CISM All-In-One Flashcards

1
Q
Security governance is most concerned with: 
A. Security policy
B. IT policy
C. Security strategy
D. Security executive compensation
A

C. Security governance is the mechanism through which security strategy is established, controlled, and monitored. Long-term and other strategic decisions are made in the context of security governance.

2
Q
A gaming software startup company does not employ penetration testing of its software. This is an example of:
A. High tolerance of risk 
B. Noncompliance
C. Irresponsibility
D. Outsourcing
A

A. A software startup in an industry like gaming is going to be highly tolerant of risk: time to market and signing up new customers will be its primary objectives. As the organization achieves viability, other priorities such as security will be introduced.

3
Q

An organization’s board of directors wants to see quarterly metrics on risk reduction. What would be the best metric for this purpose?
A. Number of firewall rules triggered
B. Viruses blocked by antivirus programs
C. Packets dropped by the firewall
D. Time to patch vulnerabilities on critical servers

A

D. The metric on time to patch critical servers will be the most meaningful metric for the board of directors. The other metrics, while potentially interesting at the operational level, do not convey business meaning to board members.

4
Q

Which of the following metrics is the best example of a leading indicator?
A. Average time to mitigate security incidents
B. Increase in the number of attacks blocked by the intrusion prevention system (IPS)
C. Increase in the number of attacks blocked by the firewall
D. Percentage of critical servers being patched within service level agreements (SLAs)

A

D. The metric of percentage of critical servers being patched within SLAs is the best leading indicator because it is a rough predictor of the probability of a future security incident. The other metrics are trailing indicators because they report on past incidents.

5
Q

What are the elements of the business model for information security (BMIS)?
A. Culture, governing, architecture, emergence, enabling and support, human factors
B. People, process, technology
C. Organization, people, process, technology
D. Financial, customer, internal processes, innovation, and learning

A

C. The elements of BMIS are organization, people, process, and technology. The dynamic interconnections (DIs) are culture, governing, architecture, emergence, enabling and support, and human factors.

6
Q

The best definition of a strategy is:
A. The objective to achieve a plan
B. The plan to achieve an objective
C. The plan to achieve business alignment
D. The plan to reduce risk

A

B. A strategy is the plan to achieve an objective. An objective is the “what” that an organization wants to achieve, and a strategy is the “how” the objective will be achieved.

7
Q
The primary factor related to the selection of a control framework is: 
A. Industry vertical
B. Current process maturity level
C. Size of the organization
D. Compliance level
A

A. The most important factor influencing the selection of a control framework is the industry vertical. For example, a healthcare organization would likely select HIPAA as its primary control framework, whereas a retail organization might select PCI-DSS.

8
Q

As part of understanding the organization’s current state, a security strategist is examining the organization’s security policy. What does the policy tell the strategist?
A. The level of management commitment to security
B. The compliance level of the organization
C. The maturity level of the organization
D. None of these

A

D. By itself, security policy tells someone little about an organization’s security practices. An organization’s policy is only a collection of statements; without examining business processes, business records, and interviewing personnel, a security professional cannot develop any conclusions about an organization’s security practices.

9
Q

While gathering and examining various security-related business records, the security manager has determined that the organization has no security incident log. What conclusion can the security manager make from this?
A. The organization does not have security incident detection capabilities.
B. The organization has not yet experienced a security incident.
C. The organization is recording security incidents in its risk register.
D. The organization has effective preventive and detective controls.

A

A. An organization that does not have a security incident log probably lacks the capability to detect and respond to an incident. It is not reasonable to assume that the organization has had no security incidents since minor incidents occur with regularity. Claiming that the organization has effective controls is unreasonable, as it is understood that incidents occur even when effective controls are in place (because not all types of incidents can reasonably be prevented).

10
Q

The purpose of a balanced scorecard is to:
A. Measure the efficiency of a security organization
B. Evaluate the performance of individual employees
C. Benchmark a process in the organization against peer organizations
D. Measure organizational performance and effectiveness against strategic goals

A

D. The balanced scorecard is a tool that is used to quantify the performance of an organization against strategic objectives. The focus of a balanced scorecard is financial, customer, internal processes, and innovation/learning.

11
Q

A security strategist has examined a business process and has determined that personnel who perform the process do so consistently, but there is no written process document. The maturity level of this process is:
A. Initial
B. Repeatable
C. Defined
D. Managed

A

B. A process that is performed consistently but is undocumented is generally considered to be Repeatable.

12
Q

A security strategist has examined several business processes and has found that their individual maturity levels range from Repeatable to Optimizing. What is the best future state for these business processes?
A. All processes should be changed to Repeatable.
B. All processes should be changed to Optimizing.
C. There is insufficient information to determine the desired end states of these processes.
D. Processes that are Repeatable should be changed to Defined.

A

C. There are no rules that specify that the maturity levels of different processes need to be the same or at different values relative to one another. In this example, each process may already be at an appropriate level, based on risk appetite, risk levels, and other considerations.

13
Q

In an organization using PCI-DSS as its control framework, the conclusion of a recent risk assessment stipulates that additional controls not present in PCI-DSS but present in ISO 27001 should be enacted. What is the best course of action in this situation?
A. Adopt ISO 27001 as the new control framework.
B. Retain PCI-DSS as the control framework and update process documentation.
C. Add the required controls to the existing control framework.
D. Adopt NIST 800-53 as the new control framework.

A

C. An organization that needs to implement new controls should do so within its existing control framework. It is not necessary to adopt an entirely new control framework when a few controls need to be added.

14
Q

A security strategist is seeking to improve the security program in an organization with a strong but casual culture. What is the best approach here?
A. Conduct focus groups to discuss possible avenues of approach.
B. Enact new detective controls to identify personnel who are violating policy.
C. Implement security awareness training that emphasizes new required behavior.
D. Lock users out of their accounts until they agree to be compliant.

A

A. Organizational culture is powerful, as it reflects how people think and work. In this example, there is no mention that the strong culture is bad, only that it is casual. Punishing people for their behavior may cause resentment, a revolt, or people to leave the organization. The best approach here is to better understand the culture and to work with people in the organization to figure out how a culture of security can be introduced successfully.

15
Q

A security strategist recently joined a retail organization that operates with slim profit margins and has discovered that the organization lacks several important security capabilities. What is the best strategy here?
A. Insist that management support an aggressive program to quickly improve the program.
B. Develop a risk ledger that highlights all identified risks.
C. Recommend that the biggest risks be avoided.
D. Develop a risk-based strategy that implements changes slowly over an extended period of time.

A

D. A security strategist needs to understand an organization’s capacity to spend its way to lower risk. In an organization with slim profit margins, it is unlikely that the organization is going to agree to an aggressive improvement plan. Developing a risk ledger that depicts these risks may be a helpful tool for communicating risk, but by itself there is no action to change anything. Similarly, recommending risk avoidance may mean discontinuing the very operations that bring in revenue.

16
Q

A risk manager is planning a first-ever risk assessment in an organization. What is the best approach for ensuring success?
A. Interview personnel separately so that their responses can be compared.
B. Select a framework that matches the organization’s control framework.
C. Work with executive management to determine the correct scope.
D. Do not inform executive management until the risk assessment has been completed.

A

C. The best approach for success in an organization’s risk management program, and during risk assessments, is to have support from executive management. Executives need to define the scope of the risk management program, whether by business unit, geography, or other means.

17
Q

A security manager has completed a vulnerability scan and has identified numerous vulnerabilities in production servers. What is the best course of action?
A. Notify the production servers’ asset owners.
B. Conduct a formal investigation.
C. Place a single entry into the risk register.
D. Put individual vulnerability entries into the risk register.

A

A. Most organizations do not place individual vulnerabilities into a risk register. The risk register is primarily for strategic issues, not tactical issues such as individual vulnerabilities. However, if the vulnerability scan report was an indication of a broken process or broken technology, then that matter of brokenness might qualify as a valid risk register entry.

18
Q
The concept of security tasks in the context of a SaaS or IaaS environment is depicted in a:
A. Discretionary control model 
B. Mandatory control model 
C. Monte Carlo risk model
D. Shared responsibility model
A

D. The shared responsibility model, sometimes known as a shared responsibility matrix, depicts the operational model for SaaS and IaaS providers where client organizations have some security responsibilities (such as end user access control) and service provider organizations have some security responsibilities (such as physical access control).

19
Q

The categories of risk treatment are:
A. Risk avoidance, risk transfer, risk mitigation, and risk acceptance
B. Risk avoidance, risk transfer, and risk mitigation
C. Risk avoidance, risk reduction, risk transfer, risk mitigation, and risk acceptance
D. Risk avoidance, risk treatment, risk mitigation, and risk acceptance

A

A. The four categories of risk treatment are risk mitigation (where risks are reduced through a control or process change), risk transfer (where risks are transferred to an external party such as an insurance company or managed services provider), risk avoidance (where the risk-producing activity is discontinued), and risk acceptance (where management chooses to accept the risk).

20
Q
Which of the following recovery objectives is associated with the longest allowed period of service outage?
A. Recovery tolerance objective (RTO) 
B. Recovery point objective (RPO)
C. Recovery capacity objective (RCapO) 
D. Recovery time objective (RTO)
A

D. Recovery time objective is the maximum period of time from the onset of an outage until the resumption of service.

21
Q

When would it make sense to spend $50,000 to protect an asset worth $10,000?
A. If the protective measure reduced threat impact by more than 90 percent.
B. It would never make sense to spend $50,000 to protect an asset worth $10,000.
C. If the asset was required for realization of $500,000 monthly revenue.
D. If the protective measure reduced threat probability by more than 90 percent.

A

C. Ordinarily it would not make sense to spend $50,000 to protect an asset worth $10,000. But sometimes there are other considerations, such as revenue realization or reputation damage, that can be difficult to quantify.

22
Q

Which of the following statements is true about compliance risk?
A. Compliance risk can be tolerated when fines cost less than controls.
B. Compliance risk is just another risk that needs to be measured.
C. Compliance risk can never be tolerated.
D. Compliance risk can be tolerated when it is optional.

A

B. In most cases, compliance risk is just another risk that needs to be understood. This includes the understanding of potential fines and other sanctions in relation to the costs required to reach a state of compliance. In some cases, however, being out of compliance can also result in reputation damage, as well as larger sanctions if the organization suffers from a security breach because of the noncompliant state.

23
Q

A security steering committee empowered to make risk treatment decisions has chosen to accept a specific risk. What is the best course of action?
A. Refer the risk to a qualified external security audit firm.
B. Perform additional risk analysis to identify residual risk.
C. Reopen the risk item for reconsideration after one year.
D. Mark the risk item as permanently closed.

A

C. A risk register item that has been accepted should be shelved and considered after a period of time, perhaps one year. This is a better option than closing the item permanently; in a year’s time, changes in business conditions, security threats, and other considerations may compel the organization to take different action.

24
Q

A security steering committee has voted to mitigate a specific risk. Some residual risk remains. What is the best course of action regarding the residual risk?
A. Accept the residual risk and close the risk ledger item.
B. Continue cycles of risk treatment until the residual risk reaches an acceptable level.
C. Continue cycles of risk treatment until the residual risk reaches zero.
D. Accept the residual risk and keep the risk ledger item open.

A

B. After risk reduction through risk mitigation, the residual risk should be treated like any new risk: it should be reexamined, and a new risk treatment decision should be made. This should continue until the final remaining residual risk is accepted.

25
Q
A security manager has been directed by executive management to not document a specific risk in the risk register. This course of action is known as:
A. Burying the risk
B. Transferring the risk 
C. Accepting the risk
D. Ignoring the risk
A

D. The refusal of an organization to formally consider a risk is known as ignoring the risk. This is not a formal method of risk treatment because of the absence of deliberation and decision-making. It is not a wise business practice to keep some risk matters “off the books.”

26
Q
A security manager is performing a risk assessment on a business application. The security manager has determined that security patches have not been installed for more than a year. This finding is known as a:
A. Probability 
B. Threat
C. Vulnerability 
D. Risk
A

C. The absence of security patches on a system is considered a vulnerability. A vulnerability is defined as a weakness in a system that could permit an attack to occur.

27
Q
A security manager is performing a risk assessment on a data center. The security manager has determined that it is possible for unauthorized personnel to enter the data center through the loading dock door and shut off utility power to the building. This finding is known as a:
A. Probability 
B. Threat
C. Vulnerability 
D. Risk
A

B. Any undesired action that could harm an asset is known as a threat.

28
Q
A security manager has developed a scheme that prescribes required methods be used to protect information at rest, in motion, and in transit. This is known as a(n):
A. Data classification policy 
B. Asset classification policy 
C. Data loss prevention plan 
D. Asset loss prevention plan
A

A. A data classification policy is a statement that defines two or more classification levels for data, together with procedures and standards for the protection of data at each classification for various use cases such as storage in a database, storage on a laptop computer, transmission via e-mail, and storage on backup media.

29
Q
A security manager is developing a strategy for making improvements to the organization’s incident management process. The security manager has defined the desired future state. Before specific plans can be made to improve the process, the security manager should perform a:
A. Training session
B. Penetration test
C. Vulnerability assessment 
D. Gap analysis
A

D. When the desired end state of a process or system is determined, a gap analysis must be performed so that the current state of the process or system can also be known. Then, specific tasks can be performed to reach the desired end state of the process.

30
Q

What is usually the primary objective of risk management?
A. Fewer and less severe security incidents
B. No security incidents
C. Improved compliance
D. Fewer audit findings

A

A. The most common objective of a risk management program is the reduction in the number and severity of security incidents.