CISM All-In-One

Question 1

Security governance is most concerned with: 
A. Security policy
B. IT policy
C. Security strategy
D. Security executive compensation

Answer 1

C. Security governance is the mechanism through which security strategy is established, controlled, and monitored. Long-term and other strategic decisions are made in the context of security governance.

Question 2

A gaming software startup company does not employ penetration testing of its software. This is an example of:
A. High tolerance of risk 
B. Noncompliance
C. Irresponsibility
D. Outsourcing

Answer 2

A. A software startup in an industry like gaming is going to be highly tolerant of risk: time to market and signing up new customers will be its primary objectives. As the organization achieves viability, other priorities such as security will be introduced.

Question 3

An organization’s board of directors wants to see quarterly metrics on risk reduction. What would be the best metric for this purpose?
A. Number of firewall rules triggered
B. Viruses blocked by antivirus programs
C. Packets dropped by the firewall
D. Time to patch vulnerabilities on critical servers

Answer 3

D. The metric on time to patch critical servers will be the most meaningful metric for the board of directors. The other metrics, while potentially interesting at the operational level, do not convey business meaning to board members.

Question 4

Which of the following metrics is the best example of a leading indicator?
A. Average time to mitigate security incidents
B. Increase in the number of attacks blocked by the intrusion prevention
system (IPS)
C. Increase in the number of attacks blocked by the firewall
D. Percentage of critical servers being patched within service level
agreements (SLAs)

Answer 4

D. The metric of percentage of critical servers being patched within SLAs is the best leading indicator because it is a rough predictor of the probability of a future security incident. The other metrics are trailing indicators because they report on past incidents.

Question 5

What are the elements of the business model for information security (BMIS)?
A. Culture, governing, architecture, emergence, enabling and support, human factors
B. People, process, technology
C. Organization, people, process, technology
D. Financial, customer, internal processes, innovation, and learning

Answer 5

C. The elements of BMIS are organization, people, process, and
technology. The dynamic interconnections (DIs) are culture, governing,
architecture, emergence, enabling and support, and human factors.

Question 6

The best definition of a strategy is:
A. The objective to achieve a plan
B. The plan to achieve an objective
C. The plan to achieve business alignment D. The plan to reduce risk

Answer 6

B. A strategy is the plan to achieve an objective. An objective is the
“what” that an organization wants to achieve, and a strategy is the “how”
the objective will be achieved.

Question 7

The primary factor related to the selection of a control framework is: 
A. Industry vertical
B. Current process maturity level
C. Size of the organization
D. Compliance level

Answer 7

A. The most important factor influencing a decision of selecting a
control framework are the industry vertical. For example, a healthcare organization would likely select HIPAA as its primary control framework, whereas a retail organization might select PCI-DSS.

Question 8

As part of understanding the organization’s current state, a security strategist is examining the organization’s security policy. What does the policy tell the strategist?
A. The level of management commitment to security
B. The compliance level of the organization
C. The maturity level of the organization
D. None of these

Answer 8

D. By itself, security policy tells someone little about an organization’s security practices. An organization’s policy is only a collection of statements; without examining business processes, business records, and interviewing personnel, a security professional cannot develop any conclusions about an organization’s security practices.

Question 9

While gathering and examining various security-related business records, the security manager has determined that the organization has no security incident log. What conclusion can the security manager make from this?
A. The organization does not have security incident detection capabilities.
B. The organization has not yet experienced a security incident.
C. The organization is recording security incidents in its risk register.
D. The organization has effective preventive and detective controls.

Answer 9

A. An organization that does not have a security incident log probably lacks the capability to detect and respond to an incident. It is not reasonable to assume that the organization has had no security incidents since minor incidents occur with regularity. Claiming that the organization has effective controls is unreasonable, as it is understood that incidents occur even when effective controls are in place (because not all types of incidents can reasonably be prevented).

Question 10

The purpose of a balanced scorecard is to:
A. Measure the efficiency of a security organization
B. Evaluate the performance of individual employees
C. Benchmark a process in the organization against peer organizations
D. Measure organizational performance and effectiveness against
strategic goals

Answer 10

D. The balanced scorecard is a tool that is used to quantify the performance of an organization against strategic objectives. The focus of a balanced scorecard is financial, customer, internal processes, and innovation/learning.

Question 11

A security strategist has examined a business process and has determined that personnel who perform the process do so consistently, but there is no
written process document. The maturity level of this process is:
A. Initial
B. Repeatable
C. Defined
D. Managed

Answer 11

B. A process that is performed consistently but is undocumented is generally considered to be Repeatable.

Question 12

A security strategist has examined several business processes and has found that their individual maturity levels range from Repeatable to Optimizing. What is the best future state for these business processes?
A. All processes should be changed to Repeatable.
B. All processes should be changed to Optimizing.
C. There is insufficient information to determine the desired end states of
these processes.
D. Processes that are Repeatable should be changed to Defined.

Answer 12

C. There are no rules that specify that the maturity levels of different processes need to be the same or at different values relative to one another. In this example, each process may already be at an appropriate level, based on risk appetite, risk levels, and other considerations.

Question 13

In an organization using PCI-DSS as its control framework, the conclusion of a recent risk assessment stipulates that additional controls not present in PCI-DSS but present in ISO 27001 should be enacted. What is the best course of action in this situation?
A. Adopt ISO 27001 as the new control framework.
B. Retain PCI-DSS as the control framework and update process
documentation.
C. Add the required controls to the existing control framework.
D. Adopt NIST 800-53 as the new control framework.

Answer 13

C. An organization that needs to implement new controls should do so within its existing control framework. It is not necessary to adopt an entirely new control framework when a few controls need to be added.

Question 14

A security strategist is seeking to improve the security program in an organization with a strong but casual culture. What is the best approach here?
A. Conduct focus groups to discuss possible avenues of approach.
B. Enact new detective controls to identify personnel who are violating
policy.
C. Implement security awareness training that emphasizes new required behavior.
D. Lock users out of their accounts until they agree to be compliant.

Answer 14

A. Organizational culture is powerful, as it reflects how people think and work. In this example, there is no mention that the strong culture is bad, only that it is casual. Punishing people for their behavior may cause resentment, a revolt, or people to leave the organization. The best approach here is to better understand the culture and to work with people in the organization to figure out how a culture of security can be introduced successfully.

Question 15

A security strategist recently joined a retail organization that operates with slim profit margins and has discovered that the organization lacks several important security capabilities. What is the best strategy here?
A. Insist that management support an aggressive program to quickly improve the program.
B. Develop a risk ledger that highlights all identified risks.
C. Recommend that the biggest risks be avoided.
D. Develop a risk-based strategy that implements changes slowly over an extended period of time.

Answer 15

D. A security strategist needs to understand an organization’s capacity to spend its way to lower risk. In an organization with profit margins, it is unlikely that the organization is going to agree to an aggressive improvement plan. Developing a risk ledger that depicts these risks may be a helpful tool for communicating risk, but by itself there is no action to change anything. Similarly, recommending risk avoidance may mean discontinuing the very operations that bring in revenue.

Question 16

A risk manager is planning a first-ever risk assessment in an organization. What is the best approach for ensuring success?
A. Interview personnel separately so that their responses can be compared.
B. Select a framework that matches the organization’s control framework.
C. Work with executive management to determine the correct scope.
D. Do not inform executive management until the risk assessment has
been completed.

Answer 16

C. The best approach for success in an organization’s risk management program, and during risk assessments, is to have support from executive management. Executives need to define the scope of the risk management program, whether by business unit, geography, or other means.

Question 17

A security manager has completed a vulnerability scan and has identified numerous vulnerabilities in production servers. What is the best course of action?
A. Notify the production servers’ asset owners.
B. Conduct a formal investigation.
C. Place a single entry into the risk register.
D. Put individual vulnerability entries into the risk register.

Answer 17

A. Most organizations do not place individual vulnerabilities into a risk register. The risk register is primarily for strategic issues, not tactical issues such as individual vulnerabilities. However, if the vulnerability scan report was an indication of a broken process or broken technology, then that matter of brokenness might qualify as a valid risk register entry.

Question 18

The concept of security tasks in the context of a SaaS or IaaS environment is depicted in a:
A. Discretionary control model 
B. Mandatory control model 
C. Monte Carlo risk model
D. Shared responsibility model

Answer 18

D. The shared responsibility model, sometimes known as a shared responsibility matrix, depicts the operational model for SaaS and IaaS providers where client organizations have some security responsibilities (such as end user access control) and service provider organizations have some security responsibilities (such as physical access control).

Question 19

The categories of risk treatment are:
A. Risk avoidance, risk transfer, risk mitigation, and risk acceptance
B. Risk avoidance, risk transfer, and risk mitigation
C. Risk avoidance, risk reduction, risk transfer, risk mitigation, and risk
acceptance
D. Risk avoidance, risk treatment, risk mitigation, and risk acceptance

Answer 19

A. The four categories of risk treatment are risk mitigation (where risks are reduced through a control or process change), risk transfer (where risks are transferred to an external party such as an insurance company or managed services provider), risk avoidance (where the risk-producing activity is discontinued), and risk acceptance (where management chooses to accept the risk).

Question 20

Which of the following recovery objectives is associated with the longest allowed period of service outage?
A. Recovery tolerance objective (RTO) 
B. Recovery point objective (RPO)
C. Recovery capacity objective (RCapO) 
D. Recovery time objective (RTO)

Answer 20

D. Recovery time objective is the maximum period of time from the onset of an outage until the resumption of service.

Question 21

When would it make sense to spend $50,000 to protect an asset worth $10,000?
A. If the protective measure reduced threat impact by more than 90 percent.
B. It would never make sense to spend $50,000 to protect an asset worth $10,000.
C. If the asset was required for realization of $500,000 monthly revenue.
D. If the protective measure reduced threat probability by more than 90 percent.

Answer 21

C. Ordinarily it would not make sense to spend $50,000 to protect an asset worth $10,000. But sometimes there are other considerations, such as revenue realization or reputation damage, that can be difficult to quantify.

Question 22

Which of the following statements is true about compliance risk?
A. Compliance risk can be tolerated when fines cost less than controls.
B. Compliance risk is just another risk that needs to be measured.
C. Compliance risk can never be tolerated.
D. Compliance risk can be tolerated when it is optional.

Answer 22

B. In most cases, compliance risk is just another risk that needs to be understood. This includes the understanding of potential fines and other sanctions in relation to the costs required to reach a state of compliance. In some cases, however, being out of compliance can also result in reputation damage, as well as larger sanctions if the organization suffers from a security breach because of the noncompliant state.

Question 23

A security steering committee empowered to make risk treatment decisions has chosen to accept a specific risk. What is the best course of action?
A. Refer the risk to a qualified external security audit firm.
B. Perform additional risk analysis to identify residual risk.
C. Reopen the risk item for reconsideration after one year.
D. Mark the risk item as permanently closed.

Answer 23

C. A risk register item that has been accepted should be shelved and considered after a period of time, perhaps one year. This is a better option than closing the item permanently; in a year’s time, changes in business conditions, security threats, and other considerations may compel the organization to take different action.

Question 24

A security steering committee has voted to mitigate a specific risk. Some residual risk remains. What is the best course of action regarding the residual risk?
A. Accept the residual risk and close the risk ledger item.
B. Continue cycles of risk treatment until the residual risk reaches an
acceptable level.
C. Continue cycles of risk treatment until the residual risk reaches zero.
D. Accept the residual risk and keep the risk ledger item open.

Answer 24

B. After risk reduction through risk mitigation, the residual risk should be treated like any new risk: it should be reexamined, and a new risk treatment decision should be made. This should continue until the final remaining residual risk is accepted.

Question 25

A security manager has been directed by executive management to not document a specific risk in the risk register. This course of action is known as:
A. Burying the risk
B. Transferring the risk 
C. Accepting the risk
D. Ignoring the risk

Answer 25

D. The refusal of an organization to formally consider a risk is known as ignoring the risk. This is not a formal method of risk treatment because of the absence of deliberation and decision-making. It is not a wise business practice to keep some risk matters “off the books.”

Question 26

A security manager is performing a risk assessment on a business application. The security manager has determined that security patches have not been installed for more than a year. This finding is known as a:
A. Probability 
B. Threat
C. Vulnerability 
D. Risk

Answer 26

C. The absence of security patches on a system is considered a vulnerability. A vulnerability is defined as a weakness in a system that could permit an attack to occur.

Question 27

A security manager is performing a risk assessment on a data center. The security manager has determined that it is possible for unauthorized personnel to enter the data center through the loading dock door and shut off utility power to the building. This finding is known as a:
A. Probability 
B. Threat
C. Vulnerability 
D. Risk

Answer 27

B. Any undesired action that could harm an asset is known as a threat.

Question 28

A security manager has developed a scheme that prescribes required methods be used to protect information at rest, in motion, and in transit. This is known as a(n):
A. Data classification policy 
B. Asset classification policy 
C. Data loss prevention plan 
D. Asset loss prevention plan

Answer 28

A data classification policy is a statement that defines two or more classification levels for data, together with procedures and standards for the protection of data at each classification for various use cases such as storage in a database, storage on a laptop computer, transmissions via e- mail, and storage on backup media.

Question 29

A security manager is developing a strategy for making improvements to the organization’s incident management process. The security manager has defined the desired future state. Before specific plans can be made to improve the process, the security manager should perform a:
A. Training session
B. Penetration test
C. Vulnerability assessment 
D. Gap analysis

Answer 29

D. When the desired end state of a process or system is determined, a gap analysis must be performed so that the current state of the process or system can also be known. Then, specific tasks can be performed to reach the desired end state of the process.

Question 30

What is usually the primary objective of risk management?
A. Fewer and less severe security incidents
B. No security incidents
C. Improved compliance
D. Fewer audit findings

Answer 30

A. The most common objective of a risk management program is the reduction in the number and severity of security incidents.