Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 20
Which of the following would be the MOST effective to mitigate the risk of data loss in the event of a stolen laptop?
- Providing end-user awareness training focused on travelling with laptops
- Deploying end-point data loss prevention software on the laptop
- Encrypting the hard drive
- Utilizing a strong password
Which of the following is the BEST method for determining whether new risks exist in legacy applications?
- Regularly scheduled risk assessments
- Automated vulnerability scans
- Third-party penetration testing
- Frequent updates to the risk register
Which of the following processes can be used to remediate identified technical vulnerabilities?
- Running baseline configurations
- Conducting a risk assessment
- Performing a business impact analysis (BIA)
- Running automated scanners
Which of the following would provide senior management with the BEST information to better understand the organization’s information security risk profile?
- Scenarios that impact business operations
- Scenarios that disrupt client services
- Scenarios that impact business goals
- Scenarios that have a monetary impact
A software vendor has announced a zero-day vulnerability that exposes an organization’s critical business systems, following should be the information security manager’s PRIMARY concern?
- Business tolerance of downtime
- Adequacy of the incident response plan
- Availability of resources to implement controls
- Ability to test patches prior to deployment
Which of the following is the MOST important action when using a web application that has recognized vulnerabilities?
- Deploy an application firewall.
- Deploy host-based intrusion detection.
- Install anti-spyware software.
- Monitor application level logs.
Which of the following is the MOST effective mitigation strategy to protect confidential information from insider threats?
- Performing an entitlement review process
- Implementing authentication mechanisms
- Defining segregation of duties
- Establishing authorization controls
Which of the following is the BEST indicator of a successful external intrusion into computer systems?
- Unexpected use of protocols within the DMZ.
- Unexpected increase of malformed URLs.
- Decrease in the number of login failures.
- Spikes in the number of login failures.
The likelihood of a successful attack is a function of:
- incentive and capability of the intruder
- opportunity and asset value
- threat and vulnerability levels
- value and desirability to the intruder
A risk mitigation report would include recommendations for:
Acceptance of a risk is an alternative to be considered in the risk mitigation process. Assessment. evaluation and risk quantification are components of the risk analysis process that are completed prior to determining risk mitigation solutions.
A risk management program should reduce risk to:
- an acceptable level.
- an acceptable percent of revenue.
- an acceptable probability of occurrence.
Risk should be reduced to an acceptable level based on the risk preference of the organization. Reducing risk to zero is impractical and could be cost-prohibitive. Tying risk to a percentage of revenue is inadvisable since there is no direct correlation between the two. Reducing the probability of risk occurrence may not always be possible, as in the ease of natural disasters. The focus should be on reducing the impact to an acceptable level to the organization, not reducing the probability of the risk.
The MOST important reason for conducting periodic risk assessments is because:
- risk assessments are not always precise.
- security risks are subject to frequent change.
- reviewers can optimize and reduce the cost of controls.
- it demonstrates to senior management that the security function can add value.
Risks are constantly changing. A previously conducted risk assessment may not include measured risks that have been introduced since the last assessment. Although an assessment can never be perfect and invariably contains some errors, this is not the most important reason for periodic reassessment. The fact that controls can be made more efficient to reduce costs is not sufficient. Finally, risk assessments should not be performed merely to justify the existence of the security function.
Which of the following BEST indicates a successful risk management practice?
- Overall risk is quantified
- Inherent risk is eliminated
- Residual risk is minimized
- Control risk is tied to business units
A successful risk management practice minimizes the residual risk to the organization. Choice A is incorrect because the fact that overall risk has been quantified does not necessarily indicate the existence of a successful risk management practice. Choice B is incorrect since it is virtually impossible to eliminate inherent risk. Choice D is incorrect because, although the tying of control risks to business may improve accountability, this is not as desirable as minimizing residual risk.
Which of the following would generally have the GREATEST negative impact on an organization?
- Theft of computer software
- Interruption of utility services
- Loss of customer confidence
- Internal fraud resulting in monetary loss
Although the theft of software, interruption of utility services and internal frauds are all significant, the loss of customer confidence is the most damaging and could cause the business to fail.
A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures?
- Risk analysis results
- Audit report findings
- Penetration test results
- Amount of IT budget available
Risk analysis results are the most useful and complete source of information for determining the amount of resources to devote to mitigating exposures. Audit report findings may not address all risks and do not address annual loss frequency. Penetration test results provide only a limited view of exposures, while the IT budget is not tied to the exposures faced by the organization.
Which of the following will BEST protect an organization from internal security attacks?
- Static IP addressing
- Internal address translation
- Prospective employee background checks
- Employee awareness certification program
Because past performance is a strong predictor of future performance, background checks of prospective employees best prevents attacks from originating within an organization. Static IP addressing does little to prevent an internal attack. Internal address translation using non-routable addresses is useful against external attacks but not against internal attacks. Employees who certify that they have read security policies are desirable, but this does not guarantee that the employees behave honestly.
For risk management purposes, the value of an asset should be based on:
- original cost.
- net cash flow.
- net present value.
- replacement cost.
The value of a physical asset should be based on its replacement cost since this is the amount that would be needed to replace the asset if it were to become damaged or destroyed. Original cost may be significantly different than the current cost of replacing the asset. Net cash flow and net present value do not accurately reflect the true value of the asset.
In a business impact analysis, the value of an information system should be based on the overall cost:
- of recovery.
- to recreate.
- if unavailable.
- of emergency operations.
The value of an information system should be based on the cost incurred if the system were to become unavailable. The cost to design or recreate the system is not as relevant since a business impact analysis measures the impact that would occur if an information system were to become unavailable. Similarly, the cost of emergency operations is not as relevant.
Acceptable risk is achieved when:
- residual risk is minimized.
- transferred risk is minimized.
- control risk is minimized.
- inherent risk is minimized.
Residual risk is the risk that remains after putting into place an effective risk management program; therefore, acceptable risk is achieved when this amount is minimized. Transferred risk is risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk. Control risk is the risk that controls may not prevent/detect an incident with a measure of control effectiveness. Inherent risk cannot be minimized.
The value of information assets is BEST determined by:
- individual business managers.
- business systems analysts.
- information security management.
- industry averages benchmarking.
Individual business managers are in the best position to determine the value of information assets since they are most knowledgeable of the assets’ impact on the business. Business systems developers and information security managers are not as knowledgeable regarding the impact on the business. Peer companies’ industry averages do not necessarily provide detailed enough information nor are they as relevant to the unique aspects of the business.