CISM : Certified Information Security Manager : Part 47

  1. A message is being sent with a hash. The risk of an attacker changing the message and generating an authentic hash value can be mitigated by:

    • using a secret key in conjunction with the hash algorithm
    • requiring the recipient to use a different hash algorithm
    • using the sender’s public key to encrypt the message
    • generating hash output that is the same size as the original message
  2. An organization’s marketing department has requested access to cloud-based collaboration sites for exchanging media files with external marketing companies. As a result, the information security manager has been asked to perform a risk assessment. Which of the following should be the MOST important consideration?

    • The information to be exchanged
    • Methods for transferring the information
    • Reputations of the external marketing companies
    • The security of the third-party cloud provider
  3. What should the information security manager do FIRST when end users express that new security controls are too restrictive?

    • Conduct a business impact analysis (BIA)
    • Obtain process owner buy-in to remove the controls
    • Perform a risk assessment on modifying the control environment
    • Perform a cost-benefit analysis on modifying the control environment
  4. Which of the following is the PRIMARY objective of a business impact analysis (BIA)?

    • Analyze vulnerabilities
    • Determine recovery priorities
    • Confirm control effectiveness
    • Define the recovery point objective (RPO)
  5. An organization implemented a mandatory information security awareness training program a year ago. What is the BEST way to determine its effectiveness?

    • Analyze findings from previous audit reports
    • Analyze results from training completion reports
    • Analyze results of a social engineering test
    • Analyze responses from an employee survey of training satisfaction
  6. Which of the following will BEST provide an organization with ongoing assurance of the information security services provided by a cloud provider?

    • Requiring periodic self-assessments by the provider
    • Evaluating the provider’s security incident response plan
    • Continuous monitoring of an information security risk profile
    • Ensuring the provider’s roles and responsibilities are established
  7. An internal audit has found that critical patches were not implemented within the timeline established by policy without a valid reason. Which of the following is the BEST course of action to address the audit findings?

    • Perform regular audits on the implementation of critical patches.
    • Evaluate patch management training.
    • Assess the patch management process.
    • Monitor and notify IT staff of critical patches.
  8. A cloud service provider is unable to provide an independent assessment of controls. Which of the following is the BEST way to obtain assurance that the provider can adequately protect the organization’s information?

    • Invoke the right to audit per the contract
    • Review the provider’s information security policy
    • Check references supplied by the provider’s other customers
    • Review the provider’s self-assessment
  9. Which of the following is MOST important when selecting an information security metric?

    • Aligning the metric to the IT strategy
    • Defining the metric in quantitative terms
    • Ensuring the metric is repeatable
    • Defining the metric in qualitative terms
  10. Which of the following BEST supports the risk assessment process to determine the criticality of an asset?

    • Business impact analysis (BIA)
    • Residual risk analysis
    • Vulnerability assessment
    • Threat assessment
  11. When recommending a preventive control against cross-site scripting in web applications, an information security manager is MOST likely to suggest:

    • using https in place of http
    • coding standards and code review
    • consolidating multiple sites into a single portal
    • hardening of the web server’s operating system
  12. The PRIMARY benefit of integrating information security activities into change management processes is to:

    • ensure required controls are included in changes
    • protect the organization from unauthorized changes
    • provide greater accountability for security-related changes in the business
    • protect the business from collusion and compliance threats
  13. Which of the following should be an information security manager’s MOST important consideration when conducting a physical security review of a potential outsourced data center?

    • Distance of the data center from the corporate office
    • Availability of network circuit connections
    • Environmental factors of the surrounding location
    • Proximity to law enforcement
  14. Which of the following tools BEST demonstrates the effectiveness of the information security program?

    • Key risk indicators (KRIs)
    • Management satisfaction surveys
    • Risk heat map
    • A security balanced scorecard
  15. In an organization where IT is critical to its business strategy and where there is a high level of operational dependence on IT, senior management commitment to security is BEST demonstrated by the:

    • segregation of duties policy
    • size of the IT security function
    • reporting line of the chief information security officer (CISO)
    • existence of an IT steering committee
  16. Which of the following would be an information security manager’s PRIMARY challenge when deploying a Bring Your Own Device (BYOD) mobile program in an enterprise?

    • End user acceptance
    • Configuration management
    • Mobile application control
    • Disparate device security
  17. When an operating system is being hardened, it is MOST important for an information security manager to ensure that:

    • system logs are activated
    • default passwords are changed
    • file access is restricted
    • anonymous access is removed
  18. Which of the following would BEST help to ensure compliance with an organization’s information security requirements by an IT service provider?

    • Requiring an external security audit of the IT service provider
    • Defining information security requirements with internal IT
    • Requiring regular reporting from the IT service provider
    • Defining the business recovery plan with the IT service provider
  19. Which of the following would present the GREATEST need to revise information security policies?

    • A merger with a competing company
    • An increase in reported incidents
    • Implementation of a new firewall
    • Changes in standards and procedures
  20. Which of the following MOST effectively prevents internal users from modifying sensitive data?

    • Network segmentation
    • Acceptable use policies
    • Role-based access controls
    • Multi-factor authentication