Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 44
Which of the following is the BEST method to protect consumer private information for an online public website?
- Encrypt consumer’s data in transit and at rest.
- Apply a masking policy to the consumer data.
- Use secure encrypted transport layer.
- Apply strong authentication to online accounts.
Failure to include information security requirements within the build/buy decision would MOST likely result in the need for:
- compensating controls in the operational environment.
- commercial product compliance with corporate standards.
- more stringent source programming standards.
- security scanning of operational platforms.
A business impact analysis should be periodically executed PRIMARILY to:
- validate vulnerabilities on environmental changes.
- analyze the importance of assets.
- verify the effectiveness of controls.
- check compliance with regulations.
The GREATEST benefit resulting from well-documented information security procedures is that they:
- ensure that security policies are consistently applied.
- ensure that critical processes can be followed by temporary staff.
- facilitate security training of new staff.
- provide a basis for auditing security practices.
For an organization with a large and complex IT infrastructure, which of the following elements of a disaster recovery hot site service will require the closest monitoring?
- Employee access
- Audit rights
- Systems configurations
- Number of subscribers
Reviewing security objectives and ensuring the integration of security across business units is PRIMARILY the focus of the:
- executive management.
- chief information security officer (CISO).
- board of directors.
- steering committee.
Which of the following metrics is the BEST indicator of an abuse of the change management process that could compromise information security?
- Small number of change requests
- Large percentage decrease in monthly change requests
- Percentage of changes that include post-approval supplemental add-ons
- High ratio of lines of code changed to total lines of code
Labeling information according to its security classification:
- enhances the likelihood of people handling information securely.
- reduces the number and type of countermeasures required.
- reduces the need to identify baseline controls for each classification.
- affects the consequences if information is handled insecurely.
Meeting which of the following security objectives BEST ensures that information is protected against unauthorized disclosure?
Which of the following is the MOST effective data loss control when connecting a personally owned mobile device to the corporate email system?
- Email must be stored in an encrypted format on the mobile device.
- Email synchronization must be prevented when connected to a public Wi-Fi hotspot.
- A senior manager must approve each connection.
- Users must agree to allow the mobile device to be wiped if it is lost.
Key systems necessary for branch operations reside at corporate headquarters. Branch A is negotiating with a third party to provide disaster recovery facilities.
Which of the following contract terms would be the MOST significant concern?
- The hot site for the branch may have to be shared.
- Connectivity is not provided from the hot site to corporate headquarters.
- Penalty clauses for nonperformance are not included in the contract.
- The right to audit the hot site is not provided in the contract.
A regulatory organization sends an email to an information security manager warning of an impending cyber-attack. The information security manager should FIRST:
- validate the authenticity of the alert
- determine whether the attack is in progress
- alert the network operations center
- reply asking for more details
The use of a business case to obtain funding for an information security investment is MOST effective when the business case:
- relates information security policies and standards to business requirements.
- relates the investment to the organization’s strategic plan.
- realigns information security objectives to organizational strategy.
- articulates management’s intent and information security directives in clear language.
The PRIMARY reason for defining the information security roles and responsibilities of staff throughout an organization is to:
- reinforce the need for training
- increase corporate accountability
- comply with security policy
- enforce individual accountability
Which of the following is the PRIMARY reason social media has become a popular target for attack?
- The prevalence of strong perimeters.
- The reduced effectiveness of access controls.
- The element of trust created by social media.
- The accessibility of social media from multiple locations.
A validated patch to address a new vulnerability that may affect a mission-critical server has been released.
What should be done immediately?
- Add mitigating controls.
- Check the server’s security and install the patch.
- Conduct an impact analysis.
- Take the server off-line and install the patch.
Which of the following is the MOST effective way to protect the authenticity of data in transit?
- Hash value
- Digital signature
- Public key
- Private key
Which of the following is the FIRST task when determining an organization’s information security profile?
- Build an asset inventory
- List administrative privileges
- Establish security standards
- Complete a threat assessment
To ensure appropriate control of information processed in IT systems, security safeguards should be based PRIMARILY on:
- established guidelines
- criteria consistent with classification levels
- efficient technical processing considerations
- overall IT capacity and operational constraints
The PRIMARY reason an organization would require that users sign an acknowledgment of their system access responsibilities is to:
- maintain an accurate record of users’ access rights.
- serve as evidence of security awareness training.
- maintain compliance with industry best practices.
- assign accountability for transactions made with the user’s ID.