ISACA CISM Exam Questions

Page 5 of 50

81.

Which of the following BEST describes when disaster recovery and business continuity plans should change?

  • Plans change based on what is impacted, how it is impacted, and how it affects the business overall

  • Disaster recovery plans should never change

  • Plans change only when technicians direct that they should

  • Plans change mainly due to the cost of the asset directly affected

Correct answer: Plans change based on what is impacted, how it is impacted, and how it affects the business overall

An organization would have multiple disaster recovery and business continuity plans based on what is impacted, how it is impacted, and how it affects the business overall. For example, a plan for a fast-spreading malware infection would be far different from a plan for a power outage or a motherboard dying. These plans should be created, updated, or replaced with changes to the business, such as the acquisition of a new application.

Disaster recovery plans should undergo periodic changes. These should be driven mainly by the needs of the business, not technicians' preferences or the costs of affected assets.

82.

Planning is critical to information security governance, and the level of controls added should be optimal for the business. What can be used to determine this optimal level?

  • Annual Loss Expectancy (ALE)

  • Risk appetite

  • Risk tolerance

  • Single Loss Expectancy (SLE)

Correct Answer: Annual Loss Expectancy (ALE)

The Annual Loss Expectancy (ALE) calculates the total cost of losses from a single type of event in a year. That can then be used in a cost/benefit analysis when debating or discussing controls to be added. The amount of control needs to fit the corporation's risk appetite, which is how much they are willing to put at risk. That is critical in selecting controls, but the ALE gives something that can be used in a cost/benefit analysis; risk appetite does not. Risk tolerance is the variance allowed around the acceptable risk or the risk appetite. The Single Loss Expectancy (SLE) is a cost calculation, but it is for a single event. It does not indicate whether that single event will happen 500 times this year, e.g., 500 laptops stolen in one year, or once every 25 years.

83.

Hannah is managing the development of security awareness training for her corporation. Who should receive this training?

  • All users

  • Senior management

  • All business units

  • Information Technology (IT)

Correct answer: All users

All users need awareness training. This would include senior management, all business units, IT, and more.

84.

Is ethics considered a resource or a constraint for information security?

  • Constraint

  • Resource

  • Both

  • Neither

Correct answer: Constraint

Constraints include ethics, legal, physical, culture, cost, and so on.

Resources, for example, include policies, technologies, architectures, and controls.

85.

Dabria is worried that her business is going to experience a disruption caused by an attacker that will disrupt the data center's functionality. They have built a backup site and have successfully tested the Disaster Recovery Plan (DRP). She thinks it would be wise to get an insurance policy that would help to cover the corporate losses due to this disruption.

What would you recommend?

  • Business interruption

  • Valuable papers and records

  • Fidelity coverage

  • Media reconstruction

Correct answer: Business interruption

Business interruption insurance helps cover the company's profit loss during Information Technology (IT) disruptions. Cybersecurity insurance could also have applied here, although it is not among the provided answers.

Valuable papers and records insurance is related to actual papers, not IT. Fidelity coverage is insurance purchased to cover dishonest or fraudulent employees. Media (software) reconstruction insurance covers damage to the media. There is a bit of overlap in the concepts of each of these different types of insurance, so watch the wording of questions carefully.

86.

The beginning of determining the criticality of assets is to determine the department that is the most valuable to the business. Who should determine this importance?

  • Senior management team

  • Information security manager

  • Board of Directors (BoD)

  • Audit department manager

Correct answer: Senior management

The organizational structure and its criticality to the business is determined by the senior management team.

There can be an information security manager at that level, but they alone do not determine criticality, if they are involved at all in the determination. The Board of Directors (BoD) has oversight of the business, but they would not be the ones making the determination. They might be consulted or informed of the decision. The audit department manager would be one of the departments that is being ranked for its value to the business. They would not be determining how important they are to the business.

87.

Suppose a company has decided to outsource a particular service. They are concerned that the service provider may not adequately protect some of the information. Their concern comes from their requirement to comply with Sarbanes Oxley (SOX).

To ensure data is protected CORRECTLY by the service provider, they need to:

  • Specify security requirements in the service contract

  • Audit the data center before outsourcing service

  • Ensure management has updated policies to include legal requirements

  • Confirm legal requirements with staff lawyers

Correct answer: Specify security requirements in the service contract

This is the only answer that involves the service provider. You may want an audit as an answer, but the audit answer says to audit before outsourcing. Therefore, it is the corporation's own data center, and auditing it will not help in any way to get the service provider to comply with Sarbanes Oxley (SOX). Management should have SOX requirements in the policy, as appropriate to a policy. They should also speak with their lawyers before outsourcing. The question asks for the service provider to be in compliance. None of the other answers, which are all actions taken within the business, is as direct as putting the requirements in the contract. The contract does not guarantee that they will comply, but it does give the company legal recourse if they do not. Therefore, it is plausible to believe the service provider will work to honor the contract.

88.

Which of the following BEST describes the goal of a business impact analysis?

  • Determine the effect of losing a single component on a business overall

  • Determine financial losses resulting from replacing an item

  • Determine financial losses resulting from failing to serve customers

  • Forecast future losses as a result of current issues

Correct answer: Determine the effect of losing a single component on a business overall

A business impact analysis (BIA) determines the effect of losing a component on an organization as a whole. In losing a component, you can measure how it trickles down and affects the rest of the organization.

In addition to identifying potential financial losses, a BIA also determines how the loss of each asset can result in losses in other critical aspects such as customers or reputation. With this, you can determine how valuable each asset is to the organization; it also helps create a value estimate for insurance purposes.

89.

What is necessary to be identified to ensure responsibility and accountability of ALL systems and that they are maintained in compliance with security policies?

  • System owner

  • Legal requirements

  • Board of Directors (BoD) objectives

  • Last audit findings

Correct answer: System owner

To have responsibility and accountability over a system, you need to identify the system owner. They are then responsible for ensuring that the system is maintained in compliance with the security policies. The objectives of the Board of Directors (BoD) are useful at a much higher level. The objectives should have guided the strategy, which then guides the creation of the program, which includes the policies.

In that process, the laws and regulations that the business must be in compliance with should have been identified and fed into the decision-making process for objectives and then into the program. The latest audit findings could also impact the creation or modification of a program, or the findings could simply be used to change policies, procedures, the configuration of a system, etc. But the findings do not ensure responsibility of a system.

90.

To create a successful risk management program within your business, it is essential that you, as the information security manager, ensure that there is FIRST a: 

  • Policy from senior management

  • Planning a meeting to determine resources

  • Implementation project for controls

  • Quantitative and qualitative risk assessment

Correct answer: Policy from senior management

To build a successful information security risk management program, you must have management direction and support. This should be documented within a policy regarding information security risk management. If you have a policy, then you can do your planning and resourcing. Next would be the risk assessment using quantitative and qualitative methods. Then a project to implement appropriate controls should be created.

91.

Determination of risk treatment options for a critical business server can be assessed from many different perspectives. In business terms, the appropriate treatment option would be: 

  • The one that the benefits outweigh the costs

  • The one that senior management deems appropriate

  • The control that the related law designates for this context

  • The control specified by the auditor after the last audit

Correct answer: The one that the benefits outweigh the costs

The most appropriate control to add to any business server will—almost always—be the one that is cost-justified. If the benefits outweigh the cost, it is a good idea. If the cost outweighs the benefit, then it is not a good idea, even if that is the control specified in a specific law.

Laws might specify controls; often, they just say what must be protected. If there is a control specified, then there usually is an alternative control in the law if the first cannot be done for some reason, such as cost. Senior management may prefer the control that is used, but they should accept the one that reduces the likelihood, reduces the impact, and is cost-justified. Auditors do have a responsibility to make suggestions about improving security, but that does not mean it will be the control accepted by the business.

92.

When a business is doing risk analysis by utilizing a 4x4 grid and has assigned values to each row and column, the rows represent the likelihood, and the columns represent impact. The rows are from rare, with a one value, to frequent, with a four. The columns have a similar numbering scheme as well for the impact rating.

What type of analysis is this?

  • Semi-quantitative

  • Semi-qualitative

  • Quantitative

  • Qualitative

Correct answer: Semi-quantitative

A grid with words representing the impact and likelihood, such as catastrophic, minor, likely, frequent, etc., is qualitative. If those rows and columns are then numbered one through four, it is now a semi-quantitative analysis. There is a "quantity," but the numbers are relative, not actual values such as the exact price to buy a product. If actual cost values were discussed and used to perform a Single Loss Expectancy (SLE) calculation, it would be quantitative. There is no semi-qualitative.

93.

Danielle has been in discussions with her corporate data service provider. The provider has informed her that, should their long-distance facilities have problems, there are agreements with other providers to switch traffic to their networks. They have also explained that this will happen automatically.

What is the provider describing?

  • Long-haul network diversity

  • Last-mile circuit protection

  • Alternative routing

  • Diverse routing

Correct answer: Long-haul network diversity

The question describes long-haul network diversity. This is normal practice for carriers today, so that the Wide Area Network (WAN), such as MPLS (Multiprotocol Label Switching), or internet access will continue to work, no matter what happens to different wires or facilities.

This is close to diverse routing in nature, but since the question specifies a carrier network, long-haul diversity is the correct answer. Diverse routing is done from the corporation's perspective (the carrier's customer's perspective). Alternative routing is on different media, which is also for the corporation, not the carrier. Last-mile circuit protection is from the carrier to the corporation. 

94.

A data center catching on fire would be the result of what type of threat?

  • Technical

  • Human-driven

  • Environmental

  • External

Correct answer: Technical

Technical threats include fire, heating failures, system and software issues, telecom failure, etc.

Environmental threats include natural disasters. If the fire was a wildfire, then it would be an environmental threat, but it is more likely an internal issue in the building, so technical is the better answer. Human-driven threats arise because of people (disgruntled employees, people taking shortcuts to save time, corporate espionage, embezzlement, etc.). A human may have intentionally set the fire, but there is nothing in the question about that, so one should default to this fire being due to a natural cause. External threats are not one of ISACA's categories.

95.

Which of the following is LEAST likely to be a consideration within RACI and the RACI chart when developing a security program?

  • Even distribution of work

  • Pairing qualifications and skills with a job description

  • Ensuring effective implementation of each role

  • Allowing for efficient development and continuation of a security program

Correct answer: Even distribution of work

A RACI chart will not provide an even distribution of work to individuals in all cases. In fact, not all individuals will be involved in every business practice considered in the chart. There will be times in which responsible parties, such as technicians, may not be involved in all facets of the accountable or consulted roles. In these instances, management or another department may play these roles.

RACI is meant to pair qualifications and skills with a job description. This is seen both on the job to ensure effective implementation of each role, as well as in job postings during a hiring process. A very important part of any workplace or team is ensuring the team is competent and capable of completing tasks, both now and potentially during a future expansion. With this said, RACI allows for the strong start and continuity of any security program, while also ensuring each role fulfills its necessary duties to facilitate day-to-day operations.

96.

Within the incident management life cycle phases, when would a forensic analysis occur (when necessary)?

  • Containment, analysis, tracking, and recovery

  • Detection, triage, and investigation

  • Planning and preparation

  • Postincident assessment

Correct answer: Containment, analysis, tracking, and recovery

According to the ISACA incident management and response document of 2012, forensic analysis occurs within the containment, analysis, tracking, and recovery phase. What is critical to note is that not all documents on this topic agree. This is an ISACA exam, and that is what they have in their incident management and response document. So, if you think it belongs to a different step, you are not necessarily incorrect, but for the exam, use this set of lifecycle steps to answer questions.

97.

As the information must be accessible to your users when a failover occurs at the Disaster Recovery (DR) site, you are looking into the technologies available to find the best solution to make the data available when it is needed. What parameter is CRITICAL to your decision?

  • Recovery Time Objective (RTO)

  • Recovery Point Objective (RPO)

  • Allowable Interruption Window (AIW)

  • Service Delivery Objective (SDO)

Correct answer: Recovery Time Objective (RTO)

The RTO is the time allowed for the recovery of a business function. This would include the machine, operating system, applications, and data.

The RPO is about the age of the data or the loss of data. The question is looking for "when it is needed," and the word "when" points directly to RTO. Recovery Point Objective (RPO) is still critical, but that is how much data you can lose. Allowable Interruption Window (AIW) is very close to the answer here, but we are looking for a technology. The technologies must work within our time window for recovery, the RTO. The AIW is the total amount of time the corporation can wait from failure to functionality.

98.

If a metric is oriented to the high-level outcomes of the business, as well as the objectives of that business for the information security program, it would be:

  • Strategic metrics

  • Governance implementation metrics

  • Risk management metrics

  • Value delivery metrics

Correct answer: Strategic metrics

Strategic metrics are oriented toward high-level outcomes of the business, as well as the objectives of that business for the information security program.

Governance implementation metrics can be represented by Key Goal Indicators (KGIs) or Key Performance Indicators (KPIs). The reason they work is because implementation of governance typically has projects or initiatives, and it is possible to create KGIs and KPIs for those projects. A risk management metric is one that helps senior management see that risk is being managed successfully and appropriately for the business. A value delivery metric helps to show that the security investment is being optimized in support of corporate objectives.

99.

As an information security manager, you are working on ensuring that legal liabilities concerning Human Resources (HR) issues are managed appropriately. This applies to what part of the management framework?

  • Administrative component

  • Management component

  • Educational component

  • Technical component

Correct answer: Administrative component

Ensuring that HR issues do not cause legal liabilities falls into the administrative area.

An example of an education component would be an awareness campaign. An example of a technical component would be a review of procedures for policy compliance. A management component would be strategic implementation activities like standard modification.

100.

Which of the following is LEAST likely to be considered when assessing the value of a resource?

  • Age of data

  • Loss scenarios

  • Replacement cost

  • Annual revenue

Correct answer: Age of data

The age of data is the least likely consideration when assessing the value of a resource. This is because the age of data does not always matter, as long as the data is still relevant.

Loss scenarios, replacement cost, and annual revenue can be factors in determining the value of an asset or resource. Generally, loss scenarios determine the ultimate value of an asset because, depending on what it is and how it is used or lost, they determine the actual loss. For example, a mobile device with proprietary data is stolen from a workplace. If the data on the device is encrypted with AES 256, the company did not lose that data or violate the CIA triad. On the other hand, the loss is far more costly when the data was not properly encrypted and both the device and the data must be accounted for.