CISM 2024 Verified Exam Questions and Answers

  • August 17, 2024
  • 75 pages
  • Seller: Brightstars
©EXAM STUDY MATERIAL 8/9/2024 11:50 AM



What would be the BEST security measure we could use to prevent data disclosure and data exfiltration?

A) User authentication in all applications.
B) Use very strong encryption.
C) Use very strong key storage.
D) Use very complex firewall rules.

Answer: C) Use very strong key storage.

Explanation
We would want very strong key storage: if attackers can get to our encryption keys, most of the other security measures are irrelevant. Most encryption today is strong enough not to be breakable with current technologies, so making it stronger often does not make it significantly more secure. Complex firewall rules do not mean more security, and in this example they are a distractor. We would want user authentication in all applications, but it is not relevant to this question.

What is the MOST important reason we have Information Security review our contracts throughout the enterprise?

A) To ensure that both parties can perform their contractual promises.
B) To ensure the right to audit is a requirement.
C) To ensure appropriate controls are included.
D) To ensure no confidential information is included in the contract.

Answer: C) To ensure appropriate controls are included.

As an IT auditor, Trisha is conducting a compliance review. Which of these is she MOST likely to be performing?

A) Performing job activity analysis
B) Performing program activity analysis
C) Performing system aging analysis
D) Determine whether program changes are approved

Answer: D) Determine whether program changes are approved

Explanation
Compliance reviews determine whether the controls are enforcing the regulations, and include ensuring there are no unauthorized changes to the production environment. The other answers are part of a substantive review, which verifies the accuracy and reasonableness of reported information.

Of these options, when is the BEST time to have penetration tests conducted?

A) After a high staff turnover.
B) After significant system changes.
C) After an attempted intrusion.
D) After an audit has found weaknesses in our security controls.

Answer: B) After significant system changes.

At which phase of our systems or software development lifecycle should risk assessments be built in to ensure risks are addressed in the project development?

A) The specifications phase.
B) The programming phase.
C) The user testing phase.
D) The feasibility phase.

Answer: D) The feasibility phase.

Explanation
We should address risk as early in the project as possible; of the phases listed here, that is feasibility. The programming or user testing phase is far too late. If the feasibility phase were not an option, we would do it in specifications, but feasibility is much better.

Our organization has just finished a companywide Information Security user awareness training effort and we are going to try to social engineer our employees to gauge how effective the training was. Which of these is NOT a type of social engineering attack?

A) Authority
B) Vishing
C) Reconnaissance
D) Scarcity

Answer: C) Reconnaissance

Explanation
Reconnaissance is one of the phases of an attack or penetration test; it is not a form of social engineering. Vishing (voice phishing), authority, and scarcity are all types of social engineering.

What would be the BEST reason to get help from external resources to work on our Information Security program?

A) They can give us more redundancy for internal employees
B) They would be responsible for our Information Security program meeting the requirements
C) They can be more cost effective and can have expertise we do not internally
D) They can deliver the product faster because of their external knowledge

Answer: C) They can be more cost effective and can have expertise we do not internally

Bob is finishing up this iteration of our risk management program. What is the BIGGEST benefit of the program?

A) It can bring our losses in alignment with what we had budgeted for.
B) It can identify and remove all threats posed by people.
C) It can eliminate or transfer all organizational risks.
D) It can align our risk with the cost of countermeasures.

Answer: D) It can align our risk with the cost of countermeasures.

Paul asks his manager Naomi why separation of roles is important. What is the MOST likely answer Naomi will give to Paul?

A) Divides the knowledge necessary to complete key tasks
