ISACA CISM Exam Questions
Page 8 of 50
141.
Terms can vary from one standard to the next. What is another way to say risk acceptance?
- Risk retention
- Risk modification
- Risk sharing
- Risk avoidance
Correct answer: Risk retention
Risk retention is equivalent to risk acceptance.
Risk modification, risk reduction, and risk mitigation are equivalent terms. Risk sharing is the same as risk transference. Risk avoidance is just that, risk avoidance.
142.
An organization wants to appropriately classify assets, specifically customer data. Of the following, which is LEAST likely to be considered when classifying information?
- Age
- Ownership of the info
- Means of use
- Means of storage
Correct answer: Age
Age is least likely to play a role in the classification of an asset or information, because age is irrelevant. For example, proprietary data that a company has owned for decades and a new password both have substantial value. These assets are important pieces of information and likely share the same classification.
Ownership of info, means of use, and means of storage can play a role in asset classification. If information is provided to the public, it shouldn't be highly classified. Data used to access important aspects of a business, such as passwords, should be classified appropriately because of what is being accessed. This holds true for proprietary information. Additionally, the ownership of information can play a role in determining classification. Generally speaking, mandatory access control does not classify important information in a manner that makes it available to anyone; instead, the owner(s) have to limit that information to themselves and those of a similar clearance level.
143.
During risk management, it is determined that there is a chance that employee integrity could cause a product delivery issue. What type of risk is this?
- Processing and behavioral risk
- Technology risk
- Human resources risk
- Supplier risk
Correct answer: Processing and behavioral risk
Processing and behavioral risks are problems with service or product delivery caused by several factors, including employee integrity issues.
A technology risk involves failure to plan, manage, and monitor technology-related projects. Human resources risks include failing to recruit, develop, or retain employees' skills or knowledge. This is close, but the issue in the question is their integrity, not their skill set. Supplier risk is the failure to evaluate suppliers, leading to a breakdown in the supply chain.
144.
What is the CMU SEI's five-step incident management process?
- Prepare, protect, detect, triage, respond
- Identify, prevent, detect, respond, review
- Observe, orient, decide, act, repeat
- Protect, prepare, detect, triage, respond
Correct answer: Prepare, protect, detect, triage, respond
The five steps of incident management are:
- Prepare includes designing a network with security controls and creating safety procedures.
- Protect consists of implementing protective measures on a network, such as an intrusion prevention system or configuring a firewall.
- Detect is using an intrusion detection system to proactively defend the network.
- Triage is best defined as ranking incidents and deciding what to manage in order of priority.
- Respond is taking action to ensure that the incident doesn't occur again, which can mean taking legal action or patching a system.
Following these steps in order is essential, as mixing one of them up could lead to poor results and further impact the network.
145.
K.C. is working with her team to understand the current state of incident response within their business. She has a goal of improving their response time and efficiency in closing incidents.
What type of analysis would you recommend for her to get the MOST comprehensive and complete view possible of the current state?
- External assessment
- Survey of senior management
- Self-assessment
- Internal audit
Correct answer: External assessment
An external assessment should give the most comprehensive view.
A self-assessment or internal audit is probably the easiest option, but both are done against specific criteria and are limited in their view. A survey of senior management is a valuable thing to do, but it will not be the most comprehensive. It is good to obtain their goals and objectives, as well as their current perception of the incident management that currently exists.
146.
During an incident notification process, which team would be MOST likely to respond to an incident?
- Physical and information security
- Public relations
- Cybersecurity
- Legal
Correct answer: Physical and information security
Most incidents will involve physical and information security, since any cybersecurity incident will usually involve information and the CIA triad. Additionally, information security personnel define and assign responsibilities, so they must be present.
Public relations would be involved if a breach needed to be announced and the company's reputation was at stake. Cybersecurity teams would play a role in addressing and remediating issues, and ensuring they do not occur again. Legal would only be involved when a criminal or civil matter arises and is necessary to resolve the issue.
147.
Risk management can be performed during which phases of an IT system lifecycle?
- Initiation, development or acquisition, implementation, maintenance or operation, disposal
- Initiation, implementation, maintenance, disposal
- Development, implementation, operation
- Initiation, development, maintenance
Correct answer: Initiation, development or acquisition, implementation, maintenance or operation, disposal
Risk management can be done within any and all phases.
148.
When the Business Impact Assessment (BIA) needs to be reviewed to ensure it aligns with business objectives, who is accountable for this validation?
- Board of Directors
- Chief Executive Officer
- Chief Risk Officer
- Chief Information Security Officer
Correct answer: Board of Directors
The Board of Directors (BoD) should participate in the overall information security strategy for a business. This would include looking at the results of a BIA. They should then validate, or ratify, that the critical assets are protected at an appropriate level.
The CEO, CRO, and CISO are involved, and if there is no BoD within a business, reviewing the BIA would fall to the CEO.
149.
Within the Business Model for Information Security (BMIS), it is critical to ensure that people use technology. Failure to understand, use, or embrace technology is problematic for the security of a business.
The dynamic interconnection that addresses this is:
- Human factors
- Culture
- Enabling and support
- Emergence
Correct answer: Human factors
The dynamic interconnection between people and technology is the human factor.
Culture is the interconnection of people to the organization. Emergence is the interconnection of people to processes. Enabling and support is between technology and a process.
150.
Which of the following can be described as a series of storage components connected with fiber cabling that ensures fast data transfer over a LAN connection, and is a central location for data fetching?
- SAN (storage attached network)
- NAS (network attached storage)
- RAID (redundant array of independent disks)
- FCOE (fiber cabling over ethernet)
Correct answer: SAN (storage attached network)
A storage attached network (SAN) is a fixed storage facility for anyone to access in the workplace over a network.
Network attached storage (NAS) is typically easier to set up, as it uses regular ethernet cables, and it is cheaper. A SAN, on the other hand, often uses fiber cabling over ethernet (FCOE) for fast data transfers and is generally more expensive. A redundant array of independent disks (RAID) is good for backups, but it would back up data for a specific user rather than an entire workplace.
151.
When a corporation is worried about losing data and they have a very low amount of data that they can tolerate losing, they should utilize:
- Synchronous replication
- Asynchronous replication
- Redundant Array of Independent Disks (RAID) 2
- Backup tapes
Correct answer: Synchronous replication
Synchronous replication is when data is written to local and remote storage at the same time.
Asynchronous replication is doing something like backing up data once a day to a backup tape. Synchronous replication writes data to drives, not tapes, as the data is created. RAID 2 mirrors data, but only within a single server. So, if they are really worried about losing data, it is best to write it to another location.
152.
What is the FIRST step of the NIST risk assessment methodology?
- System characterization
- Threat identification
- Locating vulnerabilities
- Identifying controls
Correct answer: System characterization
System characterization is the first step of the NIST risk assessment methodology. With system characterization, an organization identifies its hardware, software, personnel, mission, and data to ultimately determine what is at risk.
Threat identification is identifying the history of attacks, identifying potential threats, and reviewing databases to determine emerging threats. Locating vulnerabilities involves identifying weak points in an enterprise's network to later strengthen them. Identifying controls describes acknowledging the control mechanisms in place and determining if they meet the needs of the business or if they can be improved based on the identified threats and vulnerabilities.
153.
As the information security manager working at a new business, you find that no information security standards are in place. To create appropriate standards, you need to ensure that they are based on:
- Policies
- Strategy
- Goals
- Governance
Correct answer: Policies
Policies drive standards and are written to fulfill enterprise goals and objectives. The whole process of creating goals, objectives, and policies is part of security governance. To answer the question correctly, you must choose the policy, because the standard must fulfill it specifically.
154.
What is the primary difference between heuristic analysis and signature analysis?
- Heuristics look at traits and code to identify suspicious properties. Signatures rely on predefined patterns.
- Heuristics rely on predefined patterns. Signatures look at traits and code to identify suspicious properties.
- Signatures rely on a predefined baseline and compare it to current behavior. Heuristics rely on traits of a file to determine if it could be malicious.
- Heuristics rely on a predefined baseline and compare it to current behavior. Signatures rely on traits of a file to determine if it could be malicious.
Correct answer: Heuristics look at traits and code to identify suspicious properties. Signatures rely on predefined patterns.
The primary difference between heuristics and signatures is that heuristics look at traits within a file or code, while signatures look for a predefined pattern that makes up a "signature".
Neither one looks at baselines, as that is common with anomaly analysis. However, signature-based analysis requires an associated signature with an attack in order to be identified. Heuristic analysis looks at behavior and traits to determine if software is malicious, regardless of the signature.
155.
Incident management often involves many different roles, along with a joint team effort. Which of the following would an organization be LEAST likely to utilize during an incident in which malware was found on a system, but no data was exfiltrated?
- Public relations
- System techs
- Cybersecurity engineers
- Internal audit
Correct answer: Public relations
In this scenario, the public relations department isn't needed because there is no public disclosure required.
System techs and cybersecurity engineers need to remove malware and ensure systems are back to normal, which involves sanitizing a drive and migrating data from a backup to a clean system. After this, an internal audit should be conducted to ensure the system meets security requirements. A third-party or external audit will likely have to be conducted prior to the device entering production.
156.
Bradley is working on a particular problem found by the last audit. It has been determined that they will add a software-based application that will provide a code that is critical to the process of authentication. Each time the user logs in, the code will be different.
What are they going to add?
- One Time Password (OTP)
- Multi-Factor Authentication (MFA)
- Public Key Infrastructure (PKI)
- X.509 certificate
Correct answer: One Time Password (OTP)
An OTP is generated by a software application or a hardware token. The OTP value changes each time the user logs in.
It is normal for this to be part of MFA, but the question is specific to OTP. PKI is a structure created within or outside of a business that enables trust in the public keys used to verify identity (decrypt signatures) or to protect sensitive data (encrypt sensitive data). The public key is bound to its owner by an X.509 certificate.
157.
If a corporation FAILS to manage the plans to build or change information security-related products within Information Technology (IT) like the installation of Digital Rights Management (DRM) tools, it would fall into which risk category?
- Project management risk
- Technology risk
- Supplier risk
- Legal and regulatory compliance risk
Correct answer: Project management risk
Failing to manage the plans to build would be a project management failure or risk.
DRM might make it sound like a technology risk, but the question is about managing the build or change, making it a project management risk. Supplier risk is the failure to adequately evaluate suppliers' capabilities, leading to breakdowns in the supply process or substandard delivery of supplied goods and services. Think about the lack of toilet paper during the 2020 lockdowns. That is not likely the issue with the DRM tools here. Legal and regulatory compliance risks arise if you are not in compliance with data protection legislation. There is a chance that data protected by the DRM software falls under such law, but, again, the question is asking about the failure to plan.
158.
If a business is monitoring how aware employees are of the company's security objectives and how well those objectives are understood, it would BEST fit into which category of metrics?
- Strategic alignment metrics
- Risk management metrics
- Value delivery metrics
- Resource management metrics
Correct answer: Strategic alignment metrics
Monitoring to see how many people understand the security objectives of the business would fit best into strategic alignment.
Risk management metrics seek to measure the degree to which a risk management program meets its defined objectives in maintaining risk at acceptable levels. Value delivery metrics, a function of strategic alignment, track whether security investment is at the optimal level. Resource management metrics monitor the processes used to plan, allocate, and control information security resources.
159.
If an information security program is very technical and tactically driven, what is MOST LIKELY missing?
- Management support
- Policies and procedures
- A legal review of policies
- A failed annual audit
Correct answer: Management support
When an information security program is very tactical instead of strategic, there is likely a lack of senior management support. When the program is very technical, it is likely to be driven from the bottom up rather than top-down.
Policies and a legal review of those policies are more likely to exist with management support and a strategic program. A failed audit is more likely to drive a technical program to put pieces in place, but it would affect a strategic program in the same manner, which does not make it a good answer here.
160.
Which of the following is LEAST likely to be a resource following a cybersecurity incident?
- Sales and marketing
- Legal department
- Law enforcement
- Human resources
Correct answer: Sales and marketing
Sales and marketing would not be a resource after a cybersecurity incident because their expertise is outside of the scope of the issue at hand.
The legal department and law enforcement could be involved if civil or criminal charges are filed, depending on circumstances. Human resources can also be involved if there is an insider threat — an employee may need to be reprimanded or fired as a result of the incident.