CISM : Certified Information Security Manager : Part 32

  1. Management is questioning the need for several items in the information security budget proposal.

    Which of the following would have been MOST helpful prior to budget submission?

    • Benchmarking information security efforts of industry competitors
    • Obtaining better pricing from information security service vendors
    • Presenting a report of current threats to the organization
    • Educating management on information security best practices
  2. For a business operating in a competitive and evolving online market, it is MOST important for a security policy to focus on:

    • defining policies for new technologies.
    • enabling adoption of new technologies.
    • requiring accreditation for new technologies.
    • managing risks of new technologies.
  3. The FIRST step in establishing an information security program is to:

    • define policies and standards that mitigate the organization’s risks.
    • secure organizational commitment and support.
    • assess the organization’s compliance with regulatory requirements.
    • determine the level of risk that is acceptable to senior management.
  4. Which of the following would be MOST important to include in a business case to help obtain senior management’s commitment for an information security investment?

    • Results of an independent audit
    • Industry best practices
    • Projected business value
    • Reference to business policies
  5. In an organization with effective IT risk management, the PRIMARY reason to establish key risk indicators (KRIs) is to:

    • provide information to remediate risk events.
    • demonstrate the alignment of risk management efforts.
    • map potential risk to key organizational strategic initiatives.
    • identify triggers that exceed risk thresholds.
  6. Which of the following is the BEST way for an information security manager to justify continued investment in the information security program when the organization is facing significant budget cuts?

    • Demonstrate that the program enables business activities
    • Demonstrate an increase in ransomware attacks targeting peer organizations
    • Demonstrate that implemented program controls are effective
    • Demonstrate the readiness of business continuity plans
  7. Which of the following is the MOST important consideration when designing information security architecture?

    • Risk management parameters for the organization are defined.
    • The information security architecture is aligned with industry standards.
    • The level of security supported is based on business decisions.
    • The existing threat landscape is monitored.
  8. Which of the following processes is the FIRST step in establishing an information security policy?

    • Security controls evaluation
    • Information security audit
    • Review of current global standards
    • Business risk assessment
  9. A company has purchased a rival organization and is looking to integrate security strategies. Which of the following is the GREATEST issue to consider?

    • The organizations have different risk appetites
    • Differing security technologies
    • Differing security skills within the organizations
    • Confidential information could be leaked
  10. Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism?

    • Number of attacks detected
    • Number of successful attacks
    • Ratio of false positives to false negatives
    • Ratio of successful to unsuccessful attacks
    The ratio of false positives to false negatives will indicate whether an intrusion detection system (IDS) is properly tuned to minimize the number of false alarms while, at the same time, minimizing the number of omissions. The number of attacks detected, successful attacks or the ratio of successful to unsuccessful attacks would not indicate whether the IDS is properly configured.

  11. Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems?

    • Patch management
    • Change management
    • Security baselines
    • Virus detection

    Change management controls the process of introducing changes to systems. This is often the point at which a weakness will be introduced. Patch management involves the correction of software weaknesses and would necessarily follow change management procedures. Security baselines provide minimum recommended settings and do not prevent introduction of control weaknesses. Virus detection is an effective tool but primarily focuses on malicious code from external sources, and only for those applications that are online.

  12. Which of the following tools is MOST appropriate for determining how long a security project will take to implement?

    • Gantt chart
    • Waterfall chart
    • Critical path
    • Rapid Application Development (RAD)

    The critical path method is most effective for determining how long a project will take. A waterfall chart is used to understand the flow of one process into another. A Gantt chart facilitates the proper estimation and allocation of resources. The Rapid Application Development (RAD) method is used as an aid to facilitate and expedite systems development.

  13. Which of the following is MOST effective in preventing security weaknesses in operating systems?

    • Patch management
    • Change management
    • Security baselines
    • Configuration management

    Patch management corrects discovered weaknesses by applying a correction (a patch) to the original program code. Change management controls the process of introducing changes to systems. Security baselines provide minimum recommended settings. Configuration management controls the updates to the production environment.

  14. When a proposed system change violates an existing security standard, the conflict would be BEST resolved by:

    • calculating the residual risk.
    • enforcing the security standard.
    • redesigning the system change.
    • implementing mitigating controls.
  15. Who can BEST approve plans to implement an information security governance framework?

    • Internal auditor
    • Information security management
    • Steering committee
    • Infrastructure management

    Senior management that is part of the security steering committee is in the best position to approve plans to implement an information security governance framework. An internal auditor is secondary to the authority and influence of senior management. Information security management should not have the authority to approve the security governance framework. Infrastructure management will not be in the best position since it focuses more on the technologies than on the business.

  16. Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?

    • Baseline security standards
    • System access violation logs
    • Role-based access controls
    • Exit routines

    Role-based access controls help ensure that users only have access to files and systems appropriate for their job role. Violation logs are detective and do not prevent unauthorized access. Baseline security standards do not prevent unauthorized access. Exit routines are dependent upon appropriate role-based access.

  17. Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender?

    • Biometric authentication
    • Embedded steganographic
    • Two-factor authentication
    • Embedded digital signature

    Digital signatures ensure that transmitted information can be attributed to the named sender; this provides nonrepudiation. Steganographic techniques are used to hide messages or data within other files. Biometric and two-factor authentication are not generally used to protect Internet data transmissions.

  18. Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers?

    • Daily
    • Weekly
    • Concurrently with O/S patch updates
    • During scheduled change control updates

    New viruses are being introduced almost daily. The effectiveness of virus detection software depends on frequent updates to its virus signatures, which are stored in antivirus signature files, so updates may be carried out several times during the day. At a minimum, daily updating should occur. Patches may occur less frequently. Weekly updates may potentially allow new viruses to infect the system.

  19. Which of the following devices should be placed within a demilitarized zone (DMZ)?

    • Network switch
    • Web server
    • Database server
    • File/print server

    A web server should normally be placed within a demilitarized zone (DMZ) to shield the internal network. Database and file/print servers may contain confidential or valuable data and should always be placed on the internal network, never on a DMZ that is subject to compromise. Switches may bridge a DMZ to another network but do not technically reside within the DMZ network segment.

  20. On which of the following should a firewall be placed?

    • Web server
    • Intrusion detection system (IDS) server
    • Screened subnet
    • Domain boundary

    A firewall should be placed on a (security) domain boundary. Placing it on a web server or screened subnet, which is a demilitarized zone (DMZ), does not provide any protection. Since firewalls should be installed on hardened servers with minimal services enabled, it is inappropriate to have the firewall and the intrusion detection system (IDS) on the same physical device.