ISACA CISM Exam Questions

Page 4 of 50

61.

When implementing an intrusion detection system, which of the following LEAST describes the role of a risk owner?

  • Implements controls

  • Manages the risks of everything in an environment

  • Is held accountable for all risks

  • Prepares reports regarding risks and related controls

Correct answer: Implements controls

When implementing an intrusion detection system (IDS), implementing controls falls under the scope of the control owner. In this instance, a control owner is responsible for the specific technical control and is given direction by the risk owner.

In any instance, a risk owner manages risks, is held accountable for the risks, and prepares reports regarding the risks and assigned controls. The risk owner and the control owner may be the same person in a small organization, but the roles are distinct: the risk owner decides how much risk is acceptable and which controls are needed, while the control owner implements and operates them. This is important to understand for accountability purposes, as someone needs to be responsible and accountable in the event of something going wrong.

62.

Which of the following is the greatest metric to determine the likelihood of an attempted breach of a public-facing web server?

  • Ten failed authentication attempts in ten minutes

  • Three ping sweeps in the past day

  • Vulnerability scan results

  • A CVSS score of 2.1

Correct answer: Ten failed authentication attempts in ten minutes

Ten failed authentication attempts in ten minutes is a clear signal that an attempted breach may be under way. This is a prime example of a key risk indicator (KRI).

Three ping sweeps in a day is normal for anything public-facing; internet-exposed hosts are scanned constantly. Vulnerability scan results and a CVSS score describe exposure (how vulnerable the server may be), not whether anyone is actually attempting to breach it, and a CVSS score of 2.1 is low enough that it would not normally be remediated first. A burst of failed authentication attempts is evidence of an active attempt, so of the four it is the strongest indicator of likelihood.
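The failed-authentication KRI described above, as an added example that is not part of the original page: a sliding-window count of failed logins per source address over constructed sshd-style log lines. The log format, host name, source addresses and the threshold of ten failures in ten minutes are assumptions for illustration. One caveat a practitioner would add: on an internet-facing server, ten failures in ten minutes across all sources may be background noise, so the count is kept per source and the threshold is tuned against the server's normal baseline.

```python
"""Failed-authentication key risk indicator over constructed auth-log lines.

Added example for this page, not code from the original. The sshd-style
log format, the host name, the source addresses and the threshold of
10 failures from one source within 10 minutes are assumptions for
illustration; adapt LINE_RE to the logs you actually collect.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): one source hammers the server,
# another fails twice, and one line is unrelated noise that must be skipped.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51122 ssh2
2024-05-01T10:00:40Z web01 sshd[1202]: Failed password for admin from 203.0.113.7 port 51123 ssh2
2024-05-01T10:01:15Z web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-05-01T10:01:50Z web01 sshd[1204]: Accepted password for deploy from 198.51.100.4 port 40011 ssh2
2024-05-01T10:02:00Z web01 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
2024-05-01T10:02:25Z web01 sshd[1205]: Failed password for admin from 203.0.113.7 port 51125 ssh2
2024-05-01T10:03:00Z web01 sshd[1206]: Failed password for invalid user test from 192.0.2.9 port 60001 ssh2
2024-05-01T10:03:35Z web01 sshd[1207]: Failed password for admin from 203.0.113.7 port 51126 ssh2
2024-05-01T10:04:10Z web01 sshd[1208]: Failed password for admin from 203.0.113.7 port 51127 ssh2
2024-05-01T10:04:45Z web01 sshd[1209]: Failed password for root from 203.0.113.7 port 51128 ssh2
2024-05-01T10:05:20Z web01 sshd[1210]: Failed password for admin from 203.0.113.7 port 51129 ssh2
2024-05-01T10:05:55Z web01 sshd[1211]: Failed password for invalid user oracle from 192.0.2.9 port 60002 ssh2
2024-05-01T10:06:30Z web01 sshd[1212]: Failed password for admin from 203.0.113.7 port 51130 ssh2
2024-05-01T10:07:05Z web01 sshd[1213]: Failed password for admin from 203.0.113.7 port 51131 ssh2
2024-05-01T10:30:00Z web01 sshd[1214]: Failed password for admin from 203.0.113.7 port 51132 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)


def parse_line(line):
    """Return (timestamp, failed, user, source_ip), or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"] == "Failed", m["user"], m["ip"]


def failed_auth_alerts(lines, threshold=10, window=timedelta(minutes=10)):
    """Sliding-window count of failed logins per source IP.

    Returns {source_ip: [time of each alert]}. Lines are assumed to be in
    chronological order, as they are when read from one log file. After an
    alert fires the window for that source is reset, so one burst produces
    one alert rather than one per additional failure.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    alerts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, failed, _user, ip = parsed
        if not failed:
            continue                        # successes are not counted against the KRI
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ip].append(ts)
            q.clear()
    return dict(alerts)


if __name__ == "__main__":
    for ip, times in failed_auth_alerts(SAMPLE_LOG.splitlines()).items():
        print(f"KRI breached by {ip} at {[t.isoformat() for t in times]}")
```

Run against the constructed log, only 203.0.113.7 trips the indicator (at 10:07:05, its tenth failure inside the window); the two failures from 192.0.2.9 and the isolated failure at 10:30 stay below threshold.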

63.

To implement the information security strategy efficiently and deliver on the value that the business needs, the information security manager MUST be able to:

  • Effectively plan and manage projects

  • Communicate with the Board of Directors (BoD)

  • Plan the annual audits

  • Understand and take actions based on new laws

Correct answer: Effectively plan and manage projects

Delivering value while implementing the security strategy requires information security managers to create plans that transition into projects and ensure that they are effectively managed, which requires project management skills.

Communicating with the BoD is an excellent skill to have, but it is not the talent needed to implement the strategy effectively; the emphasis here is on getting the work done. Planning audits and understanding new laws are also excellent skills to have, but they are not the ones needed to implement the strategy effectively.

64.

If a cloud is off of the customer's premises and is managed by someone else but is dedicated to that customer, it is a:

  • Private cloud

  • Public cloud

  • Hybrid cloud

  • Community cloud

Correct answer: Private cloud

This is the definition of a private cloud. It can be on or off premises. The corporation, or a third party, can manage it. The key is that it is dedicated to this single customer.

If the cloud is shared with others, it would be public or community. In a public cloud, many unrelated tenants share the provider's infrastructure but should neither know about each other nor see each other's data. In a community cloud, organizations with shared concerns share the infrastructure, the services, and possibly even the data. A hybrid cloud combines at least two of the three options: public, private, and community.

65.

If a business is concerned about stolen credentials allowing a bad actor to access a critical corporate database, what control could they add to REDUCE the probability of impersonation?

  • Multi-Factor Authentication (MFA)

  • Transport Layer Security (TLS)

  • Web Application Firewall (WAF)

  • Intrusion Prevention System (IPS)

Correct answer: Multi-Factor Authentication (MFA)

If a user accesses a database with only a user ID and password, then stolen credentials (whether leaked, phished, or guessed) give a bad actor the same access. Multi-Factor Authentication (MFA), done correctly, reduces the probability of a bad actor impersonating a user with stolen credentials because they would also have to compromise the second factor, such as the authenticator app (e.g., Google Authenticator) or hardware token that the user holds.

Transport Layer Security (TLS) encrypts the data in transit so that eavesdroppers cannot read it, but it does nothing to stop someone who presents valid stolen credentials. A Web Application Firewall (WAF) protects a web application, not a database; it blocks specific unwanted traffic patterns, and a login with correct credentials is not an unwanted pattern. An IPS blocks traffic that matches known attack signatures; a session authenticated with stolen credentials looks like legitimate use and does not trigger it.
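The second-factor check described above, as an added example that is not part of the original page and not any vendor's implementation: a password check combined with an RFC 4226/6238 TOTP verifier, including the clock-drift window and replay protection a production verifier needs. The Account class, the PBKDF2 parameters, the one-step drift allowance and the password are assumptions for illustration; the secret is the public RFC test key, used only so the codes can be checked against the published vectors.

```python
"""Password plus TOTP second factor, with drift window and replay protection.

Added example for this page, not the original's code and not a specific
vendor's implementation. HOTP/TOTP follow RFC 4226 / RFC 6238 (HMAC-SHA1,
30-second step, 6 digits). The Account class, the password-hashing
parameters and the one-step drift allowance are assumptions for
illustration; the secret is the public RFC test key.
"""
import hashlib
import hmac
import os
import struct

STEP = 30                 # TOTP time step in seconds (RFC 6238 default)
DRIFT = 1                 # accept the previous and next step to tolerate clock skew
PBKDF2_ROUNDS = 200_000   # assumed work factor for the password hash

RFC_TEST_SECRET = b"12345678901234567890"   # public test-vector key from RFC 4226 / RFC 6238


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(for_time) // STEP, digits)


class Account:
    """Constructed user record: salted password hash plus the shared TOTP secret."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        self.last_counter = -1   # highest TOTP counter already accepted, so a code cannot be replayed


def authenticate(account: Account, password: str, code: str, now: int) -> bool:
    """Both factors must pass: a stolen password without the device-held
    secret fails, and a code that was already used fails too."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), account.salt, PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, account.pw_hash)

    counter = int(now) // STEP
    matched = None
    for c in range(counter - DRIFT, counter + DRIFT + 1):
        if c <= account.last_counter:
            continue                          # replay protection: each step is accepted once
        expected = hotp(account.totp_secret, c)
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched = c
            break

    if not (password_ok and matched is not None):
        return False
    account.last_counter = matched
    return True


if __name__ == "__main__":
    acct = Account("correct-horse-battery", RFC_TEST_SECRET)
    now = 1111111109                          # one of the RFC 6238 test times
    fresh = totp(RFC_TEST_SECRET, now)
    print("password + fresh code :", authenticate(acct, "correct-horse-battery", fresh, now))
    print("same code replayed    :", authenticate(acct, "correct-horse-battery", fresh, now))
    print("stolen password only  :", authenticate(acct, "correct-horse-battery", "", now + STEP))
```

Two design points matter in practice. The verifier records the last accepted counter so that a code captured by a phishing page cannot be submitted a second time, and both factors are evaluated on every attempt so a wrong password and a wrong code take the same path. A six-digit code can still be brute-forced in at most a million tries, so the login endpoint must also rate-limit or lock out after a small number of failures.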

66.

If a business has a need for high availability of their core servers and they are worried about a disaster such as a fire occurring in their data center, what recovery site would be the BEST for them?

  • Mirror site

  • Duplicate site

  • Mobile site

  • Hot site

Correct answer: Mirror site

A mirror site quite literally mirrors the primary site, at least for the servers and services that require high availability. With a mirror site, both the primary and the secondary site are operational at the same time. A load balancer directs traffic in a distributed manner between them.

A duplicate site could be anything from a hot site to a reciprocal site, but it does require time to bring the site active. A mobile site is defined as moveable, but would not be expected to always be active. A hot site does have all of the IT equipment and operating systems, but it is missing people, data, and possibly programs, which will require a few hours of time to get operational.

67.

Which of the following is another term for resource pooling?

  • Ballooning

  • Measured services

  • Elasticity

  • Resource aggregation

Correct answer: Ballooning

Ballooning is the mechanism hypervisors such as Proxmox and VMware ESXi use to pool physical memory across guests, which is why the exam treats it as a synonym for resource pooling. A balloon driver inside each virtual machine inflates to reclaim memory the guest is not using so that the hypervisor can hand it to another guest, and deflates to give the memory back when the guest needs it.

Measured service means metering resource usage and billing customers on that basis. Elasticity is the ability to provision and release capacity rapidly as demand changes, taking and giving back resources as needed. Resource aggregation is not a term used on the exam, although it is the closest of the distractors in meaning to resource pooling.

68.

Technical metrics, such as monitoring that roles and responsibilities should be clearly defined, present a problem for upper management. What is the problem?

  • They do not provide information about strategic alignment.

  • Auditors do not look at roles and responsibilities.

  • Laws do not define what is needed. They must be invented here.

  • That is not even a technical metric.

Correct answer: They do not provide information about strategic alignment.

The technical metrics that we monitor—e.g., firewall rule changes, results from a BC/DR test, how effectively we use our resources or define roles and responsibilities—do not tell management if the program is in alignment with the corporation's strategy.

Auditors can and should, if in scope, examine defined roles and responsibilities, but that is unrelated to the question. Laws sometimes do define roles and responsibilities, and corporations do have to define their own; neither says anything about strategic alignment. Whether this is really a technical metric is debatable, but that too does not show strategic alignment. The first answer is the most definitive because it speaks directly to something senior management is interested in.

69.

Throughout the risk management process, decisions are made about what threat scenario to apply money and time to in order to reduce the likelihood and impact of specific threats. Which combination should have the corporation's attention, time, and money FIRST?

  • High likelihood, high impact

  • High likelihood, low impact

  • Medium likelihood, high impact

  • Low likelihood, high impact

Correct answer: High likelihood, high impact

The corporation's money and time should be spent first contending with the most likely threats that they will experience that will have the highest impact on the corporation and its ability to serve its customers. Once those threats are adequately addressed, the remaining options are prioritized. It is hard to say in what order they would be treated with controls, insurance, or anything else.

70.

Successful implementation of an information security strategy and the associated program, policies, goals, standards, and such requires an information security manager to ensure that they gain ongoing commitment from:

  • Senior leadership

  • The Board of Directors (BoD)

  • External auditors

  • Legal counsel

Correct answer: Senior leadership

Information security managers must get support from senior management.

Senior management gets support from the BoD. It is nice if auditors and legal counsel support the security efforts, but it is critical to have ongoing leadership support. If that support is not there, then budget and personnel are not allocated as needed to security projects.

71.

What corporate position would the Incident Response Team (IRT) leader hold?

  • Incident response manager

  • Information security manager

  • IT specialists

  • Investigators

Correct answer: Incident response manager

The incident response manager would be the IRT leader.

The information security manager would be the Incident Management Team (IMT) leader. IT specialists and investigators are subject matter experts needed as team members for both IMT and IRT.

72.

When developing an information security program, it is necessary that you, the information security manager, ensure that the information security objectives are tied to and based on the:

  • Enterprise's objectives

  • Risk assessment

  • Return on Investment (ROI)

  • Cost-benefit analysis

Correct answer: Enterprise's objectives

The information security objectives need to be based on the enterprise's objectives.

It will be necessary to do a risk assessment and choose the risk response that makes the most sense financially, from both an ROI and a cost-benefit analysis.

73.

Why would an organization conduct a pretest when testing their operational recovery?

  • To prepare for a simulation

  • To test recovery strategies before the simulation

  • To determine if the plan was effective enough

  • To determine if the testing is realistic for the environment

Correct answer: To prepare for a simulation

An organization would conduct a pretest before testing their operational recovery to ultimately prepare for a simulation. This pretest prepares everything for the actual test to make sure it can function and do so with accuracy.

The pretest does not actually test recovery strategies — the actual test does that. The test will then determine if the testing meets the needs of the environment and if the plan was effective enough. Testing and improving operational recovery is key to ensuring strong reliability for customers and reduced overall impact on business.

74.

Insurance is a critical part of running a business. Insurance policies have different purposes.

If a business is worried that one of their contractors might make a mistake and cause them financial loss, what type of insurance should the contractor have?

  • Errors and omissions

  • Extra expense

  • Professional and commercial liability

  • Cybersecurity

Correct answer: Errors and omissions

Errors and omissions insurance is designed specifically for this scenario. If a professional practitioner causes financial loss to a client because of an error or an omission that they made, then this insurance would help to cover that loss.

Extra expense insurance covers the additional costs incurred after damage to a facility such as a data center. Professional and commercial liability insurance protects a business when a third party claims that the business caused them loss or damage. Cybersecurity insurance helps after events such as ransomware or a Denial of Service (DoS) or Distributed DoS (DDoS) attack.

75.

Blaise has determined, with the assistance of his Disaster Recovery (DR) team, that the transactional database for customer sales must be able to process at least 1,000 connections per hour. This is less than the normal processing capability of 1,500 connections per hour. If they are able to accomplish this level of functionality at the hot site, they will be able to ensure the survivability of the business, at least for a while. However, it must return to a normal condition within three weeks.

What is the term for the idea here of 1,000 connections per hour instead of the 1,500 per hour that is the norm?

  • Service Delivery Objective (SDO)

  • Maximum Tolerable Outage (MTO)

  • Recovery Time Objective (RTO)

  • Allowable Interruption Window (AIW)

Correct answer: Service Delivery Objective (SDO)

The SDO is the level of service that must be supported at the alternate site. Here, it is the reduced number of connections per hour.

The three-week window of time would be the MTO. The RTO is the time to perform the recovery actions to bring customers online at the alternate site. The AIW is the amount of time from nonfunctionality to restoration of critical services.

76.

An organization wants to develop an incident response plan in the event that one of their workstations is infected with malware. Employees know the signs of an infection can include a sluggish computer, locked files, and suspicious programs running.

After identifying this infection, what would management MOST likely recommend to prevent it from spreading further?

  • Immediately disconnect from the network and report to the cybersecurity team

  • Refrain from acting upon the malware

  • Document findings yourself

  • Work around the issue to complete primary tasks at hand

Correct answer: Immediately disconnect from the network and report to the cybersecurity team

While there is controversy around this tactic, the best bet to reduce the spread of the infection is to immediately disconnect from the network and report to the cybersecurity team. Some argue that disconnecting a device from the network could trigger the malware to lock up files immediately. If that is going to happen regardless, the priority is to keep other systems from being affected; every additional infected system increases liability and cost. Where an endpoint agent can isolate the host from the network, that achieves the same containment while preserving volatile memory for the investigators.

You cannot simply refrain from acting on the malware. From a business perspective, you must do something to prevent the spread, even if it means not being able to fully research the attacker's intentions after. If you are not responsible for investigating such an incident, you should not document the findings yourself while allowing it to spread. You also should not work around the issue and avoid it. Many of these options would be deemed negligent and could void an insurance policy.

77.

As an information security professional, you have realized that your users are sending emails that include credit card and address information. What kind of product would you recommend that would analyze the traffic as it leaves the business and block these emails?

  • Data Loss Prevention (DLP)

  • Intrusion Prevention System (IPS)

  • Web Application Firewall (WAF)

  • Acceptable Use Policy (AUP)

Correct answer: Data Loss Prevention (DLP)

A DLP tool is designed for watching for traffic that should not be sent out of the user's device or the network. It could block or encrypt the traffic when it sees it.

An IPS watches for suspicious traffic entering or traversing the network and blocks it; an email containing a credit card number is not suspicious traffic, it is poor judgment on the user's part. A WAF monitors web (HTTP/HTTPS) traffic and blocks or allows it as configured, whereas email leaves over SMTP or another mail protocol, not HTTP. An AUP can tell users they are not supposed to send such emails, but it is a policy, not a tool that analyzes traffic.
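The outbound check a DLP tool performs on this traffic, as an added example that is not part of the original page and not any product's code: it finds candidate card numbers in an outgoing message, discards false positives with the Luhn check, and decides whether to block, encrypt, or allow based on where the mail is going. The message structure, the internal domain example.com, the policy actions and the sample messages are constructed assumptions; the card numbers are the well-known public test numbers, not real accounts.

```python
"""Outbound e-mail DLP check: detect primary account numbers (PANs) and decide
block / encrypt / allow.

Added example for this page, not code from the original and not a vendor's
engine. The message structure, INTERNAL_DOMAIN and the policy actions are
assumptions for illustration; the sample messages are constructed and the
card numbers are public test numbers.
"""
import re

INTERNAL_DOMAIN = "example.com"   # assumed: mail staying inside this domain is not leaving the business

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; cuts out phone numbers, order numbers, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits in logs and alerts."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_outbound(msg: dict):
    """Policy decision for one outgoing message: ('block' | 'encrypt' | 'allow', reasons)."""
    pans = find_pans(msg["subject"] + "\n" + msg["body"])
    if not pans:
        return "allow", []
    external = [r for r in msg["to"] if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    reasons = [f"PAN {mask(p)}" for p in pans]
    if external:
        return "block", reasons + [f"external recipient {r}" for r in external]
    return "encrypt", reasons   # internal only: allow, but require encrypted delivery


# Constructed sample messages (not real mail). Only the first should be blocked:
# the second stays internal, and the third contains a number that fails Luhn.
SAMPLE_MESSAGES = [
    {"to": ["supplier@partner-example.net"], "subject": "Card on file",
     "body": "Please charge 4111 1111 1111 1111, exp 12/27. Ship to 12 Example St."},
    {"to": ["billing@example.com"], "subject": "Refund for order",
     "body": "Customer card 5555-5555-5555-4444 needs a refund of 40.00."},
    {"to": ["ops@partner-example.net"], "subject": "Tracking",
     "body": "Order 4111 1111 1111 1112, tracking 1Z999AA10123456784."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        action, reasons = scan_outbound(msg)
        print(f"{action:8} {msg['subject']!r} {reasons}")
```

The Luhn step is what keeps a rule like this usable: without it, a 16-digit order or tracking number would block the message just as readily as a card number. A real deployment also has to look inside attachments and archives and at the SMTP envelope rather than only the headers, which this example leaves out.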

78.

When doing a risk assessment within your business, you find that it is necessary to evaluate existing controls as a security manager. When looking at the existing controls, what is it that you are trying to decide about any given control?

  • The extent that they are successful in meeting the desired state for risk mitigation

  • The number of times the control is successful in doing its particular job

  • The effectiveness of that specific control when mapped against industry standards

  • The quality of service the control provides in comparison to vendor product promises

Correct answer: The extent that they are successful in meeting the desired state for risk mitigation

The decision to make about a control is whether it is sufficient for its task or whether it needs to be changed, supplemented, or replaced; in other words, how far it achieves the desired state of risk mitigation. Knowing how often the control succeeds, and comparing it with industry standards or vendor promises, are inputs to that decision, not the decision itself.

79.

An organization has experienced a breach within some of their payment systems and must have an external or third-party audit conducted before the affected systems are brought back to production. What is one step the organization could take to ensure their success in this process?

  • Conduct an internal audit

  • Report the incident to an insurance provider

  • Report the incident to law enforcement

  • Share this information immediately with Information Sharing and Analysis Centers (ISACs)

Correct answer: Conduct an internal audit

Prior to any external or third-party audit, an organization would be wise to audit themselves and check their own work before others check it for them. This allows for a simpler audit and a stronger reputation.

Reporting the incident to an insurance provider or law enforcement is important when required, but it will not ensure success in an external or third-party audit. Sharing information with ISACs is important, but it should be done once the vulnerability is remediated. That way everyone is educated on the matter without posing a threat to your business; sharing it before remediation could let someone launch an attack knowing your organization cannot yet defend against it.

80.

Who is BEST suited to determine who requires access to data within need to know?

  • Data owner

  • Senior management

  • Legal counsel

  • Department manager

Correct answer: Data owner

The data owner is responsible for the protection of data that they own. This includes classification, access lists, and need to know. There needs to be someone close to the actual data who understands where and when it is needed. It is often the person who creates the data.

A department manager could fill the role, but only if they have been designated the data owner; it is the role, not the title, that carries the responsibility. Senior management and legal counsel are too far removed from the data to decide need to know effectively. Senior management may ultimately own the data, but would not be classified as "data owners."