CISM : Certified Information Security Manager : Part 44

  1. Which of the following is the BEST method to protect consumer private information for an online public website?

    • Encrypt consumer’s data in transit and at rest. 
    • Apply a masking policy to the consumer data.
    • Use secure encrypted transport layer.
    • Apply strong authentication to online accounts.
  2. Failure to include information security requirements within the build/buy decision would MOST likely result in the need for:

    • compensating controls in the operational environment.
    • commercial product compliance with corporate standards.
    • more stringent source programming standards.
    • security scanning of operational platforms.
  3. A business impact analysis should be periodically executed PRIMARILY to:

    • validate vulnerabilities on environmental changes.
    • analyze the importance of assets.
    • verify the effectiveness of controls.
    • check compliance with regulations.
  4. The GREATEST benefit resulting from well-documented information security procedures is that they:

    • ensure that security policies are consistently applied.
    • ensure that critical processes can be followed by temporary staff.
    • facilitate security training of new staff.
    • provide a basis for auditing security practices.
  5. For an organization with a large and complex IT infrastructure, which of the following elements of a disaster recovery hot site service will require the closest monitoring?

    • Employee access
    • Audit rights
    • Systems configurations
    • Number of subscribers
  6. Reviewing security objectives and ensuring the integration of security across business units is PRIMARILY the focus of the:

    • executive management.
    • chief information security officer (CISO).
    • board of directors.
    • steering committee.
  7. Which of the following metrics is the BEST indicator of an abuse of the change management process that could compromise information security?

    • Small number of change requests
    • Large percentage decrease in monthly change requests
    • Percentage of changes that include post-approval supplemental add-ons
    • High ratio of lines of code changed to total lines of code
  8. Labeling information according to its security classification:

    • enhances the likelihood of people handling information securely.
    • reduces the number and type of countermeasures required.
    • reduces the need to identify baseline controls for each classification.
    • affects the consequences if information is handled insecurely.
  9. Meeting which of the following security objectives BEST ensures that information is protected against unauthorized disclosure?

    • Authenticity
    • Confidentiality
    • Nonrepudiation
    • Integrity
  10. Which of the following is the MOST effective data loss control when connecting a personally owned mobile device to the corporate email system?

    • Email must be stored in an encrypted format on the mobile device.
    • Email synchronization must be prevented when connected to a public Wi-Fi hotspot.
    • A senior manager must approve each connection.
    • Users must agree to allow the mobile device to be wiped if it is lost.
  11. Key systems necessary for branch operations reside at corporate headquarters. Branch A is negotiating with a third party to provide disaster recovery facilities.

    Which of the following contract terms would be the MOST significant concern?

    • The hot site for the branch may have to be shared.
    • Connectivity is not provided from the hot site to corporate headquarters.
    • Penalty clauses for nonperformance are not included in contract.
    • The right to audit the hot site is not provided in the contract.
  12. A regulatory organization sends an email to an information security manager warning of an impending cyber-attack. The information security manager should FIRST:

    • validate the authenticity of the alert
    • determine whether the attack is in progress
    • alert the network operations center
    • reply asking for more details
  13. The use of a business case to obtain funding for an information security investment is MOST effective when the business case:

    • translates information security policies and standards into business requirements.
    • relates the investment to the organization’s strategic plan.
    • realigns information security objectives to organizational strategy.
    • articulates management’s intent and information security directives in clear language.
  14. The PRIMARY reason for defining the information security roles and responsibilities of staff throughout an organization is to:

    • reinforce the need for training
    • increase corporate accountability
    • comply with security policy
    • enforce individual accountability
  15. Which of the following is the PRIMARY reason social media has become a popular target for attack?

    • The prevalence of strong perimeter controls.
    • The reduced effectiveness of access controls.
    • The element of trust created by social media.
    • The accessibility of social media from multiple locations.
  16. A validated patch to address a new vulnerability that may affect a mission-critical server has been released.

    What should be done immediately?

    • Add mitigating controls.
    • Check the server’s security and install the patch.
    • Conduct an impact analysis.
    • Take the server off-line and install the patch.
  17. Which of the following is the MOST effective way to protect the authenticity of data in transit?

    • Hash value
    • Digital signature
    • Public key
    • Private key
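    The distinction the options in question 17 turn on is whether the integrity evidence attached to the data is keyed. An unkeyed hash travelling with the message can simply be recomputed by whoever alters it, so it detects accidental corruption but says nothing about who produced the data; a digital signature binds the message to the signer's private key, and the public and private keys by themselves are only the material the signature mechanism uses. The following is an added worked example, not part of the original question set, written in Go because its standard library ships Ed25519. The envelope layout, function names and the sample payloads are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is what travels over the wire: the payload plus the evidence the
// sender attached. Both an unkeyed digest and a signature are carried so the
// two checks can be compared side by side (hypothetical layout for this example).
type Envelope struct {
	Payload []byte
	Digest  []byte // plain SHA-256 of Payload; no key involved
	Sig     []byte // Ed25519 signature over Payload
}

// NewKeyPair generates the sender's Ed25519 key pair.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Send builds the envelope the legitimate sender transmits.
func Send(priv ed25519.PrivateKey, payload []byte) Envelope {
	d := sha256.Sum256(payload)
	return Envelope{
		Payload: payload,
		Digest:  d[:],
		Sig:     ed25519.Sign(priv, payload),
	}
}

// Tamper models an on-path attacker who rewrites the payload and recomputes
// the unkeyed digest to match. The signature cannot be regenerated without
// the sender's private key, so the attacker can only leave it unchanged.
func Tamper(e Envelope, newPayload []byte) Envelope {
	d := sha256.Sum256(newPayload)
	return Envelope{Payload: newPayload, Digest: d[:], Sig: e.Sig}
}

// DigestOK recomputes the hash over the received payload. It detects
// accidental corruption but is satisfied by any attacker who recomputes it.
func DigestOK(e Envelope) bool {
	d := sha256.Sum256(e.Payload)
	return bytes.Equal(d[:], e.Digest)
}

// SignatureOK verifies the signature with the sender's public key, which ties
// the payload to the holder of the matching private key.
func SignatureOK(pub ed25519.PublicKey, e Envelope) bool {
	return ed25519.Verify(pub, e.Payload, e.Sig)
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample payloads for the demonstration.
	genuine := Send(priv, []byte("PAY 100 to ACME"))
	forged := Tamper(genuine, []byte("PAY 9999 to MALLORY"))

	fmt.Printf("genuine: digest ok=%v signature ok=%v\n", DigestOK(genuine), SignatureOK(pub, genuine))
	fmt.Printf("forged:  digest ok=%v signature ok=%v\n", DigestOK(forged), SignatureOK(pub, forged))
}
```

Running it shows the genuine envelope passing both checks and the forged one passing the digest check while failing signature verification, which is why the hash alone is not an authenticity control. A keyed MAC would also defeat this tampering, but unlike a signature it cannot distinguish the two parties that share the key.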
  18. Which of the following is the FIRST task when determining an organization’s information security profile?

    • Build an asset inventory
    • List administrative privileges
    • Establish security standards
    • Complete a threat assessment
  19. To ensure appropriate control of information processed in IT systems, security safeguards should be based PRIMARILY on:

    • established guidelines
    • criteria consistent with classification levels
    • efficient technical processing considerations
    • overall IT capacity and operational constraints
  20. The PRIMARY reason an organization would require that users sign an acknowledgment of their system access responsibilities is to:

    • maintain an accurate record of users’ access rights.
    • serve as evidence of security awareness training.
    • maintain compliance with industry best practices.
    • assign accountability for transactions made with the user’s ID.