ISACA CISM Exam Questions

Page 9 of 50

161.

Which of the following is LEAST likely to be used natively on Linux systems for system hardening?

  • Procmon

  • AppArmor

  • Chmod

  • Security-enhanced Linux

Correct answer: Procmon

Procmon is least likely to be used natively on Linux systems — it is a Windows program through Microsoft Security Suites.

AppArmor is a command-line application that can control permissions of programs on any Linux system, which is useful for locking down an account. Chmod is a command in Linux to change permissions of a file, folder, or program. Security-enhanced Linux (SELinux) is a command-line application like AppArmor, but allows for more granular permission configuration.

162.

When building a Disaster Recovery Plan (DRP), you have determined that your corporation will likely experience a widespread disaster from an earthquake. The expectation is that the data center equipment will not be able to function anymore. You are looking for a solution that will allow Information Technology (IT) recovery without leaving the region.

What do you recommend?

  • Mobile site

  • Hot site

  • Warm site

  • Cold site

Correct answer: Mobile site

A mobile site is a specially designed trailer that can be brought in quickly with the equipment you need ready to go inside. They are instrumental in widespread disasters that result in no alternative sites in that region being available.

A hot site is not a suitable answer because the scenario involves an earthquake and a desire not to leave the region: if the alternate site is in the same region, its IT equipment would be damaged just like the primary site's. A warm site is not suitable for the same reason. A cold site has the same location problem. It has no IT equipment in place, so nothing there would be broken by the earthquake, but cold sites are only used in unusual situations, such as tolerating an extended downtime or needing a second backup location, and neither situation is mentioned in the question.

163.

In working to uncover any issues with employees supporting the information security strategy and plan, which of the following is MOST LIKELY to be a source of lack of support?

  • Missing active day-to-day operational participation in business activities

  • A lack of information sharing about auditor findings

  • A lack of communication between senior management and the Board of Directors (BoD)

  • Missing interactions between Information Technology (IT) and business planning units

Correct answer: Missing active day-to-day operational participation in business activities

If the information security manager and team participate in business activities, meetings, planning, and so on, employees can understand why the security is there, and security can keep business functionality in mind while planning security controls and activities. Security must enable the business to move forward securely.

Sharing auditor findings may help overcome the lack of support, but not as much as day-to-day participation. A lack of communication between senior management and the BoD is a problem for the whole business. It could be part of the problem with the lack of security support, but changing it does not affect security support as directly as security's participation with the business does. IT must also support and advance the business, so a lack of interaction there is a problem, but IT generally focuses on the functionality of IT, not the security of IT.

164.

The control practice of "trust" refers to:

  • The ability of an entity like a Certificate Authority (CA) to attest to the identity of an entity

  • The ability of a layperson to understand how system security is supposed to work

  • The ability of software to restrict a user from having two functions so that we can manage appropriately

  • The design strategy that includes oversight controls as part of the system design

Correct answer: The ability of an entity like a Certificate Authority (CA) to attest to the identity of an entity

Trust is a design strategy that includes the existence of a security mechanism whereby the identity of a user can be determined because of its relationship with an identity provider who is trusted.

The ability of a layperson to understand how a system works is called transparency. The ability of software to restrict access to a function is called segregation of duties. "Trust no one" is the design strategy that includes oversight controls rather than designating trusted individuals to administer the system and expecting them to follow procedures.

165.

When a corporation has determined that they can ONLY tolerate a non-functional status for their primary server and database for 2.5 hours, what have they determined?

  • Acceptable Interruption Window (AIW)

  • Maximum Tolerable Outage (MTO)

  • Service Delivery Objective (SDO)

  • Recovery Point Objective (RPO)

Correct answer: Acceptable Interruption Window (AIW)

The AIW is the time that a server/service can be offline before it is detrimental to a corporation.

The MTO is the time that a business can remain in the alternate processing state, such as having failed over to a hot site. The SDO is the level of service that must be present in the alternate processing mode for it to be suitable for business success. The RPO is the age of the data that can be tolerated once it is recovered to the alternate site.

166.

Within the Business Model for Information Security (BMIS), the interconnection between people and the organization looks at:

  • Culture

  • Human factors

  • Emergence

  • Architecture

Correct answer: Culture

The interconnection between people and the organization looks at culture.

Human factors are seen in people's relationship to technology. Emergence is how people and processes interact. Architecture is the organization's relationship with technology.

167.

An unexpected event is called a/an:

  • Incident

  • Disaster

  • Problem

  • Issue

Correct answer: Incident

By ISACA's definition on page 259, an incident is an unexpected event.

A disaster, as defined on page 277, is recovering an IT-processing facility, operational facility, or IT capabilities. A problem (page 259) is something greater than an incident; the text does not actually define what a problem is there. ITIL defines a problem as something that occurs over and over. "Issue" is not an Incident Response (IR) term.

168.

Allen is working at a newspaper company. Even though they have adapted to the paperless environment and have their newspaper online, they still have a printing press and enough demand to keep it running. The company does plan to keep printing newspapers for years to come, even though they have reduced their printing to a single facility. They are worried about a fire that could disrupt printing. They are looking into recovery sites that they could use to keep this service working for their customers. They know that if they stop printing for more than two days they will lose their customers. Allen is tasked with finding the MOST cost-effective recovery site possible.

What would you suggest?

  • Reciprocal agreement

  • Hot site

  • Warm site

  • Mobile site

Correct answer: Reciprocal agreement

Even though reciprocal agreements are not as common as they may have been at one time, it is the best option here. Because they have one printing site and they want to save money, this is the only option that makes sense. They will have to work carefully on the contract and agreement with another newspaper company.

It is much more affordable than having a second printing press at a hot site that is ready to be used when a fire happens. A warm site is not likely to have an expensive printing press there. It can take months to get a new one purchased and installed, and they only have two days. A mobile site is unlikely because printing presses are just too large to fit in something like a trailer.

169.

As the information security manager working on the information security program, you need to start significant projects to improve the security environment. To gain the support of senior management and the Board of Directors (BoD), it is BEST to:

  • Develop a persuasive business case

  • Have a meeting with senior management

  • Run an advertising campaign to gain user support

  • Speak to a lawyer to confirm the appropriate course of action

Correct answer: Develop a persuasive business case

There will likely be a meeting with senior management, but it is the business case that you would present, and senior management would review it. It is critical to gaining support. The business case holds all of the vital data that they need to review.

Gaining user support would come later. If management support is not earned, the project will not happen, so users would not need to understand it. Talking to a lawyer is a good answer, especially where the law could restrict personal data, financial data, cameras, or so many other elements of programs. Any information from the lawyers would go into the business case to gain senior management support.

170.

As the information security manager responsible for the security of a system being outsourced to a service provider, you know that it is necessary to see an audit report before you sign the outsourcing contract. Which report do you want to see?

  • SOC 2 Type II

  • SOC 2 Type I

  • SOC 3

  • SOC 1 Type II

Correct answer: SOC 2 Type II

A System and Organization Control (SOC) report contains information on the trust service criteria: confidentiality, security, availability, processing integrity, and privacy. A Type II report spans a period of time to prove the operating effectiveness of the controls, not just their design. So, a SOC 2 Type II gives you confidence in the controls they have in place and how those controls have been working before you place your service on their system.

A Type I report looks at the controls at a single moment in time and can only tell you how well they have been designed. A SOC 1 report contains information about controls related to internal control over financial reporting. It is not a good answer to the question because there is no reference to financial statements, making the more generic SOC 2 more relevant. A SOC 3 is a SOC 2 report reduced to the level generally considered acceptable to release to the public, as it contains less sensitive information. The question does not ask what you will see (probably a SOC 3); it asks what you want, which would be a SOC 2 Type II. These reports are the result of an audit based on SSAE16.

171.

As an information security manager, you have discovered that a new control could be added to improve the business's security posture. Why would you NOT add it?

  • The resources to monitor it are not available.

  • The CEO is hesitant to add this control.

  • The privacy regulation does not require it.

  • The Information Technology (IT) officer is not interested.

Correct answer: The resources to monitor it are not available.

If no one and nothing can monitor a control, it should not be added, because an unmonitored control actually poses an unacceptable risk to the business. It is critical to consider the ability to monitor before adding any control.

If a CEO is hesitant, they have probably not been provided with all of the information they need to make a decision. If it is the right decision, they can say yes; if it is not, they can say no once they have the information they need. A privacy regulation not requiring a control is not a reason not to add it. There could be another law that effectively requires the control, or some other threat the business is worried about. The IT officer is interested in the running of IT, and their primary concern is availability. Many security controls disrupt availability, but that does not mean they should not be added.

172.

Of the following, what would be considered a technical and quantitative metric?

  • Unremediated vulnerabilities

  • CMMI level

  • ISO 9001 quality indicator

  • Business Balance Scorecard (BSC)

Correct answer: Unremediated vulnerabilities

The number of unremediated vulnerabilities is a quantitative metric.

A CMMI level is a number but qualitative in nature. It is about the quality of a process within a business. The same is true with ISO 9001; it is quality, not quantity. A BSC is a management system that enables organizations to clarify their vision and strategy.

173.

Controls should be chosen based on:

  • Cost-effectiveness comparison

  • Vendor trustworthiness

  • Price of the licensing

  • Management approval

Correct answer: Cost-effectiveness comparison

Controls should be selected based on a cost-effectiveness comparison, which involves evaluating how well a control reduces risk relative to its cost. However, this analysis should also consider the overall effectiveness of the control in mitigating risks and its alignment with the organization’s security objectives. While cost-effectiveness is critical, it’s part of a broader evaluation that includes benefit realization and ensuring the control meets the organization’s risk management goals.

Cost-effectiveness comparison is necessary before management gives their permission.

Suppose the licensing price is either high or low. In that case, it will factor into the cost-effectiveness comparison, which would help determine the applicability of that control, but cost by itself is not helpful.

Vendor trustworthiness may be essential, but if the product is too expensive concerning its effectiveness, it may rule the product out even if it is from a vendor you trust.

174.

What are the steps of an incident response plan?

  • Preparation, Identification, Containment, Eradication, Restoration, Follow-up

  • Identification, Preparation, Containment, Eradication, Restoration, Follow-up

  • Identification, Preparation, Containment, Eradication, Follow-up, Restoration

  • Preparation, Containment, Identification, Eradication, Restoration, Follow-up

Correct answer: Preparation, Identification, Containment, Eradication, Restoration, Follow-up

Preparation is commonly added as the first step of incident response. You must build your IRP before an incident happens. After preparation, you need to identify that something may be happening or is happening. Then, immediately contain the incident so it does not spread further. After that, eradicate the attack, virus, attacker, etc. from the systems. Then, restore them to normal. When all is done, hold a follow-up/lessons-learned/postmortem meeting to uncover what worked and what did not, so that things can be improved in preparation for the next incident.

175.

Sólyom is working with his team to measure how far and wide the monitoring of key controls extends throughout the corporation. What are they LIKELY working to measure?

  • Performance measurement

  • Value delivery

  • Risk management

  • Resource management

Correct answer: Performance measurement

Performance measurement metrics reflect the performance level of the security program throughout the business. Knowing how well controls are being monitored would be part of that. It would also help management in making decisions that would guide security activities.

Value delivery metrics track how well security investments are being optimized in support of corporate objectives. Risk management metrics track the effectiveness of the risk management program with the goal of managing risk to acceptable levels. Resource management metrics look to describe how well resources, people, tools, and processes are used within the business.

176.

Experience has taught Neriah that when she starts her new job next week as the information security manager, many businesses do NOT have this critical tool that is essential to building and implementing an effective information security program. What is it?

  • Security architecture

  • Defined senior management team

  • Qualified auditors

  • Responsible lawyers

Correct answer: Security architecture

A security architecture is difficult to create and maintain. It is an expensive proposition, especially when using a framework like Zachman or SABSA. It is also possible that there is simply a lack of people available who know and understand what it takes to create a security architecture. It is an essential tool that allows for the management of the complexity of a security program.

A defined senior management team, qualified auditors, and responsible lawyers are people, not tools.

177.

Of the following steps, which MUST be done by the risk assessment team first for a successful risk management program?

  • Asset identification

  • Asset classification

  • Risk analysis

  • Risk treatment

Correct answer: Asset identification

Asset identification must be done first.

You cannot classify an asset unless you know what you have and where it is. Once classification is done, risk identification and then risk analysis can be performed. The analyzed risk then needs to be evaluated so that a risk treatment can be selected.

178.

When a bad actor has successfully installed malware on a critical corporate server and it is now communicating back to the bad actor's server, the attack has progressed to which phase of the kill chain?

  • Command and control

  • Installation

  • Exploitation

  • Actions on objective

Correct answer: Command and control

When the malware is communicating back to the bad actor's server, the attack is now at command and control.

Installation is when the malware is installed on the corporate server. Exploitation is when the malware takes advantage of a weakness in the target system or network to get to the corporate server. Actions on objective is when the bad actor is able to proceed with their plan because the malware has communicated back after installation.

179.

Which open-source program would MOST likely be used for evidence collection and event tracking?

  • Security Onion

  • Sentinel

  • Crowdstrike

  • Splunk

Correct answer: Security Onion

Security Onion is a SIEM (security information and event management) platform, which can be used to log network information and track events. Security Onion can receive logs remotely from other devices or reside directly on a network. It is currently open source for anyone to use.

Splunk, Sentinel, and Crowdstrike are all closed-source programs that can often do more than just evidence collection and event tracking. Sentinel, Crowdstrike, and Splunk can enable automated response to threats, which can save response time during incidents, but this requires careful configuration and comes at a financial cost.

180.

A recovery site that has partial Information Technology (IT) configurations would be a:

  • Warm site

  • Hot site

  • Cold site

  • Mobile site

Correct answer: Warm site

A warm site has partial IT equipment and/or IT configurations.

A cold site does not have any IT equipment. A hot site has the equipment and configurations it needs already in place. A mobile site is a plausible answer, but what defines a mobile site is that it is movable. Traditionally, the most likely configuration within the mobile site or trailer would be at hot site status.