Which of the following is the BEST indicator that security policy is effective

The "separation of duties" principle is violated if which of the following individuals has update rights to the database access control list (ACL)?

Options are :

• Data custodian
• Data owner
• Security administrator
• Systems programmer

Answer : Systems programmer

Which of the following is the MOST likely outcome of a well-designed information security awareness course?

Options are :

• Decrease in the number of password resets
• Increased reporting of security incidents to the incident response function
• Increase in the number of identified system vulnerabilities
• Decreased reporting of security incidents to the incident response function

Answer : Increased reporting of security incidents to the incident response function

CISM Information Security Governance Certified

An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that:

Options are :

• the contract includes a nondisclosure agreement (NDA) to protect the organization's intellectual property.
• the third-party service provider conducts regular penetration testing.
• the contract should mandate that the service provider will comply with security policies.
• an audit of the service provider uncovers no significant weakness.

Answer : the contract should mandate that the service provider will comply with security policies.

Several business units reported problems with their systems after multiple security patches were deployed. The FIRST step in handling this problem would be to:

Options are :

• immediately uninstall the patches from these systems.
• assess the problems and institute rollback procedures, if needed.
• immediately contact the vendor regarding the problems that occurred.
• disconnect the systems from the network until the problems are corrected.

Answer : assess the problems and institute rollback procedures, if needed.

Which of the following BEST ensures that security risks will be reevaluated when modifications in application developments are made?

Options are :

• Business impact analysis (BIA)
• A problem management process
• Background screening
• A change control process

Answer : A change control process

CISM Information Risk Management Certification Practice

Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities?

Options are :

• Penetration tests
• Vulnerability scans
• Security audits
• Code reviews

Answer : Penetration tests

Which of the following is the BEST method to reduce the number of incidents of employees forwarding spam and chain e-mail messages?

Options are :

• Setting low mailbox limits
• Taking disciplinary action
• Acceptable use policy
• User awareness training

Answer : User awareness training

Which of the following will MOST likely reduce the chances of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual needing to have his, her password reset?

Options are :

• Increasing the frequency of password changes
• Implementing automatic password syntax checking
• Conducting security awareness programs
• Performing reviews of password resets

Answer : Conducting security awareness programs

CISM Information Security Governance Practice Test Set 1

Simple Network Management Protocol v2 (SNMP v2) is used frequently to monitor networks. Which of the following vulnerabilities does il always introduce?

Options are :

• Clear text authentication
• Cross site scripting
• Man-in-the-middle attack
• Remote buffer overflow

Answer : Clear text authentication

When an emergency security patch is received via electronic mail, the patch should FIRST be:

Options are :

• loaded onto an isolated test machine.
• decompiled to check for malicious code.
• validated to ensure its authenticity.
• copied onto write-once media to prevent tampering.

Answer : validated to ensure its authenticity.

As an organization grows, exceptions to information security policies that were not originally specified may become necessary at a later date. In order to ensure effective management of business risks, exceptions to such policies should be:

Options are :

• formally managed within the information security framework.
• considered at the discretion of the information owner.
• . approved by the next higher person in the organizational structure.
• reviewed and approved by the security manager.

Answer : . approved by the next higher person in the organizational structure.

Cism Information Security Program Development

Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?

Options are :

• Provide security awareness training to the third-party provider's employees
• Conduct regular security reviews of the third-party provider
• Request that the third-party provider comply with the organization's information security policy
• Include security requirements in the service contract

Answer : Conduct regular security reviews of the third-party provider

An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?

Options are :

• Ensuring that the business partner has an effective business continuity program
• A due diligence security review of the business partner's security controls
• Ensuring that the third party is contractually obligated to all relevant security requirements
• Talking to other clients of the business partner to check references for performance

Answer : Ensuring that the third party is contractually obligated to all relevant security requirements

The BEST way to ensure that information security policies are followed is to:

Options are :

• establish an anonymous hotline to report policy abuses.
• include escalating penalties for noncompliance.
• distribute printed copies to all employees
• perform periodic reviews for compliance.

Answer : perform periodic reviews for compliance.

CISM Information Risk Management Certification

Which of the following is the BEST approach to mitigate online brute-force attacks on user accounts?

Options are :

• Passwords stored in encrypted form
• Strong passwords that are changed periodically
• Implementation of lock-out policies
• User awareness

Answer : Implementation of lock-out policies

An organization's operations staff places payment files in a shared network folder and then the disbursement staff picks up the files for payment processing. This manual intervention will be automated some months later, thus cost-efficient controls are sought to protect against file alterations. Which of the following would be the BEST solution?

Options are :

• Design a training program for the staff involved to heighten information security awareness
• The end user develops a PC macro program to compare sender and recipient file contents
• Set role-based access permissions on the shared folder
• Shared folder operators sign an agreement to pledge not to commit fraudulent activities

Answer : Set role-based access permissions on the shared folder

Which of the following is the BEST indicator that security awareness training has been effective?

Options are :

• More incidents are being reported
• Employees sign to acknowledge the security policy
• No incidents have been reported in three months
• A majority of employees have completed training

Answer : More incidents are being reported

CISM Information Security Program Management Practice Exam Set 2

In which of the following system development life cycle (SDLC) phases are access control and encryption algorithms chosen?

Options are :

• Software development
• Architectural design
• Procedural design
• System design specifications

Answer : System design specifications

Which of the following change management activities would be a clear indicator that normal operational procedures require examination? A high percentage of:

Options are :

• similar change requests.
• canceled change requests.
• change request postponements.
• emergency change requests.

Answer : emergency change requests.

Which of the following is the MOST appropriate method of ensuring password strength in a large organization?

Options are :

• Attempt to reset several passwords to weaker values
• Sample a subset of users and request their passwords for review
• Review general security settings on each platform
• Install code to capture passwords for periodic audit

Answer : Review general security settings on each platform

CISM Information Security Program Management Practice Exam Set 3

Which of the following is generally considered a fundamental component of an information security program?

Options are :

• Automated access provisioning
• Intrusion prevention systems (IPSs)
• Security awareness training
• Role-based access control systems

Answer : Security awareness training

There is reason to believe that a recently modified web application has allowed unauthorized access. Which is the BEST way to identify an application backdoor?

Options are :

• Security audit
• Black box pen test
• Vulnerability scan
• Source code review

Answer : Source code review

How would an organization know if its new information security program is accomplishing its goals?

Options are :

• Senior management has approved the program and is supportive of it.
• Employees are receptive to changes that were implemented.
• There is an immediate reduction in reported incidents.
• Key metrics indicate a reduction in incident impacts

Answer : Key metrics indicate a reduction in incident impacts

CISM Information Risk Management Certification

A web-based business application is being migrated from test to production. Which of the following is the MOST important management signoff for this migration?

Options are :

• Database
• Network
• User
• Operations

Answer : User

An organization that outsourced its payroll processing performed an independent assessment of the security controls of the third party, per policy requirements. Which of the following is the MOST useful requirement to include in the contract?

Options are :

• Nondisclosure agreement
• Right to audit
• Proper firewall implementation
• Dedicated security manager for monitoring compliance

Answer : Right to audit

Which of the following is the BEST approach for improving information security management processes?

Options are :

• Perform periodic penetration testing.
• Conduct periodic security audits.
• Define and monitor security metrics.
• Survey business units for feedback.

Answer : Define and monitor security metrics.

CISM Information Risk Management Certification

Which of the following is the FIRST phase in which security should be addressed in the development cycle of a project?

Options are :

• Implementation
• Design
• Application security testing
• Feasibility

Answer : Feasibility

The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to:

Options are :

• link policies to an independent standard.
• perform penetration testing.
• establish security baselines.
• implement vendor default settings.

Answer : establish security baselines.

A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that:

Options are :

• human intervention is not required for this type of test.
• it simulates the real-1ife situation of an external security attack.
• less time is spent on reconnaissance and information gathering.
• critical infrastructure information is not revealed to the tester.

Answer : less time is spent on reconnaissance and information gathering.

CISM Information Security Program Management Practice Exam Set 5

The advantage of sending messages using steganographic techniques, as opposed to utilizing encryption, is that:

Options are :

• required key sizes are smaller.
• reliability of the data is higher in transit.
• the existence of messages is unknown.
• traffic cannot be sniffed.

Answer : the existence of messages is unknown.

The MOST appropriate individual to determine the level of information security needed for a specific business application is the:

Options are :

• system developer
• information security manager.
• system data owner.
• steering committee.

Answer : system data owner.

Which of the following is the MOST likely to change an organization's culture to one that is more security conscious?

Options are :

• Periodic compliance reviews
• Adequate security policies and procedures
• Security steering committees
• Security awareness campaigns

Answer : Security awareness campaigns

Cism Information Security Program Development Practice

What is the MOST cost-effective method of identifying new vendor vulnerabilities?

Options are :

• External vulnerability reporting sources
• Intrusion prevention software
• Periodic vulnerability assessments performed by consultants
• honey pots located in the DMZ

Answer : External vulnerability reporting sources

The root cause of a successful cross site request forgery (XSRF) attack against an application is that the vulnerable application:

Options are :

• has implemented cookies as the sole authentication mechanism.
• is hosted on a server along with other applications
• has been installed with a non-1egitimate license key.
• uses multiple redirects for completing a data commit transaction.

Answer : has implemented cookies as the sole authentication mechanism.

The BEST way to ensure that an external service provider complies with organizational security policies is to:

Options are :

• Cross-reference to policies in the service level agreement
• Perform periodic reviews of the service provider.
• Receive acknowledgment in writing stating the provider has read all policies.
• Explicitly include the service provider in the security policies.

Answer : Perform periodic reviews of the service provider.

CISM Information Security Program Management Test

Which of the following measures is the MOST effective deterrent against disgruntled stall abusing their privileges?

Options are :

• Signed acceptable use policy
• Layered defense strategy
• High-availability systems
• System audit log monitoring

Answer : Signed acceptable use policy

An effective way of protecting applications against Structured Query Language (SQL) injection vulnerability is to:

Options are :

• normalize the database schema to the third normal form.
• ensure that the security patches are updated on operating systems.
• harden the database listener component.
• validate and sanitize client side inputs.

Answer : validate and sanitize client side inputs.

Which of the following would raise security awareness among an organization's employees?

Options are :

• Distributing industry statistics about security incidents
• Monitoring the magnitude of incidents
• Continually reinforcing the security policy
• Encouraging employees to behave in a more conscious manner

Answer : Continually reinforcing the security policy

In a well-controlled environment, which of the following activities is MOST likely to lead to the introduction of weaknesses in security software?

Options are :

• Applying patches
• Upgrading hardware
• Changing access rules
• Backing up files

Answer : Changing access rules

Of the following, retention of business records should be PRIMARILY based on:

Options are :

• regulatory and legal requirements.
• past litigation.
• device storage capacity and longevity.
• periodic vulnerability assessment.

Answer : regulatory and legal requirements.

Which of the following metrics would be the MOST useful in measuring how well information security is monitoring violation logs?

Options are :

• Frequency of corrective actions taken
• Violation log reports produced
• Penetration attempts investigated
• Violation log entries

Answer : Penetration attempts investigated

CISM Information Risk Management Certification

Which of the following would be best indicator of effective information security governance in an organisation?

Which of the following is the most useful indicator of control effectiveness?

Which of the following elements is most important when developing an information security strategy?

Which of the following is the most important objective of an information security strategy review?