Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 30

  1. Threat and vulnerability assessments are important PRIMARILY because they are:

    • needed to estimate risk
    • the basis for setting control objectives
    • elements of the organization’s security posture
    • used to establish security investments
  2. Which of the following is the PRIMARY goal of business continuity management?

    • Establish incident response procedures.
    • Assess the impact to business processes.
    • Increase survivability of the organization.
    • Implement controls to prevent disaster.
  3. Which of the following should an information security manager establish FIRST to ensure security-related activities are adequately monitored?

    • Internal reporting channels
    • Accountability for security functions
    • Scheduled security assessments
    • Regular reviews of computer system logs
  4. Which of the following should be done FIRST when establishing security measures for personal data stored and processed on a human resources management system?

    • Conduct a privacy impact assessment (PIA).
    • Evaluate data encryption technologies.
    • Move the system into a separate network.
    • Conduct a vulnerability assessment.
  5. What is the role of the information security manager in finalizing contract negotiations with service providers?

    • To update security standards for the outsourced process
    • To ensure that clauses for periodic audits are included
    • To obtain a security standard certification from the provider
    • To perform a risk analysis on the outsourcing process
  6. Authorization can BEST be accomplished by establishing:

    • the ownership of the data.
    • what users can do when they are granted system access.
    • whether users are who they say they are.
    • how users identify themselves to information systems.
  7. Which of the following would provide the MOST effective security outcome in an organization’s contract management process?

    • Extending security assessment to include random penetration testing
    • Extending security assessment to cover asset disposal on contract termination
    • Performing vendor security benchmark analyses at the request-for-proposal (RFP) stage
    • Ensuring security requirements are defined at the request-for-proposal (RFP) stage
  8. An organization’s outsourced firewall was poorly configured and allowed unauthorized access that resulted in downtime of 48 hours. Which of the following should be the information security manager’s NEXT course of action?

    • Reconfigure the firewall in accordance with best practices.
    • Obtain supporting evidence that the problem has been corrected.
    • Revisit the contract and improve accountability of the service provider.
    • Seek damages from the service provider.
  9. The PRIMARY advantage of involving end users in continuity planning is that they:

    • are more objective than information security management.
    • can balance the technical and business risks.
    • have a better understanding of specific business needs.
    • can see the overall impact to the business.
  10. Who can BEST advocate the development of and ensure the success of an information security program?

    • Internal auditor
    • Chief operating officer (COO)
    • Steering committee
    • IT management

    Senior management represented in the security steering committee is in the best position to advocate the establishment of and continued support for an information security program. The chief operating officer (COO) will be a member of that committee. An internal auditor is a good advocate but is secondary to the influence of senior management. IT management has a lesser degree of influence and would also be part of the steering committee.

  11. Which of the following BEST ensures that information transmitted over the Internet will remain confidential?

    • Virtual private network (VPN)
    • Firewalls and routers
    • Biometric authentication
    • Two-factor authentication
    Encryption of data in a virtual private network (VPN) ensures that transmitted information is not readable, even if intercepted. Firewalls and routers protect access to data resources inside the network and do not protect traffic in the public network. Biometric and two-factor authentication, by themselves, would not prevent a message from being intercepted and read.
  12. The effectiveness of virus detection software is MOST dependent on which of the following?

    • Packet filtering
    • Intrusion detection
    • Software upgrades
    • Definition tables
    The effectiveness of virus detection software depends on virus signatures, which are stored in virus definition tables. Software upgrades are related to the periodic updating of the program code, which is not as critical. Intrusion detection and packet filtering do not focus on virus detection.
  13. Which of the following is the MOST effective type of access control?

    • Centralized
    • Role-based
    • Decentralized
    • Discretionary
    Role-based access control allows users to be grouped into job-related categories, which significantly eases the required administrative overhead. Discretionary access control would require a greater degree of administrative overhead. Decentralized access control generally requires a greater number of staff to administer, while centralized access control is an incomplete answer.
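    As an added illustration of the point above (example code written for this page, not taken from the exam or from ISACA material), the following minimal role-based policy shows why RBAC lowers administrative overhead: a new user gets one role assignment instead of a per-object ACL entry, and revoking a permission from a role removes it from every holder at once. The users, roles and resource names are constructed for the example.

```python
# Added example (not from the original page): a minimal role-based access
# control (RBAC) policy with role inheritance. Users, roles and resources
# below are constructed for illustration only.
from dataclasses import dataclass, field


@dataclass
class RbacPolicy:
    role_perms: dict = field(default_factory=dict)    # role -> {(action, resource)}
    role_parents: dict = field(default_factory=dict)  # role -> {parent roles inherited}
    user_roles: dict = field(default_factory=dict)    # user -> {roles}

    def grant(self, role, action, resource):
        self.role_perms.setdefault(role, set()).add((action, resource))

    def revoke(self, role, action, resource):
        # One edit here affects every user holding the role, directly or
        # through inheritance; no per-user or per-object clean-up needed.
        self.role_perms.get(role, set()).discard((action, resource))

    def inherit(self, child, parent):
        self.role_parents.setdefault(child, set()).add(parent)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def effective_roles(self, user):
        """Roles held directly plus everything reachable through inheritance."""
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.role_parents.get(role, ()))
        return seen

    def check(self, user, action, resource):
        """Authorization decision for an already-authenticated user."""
        return any((action, resource) in self.role_perms.get(r, set())
                   for r in self.effective_roles(user))


def build_demo_policy():
    p = RbacPolicy()
    p.grant("employee", "read", "hr-portal")
    p.grant("payroll-clerk", "write", "payroll-ledger")
    p.inherit("payroll-clerk", "employee")   # clerks are employees too
    p.assign("alice", "payroll-clerk")
    p.assign("bob", "employee")
    return p


def onboard(policy, user, role):
    """Onboarding is a single role assignment, not N ACL edits."""
    policy.assign(user, role)
    return policy.check(user, "read", "hr-portal")


if __name__ == "__main__":
    policy = build_demo_policy()
    print(policy.check("alice", "write", "payroll-ledger"))  # True
    print(policy.check("bob", "write", "payroll-ledger"))    # False
    policy.revoke("payroll-clerk", "write", "payroll-ledger")
    print(policy.check("alice", "write", "payroll-ledger"))  # False
```

    Under discretionary access control the same change (taking payroll write access away from every clerk) would have to be made by each object owner on each object, which is the administrative overhead the explanation refers to.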
  14. Which of the following devices should be placed within a DMZ?

    • Router
    • Firewall
    • Mail relay
    • Authentication server
    A mail relay should normally be placed within a demilitarized zone (DMZ) to shield the internal network. An authentication server, due to its sensitivity, should always be placed on the internal network, never on a DMZ that is subject to compromise. Both routers and firewalls may bridge a DMZ to another network, but they do not technically reside within the DMZ network segment.
  15. An intrusion detection system should be placed:

    • outside the firewall.
    • on the firewall server.
    • on a screened subnet.
    • on the external router.
    An intrusion detection system (IDS) should be placed on a screened subnet, which is a demilitarized zone (DMZ). Placing it on the Internet side of the firewall would leave it defenseless. The same would be true of placing it on the external router, if such a thing were feasible. Since firewalls should be installed on hardened servers with minimal services enabled, it would be inappropriate to host the IDS on the same physical device.
  16. The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to:

    • provide in-depth defense.
    • separate test and production.
    • permit traffic load balancing.
    • prevent a denial-of-service attack.
    Having two entry points, each guarded by a separate firewall, is desirable to permit traffic load balancing. As they both connect to the Internet and to the same demilitarized zone (DMZ), such an arrangement is not practical for separating test from production or preventing a denial-of-service attack.
  17. An extranet server should be placed:

    • outside the firewall.
    • on the firewall server.
    • on a screened subnet.
    • on the external router.
    An extranet server should be placed on a screened subnet, which is a demilitarized zone (DMZ). Placing it on the Internet side of the firewall would leave it defenseless. The same would be true of placing it on the external router, although this would not be possible. Since firewalls should be installed on hardened servers with minimal services enabled, it would be inappropriate to host the extranet server on the same physical device.
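    As an added example (written for this page, not part of the exam material), the placement rules from questions 14 and 17 expressed as a single nftables forward chain on the firewall that separates the Internet, the screened subnet and the internal network. The interface names wan0, dmz0 and lan0, the addresses 192.0.2.25 (mail relay in the DMZ) and 10.0.0.25 (internal mail server), and the extranet host 192.0.2.80 are assumptions for the example.

```nft
# Added example: firewall forward policy for a screened subnet (DMZ).
# Interfaces and addresses are assumptions, not taken from the page.
#   wan0 = Internet, dmz0 = screened subnet, lan0 = internal network
table inet screened_subnet {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        ct state established,related accept

        # Internet -> DMZ: only the published services, nothing else.
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.25 tcp dport 25 accept   # mail relay
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.80 tcp dport 443 accept  # extranet server

        # DMZ mail relay -> internal mail server: the one permitted DMZ-to-LAN flow.
        # The internal authentication server is never reachable from dmz0,
        # which is why it belongs on lan0 and not in the DMZ.
        iifname "dmz0" oifname "lan0" ip saddr 192.0.2.25 ip daddr 10.0.0.25 tcp dport 25 accept

        # DMZ relay -> Internet for outbound mail and DNS.
        iifname "dmz0" oifname "wan0" ip saddr 192.0.2.25 tcp dport 25 accept
        iifname "dmz0" oifname "wan0" ip saddr 192.0.2.25 meta l4proto { tcp, udp } th dport 53 accept

        # Internal -> DMZ and Internet (outbound only; no inbound from wan0 to lan0
        # exists, so an Internet host cannot reach the internal network directly).
        iifname "lan0" oifname { "dmz0", "wan0" } accept

        # Everything else, including any new Internet -> lan0 flow, hits policy drop.
    }
}
```

    Loaded with `nft -f`, this ruleset makes the explanation's point concrete: a compromised relay or extranet host on dmz0 can open only one connection into lan0, and an attacker on the Internet never sees the internal authentication server at all.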
  18. Which of the following is the BEST metric for evaluating the effectiveness of security awareness training? The number of:

    • password resets.
    • reported incidents.
    • incidents resolved.
    • access rule violations.
    Reported incidents will provide an indicator of the awareness level of staff. An increase in reported incidents could indicate that the staff is paying more attention to security. Password resets and access rule violations may or may not have anything to do with awareness levels. The number of incidents resolved may not correlate to staff awareness.
  19. Security monitoring mechanisms should PRIMARILY:

    • focus on business-critical information.
    • assist owners to manage control risks.
    • focus on detecting network intrusions.
    • record all security violations.
    Security monitoring must focus on business-critical information to remain effectively usable by and credible to business users. Control risk is the possibility that controls would not detect an incident or error condition, and therefore is not a correct answer because monitoring would not directly assist in managing this risk. Network intrusions are not the only focus of monitoring mechanisms; although they should record all security violations, this is not the primary objective.
  20. Which of the following is the BEST method for ensuring that security procedures and guidelines are known and understood?

    • Periodic focus group meetings
    • Periodic compliance reviews
    • Computer-based certification training (CBT)
    • Employee’s signed acknowledgement
    Using computer-based training (CBT) presentations with end-of-section reviews provides feedback on how well users understand what has been presented. Periodic compliance reviews are a good tool to identify problem areas but do not ensure that procedures are known or understood. Focus groups may or may not provide meaningful detail. Although a signed employee acknowledgement is good, it does not indicate whether the material has been read and/or understood.