ISACA CISM Exam Questions
101.
When establishing an information security strategy, it should be in alignment with:
- Organizational goals and objectives
- Critical laws and regulations
- Senior management ideal business
- Information security standards
Correct answer: Organizational goals and objectives
Information security strategies should be in alignment with the organization's goals and objectives. The security plan should help move the business forward securely; security must not obstruct the company. If there are laws, e.g., GDPR, that a business must comply with, that should be reflected in the organization's goals and objectives. Senior management may have an ideal business in mind, but their expression of it is the goals and objectives of their business. Information security standards, such as ISO 27001, may be followed in order to create an information security program. Still, if following a standard is the desire of the company, it should be reflected in their goals and objectives.
102.
Executive management, the Chief Executive Officer (CEO), and her team want to know about performance measurements within her business. What would be the BEST word for her relationship to measurement and metrics?
- Require
- Review
- Develop
- Evaluate
Correct answer: Require
Executive management requires monitoring security activities and the associated security metrics.
The steering committee would review and advise on what to do with knowledge about performance measurements. The Chief Information Security Officer (CISO) and the information security manager(s) would develop, implement, and report on monitoring and metrics. Auditors, among others, would evaluate.
103.
A Security Information and Event Management (SIEM) tool would be considered a:
- Management support technology
- Supplemental control technology
- Native support technology
- Preventive control
Correct answer: Management support technology
A Security Information and Event Management (SIEM) facilitates the management of reviewing logs and identifying incidents. It increases management efficiency. Therefore, it is a management support technology.
A native control comes built into business information systems, such as the Access Control List (ACL) in a router. A supplemental control is added to provide functions that are not available in the core technology, such as an Intrusion Detection System (IDS), which generates the logs that the SIEM ingests.
104.
While doing a risk assessment, your team has identified an information asset of significant value to the corporation. The next step would be to:
- Identify threats to that asset
- Determine what vulnerabilities exist
- Calculate potential loss of the asset
- Determine the best control to install
Correct answer: Identify threats to that asset
If an asset is of significant value, then the next step is to identify the threats to it, according to the NIST risk assessment methodology. Vulnerabilities are identified next. If there are viable vulnerabilities, then the potential loss should be calculated. This helps to determine the best control to install.
105.
Of the following, what could Disler use to ensure that information assets are known and understood so that the CORRECT security mechanisms are used to protect them?
- Information asset classification
- Information security program roadmap
- Gap analysis followed by a full audit
- Acquisition management
Correct answer: Information asset classification
Information asset classification is used to determine an asset's criticality and sensitivity. With that information, it is possible to ensure that the asset is properly protected, and not over- or under-protected.
An information security program roadmap is a plan detailing how to implement the information security strategy. A gap analysis is used to determine the distance between where you are and where you want to be. The full audit would then determine the exact issues that need to be addressed. Acquisition management is something that information security managers are likely to do as ongoing administration of an information security program.
106.
A corporation has determined that it will have to do the work of recovering a critical server within a four-hour window. What is the name of this time period?
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
- Allowable Interruption Window (AIW)
- Service Delivery Objective (SDO)
Correct answer: Recovery Time Objective (RTO)
The Recovery Time Objective (RTO) is the amount of time that is allowed for the recovery of a business function.
The recovery must fit within the Allowable Interruption Window (AIW). The AIW is the total time that the corporation can wait from the moment of failure to the restoration of critical services. Once the service is recovered, it needs to meet the Service Delivery Objective (SDO). The SDO is the level of service, e.g., % of transactions/hour.
107.
While performing risk analysis, it is determined that a specific compromise of Personally Identifiable Information (PII) will reduce the corporation's share value. What is this describing?
- Impact
- Control
- Valuation
- Baseline
Correct answer: Impact
The reduction of share value has an impact.
Control would include things such as firewalls or encryption to prevent this breach. The valuation is the financial or intrinsic value of the business. A baseline could be a couple of different things, one of which is baseline security, which is defined as the minimum security level across the enterprise that is required.
108.
What is being calculated by looking at the number of events combined with the impact of those events?
- Risk
- Threat
- Likelihood
- Vulnerability
Correct answer: Risk
When identifying risk, you use likelihood to calculate the level of risk based on the number of events expected to occur within a specific time period, say a year, combined with the impact of those events.
A threat is anything capable of acting against an asset. The likelihood is the chance something will happen. A vulnerability is a weakness that allows the threat to occur.
109.
Incident Response Plans (IRP) must be tailored for a specific business. The basic steps of incident response, though, are consistent. What is the CORRECT order of these steps?
- Prepare, protect, detect, triage, respond
- Prepare, detect, protect, triage, respond
- Respond, prepare, detect, triage, protect
- Detect, prepare, triage, protect, respond
Correct answer: Prepare, protect, detect, triage, respond
You must first prepare by building teams that create plans to fulfill objectives. Then you protect, and take actions to reduce the chance of specific incidents happening. However, if they do happen, you must then detect them. If you do not know something is happening, then you cannot respond. Response is not the next step; you must triage. You must assess all that is happening to use your limited response resources as effectively as possible. Once you know that information, then you can respond.
110.
Who would be the MOST interested in a Key Performance Indicator (KPI) that tracks if individuals or groups that access systems and data are formally approved?
- Department manager
- Quality manager
- Purchasing
- Executive management
Correct answer: Department manager
The department manager should know who is in the department and what level of access each employee and group would need.
Executive management may have accountability for this topic, but they are not interested in tracking who has access. They would be interested in knowing it is done and that it is improving. The department manager is a closer tie to this KPI. Purchasing is generally not worried about this. They are working to ensure we buy the right services and have the right Service Level Agreements (SLAs) and contracts. Quality managers are worried about ensuring the quality of the systems in some way, not tracking approved access levels.
111.
An organization wants to develop a secure network using the COBIT framework. This framework will result in:
- A balance between quality security and meeting regulatory expectations
- Data governance being placed above technical controls
- Technical controls being considered more than governance
- An increased IT cost
Correct answer: A balance between quality security and meeting regulatory expectations
The COBIT framework allows a balance between quality security and meeting regulatory expectations — it allows information technology needs and business requirements to work together to reach a common goal of success.
COBIT does not necessarily stress the importance of placing governance or technical controls over each other, nor will COBIT necessarily require an increased IT cost.
112.
During a Business Impact Analysis (BIA), it is essential to identify acceptable downtimes and resource requirements. What else would be considered a PRIMARY goal of a BIA?
- Criticality prioritization
- Management concerns
- Legal requirements
- Audit capability
Correct answer: Criticality prioritization
There are three primary goals for a Business Impact Analysis (BIA):
- How long can you be without the system (data or other)?
- What resources are required for the system (or other) to function?
- Where in the list of priorities does this fall so that it is recovered within time?
Management's concerns are essential, but they are not the BIA output. They should be some of the initial information gathered for risk analysis or incident management. The same is true of legal requirements: they should be information discovered at the beginning of the process, rather than an output of a BIA. Audit capability is something that is needed by our auditors or by those being audited. It is not typically linked directly to the BIA.
113.
When working on risk assessment, you, the information security manager, determine the value of information based on the difference between the present cash inflows and cash outflows. What is this called?
- Net Present Value (NPV)
- Qualitative value
- Replacement cost
- Risk management
Correct answer: Net Present Value (NPV)
Net Present Value (NPV) is the difference between the present value of cash inflows and the present value of cash outflows. It is a method of doing quantitative valuation of an asset.
NPV is a quantitative, not qualitative, value. A qualitative valuation does not have specific cost values, but instead helps to rank or prioritize the asset. The difference between cash inflows and outflows does not equate to replacement cost. Replacement cost includes purchasing a new product and the time and effort to build it out to replace the lost asset. All of this, and much more, falls under risk management.
114.
An organization wants to develop their information security program from the ground up. Unsure of how to begin, they at least want guidelines to follow to ensure they aren't putting their organization at risk.
Of the following, which is NOT a strong suggestion you would provide to the organization?
- Purchase the latest equipment possible
- The program must have measurable effectiveness
- The program must support the organization's goals or objectives moving forward
- Effective implementation stems from support from stakeholders and management
Correct answer: Purchase the latest equipment possible
Purchasing the latest equipment possible may put the company at risk if it is a new product that has not been tested by the market yet. Consider Windows 11, for example, which is the newest Windows operating system – many people still prefer Windows 10 because it has been around longer, patched more, and any major flaws were likely found early.
Any security program should be able to be measured so it can be proven effective and its existence can be justified. You can do this with key risk indicators (KRIs) and key performance indicators (KPIs), for example. The program must also support the organization's goals and not hinder success, otherwise why have the program? In order to have such a program, the proper people with the greatest authority must approve of it to ensure others follow suit.
115.
As the information security manager, you have been working with the Disaster Recovery Planning (DRP) team. The assessment that you have just completed shows that you could tolerate functioning at a lowered processing level for a little while. The determination is that you could process 5,000 requests per minute as opposed to the usual 8,000.
What is the name of this reduced operations term?
- Service Delivery Objective (SDO)
- Recovery Time Objective (RTO)
- Allowable Interruption Window (AIW)
- Maximum Tolerable Outage (MTO)
Correct answer: Service Delivery Objective (SDO)
The Service Delivery Objective (SDO) is the level of processing that is tolerable for a limited time period.
The time period is the Maximum Tolerable Outage (MTO). The Recovery Time Objective (RTO) and the Allowable Interruption Window (AIW) have to do with the time a service can be offline.
116.
When determining the amount of time that can be taken by the Incident Response Team (IRT) to bring a server back online, the team may find that a contract with one of their customers requires recovery within a certain amount of time. What part of a contract would that be?
- Service Level Agreement (SLA)
- Master Service Agreement (MSA)
- Privacy Level Agreement (PLA)
- Data Processing Agreement (DPA)
Correct answer: Service Level Agreement (SLA)
A contractual requirement to recover a server within a certain amount of time is found in the Service Level Agreement (SLA) part of the contract.
The MSA defines the relationship between the two parties: the customer is responsible for X and then the provider is responsible for Y. The PLA is a notification to the cloud provider that sensitive personal data is in their possession. In Europe, it is referred to as the Data Processing Agreement (DPA), or the Business Associate Agreement (BAA) under HIPAA in the US.
117.
An organization wants to utilize a pre-determined architecture implementation of devices in their business. What is the MOST likely reason for this?
- Familiarity with configuration and performance
- Cost
- Uniformity
- Availability
Correct answer: Familiarity with configuration and performance
Familiarity with configuration and performance is the reason for using a pre-determined architecture of devices. Many organizations prefer to use familiar devices and software because it reduces the training needed, mistakes made, and vendor issues.
Cost, uniformity, and availability are generally not the reasons for using a pre-determined architecture of devices. Uniformity may not always be a good thing for organizations, especially with firewalls, as one firewall with a vulnerability means they all have a vulnerability. Availability and cost may not always be applicable — in fact, a pre-determined device could be more expensive up front.
118.
A corporation has determined that it can function for an extended period at a lower level after a disaster. The level of functionality must be at least 72% of typical functionality.
They have now defined their:
- Service Delivery Objective (SDO)
- Recovery Point Objective (RPO)
- Recovery Time Objective (RTO)
- Allowable Interruption Window (AIW)
Correct answer: Service Delivery Objective (SDO)
The Service Delivery Objective (SDO) is the reduced processing level that a corporation can withstand for a period of time called the Maximum Tolerable Outage (MTO).
The Allowable Interruption Window (AIW) is the amount of time normal operations can be down for a business before severe impact. The Recovery Time Objective (RTO) is time to do recovery work at the alternate site. The Recovery Point Objective (RPO) is the amount of data that can be lost due to an incident.
119.
Role-based training is applicable for a variety of scenarios ranging from disaster recovery to day-to-day operations. What is an example of a role-based training technique that is LEAST likely to disrupt business?
- Phishing awareness testing with fake emails
- Simulation tests
- Parallel tests
- Walk-through tests
Correct answer: Phishing awareness testing with fake emails
Phishing awareness testing with fake emails is least likely to interrupt business, since it doesn't require anyone to leave the office or their workstation. Instead, employees are educated and informed right from their desk. Additionally, security metrics can be gathered and assessed with ease.
Parallel, simulation, and walk-through tests cause employees to leave workstations and focus their attention elsewhere. This can inhibit other productive tasks, especially if they are not necessarily part of a security team. A parallel test does not cause the workplace to shut down, but requires employees to replicate and operate a second workplace while the primary is still functioning. A simulation test can also replicate disaster recovery and business continuity. A walk-through test is simpler than the other two, involving a discussion of every employee's role in disaster recovery. That being said, they can all be disruptive and hinder business. However, it should be noted that tests attempting to mimic the workplace in a variety of ways can be extremely beneficial in providing insight into disaster recovery objectives.
120.
When building a defense in depth, it is critical to select different types of controls to build out the layers effectively. One type of defense that a control can provide is reactionary.
Of the following, what would fit into this category?
- Procedure change
- Firewall
- Physical security
- Backups
Correct answer: Procedure change
A change to a procedure is a reaction that a business could have after it has been hacked or a new threat has been discovered.
Backups are recovery and restoration. Physical security is typically considered preventive. Firewalls are both prevention and containment.