ISACA CISM Exam Questions

Page 2 of 50

21.

An organization wants to determine the risk associated with implementing some legacy systems within their network. They have narrowed the list down to several factors but need to decide which one is least important to consider, so that they can keep their focus on the most important factors.

Which of the following is LEAST likely to assist in determining risk?

  • Financial utilization of the enterprise

  • Skill of the attacker

  • Motivation of the attacker

  • Interdependency

Correct answer: Financial utilization of the enterprise

Finances would be the least likely consideration for determining risk, as compensating controls can allow for mitigating risk while reducing financial burdens. This is typically common with devices that are at the end of support or end-of-life phase.

The skill of a potential attacker, their motivation, and the dependency on whatever is at risk are the most important factors for an organization. Simply put, an organization needs to identify what is most vulnerable, who is targeting it, and then decide the best way to defend it. It may be necessary to purchase state-of-the-art equipment, or perhaps just compensate with an additional firewall for a fraction of the price.

22.

Honeypots, security cameras, and SIEMs are BEST related to what type of security mechanism?

  • Detective

  • Containment

  • Reaction

  • Prevention

Correct answer: Detective

Honeypots, security cameras, and SIEMs are detective security mechanisms because their primary job is to detect a security incident.

These controls do not necessarily contain anything, SIEMs do not directly respond to an incident, and none of them necessarily prevent an incident from occurring. In all instances, honeypots, security cameras, and SIEMs detect an incident and record activity, producing an audit trail (logs, video footage) for later investigative work.

23.

Metrics are essential to information security programs. Of the following, which type of metrics would likely be of MORE interest to senior management?

  • Results of disaster recovery testing

  • Firewall log analysis metrics

  • Patch management status

  • Vulnerability scan results

Correct answer: Results of disaster recovery testing

Senior management would likely want to know about anything that could impact the management of the business. Suppose the disaster recovery processes are not working. In that case, senior management should understand that if there is a significant incident classified as a disaster, they risk losing substantial amounts of money, or even the business.

Policy, patch, and vulnerability information may occasionally carry that kind of business-impact information, but typically does not. The information security manager needs to know about policy compliance issues and patch status, and the IT security manager should know about the vulnerability scan results.

24.

Information security metrics should be tied to:

  • Information security objectives

  • Management's goals and objectives

  • Risk assessments

  • Privacy laws

Correct answer: Information security objectives

For metrics to be helpful, they need to show what progress, if any, has been made, which requires tying them to the information security objectives.

They would be tied to management's goals and objectives through many steps, but the direct link from security metrics is security objectives. Risk assessments are used to determine the risk response to take once a threat is understood. If applicable, privacy laws should drive senior management's goals and objectives, which should be reflected in the organizational goals and objectives that inform the information security objectives.

25.

Reviews of information security program components aid the oversight to ensure that requirements are fulfilled and that the program is consistent with strategic direction. Which component of the security program is this a part of?

  • Management

  • Administrative

  • Technical

  • Operational

Correct answer: Management

The management component would include activities like standards development, policy reviews, and oversight initiatives.

The operational component includes things like change control and release management. The technical component includes things such as servers and firewalls. The administrative component includes financial, HR, and other functions.

26.

Access Control enforcement would be considered a:

  • Preventive control

  • Compensating control

  • Deterrent control

  • Corrective control

Correct answer: Preventive control

Access control is considered preventive because it prevents unauthorized access. This is what it was designed to do, and even if it is not perfect at it, it still belongs in this category.

It could be considered a deterrent control, but its primary purpose is preventing unauthorized access. A lock on a door could be regarded as a deterrent, as it is only designed to slow unauthorized access. A compensating control is used to offset a weakness in another control; for example, a second authentication factor could compensate for an authentication system that relies on weak passwords. A corrective control remediates impact. There is no impact if access control does its job of blocking unauthorized access.

27.

Information Technology (IT) and Information Security (IS) must work together to enable and advance the business securely. What relationship should they have with each other?

  • IS is concerned with securing the network and the business, and IT is concerned with ensuring the availability of the network and resources.

  • IT is concerned with securing the network after all goals are created by IS.

  • IS develops the objectives that IT must follow when creating their plans for how to secure the network and associated resources.

  • IT tells IS the goals they must follow while creating the security plan for IT.

Correct answer: IS is concerned with securing the network and the business, and IT is concerned with ensuring the availability of the network and resources.

IS and IT create their outcomes, requirements, and objectives independently. IT is concerned with functionality. IS is concerned with the security of IT and the rest of the business.

28.

If the Incident Management Team (IMT) evaluates the computing infrastructure by using a security assessment tool, they are in what phase of the incident response lifecycle?

  • Protect

  • Respond

  • Detect

  • Triage

Correct answer: Protect

In the protect phase, actions are taken to reduce the likelihood of an attack and the impact if it does happen.

The respond phase consists of the actions taken to address, resolve, or mitigate an incident. The detect phase is where an Intrusion Detection System (IDS) sends an alert or log entry, or where a user forwards a suspicious email, calls the help desk about a concern, and so on. Triage is the prioritization of incidents so that they are assigned to the Incident Management Team (IMT) in an appropriate order.

29.

Which role would MOST likely be responsible for publishing cybersecurity training materials for general employee use outside of the IT department?

  • Security awareness trainers

  • Business and functional managers

  • The producers of enterprise goods

  • Bug bounty program managers

Correct answer: Security awareness trainers

Security awareness trainers are typically those who use workstations and other things managed by IT. They have a vested interest in security and serve as a bridge between the IT department and other departments within the workplace to educate and inform everyone on cybersecurity.

Business and functional managers are those who manage directly above IT security practitioners. They are responsible for passing on and enforcing any policies, procedures, or regulations involved with those below them.

Producers of enterprise goods produce educational material, but it is typically geared more toward technical individuals who can understand the technical terms in a product manual.

Bug bounty program managers direct programs for identifying vulnerabilities, but wouldn't educate non-technical employees in a workplace.

30.

Which of the following types of measurements is included in risk register templates because they provide the MOST precise and granular information?

  • Quantitative

  • Qualitative

  • Objective

  • Subjective

Correct answer: Quantitative

Quantitative measurements are the most granular. They provide a precise measurement as accurately as we want because they are far more specific than a description. For example, the number 9.9 is more precise than the term "high" or "critical."

Qualitative measurements are synonymous with descriptive measurements.

Quantitative measurements are objective, and qualitative measurements should be as well. This means that they are not dependent on the person performing the measurement and their views (which would make them subjective).

31.

If an Advanced Persistent Threat (APT) is how the hacker or bad actor gains access to a corporation, they will at some point collect information on surrounding infrastructure and trust relationships. Which phase of the APT is this?

  • Internal reconnaissance

  • Establish foothold

  • Move laterally

  • Maintain presence

Correct answer: Internal reconnaissance

The internal reconnaissance phase is where attackers collect information on infrastructure, trust relationships, and the Windows domain structure.

If they are establishing a foothold, they are ensuring they have access by putting in backdoors or planting software that allows remote access. If they are moving laterally, they jump from one machine to the next (workstations, servers, routers, etc.). Maintaining their presence involves actions that allow them to ensure that they will have continued access.

32.

Which of the following is LEAST likely to be an incident management responsibility that an organization should consider?

  • Preparing employees to the level of first responders

  • Legal issues

  • Always being ready

  • Notifying necessary people

Correct answer: Preparing employees to the level of first responders

An organization is least likely to be responsible for training employees to the level of first responders. While basic first aid and CPR are important, going beyond that is unnecessary and may have a negative return on investment.

In any incident, an organization should consider legal issues, always be ready and prepared for an incident, and notify the appropriate people and have a call list.

33.

With recovery test metrics, which of the following describes the time from one failure to the next?

  • MTBF

  • MTTF

  • ARO

  • EF

Correct answer: MTBF

Mean time between failures (MTBF) is the average time between failures based upon multiple compared instances.

Mean time to failure (MTTF) is the average time it will take for an initial failure. Annual rate of occurrence (ARO) is how often something occurs in a year — you can use this measurement to determine the risk associated with repeated threats in a year, for example. The exposure factor (EF) of an asset is the percentage of that asset's value at risk.

34.

In developing an information security program, it is necessary that the information security manager ensures that risks are managed to the level of:

  • Risk acceptance

  • Risk capacity

  • Risk evaluation

  • Risk transfer

Correct answer: Risk acceptance

Managing risk involves reducing risk to an acceptable level as determined by management. This risk acceptance level must be within the risk capacity that the enterprise can withstand. The business is run the way management wants, though risk is managed to their acceptable level.

Risk capacity tells you at what point a company is likely to fail. Risk evaluation is the process of understanding the risks and threats a business can face. Risk transfer is a remediation method in which risk is most commonly transferred or shared with an insurance company.

35.

When selecting controls for use within your organization, as the information security manager, which type of control would be the BEST fit?

  • A control that has been tested, understood, and tied to business objectives

  • Automated controls are always preferred over manual controls

  • Manual controls work just as well as automated controls in any corporation

  • As long as the control allows business to continue, either manual or automated is fine

Correct answer: A control that has been tested, understood, and tied to business objectives

Without a lot more information than this question provides, it is not possible to state whether automated or manual is better. It must be tested, understood, and tied to business objectives. Saying that any control is fine so long as the business can continue is missing the control effectiveness confirmation with testing.

36.

When creating an information security plan, you must ensure that policies, standards, procedures, and guidelines are developed. How many information security policies does ISACA recommend?

  • Two dozen

  • One dozen

  • Less than 100

  • As many as needed

Correct answer: Two dozen

ISACA recommends that a program has two dozen or fewer information security policies, even for larger organizations.

37.

A corporation has determined that they cannot tolerate the loss of any transaction that has been committed to their sales database. Therefore, they can only tolerate losing a transaction that is in process. This is approximately 24 microseconds of tolerable loss.

What have they determined?

  • Recovery Point Objective (RPO)

  • Maximum Tolerable Outage (MTO)

  • Recovery Time Objective (RTO)

  • Service Delivery Objective (SDO)

Correct answer: Recovery Point Objective (RPO)

The RPO is the age of the data that must be restored after a failure, or the time's worth of data that can be lost.

The MTO is the total time that the business can be at the alternate site. The RTO is the time to recover, whether it is from failure to function or declaration of disaster to functionality. Neither is the topic of the question, so whichever definition you prefer does not make a difference in terms of answering this question. The SDO is the percentage of functionality at the alternate site, such as 80% of the normal number of calls/connections from customers per hour.

38.

As an information security manager, you know it is critical to track and monitor the success of an information security program. If you have identified that you want to "progress in control effectiveness testing," that would be an example of a(n):

  • Key Performance Indicator (KPI)

  • Key Goal Indicator (KGI)

  • Critical Success Factor (CSF)

  • Action plan metric

Correct answer: Key Performance Indicator (KPI)

KPIs show progress toward a goal.

KGI is the goal. CSFs are things that must be done to get there. KPIs and KGIs are examples of metrics.

39.

As a Disaster Recovery Plan (DRP) is being built for a corporation, the team will move through different phases. As the team moves from identifying a recovery strategy to developing the response and recovery plan, it is ESSENTIAL to:

  • Obtain management support

  • Research legal requirements

  • Communicate with shareholders

  • Enlist auditor support

Correct answer: Obtain management support

After a strategy is identified, the plan must be built. Building the alternate facilities, or whatever has been strategized, will usually cost a fair amount of money. It is essential to ensure that you have management support for the plan.

Legal requirements should have been researched before any strategies were created. Communication with shareholders will probably occur after the plan is developed rather than before. As there is no plan yet, just a strategy, auditor involvement of any kind is unlikely.

40.

Which of the following is the BEST example of a technical threat?

  • Abnormally hot servers due to HVAC failure

  • Emerging threats in cybersecurity

  • Shoulder surfing

  • Hurricanes

Correct answer: Abnormally hot servers due to HVAC failure

Abnormally hot servers due to an HVAC failure would be a technical threat, since it is the result of a technical device failing.

Emerging threats in cybersecurity refer to technical threats that involve technology. Shoulder surfing is a human threat, as it involves human interaction and direct human control. A hurricane is an environmental threat.