CISM Online Practice Questions and Answers

Correct Answer: A

Residual risk is the risk that remains after putting into place an effective risk management program; therefore, acceptable risk is achieved when this amount is minimized. Transferred risk is risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk. Control risk is the risk that controls may not prevent/detect an incident with a measure of control effectiveness. Inherent risk cannot be minimized.

Correct Answer: B

The assigned class of sensitivity and criticality of the information resource determines the level of access controls to be put in place. The assignment of sensitivity and criticality takes place with the information assets that have already been included in the information security program and has only an indirect bearing on the costs to be incurred. The assignment of sensitivity and criticality contributes to, but does not decide, the overall budget of the information security program.

Correct Answer: C

Correct Answer: D

During an incident, emergency actions should minimize or eliminate casualties and damage to the business operation, thus reducing business interruptions. Determining the extent of property damage is not the consideration; emergency actions should minimize, not determine, the extent of the damage. Protecting/preserving environmental conditions may not be relevant. Ensuring orderly plan activation is important but not as critical as reducing damage to the operation.

Correct Answer: B

Correct Answer: C

Correct Answer: A

The factor that has the greatest influence on the successful integration of information security within the business is organizational structure and culture because they determine how information security is organized, governed, and supported within the organization, and how information security roles and responsibilities are defined, assigned, and communicated across different levels and functions. Risk tolerance and organizational objectives are not very influential because they do not affect how information security is integrated within the business, but rather what information security aims to achieve or protect. The desired state of the organization is not very influential because it does not affect how information security is integrated within the business, but rather what the organization aspires to be or do. Information security personnel are not very influential because they do not affect how information security is integrated within the business, but rather who performs information security tasks or activities. References: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/technical-security- standards-for-information-systems https://www.isaca.org/resources/isaca- journal/issues/2017/volume-2/how-to-align-security-initiatives-with-businessgoals-and- objectives

Correct Answer: B

Enforcing technical security standards is the most effective way to ensure that a new server is appropriately secured because it ensures that the server complies with the organization's security policies and best practices, such as encryption,

authentication, patching, and hardening. Performing secure code reviews is not relevant for securing a new server, unless it is running custom applications that need to be verified for security flaws. Conducting penetration testing is not

sufficient for securing a new server, because it only identifies vulnerabilities that can be exploited by attackers, but does not fix them. Initiating security scanning is not sufficient for securing a new server, because it only detects known

vulnerabilities or misconfigurations, but does not enforce security standards or remediate issues.

References: https://www.isaca.org/resources/isaca- journal/issues/2016/volume-4/technical-security-standards-for-information-systems https://www.isaca.org/resources/isaca-journal/issues/2017/volume-3/secure-code-review https://

www.isaca.org/resources/isaca-journal/issues/2017/volume-2/the-value-of- penetration-testing https://www.isaca.org/resources/isaca-journal/issues/2016/volume- 5/security-scanning-versus-penetration-testing

Correct Answer: D

Correct Answer: D

Following the incident response plan is the most important step for the security manager before classifying the suspected event as a security incident, as it provides the guidance and procedures for the incident management team to follow in order to identify, contain, analyze, and resolve security incidents. The incident response plan should define the roles and responsibilities of the incident management team, the criteria and process for incident classification and prioritization, the communication and escalation protocols, the tools and resources for incident handling, and the post-incident review and improvement activities.