Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 23

  1. Which of the following BEST promotes stakeholder accountability in the management of information security risks?

    • Targeted security procedures
    • Establishment of information ownership
    • Establishment of security baselines
    • Regular reviews for noncompliance
  2. Which of the following is the BEST control to minimize the risk associated with loss of information as a result of ransomware exploiting a zero-day vulnerability?

    • A security operation center
    • A patch management process
    • A public key infrastructure
    • A data recovery process
  3. Application data integrity risk would be MOST directly addressed by a design that includes:

    • access control technologies such as role-based entitlements.
    • strict application of an authorized data dictionary.
    • application log requirements such as field-level audit trails and user activity logs.
    • reconciliation routines such as checksums, hash totals, and record counts.
  4. Which of the following is the MOST relevant risk factor to an organization when employees use social media?

    • Social media can be accessed from multiple locations.
    • Social media offers a platform that can host cyber-attacks.
    • Social media can be used to gather intelligence for attacks.
    • Social media increases the velocity of risk and the threat capacity.
  5. A PRIMARY advantage of involving business management in evaluating and managing information security risks is that they:

    • better understand organizational risks.
    • can balance technical and business risks.
    • are more objective than security management.
    • better understand the security architecture.
  6. The MOST important reason to maintain key risk indicators (KRIs) is that:

    • threats and vulnerabilities continuously evolve.
    • they are needed to verify compliance with laws and regulations.
    • they help assess the performance of the security program.
    • management uses them to make informed business decisions.
  7. In addition to cost, what is the BEST criterion for selecting countermeasures following a risk assessment?

    • Effort of implementation
    • Skill requirements for implementation
    • Effectiveness of each option
    • Maintenance requirements
  8. Vulnerability scanning has detected a critical risk in a vital business application. Which of the following should the information security manager do FIRST?

    • Report the business risk to senior management.
    • Confirm the risk with the business owner.
    • Update the risk register.
    • Create an emergency change request.
  9. A risk was identified during a risk assessment. The business process owner has chosen to accept the risk because the cost of remediation is greater than the projected cost of a worst-case scenario. What should be the information security manager’s NEXT course of action?

    • Determine a lower-cost approach to remediation.
    • Document and schedule a date to revisit the issue.
    • Shut down the business application.
    • Document and escalate to senior management.
  10. An inexperienced information security manager is relying on the internal audit department to design and implement key security controls. Which of the following is the GREATEST risk?

    • Inadequate implementation of controls
    • Conflict of interest
    • Violation of the audit charter
    • Inadequate audit skills
  11. An information security manager is asked to provide a short presentation on the organization’s current IT risk posture to the board of directors. Which of the following would be MOST effective to include in this presentation?

    • Risk heat map
    • Gap analysis results
    • Threat assessment results
    • Risk register
  12. The MOST likely reason to use qualitative security risk assessments instead of quantitative methods is when:

    • an organization provides services instead of hard goods.
    • a security program requires independent expression of risks.
    • available data is too subjective.
    • a mature security program is in place.
  13. The PRIMARY objective of a risk response strategy should be:

    • threat reduction.
    • regulatory compliance.
    • senior management buy-in.
    • appropriate control selection.
  14. An organization is concerned with the risk of information leakage caused by incorrect use of personally owned smart devices by employees. What is the BEST way for the information security manager to mitigate the associated risk?

    • Require employees to sign a nondisclosure agreement (NDA).
    • Implement a mobile device management (MDM) solution.
    • Document a bring-your-own-device (BYOD) policy.
    • Implement a multi-factor authentication (MFA) solution.
  15. When determining an acceptable risk level, which of the following is the MOST important consideration?

    • System criticalities
    • Vulnerability scores
    • Risk matrices
    • Threat profiles
  16. An organization has concerns regarding a potential advanced persistent threat (APT). To ensure that the risk associated with this threat is appropriately managed, what should be the organization’s FIRST action?

    • Report to senior management.
    • Initiate incident response processes.
    • Implement additional controls.
    • Conduct an impact analysis.
  17. An organization plans to implement a document collaboration solution to allow employees to share company information. Which of the following is the MOST important control to mitigate the risk associated with the new solution?

    • Assign write access to data owners.
    • Allow a minimum number of users access to the solution.
    • Have data owners perform regular user access reviews.
    • Permit only non-sensitive information on the solution.
  18. An information security manager is evaluating the key risk indicators (KRIs) for an organization’s information security program. Which of the following would be the information security manager’s GREATEST concern?

    • Undefined thresholds to trigger alerts
    • Multiple KRIs for a single control process
    • Use of qualitative measures
    • Lack of formal KRI approval from IT management
  19. Which of the following is the MOST important function of information security?

    • Managing risk to the organization
    • Reducing the financial impact of security breaches
    • Identifying system vulnerabilities
    • Preventing security incidents
  20. Which of the following BEST describes a buffer overflow?

    • A program contains a hidden and unintended function that presents a security risk.
    • A type of covert channel that captures data.
    • Malicious code designed to interfere with normal operations.
    • A function is carried out with more data than the function can handle.