CISM Practice C Topic 2 Flashcards
A risk mitigation report would include recommendations for:
acceptance
A risk management program should reduce risk to:
an acceptable level.
The MOST important reason for conducting periodic risk assessments is because:
security risks are subject to frequent change.
Which of the following BEST indicates a successful risk management practice?
Residual risk is minimized
Which of the following would generally have the GREATEST negative impact on an organization?
Loss of customer confidence
A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures?
Risk analysis results
Which of the following will BEST protect an organization from internal security attacks?
Prospective employee background checks
For risk management purposes, the value of an asset should be based on:
replacement cost.
In a business impact analysis, the value of an information system should be based on the overall cost:
if unavailable.
Acceptable risk is achieved when:
residual risk is minimized.
The value of information assets is BEST determined by:
individual business managers.
During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?
Feasibility
The MOST effective way to incorporate risk management practices into existing production systems is through:
change management.
Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)?
Business impact analysis
The recovery time objective (RTO) is reached at which of the following milestones?
Restoration of the system
Which of the following results from the risk assessment process would BEST assist risk management decision making?
Residual risk
The decision on whether new risks should fall under periodic or event-driven reporting should be based on which of the following?
Visibility of impact
Risk acceptance is a component of which of the following?
Mitigation
Risk management programs are designed to reduce risk to:
a level that the organization is willing to accept.
A risk assessment should be conducted:
annually or whenever there is a significant change.
The MOST important function of a risk management program is to:
minimize residual risk.
Which of the following risks would BEST be assessed using qualitative risk assessment techniques?
Permanent decline in customer confidence
Which of the following will BEST prevent external security attacks?
Network address translation
In performing a risk assessment on the impact of losing a server, the value of the server should be calculated using the:
cost to obtain a replacement.
A business impact analysis (BIA) is the BEST tool for calculating:
priority of restoration.
When residual risk is minimized:
acceptable risk is probable.
Quantitative risk analysis is MOST appropriate when assessment data:
contain percentage estimates.
Which of the following is the MOST appropriate use of gap analysis?
Measuring current state vs. desired future state
Identification and prioritization of business risk enables project managers to:
address areas with most significance.
A risk analysis should:
address the potential size and likelihood of loss.
The recovery point objective (RPO) requires which of the following?
Before-image restoration
Based on the information provided, which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations?
Change management procedures are poor
Which of the following BEST describes the scope of risk analysis?
Organizational activities
The decision as to whether a risk has been reduced to an acceptable level should be determined by:
organizational requirements.
Which of the following is the PRIMARY reason for implementing a risk management program?
Is a necessary part of management’s due diligence
Which of the following groups would be in the BEST position to perform a risk analysis for a business?
Process owners
A successful risk management program should lead to:
optimization of risk reduction efforts against cost.
Which of the following risks would BEST be assessed using quantitative risk assessment techniques?
An electrical power outage
The impact of losing frame relay network connectivity for 18-24 hours should be calculated using the:
financial losses incurred by affected business units.
Which of the following is the MOST usable deliverable of an information security risk analysis?
List of action items to mitigate risk
Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following?
Heat charts
Who would be in the BEST position to determine the recovery point objective (RPO) for business applications?
Chief operations officer (COO)
Which two components PRIMARILY must be assessed in an effective risk analysis?
Likelihood and impact
Information security managers should use risk assessment techniques to:
justify selection of risk mitigation strategies.
In assessing risk, it is MOST essential to:
consider both monetary value and likelihood of loss.
When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify:
data owners who may be impacted.
Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas?
Entitlement changes
The PRIMARY goal of a corporate risk management program is to ensure that an organization’s:
stated objectives are achievable.
It is important to classify and determine relative sensitivity of assets to ensure that:
countermeasures are proportional to risk.
The service level agreement (SLA) for an outsourced IT function does not reflect an adequate level of protection. In this situation an information security manager should:
determine the current level of security.
An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the:
vulnerability.
When performing a quantitative risk analysis, which of the following is MOST important to estimate the potential loss?
Calculate the value of the information or asset
Before conducting a formal risk assessment of an organization’s information resources, an information security manager should FIRST:
map the major threats to business objectives.
The valuation of IT assets should be performed by:
the information owner.
The PRIMARY objective of a risk management program is to:
minimize residual risk.
After completing a full IT risk assessment, who can BEST decide which mitigating controls should be implemented?
Business manager
When performing an information risk analysis, an information security manager should FIRST:
take an asset inventory.
The PRIMARY benefit of performing an information asset classification is to:
identify controls commensurate to risk.
Which of the following is MOST essential for a risk management program to be effective?
New risks detection
Which of the following attacks is BEST mitigated by utilizing strong passwords?
Brute force attack
Phishing is BEST mitigated by which of the following?
User awareness
The security responsibility of data custodians in an organization will include:
ensuring security measures are consistent with policy.
A security risk assessment exercise should be repeated at regular intervals because:
business threats are constantly changing.
Which of the following steps in conducting a risk assessment should be performed FIRST?
Identify business assets
The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:
periodically testing the incident response plans.
Which of the following risks is represented in the risk appetite of an organization?
Residual
Which of the following would a security manager establish to determine the target for restoration of normal processing?
Recovery time objective (RTO)
A risk management program would be expected to:
maintain residual risk at an acceptable level.
Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?
Feasibility
Which of the following would help management determine the resources needed to mitigate a risk to the organization?
Business impact analysis (BIA)
A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that:
the cost of countermeasure outweighs the value of the asset and potential loss.
Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?
Percent of control objectives accomplished
Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a large, multinational enterprise?
Previous financial results
The PRIMARY purpose of using risk analysis within a security program is to:
assess exposures and plan remediation.
Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?
Identifying data owners
An online banking institution is concerned that the breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to:
mitigate the impact by purchasing insurance.
What mechanisms are used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system?
Security gap analyses
A common concern with poorly written web applications is that they can allow an attacker to:
inject structured query language (SQL) statements.
Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?
Cost versus benefit of additional mitigating controls
A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization’s local area network (LAN). What should the security manager do FIRST?
Understand the business requirements of the developer portal
A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account?
Create a strong random password
Attackers who exploit cross-site scripting vulnerabilities take advantage of:
a lack of proper input validation controls.
Which of the following would BEST address the risk of data leakage?
Acceptable use policies
A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected?
Data classification policy
What is the BEST technique to determine which security controls to implement with a limited budget?
Cost-benefit analysis
A company’s mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action? • A penetration test • A security baseline review • A risk assessment • A business impact analysis (BIA)
A risk assessment
Which of the following measures would be MOST effective against insider threats to confidential information? • Role-based access control • Audit trail monitoring • Privacy policy • Defense-in-depth
Role-based access control
Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company’s policies. An information security manager should: • conduct a risk assessment and allow or disallow based on the outcome. • recommend a risk assessment and implementation only if the residual risks are accepted. • recommend against implementation because it violates the company’s policies. • recommend revision of current policy.
recommend a risk assessment and implementation only if the residual risks are accepted.
After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to: • increase its customer awareness efforts in those regions. • implement monitoring techniques to detect and react to potential fraud. • outsource credit card processing to a third party. • make the customer liable for losses if they fail to follow the bank’s advice.
implement monitoring techniques to detect and react to potential fraud.
The criticality and sensitivity of information assets is determined on the basis of: • threat assessment. • vulnerability assessment. • resource dependency assessment. • impact assessment.
impact assessment
Which program element should be implemented FIRST in asset classification and control? • Risk assessment • Classification • Valuation • Risk mitigation
Valuation
When performing a risk assessment, the MOST important consideration is that: • management supports risk mitigation efforts. • annual loss expectations (ALEs) have been calculated for critical assets. • assets have been identified and appropriately valued. • attack motives, means and opportunities be understood.
assets have been identified and appropriately valued.
The MAIN reason why asset classification is important to a successful information security program is because classification determines: • the priority and extent of risk mitigation efforts. • the amount of insurance needed in case of loss. • the appropriate level of protection to the asset. • how protection levels compare to peer organizations.
the appropriate level of protection to the asset.
The BEST strategy for risk management is to: • achieve a balance between risk and organizational goals. • reduce risk to an acceptable level. • ensure that policy development properly considers organizational risks. • ensure that all unmitigated risks are accepted by management.
reduce risk to an acceptable level.
Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data? • Disclosure of personal information • Sufficient coverage of the insurance policy for accidental losses • Intrinsic value of the data stored on the equipment • Replacement cost of the equipment
Intrinsic value of the data stored on the equipment
An organization has to comply with recently published industry regulatory requirements, compliance that potentially has high implementation costs. What should the information security manager do FIRST? • Implement a security committee. • Perform a gap analysis. • Implement compensating controls. • Demand immediate compliance.
Perform a gap analysis.
Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system? • Annual loss expectancy (ALE) of incidents • Frequency of incidents • Total cost of ownership (TCO) • Approved budget for the project
Total cost of ownership (TCO)
One way to determine control effectiveness is by determining: • whether it is preventive, detective or compensatory. • the capability of providing notification of failure. • the test results of intended objectives. • the evaluation and analysis of reliability.
the test results of intended objectives.
What does a network vulnerability assessment intend to identify? • 0-day vulnerabilities • Malicious software and spyware • Security design flaws • Misconfiguration and missing updates
Misconfiguration and missing updates
Who is responsible for ensuring that information is classified? • Senior management • Security manager • Data owner • Custodian
Data owner
After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be: • transferred. • treated. • accepted. • terminated.
accepted.
When a significant security breach occurs, what should be reported FIRST to senior management? • A summary of the security logs that illustrates the sequence of events • An explanation of the incident and corrective action taken • An analysis of the impact of similar attacks at other organizations • A business case for implementing stronger logical access controls
An explanation of the incident and corrective action taken
The PRIMARY reason for initiating a policy exception process is when: • operations are too busy to comply. • the risk is justified by the benefit. • policy compliance would be difficult to enforce. • users may initially be inconvenienced.
the risk is justified by the benefit.
Which of the following would be the MOST relevant factor when defining the information classification policy? • Quantity of information • Available IT infrastructure • Benchmarking • Requirements of data owners
Requirements of data owners
To determine the selection of controls required to meet business objectives, an information security manager should: • prioritize the use of role-based access controls. • focus on key controls. • restrict controls to only critical applications. • focus on automated controls.
focus on key controls.
The MOST appropriate owner of customer data stored in a central database, used only by an organization’s sales department, would be the: • sales department. • database administrator. • chief information officer (CIO). • head of the sales department.
head of the sales department.
In assessing the degree to which an organization may be affected by new privacy legislation, information security management should FIRST: • develop an operational plan for achieving compliance with the legislation. • identify systems and processes that contain privacy components. • restrict the collection of personal information until compliant. • identify privacy legislation in other countries that may contain similar requirements.
identify systems and processes that contain privacy components.
Risk assessment is MOST effective when performed: • at the beginning of security program development. • on a continuous basis. • while developing the business case for the security program. • during the business change process.
on a continuous basis.
Which of the following is the MAIN reason for performing risk assessment on a continuous basis? • Justification of the security budget must be continually made. • New vulnerabilities are discovered every day. • The risk environment is constantly changing. • Management needs to be continually informed about emerging risks.
The risk environment is constantly changing.
There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period? • Identify the vulnerable systems and apply compensating controls • Minimize the use of vulnerable systems • Communicate the vulnerability to system users • Update the signatures database of the intrusion detection system (IDS)
Identify the vulnerable systems and apply compensating controls
Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes? • Business impact analysis (BIA) • Penetration testing • Audit and review • Threat analysis
Penetration testing
Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented? • Countermeasure cost-benefit analysis • Penetration testing • Frequent risk assessment programs • Annual loss expectancy (ALE) calculation
Countermeasure cost-benefit analysis
An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of: • eliminating the risk. • transferring the risk. • mitigating the risk. • accepting the risk.
mitigating the risk.
Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset? • Manager • Custodian • User • Owner
Owner
The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for: • determining the scope for inclusion in an information security program. • defining the level of access controls. • justifying costs for information resources. • determining the overall budget of an information security program.
defining the level of access controls.
An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs? • Key performance indicators (KPIs) • Business impact analysis (BIA) • Gap analysis • Technical vulnerability assessment
Gap analysis
When performing a qualitative risk analysis, which of the following will BEST produce reliable results? • Estimated productivity losses • Possible scenarios with threats and impacts • Value of information assets • Vulnerability assessment
Possible scenarios with threats and impacts
Which of the following is the BEST method to ensure the overall effectiveness of a risk management program? • User assessments of changes • Comparison of the program results with industry standards • Assignment of risk within the organization • Participation by all members of the organization
Participation by all members of the organization
The MOST effective use of a risk register is to: • identify risks and assign roles and responsibilities for mitigation. • identify threats and probabilities. • facilitate a thorough review of all IT-related risks on a periodic basis. • record the annualized financial amount of expected losses due to risks.
facilitate a thorough review of all IT-related risks on a periodic basis.
After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program? • Define security metrics • Conduct a risk assessment • Perform a gap analysis • Procure security tools
Conduct a risk assessment
Which of the following are the essential ingredients of a business impact analysis (BIA)? • Downtime tolerance, resources and criticality • Cost of business outages in a year as a factor of the security budget • Business continuity testing methodology being deployed • Structure of the crisis management team
Downtime tolerance, resources and criticality
A risk management approach to information protection is: • managing risks to an acceptable level, commensurate with goals and objectives. • accepting the security posture provided by commercial security products. • implementing a training program to educate individuals on information protection and risks. • managing risk tools to ensure that they assess all information protection vulnerabilities.
managing risks to an acceptable level, commensurate with goals and objectives.
Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level? • Implement countermeasures. • Eliminate the risk. • Transfer the risk. • Accept the risk.
Transfer the risk.
To ensure that payroll systems continue to operate in the event of a hurricane hitting a data center, what would be the FIRST crucial step an information security manager would take in ensuring business continuity planning? • Conducting a qualitative and quantitative risk analysis. • Assigning value to the assets. • Weighing the cost of implementing the plan vs. financial loss. • Conducting a business impact analysis (BIA).
Conducting a business impact analysis (BIA).
An information security organization should PRIMARILY: • support the business objectives of the company by providing security-related support services. • be responsible for setting up and documenting the information security responsibilities of the information security team members. • ensure that the information security policies of the company are in line with global best practices and standards. • ensure that the information security expectations are conveyed to employees.
support the business objectives of the company by providing security-related support services.
When implementing security controls, an information security manager must PRIMARILY focus on: • minimizing operational impacts. • eliminating all vulnerabilities. • usage by similar organizations. • certification from a third party.
minimizing operational impacts.
All risk management activities are PRIMARILY designed to reduce impacts to: • a level defined by the security manager. • an acceptable level based on organizational risk tolerance. • a minimum level consistent with regulatory requirements. • the minimum level possible.
an acceptable level based on organizational risk tolerance.
After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks? • Information security officer • Chief information officer (CIO) • Business owner • Chief executive officer (CEO)
Business owner
The purpose of a corrective control is to: • reduce adverse events. • indicate compromise. • mitigate impact. • ensure compliance.
mitigate impact.
Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system? • Performing a business impact analysis (BIA) • Considering personal information devices as part of the security policy • Initiating IT security training and familiarization • Basing the information security infrastructure on risk assessment
Basing the information security infrastructure on risk assessment
Previously accepted risk should be: • re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions. • accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable. • avoided next time since risk avoidance provides the best protection to the company. • removed from the risk log once it is accepted.
re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions.
An information security manager is advised by contacts in law enforcement that there is evidence that his/her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to: • perform a comprehensive assessment of the organization’s exposure to the hacker’s techniques. • initiate awareness training to counter social engineering. • immediately advise senior management of the elevated risk. • increase monitoring activities to provide early detection of intrusion.
immediately advise senior management of the elevated risk.
Which of the following steps should be performed FIRST in the risk assessment process? • Staff interviews • Threat identification • Asset identification and valuation • Determination of the likelihood of identified risks
Asset identification and valuation
Which of the following authentication methods prevents authentication replay? • Password hash implementation • Challenge/response mechanism • Wired Equivalent Privacy (WEP) encryption usage • HTTP Basic Authentication
Challenge/response mechanism
An organization has a process in place that involves the use of a vendor. A risk assessment was completed during the development of the process. A year after the implementation a monetary decision has been made to use a different vendor. What, if anything, should occur? • Nothing, since a risk assessment was completed during development. • A vulnerability assessment should be conducted. • A new risk assessment should be performed. • The new vendor’s SAS 70 type II report should be reviewed.
A new risk assessment should be performed.