CISM : Certified Information Security Manager : Part 19

  1. An organization’s marketing department wants to use an online collaboration service which is not in compliance with the information security policy. A risk assessment is performed, and risk acceptance is being pursued. Approval of risk acceptance should be provided by:

    • the information security manager
    • business senior management
    • the chief risk officer
    • the compliance officer.
  2. The risk of mishandling alerts identified by an intrusion detection system (IDS) would be the GREATEST when:

    • standard operating procedures are not formalized.
    • the IT infrastructure is diverse.
    • IDS sensors are misconfigured.
    • operations and monitoring are handled by different teams.
  3. An information security manager has been informed of a new vulnerability in an online banking application, and a patch to resolve this issue is expected to be released in the next 72 hours. The information security manager’s MOST important course of action should be to:

    • assess the risk and advise senior management.
    • identify and implement mitigating controls.
    • run the application system in offline mode.
    • perform a business impact analysis (BIA).
  4. An information security manager has recently been notified of potential security risks associated with a third-party service provider. What should be done NEXT to address this concern?

    • Conduct a risk analysis
    • Escalate to the chief risk officer
    • Conduct a vulnerability analysis
    • Determine compensating controls
  5. In risk assessment, after the identification of threats to organizational assets, the information security manager would:

    • evaluate the controls currently in place.
    • implement controls to achieve target risk levels.
    • request funding for the security program.
    • determine threats to be reported to upper management.
  6. During a security assessment, an information security manager finds a number of security patches were not installed on a server hosting a critical business application. The application owner did not approve the patch installation to avoid interrupting the application.

    Which of the following should be the information security manager’s FIRST course of action?

    • Escalate the risk to senior management.
    • Communicate the potential impact to the application owner.
    • Report the risk to the information security steering committee.
    • Determine mitigation options with IT management.
  7. Risk identification, analysis, and mitigation activities can BEST be integrated into business life cycle processes by linking them to:

    • compliance testing
    • configuration management
    • continuity planning
    • change management
  8. Which of the following is the PRIMARY reason for performing an analysis of the threat landscape on a regular basis?

    • To determine the basis for proposing an increase in security budgets.
    • To determine if existing business continuity plans are adequate.
    • To determine if existing vulnerabilities present a risk.
    • To determine critical information for executive management.
  9. Which of the following would BEST justify spending for a compensating control?

    • Threat analysis
    • Risk analysis
    • Peer benchmarking
    • Vulnerability analysis
  10. After undertaking a security assessment of a production system, the information security manager is MOST likely to:

    • inform the system owner of any residual risks and propose measures to reduce them.
    • inform the development team of any residual risks, and together formulate risk reduction measures.
    • inform the IT manager of the residual risks and propose measures to reduce them.
    • establish an overall security program that minimizes the residual risks of that production system.
  11. Mitigating technology risks to acceptable levels should be based PRIMARILY upon:

    • business process reengineering.
    • business process requirement.
    • legal and regulatory requirements.
    • information security budget.
  12. After assessing risk, the decision to treat the risk should be based PRIMARILY on:

    • availability of financial resources.
    • whether the level of risk exceeds risk appetite.
    • whether the level of risk exceeds inherent risk.
    • the criticality of the risk.
  13. Which of the following is the MOST important prerequisite to performing an information security risk assessment?

    • Classifying assets
    • Determining risk tolerance
    • Reviewing the business impact analysis
    • Assessing threats and vulnerabilities
  14. When preventative controls to appropriately mitigate risk are not feasible, which of the following is the MOST important action for the information security manager to perform?

    • Assess vulnerabilities.
    • Manage the impact.
    • Evaluate potential threats.
    • Identify unacceptable risk levels.
  15. Reevaluation of risk is MOST critical when there is:

    • a change in security policy.
    • resistance to the implementation of mitigating controls.
    • a change in the threat landscape.
    • a management request for updated security reports.
  16. An information security manager finds that a soon-to-be deployed online application will increase risk beyond acceptable levels, and necessary controls have not been included. Which of the following is the BEST course of action for the information security manager?

    • Present a business case for additional controls to senior management.
    • Instruct IT to deploy controls based on urgent business needs.
    • Solicit bids for compensating control products.
    • Recommend a different application.
  17. Which of the following is the GREATEST risk of single sign-on?

    • It is a single point of failure for an enterprise access control process.
    • Password carelessness by one user may render the entire infrastructure vulnerable.
    • Integration of single sign-on with the rest of the infrastructure is complicated.
    • One administrator maintains the single sign-on solutions without segregation of duty.
  18. Which of the following is the MOST important reason for performing a risk analysis?

    • Assigning the appropriate level of protection
    • Identifying critical information assets
    • Identifying and eliminating threats
    • Promoting increased security awareness in the organization
  19. Deciding the level of protection a particular asset should be given is BEST determined by:

    • a threat assessment.
    • a vulnerability assessment.
    • a risk analysis.
    • the corporate risk appetite.
  20. A risk profile supports effective security decisions PRIMARILY because it:

    • defines how to best mitigate future risks.
    • identifies priorities for risk reduction.
    • enables comparison with industry best practices.
    • describes security threats.