ISC2 ISSMP practice test

Information Systems Security Management Professional Exam

Last exam update: Dec 19, 2024
Page 1 out of 15. Viewing questions 1-15 out of 224

Question 1

Which of the following processes is used by remote users to make a secure connection to internal
resources after establishing an Internet connection?

A. Packet filtering
B. Tunneling
C. Packet sniffing
D. Spoofing

Answer:

B


Explanation:

Tunneling is a process used by remote users to make a secure connection to internal resources after
establishing an Internet connection. The tunnel is created between the two ends by encapsulating
the data in a mutually agreed-upon protocol for transmission.
Answer option A is incorrect. Packet filtering is a method that allows or restricts the flow of specific
types of packets to provide security. It analyzes the incoming and outgoing packets and lets them
pass or stops them at a network interface based on the source and destination addresses, ports, or
protocols. Packet filtering provides a way to define precisely which type of IP traffic is allowed to
cross the firewall of an intranet. IP packet filtering is important when users from private intranets
connect to public networks, such as the Internet.
Answer option C is incorrect. Packet sniffing is the process of monitoring data packets as they travel
across a network. The software used for packet sniffing is known as a sniffer. Many packet-sniffing
programs are freely available on the Internet, and unauthorized use of them can be harmful to a
network's security.
Answer option D is incorrect. Spoofing is a technique that makes a transmission appear to have
come from an authentic source by forging the IP address, email address, caller ID, etc. In IP spoofing,
an attacker rewrites packet headers with someone else's IP address to hide his identity. IP spoofing is
not usable for ordinary two-way sessions such as web browsing or online chat, because the responses
are sent to the forged source address rather than to the attacker.
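The explanation above contrasts tunneling with packet filtering and spoofing. The following is an added example, not code from the exam page, showing how a stateless packet filter of the kind described (decisions based on source and destination addresses, ports and protocols) is evaluated: first matching rule wins, anything unmatched is dropped, and an ingress anti-spoofing rule rejects Internet-side packets that claim an internal source. The address ranges, the VPN gateway (assumed here to be OpenVPN on UDP/1194), the rule set and the sample packets are all constructed for illustration.

```python
"""Stateless packet filter evaluated over constructed packets.

Added example; not from the exam page. The rules, addresses and packets
are constructed for illustration. Rules apply to packets arriving on the
Internet-facing interface of an intranet firewall.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; a packet no rule matches is dropped (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed policy. 10.0.0.0/8 is the intranet; 198.51.100.0/24 stands in for
# the organization's public range; 203.0.113.0/24 for arbitrary Internet hosts.
INTRANET = "10.0.0.0/8"
VPN_GATEWAY = "198.51.100.10/32"   # assumed tunnel endpoint
WEB_SERVER = "198.51.100.20/32"
RULES = [
    # Ingress anti-spoofing: an Internet-side packet claiming an internal source is forged.
    Rule("deny", src=INTRANET),
    # Remote users reach internal resources only through the tunnel endpoint
    # (assumed here to be OpenVPN on UDP/1194).
    Rule("allow", dst=VPN_GATEWAY, proto="udp", dport=1194),
    # Public web service.
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=443),
]

# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("10.1.2.3", "10.0.0.5", "tcp", 445),            # spoofed internal source
    Packet("203.0.113.7", "198.51.100.10", "udp", 1194),   # VPN tunnel setup
    Packet("203.0.113.7", "198.51.100.20", "tcp", 443),    # HTTPS to web server
    Packet("203.0.113.7", "198.51.100.20", "tcp", 22),     # SSH: no rule, default deny
    Packet("203.0.113.7", "10.0.0.5", "tcp", 445),         # direct attempt at an internal host
]


def decisions(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [filter_packet(rules, p) for p in packets]


if __name__ == "__main__":
    for p, d in zip(SAMPLE_PACKETS, decisions(RULES, SAMPLE_PACKETS)):
        print(f"{d:5}  {p.src} -> {p.dst} {p.proto}/{p.dport}")
```

Note that the filter never sees inside the tunnel: once the VPN session is up, the encapsulated traffic to internal hosts is carried in UDP/1194 datagrams that the border filter allows, which is exactly why the tunnel endpoint itself must enforce authentication and its own access policy.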

Question 2

In which of the following alternative processing sites is the backup facility maintained in a constant
order, with a full complement of servers, workstations, and communication links ready to assume
the primary operations responsibility?

A. Mobile Site
B. Cold Site
C. Warm Site
D. Hot Site

Answer:

D


Explanation:

A hot site is a duplicate of the organization's original site, with full computer systems and
near-complete backups of user data. It is a backup facility maintained in a constant state of
readiness, with a full complement of servers, workstations, and communication links ready to assume
the primary operations responsibility.
A hot site is a backup site for use when a disaster has struck the data center. It is located off site
and provides the best protection, since it is an exact replica of the current data center. If a
disaster strikes the data center, administrators need only restore the most recent data at the hot
site and operations are back online in a very short time. A hot site is very expensive to create and
maintain; many third-party companies provide disaster recovery services by maintaining hot sites on
their premises.
Answer option B is incorrect. A cold site is a backup site in case disaster has taken place in a data
center. This is the least expensive disaster recovery solution, usually having only a single room with
no equipment. All equipment is brought to the site after the disaster. It can be on site or off site.
Answer option A is incorrect. Mobile sites are self-contained, portable shells custom-fitted with the
specific telecommunications and IT equipment needed to meet system requirements. They are offered
for lease through commercial vendors.
Answer option C is incorrect. A warm site is, quite logically, a compromise between hot and cold
sites. Warm sites will have hardware and connectivity already established, though on a smaller scale
than the original production site or even a hot site. These sites will have backups on hand, but they
may not be complete and may be between several days and a week old. An example would be
backup tapes sent to the warm site by courier.

Question 3

Which of the following are known as the three laws of OPSEC?
Each correct answer represents a part of the solution. Choose three.

A. If you don't know the threat, how do you know what to protect?
B. If you don't know what to protect, how do you know you are protecting it?
C. If you are not protecting it (the critical and sensitive information), the adversary wins!
D. If you don't know about your security resources you cannot protect your network.

Answer:

A, B, and C


Explanation:
OPSEC is also known as operations security. It has three laws.
The First Law of OPSEC: If you don't know the threat, how do you know what to protect? Although
specific threats vary from site to site and program to program, employees must be aware of the
actual and postulated threats. In any given situation there is likely to be more than one adversary,
and each may be interested in different information.
The Second Law of OPSEC: If you don't know what to protect, how do you know you are protecting
it? The "what" is the critical and sensitive, or target, information that adversaries require to meet
their objectives.
The Third Law of OPSEC: If you are not protecting it (the critical and sensitive information), the
adversary wins! OPSEC vulnerability assessments (referred to as "OPSEC assessments", "OAs", or
sometimes "surveys") are conducted to determine whether or not critical information is
vulnerable to exploitation. An OA is a critical analysis of "what we do" and "how we do it" from the
perspective of an adversary. Internal procedures and information sources are also reviewed to
determine whether there is an inadvertent release of sensitive information.
Answer option D is incorrect. The statement given in the option is not a valid law of OPSEC.

Question 4

Fill in the blank with an appropriate word. _________ are used in information security to formalize
security policies.

Answer:

Models.


Explanation: Models are used in information security to formalize security policies. These models
can be abstract or intuitive, and they provide a framework for understanding fundamental
information security architectural concepts.
Reference: CISM Review Manual 2010, Contents. "Information Security Program Development"

Question 5

You work as the project manager for Bluewell Inc. You are working on NGQQ Project for your
company. You have completed the risk analysis processes for the risk events. You and the project
team have created risk responses for most of the identified project risks. Which of the following risk
response planning techniques will you use to shift the impact of a threat to a third party, together
with the responses?

A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk transference

Answer:

D


Explanation:
Risk transference is a risk response planning technique that is used to shift the impact of a threat to a
third party, together with the ownership of the response.
Risk response planning is the process of developing options to reduce threats and to make the most
of opportunities. The chosen response should be appropriate to the significance of the risk and be
cost-effective. The plan documents the processes for managing risk events. It
addresses the owners and their responsibilities, risk identification, results from qualification and
quantification processes, budgets and times for responses, and contingency plans. The various risk
response planning techniques are as follows.
Risk acceptance. It indicates that the project team has decided not to change the project
management plan to deal with a risk, or is unable to identify any other suitable response strategy.
Risk avoidance. It is a technique for a threat, which creates changes to the project management plan
that are meant to either eliminate the risk or to protect the project objectives from this impact.
Risk mitigation. It is a list of specific actions being taken to deal with specific risks associated with the
threats and seeks to reduce the probability of occurrence or impact of risk below an acceptable
threshold.
Risk transference. It is used to shift the impact of a threat to a third party, together with the
ownership of the response.

Question 6

Which of the following anti-child pornography organizations helps local communities to create
programs and develop strategies to investigate child exploitation?

A. Internet Crimes Against Children (ICAC)
B. Project Safe Childhood (PSC)
C. Anti-Child Porn.org
D. Innocent Images National Initiative (IINI)

Answer:

B


Explanation:

Project Safe Childhood (PSC) is a Department of Justice initiative launched in 2006 that aims to
combat the proliferation of technology-facilitated sexual exploitation crimes against children. PSC
coordinates efforts by various federal, state and local agencies and organizations to protect children
by investigating and prosecuting online sexual predators. PSC partners include Internet Crimes
Against Children (ICAC) task forces, the FBI, U.S. Postal Inspection Service, Immigration and Customs
Enforcement, the U.S. Marshals Service, the National Center for Missing & Exploited Children, and
state and local law enforcement officials in each U.S. Attorney's district. PSC also helps local
communities to create programs and develop strategies to investigate child exploitation.
Answer option A is incorrect. Internet Crimes Against Children (ICAC) is a task-force started by the
United States Department of Justice's Office of Juvenile Justice and Delinquency Prevention (OJJDP)
in 1998. Its primary goals are to provide state and local law enforcement agencies the tools to
prevent Internet crimes against children by encouraging multi-jurisdictional cooperation as well as
educating both law enforcement agents and parents and teachers. The aims of ICAC task forces are
to catch distributors of child pornography on the Internet, whether delivered on-line or solicited on-
line and distributed through other channels and to catch sexual predators who solicit victims on the
Internet through chat rooms, forums and other methods. Currently all fifty states participate in ICAC.
Answer option C is incorrect. Anti-Child Porn.org (ACPO) is an organization with members all over
the world that focuses on topics related to child exploitation, online predators, and child
pornography. Its Web site provides information for law enforcement, parents, and other interested
organizations. It also provides software such as Reveal, which can be used to scan the files on a
computer for explicit or illegal content.
Answer option D is incorrect. The Innocent Images National Initiative (IINI) was established by the
FBI as part of its Cyber Crimes program for the purpose of identifying, investigating, and prosecuting
people who use computers for the sexual exploitation of children and for child pornography. While
performing these tasks, IINI also tries to identify and rescue children who are being exploited.
Reference: CHFI Course Manual, Contents. "Child Pornography"

Question 7

Which of the following refers to the ability to ensure that the data is not modified or tampered with?

A. Availability
B. Non-repudiation
C. Integrity
D. Confidentiality

Answer:

C


Explanation:
Integrity refers to the ability to ensure that the data is not modified or tampered with.
Integrity means that data cannot be modified without authorization. Integrity is violated when an
employee accidentally or with malicious intent deletes important data files, when a computer virus
infects a computer, when an employee is able to modify his own salary in a payroll database, when
an unauthorized user vandalizes a Web site, when someone is able to cast a very large number of
votes in an online poll, and so on.
Answer option D is incorrect. Confidentiality is the property of preventing disclosure of information
to unauthorized individuals or systems.
Breaches of confidentiality take many forms. Permitting someone to look over your shoulder at your
computer screen while you have confidential data displayed on it could be a breach of
confidentiality. If a laptop computer containing sensitive information about a company's employees
is stolen or sold, it could result in a breach of confidentiality.
Answer option A is incorrect. Availability means that data must be available whenever it is needed.
Answer option B is incorrect. Non-repudiation is the concept of ensuring that a party in a dispute
cannot refuse to acknowledge, or refute the validity of a statement or contract. As a service, it
provides proof of the integrity and origin of data. Although this concept can be applied to
any transmission, including television and radio, by far the most common application is in the
verification and trust of signatures.
Reference: "http://en.wikipedia.org/wiki/Integrity"
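The explanation above defines integrity as the ability to ensure data is not modified, and gives an employee editing his own salary in a payroll database as a violation. The following is an added example, not code from the exam page, showing how a message authentication code (HMAC-SHA256 from Python's standard library) lets a verifier detect exactly that kind of modification. The payroll record, the key and the tampering are constructed for illustration; the key name and the `protect`/`verify` helpers are this example's own, not an API from any referenced source.

```python
"""Integrity protection and verification with HMAC-SHA256.

Added example; not from the exam page. The payroll record, key and
tampering below are constructed for illustration; in practice the key
comes from a secrets store, never from source code.
"""
import hashlib
import hmac
import json
from typing import Optional, Tuple

TAG_LEN = 64  # hex digits of a SHA-256 MAC


def canonical(record: dict) -> bytes:
    """Deterministic serialization: the MAC must cover exactly the bytes verified."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect(record: dict, key: bytes) -> bytes:
    """Return body + "." + hex(HMAC(key, body))."""
    body = canonical(record)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"." + tag.encode()


def verify(blob: bytes, key: bytes) -> Tuple[bool, Optional[dict]]:
    """Return (ok, record). Any change to the body or the tag yields (False, None)."""
    if len(blob) < TAG_LEN + 2 or blob[-TAG_LEN - 1:-TAG_LEN] != b".":
        return False, None
    body, tag = blob[:-TAG_LEN - 1], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison: a byte-by-byte '==' would leak how many
    # leading tag bytes an attacker has guessed correctly.
    if not hmac.compare_digest(expected, tag):
        return False, None
    return True, json.loads(body)


# Constructed data: the scenario from the explanation, an employee editing
# his own salary in a payroll record.
KEY = b"constructed-demo-key-do-not-use"
RECORD = {"employee": "alice", "salary": 5000}


def demo() -> dict:
    blob = protect(RECORD, KEY)
    tampered = blob.replace(b'"salary":5000', b'"salary":9000')
    return {
        "intact": verify(blob, KEY),
        "tampered": verify(tampered, KEY),
        "wrong_key": verify(blob, b"some-other-key"),
    }


if __name__ == "__main__":
    for name, (ok, rec) in demo().items():
        print(f"{name:10} ok={ok} record={rec}")
```

The example also illustrates why option B is a different property: because the HMAC key is shared, either holder could have produced a valid tag, so an HMAC proves integrity but not origin in a way a third party would accept. Non-repudiation needs a digital signature made with a private key only the signer holds.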

Question 8

Which of the following laws is defined as the Law of Nations, or the legal norms that have developed
through the customary exchanges between states over time, whether based on diplomacy or
aggression?

A. Customary
B. Tort
C. Criminal
D. Administrative

Answer:

A


Explanation:

The customary law refers to the Law of Nations or the legal norms that have developed through the
customary exchanges between states over time, whether based on diplomacy or aggression. The
customary law is built upon the ideas of personal conduct and tradition of a country.
Essentially, legal obligations are believed to arise between states to carry out their affairs
consistently with past accepted conduct. These customs can also change based on the acceptance or
rejection by states of particular acts. Some principles of customary law have achieved the force of
peremptory norms, which cannot be violated or altered except by a norm of comparable strength.
These norms are said to gain their strength from universal acceptance, such as the prohibitions
against genocide and slavery.
Answer option B is incorrect. Tort law is a body of law that deals with civil wrongdoings. The
definition of this kind of wrong is usually distinct from a criminal wrong. A person who suffers legal
damage may be able to use tort law to receive damages (usually monetary compensation) from
someone who is responsible or liable for those injuries. Generally speaking, tort law defines what a
legal injury is and what is not.
A person may be held liable (responsible to pay) for another's injury caused by them. The major
categories of torts are intentional torts, negligent torts, and strict liability torts.
Answer option D is incorrect. The administrative law is the body of law that governs the activities of
administrative agencies of government.
Government agency action can include rulemaking, adjudication, or the enforcement of a specific
regulatory agenda. Administrative law is considered a branch of public law.
As a body of law, administrative law deals with the decision-making of administrative units of
government (e.g., tribunals, boards or commissions) that are part of a national regulatory scheme in
such areas as police law, international trade, manufacturing, the environment, taxation,
broadcasting, immigration and transport.
Answer option C is incorrect. The criminal law, or penal law, is the body of rules with the potential
for severe impositions as punishment for failure to comply. Criminal punishment, depending on the
offense and jurisdiction, may include execution, loss of liberty, government supervision (parole or
probation), or fines. Criminal law typically is enforced by the government, unlike the civil law, which
may be enforced by private parties.

Question 9

Tomas is the project manager of the QWS Project and is worried that the project stakeholders will
want to change the project scope frequently. His fear is based on the many open issues in the project
and how the resolution of the issues may lead to additional project changes. On what document are
Tomas and the stakeholders working in this scenario?

A. Communications management plan
B. Change management plan
C. Issue log
D. Risk management plan

Answer:

B


Explanation:

The change management plan defines how the change control system works and the proper
channels and procedures for managing changes within the project. The change control system, a part
of the configuration management system, is a collection of formal documented procedures that
define how project deliverables and documentation will be controlled, changed, and approved.
Answer option C is incorrect. The issue log is a document that records all issues, their characteristics,
and status.
Answer option A is incorrect. The communications management plan defines who needs what
information, when the information is needed, and the modality the information is to be
communicated in.
Answer option D is incorrect. The risk management plan defines how risk will be managed within the
project.
Reference: A Guide to the Project Management Body of Knowledge (PMBOK Guide), Fourth Edition,
ISBN 9781933890517, Chapter 5, Section 5.5.2.

Question 10

Which of the following plans is documented and organized for emergency response, backup
operations, and recovery maintained by an activity as part of its security program that will ensure
the availability of critical resources and facilitates the continuity of operations in an emergency
situation?

A. Disaster Recovery Plan
B. Contingency Plan
C. Continuity Of Operations Plan
D. Business Continuity Plan

Answer:

B


Explanation:
Contingency plan is prepared and documented for emergency response, backup operations, and
recovery maintained by an activity as the element of its security program that will ensure the
availability of critical resources and facilitates the continuity of operations in an emergency
situation. A contingency plan is a plan devised for a specific situation when things could go wrong.
Contingency plans are often devised by governments or businesses who want to be prepared for
anything that could happen. Contingency plans include specific strategies and actions to deal with
specific variances to assumptions resulting in a particular problem, emergency, or state of affairs.
They also include a monitoring process and "triggers" for initiating planned actions. They are
required to help governments, businesses, or individuals to recover from serious incidents in the
minimum time with minimum cost and disruption.
Answer option A is incorrect. A disaster recovery plan covers the data, hardware, and software that
are critical for the business and how they will be restored after a sudden loss such as a hard disk
crash. The business should use backup and data recovery utilities to limit the loss of data.
Answer option C is incorrect. The Continuity Of Operations Plan (COOP) refers to the preparations and
institutions maintained by the United States government to ensure the survival of federal
government operations in the case of catastrophic events. It provides the procedures and capabilities
to sustain an organization's essential functions. A COOP is the documented procedure for ensuring
that critical operations persist throughout any period in which normal operations are unattainable.
Answer option D is incorrect. Business Continuity Planning (BCP) is the creation and validation of a
practiced logistical plan for how an organization will recover and restore partially or completely
interrupted critical (urgent) functions within a predetermined time after a disaster or extended
disruption. The logistical plan is called a business continuity plan.
Reference: CISM Review Manual 2010, Contents. "Incident management and response"

Question 11

Which of the following sites are similar to the hot site facilities, with the exception that they are
completely dedicated, self-developed recovery facilities?

A. Cold sites
B. Orange sites
C. Warm sites
D. Duplicate processing facilities

Answer:

D


Explanation:

Duplicate processing facilities work in the same manner as hot site facilities, with the exception
that they are completely dedicated, self-developed recovery facilities. The duplicate facility holds
the same equipment, operating systems, and applications as the primary site and may have regularly
synchronized data. Large organizations with multiple geographic locations are typical examples of
duplicate processing facilities.
Answer option A is incorrect. A cold site is a backup site in case disaster has taken place in a data
center. This is the least expensive disaster recovery solution, usually having only a single room with
no equipment. All equipment is brought to the site after the disaster. It can be on site or off site.
Answer option C is incorrect. A warm site is, quite logically, a compromise between hot and cold
sites. Warm sites will have hardware and connectivity already established, though on a smaller scale
than the original production site or even a hot site. These sites will have backups on hand, but they
may not be complete and may be between several days and a week old. An example would be
backup tapes sent to the warm site by courier.
Answer option B is incorrect. An "orange site" is not a recognized type of recovery site.
Reference: Online ISACA Manual, Contents. "Backup and Recovery"

Question 12

Which of the following divisions of the Trusted Computer System Evaluation Criteria (TCSEC) is based
on the Mandatory Access Control (MAC) policy?

A. Division A
B. Division D
C. Division B
D. Division C

Answer:

C


Explanation:
Division B (Mandatory Protection) of the Trusted Computer System Evaluation Criteria (TCSEC) is based
on the Mandatory Access Control (MAC) policy: from class B1 upward, every subject and object carries
a sensitivity label and the system enforces access decisions from those labels. Division C
(Discretionary Protection) relies on discretionary access control, and Division A adds formal design
verification on top of the Division B requirements. Mandatory Access Control (MAC) is a model that
uses a predefined set of access privileges for each object in the system. Access to an object is
restricted on the basis of the sensitivity of the object, defined by the label assigned to it, and the
clearance of the subject. For example, if a user receives a copy of an object that is marked "secret",
he cannot grant other users permission to see the object; they can read it only if they hold the
appropriate clearance.
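Question 4 states that models formalize security policies, and the explanation above describes the MAC policy behind TCSEC Division B. The following is an added example, not code from the exam page, that formalizes the label-based policy as a lattice with Bell-LaPadula style read and write rules, and shows why the holder of a "secret" copy cannot pass it to an uncleared user: a copy is a read followed by a write, and the write is refused unless the destination is labeled at least as high. The levels, compartments, subjects and objects are constructed; a real Division B system enforces these checks inside its reference monitor.

```python
"""Mandatory access control on a label lattice (Bell-LaPadula style rules).

Added example; not from the exam page. The levels, compartments, subjects
and objects are constructed. A real Division B system enforces these
checks in its reference monitor; here they are plain functions.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical sensitivity levels. Compartments (e.g. a project codeword)
# make the ordering a lattice rather than a simple line.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down. A subject holding secret data cannot
    place it in a lower-labelled object where uncleared users could read it."""
    return obj.dominates(subject)


def can_copy(subject: Label, src: Label, dst: Label) -> bool:
    """Copying is a read of src followed by a write to dst. This is why the
    holder of a 'secret' copy cannot 'grant' it to others: the destination
    must be labelled at least as high, so recipients still need clearance."""
    return can_read(subject, src) and can_write(subject, dst)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the label a document derived from a and b must carry."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


# Constructed subjects and objects.
CRYPTO_DOC = Label("secret", frozenset({"crypto"}))
ALICE = Label("secret", frozenset({"crypto"}))   # cleared for the document
BOB = Label("confidential")                       # level too low
CAROL = Label("top secret")                       # level high enough, lacks the compartment
PUBLIC_SHARE = Label("unclassified")
TS_ARCHIVE = Label("top secret", frozenset({"crypto"}))


def demo() -> dict:
    return {
        "alice_reads": can_read(ALICE, CRYPTO_DOC),
        "bob_reads": can_read(BOB, CRYPTO_DOC),
        "carol_reads": can_read(CAROL, CRYPTO_DOC),
        "alice_copies_to_public": can_copy(ALICE, CRYPTO_DOC, PUBLIC_SHARE),
        "alice_copies_to_archive": can_copy(ALICE, CRYPTO_DOC, TS_ARCHIVE),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:25} {'allow' if allowed else 'deny'}")
```

The contrast with discretionary access control (Division C) is that no function here takes the object's owner into account: the decision depends only on the two labels, which the subject cannot change, so there is no "grant" operation for Alice to misuse.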

Question 13

Which of the following governance bodies provides management, operational and technical controls
to satisfy security requirements?

A. Senior Management
B. Business Unit Manager
C. Information Security Steering Committee
D. Chief Information Security Officer

Answer:

A


Explanation:
Senior management provides management, operational and technical controls to satisfy security
requirements. The governance roles and responsibilities are mentioned below in the table.

Question 14

Which of the following processes provides a standard set of activities, general tasks, and a
management structure to certify and accredit systems, which maintain the information assurance
and the security posture of a system or site?

A. NSA-IAM
B. DITSCAP
C. ASSET
D. NIACAP

Answer:

D


Explanation: NIACAP (the National Information Assurance Certification and Accreditation Process)
provides a standard set of activities, general tasks, and a management structure to certify and
accredit systems that maintain the information assurance and the security posture of a system or site.
Answer option B is incorrect. DITSCAP (the DoD Information Technology Security Certification and
Accreditation Process) establishes a standard process, a set of activities, general task descriptions,
and a management structure to certify and accredit the IT systems that will maintain the required
security posture within the Department of Defense.
Answer option A is incorrect. The NSA-IAM (NSA INFOSEC Assessment Methodology) evaluates
information systems at a high level and uses a subset of the SSE-CMM process areas to measure the
implementation of information security on these systems.
Answer option C is incorrect. ASSET (the Automated Security Self-Evaluation Tool) is a tool developed
by NIST to automate the self-assessment process using the questionnaire in NIST Special Publication
800-26.
Reference: CISM Review Manual 2010, Contents. "Information security process management"

Question 15

Which of the following are examples of administrative controls that involve all levels of employees
within an organization and determine which users have access to what resources and information?
Each correct answer represents a complete solution. Choose three.

A. Employee registration and accounting
B. Disaster preparedness and recovery plans
C. Network authentication
D. Training and awareness
E. Encryption

Answer:

A, B, and D


Explanation:
The following are examples of the administrative controls that involve all levels of employees within
an organization and determine which users have access to what resources and information.
Training and awareness
Policy enforcement
Personnel registration and accounting
Disaster preparedness and recovery plans
Administrative controls can be security policies or items such as standards, guidelines, and
procedures for individuals to follow to ensure security. Administrative controls are the foundations
from which technical and physical controls are implemented.
Answer options C and E are incorrect. Network authentication and encryption are examples of
technical controls.
Reference: "http://en.wikipedia.org/wiki/Information_security"
