CISM EXAM QUESTIONS AND ANSWERS 100% CORRECT

Type: Exam (elaborations)
Pages: 53
Grade: A+
Uploaded on: 02-05-2025
Written in: 2024/2025

Institution: CISM - Certified Information Security Manager
Module: CISM - Certified Information Security Manager
Content preview

CISM EXAM QUESTIONS AND ANSWERS 100% CORRECT
What would be the BEST security measure we could use to prevent data disclosure and data exfiltration?

A) User authentication in all applications.

B) Use very strong encryption.

C) Use very strong key storage.

D) Use very complex firewall rules. - ANSWER-C) Use very strong key storage.

Explanation
We would want very strong key storage: if attackers can get to our encryption keys, most of the other security measures are irrelevant. Most encryption today is strong enough not to be breakable with current technology, so making it stronger often does not make it significantly more secure. Complex firewall rules do not mean more security, and in this example they are a distractor. We would want user authentication in all applications, but that is not relevant for this question.

What is the MOST important reason we have Information Security review our contracts throughout the enterprise?

A) To ensure that both parties can perform their contractual promises.

B) To ensure the right to audit is a requirement.

C) To ensure appropriate controls are included.

D) To ensure no confidential information is included in the contract. - ANSWER-C) To ensure appropriate controls are included.

As an IT auditor, Trisha is conducting a compliance review. Which of these is she MOST likely to be performing?

A) Performing job activity analysis

B) Performing program activity analysis

C) Performing system aging analysis

D) Determine whether program changes are approved - ANSWER-D) Determine whether program changes are approved

Explanation
Compliance reviews determine whether the controls are enforcing the regulations, and include ensuring there are no unauthorized changes to the production environment. The other answers are part of a substantive review, which verifies the accuracy and reasonableness of reported information.

Of these options, when is the BEST time to have penetration tests conducted?

A) After a high staff turnover.

B) After significant system changes.

C) After an attempted intrusion.

D) After an audit has found weaknesses in our security controls. - ANSWER-B) After significant system changes.

At which phase of our systems or software development lifecycle should risk assessments be built in to ensure risks are addressed in the project development?

A) The specifications phase.

B) The programming phase.

C) The user testing phase.

D) The feasibility phase. - ANSWER-D) The feasibility phase.

Explanation
We should address risk as early in the project as possible; of the phases listed here, that is feasibility. The programming or user testing phase is far too late. If the feasibility phase were not an option, we would do it in specifications, but feasibility is much better.

Francis is a security engineer who helps development teams decide which controls should be included in new applications. He has a list of existing controls that have been implemented in other applications, a list of new controls that will be implemented soon in other applications, and a list of new designs for controls that probably cannot be implemented using the current technology. Which list provides no security protection?

A) Controls that have not been implemented yet

B) Existing controls that have been proven to work

C) Existing controls that due to their age of use have probably been cracked

D) New controls that have not been proven to work - ANSWER-A) Controls that have not been implemented yet

We are a large multinational organization with offices in Europe, the US, Asia, Australia, Russia and Africa. Which type of information would we expect to have the LOWEST level of security protection?

A) Our upcoming financial results.

B) Our strategic plan.

C) Our previous financial results.

D) Customer PII (Personally Identifiable Information). - ANSWER-C) Our previous financial results.

Explanation
Our previous financial results would have the LOWEST level of protection, because they are already public. Exposing our strategic plan, our upcoming financial results or customer PII would have adverse effects.

Bob is scanning our internal network for security vulnerabilities. What is the MOST important thing Bob should ensure?

A) To not use open source vulnerability scanners.

B) To follow the normal attack cycle.

C) To not interrupt production environments.

D) To only scan production environments. - ANSWER-C) To not interrupt production environments.

Our organization has just finished a companywide Information Security user awareness training effort and we are going to try to social engineer our employees to gauge how effective the training was. Which of these is NOT a type of social engineering attack?

A) Authority

B) Vishing

C) Reconnaissance

D) Scarcity - ANSWER-C) Reconnaissance

Explanation
Reconnaissance is one of the phases of an attack or penetration test; it is not a form of social engineering. Vishing (voice phishing), authority, and scarcity are all types of social engineering.

What would be the BEST reason to get help from external resources to work on our Information Security program?

A) They can give us more redundancy for internal employees

B) They would be responsible for our Information Security program meeting the requirements

C) They can be more cost effective and can have expertise we do not have internally

D) They can deliver the product faster because of their external knowledge - ANSWER-C) They can be more cost effective and can have expertise we do not have internally

Bob is finishing up this iteration of our risk management program. What is the BIGGEST benefit of the program?

A) It can bring our losses in alignment with what we had budgeted for.

B) It can identify and remove all threats posed by people.

C) It can eliminate or transfer all organizational risks.

D) It can align our risk with the cost of countermeasures. - ANSWER-D) It can align our risk with the cost of countermeasures.

Paul asks his manager Naomi why separation of roles is important. What is the MOST likely answer Naomi will give to Paul?

A) Divides the knowledge necessary to complete key tasks

B) No one person has complete control over a transaction or an activity

C) Employees from different departments do not work together

D) Avoids conflicts of interest - ANSWER-B) No one person has complete control over a transaction or an activity

Which group of people would be the BEST for performing risk analysis on our organization?