ISACA CISM Exam Questions

Page 10 of 50

181.

Jeff is working with the software development team to ensure that the code that is used supports the software application beyond what a traditional operating system is designed to do. This code is known as:

  • Middleware

  • Source code

  • Binaries

  • Libraries

Correct answer: Middleware

Middleware works between the system and the application. It is an intermediate layer. It can also be found between the client and the server, or between the application and the Database Management System (DBMS).

Binaries are the compiled code that allows a program to be installed. Source code is the program in its original programming language, such as Java, C++, or Ruby. A library is a location on a site where files and key information about those files are stored.

182.

Data retention policies should:

  • Meet the business needs and legal requirements

  • Meet only the legal requirements

  • Exceed the legal requirements

  • Meet the business needs

Correct answer: Meet the business needs and legal requirements

Data retention should, at a minimum, meet the legal requirements of the applicable laws and jurisdictions. The business often needs a longer retention period. The business's needs should be met, unless, of course, they violate the legal requirements.

183.

If a security incident has caused the functionality of a critical Information Technology (IT) system to be significantly reduced, what aspect of security has been affected?

  • Availability

  • Integrity

  • Confidentiality

  • Risk

Correct answer: Availability

Availability means that the system and data must be usable when the end-users need them. If there is a severe reduction in the functionality of a critical system, it can impact the corporation's mission.

Integrity says that the data and system must not be changed or modified inappropriately. Confidentiality means that business secrets must be protected so that they are not shown to someone not allowed to see that information. Risk is a combination of likelihood and probability.

184.

One of the first tests that should be performed on the Disaster Recovery Plan (DRP) that has the team members talking through the plan and reviewing it on paper ONLY is the:

  • Structured walkthrough

  • Simulation

  • Parallel test

  • Checklist

Correct answer: Structured walkthrough

The structured walkthrough is also known as a tabletop exercise because it occurs in a room while the team members are seated at a table. It is not an exercise that has any actions taken on the network or business processes.

The parallel test brings the alternate site up and operational alongside the functioning business. In other words, the company's operations should not be interrupted.

A simulation is effectively a role-playing game, but the alternate processing capability is not activated. A simple example is a fire drill: you pretend there is a fire and physically go through the motions of exiting, but you do not start a fire.

A checklist has the team ensuring that everything that is needed in the plan did in fact end up in the plan.

185.

What does a KPI do?

  • Quantify the impact of a change

  • Uniquely identify a particular component

  • Measure whether an IT department has achieved its goals

  • Quantify risk for a risk register

Correct answer: Quantify the impact of a change

KPIs, or key performance indicators, are any indicators that allow a user to see how effective some configuration setting is. For example, viewing how a new firewall rule changes network traffic flows would be a key performance indicator. KPIs can also be indicators of power usage, device storage, or memory utilization.

A key goal indicator (KGI) is used to measure whether an IT department has achieved its goals.

There is no "K*I" term for uniquely identifying components or for quantifying risk for a risk register.

186.

If a team is performing a forensic analysis, what phase of incident management are they in?

  • Containment, analysis, tracking, and recovery

  • Planning and preparation

  • Detection, triage, and investigation

  • Post-incident assessment

Correct answer: Containment, analysis, tracking, and recovery

The containment, analysis, tracking, and recovery phase is when a forensic analysis should be performed.

Planning and preparation is when policies are written and tools are acquired. Detection, triage, and investigation is the initial response to an event. In that phase, triage is performed so that the most critical incidents are handled first. Post-incident assessment is when a postmortem is conducted and feedback is given based on lessons learned.

187.

Which of the following is LEAST likely to be an example of ongoing administration?

  • Vulnerability scanning

  • Record-keeping

  • Budgeting

  • Project management

Correct answer: Vulnerability scanning

Vulnerability scanning is least likely to be an example of ongoing administration, as it is not typically performed continuously. If vulnerability scans are continuous, they may disrupt enterprise systems. Vulnerability scanners actively interact with targets by sending packets of data. If a system is receiving business-related data on top of that and a vulnerability scan causes a slowdown in traffic flow, it can disrupt customer service or other business activities.

Record-keeping, budgeting, and project management are continuous processes within an organization. Organizations always need to budget for financial purposes. Projects are constant, whether large or small. Record-keeping of anything occurring in the enterprise is constant.

188.

If you are contemplating moving some of your data and functions to the public cloud, what would be MOST prudent to move to the cloud first?

  • Low-value, noncritical services

  • Low-value, critical services

  • High-value, critical services

  • High-value, noncritical services

Correct answer: Low-value, noncritical services

Since moving to the public cloud involves putting your functions and data into someone else's physical possession, it is usually most prudent to transfer data and functions that would be the lowest risk first.

If it is a critical service with either low or high value and is not configured correctly, it would be a hazardous proposition. If it is high-value and there is a breach, that could be very bad as well. So, until the services and the vendor are understood fully, it is best to initially move low-value and noncritical services.

189.

What term is used to describe the redundant cabling with alternative routing in place to MINIMIZE the impact of a cable break in the voice communication structure?

  • Voice recovery

  • Long-haul network diversity

  • Recovery Time Objective (RTO)

  • Redundancy

Correct answer: Voice recovery

Having an alternate cabling structure so that a cut line will not also sever the company's ability to talk to its customers (or anyone else) is called voice recovery. It is a type of redundancy.

Redundancy is not the best option here, since voice recovery matches the description in the question. Long-haul network diversity is redundancy within the service provider's core network. That network could carry data, voice, or video. Recovery Time Objective (RTO) is the time that can be taken to restart a failed service before there is a significant impact on the company.

190.

In what instance would an insurance company be LEAST likely to provide coverage after a cybersecurity incident?

  • Negligence of regulations

  • Damage to physical systems

  • Loss of software

  • Mistakes by employees

Correct answer: Negligence of regulations

An insurance company is least likely to provide coverage after negligence of regulations. Generally, insurance companies provide coverage in agreed-upon circumstances. The amount of coverage and what is covered is based upon making a profit and also being competitive with other companies. Insurance companies would likely make little profit if they covered every instance of negligence.

Insurance companies cover damage to physical systems due to accidents and disasters, loss of software due to unforeseen circumstances, and even honest mistakes by employees. There are a variety of categories within insurance, such as errors and omissions or professional and commercial liability, which are typically covered under insurance.

191.

Suppose a business has been disrupted because of ransomware. The ransomware encrypted 80% of the data needed to function.

What type of plan would be used to recover?

  • It must be defined within a corporation

  • Incident Response Plan (IRP)

  • Emergency management plan

  • Disaster Recovery Plan (DRP)

Correct answer: It must be defined within a corporation

ISACA uses the following definitions within its 16th edition CISM manual. It is hard to distinguish between them. ISACA even states on page 282 that the same words are used to describe a Disaster Recovery Plan (DRP) and a Business Continuity Plan (BCP). Within any given business, it is essential that these terms are defined and clarified. It is critical that they are understandable and consistently used.

Emergency management activities are the events that require prompt attention to recover operational status. Incident Response Plans (IRPs) are used for unplanned interruption of business activities. A Disaster Recovery Plan (DRP) is for preventing, mitigating, and recovering from disruption. A disaster must be declared for this plan to be used.

192.

During an incident response, there are many tasks that need to be completed. Who would write the report on the investigation findings?

  • Investigator

  • Incident handler

  • Information security manager

  • Legal representative

Correct answer: Investigator

The investigator writes the report on the investigation findings.

The incident handler writes the report on the incident response. This question is not trying to trick you — just watch the wording carefully. The legal representative works to ensure that all actions taken are within legal and regulatory requirements. The information security manager oversees the Incident Management Team (IMT) and possibly the Incident Response Team (IRT). They would not write the investigation findings report, as they were not doing the actual work.

193.

As a new information security manager, you have learned that a ransomware attack recently hit your new business. The company ended up losing data that it was unable to recover.

What security control was probably NOT in place that you need to ensure is appropriately added?

  • Offsite, offline backups

  • Cloud backups

  • Patch management

  • Policy regarding user email behavior

Correct answer: Offsite, offline backups

The focus of the question is the data. Therefore, the answer is data backup. The offline answer is best because it cannot be hit by ransomware if it is offline.

Patching must be done better, as it is likely the attacker exploited something. The attacker's entry could have been through a phishing email that a user clicked on. However, neither patching nor improving email behavior ensures that data will not be lost in the future. Cloud backups could help in a ransomware attack, but that depends on how the backup process is connected. Since it may or may not be safe from the ransomware and there is an offline backup option, it is not the best answer. A 3-2-1 (three copies, two media types, one offsite) backup rule is essential.

194.

Key Performance Indicators (KPIs) designed for an information security program should drive:

  • Key actions

  • Audit activities

  • Legal reviews

  • Critical Success Factors (CSFs)

Correct answer: Key actions

A strategic objective should cause CSFs to be identified. Once they are identified, the KPIs can be developed. A KPI helps to explain what actions are essential to take. The actions could be an audit, a legal review, or many other things.

195.

When determining which offsite facility is the best option (e.g., hot site, mobile site, etc.), what is the MOST critical thing to know?

  • Recovery Time Objective (RTO)

  • Recovery Point Objective (RPO)

  • Business Impact Analysis (BIA)

  • Service Delivery Objective (SDO)

Correct answer: Recovery Time Objective (RTO)

The Recovery Time Objective (RTO) is the single biggest influence on the type of alternative site you should choose.

You figure out the RTO by doing a Business Impact Analysis (BIA). RTO is the correct answer, though, because it asks for a "thing to know," not a thing to do. The Recovery Point Objective (RPO) is relevant to data backup types. The Service Delivery Objective (SDO) affects the type and quantity of systems at the alternate site.

196.

What is the BEST description of the relationship between risk appetite and risk capacity?

  • The risk appetite should not exceed the business's risk capacity.

  • The risk appetite should not exceed the tolerance level of the risk capacity.

  • The risk capacity plus risk tolerance define the risk appetite.

  • Risk tolerance minus risk capacity results in risk appetite.

Correct answer: The risk appetite should not exceed the business's risk capacity.

A business can only tolerate so much loss—such as loss of income, loss of customers, or loss of goodwill—before its ability to survive is questionable. That amount of risk is its capacity. Risk appetite is the amount of risk that the board and senior management are willing to bear. It should not exceed the business's capacity. Risk tolerance is the level of variation that management is ready to contend with concerning a specific risk.

197.

When a disaster is declared, that usually indicates that:

  • Operations need to be moved to an alternate site

  • It is now time to perform a damage assessment

  • The Incident Response Plan (IRP) failed

  • All operations have ceased and the business is likely to fail

Correct answer: Operations need to be moved to an alternate site

When an incident occurs, the incident response begins. An incident can escalate to a disaster, but that does not mean that the incident response failed. The incident response may be able to start the response but be unable to handle everything that must be done because of the incident's scope.

If there are life safety concerns, that must be handled first. Then a damage assessment is performed. If the damage assessment shows that operations will not be recoverable at the primary site within the necessary timeframe for business success (Maximum Tolerable Outage (MTO) and Recovery Time Objectives (RTO)), then a disaster is declared. A disaster declaration means that the Disaster Recovery Plan (DRP) is started. The general purpose of DRPs is to move IT operations to another site or into the cloud. A disaster declaration does not mean the business will fail. If it is not declared and action is not taken to restore systems using the DRP, then the business might fail.

198.

Incident response activities would typically occur in what order?

  • Detect, triage, contain, restore, and report

  • Detect, contain, restore, triage, report

  • Detect, report, contain, triage, restore

  • Contain, detect, triage, report, restore

Correct answer: Detect, triage, contain, restore, and report

  1. An incident must be detected for anything else to happen.
  2. Then triage occurs, which will diagnose the incident and prioritize actions to be taken.
  3. The first action is to contain the damage so that it does not get any worse than necessary.
  4. Once it is contained, it is essential to restore the systems to normal.
  5. The final step is to document and report on the incident in total.

As a side note, containment might occur earlier, depending on the exact incident. For example, if you know your computer is being eaten by a virus (detection), you might contain it by disconnecting it from the network before actual triage occurs. So, the order here is the typical set of steps or, you could say, the theoretical order of the steps.

199.

During an attack, the bad actor may work to gain access to the administrator's permission levels on a network, even possibly the domain administrator's account. If the attack is an Advanced Persistent Threat (APT), which phase would include these activities?

  • Escalate privileges

  • Internal reconnaissance

  • Move laterally

  • Initial compromise

Correct answer: Escalate privileges

Gaining administrator permissions could occur at the initial compromise, but it is unlikely. The initial compromise is usually through social engineering, phishing, viruses, etc., which will gain a random user's level of access. Escalating privileges has the goal of obtaining higher permissions. So, that is the best answer out of these four options. Moving laterally is to jump from one computer to another, including servers, routers, switches, etc. Internal reconnaissance is the act of collecting information. Reconnaissance is defined as a "survey to gain information."

200.

If the information could be corrupted and the company has determined that they must protect it, it would be good to add what kind of security control?

  • Redundant Array of Independent Disks (RAID)

  • Content filtering

  • Public Key Infrastructure (PKI)

  • Intrusion Detection System (IDS)

Correct answer: Redundant Array of Independent Disks (RAID)

It may not be the best of all options that exist, but it is the only one that works here. RAID (most versions) has error detection built into it, with the ability to rebuild the data. Content filtering watches data for anything inappropriate (think child browser protection or spam filters). It would not help protect data from being corrupted.

PKI is the logic of creating and protecting public keys (as well as private keys). These keys are used for the encryption and decryption of symmetric keys or data. That encryption does not have error detection built in. If you argue that the data cannot be decrypted and therefore it has error detection, that is fine, but it does not stop the corruption or recover from it. An IDS may witness the cause of the corruption of the data, but it also does not stop it nor solve the corruption problem.