Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 43

  1. Of the following, who should have PRIMARY responsibility for assessing the security risk associated with an outsourced cloud provider contract?

    • Information security manager
    • Compliance manager
    • Chief information officer
    • Service delivery manager
  2. Which of the following would BEST provide stakeholders with information to determine the appropriate response to a disaster?

    • Risk assessment
    • Vulnerability assessment
    • Business impact analysis
    • SWOT analysis
  3. The PRIMARY purpose for continuous monitoring of security controls is to ensure:

    • system availability.
    • control gaps are minimized.
    • effectiveness of controls.
    • alignment with compliance requirements.
  4. To prevent computers on the corporate network from being used as part of a distributed denial of service attack, the information security manager should use:

    • incoming traffic filtering
    • outgoing traffic filtering
    • IT security policy dissemination
    • rate limiting
  5. Which of the following is the PRIMARY objective of reporting security metrics to stakeholders?

    • To identify key controls within the organization
    • To provide support for security audit activities
    • To communicate the effectiveness of the security program
    • To demonstrate alignment to the business strategy
  6. Which of the following BEST reduces the likelihood of leakage of private information via email?

    • Email encryption
    • User awareness training
    • Strong user authentication protocols
    • Prohibition on the personal use of email
  7. Once a suite of security controls has been successfully implemented for an organization’s business units, it is MOST important for the information security manager to:

    • ensure the controls are regularly tested for ongoing effectiveness.
    • hand over the controls to the relevant business owners.
    • prepare to adapt the controls for future system upgrades.
    • perform testing to compare control performance against industry levels.
  8. What should be an organization’s MAIN concern when evaluating an Infrastructure as a Service (IaaS) cloud computing model for an e-commerce application?

    • Availability of provider’s services
    • Internal audit requirements
    • Where the application resides
    • Application ownership
  9. Which of the following would be MOST important to include in a bring your own device (BYOD) policy with regard to lost or stolen devices? The need for employees to:

    • initiate the company’s incident reporting process.
    • seek advice from the mobile service provider.
    • notify local law enforcement.
    • request a remote wipe of the device.
  10. An information security manager learns that the root password of an external FTP server may be subject to brute force attacks. Which of the following would be the MOST appropriate way to reduce the likelihood of a successful attack?

    • Block the source IP address of the attacker.
    • Lock remote logon after multiple failed attempts.
    • Disable access to the externally facing server.
    • Install an intrusion detection system (IDS).
  11. An advantage of antivirus software schemes based on change detection is that they have:

    • a chance of detecting current and future viral strains.
    • a more flexible directory of viral signatures.
    • to be updated less frequently than activity monitors.
    • the highest probability of avoiding false alarms.
  12. Which of the following is BEST performed by the security department?

    • Approving standards for accessing the operating system
    • Logging unauthorized access to the operating system
    • Managing user profiles for accessing the operating system
    • Provisioning users to access the operating system
  13. An organization outsources its payroll processing. Which of the following would be the BEST key risk indicator for monitoring the information security of the service provider?

    • Number of security incidents by severity
    • Number of critical security patches
    • Percentage of application up-time
    • Number of manual payroll adjustments
  14. Senior management asks the information security manager for justification before approving the acquisition of a new intrusion detection system (IDS). The BEST course of action is to provide:

    • documented industry best practices.
    • a gap analysis against the new IDS controls.
    • a business case.
    • a business impact analysis (BIA).
  15. Ensuring that activities performed by outsourcing providers comply with information security policies can BEST be accomplished through the use of:

    • service level agreements.
    • independent audits.
    • explicit contract language.
    • local regulations.
  16. Which of the following will BEST enable an effective information asset classification process?

    • Reviewing the recovery time objective (RTO) requirements of the asset
    • Analyzing audit findings
    • Including security requirements in the classification process
    • Assigning ownership
  17. Which of the following devices, when placed in a demilitarized zone (DMZ), would be considered the MOST significant exposure?

    • Proxy server
    • Mail relay server
    • Application server
    • Database server
  18. Which of the following should be the MOST important criteria when defining data retention policies?

    • Capacity requirements
    • Audit findings
    • Regulatory requirements
    • Industry best practices
  19. Within the confidentiality, integrity, and availability (CIA) triad, which of the following activities BEST supports the concept of integrity?

    • Enforcing service level agreements
    • Implementing a data classification schema
    • Ensuring encryption for data in transit
    • Utilizing a formal change management process
  20. A small organization has a contract with a multinational cloud computing vendor. Which of the following would present the GREATEST concern to an information security manager if omitted from the contract?

    • Authority of the subscriber to approve access to its data
    • Right of the subscriber to conduct onsite audits of the vendor
    • Escrow of software code with conditions for code release
    • Commingling of subscribers’ data on the same physical server
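Outgoing (egress) traffic filtering, one of the options in question 4, works by inspecting packets as they leave the corporate perimeter rather than as they arrive: a packet whose source address is not one of the organization's own is spoofed and is dropped, and a connection to a service the organization never uses outbound is dropped too. The following Python block is an added example written for this page, not code from InfraExam or from any firewall product; the address prefixes, the permitted-port lists and the flow records are constructed for illustration.

```python
# Added example (not from the InfraExam page or any product): a decision
# function for an outbound (egress) filter at the corporate perimeter.
# Prefixes, port lists and flow records are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Assumed organization address space; a packet leaving with any other
# source address is spoofed, which is how DDoS bots hide their origin.
ORG_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.20.0.0/16"),
]

# Assumed outbound policy: hosts may reach these TCP services directly;
# anything else must go through a proxy or mail relay.
ALLOWED_OUTBOUND_TCP = {80, 443}
# Assumed: DNS is the only UDP service expected to leave the network.
ALLOWED_OUTBOUND_UDP = {53}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


def in_org(address: str) -> bool:
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in ORG_PREFIXES)


def egress_decision(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for a flow seen on the outbound interface."""
    # Anti-spoofing check (BCP 38 style): only our own addresses may leave.
    if not in_org(flow.src):
        return "DROP", "source address outside organization prefixes (spoofed)"
    # Internal-to-internal traffic never crosses the perimeter.
    if in_org(flow.dst):
        return "ACCEPT", "destination is internal"
    allowed = ALLOWED_OUTBOUND_TCP if flow.proto == "tcp" else ALLOWED_OUTBOUND_UDP
    if flow.dport not in allowed:
        return "DROP", f"{flow.proto}/{flow.dport} is not a permitted outbound service"
    return "ACCEPT", "permitted outbound service"


def filter_flows(flows: Iterable[Flow]) -> list[tuple[Flow, str, str]]:
    return [(f, *egress_decision(f)) for f in flows]


# Constructed flow records: a legitimate HTTPS session, a spoofed-source
# SYN-flood packet, a UDP flood toward a game port, and an IRC-style
# command-and-control connection.
SAMPLE_FLOWS = [
    Flow("10.20.1.7", "198.51.100.5", "tcp", 443),
    Flow("192.0.2.9", "198.51.100.5", "tcp", 80),
    Flow("10.20.1.7", "198.51.100.5", "udp", 27015),
    Flow("10.20.1.7", "198.51.100.5", "tcp", 6667),
]

if __name__ == "__main__":
    for flow, verdict, reason in filter_flows(SAMPLE_FLOWS):
        print(f"{verdict:6} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

The spoofing check comes first because it needs no knowledge of the attack: a bot flooding a victim with forged source addresses is stopped regardless of which port it targets. The port policy catches the remaining cases (floods from the host's real address, and the C2 channel the bot uses to receive orders) only as far as the policy is tight, so the allowed lists have to be reviewed when a new outbound service is introduced.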
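Locking remote logon after multiple failed attempts, one of the options in question 10, is a counter over a sliding window: failures for a (user, source) pair are counted, and once the threshold is reached the pair is rejected for a lockout period before the password is even checked. The block below is an added example written for this page, not code from InfraExam or from any FTP daemon; the record format (`epoch user source FAIL|OK`), the thresholds and the sample records are constructed for illustration.

```python
# Added example (not from the InfraExam page or any FTP daemon): a lockout
# tracker that rejects logon attempts for a (user, source) pair after
# repeated failures, replayed over constructed authentication records.
from collections import defaultdict, deque
from typing import Optional


class LoginGuard:
    """Sliding-window failure counter with a temporary lockout."""

    def __init__(self, max_failures: int = 5, window: int = 300, lockout: int = 900):
        self.max_failures = max_failures
        self.window = window      # seconds within which failures are counted
        self.lockout = lockout    # seconds a pair stays locked
        self.failures = defaultdict(deque)   # (user, src) -> failure timestamps
        self.locked_until = {}               # (user, src) -> unlock time

    def is_locked(self, user: str, src: str, now: int) -> bool:
        key = (user, src)
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        # Lockout expired: clear state so the counter starts fresh.
        del self.locked_until[key]
        self.failures[key].clear()
        return False

    def attempt(self, user: str, src: str, now: int, password_ok: bool) -> str:
        """Process one logon attempt and return the outcome.

        'ok'      - credentials accepted
        'fail'    - wrong credentials, counted toward the lockout
        'locked'  - this failure reached the threshold and started the lockout
        'blocked' - pair is locked; the password is not checked at all
        """
        if self.is_locked(user, src, now):
            return "blocked"
        key = (user, src)
        if password_ok:
            self.failures[key].clear()
            return "ok"
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            return "locked"
        return "fail"


def replay(records: list[str], guard: Optional[LoginGuard] = None) -> list[str]:
    """Replay constructed 'epoch user source FAIL|OK' lines through the guard."""
    guard = guard or LoginGuard()
    outcomes = []
    for line in records:
        ts, user, src, result = line.split()
        outcomes.append(guard.attempt(user, src, int(ts), result == "OK"))
    return outcomes


# Constructed records: a brute-force run against root from a single source.
# Fields: Unix epoch seconds, user, client address, daemon's password verdict.
SAMPLE_RECORDS = [
    "1700000000 root 198.51.100.77 FAIL",
    "1700000002 root 198.51.100.77 FAIL",
    "1700000004 root 198.51.100.77 FAIL",
    "1700000006 root 198.51.100.77 FAIL",
    "1700000008 root 198.51.100.77 FAIL",   # fifth failure: lockout begins
    "1700000010 root 198.51.100.77 OK",     # correct guess, but the pair is locked
    "1700000950 root 198.51.100.77 OK",     # 900 s lockout has expired
]

if __name__ == "__main__":
    for rec, outcome in zip(SAMPLE_RECORDS, replay(SAMPLE_RECORDS)):
        print(f"{rec:40} -> {outcome}")
```

Keying the lock on (user, source) blunts a single-source brute force without letting one attacker lock out every administrator; a distributed attack that rotates sources also needs a per-user threshold, and that threshold can in turn be abused to deny the root account to its owner. The lockout therefore complements, rather than replaces, refusing direct root logon on the FTP service and using stronger credentials.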
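The change-detection approach named in question 11 does not look for virus signatures at all: it records a cryptographic hash of each protected file and later reports any file whose hash differs, so an infection by a strain nobody has catalogued still shows up, while a legitimate update shows up the same way. The block below is an added example written for this page, not code from InfraExam or from any antivirus product; the directory tree, file contents and the simulated infection are constructed inside a temporary directory.

```python
# Added example (not from the InfraExam page or any antivirus product):
# a change-detection integrity checker. It hashes every file under a
# directory and later reports files that were modified, added or removed.
# The tree, its contents and the "infection" are constructed in a temp dir.
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root) to its SHA-256."""
    return {
        str(p.relative_to(root)): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def detect_changes(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare two snapshots; every difference is reported, known malware or not."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict[str, list[str]]:
    """Build a tree, take a baseline, then simulate an infection and an admin edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"ELF...original ls binary (constructed)")
        (root / "bin" / "cat").write_bytes(b"ELF...original cat binary (constructed)")
        (root / "etc.conf").write_bytes(b"setting=1\n")
        baseline = snapshot(root)

        # Unknown malware prepends itself to ls: no signature exists, but the hash moves.
        (root / "bin" / "ls").write_bytes(b"VIRUS" + b"ELF...original ls binary (constructed)")
        # A dropper leaves a new file and deletes a tool it does not want around.
        (root / "bin" / "sh.bak").write_bytes(b"dropper payload (constructed)")
        (root / "bin" / "cat").unlink()
        # A legitimate configuration edit is reported exactly the same way.
        (root / "etc.conf").write_bytes(b"setting=2\n")
        return detect_changes(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9}", files)
```

The `etc.conf` entry in the output is the cost of the scheme: the checker cannot tell a malicious change from an administrative one, so each alert needs a human or a change record to resolve it. The baseline itself must be kept where malware cannot rewrite it (read-only or off-host, ideally signed), otherwise an intruder simply re-baselines after infecting the files.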