CISM : Certified Information Security Manager : Part 39

  1. When developing security standards, which of the following would be MOST appropriate to include?

    • Accountability for licenses
    • Acceptable use of IT assets
    • Operating system requirements
    • Inventory management
  2. Which of the following would be MOST effective in the strategic alignment of security initiatives?

    • A security steering committee is set up within the IT department.
    • Key information security policies are updated on a regular basis.
    • Business leaders participate in information security decision making.
    • Policies are created with input from business unit managers.
  3. Which of the following would be the MOST effective countermeasure against malicious programming that rounds down transaction amounts and transfers them to the perpetrator’s account?

    • Ensure that proper controls exist for code review and release management
    • Set up an agent to run a virus-scanning program across platforms
    • Implement controls for continuous monitoring of middleware transactions
    • Apply the latest patch programs to the production operating systems
  4. The BEST way to mitigate the risk associated with a social engineering attack is to:

    • deploy an effective intrusion detection system (IDS)
    • perform a user-knowledge gap assessment of information security practices
    • perform a business risk assessment of the email filtering system
    • implement multi-factor authentication on critical business systems
  5. When considering whether to adopt a new information security framework, an organization’s information security manager should FIRST:

    • compare the framework with the current business strategy
    • perform a technical feasibility analysis
    • perform a financial viability study
    • analyze the framework’s legal implications and business impact
  6. A data-hosting organization’s data center houses servers, applications, and data for a large number of geographically dispersed customers. Which of the following strategies would be the BEST approach for developing a physical access control policy for the organization?

    • Design single sign-on or federated access
    • Conduct a risk assessment to determine security risks and mitigating controls
    • Develop access control requirements for each system and application
    • Review customers’ security policies
  7. After detecting an advanced persistent threat (APT), which of the following should be the information security manager’s FIRST step?

    • Notify management
    • Contain the threat
    • Remove the threat
    • Perform root-cause analysis
  8. A new system has been developed that does not comply with password-aging rules. This noncompliance can BEST be identified through:

    • a business impact analysis
    • an internal audit assessment
    • an incident management process
    • a progressive series of warnings
  9. Which of the following is the GREATEST security threat when an organization allows remote access to a virtual private network (VPN)?

    • Client logins are subject to replay attack
    • Compromised VPN clients could impact the network
    • Attackers could compromise the VPN gateway
    • VPN traffic could be sniffed and captured
  10. In which of the following ways can an information security manager BEST ensure that security controls are adequate for supporting business goals and objectives?

    • Reviewing results of the annual company external audit
    • Adopting internationally accepted controls
    • Enforcing strict disciplinary procedures in case of noncompliance
    • Using the risk management process
  11. The authorization to transfer the handling of an internal security incident to a third-party support provider is PRIMARILY defined by the:

    • information security manager
    • escalation procedures
    • disaster recovery plan
    • chain of custody
  12. Which of the following outsourced services has the GREATEST need for security monitoring?

    • Enterprise infrastructure
    • Application development
    • Virtual private network (VPN) services
    • Web site hosting
  13. Which of the following is done PRIMARILY to address the integrity of information?

    • Assignment of appropriate control permissions
    • Implementation of an Internet security application
    • Implementation of a duplex server system
    • Encryption of email
  14. An organization has a policy in which all criminal activity is prosecuted. What is MOST important for the information security manager to ensure when an employee is suspected of using a company computer to commit fraud?

    • The forensics process is immediately initiated
    • The incident response plan is initiated
    • The employee’s log files are backed up
    • Senior management is informed of the situation
  15. A multinational organization’s information security manager has been advised that the city in which a contracted regional data center is located is experiencing civil unrest. The information security manager should FIRST:

    • delete the organization’s sensitive data at the provider’s location
    • engage another service provider at a safer location
    • verify the provider’s ability to protect the organization’s data
    • evaluate options to recover if the data center becomes unreachable
  16. When defining responsibilities with a cloud computing vendor, which of the following should be regarded as a shared responsibility between user and provider?

    • Data ownership
    • Access log review
    • Application logging
    • Incident response
  17. An organization is considering whether to allow employees to use personal computing devices for business purposes. To BEST facilitate senior management’s decision, the information security manager should:

    • map the strategy to business objectives
    • perform a cost-benefit analysis
    • conduct a risk assessment
    • develop a business case
  18. A business unit uses an e-commerce application with a strong password policy. Many customers complain that they cannot remember their passwords because they are too long and complex. The business unit states it is imperative to improve the customer experience. The information security manager should FIRST:

    • change the password policy to improve the customer experience
    • research alternative secure methods of identity verification
    • evaluate the impact of the customer’s experience on business revenue
    • recommend implementing two-factor authentication
  19. The PRIMARY reason for creating a business case when proposing an information security project is to:

    • establish the value of the project in relation to business objectives
    • establish the value of the project with regard to regulatory compliance
    • ensure relevant business parties are involved in the project
    • ensure comprehensive security controls are identified
  20. Which of the following will BEST help to proactively prevent the exploitation of vulnerabilities in operating system software?

    • Patch management
    • Threat management
    • Intrusion detection system
    • Anti-virus software