CISM Information Security Risk Management • Complete Question Bank
Complete CISM Information Security Risk Management question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.

Exhibit:

```
CISCO ASA Firewall Config Snippet
access-list INSIDE extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list INSIDE extended permit udp 10.0.0.0 255.255.255.0 any eq 53
access-list OUTSIDE extended deny ip any any
```
Refer to the exhibit.

Exhibit:

```
Log Entry:
Jan 15 09:23:45 server1 sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2
Jan 15 09:23:47 server1 sshd[1235]: Failed password for admin from 10.0.0.5 port 22 ssh2
Jan 15 09:23:50 server1 sshd[1236]: Failed password for root from 10.0.0.5 port 22 ssh2
Jan 15 09:23:52 server1 sshd[1237]: Failed password for admin from 10.0.0.5 port 22 ssh2
```
Refer to the exhibit.

```
Risk Assessment Log
Date: 2025-03-01
Asset: Database Server DB-01
Threat: Unauthorized access
Vulnerability: Weak password policy
Current Controls: Password complexity enabled, account lockout after 5 failed attempts
Likelihood: 3 (Moderate)
Impact: 4 (Major)
Risk Level: 12 (High)
Risk Appetite Threshold: 10
```
Match each risk assessment activity with the correct phase of the risk management lifecycle:
Activities:
1. Identify assets and threats
2. Determine risk level
3. Select controls to reduce risk
4. Monitor risk over time

Phases:
A. Risk Assessment
B. Risk Treatment
C. Risk Monitoring
D. Risk Communication (not used)
A security manager is evaluating risk treatment options for a high-risk vulnerability. Drag each option to the correct risk treatment category.
Options:
- Apply a vendor patch
- Purchase cyber insurance
- Decommission the system
- Accept the risk with formal sign-off
- Install a WAF (Web Application Firewall)

Categories:
- Mitigate
- Transfer
- Avoid
- Accept
Match each risk concept with the correct description.

Descriptions:
- Risk level before controls are applied
- Risk remaining after controls are implemented
- Amount of risk the organization is willing to accept
- Acceptable variation around the risk appetite
- Process of modifying risk by applying controls
Match each business continuity concept with the correct description.

Descriptions:
- Maximum time to restore a process after disruption
- Maximum age of data that must be recovered
- Plan to maintain business functions during disruption
- Plan to restore IT infrastructure after disaster
- Process to identify critical functions and dependencies
Match each cryptography concept with the correct description.

Descriptions:
- Uses same key for encryption and decryption
- Uses public/private key pair
- One-way transformation producing fixed-size digest
- Provides authenticity and non-repudiation
- Framework managing digital certificates and keys
Refer to the exhibit.

Vulnerability Scan Summary Report, 11-Jun-2023 04:15:42

| Host | Total vulnerabilities | Critical | High | Medium | Low |
|---|---|---|---|---|---|
| 192.168.10.25 | 12 | 2 | 4 | 3 | 3 |
| 192.168.10.30 | 8 | 0 | 1 | 5 | 2 |
| 192.168.10.35 | 20 | 5 | 6 | 7 | 2 |
Refer to the exhibit.

```json
{
  "dataClassification": {
    "public": {
      "description": "Information that can be disclosed to anyone",
      "handling": "No special protection required"
    },
    "internal": {
      "description": "Information for internal use only",
      "handling": "Must be stored on internal systems, encrypted in transit"
    },
    "confidential": {
      "description": "Sensitive information with legal or contractual obligations",
      "handling": "Must be encrypted at rest and in transit, access on a need-to-know basis"
    },
    "highlyConfidential": {
      "description": "Information that could cause severe reputational damage if disclosed",
      "handling": "All 'confidential' protections plus multifactor authentication, data loss prevention, and quarterly access reviews"
    }
  }
}
```

Refer to the exhibit.

Network Architecture Description:
- Internet facing web server (DMZ)
- Application server (internal trust zone)
- Database server (restricted zone)
- All zones separated by firewalls
- Admin access to database server requires VPN + jump host
- All traffic from web server to application server encrypted with TLS 1.3
- Application server has direct access to database using SQL authentication
Risk Register Extract:

| Risk ID | Description | Current Controls | Inherent Risk | Residual Risk | Risk Appetite |
|---|---|---|---|---|---|
| R-001 | Unauthorized access to sensitive data | Firewall, Access control lists | High (Likelihood: 4, Impact: 5) | Medium (Likelihood: 3, Impact: 4) | Low |
| R-002 | Data corruption due to malware | Antivirus software | High (Likelihood: 5, Impact: 4) | High (Likelihood: 4, Impact: 4) | Low |