Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 49
-
The PRIMARY objective of security awareness is to:
- ensure that security policies are understood.
- influence employee behavior.
- ensure legal and regulatory compliance.
- notify of actions for noncompliance.
Explanation:
It is most important that security-conscious behavior be encouraged among employees through training that influences expected responses to security incidents. Ensuring that policies are read and understood, giving employees fair warning of potential disciplinary action, or meeting legal and regulatory requirements is important but secondary.
-
Which of the following will BEST protect against malicious activity by a former employee?
- Preemployment screening
- Close monitoring of users
- Periodic awareness training
- Effective termination procedures
Explanation:
When an employee leaves an organization, the former employee may attempt to use their credentials to perform unauthorized or malicious activity. Accordingly, it is important to ensure timely revocation of all access at the time an individual is terminated. Security awareness training, preemployment screening and monitoring are all important, but are not as effective in preventing this type of situation.
-
Which of the following represents a PRIMARY area of interest when conducting a penetration test?
- Data mining
- Network mapping
- Intrusion Detection System (IDS)
- Customer data
Explanation:
Network mapping is the process of determining the topology of the network one wishes to penetrate. This is one of the first steps toward determining points of attack in a network. Data mining is associated with ad hoc reporting and, together with customer data, they are potential targets after the network is penetrated. The intrusion detection mechanism in place is not an area of focus because one of the objectives is to determine how effectively it protects the network or how easy it is to circumvent.
-
The return on investment of information security can BEST be evaluated through which of the following?
- Support of business objectives
- Security metrics
- Security deliverables
- Process improvement models
Explanation:
One way to determine the return on security investment is to illustrate how information security supports the achievement of business objectives. Security metrics measure improvement and effectiveness within the security practice but do not tie to business objectives. Similarly, listing deliverables and creating process improvement models does not necessarily tie into business objectives.
-
To help ensure that contract personnel do not obtain unauthorized access to sensitive information, an information security manager should PRIMARILY:
- set their accounts to expire in six months or less.
- avoid granting system administration roles.
- ensure they successfully pass background checks.
- ensure their access is approved by the data owner.
Explanation:
Contract personnel should not be given job duties that provide them with power user or other administrative roles that they could then use to grant themselves access to sensitive files. Setting expiration dates, requiring background checks and having the data owner assign access are all positive elements, but these will not prevent contract personnel from obtaining access to sensitive information.
-
Information security policies should:
- address corporate network vulnerabilities.
- address the process for communicating a violation.
- be straightforward and easy to understand.
- be customized to specific groups and roles.
Explanation:
As high-level statements, information security policies should be straightforward and easy to understand. They are high-level and, therefore, do not address network vulnerabilities directly or the process for communicating a violation. As policies, they should provide a uniform message to all groups and user roles.
-
Which of the following BEST indicates senior management support for an information security program?
- Detailed information security policies are established and regularly reviewed.
- The information security manager meets regularly with the lines of business.
- Key performance indicators (KPIs) are defined for the information security program.
- Risk assessments are conducted frequently by the information security team.
-
An information security manager suspects that the organization has suffered a ransomware attack. What should be done FIRST?
- Notify senior management.
- Alert employees to the attack.
- Confirm the infection.
- Isolate the affected systems.
-
The MAIN reason for internal certification of web-based business applications is to ensure:
- compliance with industry standards.
- changes to the organizational policy framework are identified.
- up-to-date web technology is being used.
- compliance with organizational policies.
-
Knowing which of the following is MOST important when the information security manager is seeking senior management commitment?
- Security costs
- Technical vulnerabilities
- Security technology requirements
- Implementation tasks
-
Which of the following would be the BEST way for a company to reduce the risk of data loss resulting from employee-owned devices accessing the corporate email system?
- Link the bring-your-own-device (BYOD) policy to the existing staff disciplinary policy.
- Require employees to undergo training before permitting access to the corporate email service.
- Require employees to install a reputable mobile anti-virus solution on their personal devices.
- Use a mobile device management (MDM) solution to isolate the local corporate email storage.
-
Which of the following is MOST critical for prioritizing actions in a business continuity plan (BCP)?
- Business impact analysis (BIA)
- Risk assessment
- Asset classification
- Business process mapping
-
Which of the following is the MOST effective defense against spear phishing attacks?
- Unified threat management
- Web filtering
- Anti-spam solutions
- User awareness training
-
Which of the following is MOST important to evaluate after completing a risk action plan?
- Threat profile
- Inherent risk
- Residual risk
- Vulnerability landscape
-
The PRIMARY benefit of integrating information security risk into enterprise risk management is to:
- ensure timely risk mitigation.
- justify the information security budget.
- obtain senior management’s commitment.
- provide a holistic view of risk.
-
A newly hired information security manager discovers that the cleanup of accounts for terminated employees happens only once a year.
Which of the following should be the information security manager’s FIRST course of action?
- Design and document a new process.
- Update the security policy.
- Perform a risk assessment.
- Report the issue to senior management.
-
A multinational organization wants to ensure its privacy program appropriately addresses privacy risk throughout its operations.
Which of the following would be of MOST concern to senior management?
- The organization uses a decentralized privacy governance structure.
- Privacy policies are only reviewed annually.
- The organization does not have a dedicated privacy officer.
- The privacy program does not include a formal training component.
-
After an information security business case has been approved by senior management, it should be:
- used to design functional requirements for the solution.
- used as the foundation for a risk assessment.
- referenced to build architectural blueprints for the solution.
- reviewed at key intervals to ensure intended outcomes.
-
The BEST way to isolate corporate data stored on employee-owned mobile devices would be to implement:
- a sandbox environment.
- device encryption.
- two-factor authentication.
- a strong password policy.
-
Which of the following is the MOST important outcome from vulnerability scanning?
- Prioritization of risks
- Information about steps necessary to hack the system
- Identification of back doors
- Verification that systems are properly configured