SOLUTIONS
The security requirements of each member of the organization should be documented
in: - ANSWER- Their job descriptions
What could be the greatest challenge to implementing a new security strategy? -
ANSWER- Obtaining buy-in from employees
A disgruntled former employee is a: - ANSWER- Threat
A bug or software flaw is a: - ANSWER- Vulnerability
An audit log is an example of a: - ANSWER- Detective control
A compensating control is used: - ANSWER- When normal controls are not sufficient to
mitigate the risk
Encryption is an example of a: - ANSWER- Countermeasure
The examination of risk factors would be an example of: - ANSWER- Risk analysis
True/False: The only real risk mitigation technique is based on effective implementation
of technical controls. - ANSWER- False
Should a risk assessment consider controls that are planned but not yet implemented? -
ANSWER- Yes, because it would not be appropriate to recommend implementing
controls that are already planned
The main purpose of information classification is to: - ANSWER- Ensure the effective,
appropriate protection of information
The value of information is based in part on: - ANSWER- The fines imposed by
regulators in the event of a breach
The definition of an information security baseline is: - ANSWER- The minimum level of
security mandated in the organization
The use of a baseline can help the organization to: - ANSWER- Compare the current
state of security with the desired state
The purpose of a Business Impact Analysis (BIA) is to: - ANSWER- Estimate the
potential impact on the business in case of a system failure
The ultimate goal of BIA is to: - ANSWER- determine the priorities for recovery of
business processes and systems
New controls should be implemented as a part of the risk mitigation strategy: -
ANSWER- In areas where the cost of the control is justified by the benefit obtained
An example of risk transference as a risk mitigation option is: - ANSWER- The purchase
of insurance to cover some of the losses associated with an incident.
The purpose of a life cycle (as used in the Systems Development Life Cycle (SDLC)) is
to: - ANSWER- Assist in the management of a complex project by breaking it into
individual steps
At which stage of a project should risk management be performed? - ANSWER- At each
stage starting at project initiation
When working with an outside party that may include access to sensitive information,
each party should require a: - ANSWER- Non-disclosure agreement (NDA)
Symmetric key algorithms are best used for: - ANSWER- Encryption of large amounts of
data
A benefit provided by a symmetric algorithm is: - ANSWER- confidentiality
Asymmetric algorithms are often used in: - ANSWER- Digital signatures
The primary benefit of a hash function is: - ANSWER- Proving integrity of a message
Which key would open a message encrypted with John's public key? - ANSWER- John's
corresponding private key
Symmetric encryption is a: - ANSWER- two-way encryption process
A primary reason for the development of public key cryptography was to: - ANSWER-
Address the key distribution problems of asymmetric encryption
What is the length of a digest created by a hash function? - ANSWER- A hash function
creates a fixed length hash regardless of input message length