Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 42

  1. When outsourcing data to a cloud service provider, which of the following should be the information security manager’s MOST important consideration?

    • Roles and responsibilities have been defined for the subscriber organization.
    • Cloud servers are located in the same country as the organization.
    • Access authorization includes biometric security verification.
    • Data stored at the cloud service provider is not co-mingled.
  2. Without prior approval, a training department enrolled the company in a free cloud-based collaboration site and invited employees to use it. Which of the following is the BEST response of the information security manager?

    • Conduct a risk assessment and develop an impact analysis.
    • Update the risk register and review the information security strategy.
    • Report the activity to senior management.
    • Allow temporary use of the site and monitor for data leakage.
  3. A global organization has developed a strategy to share a customer information database between offices in two countries. In this situation, it is MOST important to ensure:

    • data sharing complies with local laws and regulations at both locations.
    • data is encrypted in transit and at rest.
    • a nondisclosure agreement is signed.
    • risk coverage is split between the two locations sharing data.
  4. Which of the following is MOST likely to reduce the effectiveness of a signature-based intrusion detection system (IDS)?

    • The activities being monitored deviate from what is considered normal.
    • The information regarding monitored activities becomes stale.
    • The pattern of normal behavior changes quickly and dramatically.
    • The environment is complex.
  5. An information security manager is reviewing the impact of a regulation on the organization’s human resources system. The NEXT course of action should be to:

    • perform a gap analysis of compliance requirements.
    • assess the penalties for non-compliance.
    • review the organization’s most recent audit report.
    • determine the cost of compliance.
  6. Which of the following will BEST protect confidential data when connecting large wireless networks to an existing wired-network infrastructure?

    • Mandatory access control (MAC) address filtering
    • Strong passwords
    • Virtual private network (VPN)
    • Firewall
  7. A global organization processes and stores large volumes of personal data. Which of the following would be the MOST important attribute in creating a data access policy?

    • Availability
    • Integrity
    • Reliability
    • Confidentiality
  8. An organization wants to integrate information security into its human resource management processes. Which of the following should be the FIRST step?

    • Evaluate the cost of information security integration
    • Assess the business objectives of the processes
    • Identify information security risk associated with the processes
    • Benchmark the processes with best practice to identify gaps
  9. Which of the following is MOST important for an information security manager to regularly report to senior management?

    • Results of penetration tests
    • Audit reports
    • Impact of unremediated risks
    • Threat analysis reports
  10. Which of the following is the BEST approach to reduce unnecessary duplication of compliance activities?

    • Automation of controls
    • Documentation of control procedures
    • Integration of assurance efforts
    • Standardization of compliance requirements
  11. Which of the following sites would be MOST appropriate in the case of a very short recovery time objective (RTO)?

    • Warm
    • Redundant
    • Shared
    • Mobile



  12. Which of the following messages would be MOST effective in obtaining senior management’s commitment to information security management?

    • Effective security eliminates risk to the business
    • Adopt a recognized framework with metrics
    • Security is a business product and not a process
    • Security supports and protects the business
  13. Which of the following characteristics is MOST important to a bank in a high-value online financial transaction system?

    • Identification
    • Confidentiality
    • Authentication
    • Audit monitoring
  14. Which of the following presents the GREATEST challenge in calculating return on investment (ROI) in the security environment?

    • Number of incidents cannot be predetermined
    • Project cost overruns cannot be anticipated
    • Cost of security tools is difficult to estimate
    • Costs of security incidents cannot be estimated
  15. Which of the following would MOST likely require a business continuity plan to be invoked?

    • An unauthorized visitor discovered in the data center
    • A distributed denial of service attack on an e-mail server
    • An epidemic preventing staff from performing job functions
    • A hacker holding personally identifiable information hostage
  16. Which of the following is the MOST important driver when developing an effective information security strategy?

    • Information security standards
    • Compliance requirements
    • Benchmarking reports
    • Security audit reports
  17. An information security manager is recommending an investment in a new security initiative to address recently published threats. Which of the following would be MOST important to include in the business case?

    • Business impact if threats materialize
    • Availability of unused funds in the security budget
    • Threat information from reputable sources
    • Alignment of the new initiative with the approved business strategy
  18. Which of the following would BEST help to identify vulnerabilities introduced by changes to an organization’s technical infrastructure?

    • An intrusion detection system
    • Established security baselines
    • Penetration testing
    • Log aggregation and correlation
  19. When messages are encrypted and digitally signed to protect documents transferred between trading partners, the GREATEST concern is that:

    • trading partners can repudiate the transmission of messages.
    • hackers can eavesdrop on messages.
    • trading partners can repudiate the receipt of messages.
    • hackers can introduce forgery messages.
  20. In order to ensure separation of duties, which of the following activities is BEST performed by someone other than the system administrator?

    • Deleting system logs
    • Using system utilities
    • Monitoring system utilization
    • Defining system recovery procedures