The security manager of a global company has decided that a risk assessment needs to be completed across the company.
What is the primary objective of the risk assessment?
A. Identify, quantify and prioritize each of the business-critical assets residing on the corporate infrastructure
B. Identify, quantify and prioritize risks against criteria for risk acceptance
C. Identify, quantify and prioritize the scope of this risk assessment
D. Identify, quantify and prioritize which controls are going to be used to mitigate risk
An experienced security manager is well aware of the risks related to communication over the internet. She also knows that Public Key Infrastructure (PKI) can be used to keep e-mails between employees confidential.
Which is the main risk of PKI?
A. The Certificate Authority (CA) is hacked.
B. The certificate is invalid because it is on a Certificate Revocation List.
C. The users lose their public keys.
D. The HR department wants to be a Registration Authority (RA).
A protocol to investigate fraud by employees is being designed. Which measure can be part of this protocol?
A. Seize and investigate the private laptop of the employee
B. Investigate the contents of the workstation of the employee
C. Investigate the private mailbox of the employee
D. Put a phone tap on the employee's business phone
What is a risk treatment strategy?
A. Mobile updates
B. Risk acceptance
C. Risk exclusion
D. Software installation
A security manager just finished the final copy of a risk assessment. This assessment contains a list of identified risks and she has to determine how to treat these risks.
What is the best option for the treatment of risks?
A. Begin risk remediation immediately as the organization is currently at risk
B. Decide the criteria for determining if the risk can be accepted
C. Design appropriate controls to reduce the risk
D. Remediate the risk regardless of cost
A risk manager is asked to perform a complete risk assessment for a company. What is the best method to identify most of the threats to the company?
A. Have a brainstorm with representatives of all stakeholders
B. Interview top management
C. Send a checklist for threat identification to all staff involved in information security
An information security officer is asked to write a retention policy for a financial system. She is aware of the fact that some data must be kept for a long time and other data must be deleted.
Where should she look for guidelines first?
A. In company policies
B. In finance management procedures
C. In legislation
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are key terms in business continuity management (BCM). Reducing loss of data is one of the focus areas of a BCM policy.
What requirement is in the data recovery policy to realize minimal data loss?
A. Maximize RPO
B. Reduce RPO
C. Reduce RTO
D. Reduce the time between RTO and RPO
When is revision of an employee's access rights mandatory?
A. After any position change
B. At hire
C. At least each year
D. At all moments stated in the information security policy
What is the main reason to use a firewall to separate two parts of your internal network?
A. To control traffic intensity between two network segments
B. To decrease network loads
C. To enable the installation of an Intrusion Detection System
D. To separate areas with different confidentiality requirements