processes based on their MTDs and impacts, and assigning recovery time objectives (RTOs) and recovery point objectives (RPOs) for each function or process. RTOs are the target times for restoring functions or processes after a disruption, while RPOs are the acceptable amounts of data loss in case of a disruption. * Identifying the resources and dependencies required for each function or process, such as staff, equipment, software, data, suppliers, customers, etc. A BIA provides the basis for developing a business continuity plan (BCP), which is a document that outlines the strategies and procedures for ensuring the continuity or re-covery of critical business functions and processes in the event of a disruption2. The other options are not documents that should contain the initial prioritization of recov-ery of services. An IT risk analysis is a process of identifying and evaluating the threats and vulnerabilities that affect the IT systems and assets of an organization. It helps to determine the likelihood and impact of potential IT incidents, and to select and imple-ment appropriate controls to mitigate the risks3. A threat assessment is a process of identifying and analyzing the sources and capabilities of adversaries that may pose a threat to an organization's security. It helps to determine the level of threat posed by different actors, and to develop countermeasures to prevent or respond to attacks. A business process map is a visual representation of the activities, inputs, outputs, roles, and resources involved in a business process. It helps to understand how a process works, how it can be improved, and how it relates to other processes. 
Reference: 1: Business impact analysis (BIA) - Wikipedia 2: Business continuity plan - Wikipedia 3: IT risk management - Wikipedia : Threat assessment - Wikipedia : Business process m ap-ping - Wikipedia NO.30 Which of the following is the GREATEST inherent risk when performing a disaster recovery plan (DRP) test? A. Poor documentation of results and lessons learned B. Lack of communication to affected users 11 IT Certification Guaranteed, The Easy Way! C. Disruption to the production environment D. Lack of coordination among departments Answer: C Explanation: The greatest inherent risk when performing a disaster recovery plan (DRP) test is disruption to the production environment. A DRP test involves simulating a disaster scenario to ensure that the organization's plans are effective and that it is able to recover from an incident. However, this involves running tests on the production environment, which has the potential to disrupt the normal operations of the organization. This inherent risk can be mitigated by running tests on a nonproduction environment or by running tests at times when disruption will be minimized. NO.31 Which of the following activities is designed to handle a control failure that leads to a breach? A. Risk assessment B. Incident management C. Root cause analysis D. Vulnerability management Answer: B NO.32 A finance department director has decided to outsource the organization's budget application and has identified potential providers. Which of the following actions should be initiated FIRST by IN information security manager? A. Determine the required security controls for the new solution B. Review the disaster recovery plans (DRPs) of the providers C. Obtain audit reports on the service providers' hosting environment D. Align the roles of the organization's and the service providers' stats. 
Answer: A Explanation: Before outsourcing any application or service, an information security manager should first determine the required security controls for the new solution, based on the organization's risk appetite, security policies and standards, and regulatory requirements. This will help to evaluate and select the most suitable provider, as well as to define the security roles and responsibilities, service level agreements (SLAs), and audit requirements. Reference: https://www.isaca.org/credentialing/cism https://www.wiley.com/enus/CISM+Certified+Information+Security+Manager+Study+Guide-p-9781119801948 NO.33 Which of the following BEST enables the integration of information security governance into corporate governance? A. Senior management approval of the information security strategy B. An information security steering committee with business representation C. Clear lines of authority across the organization D. Well-decumented information security policies and standards Answer: B NO.34 Which of the following is the BEST course of action for an information security manager to 12 IT Certification Guaranteed, The Easy Way! align security and business goals? A. Conducting a business impact analysis (BIA) B. Reviewing the business strategy C. Defining key performance indicators (KPIs) D. Actively engaging with stakeholders Answer: D NO.35 The MOST appropriate time to conduct a disaster recovery test would be after: A. major business processes have been redesigned. B. the business continuity plan (BCP) has been updated. C. the security risk profile has been reviewed D. noncompliance incidents have been filed. Answer: A NO.36 Which of the following is the GREATEST benefit of including incident classification criteria within an incident response plan? A. Ability to monitor and control incident management costs B. More visibility to the impact of disruptions C. Effective protection of information assets D. 
Optimized allocation of recovery resources Answer: D Explanation: The explanation given in the manual is: Incident classification criteria enable an organization to prioritize incidents based on their impact and urgency. This allows for an optimized allocation of recovery resources to minimize business disruption and ensure timely restoration of normal operations. The other choices are benefits of incident management but not directly related to incident classification criteria. NO.37 An organization has multiple data repositories across different departments. The information security manager has been tasked with creating an enterprise strategy for protecting dat a. Which of the following information security initiatives should be the HIGHEST priority for the organization? A. Data masking B. Data retention strategy C. Data encryption standards D. Data loss prevention (DLP) Answer: C Explanation: Data encryption standards are the best information security initiative for creating an enterprise strategy for protecting data across multiple data repositories and different departments because they help to ensure the confidentiality, integrity, and availability of data in transit and at rest. Data encryption is a process of transforming data into an unreadable format using a secret key or algorithm, so that only authorized parties can access and decrypt it. Data encryption standards are the rules or specifications that define how data encryption should be performed, such as the type, strength, and mode of encryption, the key management and distribution methods, and the 13 IT Certification Guaranteed, The Easy Way! compliance requirements. Data encryption standards help to protect data from unauthorized access, modification, or theft, as well as to meet the regulatory obligations for data privacy and security. Therefore, data encryption standards are the correct answer. 
Reference: https://www.techtarget.com/searchdatabackup/tip/20-keys-to-a-successful-enterprise-dataprotection-strategy https://cloudian.com/guides/data-protection/data-protection-strategy-10-components-of-aneffective-strategy/ https://www.veritas.com/information-center/enterprise-data-protection

NO.38 Which of the following is MOST useful to an information security manager when determining the need to escalate an incident to senior management?
A. Incident management procedures
B. Incident management policy
C. System risk assessment
D. Organizational risk register
Answer: D
Explanation: The organizational risk register is the most useful for an information security manager when determining the need to escalate an incident to senior management because it contains a list of identified risks to the organization, their likelihood and impact, and their predefined risk thresholds or targets. These help the information security manager assess the severity and urgency of the incident and decide whether it requires senior management's attention or action. Incident management procedures are not very useful for this purpose because they do not provide any specific criteria or guidance on when to escalate an incident to senior management. Incident management policy is not very useful for this purpose for the same reason. System risk assessment is not very useful for this purpose because it does not reflect the current risk exposure or status of the organization as a whole.
Reference: https://www.isaca.org/resources/isacajournal/issues/2016/volume-6/how-to-measure-the-effectiveness-of-information-security-using-iso27004 https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-responselessons-learned

NO.39 Which of the following would be MOST helpful to identify worst-case disruption scenarios?
A. Business impact analysis (BIA)
B. Business process analysis
C. SWOT analysis
D. Cost-benefit analysis
Answer: A

NO.40 A security incident has been reported within an organization. When should an information security manager contact the information owner? After the:
A. incident has been confirmed.
B. incident has been contained.
C. potential incident has been logged.
D. incident has been mitigated.
Answer: A

NO.41 Meeting which of the following security objectives BEST ensures that information is protected against unauthorized disclosure?
A. Integrity
B. Authenticity
C. Confidentiality
D. Nonrepudiation
Answer: C
Explanation: Confidentiality is the security objective that best ensures that information is protected against unauthorized disclosure. Confidentiality means that only authorized parties can access or view sensitive or classified information. Integrity means that information is accurate and consistent and has not been tampered with or modified by unauthorized parties. Authenticity means that information is genuine and trustworthy and has not been forged or misrepresented by unauthorized parties. Nonrepudiation means that information can be verified and proven to be sent or received by a specific party without any possibility of denial.
Reference: https://www.csoonline.com/article/3513899/the-cia-triad-definition-components-andexamples.html

NO.42 Which of the following is the MOST important factor in an organization's selection of a key risk indicator (KRI)?
A. Return on investment (ROI)
B. Compliance requirements
C. Target audience
D. Criticality of information
Answer: D
Explanation: A key risk indicator (KRI) is a metric that provides an early warning of potential exposure to a risk. A KRI should be relevant, measurable, timely, and actionable. The most important factor in an organization's selection of a KRI is the criticality of information, which means that the KRI should reflect the value and sensitivity of the information assets that are exposed to the risk.
For example, a KRI for data breach risk could be the number of unauthorized access attempts to a database that contains confidential customer data. The criticality of information helps to prioritize the risks and focus on the most significant ones.
Reference: https://www.isaca.org/credentialing/cism https://www.wiley.com/en-us/CISM+Certified+Information+Security+Manager+Study+Guide-p9781119801948

NO.43 Which of the following MUST be established to maintain an effective information security governance framework?
A. Security controls automation
B. Defined security metrics
C. Change management processes
D. Security policy provisions
Answer: D
Explanation: Security policy provisions are the statements or rules that define the information security objectives, principles, roles and responsibilities, and requirements for the organization. Security policy provisions must be established to maintain an effective information security governance framework, as they provide the foundation and direction for the information security activities and processes within the organization. Security policy provisions also help to align the information security governance framework with the business strategy and objectives, and ensure compliance with relevant laws and regulations. The other options, such as security controls automation, defined security metrics, or change management processes, are important components of an information security governance framework, but they are not essential to establish it.
Reference: https://www.iso.org/standard/74046.html https://www.nist.gov/cyberframework https://www.iso.org/standard/27001

NO.44 In order to understand an organization's security posture, it is MOST important for an organization's senior leadership to:
A. evaluate results of the most recent incident response test.
B. review the number of reported security incidents.
C. ensure established security metrics are reported.
D. assess progress of risk mitigation efforts.
Answer: C

NO.45 The BEST way to identify the risk associated with a social engineering attack is to:
A. monitor the intrusion detection system (IDS).
B. review single sign-on (SSO) authentication logs.
C. test user knowledge of information security practices.
D. perform a business risk assessment of the email filtering system.
Answer: C

NO.46 A balanced scorecard MOST effectively enables information security:
A. project management.
B. governance.
C. performance.
D. risk management.
Answer: B
Explanation: A balanced scorecard most effectively enables information security governance. Information security governance is the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations, and are managed effectively and efficiently [1]. A balanced scorecard is a tool for measuring and communicating the performance and progress of an organization toward its strategic goals. It typically includes four perspectives: financial, customer, internal process, and learning and growth [2]. A balanced scorecard can help information security managers to:
* Align information security objectives with business objectives and communicate them to senior management and other stakeholders
* Monitor and report on the effectiveness and efficiency of information security processes and controls
* Identify and prioritize improvement opportunities and corrective actions
* Demonstrate the value and benefits of information security investments
* Foster a culture of security awareness and continuous learning
Several sources have proposed models or frameworks for applying the balanced scorecard approach to information security governance [3][4]. The other options are not the most effective applications of a balanced scorecard for information security.
Project management is the process of planning, executing, monitoring, and closing projects to achieve specific objectives within constraints such as time, budget, scope, and quality. A balanced scorecard can be used to measure the performance of individual projects or project portfolios, but it is not specific to information security projects. Performance is the degree to which an organization or a process achieves its objectives or meets its standards. A balanced scorecard can be used to measure the performance of information security processes or functions, but it is not limited to performance measurement. Risk management is the process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks that affect an organization's objectives. A balanced scorecard can be used to measure the risk exposure and risk appetite of an organization, but it is not a tool for risk assessment or treatment.
Reference: [1] Information Security Governance - ISACA; [2] Balanced scorecard - Wikipedia; [3] Key Performance Indicators for Security Governance Part 1 - ISACA; [4] A Strategy Map for Security Leaders: Applying the Balanced Scorecard Framework to Information Security - Security Intelligence; How to Measure Security From a Governance Perspective - ISACA; Project management - Wikipedia; Performance measurement - Wikipedia; Risk management - Wikipedia

NO.47 An online bank identifies a successful network attack in progress. The bank should FIRST:
A. isolate the affected network segment.
B. report the root cause to the board of directors.
C. assess whether personally identifiable information (PII) is compromised.
D. shut down the entire network.
Answer: A

NO.48 Which of the following is MOST important to include in a report to key stakeholders regarding the effectiveness of an information security program?
A. Security metrics
B. Security baselines
C. Security incident details
D. Security risk exposure
Answer: A
Explanation: Security metrics are the most important to include in a report to key stakeholders regarding the effectiveness of an information security program because they provide objective and measurable evidence of security performance and progress. Security metrics can include measures such as the number and severity of security incidents, the level of compliance with security policies and standards, the effectiveness of security controls, and the return on investment (ROI) of security initiatives. The other choices may also be included in a security report, but security metrics are the most important. An information security program is a set of policies, procedures, standards, guidelines, and tools that aim to protect an organization's information assets from threats and ensure compliance with laws and regulations. The effectiveness of an information security program depends on various factors, such as the organization's risk appetite, business objectives, resources, culture, and external environment. Regular reporting to key stakeholders, such as senior management, the board of directors, and business partners, is critical to maintaining their support and buy-in for the program. The report should provide clear and concise information on the program's status, achievements, challenges, and future plans, and it should be tailored to the audience's needs and expectations.

NO.49 Which of the following BEST enables an organization to provide ongoing assurance that legal and regulatory compliance requirements can be met?
A. Embedding compliance requirements within operational processes
B. Engaging external experts to provide guidance on changes in compliance requirements
C. Performing periodic audits for compliance with legal and regulatory requirements
D. Assigning the operations manager accountability for meeting compliance requirements
Answer: A
Explanation: Embedding compliance requirements within operational processes ensures that they are consistently followed and monitored as part of normal business activities. This provides ongoing assurance that legal and regulatory compliance requirements can be met. The other choices are not as effective as embedding compliance requirements within operational processes. Regulatory compliance involves following external legal mandates set forth by state, federal, or international government [2]. Compliance requirements may vary depending on the industry, location, and nature of the organization [2]. Compliance helps organizations avoid legal penalties, protect their reputation, and ensure ethical conduct [2].

NO.50 Which of the following BEST demonstrates the added value of an information security program?
A. Security baselines
B. A gap analysis
C. A SWOT analysis
D. A balanced scorecard
Answer: D
Explanation: A balanced scorecard is a tool that can be used to demonstrate the added value of an information security program by measuring and reporting on key performance indicators (KPIs) and key risk indicators (KRIs) aligned with strategic objectives. Security baselines, a gap analysis and a SWOT analysis are all useful for assessing and improving security posture, but they do not necessarily show how security contributes to business value.

NO.51 Which of the following is the MOST important consideration when determining which type of failover site to employ?
A. Reciprocal agreements
B. Disaster recovery test results
C. Recovery time objectives (RTOs)
D. Data retention requirements
Answer: C
Explanation: The most important consideration when determining which type of failover site to employ is the recovery time objectives (RTOs). A failover site is a backup site that can be used to restore the functionality and operations of an organization's primary site in the event of a disaster or disruption. There are different types of failover sites, such as hot sites, warm sites, and cold sites, that vary in terms of availability, cost, and complexity. A recovery time objective (RTO) is a metric that defines the maximum acceptable amount of time that an organization can tolerate to restore a system or an application after a disaster or disruption. By determining the RTOs for each system or application, the organization can choose the most suitable type of failover site that can meet its recovery needs and expectations. For example, if the RTO for a critical system is very low, the organization may opt for a hot site that can provide immediate failover and minimal downtime. However, if the RTO for a noncritical system is high, the organization may choose a cold site that requires manual setup and activation, but has lower cost and maintenance. The other options are not the most important consideration when determining which type of failover site to employ, although they may be factors or constraints that affect the decision. Reciprocal agreements are arrangements between two or more organizations that agree to provide backup facilities or resources to each other in case of a disaster or disruption. Reciprocal agreements can help reduce the cost and complexity of setting up and maintaining a failover site, but they may not guarantee the availability or compatibility of the backup facilities or resources. Disaster recovery test results are outcomes of testing and validating the functionality and performance of a failover site. Disaster recovery test results can help evaluate and improve the effectiveness and efficiency of a failover site, but they do not determine which type of failover site to employ. Data retention requirements are policies and regulations that define how long and in what format an organization must store its data. Data retention requirements can affect the design and configuration of a failover site, but they do not dictate which type of failover site to employ.

NO.52 Which of the following BEST enables an organization to enhance its incident response plan processes and procedures?
A. Security risk assessments
B. Lessons learned analysis
C. Information security audits
D. Key performance indicators (KPIs)
Answer: B
Explanation: Lessons learned analysis is the best way to enable an organization to enhance its incident response plan processes and procedures because it helps to identify the strengths and weaknesses of the current plan, capture the feedback and recommendations from the incident responders and stakeholders, and implement the necessary improvements and corrective actions for future incidents. Security risk assessments are not directly related to enhancing the incident response plan, but rather to identifying and evaluating the security risks and controls of the organization. Information security audits are not directly related to enhancing the incident response plan, but rather to verifying and validating the compliance and effectiveness of the security policies and standards of the organization. Key performance indicators (KPIs) are not directly related to enhancing the incident response plan, but rather to measuring and reporting the performance and progress of the security objectives and initiatives of the organization.
Reference: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-response-lessonslearned https://www.isaca.org/resources/isaca-journal/issues/2017/volume-1/security-riskassessment-for-a-cloud-based-enterprise-resource-planning-system https://www.isaca.org/resources/isaca-journal/issues/2016/volume-6/how-to-measure-theeffectiveness-of-information-security-using-iso-27004 https://www.isaca.org/resources/isacajournal/issues/2017/volume-3/how-to-measure-the-effectiveness-of-your-information-securitymanagement-system

NO.53 A risk assessment exercise has identified the threat of a denial of service (DoS) attack. Executive management has decided to take no further action related to this risk. The MOST likely reason for this decision is:
A. the risk assessment has not defined the likelihood of occurrence.
B. the reported vulnerability has not been validated.
C. executive management is not aware of the impact potential.
D. the cost of implementing controls exceeds the potential financial losses.
Answer: D
Explanation: Executive management may not take action related to a risk if they have determined that the cost of implementing the controls needed to mitigate the risk exceeds the potential financial losses that the organization would incur if the risk were to materialize. In cases such as this, it is important for the information security team to provide the executive team with a thorough cost-benefit analysis that outlines the cost of implementing the controls versus the expected losses from the risk.

NO.54 An organization has introduced a new bring your own device (BYOD) program. The security manager has determined that a small number of employees are utilizing free cloud storage services to store company data through their mobile devices. Which of the following is the MOST effective course of action?
A. Allow the practice to continue temporarily for monitoring purposes.
B. Disable the employees' remote access to company email and data.
C. Initiate remote wipe of the devices.
D. Assess the business need to provide a secure solution.
Answer: D
Explanation: The most effective course of action when employees are using free cloud storage services to store company data through their mobile devices is to assess the business need to provide a secure solution, such as a corporate-approved cloud service or a virtual desktop environment. Assessing the business need helps to understand why employees are using free cloud storage services, what kind of data they are storing, and what the security risks and requirements are. Based on the assessment, the security manager can propose a secure solution that meets the business needs and complies with the BYOD policy. The other options, such as allowing the practice to continue, disabling remote access, or initiating remote wipe, may not address the underlying business need or may cause disruption or data loss.
Reference: https://www.digitalguardian.com/blog/byod-security-expert-tips-policy-mitigating-risks-preventingbreach https://news.microsoft.com/en-xm/2021/03/18/how-to-have-secure-remote-working-with-a-byodpolicy/ https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/-infosec-guidebring-your-own-device-byod

NO.55 Which of the following is BEST used to determine the maturity of an information security program?
A. Security budget allocation
B. Organizational risk appetite
C. Risk assessment results
D. Security metrics
Answer: D
Explanation: Security metrics are the best way to determine the maturity of an information security program because they are quantifiable indicators of the performance and effectiveness of the security controls and processes. Security metrics help to evaluate the current state of security, identify gaps and weaknesses, measure progress and improvement, and communicate the value and impact of security to stakeholders. Therefore, security metrics are the correct answer.
Reference: https://www.isaca.org/resources/isaca-journal/issues/2020/volume-6/key-performance-indicatorsfor-security-governance-part-1 https://www.gartner.com/en/publications/protect-your-business-assets-with-roadmap-for-maturinginformation-security

NO.56 In a business proposal, a potential vendor promotes being certified for international security standards as a measure of its security capability. Before relying on this certification, it is MOST important that the information security manager confirms that the:
A. current international standard was used to assess security processes.
B. certification will remain current through the life of the contract.
C. certification scope is relevant to the service being offered.
D. certification can be extended to cover the client's business.
Answer: C

NO.57 Which of the following security processes will BEST prevent the exploitation of system vulnerabilities?
A. Intrusion detection
B. Log monitoring
C. Patch management
D. Antivirus software
Answer: C

NO.58 Which of the following BEST supports information security management in the event of organizational changes in security personnel?
A. Formalizing a security strategy and program
B. Developing an awareness program for staff
C. Ensuring current documentation of security processes
D. Establishing processes within the security operations team
Answer: C

NO.59 Which of the following is MOST important to include in a post-incident review following a data breach?
A. An evaluation of the effectiveness of the information security strategy
B. Evaluations of the adequacy of existing controls
C. Documentation of regulatory reporting requirements
D. A review of the forensics chain of custody
Answer: B

NO.60 When performing a business impact analysis (BIA), who should be responsible for determining the initial recovery time objective (RTO)?
A. External consultant
B. Information owners
C. Information security manager
D. Business continuity coordinator
Answer: D
Explanation: When performing a business impact analysis (BIA), it is the responsibility of the business continuity coordinator to determine the initial recovery time objective (RTO). The RTO is a critical component of the BIA and should be determined in cooperation with the information owners. The RTO should reflect the maximum tolerable period of disruption (MTPD) and should be used to guide the development of the recovery strategy.

NO.61 An employee has just reported the loss of a personal mobile device containing corporate information. Which of the following should the information security manager do FIRST?
A. Initiate incident response.
B. Disable remote access.
C. Initiate a device reset.
D. Conduct a risk assessment.
Answer: A
Explanation: Initiating incident response is the first course of action for an information security manager when an employee reports the loss of a personal mobile device containing corporate information. This helps to contain the incident, assess the impact, and take appropriate measures to prevent or mitigate further damage. According to ISACA, incident management is one of the key processes for information security governance. Initiating a device reset, disabling remote access, and conducting a risk assessment are possible subsequent actions, but they should be part of the incident response plan.
Reference: Find, lock, or erase a lost Android device - Google Account Help; Find, lock, or erase a lost Android device - Android Help; Lost or Stolen Mobile Device Procedure - Information Security Office; CISM Practice Quiz | CISM Exam Prep | ISACA; 200 CISM Exam Prep Questions | Free Practice Test | Simplilearn; CISM practice questions to prep for the exam | TechTarget

NO.62 Which of the following would BEST ensure that security is integrated during application development?
A. Employing global security standards during development processes
B. Providing training on secure development practices to programmers
C. Performing application security testing during acceptance testing
D. Introducing security requirements during the initiation phase
Answer: B

NO.63 An organization's disaster recovery plan (DRP) is documented and kept at a disaster recovery site. Which of the following is the BEST way to ensure the plan can be carried out in an emergency?
A. Store disaster recovery documentation in a public cloud.
B. Maintain an outsourced contact center in another country.
C. Require disaster recovery documentation be stored with all key decision makers.
D. Provide annual disaster recovery training to appropriate staff.
Answer: C

NO.64 Which of the following is the MOST effective way to help staff members understand their responsibilities for information security?
A. Communicate disciplinary processes for policy violations.
B. Require staff to participate in information security awareness training.
C. Require staff to sign confidentiality agreements.
D. Include information security responsibilities in job descriptions.
Answer: B

NO.65 An information security team is planning a security assessment of an existing vendor. Which of the following approaches is MOST helpful for properly scoping the assessment?
A. Focus the review on the infrastructure with the highest risk
B. Review controls listed in the vendor contract
C. Determine whether the vendor follows the selected security framework rules
D. Review the vendor's security policy
Answer: B
Explanation: Reviewing controls listed in the vendor contract is the most helpful approach for properly scoping the security assessment of an existing vendor because it helps to determine the security requirements and expectations that the vendor has agreed to meet.
A vendor contract is a legal document that defines the terms and conditions of the business relationship between the organization and the vendor, including the scope, deliverables, responsibilities, and obligations of both parties. A vendor contract should also specify the security controls that the vendor must implement and maintain to protect the organization's data and systems, such as encryption, authent