CISM Domain 2 Test Questions With 100% Verified Answers

Type: Exam (elaborations)
Pages: 10
Grade: A+
Uploaded on: 26-05-2025
Written in: 2024/2025

A social media application system has a process to scan posted comments in search of inappropriate disclosures. Which of the following choices would circumvent this control? - ANSWER- a misspelling in the text

After residual risk has been determined, the enterprise should NEXT: - CORRECT ANSWER- validate that the residual risk is acceptable

Which of the following is the BEST resolution when a security standard conflicts with a business objective? - ANSWER- performing a risk analysis

A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take? - ANSWER- perform a risk analysis to quantify the risk

Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if: - ANSWER- it implies compliance risk

When a proposed system change violates an existing security standard, the conflict would be BEST resolved by: - ANSWER- calculating the risk

The information classification scheme should: (*) - ANSWER- consider possible impact of a security breach

What is the MOST cost-effective method of identifying new vendor vulnerabilities? - ANSWER- external vulnerability reporting sources

Which is the BEST way to assess aggregate risk derived from a chain of linked system vulnerabilities? (*) - ANSWER- penetration tests

Which of the following tasks should an information security manager do FIRST when business information has to be shared with external entities? - ANSWER- review the information classification

When introducing public cloud computing technology to the business, which of the following situations would be a MAJOR concern? (*) - ANSWER- an unawareness of risk scenarios that need to be included in the risk profile

Which of the following is the MOST important element of information asset classification? (*) - ANSWER- potential impact

Which of the following would be the BEST indicator of an asset's value to an organization? - ANSWER- classification

After performing an asset classification, the information security manager is BEST able to determine the: - ANSWER- impact of a compromise

What is the TYPICAL output of a risk assessment? - ANSWER- an inventory of risk that may impact the organization

Tightly integrated IT systems are MOST likely to be affected by: - ANSWER- cascading risk

Which of the following is the BEST quantitative indicator of an organization's current risk appetite? - ANSWER- the ratio of cost to insurance coverage for business interruption protection

Once the objective of performing a security review has been defined, the NEXT step for the information security manager is to determine: - ANSWER- scope

The MOST effective approach to ensure the continued effectiveness of information security controls is by: - ANSWER- utilizing effective life cycle management

Which of the following is the MOST useful indicator of control effectiveness? - ANSWER- the extent to which control objectives are achieved

The PRIMARY reason to consider information security during the first stage of a project life cycle is: (*) - ANSWER- information security may affect project feasibility

A permissive control policy would be reflected in which one of the following implementations? (*) - ANSWER- access is allowed unless explicitly denied.

The PRIMARY objective of a vulnerability assessment is to: - ANSWER- provide assurance to management

The information security policies of an organization require that all confidential information must be encrypted while communicating to external entities. A regulatory agency insisted that a compliance report must be sent without encryption. The information security manager should: - ANSWER- initiate an exception process for sending the report without encryption

An information security manager's MOST effective efforts to manage the inherent risk related to a third party service provider will be the result of: - ANSWER- limiting organizational exposure

The BEST process for assessing an existing risk level is a(n): (*) - CORRECT ANSWER- security review

A cost-benefit analysis is performed on any proposed control to: (*) - CORRECT ANSWER- demonstrate the costs are justified by the reduction in risk

The PRIMARY objective of asset classification is to: - ANSWER- determine protection level

A control for protecting an IT asset, such as a laptop computer, is BEST selected if the cost of the control is less than the: (*) - ANSWER- impact on the business if the asset is lost or stolen

Which of the following choices BEST reveals the evolving nature of attacks in an online environment? - ANSWER- industry tracking groups (CERT)

Asset classification should be MOSTLY based on: (*) - ANSWER- business value

Control baselines are MOST directly related to the: (*) - ANSWER- organization's risk appetite

Which of the following is the BEST indicator of the level of acceptable risk in an organization? (*) - ANSWER- the ratio of business insurance coverage to its cost

Which of the following is the FIRST action to be taken when the information security manager notes that the controls for a critical application are inadequate? - ANSWER- perform a risk assessment to determine the level of exposure

When assessing the maturity of the risk management process, which of the following findings raises the GREATEST concern? (*) - ANSWER- the desired state is not based on the business objectives

Institution / Course: CISM Domain 2