CISM Final Assessment 4

A situation where an organization has unpatched IT systems in violation of the patching policy should be treated as:

an increased threat profile.
a vulnerability management failure.
an increased risk profile.
a security control failure.

How does data discovery assist with data classification?

It provides assurance of data integrity.
It shows where specific data is stored
It automatically classifies data by keywords.
It helps to identify the data owner.

Which of the following is the MOST effective control to prevent proliferation of shadow IT?

Implement a software allow list.
Conduct periodic vulnerability scanning.
Install a solution to detect unlicensed software.
Conduct software audits.

Which of the following is the MOST important driver when developing an effective information security strategy?

Benchmarking reports
Information security standards
Business requirements
Security audit reports

Which of the following is MOST important for the improvement of a business continuity plan (BCP)?

Implementing an IT resilience solution
Implementing management reviews
Documenting critical business processes
Incorporating lessons learned

Which of the following is MOST important to consider when choosing a shared alternate location for computing facilities?

Incident response team training
The organization's risk tolerance
The organization's mission
Resource availability

A financial institution has identified a high risk of fraud within its credit department. Which of the following information security controls will BEST reduce the risk of fraud?

Mandatory time off
Segregation of duties
Acceptable use policy
Periodic risk assessments

An employee clicked on a malicious link in an email that resulted in compromising company data. What is the BEST way to mitigate this risk in the future?

Assess and update spam filtering rules.
Establish an acceptable use policy.
Implement disciplinary procedures.
Conduct phishing awareness training.

The business value of an information asset is derived from:

its replacement cost.
its criticality.
the threat profile.
the risk assessment.

Which of the following is the BEST indicator of the maturity level of a vendor risk management process?

Number of vendors rejected because of security review results
Percentage of vendors that are regularly reviewed against defined criteria
Percentage of vendors that have gone through the vendor on boarding process
Average time required to complete the vendor risk management process

An international organization with remote branches is implementing a corporate security policy for managing personally identifiable information (PII). Which of the following should be the information security manager’s MAIN concern?

Data backup strategy
Organizational reporting structure
Local regulations
Consistency in awareness programs

Which of the following is the BEST reason for senior management to support a business case for developing a monitoring system for a critical application?

The system can be replicated for additional use cases.
An industry peer experienced a recent breach with a similar application.
The cost of implementing the system is less than the impact of downtime.
The solution is within the organization's risk tolerance.

Which of the following is MOST important when developing an information security governance framework?

Ensuring alignment with the organization's risk management framework
Integrating security within the system development life cycle (SDLC) process
Developing policies and procedures to support the framework
Developing security incident response measures

What should be an information security manager’s GREATEST concern when an HR department outsources data processing to a cloud service provider?

Security posture of the provider
Data loss protection insurance
Required provider service levels
The scope of the data

Which of the following BEST enables the capability of an organization to sustain the delivery of products and services within acceptable time frames and at predefined capacity during a disruption?

Business continuity plan (BCP)
Disaster recovery plan (DRP)
Business impact analysis (BIA)
Service level agreement (SLA)

Which of the following BEST determines an information asset’s classification?

Criticality to a business process
Value of the information asset in the marketplace
Risk assessment from the data owner
Cost of producing the information asset

Which of the following is the PRIMARY objective of a cyber resilience strategy?

Business continuity
Employee awareness
Executive support
Regulatory compliance

Which of the following is the MOST important reason for an organization to communicate to affected parties that a security incident has occurred?

To improve awareness of information security
To disclose the root cause of the incident
To comply with regulations regarding notification
To increase goodwill toward the organization

Which of the following is the BEST indication that an information security control is no longer relevant?

The control is not cost efficient.
The control does not support a specific business function.
IT management does not support the control.
The technology related to the control is obsolete.

Which of the following is the PRIMARY advantage of an organization using Disaster Recovery as a Service (DRaaS) to help manage its disaster recovery program?

It offers the organization flexible deployment options using cloud infrastructure.
It allows the organization to prioritize its core operations.
It is more secure than traditional data backup architecture.
It allows the use of a professional response team at a lower cost.

Which of the following is the MOST important outcome of a post-incident review?

The system affected by the incident is restored to its prior state.
The root cause of the incident is determined.
The person responsible for the incident is identified.
The impact of the incident is reported to senior management.

Which of the following is the BEST indicator of the performance of a security program?

Changes in return on investments (ROIs)
Changes in the maturity level
Changes in budget allocation
Changes in security training attendance

An organization has remediated a security flaw in a system. Which of the following should be done NEXT?

Allocate budget for penetration testing.
Update the system's documentation.
Assess the residual risk.
Share lessons learned with the organization.

Which of the following BEST facilitates the development of a comprehensive information security policy?

Alignment with an established information security framework
Security key performance indicators (KPIs)
A review of recent information security incidents
An established internal audit program

Which of the following is the MOST effective way to demonstrate improvement in security performance?

Report the results of a security control self-assessment (CSA).
Present trends in a validated metrics dashboard.
Provide a summary of security project return on investments (ROIs).
Present vulnerability testing results.

In order to gain organization-wide support for an information security program, which of the following is MOST important to consider?

Corporate risk framework
Corporate culture
Clarity of security roles and responsibilities
Maturity of the security policy

Which of the following is the BEST way to ensure the business continuity plan (BCP) is current?

Manage business process changes.
Update business impact analyses (BIAs) on a regular basis.
Review and update emergency contact lists.
Conduct periodic testing.

Which of the following would be MOST useful when determining the business continuity strategy for a large organization’s data center?

Business impact analysis (BIA)
Incident root cause analysis
Stakeholder feedback analysis
Business continuity risk analysis

The results of a risk assessment for a potential network reconfiguration reveal a high likelihood of sensitive data being compromised. What is the information security manager’s BEST course of action?

Seek an independent opinion to confirm the findings.
Determine alignment with existing regulations.
Report findings to key stakeholders.
Recommend additional network segmentation.

Who should be included in INITIAL discussions regarding a failed security control?

Penetration testers
The service provider
Senior management
The process owner

An organization has implemented a new customer relationship management (CRM) system. Who should be responsible for enforcing authorized and controlled access to the CRM data?

The data custodian
The data owner
Internal IT audit
The information security manager

Which of the following should an information security manager do FIRST upon learning of a new ransomware targeting a particular line of business?

Ensure backups are stored offsite.
Conduct a disaster recovery test and address any gaps.
Assess the potential impact to the organization.
Conduct a vulnerability scan and remediate the findings.

Which of the following should be the PRIMARY objective when establishing a new information security program?

Facilitating operational security
Optimizing resources
Minimizing organizational risk
Executing the security strategy

An organization implemented a number of technical and administrative controls to mitigate risk associated with ransomware. Which of the following is MOST important to present to senior management when reporting on the performance of this initiative?

The number and severity of ransomware incidents
The total cost of the investment
Benchmarks of industry peers impacted by ransomware
The cost and associated risk reduction

Which of the following is the BEST defense against distributed denial of service (DDoS) attacks?

Regular patching
Multiple and redundant paths
Intruder-detection lockout
Well-configured routers and firewalls

Which of the following scenarios would MOST likely require a change to corporate security policies?

New security standards have been implemented.
Employees do not understand or adhere to the policies.
The organization has undergone a merger.
The organization incurs an increased number of security incidents.

While conducting a test of a business continuity plan (BCP), which of the following is the MOST important consideration?

The test involves IT members in the test process.
The test simulates actual prime-time processing conditions.
The test is scheduled to reduce operational impact.
The test addresses the critical components.

When testing an incident response plan for recovery from a ransomware attack, which of the following is MOST important to verify?

An alternative network link is immediately available.
Data backups are recoverable from an offsite location.
Network access requires two-factor authentication.
Digital currency is immediately available.

Which of the following is the GREATEST benefit of incorporating information security governance into the corporate governance framework?

Management accountability for information security
Improved process resiliency in the event of attacks
Promotion of security-by-design principles to the business
Heightened awareness of information security strategies

Which of the following should an information security manager do FIRST when a vulnerability has been disclosed?

Perform a patch update.
Conduct a risk assessment.
Conduct an impact assessment.
Perform a penetration test.

When an organization experiences a disruptive event, the business continuity plan (BCP) should be triggered PRIMARILY based on:

expected duration of outage.
the root cause of the event.
type of security incident.
management direction.

Which of the following controls would BEST help to detect a targeted attack exploiting a zero-day vulnerability?

Intrusion prevention system (IPS)
Vulnerability scanning
Endpoint detection and response (EDR)
Extended detection and response (XDR

Which of the following is the MOST relevant control to address the integrity of information?

Implementation of a redundant server system
Encryption of email
Implementation of an Internet security application
Assignment of appropriate access permissions

What should be the PRIMARY objective of an information classification scheme?

To define data retention requirements
To develop an asset inventory
To meet legislative and regulatory requirements
To implement controls proportionate to risk

Which of the following is MOST important to consider when prioritizing threats during the risk assessment process?

Regulatory requirements on the organization
The severity of exploited vulnerabilities
The threat landscape within the industry
The potential impact on operations

Which of the following would BEST fulfill a board of directors’ request for a concise overview of information security risk facing the business?

Business impact analysis (BIA)
Balanced scorecard
Risk heat map
Risk scenario summary

Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?

To define security roles and responsibilities
To determine the criticality of information assets
To establish incident severity levels
To determine return on investment (ROI)

An organization wants to integrate information security into its HR management processes. Which of the following should be the FIRST step?

Calculate the return on investment (ROI).
Provide security awareness training to HR.
Assess the business objectives of the processes.
Benchmark the processes with best practice to identify gaps.

Following a breach where the risk has been isolated and forensic processes have been performed, which of the following should be done NEXT?

Place the web server in quarantine.
Rebuild the server from the last verified backup.
Shut down the server in an organized manner.
Rebuild the server with relevant patches from the original media.

Which of the following is MOST important for effective cybersecurity incident management?

Early detection and response
Regular tabletop exercises
Root cause analysis
Investigation and forensics

An organization uses a security standard that has undergone a major revision by the certifying authority. The old version of the standard will no longer be used for organizations wishing to maintain their certifications. Which of the following should be the FIRST course of action?

Modify policies to ensure new requirements are covered.
Review the new standard for applicability to the business.
Evaluate the cost of maintaining the certification.
Communicate the new standard to senior leadership.

Which of the following is the MOST appropriate metric to demonstrate the effectiveness of information security controls to senior management?

Number of security vulnerabilities uncovered with network scans
Percentage of servers patched
Downtime due to malware infections
Annualized loss resulting from security incidents

Which of the following is the BEST indication that an organization has integrated information security governance with corporate governance?

Impact is measured according to business loss when assessing IT risk.
Service levels for security vendors are defined according to business needs.
Security policies are reviewed whenever business objectives are changed.
Security performance metrics are measured against business objectives.

The MOST effective way to present information security risk to senior management is to highlight:

business impact.
countermeasures.
threat intelligence.
risk mitigation over time.

Within the confidentiality, integrity, and availability (CIA) triad, which of the following activities BEST supports the concept of confidentiality?

Ensuring encryption for data in transit
Enforcing service level agreements (SLAs)
Utilizing a formal change management process
Ensuring hashing of administrator credentials

Which of the following should be the PRIMARY objective for creating a culture of security within an organization?

To obtain resources for information security initiatives
To reduce risk to acceptable levels
To prioritize security within the organization
To demonstrate control effectiveness to senior management

Which of the following should be updated FIRST when aligning the incident response plan with the corporate strategy?

Security procedures
Disaster recovery plan (DRP)
Incident notification plan
Risk response scenarios

Which of the following is the MOST effective way to ensure the security of services and solutions delivered by third-party vendors?

Review third-party contracts as part of the vendor management process.
Perform an audit on vendors' security controls and practices.
Integrate risk management into the vendor management process.
Conduct security reviews on the services and solutions delivered.

Which of the following eradication methods is MOST appropriate when responding to an incident resulting in malware on an application server?

Disconnect the system from the network.
Change passwords on the compromised system.
Restore the system from a known good backup.
Perform operation system hardening.

Which of the following is MOST important for guiding the development and management of a comprehensive information security program?

Adopting information security program management best practices
Aligning the organization's business objectives with IT objectives
Establishing and maintaining an information security governance framework
Implementing policies and procedures to address the information security strategy

Which of the following is the BEST way to ensure data is not co-mingled or exposed when using a cloud service provider?

Require the provider to follow stringent data classification procedures.
Obtain an independent audit report.
Review the provider's information security policies.
Include high penalties for security breaches in the contract.

Before approving the implementation of a new security solution, senior management requires a business case. Which of the following would BEST support the justification for investment?

The solution contributes to business strategy.
The solution improves business risk tolerance levels.
The solution reduces the cost of noncompliance with regulations.
The solution improves business resiliency.

When an organization implements an information security governance framework, it is MOST important for executive leadership to have a direct role in:

reviewing the information security policy directing the organization.
developing technical key risk indicators (KRIs) for information security.
implementing information security metrics for the organization.
approving information security standards and procedures for the organization.

Which of the following should have the MOST influence on an organization’s response to a new industry regulation?

The organization's risk control baselines
The organization's control objectives
The organization's risk management framework
The organization's risk appetite

Biometrics are BEST used for:

authorization
authentication
auditing
accounting

Predetermined containment methods to be used in a cybersecurity incident response should be based PRIMARILY on the:

capability of incident handlers.
type of confirmed incident.
predicted incident duration.
number of impacted users.

Communicating which of the following would be MOST helpful to gain senior management support for risk treatment options?

Threat analysis
Root cause analysis
Quantitative loss
Industry benchmarks

Which of the following is the PRIMARY objective of information asset classification?

Threat minimization
Vulnerability reduction
Risk management
Compliance management

Which of the following trends would be of GREATEST concern when reviewing the performance of an organization’s intrusion detection systems (IDSs)?

Increase in false negatives
Increase in false positives
Decrease in false positives
Decrease in false negatives

Management would like to understand the risk associated with engaging an Infrastructure-as-a-Service (IaaS) provider compared to hosting internally. Which of the following would provide the BEST method of comparing risk scenarios?

Reviewing mitigating and compensating controls for each risk scenario
Mapping the risk scenarios by likelihood and impact on a chart
Performing a risk assessment on the IaaS provider
Mapping risk scenarios according to sensitivity of data

Which of the following is the PRIMARY reason to regularly update business continuity and disaster recovery documents?

To ensure audit and compliance requirements are met
To enforce security policy requirements
To maintain business asset inventories
To ensure the availability of business operations

Which of the following will have the GREATEST impact on the development of the information classification scheme consisting of various classification levels?

Value of the information
Data format
Owners of the information
Organizational structure

To prepare for a third-party forensics investigation following an incident involving malware, the incident response team should:

clean the malware.
isolate the infected systems.
image the infected systems.
preserve the evidence.

Of the following, who should own the risk associated with unauthorized access to application data?

Data custodian
Application developer
Application owner
Access administrator

The categorization of incidents is MOST important for evaluating which of the following?

Appropriate communication channels
Risk severity and incident priority
Allocation of needed resources
Response and containment requirements

An organization learns that a third party has outsourced critical functions to another external provider. Which of the following is the information security manager’s MOST important course of action?

Engage an independent audit of the third party's external provider.
Conduct an external audit of the contracted third party.
Recommend canceling the contract with the third party.
Evaluate the third party's agreements with its external provider.

An organization has acquired a new system with strict maintenance instructions and schedules. Where should this information be documented?

Standards
Procedures
Guidelines
Policies

The PRIMARY benefit of using http secure (https) is that it provides:

confidentiality of data transmitted.
integrity for data at rest.
authentication.
better session traceability.

An organization provides notebook PCs, cable wire locks, smartphone access, and virtual private network (VPN) access to its remote employees. Which of the following is MOST important for the information security manager to ensure?

Employees are trained on the acceptable use policy.
Employees use smartphone tethering when accessing from remote locations.
Employees use the VPN when accessing the organization's online resources.
Employees physically lock PCs when leaving the immediate area.

To improve an organization’s information security culture, it is MOST important for senior management to:

participate in security training.
review security budget and resources.
demonstrate good security practices.
approve security policies.

Which of the following BEST illustrates residual risk within an organization?

Balanced scorecard
Risk management framework
Business impact analysis (BIA)
Heat map

Which of the following is the MOST effective way to determine the alignment of an information security program with the business strategy?

Evaluate the results of business continuity testing.
Evaluate the business impact of incidents.
Review key performance indicators (KPIs).
Engage business process owners.

An organization experienced a loss of revenue during a recent disaster. Which of the following would BEST prepare the organization to recover?

Business impact analysis (BIA)
Incident response plan
Disaster recovery plan (DRP)
Business continuity plan (BCP)

Which of the following is the MOST important success factor when developing an information security strategy?

The delivery of the strategy is adequately funded.
The strategy is aligned with an industry-recognized security control framework.
The strategy is based on proven technologies and industry trends
The strategy is approved by the board and executive management.

Which of the following BEST demonstrates a security-conscious organizational culture?

Security incidents are reported directly to senior management.
Security awareness metrics have been established and tracked.
Phishing simulations are part of information security training.
Employees identify potential incidents and report them.

Which of the following is the MOST effective data loss control when connecting a personally owned mobile device to the corporate email system?

Email must be stored in an encrypted format on the mobile device.
Users must agree to the use of biometric multi-factor authentication (MFA).
A senior manager must approve each new connection.
Email synchronization must be prevented when connected to a public Wi-Fi hotspot.

Which of the following should be the FIRST step when performing triage of a malware incident?

Preserving the forensic image
Containing the affected system
Comparing backup against production
Removing the malware

Which of the following BEST helps to enable the desired information security culture within an organization?

Information security awareness training and campaigns
Incentives for appropriate information security-related behavior
Effective information security policies and procedures
Delegation of information security roles and responsibilities

Which of the following should be the GREATEST concern for an information security manager when an annual audit reveals the organization’s business continuity plan (BCP) has not been reviewed or updated in more than a year?

The organization may suffer reputational damage for not following industry best practices.
The audit finding may impact the overall risk rating of the organization.
An outdated BCP may result in less efficient recovery if an actual incident occurs.
The lack of updates to the BCP may result in noncompliance with internal policies.

Which of the following is the MOST important goal of an information security program?

Optimizing resources
Reducing risk factors
Managing controls
Enhancing business decision making

Which of the following BEST helps to ensure the effective execution of an organization’s disaster recovery plan (DRP)?

The plan is based on industry best practices.
The plan is reviewed by senior and IT operational management.
Procedures are available at the primary and failover location.
Process steps are documented by the disaster recovery team.

Which of the following would be MOST effective in reducing the impact of a distributed denial of service (DDoS) attack?

Impose state limits on servers.
Spread a site across multiple ISPs.
Harden network security.
Block the attack at the source.

The PRIMARY reason for senior management to monitor information security metrics is to ensure:

alignment of the information security budget to corporate funding.
alignment of information security with corporate governance.
alignment of security and IT objectives.
alignment with risk mitigation efforts.

Which of the following is the MOST important reason to perform a privacy impact assessment?

To provide assurance to senior management
To ensure business data processing has been assessed for risk
To ensure compensating controls are in place for key information assets
To reduce threats associated with business data processing

When reporting information security risk to senior management, it is MOST important to include:

control risk.
inherent risk.
detection risk.
residual risk.

Which of the following is MOST likely to improve an organization’s security culture?

Involving stakeholders in security planning
Enforcing penalties for security incidents
Communicating security incidents within the industry
Incentivizing managers based on security metrics

Which of the following is MOST important to complete during the recovery phase of an incident response process before bringing affected systems back online?

Test and verify that compromised systems are clean.
Document recovery steps for senior management reporting.
Record and close security incident tickets.
Capture and preserve forensic images of affected systems.

What is the BEST way for an information security manager to improve the effectiveness of risk management in an organization that currently manages risk at the departmental level?

Deploy security risk management software in all departments.
Determine whether the organization has defined its risk tolerance and risk appetite.
Subscribe to external risk reports relevant to each department.
Propose that security risk be integrated under a common risk register.

Which of the following is MOST helpful to an information security manager when determining service level requirements for an outsourced application?

Supplier business continuity plan (BCP)
Information security policy
Application capabilities
Data classification

Which of the following is MOST important to consider when planning the eradication of a cyberattack?

The skills and competencies of the eradication team
The cost of tools and efforts required for the process
Obtain a clean backup of the operating system
Knowledge about the type and source of the threat

Which of the following BEST enables an information security manager to identify changes in the threat landscape due to emerging technologies?

Input from external experts
Annual security assessments
Periodic risk assessments
Benchmarking against industry peers

An enterprise has decided to procure security services from a third-party vendor to support its information security program. Which of the following is MOST important to include in the vendor selection criteria?

The maturity of the vendor's internal control environment
Feedback from the vendor's previous clients
Alignment of the vendor's business objectives with enterprise security goals
Penetration testing against the vendor's network

The resilience requirements of an application are BEST determined by:

a cost-benefit analysis.
a threat assessment.
a business impact analysis (BIA).
a risk assessment.

Which of the following BEST facilitates recovery of data lost as a result of a cybersecurity incident?

Disaster recovery plan (DRP)
Offsite data backups
Encrypted data drives
Removable storage media

Which of the following is MOST important to the successful implementation of a new information security program?

Evaluating current information security processes
Gaining commitment from senior management
Conducting regular external benchmarking
Monitoring key performance indicators (KPIs)

An information security team has confirmed that threat actors are taking advantage of a newly announced critical vulnerability within an application. Which of the following should be done FIRST?

Notify senior management.
Prevent access to the application.
Invoke the incident response plan.
Install additional application controls.

Which of the following is the MOST important consideration when evaluating the performance of existing security controls?

Interviewing control owners to accurately collect metrics data
Establishing testing scenarios based on international standards
Selecting testing methods that match the purpose of the testing
Obtaining senior management support to facilitate testing

Which of the following metrics BEST demonstrates the effectiveness of an organization’s security awareness program?

Percentage of employee computers and devices infected with malware
Percentage of employees who regularly attend security training
Number of security incidents reported to the help desk
Number of phishing emails viewed by end users

Who should decide whether a specific control should be changed once risk is approved for mitigation?

Risk owner
Data owner
Control owner
Process owner

When determining key risk indicators (KRIs) for use in an information security program it is MOST important to select:

KRIs that track both short-term and long-term performance.
KRIs that align with business processes.
KRIs that are quantifiable.
as many KRIs as possible to catch risk events from the broadest areas.

Senior management has requested a budget cut for the information security program in the coming fiscal year. Which of the following should be the information security manager’s FIRST course of action?

Analyze the impact to the information security program.
Advise business unit heads of potential changes to the information security program.
Evaluate cost savings within existing implementations.
Re-prioritize information security implementation and operations.

What is the MOST important consideration when establishing metrics for reporting to the information security strategy committee?

Benchmarking the expected value of the metrics against industry standards
Aligning the metrics with the organizational culture
Agreeing on baseline values for the metrics
Developing a dashboard for communicating the metrics

Which of the following presents the GREATEST challenge when assessing the impact of emerging risk?

Outdated risk management strategy
Insufficient data related to the emerging risk
Complexity of the emerging risk
Lack of resources to perform risk assessments

To effectively manage an organization’s information security risk, it is MOST important to:

establish and communicate risk tolerance.
benchmark risk scenarios against peer organizations.
assign risk management responsibility to an experienced consultant.
periodically identify and correct new systems vulnerabilities.

Which of the following is the MOST useful input for an information security manager when updating the organization’s security policy?

Security team capabilities
Risk appetite
Vulnerability scan
Industry best practices

The MOST effective way for an information security manager to secure senior management support for the information security strategy is by:

presenting industry-specific information security best practices.
determining cost effective information security controls.
educating management on information security program needs.
developing reports showing current threats to the organization.

When engaging an external party to perform a penetration test, it is MOST important to:

provide an updated asset inventory.
notify employees of the testing.
define the project scope.
provide network documentation.

Which of the following is the MOST effective way to convey information security responsibilities across an organization?

Implementing security awareness programs
Defining information security responsibilities in the security policy
Developing a skills matrix
Documenting information security responsibilities within job descriptions

A financial institution is expanding to international jurisdictions and is mindful of protecting customer information. Which of the following should be of GREATEST concern?

Ability to monitor and enforce security controls in multiple jurisdictions
Global payment card industry regulations
Privacy laws and regulations for each country in which the organization operates
Information security resources available in each country in which the organization operates

When evaluating cloud storage solutions, the FIRST consideration should be:

how the organization's sensitive data will be transferred.
the service level agreement (SLA) for encryption keys.
the volume of data to be stored in the cloud.
alignment with the organization's data classification policy.

Which of the following is the GREATEST benefit resulting from the introduction of data security standards for payment cards?

It helps achieve the holistic protection of information assets in the industry.
It deters hackers from committing crimes related to card payments.
It enables a wider range of more sophisticated payment methods.
It optimizes budget allocation for cybersecurity in each organization.

Which of the following should an information security manager establish FIRST to ensure security-related activities are adequately monitored?

Regular reviews of system logs
Accountability for security functions
Procedures for security assessments
Schedules for internal audits

Which of the following is the BEST approach for data owners to use when defining access privileges for users?

Implement an identity and access management (IDM) tool.
Adopt user account settings recommended by the vendor.
Perform a risk assessment of the users' access privileges.
Define access privileges based on user roles.

Which of the following is the BEST control to protect customer personal information that is stored in the cloud?

Strong encryption methods
Appropriate data anonymization
Strong physical access controls
Timely deletion of digital records

Which of the following is MOST important to include in an enterprise information security policy?

Acceptable use
Security objectives
Security metrics
Audit trail review requirements

An information security manager wants to upgrade an organization’s workstations to a new operating system version. Which of the following would be MOST helpful to gain senior management support for the upgrade?

The results of user surveys indicating issues with the current operating system
A list of the latest security features in the new operating system
A summary of performance improvements in the new operating system
An assessment of the current operating system based on risk

Which of the following is MOST important to define when creating information security management metrics?

Budget
Objectives
Policy
Benchmarks

A PRIMARY benefit of adopting an information security framework is that it provides:

standardized security controls.
common exploitability indices.
credible emerging threat intelligence.
security and vulnerability reporting guidelines.

It is MOST important that risk owners understand they are accountable for:

collaborating with stakeholders to evaluate the effectiveness of controls associated with the risk.
reporting risk metrics and control compliance status to the information security manager.
escalating control deficiencies associated with the risk to the steering committee for decision making.
overseeing and monitoring the effectiveness of controls associated with the risk.

Which of the following is MOST important to include in security incident escalation procedures?

Recovery procedures
Containment procedures
Key objectives of the security program
Notification criteria

An organization has implemented a new email filter to mitigate risk associated with its email system. Who is BEST suited to be the control owner?

Head of IT department
Head of compliance
Head of corporate communications
Head of information security

When introducing a new information asset, what is the MOST important responsibility of the asset owner?

Information backup
Information access administration
Information disposal
Information classification

When establishing an information security governance framework, it is MOST important for an information security manager to understand:

information security best practices.
the corporate culture.
risk management techniques.
the threat environment.

When updating the information security policy to accommodate a new regulation, the information security manager should FIRST:

review key risk indicators (KRIs).
consult process owners.
update key performance indicators (KPIs).
perform a gap analysis.

Which of the following is the BEST way to align security and business strategies?

Establish key performance indicators (KPIs) for the business.
Integrate information security governance into corporate governance.
Ensure the information security program conforms to industry standards.
Include security risk as part of ongoing metrics reporting.

Which of the following should an information security manager do FIRST when developing a security framework?

Document security procedures
Conduct an asset inventory
Update the security policy
Perform a gap analysis

A Software as a Service (SaaS) application has been implemented to support a critical business process. Which of the following is MOST important to include within the service level agreement (SLA) to ensure timely response to incidents affecting the application?

Vendor declarations and warranties
Enhanced monitoring of in-scope systems
Defined incident response roles and responsibilities
Established incident response procedures

Of the following, who is BEST positioned to perform a business impact analysis (BIA)?

The information security team
Process owners
The IT team
Business continuity management auditors

Which of the following is the BEST indication of an effective disaster recovery planning process?

Recovery time objectives (RTOs) are shorter than recovery point objectives (RPOs)
Hot sites are required for any declared disaster
Post-incident reviews are conducted after each event
Chain of custody is maintained throughout the disaster recovery process

Which of the following provides the BEST input to determine the level of protection needed for an IT system?

Vulnerability assessment
Asset classification
Threat analysis
Internal audit findings

Which of the following should be the FIRST consideration for an information security manager after a security incident has been confirmed?

Developing incident reporting criteria
Executing containment procedures
Restoring business operations
Determining the root cause

Which of the following actions will BEST resolve the root cause of a cyber incident involving unauthorized network access due to a critical vulnerability on a web server?

Improving the patching process
Locking accounts with unauthorized access
Isolating affected systems
Terminating malicious network connections

Following an unsuccessful denial of service (DoS) attack, identified weaknesses should be:

noted and re-examined later if similar weaknesses are found
tracked and reported on until their final resolution
quickly resolved and eliminated regardless of cost
documented in security awareness programs

Which of the following is an information security manager’s MOST important action during the third-party provider selection process?

Determining it the third party is sufficiently staffed
Performing a network penetration test
Analyzing the third party’s existing control environment
Consulting with the third party’s clients

Which of the following risk assessment findings for an online-only business should be given the HIGHEST priority to address availability concerns?

The back office system that processes payments to providers has slowed.
The web server for the online store was found to be vulnerable to distributed denial of service (DDoS) attacks.
Email authentication through a connector to a single sign-on (SSO) service has a history of failure.
The access point for the visitor WiFi network has several unpatched vulnerabilities.

At which stage of business continuity planning is risk identification performed?

Impact analysis
Stakeholder meeting
Development
Project planning

An information security team plans to strengthen authentication requirements for a customer-facing site, but there are concerns it will negatively impact the user experience. Which of the following is the information security manager’s BEST course of action?

Refer to industry best practices.
Quantify the security risk to the business.
Provide security awareness training to customers.
Assess business impact against security risk.

Which of the following is the PRIMARY reason for executive management to be involved in establishing an enterprise’s security management framework?

To determine the desired state of enterprise security
To satisfy auditors’ recommendations for enterprise security
To ensure industry best practices for enterprise security are followed
To establish the minimum level of controls needed

Which of the following is MOST important for an information security manager to consider when determining whether data should be stored?

Type and nature of data
Business requirements
Data storage limitations
Data protection regulations

A business unit recently integrated the organization’s new strong password policy into its business application which requires users to reset passwords every 30 days. The help desk is now flooded with password reset requests. Which of the following is the information security manager’s BEST course of action to address this situation?

Conduct a business impact analysis (BIA)
Provide end-user training
Escalate to senior management
Continue to enforce the policy

CISM Final Assessment 4

Quiz Summary

Information

Results

Results

Categories

1. Question

2. Question

3. Question

4. Question

5. Question

6. Question

7. Question

8. Question

9. Question

10. Question

11. Question

12. Question

13. Question

14. Question

15. Question

16. Question

17. Question

18. Question

19. Question

20. Question

21. Question

22. Question

23. Question

24. Question

25. Question

26. Question

27. Question

28. Question

29. Question

30. Question

31. Question

32. Question

33. Question

34. Question

35. Question

36. Question

37. Question

38. Question

39. Question

40. Question

41. Question

42. Question

43. Question

44. Question

45. Question

46. Question

47. Question

48. Question

49. Question

50. Question

51. Question

52. Question

53. Question

54. Question

55. Question

56. Question

57. Question

58. Question

59. Question

60. Question

61. Question

62. Question

63. Question

64. Question

65. Question

66. Question

67. Question

68. Question

69. Question

70. Question

71. Question

72. Question

73. Question