Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 16

  1. Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?

    • User assessments of changes
    • Comparison of the program results with industry standards
    • Assignment of risk within the organization
    • Participation by all members of the organization

    Effective risk management requires participation, support and acceptance by all applicable members of the organization, beginning with the executive levels. Personnel must understand their responsibilities and be trained on how to fulfill their roles.

  2. The MOST effective use of a risk register is to:

    • identify risks and assign roles and responsibilities for mitigation.
    • identify threats and probabilities.
    • facilitate a thorough review of all IT-related risks on a periodic basis.
    • record the annualized financial amount of expected losses due to risks.
    A risk register is more than a simple list — it should lie used as a tool to ensure comprehensive documentation, periodic review and formal update of all risk elements in the enterprise’s IT and related organization. Identifying risks and assigning roles and responsibilities for mitigation are elements of the register. Identifying threats and probabilities are two elements that are defined in the risk matrix, as differentiated from the broader scope of content in, and purpose for, the risk register. While the annualized loss expectancy (ALE) should be included in the register, this quantification is only a single element in the overall risk analysis program.
  3. After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program?

    • Define security metrics
    • Conduct a risk assessment
    • Perform a gap analysis
    • Procure security tools
    When establishing an information security program, conducting a risk assessment is key to identifying the needs of the organization and developing a security strategy. Defining security metrics, performing a gap analysis and procuring security tools are all subsequent considerations.
  4. Which of the following are the essential ingredients of a business impact analysis (B1A)?

    • Downtime tolerance, resources and criticality
    • Cost of business outages in a year as a factor of the security budget
    • Business continuity testing methodology being deployed
    • Structure of the crisis management team
    The main purpose of a BIA is to measure the downtime tolerance, associated resources and criticality of a business function. Options B, C and D are all associated with business continuity planning, but are not related to the BIA.
  5. A risk management approach to information protection is:

    • managing risks to an acceptable level, commensurate with goals and objectives.
    • accepting the security posture provided by commercial security products.
    • implementing a training program to educate individuals on information protection and risks.
    • managing risk tools to ensure that they assess all information protection vulnerabilities.
    Risk management is identifying all risks within an organization, establishing an acceptable level of risk and effectively managing risks which may include mitigation or transfer. Accepting the security- posture provided by commercial security products is an approach that would be limited to technology components and may not address all business operations of the organization. Education is a part of the overall risk management process. Tools may be limited to technology and would not address non-technology risks.
  6. Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level?

    • Implement countermeasures.
    • Eliminate the risk.
    • Transfer the risk.
    • Accept the risk.
    Risks are typically transferred to insurance companies when the probability of an incident is low but the impact is high. Examples include: hurricanes, tornados and earthquakes. Implementing countermeasures may not be the most cost-effective approach to security management. Eliminating the risk may not be possible. Accepting the risk would leave the organization vulnerable to a catastrophic disaster which may cripple or ruin the organization. It would be more cost effective to pay recurring insurance costs than to be affected by a disaster from which the organization cannot financially recover.
  7. To ensure that payroll systems continue on in an event of a hurricane hitting a data center, what would be the FIRS T crucial step an information security manager would take in ensuring business continuity planning?

    • Conducting a qualitative and quantitative risk analysis.
    • Assigning value to the assets.
    • Weighing the cost of implementing the plan vs. financial loss.
    • Conducting a business impact analysis (BIA).
    BIA is an essential component of an organization’s business continuity plan; it includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk. It is the first crucial step in business continuity planning. Qualitative and quantitative risk analysis will have been completed to define the dangers to individuals, businesses and government agencies posed by potential natural and human-caused adverse events. Assigning value to assets is part of the BIA process. Weighing the cost of implementing the plan vs. financial loss is another part of the BIA.
  8. An information security organization should PRIMARILY:

    • support the business objectives of the company by providing security-related support services.
    • be responsible for setting up and documenting the information security responsibilities of the information security team members.
    • ensure that the information security policies of the company are in line with global best practices and standards.
    • ensure that the information security expectations are conveyed to employees.
    The information security organization is responsible for options B and D within an organization, but they are not its primary mission. Reviewing and adopting appropriate standards (option C) is a requirement. The primary objective of an information security organization is to ensure that security supports the overall business objectives of the company.
  9. When implementing security controls, an information security manager must PRIMARILY focus on:

    • minimizing operational impacts.
    • eliminating all vulnerabilities.
    • usage by similar organizations.
    • certification from a third party.
    Security controls must be compatible with business needs. It is not feasible to eliminate all vulnerabilities. Usage by similar organizations does not guarantee that controls are adequate. Certification by a third party is important, but not a primary concern.
  10. All risk management activities are PRIMARILY designed to reduce impacts to:

    • a level defined by the security manager.
    • an acceptable level based on organizational risk tolerance.
    • a minimum level consistent with regulatory requirements.
    • the minimum level possible.
    The aim of risk management is to reduce impacts to an acceptable level. “Acceptable” or “reasonable” are relative terms that can vary based on environment and circumstances. A minimum level that is consistent with regulatory requirements may not be consistent with business objectives, and regulators typically do not assign risk levels. The minimum level possible may not be aligned with business requirements.
  11. After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?

    • Information security officer
    • Chief information officer (CIO)
    • Business owner
    • Chief executive officer (CFO)
    The business owner of the application needs to understand and accept the residual application risks.
  12. The purpose of a corrective control is to:

    • reduce adverse events.
    • indicate compromise.
    • mitigate impact.
    • ensure compliance.
    Corrective controls serve to reduce or mitigate impacts, such as providing recovery capabilities. Preventive controls reduce adverse events, such as firewalls. Compromise can be detected by detective controls, such as intrusion detection systems (IDSs). Compliance could be ensured by preventive controls, such as access controls.
  13. Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?

    • Performing a business impact analysis (BIA)
    • Considering personal information devices as pan of the security policy
    • Initiating IT security training and familiarization
    • Basing the information security infrastructure on risk assessment
    The information security infrastructure should be based on risk. While considering personal information devices as part of the security policy may be a consideration, it is not the most important requirement. A BIA is typically carried out to prioritize business processes as part of a business continuity plan. Initiating IT security training may not be important for the purpose of the information security infrastructure.
  14. Previously accepted risk should be:

    • re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions.
    • accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable.
    • avoided next time since risk avoidance provides the best protection to the company.
    • removed from the risk log once it is accepted.
    Acceptance of risk should be regularly reviewed to ensure that the rationale for the initial risk acceptance is still valid within the current business context. The rationale for initial risk acceptance may no longer be valid due to change(s) and. hence, risk cannot be accepted permanently. Risk is an inherent part of business and it is impractical and costly to eliminate all risk. Even risks that have been accepted should be monitored for changing conditions that could alter the original decision.
  15. An information security manager is advised by contacts in law enforcement that there is evidence that his/ her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:

    • perform a comprehensive assessment of the organization’s exposure to the hacker’s techniques.
    • initiate awareness training to counter social engineering.
    • immediately advise senior management of the elevated risk.
    • increase monitoring activities to provide early detection of intrusion.
    Information about possible significant new risks from credible sources should be provided to management along with advice on steps that need to be taken to counter the threat. The security manager should assess the risk, but senior management should be immediately advised. It may be prudent to initiate an awareness campaign subsequent to sounding the alarm if awareness training is not current. Monitoring activities should also be increased.
  16. Which of the following steps should be performed FIRST in the risk assessment process?

    • Staff interviews
    • Threat identification
    • Asset identification and valuation
    • Determination of the likelihood of identified risks
    The first step in the risk assessment methodology is a system characterization, or identification and valuation, of all of the enterprise’s assets to define the boundaries of the assessment. Interviewing is a valuable tool to determine qualitative information about an organization’s objectives and tolerance for risk. Interviews are used in subsequent steps. Identification of threats comes later in the process and should not be performed prior to an inventory since many possible threats will not be applicable if there is no asset at risk. Determination of likelihood comes later in the risk assessment process.
  17. Which of the following authentication methods prevents authentication replay?

    • Password hash implementation
    • Challenge/response mechanism
    • Wired Equivalent Privacy (WEP) encryption usage
    • HTTP Basic Authentication
    A challenge/response mechanism prevents replay attacks by sending a different random challenge in each authentication event. The response is linked to that challenge. Therefore, capturing the authentication handshake and replaying it through the network will not work. Using hashes by itself will not prevent a replay. A WEP key will not prevent sniffing (it just takes a few more minutes to break the WEP key if the attacker does not already have it) and therefore will not be able to prevent recording and replaying an authentication handshake. HTTP Basic Authentication is clear text and has no mechanisms to prevent replay.
  18. An organization has a process in place that involves the use of a vendor. A risk assessment was completed during the development of the process. A year after the implementation a monetary decision has been made to use a different vendor. What, if anything, should occur?

    • Nothing, since a risk assessment was completed during development.
    • A vulnerability assessment should be conducted.
    • A new risk assessment should be performed.
    • The new vendor’s SAS 70 type II report should be reviewed.
    The risk assessment process is continual and any changes to an established process should include a new- risk assessment. While a review of the SAS 70 report and a vulnerability assessment may be components of a risk assessment, neither would constitute sufficient due diligence on its own.
  19. Which of the following is MOST important to consider when developing a business case to support the investment in an information security program?

    • Senior management support
    • Results of a cost-benefit analysis
    • Results of a risk assessment
    • Impact on the risk profile
    The information security manager must understand the business risk profile of the organization. No model provides a complete picture, but logically categorizing the risk areas of an organization facilitates focusing on key risk management strategies and decisions. It also enables the organization to develop and implement risk treatment approaches that are relevant to the business and cost effective.
  20. It is MOST important for an information security manager to ensure that security risk assessments are performed:

    • consistently throughout the enterprise
    • during a root cause analysis
    • as part of the security business case
    • in response to the threat landscape
    Reference: (14)