An organization is subject to healthcare regulations that govern individual health data protection requirements. Which of the following describes this type of governance?
External
Your company handles credit card transaction processing as part of its business processes. Which of the following best describes the source and type of governance it may incur because of these business processes?
External, industry standards
Which of the following describes why the organization exists?
Organizational mission statement
All of the following factors influence an organization's culture except which one?
Organization's policies
Which of the following roles is responsible for control assurance?
Internal audit
Security governance is most concerned with
Security strategy
The purpose of a RACI chart is to
Document the roles of persons or positions
While gathering and examining various security-related business records, the security manager has determined that the organization has no security incident log. What conclusion can the security manager draw from this?
The organization does not have security incident detection capabilities
The entity that is ultimately responsible for security governance is the
Board of directors
A business asset owner is responsible for all of the following except
Physical protection of the asset
Which of the following people is/are responsible for ensuring that PII is not used improperly?
Chief privacy officer
An information security manager documents all of the data requirements associated with a specific set of business records. The manager should consider all of the following sources of requirements except
Non-applicable laws
A new employee in an organization is reviewing organization documents to begin learning about the organization's culture and operations. One document describes situations where an employee must report gifts and favors from vendor organizations. Which of the following documents is the employee likely reading?
Code of conduct
An acceptable use policy is likely to contain all of the following except
Data retention requirements
The best definition of governance is
Management control of business functions
What are the elements of the Business Model for Information Security (BMIS)?
Organization, people, process, technology
The best definition of a strategy is
The plan to achieve an objective
As part of understanding the organization's current state, a security strategist is examining the organization's security policy. What does the policy tell the strategist?
None of these (level of commitment, management, and maturity)
A security strategist has examined several business procedures and has found that their individual maturity levels range from repeatable to optimizing. What is the best future state for these business processes?
There is insufficient information to determine the desired end states of these processes
A security strategist is seeking to improve the security program in an organization with a strong but casual culture. What is the best approach here?
Conduct focus groups to discuss possible avenues of approach
A security strategist recently joined a retail organization that operates with slim profit margins and has discovered that the organization lacks several important security capabilities. What is the best strategy here?
Develop a risk-based strategy that implements changes slowly over an extended period of time
What relationship should exist between an ERM risk register and a cyber-risk register?
ERM and cyber-risk registers should link bidirectionally
The primary factor related to the selection of a control framework is
Industry vertical
As part of understanding the organization's current state, a security strategist is examining the organization's security standards. What do the standards tell the strategist?
The maturity level of the organization
A security strategist has examined a business process and has determined that personnel who perform the process do so consistently, but there is no written process document. The maturity level of this process is
Repeatable
A security strategist has discovered that IT does not control the usage and acquisition of software on endpoints. What can the strategist conclude?
IT lacks application whitelisting capability
In an organization using PCI DSS as its control framework, the conclusion of a recent risk assessment stipulates that additional controls not present in PCI DSS but present in ISO/IEC 27001 should be enacted. What is the best course of action in this situation?
Add the required controls to the existing control framework
What is the purpose of a gap analysis in the context of strategy development?
A gap analysis identifies key process and system improvement needs
A risk manager is planning a first-ever risk assessment in an organization. What is the best approach for ensuring success?
Work with executive management to determine the correct scope
A security manager has completed a vulnerability scan and has identified multiple vulnerabilities in production servers. What is the best course of action?
Notify the production servers' asset owners
The concept of security tasks in the context of a SaaS or IaaS environment is depicted in a
Shared responsibility model
A security manager is developing a vision for the future state of a risk management program. Before she can develop the plan to achieve the vision, she must perform a
Gap analysis
All of the following are techniques to identify risks except
Risk treatment
The main advantage of NIST standards versus ISO standards is
NIST standards are available without cost
Which of the following statements is true about compliance risk?
Compliance risk is just another risk that needs to be understood
Misconfigured firewalls, missing antivirus, and lack of staff training are examples of
Vulnerabilities
A phishing attack, network scan, and social engineering are examples of
Threats
A security manager has been directed by executive management not to document a specific risk in the risk register. This course of action is known as
Ignoring the risk
A security manager is performing a risk assessment on a business application. The security manager has determined that security patches have not been installed for more than a year. This finding is known as a
Vulnerability
A security manager is performing a risk assessment on a data center. He has determined that it is possible for unauthorized personnel to enter the data center through the loading dock door and shut off utility power to the building. This finding is known as a
Threat
Hacktivists, criminal organizations, and crackers are all known as
Threat actors
All of the following are core elements used in risk identification except
Asset owner
What is usually the primary objective of risk management?
Fewer and less severe security incidents
A gaming software startup company does not employ penetration testing of its software. This is an example of
High tolerance of risk
The categories of risk treatment are
Risk avoidance, risk transfer, risk mitigation, and risk acceptance
When would it make sense to spend $50,000 to protect an asset worth $10,000?
The asset is required for realization of $500,000 in monthly revenue
A security steering committee empowered to make risk treatment decisions has chosen to accept a specific risk. What is the best course of action?
Reopen the risk item for reconsideration after one year
The responsibilities of a control owner include all of the following except
Audit the control
Accountability for the outcome of accepted risk is known as
Risk ownership
A risk committee has formally decided that a specific risk is to be mitigated through the enactment of a specific type of control. What has the committee done?
Risk treatment
A risk committee has formally decided to mitigate a specific risk. Where should this decision be documented?
Risk register
A risk manager is contemplating risk treatment options for a particularly large risk that exceeds the organization's stated risk tolerance. How should risk treatment proceed?
The risk manager should escalate the decision to executive management
A cybersecurity leader is recording a decision to accept a particular risk. What, if anything, should the cybersecurity leader do concerning this accepted risk?
Queue the accepted risk to be re-deliberated in one year
In a risk assessment, a risk manager has identified a risk that would cause considerable embarrassment to the organization if it were revealed to the workforce and the public. Executives have directed the risk manager to omit the finding from the final report. What has executive management done in this case?
Ignored the risk
A risk manager is documenting a newly identified risk in the risk register and has identified the department head as the risk owner. The department head has instructed the risk manager to identify one of the lower-level managers in the department as the risk owner instead. What has the department head done in this situation?
Delegated risk ownership to the lower-level manager
The leftover risk that exists after risk mitigation has been performed is known as
Residual risk
A recent risk assessment has identified a data loss risk associated with the use of unapproved software. Management has directed the removal of the unapproved software as a result of the risk assessment. What risk decision has been made in this situation?
Risk avoidance
When faced with a particularly high risk, executive management has decided to outsource the business operation associated with the risk. A legal agreement states that the outsourcer accepts the operational risks. What becomes of the accountability associated with the risk?
Accountability remains with executive management
An organization's board of directors wants to see quarterly metrics on risk reduction. What would be the best metric to present to the board?
Number of firewall rules triggered
Which of the following metrics is the best example of a leading indicator?
Percentage of critical servers being patched within service level agreements
The purpose of a balanced scorecard is to
Measure organizational performance and effectiveness against strategic goals
A security manager has developed a scheme that prescribes required methods to protect information at rest, in motion, and in use. This is known as a
Data classification policy
A security leader has developed a document that describes a program's mission, vision, roles and responsibilities, and processes. This is known as a
Charter
Management in an organization has developed and published a policy that directs the workforce to follow specific steps to protect various types of information. This is known as a
Data classification policy
The security leader in an organization is developing a first-ever data classification policy. What is the best first step in this endeavor?
Performing a data inventory
A security leader wants to develop a scheme whereby the most important assets are protected more rigorously than those deemed less important. What is the best first step in this endeavor?
Establishing a systems inventory
A retail organization's security leader wants to develop an ISMS. Which standard is the best resource for the leader to use?
ISO/IEC 27001
An IT worker is reading a security-related document that provides suggestions regarding compliance with a particular policy. What kind of document is the IT worker reading?
Guideline
An IT worker is reading a security-related document that stipulates which algorithms are to be used to encrypt data at rest. What kind of document is the IT worker reading?
Standard
An IT worker is reading a document that describes the essential characteristics of a system to be developed. What kind of document is the IT worker reading?
Requirements
The concept of dividing the management of controls into development, operations, and assurance is known as
Three lines of defense
The most important factor in the selection of a control framework is
Industry relevance
The lifecycle process that influences controls over time is known as
Risk management
The main reason that preventive controls are preferred over detective controls is
Preventive controls stop unwanted events from occurring
An organization wants to protect itself from the effects of a ransomware attack. What is the best data protection approach?
Back up data to offline media
The best definition of general computing controls is
Controls that are general in nature and implemented across all systems
Which of the following is the best reason for adopting a standard control framework?
Controls can be enacted without time-consuming risk assessments
All of the following statements about ISO/IEC 27002 are correct except
It is available free of charge
A security manager in a healthcare clinic is planning to implement HIPAA and PCI DSS controls. Which of the following approaches should be taken?
Define the applicability of HIPAA and PCI DSS to those portions of the business where ePHI and cardholder data are used
Which of the following statements correctly describes the link between risk management and controls?
Risk treatment sometimes calls for the enactment of a new control
What organization is the governing body for the PCI DSS standard?
PCI Security Standards Council
Which of the following solutions is most suitable for the following control statement: "Safeguards prevent users from visiting hazardous websites"?
Web content filter
The philosophy of system and data protection that relies on continual evaluation is known as
Zero trust
A review of users' access to specific information systems is best known as
An activity review
The information security department has sent a questionnaire and request for evidence to a control owner. This activity is best known as
Control self-assessment
The best practice for security awareness training is
Training at the time of hire and annually thereafter