CISM domain 2 tests Q/A
Terms in this set (89)
An information security manager performing a security review determines that compliance with access control policies to the data center is inconsistent across employees. The FIRST step to address this issue should be to:
assess the risk of noncompliance.
The information security manager should treat regulatory compliance requirements as:
just another risk.
Management decided that the organization will not achieve compliance with a recently issued set of regulations. Which of the following is the MOST likely reason for the decision?
the cost of compliance exceeds the cost of possible sanctions.
The value of information assets is BEST determined by:
individual business managers
It is important to classify and determine relative sensitivity of assets to ensure that:
countermeasures are proportional to risk.
When performing an information risk analysis, an information security manager should FIRST:
take an asset inventory.
The PRIMARY benefit of performing an information asset classification is to:
identify controls commensurate to risk.
Which program element should be implemented FIRST in asset classification and control?
When performing a risk assessment, the MOST important consideration is that:
assets have been identified and appropriately valued.
The MAIN reason why asset classification is important to a successful information security program is because classification determines:
the appropriate level of protection to the asset.
Who is responsible for ensuring that information is classified?
The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for:
defining the level of access controls.
Which of the following would govern which information assets need more protection than other information assets?
Which of the following is the MOST important to keep in mind when assessing the value of information?
the potential financial loss
The information classification scheme should:
consider possible impact of a security breach.
After performing an asset classification, the information security manager is BEST able to determine the:
impact of a compromise.
In controlling information leakage, management should FIRST establish:
an information classification process.
Which of the following BEST supports the principle of security proportionality?
The value of tangible assets can be BEST determined by which of the following?
the market value minus the book value
Which of the following is MOST important to achieve proportionality in the protection of enterprise information systems?
The MOST important reason for conducting periodic risk assessment is because:
security risks are subject to frequent change.
In a business impact analysis, the value of an information system should be based on the overall cost:
Which of the following risks would BEST be assessed using qualitative risk assessment techniques?
permanent decline in customer confidence
Which of the following is the PRIMARY reason for implementing a risk management program?
is a necessary part of management's due diligence
The impact of losing frame relay network connectivity for 18-24 hours should be calculated using the:
financial losses incurred by affected business units.
In assessing risk, it is MOST essential to:
consider both monetary value and likelihood of loss.
The PRIMARY goal of a corporate risk management program is to ensure that an organization's:
stated objectives are achievable.
Before conducting a formal risk assessment of an organization's information resources, an information security manager should FIRST:
map the major threats to business objectives.
Which of the following is MOST essential for a risk management program to be effective?
detection of new risk
Which of the following would help management determine the resources needed to mitigate a risk to the organization?
business impact analysis (BIA)
The PRIMARY purpose of using risk analysis within a security program is to:
justify the security expenditure.
There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
identify the vulnerable systems and apply compensating controls
When performing a qualitative risk analysis, which of the following will BEST produce reliable results?
possible scenarios with threats and impacts
Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?
participation by all members of the organization
When calculating an annual loss expectancy (ALE), which variable MOST requires the information systems (IS) manager to form an opinion based on the uncertainty of the future?
annual rate of occurrence
The IT function has declared that, when putting a new application into production, it is not necessary to update the business impact analysis (BIA) because it does not produce modifications in the business processes. The information security manager should:
verify the decision with the business units.
Which of the following is the BEST reason to perform a business impact analysis (BIA)?
to help determine the current state of risk
Which of the following is involved when conducting a business impact analysis (BIA)?
listing critical business resources
An organization's management is carrying out a cost-benefit analysis of the controls recommended to mitigate a risk. The approach adopted by the management is:
both quantitative and qualitative.
What is the TYPICAL output of a risk assessment?
an inventory of risk that may impact the organization
The assessment of risk is always subjective. To improve accuracy, which of the following is the MOST important action to take?
train or "calibrate" the assessor.
Tightly integrated IT systems are MOST likely to be affected by:
Which of the following is the BEST quantitative indicator of an organization's current risk tolerance?
the ratio of cost to insurance coverage for business interruption protection
What is the PRIMARY deficiency in utilizing annual loss expectancy (ALE) to predict the annual extent of losses?
it is based on at least some subjective information.
Once the objective of performing a security review has been defined, the NEXT step for the information security manager is to determine
The PRIMARY objective of a vulnerability assessment program is to:
provide assurance to management.
Which of the following is the MOST cost-effective approach to test the security of a legacy application?
conduct a vulnerability assessment to detect application weaknesses.
The BEST process for assessing an existing risk level is a(n):
Which of the following BEST indicates a successful risk management practice?
residual risk is minimized.
Risk acceptance is a component of which of the following?
After completing a full IT risk assessment, who will BEST decide which mitigating controls should be implemented?
A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account?
create a strong random password
Which of the following would BEST address the risk of data leakage?
acceptable use policies
After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:
implement monitoring techniques to detect and react to potential fraud.
Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?
total cost of ownership (TCO)
After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be:
The PRIMARY reason for initiating a policy exception process is when:
the risk is justified by the benefit.
Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?
Which of the following statements concerning the transfer of risk is TRUE?
responsibility cannot be transferred.
An information security manager is working with a business manager to develop risk management strategies for an application. The business manager believes that using an external application service provider (ASP) will eliminate all of its risk. Which of the following should the security manager explain to the business manager?
outsourcing will only transfer some of the risk.
Once residual risks have been determined, the enterprise should NEXT:
validate that the residual risks are acceptable.
The design and implementation of controls and countermeasures must be PRIMARILY focused on:
Which of the following is the BEST approach to deal with inadequate funding of the information security program?
use third-party providers for low-risk activities.
The MOST likely reason that management would choose not to mitigate a risk that exceeds the risk appetite is that it:
falls within the risk tolerance level.
From an information security perspective, which of the following poses the MOST important impact concern in a homogenous network?
An appropriate risk treatment method is:
an efficient approach to achieve control objectives.
A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures?
risk analysis results
An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the:
One way to determine control effectiveness is by determining:
the test results of intended objectives.
Which of the following would provide the BEST defense against the introduction of malware in end-user computers via the Internet browser?
restricting execution of mobile code
Which of the following factors will MOST affect the extent to which controls should be layered?
controls subject to the same threat
Which of the following is a preventive measure?
an access control
Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:
it implies compliance risks.
An operating system (OS) noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution?
compensate for not installing the patch with mitigating controls
An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. The vulnerability identified is:
The MOST effective approach to ensure the continued effectiveness of information security controls is by:
utilizing effective life cycle management.
Which of the following is the MOST useful indicator of control effectiveness?
the extent to which control objectives are achieved
A permissive (tolerant) controls policy would be reflected in which one of the following implementations?
allows access unless explicitly denied.
An information security manager's MOST effective efforts to manage the inherent risk related to a third-party service provider will be the result of:
limiting organizational exposure.
Which of the following BEST describes the key objective of an information security program?
protect information assets using manual and automated controls.
Measuring risk in quantitative terms:
is inherently subjective.
The MOST appropriate owner of customer data stored in a central database, used only by an organization's sales department, would be the:
head of the sales department.
The acquisition of new information technology (IT) systems that are critical to an organization's core business can create significant risk. To effectively manage the risk, the information security manager should FIRST:
ensure that appropriate procurement processes are employed.
The PRIMARY reason to consider information security during the first stage of a project life cycle is:
information security may affect project feasibility.
The MOST effective use of a risk register is to:
facilitate a thorough review of all IT-related risks on a periodic basis.
An information security manager is advised by contacts in law enforcement that there is evidence that his/her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:
immediately advise senior management of the elevated risk.
The decision on whether new risks should fall under periodic or event-driven reporting should be based on which of the following?
visibility of impact
Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following?
Which one of the following factors of a risk assessment typically involves the GREATEST amount of speculation?