CISM Leak Questions

According to the CISM Manual, the information security manager should first assess the risk to business operations before taking any other action. This will help to prioritize the issues and determine the appropriate response. Performing a vulnerability assessment, a gap analysis, or creating a security exception are possible actions, but they should be based on the risk assessment results. References = CISM Manual, 5th Edition, page 1211; CISM Practice Quiz, question 32

A validation of the current firewall rule set is the best method for determining whether a firewall has been configured to provide a comprehensive perimeter defense because it verifies that the firewall rules are consistent, accurate, and effective in allowing or blocking traffic according to the security policies and standards of the organization. A port scan of the firewall from an internal source is not a good method because it does not test the firewall’s behavior from an external perspective, which is more relevant for perimeter defense. A ping test from an external source is not a good method because it only tests the firewall’s availability and responsiveness, not its security or functionality. A simulated denial of service (DoS) attack against the firewall is not a good method because it only tests the firewall’s resilience and performance under high traffic load, not its security or functionality. References: al-security-standards-for-information-systems journal/issues/2017/volume-2/the-value-of-penetration-testing urity-scanning-versus-penetration-testing

According to the CISM Review Manual, a business impact analysis (BIA) is the most useful tool when determining the business continuity strategy for a large organization’s data center, as it helps to identify and prioritize the critical business processes and resources that depend on the data center, and the impact of their disruption or loss. A BIA also provides the basis for defining the recovery time objectives (RTOs) and recovery point objectives (RPOs) for the data center, which guide the selection of the appropriate business continuity strategy.

References = CISM Review Manual, 27th Edition, Chapter 3, Section 3.5.2, page 1511.