
The following correction applies to page 13 of the CISM Review Questions, Answers & Explanations Manual 2011 Supplement.

The correction is circled.

Area 2—Information Risk Management

SS2-11 Which of the following, if not properly secured and/or segregated from local area network (LAN), can be
the GREATEST source of risk to an enterprise’s internal network?

A. A virtual local area network (VLAN)
B. A virtual private network (VPN)
C. A wireless local area network (WLAN)
D. Voice-over IP (VoIP)

C If not properly configured, a WLAN is not secure and can expose the network to unauthorized external
access. Even if misconfigured, the other choices generally pose less risk.

SS2-12 Which of the following would provide the BEST defense against the introduction of malware in end-user
computers via the Internet browser?

A. Input validation checks on SQL injection
B. Restricting access to social media sites
C. Deleting temporary files
D. Restricting execution of mobile code

D Restricting execution of mobile code is the most effective way to avoid introduction of malware into the
end user’s computers. Input validation checks on SQL injection do not apply to this scenario. Restricting
access to social media sites may be helpful, but they are not the primary source of malware. Deleting temporary
files is not applicable to this scenario.

SS2-13 An enterprise is transferring its IT operations to an offshore location. An information security manager
should be PRIMARILY concerned about:

A. reviewing new laws and regulations.
B. updating operational procedures.
C. validating staff qualifications.
D. conducting a risk assessment.

D A risk assessment should be conducted to determine new risks introduced by the outsourced processes. The
other choices may or may not be identified as mitigating measures based on the risks determined by the
assessment.

SS2-14 Which of the following statements concerning the transfer of risk is TRUE?

A. Responsibility cannot be transferred.
B. Transferring risk is a form of mitigation.
C. Transferring risk eliminates the risk.
D. Risk cannot be transferred.

A Transferring risk is a compensatory control that serves to reduce impact, but does not eliminate
responsibility. Transfer of risk does not mitigate the risk, but is a parallel option to mitigation (reduction).
Transfer does not eliminate the risk. Some risks cannot be transferred.

CISM Review Questions, Answers & Explanations Manual 2011 Supplement 13


The following correction applies to page 15 of the CISM Review Questions, Answers & Explanations Manual 2011 Supplement.

The correction is circled.

Area 2—Information Risk Management

SS2-18 An information security manager performing a security review determines that compliance with access
control policies to the data center is inconsistent across employees. The FIRST step to address this issue
should be to:

A. assess the risk of noncompliance.
B. initiate security awareness training.
C. prepare a status report for management.
D. increase compliance enforcement.

A Inconsistent compliance can be the result of different factors, but is often a lack of awareness. Assessing
the risk of noncompliance will provide the information needed to determine the most effective remediation
requirements. If awareness is adequate, training may not help and increased compliance enforcement may
be indicated. A report may be warranted, but will not directly address the issue that is normally a part of the
information security manager’s responsibilities. Increased enforcement is not warranted if the problem is a
lack of effective communication about security policy.

SS2-19 Which of the following is the MOST important element to consider when initiating asset classification?

A. The type of IT hardware that must be classified
B. A comprehensive risk assessment and analysis
C. Business continuity and disaster recovery plans (BCPs/DRPs)
D. The consequences of losing system functionality

D Business criticality and sensitivity are the primary considerations for a classification scheme. They are
determined by a business impact analysis (BIA), which will determine the consequences of losing or
compromising various information systems. The type of hardware is typically not a classification issue,
although it is a factor in incident recovery considerations. Classification is concerned with the loss or
compromise of information systems, not the risk they are subject to. Classification is an element of
BCP/DRP, but BCP/DRP is not required for classification.

SS2-20 Which of the following factors will MOST affect the extent to which controls should be layered?

A. The extent to which controls are procedural
B. Controls subject to the same threat
C. The maintenance cost of controls
D. Controls that fail in a closed condition

B To manage aggregate risk, common failure modes in existing controls must be addressed by
adding or modifying controls so that they fail under different conditions. Whether controls are procedural or
technical will not affect layering requirements. Excessive maintenance costs will probably not be addressed
by adding additional controls. Controls that fail in a closed condition pose risks to availability, whereas
controls that fail in an open condition may require additional control layers to prevent compromise.

SS2-21 Generally, who should determine the classification of an information asset?

A. The asset custodian
B. The security manager
C. Senior management
D. The asset owner

D Classifying an information asset is the responsibility of the asset owner.

CISM Review Questions, Answers & Explanations Manual 2011 Supplement 15


The following correction applies to page 24 of the CISM Review Questions, Answers & Explanations Manual 2011 Supplement.

The correction is circled.

Area 4—Information Security Program Management

SS4-9 Which of the following is the BEST way to erase confidential information stored on magnetic tapes?

A. Performing a low-level format
B. Rewriting with zeros
C. Burning them
D. Degaussing them

D Degaussing the magnetic tapes would best dispose of confidential information since information is
completely destroyed due to the magnetic effect of the degaussing process. Performing a low-level format
and rewriting with zeros may still help, but some forensic tools can be used to retrieve information.
Rewriting with zeros is dependent on the procedure used. Burning destroys the tapes and does not allow
their reuse.

SS4-10 The MOST common reason for an increasing number of emergency change requests is that:

A. the normal procedures are being bypassed.
B. there are zero-day defects.
C. there is an increase in help desk calls.
D. the IT team may be applying the changes without approval.

A If there is an increasing number of emergency change requests, it means that people do not want to follow
the standard process and thus the normal change control procedures are being bypassed.

SS4-11 A contract has just been signed with a new vendor to manage IT support services. Which of the following
tasks should the information security manager ensure is performed NEXT?

A. Establish vendor monitoring.
B. Define reporting relationships.
C. Create a service level agreement (SLA).
D. Have the vendor sign a nondisclosure agreement (NDA).

A When a formal process has been followed, choices B, C and D are performed to define the parameters of
the service relationship and provide the basis for establishing the contract. Once the contract is signed, the
security manager should ensure that choice A, continuous vendor monitoring, is established and operational.
This control will help identify and provide alerts on security events and minimize potential losses.

SS4-12 Which of the following will be MOST important in calculating accurate return on investment (ROI) in
information security?

A. Excluding qualitative risks for accuracy in calculated figures
B. Establishing processes to ensure cost reductions
C. Measuring monetary values in a consistent manner
D. Treating security investment as a profit center

C There must be consistency in metrics in order to have accurate and consistent results. In assessing security
risks, it is not a good idea to simply exclude qualitative risks because of the difficulties in measurement.
If something is an important risk factor, an attempt should be made to quantify it even though it may not
be highly accurate. ROI itself may not be primarily targeted for the assurance of cost reduction. Even
when ROI is calculated, there is a chance that the security cost will increase if identified exposures are not
immediately resolved. Treating a security investment as a profit center could be an important factor as an
educational item for senior management. There is a fundamental requirement to run ROI-based security
management, but it is not necessarily the key item in delivering positive results from ROI-based security
management.

24 CISM Review Questions, Answers & Explanations Manual 2011 Supplement


The following correction applies to page 35 of the CISM Review Questions, Answers & Explanations Manual 2011 Supplement.

The correction is circled.

SAMPLE EXAM

1. The MOST important aspect in establishing good information security policies is to ensure that they:

A. have the consensus of all concerned groups.
B. are easy to access by all employees.
C. capture the intent of management and align with business goals.
D. have been approved by the internal audit department.

2. Which of the following is the MOST important objective of an information security strategy review?

A. Ensuring that risks are identified and mitigated
B. Ensuring that information security strategy is aligned with organizational goals
C. Maximizing the return of information security investments
D. Ensuring the efficient utilization of information security resources

3. The use of insurance is an example of which of the following?

A. Risk mitigation
B. Risk acceptance
C. Risk elimination
D. Risk transfer

4. The MOST common reason for an increasing number of emergency change requests is that:

A. the normal procedures are being bypassed.
B. there are zero-day defects.
C. there is an increase in help desk calls.
D. the IT team may be applying the changes without approval.

5. Which of the following is the MOST important to successfully manage an incident?

A. Clearly documented roles and responsibilities
B. An approved and tested incident management and response plan
C. IT personnel with ready access to hardware and software to restore operations
D. An updated incident response training program

6. The factor that is MOST likely to result in identification of security incidents is:

A. effective communication and reporting processes.
B. clear policies detailing incident severity levels.
C. intrusion detection system (IDS) capabilities.
D. security awareness training.

7. The design and implementation of controls and countermeasures must be PRIMARILY focused on:

A. eliminating IT risk.
B. cost-benefit balance.
C. resource management.
D. the number of assets protected.

CISM Review Questions, Answers & Explanations Manual 2011 Supplement 35
