ISACA CISM Practice Test

Certified Information Security Manager

Last exam update: Jun 12, 2024
Page 1 out of 123. Viewing questions 1-15 out of 1842

Question 1 Topic 5

Which of the following is MOST important in determining whether a disaster recovery test is successful?

  • A. Only business data files from offsite storage are used
  • B. IT staff fully recovers the processing infrastructure
  • C. Critical business processes are duplicated
  • D. All systems are restored within recovery time objectives (RTOs)
Answer:

C

Explanation:
To ensure that a disaster recovery test is successful, it is most important to determine whether all critical business functions
were successfully recovered and duplicated. Although ensuring that only materials taken from offsite storage are used in the
test is important, this is not as critical in determining a test's success. While full recovery of the processing infrastructure is a
key recovery milestone, it does not ensure the success of a test. Achieving the RTOs is another important milestone, but
does not necessarily prove that the critical business functions can be conducted, due to interdependencies with other
applications and key elements such as data, staff, manual processes, materials and accessories, etc.

Question 2 Topic 5

An organization with multiple data centers has designated one of its own facilities as the recovery site. The MOST important
concern is the:

  • A. communication line capacity between data centers.
  • B. current processing capacity loads at data centers.
  • C. differences in logical security at each center.
  • D. synchronization of system software release versions.
Answer:

B

Explanation:
If data centers are operating at or near capacity, it may prove difficult to recover critical operations at an alternate data
center. Although line capacity is important from a mirroring perspective, this is secondary to having the necessary capacity to
restore critical systems. By comparison, differences in logical and physical security and synchronization of system software
releases are much easier issues to overcome and are, therefore, of less concern.

Question 3 Topic 5

A post-incident review should be conducted by an incident management team to determine:

  • A. relevant electronic evidence.
  • B. lessons learned.
  • C. hacker's identity.
  • D. areas affected.
Answer:

B

Explanation:
Post-incident reviews are beneficial in determining ways to improve the response process through lessons learned from the
attack. Evaluating the relevance of evidence, who launched the attack or what areas were affected are not the primary
purposes for such a meeting because these should have been already established during the response to the incident.

Question 4 Topic 5

The BEST approach in managing a security incident involving a successful penetration should be to:

  • A. allow business processes to continue during the response.
  • B. allow the security team to assess the attack profile.
  • C. permit the incident to continue to trace the source.
  • D. examine the incident response process for deficiencies.
Answer:

A

Explanation:
Since information security objectives should always be linked to the objectives of the business, it is imperative that business
processes be allowed to continue whenever possible. Only when there is no alternative should these processes be
interrupted. Although it is important to allow the security team to assess the characteristics of an attack, this is subordinate to
the needs of the business. Permitting an incident to continue may expose the organization to additional damage. Evaluating
the incident management process for deficiencies is valuable but it, too, is subordinate to allowing business processes to
continue.

Question 5 Topic 5

An incident response policy must contain:

  • A. updated call trees.
  • B. escalation criteria.
  • C. press release templates.
  • D. critical backup files inventory.
Answer:

B

Explanation:
Escalation criteria, indicating the circumstances under which specific actions are to be undertaken, should be contained
within an incident response policy. Telephone trees, press release templates and lists of critical backup files are too detailed
to be included in a policy document.

Question 6 Topic 5

At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the
vendor's hot site facility?

  • A. Erase data and software from devices
  • B. Conduct a meeting to evaluate the test
  • C. Complete an assessment of the hot site provider
  • D. Evaluate the results from all test scripts
Answer:

A

Explanation:
For security and privacy reasons, all organizational data and software should be erased prior to departure. Evaluations can
occur back at the office after everyone is rested, and the overall results can be discussed and compared objectively.

Question 7 Topic 5

Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided
hot site?

  • A. Tests are scheduled on weekends
  • B. Network IP addresses are predefined
  • C. Equipment at the hot site is identical
  • D. Business management actively participates
Answer:

D

Explanation:
Disaster recovery testing requires the allocation of sufficient resources to be successful. Without the support of
management, these resources will not be available, and testing will suffer as a result. Testing on weekends can be
advantageous but this is not the most important choice. As vendor-provided hot sites are in a state of constant change, it is
not always possible to have network addresses defined in advance. Although it would be ideal to provide for identical
equipment at the hot site, this is not always practical as multiple customers must be served and equipment specifications will
therefore vary.

Question 8 Topic 5

Which of the following is the MOST important to ensure a successful recovery?

  • A. Backup media is stored offsite
  • B. Recovery location is secure and accessible
  • C. More than one hot site is available
  • D. Network alternate links are regularly tested
Answer:

A

Explanation:
Unless backup media are available, all other preparations become meaningless. Recovery site location and security are
important, but would not prevent recovery in a disaster situation. Having a secondary hot site is also important, but not as
important as having backup media available. Similarly, alternate data communication lines should be tested regularly and
successfully but, again, this is not as critical.

Question 9 Topic 5

The FIRST priority when responding to a major security incident is:

  • A. documentation.
  • B. monitoring.
  • C. restoration.
  • D. containment.
Answer:

D

Explanation:
The first priority in responding to a security incident is to contain it to limit the impact. Documentation, monitoring and
restoration are all important, but they should follow containment.

Question 10 Topic 5

The BEST method for detecting and monitoring a hacker's activities without exposing information assets to unnecessary risk
is to utilize:

  • A. firewalls.
  • B. bastion hosts.
  • C. decoy files.
  • D. screened subnets.
Answer:

C

Explanation:
Decoy files, often referred to as honeypots, are the best choice for diverting a hacker away from critical files and alerting
security of the hacker's presence. Firewalls and bastion hosts attempt to keep the hacker out, while screened subnets or
demilitarized zones (DMZs) provide a middle ground between the trusted internal network and the external untrusted
Internet.

Question 11 Topic 5

Which of the following actions should be taken when an online trading company discovers a network attack in progress?

  • A. Shut off all network access points
  • B. Dump all event logs to removable media
  • C. Isolate the affected network segment
  • D. Enable trace logging on all events
Answer:

C

Explanation:
Isolating the affected network segment will mitigate the immediate threat while allowing unaffected portions of the business
to continue processing. Shutting off all network access points would create a denial of service that could result in loss of
revenue. Dumping event logs and enabling trace logging, while perhaps useful, would not mitigate the immediate threat
posed by the network attack.

Question 12 Topic 5

A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site.
Which of the following would be the GREATEST weakness in recovery capability?

  • A. Exclusive use of the hot site is limited to six weeks
  • B. The hot site may have to be shared with other customers
  • C. The time of declaration determines site access priority
  • D. The provider services all major companies in the area
Answer:

D

Explanation:
Sharing a hot site facility is sometimes necessary in the case of a major disaster. Also, first come, first served usually
determines priority of access based on general industry practice. Access to a hot site is not indefinite; the recovery plan
should address a long-term outage. In case of a disaster affecting a localized geographical area, the vendor's facility and
capabilities could be insufficient for all of its clients, which will all be competing for the same resource. Preference will likely
be given to the larger corporations, possibly delaying the recovery of a branch that will likely be smaller than other clients
based locally.

Question 13 Topic 5

A desktop computer that was involved in a computer security incident should be secured as evidence by:

  • A. disconnecting the computer from all power sources.
  • B. disabling all local user accounts except for one administrator.
  • C. encrypting local files and uploading exact copies to a secure server.
  • D. copying all files using the operating system (OS) to write-once media.
Mark Question:
Answer:

A

Explanation:
To preserve the integrity of the desktop computer as an item of evidence, it should be immediately disconnected from all
sources of power. Any attempt to access the information on the computer by copying, uploading or accessing it remotely
changes the operating system (OS) and temporary files on the computer and invalidates it as admissible evidence.

Question 14 Topic 5

Which of the following should be determined FIRST when establishing a business continuity program?

  • A. Cost to rebuild information processing facilities
  • B. Incremental daily cost of the unavailability of systems
  • C. Location and cost of offsite recovery facilities
  • D. Composition and mission of individual recovery teams
Answer:

B

Explanation:
Prior to creating a detailed business continuity plan, it is important to determine the incremental daily cost of losing different
systems. This will allow recovery time objectives to be determined which, in turn, affects the location and cost of offsite
recovery facilities, and the composition and mission of individual recovery teams. Determining the cost to rebuild information
processing facilities would not be the first thing to determine.

Question 15 Topic 5

The MOST likely cause of a security information event monitoring (SIEM) solution failing to identify a serious incident is that
the system:

  • A. is not collecting logs from relevant devices.
  • B. has not been updated with the latest patches.
  • C. is hosted by a cloud service provider.
  • D. has performance issues.
Answer:

A
