CISM : Certified Information Security Manager : Part 37

  1. The PRIMARY reason for classifying assets is to:

    • balance asset value and protection measures. 
    • identify low-value assets with insufficient controls.
    • establish clear lines of authority and ownership for the asset.
    • inform senior management of the organization’s risk posture.
  2. The MAIN purpose of documenting information security guidelines for use within a large, international organization is to:

    • ensure that all business units have the same strategic security goals.
    • provide evidence for auditors that security practices are adequate.
    • explain the organization’s preferred practices for security.
    • ensure that all business units implement identical security procedures.
  3. Which of the following should be an information security manager’s PRIMARY role when an organization initiates a data classification process?

    • Verify that assets have been appropriately classified.
    • Apply security in accordance with specific classification.
    • Define the classification structure to be implemented.
    • Assign the asset classification level.
  4. Which of the following should be an information security manager’s FIRST course of action following a decision to implement a new technology?

    • Determine security controls needed to support the new technology.
    • Perform a business impact analysis (BIA) on the new technology.
    • Perform a return-on-investment (ROI) analysis for the new technology.
    • Determine whether the new technology will comply with regulatory requirements.
  5. Which of the following defines the minimum security requirements that a specific system must meet?

    • Security policy
    • Security guideline
    • Security procedure
    • Security baseline
  6. An organization recently rolled out a new procurement program that does not include any security requirements. Which of the following should the information security manager do FIRST?

    • Conduct security assessments of vendors based on value of annual spend with each vendor.
    • Meet with the head of procurement to discuss aligning security with the organization’s operational objectives.
    • Ask internal audit to conduct an assessment of the current state of third-party security controls.
    • Escalate the procurement program gaps to the compliance department in case of noncompliance issues.
  7. Which of the following would be MOST helpful in gaining support for a business case for an information security initiative?

    • Demonstrating organizational alignment
    • Emphasizing threats to the organization
    • Referencing control deficiencies
    • Presenting a solution comparison matrix
  8. When drafting the corporate privacy statement for a public web site, which of the following MUST be included?

    • Access control requirements
    • Limited liability clause
    • Information encryption requirements
    • Explanation of information usage
  9. Which of the following BEST determines an information asset’s classification?

    • Directives from the data owner
    • Criticality to a business process
    • Cost of producing the information asset
    • Value of the information asset to competitors
  10. Which of the following is BEST to include in a business case when the return on investment (ROI) for an information security initiative is difficult to calculate?

    • Estimated reduction in risk
    • Estimated increase in efficiency
    • Projected costs over time
    • Projected increase in maturity level
  11. Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?

    • Regular review of access control lists
    • Security guard escort of visitors
    • Visitor registry log at the door
    • A biometric coupled with a PIN

    Explanation:

    A review of access control lists is a detective control that will enable an information security manager to ensure that authorized persons are entering in compliance with corporate policy. Visitors accompanied by a guard will also provide assurance but may not be cost effective. A visitor registry is the next cost-effective control. A biometric coupled with a PIN will strengthen the access control; however, compliance assurance logs will still have to be reviewed.

  12. To BEST improve the alignment of the information security objectives in an organization, the chief information security officer (CISO) should:

    • revise the information security program.
    • evaluate a balanced business scorecard.
    • conduct regular user awareness sessions.
    • perform penetration tests.
    Explanation:
    The balanced business scorecard can track the effectiveness of how an organization executes it information security strategy and determine areas of improvement. Revising the information security program may be a solution, but is not the best solution to improve alignment of the information security objectives. User awareness is just one of the areas the organization must track through the balanced business scorecard. Performing penetration tests does not affect alignment with information security objectives.
  13. What is the MOST important item to be included in an information security policy?

    • The definition of roles and responsibilities
    • The scope of the security program
    • The key objectives of the security program
    • Reference to procedures and standards of the security program
    Explanation:

    Stating the objectives of the security program is the most important element to ensure alignment with business goals. The other choices are part of the security policy, but they are not as important.

  14. In an organization, information systems security is the responsibility of:

    • all personnel.
    • information systems personnel.
    • information systems security personnel.
    • functional personnel.
    Explanation:
    All personnel of the organization have the responsibility of ensuring information systems security-this can include indirect personnel such as physical security personnel. Information systems security cannot be the responsibility of information systems personnel alone since they cannot ensure security. Information systems security cannot be the responsibility of information systems security personnel alone since they cannot ensure security. Information systems security cannot be the responsibility of functional personnel alone since they cannot ensure security.
  15. An organization without any formal information security program that has decided to implement information security best practices should FIRST:

    • invite an external consultant to create the security strategy.
    • allocate budget based on best practices.
    • benchmark similar organizations.
    • define high-level business security requirements.
    Explanation:
    All four options are valid steps in the process of implementing information security best practices; however, defining high-level business security requirements should precede the others because the implementation should be based on those security requirements.
  16. When considering the value of assets, which of the following would give the information security manager the MOST objective basis for measurement of value delivery in information security governance?

    • Number of controls
    • Cost of achieving control objectives
    • Effectiveness of controls
    • Test results of controls
    Explanation:
    Comparison of cost of achievement of control objectives and corresponding value of assets sought to be protected would provide a sound basis for the information security manager to measure value delivery. Number of controls has no correlation with the value of assets unless the effectiveness of the controls and their cost are also evaluated. Effectiveness of controls has no correlation with the value of assets unless their costs are also evaluated. Test results of controls have no correlation with the value of assets unless the effectiveness of the controls and their cost are also evaluated.
  17. Which of the following would be the BEST metric for the IT risk management process?

    • Number of risk management action plans
    • Percentage of critical assets with budgeted remedial
    • Percentage of unresolved risk exposures
    • Number of security incidents identified
    Explanation:
    Percentage of unresolved risk exposures and the number of security incidents identified contribute to the IT risk management process, but the percentage of critical assets with budgeted remedial is the most indicative metric. Number of risk management action plans is not useful for assessing the quality of the process.
  18. Which of the following is a key area of the ISO 27001 framework?

    • Operational risk assessment
    • Financial crime metrics
    • Capacity management
    • Business continuity management
    Explanation:
    Operational risk assessment, financial crime metrics and capacity management can complement the information security framework, but only business continuity management is a key component.
  19. The MAIN goal of an information security strategic plan is to:

    • develop a risk assessment plan.
    • develop a data protection plan.
    • protect information assets and resources.
    • establish security governance.
    Explanation:
    The main goal of an information security strategic plan is to protect information assets and resources. Developing a risk assessment plan and H data protection plan, and establishing security governance refer to tools utilized in the security strategic plan that achieve the protection of information assets and resources.
  20. Which of the following, using public key cryptography, ensures authentication, confidentiality and nonrepudiation of a message?

    • Encrypting first by receiver’s private key and second by sender’s public key
    • Encrypting first by sender’s private key and second by receiver’s public key
    • Encrypting first by sender’s private key and second decrypting by sender’s public key
    • Encrypting first by sender’s public key and second by receiver’s private key
    Explanation:

    Encrypting by the sender’s private key ensures authentication. By being able to decrypt with the sender’s public key, the receiver would know that the message is sent by the sender only and the sender cannot deny/repudiate the message. By encrypting with the sender’s public key secondly, only the sender will be able to decrypt the message and confidentiality is assured. The receiver’s private key is private to the receiver and the sender cannot have it for encryption. Similarly, the receiver will not have the private key of the sender to decrypt the second-level encryption. In the case of encrypting first by the sender’s private key and. second, decrypting by the sender’s public key, confidentiality is not ensured since the message can be decrypted by anyone using the sender’s public key. The receiver’s private key would not be available to the sender for second-level encryption. Similarly, the sender’s private key would not be available to the receiver for decrypting the message.