Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 59

  1. Which of the following is the BEST approach for improving information security management processes?

    • Conduct periodic security audits.
    • Perform periodic penetration testing.
    • Define and monitor security metrics.
    • Survey business units for feedback.

    Defining and monitoring security metrics is a good approach to analyze the performance of the security management process since it determines the baseline and evaluates the performance against the baseline to identify an opportunity for improvement. This is a systematic and structured approach to process improvement. Audits will identify deficiencies in established controls; however, they are not effective in evaluating the overall performance for improvement. Penetration testing will only uncover technical vulnerabilities, and cannot provide a holistic picture of information security management, feedback is subjective and not necessarily reflective of true performance.

  2. An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to:

    • validate and sanitize client side inputs.
    • harden the database listener component.
    • normalize the database schema to the third normal form.
    • ensure that the security patches are updated on operating systems.
    SQL injection vulnerability arises when crafted or malformed user inputs are substituted directly in SQL queries, resulting into information leakage. Hardening the database listener does enhance the security of the database; however, it is unrelated to the SQL injection vulnerability. Normalization is related to the effectiveness and efficiency of the database but not to SQL injection vulnerability. SQL injections may also be observed in normalized databases. SQL injection vulnerability exploits the SQL query design, not the operating system.
  3. The root cause of a successful cross site request forgery (XSRF) attack against an application is that the vulnerable application:

    • uses multiple redirects for completing a data commit transaction.
    • has implemented cookies as the sole authentication mechanism.
    • has been installed with a non-legitimate license key.
    • is hosted on a server along with other applications.
    XSRF exploits inadequate authentication mechanisms in web applications that rely only on elements such as cookies when performing a transaction. XSRF is related to an authentication mechanism, not to redirection. Option C is related to intellectual property rights, not to XSRF vulnerability. Merely hosting multiple applications on the same server is not the root cause of this vulnerability.
  4. Of the following, retention of business records should be PRIMARILY based on:

    • periodic vulnerability assessment.
    • regulatory and legal requirements.
    • device storage capacity and longevity.
    • past litigation.
    Retention of business records is a business requirement that must consider regulatory and legal requirements based on geographic location and industry. Options A and C are important elements for making the decision, but the primary driver is the legal and regulatory requirements that need to be followed by all companies. Record retention may take into consideration past litigation, but it should not be the primary decision factor.
  5. An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?

    • A due diligence security review of the business partner’s security controls
    • Ensuring that the business partner has an effective business continuity program
    • Ensuring that the third party is contractually obligated to all relevant security requirements
    • Talking to other clients of the business partner to check references for performance
    The key requirement is that the information security manager ensures that the third party is contractually bound to follow the appropriate security requirements for the process being outsourced. This protects both organizations. All other steps are contributory to the contractual agreement, but are not key.
  6. An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract?

    • Right to audit
    • Nondisclosure agreement
    • Proper firewall implementation
    • Dedicated security manager for monitoring compliance
    Right to audit would be the most useful requirement since this would provide the company the ability to perform a security audit/assessment whenever there is a business need to examine whether the controls are working effectively at the third party. Options B, C and D are important requirements and can be examined during the audit. A dedicated security manager would be a costly solution and not always feasible for most situations.
  7. Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?

    • Provide security awareness training to the third-party provider’s employees
    • Conduct regular security reviews of the third-party provider
    • Include security requirements in the service contract
    • Request that the third-party provider comply with the organization’s information security policy
    Regular security audits and reviews of the practices of the provider to prevent potential information security damage will help verify the security of outsourced services. Depending on the type of services outsourced, security awareness may not be necessary. Security requirements should be included in the contract, but what is most important is verifying that the requirements are met by the provider. It is not necessary to require the provider to fully comply with the policy if only some of the policy is related and applicable.
  8. The MOST important reason for an information security manager to be involved in the change management process is to ensure that:

    • security controls are updated regularly.
    • potential vulnerabilities are identified.
    • risks have been evaluated.
    • security controls drive technology changes.
  9. An organization has implemented a new customer relationship management (CRM) system. Who should be responsible for enforcing authorized and controlled access to the CRM data?

    • The data owner
    • Internal IT audit
    • The data custodian
    • The information security manager 
  10. Which of the following BEST demonstrates the maturity of an information security monitoring program?

    • Senior management regularly reviews security standards.
    • The information security program was introduced with a thorough business case.
    • Information security key risk indicators (KRIs) are tied to business operations. 
    • Risk scenarios are regularly entered into a risk register.
  11. The PRIMARY purpose of a security information and event management (SIEM) system is to:

    • resolve incidents.
    • track ongoing incidents.
    • provide status of incidents.
    • identify potential incidents.
  12. Which of the following is the STRONGEST indication that senior management commitment to information security is lacking within an organization?

    • A high level of information security risk acceptance
    • The information security manager reports to the chief risk officer
    • Inconsistent enforcement of information security policies
    • A reduction in information security investment
  13. Which of the following presents the GREATEST information security concern when deploying an identity and access management solution?

    • Complying with the human resource policy
    • Supporting multiple user repositories
    • Supporting legacy applications
    • Gaining end user acceptance
  14. Which of the following is the MOST important outcome of testing incident response plans?

    • Staff is educated about current threats.
    • An action plan is available for senior management.
    • Areas requiring investment are identified.
    • Internal procedures are improved.
  15. Inadvertent disclosure of internal business information on social media is BEST minimized by which of the following?

    • Developing social media guidelines
    • Educating users on social media risks
    • Limiting access to social media sites
    • Implementing data loss prevention (DLP) solutions
  16. In a large organization, which of the following is the BEST source for identifying ownership of a PC?

    • User ID register
    • Asset management register
    • Domain name server (DNS) records
    • Identity management system
  17. The BEST way to obtain funding from senior management for a security awareness program is to:

    • meet regulatory requirements.
    • produce an impact analysis report of potential breaches.
    • produce a report of organizational risks.
    • demonstrate that the program will adequately reduce risk
  18. To minimize security exposure introduced by changes to the IT environment, which of the following is MOST important to implement as part of change management?

    • Requiring approval by senior management
    • Performing a business impact analysis (BIA) prior to implementation
    • Performing post-change reviews before closing change tickets
    • Conducting a security risk assessment prior to go-live
  19. Which of the following metrics would provide management with the MOST useful information about the effectiveness of a security awareness program?

    • Increased number of downloads of the organization’s security policy
    • Decreased number of security incidents
    • Increased number of reported security incidents
    • Decreased number of phishing attacks
  20. Which of the following is the MOST important security consideration when using Infrastructure as a Service (IaaS)?

    • Backup and recovery strategy
    • Compliance with internal standards
    • User access management
    • Segmentation among tenants