Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 13

  1. The PRIMARY benefit of performing an information asset classification is to:

    • link security requirements to business objectives.
    • identify controls commensurate to risk.
    • define access rights.
    • establish ownership.
    All choices are benefits of information classification. However, identifying controls that are proportional to the risk in all cases is the primary benefit of the process.

  2. Which of the following is MOST essential for a risk management program to be effective?

    • Flexible security budget
    • Sound risk baseline
    • New risks detection
    • Accurate risk reporting

    All of these procedures are essential for implementing risk management. However, without identifying new risks, other procedures will only be useful for a limited period.

  3. Which of the following attacks is BEST mitigated by utilizing strong passwords?

    • Man-in-the-middle attack
    • Brute force attack
    • Remote buffer overflow
    • Root kit

    A brute force attack is normally successful against weak passwords, whereas strong passwords would not prevent any of the other attacks. Man-in-the-middle attacks intercept network traffic, which could contain passwords, but the traffic itself is not naturally password-protected. Remote buffer overflows rarely require a password to exploit a remote host. Root kits hook into the operating system’s kernel and, therefore, operate underneath any authentication mechanism.

  4. Phishing is BEST mitigated by which of the following?

    • Security monitoring software
    • Encryption
    • Two-factor authentication
    • User awareness

    Phishing can best be detected by the user. It can be mitigated by appropriate user awareness. Security monitoring software would provide some protection, but would not be as effective as user awareness. Encryption and two-factor authentication would not mitigate this threat.

  5. The security responsibility of data custodians in an organization will include:

    • assuming overall protection of information assets.
    • determining data classification levels.
    • implementing security controls in products they install.
    • ensuring security measures are consistent with policy.

    Security responsibilities of data custodians within an organization include ensuring that appropriate security measures are maintained and are consistent with organizational policy. Executive management holds overall responsibility for protection of the information assets. Data owners determine data classification levels for information assets so that appropriate levels of controls can be provided to meet the requirements relating to confidentiality, integrity and availability. Implementation of information security in products is the responsibility of the IT developers.

  6. A security risk assessment exercise should be repeated at regular intervals because:

    • business threats are constantly changing.
    • omissions in earlier assessments can be addressed.
    • repetitive assessments allow various methodologies.
    • they help raise awareness on security in the business.

    As business objectives and methods change, the nature and relevance of threats change as well. Choice B does not, by itself, justify regular reassessment. Choice C is not necessarily true in all cases. Choice D is incorrect because there are better ways of raising security awareness than by performing a risk assessment.

  7. Which of the following steps in conducting a risk assessment should be performed FIRST?

    • Identify business assets
    • Identify business risks
    • Assess vulnerabilities
    • Evaluate key controls

    Risk assessment first requires one to identify the business assets that need to be protected before identifying the threats. The next step is to establish whether those threats represent business risk by identifying the likelihood and effect of occurrence, followed by assessing the vulnerabilities that may affect the security of the asset. This process establishes the control objectives against which key controls can be evaluated.

  8. The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:

    • periodically testing the incident response plans.
    • regularly testing the intrusion detection system (IDS).
    • establishing mandatory training of all personnel.
    • periodically reviewing incident response procedures.

    Security incident response plans should be tested to find any deficiencies and improve existing processes. Testing the intrusion detection system (IDS) is a good practice but would not have prevented this situation. All personnel need to go through formal training to ensure that they understand the process, tools and methodology involved in handling security incidents. However, testing of the actual plans is more effective in ensuring the process works as intended. Reviewing the response procedures is not enough; the security response plan needs to be tested on a regular basis.

  9. Which of the following risks is represented in the risk appetite of an organization?

    • Control
    • Inherent
    • Residual
    • Audit

    Residual risk is unmanaged, i.e., inherent risk which remains uncontrolled. This is key to the organization’s risk appetite and is the amount of residual risk that a business is living with that affects its viability. Hence, inherent risk is incorrect. Control risk, the potential for controls to fail, and audit risk, which relates only to audit’s approach to their work, are not relevant in this context.

  10. Which of the following would a security manager establish to determine the target for restoration of normal processing?

    • Recovery time objective (RTO)
    • Maximum tolerable outage (MTO)
    • Recovery point objectives (RPOs)
    • Services delivery objectives (SDOs)

    Recovery time objective (RTO) is the length of time from the moment of an interruption until the time the process must be functioning at a service level sufficient to limit financial and operational impacts to an acceptable level. Maximum tolerable outage (MTO) is the maximum time for which an organization can operate in a reduced mode. Recovery point objectives (RPOs) relate to the age of the data required for recovery. Services delivery objectives (SDOs) are the levels of service required in reduced mode.

  11. A risk management program would be expected to:

    • remove all inherent risk.
    • maintain residual risk at an acceptable level.
    • implement preventive controls for every threat.
    • reduce control risk to zero.

    The object of risk management is to ensure that all residual risk is maintained at a level acceptable to the business; it is not intended to remove every identified risk or implement controls for every threat since this may not be cost-effective. Control risk, i.e., that a control may not be effective, is a component of the program but is unlikely to be reduced to zero.

  12. Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?

    • Programming
    • Specification
    • User testing
    • Feasibility

    Risk should be addressed as early as possible in the development cycle. The feasibility study should include risk assessment so that the cost of controls can be estimated before the project proceeds. Risk should also be considered in the specification phase where the controls are designed, but this would still be based on the assessment carried out in the feasibility study. Assessment would not be relevant in choice A or C.

  13. Which of the following would help management determine the resources needed to mitigate a risk to the organization?

    • Risk analysis process
    • Business impact analysis (BIA)
    • Risk management balanced scorecard
    • Risk-based audit program

    The business impact analysis (BIA) determines the possible outcome of a risk and is essential to determine the appropriate cost of control. The risk analysis process provides comprehensive data, but does not determine definite resources to mitigate the risk as does the BIA. The risk management balanced scorecard is a measuring tool for goal attainment. A risk-based audit program is used to focus the audit process on the areas of greatest importance to the organization.

  14. A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that:

    • there are sufficient safeguards in place to prevent this risk from happening.
    • the needed countermeasure is too complicated to deploy.
    • the cost of countermeasure outweighs the value of the asset and potential loss.
    • the likelihood of the risk occurring is unknown.

    An organization may decide to live with specific risks because it would cost more to protect itself than the value of the potential loss. The safeguards need to match the risk level. While countermeasures could be too complicated to deploy, this is not the most compelling reason. It is unlikely that a global financial institution would not be exposed to such attacks, and the frequency could not be predicted.

  15. Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?

    • Number of controls implemented
    • Percent of control objectives accomplished
    • Percent of compliance with the security policy
    • Reduction in the number of reported security incidents

    Control objectives are directly related to business objectives; therefore, they would be the best metrics. Number of controls implemented does not have a direct relationship with the results of a security program. Percentage of compliance with the security policy and reduction in the number of security incidents are not as broad as choice B.

  16. Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a large, multinational enterprise?

    • Strategic business plan
    • Upcoming financial results
    • Customer personal information
    • Previous financial results

    Previous financial results are public; all of the other choices are private information and should only be accessed by authorized entities.

  17. The PRIMARY purpose of using risk analysis within a security program is to:

    • justify the security expenditure.
    • help businesses prioritize the assets to be protected.
    • inform executive management of residual risk value.
    • assess exposures and plan remediation.

    Risk analysis explores the degree to which an asset needs protecting so this can be managed effectively. Risk analysis indirectly supports the security expenditure, but justifying the security expenditure is not its primary purpose. Helping businesses prioritize the assets to be protected is an indirect benefit of risk analysis, but not its primary purpose. Informing executive management of residual risk value is not directly relevant.

  18. Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?

    • Defining job roles
    • Performing a risk assessment
    • Identifying data owners
    • Establishing data retention policies

    Identifying the data owners is the first step, and is essential to implementing data classification. Defining job roles is not relevant. Performing a risk assessment is important, but will require the participation of data owners (who must first be identified). Establishing data retention policies may occur after data have been classified.

  19. An online banking institution is concerned that the breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to:

    • mitigate the impact by purchasing insurance.
    • implement a circuit-level firewall to protect the network.
    • increase the resiliency of security measures in place.
    • implement a real-time intrusion detection system.

    Since residual risk will always be too high, the only practical solution is to mitigate the financial impact by purchasing insurance.

  20. What mechanisms are used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system?

    • Business impact analyses
    • Security gap analyses
    • System performance metrics
    • Incident response processes

    A security gap analysis is a process which measures all security controls in place against typically good business practice, and identifies related weaknesses. A business impact analysis is less suited to identify security deficiencies. System performance metrics may indicate security weaknesses, but that is not their primary purpose. Incident response processes exist for cases where security weaknesses are exploited.