Exam

CISM Questions and Answers with Certified Solutions

Pages
14
Grade
A+
Uploaded on
07-10-2023
Written in
2023/2024

Q: The foundation of an information security program is:
A: Alignment with the goals and objectives of the organization

Q: The core principles of an information security program are:
A: Confidentiality, Integrity and Availability

Q: The key factor in a successful information security program is:
A: Senior Management support

Q: A threat can be described as:
A: Any event or action that could cause harm to the organization

Q: True/False: Threats can be either intentional or accidental.
A: True

Q: Personnel Security requires trained personnel to manage systems and networks. When does personnel security begin?
A: Through pre-employment checks

Q: Who plays the most important role in information security?
A: Upper management

Q: The advantage of an IPS (intrusion prevention system) over an IDS (intrusion detection system) is that:
A: The IPS can block suspicious activity in real time

Q: True/False: Physical security is an important part of an Information Security program.
A: True

Q: The Sherwood Applied Business Security Architecture (SABSA) is primarily concerned with:
A: An enterprise-wide approach to security architecture

Q: A centralized approach to security has the primary advantage of:
A: Uniform enforcement of security policies

Q: The greatest advantage to a decentralized approach to security is:
A: More adjustable to local laws and requirements

Q: A primary objective of an information security strategy is to:
A: Identify and protect information assets

Q: The first step in an information security strategy is to:
A: Determine the desired state of security

Q: Effective information security governance is based on:
A: Implementing security policies and procedures

Q: The use of a standard such as ISO27001 is useful to:
A: Ensure that all relevant security needs have been addressed

Q: Three main factors in a business case are resource usage, regulatory compliance and:
A: Return on investment

Q: What is a primary method for justifying investments in information security?
A: Development of a business case

Q: Relationships with third parties may:
A: Require the organization to comply with the security standards of the third party

Q: True/False: The organization does not have to worry about the impact of third party relationships on the security program.
A: False

Q: The role of an Information Systems Security Steering Committee is to:
A: Provide feedback from all areas of the organization

Q: The most effective tool a security department has is:
A: A security awareness program

Q: The role of Audit in relation to Information Security is:
A: To validate the effectiveness of the security program against established metrics

Q: Who should be responsible for development of a risk management strategy?
A: The Security Manager

Q: The security requirements of each member of the organization should be documented in:
A: Their job descriptions

Q: What could be the greatest challenge to implementing a new security strategy?
A: Obtaining buy-in from employees

Q: A disgruntled former employee is a:
A: Threat

Q: A bug or software flaw is a:
A: Vulnerability

Q: An audit log is an example of a:
A: Detective control

Q: A compensating control is used:
A: When normal controls are not sufficient to mitigate the risk

Q: Encryption is an example of a:
A: Countermeasure

Q: The examination of risk factors would be an example of:
A: Risk analysis

Q: True/False: The only real risk mitigation technique is based on effective implementation of technical controls.
A: False

Q: Should a risk assessment consider controls that are planned but not yet implemented?
A: Yes, because it would not be appropriate to recommend implementing controls that are already planned

Q: The main purpose of information classification is to:
A: Ensure the effective, appropriate protection of information

Q: The value of information is based in part on:
A: The fines imposed by regulators in the event of a breach

Q: The definition of an information security baseline is:
A: The minimum level of security mandated in the organization

Q: The use of a baseline can help the organization to:
A: Compare the current state of security with the desired state

Q: The purpose of a Business Impact Analysis (BIA) is to:
A: Estimate the potential impact on the business in case of a system failure

Q: The ultimate goal of BIA is to:
A: Determine the priorities for recovery of business processes and systems

Q: New controls should be implemented as a part of the risk mitigation strategy:
A: In areas where the cost of the control is justified by the benefit obtained

Q: An example of risk transference as a risk mitigation option is:
A: The purchase of insurance to cover some of the losses associated with an incident

Q: The purpose of a life cycle (as used in the Systems Development Life Cycle (SDLC)) is to:
A: Assist in the management of a complex project by breaking it into individual steps

Q: At which stage of a project should risk management be performed?
A: At each stage, starting at project initiation

Q: When working with an outside party that may include access to sensitive information, each party should require a:
A: Non-disclosure agreement (NDA)

Q: Symmetric key algorithms are best used for:
A: Encryption of large amounts of data

Q: A benefit provided by a symmetric algorithm is:
A: Confidentiality

Q: Asymmetric algorithms are often used in:
A: Digital signatures

Q: The primary benefit of a hash function is:
A: Proving integrity of a message

Q: Which key would open a message encrypted with John's public key?
A: John's corresponding private key

Q: Symmetric encryption is a:
A: Two-way encryption process

Q: A primary reason for the development of public key cryptography was to:
A: Address the key distribution problems of asymmetric encryption

Q: What is the length of a digest created by a hash function?
A: A hash function creates a fixed-length hash regardless of input message length

Q: A hash is often used for:
A: Password-based authentication

Q: The entity requesting access in an access control system is often known as:
A: The subject

Q: Access control is a means to:
A: Permit authorized persons appropriate levels of access

Q: A surveillance camera is an access control based on:
A: Physical controls

Q: Anti-virus systems should be deployed on:
A: Gateways and individual desktops

Q: The use of a policy compliant system may enable an organization to:
A: Enforce policies at a desktop level

Q: An information classification policy is what form of control?
A: Administrative controls

Q: Which of the following is a one-way function?
A: Hashing

Q: True/False: A Disaster Recovery Plan is a part of an Information Security Framework.
A: True

Q: An important element of an information security program is:
A: The development of metrics to measure program performance

Q: Identity management applies to:
A: Giving both internal and external users unique identification

Q: The practice of only granting a user the lowest level required is:
A: Least privilege

Q: A deterrent control can be used to:
A: Discourage inappropriate behavior

Q: An example of a preventative control is:
A: A fence

Q: A disadvantage of an automated control may be:
A: That it may implement a configuration change automatically without review

Q: The implementation of a security program requires:
A: A person that takes ownership of each activity

Q: The manipulation of staff to perform unauthorized actions is known as:
A: Social engineering

Q: Audit is a form of:
A: Business assurance

Q: When an organization undertakes a program to outsource the IT function, what must it do as part of the outsourcing program?
A: Ensure that security requirements are addressed in any contracts

Q: What is the best way to understand business priorities?
A: Interviews with senior management

Q: In case the implementation of an IT project fails, what is the next step?
A: Roll back the implementation if possible

Q: A gap analysis can be used to:
A: Determine the disparity between current and desired state

Q: Every policy should be backed up through the use of:
A: Procedures, standards and baselines

Q: The testing and evaluation of the security of a system made in support of the decision to implement the system is known as:
A: Certification

Q: Ensuring that a system is not implemented until it has been formally approved by a senior manager is part of:
A: Accreditation

Q: Teaching staff how to use a new security tool is known as:
A: Training

Q: To ensure the quality of, and adherence to standards for, a modification to a system the organization enforces:
A: Change control

Q: One of the most important considerations when two organizations are considering a merger is:
A: Confidentiality

Q: What document is used to set out the expectations for vendors or suppliers?
A: Service level agreements

Q: Good information security metrics are clear, timely and:
A: Relevant

Q: A vulnerability test is intended to:
A: Find weaknesses in the system

Q: True/False: Penetration testing and vulnerability assessments can be either internal or external.
A: True

Q: True/False: Gathering data to evaluate the security program cannot be done through interviews since the answers are too subjective.
A: False

Q: Metrics to evaluate the effectiveness of system controls may be based on:
A: Key performance indicators (KPIs)

Q: The three authentication factors are:
A: Knowledge, ownership, biometric

Q: Sensitive information about a person is called:
A: PII

Q: Remote access poses the risk that:
A: Unauthorized users may use remote access systems to gain access

Q: A Virtual Private Network (VPN) is used to:
A: Create a secure tunnel to allow transmission of sensitive data over an insecure network

Q: A security risk associated with disposal of any storage device is:
A: The removal of sensitive information

Q: When an outsourcing contract expires the organization must:
A: Ensure all data is removed or destroyed by the outsource service provider

Institution
CISM - Certified Information Security Manager
Degree
CISM - Certified Information Security Manager