CISM Online Practice Questions and Answers

Correct Answer: A

The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program. Compliance with laws and regulations is part of the responsibility of the steering committee but it is not a full answer. Awareness training is important at all levels in any medium, and also an indicator of good governance. However, it must be guided and approved as a security project by the steering committee.

Correct Answer: A

Residual risk is the risk that remains after putting into place an effective risk management program; therefore, acceptable risk is achieved when this amount is minimized. Transferred risk is risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk. Control risk is the risk that controls may not prevent/detect an incident with a measure of control effectiveness. Inherent risk cannot be minimized.

Correct Answer: C

Sufficient senior management support is the most important factor for the success of an information security program. Security awareness training, although important, is secondary. Achievable goals and objectives as well as having adequate budgeting and staffing are important factors, but they will not ensure success if senior management support is not present.

Correct Answer: C

Encryption by the private key of the sender will guarantee authentication and nonrepudiation. Encryption by the public key of the receiver will guarantee confidentiality.

Correct Answer: B

Correct Answer: C

Correct Answer: B

Security baselines will provide the best assurance that each platform meets minimum criteria. Penetration testing will not be as effective and can only be performed periodically. Vendor default settings will not necessarily meet the criteria set by the security policies, while linking policies to an independent standard will not provide assurance that the platforms meet these levels of security.

Correct Answer: C

Correct Answer: A

Correct Answer: A

The strongest justification for granting an exception to the security policy that disables access to USB storage devices on laptops and desktops is that the benefit outweighs the potential risk. A security policy outlines goals, objectives, roles, responsibilities, and requirements for protecting an organization's information and systems. It should be based on a risk assessment that evaluates threats, vulnerabilities, and the impact and likelihood of incidents. Additionally, the security policy must align with the organization's business objectives and risk appetite. In some situations, full compliance with a security policy may not be feasible due to technical, operational, or business reasons. In such cases, an exception may be requested and granted by authorized personnel, such as a security manager or a policy committee. Exceptions must be justified with a clear, compelling reason that outweighs the risk of non-compliance. These exceptions should be documented, approved, monitored, reviewed, and revoked as necessary. USB storage devices, which can enhance data mobility, improve backup and recovery, and support data sharing, also pose significant security risks, such as introducing malware, exposing sensitive data, or violating security regulations. An exception to the policy that disables access to USB devices should only be granted if the benefits of using them exceed the potential risks. For example, if a user needs to transfer encrypted data between devices in a remote location without network access, the benefit may outweigh the risk. Other options for USB access, such as enabling it based on user roles or restricting access to read-only, are not the strongest justifications for granting an exception. Instead, they are potential controls or implementations of a more flexible security policy. Users accepting the risk of noncompliance is also not a justification but a requirement for requesting a policy exception.