CISM Domain 2
Terms in this set (69)
Risk controls are adequate when ____
the residual risk is less than or equal to acceptable risk
Value at risk can be used:
to determine maximum probable loss in a given time period—typically at 95 or 99 percent certainty.
High-impact, low-likelihood situations are typically most cost effectively covered by ________
transferring the risk to a third party, e.g., insurance
Reducing exposure reduces _______
the likelihood of a vulnerability being exploited
factor in calculating impact of lost connectivity:
Financial losses incurred by the business units
Control baselines are MOST directly related to the:
organization's risk appetite
first step in a risk analysis process to determine the impact to the organization
Calculate the value of the information or asset
Unless the exploitation of vulnerability by a threat has ________ , there is no risk to the organization.
Purpose of controls:
Bring residual risk to acceptable levels
Most effective way to avoid introduction of malware into the end user's computers.
Restricting execution of mobile code
Which program element should be implemented FIRST in asset classification and control?
Why might an organization rationally choose to mitigate a risk that is estimated to be at a level higher than its stated risk appetite but within its stated risk tolerance?
Senior management may have concern that the stated impact is underestimated
- best way to erase confidential information stored on magnetic tapes
- the magnetic tapes would quickly dispose of all information because the magnetic domains are thoroughly scrambled and would not allow reuse
It is always good practice to engage _______ when addressing security threats and risk.
management of the business unit
_____ is the weakest link in encryption
Who is responsible for ensuring that security awareness and training material is effectively deployed to reach the intended audience?
Information Security Department
What is the BEST way to identify an application back door?
Source code review
What is an advantage of sending messages using steganographic techniques as opposed to using encryption?
The existence of messages is unknown. The existence of messages is hidden in another file, such as a JPEG image, when using steganography.
Symmetric or secret key encryption
requires a separate key for each pair of individuals who wish to have confidential communication, resulting in an exponential increase in the number of keys as the number of users increases, creating intractable distribution and storage problems.
Public key infrastructure keys
increase arithmetically, making it more practical from a scalability point of view.
Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?
Developing an information security baseline helps to _________
define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality/classification levels.
An extranet server should be placed _________
on a screened subnet, which is a demilitarized zone.
firewalls should be installed _______
on hardened servers with minimal services enabled
Placing ______ or _______would leave it defenseless.
external router / outside the firewall
A security baseline can BEST be used for:
Establishing uniform system hardening
The approval of standards to meet the requirements of policies should be performed by __________
information security department
Who is the appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process?
Addressing production risks is PRIMARILY a function of:
What is the PRIMARY purpose of using risk analysis within a security program?
The risk analysis helps assess exposures and plan remediation.
can transfer operational risk and financial impacts associated with that risk; however, legal responsibility for the consequences of compromise generally remains with the original entity.
Who should be assigned as data owner?
The owner of the information asset should be the individual with the decision-making power in the department deriving the most benefit from the asset.
The value of any business asset is generally based on:
its contribution to generating revenues for the organization, both now and in the future
attacks inject malformed input
Controls are effective when:
residual risk is at a level acceptable to the organization.
The purpose of controls:
to bring residual risk to acceptable levels
asset classification is based on:
the criticality and sensitivity of information assets with the goal of providing the appropriate, and therefore proportional, degree of protection.
Operational risk is the risk to an organization as a result of its internal and external operations (ex: Distributed Denial of Service attack)
Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following?
After completing a full IT risk assessment, who is in the BEST position to decide which mitigating controls should be implemented?
A challenge/response mechanism
prevents replay attacks by sending a different random challenge in each authentication event. The response is linked to that challenge
Risk analysis explores
the degree to which an asset needs protecting so this can be managed effectively.
A network vulnerability assessment intends to identify
known vulnerabilities based on common misconfigurations and missing updates.
A wired equivalent privacy key
- will not prevent sniffing
- it will take the attacker longer to break the WEP key if he/she does not already have it. Therefore, it will not be able to prevent recording and replaying an authentication handshake.
Hypertext Transfer Protocol basic authentication
is cleartext and has no mechanisms to prevent replay.
A business impact analysis is the BEST tool for determining:
priority of restoration
A mature organization will have a complete suite of policies and standards, and inconsistent risk treatment is most likely to be _______________
inconsistent compliance with standards
Attackers who exploit cross-site scripting vulnerabilities take advantage of:
a lack of proper input validation controls
Attackers who exploit flawed cryptographic Secure Sockets Layer implementations and short key lengths can ______________
sniff network traffic and crack keys to gain unauthorized access to information
The MOST effective use of a risk register is to:
facilitate a thorough review of all IT-related risk on a periodic basis
should be used as a tool to ensure comprehensive documentation, periodic review and formal update of all risk elements in the enterprise's IT and related organization.
Conflicts between a security standard and a business objective should be resolved based on __________
a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard.
The value of any business asset is generally based on __________
its contribution to generating revenues for the organization, both now and in the future.
Segmenting data reduces ______
the quantity of data exposed as a result of a particular event
Change management is ____________
the overall process to assess and control risk scenarios introduced by changes
Information security managers should use risk assessment techniques to __________
justify and implement a risk mitigation strategy as efficiently as possible.
a framework for management of an information security management system (ISMS), but not for conducting risk assessments
- a compensating control can be permitted if it meets the intent of the original control
- another control cannot be used as a compensating control for another control
- compensating controls are valid for only one year
- does not require independent validation of a compensating control
Which member of a cyber-risk steering committee should have veto power for specific cyber-risk decisions?
The business owner for a relevant business process or system
is a methodology for conducting a risk assessment in an organization or part of an organization.
Which of the following represents the best considerations for classifying assets in a global e-commerce organization?
Knowing whether assets contain cardholder data, PII, and encryption keys
is an IT process framework, not a security controls framework (although it does contain some security processes).
The most effective way for a legal team to stay abreast of new and changing security- and privacy-related laws and regulations is to ___________
subscribe to one of several good services that provide this information at a fraction of the cost of paying attorneys or paralegals to conduct this research on their own
A risk tolerance guideline or policy (also known as risk appetite) can help management ___________________
better understand what types of risks may be accepted, and which should be mitigated, transferred, or avoided.
The best and highest purpose for remediating audit deficiencies is _________
What is the purpose for an information security team to partner with the procurement team in an organization?
Develop requirements for new service providers
risks associated with the use of open source software source code
Availability of technical support, back doors, and other exploitable vulnerabilities
What is the best means for discovering many, if not all, of the third-party service providers being used by the organization?
use of a cloud access security broker (CASB)