The "separation of duties" principle is violated if which of the following individuals has update rights to the database access control list (ACL)?
Answer : Systems programmer

Which of the following is the MOST likely outcome of a well-designed information security awareness course?
Answer : Increased reporting of security incidents to the incident response function

CISM Information Security Governance Certified

An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that:
Answer : the contract mandates that the service provider comply with security policies.

Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to:
Answer : assess the problems and institute rollback procedures, if needed.

Which of the following BEST ensures that security risks will be reevaluated when modifications are made during application development?
Answer : A change control process

CISM Information Risk Management Certification Practice

Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities?
Answer : Penetration tests

Which of the following is the BEST method to reduce the number of incidents of employees forwarding spam and chain e-mail messages?
Answer : User awareness training

Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual who needs his or her password reset?
Answer : Conducting security awareness programs

CISM Information Security Governance Practice Test Set 1

Simple Network Management Protocol v2 (SNMP v2) is used frequently to monitor networks. Which of the following vulnerabilities does it always introduce?
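For the SNMP v2 question above: the page's answer is clear-text authentication, meaning the v1/v2c community string is carried unencrypted in every request and can be read by anyone on the network path. The following Python example is added here and is not part of the original practice set. It builds a minimal BER-encoded SNMPv2c GetRequest for sysDescr.0 with the constructed community string "public", then recovers the version and community string from the raw bytes exactly as a passive sniffer would. The helper names (tlv, ber_int, ber_oid, build_get_request, extract_community) and the short-form-length-only encoder are this example's own assumptions.

```python
# Added example: SNMPv1/v2c community string on the wire (hypothetical helper names).


def tlv(tag: int, body: bytes) -> bytes:
    """BER type-length-value with short-form length (enough for PDUs under 128 bytes)."""
    assert len(body) < 128, "short-form length only (example assumption)"
    return bytes([tag, len(body)]) + body


def ber_int(n: int) -> bytes:
    """INTEGER, minimal big-endian encoding; non-negative values only (example assumption)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128 encoded."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def build_get_request(community: bytes, oid: str, request_id: int = 1, version: int = 1) -> bytes:
    """SNMP GetRequest; version 0 = v1, 1 = v2c. The community string is a plain OCTET STRING."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))               # { oid, NULL }
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)     # GetRequest-PDU [0]
              + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos; returns (tag, value, position after it). Handles long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet: bytes):
    """What a passive sniffer sees: (version, community) for v1/v2c, None otherwise."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        return None
    tag, ver, pos = read_tlv(msg, 0)
    if tag != 0x02:
        return None
    version = int.from_bytes(ver, "big")
    if version not in (0, 1):          # SNMPv3 (version 3) carries no community string
        return None
    tag, community, _ = read_tlv(msg, pos)
    if tag != 0x04:
        return None
    return version, community.decode("latin-1")


if __name__ == "__main__":
    pkt = build_get_request(b"public", "1.3.6.1.2.1.1.1.0")   # sysDescr.0, constructed request
    print(pkt.hex())
    print(extract_community(pkt))          # the credential, readable by anyone on the path
```

The same parser, pointed at a UDP/161 capture, is the core of a detection for v1/v2c still in use on a network that is supposed to have moved to SNMPv3 with authPriv; a community string that appears in a packet is by definition exposed.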
Answer : Clear text authentication

When an emergency security patch is received via electronic mail, the patch should FIRST be:
Answer : validated to ensure its authenticity.

As an organization grows, exceptions to information security policies that were not originally specified may become necessary at a later date. In order to ensure effective management of business risks, exceptions to such policies should be:
Answer : approved by the next higher person in the organizational structure.

CISM Information Security Program Development

Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?
Answer : Conduct regular security reviews of the third-party provider

An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?
Answer : Ensuring that the third party is contractually obligated to all relevant security requirements

The BEST way to ensure that information security policies are followed is to:
Answer : perform periodic reviews for compliance.

CISM Information Risk Management Certification

Which of the following is the BEST approach to mitigate online brute-force attacks on user accounts?
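For the brute-force question above (the page's answer is lock-out policies), the following Python example is added here and is not part of the original practice set. It implements a per-account lockout with a failure threshold, a counting window in which failures are aged out, and a lockout duration, and runs a constructed log of login attempts through it. The LockoutPolicy class, the attempt log and the parameter values are this example's own assumptions, not any product's defaults.

```python
# Added example: account lockout policy (hypothetical class, constructed attempt log).
from collections import defaultdict


class LockoutPolicy:
    def __init__(self, threshold: int = 5, window: float = 900.0, lockout: float = 900.0):
        self.threshold = threshold      # failures within `window` that trigger a lockout
        self.window = window            # seconds; older failures age out of the count
        self.lockout = lockout          # seconds the account stays locked
        self._failures = defaultdict(list)   # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, float("-inf"))

    def record(self, user: str, credential_ok: bool, now: float) -> str:
        """Apply one login attempt; returns "ok", "fail" or "locked"."""
        # Check the lock before the credential, so a locked account gives no password oracle.
        if self.is_locked(user, now):
            return "locked"
        if credential_ok:
            self._failures.pop(user, None)   # a success resets the counter
            return "ok"
        recent = [t for t in self._failures[user] if now - t < self.window] + [now]
        if len(recent) >= self.threshold:
            self._locked_until[user] = now + self.lockout
            self._failures.pop(user, None)
            return "locked"
        self._failures[user] = recent
        return "fail"


def demo() -> list:
    """Run a constructed attempt log through the policy and return the outcomes."""
    policy = LockoutPolicy(threshold=5, window=600.0, lockout=900.0)
    attempts = [                      # (seconds, username, credential_ok): constructed data
        (0, "alice", False), (1, "alice", False), (2, "alice", False), (3, "alice", False),
        (4, "alice", False),          # fifth failure: account locks until t=904
        (5, "alice", True),           # the right password is refused while locked
        (10, "bob", True),            # other accounts are unaffected
        (905, "alice", True),         # lock expired, login succeeds and the counter resets
    ]
    return [policy.record(user, ok, t) for t, user, ok in attempts]


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: a per-account lockout does nothing against password spraying, where one common password is tried once against many accounts, and it hands an attacker a way to lock legitimate users out on purpose. It is therefore paired with source-based rate limiting and multi-factor authentication rather than relied on alone.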
Answer : Implementation of lock-out policies

An organization's operations staff places payment files in a shared network folder, and the disbursement staff then picks up the files for payment processing. This manual intervention will be automated some months later, so cost-efficient controls are sought to protect against file alterations. Which of the following would be the BEST solution?
Answer : Set role-based access permissions on the shared folder

Which of the following is the BEST indicator that security awareness training has been effective?
Answer : More incidents are being reported

CISM Information Security Program Management Practice Exam Set 2

In which of the following system development life cycle (SDLC) phases are access control and encryption algorithms chosen?
Answer : System design specifications

Which of the following change management activities would be a clear indicator that normal operational procedures require examination? A high percentage of:
Answer : emergency change requests.

Which of the following is the MOST appropriate method of ensuring password strength in a large organization?
Answer : Review general security settings on each platform

CISM Information Security Program Management Practice Exam Set 3

Which of the following is generally considered a fundamental component of an information security program?
Answer : Security awareness training

There is reason to believe that a recently modified web application has allowed unauthorized access. Which is the BEST way to identify an application backdoor?
Answer : Source code review

How would an organization know if its new information security program is accomplishing its goals?
Answer : Key metrics indicate a reduction in incident impacts

CISM Information Risk Management Certification

A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration?
Answer : User

An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract?
Answer : Right to audit

Which of the following is the BEST approach for improving information security management processes?
Answer : Define and monitor security metrics.

CISM Information Risk Management Certification

Which of the following is the FIRST phase in which security should be addressed in the development cycle of a project?
Answer : Feasibility

The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to:
Answer : establish security baselines.

A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that:
Answer : less time is spent on reconnaissance and information gathering.

CISM Information Security Program Management Practice Exam Set 5

The advantage of sending messages using steganographic techniques, as opposed to utilizing encryption, is that:
Answer : the existence of messages is unknown.

The MOST appropriate individual to determine the level of information security needed for a specific business application is the:
Answer : system data owner.

Which of the following is the MOST likely to change an organization's culture to one that is more security conscious?
Answer : Security awareness campaigns

CISM Information Security Program Development Practice

What is the MOST cost-effective method of identifying new vendor vulnerabilities?
Answer : External vulnerability reporting sources

The root cause of a successful cross-site request forgery (XSRF) attack against an application is that the vulnerable application:
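For the XSRF question above (the page's answer: the application uses cookies as the sole authentication mechanism), the following Python example is added here and is not part of the original practice set. It models why that is the root cause: the browser attaches the victim's session cookie to a form auto-submitted from an attacker's page, so a handler that trusts the cookie alone accepts the forged transfer, while a handler that also demands a per-session synchronizer token, which the attacker's origin cannot read, rejects it. The in-memory SESSIONS store, the handler functions and the request dicts are this example's own simplifications of an HTTP application.

```python
# Added example: cookie-only authorization vs. synchronizer token (hypothetical app model).
import hmac
import secrets

SESSIONS: dict = {}   # session id -> session state, kept server-side


def login(user: str) -> str:
    """Create a session; the CSRF token lives in server state and is rendered only into the app's own forms."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def transfer_cookie_only(req: dict) -> int:
    """Vulnerable handler: the session cookie is the sole authentication mechanism."""
    sess = SESSIONS.get(req["cookies"].get("sid"))
    if sess is None:
        return 401
    return 200   # the transfer executes for sess["user"] using attacker-chosen form fields


def transfer_with_token(req: dict) -> int:
    """Hardened handler: the request must also carry the per-session token."""
    sess = SESSIONS.get(req["cookies"].get("sid"))
    if sess is None:
        return 401
    supplied = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess["csrf"]):   # constant-time comparison
        return 403
    return 200


def forged_request(sid: str) -> dict:
    """A form auto-submitted from the attacker's site: the browser attaches the victim's
    cookie, but the attacker's page cannot read the victim's session state (same-origin policy)."""
    return {"cookies": {"sid": sid}, "form": {"to": "mallory", "amount": "1000"}}


def legitimate_request(sid: str) -> dict:
    """A form rendered by the application itself carries the token."""
    return {"cookies": {"sid": sid},
            "form": {"to": "bob", "amount": "10", "csrf_token": SESSIONS[sid]["csrf"]}}


if __name__ == "__main__":
    sid = login("alice")
    print(transfer_cookie_only(forged_request(sid)))     # 200: forged transfer accepted
    print(transfer_with_token(forged_request(sid)))      # 403: forged transfer rejected
    print(transfer_with_token(legitimate_request(sid)))  # 200: the app's own form succeeds
```

In a real deployment the token check is complemented by the SameSite attribute on the session cookie, so the browser does not attach it to cross-site form posts in the first place; the token remains the control that does not depend on browser behaviour.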
Answer : has implemented cookies as the sole authentication mechanism.

The BEST way to ensure that an external service provider complies with organizational security policies is to:
Answer : perform periodic reviews of the service provider.

CISM Information Security Program Management Test

Which of the following measures is the MOST effective deterrent against disgruntled staff abusing their privileges?
Answer : Signed acceptable use policy

An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to:
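For the SQL injection question above (the page's answer: validate and sanitize inputs), the following Python example is added here and is not part of the original practice set. It shows the vulnerable string-built query beside the hardened form, with two points a practitioner would add to the answer: the validation must run on the server, because anything done client-side is skipped by sending the request directly, and the primary defense is parameter binding, with allowlist validation as a second layer. The in-memory SQLite table, the usernames and the username allowlist pattern are constructed for the example.

```python
# Added example: SQL injection, vulnerable vs. hardened (constructed in-memory database).
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String formatting lets the caller's text become part of the SQL grammar."""
    return conn.execute(f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def find_user_bound(conn: sqlite3.Connection, name: str) -> list:
    """Parameter binding: the value is passed to the engine separately and is never parsed as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


USERNAME = re.compile(r"[a-z0-9_]{1,32}")   # allowlist for this app's usernames (assumption)


def is_valid_username(name: str) -> bool:
    """Server-side allowlist check. Client-side checks alone are not a control: an attacker
    submits the request directly and never runs the browser's validation."""
    return USERNAME.fullmatch(name) is not None


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Allowlist validation on top of binding."""
    if not is_valid_username(name):
        raise ValueError(f"rejected username: {name!r}")
    return find_user_bound(conn, name)


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"                    # classic tautology injection
    print(find_user_vulnerable(conn, payload))  # all three rows leak
    print(find_user_bound(conn, payload))       # []: looked for a user literally named x' OR '1'='1
    print(is_valid_username(payload))           # False: rejected before any query runs
    print(find_user_safe(conn, "bob"))
```

Binding alone already defeats the payload; the allowlist adds an early, loggable rejection and limits what reaches the database at all, which matters when the same value is later used in contexts that cannot be parameterized, such as an ORDER BY column or a table name.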
Answer : validate and sanitize client side inputs.

Which of the following would raise security awareness among an organization's employees?
Answer : Continually reinforcing the security policy

In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software?
Answer : Changing access rules

Of the following, retention of business records should be PRIMARILY based on:
Answer : regulatory and legal requirements.

Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs?
Answer : Penetration attempts investigated

CISM Information Risk Management Certification

Which of the following would be the best indicator of effective information security governance within an organization?
Answer : The steering committee approves security projects.

Which of the following is the MOST useful indicator of control effectiveness?
access is allowed unless explicitly denied.

Which of the following elements is MOST important when developing an information security strategy?

Information security policy development should PRIMARILY be based on:
Answer : threats.

Which of the following is the most important objective of an information security strategy review?
An important objective of a security strategy is to implement cost-effective controls that ensure that residual risk remains within the organization's risk tolerance levels.