CISM Practice Questions

A.  

Business impact analysis (BIA)

B.  

Gap analysis

C.  

Threat analysis

D.  

Vulnerability analysis

A.  

Assign responsibility to the database administrator (DBA).

B.  

Review the databases for sensitive content.

C.  

Prepare a report of the databases for senior management.

D.  

Assign the highest classification level to those databases.

A.  

Full backup

B.  

Incremental

C.  

Differential

D.  

Disk mirroring

A.  

a directory of approved local media contacts

B.  

pre-prepared media statements

C.  

procedures to contact law enforcement

D.  

a single point of contact within the organization

A.  

To facilitate a qualitative risk assessment following the BIA

B.  

To increase awareness of information security among key stakeholders

C.  

To ensure the stakeholders providing input own the related risk

D.  

To obtain input from as many relevant stakeholders as possible

A.  

Validate the event is not a false positive.

B.  

Initiate the incident response plan.

C.  

Escalate the event to the business owner.

D.  

Implement compensating controls.

A.  

have a better understanding of specific business needs.

B.  

are more objective than information security management.

C.  

can see the overall impact to the business.

D.  

can balance the technical and business risks.

A.  

Adequate security resources are allocated to the program.

B.  

Key performance indicators (KPIs) are defined.

C.  

A balanced scorecard is approved by the steering committee.

D.  

The program is developed using global security standards.

A.  

Purchase cybersecurity insurance.

B.  

Accept the risk associated with continued use of the application.

C.  

Implement compensating controls for the application.

D.  

Discontinue using the application.

A.  

Review compliance requirements.

B.  

Communicate the exposure.

C.  

Declare an incident.

D.  

Change the encryption keys.

A.  

Evaluate the security posture of the organization.

B.  

Identify unmitigated risk.

C.  

Prevent incident recurrence.

D.  

Support business investments in security.

A.  

Needs of the organization

B.  

Disaster recovery plan (DRP)

C.  

Information security policy

D.  

Gap analysis

A.  

A weakness identified within an organization's information systems

B.  

Customer complaints about lack of website availability

C.  

A recent security incident at an industry competitor

D.  

Attempted patching of systems resulting in errors

A.  

Ensuring response staff are appropriately trained

B.  

Developing metrics for incident response reporting

C.  

Establishing an escalation process for the help desk

D.  

Developing a RACI chart of response staff functions

A.  

Employing global security standards during development processes

B.  

Providing training on secure development practices to programmers

C.  

Performing application security testing during acceptance testing

D.  

Introducing security requirements during the initiation phase

A.  

Integrating security throughout the development process

B.  

Performing security testing prior to deployment

C.  

Providing standards for implementation during development activities

D.  

Providing security training to the software development team

A.  

The organization's risk tolerance

B.  

The organizational structure

C.  

Industry security standards

D.  

Information security awareness

A.  

Security incident reporting procedures are followed.

B.  

Security staff turnover is reduced.

C.  

Information assets are classified appropriately.

D.  

Access is granted based on task requirements.

A.  

Regulatory compliance standards

B.  

Information security strategy

C.  

Information security policy

D.  

Business impact assessment

A.  

Stakeholder plan

B.  

Escalation plan

C.  

Up-to-date risk register

D.  

Asset classification