Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 18

  1. Which of the following approaches is BEST for selecting controls to minimize information security risks?

    • Cost-benefit analysis
    • Control effectiveness
    • Risk assessment
    • Industry best practices
  2. Which of the following is the MOST appropriate course of action when the risk occurrence rate is low but the impact is high?

    • Risk transfer
    • Risk acceptance
    • Risk mitigation
    • Risk avoidance
  3. Which of the following is the MOST effective way to communicate information security risk to senior management?

    • Business impact analysis
    • Balanced scorecard
    • Key performance indicators (KPIs)
    • Heat map
  4. Security risk assessments should cover only information assets that:

    • are classified and labeled.
    • are inside the organization.
    • support business processes.
    • have tangible value.
  5. Which of the following is an indicator of improvement in the ability to identify security risks?

    • Increased number of reported security incidents.
    • Decreased number of staff requiring information security training.
    • Decreased number of information security risk assessments.
    • Increased number of security audit issues resolved.
  6. Which of the following is the MOST important step in risk ranking?

    • Impact assessment
    • Mitigation cost
    • Threat assessment
    • Vulnerability analysis
  7. An organization is considering moving one of its critical business applications to a cloud hosting service. The cloud provider may not provide the same level of security for this application as the organization currently does. Which of the following will provide the BEST information to help maintain the security posture?

    • Risk assessment
    • Cloud security strategy
    • Vulnerability assessment
    • Risk governance framework
  8. Following a significant change to the underlying code of an application, it is MOST important for the information security manager to:

    • inform senior management
    • update the risk assessment
    • validate the user acceptance testing (UAT)
    • modify key risk indicators (KRIs)
  9. Which of the following would BEST mitigate identified vulnerabilities in a timely manner?

    • Continuous vulnerability monitoring tool
    • Categorization of the vulnerabilities based on system criticality
    • Monitoring of key risk indicators (KRIs)
    • Action plan with responsibilities and deadlines

    Explanation:
    One approach seeing increasing use is to report and monitor risk through the use of key risk indicators (KRIs). KRIs can be defined as measures that, in some manner, indicate when an enterprise is subject to risk that exceeds a defined risk level. Typically, these indicators are trends in factors known to increase risk and are generally developed based on experience. They can range from increasing absenteeism or increased turnover in key employees to rising levels of security events or incidents.

  10. Risk assessment should be conducted on a continuing basis because:

    • controls change on a continuing basis
    • the number of hacking incidents is increasing
    • management should be updated about changes in risk
    • factors that affect information security change
  11. Which of the following BEST illustrates residual risk within an organization?

    • Risk management framework
    • Risk register
    • Business impact analysis
    • Heat map
  12. Following a recent acquisition, an information security manager has been requested to address the outstanding risk reported early in the acquisition process. Which of the following would be the manager’s BEST course of action?

    • Add the outstanding risk to the acquiring organization’s risk registry.
    • Re-assess the outstanding risk of the acquired company.
    • Re-evaluate the risk treatment plan for the outstanding risk.
    • Perform a vulnerability assessment of the acquired company’s infrastructure.
  13. An organization has recently experienced unauthorized device access to its network. To proactively manage the problem and mitigate this risk, the BEST preventive control would be to:

    • keep an inventory of network and hardware addresses of all systems connected to the network.
    • install a stateful inspection firewall to prevent unauthorized network traffic.
    • implement network-level authentication and login to regulate access of devices to the network.
    • deploy an automated asset inventory discovery tool to identify devices that access the network.
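    The two inventory-based options in question 13 both amount to reconciling what is actually seen on the network against a list of known hardware addresses. The script below is an added illustration, not part of the original quiz page, of that reconciliation over a few constructed `arp -a`-style lines and a hypothetical inventory. It also shows the limit of the approach: the check only fires after a device has already obtained an address, and a MAC address can be cloned, which is why the question treats inventory and discovery as detective measures and network-level device authentication (802.1X is assumed here as the usual mechanism) as the preventive control.

```python
"""Reconcile devices observed on the network against an authorized asset inventory.

Added example, not code from the original page. The inventory, the ARP lines and
the hostnames below are constructed sample data, and 802.1X is assumed as the
"network-level authentication" the question refers to.
"""
import re
from dataclasses import dataclass

# Constructed authorized inventory: MAC -> (hostname, owner). Hypothetical values.
AUTHORIZED = {
    "00:1a:2b:3c:4d:5e": ("ws-fin-01", "finance"),
    "00:1A:2B:3C:4D:5F": ("ws-fin-02", "finance"),   # upper case on purpose
    "a4:5e:60:00:11:22": ("printer-hq-1", "facilities"),
}

# Constructed Linux `arp -a` output: "host (ip) at mac [ether] on iface".
SAMPLE_ARP = """\
ws-fin-01.corp.example (10.10.1.21) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (10.10.1.22) at 00:1a:2b:3c:4d:5f [ether] on eth0
? (10.10.1.77) at de:ad:be:ef:00:01 [ether] on eth0
printer-hq-1.corp.example (10.10.1.50) at A4:5E:60:00:11:22 [ether] on eth0
? (10.10.1.99) at <incomplete> on eth0
"""

# IPv4 in parentheses followed by "at <mac>"; "<incomplete>" entries do not match.
ARP_RE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
)


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    status: str   # "authorized" or "unauthorized"
    label: str    # hostname from the inventory, "" when unknown


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 00:1A:.. and 00:1a:.. compare equal."""
    return mac.strip().lower()


def parse_arp(text: str) -> list[tuple[str, str]]:
    """Return (ip, mac) pairs; entries without a resolved MAC are skipped."""
    pairs = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            pairs.append((m.group("ip"), normalize_mac(m.group("mac"))))
    return pairs


def reconcile(arp_text: str, inventory: dict[str, tuple[str, str]]) -> list[Finding]:
    """Tag every observed device as authorized (in inventory) or unauthorized."""
    known = {normalize_mac(k): v for k, v in inventory.items()}
    findings = []
    for ip, mac in parse_arp(arp_text):
        if mac in known:
            findings.append(Finding(ip, mac, "authorized", known[mac][0]))
        else:
            findings.append(Finding(ip, mac, "unauthorized", ""))
    return findings


def unauthorized(arp_text: str, inventory: dict[str, tuple[str, str]] = AUTHORIZED) -> list[Finding]:
    """Only the devices that should not be on the network (detective output)."""
    return [f for f in reconcile(arp_text, inventory) if f.status == "unauthorized"]


if __name__ == "__main__":
    for f in reconcile(SAMPLE_ARP, AUTHORIZED):
        print(f"{f.ip:<14} {f.mac}  {f.status:<12} {f.label}")
```

Note that the device at 10.10.1.77 is reported only because its address is absent from the list; an attacker who copies an inventoried MAC passes this check unchanged, so the reconciliation complements, rather than replaces, authenticated network access.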
  14. A core business unit relies on an effective legacy system that does not meet the current security standards and threatens the enterprise network. Which of the following is the BEST course of action to address the situation?

    • Document the deficiencies in the risk register.
    • Disconnect the legacy system from the rest of the network.
    • Require that new systems that can meet the standards be implemented.
    • Develop processes to compensate for the deficiencies.
  15. Which of the following is the PRIMARY goal of a risk management program?

    • Implement preventive controls against threats.
    • Manage the business impact of inherent risks.
    • Manage compliance with organizational policies.
    • Reduce the organization’s risk appetite.
  16. A risk management program will be MOST effective when:

    • risk appetite is sustained for a long period
    • risk assessments are repeated periodically
    • risk assessments are conducted by a third party
    • business units are involved in risk assessments
  17. The objective of risk management is to reduce risk to the minimum level that is:

    • compliant with security policies
    • practical given industry and regulatory environments.
    • achievable from technical and financial perspectives.
    • acceptable given the preference of the organization.
  18. The MOST important objective of monitoring key risk indicators (KRIs) related to information security is to:

    • identify change in security exposures.
    • reduce risk management costs.
    • meet regulatory compliance requirements.
    • minimize the loss from security incidents.
  19. Which of the following would be MOST helpful in determining an organization’s current capacity to mitigate risk?

    • Capability maturity model
    • Business impact analysis
    • IT security risk and exposure
    • Vulnerability assessment
  20. Several significant risks have been identified after a centralized risk register was compiled and prioritized. The information security manager’s MOST important action is to:

    • provide senior management with risk treatment options.
    • design and implement controls to reduce the risk.
    • consult external third parties on how to treat the risk.
    • ensure that employees are aware of the risk.