ISACA CISM Exam Questions

Page 7 of 50

121.

When doing a risk assessment, the CORRECT order of the steps is:

  • Risk identification, risk analysis, risk evaluation

  • Risk analysis, risk identification, risk evaluation

  • Risk evaluation, risk treatment, risk identification

  • Risk management, risk identification, risk evaluation

Correct answer: Risk identification, risk analysis, risk evaluation

Risk assessment includes:

  1. Risk identification
  2. Risk analysis
  3. Risk evaluation

Risk management involves:

  1. Context establishment
  2. Risk identification
  3. Risk analysis
  4. Risk evaluation
  5. Risk treatment

Risk management is the whole topic, and it includes all five steps. Risk identification uses scenarios to determine the range of risk. Risk analysis looks for the impact and likelihood of risk if realized. Risk evaluation then compares those results against acceptable risk levels and determines risk treatment. Risk treatment has four options:

  1. Risk avoidance
  2. Risk transference
  3. Risk mitigation
  4. Risk acceptance

122.

Which "C-suite" executive is MOST likely responsible for managing the likelihood of exploits being used against enterprise-controlled data?

  • Chief Risk Officer

  • Chief Information Officer

  • Information Security Officer

  • Chief Information Security Officer

Correct answer: Chief Risk Officer

The Chief Risk Officer (CRO) is responsible for "managing the likelihood of exploits being utilised upon enterprise data", or managing risk. This individual reports directly to the Chief Information Security Officer (CISO), who has overall responsibility for security.

Although a CISO or Chief Information Officer (CIO) may be accountable for those directly under them, the CRO will be primarily responsible for managing risk. An Information Security Officer may also deal with risks, but their main responsibility may not be risk management specifically, and their authority on the subject would not supersede that of the CRO.

123.

What action could limit protection offered by insurance, potentially resulting in unforeseen losses to a company?

  • Failure to act with due care

  • Failure to act with due diligence

  • Failure to avoid risks

  • Failure to accept risks

Correct answer: Failure to act with due care

Failing to act with due care would limit the protection offered by insurance during an incident. For example, a company that is insured in the event of a security breach that did not exercise due care by encrypting data and securing networks as much as possible would lose the benefits of insurance.

Generally, insurance policies are put in place to transfer risk when flaws in security cannot be properly mitigated by a company. So, if a company uses a legacy system within their enterprise network with access to highly sensitive data and that device can be potentially breached, the company would recognize this and file for an insurance policy well before a breach occurs. This, of course, would be done after compensating controls were put in place to reduce this risk. Organizations would keep cost in mind and ensure the insurance policy cost doesn't exceed the cost of a compensating control or the data at risk.

Due diligence is the act of ensuring due care has been conducted. Due diligence can be thought about as a follow-up procedure to ensure the due care process is doing what it should.

124.

When creating metrics for managers in a business, it is critical to think about why and what information they need to do their jobs. Which type of metric would senior management MOST LIKELY want to see?

  • Strategic

  • Tactical

  • Operational

  • Technical

Correct answer: Strategic

Senior management needs to design strategy, revise strategy, and know how the business is progressing toward its strategic goals.

Technical details are not likely to be of use, such as how many times a password reset request has been made. Tactical and operational information, like patch management status, would be of more interest to the information security manager directly.

125.

Who is allowed to declare a disaster so that the process to move to the alternate site is initiated after a fire starts in a data center?

  • It is defined during Disaster Recovery Plan (DRP) creation

  • The Chief Executive officer (CEO)

  • A present information security manager

  • Any member of the Board of Directors (BoD)

Correct answer: It is defined during Disaster Recovery Plan (DRP) creation

Who declares the disaster and under what criteria must be decided upon and documented during the plan creation. It could be the CEO, an information security manager, the Board of Directors (BoD), or someone else. It all depends on the decisions about who can call a disaster and who is on-site or available at the time it needs to be done.

126.

A corporation is working to test their Incident Response Plan (IRP), and they have the recovery team role-playing a prepared scenario without activating the alternate site. What type of test are they doing?

  • Simulation

  • Structured walkthrough

  • Checklist

  • Parallel

Correct answer: Simulation

In a simulation, the team role-plays through a scenario without activating the alternate site.

A structured walkthrough is a paper-based test to review each step of the written plan. A checklist is a preliminary level test to ensure that the checklist and the plan are current. A parallel test brings the alternate site up while operations continue as they normally are.

127.

It is necessary to ensure that security controls are established and managed within the network, such as firewalls. Who is LIKELY to be responsible for their operations?

  • Information Technology (IT)

  • Information Security (IS)

  • Chief Operations Officer (COO)

  • Audit and compliance

Correct answer: Information Technology (IT)

Since a firewall failure can impact the network's operations, firewalls would typically be installed and managed by IT.

Therefore, IS must work with IT regarding its configuration and management. The COO is not responsible for IT, rather that would be the Chief Information Officer (CIO). Audit and compliance would review its configuration but should never operate, configure, or manage the device in production.

128.

Working with the personnel director, you, the information security manager, have defined all employees' security roles and responsibilities.

Which of the following are also critical to define?

  • Competencies

  • Pay scales

  • Job titles

  • Managers

Correct answer: Competencies

After identifying someone's roles and responsibilities, it is then necessary to understand the competencies required. This allows the proper awareness, training, or education programs to be put together, and creates guidelines for selecting the right person for the job.

Pay scales, job titles, and managers must all be identified, but that is not the job of the information security manager when discussing all of the business's employees.

129.

If an insurance company is worried about drive failure in one of its critical servers, what would you recommend?

  • Redundant Array of Inexpensive Disks (RAID) 5

  • Recovery Time Objective (RTO)

  • Network Attached Storage (NAS)

  • Virtual machine

Correct answer: Redundant Array of Inexpensive Disks (RAID) 5

A Redundant Array of Inexpensive Disks (RAID) array is the installation of many drives within a single server. RAID 5 does have the ability to withstand a drive failure within a server. The failed drive is then hot-swappable with a new drive to replace it (the server does not need to be powered down).

Recovery Time Objective (RTO) is the time it would take to bring the server from a failed status to an operational status on a different machine, possibly within a different building. Virtual machines have many uses, but helping a server withstand a drive failure is not one of them; however, they can make it easier to recover the server elsewhere. Network Attached Storage (NAS) is helpful for backing up and recovering data if a drive fails and data loss occurs. Since the question is about a drive failure and RAID 5 is an option, NAS is not the best answer.

130.

If the information security manager finds that a project is not successful and has only received negative responses from within the business, what is MOST LIKELY the issue?

  • The project plan does not fulfill the action plan of the security roadmap.

  • Auditor reports have shown a disconnect with user expectations.

  • Management has not been following the badge policy.

  • The steps defined in ISO 9001 have not been followed closely.

Correct answer: The project plan does not fulfill the action plan of the security roadmap.

An action plan to execute the strategy is critical. One part of the action plan is to design policies. Policies communicate corporate security strategy. This is mapped out on a roadmap that then has an action plan. The action plan turns into a project plan and specific projects. If the projects are not working, it is most likely that there is a disconnect between strategy and roadmap, or roadmap and project.

A report that shows a disconnect with user expectations might be interesting, but what those expectations are in regard to is not clear. Without more detail, it is tough to say whether this is the most likely issue. Management not following a badge policy by itself is not a likely issue. It may be a symptom of the real problem, but, by itself, it is not a good answer here. ISO 9001 is about quality assurance. This could be a part of the problem here, but again, by itself, it is not the most likely issue.

131.

Which of the following is LEAST likely to be considered by an organization when deciding to have a centralized incident response team?

  • Services offered and cost

  • Skill sets

  • Constant training and educational opportunities

  • Proper equipment and implementation

Correct answer: Services offered and cost

Services offered and cost would be the least likely consideration by an organization when deciding to have a centralized incident response team, because a centralized team would be in-house, so it could be easily tailored to the needs of the organization. To ultimately save costs, an organization could integrate cost into the salary of a current employee, expand the roles of employees, or create new roles when more employees are needed anyway.

With an in-house team, an organization has to consider the current skill sets of employees and assess where skill sets need to be, while keeping up with constant training and educational opportunities. The organization also has to ensure proper equipment and implementation for maximum benefit.

132.

What word BEST describes any event that may cause harm to a corporation and its assets?

  • Threat

  • Vulnerability

  • Risk

  • Attack

Correct answer: Threat

A threat is any event that can cause harm to a corporation.

A vulnerability is a weakness or flaw (unpatched device, unlocked door, etc.). Risk is the likelihood and its impact combined (there is a 20% chance I will drop my phone today and break the screen). An attack is an action taken by bad actors to exploit a vulnerability and cause the threat to be realized.

133.

When estimating the degree of vulnerability of a particular weakness being exploited, the assessment can be done with:

  • Both quantitative and qualitative approaches

  • Quantitative approaches

  • Qualitative approaches

  • Scanning tools

Correct answer: Both quantitative and qualitative approaches

The assessment of a degree of vulnerability can be accomplished through quantitative and qualitative evaluations.

The scanning tools can be used to understand that there is a vulnerability in a system, such as a known bug that allows an attacker to inject code into a user interface because there is no input validation. To understand the degree of the vulnerability, additional info is necessary, such as the particular control condition.

134.

The new information security manager, Camilo, has been working with his team to understand where control objectives are NOT adequately supported by controls. What have they been doing?

  • Gap analysis

  • Vulnerability assessment

  • Penetration test

  • Formal audit

Correct answer: Gap analysis

A gap analysis is used to determine where you are versus where you want to be. In this case, it is matching existing controls to control objectives.

A vulnerability assessment is used to determine if there are possible/potential weaknesses within a system, network, application, etc. It is not looking at controls. It is looking for an opening into the environment. A penetration test takes that one step further and tries to exploit those vulnerabilities. It is possible that either one of these could have been answers, but there is nothing in the question that points towards such analysis. The question is about mapping controls to control objectives, or rather a lack of controls.

A formal audit is used to verify if things are being done correctly. It could also discover missing controls. But since it is a formal audit, it would not be the security manager and his team. It is most likely to be an external or third party auditor.

135.

The combination of the probability of an event and its resulting consequence or damage is the:

  • Risk

  • Exposure

  • Proximity

  • Threat

Correct answer: Risk

Risk is defined in many ways, but it essentially always comes back to a combination of likelihood or probability and the resulting impact.

Exposure is the potential loss to an area or asset. Proximity is a term that indicates the time between an event and its impact: the faster something happens, the closer the proximity. If something hits your network within minutes but would take days to reach another business, your proximity is higher. The other company has time to control or react in another way because they may hear about your attack before it gets to them. A threat is anything acting against an asset that causes harm, such as a worm or a virus.

136.

What type of test involves planning and brainstorming how an incident might be handled using a tabletop exercise?

  • Paper test

  • Preparedness test

  • Diagram test

  • Full operational test

Correct answer: Paper test

A paper test involves mapping out a critical incident on paper. These tests are essentially a walkthrough with a diagram included, and they occur early in the testing phase of a response and recovery plan.

A preparedness test is a localized test where a simulation occurs and brings the plan to life, allowing the faults or benefits of the plan to become more visible. They can be broken into parts and also evaluated in parts, allowing for a more granular approach to creating a disaster recovery plan.

A full operational test will test the complete plan with a test that falls just short of an actual outage or incident.

"Diagram test" is not an actual term associated with the exam.

137.

As a successful information security manager for a well-established company, an issue has come to your attention, and you need to address it. The issue is with an operational firewall, and the exact nature of the issue is not clear. What is clear is that this issue has remained unresolved for some time.

The recommended course of action is to:

  • Execute problem management

  • Consult a lawyer

  • Review issue with senior management

  • Perform a formal audit

Correct answer: Execute problem management

Problem management is a tool information security managers have to uncover and understand the root cause of issues.

It is plausible that a lawyer, or senior management, needs to be consulted when an issue arises. Still, the question does not introduce a topic that would lead us directly to them. An audit may be able to uncover where the issue is, but with this as well, there are not enough details in the question to drive us to do a formal audit.

138.

Omala has been hired by a large enterprise to join their security team. Her job will be to participate in their testing exercises. She will be working on the attack side of the exercise.

What is that team referred to as?

  • Red team

  • Blue team

  • Purple team

  • Green team

Correct answer: Red team

Red teams are the pretend attackers.

The blue team is the defense. The purple teams look at the actions and output of both red and blue to determine how to improve the security, as well as learn from the actions the red team took. They can also act as mediators between red and blue. (If you combine red and blue paint, you get purple paint.) The green team takes the knowledge discovered by the purple team based on what the blue team saw and did, and then improves their software. So, the green team builds the actual source code.

139.

To estimate costs for a budget appropriately, the information security manager should consult with the Subject Matter Experts (SMEs) and the:

  • Project Management Office (PMO)

  • HR department

  • Legal department

  • Board of Directors (BoD)

Correct answer: Project Management Office (PMO)

Consultation with the SMEs and the PMO is highly recommended to ensure costs for a project are estimated appropriately. There may be others to consult with, but the most likely of this list is the PMO.

HR would possibly help find the SMEs. The legal department is consulted about the strategy or the changes you wish to make, but not the budget. The BoD should perhaps be advised of the project, but the budget is more likely a Chief Executive Officer (CEO) discussion in most businesses.

140.

Working for a new business, as the information security manager, you must decide on the use of a cloud service. As a small business, one of the MOST appealing aspects of a large public cloud provider is that they will:

  • Have a highly resilient environment

  • Increase your Operational Expenditures (OpEx)

  • Have a static network for your servers

  • Increase the deployment time for software

Correct answer: Have a highly resilient environment

Having a highly resilient environment is one of the appealing aspects of cloud providers; their resilience makes any equipment failure of little concern to their customers.

It does increase OpEx, but that is not the appealing aspect. If that, combined with Capital Expenditures (CapEx), saves money, that would be appealing, but not OpEx by itself. Software deployment time is hopefully decreased, and an increase is not appealing. A static network is likely not appealing. If it is dynamic, it can respond to failures automatically.