CISM Final Assessment 2

Which of the following is an information security manager’s MOST important consideration when exploring the use of a third-party provider to handle an IT function?

The provider carries cyber insurance to cover security breaches.
The provider agrees to provide historical security incident data.
The provider’s security processes align with the organization’s.
The provider has undergone an independent security review.

Which of the following MUST be defined in order for an information security manager to evaluate the appropriateness of controls currently in place?

Security policy
Risk management framework
Security standards
Risk appetite

When an organization decides to accept a risk, it should mean the cost to mitigate:

exceeds budget allocation.
is higher than the cost to transfer risk.
is less than the residual risk.
is greater than the residual risk.

Which of the following is the MOST important reason to conduct interviews as part of the business impact analysis (BIA) process?

To facilitate a qualitative risk assessment following the BIA
To obtain input from as many relevant stakeholders as possible
To ensure the stakeholders providing input own the related risk
To increase awareness of information security among key stakeholders

Due to changes in an organization’s environment, security controls may no longer be adequate. What is the information security manager’s BEST course of action?

Perform a new risk assessment.
Review the previous risk assessment and countermeasures.
Transfer the new risk to a third party.
Evaluate countermeasures to mitigate new risks.

What is the PRIMARY benefit to an organization when information security program requirements are aligned with employment and staffing processes?

Access is granted based on task requirements.
Information assets are classified appropriately.
Security staff turnover is reduced.
Security incident reporting procedures are followed.

When developing an asset classification program, which of the following steps should be completed FIRST?

Implement a data loss prevention (DLP) system.
Categorize each asset.
Create a business case for a digital rights management tool.
Create an inventory.

Which of the following is the PRIMARY reason to monitor key risk indicators (KRIs) related to information security?

To alert on unacceptable risk
To identity residual risk
To reassess risk appetite
To benchmark control performance

Which of the following is the BEST indicator of an emerging incident?

A weakness identified within an organization's information systems
Attempted patching of systems resulting in errors
Customer complaints about lack of website availability
A recent security incident at an industry competitor

An organization has discovered a recurring problem with unsecure code being released into production. Which of the following is the information security manager action?

Implement segregation of duties between development and production.
Increase the frequency of penetration testing.
Review existing configuration management processes.
Review existing change management processes.

When developing a categorization method for security incidents, the categories MUST:

be created by the incident hander.
align with reporting requirements.
have agreed-upon definitions.
align with industry standards.

Which of the following is MOST likely to be impacted when emerging technologies are introduced to an organization?

Risk profile
Security policies
Control effectiveness
Risk assessment approach

An organization’s main product is a customer-facing application delivered using Software as a Service (SaaS). The lead security engineer has just identified a major security vulnerability at the primary cloud provider. Within the organization, who is PRIMARILY accountable for the associated risk?

The data owner
The information security manager
The security engineer
The application owner

Which of the following is the MOST important criterion when deciding whether to accept residual risk?

Cost of replacing the asset
Annual loss expectancy (ALE)
Cost of additional mitigation
Annual rate of occurrence

An information security manager finds that a soon-to-be deployed online application will increase risk beyond acceptable levels, and necessary controls have not been included. Which of the following is the BEST course of action for the information security manager?

Recommend a different application.
Instruct IT to deploy controls based on urgent business needs.
Solicit bids for compensating control products.
Present a business case for additional controls to senior management.

When developing a business case to justify an information security investment, which of the following would BEST enable an informed decision by senior management?

The information security strategy
Security investment trends in the industry
Losses due to security incidents
The results of a risk assessment

A data-hosting organization’s data center houses servers, applications, and data for a large number of geographically dispersed customers. Which of the following strategies is the BEST approach for developing a physical access control policy for the organization?

Review customers’ security policies.
Design single sign-on (SSO) or federated access.
Develop access control requirements for each system and application.
Conduct a risk assessment to determine security risks and mitigating controls.

Which of the following is a PRIMARY benefit of managed security solutions?

Easier implementation across an organization
Greater ability to focus on core business operations
Wider range of capabilities
Lower cost of operations

Which of the following is an example of risk mitigation?

Improving security controls
Discontinuing the activity associated with the risk
Performing a cost-benefit analysis
Purchasing insurance

Which of the following BEST enables an organization to provide ongoing assurance that legal and regulatory compliance requirements can be met?

Engaging external experts to provide guidance on changes in compliance requirements
Assigning the operations manager accountability for meeting compliance requirements
Embedding compliance requirements within operational processes
Performing periodic audits for compliance with legal and regulatory requirements

Following a successful attack, an information security manager should be confident the malware has not continued to spread at the completion of which incident response phase?

Recovery
Eradication
Identification
Containment

Which of the following is the BEST method to align an information security strategic plan to the corporate strategy?

Ensuring the plan complies with business unit expectations
Involving industry experts in the development of the plan
Involving senior management in the development of the plan
Obtaining adequate funds from senior management

Which of the following would BEST ensure that security is integrated during application development?

Performing application security testing during acceptance testing
Introducing security requirements during the initiation phase
Employing global security standards during development processes
Providing training on secure development practices to programmers

Which of the following is MOST important in increasing the effectiveness of incident responders?

Integrating staff with the IT department
Testing response scenarios
Communicating with the management team
Reviewing the incident response plan annually

Which of the following should be the PRIMARY objective of the information security incident response process?

Classifying incidents
Conducting incident triage
Communicating with internal and external parties
Minimizing negative impact to critical operations

An incident response team has been assembled from a group of experienced individuals. Which type of exercise would be MOST beneficial for the team at the first drill?

Tabletop exercise
Red team exercise
Disaster recovery exercise
Black box penetration test

In violation of a policy prohibiting the use of cameras at the office, employees have been issued smartphones and tablet computers with enabled web cameras. Which of the following should be the information security manager’s FIRST course of action?

Revise the policy.
Conduct a risk assessment.
Communicate the acceptable use policy.
Perform a root cause analysis.

When performing a business impact analysis (BIA), who should calculate the recovery time and cost estimates?

Business process owner
Business continuity coordinator
Information security manager
Senior management

A PRIMARY purpose of creating security policies is to:

implement management's security governance strategy.
establish the way security tasks should be executed.
communicate management's security expectations.
define allowable security boundaries.

The MAIN benefit of implementing a data loss prevention (DLP) solution is to:

enhance the organization's antivirus controls.
reduce the need for a security awareness program.
complement the organization's detective controls.
eliminate the risk of data loss.

Which of the following is the MOST important detail to capture in an organization’s risk register?

Risk acceptance criteria
Risk severity level
Risk ownership
Risk appetite

Which of the following is the GREATEST benefit of information asset classification?

Supporting segregation of duties
Defining resource ownership
Providing a basis for implementing a need-to-know policy
Helping to determine the recovery point objective (RPO)

While classifying information assets, an information security manager notices that several production databases do not have owners assigned to them. What the information security manager address this situation?

Assign the highest classification level to those databases.
Assign responsibility to the database administrator (DBA).
Prepare a report of the databases for senior management.
Review the databases for sensitive content.

An organization’s research department plans to apply machine learning algorithms on a large data set containing customer names and purchase history. The risk leakage is considered high impact. Which of the following is the BEST risk treatment option in this situation?

Accept the risk, as the benefits exceed the potential consequences.
Mitigate the risk by applying anonymization on the data set.
Transfer the risk by purchasing insurance.
Mitigate the risk by encrypting the customer names in the data set.

IT projects have gone over budget with too many security controls being added post-production. Which of the following would MOST help to ensure that relevant to a project?

Involving information security at each stage of project management
Creating a data classification framework and providing it to stakeholders
Identifying responsibilities during the project business case analysis
Providing stakeholders with minimum information security requirements

Which of the following is the BEST approach to reduce unnecessary duplication of compliance activities?

Integration of assurance efforts
Automation of controls
Documentation of control procedures
Standardization of compliance requirements

Which of the following BEST helps to ensure a risk response plan will be developed and executed in a timely manner?

Establishing risk metrics
Training on risk management procedures
Reporting on documented deficiencies
Assigning a risk owner

An information security manager learns that IT personnel are not adhering to the information security policy because it creates process inefficiencies. What should the information security manager do FIRST?

Propose that IT update information security policies and procedures.
Request that internal audit conduct a review of the policy development process.
Conduct user awareness training within the IT function.
Determine the risk related to noncompliance with the policy.

Which of the following is MOST important to include in a report to key stakeholders regarding the effectiveness of an information security program?

Security incident details
Security metrics
Security risk exposure
Security baselines

An organization is increasingly using Software as a Service (SaaS) to replace in-house hosting and support of IT applications. Which of the following would be the MOST effective way to help ensure procurement decisions consider information security concerns?

Integrate information security risk assessments into the procurement process.
Invite IT members into regular procurement team meetings to influence best practice.
Enforce the right to audit in procurement contracts with SaaS vendors.
Provide regular information security training to the procurement team.

Which of the following should be the KEY consideration when creating an information security communication plan with industry peers?

Reducing the costs associated with information sharing by automating the process
Balancing the benefits of information sharing with the drawbacks of sharing sensitive information
Notifying the legal department whenever incident-related information is shared
Ensuring information is detailed enough to be of use to other organizations

Which of the following is MOST effective for communicating forward-looking trends within security reporting?

Key risk indicators (KRIs)
Key performance indicators (KPIs)
Key control indicators (KCIs)
Key goal indicators (KGIs)

An organization recently purchased data loss prevention (DLP) software but soon discovered the software fails to detect or prevent data loss.

Which of the following should the information security manager do FIRST?

Revise the data classification policy.
Review the contract.
Review the configuration
Implement stricter data loss controls.

Network isolation techniques are immediately implemented after a security breach to.

allow time for key stakeholder decision making.
reduce the extent of further damage
enforce zero trust architecture principles.
preserve evidence as required for forensics.

Which of the following incident response phases involves actions to help safeguard critical systems while maintaining business operations?

Containment
Identification
Preparation
Recovery

An organization has received complaints from users that some of their files have been encrypted. These users are receiving demands for money to decrypt the files. Which of the following would be the BEST course of action?

Isolate the affected systems.
Conduct an impact assessment.
Initiate incident response.
Rebuild the affected systems.

Which of the following has the GREATEST positive impact on the ability to execute a disaster recovery plan (DRP)?

Updating the plan periodically
Conducting a walk-through of the plan
Storing the plan at an offsite location
Communicating the plan to all stakeholders.

Which of the following is MOST important to include in monthly information security reports to the board?

Root cause analysis of security incidents
Threat intelligence
Risk assessment results
Trend analysis of security metrics

Which of the following activities is designed to handle a control failure that leads to a breach?

Vulnerability management
Incident management
Root cause analysis
Risk assessment

Which of the following is MOST important to consider when aligning a security awareness program with the organization’s business strategy?

Processes and technology
People and culture
Regulations and standards
Executive and board directives

Which of the following BEST indicates that information assets are classified accurately?

An accurate and complete information asset catalog
Appropriate assignment of information asset owners
Appropriate prioritization of information risk treatment
Increased compliance with information security policy

Reevaluation of risk is MOST critical when there is:

a management request for updated security reports.
resistance to the implementation of mitigating controls.
a change in the threat landscape.
a change in security policy.

Which of the following BEST supports investments in an information security program?

Business impact analysis (BIA)
Risk assessment results
Gap analysis results
Business cases

Which of the following is MOST important to ensure when developing escalation procedures for an incident response plan?

Minimum regulatory requirements are maintained.
The contact list regularly updated.
Each process is assigned to a responsible party
Senior management approval has been documented.

Which of the following is the PRIMARY benefit of implementing a vulnerability assessment process?

Compliance status is improved.
Threat management is enhanced.
Security metrics are enhanced.
Proactive risk management is facilitated.

An organization is implementing an information security governance framework. To communicate the program’s effectiveness to stakeholders, it is MOST important to establish:

a control self-assessment (CSA) process.
metrics for each milestone.
automated reporting to stakeholders.
a monitoring process for the security policy.

Which of the following would be the MOST effective way to present quarterly reports to the board on the status of the information security program?

Detailed analysis of security program KPIs
An information security risk register
An information security dashboard
A capability and maturity assessment

Which of the following is the BEST way to obtain support for a new organization-wide information security program?

Deliver an information security awareness campaign.
Publish an information security RACI chart.
Benchmark against similar industry organizations.
Establish an information security strategy committee

To confirm that a third-party provider complies with an organization’s information security requirements, it is MOST important to ensure:

contract clauses comply with the organization's information security policy.
security metrics are included in the service level agreement (SLA).
the information security policy of the third-party service provider is reviewed.
right to audit is included in the service level agreement (SLA).

Which of the following BEST enables an organization to transform its culture to support information security?

Strong management support
Robust technical security controls
Periodic compliance audits
Incentives for security incident reporting

An organization is close to going live with the implementation of a cloud-based application. Independent penetration test results have been received that show a high-rated vulnerability. Which of the following would be the BEST way to proceed?

Postpone the implementation until the vulnerability has been fixed.
Commission further penetration tests to validate initial test results.
Assess whether the vulnerability is within the organization's risk tolerance levels.
Implement the application and request the cloud service provider to fix the vulnerability.

Which of the following is the BEST way to achieve compliance with new global regulations related to the protection of personal information?

Review contracts and statements of work (SOWs) with vendors.
Determine current and desired state of controls.
Execute a risk treatment plan.
Implement data regionalization controls.

Which of the following should be given the HIGHEST priority during an information security post-incident review?

Evaluating incident response effectiveness
Documenting actions taken in sufficient detail
Evaluating the performance of incident response team members
Updating key risk indicators (KRIs)

Which of the following is the BEST course of action when an online company discovers a network attack in progress?

Shut off all network access points.
Isolate the affected network segment.
Dump all event logs to removable media.
Enable trace logging on all events.

Which of the following is the BEST reason for an organization to use Disaster Recovery as a Service (DRaaS)?

It transfers the risk associated with recovery to a third party
It eliminates the need for the business to perform testing.
It eliminates the need to maintain offsite facilities.
It lowers the annual cost to the business.

When properly implemented, secure transmission protocols protect transactions:

from eavesdropping
in the server's database.
from denial of service (DoS) attacks.
on the client desktop.

An organization is in the process of acquiring a new company. Which of the following would be the BEST approach to determine how to protect newly acquired data assets prior to integration?

Review data architecture.
Include security requirements in the contract.
Perform a risk assessment.
Assess security controls.

The PRIMARY objective of a post-incident review of an information security incident is to:

minimize impact.
determine the impact.
prevent recurrence.
update the risk profile.

The MOST appropriate time to conduct a disaster recovery test would be after:

the security risk profile has been reviewed.
major business processes have been redesigned.
the business continuity plan (BCP) has been updated.
noncompliance incidents have been filed.

Which of the following methods is the BEST way to demonstrate that an information security program provides appropriate coverage?

Gap assessment
Vulnerability scan report
Maturity assessment
Security risk analysis

Which of the following is an information security manager’s MOST important course of action when responding to a major security incident that could disrupt the business?

Notify law enforcement.
Contact forensic investigators.
Follow the escalation process.
Identify the indicators of compromise.

An information security manager determines there are a significant number of exceptions to a newly released industry-required security standard. Which of the following should be done NEXT?

Document risk acceptances.
Conduct an information security audit.
Assess the consequences of noncompliance.
Revise the organization's security policy.

Which of the following BEST facilitates effective incident response testing?

Including all business units in testing
Testing after major business changes
Simulating realistic test scenarios
Reviewing test results quarterly

Which of the following is the BEST indication of effective information security governance?

Information security is considered the responsibility of the entire information security team.
Information security is integrated into corporate governance.
Information security governance is based on an external security framework.
Information security controls are assigned to risk owners.

The information security manager has been notified of a new vulnerability that affects key data processing systems within the organization. Which of the following should be done FIRST?

Re-evaluate the risk
Ask the business owner for the new remediation plan.
Inform senior management.
Implement compensating controls.

Which of the following is the BEST way to assess the risk associated with using a Software as a Service (SaaS) vendor?

Require vendors to complete information security questionnaires.
Request customer references from the vendor.
Verify that information security requirements are included in the contract.
Review the results of the vendor's independent control reports.

Security administration efforts will be greatly reduced following the deployment of which of the following techniques?

Access control lists
Distributed access control
Discretionary access control
Role-based access control

Which of the following would be the BEST way for an information security manager to improve the effectiveness of an organization’s information security program?

Focus on addressing conflicts between security and performance.
Obtain assistance from IT to implement automated security controls.
Include information security requirements in the change control process.
Collaborate with business and IT functions in determining controls.

Which of the following should an information security manager do FIRST upon learning of noncompliance with an impending information security regulatory change?

Conduct a business impact and vulnerability analysis.
Report the noncompliance to senior management.
Assess the risk and cost of noncompliance.
Assess the risk and cost of noncompliance.

Which of the following is MOST critical when creating an incident response plan?

Identifying what constitutes an incident
Identifying vulnerable data assets
Documenting incident notification and escalation processes
Aligning with the risk assessment process

Which of the following would BEST help to ensure appropriate security controls are built into software?

Integrating security throughout the development process
Performing security testing prior to deployment
Providing standards for implementation during development activities
Providing security training to the software development team

Which of the following will BEST facilitate the integration of information security governance into enterprise governance?

Implementing an information security awareness program
Documenting the information security governance framework
Developing an information security policy based on risk assessments
Establishing an information security steering committee

Which of the following should an information security manager do FIRST when noncompliance with security standards is identified?

Validate the noncompliance
Include the noncompliance in the risk register
Report the noncompliance to senior management
Implement compensating controls to mitigate the noncompliance

Which of the following should be considered FIRST when recovering a compromised system that needs a complete rebuild?

Network system logs
Intrusion detection system (IDS) logs
Patch management files
Configuration management files

When deciding to move to a cloud-based model, the FIRST consideration should be:

data classification
physical location of the data
storage in a shared environment
availability of the data

Which of the following is the PRIMARY objective of incident triage?

Containment of threats
Coordination of communications
Categorization of events
Mitigation of vulnerabilities

Who is accountable for ensuring risk mitigation is effective?

Application owner
Business owner
Risk owner
Control owner

Which of the following BEST enables an information security manager to obtain organizational support for the implementation of security controls?

Conducting periodic vulnerability assessments
Defining the organization's risk management framework
Communicating business impact analysis (BIA) results
Establishing effective stakeholder relationships

To support effective risk decision making, which of the following is MOST important to have in place?

An audit committee consisting of mid-level management
Risk reporting procedures
Well-defined and approved controls
Established risk domains

Which of the following parties should be responsible for determining access levels to an application that processes client information?

The identity and access management team
The business client
The information security team
Business unit management

What should be an information security manager’s MOST important consideration when developing a multi-year plan?

Ensuring contingency plans are in place for potential information security risks
Ensuring alignment with the plans of other business units
Demonstrating projected budget increases year after year
Allowing the information security program to expand its capabilities

When performing a business impact analysis (BIA), who should be responsible for determining the initial recovery time objective (RTO)?

Information security manager
External consultant
Business continuity coordinator
Information owner

Which of the following will ensure confidentiality of content when accessing an email system over the Internet?

Digital encryption
Multi-factor authentication
Digital signatures
Data masking

Who is BEST suited to determine how the information in a database should be classified?

Information security analyst
Database analyst
Database administrator (DBA)
Data owner

Which of the following is an incident containment method?

Reviewing system logs and audit trails
Removing compromised systems from the network
Analyzing systems for impact from the incident
Mapping the scope of the incident on the network

A CISO learns that a third-party service provider did not notify the organization of a data breach that affected the service provider’s data center. Which of the following should the CISO do FIRST?

Determine the extent of the impact to the organization.
Request an independent review of the provider's data center.
Notify affected customers of the data breach.
Recommend canceling the outsourcing contract.

Which of the following is MOST important to include in an incident response plan to ensure incidents are responded to by the appropriate individuals?

Skills required for the incident response team
A detailed incident notification process
A list of external resources to assist with incidents
Service level agreements (SLAs)

Which of the following is the PRIMARY role of an information security manager in a software development project?

To identify software security weaknesses
To identify noncompliance in the early design stage
To assess and approve the security application architecture
To enhance awareness for secure software design

Which of the following MOST effectively identifies issues related to noncompliance with legal, regulatory, and contractual requirements?

Compliance maturity assessment
Compliance benchmarking data
Compliance gap analysis
Independent compliance audit

Which of the following is MOST helpful for fostering an effective information security culture?

Obtaining support from key organizational influencers
Implementing comprehensive technical security controls
Conducting regular information security awareness training
Developing procedures to enforce the information security policy

Which of the following is MOST important to convey to employees in building a security risk-aware culture?

Employee access should be based on the principle of least privilege.
Personal information requires different security controls than sensitive information.
The responsibility for security rests with all employees.
Understanding an information asset's value is critical to risk management.

Which of the following is the PRIMARY objective of integrating information security governance into corporate governance?

To align security goals with the information security program
To ensure the business supports information security goals
To adequately safeguard the business in achieving its mission
To obtain management commitment for sustaining the security program

Which of the following is an information security manager’s MOST important action to mitigate the risk associated with malicious software?

Disabling end-user computer peripheral access ports
Implementing a multi-layered security program
Ensuring antivirus has the latest definition files
Strengthening security patch implementation processes

Which of the following is the PRIMARY reason for granting a security exception?

The risk is justified by the cost to security.
The risk is justified by the benefit to security.
The risk is justified by the benefit to the business.
The risk is justified by the cost to the business.

Which of the following is MOST effective in preventing the introduction of vulnerabilities that may disrupt the availability of a critical business application?

A patch management process
Change management controls
Version control
Logical access controls

An organization is planning to outsource the execution of its disaster recovery activities. Which of the following would be MOST important to include in the outsourcing agreement?

Requirements for regularly testing backups
The disaster recovery communication plan
Recovery time objectives (RTOs)
Definition of when a disaster should be declared

Which type of plan is PRIMARILY intended to reduce the potential impact of security events that may occur?

Incident response plan
Business continuity plan (BCP)
Security awareness plan
Disaster recovery plan (DRP)

Which of the following is the MOST important outcome of strategic alignment of corporate and information security governance?

Implementation of information security controls
Development of a common and comprehensive set of IT security policies
Higher acceptance of information security projects
Reduction of adverse impacts on the organization to an acceptable level

Which of the following is MOST important to have in place as a basis for developing an effective information security program that supports the organization’s business goals?

An information security strategy
A defined security organizational structure
Information security policies
Metrics to drive the information security program

Which of the following BEST enables the integration of information security governance into corporate governance?

Senior management approval of the information security strategy
Clear lines of authority across the organization
An information security steering committee with business representation
Well-documented information security policies and standards

Which of the following contributes MOST to the effectiveness of information security governance?

Properly managed risk
Alignment with technology strategy
Stakeholder commitment
A defined security policy

Which of the following is the BEST approach for addressing noncompliance with security standards?

Maintain a security exceptions process.
Apply additional logging and monitoring to affected assets.
Discontinue affected activities until security requirements can be met.
Develop new security standards.

Which of the following is the BEST method for managing information security compliance of third-party suppliers?

Develop specific information security policies for third parties.
Conduct a vulnerability assessment of the third-party supplier.
Include third-party supplier details in the risk register.
Ensure information security requirements are addressed in the contract.

An organization is in the process of creating an agreement with a cloud provider. Who should determine the third party’s destruction schedule for the organization’s information?

The organization's information security manager
The cloud provider's information security manager
The organization's data owner
The cloud provider's data custodian

Which of the following is the BEST course of action when an organization’s incident response team does not have expertise in forensic analysis?

Contract with external forensic experts.
Develop forensic analysis procedures.
Document the shortcoming.
Acquire forensic analysis tools.

What should be the FIRST step when investigating an employee suspected of inappropriately downloading proprietary information?

Check for a signed nondisclosure agreement (NDA).
Review system access logs.
Conduct a forensic examination of the device.
Discuss the concern with the employee.

Which of the following is MOST critical to ensure that information security incidents are managed properly?

Conducting an incident capability maturity assessment
Testing the incident response plan
Establishing an incident management performance matrix
Assembling the incident response team

The GREATEST challenge when attempting data recovery of a specific file during forensic analysis is when:

high-level disk formatting has been performed.
all files in the directory have been deleted.
the partition table on the disk has been deleted.
the file has been overwritten.

Which of the following is MOST helpful in determining the criticality of an organization’s business functions?

Disaster recovery plan (DRP)
Business continuity plan (BCP)
Security assessment report (SAR)
Business impact analysis (BIA)

The contribution of recovery point objective (RPO) to disaster recovery is to:

eliminate single points of failure.
reduce mean time between failures (MTBF).
define backup strategy.
minimize outage periods.

An information security manager is MOST likely to obtain approval for a new security project when the business case provides evidence of:

threats to the organization.
organizational alignment.
existing control costs.
IT strategy alignment.

Which of the following should be established FIRST when implementing an Information security governance framework?

Security incident management learn
Security policies
Security architecture
Security awareness training program

An information security team is planning a security assessment of an existing vendor. Which of the following approaches is MOST helpful for properly scoping the assessment?

Review the vendor’s security policy.
Review controls listed in the vendor contract.
Focus the review on the infrastructure with the highest risk.
Determine whether the vendor follows the selected security framework rules.

A third-party audit of an organization’s network security has identified several critical risks. Which of the following should the information security manager do NEXT?

Assign risk ownership.
Identify mitigating controls.
Report the findings to senior management.
Prioritize the risks.

Which of the following provides the BEST evidence that a recently established information security program is effective?

The number of reported incidents has increased.
Regular IT balanced scorecards are communicated.
The number of tickets associated with IT incidents have stayed consistent.
Senior management has reported fewer junk emails.

An investigation of a recent security incident determined that the root cause was negligent handling of incident alerts by system administrators. What is the BEST way for the information security manager to address this issue?

Provide incident response training to data owners.
Provide incident response training to data custodians.
Conduct a risk assessment and share the results with senior management.
Revise the incident response plan to align with business processes.

An organization is the victim or a targeted attack and is unaware of the compromise until a security analyst notices an additional user account on the firewall. The implementation of which of the following would have detected the incident?

Web-application firewall
Security information and event management (SIEM)
Data leakage prevention (DLP)
Network access control

Of the following, who is accountable for data loss in the event of an information security incident at a third-party provider?

The information security manager
The service provider that hosts the data
The incident response team
The business data owner

Which of the following BEST minimizes information security risk in deploying applications to the production environment?

Conducting penetration testing post implementation
Having a well-defined change process
Verifying security during the testing process
Integrating security controls in each phase of the life cycle

Which of the following would BEST guide the development and maintenance of an information security program?

A business impact assessment
The organization's risk appetite
A comprehensive risk register
An established risk assessment process

Which of the following BEST indicates effective information security governance?

Availability of information security policies
Regular steering committee meetings
Organization-wide attendance at annual security training
Regular testing of the security incident response plan

The MOST useful technique for maintaining management support for the information security program is:

informing management about the security of business operations.
identifying the risks and consequences of failure to comply with standards.
benchmarking the security programs of comparable organizations.
implementing a comprehensive security awareness and training program.

When remote access is granted to a company’s internal network, the MOST important consideration should be that access is provided:

by the use of a remote access server.
if a robust IT infrastructure exists.
subject to legal and regulatory requirements.
on a need-to-know basis subject to controls.

Which of the following should be triggered FIRST when unknown malware has infected an organization’s critical system?

Disaster recovery plan (DRP)
Vulnerability management plan
Incident response plan
Business continuity plan (BCP)

Which of the following is the FIRST step in developing a business impact analysis (BIA)?

Identifying interdependencies among critical functions within the business
Determining the minimum resources needed for recovery
Identifying which business functions are critical to the organization
Determining the required recovery time objective (RTO) of business operations

Which of the following is MOST important when defining how an information security budget should be allocated?

Business impact assessment
Regulatory compliance standards
Information security strategy
Information security policy

A forensic examination of a PC is required, but the PC has been switched off. Which of the following should be done FIRST?

Perform a backup of the computer using the network.
Perform a bit-by-bit backup of the hard disk using a write-blocking device.
Reboot the system using third-party forensic software in the CD-ROM drive.
Perform a backup of the hard drive using backup utilities.

Which of the following should an organization do FIRST when confronted with the transfer of personal data across borders?

Define policies and standards for data processing.
Implement applicable privacy principles.
Research cyber insurance policies.
Assess local or regional regulation.

Which of the following BEST enables an organization to measure the total time that operations can be sustained at an alternative site designated in the business continuity plan (BCP)?

Recovery point objective (RPO)
Allowable interruption window (AIW)
Maximum tolerable outage (MTO)
Recovery time objective (RTO)

Which of the following has the GREATEST influence on the successful integration of information security within the business?

Organizational structure and culture
Risk tolerance and organizational objectives
Information security personnel
The desired state of the organization

Which of the following is the MOST important consideration to support potential legal action when responding to a security incident?

Contacting the appropriate law enforcement agency
Encrypting the documentation being assembled
Maintaining chain-of-custody of evidence
Preparing full forensic system backups

An incident response team has established that an application has been breached. Which of the following should be done NEXT?

Maintain the affected systems in a forensically acceptable state.
Inform senior management of the breach.
Isolate the impacted systems from the rest of the network.
Conduct a risk assessment on the affected application.

A daily monitoring report reveals that an IT employee made a change to a firewall rule outside of the change control process. The information security manager’s FIRST step in addressing the issue should be to:

perform an analysis of the change.
report the event to senior management.
require that the change be reversed.
review the change management process.

Which of the following BEST facilitates the reporting of useful information about the effectiveness of the information security program?

Security benchmark report
Risk heat map
Security metrics dashboard
Key risk indicators (KRIs)

Which of the following BEST mitigates the risk or information loss caused by a cloud service provider becoming insolvent?

Contractual provisions for the right to audit
Effective data loss prevention (DLP) controls
Contractual provisions for data repatriation
The purchasing of cybersecurity insurance

An information security team has been tasked with identifying confidential data within the organization to formalize its asset classification scheme. The MOST relevant input would be provided by:

business process owners.
the legal department.
The chief information officer (CIO).
database administrators (DBAs).

Which of the following is the PRIMARY reason to conduct a post-incident review?

To determine whether digital evidence is admissible
To notify regulatory authorities
To improve the response process
To aid in future risk assessments

Which of the following is the BEST way to protect against unauthorized access to an encrypted file sent via email?

Validating the recipient's identity
Using a digital signature in the email
Utilizing a separate distribution channel for the password
Ensuring a policy exists for encrypting files in transit

The PRIMARY purpose of implementing information security governance metrics is to:

measure alignment with best practices.
refine control operations.
assess operational and program metrics.
guide security towards the desired state.

Which of the following roles is PRIMARILY responsible for developing an information classification framework based on business needs?

Information owner
Information security steering committee
Senior management
Information security manager

CISM Final Assessment 2

Quiz Summary

Information

Results

Results

Categories

1. Question

2. Question

3. Question

4. Question

5. Question

6. Question

7. Question

8. Question

9. Question

10. Question

11. Question

12. Question

13. Question

14. Question

15. Question

16. Question

17. Question

18. Question

19. Question

20. Question

21. Question

22. Question

23. Question

24. Question

25. Question

26. Question

27. Question

28. Question

29. Question

30. Question

31. Question

32. Question

33. Question

34. Question

35. Question

36. Question

37. Question

38. Question

39. Question

40. Question

41. Question

42. Question

43. Question

44. Question

45. Question

46. Question

47. Question

48. Question

49. Question

50. Question

51. Question

52. Question

53. Question

54. Question

55. Question

56. Question

57. Question

58. Question

59. Question

60. Question

61. Question

62. Question

63. Question

64. Question

65. Question

66. Question

67. Question

68. Question

69. Question

70. Question

71. Question

72. Question

73. Question