CISM Domain 2 Test Questions With Answers All Correct
Which of the following should a successful information security management program use to determine the amount of resources devoted to mitigating exposures?(*)
- CORRECT ANSWER: risk analysis result

In a Business Impact Analysis (BIA), the value of an information system should be based on the overall:
- CORRECT ANSWER: opportunity cost

Risk acceptance is a component of which of the following?
- CORRECT ANSWER: risk mitigation

Which of the following risk scenarios would BEST be assessed using qualitative risk assessment techniques?
- CORRECT ANSWER: permanent decline in customer confidence

Which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations?
- CORRECT ANSWER: change management procedures are poor

Which of the following is the PRIMARY reason for implementing a risk management program? A risk management program:(*)
- CORRECT ANSWER: is a necessary part of management's due diligence

Which of the following is the MOST usable deliverable of an information security risk analysis?
- CORRECT ANSWER: list of action items to mitigate risk

Information security managers should use risk assessment techniques to:
- CORRECT ANSWER: justify selection of risk mitigation strategies

Which of the following is MOST essential when assessing risk?(*)
- CORRECT ANSWER: considering both monetary value and likelihood of loss

The PRIMARY goal of a corporate risk management program is to ensure that an organization's:
- CORRECT ANSWER: stated objectives are achieved

What is the PRIMARY objective of a risk management program?
- CORRECT ANSWER: achieve acceptable risk

What is the PRIMARY benefit of performing an information asset classification?(*)
- CORRECT ANSWER: it identifies controls commensurate with impact

Which of the following is MOST essential for a risk management program to be effective?(*)
- CORRECT ANSWER: detection of new risk

Which of the following steps in conducting a risk assessment should be performed FIRST?(*)
- CORRECT ANSWER: identify business assets

In conducting an initial technical vulnerability assessment, which of the following choices should receive top priority?(*)
- CORRECT ANSWER: systems covered by business interruption insurance

What is the PRIMARY purpose of using risk analysis within a security program?
- CORRECT ANSWER: the risk analysis helps assess exposures and plan remediation

What mechanism should be used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system?(*)
- CORRECT ANSWER: security gap analysis

Which of the following would BEST address the risk of data leakage?
- CORRECT ANSWER: acceptable use policies

A company recently developed a breakthrough technology. Because this technology could give the company a significant competitive edge, which of the following would FIRST govern how this information is to be protected?
- CORRECT ANSWER: data classification policy

Which of the following is the BEST basis for determining the criticality and sensitivity of information assets?
- CORRECT ANSWER: an impact assessment

Which program element should be implemented FIRST in asset classification and control?(*)
- CORRECT ANSWER: valuation

Which of the following is the MOST important consideration when performing a risk assessment?
- CORRECT ANSWER: assets have been identified and appropriately valued

The PRIMARY reason for initiating a policy exception process is when:
- CORRECT ANSWER: the risk is justified by the benefit

What activity should information security management perform FIRST when assessing the potential impact of new privacy legislation on the organization?(*)
- CORRECT ANSWER: identify systems and processes that contain privacy components

The PRIMARY reason for classifying information resources according to sensitivity and criticality is to:
- CORRECT ANSWER: define the appropriate level of access controls

When performing a qualitative risk analysis, which of the following will BEST produce reliable results?(*)
- CORRECT ANSWER: possible scenarios with threats and impacts

The MOST effective use of a risk register is to:(*)
- CORRECT ANSWER: facilitate a thorough review of all IT-related risk on a periodic basis

An information security manager is advised by contacts in law enforcement that there is evidence that his/her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:(*)
- CORRECT ANSWER: immediately advise senior management of the elevated risk

Abnormal server communication from inside the organization to external parties may be monitored to:(*)
- CORRECT ANSWER: record the trace of advanced persistent threats (APTs)

What is the PRIMARY purpose of segregation of duties?
- CORRECT ANSWER: fraud prevention

What is the BEST means to standardize security configuration in similar devices?
- CORRECT ANSWER: baselines
Document information
- Institution: CISM Domain 2
- Course: CISM Domain 2
- Uploaded on: October 25, 2023
- Number of pages: 10
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers