CISM Test Bank Quiz With Complete Solution

EXAMS AND CERTIFICATIONS Oct 7, 2024

The PRIMARY selection criterion for an offsite media storage facility is:

Select an answer:

A. that the primary and offsite facilities not be subject to the same environmental disasters.

B. that the offsite storage facility be in close proximity to the primary site.

C. the overall storage and maintenance costs of the offsite facility.

D. the availability of cost-effective media transportation services.

You are correct, the answer is A.

It is important to prevent a disaster that could affect both sites. The distance between sites may be important in cases of widespread disasters; however, this is covered by choice A. The costs should not be the primary criterion for selection. A cost-effective media transport service may be a consideration, but is not the main concern.

In which of the following areas are data owners PRIMARILY responsible for establishing risk mitigation?

Select an answer:

A. Platform security

B. Entitlement changes

C. Intrusion detection

D. Antivirus controls

You are correct, the answer is B.

Data owners are responsible for assigning user entitlements and approving access to the systems for which they are responsible. Platform security, intrusion detection and antivirus controls are all within the responsibility of the information security manager.

Which of the following is the BEST justification to convince management to invest in an information security program?

Select an answer:

A. Cost reduction

B. Compliance with company policies

C. Protection of business assets

D. Increased business value

You answered C. The correct answer is D.

Investing in an information security program should increase business value and confidence. Cost reduction by itself is rarely the motivator for implementing an information security program. Compliance is secondary to business value. Increasing business value may include protection of business assets.

To improve the security of an organization's human resources (HR) system, an information security manager was presented with a choice to either implement an additional packet filtering firewall OR a heuristics-based intrusion detection system (IDS). How should the security manager with a limited budget choose between the two technologies?

Select an answer:

A. Risk analysis

B. Business impact analysis (BIA)

C. Return on investment (ROI) analysis

D. Cost-benefit analysis

You answered A. The correct answer is D.

Cost-benefit analysis measures the cost of a safeguard versus the benefit it provides, and does include risk assessment. The cost of a control should not exceed the benefit to be derived from it. The degree of control employed is a matter of good business judgment. Risk analysis identifies the risk and appropriate mitigation strategies. A BIA identifies the impact from the loss of systems. ROI analysis compares the magnitude and timing of investment gains directly with the magnitude and timing of investment costs.
