The Certified Information Security Manager (CISM) certification from ISACA is designed for information security managers with technical expertise and experience in IS/IT security and control. It covers four domains: information security governance, information security risk management, information security program development and management, and incident management. To obtain the CISM certification, candidates must pass the exam, demonstrate five years of information security work experience (at least three of them in information security management), adhere to ISACA's Code of Professional Ethics, and comply with the continuing professional education (CPE) policy. The CISM certification is recognized globally and is beneficial for IT professionals focused on assessing risk, implementing effective governance, and responding proactively to incidents.
Hery Purnama, SE., MM.
MCP, PMP, ITILF, CISA, CISM, CRISC, CGEIT, CDPSE, CDMP, CISSP, CTFL, CBAP, COBIT, TOGAF, ISO27001, ISO31000
CISM EXAM PRACTICE FINAL 150
1. Which of the following best describes information security governance?
⚪ Information security policies.
⚪ Information security policies along with audits of those policies.
⚫ Management’s control of information security processes.
⚪ Benchmarks of metrics as compared to similar organizations.
2. What is the best method for ensuring that an organization’s security program achieves adequate business alignment?
⚪ Find and read the organization’s articles of incorporation.
⚫ Understand the organization’s vision, mission statement, and objectives.
⚪ Study the organization’s chart of management reporting (the “org chart”).
⚪ Study the organization’s financial chart of accounts.
3. Robert has located his organization’s mission statement and a list of strategic objectives. What steps should Robert take to ensure that the information security program aligns with the business?
⚫ Discuss strategic objectives with business leaders to understand better what they want to accomplish and what steps are being taken to achieve them.
⚪ Develop a list of activities that will support the organization’s strategic objectives, and determine the cost of each.
⚪ Select those controls from the organization’s control framework that align to each objective, and then ensure that those controls are effective.
⚪ Select the policies from the organization’s information security policy that are relevant to each objective, and ensure that those policies are current.
4. Michael wants to improve the risk management process in his organization by creating guidelines that will help management understand when certain risks should be accepted and when certain risks should be mitigated. The policy that Michael needs to create is known as what?
⚪ Security policy
⚪ Control framework
⚫ Risk appetite statement
⚪ Control testing procedure
5. In a risk management process, who is the best person(s) to make a risk treatment decision?
⚪ Chief risk officer (CRO)
⚪ Chief information officer (CIO)
⚫ Process owner who is associated with the risk
⚪ Chief information security officer (CISO)
6. The ultimate responsibility for an organization’s cybersecurity program lies with whom?
⚫ The board of directors
⚪ The chief executive officer (CEO)
⚪ The chief information officer (CIO)
⚪ The chief information security officer (CISO)
7. In a U.S. public company, a CISO will generally report the state of the organization’s cybersecurity program to:
⚪ The Treadway Commission
⚪ Independent auditors
⚪ The U.S. Securities and Exchange Commission
⚫ The audit committee of the board of directors
8. A new CISO in an organization is building its cybersecurity program from the ground up. To ensure collaboration among business leaders and department heads in the organization, the CISO should form and manage which of the following?
⚪ A risk committee of the board of directors
⚫ A cybersecurity steering committee
⚪ An audit committee of the board of directors
⚪ Business-aligned security policy
9. Who is the best person or group to make cyber-risk treatment decisions?
⚪ The chief information security officer (CISO)
⚪ The audit committee of the board of directors
⚫ The cybersecurity steering committee
⚪ The chief risk officer (CRO)
10. Which is the best party to conduct access reviews?
⚪ Users’ managers
⚪ Information security manager
⚪ IT service desk
⚫ Department head
11. Which is the best party to make decisions about the purpose and function of business applications?
⚫ Business department head
⚪ IT business analyst
⚪ Application developer
⚪ End user
12. Which of the following is the best definition of custodial responsibility?
⚪ Custodian protects assets based on customer’s defined interests
⚪ Custodian protects assets based on its own defined interests
⚪ Custodian makes decisions based on its own defined interests
⚫ Custodian makes decisions based on customer’s defined interests
13. What is the primary risk of IT acting as custodian for a business owner?
⚪ IT may not have enough interest to provide quality care for business applications.
⚪ IT may not have sufficient staffing to care for business applications properly.
⚫ IT may have insufficient knowledge of business operations to make good decisions.
⚪ Business departments might not give IT sufficient access to manage applications properly.
14. An organization needs to hire an executive who will build a management program that will consider threats and vulnerabilities and determine controls needed to protect systems and work centers. What is the best job title for this position?
⚪ CSO
⚫ CRO
⚪ CISO
⚪ CIRO
15. The Big Data Company is adjusting several position titles in its IT department to reflect industry standards. Included in consideration are two individuals: The first is responsible for the overall relationships and data flows among its internal and external information systems. The second is responsible for the overall health and management of systems containing information. Which two job titles are most appropriate for these two roles?
⚪ Systems architect and database administrator
⚪ Data architect and data scientist
⚪ Data scientist and database administrator
⚫ Data architect and database administrator
16. What is the primary distinction between a network engineer and a telecom engineer?
⚫ A network engineer is primarily involved with networks and internal network media, while a telecom engineer is primarily involved with networks and external (carrier) network media.
⚪ A network engineer is primarily involved with networks and external (carrier) network media, while a telecom engineer is primarily involved with networks and internal network media.
⚪ A network engineer is primarily involved with layer 3 protocols and above, while a telecom engineer is primarily involved with layer 1 and layer 2 protocols.
⚪ There is no distinction, as both are involved in all aspects of an organization’s networks.
17. An organization that is a U.S. public company is redesigning its access management and access review controls. What is the best role for internal audit in this redesign effort?
⚪ Develop procedures
⚪ Design controls
⚫ Provide feedback on control design
⚪ Develop controls and procedures
18. A security operations manager is proposing that engineers who design and manage information systems play a role in monitoring those systems. Are design and management compatible with monitoring? Why or why not?
⚪ Personnel who design and manage systems should not perform a monitoring role because this is a conflict of interest.
⚫ Personnel who design and manage systems will be more familiar with the reasons and steps to take when alerts are generated.
⚪ Personnel who design and manage systems will not be familiar with response procedures when alerts are generated.
⚪ Personnel who design and manage systems are not permitted access to production environments and should not perform monitoring.
19. What is the purpose of metrics in an information security program?
⚫ To measure the performance and effectiveness of security controls
⚪ To measure the likelihood of an attack on the organization
⚪ To predict the likelihood of an attack on an organization
⚪ To predict the method of an attack on an organization
20. Which security metric is best considered a leading indicator of an attack?
⚪ Number of firewall rules triggered
⚪ Number of security awareness training sessions completed
⚪ Percentage of systems scanned
⚫ Mean time to apply security patches
21. Steve, a CISO, has vulnerability management metrics and needs to build business-level metrics. Which of the following is the best leading indicator metric suitable for his organization’s board of directors?
⚫ Average time to patch servers supporting manufacturing processes
⚪ Frequency of security scans of servers supporting manufacturing processes
⚪ Percentage of servers supporting manufacturing processes that are scanned by vulnerability scanning tools
⚪ Number of vulnerabilities remediated on servers supporting manufacturing processes
22. The metric “percentage of systems with completed installation of advanced antimalware” is best described as what?
⚪ Key operational indicator (KOI)
⚪ Key performance indicator (KPI)
⚫ Key goal indicator (KGI)
⚪ Key risk indicator (KRI)
23. A member of the board of directors has asked Ravila, a CIRO, to produce a metric showing the reduction of risk as a result of the organization making key improvements to its security information and event management system. Which type of metric is most suitable for this purpose?
⚪ KGI
⚪ RACI
⚫ KRI
⚪ ROSI
24. A common way to determine the effectiveness of security and risk metrics is the SMART method. What does SMART stand for?
⚪ Security Metrics Are Risk Treatment
⚫ Specific, Measurable, Attainable, Relevant, Timely
⚪ Specific, Measurable, Actionable, Relevant, Timely
⚪ Specific, Manageable, Actionable, Relevant, Timely
25. An organization has a process whereby security-related hazards are identified, followed by analysis and decisions about what to do about these hazards. What kind of a business process is this?
⚪ Vulnerability management
⚪ Risk treatment
⚫ Risk management
⚪ Risk assessment
26. What is the purpose of a cyber-risk management program in an organization?
⚪ Consume information from a centralized risk register
⚫ Identify and make decisions about information security risks
⚪ Plan for future cybersecurity projects and initiatives
⚪ Develop mitigating controls
27. All of the following activities are typical inputs into a risk management process except which one?
⚫ Code reviews
⚪ Risk assessments
⚪ Threat assessments
⚪ Internal audits
28. What should be the primary objective of a risk management strategy?
⚪ Determine the organization’s risk appetite.
⚪ Identify credible risks and transfer them to an external party.
⚫ Identify credible risks and reduce them to an acceptable level.
⚪ Eliminate credible risks.
29. What are possible outcomes of a risk that has been identified and analyzed in a risk management process?
⚪ Acceptance, avoidance, mitigation, transfer, residual
⚪ Acceptance, elimination, reduction, transfer
⚪ Acceptance, avoidance, elimination, mitigation, transfer
⚫ Acceptance, avoidance, mitigation, transfer
30. Dawn, a new CISO in a pharmaceutical company, is reviewing an existing risk management process. The process states that the CISO alone makes all risk treatment decisions. What should Dawn conclude from this observation?
⚫ The process should be changed so that other business leaders may collaborate on risk treatment decisions.
⚪ The process is appropriate, as it is the CISO’s responsibility to make risk treatment decisions.
⚪ The process should be changed so that the internal audit department approves risk treatment decisions.
⚪ The process should be changed so that external regulators approve risk treatment decisions.
31. Marie, a CISO at a manufacturing company, is building a new cyber-risk governance process. For this process to be successful, what is the best first step for Marie to take?
⚪ Develop a RACI matrix that defines executive roles and responsibilities.
⚪ Charter a security steering committee consisting of IT and cybersecurity leaders.
⚪ Develop a risk management process similar to what is found in ISO/IEC 27001.
⚫ Charter a security steering committee consisting of IT, security, and business leaders.
32. To what audience should communication about new information risks be sent?
⚪ Customers
⚫ Security steering committee and executive management
⚪ All personnel
⚪ Board of directors
33. An organization’s internal audit department is assessing the organization’s compliance with PCI-DSS. Internal audit finds that the organization is not compliant with a PCI-DSS control regarding workers’ annual acknowledgement of security policy. What kind of a risk has been identified?
⚪ Insider threat risk
⚪ Disclosure risk
⚫ Compliance risk
⚪ Administrative risk
34. An internal audit team has completed a comprehensive internal audit and has determined that several controls are ineffective. What is the next step that should be performed?
⚪ Correlate these results with an appropriately scoped penetration test.
⚪ Develop compensating controls to reduce risk to acceptable levels.
⚪ Perform a risk assessment.
⚫ Develop a risk-based action plan to remediate ineffective controls.
35. Which of the following statements is correct regarding applicable regulation and the selection of a security controls framework?
⚫ An appropriate framework will make it easier to map regulatory details to required activities.
⚪ It makes no difference which controls framework is selected for regulatory compliance matters.
⚪ Applicable laws and security control framework have little to do with each other.
⚪ For regulated organizations, wise selection of control frameworks will result in lower cyber-insurance premiums.
36. In the use of FAIR (Factor Analysis of Information Risk), how does a risk manager determine the potential types of loss?
⚪ A risk assessment is used to determine what types of loss may occur.
⚪ The record of prior losses is used.
⚪ Losses in similar companies are used.
⚫ Loss types are defined by the FAIR method.
37. Dawn, a CISO in a pharmaceutical organization, is partnering with the company’s legal department on the topic of new applicable regulations. Which of the following approaches is most likely to be successful?
⚪ Examine each new regulation for impact to the organization. Confirm applicability if impact is significant.
⚪ Examine each new regulation for impact to the organization. Confirm applicability for regulations from other countries.
⚫ Examine each new regulation for applicability. If applicable, analyze for impact to the organization.
⚪ Subscribe to a service that informs the organization of new laws. Implement them in the following budget year.
38. What steps must be completed prior to the start of a risk assessment in an organization?
⚪ Determine the qualifications of the firm that will perform the assessment.
⚫ Determine scope, purpose, and criteria for the assessment.
⚪ Determine the qualifications of the person(s) who will perform the assessment.
⚪ Determine scope, applicability, and purpose for the assessment.
39. A risk manager recently completed a risk assessment in an organization. Executive management asked the risk manager to remove one of the findings from the final report. This removal is an example of what?
⚪ Gerrymandering
⚪ Internal politics
⚪ Risk avoidance
⚫ Risk acceptance
40. Which of the following is not a risk management methodology?
⚪ FRAP
⚪ ISO/IEC 27005
⚪ NIST Special Publication 800-39
⚫ FAIR
41. What is the primary objective of the Factor Analysis of Information Risk (FAIR) methodology?
⚫ Determine the probability of a threat event.
⚪ Determine the impact of a threat event.
⚪ Determine the cost of a threat event.
⚪ Determine the type of a threat event.
42. Why might the first control objective of CIS be “Inventory of Authorized and Unauthorized Devices”?
⚪ Most organizations are required to have effective asset inventory processes.
⚪ The CIS controls framework is hardware asset–centric.
⚫ Several IT and security processes depend upon an effective hardware inventory.
⚪ The CIS controls framework is an antiquated controls framework.
43. Why is hardware asset inventory critical for the success of security operations?
⚪ Critical processes such as software asset and software licensing depend upon accurate asset inventory.
⚫ Critical processes such as vulnerability management, event management, and antimalware depend upon accurate asset inventory.
⚪ Vulnerability scans need to cover all hardware assets so that all assets are scanned.
⚪ Penetration tests need to cover all hardware assets so that all assets are scanned.
44. What are the most important security-related criteria for system classification?
⚪ Data sensitivity
⚫ Data sensitivity and operational criticality
⚪ Operational criticality
⚪ Location
45. A new CISO in a financial service organization is working to get asset inventory processes under control. The organization uses on-premises and IaaS-based virtualization services. What approach will most effectively identify all assets in use?
⚫ Perform discovery scans on all networks.
⚪ Obtain a list of all assets from the patch management platform.
⚪ Obtain a list of all assets from the security information and event management (SIEM) system.
⚪ Count all of the servers in each data center.
46. Which of the following security-based metrics is most likely to provide value when reported to management?
⚪ Number of firewall packets dropped per server per day
⚪ Number of persons who have completed security awareness training
⚪ Number of phishing messages blocked per month
⚫ Percent of production servers that have been patched within SLA
47. Ravila, a CISO, reports security-related metrics to executive management. The trend for the past several months for the metric “Percent of patches applied within SLA for servers supporting manufacturing” is 100 percent, 99.5 percent, 100 percent, 100 percent, 99.2 percent, and 74.5 percent. What action should Ravila take with regard to these metrics?
⚪ Explain that risk levels have dropped correspondingly.
⚪ No action is required because this is normal for patch management processes.
⚫ Investigate the cause of the reduction in patching and report to management.
⚪ Wait until the next month to see if the metric returns to normal.
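The metric in question 47 (and the "percent of patches applied within SLA" metric of questions 46 and 57) is straightforward to compute from patch records, and the drop the question describes can be caught automatically rather than noticed by eye. The block below is an added example written for this page, not code from ISACA or from the exam author; the SLA values per severity, the server names and the patch records are constructed, and the 10-point regression threshold is an assumed policy value.

```python
from datetime import date, timedelta
from statistics import median

# Assumed patching SLA, in days, per vulnerability severity (hypothetical policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed sample patch records for servers supporting manufacturing (not real data):
# (server, severity, date the patch was released, date it was applied, or None if still open).
RECORDS = [
    ("mfg-app-01", "critical", date(2024, 5, 2), date(2024, 5, 6)),
    ("mfg-app-02", "critical", date(2024, 5, 2), date(2024, 5, 15)),
    ("mfg-db-01", "high", date(2024, 5, 10), date(2024, 6, 1)),
    ("mfg-hmi-03", "high", date(2024, 5, 10), None),
    ("mfg-db-01", "medium", date(2024, 6, 1), None),
]


def deadline(severity, released):
    """SLA deadline for a patch: release date plus the SLA for its severity."""
    return released + timedelta(days=SLA_DAYS[severity])


def sla_compliance(records, as_of):
    """Percent of patches whose SLA deadline had passed by as_of that were applied on time.

    Patches still inside their SLA window are excluded, so the metric is not
    distorted by work that is not yet due. Returns None if nothing was due.
    """
    due = [r for r in records if deadline(r[1], r[2]) <= as_of]
    if not due:
        return None
    on_time = sum(1 for _, sev, rel, applied in due
                  if applied is not None and applied <= deadline(sev, rel))
    return round(100.0 * on_time / len(due), 1)


def late_patches(records, as_of):
    """Patches that missed their SLA by as_of, with days late, for root-cause follow-up."""
    out = []
    for server, sev, released, applied in records:
        due_on = deadline(sev, released)
        if due_on > as_of:
            continue  # not yet due
        if applied is None:
            out.append((server, sev, (as_of - due_on).days, "open"))
        elif applied > due_on:
            out.append((server, sev, (applied - due_on).days, "late"))
    return out


def flag_regression(series, drop_points=10.0):
    """True when the latest value is drop_points or more below the median of earlier values.

    The median is the baseline so that one earlier bad month cannot mask a new drop.
    """
    if len(series) < 2:
        return False
    baseline = median(series[:-1])
    return baseline - series[-1] >= drop_points


if __name__ == "__main__":
    report_date = date(2024, 6, 30)
    print("SLA compliance as of", report_date, "=", sla_compliance(RECORDS, report_date), "%")
    for row in late_patches(RECORDS, report_date):
        print("  missed SLA:", row)
    # The six-month trend quoted in question 47; the last value should trigger an investigation.
    trend = [100.0, 99.5, 100.0, 100.0, 99.2, 74.5]
    print("investigate latest month:", flag_regression(trend))
```

Run as a script, the block reports 50.0 % compliance for the constructed records, lists the two servers that drove the miss, and flags the question's 74.5 percent month. The list from late_patches is the starting point for the investigation the answer calls for: the metric tells the board that risk rose, the per-server detail tells the CISO why.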
48. Duncan is the CISO in a large electric utility. Duncan received an advisory that describes a serious flaw in Intel CPUs that permits an attacker to take control of an affected system. Knowing that much of the utility’s industrial control system (ICS) is Intel-based, what should Duncan do next?
⚪ Report the situation to executive management.
⚪ Create a new entry in the risk register.
⚫ Analyze the situation to understand business impact.
⚪ Declare a security incident.
49. Duncan is the CISO in a large electric utility. Duncan received an advisory that describes a serious flaw in Intel CPUs that permits an attacker to take control of an affected system. After analyzing the advisory, Duncan realizes that many of the ICS devices in the environment are vulnerable. Knowing that much of the utility’s industrial control system (ICS) is Intel-based, what should Duncan do next?
⚪ Create a new entry in the risk register.
⚪ Report the situation to executive management.
⚪ Create a new entry in the vulnerability register.
⚫ Declare a security incident.
50. Ravila is a new CISO in a healthcare organization. During strategy development, Ravila found that IT system administrators apply security patches when the security team sends them quarterly vulnerability scan reports. What is the most effective change that can be made in the vulnerability management process to make it more proactive versus reactive?
⚪ Have IT system administrators run vulnerability scans on their own systems.
⚪ No change is needed because this process is already working properly.
⚫ Revise the patching process to ensure patches are applied on a defined process schedule based on the risk of the vulnerability. Leverage the quarterly scanning process as a QA.
⚪ Run vulnerability scan reports monthly instead of quarterly.
51. An organization’s CISO is planning for the cybersecurity budget for the following year. One of the security analysts informed the CISO that she should add more licenses to the vulnerability scanning tool so that all of the organization’s networks can be scanned; currently, there are only enough licenses to scan the primary on-premises data center, but not the secondary data center, office networks, or external-facing assets. How should the CISO respond to this request?
⚫ Acquire licenses for all internal and external networks.
⚪ No additional licenses are needed, since only the data center network needs to be scanned.
⚪ No additional licenses are needed, because the scanner can scan all networks but will not maintain records for them because of license limitations.
⚪ Acquire licenses for the secondary data center.
52. A global manufacturing organization has decided to develop a SaaS solution in support of one of its products. What security-related resources will need to be acquired in support of this new endeavor?
⚪ Functional requirements, source code control system, and IDEs
⚪ Secure coding training, web content scanning tools, and a web application firewall
⚫ Secure coding training, DAST and SAST tools, and a web application firewall
⚪ Secure coding training, web application scanning tools, and a web application firewall
53. An organization has decided to improve its information security program by developing a full suite of policies, procedures, standards, and processes. Which of these must be developed first?
⚪ Procedures
⚪ Standards
⚪ Processes
⚫ Policies
54. What kind of statement is the following? “Passwords are to consist of upper- and lowercase letters, numbers, and symbols, and are to be at least 12 characters in length.”
⚫ Standard
⚪ Policy
⚪ Guideline
⚪ Procedure
55. The CISO in a venture capital firm wants the firm’s acquisition process to include a cybersecurity risk assessment prior to the acquisition of a new company, not after the acquisition, as has been done in the past. What is the best reason for this change?
⚪ To discover compliance risks prior to the acquisition
⚫ To discover cybersecurity-related risks that may impact the valuation of the company
⚪ To get a head start on understanding risks that should be remediated
⚪ To understand cybersecurity-related risks prior to connecting networks together
56. What is the purpose of sending security questionnaires to third parties at the start of the due diligence process?
⚪ To determine the firewall rules required to connect to a third party
⚪ To determine which controls need to be added or changed
⚫ To address risks during contract negotiations
⚪ To register the third party with regulatory authorities
57. A CISO has developed and is publishing a new metric entitled, “Percentage of patches applied within SLAs to servers supporting manufacturing.” What message does this metric convey to executives?
⚪ The risk associated with SLAs and whether they are too long
⚪ The amount of downtime in manufacturing while patches are being applied
⚪ The amount of effort used to apply security patches to servers
⚫ The risk of security incidents that could disrupt manufacturing operations
58. Which of the following reports is most appropriate to send to a board of directors?
⚫ Quarterly high-level metrics and a list of security incidents
⚪ Weekly detailed metrics
⚪ Weekly detailed metrics and vulnerability scan reports
⚪ Vulnerability scan reports and a list of security incidents
59. What is the best solution for protecting a SaaS application from a layer 7 attack?
⚪ Advanced malware protection
⚪ Cloud access security broker
⚪ Web content filter
⚫ Web application firewall
60. An organization’s CISO has examined statistics and metrics and has determined that the organization’s software development organization is producing a growing number of serious security vulnerabilities. What new control would be most effective at ensuring that production systems are free of these vulnerabilities?
⚪ Implement an intrusion prevention system.
⚪ Implement a web application firewall.
⚫ Perform a security scan during the software build process and require that no critical or high-level vulnerabilities exist in software released to production.
⚪ Administer secure code training to all developers once per year.
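The control chosen in question 60 (scan during the build and refuse to release anything with critical or high findings) is normally implemented as a gate step in the CI pipeline. The block below is an added example, not code from the page or from any scanner vendor: the JSON report shape, finding IDs, rule names and file paths are hypothetical (real SAST/DAST tools emit their own formats, such as SARIF, so the loader would be adapted), and the severity threshold is an assumed policy value. The waiver register ties the gate back to question 39: a finding taken off the blocking list is risk acceptance, so it is recorded with an approver and an expiry date instead of being deleted, and an unrecognised severity fails closed.

```python
import json
import sys
from datetime import date

# Severity ranking used by the gate; anything unknown is treated as blocking (fail closed).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
BLOCKING_LEVEL = "high"  # assumed policy: no finding at this level or above may reach production

# Constructed scanner output in a simplified, hypothetical JSON shape (not a real tool's format).
SCAN_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "rule": "sql-injection", "severity": "critical", "file": "app/db.py", "line": 42},
        {"id": "F-2", "rule": "weak-hash", "severity": "high", "file": "app/auth.py", "line": 17},
        {"id": "F-3", "rule": "debug-enabled", "severity": "medium", "file": "app/settings.py", "line": 3},
        {"id": "F-4", "rule": "vendor-plugin", "severity": "unrated", "file": "app/ext.py", "line": 9},
    ]
})

# Constructed risk-acceptance register (hypothetical): a finding may only be waived by a named
# approver and only until an expiry date, so accepted risk stays visible and is revisited.
WAIVERS = [
    {"finding_id": "F-2", "accepted_by": "security-steering-committee",
     "expires": "2030-01-01", "reason": "legacy hash; migration scheduled"},
    {"finding_id": "F-4", "accepted_by": "security-steering-committee",
     "expires": "2024-01-01", "reason": "vendor plugin; waiver has lapsed"},
]


def load_findings(report_json):
    """Parse the (hypothetical) report format into a list of finding dicts."""
    return json.loads(report_json)["findings"]


def active_waivers(waivers, today):
    """Finding IDs whose risk acceptance is still in force on `today`."""
    return {w["finding_id"] for w in waivers
            if date.fromisoformat(w["expires"]) >= today}


def is_blocking(finding, blocking_level=BLOCKING_LEVEL):
    """True if the finding's severity is at or above the threshold, or is not recognised."""
    rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower())
    if rank is None:
        return True  # unknown severity: fail closed rather than let it ship
    return rank >= SEVERITY_RANK[blocking_level]


def evaluate_gate(findings, waivers, today, blocking_level=BLOCKING_LEVEL):
    """Decide whether the build may proceed; returns the decision and the evidence behind it."""
    waived = active_waivers(waivers, today)
    blocking, accepted = [], []
    for f in findings:
        if not is_blocking(f, blocking_level):
            continue
        (accepted if f["id"] in waived else blocking).append(f["id"])
    return {"passed": not blocking, "blocking": blocking, "waived": accepted}


if __name__ == "__main__":
    result = evaluate_gate(load_findings(SCAN_REPORT), WAIVERS, date.today())
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)  # a non-zero exit fails the CI job
```

Wired into the build as a required step, the non-zero exit is what enforces the policy; the printed JSON is the evidence to keep with the build record, including which findings shipped under an accepted-risk waiver and who approved them.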
61. How does an acceptable use policy differ from an information security policy?
⚪ They differ in name only; they are functionally the same.
⚫ An acceptable use policy defines expected behavior from workers, while an information security policy details all of the business rules for cybersecurity.
⚪ An information security policy defines expected behavior from workers, while an acceptable use policy details all of the business rules for cybersecurity.
⚪ An acceptable use policy applies to nontechnical workers only, while an information security policy applies only to technical workers.
62. What is the name of the self-attestation that U.S.-based companies could use to express their compliance with the General Data Protection Regulation?
⚪ Binding corporate rules
⚪ Model clauses
⚪ Safe Harbor
⚫ Privacy Shield
Note: the EU-U.S. Privacy Shield was invalidated by the Court of Justice of the European Union in July 2020 (Schrems II) and was succeeded by the EU-U.S. Data Privacy Framework in July 2023; the question reflects the mechanism in force when it was written.
63. What is the name of the provision that multinational organizations can adopt for the protection of PII of its internal personnel?
⚫ Binding corporate rules
⚪ Model clauses
⚪ Safe Harbor
⚪ Privacy Shield
64. What is the most effective way of ensuring that personnel are aware of an organization’s security policies?
⚫ Require personnel to acknowledge compliance to security policies in writing annually.
⚪ Require personnel to acknowledge compliance to security policies at the time of hire.
⚪ Post information security policies on the organization’s intranet.
⚪ Distribute hard copies of information security policies to all personnel.
65. Which certification is recognized for knowledge and experience on the examination of information systems and on information system protection?
⚪ CGEIT
⚪ CRISC
⚫ CISA
⚪ CISSP
66. What is the best method for determining whether employees understand an organization’s information security policy?
⚪ Require employees to acknowledge information security policy in writing.
⚫ Incorporate quizzes into security awareness training.
⚪ Require employees to read the information security policy.
⚪ Distribute copies of the information security policy to employees.
67. An access management process includes an access request procedure, an access review procedure, and an access termination procedure. In the access request procedure, an employee submits an access request; it is approved by the application owner, and it is provisioned by the IT service desk. Which party should periodically review access requests to ensure that records are complete and that accesses were properly provisioned?
⚪ IT service desk
⚫ Internal audit
⚪ Application owner
⚪ Employee’s manager
68. When is the best time for the legal department to review a contract with a third-party service provider?
⚫ After a security questionnaire has been completed by the service provider
⚪ At the start of the procurement process
⚪ At the vendor selection stage
⚪ Before a security questionnaire has been sent to the service provider
69. What aspects of security access reviews would best be reported to senior management?
⚪ Number of accounts reviewed in security access reviews
⚪ Number of security access reviews completed
⚪ Number of security access reviews performed
⚫ Number of exceptions identified during security access reviews
70. In an audit of the user account deprovisioning process for a financial application, three out of ten randomly selected samples indicated that user accounts were not terminated within the 24-hour control limit. How should the audit proceed from this point?
⚪ Publish audit findings and declare the control as ineffective.
⚪ Select another sample of ten records and publish audit findings based on the twenty samples.
⚫ Test all remaining termination requests to see if more were missed.
⚪ Publish audit findings and declare the control as effective.
71. The board of directors in a manufacturing company has asked for a report from the CISO that describes the state of the organization’s cybersecurity program. Which of the following is the best way for the CISO to fulfill this request?
⚪ Meet with the board at its next scheduled meeting, provide a state of the state for the cybersecurity program, and answer questions by board members.
⚪ Send the most recent penetration test to the board members.
⚫ Send the most recent risk assessment to the board members.
⚪ Send the risk register to the board members.
72. One of the objectives in the long-term strategy for an organization’s information security program states that a concerted effort at improving software development will be undertaken. Which of the following approaches will be least effective at reaching this objective?
⚪ Enact financial compensation incentives for developers based on reductions in security defects.
⚫ Implement web application firewalls (WAFs) and intrusion prevention systems (IPSs) to protect applications from attack.
⚪ Enact a policy stating that new software release packages cannot be released until critical and high-level vulnerabilities are remediated.
⚪ Provide mandatory secure development training for all software developers.
73. Ravila, a new CISO in a healthcare organization, is reviewing incident response records from the past several years. Ravila has determined that minor incidents were managed with too much rigor and complexity, while major incidents weren’t dealt with thoroughly enough. What might be the cause of this?
⚪ Lack of training for incident responders
⚪ Inconsistent levels of response to incidents
⚫ Lack of a tiered incident response plan
⚪ Improperly tuned SIEM use cases
74. Which of the following is not a valid objection for using incident response plan “templates” to serve as an organization’s security incident response plan?
⚪ The templates will lack the specifics about business processes and technology.
⚫ The templates will lack the specific regulations the organization is required to comply with.
⚪ The templates will lack the names of specific departments and executives.
⚪ The templates will not specifically call on the organization’s crisis response plan.
75. Why would an organization consider developing alerts on its security information and event management system, as opposed to using its existing daily log review procedure?
⚫ More accurate and timely awareness of security issues requiring action
⚪ Compliance with PCI 3.2 requirement 10.6
⚪ Reduce costs associated with time-consuming log review
⚪ Free up staff to perform more challenging and interesting tasks
76. The purpose of documenting the steps taken during the response to an actual security incident includes all of the following except which one?
⚪ Helps the organization understand how to respond more effectively during future incidents
⚪ Helps the organization understand whether incident responders followed incident response procedures
⚫ Helps the organization understand whether the organization recovered from the incident
⚪ Helps the organization understand whether the incident response was compliant with applicable laws
77. While responding to a security incident, the person acting as the incident commander is unable to notify a particular executive in an escalation procedure. What should the incident commander do next?
⚪ Notify regulators that the organization is experiencing a cyber incident and requires assistance.
⚪ Notify law enforcement that the organization is experiencing a cyber incident and requires assistance.
⚪ Order incident responders to suspend their activities until the executive has been contacted.
⚫ Notify the next highest executive in the escalation chain.
78. Why should incident responders participate in incident response tabletop exercises?
⚫ Helps incident responders better understand incident response procedures
⚪ Helps incident responders find mistakes in incident response procedures
⚪ Helps incident responders understand how long it should take to respond to actual incidents
⚪ Helps incident responders memorize incident response procedures so they can respond more quickly
79. Why should incident responders be asked to review incident response procedures?
⚪ Helps incident responders memorize incident response procedures so they can respond more quickly
⚪ Helps incident responders understand how long it should take to respond to actual incidents
⚫ Helps incident responders better understand incident response procedures
⚪ Helps incident responders find mistakes in incident response procedures
80. Why would PCI-DSS requirements require organizations to put emergency contact information for card brands in their incident response plans?
⚪ An emergency is a poor time to start looking for emergency contact information for outside organizations.
⚫ Card brands must be notified of an incident as soon as possible.
⚪ Requirement 12.10.1 in PCI-DSS requires it.
⚪ It reminds organizations to notify the card brands in the event of a breach.
81. The purpose of a post-incident review of a security incident includes all of the following except which one?
⚪ Determine the root cause of the incident.
⚪ Identify improvements in incident response procedures.
⚫ Determine the motivation of the attacker.
⚪ Identify improvements in cybersecurity defenses.
82. James, the CISO in an organization, has reviewed the organization’s incident response plans and disaster recovery plans and has determined that incident response plans do not include any provisions should a security incident occur during a declared disaster of the organization. What is James’s most appropriate response?
⚪ Declare a security incident.
⚪ Request that the next tabletop exercise take place at the emergency operations center.
⚪ No response is required because security incident response plans are not required for DR sites.
⚫ Request that incident response and disaster recovery teams update the IRP to include procedures during emergency operations mode.
83. Which term in security incident response represents the final activity that takes place during a response to an incident?
⚫ Post-incident review
⚪ Remediation
⚪ Closure
⚪ Containment
84. Which step in an incident response plan is associated with tabletop exercises?
⚪ Remediation
⚪ Detection
⚪ Analysis
⚫ Planning
85. Of what value is a business impact analysis (BIA) in security incident response planning?
⚪ Identifies the business owners associated with information systems, and therefore the escalation path
⚪ Identifies the systems that require forensic examination during an incident
⚫ Indirectly identifies the most important information systems that require protection from threats
⚪ Directly identifies the location of the most critical data
86. Which of the following criteria would likely not be used to classify a security incident?
⚪ Data volume
⚫ System location
⚪ Data sensitivity
⚪ Operational criticality
87. An incident response team is responding to a situation in which an intruder has successfully logged on to a system using stolen nonprivileged credentials. Which steps are most effective at containing this incident?
⚪ Lock the compromised user account.
⚪ Reset the password of the compromised user account.
⚪ Kill all processes associated with the compromised user account.
⚫ Blackhole the intruder’s originating IP address and lock the compromised user account.
88. In what circumstances should executive management be notified of a security incident?
⚪ In no cases, other than monthly and quarterly metrics
⚪ In all cases
⚫ When its impact is material
⚪ When regulators are required to be notified
89. Which of the following individuals should approve the release of notifications regarding cybersecurity incidents to affected parties who are private citizens?
⚫ General counsel
⚪ Chief marketing officer
⚪ Chief information security officer
⚪ Security incident response commander
90. What is the purpose of a write blocker in the context of security incident response?
⚪ Protects forensic evidence against tampering
⚪ Creates forensically identical copies of hard drives
⚫ Assures that hard drives can be examined without being altered
⚪ Assures that affected systems cannot be altered
91. An employee in an organization is suspected of storing illegal content on the workstation assigned to him. Human resources asked the security manager to log on to the workstation and examine its logs. The security manager has identified evidence in the workstation’s logs that supports the allegation. Which statement best describes this investigation?
⚪ The investigation was performed properly, and the organization can proceed with disciplinary action.
⚫ Because forensic tools were not used to preserve the state of the workstation, the veracity of the evidence identified in the investigation can be called into question.
⚪ The investigation should enter a second phase in which forensic tools are used to specifically identify the disallowed behavior.
⚪ The investigation cannot continue because the initial examination of the workstation was performed without a signed warrant.
92. Under the state of California’s data security and privacy law of 2002 (SB 1386), under what circumstances is an organization not required to notify affected parties of a breach of personally identifiable information (PII)?
⚪ When the organization cannot identify affected parties
⚫ When the PII is encrypted at rest
⚪ When the number of compromised records is less than 20,000
⚪ When the number of total records is less than 20,000
93. Which of the following is not considered a part of a security incident post-incident review?
⚫ Motivations of perpetrators
⚪ Effectiveness of response procedures
⚪ Accuracy of response procedures
⚪ Improvements of preventive controls
94. Which of the following is usually not included in a cost analysis of a security incident during post-incident review?
⚪ Penalties and legal fees
⚪ Notification to external parties
⚪ Assistance by external parties
⚫ Loss of market share
95. Which of the following describes the best practice for capturing login log data?
⚪ Capture all unsuccessful login attempts. Capture user ID, password, IP address, and location.
⚪ Capture all successful and unsuccessful login attempts. Capture user ID, password, IP address, and location.
⚫ Capture all successful and unsuccessful login attempts. Capture user ID, IP address, and location.
⚪ Capture all unsuccessful login attempts. Capture user ID, IP address, and location.
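The following is an added example, not part of the original question set, that puts questions 75 and 95 into working code: an audit record builder that carries exactly the login fields question 95 lists (user ID, source IP, location, outcome, for both successful and failed attempts) and refuses to write a password, plus a SIEM-style alert rule of the kind question 75 contrasts with daily log review. The field names, thresholds, IP addresses and login events are constructed for illustration and are assumptions, not data from any real system.

```python
"""Login audit records without secrets, and a burst-detection rule over them.
Added example; field names, threshold, window and sample events are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import json


def login_record(ts, user_id, src_ip, location, outcome, **extra):
    """Build one audit record with only the fields a login log should carry.
    Any extra keyword argument (a password, a session token, ...) is refused
    rather than silently written to the log."""
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    if extra:
        raise ValueError(f"refusing to log fields {sorted(extra)} in a login record")
    return {"ts": ts.isoformat(), "user_id": user_id, "src_ip": src_ip,
            "location": location, "outcome": outcome}


def to_log_lines(records):
    """One JSON object per line, the shape a SIEM ingests."""
    return [json.dumps(r, sort_keys=True) for r in records]


def failed_login_alerts(records, threshold=5, window=timedelta(minutes=10)):
    """SIEM-style rule: alert once when a source IP produces `threshold` failures
    inside `window`, and again if that IP then logs in successfully (the shape of
    a password spray or credential-stuffing hit). A daily log review would see
    these rows the next day; this rule sees them as they arrive."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["src_ip"]].append((datetime.fromisoformat(r["ts"]), r))
    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        recent_failures = []   # timestamps of failures inside the sliding window
        in_burst = False
        for ts, r in events:
            if r["outcome"] == "failure":
                recent_failures = [t for t in recent_failures if ts - t <= window]
                recent_failures.append(ts)
                if len(recent_failures) >= threshold and not in_burst:
                    in_burst = True
                    alerts.append({"rule": "failed_login_burst", "src_ip": ip,
                                   "count": len(recent_failures), "ts": r["ts"]})
            elif in_burst:
                alerts.append({"rule": "success_after_burst", "src_ip": ip,
                               "user_id": r["user_id"], "ts": r["ts"]})
                in_burst = False
    return alerts


def sample_records():
    """Constructed login activity: five spray attempts from one IP against
    different users, a sixth failure, then a success for alice from that IP,
    plus benign traffic from a second IP."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    recs = []
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "alice"]):
        recs.append(login_record(base + timedelta(minutes=i), user,
                                 "203.0.113.7", "unknown", "failure"))
    recs.append(login_record(base + timedelta(minutes=7), "alice",
                             "203.0.113.7", "unknown", "success"))
    recs.append(login_record(base + timedelta(minutes=2), "frank",
                             "198.51.100.5", "Amsterdam, NL", "failure"))
    recs.append(login_record(base + timedelta(minutes=3), "frank",
                             "198.51.100.5", "Amsterdam, NL", "success"))
    return recs


def sample_alerts():
    return failed_login_alerts(sample_records())


def rejects_secret_field():
    """True if the record builder refuses a password argument."""
    try:
        login_record(datetime(2024, 3, 1), "bob", "10.0.0.1", "Amsterdam, NL",
                     "failure", password="hunter2")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for line in to_log_lines(sample_records()):
        print(line)
    for alert in sample_alerts():
        print("ALERT", alert)
```

On the sample data the rule raises one `failed_login_burst` at the fifth failure from 203.0.113.7 and one `success_after_burst` when alice's login from the same address succeeds; the second IP, with one failure followed by a success, produces nothing. The password check is deliberately a hard failure rather than redaction, so a caller cannot accidentally extend the record with a secret.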
96. What is the best method for utilizing forensic investigation assistance in organizations too small to hire individuals with forensic investigation skills?
⚪ Utilize interns from a nearby college or university that teaches cyberforensic investigations.
⚪ Request assistance from law enforcement at the city, state/province, or national level.
⚫ Obtain an incident response retainer from a cybersecurity firm that specializes in security incident response services.
⚪ Use one of several cloud-based, automated forensic examination services.
97. Threat analysts in an organization have identified a potential malware threat in an advisory. Detection in production systems will necessitate configuration changes to antivirus systems on production servers. What approach is best for making these configuration changes?
⚪ Make the changes as soon as possible on production servers to stop the threat.
⚫ Test the changes on nonproduction servers and measure performance impact.
⚪ Write a rule in intrusion detection systems to block the threat at the network layer.
⚪ Update antivirus signature files to permit detection of the threat.
98. The purpose of documenting the steps taken during the response to an actual security incident includes all of the following except which one?
⚪ Helps the organization understand how to respond more effectively during future incidents
⚪ Helps the organization understand whether incident responders followed incident response procedures
⚫ Helps the organization understand whether the organization recovered from the incident
⚪ Helps the organization understand whether the incident response was compliant with applicable laws
99. Ravila, a new CISO in a healthcare organization, is reviewing incident response records from the past several years. Ravila has determined that minor incidents were managed with too much rigor and complexity, while major incidents weren't dealt with thoroughly enough. What might be the cause of this?
⚪ A. Lack of training for incident responders
⚪ B. Inconsistent levels of response to incidents
⚫ C. Lack of a tiered incident response plan
⚪ D. Improperly tuned SIEM use cases
100. Why would an organization consider developing alerts on its security information and event management system, as opposed to using its existing daily log review procedure?
⚫ More accurate and timely awareness of security issues requiring action
⚪ Compliance with PCI 3.2 requirement 10.6
⚪ Reduce costs associated with time-consuming log review
⚪ Free up staff to perform more challenging and interesting tasks
101. Why should incident responders participate in incident response tabletop exercises?
⚫ A. Helps incident responders better understand incident response procedures
⚪ B. Helps incident responders find mistakes in incident response procedures
⚪ C. Helps incident responders understand how long it should take to respond to actual incidents
⚪ D. Helps incident responders memorize incident response procedures so they can respond more quickly
102. James, the CISO in an organization, has reviewed the organization’s incident response plans and disaster recovery plans and has determined that incident response plans do not include any provisions should a security incident occur during a declared disaster of the organization. What is James’s most appropriate response?
⚪ Declare a security incident.
⚪ Request that the next tabletop exercise take place at the emergency operations center.
⚪ No response is required because security incident response plans are not required for DR sites.
⚫ Request that incident response and disaster recovery teams update the IRP to include procedures during emergency operations mode.
103. Which term in security incident response represents the final activity that takes place during a response to an incident?
⚫ A. Post-incident review
⚪ B. Remediation
⚪ C. Closure
⚪ D. Containment
104. When is the best time for the legal department to review a contract with a third-party service provider?
⚫ After a security questionnaire has been completed by the service provider, so that identified gaps can be addressed in the contract terms
⚪ At the start of the procurement process
⚪ At the vendor selection stage
⚪ Before a security questionnaire has been sent to the service provider
105. What is the purpose of developing security awareness content in various forms?
⚪ To provide unexpected messages that users are less likely to notice
⚪ To maximize the value of security awareness training content licensing
⚪ To relieve personnel of boredom from only one form of messaging
⚫ In recognition that different people have different learning and cognition styles
106. What is the purpose of metrics in an information security program?
⚫ A. To measure the performance and effectiveness of security controls
⚪ B. To measure the likelihood of an attack on the organization
⚪ C. To predict the likelihood of an attack on an organization
⚪ D. To predict the method of an attack on an organization
107. The metric "percentage of systems with completed installation of advanced antimalware" is best described as what?
⚪ A. Key operational indicator (KOI)
⚪ B. Key performance indicator (KPI)
⚫ C. Key goal indicator (KGI)
⚪ D. Key risk indicator (KRI)
108. What is the primary objective of the Factor Analysis of Information Risk (FAIR) methodology?
⚫ A. Determine the probability of a threat event.
⚪ B. Determine the impact of a threat event.
⚪ C. Determine the cost of a threat event.
⚪ D. Determine the type of a threat event.
109. A new CISO in a financial services organization is working to get asset inventory processes under control. The organization uses on-premises and IaaS-based virtualization services. What approach will most effectively identify all assets in use?
⚫ A. Perform discovery scans on all networks.
⚪ B. Obtain a list of all assets from the patch management platform.
⚪ C. Obtain a list of all assets from the security information and event management (SIEM) system.
⚪ D. Count all of the servers in each data center.
110. An internal audit examination of the employee termination process determined that in 20 percent of employee terminations, one or more terminated employee user accounts were not locked or removed. The internal audit department also found that routine monthly user access reviews identified 100 percent of missed account closures, resulting in those user accounts being closed no more than 60 days after users were terminated. What corrective actions, if any, are warranted?
⚪ A. Increase user access review process frequency to twice per week.
⚪ B. Increase user access review process frequency to weekly.
⚪ C. No action is necessary since the monthly user access review process is effective.
⚫ D. Improve the user termination process to reduce the number of missed account closures.
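The following is an added example, not part of the original question set, showing the reconciliation an internal auditor or security manager would run to produce the finding in question 110: join an HR termination feed against a directory export, list accounts that are still enabled after their owner's termination date, and compute the miss rate and the longest exposure window. The HR feed, the directory export, the employee IDs and the dates are all constructed for illustration and are assumptions, not data from any real system.

```python
"""Terminated-but-enabled account reconciliation (the control test behind question 110).
Added example; the HR feed, directory export, IDs and dates are constructed assumptions."""
from datetime import date

# Constructed HR feed: employee id -> termination date (None = still employed)
HR_TERMINATIONS = {
    "e1001": date(2024, 1, 15),
    "e1002": date(2024, 1, 22),
    "e1003": date(2024, 2, 2),
    "e1004": date(2024, 2, 20),
    "e1005": date(2024, 3, 1),
    "e1006": None,
}

# Constructed directory export: one account per employee id with its enabled flag
DIRECTORY_ACCOUNTS = [
    {"employee_id": "e1001", "account": "jdoe", "enabled": False},
    {"employee_id": "e1002", "account": "asmith", "enabled": False},
    {"employee_id": "e1003", "account": "bchan", "enabled": True},   # missed closure
    {"employee_id": "e1004", "account": "mlopez", "enabled": False},
    {"employee_id": "e1005", "account": "kpatel", "enabled": False},
    {"employee_id": "e1006", "account": "rnguyen", "enabled": True},  # still employed
]

AS_OF = date(2024, 3, 10)   # date the review is run (assumption)


def orphaned_accounts(hr, accounts, as_of):
    """Accounts still enabled whose owner HR reports as terminated on or before as_of.
    Accounts with no HR record at all are reported too: an unknown owner is a
    finding in its own right, not a pass."""
    out = []
    for acct in accounts:
        if acct["employee_id"] not in hr:
            out.append({"account": acct["account"], "employee_id": acct["employee_id"],
                        "days_open": None, "reason": "no HR record"})
            continue
        term = hr[acct["employee_id"]]
        if term is not None and term <= as_of and acct["enabled"]:
            out.append({"account": acct["account"], "employee_id": acct["employee_id"],
                        "days_open": (as_of - term).days, "reason": "enabled after termination"})
    return out


def termination_control_metrics(hr, accounts, as_of):
    """Miss rate of the termination process (the '20 percent' in the finding) and
    the longest open window, the number the monthly review bounds at about 60 days."""
    terminated = [eid for eid, d in hr.items() if d is not None and d <= as_of]
    orphans = orphaned_accounts(hr, accounts, as_of)
    miss_rate = len(orphans) / len(terminated) if terminated else 0.0
    max_days = max((o["days_open"] for o in orphans if o["days_open"] is not None), default=0)
    return {"terminated": len(terminated), "missed": len(orphans),
            "miss_rate": miss_rate, "max_days_open": max_days}


def sample_orphans():
    return orphaned_accounts(HR_TERMINATIONS, DIRECTORY_ACCOUNTS, AS_OF)


def run_sample():
    return termination_control_metrics(HR_TERMINATIONS, DIRECTORY_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for o in sample_orphans():
        print("FINDING", o)
    print(run_sample())
```

Run on the constructed data, one of five terminated employees (bchan) still has an enabled account 37 days after termination, a 20 percent miss rate. The metric the monthly review controls is `max_days_open`; the metric the termination process controls is `miss_rate`, which is why question 110's correct action targets the termination process rather than the review frequency.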
111. The PRIMARY goal in developing an information security strategy is to:
⚪ A. establish security metrics and performance monitoring.
⚪ B. educate business process owners regarding their duties.
⚪ C. ensure that legal and regulatory requirements are met.
⚫ D. support the business objectives of the organization.
112. When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?
⚪ A. Develop a security architecture
⚫ B. Establish good communication with steering committee members
⚪ C. Assemble an experienced staff
⚪ D. Benchmark peer organizations
113. The MOST important component of a privacy policy is:
⚫ A. notifications.
⚪ B. warranties.
⚪ C. liabilities.
⚪ D. geographic coverage.
114. Which of the following requirements would have the lowest level of priority in information security?
⚫ A. Technical
⚪ B. Regulatory
⚪ C. Privacy
⚪ D. Business
115. Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
⚪ A. Information security manager
⚫ B. Chief operating officer (COO)
⚪ C. Internal auditor
⚪ D. Legal counsel
116. It is MOST important that information security architecture be aligned with which of the following?
⚪ A. Industry best practices
⚪ B. Information technology plans
⚪ C. Information security best practices
⚫ D. Business objectives and goals
117. Security technologies should be selected PRIMARILY on the basis of their:
⚫ A. ability to mitigate business risks.
⚪ B. evaluations in trade publications.
⚪ C. use of new and emerging technologies.
⚪ D. benefits in comparison to their costs.
118. The human resources arm of a large multinational company is planning to consolidate its HR information systems (HRIS) onto a single platform. How can the information security function align its strategy to this development?
⚪ Contractors and temporary workers can be managed in the new global HRIS.
⚪ Workers in all countries can acknowledge compliance with the information security policy.
⚫ Workers in all countries can be enrolled in security awareness training.
⚪ The identity and access management function can be integrated with the new global HRIS.
119. The CISO in a 1000-employee organization wants to implement a 24/7/365 security monitoring function. There is currently no 24/7 IT operations function in the organization. What is the best option for the CISO to implement 24/7/365 security monitoring?
⚫ Outsource security monitoring to a managed security services provider (MSSP) that specializes in security event monitoring.
⚪ Staff up a 24/7/365 IT operations and security event monitoring function with permanent full-time staff.
⚪ Staff up a 24/7/365 security event monitoring function with permanent full-time staff.
⚪ Implement a security event monitoring platform and have events sent to existing 5x8 staff (a staff that works five days a week for eight hours per day) after hours.
120. How does an acceptable use policy differ from an information security policy?
⚪ A. They differ in name only; they are functionally the same.
⚫ B. An acceptable use policy defines expected behavior from workers, while an information security policy details all of the business rules for cybersecurity.
⚪ C. An information security policy defines expected behavior from workers, while an acceptable use policy details all of the business rules for cybersecurity.
⚪ D. An acceptable use policy applies to nontechnical workers only, while an information security policy applies only to technical workers.
121. What is the name of the self-attestation that U.S.-based companies could use to express their compliance with the General Data Protection Regulation for transfers of personal data from the EU?
⚪ A. Binding corporate rules
⚪ B. Model clauses
⚪ C. Safe Harbor
⚫ D. Privacy Shield
Note: the EU-U.S. Privacy Shield was invalidated by the Court of Justice of the European Union in July 2020 (the Schrems II judgment); its successor is the EU-U.S. Data Privacy Framework, which received an adequacy decision in July 2023. Binding corporate rules and standard contractual clauses (the "model clauses") remain valid transfer mechanisms but are not self-attestations.
122. In a risk management process, who is the best person(s) to make a risk treatment decision?
⚪ A. Chief risk officer (CRO)
⚪ B. Chief information officer (CIO)
⚫ C. Process owner who is associated with the risk
⚪ D. Chief information security officer (CISO)
123. Which is the best party to conduct access reviews?
⚪ A. Users' managers
⚪ B. Information security manager
⚪ C. IT service desk
⚫ D. Department head
124. An organization needs to hire an executive who will be responsible for ensuring that the organization's policies, business processes, and information systems are compliant with laws and regulations concerning the proper collection, use, and protection of personally identifiable information. What is the best job title for the organization to use for this position?
⚪ A. CSO
⚪ B. CIRO
⚪ C. CISO
⚫ D. CPO
125. An organization needs to hire an executive who will be responsible for ensuring that the organization's policies, business processes, and information systems are compliant with laws and regulations concerning the proper collection, use, and protection of personally identifiable information. What is the best job title for the organization to use for this position?
⚪ A. CSO
⚪ B. CIRO
⚪ C. CISO
⚫ D. CPO
126. What should be the primary objective of a risk management strategy?
⚪ A. Determine the organization's risk appetite.
⚪ B. Identify credible risks and transfer them to an external party.
⚫ C. Identify credible risks and reduce them to an acceptable level.
⚪ D. Eliminate credible risks.
127. The CISO in a venture capital firm wants the firm's acquisition process to include a cybersecurity risk assessment prior to the acquisition of a new company, not after the acquisition, as has been done in the past. What is the best reason for this change?
⚪ A. To discover compliance risks prior to the acquisition
⚫ B. To discover cybersecurity-related risks that may impact the valuation of the company
⚪ C. To get a head start on understanding risks that should be remediated
⚪ D. To understand cybersecurity-related risks prior to connecting networks together
128. Michael wants to improve the risk management process in his organization by creating guidelines that will help management understand when certain risks should be accepted and when certain risks should be mitigated. The policy that Michael needs to create is known as what?
⚪ A. Security policy
⚪ B. Control framework
⚫ C. Risk appetite statement
⚪ D. Control testing procedure
129. To what audience should communication about new information risks be sent?
⚪ A. Customers
⚫ B. Security steering committee and executive management
⚪ C. All personnel
⚪ D. Board of directors
130. A risk manager recently completed a risk assessment in an organization. Executive management asked the risk manager to remove one of the findings from the final report. This removal is an example of what?
⚪ Gerrymandering
⚪ Internal politics
⚪ Risk avoidance
⚫ Risk acceptance
131. Which of the following reports is most appropriate to send to a board of directors?
⚫ Quarterly high-level metrics and a list of security incidents
⚪ Weekly detailed metrics
⚪ Weekly detailed metrics and vulnerability scan reports
⚪ Vulnerability scan reports and a list of security incidents
132. An employee in an organization is suspected of storing illegal content on the workstation assigned to him. Human resources asked the security manager to log on to the workstation and examine its logs. The security manager has identified evidence in the workstation’s logs that supports the allegation. Which statement best describes this investigation?
⚪ The investigation was performed properly, and the organization can proceed with disciplinary action.
⚫ Because forensic tools were not used to preserve the state of the workstation, the veracity of the evidence identified in the investigation can be called into question.
⚪ The investigation should enter a second phase in which forensic tools are used to specifically identify the disallowed behavior.
⚪ The investigation cannot continue because the initial examination of the workstation was performed without a signed warrant.
133. What is the best method for utilizing forensic investigation assistance in organizations too small to hire individuals with forensic investigation skills?
⚪ Utilize interns from a nearby college or university that teaches cyberforensic investigations.
⚪ Request assistance from law enforcement at the city, state/province, or national level.
⚫ Obtain an incident response retainer from a cybersecurity firm that specializes in security incident response services.
⚪ Use one of several cloud-based, automated forensic examination services.
134. An internal audit team has completed a comprehensive internal audit and has determined that several controls are ineffective. What is the next step that should be performed?
⚪ Correlate these results with an appropriately scoped penetration test.
⚪ Develop compensating controls to reduce risk to acceptable levels.
⚪ Perform a risk assessment.
⚫ Develop a risk-based action plan to remediate ineffective controls.
135. What is the purpose of sending security questionnaires to third parties at the start of the due diligence process?
⚪ To determine the firewall rules required to connect to a third party
⚪ To determine which controls need to be added or changed
⚫ To address risks during contract negotiations
⚪ To register the third party with regulatory authorities
136. Which of the following criteria would likely not be used to classify a security incident?
⚪ Data volume
⚫ System location
⚪ Data sensitivity
⚪ Operational criticality
137. While responding to a security incident, the person acting as the incident commander is unable to reach a particular executive in the escalation procedure. What should the incident commander do next?
⚪ Notify regulators that the organization is experiencing a cyber incident and requires assistance.
⚪ Notify law enforcement that the organization is experiencing a cyber incident and requires assistance.
⚪ Order incident responders to suspend their activities until the executive has been contacted.
⚫ Notify the next highest executive in the escalation chain.
138. Steve, a CISO, has vulnerability management metrics and needs to build business-level metrics. Which of the following is the best leading indicator metric suitable for his organization’s board of directors?
⚫ Average time to patch servers supporting manufacturing processes
⚪ Frequency of security scans of servers supporting manufacturing processes
⚪ Percentage of servers supporting manufacturing processes that are scanned by vulnerability scanning tools
⚪ Number of vulnerabilities remediated on servers supporting manufacturing processes
139. Ravila, a new CISO in a healthcare organization, is reviewing incident response records from the past several years. Ravila has determined that minor incidents were managed with too much rigor and complexity, while major incidents weren’t dealt with thoroughly enough. What might be the cause of this?
⚪ Lack of training for incident responders
⚪ Inconsistent levels of response to incidents
⚫ Lack of a tiered incident response plan
⚪ Improperly tuned SIEM use cases
140. In what circumstances should executive management be notified of a security incident?
⚪ In no cases, other than monthly and quarterly metrics
⚪ In all cases
⚫ When its impact is material
⚪ When regulators are required to be notified
141. Why would PCI-DSS requirements require organizations to put emergency contact information for card brands in their incident response plans?
⚪ A. An emergency is a poor time to start looking for emergency contact information for outside organizations.
⚫ B. Card brands must be notified of an incident as soon as possible.
⚪ C. Requirement 12.10.1 in PCI-DSS requires it.
⚪ D. It reminds organizations to notify the card brands in the event of a breach.
142. What is the purpose of a cyber-risk management program in an organization?
⚪ Consume information from a centralized risk register
⚫ Identify and make decisions about information security risks
⚪ Plan for future cybersecurity projects and initiatives
⚪ Develop mitigating controls
143. What steps must be completed prior to the start of a risk assessment in an organization?
⚪ Determine the qualifications of the firm that will perform the assessment.
⚫ Determine the scope, purpose, and criteria for the assessment.
⚪ Determine the qualifications of the person(s) who will perform the assessment.
⚪ Determine the scope, applicability, and purpose for the assessment.
144. One of the objectives in the long-term strategy for an organization’s information security program states that a concerted effort at improving software development will be undertaken. Which of the following approaches will be least effective at reaching this objective?
⚪ Enact financial compensation incentives for developers based on reductions in security defects.
⚫ Implement web application firewalls (WAFs) and intrusion prevention systems (IPSs) to protect applications from attack.
⚪ Enact a policy stating that new software release packages cannot be released until critical and high-level vulnerabilities are remediated.
⚪ Provide mandatory secure development training for all software developers.
145. Which of the following security-based metrics is most likely to provide value when reported to management?
⚪ Number of firewall packets dropped per server per day
⚪ Number of persons who have completed security awareness training
⚪ Number of phishing messages blocked per month
⚫ Percent of production servers that have been patched within SLA
146. Retention of business records should PRIMARILY be based on:
⚪ A. business strategy and direction.
⚫ B. regulatory and legal requirements.
⚪ C. storage capacity and longevity.
⚪ D. business ease and value analysis.
147. Which of the following should be the FIRST step in developing an information security plan?
⚪ A. Perform a technical vulnerabilities assessment
⚫ B. Analyze the current business strategy
⚪ C. Perform a business impact analysis
⚪ D. Assess the current levels of security awareness
148. Minimum standards for securing the technical infrastructure should be defined in a security:
⚪ A. strategy.
⚪ B. guidelines.
⚪ C. model.
⚫ D. architecture.
149. Investments in information security technologies should be based on:
⚪ A. vulnerability assessments.
⚫ B. value analysis.
⚪ C. business climate.
⚪ D. audit recommendations.
150. Which of the following roles would represent a conflict of interest for an information security manager?
⚪ A. Evaluation of third parties requesting connectivity
⚪ B. Assessment of the adequacy of disaster recovery plans
⚫ C. Final approval of information security policies
⚪ D. Monitoring adherence to physical security controls