CISM Practice C Topic 2

Question 1

A risk mitigation report would include recommendations for:

Answer 1

acceptance

Question 2

A risk management program should reduce risk to:

Answer 2

an acceptable level.

Question 3

The MOST important reason for conducting periodic risk assessments is because:

Answer 3

security risks are subject to frequent change.

Question 4

Which of the following BEST indicates a successful risk management practice?

Answer 4

Residual risk is minimized

Question 5

Which of the following would generally have the GREATEST negative impact on an organization?

Answer 5

Loss of customer confidence

Question 6

A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures?

Answer 6

Risk analysis results

Question 7

Which of the following will BEST protect an organization from internal security attacks?

Answer 7

Prospective employee background checks

Question 8

For risk management purposes, the value of an asset should be based on:

Answer 8

replacement cost.

Question 9

In a business impact analysis, the value of an information system should be based on the overall cost:

Answer 9

if unavailable.

Question 10

Acceptable risk is achieved when:

Answer 10

residual risk is minimized.

Question 11

The value of information assets is BEST determined by:

Answer 11

individual business managers.

Question 12

During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?

Answer 12

Feasibility

Question 13

The MOST effective way to incorporate risk management practices into existing production systems is through:

Answer 13

change management.

Question 14

Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)?

Answer 14

Business impact analysis

Question 15

The recovery time objective (RTO) is reached at which of the following milestones?

Answer 15

Restoration of the system

Question 16

Which of the following results from the risk assessment process would BEST assist risk management decision making?

Answer 16

Residual risk

Question 17

The decision on whether new risks should fall under periodic or event-driven reporting should be based on which of the following?

Answer 17

Visibility of impact

Question 18

Risk acceptance is a component of which of the following?

Answer 18

Mitigation

Question 19

Risk management programs are designed to reduce risk to:

Answer 19

a level that the organization is willing to accept.

Question 20

A risk assessment should be conducted:

Answer 20

annually or whenever there is a significant change.

Question 21

The MOST important function of a risk management program is to:

Answer 21

minimize residual risk.

Question 22

Which of the following risks would BEST be assessed using qualitative risk assessment techniques?

Answer 22

Permanent decline in customer confidence

Question 23

Which of the following will BEST prevent external security attacks?

Answer 23

Network address translation

Question 24

In performing a risk assessment on the impact of losing a server, the value of the server should be calculated using the:

Answer 24

cost to obtain a replacement.

Question 25

A business impact analysis (BIA) is the BEST tool for calculating:

Answer 25

priority of restoration.

Question 26

When residual risk is minimized:

Answer 26

acceptable risk is probable.

Question 27

Quantitative risk analysis is MOST appropriate when assessment data:

Answer 27

contain percentage estimates.

Question 28

Which of the following is the MOST appropriate use of gap analysis?

Answer 28

Measuring current state vs. desired future state

Question 29

Identification and prioritization of business risk enables project managers to:

Answer 29

address areas with most significance.

Question 30

A risk analysis should:

Answer 30

address the potential size and likelihood of loss.

Question 31

The recovery point objective (RPO) requires which of the following?

Answer 31

Before-image restoration

Question 32

Based on the information provided, which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations?nt is not performed

Answer 32

Change management procedures are poor

Question 33

Which of the following BEST describes the scope of risk analysis?

Answer 33

Organizational activities

Question 34

The decision as to whether a risk has been reduced to an acceptable level should be determined by:

Answer 34

organizational requirements.

Question 35

Which of the following is the PRIMARY reason for implementing a risk management program?

Answer 35

Is a necessary part of management’s due diligence

Question 36

Which of the following groups would be in the BEST position to perform a risk analysis for a business?

Answer 36

Process owners

Question 37

A successful risk management program should lead to:

Answer 37

optimization of risk reduction efforts against cost.

Question 38

Which of the following risks would BEST be assessed using quantitative risk assessment techniques?

Answer 38

An electrical power outage

Question 39

The impact of losing frame relay network connectivity for 18-24 hours should be calculated using the:

Answer 39

financial losses incurred by affected business units.

Question 40

Which of the following is the MOST usable deliverable of an information security risk analysis?

Answer 40

List of action items to mitigate risk

Question 41

Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following?

Answer 41

Heat charts

Question 42

Who would be in the BEST position to determine the recovery point objective (RPO) for business applications?

Answer 42

Chief operations officer (COO)

Question 43

Which two components PRIMARILY must be assessed in an effective risk analysis?

Answer 43

Likelihood and impact

Question 44

Information security managers should use risk assessment techniques to:

Answer 44

justify selection of risk mitigation strategies.

Question 45

In assessing risk, it is MOST essential to:

Answer 45

consider both monetary value and likelihood of loss.

Question 46

When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify:

Answer 46

data owners who may be impacted.

Question 47

Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas?

Answer 47

Entitlement changes

Question 48

The PRIMARY goal of a corporate risk management program is to ensure that an organization’s:

Answer 48

stated objectives are achievable.

Question 49

It is important to classify and determine relative sensitivity of assets to ensure that:

Answer 49

countermeasures are proportional to risk.

Question 50

The service level agreement (SLA) for an outsourced IT function does not reflect an adequate level of protection. In this situation an information security manager should:

Answer 50

determine the current level of security.

Question 51

An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the:

Answer 51

vulnerability.

Question 52

When performing a quantitative risk analysis, which of the following is MOST important to estimate the potential loss?

Answer 52

Calculate the value of the information or asset

Question 53

Before conducting a formal risk assessment of an organization’s information resources, an information security manager should FIRST:

Answer 53

map the major threats to business objectives.

Question 54

The valuation of IT assets should be performed by:

Answer 54

the information owner

Question 55

The PRIMARY objective of a risk management program is to:

Answer 55

minimize residual risk.

Question 56

After completing a full IT risk assessment, who can BEST decide which mitigating controls should be implemented?

Answer 56

Business manager

Question 57

When performing an information risk analysis, an information security manager should FIRST:

Answer 57

take an asset inventory.

Question 58

The PRIMARY benefit of performing an information asset classification is to:

Answer 58

identify controls commensurate to risk.

Question 59

Which of the following is MOST essential for a risk management program to be effective?

Answer 59

New risks detection

Question 60

Which of the following attacks is BEST mitigated by utilizing strong passwords?

Answer 60

Brute force attack

Question 61

Phishing is BEST mitigated by which of the following?

Answer 61

User awareness

Question 62

The security responsibility of data custodians in an organization will include:

Answer 62

ensuring security measures are consistent with policy.

Question 63

A security risk assessment exercise should be repeated at regular intervals because:

Answer 63

business threats are constantly changing.

Question 64

Which of the following steps in conducting a risk assessment should be performed FIRST?

Answer 64

Identity business assets

Question 65

The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:

Answer 65

periodically testing the incident response plans.

Question 66

Which of the following risks is represented in the risk appetite of an organization?

Answer 66

Residual

Question 67

Which of the following would a security manager establish to determine the target for restoration of normal processing?

Answer 67

Recovery time objective (RTO)

Question 68

A risk management program would be expected to:

Answer 68

maintain residual risk at an acceptable level.

Question 69

Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?

Answer 69

Feasibility

Question 70

Which of the following would help management determine the resources needed to mitigate a risk to the organization?

Answer 70

Business impact analysis (BIA)

Question 71

A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that:

Answer 71

the cost of countermeasure outweighs the value of the asset and potential loss.

Question 72

Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?

Answer 72

Percent of control objectives accomplished

Question 73

Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a large, multinational enterprise?

Answer 73

Previous financial results

Question 74

The PRIMARY purpose of using risk analysis within a security program is to:

Answer 74

assess exposures and plan remediation.

Question 75

Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?

Answer 75

Identifying data owners

Question 76

An online banking institution is concerned that the breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to:

Answer 76

mitigate the impact by purchasing insurance.

Question 77

What mechanisms are used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system?

Answer 77

Security gap analyses

Question 78

A common concern with poorly written web applications is that they can allow an attacker to:

Answer 78

inject structured query language (SQL) statements.

Question 79

Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?

Answer 79

Cost versus benefit of additional mitigating controls

Question 80

A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization’s local area network (LAN). What should the security manager do FIRST?

Answer 80

Understand the business requirements of the developer portal

Question 81

A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account?

Answer 81

Create a strong random password

Question 82

Attackers who exploit cross-site scripting vulnerabilities take advantage of:

Answer 82

a lack of proper input validation controls.

Question 83

Which of the following would BEST address the risk of data leakage?

Answer 83

Acceptable use policies

Question 84

A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected?

Answer 84

Data classification policy

Question 85

What is the BEST technique to determine which security controls to implement with a limited budget?

Answer 85

Cost-benefit analysis

Question 86

A company’s mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?A penetration testA security baseline reviewA risk assessmentA business impact analysis (BIA)

Answer 86

A risk assessment

Question 87

Which of the following measures would be MOST effective against insider threats to confidential information?Role-based access controlAudit trail monitoringPrivacy policyDefense-in-depth

Answer 87

Role-based access control

Question 88

Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company’s policies. An information security manager should:•conduct a risk assessment and allow or disallow based on the outcome.•recommend a risk assessment and implementation only if the residual risks are accepted.•recommend against implementation because it violates the company’s policies.•recommend revision of current policy

Answer 88

recommend a risk assessment and implementation only if the residual risks are accepted.

Question 89

After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:•increase its customer awareness efforts in those regions.•implement monitoring techniques to detect and react to potential fraud.•outsource credit card processing to a third party.•make the customer liable for losses if they fail to follow the bank’s advice.

Answer 89

implement monitoring techniques to detect and react to potential fraud.

Question 90

The criticality and sensitivity of information assets is determined on the basis of:threat assessment.vulnerability assessment.resource dependency assessment.impact assessment

Answer 90

impact assessment

Question 91

Which program element should be implemented FIRST in asset classification and control?Risk assessmentClassificationValuationRisk mitigation

Answer 91

Valuation

Question 92

When performing a risk assessment, the MOST important consideration is that:•management supports risk mitigation efforts.•annual loss expectations (ALEs) have been calculated for critical assets.•assets have been identified and appropriately valued.•attack motives, means and opportunities be understood.

Answer 92

assets have been identified and appropriately valued.

Question 93

The MAIN reason why asset classification is important to a successful information security program is because classification determines:the priority and extent of risk mitigation efforts.the amount of insurance needed in case of loss.the appropriate level of protection to the asset.how protection levels compare to peer organizations.

Answer 93

the appropriate level of protection to the asset.

Question 94

The BEST strategy for risk management is to:•achieve a balance between risk and organizational goals.•reduce risk to an acceptable level.•ensure that policy development properly considers organizational risks.•ensure that all unmitigated risks are accepted by management.

Answer 94

reduce risk to an acceptable level.

Question 95

Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data?Disclosure of personal informationSufficient coverage of the insurance policy for accidental lossesIntrinsic value of the data stored on the equipmentReplacement cost of the equipment

Answer 95

Intrinsic value of the data stored on the equipment

Question 96

An organization has to comply with recently published industry regulatory requirements •compliance that potentially has high implementation costs. What should the information security manager do FIRST?Implement a security committee.Perform a gap analysis.Implement compensating controls.Demand immediate compliance.

Answer 96

Perform a gap analysis.

Question 97

Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?Annual loss expectancy (ALE) of incidentsFrequency of incidentsTotal cost of ownership (TCO)Approved budget for the project

Answer 97

Total cost of ownership (TCO)

Question 98

One way to determine control effectiveness is by determining:whether it is preventive, detective or compensatory.the capability of providing notification of failure.the test results of intended objectives.the evaluation and analysis of reliability.

Answer 98

the test results of intended objectives.

Question 99

What does a network vulnerability assessment intend to identify?0-day vulnerabilitiesMalicious software and spywareSecurity design flawsMisconfiguration and missing updates

Answer 99

Misconfiguration and missing updates

Question 100

Who is responsible for ensuring that information is classified?Senior managementSecurity managerData ownerCustodian

Answer 100

Data owner

Question 101

After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be:transferred.treated.accepted.terminated.

Answer 101

accepted.

Question 102

When a significant security breach occurs, what should be reported FIRST to senior management?A summary of the security logs that illustrates the sequence of eventsAn explanation of the incident and corrective action takenAn analysis of the impact of similar attacks at other organizationsA business case for implementing stronger logical access controls

Answer 102

An explanation of the incident and corrective action taken

Question 103

The PRIMARY reason for initiating a policy exception process is when:operations are too busy to comply.the risk is justified by the benefit.policy compliance would be difficult to enforce.users may initially be inconvenienced.

Answer 103

the risk is justified by the benefit.

Question 104

Which of the following would be the MOST relevant factor when defining the information classification policy?Quantity of informationAvailable IT infrastructureBenchmarkingRequirements of data owners

Answer 104

Requirements of data owners

Question 105

To determine the selection of controls required to meet business objectives, an information security manager should:prioritize the use of role-based access controls.focus on key controls.restrict controls to only critical applications.focus on automated controls.

Answer 105

focus on key controls.

Question 106

The MOST appropriate owner of customer data stored in a central database, used only by an organization’s sales department, would be the:sales department.database administrator.chief information officer (CIO).head of the sales department.

Answer 106

head of the sales department.

Question 107

In assessing the degree to which an organization may be affected by new privacy legislation, information security management should FIRST:•develop an operational plan for achieving compliance with the legislation.•identify systems and processes that contain privacy components.•restrict the collection of personal information until compliant.•identify privacy legislation in other countries that may contain similar requirements.

Answer 107

identify systems and processes that contain privacy components.

Question 108

Risk assessment is MOST effective when performed:•at the beginning of security program development.•on a continuous basis.•while developing the business case for the security program.•during the business change process.

Answer 108

on a continuous basis.

Question 109

Which of the following is the MAIN reason for performing risk assessment on a continuous basis?Justification of the security budget must be continually made.New vulnerabilities are discovered every day.The risk environment is constantly changing.Management needs to be continually informed about emerging risks.

Answer 109

The risk environment is constantly changing.

Question 110

There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?Identify the vulnerable systems and apply compensating controlsMinimize the use of vulnerable systemsCommunicate the vulnerability to system usersUpdate the signatures database of the intrusion detection system (IDS)

Answer 110

Identify the vulnerable systems and apply compensating controls

Question 111

Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?Business impact analysis (BIA)Penetration testingAudit and reviewThreat analysis

Answer 111

Penetration testing

Question 112

Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?Countermeasure cost-benefit analysisPenetration testingFrequent risk assessment programsAnnual loss expectancy (ALE) calculation

Answer 112

Countermeasure cost-benefit analysis

Question 113

An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:eliminating the risk.transferring the risk.mitigating the risk.accepting the risk.

Answer 113

mitigating the risk.

Question 114

Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?ManagerCustodianUserOwner

Answer 114

Owner

Question 115

The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for:•determining the scope for inclusion in an information security program.•defining the level of access controls.•justifying costs for information resources.•determining the overall budget of an information security program.

Answer 115

defining the level of access controls.

Question 116

An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs?Key performance indicators (KPIs)Business impact analysis (BIA)Gap analysisTechnical vulnerability assessment

Answer 116

Gap analysis

Question 117

When performing a qualitative risk analysis, which of the following will BEST produce reliable results?Estimated productivity lossesPossible scenarios with threats and impactsValue of information assetsVulnerability assessment

Answer 117

Possible scenarios with threats and impacts

Question 118

Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?User assessments of changesComparison of the program results with industry standardsAssignment of risk within the organizationParticipation by all members of the organization

Answer 118

Participation by all members of the organization

Question 119

The MOST effective use of a risk register is to:•identify risks and assign roles and responsibilities for mitigation.•identify threats and probabilities.•facilitate a thorough review of all IT-related risks on a periodic basis.•record the annualized financial amount of expected losses due to risks.

Answer 119

facilitate a thorough review of all IT-related risks on a periodic basis.

Question 120

After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program?Define security metricsConduct a risk assessmentPerform a gap analysisProcure security tools

Answer 120

Conduct a risk assessment

Question 121

Which of the following are the essential ingredients of a business impact analysis (BIA)?Downtime tolerance, resources and criticalityCost of business outages in a year as a factor of the security budgetBusiness continuity testing methodology being deployedStructure of the crisis management team

Answer 121

Downtime tolerance, resources and criticality

Question 122

A risk management approach to information protection is:•managing risks to an acceptable level, commensurate with goals and objectives.•accepting the security posture provided by commercial security products.•implementing a training program to educate individuals on information protection and risks.•managing risk tools to ensure that they assess all information protection vulnerabilities.

Answer 122

managing risks to an acceptable level, commensurate with goals and objectives.

Question 123

Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level?Implement countermeasures.Eliminate the risk.Transfer the risk.Accept the risk.

Answer 123

Transfer the risk.

Question 124

To ensure that payroll systems continue on in an event of a hurricane hitting a data center, what would be the FIRST crucial step an information security manager would take in ensuring business continuity planning?Conducting a qualitative and quantitative risk analysis.Assigning value to the assets.Weighing the cost of implementing the plan vs. financial loss.Conducting a business impact analysis (BIA).

Answer 124

Conducting a business impact analysis (BIA).

Question 125

An information security organization should PRIMARILY:•support the business objectives of the company by providing security-related support services.•be responsible for setting up and documenting the information security responsibilities of the information security team members.•ensure that the information security policies of the company are in line with global best practices and standards.•ensure that the information security expectations are conveyed to employees.

Answer 125

support the business objectives of the company by providing security-related support services.

Question 126

When implementing security controls, an information security manager must PRIMARILY focus on:minimizing operational impacts.eliminating all vulnerabilities.usage by similar organizations.certification from a third party.

Answer 126

minimizing operational impacts.

Question 127

All risk management activities are PRIMARILY designed to reduce impacts to:•a level defined by the security manager.•an acceptable level based on organizational risk tolerance.•a minimum level consistent with regulatory requirements.•the minimum level possible.

Answer 127

an acceptable level based on organizational risk tolerance.

Question 128

After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?Information security officerChief information officer (CIO)Business ownerChief executive officer (CEO)

Answer 128

Business owner

Question 129

The purpose of a corrective control is to:reduce adverse events.indicate compromise.mitigate impact.ensure compliance.

Answer 129

mitigate impact.

Question 130

Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?Performing a business impact analysis (BIA)Considering personal information devices as part of the security policyInitiating IT security training and familiarizationBasing the information security infrastructure on risk assessment

Answer 130

Basing the information security infrastructure on risk assessment

Question 131

Previously accepted risk should be:•re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions.•accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable.•avoided next time since risk avoidance provides the best protection to the company.•removed from the risk log once it is accepted.

Answer 131

re-assessed periodically since the risk can be escalated to an unacceptable level due to revised

Question 132

An information security manager is advised by contacts in law enforcement that there is evidence that his/ her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:•perform a comprehensive assessment of the organization’s exposure to the hacker’s techniques.•initiate awareness training to counter social engineering.•immediately advise senior management of the elevated risk.•increase monitoring activities to provide early detection of intrusion.

Answer 132

immediately advise senior management of the elevated risk.

Question 133

Which of the following steps should be performed FIRST in the risk assessment process?Staff interviewsThreat identificationAsset identification and valuationDetermination of the likelihood of identified risks

Answer 133

Asset identification and valuation

Question 134

Which of the following authentication methods prevents authentication replay?Password hash implementationChallenge/response mechanismWired Equivalent Privacy (WEP) encryption usageHTTP Basic Authentication

Answer 134

Challenge/response mechanism

Question 135

An organization has a process in place that involves the use of a vendor. A risk assessment was completed during the development of the process. A year after the implementation a monetary decision has been made to use a different vendor. What, if anything, should occur? Nothing, since a risk assessment was completed during development.A vulnerability assessment should be conducted.A new risk assessment should be performed.The new vendor’s SAS 70 type II report should be reviewed.

Answer 135

A new risk assessment should be performed.