ISACA CISM Sample Questions

School: Toronto Metropolitan University
Course: CYBER SECU
Subject: Information Systems
Date: Feb 20, 2024
Type: docx
Pages: 10
Uploaded by EarlResolveWolverine3228

1. IT-related risk management activities are MOST effective when they are:
a) treated as a distinct process
b) conducted by the IT department
c) communicated to all employees
d) integrated within business processes

2. A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will be responsible for evaluating the results and identified risk. Which of the following would be the BEST approach for the information security manager?
a) Acceptance of the business manager's decision on the risk to the corporation
b) Acceptance of the information security manager's decision on the risk to the corporation
c) Review of the risk assessment with executive management for final input
d) Create a new risk assessment and BIA to resolve the disagreement

3. Who is accountable for ensuring that information is categorized and that specific protective measures are taken?
a) The security officer
b) Senior management
c) The end user
d) The custodian

4. Abnormal server communication from inside the organization to external parties may be monitored to:
a) record the trace of advanced persistent threats
b) evaluate the process resiliency of server operations
c) verify the effectiveness of an intrusion detection system
d) support a nonrepudiation framework in e-commerce
5. Which of the following is the BEST way to detect an intruder who successfully penetrates a network before significant damage is inflicted?
a) Perform periodic penetration testing
b) Establish minimum security baselines
c) Implement vendor default settings
d) Install a honeypot on the network

6. To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs?
a) Database server
b) Domain name server
c) Time server
d) Proxy server

7. Which of the following authentication methods prevents authentication replay?
a) Password hash implementation
b) Challenge/response mechanism
c) Wired equivalent privacy encryption usage
d) Hypertext Transfer Protocol basic authentication

8. In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources?
a) Conducting periodic security awareness programs
b) Implementing on-screen masking of passwords
c) Increasing the frequency of password changes
d) Requiring that passwords be kept strictly confidential

9. Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?
a) User ad hoc reporting is not logged
b) Network traffic is through a single switch
c) Operating system security patches have not been applied
d) Database security defaults to ERP settings
10. The post-incident review of a security incident revealed that there was a process that was not monitored. As a result, monitoring functionality has been implemented. Which of the following may BEST be expected from this remediation?
a) Reduction in total incident duration
b) Increase in risk tolerance
c) Facilitation of escalation
d) Improvement in identification

11. Julie is developing a compensating control to help her organization mitigate the risk associated with downtime due to hardware failure. What control would best meet this need?
a) Incident notification plan
b) Business interruption insurance
c) Fault tolerant hardware
d) Backups in a secure location

12. Gary is collecting evidence from the hard drive of a system that was involved in a security incident. What technology may Gary use to later demonstrate that the evidence was not tampered with after collection?
a) Digital certificate
b) Backup
c) Hash value
d) Write blocker

13. What is the primary purpose of an incident management program?
a) Alert key individuals when an incident occurs
b) Conduct lessons learned sessions after incidents
c) Identify and assess incidents and prevent their recurrence
d) Designate an individual responsible for information security

14. Susan is the lead investigator for a security incident and realizes that she will not be able to complete her investigation without causing severe disruption to the business. The action she feels she must take exceeds the authority granted to her under the incident response plan. What should Susan do?
a) Shut down all business operations immediately until she develops a plan
b) Take the action immediately to protect the business
c) Discount the action as a possibility because it exceeds her authority
d) Consult with higher levels of management
15. Belinda is attempting to determine the RPO for a database server that she administers. Which piece of information will best help her determine this value?
a) The amount of time required to recover a service
b) The amount of data loss that the organization considers acceptable
c) The amount of time that a service may be down
d) The cost to recover a service

16. Ruth is reviewing her organization's business continuity and disaster recovery plans. In them, she comes across the following statement: "In the event that the payroll system fails, the IT team must restore access within 48 hours to avoid unacceptable levels of damage to the business." What type of statement is this?
a) MTA (Mail Transfer Agents)
b) RPO
c) RTO
d) SLA

17. Harold conducts a review of his organization's disaster recovery plan and realizes that the maximum tolerable outage for a service may be shorter than the time the organization needs to recover the service. What should he do next?
a) Conduct a business impact assessment
b) Change the MTO
c) Notify the organization's board of directors
d) Develop a plan to meet the MTO

18. What type of risk has an acceptable level determined by management discretion?
a) Residual risk
b) Inherent risk
c) Controlled risk
d) Appropriated risk
19. Under which of the following scenarios would it be most acceptable for an organization to pursue a risk acceptance strategy?
a) The likelihood of a risk is extremely low and the impact is extremely high.
b) The likelihood of a risk is extremely high and the impact is extremely high.
c) The likelihood of a risk is extremely low and the impact is extremely low.
d) The likelihood of a risk is extremely high and the impact is extremely low.

20. Doug recently became aware of a flaw in one of the applications used by his organization and adjusted firewall rules to limit access from external networks. What effect would this have on the risk?
a) Decrease the threat vector
b) Decrease the impact of a successful incident
c) Reduce the likelihood of an exploit
d) Increase the risk appetite

21. Russell is concerned about a new hacking group that is targeting his organization. He is performing a risk assessment and wishes to use a technique that identifies the overall risk from that threat. What technique should he use?
a) Qualitative assessment
b) Quantitative assessment
c) Inherent risk
d) Risk aggregation

22. What pillar of information security ensures that sensitive information is not disclosed without authorization?
a) Integrity
b) Availability
c) Non-repudiation
d) Confidentiality
23. Valerie is reviewing the logs of her organization's data loss prevention (DLP) system and believes that she found a record indicating that an employee is stealing confidential information. What should she do next?
a) Perform further investigation
b) Cut off the employee's network access
c) Inform the employee's manager
d) Question the employee

24. Which of the following is NOT a reason why data should be classified?
a) Classification forces valuation which can be used to determine risk.
b) Classification is required to determine appropriate access control.
c) Classification can be used to optimize security budget.
d) Classification is required to develop secure systems.

25. Which one of the following provides an authentication mechanism that would be appropriate for pairing with a password to achieve multi-factor authentication?
a) Username
b) PIN
c) Security question
d) Fingerprint scan

26. A ____________ contains levels with various compartments that are isolated from the rest of the security domain.
a) Hybrid environment
b) Compartmentalized environment
c) Hierarchical environment
d) Security environment

27. Which category best describes threat modeling?
a) Qualitative approach to risk analysis
b) Value-based approach to risk analysis
c) Quantitative approach to risk analysis
d) None of these
28. When assigning access to sensitive information you should enforce which of the following?
a) Separation of Duties
b) Individual user accounts
c) Dual Control
d) Mutually Exclusive

29. When considering the organization's overall security program, which of the following should be fully committed to the security process?
a) Senior Management
b) Finance Management and CIO
c) CIO and Senior Management
d) Everywhere in the organization

30. After a disaster occurs, a damage assessment needs to take place. Which of the following steps occurs last in a damage assessment?
a) Determine the cause of the disaster.
b) Identify the resources that must be replaced immediately.
c) Declare a disaster.
d) Determine how long it will take to bring critical functions back online.

31. Failure of a contingency plan is usually due to:
a) Technical issues
b) Management issues
c) Lack of awareness
d) Lack of training

32. A business impact analysis is considered a functional analysis. Which of the following is not carried out during a business impact analysis?
a) A parallel or full-interruption test
b) The application of a classification scheme based on criticality levels
c) The gathering of information via interviews
d) Documentation of business functions
33. What security control may be used to implement a concept known as two-person control?
a) Mandatory vacation
b) Separation of duties
c) Least privilege
d) Defense in depth

34. When Jim enters his organization's data center, he has to use a smart card and code to enter, and is allowed through one set of doors. The first set of doors closes, and he must then use his card again to get through a second set, which locks behind him. What type of control is this, and what is it called?
a) A physical control; a one-way trapdoor
b) A logical control; dual-swipe authorization
c) A directive control; one-way access corridor
d) A preventive access control; a mantrap

35. Which individual bears the ultimate responsibility for data protection tasks?
a) Data owner
b) Data custodian
c) User
d) Auditor

36. David works in an organization that uses a formal data governance program. He is consulting with an employee working on a project that created an entirely new class of data and wants to work with the appropriate individual to assign a classification level to that information. Who is responsible for the assignment of information to a classification level?
a) Data creator
b) Data owner
c) CISO
d) Data custodian

37. Theresa is implementing a new access control system and wants to ensure that developers do not have the ability to move code from development systems into the production environment. What information security principle is she most directly enforcing?
a) Separation of duties
b) Two-person control
c) Least privilege
d) Job rotation
38. Hunter is the facilities manager for DataTech, a large data center management firm. He is evaluating the installation of a flood prevention system at one of DataTech's facilities. The facility and contents are valued at $100 million. Installing the new flood prevention system would cost $10 million. Hunter consulted with flood experts and determined that the facility lies within a 200-year flood plain and that, if a flood occurred, it would likely cause $20 million in damage to the facility.

1) Based on the information in this scenario, what is the exposure factor for the effect of a flood on DataTech's data center?
a) 2%
b) 20%
c) 100%
d) 200%

2) Based on the information in this scenario, what is the annualized rate of occurrence for a flood at DataTech's data center?
a) 0.002
b) 0.005
c) 0.02
d) 0.05

3) Based on the information in this scenario, what is the annualized loss expectancy for a flood at DataTech's data center?
a) $40,000
b) $100,000
c) $400,000
d) $1,000,000

4) Which accounts are typically assessed during an account management assessment?
a) A random sample
b) Highly privileged accounts
c) Recently generated accounts
d) Accounts that have existed for long periods of time

5) In the shared responsibility model, under which tier of cloud computing does the customer take responsibility for securing server operating systems?
a) IaaS
b) PaaS
c) SaaS
d) TaaS

6) What type of error occurs when a valid subject using a biometric authenticator is not authenticated?
a) A Type 1 error
b) A Type 2 error
c) A Type 3 error
d) A Type 4 error
39. In what model of cloud computing do two or more organizations collaborate to build a shared cloud computing environment that is for their own use?
a) Public cloud
b) Private cloud
c) Community cloud
d) Shared cloud

40. Don's company is considering the use of an object-based storage system where data is placed in a vendor-managed storage environment through the use of API calls. What type of cloud computing service is in use?
a) IaaS
b) PaaS
c) CaaS
d) SaaS