Certified Information Security Manager Exam Prep Guide - Second Edition

Product type: Book
Published in: Dec 2022
Publisher: Packt
ISBN-13: 9781804610633
Edition: 2nd Edition

Author: Hemang Doshi

Hemang Doshi has more than 15 years of experience in the field of system audit, IT risk and compliance, internal audit, risk management, information security audit, third-party risk management, and operational risk management. He has authored several books for certification such as CISA, CRISC, CISM, DISA, and enterprise risk management.
Chapter 1: Enterprise Governance

Practice Question Set 1

Q. 1

Answer: A. Security projects are discussed and approved by a steering committee

Explanation: The involvement of a steering committee in the discussion and approval of security projects indicates that the management is committed to security governance. The other options are not as significant.

Q. 2

Answer: C. The complexity of the organizational structure

Explanation: The information security governance model is primarily impacted by the complexity of the organizational structure. The organizational structure includes the organization's objectives, vision and mission, hierarchy, leadership structure, different function units, and different product lines. The other options are not as significant.

Q. 3

Answer: B. The development of security policies

Explanation: Security policies indicate the intent of the management. The security architecture and various procedures are designed based on these...

Chapter 2: Information Security Strategy

Practice Question Set 1

Q. 1

Answer: B. To evaluate the current business strategy

Explanation: The first step for an information security manager is to understand and evaluate the current business strategy. This is essential to align the information security plan with the business strategy. The other options are subsequent steps.

Q. 2

Answer: D. Desired future state of information security

Explanation: A strategy plan should include the desired level of information security. This desired state will impact options A and B. A mission statement is a high-level statement that may not indicate the detailed desired state for information security.

Q. 3

Answer: B. To support the business objectives

Explanation: The primary objective of any security strategy is to support the business objectives. Thus, it should be aligned with business objectives. The other options are secondary objectives.

Q. 4

Answer: B. Security objectives...

Chapter 3: Information Risk Assessment

Practice Question Set 1

Q. 1

Answer: A. The magnitude of impact

Explanation: To determine the risk level, two inputs are required: the probability (likelihood) of the event and the impact of the event. Risk is the product of probability and impact. Once the likelihood has been determined, the next step is to assess the magnitude of the impact. Once the level of risk is determined, it can be compared against the risk appetite and risk tolerance.

Q. 2

Answer: B. Likelihood and consequences

Explanation: To determine the level of risk, two things are necessary: the probability of an event happening and the impact if it does take place. Risk is the product of probability (likelihood) and impact (consequence).

Q. 3

Answer: C. Reduction in the likelihood of being exploited

Explanation: Reducing the exposure refers to keeping the information assets away from public reach. For example, consider a sensitive database that...

Chapter 4: Information Risk Response

Practice Question Set 1

Q. 1

Answer: C. Risk transfer

Explanation: Taking out insurance is an example of risk transfer. In risk transfer, the risk is shared with partners or is transferred via insurance coverage, contractual agreement, or other means. For instance, natural disasters have a very low probability but a high impact. The response to such a risk should be risk transfer.

Q. 2

Answer: B. The business manager

Explanation: The business manager will be in the best position to decide on any particular control on the basis of risk assessment as they are thoroughly aware of the risks relevant to their processes. The senior manager should provide the appropriate funding for the control. The audit and security managers support the business manager in reviewing and monitoring the effectiveness of the control.

Q. 3

Answer: A. Set up monitoring techniques to detect and react to fraud

Explanation: The best course of action...

Chapter 5: Information Security Program Development

Practice Question Set 1

Q. 1

Answer: A. To improve the integration of business and information security processes

Explanation: The most important challenge for a security manager is to obtain support from senior management and other business units for changing the business processes to include the security aspect. As the incident has already happened, business units will be more open to supporting security processes. In the absence of close integration of business and security processes, the other options will not be effective.

Q. 2

Answer: B. To understand the risk of technology and its contribution to security objectives

Explanation: An information security manager is required to evaluate the risk of technology and determine the relevant controls to safeguard IT resources. The other options are secondary aspects.

Q. 3

Answer: C. Strategy

Explanation: An information security strategy is a set of actions...

Chapter 6: Information Security Program Management

Practice Question Set 1

Q. 1

Answer: C. To mitigate impact

Explanation: Corrective controls are implemented to reduce the impact once a threat event has occurred. They facilitate the quick restoration of normal operations. Examples of corrective controls include the following:

  • Business continuity planning
  • Disaster recovery planning
  • Incident response planning
  • Backup procedures

Q. 2

Answer: D. The data custodian

Explanation: The data custodian is required to provide and implement adequate controls for the protection of data. The data owner is required to classify the level of protection required for their data.

Q. 3

Answer: C. A source code review

Explanation: The most effective method to identify and remove an application backdoor is to conduct a review of the source code. The other options will not be as effective.

Q. 4

Answer: C. A signed acceptable use policy

Explanation...

Chapter 7: Information Security Infrastructure and Architecture

Practice Question Set 1

Q. 1

Answer: D. The information security architecture

Explanation: Just as conventional architecture defines the rules and standards for the construction of buildings, information security architecture addresses the design and implementation of the security posture of the organization. An architecture helps to integrate the different components of information security in an effective manner. A security architecture also defines minimum levels of security for the infrastructure.

Q. 2

Answer: D. Business objectives and goals

Explanation: The prime objective of the security architecture is to support business objectives and goals. The other options are secondary factors.

Q. 3

Answer: B. Developing an architecture

Explanation: Information security architecture supports the design and implementation of the organization's security posture, just as traditional architecture...

Chapter 8: Information Security Monitoring Tools and Techniques

Practice Question Set 1

Q. 1

Answer: B. The rule to deny all traffic by default and permit only specific traffic

Explanation: From the preceding options, the most robust firewall configuration is to deny all traffic by default and permit only specific traffic. This is the most effective method to prevent unknown traffic from entering the organization's network.

Q. 2

Answer: A. The network layer of the OSI

Explanation: A CISM aspirant should note that packet filtering and stateful inspection operate at the network layer (3rd layer). The circuit level operates at the session layer (5th layer) and the application-level firewall operates at the application layer (7th layer).

Q. 3

Answer: B. A screened subnet firewall

Explanation: A screened subnet firewall (DMZ) is regarded as the safest type of firewall implementation. A screened subnet firewall includes two packet filtering routers and...

Chapter 9: Incident Management Readiness

Practice Question Set 1

Q. 1

Answer: C. An incident response plan

Explanation: An incident response plan includes a detailed procedure to handle an incident. It also includes the detailed roles and responsibilities of different teams for handling the incident. A security breach can best be handled using an incident response plan. BCPs and DRPs will be applicable only if an incident becomes a disaster and an alternative site needs to be activated. A change management plan is used to manage changes and does not directly impact the handling of a security breach.

Q. 2

Answer: A. To check the facility access logs

Explanation: The first step should be to check the facility access logs and determine the number of employees in the facility. They should be evacuated on an emergency basis. The safety of human life always comes first. The other options are secondary actions.

Q. 3

Answer: B. Installing a packet filtering firewall...

Chapter 10: Incident Management Operations

Practice Question Set 1

Q. 1

Answer: A. Minimizing the impact of incidents

Explanation: Continuous monitoring helps to identify abnormalities in real time. This will help an information security manager take corrective action on an immediate basis and thereby control the impact of the incident. The other options are not the prime objectives of continuous monitoring.

Q. 2

Answer: D. The ability to handle stress amidst chaos

Explanation: The ability to stay calm and make appropriate decisions in stressful situations is the most important attribute of an incident handler. Any decision made by an individual who is unable to stay calm under pressure may not be in the best interests of the organization. The other options are secondary attributes of an incident handling team.

Practice Question Set 2

Q. 1

Answer: B. Applications being exposed to new viruses during the intervening week

Explanation: As a prudent practice...
