CISM Exam Questions: Information Security Program Development, Exams of Information Security and Markup Languages

This multiple-choice exam focuses on information security program development, covering advocacy, data confidentiality, virus detection, access control, and intrusion detection. It features a detailed rationale for each answer choice, offering a comprehensive review of key security management concepts. Valuable for students and professionals preparing for certification or seeking deeper understanding, the exam explores the roles of auditors, COOs, and committees in security advocacy. It also covers VPNs, firewalls, and biometric authentication for data confidentiality, virus detection effectiveness, access control cost-effectiveness, and responsibilities for enforcing access rights. Placement of intrusion detection systems, firewall implementation, and evaluation of security awareness training are also addressed.

Typology: Exams

2024/2025

Available from 06/10/2025

smart-scores
CISM Domain 3 - Information Security Program Development
Multiple choice exam with answers & rationale for each choice

1. Who can BEST advocate the development of and ensure the success of an information security program?
A. Internal auditor
B. Chief operating officer
C. Steering committee
D. IT management
Correct answer: C. Justification:
A. An internal auditor is a good advocate but is secondary to the influence of senior management.
B. The chief operating officer will be a member of the steering committee.
C. Senior management represented in the security steering committee is in the best position to advocate the establishment of, and continued support for, an information security program.
D. IT management has a lesser degree of influence and would also be part of the steering committee.

2. Which of the following BEST ensures that information transmitted over the Internet will remain confidential?

A. A virtual private network
B. Firewalls and routers
C. Biometric authentication
D. Two-factor authentication
Correct answer: A. Justification:
A. Encryption of data in a virtual private network ensures that transmitted information is not readable, even if intercepted.
B. Firewalls and routers protect access to data resources inside the network and do not protect traffic in the public network.
C. Biometric authentication alone would not prevent a message from being intercepted and read.
D. Two-factor authentication alone would not prevent a message from being intercepted and read.

3. What does the effectiveness of virus detection software MOST depend on?
A. Packet filtering
B. Intrusion detection
C. Software upgrades
D. Definition files
Correct answer: D. Justification:
A. Packet filtering does not focus on virus detection.
B. Intrusion detection does not address virus detection.
C. Software upgrades are related to the periodic updating of the program code, which would not be as critical.

Justification:
A. Data owners are responsible for approving access rights.
B. Business process owners are sometimes the data owners as well and would not be responsible for enforcement.
C. The security steering committee would not be responsible for enforcement.
D. As custodians, security administrators are responsible for enforcing access rights to data.

6. When designing an intrusion detection system, the information security manager should recommend that it be placed:
A. outside the firewall.
B. on the firewall server.
C. on a screened subnet.
D. on the external router.
Correct answer: C. Justification:
A. Placing the intrusion detection system (IDS) on the Internet side of the firewall is not advised because the system will generate alerts on all malicious traffic, even though 99 percent will be stopped by the firewall and never reach the internal network.
B. Because firewalls should be installed on hardened servers with minimal services enabled, it would be inappropriate to install the IDS on the same physical device.
C. An IDS should be placed on a screened subnet, which is a demilitarized zone.
D. Placing the IDS on the external server, if such a thing were feasible, is not advised because the system will generate alerts on all malicious traffic, even though 99 percent will be stopped by the firewall and never reach the internal network.

7. The BEST reason for an organization to implement two discrete firewalls connected directly to the Internet and to the same demilitarized zone would be to:
A. provide in-depth defense.
B. separate test and production.
C. permit traffic load balancing.
D. prevent a denial-of-service attack.
Correct answer: C. Justification:
A. Two firewalls in parallel provide two concurrent paths for compromise and, therefore, do not provide defense in depth. If they were connected in series, one behind the other, they would provide defense in depth.
B. As both entry points connect to the Internet and to the same demilitarized zone, such an arrangement is not practical for separating test from production.
C. Having two entry points, each guarded by a separate firewall, is desirable to permit traffic load balancing.
D. Firewalls are not effective at preventing denial-of-service attacks.

8. When designing information security standards for an enterprise, the information security manager should require that an extranet server be placed:
A. outside the firewall.
B. on the firewall server.

C. The number of incidents resolved may not correlate to staff awareness.
D. Access rule violations may or may not have anything to do with awareness levels.

10. What is the MOST important contractual element when contracting with an outsourcer to provide security administration?
A. The right-to-terminate clause
B. Limitations of liability
C. The service level agreement
D. The financial penalties clause
Correct answer: C. Justification:
A. The service level agreement (SLA) provides metrics to which outsourcing firms can be held accountable and will always include the right-to-terminate clause.
B. Limitations of liability will also be included in the SLA.
C. The SLA includes the other options in addition to a number of other conditions, representations and warranties, as well as the right to inspect, provisions for audits, requirements on termination, etc.
D. Financial penalties clauses are a standard part of SLAs.

11. Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism?
A. Number of attacks detected
B. Number of successful attacks
C. Ratio of false positives to false negatives
D. Ratio of successful to unsuccessful attacks
Correct answer: C. Justification:
A. The number of attacks detected does not indicate how many attacks were not detected and, therefore, is no indication of effectiveness.
B. The number of successful attacks does not indicate how many were detected.
C. The ratio of false positives to false negatives will indicate the effectiveness of the intrusion detection system.
D. Without knowing whether attacks were detected or not, the ratio of successful attacks to unsuccessful attacks indicates nothing about the effectiveness of the IDS.

12. Which of the following is MOST effective in preventing weaknesses from being introduced into existing production systems?
A. Patch management
B. Change management
C. Security baselines
D. Virus detection
Correct answer: B. Justification:
A. Patch management involves the correction of software weaknesses and would necessarily follow change management procedures.
B. Change management controls the process of introducing changes to systems. This is often the point at which a weakness will be introduced.

B. System access violation logs
C. Role-based access controls
D. Exit routines
Correct answer: C. Justification:
A. Baseline security standards will provide for general access controls but not for specific authorizations.
B. Violation logs are detective and do not prevent unauthorized access.
C. Role-based access controls help ensure that users only have access to files and systems appropriate for their job role.
D. Exit routines are dependent upon appropriate role-based access.

15. Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender?
A. Biometric authentication
B. Embedded steganographic
C. Two-factor authentication
D. Embedded digital signature
Correct answer: D. Justification:
A. Authentication does not ensure the authenticity of the data, just the identity of the sender.
B. Steganography is a form of encryption that may ensure integrity but not identity.
C. Authentication does not ensure the authenticity of the data, just the identity of the sender.
D. A digital signature ensures both the identity of the sender and the integrity of the data.

18. Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers?
A. Daily
B. Weekly
C. Concurrently with operating system patch updates
D. During scheduled change control updates
Correct answer: A. Justification:
A. New viruses are being introduced almost daily. The effectiveness of virus detection software depends on frequent updates to its virus signatures, which are stored in antivirus signature files, so updates may be carried out several times during the day. At a minimum, daily updating should occur.
B. Weekly updates may potentially allow new viruses to infect the system.
C. Operating system updates are too infrequent for virus updates.
D. Change control updates are sporadic and not the basis for virus updates.

Which of the following devices should be placed within a demilitarized zone?
A. Network switch
B. Web server
C. Database server

C. Placing it on a screened subnet, which is a DMZ, does not provide any protection.
D. A firewall should be placed on a (security) domain boundary.

20. Where should an intranet server generally be placed?
A. On the internal network
B. On the firewall server
C. On the external router
D. On the primary domain controller
Correct answer: A. Justification:
A. An intranet server should be placed on the internal network. An intranet server should stay in the internal network because external people do not need to access it. This reduces the risk of unauthorized access.
B. Because firewalls should be installed on hardened servers with minimal services enabled, it is inappropriate to host the intranet server on the same physical device as the firewall.
C. Placing the intranet server on an external router leaves it exposed.
D. Primary domain controllers should not share the same physical device as the intranet server.

How can access control to a sensitive intranet application by mobile users BEST be implemented?
A. Through data encryption
B. Through digital signatures
C. Through strong passwords
D. Through two-factor authentication
Correct answer: D. Justification:
A. Data encryption does not provide access control.
B. Digital signatures provide assurance of the identity of the sender, not access control.
C. Strong passwords provide an intermediate strength of access control, but not as strong as two-factor authentication.
D. Two-factor authentication, through the use of strong passwords combined with security tokens, provides the highest level of security.

21. A control policy is MOST likely to address which of the following implementation requirements?
A. Specific metrics
B. Operational capabilities
C. Training requirements
D. Failure modes
Correct answer: D. Justification:
A. A control policy may specify a requirement for monitoring or metrics but will not define specific metrics.
B. Operational capabilities will likely be defined in specific requirements or a design document rather than in the control policy.

D. It reduces the need for two-factor authentication.
Correct answer: A. Justification:
A. Automated password synchronization reduces the overall administrative workload of resetting passwords.
B. Automated password synchronization does not increase security between multi-tier systems.
C. Automated password synchronization does not allow passwords to be changed less frequently.
D. Automated password synchronization does not reduce the need for two-factor authentication.

24. Which of the following tools is MOST appropriate to assess whether information security governance objectives are being met?
A. SWOT (strengths, weaknesses, opportunities, threats) analysis
B. Waterfall chart
C. Gap analysis
D. Balanced scorecard
Correct answer: D. Justification:
A. A SWOT (strengths, weaknesses, opportunities, threats) analysis addresses strengths, weaknesses, opportunities and threats. Although useful, a SWOT analysis is not as effective a tool as a balanced scorecard (BSC).
B. A waterfall chart is used to understand the flow of one process into another.
C. A gap analysis, while useful for identifying the difference between the current state and the desired future state, is not the most appropriate tool.
D. A BSC is most effective for evaluating the degree to which information security objectives are being met.

27. Which of the following is MOST effective in preventing the introduction of a code modification that may reduce the security of a critical business application?
A. Patch management
B. Change management
C. Security metrics
D. Version control
Correct answer: B. Justification:
A. Patch management corrects discovered weaknesses by applying a correction to the original program code.
B. Change management controls the process of introducing changes to systems. Failure to have good change management may introduce new weaknesses into otherwise secure systems.
C. Security metrics provide a means for measuring effectiveness.
D. Version control is a subset of change management.

Which of the following is MOST important to the success of an information security program?
A. Security awareness training

C. Role-based access controls would help ensure that users only had access to files and systems appropriate for their job role.
D. Intrusion detection systems are useful to detect invalid attempts, but they will not prevent attempts.

30. Which of the following technologies is utilized to ensure that an individual connecting to a corporate internal network over the Internet is not an intruder masquerading as an authorized user?
A. Intrusion detection system
B. IP address packet filtering
C. Two-factor authentication
D. Embedded digital signature
Correct answer: C. Justification:
A. An intrusion detection system can be used to detect an external attack but would not help in authenticating a user attempting to connect.
B. IP address packet filtering would protect against spoofing an internal address but would not provide strong authentication.
C. Two-factor authentication provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network.
D. Digital signatures ensure that transmitted information can be attributed to the named sender.

What is an appropriate frequency for updating operating system patches on production servers?
A. During scheduled rollouts of new applications
B. According to a fixed security patch management schedule
C. Concurrently with quarterly hardware maintenance
D. Whenever important security patches are released
Correct answer: D. Justification:
A. Patches should not be delayed to coincide with other scheduled rollouts.
B. Patches should not be delayed to coincide with other scheduled maintenance.
C. Due to the possibility of creating a system outage, patches should not be deployed during critical periods of application activity such as month-end or quarter-end closing.
D. Patches should be applied whenever important security updates are released, after being tested to ensure compatibility.

Which of the following BEST accomplishes secure customer use of an e-commerce application?
A. Data encryption
B. Digital signatures
C. Strong passwords
D. Two-factor authentication
Correct answer: A. Justification:
A. Encryption would be the preferred method of ensuring confidentiality in customer communications with an e-commerce application.