CISM : Certified Information Security Manager : Part 53

  1. Which of the following metrics BEST evaluates the completeness of disaster-recovery preparations?

    • Number of published application-recovery plans
    • Ratio of recovery-plan documents to total applications
    • Ratio of tested applications to total applications
    • Ratio of successful to unsuccessful tests
  2. Which of the following methods BEST ensures that a comprehensive approach is used to direct information security activities?

    • Holding periodic meetings with business owners
    • Promoting security training
    • Establishing a steering committee
    • Creating communication channels
  3. During an annual security review of an organization’s servers, it was found that the customer service team’s file server, which contains sensitive customer data, is accessible to all user IDs in the organization. Which of the following should the information security manager do FIRST?

    • Report the situation to the data owner
    • Remove access privileges to the folder containing the data
    • Isolate the server from the network
    • Train the customer service team on properly controlling file permissions
  4. The selection of security controls is PRIMARILY linked to:

    • best practices of similar organizations
    • risk appetite of the organization
    • regulatory requirements
    • business impact assessment
  5. Which of the following is MOST important to include in a contract with a critical service provider to help ensure alignment with the organization’s information security program?

    • Right-to-audit clause
    • Escalation paths
    • Key performance indicators (KPIs)
    • Termination language
  6. Which of the following is the BEST reason for delaying the application of a critical security patch?

    • Conflicts with software development lifecycle (SDLC)
    • Technology interdependencies
    • Lack of vulnerability management
    • Resource limitations
  7. Which of the following would be MOST effective when justifying the cost of adding security controls to an existing web application?

    • Internal audit reports
    • Application security policy
    • Vulnerability assessment results
    • A business case
  8. Which of the following is the PRIMARY benefit to an organization using an automated event monitoring solution?

    • Improved response time to incidents
    • Improved network protection
    • Enhanced forensic analysis
    • Reduced need for manual analysis
  9. An information security manager reads a media report of a new type of malware attack. Who should be notified FIRST?

    • Application owners
    • Communications department
    • Data owners
    • Security operations team
  10. Which is MOST important when contracting an external party to perform a penetration test?

    • Provide network documentation
    • Obtain approval from IT management
    • Define the project scope
    • Increase the frequency of log reviews
  11. Calculation of the recovery time objective (RTO) is necessary to determine the:

    • time required to restore files
    • priority of restoration
    • point of synchronization
    • annual loss expectancy (ALE)
  12. Which of the following is an example of a change to the external threat landscape?

    • Infrastructure changes to the organization have been implemented
    • Organizational security standards have been modified
    • A commonly used encryption algorithm has been compromised
    • New legislation has been enacted in a region where the organization does business
  13. Which of the following roles should be PRIMARILY responsible for assigning sensitivity levels to an organization’s financial and payroll databases?

    • Data owner
    • Database administrator
    • Systems administrator
    • Information security manager
  14. The MOST important factors in determining the scope and timing for testing a business continuity plan are:

    • the importance of the functional to be tested and the cost of testing
    • the experience level of personnel and the function location
    • prior testing results and the degree of detail of the business continuity plan
    • manual processing capabilities and the test location
  15. A policy has been established requiring users to install mobile device management (MDM) software on their personal devices. Which of the following would BEST mitigate the risk created by noncompliance with this policy?

    • Issuing warnings and documenting noncompliance
    • Requiring users to sign off on terms and conditions
    • Issuing company-configured mobile devices
    • Disabling remote access from the mobile device
  16. The PRIMARY purpose of a periodic threat and risk assessment report to senior management is to communicate the:

    • status of the security posture
    • probability of future incidents
    • cost-benefit of security controls
    • risk acceptance criteria
  17. An organization’s HR department would like to outsource its employee system to a cloud-hosted solution due to features and cost savings offered. Management has identified this solution as a business need and wants to move forward. What should be the PRIMARY role of information security in this effort?

    • Explain security issues associated with the solution to management
    • Determine how to securely implement the solution
    • Ensure the service provider has the appropriate certifications
    • Ensure a security audit is performed of the service provider
  18. Which of the following is MOST effective against system intrusions?

    • Two-factor authentication
    • Continuous monitoring
    • Layered protection
    • Penetration testing
  19. What should be the information security manager’s MOST important consideration when planning a disaster recovery test?

    • Documented escalation processes
    • Organization-wide involvement
    • Impact to production systems
    • Stakeholder notification procedures
  20. The PRIMARY purpose of asset valuation for the management of information security is to:

    • prioritize risk management activities
    • eliminate the least significant assets
    • provide a basis for asset classification
    • determine the value of each asset