Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 45
What would be the PRIMARY reason for an organization to conduct a simulated phishing attack on its employees as part of a social engineering assessment?
- Measure the effectiveness of security awareness training.
- Identify the need for mitigating security controls.
- Measure the effectiveness of the anti-spam solution.
- Test the effectiveness of the incident response plan.
Which of the following activities should take place FIRST when a security patch for Internet software is received from a vendor?
- The patch should be validated using a hash algorithm.
- The patch should be applied to critical systems.
- The patch should be deployed quickly to systems that are vulnerable.
- The patch should be evaluated in a testing environment.
An information security manager has researched several options for handling ongoing security concerns and will be presenting these solutions to business managers. Which of the following will BEST enable business managers to make an informed decision?
- Business impact analysis (BIA)
- Cost-benefit analysis
- Risk analysis
- Gap analysis
Which of the following would BEST ensure that application security standards are in place?
- Functional testing
- Performing a code review
- Publishing software coding standards
- Penetration testing
Which of the following is the BEST criterion to use when classifying assets?
- The market value of the assets
- Annual loss expectancy (ALE)
- Value of the assets relative to the organization
- Recovery time objective (RTO)
Which of the following is the MOST effective method to prevent a SQL injection in an employee portal?
- Reconfigure the database schema
- Enforce referential integrity on the database
- Conduct code reviews
- Conduct network penetration testing
Which of the following is MOST important when conducting a forensic investigation?
- Documenting analysis steps
- Capturing full system images
- Maintaining a chain of custody
- Analyzing system memory
Which of the following would be the information security manager’s BEST course of action to gain approval for investment in a technical control?
- Perform a cost-benefit analysis.
- Conduct a risk assessment.
- Calculate the exposure factor.
- Conduct a business impact analysis (BIA).
Which of the following is the BEST indication of information security strategy alignment with the business?
- Number of business objectives directly supported by information security initiatives.
- Percentage of corporate budget allocated to information security initiatives.
- Number of business executives who have attended information security awareness sessions.
- Percentage of information security incidents resolved within defined service level agreements.
When customer data has been compromised, an organization should contact law enforcement authorities:
- if the attack comes from an international source.
- when directed by the information security manager.
- if there is potential impact to the organization.
- in accordance with the corporate communication policy.
The GREATEST benefit of choosing a private cloud over a public cloud would be:
- server protection.
- collection of data forensics.
- online service availability.
- containment of customer data.
Which of the following is the MOST important consideration when selecting members for an information security steering committee?
- Cross-functional composition
- Information security expertise
- Tenure in the organization
- Business expertise
Organization A offers e-commerce services and uses secure transport protocol to protect Internet communication. To confirm communication with Organization A, which of the following would be the BEST for a client to verify?
- The certificate of the e-commerce server
- The browser’s indication of SSL use
- The IP address of the e-commerce server
- The URL of the e-commerce server
Meeting which of the following security objectives BEST ensures that information is protected against unauthorized modification?
An information security steering group should:
- provide general oversight and guidance.
- develop information security policies.
- establish information security baselines.
- oversee the daily operations of the security program.
Which of the following should be the PRIMARY basis for an information security strategy?
- The organization’s vision and mission.
- Information security policies.
- Results of a comprehensive gap analysis.
- Audit and regulatory requirements.
Which of the following is an example of a vulnerability?
- Natural disasters
- Defective software
- Unauthorized users
What would be an information security manager’s BEST recommendation upon learning that an existing contract with a third party does not clearly identify requirements for safeguarding the organization’s critical data?
- Create an addendum to the existing contract.
- Cancel the outsourcing contract.
- Transfer the risk to the provider.
- Initiate an external audit of the provider’s data center.
Which of the following is the MOST important reason to monitor information risk on a continuous basis?
- The risk profile can change over time.
- The effectiveness of controls can be verified.
- The cost of controls can be minimized.
- Risk assessment errors can be identified.
Which of the following is MOST important to include in monthly information security reports to the broad?
- Trend analysis of security metrics
- Threat intelligence
- Root cause analysis of security incidents
- Risk assessment results