ISACA CISM Exam Questions
Page 3 of 50
41.
The assessment step of the Risk Management Framework (NIST SP 800-37) from the National Institute of Standards and Technology (NIST) contains six steps. Which of the following has them in the CORRECT order?
- Assessor selection, Assessment plan, Control assessments, Assessment reports, Remediation actions, Plan of action and milestones
- Assessment plan, Assessor selection, Control assessments, Remediation actions, Assessment reports, Plan of action and milestones
- Assessment plan, Control assessments, Assessor selection, Remediation actions, Plan of action and milestones, Assessment reports
- Assessor selection, Control assessments, Remediation actions, Assessment plan, Plan of action and milestones, Assessment reports
Correct answer: Assessor selection, Assessment plan, Control assessments, Assessment reports, Remediation actions, Plan of action and milestones
The first step is to select an internal or external assessor; someone has to do this work. Then the assessment is planned. This follows the logic of Plan, Do, Check, and Act (PDCA). Do is the next step: the control assessments. After an assessment, a report must be produced that says what the assessor found; this can be considered Check. Then remediation actions are developed so that Action can be taken to fix what is appropriate. With those remediation actions, there must be a plan describing how to carry them out, with milestones along the way.
42.
In developing Information Security (IS) governance, the information security manager must plan the physical architecture of the network. The physical architecture is made up of:
- Firewalls, databases, switches, servers, routers, and all required connections
- Firewalls, servers, Data Base Management System (DBMS), routers, and switches
- Servers, firewalls, switches, Application Programming Interfaces (APIs), and routers
- APIs, DBMS, routers, switches, servers, databases, and firewalls
Correct answer: Firewalls, databases, switches, servers, routers, and all required connections
DBMS and APIs are logical structures, not physical. The firewalls, databases, switches, routers, and servers are all physical.
43.
Working as the information security manager for a consulting firm, you have identified a specific risk. Assessing the risk shows that it is a moderate risk for data that is sensitive.
For what reason would you NOT put a control in place to protect it?
- There is no cost-effective way to mitigate that risk.
- The law says that you do not need to protect it.
- The Board of Directors (BoD) is unaware of the risk.
- There is no reason; it must always be mitigated.
Correct answer: There is no cost-effective way to mitigate that risk.
If there is no cost-effective way to mitigate the risk, then it is plausible that the risk will be accepted.
Risk acceptance must be done consciously, so the BoD not knowing about it is not acceptable. Laws specify what must be done to protect data. They do not exist to tell you what you do not have to do, so that answer is just a bit odd. Not all risks will be mitigated. It is just not plausible to think that all risks to all assets will always be mitigated. That is just too expensive.
44.
If the quality and granularity of information senior management uses to make decisions is not adequately managed, what type of risk is this?
- Strategic risk
- Technology risk
- Criminal and illicit acts risk
- Supplier risk
Correct answer: Strategic risk
Strategic risk is the failure to meet the long-term strategic goals of a business. If the information that they are provided is insufficient, then they cannot do their job correctly.
Technology risk is the failure to plan, manage and monitor the performance of technology-related projects, products, etc. Criminal and illicit acts risk is the loss or damage caused by fraud, theft, willful neglect, vandalism, extortion, etc. Supplier risk is the failure to adequately evaluate suppliers' capabilities, leading to breakdowns in the supply process or substandard delivery of supplied goods and services. Think about the lack of toilet paper during the 2020 COVID lockdowns.
45.
Phishing and ransomware can best be stopped by:
- Awareness and training for the users and staff
- Anti-malware software on all servers with up-to-date signatures
- Firewall and Intrusion Prevention Systems (IPS) at network ingress
- The use of blocklists to prevent messages from certain territories
Correct answer: Awareness and training for the users and staff
Spam blockers or anti-malware software may catch phishing emails.
Firewalls and IPS will not normally stop or block messages. Firewalls usually block certain types of traffic or content, but recognizing an email as phishing is beyond their capability. The IPS looks for intrusions, which these emails are not. Using blocklists (formerly called blacklists, a term now considered offensive) is not too helpful because hackers get into email systems and send phishing from valid accounts. Therefore, the best thing to do is to ensure that all staff are trained regularly to spot these emails and, in general, to be suspicious of emails.
46.
Information security governance requires a wide array of people and teams to work towards success. Risk management is an essential step towards successful governance.
The information security manager should:
- Ensure that risk assessments are conducted
- Ensure roles and responsibilities include risk management
- Oversee a policy on risk management
- Evaluate and report on risk practices and results
Correct answer: Ensure that risk assessments are conducted
Information security managers have to ensure that risk assessments and business impact assessments are conducted.
Executive management is responsible for roles and responsibilities. Oversight is done by the Board of Directors (BoD). Audit executives would best evaluate practices.
47.
You are working on Business Continuity Planning (BCP) as the information security manager for a real estate company. You are currently looking into the availability needs of customer data.
Which of the following technologies has the HIGHEST availability?
- Storage Area Network (SAN)
- Network Attached Storage (NAS)
- Direct Attached Storage (DAS)
- Solid State Drive (SSD)
Correct answer: Storage Area Network (SAN)
A Storage Area Network (SAN) is a high-speed network that allows faster access to data. It also supports disk mirroring, backups, as well as many other features.
A Network Attached Storage (NAS) is attached to the existing Local Area Network (LAN), which is probably Ethernet. It is reasonably reliable but does not have all of the features of a SAN. Direct Attached Storage (DAS) is storage attached to the server or end station directly. It can be accessible from the network depending on the use of that end station. A Solid State Drive (SSD) is a type of drive that replaces magnetic media. It is more reliable, but for managing customer data within a business, the SAN is the critical technology that is needed.
48.
As an information security manager, you are working with a team going through the risk management process. The team is in the middle of using risk scenarios to determine the range and nature of the corporation's risk.
This is the:
- Risk identification step
- Risk analysis step
- Risk evaluation step
- Risk management step
Correct answer: Risk identification step
In the identification step, you are using scenarios to determine the range and nature of risk.
Risk analysis then combines vulnerability and threat information to assess the risk of compromise. It is usually done with quantitative or qualitative processes. Risk evaluation is then the process of taking that information from the risk analysis step and establishing criteria for risk treatment. Risk management includes all three steps of evaluation, analysis, and identification, as well as more.
49.
While doing their annual risk assessment for Business Continuity Planning (BCP), a research firm determined that they could tolerate losing four hours of their data. More than four hours would cause a great deal of damage to their business.
What have they defined?
- Recovery Point Objective (RPO)
- Recovery Time Objective (RTO)
- Maximum Tolerable Downtime (MTD)
- Service Delivery Objective (SDO)
Correct answer: Recovery Point Objective (RPO)
The Recovery Point Objective (RPO) defines the maximum acceptable amount of data loss measured in time. It represents how far back in time a business can go to recover data after a disruption without significant impact. For example, if the RPO is four hours, the organization can lose up to four hours' worth of data without severe consequences.
The Recovery Time Objective (RTO) is the time it takes for a service or system to be restored after an interruption.
Maximum Tolerable Downtime (MTD) refers to the maximum amount of time a business process can be inoperative without causing significant damage.
The Service Delivery Objective (SDO) is the level of functionality a system must achieve to operate adequately after recovery.
50.
Management wants to create a set of workplace rules that will allow for an understanding of appropriate behavior while using company property. What term BEST describes this set of rules?
- Acceptable use policy
- Non-disclosure agreement
- Means of use
- Code of ethics
Correct answer: Acceptable use policy
Employees will usually sign an acceptable use policy, which states they acknowledge and agree to abide by appropriate rules of behavior when using company property. Typically, companies will develop this policy alongside their human resources division to ensure it is fair and enforceable.
A non-disclosure agreement involves employees agreeing not to disclose sensitive information that could jeopardize the company in any way. A code of ethics is a behavior-focused approach to ensuring ethical behavior in the workplace, not necessarily directed at only using company property. Means of use is not an ISACA term.
51.
When identifying important assets, what criteria would be of LEAST importance for an organization to take into consideration?
- Asset popularity in the industry
- Effect on overall operations
- Dependencies
- Ability to work around the issue
Correct answer: Asset popularity in the industry
Asset popularity in the industry is least important for an organization: what works for one business may not work for others, and an asset that is unpopular elsewhere may fit the organization's needs perfectly. Any organization has to consider the fact that new equipment means retraining employees to proficiency, which is risky and can impede business when unneeded.
What does matter is how the assets impact operations, what is dependent on the assets in question, and how the workplace utilizes resources and works around the issue of not using the most popular assets.
52.
Which of the following is LEAST likely to be covered by insurance?
- A company decides not to encrypt data to follow GDPR in an effort to avoid key management, resulting in a breach
- An employee of a company mistakenly releases customer data
- Enterprise equipment is damaged after a water pipe breaks
- An ex-employee reveals classified information
Correct answer: A company decides not to encrypt data to follow GDPR in an effort to avoid key management, resulting in a breach
A company that decides not to encrypt data that must be encrypted by regulation and subsequently is breached would not be covered by insurance. This is because it was wilfully negligent, not an accident.
An employee making an honest mistake would likely be covered by insurance. Company assets being damaged by disasters or accidents would also be covered, along with ex-employees releasing information maliciously.
53.
As an information security professional, you have discovered that a policy is not being followed consistently. There are many possible reasons, but of the following, which is MOST LIKELY?
- The policy does not align with the information security strategy.
- The policy is not in alignment with corporate culture.
- Awareness training does not include policy discussions.
- Auditors have not reviewed and assessed the policy.
Correct answer: The policy does not align with the information security strategy.
The policy must be in alignment with corporate strategy. If it is not, that will cause issues, and it is a perfect place to begin your investigation. If it is not aligned with the strategy, that could mean it is also not aligned with the culture; the strategy answer is better because it could include cultural issues. If training does not include policy discussions, the users would not know about the policy and therefore would not follow it, but strategy misalignment is the more significant and more inclusive issue. Whether or not auditors have reviewed and assessed the policy would not be the reason the policy is not being followed.
54.
A security control baseline is:
- The minimum security requirement for a control
- The procedural steps for configuration
- The goals and objectives from management
- The sum of the controls required
Correct answer: The minimum security requirement for a control
The security control baseline is the minimum amount of security measures that must be employed by the organization. For many controls, it is the actual configuration. This will have details for different classification levels when the configurations change as appropriate.
A baseline is not the sum of the controls. There will be different baselines for different classifications. The procedural steps are actually called procedures. The goals and objectives are documented within policies.
55.
Paalavi has been working with the telecom and data provider to ensure that a backhoe cannot dig up all of the cables that provide access to their Wide Area Network (WAN). What has he been working on?
- Last-mile protection
- Voice recovery
- Alternative routing
- Redundancy
Correct answer: Last-mile protection
The best answer here is last-mile protection.
In protecting that last mile, redundancy is added, but in this context, redundancy would be considered within the network. Alternative routing is a possible answer, but the situation does not involve a different medium, such as dial-up, cellular, microwave, fiber vs. cable, etc. Voice recovery is close in that it ensures that the telecoms continue to work, but again, the better answer is last-mile protection because of the very specific scenario.
56.
If an information security manager determines that a vendor change needs to occur with the internet-facing firewalls, to obtain the funding they:
- Should create a business case to show cost/benefit analysis so management can make an informed decision
- Need to create a compelling PowerPoint presentation for the Board of Directors (BoD)
- Should deliver essential marketing materials to the Chief Executive Officer (CEO)
- Need to provide a presentation to the Chief Information Officer (CIO) on the changes coming to Information Technology (IT)
Correct answer: Should create a business case to show cost/benefit analysis so management can make an informed decision
A business case is a critical tool for information security management. It begins as a critical look at why a change needs to be made and the cost/benefit of that change.
Presentations to the BoD and the CIO are not the most effective method. There may be a business case presentation, but the other answer is better because it actually says "business case." Marketing materials to a CEO are not effective as they are likely to sit at a desk until they're thrown out, especially without all of the information that would be in a business case.
57.
Which of the core goals of an incident management strategy is the HARDEST to achieve?
- Eliminating threats
- Mitigating threats
- Reducing threat likelihood
- Reducing potential threat impacts
Correct answer: Eliminating threats
The three core elements of an incident management strategy are eliminating or neutralizing threats, minimizing the likelihood of a threat, and minimizing a threat's potential impacts. Eliminating threats is the hardest goal to achieve because it may be impossible to do so.
Mitigating threats is an umbrella term that covers both reducing the likelihood of a threat and minimizing a threat's potential impacts.
58.
What is the term used for the electronic health information of individuals?
- ePHI
- PII
- PCI
- PRL
Correct answer: ePHI
ePHI is electronic personal health information. This is the electronic form of individuals' health information that a business would have control of and must secure.
PII (personally identifiable information) is any information that could be traced back to a person. PCI (payment card industry) includes PCI-DSS standards to protect credit card information stored and used on behalf of individuals. A PRL (preferred roaming list) is embedded in cellular devices and allows a cellular device to specify certain bands and service provider IDs to be used when searching for a signal.
59.
Harris and his team have been working to determine critical systems, their interdependencies, possible disruptions, and providing information on possible restoration methods. What have they been doing?
- A Business Impact Analysis (BIA)
- A gap analysis
- A formal audit/assessment
- A risk assessment
Correct answer: A Business Impact Analysis (BIA)
The question covers the basics of a BIA.
A gap analysis looks at the difference between where you are and where you want to be. A formal audit involves someone coming in from the outside world, and the question does not state or imply that this is the case. Additionally, an audit looks to see if things are being done according to a standard, framework, policy, etc. A risk assessment does look at critical systems and what can happen to them, but not at possible restoration methods, making it incorrect.
60.
When assessing risk within your corporation, it is advisable to utilize one of the available documents to guide you through the process. Which of the following can be used to assess risk?
- International Standards Organization (ISO) 27005
- International Standards Organization (ISO) 27002
- Capability Maturity Model Integration (CMMI)
- Data Maturity Model (DMM)
Correct answer: International Standards Organization (ISO) 27005
ISO 27005 is titled "Information technology — Security techniques — Information security risk management."
ISO 27002 is fundamentally a list of all controls. So, there is a mention of risk assessment there, but 27005 is dedicated to it. Capability Maturity Model Integration (CMMI) is used to assess the maturity of processes like software development. Data Maturity Model (DMM) is also a maturity assessment, but it is for data specifically.