ISACA CISM Exam Questions
1. If a business is employing a security control that will block or allow traffic according to pre-configured rules, they are using a(n):
- Firewall
- Intrusion Detection System (IDS)
- Intrusion Prevention System (IPS)
- Digital Rights Management (DRM)
Correct answer: Firewall
A firewall will block/allow traffic according to pre-configured rules. The rest of the traffic should be blocked by default.
An IDS will not block any traffic. It will only monitor the traffic as it occurs. An IPS will block traffic according to a signature file or block anomalies if it uses a known good traffic pattern analysis. DRM will allow a user to access data if they are provisioned.
2. What is one of the MOST important tools, if not the most important tool, that provides information to guide information security program execution?
- Security metrics
- Security policies
- Security goals and objectives
- Security governance
Correct answer: Security metrics
One of the three most essential elements of the information security program is metrics. From metrics, information is provided that will guide the execution, e.g., is the program on track or does something need to change to achieve security and business goals and objectives?
The goals and objectives do not guide the execution or direction; they drive the information security strategy. All of this falls under security governance. Within the program itself are policies, but the metrics tell us whether the policies are being followed, not followed, or need to be modified.
3. You have been informed by the risk management team that they have found that one of the Critical Business Functions (CBFs) has a likelihood and impact outside of risk acceptance levels. In this determination, they conclude that it would be best to add full disk encryption to the server and the CBF.
This is an example of:
- Risk evaluation
- Risk analysis
- Risk identification
- Risk management
Correct answer: Risk evaluation
In the identification step, you are using scenarios to determine the range and nature of risk.
Risk analysis then combines vulnerability and threat information to assess the risk of compromise. It is usually done with quantitative or qualitative processes. Risk evaluation is then the process of taking that information from the risk analysis step and establishing criteria for risk treatment. Risk management includes all three steps of evaluation, analysis, and identification, as well as more.
4. Who is responsible for managing the information security program activities?
- Information security manager
- Senior management
- Chief Executive Officer (CEO)
- Board of Directors (BoD)
Correct answer: Information security manager
The information security manager is responsible for information security program activities.
The CEO and Senior Management are responsible for supporting the objectives and providing resources. The BoD is accountable or informed, depending on the activity.
5. What is the definition of governance?
- Considering the needs of stakeholders, regulation compliance, and the objectives of the enterprise to determine direction
- Making decisions solely based upon the needs of a business
- Decision-making driven by customer feedback
- Holding regulatory compliance above everything when making a business decision
Correct answer: Considering the needs of stakeholders, regulation compliance, and the objectives of the enterprise to determine direction
Governance is best described through the COBIT (control objectives for information technology) framework. This takes into consideration the needs of stakeholders, regulation compliance, and the objectives of the enterprise to determine direction. Essentially, it is a game of balance to ensure all parties are considered for business decisions and that one does not suffer to please the other.
Making decisions for the sole purpose of the business, customers, or regulatory purposes could be detrimental to other entities in this process. For example, making decisions for strict regulatory compliance could be expensive and negatively impact a business when a compensatory measure could have met the same requirement. Additionally, making decisions with only customers in mind could result in jeopardizing data or violating regulations. Customers don't usually have these things in mind, but a manager would be held to such a standard of knowledge and be potentially liable for the decisions made.
6. In the past, information security reported to the Chief Information Officer (CIO). Increasingly, that is seen as insufficient or even counterproductive. Today, it would be BEST for information security to report to:
- The Board of Directors (BoD)
- The Chief Financial Officer (CFO)
- The Chief Legal Officer (CLO)
- The Chief Risk Officer (CRO)
Correct answer: The Board of Directors (BoD)
Of these answers, the BoD is the most accepted. If the Chief Executive Officer (CEO) were on the list of answers, this would be a challenging question.
It could work for information security to report to the CFO, CLO, or CRO, but it is not currently the most commonly accepted practice.
7. In any enterprise, security controls are an important feature to protect against attackers and the liability that comes with managing data. However, prior to implementing a preventive or corrective control, what can a business utilize to BEST ensure the proper issues are found and addressed prior to an incident?
- Nessus
- Snort
- Asset inventory
- OWASP Top 10
Correct answer: Nessus
Nessus is a vulnerability scanner, with basic features available free to many users. It can be used to detect vulnerabilities and ensure the proper issues are addressed in any network.
Snort can also address issues, but is more closely related to a preventive control, and the question specifically asks what can be done prior to implementing preventive controls.
The OWASP Top 10 attacks and an asset inventory would not detect issues in any organization specifically. The OWASP Top 10 will not find anything on its own, as it's only a reference. Asset inventories will only track assets and provide some compensating factors depending on how they are deployed, but will not detect a potential issue prior to the incident — if anything, this would come after the incident.
8. In risk management, the process of risk evaluation is when:
- The results of the risk analysis are used to determine if risk falls within acceptable risk
- The results of the risk identification are evaluated with Business Impact Assessment (BIA)
- The risk scenarios are considered, and possible outcomes are developed
- The vulnerabilities are assessed with the threat landscape to determine probable compromise methods
Correct answer: The results of the risk analysis are used to determine if risk falls within acceptable risk
Risk evaluation comes after analysis. It is where the risk level is considered compared to the acceptable risk to determine the correct risk response.
Risk identification comes first, and the risk analysis looks at the BIA concerning the identified risks. Risk identification is when risk scenarios are developed with a thorough assessment of the threat landscape. Vulnerabilities are assessed during the risk identification process as well.
9. An organization has decided to conduct an exercise in which they write their roles and duties on paper, determine how effective it is, and identify where they can improve based upon a given scenario. What type of exercise does this BEST describe?
- Structured walkthrough
- Checklist
- Diagramming
- Simulation test
Correct answer: Structured walkthrough
In a structured walkthrough, employees write their roles and duties on paper, determine how effective it is for a disaster recovery situation, and identify where they can improve based upon a given scenario. This allows for knowledge sharing, providing and receiving feedback, and ultimately results in a stronger disaster recovery team without major interruptions to the organization.
A checklist is more simplified, in which each individual is essentially given a list of their roles. A simulation test is dynamic and extremely beneficial to a workplace because it gives employees hands-on training within their role. However, a simulation can be time-consuming and disrupt normal business workflows. Diagramming is a fabricated term.
10. The Information Technology (IT) department has responded to alerts from the Security Information and Event Manager (SIEM). They have determined that a security incident has occurred and must be investigated.
Who should receive the escalation of this issue?
- Information security manager
- Chief Risk Officer (CRO)
- Board of Directors (BoD)
- Second-tier technical support
Correct answer: Information security manager
Commonly, the information security manager is the point of escalation for security issues. Also, incidents that need investigation normally go to the information security manager.
The CRO may need to reevaluate a threat based on this incident, but they are not the ones to handle the event or investigation. Depending on the scale of the incident, the BoD may need to be advised of the incident, but they certainly do not handle the escalation or investigation. As this is a security issue, it would not go to technical support. It needs to go to security: the security manager, security operations, or even incident response. The best answer to this question is the information security manager.
11. Reporting changes found by a risk assessment due to changes occurring within the organization to the appropriate levels of management at the proper time is a primary responsibility of the:
- Information security manager
- Chief Risk Officer (CRO)
- Chief Executive Officer (CEO)
- Risk team
Correct answer: Information security manager
The information security manager is responsible for updating management as changes occur in the organization that cause differences to be found with the subsequent risk assessment.
The Chief Risk Officer (CRO) and Chief Executive Officer (CEO) would need to be updated or informed of these changes. The risk team are the ones who are doing the work to uncover the changes themselves.
12. When developing an information security strategy, what is the FIRST thing that must be developed/identified?
- Goals
- Objectives
- Desired state
- Architectural approach
Correct answer: Goals
The first question that must be answered by a business creating an information security strategy is the goal. The information security manager, with senior management, must define a clear goal. Once an information security manager has a goal, then the objectives can be created. That leads to the desired state and then the approach that will be taken to build an appropriate architecture.
13. What tool could be used to assess the gap between the current and desired state of an information security program?
- Capability Maturity Model Integration (CMMI)
- International Standards Organization (ISO) 27002
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53
- Governance, Risk management, and Compliance (GRC)
Correct answer: Capability Maturity Model Integration (CMMI)
Capability Maturity Model Integration (CMMI) is about maturing processes. It allows organizations to elevate their performance levels by understanding where they are and where they want to be. That is where you find the gap.
ISO 27002 and NIST SP 800-53 are fundamentally lists of possible controls that can be added to a business. GRC reflects an approach that an organization can adopt to integrate the three areas of its name.
14. When developing a RACI chart for governance practices, it is critical to address:
- Evaluate, direct, and monitor
- Plan, do, check, and act
- Prepare, protect, and detect
- Principles, policies, and frameworks
Correct answer: Evaluate, direct, and monitor
Governance practices are:
- Evaluate the governance system
- Direct the governance system
- Monitor the governance system
When creating a RACI (Responsible, Accountable, Consulted, Informed) chart for governance, those are the three aspects to cover.
Plan, do, check, and act are known as the Deming Wheel, and they are core to things like building an Information Security Management System (ISMS) with ISO 27001. Prepare, protect, and detect are the beginning of the incident response plan process flow. They are followed by triage and respond. Principles, policies, and frameworks are core to COBIT (Control Objectives for Information and related Technology) enterprise enablers.
15. Which of the following is NOT one of the nine primary steps in the NIST risk assessment methodology?
- Potential reward
- Risk determination
- Control analysis
- Impact
Correct answer: Potential reward
Potential reward is not one of the nine steps in a NIST risk assessment. However, companies may weigh potential reward to determine their risk appetite — for example, an organization with more to gain than lose through a calculated risk may choose to take that risk.
Risk determination is related to the likelihood of a risk being exploited. Control analysis is determining which existing or potential controls could be used to mitigate risk. Impact is simply the potential impact a risk could have on a company if successfully exploited — for example, should an organization really avoid encrypting certain things to speed up processes if it could cost them millions if exploited?
16. When doing a risk assessment, exposure is a critical element to determine. Exposure is:
- The attack surface
- The weakness of the control
- The eventual attack
- Where the attack is
Correct answer: The attack surface
Exposure is also known as the attack surface. It is the extent to which a vulnerability is exposed to a threat.
The weakness is a vulnerability, in this case of the control. The eventual attack refers to when it is going to happen. "Where the attack is" refers to the location.
17. Which of the following refers to the maximum period after an incident that critical operations/processes can be down before the company runs the risk of going out of business?
- AIW
- RTO
- RPO
- SDO
Correct answer: AIW
The acceptable interruption window (AIW) is the maximum period after an incident that critical services/processes can be down before the company runs the risk of going out of business.
The recovery point objective (RPO) measures how much data is lost after an incident. It is typically the age of the last known backup.
The recovery time objective (RTO) measures the maximum time until a process operates at an acceptable level before the business begins experiencing unacceptable impacts (financial, reputational, etc.).
The service delivery objective (SDO) refers to the level of service provided while the organization is resolving an incident with the main service.
18. The cost of a specific threat as it is encountered many times within a single year is called the:
- Annual Loss Expectancy (ALE)
- Single Loss Expectancy (SLE)
- Annual Rate of Occurrence (ARO)
- Exposure Factor (EF)
Correct answer: Annual Loss Expectancy (ALE)
The ALE is the SLE x ARO. The ARO is the number of times a certain event will happen within a year. So, if the threat of laptops being stolen has an SLE of $2000, and we expect an ARO of five (five laptops stolen per year), that would result in an ALE of $2000 x 5, or $10,000.
The EF is the percentage of asset loss caused by a threat. The EF for a laptop stolen is 100%.
19. When working as an information security manager, you must determine the risk of losing a critical server. Without this server, customers cannot request products or assistance from your business. You must assess the risk of losing this server and determine how long it could be non-functional should a hurricane knock out your data centers' power.
What is the term for the amount of time this server can be non-functional?
- Acceptable Interruption Window (AIW)
- Business Impact Analysis (BIA)
- Recovery Time Objective (RTO)
- Service Delivery Objective (SDO)
Correct answer: Acceptable Interruption Window (AIW)
The AIW is the maximum amount of time a system can be non-functional before there is a severe impact on the business.
The BIA is the exercise of determining the criticality and sensitivity of information assets. During the BIA, the AIW, RTO, and SDO are defined. The RTO is the window of time available to do the work of restoring the system. The SDO is the level of service that a system must achieve when the business is working at an alternate site. Think about things like the number of connections per minute the server can accept.
20. Change control and release management are part of which component of the security program?
- Operational
- Management
- Administrative
- Technical
Correct answer: Operational
Change control and release management are part of the operational component of a security program.
The technical component would include things such as servers and firewalls. The management component would include activities like standard development, policy reviews, and oversight initiatives. The administrative component includes financial, HR, and other such functions.